Update CHANGELOG.md

[proxmark3-svn] / client / cmdhfmf.c
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c

index 4da6067a105624710cfb5f8daca24b5df3d4ccef..ef48b825116710d04a425bf88a41be734faf590a 100644 (file)
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -1,5 +1,5 @@
  //-----------------------------------------------------------------------------\r
  //-----------------------------------------------------------------------------\r
-// Copyright (C) 2011 Merlok\r
+// Copyright (C) 2011,2012 Merlok\r
  //\r
  // This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
  // at your option, any later version. See the LICENSE.txt file for the text of\r
  //\r
  // This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
  // at your option, any later version. See the LICENSE.txt file for the text of\r
@@ -9,101 +9,70 @@
  //-----------------------------------------------------------------------------\r
  \r
  #include "cmdhfmf.h"\r
  //-----------------------------------------------------------------------------\r
  \r
  #include "cmdhfmf.h"\r
-#include "proxmark3.h"\r
+\r
+#include <inttypes.h>\r
+#include <string.h>\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <ctype.h>\r
+#include "comms.h"\r
+#include "cmdmain.h"\r
+#include "cmdhfmfhard.h"\r
+#include "parity.h"\r
+#include "util.h"\r
+#include "util_posix.h"\r
+#include "usb_cmd.h"\r
+#include "ui.h"\r
+#include "mifare/mifarehost.h"\r
+#include "mifare.h"\r
+#include "mifare/mfkey.h"\r
+#include "hardnested/hardnested_bf_core.h"\r
+#include "cliparser/cliparser.h"\r
+#include "cmdhf14a.h"\r
+#include "mifare/mifaredefault.h"\r
+#include "mifare/mifare4.h"\r
+#include "mifare/mad.h"\r
+#include "mifare/ndef.h"\r
+#include "emv/dump.h"\r
+\r
+#define NESTED_SECTOR_RETRY     10          // how often we try mfested() until we give up\r
  \r
  static int CmdHelp(const char *Cmd);\r
  \r
  int CmdHF14AMifare(const char *Cmd)\r
  {\r
  \r
  static int CmdHelp(const char *Cmd);\r
  \r
  int CmdHF14AMifare(const char *Cmd)\r
  {\r
-       uint32_t uid = 0;\r
-       uint32_t nt = 0;\r
-       uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
-       uint8_t isOK = 0;\r
-       uint8_t keyBlock[6] = {0,0,0,0,0,0};\r
-\r
-       if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, keyBlock, 8)) {\r
-               PrintAndLog("Nt must include 8 HEX symbols");\r
-               return 1;\r
+       int isOK = 0;\r
+       uint64_t key = 0;\r
+       isOK = mfDarkside(&key);\r
+       switch (isOK) {\r
+               case -1 : PrintAndLog("Button pressed. Aborted."); return 1;\r
+               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;\r
+               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;\r
+               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+                                 PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;\r
+               case -5 : PrintAndLog("Aborted via keyboard.");  return 1;\r
+               default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);\r
         }\r
  \r
         }\r
  \r
-       \r
-       UsbCommand c = {CMD_READER_MIFARE, {(uint32_t)bytes_to_num(keyBlock, 4), 0, 0}};\r
-start:\r
-       SendCommand(&c);\r
-       \r
-       //flush queue\r
-       while (ukbhit())        getchar();\r
-\r
-       // message\r
-       printf("-------------------------------------------------------------------------\n");\r
-       printf("Executing command. It may take up to 30 min.\n");\r
-       printf("Press the key on proxmark3 device to abort proxmark3.\n");\r
-       printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
-       printf("-------------------------------------------------------------------------\n");\r
-       \r
-       // wait cycle\r
-       while (true) {\r
-               printf(".");\r
-               fflush(stdout);\r
-               if (ukbhit()) {\r
-                       getchar();\r
-                       printf("\naborted via keyboard!\n");\r
-                       break;\r
-               }\r
-               \r
-               UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 2000);\r
-               if (resp != NULL) {\r
-                       isOK  = resp->arg[0] & 0xff;\r
-       \r
-                       uid = (uint32_t)bytes_to_num(resp->d.asBytes +  0, 4);\r
-                       nt =  (uint32_t)bytes_to_num(resp->d.asBytes +  4, 4);\r
-                       par_list = bytes_to_num(resp->d.asBytes +  8, 8);\r
-                       ks_list = bytes_to_num(resp->d.asBytes +  16, 8);\r
-       \r
-                       printf("\n\n");\r
-                       PrintAndLog("isOk:%02x", isOK);\r
-                       if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");\r
-                       break;\r
-               }\r
-       }       \r
-       printf("\n");\r
-       \r
-       // error\r
-       if (isOK != 1) return 1;\r
-       \r
-       // execute original function from util nonce2key\r
-       if (nonce2key(uid, nt, par_list, ks_list, &r_key)) return 2;\r
-       printf("------------------------------------------------------------------\n");\r
-       PrintAndLog("Key found:%012llx \n", r_key);\r
-\r
-       num_to_bytes(r_key, 6, keyBlock);\r
-       isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);\r
-       if (!isOK) \r
-               PrintAndLog("Found valid key:%012llx", r_key);\r
-       else\r
-       {\r
-               PrintAndLog("Found invalid key. ( Nt=%08x ,Trying use it to run again...", nt); \r
-               c.d.asDwords[0] = nt;\r
-               goto start;\r
-       }\r
-       \r
+       PrintAndLog("");\r
         return 0;\r
  }\r
  \r
         return 0;\r
  }\r
  \r
+\r
  int CmdHF14AMfWrBl(const char *Cmd)\r
  {\r
         uint8_t blockNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
         uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
  int CmdHF14AMfWrBl(const char *Cmd)\r
  {\r
         uint8_t blockNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
         uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
-       \r
-       char cmdp       = 0x00;\r
+\r
+       char cmdp   = 0x00;\r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:  hf mf wrbl    <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");\r
                 PrintAndLog("        sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");\r
                 return 0;\r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:  hf mf wrbl    <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");\r
                 PrintAndLog("        sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");\r
                 return 0;\r
-       }       \r
+       }\r
  \r
         blockNo = param_get8(Cmd, 0);\r
         cmdp = param_getchar(Cmd, 1);\r
  \r
         blockNo = param_get8(Cmd, 0);\r
         cmdp = param_getchar(Cmd, 1);\r
@@ -120,18 +89,17 @@ int CmdHF14AMfWrBl(const char *Cmd)
                 PrintAndLog("Block data must include 32 HEX symbols");\r
                 return 1;\r
         }\r
                 PrintAndLog("Block data must include 32 HEX symbols");\r
                 return 1;\r
         }\r
-       PrintAndLog("--block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));\r
+       PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
         PrintAndLog("--data: %s", sprint_hex(bldata, 16));\r
         PrintAndLog("--data: %s", sprint_hex(bldata, 16));\r
-       \r
+\r
    UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};\r
         memcpy(c.d.asBytes, key, 6);\r
         memcpy(c.d.asBytes + 10, bldata, 16);\r
    SendCommand(&c);\r
    UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};\r
         memcpy(c.d.asBytes, key, 6);\r
         memcpy(c.d.asBytes + 10, bldata, 16);\r
    SendCommand(&c);\r
-       UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
-\r
-       if (resp != NULL) {\r
-               uint8_t                isOK  = resp->arg[0] & 0xff;\r
  \r
  \r
+       UsbCommand resp;\r
+       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+               uint8_t isOK  = resp.arg[0] & 0xff;\r
                 PrintAndLog("isOk:%02x", isOK);\r
         } else {\r
                 PrintAndLog("Command execute timeout");\r
                 PrintAndLog("isOk:%02x", isOK);\r
         } else {\r
                 PrintAndLog("Command execute timeout");\r
@@ -145,16 +113,16 @@ int CmdHF14AMfRdBl(const char *Cmd)
         uint8_t blockNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
         uint8_t blockNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
-       \r
-       char cmdp       = 0x00;\r
+\r
+       char cmdp   = 0x00;\r
  \r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:  hf mf rdbl    <block number> <key A/B> <key (12 hex symbols)>");\r
                 PrintAndLog("        sample: hf mf rdbl 0 A FFFFFFFFFFFF ");\r
                 return 0;\r
  \r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:  hf mf rdbl    <block number> <key A/B> <key (12 hex symbols)>");\r
                 PrintAndLog("        sample: hf mf rdbl 0 A FFFFFFFFFFFF ");\r
                 return 0;\r
-       }       \r
-       \r
+       }\r
+\r
         blockNo = param_get8(Cmd, 0);\r
         cmdp = param_getchar(Cmd, 1);\r
         if (cmdp == 0x00) {\r
         blockNo = param_get8(Cmd, 0);\r
         cmdp = param_getchar(Cmd, 1);\r
         if (cmdp == 0x00) {\r
@@ -166,23 +134,37 @@ int CmdHF14AMfRdBl(const char *Cmd)
                 PrintAndLog("Key must include 12 HEX symbols");\r
                 return 1;\r
         }\r
                 PrintAndLog("Key must include 12 HEX symbols");\r
                 return 1;\r
         }\r
-       PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));\r
-       \r
+       PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
+\r
    UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};\r
         memcpy(c.d.asBytes, key, 6);\r
    SendCommand(&c);\r
    UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};\r
         memcpy(c.d.asBytes, key, 6);\r
    SendCommand(&c);\r
-       UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
  \r
  \r
-       if (resp != NULL) {\r
-               uint8_t                isOK  = resp->arg[0] & 0xff;\r
-               uint8_t              * data  = resp->d.asBytes;\r
+       UsbCommand resp;\r
+       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+               uint8_t isOK  = resp.arg[0] & 0xff;\r
+               uint8_t *data = resp.d.asBytes;\r
  \r
  \r
-               if (isOK)\r
+               if (isOK) {\r
                         PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));\r
                         PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));\r
-               else\r
+               } else {\r
                         PrintAndLog("isOk:%02x", isOK);\r
                         PrintAndLog("isOk:%02x", isOK);\r
+                       return 1;\r
+               }\r
+\r
+               if (mfIsSectorTrailer(blockNo) && (data[6] || data[7] || data[8])) {\r
+                       PrintAndLogEx(NORMAL, "Trailer decoded:");\r
+                       int bln = mfFirstBlockOfSector(mfSectorNum(blockNo));\r
+                       int blinc = (mfNumBlocksPerSector(mfSectorNum(blockNo)) > 4) ? 5 : 1;\r
+                       for (int i = 0; i < 4; i++) {\r
+                               PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &data[6]));\r
+                               bln += blinc;\r
+                       }\r
+                       PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&data[9], 1));\r
+               }\r
         } else {\r
                 PrintAndLog("Command execute timeout");\r
         } else {\r
                 PrintAndLog("Command execute timeout");\r
+               return 2;\r
         }\r
  \r
    return 0;\r
         }\r
  \r
    return 0;\r
@@ -194,25 +176,23 @@ int CmdHF14AMfRdSc(const char *Cmd)
         uint8_t sectorNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
         uint8_t sectorNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
-       \r
         uint8_t isOK  = 0;\r
         uint8_t isOK  = 0;\r
-       uint8_t * data  = NULL;\r
-\r
-       char cmdp       = 0x00;\r
+       uint8_t *data  = NULL;\r
+       char cmdp   = 0x00;\r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:  hf mf rdsc    <sector number> <key A/B> <key (12 hex symbols)>");\r
                 PrintAndLog("        sample: hf mf rdsc 0 A FFFFFFFFFFFF ");\r
                 return 0;\r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:  hf mf rdsc    <sector number> <key A/B> <key (12 hex symbols)>");\r
                 PrintAndLog("        sample: hf mf rdsc 0 A FFFFFFFFFFFF ");\r
                 return 0;\r
-       }       \r
-       \r
+       }\r
+\r
         sectorNo = param_get8(Cmd, 0);\r
         sectorNo = param_get8(Cmd, 0);\r
-       if (sectorNo > 63) {\r
-               PrintAndLog("Sector number must be less than 64");\r
+       if (sectorNo > 39) {\r
+               PrintAndLog("Sector number must be less than 40");\r
                 return 1;\r
         }\r
         cmdp = param_getchar(Cmd, 1);\r
                 return 1;\r
         }\r
         cmdp = param_getchar(Cmd, 1);\r
-       if (cmdp == 0x00) {\r
+       if (cmdp != 'a' && cmdp != 'A' && cmdp != 'b' && cmdp != 'B') {\r
                 PrintAndLog("Key type must be A or B");\r
                 return 1;\r
         }\r
                 PrintAndLog("Key type must be A or B");\r
                 return 1;\r
         }\r
@@ -221,455 +201,660 @@ int CmdHF14AMfRdSc(const char *Cmd)
                 PrintAndLog("Key must include 12 HEX symbols");\r
                 return 1;\r
         }\r
                 PrintAndLog("Key must include 12 HEX symbols");\r
                 return 1;\r
         }\r
-       PrintAndLog("--sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6));\r
-       \r
-  UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};\r
+       PrintAndLog("--sector no:%d key type:%c key:%s ", sectorNo, keyType?'B':'A', sprint_hex(key, 6));\r
+\r
+       UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};\r
         memcpy(c.d.asBytes, key, 6);\r
         memcpy(c.d.asBytes, key, 6);\r
-  SendCommand(&c);\r
-       UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
+       SendCommand(&c);\r
         PrintAndLog(" ");\r
  \r
         PrintAndLog(" ");\r
  \r
-       if (resp != NULL) {\r
-               isOK  = resp->arg[0] & 0xff;\r
-               data  = resp->d.asBytes;\r
+       UsbCommand resp;\r
+       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+               isOK  = resp.arg[0] & 0xff;\r
+               data  = resp.d.asBytes;\r
  \r
                 PrintAndLog("isOk:%02x", isOK);\r
  \r
                 PrintAndLog("isOk:%02x", isOK);\r
-               if (isOK) \r
-                       for (i = 0; i < 2; i++) {\r
-                               PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));\r
+               if (isOK) {\r
+                       for (i = 0; i < (sectorNo<32?3:15); i++) {\r
+                               PrintAndLog("data   : %s", sprint_hex(data + i * 16, 16));\r
                         }\r
                         }\r
+                       PrintAndLog("trailer: %s", sprint_hex(data + (sectorNo<32?3:15) * 16, 16));\r
+\r
+                       PrintAndLogEx(NORMAL, "Trailer decoded:");\r
+                                               int bln = mfFirstBlockOfSector(sectorNo);\r
+                                               int blinc = (mfNumBlocksPerSector(sectorNo) > 4) ? 5 : 1;\r
+                                               for (i = 0; i < 4; i++) {\r
+                                                               PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &(data + (sectorNo<32?3:15) * 16)[6]));\r
+                                                               bln += blinc;\r
+                                               }\r
+                                               PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&(data + (sectorNo<32?3:15) * 16)[9], 1));\r
+               }\r
         } else {\r
         } else {\r
-               PrintAndLog("Command1 execute timeout");\r
+               PrintAndLog("Command execute timeout");\r
         }\r
  \r
         }\r
  \r
-               // response2\r
-       resp = WaitForResponseTimeout(CMD_ACK, 500);\r
-       PrintAndLog(" ");\r
+  return 0;\r
+}\r
  \r
  \r
-       if (resp != NULL) {\r
-               isOK  = resp->arg[0] & 0xff;\r
-               data  = resp->d.asBytes;\r
+uint8_t FirstBlockOfSector(uint8_t sectorNo)\r
+{\r
+       if (sectorNo < 32) {\r
+               return sectorNo * 4;\r
+       } else {\r
+               return 32 * 4 + (sectorNo - 32) * 16;\r
+       }\r
+}\r
  \r
  \r
-               if (isOK) \r
-                       for (i = 0; i < 2; i++) {\r
-                               PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));\r
-               }\r
+uint8_t NumBlocksPerSector(uint8_t sectorNo)\r
+{\r
+       if (sectorNo < 32) {\r
+               return 4;\r
         } else {\r
         } else {\r
-               PrintAndLog("Command2 execute timeout");\r
+               return 16;\r
         }\r
         }\r
-       \r
-  return 0;\r
+}\r
+\r
+static int ParamCardSizeSectors(const char c) {\r
+       int numSectors = 16;\r
+       switch (c) {\r
+               case '0' : numSectors = 5; break;\r
+               case '2' : numSectors = 32; break;\r
+               case '4' : numSectors = 40; break;\r
+               default:   numSectors = 16;\r
+       }\r
+       return numSectors;\r
+}\r
+\r
+static int ParamCardSizeBlocks(const char c) {\r
+       int numBlocks = 16 * 4;\r
+       switch (c) {\r
+               case '0' : numBlocks = 5 * 4; break;\r
+               case '2' : numBlocks = 32 * 4; break;\r
+               case '4' : numBlocks = 32 * 4 + 8 * 16; break;\r
+               default:   numBlocks = 16 * 4;\r
+       }\r
+       return numBlocks;\r
  }\r
  \r
  int CmdHF14AMfDump(const char *Cmd)\r
  {\r
  }\r
  \r
  int CmdHF14AMfDump(const char *Cmd)\r
  {\r
-       int i, j;\r
-       \r
-       uint8_t keyA[40][6];\r
-       uint8_t keyB[40][6];\r
+       uint8_t sectorNo, blockNo;\r
+\r
+       uint8_t keys[2][40][6];\r
         uint8_t rights[40][4];\r
         uint8_t rights[40][4];\r
-       \r
+       uint8_t carddata[256][16];\r
+       uint8_t numSectors = 16;\r
+\r
         FILE *fin;\r
         FILE *fout;\r
         FILE *fin;\r
         FILE *fout;\r
-       \r
-       UsbCommand *resp;\r
-       \r
+\r
+       UsbCommand resp;\r
+\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       numSectors = ParamCardSizeSectors(cmdp);\r
+\r
+       if (strlen(Cmd) > 3 || cmdp == 'h' || cmdp == 'H') {\r
+               PrintAndLog("Usage:   hf mf dump [card memory] [k|m]");\r
+               PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("  k: Always try using both Key A and Key B for each sector, even if access bits would prohibit it");\r
+               PrintAndLog("  m: When missing access bits or keys, replace that block with NULL");\r
+               PrintAndLog("");\r
+               PrintAndLog("Samples: hf mf dump");\r
+               PrintAndLog("         hf mf dump 4");\r
+               PrintAndLog("         hf mf dump 4 m");\r
+               return 0;\r
+       }\r
+\r
+       char opts = param_getchar(Cmd, 1);\r
+       bool useBothKeysAlways = false;\r
+       if (opts == 'k' || opts == 'K') useBothKeysAlways = true;\r
+       bool nullMissingKeys = false;\r
+       if (opts == 'm' || opts == 'M') nullMissingKeys = true;\r
+\r
         if ((fin = fopen("dumpkeys.bin","rb")) == NULL) {\r
                 PrintAndLog("Could not find file dumpkeys.bin");\r
                 return 1;\r
         }\r
         if ((fin = fopen("dumpkeys.bin","rb")) == NULL) {\r
                 PrintAndLog("Could not find file dumpkeys.bin");\r
                 return 1;\r
         }\r
-       \r
-       if ((fout = fopen("dumpdata.bin","wb")) == NULL) { \r
-               PrintAndLog("Could not create file name dumpdata.bin");\r
-               return 1;\r
-       }\r
-       \r
-       // Read key file\r
-       \r
-       for (i=0 ; i<16 ; i++) {\r
-               fread ( keyA[i], 1, 6, fin );\r
-       }\r
-       for (i=0 ; i<16 ; i++) {\r
-               fread ( keyB[i], 1, 6, fin );\r
+\r
+       // Read keys from file\r
+       for (int group=0; group<=1; group++) {\r
+               for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
+                       size_t bytes_read = fread(keys[group][sectorNo], 1, 6, fin);\r
+                       if (bytes_read != 6) {\r
+                               PrintAndLog("File reading error.");\r
+                               fclose(fin);\r
+                               return 2;\r
+                       }\r
+               }\r
         }\r
         }\r
-       \r
-       // Read access rights to sectors\r
-       \r
+\r
+       fclose(fin);\r
+\r
         PrintAndLog("|-----------------------------------------|");\r
         PrintAndLog("|------ Reading sector access bits...-----|");\r
         PrintAndLog("|-----------------------------------------|");\r
         PrintAndLog("|-----------------------------------------|");\r
         PrintAndLog("|------ Reading sector access bits...-----|");\r
         PrintAndLog("|-----------------------------------------|");\r
-       \r
-       for (i = 0 ; i < 16 ; i++) {\r
-               UsbCommand c = {CMD_MIFARE_READBL, {4*i + 3, 0, 0}};\r
-               memcpy(c.d.asBytes, keyA[i], 6);\r
-               SendCommand(&c);\r
-               resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
-\r
-               if (resp != NULL) {\r
-                       uint8_t isOK  = resp->arg[0] & 0xff;\r
-                       uint8_t *data  = resp->d.asBytes;\r
-                       if (isOK){\r
-                               rights[i][0] = ((data[7] & 0x10)>>4) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>2);\r
-                               rights[i][1] = ((data[7] & 0x20)>>5) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>3);\r
-                               rights[i][2] = ((data[7] & 0x40)>>6) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>4);\r
-                               rights[i][3] = ((data[7] & 0x80)>>7) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>5);\r
+       uint8_t tries = 0;\r
+       for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
+               for (tries = 0; tries < 3; tries++) {\r
+                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
+                       // At least the Access Conditions can always be read with key A.\r
