]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
CHG: added a check if err variable is NIL.
[proxmark3-svn] / armsrc / iso14443a.c
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index bfbc70c7e6d645597a627f5de0ee9ee4eba5e900..7c0913d83fe3072c1ff747cd218748b9d6487903 100644 (file)
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -9,18 +9,7 @@
 //-----------------------------------------------------------------------------
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------
-
-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
-#include "string.h"
-#include "cmd.h"
-#include "iso14443crc.h"
 #include "iso14443a.h"
 #include "iso14443a.h"
-#include "crapto1.h"
-#include "mifareutil.h"
-#include "BigBuf.h"
-#include "parity.h"
 
 static uint32_t iso14a_timeout;
 int rsamples = 0;
 
 static uint32_t iso14a_timeout;
 int rsamples = 0;
@@ -28,6 +17,8 @@ uint8_t trigger = 0;
 // the block number for the ISO14443-4 PCB
 static uint8_t iso14_pcb_blocknum = 0;
 
 // the block number for the ISO14443-4 PCB
 static uint8_t iso14_pcb_blocknum = 0;
 
+static uint8_t* free_buffer_pointer;
+
 //
 // ISO14443 timing:
 //
 //
 // ISO14443 timing:
 //
@@ -106,8 +97,6 @@ static uint32_t NextTransferTime;
 static uint32_t LastTimeProxToAirStart;
 static uint32_t LastProxToAirDuration;
 
 static uint32_t LastTimeProxToAirStart;
 static uint32_t LastProxToAirDuration;
 
-
-
 // CARD TO READER - manchester
 // Sequence D: 11110000 modulation with subcarrier during first half
 // Sequence E: 00001111 modulation with subcarrier during second half
 // CARD TO READER - manchester
 // Sequence D: 11110000 modulation with subcarrier during first half
 // Sequence E: 00001111 modulation with subcarrier during second half
@@ -127,41 +116,39 @@ void iso14a_set_trigger(bool enable) {
        trigger = enable;
 }
 
        trigger = enable;
 }
 
-
 void iso14a_set_timeout(uint32_t timeout) {
        iso14a_timeout = timeout;
        if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
 }
 
 void iso14a_set_timeout(uint32_t timeout) {
        iso14a_timeout = timeout;
        if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
 }
 
-
 void iso14a_set_ATS_timeout(uint8_t *ats) {
 void iso14a_set_ATS_timeout(uint8_t *ats) {
-
        uint8_t tb1;
        uint8_t fwi; 
        uint32_t fwt;
        
        if (ats[0] > 1) {                                                       // there is a format byte T0
                if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
        uint8_t tb1;
        uint8_t fwi; 
        uint32_t fwt;
        
        if (ats[0] > 1) {                                                       // there is a format byte T0
                if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
-                       if ((ats[1] & 0x10) == 0x10) {          // there is an interface byte TA(1) preceding TB(1)
+
+                       if ((ats[1] & 0x10) == 0x10)            // there is an interface byte TA(1) preceding TB(1)
                                tb1 = ats[3];
                                tb1 = ats[3];
-                       } else {
+                       else
                                tb1 = ats[2];
                                tb1 = ats[2];
-                       }
+
                        fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
                        fwt = 256 * 16 * (1 << fwi);            // frame waiting time (FWT) in 1/fc
                        fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
                        fwt = 256 * 16 * (1 << fwi);            // frame waiting time (FWT) in 1/fc
+                       //fwt = 4096 * (1 << fwi);
                        
                        iso14a_set_timeout(fwt/(8*16));
                        
                        iso14a_set_timeout(fwt/(8*16));
+                       //iso14a_set_timeout(fwt/128);
                }
        }
 }
 
                }
        }
 }
 
-
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
-void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
-{
+void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par) {
        uint16_t paritybit_cnt = 0;
        uint16_t paritybyte_cnt = 0;
        uint8_t parityBits = 0;
        uint16_t paritybit_cnt = 0;
        uint16_t paritybyte_cnt = 0;
        uint8_t parityBits = 0;
@@ -180,21 +167,13 @@ void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
        }
 
        // save remaining parity bits
        }
 
        // save remaining parity bits
-       par[paritybyte_cnt] = parityBits;
-       
+       par[paritybyte_cnt] = parityBits;       
 }
 
 }
 
-void AppendCrc14443a(uint8_t* data, int len)
-{
+void AppendCrc14443a(uint8_t* data, int len) {
        ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
 }
 
        ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
 }
 
-void AppendCrc14443b(uint8_t* data, int len)
-{
-       ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
-}
-
-
 //=============================================================================
 // ISO 14443 Type A - Miller decoder
 //=============================================================================
 //=============================================================================
 // ISO 14443 Type A - Miller decoder
 //=============================================================================
@@ -226,8 +205,7 @@ const bool Mod_Miller_LUT[] = {
 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
 
 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
 
-void UartReset()
-{
+void UartReset() {
        Uart.state = STATE_UNSYNCD;
        Uart.bitCount = 0;
        Uart.len = 0;                                           // number of decoded data bytes
        Uart.state = STATE_UNSYNCD;
        Uart.bitCount = 0;
        Uart.len = 0;                                           // number of decoded data bytes
@@ -242,8 +220,7 @@ void UartReset()
        Uart.syncBit = 9999;
 }
 
        Uart.syncBit = 9999;
 }
 
-void UartInit(uint8_t *data, uint8_t *parity)
-{
+void UartInit(uint8_t *data, uint8_t *parity) {
        Uart.output = data;
        Uart.parity = parity;
        Uart.fourBits = 0x00000000;                     // clear the buffer for 4 Bits
        Uart.output = data;
        Uart.parity = parity;
        Uart.fourBits = 0x00000000;                     // clear the buffer for 4 Bits
@@ -251,14 +228,11 @@ void UartInit(uint8_t *data, uint8_t *parity)
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
-static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
-{
-
+static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
        Uart.fourBits = (Uart.fourBits << 8) | bit;
        
        if (Uart.state == STATE_UNSYNCD) {                                                                                      // not yet synced
        Uart.fourBits = (Uart.fourBits << 8) | bit;
        
        if (Uart.state == STATE_UNSYNCD) {                                                                                      // not yet synced
-       
-               Uart.syncBit = 9999;                                                                                                    // not set
+                       Uart.syncBit = 9999;                                                                                            // not set
                
                // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated           Sequence Z (a "0" or "start of communication")
                // 11111111 8 ticks unmodulation                                                                        Sequence Y (a "0" or "end of communication" or "no information")
                
                // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated           Sequence Z (a "0" or "start of communication")
                // 11111111 8 ticks unmodulation                                                                        Sequence Y (a "0" or "end of communication" or "no information")
@@ -282,12 +256,11 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
                else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
 
                if (Uart.syncBit != 9999) {                                                                                             // found a sync bit
                else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
 
                if (Uart.syncBit != 9999) {                                                                                             // found a sync bit
-                               Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
-                               Uart.startTime -= Uart.syncBit;
-                               Uart.endTime = Uart.startTime;
-                               Uart.state = STATE_START_OF_COMMUNICATION;
-                       }
-
+                       Uart.startTime = non_real_time ? non_real_time : (GetCountSspClk() & 0xfffffff8);
+                       Uart.startTime -= Uart.syncBit;
+                       Uart.endTime = Uart.startTime;
+                       Uart.state = STATE_START_OF_COMMUNICATION;
+               }
        } else {
 
                if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {                 
        } else {
 
                if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {                 
@@ -373,14 +346,10 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
                                }
                        }
                }
                                }
                        }
                }
-                       
        } 
        } 
-
     return FALSE;      // not finished yet, need more data
 }
 
     return FALSE;      // not finished yet, need more data
 }
 
-
-
 //=============================================================================
 // ISO 14443 Type A - Manchester decoder
 //=============================================================================
 //=============================================================================
 // ISO 14443 Type A - Manchester decoder
 //=============================================================================
@@ -408,9 +377,7 @@ const bool Mod_Manchester_LUT[] = {
 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
 
 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
 
-
-void DemodReset()
-{
+void DemodReset() {
        Demod.state = DEMOD_UNSYNCD;
        Demod.len = 0;                                          // number of decoded data bytes
        Demod.parityLen = 0;
        Demod.state = DEMOD_UNSYNCD;
        Demod.len = 0;                                          // number of decoded data bytes
        Demod.parityLen = 0;
@@ -420,25 +387,20 @@ void DemodReset()
        Demod.twoBits = 0xffff;                         // buffer for 2 Bits
        Demod.highCnt = 0;
        Demod.startTime = 0;
        Demod.twoBits = 0xffff;                         // buffer for 2 Bits
        Demod.highCnt = 0;
        Demod.startTime = 0;
-       Demod.endTime = 0;
-       
-       //
+       Demod.endTime = 0;      
        Demod.bitCount = 0;
        Demod.syncBit = 0xFFFF;
        Demod.samples = 0;
 }
 
        Demod.bitCount = 0;
        Demod.syncBit = 0xFFFF;
        Demod.samples = 0;
 }
 
-void DemodInit(uint8_t *data, uint8_t *parity)
-{
+void DemodInit(uint8_t *data, uint8_t *parity) {
        Demod.output = data;
        Demod.parity = parity;
        DemodReset();
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
        Demod.output = data;
        Demod.parity = parity;
        DemodReset();
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
-static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
-{
-
+static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) {
        Demod.twoBits = (Demod.twoBits << 8) | bit;
        
        if (Demod.state == DEMOD_UNSYNCD) {
        Demod.twoBits = (Demod.twoBits << 8) | bit;
        
        if (Demod.state == DEMOD_UNSYNCD) {
@@ -466,7 +428,6 @@ static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non
                                Demod.state = DEMOD_MANCHESTER_DATA;
                        }
                }
                                Demod.state = DEMOD_MANCHESTER_DATA;
                        }
                }
-
        } else {
 
                if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) {            // modulation in first half
        } else {
 
                if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) {            // modulation in first half
@@ -537,6 +498,7 @@ static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non
 // Record the sequence of commands sent by the reader to the tag, with
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
 // Record the sequence of commands sent by the reader to the tag, with
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
+// "hf 14a sniff"
 //-----------------------------------------------------------------------------
 void RAMFUNC SniffIso14443a(uint8_t param) {
        // param:
 //-----------------------------------------------------------------------------
 void RAMFUNC SniffIso14443a(uint8_t param) {
        // param:
@@ -548,9 +510,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
        
        // Allocate memory from BigBuf for some buffers
        // free all previous allocations first
        
        // Allocate memory from BigBuf for some buffers
        // free all previous allocations first
-       BigBuf_free();
-       
-       // init trace buffer
+       BigBuf_free(); BigBuf_Clear_ext(false);
        clear_trace();
        set_tracing(TRUE);
        
        clear_trace();
        set_tracing(TRUE);
        
@@ -579,7 +539,10 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
        UartInit(receivedCmd, receivedCmdPar);
        
        // Setup and start DMA.
        UartInit(receivedCmd, receivedCmdPar);
        
        // Setup and start DMA.
-       FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+       if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+               if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+               return;
+       }
        
        // We won't start recording the frames that we acquire until we trigger;
        // a good trigger condition to get started is probably when we see a
        
        // We won't start recording the frames that we acquire until we trigger;
        // a good trigger condition to get started is probably when we see a
@@ -675,7 +638,6 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
                                        DemodReset();
                                        // And reset the Miller decoder including itS (now outdated) input buffer
                                        UartInit(receivedCmd, receivedCmdPar);
                                        DemodReset();
                                        // And reset the Miller decoder including itS (now outdated) input buffer
                                        UartInit(receivedCmd, receivedCmdPar);
-
                                        LED_C_OFF();
                                } 
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
                                        LED_C_OFF();
                                } 
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
@@ -690,20 +652,20 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
                }
        } // main cycle
 
                }
        } // main cycle
 
+       if (MF_DBGLEVEL >= 1) {
+               Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
+               Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
+       }
        FpgaDisableSscDma();
        FpgaDisableSscDma();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        LEDsoff();
-
-       Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
-       Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
-       
        set_tracing(FALSE);     
 }
 
 //-----------------------------------------------------------------------------
 // Prepare tag messages
 //-----------------------------------------------------------------------------
        set_tracing(FALSE);     
 }
 
 //-----------------------------------------------------------------------------
 // Prepare tag messages
 //-----------------------------------------------------------------------------
-static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
-{
+static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity) {
        ToSendReset();
 
        // Correction bit, might be removed when not needed
        ToSendReset();
 
        // Correction bit, might be removed when not needed
@@ -747,21 +709,17 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *par
        ToSend[++ToSendMax] = SEC_F;
 
        // Convert from last byte pos to length
        ToSend[++ToSendMax] = SEC_F;
 
        // Convert from last byte pos to length
-       ToSendMax++;
+       ++ToSendMax;
 }
 
 }
 
-static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len)
-{
-       uint8_t par[MAX_PARITY_SIZE];
-       
+static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len) {
+       uint8_t par[MAX_PARITY_SIZE] = {0};
        GetParity(cmd, len, par);
        CodeIso14443aAsTagPar(cmd, len, par);
 }
 
        GetParity(cmd, len, par);
        CodeIso14443aAsTagPar(cmd, len, par);
 }
 
-
-static void Code4bitAnswerAsTag(uint8_t cmd)
-{
-       int i;
+static void Code4bitAnswerAsTag(uint8_t cmd) {
+       uint8_t b = cmd;
 
        ToSendReset();
 
 
        ToSendReset();
 
@@ -778,8 +736,7 @@ static void Code4bitAnswerAsTag(uint8_t cmd)
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
 
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
 
-       uint8_t b = cmd;
-       for(i = 0; i < 4; i++) {
+       for(uint8_t i = 0; i < 4; i++) {
                if(b & 1) {
                        ToSend[++ToSendMax] = SEC_D;
                        LastProxToAirDuration = 8 * ToSendMax - 4;
                if(b & 1) {
                        ToSend[++ToSendMax] = SEC_D;
                        LastProxToAirDuration = 8 * ToSendMax - 4;
@@ -802,15 +759,14 @@ static void Code4bitAnswerAsTag(uint8_t cmd)
 // Stop when button is pressed
 // Or return TRUE when command is captured
 //-----------------------------------------------------------------------------
 // Stop when button is pressed
 // Or return TRUE when command is captured
 //-----------------------------------------------------------------------------
-static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
-{
+static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) {
     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
     // only, since we are receiving, not transmitting).
     // Signal field is off with the appropriate LED
     LED_D_OFF();
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
     // only, since we are receiving, not transmitting).
     // Signal field is off with the appropriate LED
     LED_D_OFF();
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
-    // Now run a `software UART' on the stream of incoming samples.
+    // Now run a `software UART` on the stream of incoming samples.
        UartInit(received, parity);
 
        // clear RXRDY:
        UartInit(received, parity);
 
        // clear RXRDY:
@@ -831,26 +787,6 @@ static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int
     }
 }
 
     }
 }
 
-static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
-int EmSend4bitEx(uint8_t resp, bool correctionNeeded);
-int EmSend4bit(uint8_t resp);
-int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par);
-int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
-int EmSendCmd(uint8_t *resp, uint16_t respLen);
-int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
-bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
-                                uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
-
-static uint8_t* free_buffer_pointer;
-
-typedef struct {
-  uint8_t* response;
-  size_t   response_n;
-  uint8_t* modulation;
-  size_t   modulation_n;
-  uint32_t ProxToAirDuration;
-} tag_response_info_t;
-
 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
        // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
        // This will need the following byte array for a modulation sequence
 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
        // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
        // This will need the following byte array for a modulation sequence
@@ -862,28 +798,24 @@ bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffe
        // ----------- +
        //    166 bytes, since every bit that needs to be send costs us a byte
        //
        // ----------- +
        //    166 bytes, since every bit that needs to be send costs us a byte
        //
-  // Prepare the tag modulation bits from the message
-  CodeIso14443aAsTag(response_info->response,response_info->response_n);
-  
-  // Make sure we do not exceed the free buffer space
-  if (ToSendMax > max_buffer_size) {
-    Dbprintf("Out of memory, when modulating bits for tag answer:");
-    Dbhexdump(response_info->response_n,response_info->response,false);
-    return false;
-  }
-  
-  // Copy the byte array, used for this modulation to the buffer position
-  memcpy(response_info->modulation,ToSend,ToSendMax);
-  
-  // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
-  response_info->modulation_n = ToSendMax;
-  response_info->ProxToAirDuration = LastProxToAirDuration;
-  
-  return true;
-}
+       // Prepare the tag modulation bits from the message
+       CodeIso14443aAsTag(response_info->response,response_info->response_n);
+
+       // Make sure we do not exceed the free buffer space
+       if (ToSendMax > max_buffer_size) {
+               Dbprintf("Out of memory, when modulating bits for tag answer:");
+               Dbhexdump(response_info->response_n,response_info->response,false);
+               return FALSE;
+       }
+
+       // Copy the byte array, used for this modulation to the buffer position
+       memcpy(response_info->modulation,ToSend,ToSendMax);
 
