FIX: 'hf 14a sim x' - this fixes the error with using moebius attack and sim. Updating the nonce variable doesn't change the premodulated response. And it should update everytime it gets a command. One concering issue is that this takes time. Successfully works with two PM3. One acting reader, another sim.

armsrc/iso14443a.c

@@ -1059,11 +1059,6 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 			DbpString("Button press");
 			break;
 		}	
-		
-		// incease nonce at every command recieved
-		nonce = prand();
-		num_to_bytes(nonce, 4, response5);
-		
 		p_response = NULL;
 		
 		// Okay, look at the command now.
@@ -1158,6 +1153,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 				EmSendCmdEx(emdata, sizeof(emdata), false);
 				p_response = NULL;
 			} else {
+				
+				// incease nonce at every command recieved. this is time consuming.
+				nonce = prand();
+				num_to_bytes(nonce, 4, response5);
+				prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
+				
 				cardAUTHSC = receivedCmd[1] / 4; // received block num
 				cardAUTHKEY = receivedCmd[0] - 0x60;
 				p_response = &responses[5]; order = 7;
@@ -1279,8 +1280,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 				  dynamic_response_info.response_n = 2;
 				} break;
 
-				case 0xaa:
-				case 0xbb: {
+				case 0xAA:
+				case 0xBB: {
 				  dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
 				  dynamic_response_info.response_n = 2;
 				} break;
@@ -1313,7 +1314,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 				dynamic_response_info.response[1] = receivedCmd[1];
 
 				// Add CRC bytes, always used in ISO 14443A-4 compliant cards
-				AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
+				AppendCrc14443a(dynamic_response_info.response, dynamic_response_info.response_n);
 				dynamic_response_info.response_n += 2;
         
 				if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
@@ -1333,7 +1334,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 
 		// comment this limit if you want to simulation longer		
 		if (!tracing) {
-			Dbprintf("Trace Full. Simulation stopped.");
+			DbpString("Trace Full. Simulation stopped.");
 			break;
 		}
 		// comment this limit if you want to simulation longer
@@ -1367,8 +1368,9 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 	BigBuf_free_keep_EM();
 	LED_A_OFF();
 
-	if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
 	/*	
+	if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
+
 		for ( uint8_t	i = 0; i < ATTACK_KEY_COUNT; i++) {
 			if (ar_nr_collected[i] == 2) {
 				Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
@@ -1382,7 +1384,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 						);
 			}
 		}	
-		*/
+
 		for ( uint8_t	i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
 			if (ar_nr_collected[i] == 2) {
 				Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
@@ -1398,6 +1400,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 			}
 		}
 	}
+	*/
 		
 	if (MF_DBGLEVEL >= 4){
 		Dbprintf("-[ Wake ups after halt [%d]", happened);

client/cmdhfmf.c

@@ -1383,7 +1383,9 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
 
 	printf("enter reader attack\n");
 	for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) {
-		if (data[i].ar2 > 0) {
+		
+		// if no-collected data 
+		if (data[i].ar2 == 0) continue;
 
 		// We can probably skip this, mfkey32v2 is more reliable.
 #ifdef HFMF_TRYMFK32
@@ -1411,12 +1413,13 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
 			continue;
 		}
 #endif
+		
 		//moebius attack			
 		if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) {
 			uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;
 			uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype;
 
-				PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]"
+			PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"
 				, keyType ? "B" : "A"
 				, sectorNum
 				, key
@@ -1430,6 +1433,7 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
 				uint8_t	memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
 				num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock);
 				num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10);
+				//iceman,  guessing this will not work so well for 4K tags.
 				PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
 					, (sectorNum*4) + 3
 					, sprint_hex( memBlock, sizeof(memBlock))
@@ -1438,8 +1442,6 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
 			}
 			continue;
 		}
-
-		}
 	}
 }
 

client/nonce2key/nonce2key.c

@@ -280,8 +280,9 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool verbose) {
 	}
     isSuccess	= (counter > 0);
 	t1 = clock() - t1;
+	if (verbose) {
 		if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks  - possible keys %d", (float)t1, counter);
-
+	}
 	*outputkey = ( isSuccess ) ? outkey : 0;
 	crypto1_destroy(s);
 	return isSuccess;