diff --git a/armsrc/mifaresim.c b/armsrc/mifaresim.c
index 456c10358..a276ce28c 100644
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@@ -790,7 +790,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *uid, uint16_t
             if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] KEY %c: %012" PRIx64, (cardAUTHKEY == 0) ? 'A' : 'B', emlGetKey(cardAUTHSC, cardAUTHKEY));
 
             // sector out of range - do not respond
-            if (cardAUTHSC >= cardMaxSEC) {
+            if ((cardAUTHSC >= cardMaxSEC) && (flags & FLAG_MF_ALLOW_OOB_AUTH) == 0) {
                 cardAUTHKEY = AUTHKEYNONE; // not authenticated
                 cardSTATE_TO_IDLE();
                 if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Out of range sector %d(0x%02x) >= %d(0x%02x)", cardAUTHSC, cardAUTHSC, cardMaxSEC, cardMaxSEC);
diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c
index 025698692..cf48dd5be 100644
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@@ -4671,6 +4671,7 @@ static int CmdHF14AMfSim(const char *Cmd) {
         arg_lit0("e", "emukeys", "Fill simulator keys from found keys. Requires -x or -y. Implies -i. Simulation will restart automatically."),
         // If access bits show that key B is Readable, any subsequent memory access should be refused.
         arg_lit0(NULL, "allowkeyb", "Allow key B even if readable"),
+        arg_lit0(NULL, "allowover", "Allow auth attempts out of range for selected mifare type"),
         arg_lit0("v", "verbose", "Verbose output"),
         arg_lit0(NULL, "cve", "Trigger CVE 2021_0430"),
         arg_param_end
@@ -4725,9 +4726,13 @@ static int CmdHF14AMfSim(const char *Cmd) {
         flags |= FLAG_MF_USE_READ_KEYB;
     }
 
-    bool verbose = arg_get_lit(ctx, 14);
+    if (arg_get_lit(ctx, 14)) {
+        flags |= FLAG_MF_ALLOW_OOB_AUTH;
+    }
 
-    if (arg_get_lit(ctx, 15)) {
+    bool verbose = arg_get_lit(ctx, 15);
+
+    if (arg_get_lit(ctx, 16)) {
         flags |= FLAG_CVE21_0430;
     }
     CLIParserFree(ctx);
diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h
index cbce45a24..e5d8d2474 100644
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
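Review bot: In the `@@ -790` hunk of mifaresim.c the rewritten `if` was the only check between the reader-chosen sector number and the rest of the authentication path, so with FLAG_MF_ALLOW_OOB_AUTH set a cardAUTHSC at or above cardMaxSEC now reaches `emlGetKey(cardAUTHSC, cardAUTHKEY)` and whatever emulator-memory accesses follow, and nothing in the hunk shows an absolute cap tied to the size of the emulator image rather than to the selected card type. Before merging, confirm how cardAUTHSC is derived from the AUTH block number and that it cannot index past the emulator memory for any type; if it can, keep a hard upper bound in this condition even when the flag is set, with only the per-type limit being bypassed. The comment above the condition is now stale and should read `// sector out of range - do not respond (unless FLAG_MF_ALLOW_OOB_AUTH lets it through)`. As a style point, `!(flags & FLAG_MF_ALLOW_OOB_AUTH)` reads more clearly than `(flags & FLAG_MF_ALLOW_OOB_AUTH) == 0` next to the parenthesised comparison. Mifare1ksim starts before this hunk and continues after it.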
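Review bot: The new `arg_lit0(NULL, "allowover", ...)` line in the `@@ -4671` hunk of cmdhfmf.c sits directly under a comment that describes allowkeyb only, and neither the comment nor the help string says what "out of range" means for the simulator. Add its own comment above it, `// Keep answering AUTH for sectors beyond the selected card type's size instead of dropping to idle (sets FLAG_MF_ALLOW_OOB_AUTH).`, which is what the firmware-side change in this commit does with the flag. The argtable belongs to CmdHF14AMfSim, which starts before this hunk and continues after it.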
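Review bot: The `@@ -4725` hunk of cmdhfmf.c had to renumber two existing `arg_get_lit(ctx, N)` reads (verbose 14→15, cve 15→16) to insert the allowover read at 14, which is consistent with the option order in the earlier hunk but leaves nothing in the code tying these literals to the table, so the next inserted option will silently shift them again. At minimum, anchor the numbers with a comment on the new block, `// argtable slots: 13 allowkeyb, 14 allowover, 15 verbose, 16 cve -- keep in sync with the table above`; a sequential index variable would remove the coupling altogether if the file's style permits. The slot 13 in that comment is inferred from the `FLAG_MF_USE_READ_KEYB` assignment that precedes the hunk, so verify it before adding. CmdHF14AMfSim starts before this hunk and continues after it.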
@@ -872,7 +872,7 @@ typedef struct {
 #define FLAG_NR_AR_ATTACK 0x0400
 // support nested authentication attack
 #define FLAG_NESTED_AUTH_ATTACK 0x0800
-
+#define FLAG_MF_ALLOW_OOB_AUTH 0x1000
 
 #define MODE_SIM_CSN 0
 #define MODE_EXIT_AFTER_MAC 1
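Review bot: The new `#define FLAG_MF_ALLOW_OOB_AUTH 0x1000` in pm3_cmd.h is the only flag in this run without an explanatory comment, while the neighbouring FLAG_NESTED_AUTH_ATTACK has one. Add `// keep answering AUTH for sectors beyond the selected card type's size (hf mf sim --allowover)` above it so the firmware and client sides of this commit can be matched from the header alone. The value is the next free bit after 0x0800 and fits the `uint16_t flags` parameter of Mifare1ksim shown in the first hunk.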