 
+       // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
+       response_info->modulation_n = ToSendMax;
+       response_info->ProxToAirDuration = LastProxToAirDuration;
+       return TRUE;
+}
 
 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
 
 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
@@ -894,84 +826,88 @@ bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffe
 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453 
 
 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453 
 
 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
-  // Retrieve and store the current buffer index
-  response_info->modulation = free_buffer_pointer;
-  
-  // Determine the maximum size we can use from our buffer
-  size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
-  
-  // Forward the prepare tag modulation function to the inner function
-  if (prepare_tag_modulation(response_info, max_buffer_size)) {
-    // Update the free buffer offset
-    free_buffer_pointer += ToSendMax;
-    return true;
-  } else {
-    return false;
-  }
+       // Retrieve and store the current buffer index
+       response_info->modulation = free_buffer_pointer;
+
+       // Determine the maximum size we can use from our buffer
+       size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
+
+       // Forward the prepare tag modulation function to the inner function
+       if (prepare_tag_modulation(response_info, max_buffer_size)) {
+               // Update the free buffer offset
+               free_buffer_pointer += ToSendMax;
+               return true;
+       } else {
+               return false;
+       }
 }
 
 //-----------------------------------------------------------------------------
 // Main loop of simulated tag: receive commands from reader, decide what
 // response to send, and send it.
 }
 
 //-----------------------------------------------------------------------------
 // Main loop of simulated tag: receive commands from reader, decide what
 // response to send, and send it.
+// 'hf 14a sim'
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
-{
-       uint32_t counters[] = {0,0,0};
-       //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
-       // This can be used in a reader-only attack.
-       // (it can also be retrieved via 'hf 14a list', but hey...
-       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
-       uint8_t ar_nr_collected = 0;
+void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
+
+       uint8_t sak = 0;
+       uint32_t cuid = 0;                      
+       uint32_t nonce = 0;
        
        
-       uint8_t sak;
-                                       
        // PACK response to PWD AUTH for EV1/NTAG
        // PACK response to PWD AUTH for EV1/NTAG
-       uint8_t response8[4] =  {0,0,0,0};
+       uint8_t response8[4] = {0,0,0,0};
+       // Counter for EV1/NTAG
+       uint32_t counters[] = {0,0,0};
        
        // The first response contains the ATQA (note: bytes are transmitted in reverse order).
        
        // The first response contains the ATQA (note: bytes are transmitted in reverse order).
-       uint8_t response1[2] =  {0,0};
+       uint8_t response1[] = {0,0};
+
+       // Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, CUID, block2, keytyp2, NT2, NR2, AR2
+       // it should also collect block, keytype.
+       uint8_t cardAUTHSC = 0;
+       uint8_t cardAUTHKEY = 0xff;  // no authentication
+       // allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
+       #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius)
+       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
+
+       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
+       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+       uint8_t nonce1_count = 0;
+       uint8_t nonce2_count = 0;
+       uint8_t moebius_n_count = 0;
+       bool gettingMoebius = false;
+       uint8_t mM = 0; // moebius_modifier for collection storage
+
        
        switch (tagType) {
        
        switch (tagType) {
-               case 1: { // MIFARE Classic
-                       // Says: I am Mifare 1k - original line
+               case 1: { // MIFARE Classic 1k 
                        response1[0] = 0x04;
                        response1[0] = 0x04;
-                       response1[1] = 0x00;
                        sak = 0x08;
                } break;
                case 2: { // MIFARE Ultralight
                        sak = 0x08;
                } break;
                case 2: { // MIFARE Ultralight
-                       // Says: I am a stupid memory tag, no crypto
                        response1[0] = 0x44;
                        response1[0] = 0x44;
-                       response1[1] = 0x00;
                        sak = 0x00;
                } break;
                case 3: { // MIFARE DESFire
                        sak = 0x00;
                } break;
                case 3: { // MIFARE DESFire
-                       // Says: I am a DESFire tag, ph33r me
                        response1[0] = 0x04;
                        response1[1] = 0x03;
                        sak = 0x20;
                } break;
                        response1[0] = 0x04;
                        response1[1] = 0x03;
                        sak = 0x20;
                } break;
-               case 4: { // ISO/IEC 14443-4
-                       // Says: I am a javacard (JCOP)
+               case 4: { // ISO/IEC 14443-4 - javacard (JCOP)
                        response1[0] = 0x04;
                        response1[0] = 0x04;
-                       response1[1] = 0x00;
                        sak = 0x28;
                } break;
                case 5: { // MIFARE TNP3XXX
                        sak = 0x28;
                } break;
                case 5: { // MIFARE TNP3XXX
-                       // Says: I am a toy
                        response1[0] = 0x01;
                        response1[1] = 0x0f;
                        sak = 0x01;
                } break;
                        response1[0] = 0x01;
                        response1[1] = 0x0f;
                        sak = 0x01;
                } break;
-               case 6: { // MIFARE Mini
-                       // Says: I am a Mifare Mini, 320b
+               case 6: { // MIFARE Mini 320b
                        response1[0] = 0x44;
                        response1[0] = 0x44;
-                       response1[1] = 0x00;
                        sak = 0x09;
                } break;
                        sak = 0x09;
                } break;
-               case 7: { // NTAG?
-                       // Says: I am a NTAG, 
+               case 7: { // NTAG
                        response1[0] = 0x44;
                        response1[0] = 0x44;
-                       response1[1] = 0x00;
                        sak = 0x00;
                        // PACK
                        response8[0] = 0x80;
                        sak = 0x00;
                        // PACK
                        response8[0] = 0x80;
@@ -982,8 +918,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                                uint16_t start = 4 * (0+12);  
                                uint8_t emdata[8];
                                emlGetMemBt( emdata, start, sizeof(emdata));
                                uint16_t start = 4 * (0+12);  
                                uint8_t emdata[8];
                                emlGetMemBt( emdata, start, sizeof(emdata));
-                               memcpy(data, emdata, 3); //uid bytes 0-2
-                               memcpy(data+3, emdata+4, 4); //uid bytes 3-7
+                               memcpy(data, emdata, 3); // uid bytes 0-2
+                               memcpy(data+3, emdata+4, 4); // uid bytes 3-7
                                flags |= FLAG_7B_UID_IN_DATA;
                        }
                } break;                
                                flags |= FLAG_7B_UID_IN_DATA;
                        }
                } break;                
@@ -996,11 +932,11 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        // The second response contains the (mandatory) first 24 bits of the UID
        uint8_t response2[5] = {0x00};
 
        // The second response contains the (mandatory) first 24 bits of the UID
        uint8_t response2[5] = {0x00};
 
-       // Check if the uid uses the (optional) part
+       // For UID size 7, 
        uint8_t response2a[5] = {0x00};
        
        uint8_t response2a[5] = {0x00};
        
-       if (flags & FLAG_7B_UID_IN_DATA) {
-               response2[0] = 0x88;
+       if ( (flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA ) {
+               response2[0] = 0x88;  // Cascade Tag marker
                response2[1] = data[0];
                response2[2] = data[1];
                response2[3] = data[2];
                response2[1] = data[0];
                response2[2] = data[1];
                response2[3] = data[2];
@@ -1014,20 +950,21 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                // Configure the ATQA and SAK accordingly
                response1[0] |= 0x40;
                sak |= 0x04;
                // Configure the ATQA and SAK accordingly
                response1[0] |= 0x40;
                sak |= 0x04;
+               
+               cuid = bytes_to_num(data+3, 4);
        } else {
                memcpy(response2, data, 4);
        } else {
                memcpy(response2, data, 4);
-               //num_to_bytes(uid_1st,4,response2);
                // Configure the ATQA and SAK accordingly
                response1[0] &= 0xBF;
                sak &= 0xFB;
                // Configure the ATQA and SAK accordingly
                response1[0] &= 0xBF;
                sak &= 0xFB;
+               cuid = bytes_to_num(data, 4);
        }
 
        // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
        response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
 
        // Prepare the mandatory SAK (for 4 and 7 byte UID)
        }
 
        // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
        response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
 
        // Prepare the mandatory SAK (for 4 and 7 byte UID)
-       uint8_t response3[3]  = {0x00};
-       response3[0] = sak;
+       uint8_t response3[3]  = {sak, 0x00, 0x00};
        ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
 
        // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
        ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
 
        // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
@@ -1035,20 +972,22 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        response3a[0] = sak & 0xFB;
        ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
        response3a[0] = sak & 0xFB;
        ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
-       uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
-       uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: 
+       uint8_t response5[] = { 0x01, 0x01, 0x01, 0x01 };                               // Very random tag nonce
+       uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 };   // dummy ATS (pseudo-ATR), answer to RATS: 
        // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
        // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
        // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
        // TC(1) = 0x02: CID supported, NAD not supported
        ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
 
        // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
        // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
        // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
        // TC(1) = 0x02: CID supported, NAD not supported
        ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
 
-       // Prepare GET_VERSION (different for UL EV-1 / NTAG)
-       //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7};  //EV1 48bytes VERSION.
-       //uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
+       // the randon nonce
+       nonce = bytes_to_num(response5, 4);     
        
        
+       // Prepare GET_VERSION (different for UL EV-1 / NTAG)
+       // uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7};  //EV1 48bytes VERSION.
+       // uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215  
        // Prepare CHK_TEARING
        // Prepare CHK_TEARING
-       //uint8_t response9[] =  {0xBD,0x90,0x3f};
+       // uint8_t response9[] =  {0xBD,0x90,0x3f};
        
        #define TAG_RESPONSE_COUNT 10
        tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
        
        #define TAG_RESPONSE_COUNT 10
        tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
@@ -1059,10 +998,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                { .response = response3a, .response_n = sizeof(response3a) },  // Acknowledge select - cascade 2
                { .response = response5,  .response_n = sizeof(response5)  },  // Authentication answer (random nonce)
                { .response = response6,  .response_n = sizeof(response6)  },  // dummy ATS (pseudo-ATR), answer to RATS
                { .response = response3a, .response_n = sizeof(response3a) },  // Acknowledge select - cascade 2
                { .response = response5,  .response_n = sizeof(response5)  },  // Authentication answer (random nonce)
                { .response = response6,  .response_n = sizeof(response6)  },  // dummy ATS (pseudo-ATR), answer to RATS
-               //{ .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
-               { .response = response8,   .response_n = sizeof(response8) },  // EV1/NTAG PACK response
-               //{ .response = response9,      .response_n = sizeof(response9)     }  // EV1/NTAG CHK_TEAR response
-       };
+
+               { .response = response8,   .response_n = sizeof(response8) }  // EV1/NTAG PACK response
+       };      
+               // { .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
+               // { .response = response9,      .response_n = sizeof(response9)     }  // EV1/NTAG CHK_TEAR response
+       
 
        // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
        // Such a response is less time critical, so we can prepare them on the fly
 
        // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
        // Such a response is less time critical, so we can prepare them on the fly
@@ -1081,21 +1022,18 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        BigBuf_free_keep_EM();
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        BigBuf_free_keep_EM();
+       clear_trace();
+       set_tracing(TRUE);
 
        // allocate buffers:
        uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
        uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
        free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
 
 
        // allocate buffers:
        uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
        uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
        free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
 
-       // clear trace
-       clear_trace();
-       set_tracing(TRUE);
-
        // Prepare the responses of the anticollision phase
        // there will be not enough time to do this at the moment the reader sends it REQA
        // Prepare the responses of the anticollision phase
        // there will be not enough time to do this at the moment the reader sends it REQA
-       for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
+       for (size_t i=0; i<TAG_RESPONSE_COUNT; i++)
                prepare_allocated_tag_modulation(&responses[i]);
                prepare_allocated_tag_modulation(&responses[i]);
-       }
 
        int len = 0;
 
 
        int len = 0;
 
@@ -1107,80 +1045,78 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        int happened = 0;
        int happened2 = 0;
        int cmdsRecvd = 0;
        int happened = 0;
        int happened2 = 0;
        int cmdsRecvd = 0;
-
-       cmdsRecvd = 0;
        tag_response_info_t* p_response;
 
        LED_A_ON();
        tag_response_info_t* p_response;
 
        LED_A_ON();
-       for(;;) {
+       for(;;) {       
+               WDT_HIT();
+               
                // Clean receive command buffer
                if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
                        DbpString("Button press");
                        break;
                }
                // Clean receive command buffer
                if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
                        DbpString("Button press");
                        break;
                }
-
+               
+               // incease nonce at every command recieved
+               nonce++;
+               num_to_bytes(nonce, 4, response5);
+               
                p_response = NULL;
                
                // Okay, look at the command now.
                lastorder = order;
                p_response = NULL;
                
