Merge pull request #279 from McEloff/mf_sim_ac_fix

'hf mf sim' - wrong access rights to write key B in trailer

CHANGELOG.md

@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+ - Fix 'hf mf sim' - wrong access rights to write key B in trailer (@McEloff)
  - Add option -i to flasher to query Pm3 for its memory size (@doegox)
  - Add support for flashing 512K units (@slurdge)
  - Add a simple python tool to check the elf sizes (@slurdge)

armsrc/iso14443a.c

@@ -743,7 +743,7 @@ static void Code4bitAnswerAsTag(uint8_t cmd) {
 
 //-----------------------------------------------------------------------------
 // Wait for commands from reader
-// stop when button is pressed
+// stop when button is pressed or client usb connection resets
 // or return TRUE when command is captured
 //-----------------------------------------------------------------------------
 static bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len) {
@@ -1094,7 +1094,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
 #define ORDER_SELECT_CL2     30
 #define ORDER_EV1_COMP_WRITE 40
 #define ORDER_RATS           70
-    int order = ORDER_NONE;
+    uint8_t order = ORDER_NONE;
 
     int retval = PM3_SUCCESS;
 

armsrc/mifaresim.c

@@ -56,7 +56,7 @@ static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t act
         }
         case AC_KEYB_WRITE: {
             if (DBGLEVEL >= DBG_EXTENDED)	Dbprintf("IsTrailerAccessAllowed: AC_KEYB_WRITE");
-            return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x04))
+            return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
                     || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
         }
         case AC_AC_READ: {
@@ -457,8 +457,6 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
     uint8_t *rats = NULL;
     uint8_t rats_len = 0;
 
-    uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
-
     //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
     // This will be used in the reader-only attack.
 
@@ -713,7 +711,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
                         crypto1_word(pcs, cuid ^ nonce, 0);
                         // rAUTH_NT contains prepared nonce for authenticate
                         EmSendCmd(rAUTH_NT, sizeof(rAUTH_NT));
-                        if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Reader authenticating for block %d (0x%02x) with key %c - nonce: %02X - ciud: %02X", receivedCmd_dec[1], receivedCmd_dec[1], (cardAUTHKEY == 0) ? 'A' : 'B', rAUTH_AT, cuid);
+                        if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Reader authenticating for block %d (0x%02x) with key %c - nonce: %02X - ciud: %02X", receivedCmd_dec[1], receivedCmd_dec[1], (cardAUTHKEY == 0) ? 'A' : 'B', rAUTH_NT, cuid);
                     } else {
                         // nested authentication
                         /*
@@ -1044,9 +1042,9 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
                 }
 
                 ans = prng_successor(nonce, 96);
-                num_to_bytes(ans, 4, rAUTH_AT);
-                mf_crypto1_encrypt(pcs, rAUTH_AT, 4, response_par);
-                EmSendCmdPar(rAUTH_AT, 4, response_par);
+                num_to_bytes(ans, 4, response);
+                mf_crypto1_encrypt(pcs, response, 4, response_par);
+                EmSendCmdPar(response, 4, response_par);
 
                 if (DBGLEVEL >= DBG_EXTENDED) {
                     Dbprintf("[MFEMUL_AUTH1] AUTH COMPLETED for sector %d with key %c. time=%d",