+                       memcpy(c.d.asBytes, keys[0][sectorNo], 6);\r
+                       SendCommand(&c);\r
+\r
+                       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               uint8_t isOK  = resp.arg[0] & 0xff;\r
+                               uint8_t *data  = resp.d.asBytes;\r
+                               if (isOK){\r
+                                       rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
+                                       rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
+                                       rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
+                                       rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+                                       break;\r
+                               } else if (tries == 2) { // on last try set defaults\r
+                                       PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                                       rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
+                                       rights[sectorNo][3] = 0x01;\r
                                 }\r
                                 }\r
-                       else{\r
-                               PrintAndLog("Could not get access rights for block %d", i);\r
+                       } else {\r
+                               PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                               rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
+                               rights[sectorNo][3] = 0x01;\r
                         }\r
                 }\r
                         }\r
                 }\r
-               else {\r
-                       PrintAndLog("Command execute timeout");\r
-               }\r
         }\r
         }\r
-       \r
-       // Read blocks and print to file\r
-       \r
+\r
         PrintAndLog("|-----------------------------------------|");\r
         PrintAndLog("|----- Dumping all blocks to file... -----|");\r
         PrintAndLog("|-----------------------------------------|");\r
         PrintAndLog("|-----------------------------------------|");\r
         PrintAndLog("|----- Dumping all blocks to file... -----|");\r
         PrintAndLog("|-----------------------------------------|");\r
-       \r
-       for (i=0 ; i<16 ; i++) {\r
-               for (j=0 ; j<4 ; j++) {\r
-                       if (j == 3){\r
-                               UsbCommand c = {CMD_MIFARE_READBL, {i*4 + j, 0, 0}};\r
-                               memcpy(c.d.asBytes, keyA[i], 6);\r
-                               SendCommand(&c);\r
-                               resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
-                       }\r
-                       else{\r
-                               if ((rights[i][j] == 6) | (rights[i][j] == 5)) {\r
-                                       UsbCommand c = {CMD_MIFARE_READBL, {i*4+j, 1, 0}};\r
-                                       memcpy(c.d.asBytes, keyB[i], 6);\r
+\r
+       bool isOK = true;\r
+       for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
+               for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
+                       bool received = false;\r
+                       for (tries = 0; tries < 3; tries++) {\r
+                               if (blockNo == NumBlocksPerSector(sectorNo) - 1) {      // sector trailer. At least the Access Conditions can always be read with key A.\r
+                                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
+                                       memcpy(c.d.asBytes, keys[0][sectorNo], 6);\r
                                         SendCommand(&c);\r
                                         SendCommand(&c);\r
-                                       resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
-                               }\r
-                               else if (rights[i][j] == 7) {\r
-                                       PrintAndLog("Access rights do not allow reading of sector %d block %d",i,j);\r
+                                       received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                               } else if (useBothKeysAlways) {\r
+                                       // Always try both keys, even if access conditions wouldn't work.\r
+                                       for (int k=0; k<=1; k++) {\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
+                                               memcpy(c.d.asBytes, keys[k][sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+\r
+                                               // Don't try the other one on success.\r
+                                               if (resp.arg[0] & 0xff) break;\r
+                                       }\r
+                               } else {                                                // data block. Check if it can be read with key A or key B\r
+                                       uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
+                                       if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
+                                               memcpy(c.d.asBytes, keys[1][sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       } else if (rights[sectorNo][data_area] == 0x07) {                                       // no key would work\r
+                                               PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
+                                               if (nullMissingKeys) {\r
+                                                       memset(resp.d.asBytes, 0, 16);\r
+                                                       resp.arg[0] = 1;\r
+                                                       PrintAndLog("  ... filling the block with NULL");\r
+                                                       received = true;\r
+                                               } else {\r
+                                                       isOK = false;\r
+                                                       tries = 2;\r
+                                               }\r
+                                       } else {                                                                                // key A would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
+                                               memcpy(c.d.asBytes, keys[0][sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       }\r
                                 }\r
                                 }\r
-                               else {\r
-                                       UsbCommand c = {CMD_MIFARE_READBL, {i*4+j, 0, 0}};\r
-                                       memcpy(c.d.asBytes, keyA[i], 6);\r
-                                       SendCommand(&c);\r
-                                       resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
+                               if (received) {\r
+                                       isOK  = resp.arg[0] & 0xff;\r
+                                       if (isOK) break;\r
                                 }\r
                         }\r
  \r
                                 }\r
                         }\r
  \r
-                       if (resp != NULL) {\r
-                               uint8_t isOK  = resp->arg[0] & 0xff;\r
-                               uint8_t *data  = resp->d.asBytes;\r
-                               if (j == 3) {\r
-                                       data[0]  = (keyA[i][0]);\r
-                                       data[1]  = (keyA[i][1]);\r
-                                       data[2]  = (keyA[i][2]);\r
-                                       data[3]  = (keyA[i][3]);\r
-                                       data[4]  = (keyA[i][4]);\r
-                                       data[5]  = (keyA[i][5]);\r
-                                       data[10] = (keyB[i][0]);\r
-                                       data[11] = (keyB[i][1]);\r
-                                       data[12] = (keyB[i][2]);\r
-                                       data[13] = (keyB[i][3]);\r
-                                       data[14] = (keyB[i][4]);\r
-                                       data[15] = (keyB[i][5]);\r
+                       if (received) {\r
+                               isOK  = resp.arg[0] & 0xff;\r
+                               uint8_t *data  = resp.d.asBytes;\r
+                               if (blockNo == NumBlocksPerSector(sectorNo) - 1) {      // sector trailer. Fill in the keys.\r
+                                       memcpy(data, keys[0][sectorNo], 6);\r
+                                       memcpy(data + 10, keys[1][sectorNo], 6);\r
                                 }\r
                                 if (isOK) {\r
                                 }\r
                                 if (isOK) {\r
-                                       fwrite ( data, 1, 16, fout );\r
-                               }\r
-                               else {\r
-                                       PrintAndLog("Could not get access rights for block %d", i);\r
+                                       memcpy(carddata[FirstBlockOfSector(sectorNo) + blockNo], data, 16);\r
+                                       PrintAndLog("Successfully read block %2d of sector %2d.", blockNo, sectorNo);\r
+                               } else {\r
+                                       PrintAndLog("Could not read block %2d of sector %2d", blockNo, sectorNo);\r
+                                       break;\r
                                 }\r
                         }\r
                         else {\r
                                 }\r
                         }\r
                         else {\r
-                               PrintAndLog("Command execute timeout");\r
+                               isOK = false;\r
+                               PrintAndLog("Command execute timeout when trying to read block %2d of sector %2d.", blockNo, sectorNo);\r
+                               break;\r
                         }\r
                 }\r
         }\r
                         }\r
                 }\r
         }\r
-       \r
-       fclose(fin);\r
-       fclose(fout);\r
-       \r
-  return 0;\r
+\r
+       if (isOK) {\r
+               if ((fout = fopen("dumpdata.bin","wb")) == NULL) {\r
+                       PrintAndLog("Could not create file name dumpdata.bin");\r
+                       return 1;\r
+               }\r
+               uint16_t numblocks = FirstBlockOfSector(numSectors - 1) + NumBlocksPerSector(numSectors - 1);\r
+               fwrite(carddata, 1, 16*numblocks, fout);\r
+               fclose(fout);\r
+               PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks);\r
+       }\r
+\r
+       return 0;\r
  }\r
  \r
  int CmdHF14AMfRestore(const char *Cmd)\r
  {\r
  }\r
  \r
  int CmdHF14AMfRestore(const char *Cmd)\r
  {\r
-\r
-       int i,j;\r
+       uint8_t sectorNo,blockNo;\r
         uint8_t keyType = 0;\r
         uint8_t keyType = 0;\r
-       uint8_t key[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
-       uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
-       uint8_t keyA[16][6];\r
-       uint8_t keyB[16][6];\r
-       \r
+       uint8_t key[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};\r
+       uint8_t bldata[16] = {0x00};\r
+       uint8_t keyA[40][6];\r
+       uint8_t keyB[40][6];\r
+       uint8_t numSectors;\r
+\r
         FILE *fdump;\r
         FILE *fkeys;\r
         FILE *fdump;\r
         FILE *fkeys;\r
-       \r
-       if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {\r
-               PrintAndLog("Could not find file dumpdata.bin");\r
-               return 1;\r
+\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       switch (cmdp) {\r
+               case '0' : numSectors = 5; break;\r
+               case '1' :\r
+               case '\0': numSectors = 16; break;\r
+               case '2' : numSectors = 32; break;\r
+               case '4' : numSectors = 40; break;\r
+               default:   numSectors = 16;\r
         }\r
         }\r
+\r
+       if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {\r
+               PrintAndLog("Usage:   hf mf restore [card memory]");\r
+               PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("");\r
+               PrintAndLog("Samples: hf mf restore");\r
+               PrintAndLog("         hf mf restore 4");\r
+               return 0;\r
+       }\r
+\r
         if ((fkeys = fopen("dumpkeys.bin","rb")) == NULL) {\r
                 PrintAndLog("Could not find file dumpkeys.bin");\r
                 return 1;\r
         }\r
         if ((fkeys = fopen("dumpkeys.bin","rb")) == NULL) {\r
                 PrintAndLog("Could not find file dumpkeys.bin");\r
                 return 1;\r
         }\r
-       \r
-       for (i=0 ; i<16 ; i++) {\r
-               fread(keyA[i], 1, 6, fkeys);\r
+\r
+       for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
+               size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
+                       PrintAndLog("File reading error (dumpkeys.bin).");\r
+                       fclose(fkeys);\r
+                       return 2;\r
+               }\r
+       }\r
+\r
+       for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
+               size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
+                       PrintAndLog("File reading error (dumpkeys.bin).");\r
+                       fclose(fkeys);\r
+                       return 2;\r
+               }\r
         }\r
         }\r
-       for (i=0 ; i<16 ; i++) {\r
-               fread(keyB[i], 1, 6, fkeys);\r
+\r
+       fclose(fkeys);\r
+\r
+       if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {\r
+               PrintAndLog("Could not find file dumpdata.bin");\r
+               return 1;\r
         }\r
         }\r
-       \r
         PrintAndLog("Restoring dumpdata.bin to card");\r
  \r
         PrintAndLog("Restoring dumpdata.bin to card");\r
  \r
-       for (i=0 ; i<16 ; i++) {\r
-               for( j=0 ; j<4 ; j++) {\r
-                       UsbCommand c = {CMD_MIFARE_WRITEBL, {i*4 + j, keyType, 0}};\r
+       for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
+               for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
+                       UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
                         memcpy(c.d.asBytes, key, 6);\r
                         memcpy(c.d.asBytes, key, 6);\r
-                       \r
-                       fread(bldata, 1, 16, fdump);\r
-                                       \r
-                       if (j == 3) {\r
-                               bldata[0]  = (keyA[i][0]);\r
-                               bldata[1]  = (keyA[i][1]);\r
-                               bldata[2]  = (keyA[i][2]);\r
-                               bldata[3]  = (keyA[i][3]);\r
-                               bldata[4]  = (keyA[i][4]);\r
-                               bldata[5]  = (keyA[i][5]);\r
-                               bldata[10] = (keyB[i][0]);\r
-                               bldata[11] = (keyB[i][1]);\r
-                               bldata[12] = (keyB[i][2]);\r
-                               bldata[13] = (keyB[i][3]);\r
-                               bldata[14] = (keyB[i][4]);\r
-                               bldata[15] = (keyB[i][5]);\r
-                       }               \r
-                       \r
-                       PrintAndLog("Writing to block %2d: %s", i*4+j, sprint_hex(bldata, 16));\r
-                       \r
-                       /*\r
-                       PrintAndLog("Writing to block %2d: %s Confirm? [Y,N]", i*4+j, sprint_hex(bldata, 16));\r
-                       \r
-                       scanf("%c",&ch);\r
-                       if ((ch != 'y') && (ch != 'Y')){\r
-                               PrintAndLog("Aborting !");\r
-                               return 1;\r
+\r
+                       size_t bytes_read = fread(bldata, 1, 16, fdump);\r
+                       if (bytes_read != 16) {\r
+                               PrintAndLog("File reading error (dumpdata.bin).");\r
+                               fclose(fdump);\r
+                               return 2;\r
+                       }\r
+\r
+                       if (blockNo == NumBlocksPerSector(sectorNo) - 1) {  // sector trailer\r
+                               bldata[0]  = (keyA[sectorNo][0]);\r
+                               bldata[1]  = (keyA[sectorNo][1]);\r
+                               bldata[2]  = (keyA[sectorNo][2]);\r
+                               bldata[3]  = (keyA[sectorNo][3]);\r
+                               bldata[4]  = (keyA[sectorNo][4]);\r
+                               bldata[5]  = (keyA[sectorNo][5]);\r
+                               bldata[10] = (keyB[sectorNo][0]);\r
+                               bldata[11] = (keyB[sectorNo][1]);\r
+                               bldata[12] = (keyB[sectorNo][2]);\r
+                               bldata[13] = (keyB[sectorNo][3]);\r
+                               bldata[14] = (keyB[sectorNo][4]);\r
+                               bldata[15] = (keyB[sectorNo][5]);\r
                         }\r
                         }\r
-                       */\r
-                       \r
+\r
+                       PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16));\r
+\r
                         memcpy(c.d.asBytes + 10, bldata, 16);\r
                         SendCommand(&c);\r
                         memcpy(c.d.asBytes + 10, bldata, 16);\r
                         SendCommand(&c);\r
-                       UsbCommand *resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
  \r
  \r
-                       if (resp != NULL) {\r
-                               uint8_t isOK  = resp->arg[0] & 0xff;\r
+                       UsbCommand resp;\r
+                       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               uint8_t isOK  = resp.arg[0] & 0xff;\r
                                 PrintAndLog("isOk:%02x", isOK);\r
                         } else {\r
                                 PrintAndLog("Command execute timeout");\r
                         }\r
                 }\r
         }\r
                                 PrintAndLog("isOk:%02x", isOK);\r
                         } else {\r
                                 PrintAndLog("Command execute timeout");\r
                         }\r
                 }\r
         }\r
-       \r
+\r
         fclose(fdump);\r
         fclose(fdump);\r
-       fclose(fkeys);\r
         return 0;\r
  }\r
  \r
         return 0;\r
  }\r
  \r
+//----------------------------------------------\r
+//   Nested\r
+//----------------------------------------------\r
+\r
+static void parseParamTDS(const char *Cmd, const uint8_t indx, bool *paramT, bool *paramD, uint8_t *timeout) {\r
+       char ctmp3[4] = {0};\r
+       int len = param_getlength(Cmd, indx);\r
+       if (len > 0 && len < 4){\r
+               param_getstr(Cmd, indx, ctmp3, sizeof(ctmp3));\r
+\r
+               *paramT |= (ctmp3[0] == 't' || ctmp3[0] == 'T');\r
+               *paramD |= (ctmp3[0] == 'd' || ctmp3[0] == 'D');\r
+               bool paramS1 = *paramT || *paramD;\r
+\r
+               // slow and very slow\r
+               if (ctmp3[0] == 's' || ctmp3[0] == 'S' || ctmp3[1] == 's' || ctmp3[1] == 'S') {\r
+                       *timeout = 11; // slow\r
+\r
+                       if (!paramS1 && (ctmp3[1] == 's' || ctmp3[1] == 'S')) {\r
+                               *timeout = 53; // very slow\r
+                       }\r
+                       if (paramS1 && (ctmp3[2] == 's' || ctmp3[2] == 'S')) {\r
+                               *timeout = 53; // very slow\r
+                       }\r
+               }\r
+       }\r
+}\r
+\r
  int CmdHF14AMfNested(const char *Cmd)\r
  {\r
         int i, j, res, iterations;\r
  int CmdHF14AMfNested(const char *Cmd)\r
  {\r
         int i, j, res, iterations;\r
-       sector  *       e_sector = NULL;\r
+       sector_t *e_sector = NULL;\r
         uint8_t blockNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t trgBlockNo = 0;\r
         uint8_t trgKeyType = 0;\r
         uint8_t blockNo = 0;\r
         uint8_t keyType = 0;\r
         uint8_t trgBlockNo = 0;\r
         uint8_t trgKeyType = 0;\r
-       uint8_t blDiff = 0;\r
-       int  SectorsCnt = 0;\r
+       uint8_t SectorsCnt = 0;\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
         uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
-       uint8_t keyBlock[16 * 6];\r
+       uint8_t keyBlock[MifareDefaultKeysSize * 6];\r
         uint64_t key64 = 0;\r
         uint64_t key64 = 0;\r
-       int transferToEml = 0;\r
-       \r
-       int createDumpFile = 0;\r
+       // timeout in units. (ms * 106)/10 or us*0.0106\r
+       uint8_t btimeout14a = MF_CHKKEYS_DEFTIMEOUT; // fast by default\r
+\r
+       bool autosearchKey = false;\r
+\r
+       bool transferToEml = false;\r
+       bool createDumpFile = false;\r
         FILE *fkeys;\r
         uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
         uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
         FILE *fkeys;\r
         uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
         uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
-       \r
+\r
         char cmdp, ctmp;\r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:");\r
         char cmdp, ctmp;\r
  \r
         if (strlen(Cmd)<3) {\r
                 PrintAndLog("Usage:");\r
-               PrintAndLog(" all sectors:  hf mf nested  <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]");\r
+               PrintAndLog(" all sectors:  hf mf nested  <card memory> <block number> <key A/B> <key (12 hex symbols)> [t|d|s|ss]");\r
+               PrintAndLog(" all sectors autosearch key:  hf mf nested  <card memory> * [t|d|s|ss]");\r
                 PrintAndLog(" one sector:   hf mf nested  o <block number> <key A/B> <key (12 hex symbols)>");\r
                 PrintAndLog("               <target block number> <target key A/B> [t]");\r
                 PrintAndLog(" one sector:   hf mf nested  o <block number> <key A/B> <key (12 hex symbols)>");\r
                 PrintAndLog("               <target block number> <target key A/B> [t]");\r
+               PrintAndLog(" ");\r
                 PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
                 PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
-               PrintAndLog("t - transfer keys into emulator memory");\r
-               PrintAndLog("d - write keys to binary file");\r