                // Okay, look at the command now.
                lastorder = order;
-               if(receivedCmd[0] == 0x26) { // Received a REQUEST
+               if(receivedCmd[0] == ISO14443A_CMD_REQA) { // Received a REQUEST
                        p_response = &responses[0]; order = 1;
                        p_response = &responses[0]; order = 1;
-               } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
+               } else if(receivedCmd[0] == ISO14443A_CMD_WUPA) { // Received a WAKEUP
                        p_response = &responses[0]; order = 6;
                        p_response = &responses[0]; order = 6;
-               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) {   // Received request for UID (cascade 1)
+               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {       // Received request for UID (cascade 1)
                        p_response = &responses[1]; order = 2;
                        p_response = &responses[1]; order = 2;
-               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) {   // Received request for UID (cascade 2)
+               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) {     // Received request for UID (cascade 2)
                        p_response = &responses[2]; order = 20;
                        p_response = &responses[2]; order = 20;
-               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) {   // Received a SELECT (cascade 1)
+               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {       // Received a SELECT (cascade 1)
                        p_response = &responses[3]; order = 3;
                        p_response = &responses[3]; order = 3;
-               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) {   // Received a SELECT (cascade 2)
-                       p_response = &responses[4]; order = 30;
-               } else if(receivedCmd[0] == 0x30) {     // Received a (plain) READ
+               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) {     // Received a SELECT (cascade 2)
+                       p_response = &responses[4]; order = 30;         
+               } else if(receivedCmd[0] == ISO14443A_CMD_READBLOCK) {  // Received a (plain) READ
                        uint8_t block = receivedCmd[1];
                        // if Ultralight or NTAG (4 byte blocks)
                        if ( tagType == 7 || tagType == 2 ) {
                        uint8_t block = receivedCmd[1];
                        // if Ultralight or NTAG (4 byte blocks)
                        if ( tagType == 7 || tagType == 2 ) {
-                               //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                               // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
                                uint16_t start = 4 * (block+12);  
                                uint16_t start = 4 * (block+12);  
-                                       uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
-                                       emlGetMemBt( emdata, start, 16);
-                                       AppendCrc14443a(emdata, 16);
-                                       EmSendCmdEx(emdata, sizeof(emdata), false);                             
+                               uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+                               emlGetMemBt( emdata, start, 16);
+                               AppendCrc14443a(emdata, 16);
+                               EmSendCmdEx(emdata, sizeof(emdata), false);
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        } else { // all other tags (16 byte block tags)
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        } else { // all other tags (16 byte block tags)
-                               EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
+                               uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+                               emlGetMemBt( emdata, block, 16);
+                               AppendCrc14443a(emdata, 16);
+                               EmSendCmdEx(emdata, sizeof(emdata), false);
+                               // EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
                                // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        }
                                // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        }
-               } else if(receivedCmd[0] == 0x3A) {     // Received a FAST READ (ranged read)
-                               
-                               uint8_t emdata[MAX_FRAME_SIZE];
-                               //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
-                               int start =  (receivedCmd[1]+12) * 4; 
-                               int len   = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
-                               emlGetMemBt( emdata, start, len);
-                               AppendCrc14443a(emdata, len);
-                               EmSendCmdEx(emdata, len+2, false);                              
-                               p_response = NULL;
-                               
-               } else if(receivedCmd[0] == 0x3C && tagType == 7) {     // Received a READ SIGNATURE -- 
-                               // ECC data,  taken from a NTAG215 amiibo token. might work. LEN: 32, + 2 crc
-                               //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
-                               uint16_t start = 4 * 4;
-                               uint8_t emdata[34];
-                               emlGetMemBt( emdata, start, 32);
-                               AppendCrc14443a(emdata, 32);
-                               EmSendCmdEx(emdata, sizeof(emdata), false);
-                               //uint8_t data[] = {0x56,0x06,0xa6,0x4f,0x43,0x32,0x53,0x6f,
-                               //                                0x43,0xda,0x45,0xd6,0x61,0x38,0xaa,0x1e,
-                               //                                0xcf,0xd3,0x61,0x36,0xca,0x5f,0xbb,0x05,
-                               //                                0xce,0x21,0x24,0x5b,0xa6,0x7a,0x79,0x07,
-                               //                                0x00,0x00};
-                               //AppendCrc14443a(data, sizeof(data)-2);
-                               //EmSendCmdEx(data,sizeof(data),false);
-                               p_response = NULL;                                      
-               } else if (receivedCmd[0] == 0x39 && tagType == 7) {    // Received a READ COUNTER -- 
+               } else if(receivedCmd[0] == MIFARE_ULEV1_FASTREAD) {    // Received a FAST READ (ranged read)                           
+                       uint8_t emdata[MAX_FRAME_SIZE];
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       int start =  (receivedCmd[1]+12) * 4; 
+                       int len   = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
+                       emlGetMemBt( emdata, start, len);
+                       AppendCrc14443a(emdata, len);
+                       EmSendCmdEx(emdata, len+2, false);                              
+                       p_response = NULL;              
+               } else if(receivedCmd[0] == MIFARE_ULEV1_READSIG && tagType == 7) {     // Received a READ SIGNATURE -- 
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       uint16_t start = 4 * 4;
+                       uint8_t emdata[34];
+                       emlGetMemBt( emdata, start, 32);
+                       AppendCrc14443a(emdata, 32);
+                       EmSendCmdEx(emdata, sizeof(emdata), false);
+                       p_response = NULL;                                      
+               } else if (receivedCmd[0] == MIFARE_ULEV1_READ_CNT && tagType == 7) {   // Received a READ COUNTER -- 
                        uint8_t index = receivedCmd[1];
                        uint8_t data[] =  {0x00,0x00,0x00,0x14,0xa5};
                        if ( counters[index] > 0) {
                        uint8_t index = receivedCmd[1];
                        uint8_t data[] =  {0x00,0x00,0x00,0x14,0xa5};
                        if ( counters[index] > 0) {
@@ -1189,7 +1125,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                        }
                        EmSendCmdEx(data,sizeof(data),false);                           
                        p_response = NULL;
                        }
                        EmSendCmdEx(data,sizeof(data),false);                           
                        p_response = NULL;
-               } else if (receivedCmd[0] == 0xA5 && tagType == 7) {    // Received a INC COUNTER -- 
+               } else if (receivedCmd[0] == MIFARE_ULEV1_INCR_CNT && tagType == 7) {   // Received a INC COUNTER -- 
                        // number of counter
                        uint8_t counter = receivedCmd[1];
                        uint32_t val = bytes_to_num(receivedCmd+2,4);
                        // number of counter
                        uint8_t counter = receivedCmd[1];
                        uint32_t val = bytes_to_num(receivedCmd+2,4);
@@ -1198,38 +1134,32 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                        // send ACK
                        uint8_t ack[] = {0x0a};
                        EmSendCmdEx(ack,sizeof(ack),false);
                        // send ACK
                        uint8_t ack[] = {0x0a};
                        EmSendCmdEx(ack,sizeof(ack),false);
-                       p_response = NULL;
-                       
-               } else if(receivedCmd[0] == 0x3E && tagType == 7) {     // Received a CHECK_TEARING_EVENT -- 
-                       //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       p_response = NULL;                      
+               } else if(receivedCmd[0] == MIFARE_ULEV1_CHECKTEAR && tagType == 7) {   // Received a CHECK_TEARING_EVENT -- 
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
                        uint8_t emdata[3];
                        uint8_t counter=0;
                        if (receivedCmd[1]<3) counter = receivedCmd[1];
                        emlGetMemBt( emdata, 10+counter, 1);
                        AppendCrc14443a(emdata, sizeof(emdata)-2);
                        EmSendCmdEx(emdata, sizeof(emdata), false);     
                        uint8_t emdata[3];
                        uint8_t counter=0;
                        if (receivedCmd[1]<3) counter = receivedCmd[1];
                        emlGetMemBt( emdata, 10+counter, 1);
                        AppendCrc14443a(emdata, sizeof(emdata)-2);
                        EmSendCmdEx(emdata, sizeof(emdata), false);     
+                       p_response = NULL;              
+               } else if(receivedCmd[0] == ISO14443A_CMD_HALT) {       // Received a HALT
+                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        p_response = NULL;
                        p_response = NULL;
-                       //p_response = &responses[9];                           
-               
-               } else if(receivedCmd[0] == 0x50) {     // Received a HALT
-
-                       if (tracing) {
-                               LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                       }
-                       p_response = NULL;
-               } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) {   // Received an authentication request
-                                       
+               } else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) {   // Received an authentication request                           
                        if ( tagType == 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request.
                                uint8_t emdata[10];
                                emlGetMemBt( emdata, 0, 8 );
                                AppendCrc14443a(emdata, sizeof(emdata)-2);
                        if ( tagType == 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request.
                                uint8_t emdata[10];
                                emlGetMemBt( emdata, 0, 8 );
                                AppendCrc14443a(emdata, sizeof(emdata)-2);
-                               EmSendCmdEx(emdata, sizeof(emdata), false);     
+                               EmSendCmdEx(emdata, sizeof(emdata), false);
                                p_response = NULL;
                                p_response = NULL;
-                               //p_response = &responses[7];
                        } else {
                        } else {
+                               cardAUTHSC = receivedCmd[1] / 4; // received block num
+                               cardAUTHKEY = receivedCmd[0] - 0x60;
                                p_response = &responses[5]; order = 7;
                        }
                                p_response = &responses[5]; order = 7;
                        }
-               } else if(receivedCmd[0] == 0xE0) {     // Received a RATS request
+               } else if(receivedCmd[0] == ISO14443A_CMD_RATS) {       // Received a RATS request
                        if (tagType == 1 || tagType == 2) {     // RATS not supported
                                EmSend4bit(CARD_NACK_NA);
                                p_response = NULL;
                        if (tagType == 1 || tagType == 2) {     // RATS not supported
                                EmSend4bit(CARD_NACK_NA);
                                p_response = NULL;
@@ -1237,75 +1167,85 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                                p_response = &responses[6]; order = 70;
                        }
                } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
                                p_response = &responses[6]; order = 70;
                        }
                } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
-                       if (tracing) {
-                               LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                       }
-                       uint32_t nonce = bytes_to_num(response5,4);
+                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        uint32_t nr = bytes_to_num(receivedCmd,4);
                        uint32_t ar = bytes_to_num(receivedCmd+4,4);
                        uint32_t nr = bytes_to_num(receivedCmd,4);
                        uint32_t ar = bytes_to_num(receivedCmd+4,4);
-                       //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar);
-
-                       if(flags & FLAG_NR_AR_ATTACK )
-                       {
-                               if(ar_nr_collected < 2){
-                                       // Avoid duplicates... probably not necessary, nr should vary. 
-                                       //if(ar_nr_responses[3] != nr){                                         
-                                               ar_nr_responses[ar_nr_collected*5]   = 0;
-                                               ar_nr_responses[ar_nr_collected*5+1] = 0;
-                                               ar_nr_responses[ar_nr_collected*5+2] = nonce;
-                                               ar_nr_responses[ar_nr_collected*5+3] = nr;
-                                               ar_nr_responses[ar_nr_collected*5+4] = ar;
-                                               ar_nr_collected++;
-                                       //}
-                               }                       
 
 
-                               if(ar_nr_collected > 1 ) {
-                               
-                                       if (MF_DBGLEVEL >= 2) {
-                                                       Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
-                                                       Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
-                                                               ar_nr_responses[0], // UID1
-                                                               ar_nr_responses[1], // UID2
-                                                               ar_nr_responses[2], // NT
-                                                               ar_nr_responses[3], // AR1
-                                                               ar_nr_responses[4], // NR1
-                                                               ar_nr_responses[8], // AR2
-                                                               ar_nr_responses[9]  // NR2
-                                                       );
-                                                       Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
-                                                               ar_nr_responses[0], // UID1
-                                                               ar_nr_responses[1], // UID2
-                                                               ar_nr_responses[2], // NT1
-                                                               ar_nr_responses[3], // AR1
-                                                               ar_nr_responses[4], // NR1
-                                                               ar_nr_responses[7], // NT2
-                                                               ar_nr_responses[8], // AR2
-                                                               ar_nr_responses[9]  // NR2
-                                                               );
+                       // Collect AR/NR per keytype & sector
+                       if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
+                                       for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                               if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
+                                                       // if first auth for sector, or matches sector and keytype of previous auth
+                                                       if (ar_nr_collected[i+mM] < 2) {
+                                                               // if we haven't already collected 2 nonces for this sector
+                                                               if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+                                                                       // Avoid duplicates... probably not necessary, ar should vary. 
+                                                                       if (ar_nr_collected[i+mM]==0) {
+                                                                               // first nonce collect
+                                                                               ar_nr_resp[i+mM].cuid = cuid;
+                                                                               ar_nr_resp[i+mM].sector = cardAUTHSC;
+                                                                               ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+                                                                               ar_nr_resp[i+mM].nonce = nonce;
+                                                                               ar_nr_resp[i+mM].nr = nr;
+                                                                               ar_nr_resp[i+mM].ar = ar;
+                                                                               nonce1_count++;
+                                                                               // add this nonce to first moebius nonce
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+                                                                               ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+                                                                       } else { // second nonce collect (std and moebius)
+                                                                               ar_nr_resp[i+mM].nonce2 = nonce;
+                                                                               ar_nr_resp[i+mM].nr2 = nr;
+                                                                               ar_nr_resp[i+mM].ar2 = ar;
+                                                                               if (!gettingMoebius) {
+                                                                                       nonce2_count++;
+                                                                                       // check if this was the last second nonce we need for std attack
+                                                                                       if ( nonce2_count == nonce1_count ) {
+                                                                                               // done collecting std test switch to moebius
+                                                                                               // first finish incrementing last sample
+                                                                                               ar_nr_collected[i+mM]++; 
+                                                                                               // switch to moebius collection
+                                                                                               gettingMoebius = true;
+                                                                                               mM = ATTACK_KEY_COUNT;
+                                                                                               break;
+                                                                                       }
+                                                                               } else {
+                                                                                       moebius_n_count++;
+                                                                                       // if we've collected all the nonces we need - finish.
+                                                                                       if (nonce1_count == moebius_n_count) {
+                                                                                               cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
+                                                                                               nonce1_count = 0;
+                                                                                               nonce2_count = 0;
+                                                                                               moebius_n_count = 0;
+                                                                                               gettingMoebius = false;
+                                                                                       }
+                                                                               }
+                                                                       }
+                                                                       ar_nr_collected[i+mM]++;
+                                                               }
+                                                       }
+                                                       // we found right spot for this nonce stop looking
+                                                       break;
+                                               }
                                        }
                                        }
-                                       uint8_t len = ar_nr_collected*5*4;
-                                       cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
-                                       ar_nr_collected = 0;
-                                       memset(ar_nr_responses, 0x00, len);
                                }
                                }
-                       }
-               } else if (receivedCmd[0] == 0x1a ) // ULC authentication
-               {
                        
                        
-               }
-               else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication
-               {
+               } else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
+               } else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
                        if ( tagType == 7 ) {
                        if ( tagType == 7 ) {
-                               uint16_t start = 13; //first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
+                               uint16_t start = 13; // first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
                                uint8_t emdata[4];
                                emlGetMemBt( emdata, start, 2);
                                AppendCrc14443a(emdata, 2);
                                EmSendCmdEx(emdata, sizeof(emdata), false);
                                p_response = NULL;
                                uint8_t emdata[4];
                                emlGetMemBt( emdata, start, 2);
                                AppendCrc14443a(emdata, 2);
                                EmSendCmdEx(emdata, sizeof(emdata), false);
                                p_response = NULL;
-                               //p_response =  &responses[8]; // PACK response
                                uint32_t pwd = bytes_to_num(receivedCmd+1,4);
                                
                                uint32_t pwd = bytes_to_num(receivedCmd+1,4);
                                
-                               if ( MF_DBGLEVEL >= 3)  Dbprintf("Auth attempt: %08x", pwd);    
+                               if ( MF_DBGLEVEL >= 3) Dbprintf("Auth attempt: %08x", pwd);     
                        }
                } else {
                        // Check for ISO 14443A-4 compliant commands, look at left nibble
                        }
                } else {
                        // Check for ISO 14443A-4 compliant commands, look at left nibble
@@ -1353,9 +1293,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 
                                default: {
                                        // Never seen this command before
 
                                default: {
                                        // Never seen this command before
-                                       if (tracing) {
-                                               LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                                       }
+                                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        Dbprintf("Received unknown command (len=%d):",len);
                                        Dbhexdump(len,receivedCmd,false);
                                        // Do not respond
                                        Dbprintf("Received unknown command (len=%d):",len);
                                        Dbhexdump(len,receivedCmd,false);
                                        // Do not respond
@@ -1373,9 +1311,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
         
                                if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
                                        Dbprintf("Error preparing tag response");
         
                                if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
                                        Dbprintf("Error preparing tag response");
-                                       if (tracing) {
-                                               LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                                       }
+                                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                p_response = &dynamic_response_info;
                                        break;
                                }
                                p_response = &dynamic_response_info;
@@ -1388,6 +1324,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                // Count number of other messages after a halt
                if(order != 6 && lastorder == 5) { happened2++; }
 
                // Count number of other messages after a halt
                if(order != 6 && lastorder == 5) { happened2++; }
 
+               // comment this limit if you want to simulation longer          
+               if (!tracing) {
+                       Dbprintf("Trace Full. Simulation stopped.");
+                       break;
+               }
+               // comment this limit if you want to simulation longer
                if(cmdsRecvd > 999) {
                        DbpString("1000 commands later...");
                        break;
                if(cmdsRecvd > 999) {
                        DbpString("1000 commands later...");
                        break;
@@ -1397,7 +1339,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                if (p_response != NULL) {
                        EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52);
                        // do the tracing for the previous reader request and this tag answer:
                if (p_response != NULL) {
                        EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52);
                        // do the tracing for the previous reader request and this tag answer:
-                       uint8_t par[MAX_PARITY_SIZE];
+                       uint8_t par[MAX_PARITY_SIZE] = {0x00};
                        GetParity(p_response->response, p_response->response_n, par);
        
                        EmLogTrace(Uart.output, 
                        GetParity(p_response->response, p_response->response_n, par);
        
                        EmLogTrace(Uart.output, 
@@ -1411,11 +1353,6 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                                                (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
                                                par);
                }
                                                (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
                                                par);
                }
-               
-               if (!tracing) {
-                       Dbprintf("Trace Full. Simulation stopped.");
-                       break;
-               }
        }
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        }
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -1423,6 +1360,36 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        BigBuf_free_keep_EM();
        LED_A_OFF();
        
        BigBuf_free_keep_EM();
        LED_A_OFF();
        
+               if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
+               for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
+                                               );
+                       }
+               }       
+               for ( uint8_t   i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nonce2,//NT2
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
+                                               );
+                       }
+               }
+       }
+       
        if (MF_DBGLEVEL >= 4){
                Dbprintf("-[ Wake ups after halt [%d]", happened);
                Dbprintf("-[ Messages after halt [%d]", happened2);
        if (MF_DBGLEVEL >= 4){
                Dbprintf("-[ Wake ups after halt [%d]", happened);
                Dbprintf("-[ Messages after halt [%d]", happened2);
@@ -1430,29 +1397,29 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        }
 }
 
        }
 }
 
-
 // prepare a delayed transfer. This simply shifts ToSend[] by a number
 // of bits specified in the delay parameter.
 // prepare a delayed transfer. This simply shifts ToSend[] by a number
 // of bits specified in the delay parameter.
-void PrepareDelayedTransfer(uint16_t delay)
-{
+void PrepareDelayedTransfer(uint16_t delay) {
+       delay &= 0x07;
+       if (!delay) return;
+
        uint8_t bitmask = 0;
        uint8_t bits_to_shift = 0;
        uint8_t bits_shifted = 0;
        uint8_t bitmask = 0;
        uint8_t bits_to_shift = 0;
        uint8_t bits_shifted = 0;
+       uint16_t i = 0;
 
