From fef399044428a047c9f998e408770e68610a4cbd Mon Sep 17 00:00:00 2001
From: douniwan5788 <douniwan5788@gmail.com>
Date: Thu, 21 Apr 2016 15:44:24 +0800
Subject: [PATCH 1/3] support parity attack for any block

---
 armsrc/appmain.c   |  2 +-
 armsrc/apps.h      |  2 +-
 armsrc/iso14443a.c |  6 ++++--
 client/cmdhfmf.c   | 19 ++++++++++++++++++-
 4 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 475b1c1b..4807bc1b 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1110,7 +1110,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			break;
 			
 		case CMD_READER_MIFARE:
-			ReaderMifare(c->arg[0]);
+			ReaderMifare(c->arg[0], c->arg[1], c->arg[2]);
 			break;
 		case CMD_MIFARE_READBL:
 			MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
diff --git a/armsrc/apps.h b/armsrc/apps.h
index 4d4c8083..bef48d3e 100644
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@@ -113,7 +113,7 @@ void EPA_PACE_Collect_Nonce(UsbCommand * c);
 void EPA_PACE_Replay(UsbCommand *c);
 
 // mifarecmd.h
-void ReaderMifare(bool first_try);
+void ReaderMifare(bool first_try, uint8_t blockNo, uint8_t keyType);
 int32_t dist_nt(uint32_t nt1, uint32_t nt2);
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 27574dad..5a602c79 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -2022,16 +2022,18 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
 // (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
-void ReaderMifare(bool first_try)
+void ReaderMifare(bool first_try, uint8_t blockNo, uint8_t keyType)
 {
 	// Mifare AUTH
-	uint8_t mf_auth[]    = { 0x60,0x00,0xf5,0x7b };
+	uint8_t mf_auth[]    = { 0x60 + (keyType & 0x01), blockNo ,0x00,0x00 };
 	uint8_t mf_nr_ar[]   = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
 	static uint8_t mf_nr_ar3;
 
 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
 
+	AppendCrc14443a(mf_auth, 2);
+
 	if (first_try) { 
 		iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
 	}
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 48e78b1c..181c9316 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -19,7 +19,24 @@ int CmdHF14AMifare(const char *Cmd)
 	uint64_t par_list = 0, ks_list = 0, r_key = 0;
 	int16_t isOK = 0;
 
-	UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};
+	uint8_t blockNo = 0, keyType = 0;
+	char cmdp	= 0x00;
+
+	if (strlen(Cmd)<3) {
+		PrintAndLog("Usage:  hf mf mifare <block number> <key A/B>");
+		PrintAndLog("        sample: hf mf mi 0 A");
+		return 0;
+	}	
+
+	blockNo = param_get8(Cmd, 0);
+	cmdp = param_getchar(Cmd, 1);
+	if (cmdp == 0x00) {
+		PrintAndLog("Key type must be A or B");
+		return 1;
+	}
+	if (cmdp != 'A' && cmdp != 'a') keyType = 1;
+
+	UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, keyType}};
 
 	// message
 	printf("-------------------------------------------------------------------------\n");

From 13b71e58fddf20c5d42b8f0af1d72c795139b86f Mon Sep 17 00:00:00 2001
From: douniwan5788 <douniwan5788@gmail.com>
Date: Thu, 21 Apr 2016 15:50:26 +0800
Subject: [PATCH 2/3] add support for a new kind Magic Chinese UID changable
 Mifare Classic card

---
 armsrc/mifarecmd.c  | 24 +++++++-----------------
 armsrc/mifareutil.c |  4 +++-
 2 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index a3d6609d..36a6e8f5 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -1059,10 +1059,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 				break;
 			};
 
-			if(mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				break;
-			};
+			mifare_classic_halt(NULL, cuid);
 		};
 	
 		// reset chip
@@ -1079,10 +1076,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 				break;
 			};
 
-			if(mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				break;
-			};
+			mifare_classic_halt(NULL, cuid);
 		};	
 