+               PrintAndLog("t - transfer keys to emulator memory");\r
+               PrintAndLog("d - write keys to binary file dumpkeys.bin");\r
+               PrintAndLog("s - Slow (1ms) check keys (required by some non standard cards)");\r
+               PrintAndLog("ss - Very slow (5ms) check keys");\r
                 PrintAndLog(" ");\r
                 PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");\r
                 PrintAndLog(" ");\r
                 PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");\r
-               PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
-               PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
-               PrintAndLog("      sample2: hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
+               PrintAndLog("      sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
+               PrintAndLog("      sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
+               PrintAndLog("      sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
+               PrintAndLog("      sample5: hf mf nested 1 * t");\r
+               PrintAndLog("      sample6: hf mf nested 1 * ss");\r
                 return 0;\r
                 return 0;\r
-       }       \r
-       \r
-       cmdp = param_getchar(Cmd, 0);\r
-       blockNo = param_get8(Cmd, 1);\r
-       ctmp = param_getchar(Cmd, 2);\r
-       if (ctmp == 0x00) {\r
-               PrintAndLog("Key type must be A or B");\r
-               return 1;\r
-       }\r
-       if (ctmp != 'A' && ctmp != 'a') keyType = 1;\r
-       if (param_gethex(Cmd, 3, key, 12)) {\r
-               PrintAndLog("Key must include 12 HEX symbols");\r
-               return 1;\r
         }\r
         }\r
-       \r
+\r
+       // <card memory>\r
+       cmdp = param_getchar(Cmd, 0);\r
         if (cmdp == 'o' || cmdp == 'O') {\r
                 cmdp = 'o';\r
         if (cmdp == 'o' || cmdp == 'O') {\r
                 cmdp = 'o';\r
-               trgBlockNo = param_get8(Cmd, 4);\r
-               ctmp = param_getchar(Cmd, 5);\r
-               if (ctmp == 0x00) {\r
-                       PrintAndLog("Target key type must be A or B");\r
+               SectorsCnt = 1;\r
+       } else {\r
+               SectorsCnt = ParamCardSizeSectors(cmdp);\r
+       }\r
+\r
+       // <block number>. number or autosearch key (*)\r
+       if (param_getchar(Cmd, 1) == '*') {\r
+               autosearchKey = true;\r
+\r
+               parseParamTDS(Cmd, 2, &transferToEml, &createDumpFile, &btimeout14a);\r
+\r
+               PrintAndLog("--nested. sectors:%2d, block no:*, eml:%c, dmp=%c checktimeout=%d us",\r
+                       SectorsCnt, transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);\r
+       } else {\r
+               blockNo = param_get8(Cmd, 1);\r
+\r
+               ctmp = param_getchar(Cmd, 2);\r
+               if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                       PrintAndLog("Key type must be A or B");\r
                         return 1;\r
                 }\r
                         return 1;\r
                 }\r
-               if (ctmp != 'A' && ctmp != 'a') trgKeyType = 1;\r
-       } else {\r
-               switch (cmdp) {\r
-                       case '0': SectorsCnt = 05; break;\r
-                       case '1': SectorsCnt = 16; break;\r
-                       case '2': SectorsCnt = 32; break;\r
-                       case '4': SectorsCnt = 64; break;\r
-                       default:  SectorsCnt = 16;\r
-               }\r
-       }\r
-\r
-       ctmp = param_getchar(Cmd, 4);\r
-       if              (ctmp == 't' || ctmp == 'T') transferToEml = 1;\r
-       else if (ctmp == 'd' || ctmp == 'D') createDumpFile = 1;\r
-       \r
-       ctmp = param_getchar(Cmd, 6);\r
-       transferToEml |= (ctmp == 't' || ctmp == 'T');\r
-       transferToEml |= (ctmp == 'd' || ctmp == 'D');\r
-       \r
-       PrintAndLog("--block no:%02x key type:%02x key:%s etrans:%d", blockNo, keyType, sprint_hex(key, 6), transferToEml);\r
-       if (cmdp == 'o')\r
-               PrintAndLog("--target block no:%02x target key type:%02x ", trgBlockNo, trgKeyType);\r
-\r
-       if (cmdp == 'o') {\r
-               if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) {\r
-                       PrintAndLog("Nested error.");\r
-                       return 2;\r
+\r
+               if (ctmp != 'A' && ctmp != 'a')\r
+                       keyType = 1;\r
+\r
+               if (param_gethex(Cmd, 3, key, 12)) {\r
+                       PrintAndLog("Key must include 12 HEX symbols");\r
+                       return 1;\r
+               }\r
+\r
+               // check if we can authenticate to sector\r
+               res = mfCheckKeys(blockNo, keyType, true, 1, key, &key64);\r
+               if (res) {\r
+                       PrintAndLog("Can't authenticate to block:%3d key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
+                       return 3;\r
                 }\r
  \r
                 }\r
  \r
-               for (i = 0; i < 16; i++) {\r
-                       PrintAndLog("count=%d key= %s", i, sprint_hex(keyBlock + i * 6, 6));\r
+               // one sector nested\r
+               if (cmdp == 'o') {\r
+                       trgBlockNo = param_get8(Cmd, 4);\r
+\r
+                       ctmp = param_getchar(Cmd, 5);\r
+                       if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                               PrintAndLog("Target key type must be A or B");\r
+                               return 1;\r
+                       }\r
+                       if (ctmp != 'A' && ctmp != 'a')\r
+                               trgKeyType = 1;\r
+\r
+                       parseParamTDS(Cmd, 6, &transferToEml, &createDumpFile, &btimeout14a);\r
+               } else {\r
+                       parseParamTDS(Cmd, 4, &transferToEml, &createDumpFile, &btimeout14a);\r
+               }\r
+\r
+               PrintAndLog("--nested. sectors:%2d, block no:%3d, key type:%c, eml:%c, dmp=%c checktimeout=%d us",\r
+                       SectorsCnt, blockNo, keyType?'B':'A', transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);\r
+       }\r
+\r
+       // one-sector nested\r
+       if (cmdp == 'o') { // ------------------------------------  one sector working\r
+               PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');\r
+               int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);\r
+               if (isOK) {\r
+                       switch (isOK) {\r
+                               case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+                               case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                               case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+                               default : PrintAndLog("Unknown Error.\n");\r
+                       }\r
+                       return 2;\r
                 }\r
                 }\r
-       \r
-               // test keys\r
-               res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);\r
-               if (res)\r
-                       res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);\r
-               if (!res) {\r
-                       PrintAndLog("Found valid key:%012llx", key64);\r
+               key64 = bytes_to_num(keyBlock, 6);\r
+               if (key64) {\r
+                       PrintAndLog("Found valid key:%012" PRIx64, key64);\r
  \r
                         // transfer key to the emulator\r
                         if (transferToEml) {\r
  \r
                         // transfer key to the emulator\r
                         if (transferToEml) {\r
-                               mfEmlGetMem(keyBlock, (trgBlockNo / 4) * 4 + 3, 1);\r
-               \r
+                               uint8_t sectortrailer;\r
+                               if (trgBlockNo < 32*4) {    // 4 block sector\r
+                                       sectortrailer = trgBlockNo | 0x03;\r
+                               } else {                    // 16 block sector\r
+                                       sectortrailer = trgBlockNo | 0x0f;\r
+                               }\r
+                               mfEmlGetMem(keyBlock, sectortrailer, 1);\r
+\r
                                 if (!trgKeyType)\r
                                         num_to_bytes(key64, 6, keyBlock);\r
                                 else\r
                                         num_to_bytes(key64, 6, &keyBlock[10]);\r
                                 if (!trgKeyType)\r
                                         num_to_bytes(key64, 6, keyBlock);\r
                                 else\r
                                         num_to_bytes(key64, 6, &keyBlock[10]);\r
-                               mfEmlSetMem(keyBlock, (trgBlockNo / 4) * 4 + 3, 1);             \r
+                               mfEmlSetMem(keyBlock, sectortrailer, 1);\r
+                               PrintAndLog("Key transferred to emulator memory.");\r
                         }\r
                 } else {\r
                         PrintAndLog("No valid key found");\r
                 }\r
         }\r
         else { // ------------------------------------  multiple sectors working\r
                         }\r
                 } else {\r
                         PrintAndLog("No valid key found");\r
                 }\r
         }\r
         else { // ------------------------------------  multiple sectors working\r
-               blDiff = blockNo % 4;\r
-               PrintAndLog("Block shift=%d", blDiff);\r
-               e_sector = calloc(SectorsCnt, sizeof(sector));\r
+               uint64_t msclock1;\r
+               msclock1 = msclock();\r
+\r
+               e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
                 if (e_sector == NULL) return 1;\r
                 if (e_sector == NULL) return 1;\r
-               \r
-               //test current key 4 sectors\r
-               memcpy(keyBlock, key, 6);\r
-               num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 1 * 6));\r
-               num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 2 * 6));\r
-               num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 3 * 6));\r
-               num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 4 * 6));\r
-               num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));\r
+\r
+               //test current key and additional standard keys first\r
+               for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){\r
+                       num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));\r
+               }\r
  \r
                 PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);\r
  \r
                 PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);\r
-               for (i = 0; i < SectorsCnt; i++) {\r
-                       for (j = 0; j < 2; j++) {\r
-                               if (e_sector[i].foundKey[j]) continue;\r
-                               \r
-                               res = mfCheckKeys(i * 4 + blDiff, j, 6, keyBlock, &key64);\r
-                               \r
-                               if (!res) {\r
-                                       e_sector[i].Key[j] = key64;\r
-                                       e_sector[i].foundKey[j] = 1;\r
+               mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, MifareDefaultKeysSize, keyBlock, e_sector);\r
+\r
+               // get known key from array\r
+               bool keyFound = false;\r
+               if (autosearchKey) {\r
+                       for (i = 0; i < SectorsCnt; i++) {\r
+                               for (j = 0; j < 2; j++) {\r
+                                       if (e_sector[i].foundKey[j]) {\r
+                                               // get known key\r
+                                               blockNo = i * 4;\r
+                                               keyType = j;\r
+                                               num_to_bytes(e_sector[i].Key[j], 6, key);\r
+                                               keyFound = true;\r
+                                               break;\r
+                                       }\r
                                 }\r
                                 }\r
+                               if (keyFound) break;\r
+                       }\r
+\r
+                       // Can't found a key....\r
+                       if (!keyFound) {\r
+                               PrintAndLog("Can't found any of the known keys.");\r
+                               free(e_sector);\r
+                               return 4;\r
                         }\r
                         }\r
-               } \r
-               \r
+                       PrintAndLog("--auto key. block no:%3d, key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
+               }\r
+\r
                 // nested sectors\r
                 iterations = 0;\r
                 PrintAndLog("nested...");\r
                 // nested sectors\r
                 iterations = 0;\r
                 PrintAndLog("nested...");\r
+               bool calibrate = true;\r
                 for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
                 for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
-                       for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4) \r
-                               for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
-                                       if (e_sector[trgBlockNo / 4].foundKey[trgKeyType]) continue;\r
-                                       if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) continue;\r
-                                       \r
+                       for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
+                               for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {\r
+                                       if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
+                                       PrintAndLog("-----------------------------------------------");\r
+                                       int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
+                                       if(isOK) {\r
+                                               switch (isOK) {\r
+                                                       case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+                                                       case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                                                       case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+                                                       default : PrintAndLog("Unknown Error.\n");\r
+                                               }\r
+                                               free(e_sector);\r
+                                               return 2;\r
+                                       } else {\r
+                                               calibrate = false;\r
+                                       }\r
+\r
                                         iterations++;\r
                                         iterations++;\r
-                                       \r
-                                       //try keys from nested\r
-                                       res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);\r
-                                       if (res)\r
-                                               res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);\r
-                                       if (!res) {\r
-                                               PrintAndLog("Found valid key:%012llx", key64);  \r
-                                               e_sector[trgBlockNo / 4].foundKey[trgKeyType] = 1;\r
-                                               e_sector[trgBlockNo / 4].Key[trgKeyType] = key64;\r
+\r
+                                       key64 = bytes_to_num(keyBlock, 6);\r
+                                       if (key64) {\r
+                                               PrintAndLog("Found valid key:%012" PRIx64, key64);\r
+                                               e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
+                                               e_sector[sectorNo].Key[trgKeyType] = key64;\r
+\r
+                                               // try to check this key as a key to the other sectors\r
+                                               mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, 1, keyBlock, e_sector);\r
                                         }\r
                                 }\r
                                         }\r
                                 }\r
+                       }\r
                 }\r
  \r
                 }\r
  \r
-               PrintAndLog("Iterations count: %d", iterations);\r
-               //print them\r
+               // print nested statistic\r
+               PrintAndLog("\n\n-----------------------------------------------\nNested statistic:\nIterations count: %d", iterations);\r
+               PrintAndLog("Time in nested: %1.3f (%1.3f sec per key)", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);\r
+\r
+               // print result\r
                 PrintAndLog("|---|----------------|---|----------------|---|");\r
                 PrintAndLog("|sec|key A           |res|key B           |res|");\r
                 PrintAndLog("|---|----------------|---|----------------|---|");\r
                 for (i = 0; i < SectorsCnt; i++) {\r
                 PrintAndLog("|---|----------------|---|----------------|---|");\r
                 PrintAndLog("|sec|key A           |res|key B           |res|");\r
                 PrintAndLog("|---|----------------|---|----------------|---|");\r
                 for (i = 0; i < SectorsCnt; i++) {\r
-                       PrintAndLog("|%03d|  %012llx  | %d |  %012llx  | %d |", i, \r
+                       PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,\r
                                 e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
                 }\r
                 PrintAndLog("|---|----------------|---|----------------|---|");\r
                                 e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
                 }\r
                 PrintAndLog("|---|----------------|---|----------------|---|");\r
-               \r
-               // transfer them to the emulator\r
+\r
+               // transfer keys to the emulator memory\r
                 if (transferToEml) {\r
                         for (i = 0; i < SectorsCnt; i++) {\r
                 if (transferToEml) {\r
                         for (i = 0; i < SectorsCnt; i++) {\r
-                               mfEmlGetMem(keyBlock, i * 4 + 3, 1);\r
+                               mfEmlGetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
                                 if (e_sector[i].foundKey[0])\r
                                         num_to_bytes(e_sector[i].Key[0], 6, keyBlock);\r
                                 if (e_sector[i].foundKey[1])\r
                                         num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]);\r
                                 if (e_sector[i].foundKey[0])\r
                                         num_to_bytes(e_sector[i].Key[0], 6, keyBlock);\r
                                 if (e_sector[i].foundKey[1])\r
                                         num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]);\r
-                               mfEmlSetMem(keyBlock, i * 4 + 3, 1);\r
-                       }               \r
+                               mfEmlSetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
+                       }\r
+                       PrintAndLog("Keys transferred to emulator memory.");\r
                 }\r
                 }\r
-               \r
+\r
                 // Create dump file\r
                 if (createDumpFile) {\r
                 // Create dump file\r
                 if (createDumpFile) {\r
-                       if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) { \r
+                       if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) {\r
                                 PrintAndLog("Could not create file dumpkeys.bin");\r
                                 free(e_sector);\r
                                 return 1;\r
                         }\r
                                 PrintAndLog("Could not create file dumpkeys.bin");\r
                                 free(e_sector);\r
                                 return 1;\r
                         }\r
-                       PrintAndLog("Printing keys to bynary file dumpkeys.bin...");\r
-                       for(i=0; i<16; i++) {\r
+                       PrintAndLog("Printing keys to binary file dumpkeys.bin...");\r
+                       for(i=0; i<SectorsCnt; i++) {\r
                                 if (e_sector[i].foundKey[0]){\r
                                         num_to_bytes(e_sector[i].Key[0], 6, tempkey);\r
                                         fwrite ( tempkey, 1, 6, fkeys );\r
                                 if (e_sector[i].foundKey[0]){\r
                                         num_to_bytes(e_sector[i].Key[0], 6, tempkey);\r
                                         fwrite ( tempkey, 1, 6, fkeys );\r
@@ -678,7 +863,7 @@ int CmdHF14AMfNested(const char *Cmd)
                                         fwrite ( &standart, 1, 6, fkeys );\r
                                 }\r
                         }\r
                                         fwrite ( &standart, 1, 6, fkeys );\r
                                 }\r
                         }\r
-                       for(i=0; i<16; i++) {\r
+                       for(i=0; i<SectorsCnt; i++) {\r
                                 if (e_sector[i].foundKey[1]){\r
                                         num_to_bytes(e_sector[i].Key[1], 6, tempkey);\r
                                         fwrite ( tempkey, 1, 6, fkeys );\r
                                 if (e_sector[i].foundKey[1]){\r
                                         num_to_bytes(e_sector[i].Key[1], 6, tempkey);\r
                                         fwrite ( tempkey, 1, 6, fkeys );\r
@@ -689,106 +874,263 @@ int CmdHF14AMfNested(const char *Cmd)
                         }\r
                         fclose(fkeys);\r
                 }\r
                         }\r
                         fclose(fkeys);\r
                 }\r
-               \r
+\r
                 free(e_sector);\r
         }\r
                 free(e_sector);\r
         }\r
-\r
         return 0;\r