 
-       delay &= 0x07;
-       if (delay) {
-               for (uint16_t i = 0; i < delay; i++) {
-                       bitmask |= (0x01 << i);
-               }
-               ToSend[ToSendMax++] = 0x00;
-               for (uint16_t i = 0; i < ToSendMax; i++) {
+       for (i = 0; i < delay; ++i)
+               bitmask |= (0x01 << i);
+
+       ToSend[++ToSendMax] = 0x00;
+
+       for (i = 0; i < ToSendMax; ++i) {
                        bits_to_shift = ToSend[i] & bitmask;
                        ToSend[i] = ToSend[i] >> delay;
                        ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
                        bits_shifted = bits_to_shift;
                }
        }
                        bits_to_shift = ToSend[i] & bitmask;
                        ToSend[i] = ToSend[i] >> delay;
                        ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
                        bits_shifted = bits_to_shift;
                }
        }
-}
 
 
 //-------------------------------------------------------------------------------------
 
 
 //-------------------------------------------------------------------------------------
@@ -1463,9 +1430,7 @@ void PrepareDelayedTransfer(uint16_t delay)
 // if == 0:    transfer immediately and return time of transfer
 // if != 0: delay transfer until time specified
 //-------------------------------------------------------------------------------------
 // if == 0:    transfer immediately and return time of transfer
 // if != 0: delay transfer until time specified
 //-------------------------------------------------------------------------------------
-static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
-{
-       
+static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing) {
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
 
        uint32_t ThisTransferTime = 0;
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
 
        uint32_t ThisTransferTime = 0;
@@ -1481,7 +1446,9 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
                LastTimeProxToAirStart = *timing;
        } else {
                ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
                LastTimeProxToAirStart = *timing;
        } else {
                ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
+
                while(GetCountSspClk() < ThisTransferTime);
                while(GetCountSspClk() < ThisTransferTime);
+
                LastTimeProxToAirStart = ThisTransferTime;
        }
        
                LastTimeProxToAirStart = ThisTransferTime;
        }
        
@@ -1492,24 +1459,21 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
        for(;;) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = cmd[c];
        for(;;) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = cmd[c];
-                       c++;
-                       if(c >= len) {
+                       ++c;
+                       if(c >= len)
                                break;
                                break;
-                       }
                }
        }
        
        NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
 }
 
                }
        }
        
        NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
 }
 
-
 //-----------------------------------------------------------------------------
 // Prepare reader command (in bits, support short frames) to send to FPGA
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Prepare reader command (in bits, support short frames) to send to FPGA
 //-----------------------------------------------------------------------------
-void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
-{
+void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity) {
        int i, j;
        int i, j;
-       int last;
+       int last = 0;
        uint8_t b;
 
        ToSendReset();
        uint8_t b;
 
        ToSendReset();
@@ -1517,7 +1481,6 @@ void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8
        // Start of Communication (Seq. Z)
        ToSend[++ToSendMax] = SEC_Z;
        LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
        // Start of Communication (Seq. Z)
        ToSend[++ToSendMax] = SEC_Z;
        LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
-       last = 0;
 
        size_t bytecount = nbytes(bits);
        // Generate send structure for the data bits
 
        size_t bytecount = nbytes(bits);
        // Generate send structure for the data bits
@@ -1581,25 +1544,22 @@ void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8
        ToSend[++ToSendMax] = SEC_Y;
 
        // Convert to length of command:
        ToSend[++ToSendMax] = SEC_Y;
 
        // Convert to length of command:
-       ToSendMax++;
+       ++ToSendMax;
 }
 
 //-----------------------------------------------------------------------------
 // Prepare reader command to send to FPGA
 //-----------------------------------------------------------------------------
 }
 
 //-----------------------------------------------------------------------------
 // Prepare reader command to send to FPGA
 //-----------------------------------------------------------------------------
-void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity)
-{
+void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity) {
   CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
 }
 
   CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
 }
 
-
 //-----------------------------------------------------------------------------
 // Wait for commands from reader
 // Stop when button is pressed (return 1) or field was gone (return 2)
 // Or return 0 when command is captured
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Wait for commands from reader
 // Stop when button is pressed (return 1) or field was gone (return 2)
 // Or return 0 when command is captured
 //-----------------------------------------------------------------------------
-static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
-{
+static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) {
        *len = 0;
 
        uint32_t timer = 0, vtime = 0;
        *len = 0;
 
        uint32_t timer = 0, vtime = 0;
@@ -1659,13 +1619,10 @@ static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
                                return 0;
                        }
         }
                                return 0;
                        }
         }
-
        }
 }
 
        }
 }
 
-
-static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded)
-{
+int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded) {
        uint8_t b;
        uint16_t i = 0;
        uint32_t ThisTransferTime;
        uint8_t b;
        uint16_t i = 0;
        uint32_t ThisTransferTime;
@@ -1677,12 +1634,8 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
        if (Uart.parityBits & 0x01) {
                correctionNeeded = TRUE;
        }
        if (Uart.parityBits & 0x01) {
                correctionNeeded = TRUE;
        }
-       if(correctionNeeded) {
-               // 1236, so correction bit needed
-               i = 0;
-       } else {
-               i = 1;
-       }
+       // 1236, so correction bit needed
+       i = (correctionNeeded) ? 0 : 1;
 
        // clear receiving shift register and holding register
        while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
 
        // clear receiving shift register and holding register
        while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
@@ -1691,7 +1644,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
        b = AT91C_BASE_SSC->SSC_RHR; (void) b;
        
        // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
        b = AT91C_BASE_SSC->SSC_RHR; (void) b;
        
        // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
-       for (uint16_t j = 0; j < 5; j++) {      // allow timeout - better late than never
+       for (uint8_t j = 0; j < 5; j++) {       // allow timeout - better late than never
                while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
                if (AT91C_BASE_SSC->SSC_RHR) break;
        }
                while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
                if (AT91C_BASE_SSC->SSC_RHR) break;
        }
@@ -1712,7 +1665,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
        }
 
        // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
        }
 
        // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
-       uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;
+       uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;  // twich /8 ??   >>3, 
        for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = SEC_F;
        for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = SEC_F;
@@ -1720,9 +1673,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
                        i++;
                }
        }
                        i++;
                }
        }
-
        LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
        LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
-
        return 0;
 }
 
        return 0;
 }
 
@@ -1730,7 +1681,7 @@ int EmSend4bitEx(uint8_t resp, bool correctionNeeded){
        Code4bitAnswerAsTag(resp);
        int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
        // do the tracing for the previous reader request and this tag answer:
        Code4bitAnswerAsTag(resp);
        int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
        // do the tracing for the previous reader request and this tag answer:
-       uint8_t par[1];
+       uint8_t par[1] = {0x00};
        GetParity(&resp, 1, par);
        EmLogTrace(Uart.output, 
                                Uart.len, 
        GetParity(&resp, 1, par);
        EmLogTrace(Uart.output, 
                                Uart.len, 
@@ -1767,13 +1718,13 @@ int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8
 }
 
 int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){
 }
 
 int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){
-       uint8_t par[MAX_PARITY_SIZE];
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
        GetParity(resp, respLen, par);
        return EmSendCmdExPar(resp, respLen, correctionNeeded, par);
 }
 
 int EmSendCmd(uint8_t *resp, uint16_t respLen){
        GetParity(resp, respLen, par);
        return EmSendCmdExPar(resp, respLen, correctionNeeded, par);
 }
 
 int EmSendCmd(uint8_t *resp, uint16_t respLen){
-       uint8_t par[MAX_PARITY_SIZE];
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
        GetParity(resp, respLen, par);
        return EmSendCmdExPar(resp, respLen, false, par);
 }
        GetParity(resp, respLen, par);
        return EmSendCmdExPar(resp, respLen, false, par);
 }
@@ -1785,21 +1736,20 @@ int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
                                 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity)
 {
 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
                                 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity)
 {
-       if (tracing) {
-               // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
-               // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
-               // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
-               uint16_t reader_modlen = reader_EndTime - reader_StartTime;
-               uint16_t approx_fdt = tag_StartTime - reader_EndTime;
-               uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
-               reader_EndTime = tag_StartTime - exact_fdt;
-               reader_StartTime = reader_EndTime - reader_modlen;
-               if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE)) {
-                       return FALSE;
-               } else return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE));
-       } else {
-               return TRUE;
-       }
+       // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
+       // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
+       // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
+       uint16_t reader_modlen = reader_EndTime - reader_StartTime;
+       uint16_t approx_fdt = tag_StartTime - reader_EndTime;
+       uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
+       reader_EndTime = tag_StartTime - exact_fdt;
+       reader_StartTime = reader_EndTime - reader_modlen;
+               
+       if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE))
+               return FALSE;
+       else 
+               return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE));
+
 }
 
 //-----------------------------------------------------------------------------
 }
 
 //-----------------------------------------------------------------------------
@@ -1807,8 +1757,7 @@ bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_Start
 //  If a response is captured return TRUE
 //  If it takes too long return FALSE
 //-----------------------------------------------------------------------------
 //  If a response is captured return TRUE
 //  If it takes too long return FALSE
 //-----------------------------------------------------------------------------
-static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
-{
+static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset) {
        uint32_t c = 0x00;
        
        // Set FPGA mode to "reader listen mode", no modulation (listen
        uint32_t c = 0x00;
        
        // Set FPGA mode to "reader listen mode", no modulation (listen
@@ -1838,57 +1787,45 @@ static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receive
        }
 }
 
        }
 }
 
-void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
-{
+void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing) {
+
        CodeIso14443aBitsAsReaderPar(frame, bits, par);
        CodeIso14443aBitsAsReaderPar(frame, bits, par);
-  
        // Send command to tag
        TransmitFor14443a(ToSend, ToSendMax, timing);
        // Send command to tag
        TransmitFor14443a(ToSend, ToSendMax, timing);
-       if(trigger)
-               LED_A_ON();
+       if(trigger) LED_A_ON();
   
   
-       // Log reader command in trace buffer
-       if (tracing) {
-               LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
-       }
+       LogTrace(frame, nbytes(bits), (LastTimeProxToAirStart<<4) + DELAY_ARM2AIR_AS_READER, ((LastTimeProxToAirStart + LastProxToAirDuration)<<4) + DELAY_ARM2AIR_AS_READER, par, TRUE);
 }
 
 }
 
-void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
-{
+void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing) {
   ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
   ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
-void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
-{
-  // Generate parity and redirect
-  uint8_t par[MAX_PARITY_SIZE];
-  GetParity(frame, len/8, par);
-  ReaderTransmitBitsPar(frame, len, par, timing);
+void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing) {
+       // Generate parity and redirect
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(frame, len/8, par);  
+       ReaderTransmitBitsPar(frame, len, par, timing);
 }
 
 }
 
-void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
-{
-  // Generate parity and redirect
-  uint8_t par[MAX_PARITY_SIZE];
-  GetParity(frame, len, par);
-  ReaderTransmitBitsPar(frame, len*8, par, timing);
+void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing) {
+       // Generate parity and redirect
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(frame, len, par);
+       ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
 }
 
-int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
-{
-       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return FALSE;
-       if (tracing) {
-               LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
-       }
+int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity) {
+       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset))
+               return FALSE;
+       LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
        return Demod.len;
 }
 
        return Demod.len;
 }
 
-int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
-{
-       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return FALSE;
-       if (tracing) {
-               LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
-       }
+int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) {
+       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0))
+               return FALSE;
+       LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
        return Demod.len;
 }
 
        return Demod.len;
 }
 
@@ -1898,14 +1835,14 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
 // if anticollision is false, then the UID must be provided in uid_ptr[] 
 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
 // if anticollision is false, then the UID must be provided in uid_ptr[] 
 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
-       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
-       uint8_t sel_all[]    = { 0x93,0x20 };
-       uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
-       uint8_t resp[MAX_FRAME_SIZE]; // theoretically. A usual RATS will be much smaller
-       uint8_t resp_par[MAX_PARITY_SIZE];
-       byte_t uid_resp[4];
-       size_t uid_resp_len;
+       uint8_t wupa[]       = { ISO14443A_CMD_WUPA };  // 0x26 - ISO14443A_CMD_REQA  0x52 - ISO14443A_CMD_WUPA
+       uint8_t sel_all[]    = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x20 };
+       uint8_t sel_uid[]    = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t rats[]       = { ISO14443A_CMD_RATS,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
+       uint8_t resp[MAX_FRAME_SIZE] = {0}; // theoretically. A usual RATS will be much smaller
+       uint8_t resp_par[MAX_PARITY_SIZE] = {0};
+       byte_t uid_resp[4] = {0};
+       size_t uid_resp_len = 0;
 
        uint8_t sak = 0x04; // cascade uid
        int cascade_level = 0;
 
        uint8_t sak = 0x04; // cascade uid
        int cascade_level = 0;
@@ -1924,16 +1861,16 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
        }
 
        if (anticollision) {
        }
 
        if (anticollision) {
-       // clear uid
-       if (uid_ptr) {
-               memset(uid_ptr,0,10);
-       }
+               // clear uid
+               if (uid_ptr)
+                       memset(uid_ptr,0,10);
        }
 
        }
 
+       // reset the PCB block number
+       iso14_pcb_blocknum = 0;
+       
        // check for proprietary anticollision:
        // check for proprietary anticollision:
-       if ((resp[0] & 0x1F) == 0) {
-               return 3;
-       }
+       if ((resp[0] & 0x1F) == 0) return 3;
        
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
        
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
@@ -1944,40 +1881,41 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 
                if (anticollision) {
                // SELECT_ALL
 
                if (anticollision) {
                // SELECT_ALL
-               ReaderTransmit(sel_all, sizeof(sel_all), NULL);
-               if (!ReaderReceive(resp, resp_par)) return 0;
-
-               if (Demod.collisionPos) {                       // we had a collision and need to construct the UID bit by bit
-                       memset(uid_resp, 0, 4);
-                       uint16_t uid_resp_bits = 0;
-                       uint16_t collision_answer_offset = 0;
-                       // anti-collision-loop:
-                       while (Demod.collisionPos) {
-                               Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
-                               for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) {      // add valid UID bits before collision point
-                                       uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
-                                       uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
+                       ReaderTransmit(sel_all, sizeof(sel_all), NULL);
+                       if (!ReaderReceive(resp, resp_par)) return 0;
+
+                       if (Demod.collisionPos) {                       // we had a collision and need to construct the UID bit by bit
+                               memset(uid_resp, 0, 4);
+                               uint16_t uid_resp_bits = 0;
+                               uint16_t collision_answer_offset = 0;
+                               // anti-collision-loop:
+                               while (Demod.collisionPos) {
+                                       Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
+                                       for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) {      // add valid UID bits before collision point
+                                               uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
+                                               uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
+                                       }
+                                       uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8);                                  // next time select the card(s) with a 1 in the collision position
+                                       uid_resp_bits++;
+                                       // construct anticollosion command:
+                                       sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07);     // length of data in bytes and bits
+                                       for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
+                                               sel_uid[2+i] = uid_resp[i];
+                                       }
+                                       collision_answer_offset = uid_resp_bits%8;
+                                       ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
+                                       if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
                                }
                                }
-                               uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8);                                  // next time select the card(s) with a 1 in the collision position
-                               uid_resp_bits++;
-                               // construct anticollosion command:
-                               sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07);     // length of data in bytes and bits
-                               for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
-                                       sel_uid[2+i] = uid_resp[i];
+                               // finally, add the last bits and BCC of the UID
+                               for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
+                                       uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
+                                       uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
                                }
                                }
-                               collision_answer_offset = uid_resp_bits%8;
-                               ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
-                               if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
-                       }
-                       // finally, add the last bits and BCC of the UID
-                       for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
-                               uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
-                               uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
-                       }
 
 
-               } else {                // no collision, use the response to SELECT_ALL as current uid
-                       memcpy(uid_resp, resp, 4);
-               }
+                       } else {                // no collision, use the response to SELECT_ALL as current uid
+                               memcpy(uid_resp, resp, 4);
+                       }
+                       
                } else {
                        if (cascade_level < num_cascades - 1) {
                                uid_resp[0] = 0x88;
                } else {
                        if (cascade_level < num_cascades - 1) {
                                uid_resp[0] = 0x88;
@@ -1989,9 +1927,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                uid_resp_len = 4;
 
                // calculate crypto UID. Always use last 4 Bytes.
                uid_resp_len = 4;
 
