From 41a43bc85cf87076109344ebec0e06a7c67f9e7c Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Sat, 19 Oct 2024 20:16:02 +0200
Subject: [PATCH] hf mf sim: add option to allow key b to be used even if readable
---
 CHANGELOG.md | 1 +
 armsrc/mifaresim.c | 16 +++++++++-------
 client/src/cmdhfmf.c | 14 ++++++++++----
 3 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a40af5cc..447280308 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
+- Changed `hf mf sim` - add option to allow key b to be used even if readable (@doegox)
 - Changed `data num` - outputed binary strings are now properly zero padded (@iceman1001)
 - Changed `hf iclass info` - now tries default keys and decode if legacy (@iceman1001)
 - Changed `hf iclass chk` - now loads dictionary file by default (@iceman1001)
diff --git a/armsrc/mifaresim.c b/armsrc/mifaresim.c
index 0d9f99287..a10956d61 100644
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@@ -900,14 +900,16 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *uid, uint16_t
 // Compliance of MIFARE Classic EV1 1K Datasheet footnote of Table 8
 // If access bits show that key B is Readable, any subsequent memory access will be refused.
+ // Some cards don't respect it so we can also skip it with FLAG_MF_USE_READ_KEYB
+ if ((flags & FLAG_MF_USE_READ_KEYB) != FLAG_MF_USE_READ_KEYB) {
+ if (cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ FpgaDisableTracing();
- if (cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {
- EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
- FpgaDisableTracing();
-
- if (g_dbglevel >= DBG_ERROR)
- Dbprintf("[MFEMUL_WORK] Access denied: Reader tried to access memory on authentication with key B while key B is readable in sector (0x%02x)", cardAUTHSC);
- break;
+ if (g_dbglevel >= DBG_ERROR)
+ Dbprintf("[MFEMUL_WORK] Access denied: Reader tried to access memory on authentication with key B while key B is readable in sector (0x%02x)", cardAUTHSC);
+ break;
+ }
 }
 }
diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c
index b275b847f..d252cdac3 100644
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
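Review bot: The new guard wraps the existing key-B refusal in a second `if`, so the whole path is now two nested conditions and a fully re-indented body where a single condition would do; `if ((flags & FLAG_MF_USE_READ_KEYB) == 0 && cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {` keeps the original body untouched and the diff to three lines. When the flag is set, a memory access with a readable key B now proceeds with no trace at all, although the datasheet rule is being bypassed on purpose; a `Dbprintf` at a lower level such as `DBG_INFO`, e.g. `"[MFEMUL_WORK] Key B readable in sector (0x%02x), access allowed by FLAG_MF_USE_READ_KEYB"`, would make a simulation trace easier to interpret. The added comment would also read better as `// Some cards don't enforce this rule, so FLAG_MF_USE_READ_KEYB lets the simulator skip the check as well`. Mifare1ksim starts and ends outside the hunk.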
@@ -4117,8 +4117,10 @@ static int CmdHF14AMfSim(const char *Cmd) {
 arg_lit0("x", NULL, "Performs the 'reader attack', nr/ar attack against a reader."),
 arg_lit0("y", NULL, "Performs the nested 'reader attack'. This requires preloading nt & nt_enc in emulator memory. Implies -x."),
 arg_lit0("e", "emukeys", "Fill simulator keys from found keys. Requires -x or -y. Implies -i. Simulation will restart automatically."),
- arg_lit0("v", "verbose", "verbose output"),
- arg_lit0(NULL, "cve", "trigger CVE 2021_0430"),
+ // If access bits show that key B is Readable, any subsequent memory access should be refused.
+ arg_lit0(NULL, "allowkeyb", "Allow key B even if readable"),
+ arg_lit0("v", "verbose", "Verbose output"),
+ arg_lit0(NULL, "cve", "Trigger CVE 2021_0430"),
 arg_param_end
 };
 CLIExecWithReturn(ctx, Cmd, argtable, true);
@@ -4170,9 +4172,13 @@ static int CmdHF14AMfSim(const char *Cmd) {
 bool setEmulatorMem = arg_get_lit(ctx, 12);
- bool verbose = arg_get_lit(ctx, 13);
+ if (arg_get_lit(ctx, 13)) {
+ flags |= FLAG_MF_USE_READ_KEYB;
+ }
- if (arg_get_lit(ctx, 14)) {
+ bool verbose = arg_get_lit(ctx, 14);
+
+ if (arg_get_lit(ctx, 15)) {
 flags |= FLAG_CVE21_0430;
 }
 CLIParserFree(ctx);
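Review bot: The help string of the new `--allowkeyb` option does not tell the user that it makes the simulator deviate from the datasheet rule stated in the comment right above it, so `hf mf sim -h` only shows "Allow key B even if readable"; `arg_lit0(NULL, "allowkeyb", "Allow memory access with key B even if key B is readable (skips the datasheet check, as some cards do)"),` says what is being switched off. The comment itself describes the rule rather than the option, and `// Datasheet: key B must be refused when it is readable; this option lets the simulation skip that check` would match the help text. CmdHF14AMfSim starts and ends outside the hunk.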
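Review bot: The `arg_get_lit` indices in the second hunk are positions in the argtable, which is why inserting `--allowkeyb` ahead of `-v` forced `verbose` and `cve` to move from 13/14 to 14/15; the next inserted option shifts them again, and an off-by-one here silently wires the wrong switch to a flag. A comment at the first index read, `// indices are positions in argtable above; keep them in sync when inserting options`, documents the coupling, and if the help ordering allows it, appending new options after `cve` (here `allowkeyb` at 15) would leave existing reads untouched. The `flags` variable and the rest of CmdHF14AMfSim are outside the hunk.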