  }\r
  \r
         return 0;\r
  }\r
  \r
-static  uint32_t\r
-get_trailer_block (uint32_t uiBlock)\r
-{\r
-  // Test if we are in the small or big sectors\r
-  uint32_t trailer_block = 0;\r
-  if (uiBlock < 128) {\r
-    trailer_block = uiBlock + (3 - (uiBlock % 4));\r
-  } else {\r
-    trailer_block = uiBlock + (15 - (uiBlock % 16));\r
-  }\r
-  return trailer_block;\r
-}\r
-int CmdHF14AMfChk(const char *Cmd)\r
+\r
+int CmdHF14AMfNestedHard(const char *Cmd)\r
  {\r
  {\r
-       FILE * f;\r
-       char filename[256]={0};\r
-       char buf[13];\r
-       uint8_t *keyBlock = NULL, *p;\r
-       uint8_t stKeyBlock = 20;\r
-       \r
-       int i, res;\r
-       int     keycnt = 0;\r
-       char ctmp       = 0x00;\r
         uint8_t blockNo = 0;\r
         uint8_t blockNo = 0;\r
-       uint8_t SectorsCnt = 1;\r
         uint8_t keyType = 0;\r
         uint8_t keyType = 0;\r
-       uint64_t key64 = 0;\r
-       \r
-       int transferToEml = 0;\r
-       int createDumpFile = 0;\r
+       uint8_t trgBlockNo = 0;\r
+       uint8_t trgKeyType = 0;\r
+       uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
+       uint8_t trgkey[6] = {0, 0, 0, 0, 0, 0};\r
  \r
  \r
-       keyBlock = calloc(stKeyBlock, 6);\r
-       if (keyBlock == NULL) return 1;\r
+       char ctmp;\r
+       ctmp = param_getchar(Cmd, 0);\r
  \r
  \r
-       num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 0 * 6)); // Default key (first key used by program if no user defined key)\r
-       num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 1 * 6)); // Blank key\r
-       num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 2 * 6)); // NFCForum MAD key\r
-       num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 3 * 6));\r
-       num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 4 * 6));\r
-       num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 5 * 6));\r
-       num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 6 * 6));\r
-       num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 7 * 6));\r
-       num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 8 * 6));\r
-       num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 9 * 6));\r
-       num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 10 * 6));\r
-       num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 11 * 6));\r
-       num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 12 * 6));\r
-       \r
-       if (strlen(Cmd)<3) {\r
-               PrintAndLog("Usage:  hf mf chk <block number>/<*card memory> <key type (A/B/?)> [t] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
-               PrintAndLog("          * - all sectors");\r
-               PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
-//             PrintAndLog("d - write keys to binary file\n");\r
-               \r
-               PrintAndLog("      sample: hf mf chk 0 A 1234567890ab keys.dic");\r
-               PrintAndLog("              hf mf chk *1 ? t");\r
+       if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) {\r
+               PrintAndLog("Usage:");\r
+               PrintAndLog("      hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>");\r
+               PrintAndLog("                       <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]");\r
+               PrintAndLog("  or  hf mf hardnested r [known target key]");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("Options: ");\r
+               PrintAndLog("      w: Acquire nonces and write them to binary file nonces.bin");\r
+               PrintAndLog("      s: Slower acquisition (required by some non standard cards)");\r
+               PrintAndLog("      r: Read nonces.bin and start attack");\r
+               PrintAndLog("      iX: set type of SIMD instructions. Without this flag programs autodetect it.");\r
+               PrintAndLog("        i5: AVX512");\r
+               PrintAndLog("        i2: AVX2");\r
+               PrintAndLog("        ia: AVX");\r
+               PrintAndLog("        is: SSE2");\r
+               PrintAndLog("        im: MMX");\r
+               PrintAndLog("        in: none (use CPU regular instruction set)");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("      sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A");\r
+               PrintAndLog("      sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w");\r
+               PrintAndLog("      sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s");\r
+               PrintAndLog("      sample4: hf mf hardnested r");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("Add the known target key to check if it is present in the remaining key space:");\r
+               PrintAndLog("      sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF");\r
                 return 0;\r
                 return 0;\r
-       }       \r
-       \r
-       if (param_getchar(Cmd, 0)=='*') {\r
-               blockNo = 3;\r
-               switch(param_getchar(Cmd+1, 0)) {\r
-                       case '0': SectorsCnt =  5; break;\r
-                       case '1': SectorsCnt = 16; break;\r
-                       case '2': SectorsCnt = 32; break;\r
-                       case '4': SectorsCnt = 40; break;\r
-                       default:  SectorsCnt = 16;\r
+       }\r
+\r
+       bool know_target_key = false;\r
+       bool nonce_file_read = false;\r
+       bool nonce_file_write = false;\r
+       bool slow = false;\r
+       int tests = 0;\r
+\r
+\r
+       uint16_t iindx = 0;\r
+       if (ctmp == 'R' || ctmp == 'r') {\r
+               nonce_file_read = true;\r
+               iindx = 1;\r
+               if (!param_gethex(Cmd, 1, trgkey, 12)) {\r
+                       know_target_key = true;\r
+                       iindx = 2;\r
+               }\r
+       } else if (ctmp == 'T' || ctmp == 't') {\r
+               tests = param_get32ex(Cmd, 1, 100, 10);\r
+               iindx = 2;\r
+               if (!param_gethex(Cmd, 2, trgkey, 12)) {\r
+                       know_target_key = true;\r
+                       iindx = 3;\r
+               }\r
+       } else {\r
+               blockNo = param_get8(Cmd, 0);\r
+               ctmp = param_getchar(Cmd, 1);\r
+               if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                       PrintAndLog("Key type must be A or B");\r
+                       return 1;\r
+               }\r
+               if (ctmp != 'A' && ctmp != 'a') {\r
+                       keyType = 1;\r
+               }\r
+\r
+               if (param_gethex(Cmd, 2, key, 12)) {\r
+                       PrintAndLog("Key must include 12 HEX symbols");\r
+                       return 1;\r
+               }\r
+\r
+               trgBlockNo = param_get8(Cmd, 3);\r
+               ctmp = param_getchar(Cmd, 4);\r
+               if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                       PrintAndLog("Target key type must be A or B");\r
+                       return 1;\r
+               }\r
+               if (ctmp != 'A' && ctmp != 'a') {\r
+                       trgKeyType = 1;\r
+               }\r
+\r
+               uint16_t i = 5;\r
+\r
+               if (!param_gethex(Cmd, 5, trgkey, 12)) {\r
+                       know_target_key = true;\r
+                       i++;\r
+               }\r
+               iindx = i;\r
+\r
+               while ((ctmp = param_getchar(Cmd, i))) {\r
+                       if (ctmp == 's' || ctmp == 'S') {\r
+                               slow = true;\r
+                       } else if (ctmp == 'w' || ctmp == 'W') {\r
+                               nonce_file_write = true;\r
+                       } else if (param_getlength(Cmd, i) == 2 && ctmp == 'i') {\r
+                               iindx = i;\r
+                       } else {\r
+                               PrintAndLog("Possible options are w , s and/or iX");\r
+                               return 1;\r
+                       }\r
+                       i++;\r
+               }\r
+       }\r
+\r
+       SetSIMDInstr(SIMD_AUTO);\r
+       if (iindx > 0) {\r
+               while ((ctmp = param_getchar(Cmd, iindx))) {\r
+                       if (param_getlength(Cmd, iindx) == 2 && ctmp == 'i') {\r
+                               switch(param_getchar_indx(Cmd, 1, iindx)) {\r
+                                       case '5':\r
+                                               SetSIMDInstr(SIMD_AVX512);\r
+                                               break;\r
+                                       case '2':\r
+                                               SetSIMDInstr(SIMD_AVX2);\r
+                                               break;\r
+                                       case 'a':\r
+                                               SetSIMDInstr(SIMD_AVX);\r
+                                               break;\r
+                                       case 's':\r
+                                               SetSIMDInstr(SIMD_SSE2);\r
+                                               break;\r
+                                       case 'm':\r
+                                               SetSIMDInstr(SIMD_MMX);\r
+                                               break;\r
+                                       case 'n':\r
+                                               SetSIMDInstr(SIMD_NONE);\r
+                                               break;\r
+                                       default:\r
+                                               PrintAndLog("Unknown SIMD type. %c", param_getchar_indx(Cmd, 1, iindx));\r
+                                               return 1;\r
+                               }\r
+                       }\r
+                       iindx++;\r
                 }\r
         }\r
                 }\r
         }\r
+\r
+       PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ",\r
+                       trgBlockNo,\r
+                       trgKeyType?'B':'A',\r
+                       trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5],\r
+                       know_target_key?"":" (not set)",\r
+                       nonce_file_write?"write":nonce_file_read?"read":"none",\r
+                       slow?"Yes":"No",\r
+                       tests);\r
+\r
+       int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests);\r
+\r
+       if (isOK) {\r
+               switch (isOK) {\r
+                       case 1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+                       case 2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                       default : break;\r
+               }\r
+               return 2;\r
+       }\r
+\r
+       return 0;\r
+}\r
+\r
+\r
+int CmdHF14AMfChk(const char *Cmd)\r
+{\r
+       if (strlen(Cmd)<3) {\r
+               PrintAndLog("Usage:  hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d|s|ss] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
+               PrintAndLog("          * - all sectors");\r
+               PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
+               PrintAndLog("d  - write keys to binary file\n");\r
+               PrintAndLog("t  - write keys to emulator memory");\r
+               PrintAndLog("s  - slow execute. timeout 1ms");\r
+               PrintAndLog("ss - very slow execute. timeout 5ms");\r
+               PrintAndLog("      sample: hf mf chk 0 A 1234567890ab keys.dic");\r
+               PrintAndLog("              hf mf chk *1 ? t");\r
+               PrintAndLog("              hf mf chk *1 ? d");\r
+               PrintAndLog("              hf mf chk *1 ? s");\r
+               PrintAndLog("              hf mf chk *1 ? dss");\r
+               return 0;\r
+       }\r
+\r
+       FILE * f;\r
+       char filename[FILE_PATH_SIZE]={0};\r
+       char buf[13];\r
+       uint8_t *keyBlock = NULL, *p;\r
+       uint16_t stKeyBlock = 20;\r
+\r
+       int i, res;\r
+       int keycnt = 0;\r
+       char ctmp   = 0x00;\r
+       int clen = 0;\r
+       uint8_t blockNo = 0;\r
+       uint8_t SectorsCnt = 0;\r
+       uint8_t keyType = 0;\r
+       uint64_t key64 = 0;\r
+       // timeout in units. (ms * 106)/10 or us*0.0106\r
+       uint8_t btimeout14a = MF_CHKKEYS_DEFTIMEOUT; // fast by default\r
+       bool param3InUse = false;\r
+\r
+       bool transferToEml = 0;\r
+       bool createDumpFile = 0;\r
+\r
+       sector_t *e_sector = NULL;\r
+\r
+       keyBlock = calloc(stKeyBlock, 6);\r
+       if (keyBlock == NULL) return 1;\r
+\r
+       int defaultKeysSize = MifareDefaultKeysSize;\r
+       for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++){\r
+               num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));\r
+       }\r
+\r
+       if (param_getchar(Cmd, 0)=='*') {\r
+               SectorsCnt = ParamCardSizeSectors(param_getchar(Cmd + 1, 0));\r
+       }\r
         else\r
                 blockNo = param_get8(Cmd, 0);\r
         else\r
                 blockNo = param_get8(Cmd, 0);\r
-       \r
+\r
         ctmp = param_getchar(Cmd, 1);\r
         ctmp = param_getchar(Cmd, 1);\r
-       switch (ctmp) { \r
-       case 'a': case 'A':\r
-               keyType = !0;\r
-               break;\r
-       case 'b': case 'B':\r
-               keyType = !1;\r
-               break;\r
-       case '?':\r
-               keyType = 2;\r
-               break;\r
-       default:\r
-               PrintAndLog("Key type must be A , B or ?");\r
-               return 1;\r
-       };\r
-       \r
-       ctmp = param_getchar(Cmd, 2);\r
-       if              (ctmp == 't' || ctmp == 'T') transferToEml = 1;\r
-       else if (ctmp == 'd' || ctmp == 'D') createDumpFile = 1;\r
-       \r
-       for (i = transferToEml || createDumpFile; param_getchar(Cmd, 2 + i); i++) {\r
+       clen = param_getlength(Cmd, 1);\r
+       if (clen == 1) {\r
+               switch (ctmp) {\r
+               case 'a': case 'A':\r
+                       keyType = 0;\r
+                       break;\r
+               case 'b': case 'B':\r
+                       keyType = 1;\r
+                       break;\r
+               case '?':\r
+                       keyType = 2;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Key type must be A , B or ?");\r
+                       free(keyBlock);\r
+                       return 1;\r
+               };\r
+       }\r
+\r
+       parseParamTDS(Cmd, 2, &transferToEml, &createDumpFile, &btimeout14a);\r
+\r
+       param3InUse = transferToEml | createDumpFile | (btimeout14a != MF_CHKKEYS_DEFTIMEOUT);\r
+\r
+       PrintAndLog("--chk keys. sectors:%2d, block no:%3d, key type:%c, eml:%c, dmp=%c checktimeout=%d us",\r
+                       SectorsCnt, blockNo, keyType?'B':'A', transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);\r
+\r
+       for (i = param3InUse; param_getchar(Cmd, 2 + i); i++) {\r
                 if (!param_gethex(Cmd, 2 + i, keyBlock + 6 * keycnt, 12)) {\r
                         if ( stKeyBlock - keycnt < 2) {\r
                                 p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
                 if (!param_gethex(Cmd, 2 + i, keyBlock + 6 * keycnt, 12)) {\r
                         if ( stKeyBlock - keycnt < 2) {\r
                                 p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
@@ -799,35 +1141,32 @@ int CmdHF14AMfChk(const char *Cmd)
                                 }\r
                                 keyBlock = p;\r
                         }\r
                                 }\r
                                 keyBlock = p;\r
                         }\r
-                       PrintAndLog("chk key[%d] %02x%02x%02x%02x%02x%02x", keycnt,\r
+                       PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,\r
                         (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
                         (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
-                       (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],     (keyBlock + 6*keycnt)[5], 6);\r
+                       (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);\r
                         keycnt++;\r
                 } else {\r
                         // May be a dic file\r
                         keycnt++;\r
                 } else {\r
                         // May be a dic file\r
-                       if ( param_getstr(Cmd, 2 + i,filename) > 255 ) {\r
+                       if ( param_getstr(Cmd, 2 + i, filename, sizeof(filename)) >= FILE_PATH_SIZE ) {\r
                                 PrintAndLog("File name too long");\r
                                 free(keyBlock);\r
                                 return 2;\r
                         }\r
                                 PrintAndLog("File name too long");\r
                                 free(keyBlock);\r
                                 return 2;\r
                         }\r
-                       \r
+\r
                         if ( (f = fopen( filename , "r")) ) {\r
                         if ( (f = fopen( filename , "r")) ) {\r
-                               while( !feof(f) ){\r
-                                       memset(buf, 0, sizeof(buf));\r
-                                       fgets(buf, sizeof(buf), f);\r
-                                       \r
+                               while( fgets(buf, sizeof(buf), f) ){\r
                                         if (strlen(buf) < 12 || buf[11] == '\n')\r
                                                 continue;\r
                                         if (strlen(buf) < 12 || buf[11] == '\n')\r
                                                 continue;\r
-                               \r
+\r
                                         while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
                                         while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
-                                       \r
-                                       if( buf[0]=='#' ) continue;     //The line start with # is remcommnet,skip\r
  \r
  \r
-                                       if (!isxdigit(buf[0])){\r
+                                       if( buf[0]=='#' ) continue; //The line start with # is comment, skip\r
+\r
+                                       if (!isxdigit((unsigned char)buf[0])){\r
                                                 PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);\r
                                                 continue;\r
                                         }\r
                                                 PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);\r
                                                 continue;\r
                                         }\r
-                                       \r
+\r
                                         buf[12] = 0;\r
  \r
                                         if ( stKeyBlock - keycnt < 2) {\r
                                         buf[12] = 0;\r
  \r
                                         if ( stKeyBlock - keycnt < 2) {\r
@@ -835,136 +1174,497 @@ int CmdHF14AMfChk(const char *Cmd)
                                                 if (!p) {\r
                                                         PrintAndLog("Cannot allocate memory for defKeys");\r
                                                         free(keyBlock);\r
                                                 if (!p) {\r
                                                         PrintAndLog("Cannot allocate memory for defKeys");\r
                                                         free(keyBlock);\r
+                                                       fclose(f);\r
                                                         return 2;\r
                                                 }\r
                                                 keyBlock = p;\r
                                         }\r
                                         memset(keyBlock + 6 * keycnt, 0, 6);\r
                                         num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
                                                         return 2;\r
                                                 }\r
                                                 keyBlock = p;\r
                                         }\r
                                         memset(keyBlock + 6 * keycnt, 0, 6);\r
                                         num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
-                                       PrintAndLog("chk custom key[%d] %012llx", keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
+                                       PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
                                         keycnt++;\r
                                         keycnt++;\r
+                                       memset(buf, 0, sizeof(buf));\r
                                 }\r
                                 }\r
+                               fclose(f);\r
                         } else {\r
                                 PrintAndLog("File: %s: not found or locked.", filename);\r
                                 free(keyBlock);\r
                                 return 1;\r
                         } else {\r
                                 PrintAndLog("File: %s: not found or locked.", filename);\r
                                 free(keyBlock);\r
                                 return 1;\r
-                       fclose(f);\r
+\r
                         }\r
                 }\r
         }\r
                         }\r
                 }\r
         }\r
-       \r
+\r
+       // fill with default keys\r
         if (keycnt == 0) {\r
         if (keycnt == 0) {\r
-               PrintAndLog("No key specified,try default keys");\r
-               for (;keycnt <=12; keycnt++)\r
-                       PrintAndLog("chk default key[%d] %02x%02x%02x%02x%02x%02x", keycnt,\r
-                       (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
-                       (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],     (keyBlock + 6*keycnt)[5], 6);\r
-       }\r
-       \r
-       for ( int t = !keyType ; t < 2 ; keyType==2?(t++):(t=2) ) {\r
-               int b=blockNo;\r
-               for (int i=0; i<SectorsCnt; ++i) {\r
-                       PrintAndLog("--SectorsCnt:%d block no:0x%02x key type:%C key count:%d ", i,      b, t?'B':'A', keycnt);\r
-                       int size = keycnt>8?8:keycnt;\r
-                       for (int c = 0; c < keycnt; c+=size) {\r
-                               size=keycnt-c>8?8:keycnt-c;                     \r
-                               res = mfCheckKeys(b, t, size, keyBlock +6*c, &key64);\r
-                               if (res !=1) {\r