                // calculate crypto UID. Always use last 4 Bytes.
-               if(cuid_ptr) {
+               if(cuid_ptr)
                        *cuid_ptr = bytes_to_num(uid_resp, 4);
                        *cuid_ptr = bytes_to_num(uid_resp, 4);
-               }
 
                // Construct SELECT UID command
                sel_uid[1] = 0x70;                                                                                                      // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
 
                // Construct SELECT UID command
                sel_uid[1] = 0x70;                                                                                                      // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
@@ -2002,9 +1939,10 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 
                // Receive the SAK
                if (!ReaderReceive(resp, resp_par)) return 0;
 
                // Receive the SAK
                if (!ReaderReceive(resp, resp_par)) return 0;
+               
                sak = resp[0];
 
                sak = resp[0];
 
-    // Test if more parts of the uid are coming
+               // Test if more parts of the uid are coming
                if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
                        // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
                        // http://www.nxp.com/documents/application_note/AN10927.pdf
                if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
                        // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
                        // http://www.nxp.com/documents/application_note/AN10927.pdf
@@ -2014,9 +1952,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                        uid_resp_len = 3;
                }
 
                        uid_resp_len = 3;
                }
 
-               if(uid_ptr && anticollision) {
+               if(uid_ptr && anticollision)
                        memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
                        memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
-               }
 
                if(p_hi14a_card) {
                        memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
 
                if(p_hi14a_card) {
                        memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
@@ -2037,49 +1974,47 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
        ReaderTransmit(rats, sizeof(rats), NULL);
 
        if (!(len = ReaderReceive(resp, resp_par))) return 0;
        ReaderTransmit(rats, sizeof(rats), NULL);
 
        if (!(len = ReaderReceive(resp, resp_par))) return 0;
-
        
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
                p_hi14a_card->ats_len = len;
        }
 
        
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
                p_hi14a_card->ats_len = len;
        }
 
-       // reset the PCB block number
-       iso14_pcb_blocknum = 0;
-
        // set default timeout based on ATS
        iso14a_set_ATS_timeout(resp);
        // set default timeout based on ATS
        iso14a_set_ATS_timeout(resp);
-
        return 1;       
 }
 
 void iso14443a_setup(uint8_t fpga_minor_mode) {
        return 1;       
 }
 
 void iso14443a_setup(uint8_t fpga_minor_mode) {
+
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
        // Set up the synchronous serial port
        FpgaSetupSsc();
        // connect Demodulated Signal to ADC:
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
        // Set up the synchronous serial port
        FpgaSetupSsc();
        // connect Demodulated Signal to ADC:
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
+       LED_D_OFF();
        // Signal field is on with the appropriate LED
        // Signal field is on with the appropriate LED
-       if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
-               || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
+       if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD ||
+               fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN)
                LED_D_ON();
                LED_D_ON();
-       } else {
-               LED_D_OFF();
-       }
+
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
 
+       SpinDelay(20);
+       
        // Start the timer
        StartCountSspClk();
        
        // Start the timer
        StartCountSspClk();
        
+       // Prepare the demodulation functions
        DemodReset();
        UartReset();
        DemodReset();
        UartReset();
-       NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
-       iso14a_set_timeout(10*106); // 10ms default
+       NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER;
+       iso14a_set_timeout(10*106); // 20ms default     
 }
 
 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
 }
 
 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
-       uint8_t parity[MAX_PARITY_SIZE];
+       uint8_t parity[MAX_PARITY_SIZE] = {0x00};
        uint8_t real_cmd[cmd_len+4];
        real_cmd[0] = 0x0a; //I-Block
        // put block number into the PCB
        uint8_t real_cmd[cmd_len+4];
        real_cmd[0] = 0x0a; //I-Block
        // put block number into the PCB
@@ -2090,12 +2025,14 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
  
        ReaderTransmit(real_cmd, cmd_len+4, NULL);
        size_t len = ReaderReceive(data, parity);
  
        ReaderTransmit(real_cmd, cmd_len+4, NULL);
        size_t len = ReaderReceive(data, parity);
+        //DATA LINK ERROR
+       if (!len) return 0;
+       
        uint8_t *data_bytes = (uint8_t *) data;
        uint8_t *data_bytes = (uint8_t *) data;
-       if (!len)
-               return 0; //DATA LINK ERROR
+
        // if we received an I- or R(ACK)-Block with a block number equal to the
        // current block number, toggle the current block number
        // if we received an I- or R(ACK)-Block with a block number equal to the
        // current block number, toggle the current block number
-       else if (len >= 4 // PCB+CID+CRC = 4 bytes
+       if (len >= 4 // PCB+CID+CRC = 4 bytes
                 && ((data_bytes[0] & 0xC0) == 0 // I-Block
                     || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
                 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
                 && ((data_bytes[0] & 0xC0) == 0 // I-Block
                     || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
                 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
@@ -2106,50 +2043,48 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
        return len;
 }
 
        return len;
 }
 
+
 //-----------------------------------------------------------------------------
 // Read an ISO 14443a tag. Send out commands and store answers.
 //-----------------------------------------------------------------------------
 // Read an ISO 14443a tag. Send out commands and store answers.
-//
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void ReaderIso14443a(UsbCommand *c)
-{
+void ReaderIso14443a(UsbCommand *c) {
        iso14a_command_t param = c->arg[0];
        iso14a_command_t param = c->arg[0];
-       uint8_t *cmd = c->d.asBytes;
        size_t len = c->arg[1] & 0xffff;
        size_t lenbits = c->arg[1] >> 16;
        uint32_t timeout = c->arg[2];
        size_t len = c->arg[1] & 0xffff;
        size_t lenbits = c->arg[1] >> 16;
        uint32_t timeout = c->arg[2];
+       uint8_t *cmd = c->d.asBytes;
        uint32_t arg0 = 0;
        uint32_t arg0 = 0;
-       byte_t buf[USB_CMD_DATA_SIZE];
-       uint8_t par[MAX_PARITY_SIZE];
+       byte_t buf[USB_CMD_DATA_SIZE] = {0x00};
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
   
   
-       if(param & ISO14A_CONNECT) {
+       if (param & ISO14A_CONNECT)
                clear_trace();
                clear_trace();
-       }
 
        set_tracing(TRUE);
 
 
        set_tracing(TRUE);
 
-       if(param & ISO14A_REQUEST_TRIGGER) {
+       if (param & ISO14A_REQUEST_TRIGGER)
                iso14a_set_trigger(TRUE);
                iso14a_set_trigger(TRUE);
-       }
 
 
-       if(param & ISO14A_CONNECT) {
+       if (param & ISO14A_CONNECT) {
                iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
                if(!(param & ISO14A_NO_SELECT)) {
                        iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
                        arg0 = iso14443a_select_card(NULL,card,NULL, true, 0);
                iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
                if(!(param & ISO14A_NO_SELECT)) {
                        iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
                        arg0 = iso14443a_select_card(NULL,card,NULL, true, 0);
-                       cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
+                       cmd_send(CMD_ACK, arg0, card->uidlen, 0, buf, sizeof(iso14a_card_select_t));
+                       // if it fails,  the cmdhf14a.c client quites.. however this one still executes.
+                       if ( arg0 == 0 ) return;
                }
        }
 
                }
        }
 
-       if(param & ISO14A_SET_TIMEOUT) {
+       if (param & ISO14A_SET_TIMEOUT)
                iso14a_set_timeout(timeout);
                iso14a_set_timeout(timeout);
-       }
 
 
-       if(param & ISO14A_APDU) {
+       if (param & ISO14A_APDU) {
                arg0 = iso14_apdu(cmd, len, buf);
                cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
        }
 
                arg0 = iso14_apdu(cmd, len, buf);
                cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
        }
 
-       if(param & ISO14A_RAW) {
+       if (param & ISO14A_RAW) {
                if(param & ISO14A_APPEND_CRC) {
                        if(param & ISO14A_TOPAZMODE) {
                                AppendCrc14443b(cmd,len);
                if(param & ISO14A_APPEND_CRC) {
                        if(param & ISO14A_TOPAZMODE) {
                                AppendCrc14443b(cmd,len);
@@ -2188,126 +2123,125 @@ void ReaderIso14443a(UsbCommand *c)
                cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
        }
 
                cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
        }
 
-       if(param & ISO14A_REQUEST_TRIGGER) {
+       if (param & ISO14A_REQUEST_TRIGGER)
                iso14a_set_trigger(FALSE);
                iso14a_set_trigger(FALSE);
-       }
 
 
-       if(param & ISO14A_NO_DISCONNECT) {
+       if (param & ISO14A_NO_DISCONNECT)
                return;
                return;
-       }
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        set_tracing(FALSE);
        LEDsoff();
 }
 
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        set_tracing(FALSE);
        LEDsoff();
 }
 
-
 // Determine the distance between two nonces.
 // Assume that the difference is small, but we don't know which is first.
 // Therefore try in alternating directions.
 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 
 // Determine the distance between two nonces.
 // Assume that the difference is small, but we don't know which is first.
 // Therefore try in alternating directions.
 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 
-       uint16_t i;
-       uint32_t nttmp1, nttmp2;
-
        if (nt1 == nt2) return 0;
        if (nt1 == nt2) return 0;
-
-       nttmp1 = nt1;
-       nttmp2 = nt2;
        
        
-       for (i = 1; i < 0xFFFF; i++) {
-               nttmp1 = prng_successor(nttmp1, 1);
-               if (nttmp1 == nt2) return i;
-               nttmp2 = prng_successor(nttmp2, 1);
-                       if (nttmp2 == nt1) return -i;
-               }
-       
-       return(-99999); // either nt1 or nt2 are invalid nonces
+       uint32_t nttmp1 = nt1;
+       uint32_t nttmp2 = nt2;
+
+       // 0xFFFF -- Half up and half down to find distance between nonces
+       for (uint16_t i = 1; i < 32768/8; i += 8) {
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+1;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+2;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+3;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+4;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+5;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+6;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+7;
+               
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -i;
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+1);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+2);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+3);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+4);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+5);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+6);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+7);               
+       }
+       // either nt1 or nt2 are invalid nonces 
+       return(-99999); 
 }
 
 }
 
-
 //-----------------------------------------------------------------------------
 // Recover several bits of the cypher stream. This implements (first stages of)
 // the algorithm described in "The Dark Side of Security by Obscurity and
 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
 // (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Recover several bits of the cypher stream. This implements (first stages of)
 // the algorithm described in "The Dark Side of Security by Obscurity and
 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
 // (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
-void ReaderMifare(bool first_try)
-{
-       // Mifare AUTH
-       uint8_t mf_auth[]    = { 0x60,0x00,0xf5,0x7b };
-       uint8_t mf_nr_ar[]   = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
-       static uint8_t mf_nr_ar3;
-
-       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
-       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
 
 
-       if (first_try) { 
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-       }
-       
-       // free eventually allocated BigBuf memory. We want all for tracing.
-       BigBuf_free();
+void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) {
        
        
-       clear_trace();
-       set_tracing(TRUE);
-
-       byte_t nt_diff = 0;
+       uint8_t mf_auth[]       = { keytype, block, 0x00, 0x00 };
+       uint8_t mf_nr_ar[]      = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
+       uint8_t uid[10]         = {0,0,0,0,0,0,0,0,0,0};
+       uint8_t par_list[8]     = {0,0,0,0,0,0,0,0};
+       uint8_t ks_list[8]      = {0,0,0,0,0,0,0,0};
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
-       static byte_t par_low = 0;
-       bool led_on = TRUE;
-       uint8_t uid[10]  ={0};
-       uint32_t cuid;
-
+       byte_t nt_diff = 0;
        uint32_t nt = 0;
        uint32_t nt = 0;
-       uint32_t previous_nt = 0;
-       static uint32_t nt_attacked = 0;
-       byte_t par_list[8] = {0x00};
-       byte_t ks_list[8] = {0x00};
+       uint32_t previous_nt = 0;       
+       uint32_t cuid = 0;
+       
+       int32_t catch_up_cycles = 0;
+       int32_t last_catch_up = 0;
+       int32_t isOK = 0;
+       int32_t nt_distance = 0;
+       
+       uint16_t elapsed_prng_sequences = 1;
+       uint16_t consecutive_resyncs = 0;
+       uint16_t unexpected_random = 0;
+       uint16_t sync_tries = 0;
 
 
-   #define PRNG_SEQUENCE_LENGTH  (1 << 16);
+       // static variables here, is re-used in the next call
+       static uint32_t nt_attacked = 0;
        static uint32_t sync_time = 0;
        static uint32_t sync_time = 0;
-       static int32_t sync_cycles = 0;
-       int catch_up_cycles = 0;
-       int last_catch_up = 0;
-       uint16_t elapsed_prng_sequences;
-       uint16_t consecutive_resyncs = 0;
-       int isOK = 0;
+       static uint32_t sync_cycles = 0;
+       static uint8_t par_low = 0;
+       static uint8_t mf_nr_ar3 = 0;
+       
+       #define PRNG_SEQUENCE_LENGTH    (1 << 16)
+       #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
+       #define MAX_SYNC_TRIES          32
+       
+       AppendCrc14443a(mf_auth, 2);
+       
+       BigBuf_free(); BigBuf_Clear_ext(false); 
+       clear_trace();
+       set_tracing(FALSE);     
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
 
 
-       if (first_try) { 
+       sync_time = GetCountSspClk() & 0xfffffff8;
+       sync_cycles = PRNG_SEQUENCE_LENGTH; // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).              
+       nt_attacked = 0;
+       
+   if (MF_DBGLEVEL >= 4)       Dbprintf("Mifare::Sync %08x", sync_time);
+                               
+       if (first_try) {
                mf_nr_ar3 = 0;
                mf_nr_ar3 = 0;
-               sync_time = GetCountSspClk() & 0xfffffff8;
-               sync_cycles = PRNG_SEQUENCE_LENGTH; //65536;    //0x10000                       // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
-               nt_attacked = 0;
-               par[0] = 0;
-       }
-       else {
-               // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
-               mf_nr_ar3++;
+               par_low = 0;
+       } else {
+               // we were unsuccessful on a previous call. 
+               // Try another READER nonce (first 3 parity bits remain the same)
+               ++mf_nr_ar3;
                mf_nr_ar[3] = mf_nr_ar3;
                par[0] = par_low;
        }
 
                mf_nr_ar[3] = mf_nr_ar3;
                par[0] = par_low;
        }
 
-       LED_A_ON();
-       LED_B_OFF();
-       LED_C_OFF();
-       
+       bool have_uid = FALSE;
+       uint8_t cascade_levels = 0;
+
+       LED_C_ON(); 
+       uint16_t i;
+       for(i = 0; TRUE; ++i) {
 
 
-       #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
-       #define MAX_SYNC_TRIES                  32
-       #define NUM_DEBUG_INFOS                 8               // per strategy
-       #define MAX_STRATEGY                    3
-       uint16_t unexpected_random = 0;
-       uint16_t sync_tries = 0;
-       int16_t debug_info_nr = -1;
-       uint16_t strategy = 0;
-       int32_t debug_info[MAX_STRATEGY][NUM_DEBUG_INFOS];
-       uint32_t select_time;
-       uint32_t halt_time;
-  
-       for(uint16_t i = 0; TRUE; i++) {
-               
-               LED_C_ON();
                WDT_HIT();
 
                // Test if the action was cancelled
                WDT_HIT();
 
                // Test if the action was cancelled
@@ -2316,132 +2250,117 @@ void ReaderMifare(bool first_try)
                        break;
                }
                