 		// write block
@@ -1115,10 +1109,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 		};	
 	
 		if (workFlags & 0x04) {
-			if (mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				break;
-			};
+			mifare_classic_halt(NULL, cuid);
 		}
 		
 		isOK = 1;
@@ -1192,10 +1183,7 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 		memcpy(data, receivedAnswer, 18);
 		
 		if (workFlags & 0x04) {
-			if (mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				break;
-			};
+			mifare_classic_halt(NULL, cuid);
 		}
 		
 		isOK = 1;
@@ -1222,6 +1210,7 @@ void MifareCIdent(){
 	// card commands
 	uint8_t wupC1[]       = { 0x40 }; 
 	uint8_t wupC2[]       = { 0x43 }; 
+	uint8_t halt_ret	  = 0;
 	
 	// variables
 	byte_t isOK = 1;
@@ -1239,7 +1228,8 @@ void MifareCIdent(){
 		isOK = 0;
 	};
 
-	if (mifare_classic_halt(NULL, 0)) {
+	halt_ret = mifare_classic_halt(NULL, 0);
+	if (halt_ret && halt_ret != 4) {
 		isOK = 0;
 	};
 
diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c
index 8ef364c2..fb54c025 100644
--- a/armsrc/mifareutil.c
+++ b/armsrc/mifareutil.c
@@ -511,7 +511,9 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
 	len = mifare_sendcmd_short(pcs, pcs == NULL ? false:true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);
 	if (len != 0) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)
-			Dbprintf("halt error. response len: %x", len);  
+			Dbprintf("halt error. response len: %x data:%02X %02X %02X %02X", len, receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3]);  
+		if (len == 1 && receivedAnswer[0]==0x04)
+			return 4;
 		return 1;
 	}
 

From b75f4c6f102b1820a7205bf25d44a98afbd36f35 Mon Sep 17 00:00:00 2001
From: douniwan5788 <douniwan5788@gmail.com>
Date: Thu, 21 Apr 2016 15:51:30 +0800
Subject: [PATCH 3/3] some Mifare/CPU hybird card won't response to Mifare
 command any more if send RATS command

---
 armsrc/appmain.c   |  2 +-
 armsrc/epa.c       |  2 +-
 armsrc/iso14443a.c |  9 +++++----
 armsrc/iso14443a.h |  2 +-
 armsrc/mifarecmd.c | 30 +++++++++++++++---------------
 5 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 4807bc1b..fde20547 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -429,7 +429,7 @@ void StandAloneMode14a()
 						SpinDelay(300);
 					}
 				}
-				if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid))
+				if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, 1))
 					continue;
 				else
 				{
diff --git a/armsrc/epa.c b/armsrc/epa.c
index 50c7d878..e22a5a88 100644
--- a/armsrc/epa.c
+++ b/armsrc/epa.c
@@ -526,7 +526,7 @@ int EPA_Setup()
 	// power up the field
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
 	// select the card
-	return_code = iso14443a_select_card(uid, &card_select_info, NULL);
+	return_code = iso14443a_select_card(uid, &card_select_info, NULL, 0);
 	if (return_code == 1) {
 		// send the PPS request
 		ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 5a602c79..f9a33158 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -1698,7 +1698,7 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
 /* performs iso14443a anticollision procedure
  * fills the uid pointer unless NULL
  * fills resp_data unless NULL */
-int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr) {
+int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, uint8_t no_rats) {
 	uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
 	uint8_t sel_all[]    = { 0x93,0x20 };
 	uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
@@ -1821,7 +1821,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 	}
 
 	// non iso14443a compliant tag
-	if( (sak & 0x20) == 0) return 2; 
+	// some Mifare/CPU hybird card won't response to Mifare command any more if send RATS command.
+	if( no_rats || (sak & 0x20) == 0) return 2; 
 
 	// Request for answer to select
 	AppendCrc14443a(rats, 2);
@@ -1926,7 +1927,7 @@ void ReaderIso14443a(UsbCommand *c)
 		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 		if(!(param & ISO14A_NO_SELECT)) {
 			iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
-			arg0 = iso14443a_select_card(NULL,card,NULL);
+			arg0 = iso14443a_select_card(NULL,card,NULL,0);
 			cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
 		}
 	}
@@ -2125,7 +2126,7 @@ void ReaderMifare(bool first_try, uint8_t blockNo, uint8_t keyType)
 			SpinDelay(100);
 		}
 		