+               PrintAndLog("No key specified, trying default keys");\r
+               for (;keycnt < defaultKeysSize; keycnt++)\r
+                       PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,\r
+                               (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
+                               (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);\r
+       }\r
+\r
+       // initialize storage for found keys\r
+       e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
+       if (e_sector == NULL) {\r
+               free(keyBlock);\r
+               return 1;\r
+       }\r
+       for (uint8_t keyAB = 0; keyAB < 2; keyAB++) {\r
+               for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
+                       e_sector[sectorNo].Key[keyAB] = 0xffffffffffff;\r
+                       e_sector[sectorNo].foundKey[keyAB] = 0;\r
+               }\r
+       }\r
+       printf("\n");\r
+\r
+       bool foundAKey = false;\r
+       uint32_t max_keys = keycnt > USB_CMD_DATA_SIZE / 6 ? USB_CMD_DATA_SIZE / 6 : keycnt;\r
+       if (SectorsCnt) {\r
+               PrintAndLog("To cancel this operation press the button on the proxmark...");\r
+               printf("--");\r
+               for (uint32_t c = 0; c < keycnt; c += max_keys) {\r
+\r
+                       uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;\r
+                       res = mfCheckKeysSec(SectorsCnt, keyType, btimeout14a, true, size, &keyBlock[6 * c], e_sector); // timeout is (ms * 106)/10 or us*0.0106\r
+\r
+                       if (res != 1) {\r
+                               if (!res) {\r
+                                       printf("o");\r
+                                       foundAKey = true;\r
+                               } else {\r
+                                       printf(".");\r
+                               }\r
+                       } else {\r
+                               printf("\n");\r
+                               PrintAndLog("Command execute timeout");\r
+                       }\r
+               }\r
+       } else {\r
+               int keyAB = keyType;\r
+               do {\r
+                       for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
+\r
+                               uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;\r
+                               res = mfCheckKeys(blockNo, keyAB & 0x01, true, size, &keyBlock[6 * c], &key64);\r
+\r
+                               if (res != 1) {\r
                                         if (!res) {\r
                                         if (!res) {\r
-                                               PrintAndLog("Found valid key:[%012llx]",key64);\r
-                                               if (transferToEml) {\r
-                                                       uint8_t block[16];\r
-                                                       mfEmlGetMem(block, get_trailer_block(b), 1);\r
-                                                       num_to_bytes(key64, 6, block + t*10);\r
-                                                       mfEmlSetMem(block, get_trailer_block(b), 1);\r
-                                               }\r
-                                               break;\r
-                                       }\r
-                                       else {\r
-                                               printf("Not found yet, keycnt:%d\r", c+size);\r
-                                               fflush(stdout);\r
+                                               PrintAndLog("Found valid key:[%d:%c]%012" PRIx64, blockNo, (keyAB & 0x01)?'B':'A', key64);\r
+                                               foundAKey = true;\r
                                         }\r
                                 } else {\r
                                         PrintAndLog("Command execute timeout");\r
                                 }\r
                         }\r
                                         }\r
                                 } else {\r
                                         PrintAndLog("Command execute timeout");\r
                                 }\r
                         }\r
-                       b<127?(b+=4):(b+=16);   \r
+               } while(--keyAB > 0);\r
+       }\r
+\r
+       // print result\r
+       if (foundAKey) {\r
+               if (SectorsCnt) {\r
+                       PrintAndLog("");\r
+                       PrintAndLog("|---|----------------|---|----------------|---|");\r
+                       PrintAndLog("|sec|key A           |res|key B           |res|");\r
+                       PrintAndLog("|---|----------------|---|----------------|---|");\r
+                       for (i = 0; i < SectorsCnt; i++) {\r
+                               PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,\r
+                                       e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
+                       }\r
+                       PrintAndLog("|---|----------------|---|----------------|---|");\r
                 }\r
                 }\r
+       } else {\r
+               PrintAndLog("");\r
+               PrintAndLog("No valid keys found.");\r
+       }\r
+\r
+       if (transferToEml) {\r
+               uint8_t block[16];\r
+               for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
+                       if (e_sector[sectorNo].foundKey[0] || e_sector[sectorNo].foundKey[1]) {\r
+                               mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
+                               for (uint16_t t = 0; t < 2; t++) {\r
+                                       if (e_sector[sectorNo].foundKey[t]) {\r
+                                               num_to_bytes(e_sector[sectorNo].Key[t], 6, block + t * 10);\r
+                                       }\r
+                               }\r
+                               mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
+                       }\r
+               }\r
+               PrintAndLog("Found keys have been transferred to the emulator memory");\r
         }\r
         }\r
-       \r
-       free(keyBlock);\r
  \r
  \r
-/*\r
-       // Create dump file\r
         if (createDumpFile) {\r
         if (createDumpFile) {\r
-               if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) { \r
+               FILE *fkeys = fopen("dumpkeys.bin","wb");\r
+               if (fkeys == NULL) {\r
                         PrintAndLog("Could not create file dumpkeys.bin");\r
                         free(e_sector);\r
                         PrintAndLog("Could not create file dumpkeys.bin");\r
                         free(e_sector);\r
+                       free(keyBlock);\r
                         return 1;\r
                 }\r
                         return 1;\r
                 }\r
-               PrintAndLog("Printing keys to bynary file dumpkeys.bin...");\r
-               for(i=0; i<16; i++) {\r
-                       if (e_sector[i].foundKey[0]){\r
-                               num_to_bytes(e_sector[i].Key[0], 6, tempkey);\r
-                               fwrite ( tempkey, 1, 6, fkeys );\r
-                       }\r
-                       else{\r
-                               fwrite ( &standart, 1, 6, fkeys );\r
+               uint8_t mkey[6];\r
+               for (uint8_t t = 0; t < 2; t++) {\r
+                       for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
+                               num_to_bytes(e_sector[sectorNo].Key[t], 6, mkey);\r
+                               fwrite(mkey, 1, 6, fkeys);\r
                         }\r
                 }\r
                         }\r
                 }\r
-               for(i=0; i<16; i++) {\r
-                       if (e_sector[i].foundKey[1]){\r
-                               num_to_bytes(e_sector[i].Key[1], 6, tempkey);\r
-                               fwrite ( tempkey, 1, 6, fkeys );\r
+               fclose(fkeys);\r
+               PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");\r
+       }\r
+\r
+       free(e_sector);\r
+       free(keyBlock);\r
+       PrintAndLog("");\r
+       return 0;\r
+}\r
+\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
+       #define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+                                                          // cannot be more than 7 or it will overrun c.d.asBytes(512)\r
+       uint64_t key = 0;\r
+       typedef struct {\r
+                       uint64_t keyA;\r
+                       uint64_t keyB;\r
+       } st_t;\r
+       st_t sector_trailer[ATTACK_KEY_COUNT];\r
+       memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
+\r
+       uint8_t stSector[ATTACK_KEY_COUNT];\r
+       memset(stSector, 0x00, sizeof(stSector));\r
+       uint8_t key_cnt[ATTACK_KEY_COUNT];\r
+       memset(key_cnt, 0x00, sizeof(key_cnt));\r
+\r
+       for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+                       if (doStandardAttack && mfkey32(ar_resp[i], &key)) {\r
+                               PrintAndLog("  Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
+                                               if (ar_resp[i].keytype==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                       } else if (mfkey32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {\r
+                               uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;\r
+                               uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"\r
+                                       , keyType ? "B" : "A"\r
+                                       , sectorNum\r
+                                       , key\r
+                               );\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {\r
+                                               if (keyType==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                               continue;\r
                         }\r
                         }\r
-                       else{\r
-                               fwrite ( &standart, 1, 6, fkeys );\r
+               }\r
+       }\r
+       //set emulator memory for keys\r
+       if (setEmulatorMem) {\r
+               for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+                       if (key_cnt[i]>0) {\r
+                               uint8_t memBlock[16];\r
+                               memset(memBlock, 0x00, sizeof(memBlock));\r
+                               char cmd1[36];\r
+                               memset(cmd1,0x00,sizeof(cmd1));\r
+                               snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
+                               if (param_gethex(cmd1, 0, memBlock, 32)) {\r
+                                       PrintAndLog("block data must include 32 HEX symbols");\r
+                                       return;\r
+                               }\r
+\r
+                               UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
+                               memcpy(c.d.asBytes, memBlock, 16);\r
+                               clearCommandBuffer();\r
+                               SendCommand(&c);\r
                         }\r
                 }\r
                         }\r
                 }\r
-               fclose(fkeys);\r
         }\r
         }\r
-*/\r
-  return 0;\r
+       /*\r
+       //un-comment to use as well moebius attack\r
+       for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       if (tryMfk32_moebius(ar_resp[i], &key)) {\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+                       }\r
+               }\r
+       }*/\r
  }\r
  \r
  }\r
  \r
-int CmdHF14AMf1kSim(const char *Cmd)\r
-{\r
-       uint8_t uid[4] = {0, 0, 0, 0};\r
-       \r
-       if (param_getchar(Cmd, 0) == 'h') {\r
-               PrintAndLog("Usage:  hf mf sim  <uid (8 hex symbols)>");\r
-               PrintAndLog("           sample: hf mf sim 0a0a0a0a ");\r
-               return 0;\r
-       }       \r
-       \r
-       if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {\r
-               PrintAndLog("UID must include 8 HEX symbols");\r
-               return 1;\r
+int usage_hf14_mfsim(void) {\r
+       PrintAndLog("Usage:  hf mf sim [h] [*<card memory>] [u <uid (8, 14, or 20 hex symbols)>] [n <numreads>] [i] [x]");\r
+       PrintAndLog("options:");\r
+       PrintAndLog("      h    (Optional) this help");\r
+       PrintAndLog("      card memory: 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other, default> - 1K");\r
+       PrintAndLog("      u    (Optional) UID 4 or 7 bytes. If not specified, the UID 4B from emulator memory will be used");\r
+       PrintAndLog("      n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
+       PrintAndLog("      i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
+       PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
+       PrintAndLog("      e    (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");\r
+       PrintAndLog("      f    (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");\r
+       PrintAndLog("      r    (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");\r
+       PrintAndLog("samples:");\r
+       PrintAndLog("           hf mf sim u 0a0a0a0a");\r
+       PrintAndLog("           hf mf sim *4");\r
+       PrintAndLog("           hf mf sim u 11223344556677");\r
+       PrintAndLog("           hf mf sim f uids.txt");\r
+       PrintAndLog("           hf mf sim u 0a0a0a0a e");\r
+\r
+       return 0;\r
+}\r
+\r
+int CmdHF14AMfSim(const char *Cmd) {\r
+       UsbCommand resp;\r
+       uint8_t uid[7] = {0};\r
+       uint8_t exitAfterNReads = 0;\r
+       uint8_t flags = 0;\r
+       int uidlen = 0;\r
+       bool setEmulatorMem = false;\r
+       bool attackFromFile = false;\r
+       FILE *f;\r
+       char filename[FILE_PATH_SIZE];\r
+       memset(filename, 0x00, sizeof(filename));\r
+       int len = 0;\r
+       char buf[64];\r
+\r
+       uint8_t cmdp = 0;\r
+       bool errors = false;\r
+       uint8_t cardsize = '1';\r
+\r
+       while(param_getchar(Cmd, cmdp) != 0x00) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case '*':\r
+                       cardsize = param_getchar(Cmd + 1, cmdp);\r
+                       switch(cardsize) {\r
+                               case '0':\r
+                               case '1':\r
+                               case '2':\r
+                               case '4': break;\r
+                               default: cardsize = '1';\r
+                       }\r
+                       cmdp++;\r
+                       break;\r
+               case 'e':\r
+               case 'E':\r
+                       setEmulatorMem = true;\r
+                       //implies x and i\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp++;\r
+                       break;\r
+               case 'f':\r
+               case 'F':\r
+                       len = param_getstr(Cmd, cmdp+1, filename, sizeof(filename));\r
+                       if (len < 1) {\r
+                               PrintAndLog("error no filename found");\r
+                               return 0;\r
+                       }\r
+                       attackFromFile = true;\r
+                       //implies x and i\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_hf14_mfsim();\r
+               case 'i':\r
+               case 'I':\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'n':\r
+               case 'N':\r
+                       exitAfterNReads = param_get8(Cmd, cmdp+1);\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'r':\r
+               case 'R':\r
+                       flags |= FLAG_RANDOM_NONCE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'u':\r
+               case 'U':\r
+                       uidlen = 14;\r
+                       if (param_gethex_ex(Cmd, cmdp+1, uid, &uidlen)) {\r
+                               return usage_hf14_mfsim();\r
+                       }\r
+                       switch (uidlen) {\r
+                               case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags = FLAG_4B_UID_IN_DATA; break;\r
+                               default: return usage_hf14_mfsim();\r
+                       }\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'x':\r
+               case 'X':\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r
+               if(errors) break;\r
         }\r
         }\r
-       PrintAndLog(" uid:%s ", sprint_hex(uid, 4));\r
-       \r
-  UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {0, 0, 0}};\r
-       memcpy(c.d.asBytes, uid, 4);\r
-  SendCommand(&c);\r
+       //Validations\r
+       if(errors) return usage_hf14_mfsim();\r
  \r
  \r
-  return 0;\r
+       //get uid from file\r
+       if (attackFromFile) {\r
+               int count = 0;\r
+               // open file\r
+               f = fopen(filename, "r");\r
+               if (f == NULL) {\r
+                       PrintAndLog("File %s not found or locked", filename);\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loading file and simulating. Press keyboard to abort");\r
+               while(!feof(f) && !ukbhit()){\r
+                       memset(buf, 0, sizeof(buf));\r
+                       memset(uid, 0, sizeof(uid));\r
+\r
+                       if (fgets(buf, sizeof(buf), f) == NULL) {\r
+                               if (count > 0) break;\r
+\r
+                               PrintAndLog("File reading error.");\r
+                               fclose(f);\r
+                               return 2;\r
+                       }\r
+                       if(!strlen(buf) && feof(f)) break;\r
+\r
+                       uidlen = strlen(buf)-1;\r
+                       switch(uidlen) {\r
+                               case 14: flags |= FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags |= FLAG_4B_UID_IN_DATA; break;\r
+                               default:\r
+                                       PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);\r
+                                       fclose(f);\r
+                                       return 2;\r
+                       }\r
+\r
+                       for (uint8_t i = 0; i < uidlen; i += 2) {\r
+                               sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);\r
+                       }\r
+\r
+                       PrintAndLog("mf sim cardsize: %s, uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",\r
+                               cardsize == '0' ? "Mini" :\r
+                                       cardsize == '2' ? "2K" :\r
+                                               cardsize == '4' ? "4K" : "1K",\r
+                               flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+                                       flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A",\r
+                               exitAfterNReads,\r
+                               flags,\r
+                               flags);\r
+\r
+                       UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads, cardsize}};\r
+                       memcpy(c.d.asBytes, uid, sizeof(uid));\r
+                       clearCommandBuffer();\r
+                       SendCommand(&c);\r
+\r
+                       while (! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               //We're waiting only 1.5 s at a time, otherwise we get the\r
+                               // annoying message about "Waiting for a response... "\r
+                       }\r
+                       //got a response\r
+                       nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                       memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                       // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                       readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+                       if ((bool)resp.arg[1]) {\r
+                               PrintAndLog("Device button pressed - quitting");\r
+                               fclose(f);\r
+                               return 4;\r
+                       }\r
+                       count++;\r
+               }\r
+               fclose(f);\r
+\r
+       } else { //not from file\r
+\r
+               PrintAndLog("mf sim cardsize: %s, uid: %s, numreads:%d, flags:%d (0x%02x) ",\r
+                       cardsize == '0' ? "Mini" :\r
+                               cardsize == '2' ? "2K" :\r
+                                       cardsize == '4' ? "4K" : "1K",\r
+                       flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+                               flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A",\r
+                       exitAfterNReads,\r
+                       flags,\r
+                       flags);\r
+\r
+               UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads, cardsize}};\r
+               memcpy(c.d.asBytes, uid, sizeof(uid));\r
+               clearCommandBuffer();\r
+               SendCommand(&c);\r
+\r
+               if(flags & FLAG_INTERACTIVE) {\r
+                       PrintAndLog("Press pm3-button to abort simulation");\r
+                       while(! WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {\r
+                               //We're waiting only 1.5 s at a time, otherwise we get the\r
+                               // annoying message about "Waiting for a response... "\r
+                       }\r
+                       //got a response\r
+                       if (flags & FLAG_NR_AR_ATTACK) {\r
+                               nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                               memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                               // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                               readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+                       }\r
+               }\r
+       }\r
+\r
+       return 0;\r
  }\r
  \r
  int CmdHF14AMfDbg(const char *Cmd)\r
  {\r
         int dbgMode = param_get32ex(Cmd, 0, 0, 10);\r
         if (dbgMode > 4) {\r
  }\r
  \r
  int CmdHF14AMfDbg(const char *Cmd)\r
  {\r
         int dbgMode = param_get32ex(Cmd, 0, 0, 10);\r
         if (dbgMode > 4) {\r
-               PrintAndLog("Max debud mode parameter is 4 \n");\r
+               PrintAndLog("Max debug mode parameter is 4 \n");\r
         }\r
  \r
         if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) {\r
                 PrintAndLog("Usage:  hf mf dbg  <debug level>");\r
                 PrintAndLog(" 0 - no debug messages");\r
                 PrintAndLog(" 1 - error messages");\r
         }\r
  \r
         if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) {\r