                        break;
                }
                
-               if (strategy == 2) {
-                       // test with additional hlt command
-                       halt_time = 0;
-                       int len = mifare_sendcmd_short(NULL, false, 0x50, 0x00, receivedAnswer, receivedAnswerPar, &halt_time);
-                       if (len && MF_DBGLEVEL >= 3) {
-                               Dbprintf("Unexpected response of %d bytes to hlt command (additional debugging).", len);
+               // this part is from Piwi's faster nonce collecting part in Hardnested.
+               if (!have_uid) { // need a full select cycle to get the uid first
+                       iso14a_card_select_t card_info;         
+                       if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {
+                               if (MF_DBGLEVEL >= 4)   Dbprintf("Mifare: Can't select card (ALL)");
+                               break;
                        }
                        }
-               }
-
-               if (strategy == 3) {
-                       // test with FPGA power off/on
-                       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-                       SpinDelay(200);
-                       iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-                       SpinDelay(100);
-               }
-               
-               if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Mifare: Can't select card");
-                       continue;
-               }
-               select_time = GetCountSspClk();
-
-               elapsed_prng_sequences = 1;
-               if (debug_info_nr == -1) {
-                       sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
-                       catch_up_cycles = 0;
-
-                       // if we missed the sync time already, advance to the next nonce repeat
-                       while(GetCountSspClk() > sync_time) {
-                               elapsed_prng_sequences++;
-                               sync_time = (sync_time & 0xfffffff8) + sync_cycles;
+                       switch (card_info.uidlen) {
+                               case 4 : cascade_levels = 1; break;
+                               case 7 : cascade_levels = 2; break;
+                               case 10: cascade_levels = 3; break;
+                               default: break;
                        }
                        }
-
-                       // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked) 
-                       ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
-               } else {
-                       // collect some information on tag nonces for debugging:
-                       #define DEBUG_FIXED_SYNC_CYCLES PRNG_SEQUENCE_LENGTH
-                       if (strategy == 0) {
-                               // nonce distances at fixed time after card select:
-                               sync_time = select_time + DEBUG_FIXED_SYNC_CYCLES;
-                       } else if (strategy == 1) {
-                               // nonce distances at fixed time between authentications:
-                               sync_time = sync_time + DEBUG_FIXED_SYNC_CYCLES;
-                       } else if (strategy == 2) {
-                               // nonce distances at fixed time after halt:
-                               sync_time = halt_time + DEBUG_FIXED_SYNC_CYCLES;
-                       } else {
-                               // nonce_distances at fixed time after power on
-                               sync_time = DEBUG_FIXED_SYNC_CYCLES;
+                       have_uid = TRUE;        
+               } else { // no need for anticollision. We can directly select the card
+                       if(!iso14443a_select_card(uid, NULL, &cuid, false, cascade_levels)) {
+                               if (MF_DBGLEVEL >= 4)   Dbprintf("Mifare: Can't select card (UID)");
+                               continue;
                        }
                        }
-                       ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
-               }                       
-
-               // Receive the (4 Byte) "random" nonce
-               if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Mifare: Couldn't receive tag nonce");
+               }
+               
+               // Sending timeslot of ISO14443a frame          
+               sync_time = (sync_time & 0xfffffff8 ) + sync_cycles + catch_up_cycles;
+               catch_up_cycles = 0;
+                                                               
+               // if we missed the sync time already, advance to the next nonce repeat
+               while( GetCountSspClk() > sync_time) {
+                       ++elapsed_prng_sequences;
+                       sync_time = (sync_time & 0xfffffff8 ) + sync_cycles;
+               }               
+
+               // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
+               ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
+
+               // Receive the (4 Byte) "random" nonce from TAG
+               if (!ReaderReceive(receivedAnswer, receivedAnswerPar))
                        continue;
                        continue;
-                 }
 
                previous_nt = nt;
                nt = bytes_to_num(receivedAnswer, 4);
 
                previous_nt = nt;
                nt = bytes_to_num(receivedAnswer, 4);
-
+               
                // Transmit reader nonce with fake par
                ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
                // Transmit reader nonce with fake par
                ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
+       
+               // we didn't calibrate our clock yet,
+               // iceman: has to be calibrated every time.
+               if (previous_nt && !nt_attacked) { 
 
 
-               if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
-                       int nt_distance = dist_nt(previous_nt, nt);
+                       nt_distance = dist_nt(previous_nt, nt);
+                       
+                       // if no distance between,  then we are in sync.
                        if (nt_distance == 0) {
                                nt_attacked = nt;
                        } else {
                                if (nt_distance == -99999) { // invalid nonce received
                        if (nt_distance == 0) {
                                nt_attacked = nt;
                        } else {
                                if (nt_distance == -99999) { // invalid nonce received
-                                       unexpected_random++;
+                                       ++unexpected_random;
                                        if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
                                                isOK = -3;              // Card has an unpredictable PRNG. Give up      
                                                break;
                                        if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
                                                isOK = -3;              // Card has an unpredictable PRNG. Give up      
                                                break;
-                                       } else {
+                                       } else {                                                
+                                               if (sync_cycles <= 0) sync_cycles += PRNG_SEQUENCE_LENGTH;
+                                               LED_B_OFF();
                                                continue;               // continue trying...
                                        }
                                }
                                                continue;               // continue trying...
                                        }
                                }
+                               
                                if (++sync_tries > MAX_SYNC_TRIES) {
                                if (++sync_tries > MAX_SYNC_TRIES) {
-                                       if (strategy > MAX_STRATEGY || MF_DBGLEVEL < 3) {
-                                               isOK = -4;                      // Card's PRNG runs at an unexpected frequency or resets unexpectedly
-                                               break;
-                                       } else {                                // continue for a while, just to collect some debug info
-                                               debug_info[strategy][debug_info_nr] = nt_distance;
-                                               debug_info_nr++;
-                                               if (debug_info_nr == NUM_DEBUG_INFOS) {
-                                                       strategy++;
-                                                       debug_info_nr = 0;
-                                               }
-                                               continue;
-                                       }
+                                       isOK = -4;                      // Card's PRNG runs at an unexpected frequency or resets unexpectedly
+                                       break;
                                }
                                }
-                               sync_cycles = (sync_cycles - nt_distance/elapsed_prng_sequences);
-                               if (sync_cycles <= 0) {
+                               
+                               sync_cycles = (sync_cycles - nt_distance)/elapsed_prng_sequences;
+                               
+                               if (sync_cycles <= 0)
                                        sync_cycles += PRNG_SEQUENCE_LENGTH;
                                        sync_cycles += PRNG_SEQUENCE_LENGTH;
-                               }
-                               if (MF_DBGLEVEL >= 3) {
+                               
+                               if (MF_DBGLEVEL >= 4)
                                        Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
                                        Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
-                               }
+
+                               LED_B_OFF();
                                continue;
                        }
                }
                                continue;
                        }
                }
+               LED_B_OFF();
 
 
-               if ((nt != nt_attacked) && nt_attacked) {       // we somehow lost sync. Try to catch up again...
-                       catch_up_cycles = -dist_nt(nt_attacked, nt);
+               if ( (nt != nt_attacked) && nt_attacked) {      // we somehow lost sync. Try to catch up again...
+                       
+                       catch_up_cycles = ABS(dist_nt(nt_attacked, nt));
                        if (catch_up_cycles == 99999) {                 // invalid nonce received. Don't resync on that one.
                                catch_up_cycles = 0;
                                continue;
                        if (catch_up_cycles == 99999) {                 // invalid nonce received. Don't resync on that one.
                                catch_up_cycles = 0;
                                continue;
-                       }
+                       }               
+                       // average? 
                        catch_up_cycles /= elapsed_prng_sequences;
                        catch_up_cycles /= elapsed_prng_sequences;
+               
                        if (catch_up_cycles == last_catch_up) {
                        if (catch_up_cycles == last_catch_up) {
-                               consecutive_resyncs++;
-                       }
-                       else {
+                               ++consecutive_resyncs;
+                       } else {
                                last_catch_up = catch_up_cycles;
                            consecutive_resyncs = 0;
                                last_catch_up = catch_up_cycles;
                            consecutive_resyncs = 0;
-                       }
+                       }               
+                       
                        if (consecutive_resyncs < 3) {
                        if (consecutive_resyncs < 3) {
-                               if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
-                       }
-                       else {  
-                               sync_cycles = sync_cycles + catch_up_cycles;
-                               if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
+                               if (MF_DBGLEVEL >= 4)
+                                       Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, catch_up_cycles, consecutive_resyncs);
+                       } else {        
+                               sync_cycles += catch_up_cycles;
+                               
+                               if (MF_DBGLEVEL >= 4) 
+                                       Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, catch_up_cycles, sync_cycles);
+
                                last_catch_up = 0;
                                catch_up_cycles = 0;
                                consecutive_resyncs = 0;
                                last_catch_up = 0;
                                catch_up_cycles = 0;
                                consecutive_resyncs = 0;
@@ -2449,21 +2368,15 @@ void ReaderMifare(bool first_try)
                        continue;
                }
  
                        continue;
                }
  
-               consecutive_resyncs = 0;
-               
                // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
                if (ReaderReceive(receivedAnswer, receivedAnswerPar)) {
                        catch_up_cycles = 8;    // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
        
                // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
                if (ReaderReceive(receivedAnswer, receivedAnswerPar)) {
                        catch_up_cycles = 8;    // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
        
-                       if (nt_diff == 0) {
+                       if (nt_diff == 0)
                                par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
                                par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
-                       }
-
-                       led_on = !led_on;
-                       if(led_on) LED_B_ON(); else LED_B_OFF();
 
                        par_list[nt_diff] = SwapBits(par[0], 8);
 
                        par_list[nt_diff] = SwapBits(par[0], 8);
-                       ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
+                       ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;  // xor with NACK value to get keystream
 
                        // Test if the information is complete
                        if (nt_diff == 0x07) {
 
                        // Test if the information is complete
                        if (nt_diff == 0x07) {
@@ -2474,170 +2387,214 @@ void ReaderMifare(bool first_try)
                        nt_diff = (nt_diff + 1) & 0x07;
                        mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
                        par[0] = par_low;
                        nt_diff = (nt_diff + 1) & 0x07;
                        mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
                        par[0] = par_low;
+                       
                } else {
                } else {
-                       if (nt_diff == 0 && first_try)
-                       {
+                       // No NACK.     
+                       if (nt_diff == 0 && first_try) {
                                par[0]++;
                                par[0]++;
-                               if (par[0] == 0x00) {           // tried all 256 possible parities without success. Card doesn't send NACK.
+                               if (par[0] == 0x00) {   // tried all 256 possible parities without success. Card doesn't send NACK.
                                        isOK = -2;
                                        break;
                                }
                        } else {
                                        isOK = -2;
                                        break;
                                }
                        } else {
+                               // Why this?
                                par[0] = ((par[0] & 0x1F) + 1) | par_low;
                        }
                }
                                par[0] = ((par[0] & 0x1F) + 1) | par_low;
                        }
                }
-       }
-
+               
+               // reset the resyncs since we got a complete transaction on right time.
+               consecutive_resyncs = 0;
+       } // end for loop
 
        mf_nr_ar[3] &= 0x1F;
 
        mf_nr_ar[3] &= 0x1F;
+
+       if (MF_DBGLEVEL >= 4) Dbprintf("Number of sent auth requestes: %u", i);
        
        
-       if (isOK == -4) {
-               if (MF_DBGLEVEL >= 3) {
-                       for (uint16_t i = 0; i <= MAX_STRATEGY; i++) {
-                               for(uint16_t j = 0; j < NUM_DEBUG_INFOS; j++) {
-                                       Dbprintf("collected debug info[%d][%d] = %d", i, j, debug_info[i][j]);
-                               }
-                       }
-               }
-       }
-       
-       byte_t buf[28];
-       memcpy(buf + 0,  uid, 4);
+       uint8_t buf[28] = {0x00};
+       memset(buf, 0x00, sizeof(buf));
+       num_to_bytes(cuid, 4, buf);
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
        memcpy(buf + 16, ks_list, 8);
        memcpy(buf + 24, mf_nr_ar, 4);
                
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
        memcpy(buf + 16, ks_list, 8);
        memcpy(buf + 24, mf_nr_ar, 4);
                
-       cmd_send(CMD_ACK,isOK,0,0,buf,28);
+       cmd_send(CMD_ACK, isOK, 0, 0, buf, sizeof(buf) );
 
 
-       // Thats it...
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
-
        set_tracing(FALSE);
 }
 
        set_tracing(FALSE);
 }
 
+
 /**
   *MIFARE 1K simulate.
   *
   *@param flags :
 /**
   *MIFARE 1K simulate.
   *
   *@param flags :
-  *    FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
-  * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
-  * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
-  *    FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later
+  *    FLAG_INTERACTIVE                - In interactive mode, we are expected to finish the operation with an ACK
+  * FLAG_4B_UID_IN_DATA                - use 4-byte UID in the data-section
+  * FLAG_7B_UID_IN_DATA                - use 7-byte UID in the data-section
+  * FLAG_10B_UID_IN_DATA       - use 10-byte UID in the data-section
+  * FLAG_UID_IN_EMUL           - use 4-byte UID from emulator memory
+  *    FLAG_NR_AR_ATTACK               - collect NR_AR responses for bruteforcing later
   *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
   */
   *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
   */
-void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
-{
+void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) {
        int cardSTATE = MFEMUL_NOFIELD;
        int cardSTATE = MFEMUL_NOFIELD;
-       int _7BUID = 0;
+       int _UID_LEN = 0;  // 4, 7, 10
        int vHf = 0;    // in mV
        int vHf = 0;    // in mV
-       int res;
+       int res = 0;
        uint32_t selTimer = 0;
        uint32_t authTimer = 0;
        uint16_t len = 0;
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
        uint32_t selTimer = 0;
        uint32_t authTimer = 0;
        uint16_t len = 0;
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
-//     uint32_t cardRr = 0;
        uint32_t cuid = 0;
        uint32_t cuid = 0;
-       //uint32_t rn_enc = 0;
        uint32_t ans = 0;
        uint32_t cardINTREG = 0;
        uint8_t cardINTBLOCK = 0;
        struct Crypto1State mpcs = {0, 0};
        struct Crypto1State *pcs;
        pcs = &mpcs;
        uint32_t ans = 0;
        uint32_t cardINTREG = 0;
        uint8_t cardINTBLOCK = 0;
        struct Crypto1State mpcs = {0, 0};
        struct Crypto1State *pcs;
        pcs = &mpcs;
-       uint32_t numReads = 0;//Counts numer of times reader read a block
-       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
-       uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
-       uint8_t response[MAX_MIFARE_FRAME_SIZE];
-       uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
-       
-       uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
-       uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
-       uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
-       uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
-       //uint8_t rSAK[] = {0x09, 0x3f, 0xcc };  // Mifare Mini 
-       uint8_t rSAK1[] = {0x04, 0xda, 0x17};
-
-       uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};
+       uint32_t numReads = 0;  // Counts numer of times reader read a block
+       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
+       uint8_t response[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t response_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
+       
+       uint8_t atqa[]   = {0x04, 0x00}; // Mifare classic 1k
+       uint8_t sak_4[]  = {0x0C, 0x00, 0x00}; // CL1 - 4b uid
+       uint8_t sak_7[]  = {0x0C, 0x00, 0x00}; // CL2 - 7b uid
+       uint8_t sak_10[] = {0x0C, 0x00, 0x00}; // CL3 - 10b uid
+       // uint8_t sak[] = {0x09, 0x3f, 0xcc };  // Mifare Mini 
+       
+       uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
+       uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
+       uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
+
+       uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};  // very random nonce
+       // uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this?
        uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
                
        uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
                
-       //Here, we collect UID1,UID2,NT,AR,NR,0,0,NT2,AR2,NR2
+       // Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2
        // This can be used in a reader-only attack.
        // This can be used in a reader-only attack.
-       // (it can also be retrieved via 'hf 14a list', but hey...
-       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
-       uint8_t ar_nr_collected = 0;
+       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius)
+       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
+
+       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
+       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+       uint8_t nonce1_count = 0;
+       uint8_t nonce2_count = 0;
+       uint8_t moebius_n_count = 0;
+       bool gettingMoebius = false;
+       uint8_t mM = 0; // moebius_modifier for collection storage
+       bool doBufResetNext = false;
 
        // Authenticate response - nonce
        uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
        
 
        // Authenticate response - nonce
        uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
        
