hf mf sim: add option to allow key b to be used even if readable

2025-08-14 10:37:23 -07:00 · 2024-10-19 20:16:02 +02:00 · 2024-10-19 20:16:02 +02:00 · 41a43bc85c
commit 41a43bc85c
parent 838e0adfa7
3 changed files with 20 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

 ## [unreleased][unreleased]
+- Changed `hf mf sim` - add option to allow key b to be used even if readable (@doegox)
 - Changed `data num` - outputed binary strings are now properly zero padded (@iceman1001)
 - Changed `hf iclass info` - now tries default keys and decode if legacy (@iceman1001)
 - Changed `hf iclass chk` - now loads dictionary file by default (@iceman1001)
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@ -900,14 +900,16 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *uid, uint16_t

                    // Compliance of MIFARE Classic EV1 1K Datasheet footnote of Table 8
                    // If access bits show that key B is Readable, any subsequent memory access will be refused.
+                    // Some cards don't respect it so we can also skip it with FLAG_MF_USE_READ_KEYB
+                    if ((flags & FLAG_MF_USE_READ_KEYB) != FLAG_MF_USE_READ_KEYB) {
+                        if (cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {
+                            EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                            FpgaDisableTracing();

-                    if (cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {
-                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                        FpgaDisableTracing();
-
-                        if (g_dbglevel >= DBG_ERROR)
-                            Dbprintf("[MFEMUL_WORK] Access denied: Reader tried to access memory on authentication with key B while key B is readable in sector (0x%02x)", cardAUTHSC);
-                        break;
+                            if (g_dbglevel >= DBG_ERROR)
+                                Dbprintf("[MFEMUL_WORK] Access denied: Reader tried to access memory on authentication with key B while key B is readable in sector (0x%02x)", cardAUTHSC);
+                            break;
+                        }
                    }
                }

--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@ -4117,8 +4117,10 @@ static int CmdHF14AMfSim(const char *Cmd) {
        arg_lit0("x", NULL, "Performs the 'reader attack', nr/ar attack against a reader."),
        arg_lit0("y", NULL, "Performs the nested 'reader attack'. This requires preloading nt & nt_enc in emulator memory. Implies -x."),
        arg_lit0("e", "emukeys", "Fill simulator keys from found keys. Requires -x or -y. Implies -i. Simulation will restart automatically."),
-        arg_lit0("v", "verbose", "verbose output"),
-        arg_lit0(NULL, "cve", "trigger CVE 2021_0430"),
+        // If access bits show that key B is Readable, any subsequent memory access should be refused.
+        arg_lit0(NULL, "allowkeyb", "Allow key B even if readable"),
+        arg_lit0("v", "verbose", "Verbose output"),
+        arg_lit0(NULL, "cve", "Trigger CVE 2021_0430"),
        arg_param_end
    };
    CLIExecWithReturn(ctx, Cmd, argtable, true);
@ -4170,9 +4172,13 @@ static int CmdHF14AMfSim(const char *Cmd) {

    bool setEmulatorMem = arg_get_lit(ctx, 12);

-    bool verbose = arg_get_lit(ctx, 13);
+    if (arg_get_lit(ctx, 13)) {
+        flags |= FLAG_MF_USE_READ_KEYB;
+    }

-    if (arg_get_lit(ctx, 14)) {
+    bool verbose = arg_get_lit(ctx, 14);
+
+    if (arg_get_lit(ctx, 15)) {
        flags |= FLAG_CVE21_0430;
    }
    CLIParserFree(ctx);