-		if(!iso14443a_select_card(uid, NULL, &cuid)) {
+		if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 			if (MF_DBGLEVEL >= 1)	Dbprintf("Mifare: Can't select card");
 			continue;
 		}
diff --git a/armsrc/iso14443a.h b/armsrc/iso14443a.h
index ec99ab99..5bcb1fbf 100644
--- a/armsrc/iso14443a.h
+++ b/armsrc/iso14443a.h
@@ -82,7 +82,7 @@ extern int ReaderReceive(uint8_t *receivedAnswer, uint8_t *par);
 
 extern void iso14443a_setup(uint8_t fpga_minor_mode);
 extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data);
-extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr);
+extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr, uint8_t no_rats);
 extern void iso14a_set_trigger(bool enable);
 
 #endif /* __ISO14443A_H */
diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index 36a6e8f5..88f9aae4 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -53,7 +53,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	LED_C_OFF();
 
 	while (true) {
-		if(!iso14443a_select_card(uid, NULL, &cuid)) {
+		if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 			if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 			break;
 		};
@@ -100,7 +100,7 @@ void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
 
 	clear_trace();
 
-	if(!iso14443a_select_card(NULL, NULL, NULL)) {
+	if(!iso14443a_select_card(NULL, NULL, NULL, 1)) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
 		OnError(0);
 		return;
@@ -135,7 +135,7 @@ void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
 
 	clear_trace();
 
-	int len = iso14443a_select_card(NULL, NULL, NULL);
+	int len = iso14443a_select_card(NULL, NULL, NULL, 1);
 	if(!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
 		OnError(1);
@@ -211,7 +211,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	LED_C_OFF();
 
 	isOK = 1;
-	if(!iso14443a_select_card(uid, NULL, &cuid)) {
+	if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 		isOK = 0;
 		if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 	}
@@ -275,7 +275,7 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 		return;
 	}
 
-	int len = iso14443a_select_card(NULL, NULL, NULL);
+	int len = iso14443a_select_card(NULL, NULL, NULL, 1);
 	if (!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
 		OnError(1);
@@ -377,7 +377,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	LED_C_OFF();
 
 	while (true) {
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
+			if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 			if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 			break;
 		};
@@ -431,7 +431,7 @@ void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
 	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
-	if(!iso14443a_select_card(uid, NULL, NULL)) {
+	if(!iso14443a_select_card(uid, NULL, NULL, 1)) {
 		if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");
 		OnError(0);
 		return;
@@ -477,7 +477,7 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
 
 	clear_trace();
 
-	if(!iso14443a_select_card(NULL, NULL, NULL)) {
+	if(!iso14443a_select_card(NULL, NULL, NULL, 1)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
 		OnError(0);
 		return;
@@ -536,7 +536,7 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
 
 	clear_trace();
 
-	if(!iso14443a_select_card(NULL, NULL, NULL)) {
+	if(!iso14443a_select_card(NULL, NULL, NULL, 1)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
 		OnError(0);
 		return;
@@ -672,7 +672,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 				continue;
 			}
 
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
+			if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Can't select card");
 				rtr--;
 				continue;
@@ -746,7 +746,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 				continue;
 			}
 
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
+			if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Can't select card");
 				continue;
 			};
@@ -861,7 +861,7 @@ void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 			if (MF_DBGLEVEL >= 1)	Dbprintf("ChkKeys: Halt error");
 		}
 
-		if(!iso14443a_select_card(uid, NULL, &cuid)) {
+		if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 			if (OLD_MF_DBGLEVEL >= 1)	Dbprintf("ChkKeys: Can't select card");
 			break;
 		};
@@ -954,7 +954,7 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 	
 	bool isOK = true;
 
-	if(!iso14443a_select_card(uid, NULL, &cuid)) {
+	if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 		isOK = false;
 		if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 	}
@@ -1054,7 +1054,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 
 		// get UID from chip
 		if (workFlags & 0x01) {
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
+			if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 				break;
 			};
@@ -1249,7 +1249,7 @@ void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 	clear_trace();
 
-	int len = iso14443a_select_card(uid, NULL, &cuid);
+	int len = iso14443a_select_card(uid, NULL, &cuid, 0);
 	if(!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
 		OnError(1);