-       //-- Determine the UID
-       // Can be set from emulator memory, incoming data
-       // and can be 7 or 4 bytes long
-       if (flags & FLAG_4B_UID_IN_DATA)
-       {
-               // 4B uid comes from data-portion of packet
-               memcpy(rUIDBCC1,datain,4);
-               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-
-       } else if (flags & FLAG_7B_UID_IN_DATA) {
-               // 7B uid comes from data-portion of packet
-               memcpy(&rUIDBCC1[1],datain,3);
-               memcpy(rUIDBCC2, datain+3, 4);
-               _7BUID = true;
-       } else {
-               // get UID from emul memory
-               emlGetMemBt(receivedCmd, 7, 1);
-               _7BUID = !(receivedCmd[0] == 0x00);
-               if (!_7BUID) {                     // ---------- 4BUID
-                       emlGetMemBt(rUIDBCC1, 0, 4);
-               } else {                           // ---------- 7BUID
-                       emlGetMemBt(&rUIDBCC1[1], 0, 3);
-                       emlGetMemBt(rUIDBCC2, 3, 4);
-               }
-       }
-
-       // save uid.
-       ar_nr_responses[0*5]   = bytes_to_num(rUIDBCC1+1, 3);
-       if ( _7BUID )
-               ar_nr_responses[0*5+1] = bytes_to_num(rUIDBCC2, 4);
-
-       /*
-        * Regardless of what method was used to set the UID, set fifth byte and modify
-        * the ATQA for 4 or 7-byte UID
-        */
-       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-       if (_7BUID) {
-               rATQA[0] = 0x44;
-               rUIDBCC1[0] = 0x88;
-               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-               rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+       // -- Determine the UID
+       // Can be set from emulator memory or incoming data
+       // Length: 4,7,or 10 bytes
+       if ( (flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL)
+               emlGetMemBt(datain, 0, 10);  // load 10bytes from EMUL to the datain pointer. to be used below.
+       
+       if ( (flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) {
+               memcpy(rUIDBCC1, datain, 4);
+               _UID_LEN = 4;
+       } else if ( (flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA) {
+               memcpy(&rUIDBCC1[1], datain,   3);
+               memcpy( rUIDBCC2,    datain+3, 4);
+               _UID_LEN = 7;
+       } else if ( (flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) {
+               memcpy(&rUIDBCC1[1], datain,   3);
+               memcpy(&rUIDBCC2[1], datain+3, 3);
+               memcpy( rUIDBCC3,    datain+6, 4);
+               _UID_LEN = 10;
        }
 
        }
 
-       if (MF_DBGLEVEL >= 1)   {
-               if (!_7BUID) {
-                       Dbprintf("4B UID: %02x%02x%02x%02x", 
-                               rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
-               } else {
-                       Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
-                               rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
-                               rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
-               }
+       switch (_UID_LEN) {
+               case 4:
+                       sak_4[0] &= 0xFB;               
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC1, 4);
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("4B UID: %02x%02x%02x%02x", 
+                                       rUIDBCC1[0],
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3]
+                               );
+                       }
+                       break;
+               case 7:
+                       atqa[0] |= 0x40;
+                       sak_7[0] &= 0xFB;                                               
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC2, 4);                       
+                        // CascadeTag, CT
+                       rUIDBCC1[0] = 0x88;
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; 
+                       rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; 
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3],
+                                       rUIDBCC2[0],
+                                       rUIDBCC2[1],
+                                       rUIDBCC2[2],
+                                       rUIDBCC2[3]
+                               );
+                       }
+                       break;
+               case 10:
+                       atqa[0] |= 0x80;
+                       sak_10[0] &= 0xFB;                                      
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC3, 4);
+                        // CascadeTag, CT
+                       rUIDBCC1[0] = 0x88;
+                       rUIDBCC2[0] = 0x88;
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+                       rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+                       rUIDBCC3[4] = rUIDBCC3[0] ^ rUIDBCC3[1] ^ rUIDBCC3[2] ^ rUIDBCC3[3];
+
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("10B UID: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3],
+                                       rUIDBCC2[1],
+                                       rUIDBCC2[2],
+                                       rUIDBCC2[3],
+                                       rUIDBCC3[0],
+                                       rUIDBCC3[1],
+                                       rUIDBCC3[2],
+                                       rUIDBCC3[3]
+                               );
+                       }
+                       break;
+               default: 
+                       break;
        }
        }
-
+       // calc some crcs
+       ComputeCrc14443(CRC_14443_A, sak_4, 1, &sak_4[1], &sak_4[2]);
+       ComputeCrc14443(CRC_14443_A, sak_7, 1, &sak_7[1], &sak_7[2]);
+       ComputeCrc14443(CRC_14443_A, sak_10, 1, &sak_10[1], &sak_10[2]);
+       
        // We need to listen to the high-frequency, peak-detected path.
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        // free eventually allocated BigBuf memory but keep Emulator Memory
        BigBuf_free_keep_EM();
        // We need to listen to the high-frequency, peak-detected path.
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        // free eventually allocated BigBuf memory but keep Emulator Memory
        BigBuf_free_keep_EM();
-
-       // clear trace
        clear_trace();
        set_tracing(TRUE);
 
        clear_trace();
        set_tracing(TRUE);
 
-
        bool finished = FALSE;
        while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) {
                WDT_HIT();
        bool finished = FALSE;
        while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) {
                WDT_HIT();
@@ -2650,29 +2607,28 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                LED_A_ON();
                        }
                } 
                                LED_A_ON();
                        }
                } 
-               if(cardSTATE == MFEMUL_NOFIELD) continue;
+               if (cardSTATE == MFEMUL_NOFIELD) continue;
 
 
-               //Now, get data
+               // Now, get data
                res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
                if (res == 2) { //Field is off!
                        cardSTATE = MFEMUL_NOFIELD;
                        LEDsoff();
                        continue;
                } else if (res == 1) {
                res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
                if (res == 2) { //Field is off!
                        cardSTATE = MFEMUL_NOFIELD;
                        LEDsoff();
                        continue;
                } else if (res == 1) {
-                       break;  //return value 1 means button press
+                       break;  // return value 1 means button press
                }
                        
                // REQ or WUP request in ANY state and WUP in HALTED state
                }
                        
                // REQ or WUP request in ANY state and WUP in HALTED state
-               if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
+               // this if-statement doesn't match the specification above. (iceman)
+               if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
                        selTimer = GetTickCount();
                        selTimer = GetTickCount();
-                       EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
+                       EmSendCmdEx(atqa, sizeof(atqa), (receivedCmd[0] == ISO14443A_CMD_WUPA));
                        cardSTATE = MFEMUL_SELECT1;
                        cardSTATE = MFEMUL_SELECT1;
-
-                       // init crypto block
-                       LED_B_OFF();
-                       LED_C_OFF();
                        crypto1_destroy(pcs);
                        cardAUTHKEY = 0xff;
                        crypto1_destroy(pcs);
                        cardAUTHKEY = 0xff;
+                       LEDsoff();
+                       nonce++; 
                        continue;
                }
                
                        continue;
                }
                
@@ -2684,158 +2640,258 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                break;
                        }
                        case MFEMUL_SELECT1:{
                                break;
                        }
                        case MFEMUL_SELECT1:{
-                               // select all
-                               if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("SELECT ALL received");
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
                                        break;
                                }
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("SELECT ALL received");
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
                                        break;
                                }
-
-                               if (MF_DBGLEVEL >= 4 && len == 9 && receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 )
-                               {
-                                       Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
-                               }
                                // select card
                                if (len == 9 && 
                                // select card
                                if (len == 9 && 
-                                               (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
-                                       EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK));
-                                       cuid = bytes_to_num(rUIDBCC1, 4);
-                                       if (!_7BUID) {
-                                               cardSTATE = MFEMUL_WORK;
-                                               LED_B_ON();
-                                               if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
-                                               break;
-                                       } else {
-                                               cardSTATE = MFEMUL_SELECT2;
+                                               ( receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT &&
+                                                 receivedCmd[1] == 0x70 && 
+                                                 memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
+                                       
+                                       // SAK 4b 
+                                       EmSendCmd(sak_4, sizeof(sak_4));
+                                       switch(_UID_LEN){
+                                               case 4:
+                                                       cardSTATE = MFEMUL_WORK;
+                                                       LED_B_ON();
+                                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
+                                                       continue;
+                                               case 7:
+                                               case 10:
+                                                       cardSTATE = MFEMUL_SELECT2;
+                                                       continue;
+                                               default:break;
                                        }
                                        }
+                               } else {
+                                       cardSTATE_TO_IDLE();
                                }
                                break;
                        }
                                }
                                break;
                        }
-                       case MFEMUL_AUTH1:{
-                               if( len != 8)
-                               {
-                                       cardSTATE_TO_IDLE();
+                       case MFEMUL_SELECT2:{
+                               if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
-
-                               uint32_t ar = bytes_to_num(receivedCmd, 4);
-                               uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
-
-                               //Collect AR/NR
-                               //if(ar_nr_collected < 2 && cardAUTHSC == 2){
-                               if(ar_nr_collected < 2){
-                                       if(ar_nr_responses[2] != ar)
-                                       {// Avoid duplicates... probably not necessary, ar should vary. 
-                                               //ar_nr_responses[ar_nr_collected*5]   = 0;
-                                               //ar_nr_responses[ar_nr_collected*5+1] = 0;
-                                               ar_nr_responses[ar_nr_collected*5+2] = nonce;
-                                               ar_nr_responses[ar_nr_collected*5+3] = nr;
-                                               ar_nr_responses[ar_nr_collected*5+4] = ar;
-                                               ar_nr_collected++;
-                                       }                                               
-                                       // Interactive mode flag, means we need to send ACK
-                                       if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
-                                       {
-                                               finished = true;
-                                       }
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
+                                       EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
+                                       break;
                                }
                                }
-
-                               // --- crypto
-                               //crypto1_word(pcs, ar , 1);
-                               //cardRr = nr ^ crypto1_word(pcs, 0, 0);
-
-                               //test if auth OK
-                               //if (cardRr != prng_successor(nonce, 64)){
-                                       
-                                       //if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
-                                       //      cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
-                                       //              cardRr, prng_successor(nonce, 64));
-                                       // Shouldn't we respond anything here?
-                                       // Right now, we don't nack or anything, which causes the
-                                       // reader to do a WUPA after a while. /Martin
-                                       // -- which is the correct response. /piwi
-                                       //cardSTATE_TO_IDLE();
-                                       //LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                                       //break;
-                               //}
-
-                               ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
-
-                               num_to_bytes(ans, 4, rAUTH_AT);
-                               // --- crypto
-                               EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
-                               LED_C_ON();
-                               cardSTATE = MFEMUL_WORK;
-                               if (MF_DBGLEVEL >= 4)   Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", 
-                                       cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
-                                       GetTickCount() - authTimer);
+                               if (len == 9 && 
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 &&
+                                                receivedCmd[1] == 0x70 && 
+                                                memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0) ) {
+                                                        
+                                       EmSendCmd(sak_7, sizeof(sak_7));
+                                       switch(_UID_LEN){
+                                               case 7:
+                                                       cardSTATE = MFEMUL_WORK;
+                                                       LED_B_ON();
+                                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+                                                       continue;
+                                               case 10:
+                                                       cardSTATE = MFEMUL_SELECT3;
+                                                       continue;
+                                               default:break;
+                                       }
+                               } 
+                               cardSTATE_TO_IDLE();
                                break;
                        }
                                break;
                        }
-                       case MFEMUL_SELECT2:{
+                       case MFEMUL_SELECT3:{
                                if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
-                               if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
-                                       EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && receivedCmd[1] == 0x20)) {
+                                       EmSendCmd(rUIDBCC3, sizeof(rUIDBCC3));
                                        break;
                                }
                                        break;
                                }
-
-                               // select 2 card
                                if (len == 9 && 
                                if (len == 9 && 
-                                               (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
-                                       EmSendCmd(rSAK, sizeof(rSAK));
-                                       cuid = bytes_to_num(rUIDBCC2, 4);
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 &&
+                                                receivedCmd[1] == 0x70 && 
+                                                memcmp(&receivedCmd[2], rUIDBCC3, 4) == 0) ) {
+
+                                       EmSendCmd(sak_10, sizeof(sak_10));
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
-                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol3 time: %d", GetTickCount() - selTimer);
+                                       break;
+                               }
+                               cardSTATE_TO_IDLE();
+                               break;
+                       }
+                       case MFEMUL_AUTH1:{
+                               if( len != 8) {
+                                       cardSTATE_TO_IDLE();
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        break;
                                }
+
+                               uint32_t nr = bytes_to_num(receivedCmd, 4);
+                               uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
+
+                               if (doBufResetNext) {
+                                       // Reset, lets try again!
+                                       Dbprintf("Re-read after previous NR_AR_ATTACK, resetting buffer");
+                                       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
+                                       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+                                       mM = 0;
+                                       doBufResetNext = false;
+                               }
+
+                               for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                       if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
+
+                                               // if first auth for sector, or matches sector and keytype of previous auth
+                                               if (ar_nr_collected[i+mM] < 2) {
+                                                       // if we haven't already collected 2 nonces for this sector
+                                                       if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+                                                               // Avoid duplicates... probably not necessary, ar should vary.
+                                                               if (ar_nr_collected[i+mM]==0) {
+                                                                       // first nonce collect
+                                                                       ar_nr_resp[i+mM].cuid = cuid;
+                                                                       ar_nr_resp[i+mM].sector = cardAUTHSC;
+                                                                       ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+                                                                       ar_nr_resp[i+mM].nonce = nonce;
+                                                                       ar_nr_resp[i+mM].nr = nr;
+                                                                       ar_nr_resp[i+mM].ar = ar;
+                                                                       nonce1_count++;
+                                                                       // add this nonce to first moebius nonce
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+                                                                       ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+                                                               } else { // second nonce collect (std and moebius)
+                                                                       ar_nr_resp[i+mM].nonce2 = nonce;
+                                                                       ar_nr_resp[i+mM].nr2 = nr;
+                                                                       ar_nr_resp[i+mM].ar2 = ar;
+                                                                       if (!gettingMoebius) {
+                                                                               nonce2_count++;
+                                                                               // check if this was the last second nonce we need for std attack
+                                                                               if ( nonce2_count == nonce1_count ) {
+                                                                                       // done collecting std test switch to moebius
+                                                                                       // first finish incrementing last sample
+                                                                                       ar_nr_collected[i+mM]++; 
+                                                                                       // switch to moebius collection
+                                                                                       gettingMoebius = true;
+                                                                                       mM = ATTACK_KEY_COUNT;
+                                                                                       break;
+                                                                               }
+                                                                       } else {
+                                                                               moebius_n_count++;
+                                                                               // if we've collected all the nonces we need - finish.
+
+                                                                               if (nonce1_count == moebius_n_count) {
+                                                                                       cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
+                                                                                       nonce1_count = 0;
+                                                                                       nonce2_count = 0;
+                                                                                       moebius_n_count = 0;
+                                                                                       gettingMoebius = false;
+                                                                                       doBufResetNext = true;
+                                                                                       finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE));
+                                                                               }
+                                                                       }
+                                                               }
+                                                               ar_nr_collected[i+mM]++;
+                                                       }
+                                               }
+                                               // we found right spot for this nonce stop looking
+                                               break;
+                                       }
+                               }
+
+
+                               /*
+                               // Collect AR/NR
+                               // if(ar_nr_collected < 2 && cardAUTHSC == 2){
+                               if(ar_nr_collected < 2) {                                       
+                                       // if(ar_nr_responses[2] != nr) {
+                                               ar_nr_responses[ar_nr_collected*4]   = cuid;
+                                               ar_nr_responses[ar_nr_collected*4+1] = nonce;
+                                               ar_nr_responses[ar_nr_collected*4+2] = nr;
+                                               ar_nr_responses[ar_nr_collected*4+3] = ar;
+                                               ar_nr_collected++;
+                                       // }                                    
+               
+                                       // Interactive mode flag, means we need to send ACK
+                                       finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)&& ar_nr_collected == 2);
+                               }
+                               
+                               crypto1_word(pcs, ar , 1);
+                               cardRr = nr ^ crypto1_word(pcs, 0, 0);
                                
                                
-                               // i guess there is a command). go into the work state.
-                               if (len != 4) {
+                               test if auth OK
+                               if (cardRr != prng_successor(nonce, 64)){
+                                       
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
+                                               cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
+                                                       cardRr, prng_successor(nonce, 64));
+                                       Shouldn't we respond anything here?
+                                       Right now, we don't nack or anything, which causes the
+                                       reader to do a WUPA after a while. /Martin
+                                       -- which is the correct response. /piwi
+                                       cardSTATE_TO_IDLE();
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
+                               */
+                               
+                               ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
+                               num_to_bytes(ans, 4, rAUTH_AT);
+                               EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
+                               LED_C_ON();
+                               
+                               if (MF_DBGLEVEL >= 4) {
+                                       Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", 
+                                               cardAUTHSC, 
+                                               cardAUTHKEY == 0 ? 'A' : 'B',
+                                               GetTickCount() - authTimer
+                                       );
+                               }
                                cardSTATE = MFEMUL_WORK;
                                cardSTATE = MFEMUL_WORK;
-                               //goto lbWORK;
-                               //intentional fall-through to the next case-stmt
+                               break;
                        }
                        }
-
                        case MFEMUL_WORK:{
                                if (len == 0) {
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                        case MFEMUL_WORK:{
                                if (len == 0) {
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
-                               }
-                               
+                               }               
                                bool encrypted_data = (cardAUTHKEY != 0xFF) ;
 