                 PrintAndLog("Usage:  hf mf dbg  <debug level>");\r
                 PrintAndLog(" 0 - no debug messages");\r
                 PrintAndLog(" 1 - error messages");\r
-               PrintAndLog(" 2 - all messages");\r
-               PrintAndLog(" 4 - extended debug mode");\r
+               PrintAndLog(" 2 - plus information messages");\r
+               PrintAndLog(" 3 - plus debug messages");\r
+               PrintAndLog(" 4 - print even debug messages in timing critical functions");\r
+               PrintAndLog("     Note: this option therefore may cause malfunction itself");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
  \r
    UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};\r
    SendCommand(&c);\r
  \r
    UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};\r
    SendCommand(&c);\r
@@ -975,26 +1675,19 @@ int CmdHF14AMfDbg(const char *Cmd)
  int CmdHF14AMfEGet(const char *Cmd)\r
  {\r
         uint8_t blockNo = 0;\r
  int CmdHF14AMfEGet(const char *Cmd)\r
  {\r
         uint8_t blockNo = 0;\r
-       uint8_t data[3 * 16];\r
-       int i;\r
+       uint8_t data[16] = {0x00};\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("Usage:  hf mf eget <block number>");\r
                 PrintAndLog(" sample: hf mf eget 0 ");\r
                 return 0;\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("Usage:  hf mf eget <block number>");\r
                 PrintAndLog(" sample: hf mf eget 0 ");\r
                 return 0;\r
-       }       \r
-       \r
-       blockNo = param_get8(Cmd, 0);\r
-       if (blockNo >= 32 * 4 + 8 * 16) {\r
-               PrintAndLog("Block number must be in [0..255] as in MIFARE classic.");\r
-               return 1;\r
         }\r
  \r
         }\r
  \r
+       blockNo = param_get8(Cmd, 0);\r
+\r
         PrintAndLog(" ");\r
         PrintAndLog(" ");\r
-       if (!mfEmlGetMem(data, blockNo, 3)) {\r
-               for (i = 0; i < 3; i++) {\r
-                       PrintAndLog("data[%d]:%s", blockNo + i, sprint_hex(data + i * 16, 16));\r
-               }\r
+       if (!mfEmlGetMem(data, blockNo, 1)) {\r
+               PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16));\r
         } else {\r
                 PrintAndLog("Command execute timeout");\r
         }\r
         } else {\r
                 PrintAndLog("Command execute timeout");\r
         }\r
@@ -1008,13 +1701,14 @@ int CmdHF14AMfEClear(const char *Cmd)
                 PrintAndLog("Usage:  hf mf eclr");\r
                 PrintAndLog("It set card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF \n");\r
                 return 0;\r
                 PrintAndLog("Usage:  hf mf eclr");\r
                 PrintAndLog("It set card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF \n");\r
                 return 0;\r
-       }       \r
+       }\r
  \r
    UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};\r
    SendCommand(&c);\r
    return 0;\r
  }\r
  \r
  \r
    UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};\r
    SendCommand(&c);\r
    return 0;\r
  }\r
  \r
+\r
  int CmdHF14AMfESet(const char *Cmd)\r
  {\r
         uint8_t memBlock[16];\r
  int CmdHF14AMfESet(const char *Cmd)\r
  {\r
         uint8_t memBlock[16];\r
@@ -1026,308 +1720,542 @@ int CmdHF14AMfESet(const char *Cmd)
                 PrintAndLog("Usage:  hf mf eset <block number> <block data (32 hex symbols)>");\r
                 PrintAndLog(" sample: hf mf eset 1 000102030405060708090a0b0c0d0e0f ");\r
                 return 0;\r
                 PrintAndLog("Usage:  hf mf eset <block number> <block data (32 hex symbols)>");\r
                 PrintAndLog(" sample: hf mf eset 1 000102030405060708090a0b0c0d0e0f ");\r
                 return 0;\r
-       }       \r
-       \r
-       blockNo = param_get8(Cmd, 0);\r
-       if (blockNo >= 32 * 4 + 8 * 16) {\r
-               PrintAndLog("Block number must be in [0..255] as in MIFARE classic.");\r
-               return 1;\r
         }\r
         }\r
-       \r
+\r
+       blockNo = param_get8(Cmd, 0);\r
+\r
         if (param_gethex(Cmd, 1, memBlock, 32)) {\r
                 PrintAndLog("block data must include 32 HEX symbols");\r
                 return 1;\r
         }\r
         if (param_gethex(Cmd, 1, memBlock, 32)) {\r
                 PrintAndLog("block data must include 32 HEX symbols");\r
                 return 1;\r
         }\r
-       \r
+\r
         //  1 - blocks count\r
         //  1 - blocks count\r
-  UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}};\r
-       memcpy(c.d.asBytes, memBlock, 16);\r
-  SendCommand(&c);\r
-  return 0;\r
+       return mfEmlSetMem(memBlock, blockNo, 1);\r
  }\r
  \r
  }\r
  \r
+\r
  int CmdHF14AMfELoad(const char *Cmd)\r
  {\r
         FILE * f;\r
  int CmdHF14AMfELoad(const char *Cmd)\r
  {\r
         FILE * f;\r
-       char filename[20];\r
-       char * fnameptr = filename;\r
-       char buf[64];\r
-       uint8_t buf8[64];\r
-       int i, len, blockNum;\r
-       \r
-       memset(filename, 0, sizeof(filename));\r
-       memset(buf, 0, sizeof(buf));\r
+       char filename[FILE_PATH_SIZE];\r
+       char *fnameptr = filename;\r
+       char buf[64] = {0x00};\r
+       uint8_t buf8[64] = {0x00};\r
+       int i, len, blockNum, numBlocks;\r
+       int nameParamNo = 1;\r
  \r
  \r
-       if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
+       char ctmp = param_getchar(Cmd, 0);\r
+\r
+       if ( ctmp == 'h' || ctmp == 0x00) {\r
                 PrintAndLog("It loads emul dump from the file `filename.eml`");\r
                 PrintAndLog("It loads emul dump from the file `filename.eml`");\r
-               PrintAndLog("Usage:  hf mf eload <file name w/o `.eml`>");\r
+               PrintAndLog("Usage:  hf mf eload [card memory] <file name w/o `.eml`>");\r
+               PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("");\r
                 PrintAndLog(" sample: hf mf eload filename");\r
                 PrintAndLog(" sample: hf mf eload filename");\r
+               PrintAndLog("         hf mf eload 4 filename");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
+\r
+       switch (ctmp) {\r
+               case '0' : numBlocks = 5*4; break;\r
+               case '1' :\r
+               case '\0': numBlocks = 16*4; break;\r
+               case '2' : numBlocks = 32*4; break;\r
+               case '4' : numBlocks = 256; break;\r
+               default:  {\r
+                       numBlocks = 16*4;\r
+                       nameParamNo = 0;\r
+               }\r
+       }\r
+\r
+       len = param_getstr(Cmd, nameParamNo, filename, sizeof(filename));\r
  \r
  \r
-       len = strlen(Cmd);\r
-       if (len > 14) len = 14;\r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
  \r
  \r
-       memcpy(filename, Cmd, len);\r
         fnameptr += len;\r
  \r
         fnameptr += len;\r
  \r
-       sprintf(fnameptr, ".eml"); \r
-       \r
+       sprintf(fnameptr, ".eml");\r
+\r
         // open file\r
         f = fopen(filename, "r");\r
         if (f == NULL) {\r
         // open file\r
         f = fopen(filename, "r");\r
         if (f == NULL) {\r
-               PrintAndLog("File not found or locked.");\r
+               PrintAndLog("File %s not found or locked", filename);\r
                 return 1;\r
         }\r
                 return 1;\r
         }\r
-       \r
+\r
         blockNum = 0;\r
         while(!feof(f)){\r
                 memset(buf, 0, sizeof(buf));\r
         blockNum = 0;\r
         while(!feof(f)){\r
                 memset(buf, 0, sizeof(buf));\r
-               fgets(buf, sizeof(buf), f);\r
+\r
+               if (fgets(buf, sizeof(buf), f) == NULL) {\r
+\r
+                       if (blockNum >= numBlocks) break;\r
+\r
+                       PrintAndLog("File reading error.");\r
+                       fclose(f);\r
+                       return 2;\r
+               }\r
  \r
                 if (strlen(buf) < 32){\r
                         if(strlen(buf) && feof(f))\r
                                 break;\r
                         PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
  \r
                 if (strlen(buf) < 32){\r
                         if(strlen(buf) && feof(f))\r
                                 break;\r
                         PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
+                       fclose(f);\r
                         return 2;\r
                 }\r
                         return 2;\r
                 }\r
-               for (i = 0; i < 32; i += 2)\r
-                 sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
-//                     PrintAndLog("data[%02d]:%s", blockNum, sprint_hex(buf8, 16));\r
+\r
+               for (i = 0; i < 32; i += 2) {\r
+                       sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
+               }\r
  \r
                 if (mfEmlSetMem(buf8, blockNum, 1)) {\r
  \r
                 if (mfEmlSetMem(buf8, blockNum, 1)) {\r
-                       PrintAndLog("Cant set emul block: %d", blockNum);\r
+                       PrintAndLog("Cant set emul block: %3d", blockNum);\r
+                       fclose(f);\r
                         return 3;\r
                 }\r
                         return 3;\r
                 }\r
+               printf(".");\r
                 blockNum++;\r
                 blockNum++;\r
-               \r
-               if (blockNum >= 32 * 4 + 8 * 16) break;\r
+\r
+               if (blockNum >= numBlocks) break;\r
         }\r
         fclose(f);\r
         }\r
         fclose(f);\r
-       \r
-       if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){\r
-               PrintAndLog("File content error. There must be 64 blocks");\r
+       printf("\n");\r
+\r
+       if ((blockNum != numBlocks)) {\r
+               PrintAndLog("File content error. Got %d must be %d blocks.",blockNum, numBlocks);\r
                 return 4;\r
         }\r
                 return 4;\r
         }\r
-       PrintAndLog("Loaded from file: %s", filename);\r
-  return 0;\r
+       PrintAndLog("Loaded %d blocks from file: %s", blockNum, filename);\r
+       return 0;\r
  }\r
  \r
  }\r
  \r
+\r
  int CmdHF14AMfESave(const char *Cmd)\r
  {\r
         FILE * f;\r
  int CmdHF14AMfESave(const char *Cmd)\r
  {\r
         FILE * f;\r
-       char filename[20];\r
+       char filename[FILE_PATH_SIZE];\r
         char * fnameptr = filename;\r
         uint8_t buf[64];\r
         char * fnameptr = filename;\r
         uint8_t buf[64];\r
-       int i, j, len;\r
-       \r
+       int i, j, len, numBlocks;\r
+       int nameParamNo = 1;\r
+\r
         memset(filename, 0, sizeof(filename));\r
         memset(buf, 0, sizeof(buf));\r
  \r
         memset(filename, 0, sizeof(filename));\r
         memset(buf, 0, sizeof(buf));\r
  \r
-       if (param_getchar(Cmd, 0) == 'h') {\r
+       char ctmp = param_getchar(Cmd, 0);\r
+\r
+       if ( ctmp == 'h' || ctmp == 'H') {\r
                 PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`");\r
                 PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`");\r
-               PrintAndLog("Usage:  hf mf esave [file name w/o `.eml`]");\r
+               PrintAndLog(" Usage:  hf mf esave [card memory] [file name w/o `.eml`]");\r
+               PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("");\r
                 PrintAndLog(" sample: hf mf esave ");\r
                 PrintAndLog(" sample: hf mf esave ");\r
-               PrintAndLog("         hf mf esave filename");\r
+               PrintAndLog("         hf mf esave 4");\r
+               PrintAndLog("         hf mf esave 4 filename");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
+\r
+       switch (ctmp) {\r
+               case '0' : numBlocks = 5*4; break;\r
+               case '1' :\r
+               case '\0': numBlocks = 16*4; break;\r
+               case '2' : numBlocks = 32*4; break;\r
+               case '4' : numBlocks = 256; break;\r
+               default:  {\r
+                       numBlocks = 16*4;\r
+                       nameParamNo = 0;\r
+               }\r
+       }\r
+\r
+       len = param_getstr(Cmd,nameParamNo,filename,sizeof(filename));\r
  \r
  \r
-       len = strlen(Cmd);\r
-       if (len > 14) len = 14;\r
-       \r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
+\r
+       // user supplied filename?\r
         if (len < 1) {\r
         if (len < 1) {\r
-               // get filename\r
+               // get filename (UID from memory)\r
                 if (mfEmlGetMem(buf, 0, 1)) {\r
                 if (mfEmlGetMem(buf, 0, 1)) {\r
-                       PrintAndLog("Cant get block: %d", 0);\r
-                       return 1;\r
+                       PrintAndLog("Can\'t get UID from block: %d", 0);\r
+                       len = sprintf(fnameptr, "dump");\r
+                       fnameptr += len;\r
+               }\r
+               else {\r
+                       for (j = 0; j < 7; j++, fnameptr += 2)\r
+                               sprintf(fnameptr, "%02X", buf[j]);\r
                 }\r
                 }\r
-               for (j = 0; j < 7; j++, fnameptr += 2)\r
-                       sprintf(fnameptr, "%02x", buf[j]); \r
         } else {\r
         } else {\r
-               memcpy(filename, Cmd, len);\r
                 fnameptr += len;\r
         }\r
  \r
                 fnameptr += len;\r
         }\r
  \r
-       sprintf(fnameptr, ".eml"); \r
-       \r
+       // add file extension\r
+       sprintf(fnameptr, ".eml");\r
+\r
         // open file\r
         f = fopen(filename, "w+");\r
  \r
         // open file\r
         f = fopen(filename, "w+");\r
  \r
+       if ( !f ) {\r
+               PrintAndLog("Can't open file %s ", filename);\r
+               return 1;\r
+       }\r
+\r
         // put hex\r
         // put hex\r
-       for (i = 0; i < 32 * 4 + 8 * 16; i++) {\r
+       for (i = 0; i < numBlocks; i++) {\r
                 if (mfEmlGetMem(buf, i, 1)) {\r
                         PrintAndLog("Cant get block: %d", i);\r
                         break;\r
                 }\r
                 for (j = 0; j < 16; j++)\r
                 if (mfEmlGetMem(buf, i, 1)) {\r
                         PrintAndLog("Cant get block: %d", i);\r
                         break;\r
                 }\r
                 for (j = 0; j < 16; j++)\r
-                       fprintf(f, "%02x", buf[j]); \r
+                       fprintf(f, "%02X", buf[j]);\r
                 fprintf(f,"\n");\r
         }\r
         fclose(f);\r
                 fprintf(f,"\n");\r
         }\r
         fclose(f);\r
-       \r
-       PrintAndLog("Saved to file: %s", filename);\r
-       \r
+\r
+       PrintAndLog("Saved %d blocks to file: %s", numBlocks, filename);\r
+\r
    return 0;\r
  }\r
  \r
    return 0;\r
  }\r
  \r
-int CmdHF14AMfECFill(const char *Cmd)\r
+\r
+int CmdHF14AMfECFill(const char *Cmd)\r
+{\r
+       uint8_t keyType = 0;\r
+       uint8_t numSectors = 16;\r
+\r
+       if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
+               PrintAndLog("Usage:  hf mf ecfill <key A/B> [card memory]");\r
+               PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("");\r
+               PrintAndLog("samples:  hf mf ecfill A");\r
+               PrintAndLog("          hf mf ecfill A 4");\r
+               PrintAndLog("Read card and transfer its data to emulator memory.");\r
+               PrintAndLog("Keys must be laid in the emulator memory. \n");\r
+               return 0;\r
+       }\r
+\r
+       char ctmp = param_getchar(Cmd, 0);\r
+       if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+               PrintAndLog("Key type must be A or B");\r
+               return 1;\r
+       }\r
+       if (ctmp != 'A' && ctmp != 'a') keyType = 1;\r
+\r
+       ctmp = param_getchar(Cmd, 1);\r
+       switch (ctmp) {\r
+               case '0' : numSectors = 5; break;\r
+               case '1' :\r
+               case '\0': numSectors = 16; break;\r
+               case '2' : numSectors = 32; break;\r
+               case '4' : numSectors = 40; break;\r
+               default:   numSectors = 16;\r
+       }\r
+\r
+       printf("--params: numSectors: %d, keyType:%d\n", numSectors, keyType);\r
+       UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};\r
+       SendCommand(&c);\r
+       return 0;\r
+}\r
+\r
+\r
+int CmdHF14AMfEKeyPrn(const char *Cmd)\r
+{\r
+       int i;\r
+       uint8_t numSectors = 16;\r
+       uint8_t data[16];\r
+       uint64_t keyA, keyB;\r
+       bool createDumpFile = false;\r
+\r
+       if (param_getchar(Cmd, 0) == 'h') {\r
+               PrintAndLog("It prints the keys loaded in the emulator memory");\r
+               PrintAndLog("Usage:  hf mf ekeyprn [card memory] [d]");\r
+               PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("  [d]          : write keys to binary file dumpkeys.bin");\r
+               PrintAndLog("");\r
+               PrintAndLog(" sample: hf mf ekeyprn 1");\r
+               return 0;\r
+       }\r
+\r
+       uint8_t cmdp = 0;\r
+       while (param_getchar(Cmd, cmdp) != 0x00) {\r
+               switch (param_getchar(Cmd, cmdp)) {\r
+                       case '0' : numSectors = 5; break;\r
+                       case '1' :\r
+                       case '\0': numSectors = 16; break;\r
+                       case '2' : numSectors = 32; break;\r
+                       case '4' : numSectors = 40; break;\r
+                       case 'd' : \r
+                       case 'D' : createDumpFile = true; break;\r
+               }\r
+               cmdp++;\r
+       }\r
+\r
+       PrintAndLog("|---|----------------|----------------|");\r
+       PrintAndLog("|sec|key A           |key B           |");\r
+       PrintAndLog("|---|----------------|----------------|");\r
+       for (i = 0; i < numSectors; i++) {\r
+               if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {\r
+                       PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);\r
+                       break;\r
+               }\r
+               keyA = bytes_to_num(data, 6);\r
+               keyB = bytes_to_num(data + 10, 6);\r
+               PrintAndLog("|%03d|  %012" PRIx64 "  |  %012" PRIx64 "  |", i, keyA, keyB);\r
+       }\r
+       PrintAndLog("|---|----------------|----------------|");\r
+\r
+       // Create dump file\r
+       if (createDumpFile) {\r
+               FILE *fkeys;\r
+               if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) {\r
+                       PrintAndLog("Could not create file dumpkeys.bin");\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Printing keys to binary file dumpkeys.bin...");\r
+               for(i = 0; i < numSectors; i++) {\r
+                       if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {\r
+                               PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);\r
+                               break;\r
+                       }\r
+                       fwrite(data+6, 1, 6, fkeys);\r
+               }\r
+               for(i = 0; i < numSectors; i++) {\r
+                       if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {\r
+                               PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);\r
+                               break;\r
+                       }\r
+                       fwrite(data+10, 1, 6, fkeys);\r
+               }\r
+               fclose(fkeys);\r
+       }\r
+\r
+       return 0;\r
+}\r
+\r
+\r
+int CmdHF14AMfCSetUID(const char *Cmd)\r
+{\r
+       uint8_t uid[8] = {0x00};\r
+       uint8_t oldUid[8] = {0x00};\r
+       uint8_t atqa[2] = {0x00};\r
+       uint8_t sak[1] = {0x00};\r
+       uint8_t atqaPresent = 0;\r
+       int res;\r
+\r
+       uint8_t needHelp = 0;\r
+       char cmdp = 1;\r
+\r
+       if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {\r
+               PrintAndLog("UID must include 8 HEX symbols");\r
+               return 1;\r
+       }\r
+\r
+       if (param_getlength(Cmd, 1) > 1 && param_getlength(Cmd, 2) >  1) {\r
+               atqaPresent = 1;\r
+               cmdp = 3;\r
+\r
+               if (param_gethex(Cmd, 1, atqa, 4)) {\r
+                       PrintAndLog("ATQA must include 4 HEX symbols");\r
+                       return 1;\r
+               }\r
+\r
+               if (param_gethex(Cmd, 2, sak, 2)) {\r
+                       PrintAndLog("SAK must include 2 HEX symbols");\r
+                       return 1;\r
+               }\r
+       }\r
+\r
+       while(param_getchar(Cmd, cmdp) != 0x00)\r
+       {\r
+               switch(param_getchar(Cmd, cmdp))\r
+               {\r
+               case 'h':\r
+               case 'H':\r
+                       needHelp = 1;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("ERROR: Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       needHelp = 1;\r
+                       break;\r
+               }\r
+               cmdp++;\r
+       }\r
+\r
+       if (strlen(Cmd) < 1 || needHelp) {\r
+               PrintAndLog("");\r
+               PrintAndLog("Usage:  hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols]");\r
+               PrintAndLog("sample:  hf mf csetuid 01020304");\r
+               PrintAndLog("sample:  hf mf csetuid 01020304 0004 08");\r
+               PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");\r
+               return 0;\r
+       }\r
+\r
+       PrintAndLog("uid:%s", sprint_hex(uid, 4));\r
+       if (atqaPresent) {\r
+               PrintAndLog("--atqa:%s sak:%02x", sprint_hex(atqa, 2), sak[0]);\r
+       }\r
+\r
+       res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid);\r
+       if (res) {\r
+                       PrintAndLog("Can't set UID. Error=%d", res);\r
+                       return 1;\r
+               }\r
+\r
+       PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));\r
+       PrintAndLog("new UID:%s", sprint_hex(uid, 4));\r
+       return 0;\r
+}\r
+\r
+int CmdHF14AMfCWipe(const char *Cmd)\r
  {\r
  {\r
-       uint8_t keyType = 0;\r
+       int res, gen = 0;\r
+       int numBlocks = 16 * 4;\r
+       bool wipeCard = false;\r
+       bool fillCard = false;\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
-               PrintAndLog("Usage:  hf mf efill <key A/B>");\r
-               PrintAndLog("sample:  hf mf efill A");\r
-               PrintAndLog("Card data blocks transfers to card emulator memory.");\r
-               PrintAndLog("Keys must be laid in the simulator memory. \n");\r
+               PrintAndLog("Usage:  hf mf cwipe [card size] [w] [f]");\r
+               PrintAndLog("sample:  hf mf cwipe 1 w f");\r
+               PrintAndLog("[card size]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("w - Wipe magic Chinese card (only works with gen:1a cards)");\r
