Merge pull request #279 from McEloff/mf_sim_ac_fix

'hf mf sim' - wrong access rights to write key B in trailer
This commit is contained in:
Philippe Teuwen 2019-07-20 00:47:48 +02:00 committed by GitHub
commit 7ad7275ee9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 9 deletions

View file

@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Fix 'hf mf sim' - wrong access rights to write key B in trailer (@McEloff)
- Add option -i to flasher to query Pm3 for its memory size (@doegox)
- Add support for flashing 512K units (@slurdge)
- Add a simple python tool to check the elf sizes (@slurdge)

View file

@ -743,7 +743,7 @@ static void Code4bitAnswerAsTag(uint8_t cmd) {
//-----------------------------------------------------------------------------
// Wait for commands from reader
// stop when button is pressed
// stop when button is pressed or client usb connection resets
// or return TRUE when command is captured
//-----------------------------------------------------------------------------
static bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len) {
@ -1094,7 +1094,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
#define ORDER_SELECT_CL2 30
#define ORDER_EV1_COMP_WRITE 40
#define ORDER_RATS 70
int order = ORDER_NONE;
uint8_t order = ORDER_NONE;
int retval = PM3_SUCCESS;

View file

@ -56,7 +56,7 @@ static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t act
}
case AC_KEYB_WRITE: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsTrailerAccessAllowed: AC_KEYB_WRITE");
return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x04))
return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
|| (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
}
case AC_AC_READ: {
@ -457,8 +457,6 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
uint8_t *rats = NULL;
uint8_t rats_len = 0;
uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
//Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
// This will be used in the reader-only attack.
@ -713,7 +711,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
crypto1_word(pcs, cuid ^ nonce, 0);
// rAUTH_NT contains prepared nonce for authenticate
EmSendCmd(rAUTH_NT, sizeof(rAUTH_NT));
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Reader authenticating for block %d (0x%02x) with key %c - nonce: %02X - ciud: %02X", receivedCmd_dec[1], receivedCmd_dec[1], (cardAUTHKEY == 0) ? 'A' : 'B', rAUTH_AT, cuid);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Reader authenticating for block %d (0x%02x) with key %c - nonce: %02X - ciud: %02X", receivedCmd_dec[1], receivedCmd_dec[1], (cardAUTHKEY == 0) ? 'A' : 'B', rAUTH_NT, cuid);
} else {
// nested authentication
/*
@ -1044,9 +1042,9 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
}
ans = prng_successor(nonce, 96);
num_to_bytes(ans, 4, rAUTH_AT);
mf_crypto1_encrypt(pcs, rAUTH_AT, 4, response_par);
EmSendCmdPar(rAUTH_AT, 4, response_par);
num_to_bytes(ans, 4, response);
mf_crypto1_encrypt(pcs, response, 4, response_par);
EmSendCmdPar(response, 4, response_par);
if (DBGLEVEL >= DBG_EXTENDED) {
Dbprintf("[MFEMUL_AUTH1] AUTH COMPLETED for sector %d with key %c. time=%d",