                                bool encrypted_data = (cardAUTHKEY != 0xFF) ;
 
-                               if(encrypted_data) {
-                                       // decrypt seqence
+                               if(encrypted_data)
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
-                               }
                                
                                
-                               if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
+                               if (len == 4 && (receivedCmd[0] == MIFARE_AUTH_KEYA || 
+                                                receivedCmd[0] == MIFARE_AUTH_KEYB)  ) {
+
                                        authTimer = GetTickCount();
                                        cardAUTHSC = receivedCmd[1] / 4;  // received block num
                                        authTimer = GetTickCount();
                                        cardAUTHSC = receivedCmd[1] / 4;  // received block num
-                                       cardAUTHKEY = receivedCmd[0] - 0x60;
-                                       crypto1_destroy(pcs);//Added by martin
+                                       cardAUTHKEY = receivedCmd[0] - 0x60; // & 1
+                                       crypto1_destroy(pcs);
                                        crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
 
                                        crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
 
-                                       if (!encrypted_data) { // first authentication
+                                       if (!encrypted_data) { 
+                                               // first authentication
+                                               crypto1_word(pcs, cuid ^ nonce, 0);// Update crypto state
+                                               num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
+                                               
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY  );
 
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY  );
 
-                                               crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
-                                               num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
-                                       } else { // nested authentication
-                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
+                                       } else {
+                                               // nested authentication
                                                ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
                                                num_to_bytes(ans, 4, rAUTH_AT);
                                                ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
                                                num_to_bytes(ans, 4, rAUTH_AT);
+
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
                                        }
 
                                        EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
                                        }
 
                                        EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
-                                       //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
                                        cardSTATE = MFEMUL_AUTH1;
                                        break;
                                }
                                        cardSTATE = MFEMUL_AUTH1;
                                        break;
                                }
@@ -2858,12 +2914,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
 
                                        break;
                                }
 
-                               if(receivedCmd[0] == 0x30 // read block
-                                               || receivedCmd[0] == 0xA0 // write block
-                                               || receivedCmd[0] == 0xC0 // inc
-                                               || receivedCmd[0] == 0xC1 // dec
-                                               || receivedCmd[0] == 0xC2 // restore
-                                               || receivedCmd[0] == 0xB0) { // transfer
+                               if ( receivedCmd[0] == ISO14443A_CMD_READBLOCK ||
+                                        receivedCmd[0] == ISO14443A_CMD_WRITEBLOCK ||
+                                        receivedCmd[0] == MIFARE_CMD_INC ||
+                                        receivedCmd[0] == MIFARE_CMD_DEC ||
+                                        receivedCmd[0] == MIFARE_CMD_RESTORE ||
+                                        receivedCmd[0] == MIFARE_CMD_TRANSFER ) {
+                                               
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
@@ -2877,10 +2934,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        }
                                }
                                // read block
                                        }
                                }
                                // read block
-                               if (receivedCmd[0] == 0x30) {
-                                       if (MF_DBGLEVEL >= 4) {
-                                               Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]);
-                                       }
+                               if (receivedCmd[0] == ISO14443A_CMD_READBLOCK) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("Reader reading block %d (0x%02x)", receivedCmd[1], receivedCmd[1]);
+
                                        emlGetMem(response, receivedCmd[1], 1);
                                        AppendCrc14443a(response, 16);
                                        mf_crypto1_encrypt(pcs, response, 18, response_par);
                                        emlGetMem(response, receivedCmd[1], 1);
                                        AppendCrc14443a(response, 16);
                                        mf_crypto1_encrypt(pcs, response, 18, response_par);
@@ -2893,34 +2949,35 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
                                // write block
                                        break;
                                }
                                // write block
-                               if (receivedCmd[0] == 0xA0) {
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd[1],receivedCmd[1]);
+                               if (receivedCmd[0] == ISO14443A_CMD_WRITEBLOCK) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)", receivedCmd[1], receivedCmd[1]);
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        cardSTATE = MFEMUL_WRITEBL2;
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // increment, decrement, restore
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        cardSTATE = MFEMUL_WRITEBL2;
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // increment, decrement, restore
-                               if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+                               if ( receivedCmd[0] == MIFARE_CMD_INC || 
+                                    receivedCmd[0] == MIFARE_CMD_DEC || 
+                                        receivedCmd[0] == MIFARE_CMD_RESTORE) {
+
+                                        if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0], receivedCmd[1], receivedCmd[1]);
+
                                        if (emlCheckValBl(receivedCmd[1])) {
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        if (emlCheckValBl(receivedCmd[1])) {
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
-                                       if (receivedCmd[0] == 0xC1)
-                                               cardSTATE = MFEMUL_INTREG_INC;
-                                       if (receivedCmd[0] == 0xC0)
-                                               cardSTATE = MFEMUL_INTREG_DEC;
-                                       if (receivedCmd[0] == 0xC2)
-                                               cardSTATE = MFEMUL_INTREG_REST;
+                                       if (receivedCmd[0] == MIFARE_CMD_INC)           cardSTATE = MFEMUL_INTREG_INC;
+                                       if (receivedCmd[0] == MIFARE_CMD_DEC)           cardSTATE = MFEMUL_INTREG_DEC;
+                                       if (receivedCmd[0] == MIFARE_CMD_RESTORE)       cardSTATE = MFEMUL_INTREG_REST;
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // transfer
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // transfer
-                               if (receivedCmd[0] == 0xB0) {
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+                               if (receivedCmd[0] == MIFARE_CMD_TRANSFER) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)", receivedCmd[0], receivedCmd[1], receivedCmd[1]);
                                        if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        else
                                        if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        else
@@ -2928,7 +2985,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
                                // halt
                                        break;
                                }
                                // halt
-                               if (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00) {
+                               if (receivedCmd[0] == ISO14443A_CMD_HALT && receivedCmd[1] == 0x00) {
                                        LED_B_OFF();
                                        LED_C_OFF();
                                        cardSTATE = MFEMUL_HALTED;
                                        LED_B_OFF();
                                        LED_C_OFF();
                                        cardSTATE = MFEMUL_HALTED;
@@ -2937,7 +2994,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
                                // RATS
                                        break;
                                }
                                // RATS
-                               if (receivedCmd[0] == 0xe0) {//RATS
+                               if (receivedCmd[0] == ISO14443A_CMD_RATS) {
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        break;
                                }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        break;
                                }
@@ -2947,7 +3004,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                break;
                        }
                        case MFEMUL_WRITEBL2:{
                                break;
                        }
                        case MFEMUL_WRITEBL2:{
-                               if (len == 18){
+                               if (len == 18) {
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
                                        emlSetMem(receivedCmd, cardWRBL, 1);
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
                                        emlSetMem(receivedCmd, cardWRBL, 1);
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
@@ -2958,7 +3015,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                }
                                break;
                        }
                                }
                                break;
                        }
-                       
                        case MFEMUL_INTREG_INC:{
                                mf_crypto1_decrypt(pcs, receivedCmd, len);
                                memcpy(&ans, receivedCmd, 4);
                        case MFEMUL_INTREG_INC:{
                                mf_crypto1_decrypt(pcs, receivedCmd, len);
                                memcpy(&ans, receivedCmd, 4);
@@ -3000,54 +3056,50 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                }
        }
 
                }
        }
 
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       LEDsoff();
-
-       if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
-       {
-               //May just aswell send the collected ar_nr in the response aswell
-               uint8_t len = ar_nr_collected*5*4;
+       // Interactive mode flag, means we need to send ACK
+       /*
+       if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE) {
+               // May just aswell send the collected ar_nr in the response aswell
+               uint8_t len = ar_nr_collected * 4 * 4;
                cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
        }
                cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
        }
-
-       if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 )
-       {
-               if(ar_nr_collected > 1 ) {
-                       Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
-                       Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x",
-                                       ar_nr_responses[0], // UID1
-                                       ar_nr_responses[1], // UID2
-                                       ar_nr_responses[2], // NT
-                                       ar_nr_responses[3], // AR1
-                                       ar_nr_responses[4], // NR1
-                                       ar_nr_responses[8], // AR2
-                                       ar_nr_responses[9]  // NR2
-                                       );
-                       Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
-                                       ar_nr_responses[0], // UID1
-                                       ar_nr_responses[1], // UID2
-                                       ar_nr_responses[2], // NT1
-                                       ar_nr_responses[3], // AR1
-                                       ar_nr_responses[4], // NR1
-                                       ar_nr_responses[7], // NT2
-                                       ar_nr_responses[8], // AR2
-                                       ar_nr_responses[9]  // NR2
-                                       );
-               } else {
-                       Dbprintf("Failed to obtain two AR/NR pairs!");
-                       if(ar_nr_collected > 0 ) {
-                               Dbprintf("Only got these: UID=%06x%08x, nonce=%08x, AR1=%08x, NR1=%08x",
-                                               ar_nr_responses[0], // UID1
-                                               ar_nr_responses[1], // UID2
-                                               ar_nr_responses[2], // NT
-                                               ar_nr_responses[3], // AR1
-                                               ar_nr_responses[4]  // NR1
+       
+   */
+       if( ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) && MF_DBGLEVEL >= 1 ) {
+               for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
+                                               );
+                       }
+               }       
+               for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nonce2,//NT2
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
                                                );
                        }
                }
        }
                                                );
                        }
                }
        }
-       if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
        
        
+       
+       if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
+       
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
        set_tracing(FALSE);
 }
 
        set_tracing(FALSE);
 }
 
@@ -3055,32 +3107,30 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
+// if no activity for 2sec, it sends the collected data to the client.
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
+// "hf mf sniff"
 void RAMFUNC SniffMifare(uint8_t param) {
 void RAMFUNC SniffMifare(uint8_t param) {
-       // param:
-       // bit 0 - trigger from first card answer
-       // bit 1 - trigger from first reader 7-bit request
 
 
-       // C(red) A(yellow) B(green)
        LEDsoff();
        LEDsoff();
-       // init trace buffer
+
+       // free eventually allocated BigBuf memory
+       BigBuf_free(); BigBuf_Clear_ext(false);
        clear_trace();
        set_tracing(TRUE);
 
        // The command (reader -> tag) that we're receiving.
        clear_trace();
        set_tracing(TRUE);
 
        // The command (reader -> tag) that we're receiving.
-       // The length of a received command will in most cases be no more than 18 bytes.
-       // So 32 should be enough!
-       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
-       uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE];
+       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};    
+       uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
+
        // The response (tag -> reader) that we're receiving.
        // The response (tag -> reader) that we're receiving.
-       uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
-       uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
+       uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 
        iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
 
 
        iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
 
-       // free eventually allocated BigBuf memory
-       BigBuf_free();
        // allocate the DMA buffer, used to stream samples from the FPGA
        // allocate the DMA buffer, used to stream samples from the FPGA
+       // [iceman] is this sniffed data unsigned?
        uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
        uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
@@ -3095,25 +3145,28 @@ void RAMFUNC SniffMifare(uint8_t param) {
        // Set up the demodulator for the reader -> tag commands
        UartInit(receivedCmd, receivedCmdPar);
 
        // Set up the demodulator for the reader -> tag commands
        UartInit(receivedCmd, receivedCmdPar);
 
-       // Setup for the DMA.
-       FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
+       // Setup and start DMA.
+       // set transfer address and number of bytes. Start transfer.
+       if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+               if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+               return;
+       }
 
        LED_D_OFF();
 
        LED_D_OFF();
-       
-       // init sniffer
+
        MfSniffInit();
 
        // And now we loop, receiving samples.
        MfSniffInit();
 
        // And now we loop, receiving samples.
-       for(uint32_t sniffCounter = 0; TRUE; ) {
+       for(uint32_t sniffCounter = 0;; ) {
+
+               LED_A_ON();
+               WDT_HIT();
        
                if(BUTTON_PRESS()) {
                        DbpString("cancelled by button");
                        break;
                }
        
                if(BUTTON_PRESS()) {
                        DbpString("cancelled by button");
                        break;
                }
-
-               LED_A_ON();
-               WDT_HIT();
-               
+       
                if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
                        // check if a transaction is completed (timeout after 2000ms).
                        // if yes, stop the DMA transfer and send what we have so far to the client
                if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
                        // check if a transaction is completed (timeout after 2000ms).
                        // if yes, stop the DMA transfer and send what we have so far to the client
@@ -3124,17 +3177,22 @@ void RAMFUNC SniffMifare(uint8_t param) {
                                maxDataLen = 0;
                                ReaderIsActive = FALSE;
                                TagIsActive = FALSE;
                                maxDataLen = 0;
                                ReaderIsActive = FALSE;
                                TagIsActive = FALSE;
-                               FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
+                               // Setup and start DMA. set transfer address and number of bytes. Start transfer.
+                               if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+                                       if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+                                       return;
+                               }                               
                        }
                }
                
                int register readBufDataP = data - dmaBuf;      // number of bytes we have processed so far
                int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
                        }
                }
                
                int register readBufDataP = data - dmaBuf;      // number of bytes we have processed so far
                int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
-               if (readBufDataP <= dmaBufDataP){                       // we are processing the same block of data which is currently being transferred
+
+               if (readBufDataP <= dmaBufDataP)                        // we are processing the same block of data which is currently being transferred
                        dataLen = dmaBufDataP - readBufDataP;   // number of bytes still to be processed
                        dataLen = dmaBufDataP - readBufDataP;   // number of bytes still to be processed
-               } else {                                                                        
+               else
                        dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
                        dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
-               }
+
                // test for length of buffer
                if(dataLen > maxDataLen) {                                      // we are more behind than ever...
                        maxDataLen = dataLen;                                   
                // test for length of buffer
                if(dataLen > maxDataLen) {                                      // we are more behind than ever...
                        maxDataLen = dataLen;                                   
@@ -3149,7 +3207,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
                if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
                        AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
                        AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
                if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
                        AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
                        AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
-                       Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
+                       Dbprintf("RxEmpty ERROR, data length:%d", dataLen); // temporary
                }
                // secondary buffer sets as primary, secondary buffer was stopped
                if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
                }
                // secondary buffer sets as primary, secondary buffer was stopped
                if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
@@ -3161,31 +3219,29 @@ void RAMFUNC SniffMifare(uint8_t param) {
                
                if (sniffCounter & 0x01) {
 
                
                if (sniffCounter & 0x01) {
 
-                       if(!TagIsActive) {              // no need to try decoding tag data if the reader is sending
+                       // no need to try decoding tag data if the reader is sending
+                       if(!TagIsActive) {              
                                uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
                                if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
                                        LED_C_INV();
                                uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
                                if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
                                        LED_C_INV();
+
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
 
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
 
-                                       /* And ready to receive another command. */
                                        UartInit(receivedCmd, receivedCmdPar);
                                        UartInit(receivedCmd, receivedCmdPar);
-                                       
-                                       /* And also reset the demod code */
                                        DemodReset();
                                }
                                ReaderIsActive = (Uart.state != STATE_UNSYNCD);
                        }
                        
                                        DemodReset();
                                }
                                ReaderIsActive = (Uart.state != STATE_UNSYNCD);
                        }
                        
-                       if(!ReaderIsActive) {           // no need to try decoding tag data if the reader is sending
+                       // no need to try decoding tag data if the reader is sending
+                       if(!ReaderIsActive) {           
                                uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
                                if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
                                        LED_C_INV();
 
                                        if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
 
                                uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
                                if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
                                        LED_C_INV();
 
                                        if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
 
-                                       // And ready to receive another response.
                                        DemodReset();
                                        DemodReset();
-                                       // And reset the Miller decoder including its (now outdated) input buffer
                                        UartInit(receivedCmd, receivedCmdPar);
                                }
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
                                        UartInit(receivedCmd, receivedCmdPar);
                                }
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
@@ -3195,15 +3251,17 @@ void RAMFUNC SniffMifare(uint8_t param) {
                previous_data = *data;
                sniffCounter++;
                data++;
                previous_data = *data;
                sniffCounter++;
                data++;
-               if(data == dmaBuf + DMA_BUFFER_SIZE) {
+
+               if(data == dmaBuf + DMA_BUFFER_SIZE)
                        data = dmaBuf;
                        data = dmaBuf;
-               }
 
        } // main cycle
 
        } // main cycle
-
+       
+       if (MF_DBGLEVEL >= 1) Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
+       
        FpgaDisableSscDma();
        MfSniffEnd();
        FpgaDisableSscDma();
        MfSniffEnd();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        LEDsoff();
-       Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
        set_tracing(FALSE);
 }
        set_tracing(FALSE);
 }
Proxmark3 GIT tracking
Impressum, Datenschutz