+               PrintAndLog("f - Fill the card with default data and keys (works with gen:1a and gen:1b cards only)");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
  \r
  \r
-       char ctmp = param_getchar(Cmd, 0);\r
-       if (ctmp == 0x00) {\r
-               PrintAndLog("Key type must be A or B");\r
+       gen = mfCIdentify();\r
+       if ((gen != 1) && (gen != 2))\r
                 return 1;\r
                 return 1;\r
-       }\r
-       if (ctmp != 'A' && ctmp != 'a') keyType = 1;\r
  \r
  \r
-  UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {0, keyType, 0}};\r
-  SendCommand(&c);\r
-  return 0;\r
-}\r
+       numBlocks = ParamCardSizeBlocks(param_getchar(Cmd, 0));\r
  \r
  \r
-int CmdHF14AMfEKeyPrn(const char *Cmd)\r
-{\r
-       int i,b=-1;\r
-       uint8_t data[16];\r
-       uint64_t keyA, keyB;\r
-       \r
-       PrintAndLog("|---|----------------|----------------|");\r
-       PrintAndLog("|sec|key A           |key B           |");\r
-       PrintAndLog("|---|----------------|----------------|");\r
-       for (i = 0; i < 40; i++) {\r
-               b<127?(b+=4):(b+=16);\r
-               if (mfEmlGetMem(data, b, 1)) {\r
-                       PrintAndLog("error get block %d", b);\r
+       char cmdp = 0;\r
+       while(param_getchar(Cmd, cmdp) != 0x00){\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'w':\r
+               case 'W':\r
+                       wipeCard = 1;\r
+                       break;\r
+               case 'f':\r
+               case 'F':\r
+                       fillCard = 1;\r
+                       break;\r
+               default:\r
                         break;\r
                 }\r
                         break;\r
                 }\r
-               keyA = bytes_to_num(data, 6);\r
-               keyB = bytes_to_num(data + 10, 6);\r
-               PrintAndLog("|%03d|  %012llx  |  %012llx  |", i, keyA, keyB);\r
+               cmdp++;\r
         }\r
         }\r
-       PrintAndLog("|---|----------------|----------------|");\r
-       \r
-       return 0;\r
-}\r
  \r
  \r
-int CmdHF14AMfCSetUID(const char *Cmd)\r
-{\r
-       uint8_t wipeCard = 0;\r
-       uint8_t uid[8];\r
-       uint8_t oldUid[8];\r
-       int res;\r
+       if (!wipeCard && !fillCard)\r
+               wipeCard = true;\r
  \r
  \r
-       if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
-               PrintAndLog("Usage:  hf mf csetuid <UID 8 hex symbols> <w>");\r
-               PrintAndLog("sample:  hf mf csetuid 01020304 w");\r
-               PrintAndLog("Set UID for magic Chinese card (only works with!!!)");\r
-               PrintAndLog("If you want wipe card then add 'w' into command line. \n");\r
-               return 0;\r
-       }       \r
+       PrintAndLog("--blocks count:%2d wipe:%c fill:%c", numBlocks, (wipeCard)?'y':'n', (fillCard)?'y':'n');\r
  \r
  \r
-       if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {\r
-               PrintAndLog("UID must include 8 HEX symbols");\r
-               return 1;\r
+       if (gen == 2) {\r
+               /* generation 1b magic card */\r
+               if (wipeCard) {\r
+                       PrintAndLog("WARNING: can't wipe magic card 1b generation");\r
+               }\r
+               res = mfCWipe(numBlocks, true, false, fillCard);\r
+       } else {\r
+               /* generation 1a magic card by default */\r
+               res = mfCWipe(numBlocks, false, wipeCard, fillCard);\r
         }\r
  \r
         }\r
  \r
-       char ctmp = param_getchar(Cmd, 1);\r
-       if (ctmp == 'w' || ctmp == 'W') wipeCard = 1;\r
-       \r
-       PrintAndLog("--wipe card:%02x uid:%s", wipeCard, sprint_hex(uid, 4));\r
-\r
-       res = mfCSetUID(uid, oldUid, wipeCard);\r
         if (res) {\r
         if (res) {\r
-                       PrintAndLog("Can't set UID. error=%d", res);\r
-                       return 1;\r
-               }\r
-       \r
-       PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));\r
+               PrintAndLog("Can't wipe. error=%d", res);\r
+               return 1;\r
+       }\r
+       PrintAndLog("OK");\r
         return 0;\r
  }\r
  \r
  int CmdHF14AMfCSetBlk(const char *Cmd)\r
  {\r
         return 0;\r
  }\r
  \r
  int CmdHF14AMfCSetBlk(const char *Cmd)\r
  {\r
-       uint8_t uid[8];\r
-       uint8_t memBlock[16];\r
+       uint8_t memBlock[16] = {0x00};\r
         uint8_t blockNo = 0;\r
         uint8_t blockNo = 0;\r
-       int res;\r
-       memset(memBlock, 0x00, sizeof(memBlock));\r
+       bool wipeCard = false;\r
+       int res, gen = 0;\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
-               PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)>");\r
+               PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)> [w]");\r
                 PrintAndLog("sample:  hf mf csetblk 1 01020304050607080910111213141516");\r
                 PrintAndLog("sample:  hf mf csetblk 1 01020304050607080910111213141516");\r
-               PrintAndLog("Set block data for magic Chinese card (only works with!!!)");\r
-               PrintAndLog("If you want wipe card then add 'w' into command line. \n");\r
+               PrintAndLog("Set block data for magic Chinese card (only works with such cards)");\r
+               PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
  \r
  \r
-       blockNo = param_get8(Cmd, 0);\r
-       if (blockNo >= 32 * 4 + 8 * 16) {\r
-               PrintAndLog("Block number must be in [0..255] as in MIFARE classic.");\r
+       gen = mfCIdentify();\r
+       if ((gen != 1) && (gen != 2))\r
                 return 1;\r
                 return 1;\r
-       }\r
+\r
+       blockNo = param_get8(Cmd, 0);\r
  \r
         if (param_gethex(Cmd, 1, memBlock, 32)) {\r
                 PrintAndLog("block data must include 32 HEX symbols");\r
                 return 1;\r
         }\r
  \r
  \r
         if (param_gethex(Cmd, 1, memBlock, 32)) {\r
                 PrintAndLog("block data must include 32 HEX symbols");\r
                 return 1;\r
         }\r
  \r
-       PrintAndLog("--block number:%02x data:%s", blockNo, sprint_hex(memBlock, 16));\r
+       char ctmp = param_getchar(Cmd, 2);\r
+       wipeCard = (ctmp == 'w' || ctmp == 'W');\r
+       PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));\r
+\r
+       if (gen == 2) {\r
+               /* generation 1b magic card */\r
+               res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B);\r
+       } else {\r
+               /* generation 1a magic card by default */\r
+               res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);\r
+       }\r
  \r
  \r
-       res = mfCSetBlock(blockNo, memBlock, uid, 0, CSETBLOCK_SINGLE_OPER);\r
         if (res) {\r
         if (res) {\r
-                       PrintAndLog("Can't write block. error=%d", res);\r
-                       return 1;\r
-               }\r
-       \r
-       PrintAndLog("UID:%s", sprint_hex(uid, 4));\r
+               PrintAndLog("Can't write block. error=%d", res);\r
+               return 1;\r
+       }\r
         return 0;\r
  }\r
  \r
         return 0;\r
  }\r
  \r
+\r
  int CmdHF14AMfCLoad(const char *Cmd)\r
  {\r
         FILE * f;\r
  int CmdHF14AMfCLoad(const char *Cmd)\r
  {\r
         FILE * f;\r
-       char filename[20];\r
+       char filename[FILE_PATH_SIZE] = {0x00};\r
         char * fnameptr = filename;\r
         char * fnameptr = filename;\r
-       char buf[64];\r
-       uint8_t buf8[64];\r
+       char buf[256] = {0x00};\r
+       uint8_t buf8[256] = {0x00};\r
         uint8_t fillFromEmulator = 0;\r
         uint8_t fillFromEmulator = 0;\r
-       int i, len, blockNum, flags;\r
-       \r
-       memset(filename, 0, sizeof(filename));\r
-       memset(buf, 0, sizeof(buf));\r
+       int i, len, blockNum, flags = 0, gen = 0, numblock = 64;\r
  \r
         if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
  \r
         if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
-               PrintAndLog("It loads magic Chinese card (only works with!!!) from the file `filename.eml`");\r
-               PrintAndLog("or from emulator memory (option `e`)");\r
-               PrintAndLog("Usage:  hf mf cload <file name w/o `.eml`>");\r
-               PrintAndLog("   or:  hf mf cload e ");\r
-               PrintAndLog(" sample: hf mf cload filename");\r
+               PrintAndLog("It loads magic Chinese card from the file `filename.eml`");\r
+               PrintAndLog("or from emulator memory (option `e`). 4K card: (option `4`)");\r
+               PrintAndLog("Usage:  hf mf cload [file name w/o `.eml`][e][4]");\r
+               PrintAndLog("   or:  hf mf cload e [4]");\r
+               PrintAndLog("Sample: hf mf cload filename");\r
+               PrintAndLog("        hf mf cload filname 4");\r
+               PrintAndLog("        hf mf cload e");\r
+               PrintAndLog("        hf mf cload e 4");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
  \r
         char ctmp = param_getchar(Cmd, 0);\r
         if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
  \r
         char ctmp = param_getchar(Cmd, 0);\r
         if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
-       \r
+       ctmp = param_getchar(Cmd, 1);\r
+       if (ctmp == '4') numblock = 256;\r
+\r
+       gen = mfCIdentify();\r
+       PrintAndLog("Loading magic mifare %dK", numblock == 256 ? 4:1);\r
+\r
         if (fillFromEmulator) {\r
         if (fillFromEmulator) {\r
-               flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
-               for (blockNum = 0; blockNum < 16 * 4; blockNum += 1) {\r
+               for (blockNum = 0; blockNum < numblock; blockNum += 1) {\r
                         if (mfEmlGetMem(buf8, blockNum, 1)) {\r
                                 PrintAndLog("Cant get block: %d", blockNum);\r
                                 return 2;\r
                         }\r
                         if (mfEmlGetMem(buf8, blockNum, 1)) {\r
                                 PrintAndLog("Cant get block: %d", blockNum);\r
                                 return 2;\r
                         }\r
-                       \r
-                       if (blockNum == 2) flags = 0;\r
-                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+                       if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;               // switch on field and send magic sequence\r
+                       if (blockNum == 1) flags = 0;                                                   // just write\r
+                       if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;       // Done. Magic Halt and switch off field.\r
  \r
  \r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
                         if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                 PrintAndLog("Cant set magic card block: %d", blockNum);\r
                                 return 3;\r
                         if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                 PrintAndLog("Cant set magic card block: %d", blockNum);\r
                                 return 3;\r
@@ -1335,163 +2263,237 @@ int CmdHF14AMfCLoad(const char *Cmd)
                 }\r
                 return 0;\r
         } else {\r
                 }\r
                 return 0;\r
         } else {\r
-               len = strlen(Cmd);\r
-               if (len > 14) len = 14;\r
+               param_getstr(Cmd, 0, filename, sizeof(filename));\r
+\r
+               len = strlen(filename);\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
  \r
  \r
-               memcpy(filename, Cmd, len);\r
+               //memcpy(filename, Cmd, len);\r
                 fnameptr += len;\r
  \r
                 fnameptr += len;\r
  \r
-               sprintf(fnameptr, ".eml"); \r
-       \r
+               sprintf(fnameptr, ".eml");\r
+\r
                 // open file\r
                 f = fopen(filename, "r");\r
                 if (f == NULL) {\r
                         PrintAndLog("File not found or locked.");\r
                         return 1;\r
                 }\r
                 // open file\r
                 f = fopen(filename, "r");\r
                 if (f == NULL) {\r
                         PrintAndLog("File not found or locked.");\r
                         return 1;\r
                 }\r
-       \r
+\r
                 blockNum = 0;\r
                 blockNum = 0;\r
-               flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
                 while(!feof(f)){\r
                 while(!feof(f)){\r
+\r
                         memset(buf, 0, sizeof(buf));\r
                         memset(buf, 0, sizeof(buf));\r
-                       fgets(buf, sizeof(buf), f);\r
  \r
  \r
-                       if (strlen(buf) < 32){\r
+                       if (fgets(buf, sizeof(buf), f) == NULL) {\r
+                               fclose(f);\r
+                               PrintAndLog("File reading error.");\r
+                               return 2;\r
+                       }\r
+\r
+                       if (strlen(buf) < 32) {\r
                                 if(strlen(buf) && feof(f))\r
                                         break;\r
                                 PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
                                 if(strlen(buf) && feof(f))\r
                                         break;\r
                                 PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
+                               fclose(f);\r
                                 return 2;\r
                         }\r
                         for (i = 0; i < 32; i += 2)\r
                                 sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
  \r
                                 return 2;\r
                         }\r
                         for (i = 0; i < 32; i += 2)\r
                                 sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
  \r
-                       if (blockNum == 2) flags = 0;\r
-                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+                       if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;               // switch on field and send magic sequence\r
+                       if (blockNum == 1) flags = 0;                                                   // just write\r
+                       if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;       // Done. Switch off field.\r
  \r
  \r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
                         if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                         if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
-                               PrintAndLog("Cant set magic card block: %d", blockNum);\r
+                               PrintAndLog("Can't set magic card block: %d", blockNum);\r
+                               fclose(f);\r
                                 return 3;\r
                         }\r
                         blockNum++;\r
                                 return 3;\r
                         }\r
                         blockNum++;\r
-               \r
-                       if (blockNum >= 16 * 4) break;  // magic card type - mifare 1K\r
+\r
+                       if (blockNum >= numblock) break;  // magic card type - mifare 1K 64 blocks, mifare 4k 256 blocks\r
                 }\r
                 fclose(f);\r
                 }\r
                 fclose(f);\r
-       \r
-               if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){\r
-                       PrintAndLog("File content error. There must be 64 blocks");\r
+\r
+               //if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){\r
+               if (blockNum != numblock){\r
+                       PrintAndLog("File content error. There must be %d blocks", numblock);\r
                         return 4;\r
                 }\r
                 PrintAndLog("Loaded from file: %s", filename);\r
                 return 0;\r
         }\r
                         return 4;\r
                 }\r
                 PrintAndLog("Loaded from file: %s", filename);\r
                 return 0;\r
         }\r
+       return 0;\r
  }\r
  \r
  int CmdHF14AMfCGetBlk(const char *Cmd) {\r
         uint8_t memBlock[16];\r
         uint8_t blockNo = 0;\r
  }\r
  \r
  int CmdHF14AMfCGetBlk(const char *Cmd) {\r
         uint8_t memBlock[16];\r
         uint8_t blockNo = 0;\r
-       int res;\r
+       int res, gen = 0;\r
         memset(memBlock, 0x00, sizeof(memBlock));\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("Usage:  hf mf cgetblk <block number>");\r
                 PrintAndLog("sample:  hf mf cgetblk 1");\r
         memset(memBlock, 0x00, sizeof(memBlock));\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("Usage:  hf mf cgetblk <block number>");\r
                 PrintAndLog("sample:  hf mf cgetblk 1");\r
-               PrintAndLog("Get block data from magic Chinese card (only works with!!!)\n");\r
+               PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
+\r
+       gen = mfCIdentify();\r
  \r
         blockNo = param_get8(Cmd, 0);\r
  \r
         blockNo = param_get8(Cmd, 0);\r
-       if (blockNo >= 32 * 4 + 8 * 16) {\r
-               PrintAndLog("Block number must be in [0..255] as in MIFARE classic.");\r
-               return 1;\r
-       }\r
  \r
  \r
-       PrintAndLog("--block number:%02x ", blockNo);\r
+       PrintAndLog("--block number:%2d ", blockNo);\r
  \r
  \r
-       res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);\r
+       if (gen == 2) {\r
+               /* generation 1b magic card */\r
+               res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B);\r
+       } else {\r
+               /* generation 1a magic card by default */\r
+               res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);\r
+       }\r
         if (res) {\r
                         PrintAndLog("Can't read block. error=%d", res);\r
                         return 1;\r
                 }\r
         if (res) {\r
                         PrintAndLog("Can't read block. error=%d", res);\r
                         return 1;\r
                 }\r
-       \r
+\r
         PrintAndLog("block data:%s", sprint_hex(memBlock, 16));\r
         PrintAndLog("block data:%s", sprint_hex(memBlock, 16));\r
+\r
+       if (mfIsSectorTrailer(blockNo)) {\r
+               PrintAndLogEx(NORMAL, "Trailer decoded:");\r
+               PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));\r
+               PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));\r
+               int bln = mfFirstBlockOfSector(mfSectorNum(blockNo));\r
+               int blinc = (mfNumBlocksPerSector(mfSectorNum(blockNo)) > 4) ? 5 : 1;\r
+               for (int i = 0; i < 4; i++) {\r
+                       PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));\r
+                       bln += blinc;\r
+               }\r
+               PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));\r
+       }\r
+\r
         return 0;\r
  }\r
  \r
  int CmdHF14AMfCGetSc(const char *Cmd) {\r
         return 0;\r
  }\r
  \r
  int CmdHF14AMfCGetSc(const char *Cmd) {\r
-       uint8_t memBlock[16];\r
+       uint8_t memBlock[16] = {0x00};\r
         uint8_t sectorNo = 0;\r
         uint8_t sectorNo = 0;\r
-       int i, res, flags;\r
-       memset(memBlock, 0x00, sizeof(memBlock));\r
+       int i, res, flags, gen = 0, baseblock = 0, sect_size = 4;\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("Usage:  hf mf cgetsc <sector number>");\r
                 PrintAndLog("sample:  hf mf cgetsc 0");\r
  \r
         if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("Usage:  hf mf cgetsc <sector number>");\r
                 PrintAndLog("sample:  hf mf cgetsc 0");\r
-               PrintAndLog("Get sector data from magic Chinese card (only works with!!!)\n");\r
+               PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
  \r
         sectorNo = param_get8(Cmd, 0);\r
  \r
         sectorNo = param_get8(Cmd, 0);\r
-       if (sectorNo > 15) {\r
-               PrintAndLog("Sector number must be in [0..15] as in MIFARE classic.");\r
+\r
+       if (sectorNo > 39) {\r
+               PrintAndLog("Sector number must be in [0..15] in MIFARE classic 1k and [0..39] in MIFARE classic 4k.");\r
                 return 1;\r
         }\r
  \r
                 return 1;\r
         }\r
  \r
-       PrintAndLog("--sector number:%02x ", sectorNo);\r
+       PrintAndLog("--sector number:%d ", sectorNo);\r
+\r
+       gen = mfCIdentify();\r
  \r
         flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
  \r
         flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
-       for (i = 0; i < 4; i++) {\r
+       if (sectorNo < 32 ) {\r
+               baseblock = sectorNo * 4;\r
+       } else {\r
+               baseblock = 128 + 16 * (sectorNo - 32);\r
+\r
+       }\r
+       if (sectorNo > 31) sect_size = 16;\r
+\r
+       for (i = 0; i < sect_size; i++) {\r
                 if (i == 1) flags = 0;\r
                 if (i == 1) flags = 0;\r
-               if (i == 3) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+               if (i == sect_size - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
  \r
  \r
-               res = mfCGetBlock(sectorNo * 4 + i, memBlock, flags);\r
+               if (gen == 2)\r
+                       /* generation 1b magic card */\r
+                       flags |= CSETBLOCK_MAGIC_1B;\r
+\r
+               res = mfCGetBlock(baseblock + i, memBlock, flags);\r
                 if (res) {\r
                 if (res) {\r
-                       PrintAndLog("Can't read block. %02x error=%d", sectorNo * 4 + i, res);\r
+                       PrintAndLog("Can't read block. %d error=%d", baseblock + i, res);\r
                         return 1;\r
                 }\r
                         return 1;\r
                 }\r
-       \r
-               PrintAndLog("block %02x data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16));\r
+\r
+               PrintAndLog("block %3d data:%s", baseblock + i, sprint_hex(memBlock, 16));\r
+\r
+               if (mfIsSectorTrailer(baseblock + i)) {\r
+                               PrintAndLogEx(NORMAL, "Trailer decoded:");\r
+                               PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));\r
+                               PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));\r
+                               int bln = baseblock;\r
+                               int blinc = (mfNumBlocksPerSector(sectorNo) > 4) ? 5 : 1;\r
+                               for (int i = 0; i < 4; i++) {\r
+                                               PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));\r
+                                               bln += blinc;\r
+                               }\r
+                               PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));\r
+               }\r
         }\r
         return 0;\r
  }\r
  \r
         }\r
         return 0;\r
  }\r
  \r
+\r
  int CmdHF14AMfCSave(const char *Cmd) {\r
  \r
         FILE * f;\r
  int CmdHF14AMfCSave(const char *Cmd) {\r
  \r
         FILE * f;\r
-       char filename[20];\r
+       char filename[FILE_PATH_SIZE] = {0x00};\r
         char * fnameptr = filename;\r
         uint8_t fillFromEmulator = 0;\r
         char * fnameptr = filename;\r
         uint8_t fillFromEmulator = 0;\r
-       uint8_t buf[64];\r
-       int i, j, len, flags;\r
-       \r
-       memset(filename, 0, sizeof(filename));\r
-       memset(buf, 0, sizeof(buf));\r
+       uint8_t buf[256] = {0x00};\r
+       int i, j, len, flags, gen = 0, numblock = 64;\r
+\r
+       // memset(filename, 0, sizeof(filename));\r
+       // memset(buf, 0, sizeof(buf));\r
  \r
         if (param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");\r
  \r
         if (param_getchar(Cmd, 0) == 'h') {\r
                 PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");\r
-               PrintAndLog("or into emulator memory (option `e`)");\r
-               PrintAndLog("Usage:  hf mf esave [file name w/o `.eml`][e]");\r
-               PrintAndLog(" sample: hf mf esave ");\r
-               PrintAndLog("         hf mf esave filename");\r
-               PrintAndLog("         hf mf esave e \n");\r
+               PrintAndLog("or into emulator memory (option `e`). 4K card: (option `4`)");\r
+               PrintAndLog("Usage:  hf mf csave [file name w/o `.eml`][e][4]");\r
+               PrintAndLog("Sample: hf mf csave ");\r
+               PrintAndLog("        hf mf csave filename");\r
+               PrintAndLog("        hf mf csave e");\r
+               PrintAndLog("        hf mf csave 4");\r
+               PrintAndLog("        hf mf csave filename 4");\r
+               PrintAndLog("        hf mf csave e 4");\r
                 return 0;\r
                 return 0;\r
-       }       \r
+       }\r
  \r
         char ctmp = param_getchar(Cmd, 0);\r
         if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
  \r
         char ctmp = param_getchar(Cmd, 0);\r
         if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
+       if (ctmp == '4') numblock = 256;\r
+       ctmp = param_getchar(Cmd, 1);\r
+       if (ctmp == '4') numblock = 256;\r
+\r
+       gen = mfCIdentify();\r
+       PrintAndLog("Saving magic mifare %dK", numblock == 256 ? 4:1);\r
  \r
         if (fillFromEmulator) {\r
                 // put into emulator\r
                 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
  \r
         if (fillFromEmulator) {\r
                 // put into emulator\r
                 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
-               for (i = 0; i < 16 * 4; i++) {\r
+               for (i = 0; i < numblock; i++) {\r
                         if (i == 1) flags = 0;\r
                         if (i == 1) flags = 0;\r
-                       if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
-               \r
+                       if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+\r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
+\r
                         if (mfCGetBlock(i, buf, flags)) {\r
                                 PrintAndLog("Cant get block: %d", i);\r
                                 break;\r
                         }\r
                         if (mfCGetBlock(i, buf, flags)) {\r
                                 PrintAndLog("Cant get block: %d", i);\r
                                 break;\r
                         }\r
-                       \r
+\r
                         if (mfEmlSetMem(buf, i, 1)) {\r
                                 PrintAndLog("Cant set emul block: %d", i);\r
                                 return 3;\r
                         if (mfEmlSetMem(buf, i, 1)) {\r
                                 PrintAndLog("Cant set emul block: %d", i);\r
                                 return 3;\r
@@ -1499,85 +2501,511 @@ int CmdHF14AMfCSave(const char *Cmd) {
                 }\r
                 return 0;\r
         } else {\r
                 }\r
                 return 0;\r
         } else {\r
-               len = strlen(Cmd);\r
-               if (len > 14) len = 14;\r
-       \r
-               if (len < 1) {\r
+               param_getstr(Cmd, 0, filename, sizeof(filename));\r
+\r
+               len = strlen(filename);\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
+\r
+               ctmp = param_getchar(Cmd, 0);\r
+               if (len < 1 || (ctmp == '4')) {\r
                         // get filename\r
                         // get filename\r
-                       if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {\r
+\r
+                       flags = CSETBLOCK_SINGLE_OPER;\r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
+                       if (mfCGetBlock(0, buf, flags)) {\r
                                 PrintAndLog("Cant get block: %d", 0);\r
                                 PrintAndLog("Cant get block: %d", 0);\r
-                               return 1;\r
+                               len = sprintf(fnameptr, "dump");\r
+                               fnameptr += len;\r
+                       }\r
+                       else {\r
+                               for (j = 0; j < 7; j++, fnameptr += 2)\r
+                                       sprintf(fnameptr, "%02x", buf[j]);\r
                         }\r
                         }\r
-                       for (j = 0; j < 7; j++, fnameptr += 2)\r
-                               sprintf(fnameptr, "%02x", buf[j]); \r
                 } else {\r
                 } else {\r
-                       memcpy(filename, Cmd, len);\r
+                       //memcpy(filename, Cmd, len);\r
                         fnameptr += len;\r
                 }\r
  \r
                         fnameptr += len;\r
                 }\r
  \r
-               sprintf(fnameptr, ".eml"); \r
-       \r
+               sprintf(fnameptr, ".eml");\r
+\r
                 // open file\r
                 f = fopen(filename, "w+");\r
  \r
                 // open file\r
                 f = fopen(filename, "w+");\r
  \r
+               if (f == NULL) {\r
+                       PrintAndLog("File not found or locked.");\r
+                       return 1;\r
+               }\r
+\r
                 // put hex\r
                 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
                 // put hex\r
                 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
-               for (i = 0; i < 16 * 4; i++) {\r
+               for (i = 0; i < numblock; i++) {\r
                         if (i == 1) flags = 0;\r
                         if (i == 1) flags = 0;\r
-                       if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
-               \r
+                       if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+\r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
                         if (mfCGetBlock(i, buf, flags)) {\r
                                 PrintAndLog("Cant get block: %d", i);\r
                                 break;\r
                         }\r
                         for (j = 0; j < 16; j++)\r
                         if (mfCGetBlock(i, buf, flags)) {\r
                                 PrintAndLog("Cant get block: %d", i);\r
                                 break;\r
                         }\r
                         for (j = 0; j < 16; j++)\r
-                               fprintf(f, "%02x", buf[j]); \r
+                               fprintf(f, "%02x", buf[j]);\r
                         fprintf(f,"\n");\r
                 }\r
                 fclose(f);\r
                         fprintf(f,"\n");\r
                 }\r
                 fclose(f);\r
-       \r
+\r
                 PrintAndLog("Saved to file: %s", filename);\r
                 PrintAndLog("Saved to file: %s", filename);\r
-       \r
+\r
+               return 0;\r
+       }\r
+}\r
+\r
+\r
+int CmdHF14AMfSniff(const char *Cmd){\r
+\r
+       bool wantLogToFile = 0;\r
+       bool wantDecrypt = 0;\r
+       //bool wantSaveToEml = 0; TODO\r
+       bool wantSaveToEmlFile = 0;\r
+\r
+       //var\r
+       int res = 0;\r
+       int len = 0;\r
+       int parlen = 0;\r
+       int blockLen = 0;\r
+       int pckNum = 0;\r
+       int num = 0;\r
+       uint8_t uid[7];\r
+       uint8_t uid_len;\r
+       uint8_t atqa[2] = {0x00};\r
+       uint8_t sak;\r
+       bool isTag;\r
+       uint8_t *buf = NULL;\r
+       uint16_t bufsize = 0;\r
+       uint8_t *bufPtr = NULL;\r
+       uint8_t parity[16];\r
+\r
+       char ctmp = param_getchar(Cmd, 0);\r
+       if ( ctmp == 'h' || ctmp == 'H' ) {\r
+               PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");\r
+               PrintAndLog("You can specify:");\r
+               PrintAndLog("    l - save encrypted sequence to logfile `uid.log`");\r
+               PrintAndLog("    d - decrypt sequence and put it to log file `uid.log`");\r
+               PrintAndLog(" n/a   e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory");\r
+               PrintAndLog("    f - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");\r
+               PrintAndLog("Usage:  hf mf sniff [l][d][e][f]");\r
+               PrintAndLog("  sample: hf mf sniff l d e");\r
                 return 0;\r
         }\r
                 return 0;\r
         }\r
+\r
+       for (int i = 0; i < 4; i++) {\r
+               ctmp = param_getchar(Cmd, i);\r
+               if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;\r
+               if (ctmp == 'd' || ctmp == 'D') wantDecrypt = true;\r
+               //if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true; TODO\r
+               if (ctmp == 'f' || ctmp == 'F') wantSaveToEmlFile = true;\r
+       }\r
+\r
+       printf("-------------------------------------------------------------------------\n");\r
+       printf("Executing command. \n");\r
+       printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+       printf("Press the key on pc keyboard to abort the client.\n");\r
+       printf("-------------------------------------------------------------------------\n");\r
+\r
+       UsbCommand c = {CMD_MIFARE_SNIFFER, {0, 0, 0}};\r
+       clearCommandBuffer();\r
+       SendCommand(&c);\r
+\r
+       // wait cycle\r
+       while (true) {\r
+               printf(".");\r
+               fflush(stdout);\r
+               if (ukbhit()) {\r
+                       getchar();\r
+                       printf("\naborted via keyboard!\n");\r
+                       break;\r
+               }\r
+\r
+               UsbCommand resp;\r
+               if (WaitForResponseTimeoutW(CMD_ACK, &resp, 2000, false)) {\r
+                       res = resp.arg[0] & 0xff;\r
+                       uint16_t traceLen = resp.arg[1];\r
+                       len = resp.arg[2];\r
+\r
+                       if (res == 0) {                             // we are done\r
+                               break;\r
+                       }\r
+\r
+                       if (res == 1) {                             // there is (more) data to be transferred\r
+                               if (pckNum == 0) {                      // first packet, (re)allocate necessary buffer\r
+                                       if (traceLen > bufsize || buf == NULL) {\r
+                                               uint8_t *p;\r
+                                               if (buf == NULL) {              // not yet allocated\r
+                                                       p = malloc(traceLen);\r
+                                               } else {                        // need more memory\r
+                                                       p = realloc(buf, traceLen);\r
+                                               }\r
+                                               if (p == NULL) {\r
+                                                       PrintAndLog("Cannot allocate memory for trace");\r
+                                                       free(buf);\r
+                                                       return 2;\r
+                                               }\r
+                                               buf = p;\r
+                                       }\r
+                                       bufPtr = buf;\r
+                                       bufsize = traceLen;\r
+                                       memset(buf, 0x00, traceLen);\r
+                               }\r
+                               memcpy(bufPtr, resp.d.asBytes, len);\r
+                               bufPtr += len;\r
+                               pckNum++;\r
+                       }\r
+\r
+                       if (res == 2) {                             // received all data, start displaying\r
+                               blockLen = bufPtr - buf;\r
+                               bufPtr = buf;\r
+                               printf(">\n");\r
+                               PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);\r
+                               while (bufPtr - buf < blockLen) {\r
+                                       bufPtr += 6;                        // skip (void) timing information\r
+                                       len = *((uint16_t *)bufPtr);\r
+                                       if(len & 0x8000) {\r
+                                               isTag = true;\r
+                                               len &= 0x7fff;\r
+                                       } else {\r
+                                               isTag = false;\r
+                                       }\r
+                                       parlen = (len - 1) / 8 + 1;\r
+                                       bufPtr += 2;\r
+                                       if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {\r
+                                               memcpy(uid, bufPtr + 2, 7);\r
+                                               memcpy(atqa, bufPtr + 2 + 7, 2);\r
+                                               uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;\r
+                                               sak = bufPtr[11];\r
+                                               PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x",\r
+                                                       sprint_hex(uid + (7 - uid_len), uid_len),\r
+                                                       atqa[1],\r
+                                                       atqa[0],\r
+                                                       sak);\r
+                                               if (wantLogToFile || wantDecrypt) {\r
+                                                       FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);\r
+                                                       AddLogCurrentDT(logHexFileName);\r
+                                               }\r
+                                               if (wantDecrypt)\r
+                                                       mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
+                                       } else {\r
+                                               oddparitybuf(bufPtr, len, parity);\r
+                                               PrintAndLog("%s(%d):%s [%s] c[%s]%c",\r
+                                                       isTag ? "TAG":"RDR",\r
+                                                       num,\r
+                                                       sprint_hex(bufPtr, len),\r
+                                                       printBitsPar(bufPtr + len, len),\r
+                                                       printBitsPar(parity, len),\r
+                                                       memcmp(bufPtr + len, parity, len / 8 + 1) ? '!' : ' ');\r
+                                               if (wantLogToFile)\r
+                                                       AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
+                                               if (wantDecrypt)\r
+                                                       mfTraceDecode(bufPtr, len, bufPtr[len], wantSaveToEmlFile);\r
+                                               num++;\r
+                                       }\r
+                                       bufPtr += len;\r
+                                       bufPtr += parlen;   // ignore parity\r
+                               }\r
+                               pckNum = 0;\r
+                       }\r
+               } // resp not NULL\r
+       } // while (true)\r
+\r
+       free(buf);\r
+\r
+       msleep(300); // wait for exiting arm side.\r
+       PrintAndLog("Done.");\r
+       return 0;\r
+}\r
+\r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+       uint8_t data[50];\r
+       int len = 100;\r
+       param_gethex_ex(Cmd, 3, data, &len);\r
+       return tryDecryptWord(param_get32ex(Cmd, 0, 0, 16), param_get32ex(Cmd, 1, 0, 16), param_get32ex(Cmd, 2, 0, 16), data, len/2);\r
+}\r
+\r
+int CmdHF14AMfAuth4(const char *cmd) {\r
+       uint8_t keyn[20] = {0};\r
+       int keynlen = 0;\r
+       uint8_t key[16] = {0};\r
+       int keylen = 0;\r
+\r
+       CLIParserInit("hf mf auth4",\r
+               "Executes AES authentication command in ISO14443-4",\r
+               "Usage:\n\thf mf auth4 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"\r
+                       "\thf mf auth4 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication\n");\r
+\r
+       void* argtable[] = {\r
+               arg_param_begin,\r
+               arg_str1(NULL,  NULL,     "<Key Num (HEX 2 bytes)>", NULL),\r
+               arg_str1(NULL,  NULL,     "<Key Value (HEX 16 bytes)>", NULL),\r
+               arg_param_end\r
+       };\r
+       CLIExecWithReturn(cmd, argtable, true);\r
+\r
+       CLIGetHexWithReturn(1, keyn, &keynlen);\r
+       CLIGetHexWithReturn(2, key, &keylen);\r
+       CLIParserFree();\r
+\r
+       if (keynlen != 2) {\r
+               PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);\r
+               return 1;\r
+       }\r
+\r
+       if (keylen != 16) {\r
+               PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);\r
+               return 1;\r
+       }\r
+\r
+       return MifareAuth4(NULL, keyn, key, true, false, true);\r
+}\r
+\r
+// https://www.nxp.com/docs/en/application-note/AN10787.pdf\r
+int CmdHF14AMfMAD(const char *cmd) {\r
+\r
+       CLIParserInit("hf mf mad",\r
+                                 "Checks and prints Mifare Application Directory (MAD)",\r
+                                 "Usage:\n\thf mf mad -> shows MAD if exists\n"\r
+                                 "\thf mf mad -a 03e1 -k ffffffffffff -b -> shows NDEF data if exists. read card with custom key and key B\n");\r
+\r
+       void *argtable[] = {\r
+               arg_param_begin,\r
+               arg_lit0("vV",  "verbose",  "show technical data"),\r
+               arg_str0("aA",  "aid",      "print all sectors with aid", NULL),\r
+               arg_str0("kK",  "key",      "key for printing sectors", NULL),\r
+               arg_lit0("bB",  "keyb",     "use key B for access printing sectors (by default: key A)"),\r
+               arg_param_end\r
+       };\r
+       CLIExecWithReturn(cmd, argtable, true);\r
+       bool verbose = arg_get_lit(1);\r
+       uint8_t aid[2] = {0};\r
+       int aidlen;\r
+       CLIGetHexWithReturn(2, aid, &aidlen);\r
+       uint8_t key[6] = {0};\r
+       int keylen;\r
+       CLIGetHexWithReturn(3, key, &keylen);\r
+       bool keyB = arg_get_lit(4);\r
+\r
+       CLIParserFree();\r
+\r
+       if (aidlen != 2 && keylen > 0) {\r
+               PrintAndLogEx(WARNING, "do not need a key without aid.");\r
+       }\r
+\r
+       uint8_t sector0[16 * 4] = {0};\r
+       uint8_t sector10[16 * 4] = {0};\r
+       if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {\r
+               PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");\r
+               return 2;\r
+       }\r
+\r
+       if (verbose) {\r
+               for (int i = 0; i < 4; i ++)\r
+                       PrintAndLogEx(NORMAL, "[%d] %s", i, sprint_hex(&sector0[i * 16], 16));\r
+       }\r
+\r
+       bool haveMAD2 = false;\r
+       MAD1DecodeAndPrint(sector0, verbose, &haveMAD2);\r
+\r
+       if (haveMAD2) {\r
+               if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {\r
+                       PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");\r
+                       return 2;\r
+               }\r
+\r
+               MAD2DecodeAndPrint(sector10, verbose);\r
+       }\r
+\r
+       if (aidlen == 2) {\r
+               uint16_t aaid = (aid[0] << 8) + aid[1];\r
+               PrintAndLogEx(NORMAL, "\n-------------- AID 0x%04x ---------------", aaid);\r
+\r
+               uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};\r
+               size_t madlen = 0;\r
+               if (MADDecode(sector0, sector10, mad, &madlen)) {\r
+                       PrintAndLogEx(ERR, "can't decode mad.");\r
+                       return 10;\r
+               }\r
+\r
+               uint8_t akey[6] = {0};\r
+               memcpy(akey, g_mifare_ndef_key, 6);\r
+               if (keylen == 6) {\r
+                       memcpy(akey, key, 6);\r
+               }\r
+\r
+               for (int i = 0; i < madlen; i++) {\r
+                       if (aaid == mad[i]) {\r
+                               uint8_t vsector[16 * 4] = {0};\r
+                               if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, akey, vsector)) {\r
+                                       PrintAndLogEx(NORMAL, "");\r
+                                       PrintAndLogEx(ERR, "read sector %d error.", i + 1);\r
+                                       return 2;\r
+                               }\r
+\r
+                               for (int j = 0; j < (verbose ? 4 : 3); j ++)\r
+                                       PrintAndLogEx(NORMAL, " [%03d] %s", (i + 1) * 4 + j, sprint_hex(&vsector[j * 16], 16));\r
+                       }\r
+               }\r
+       }\r
+\r
+       return 0;\r
+}\r
+\r
+int CmdHFMFNDEF(const char *cmd) {\r
+\r
+       CLIParserInit("hf mf ndef",\r
+                                 "Prints NFC Data Exchange Format (NDEF)",\r
+                                 "Usage:\n\thf mf ndef -> shows NDEF data\n"\r
+                                 "\thf mf ndef -a 03e1 -k ffffffffffff -b -> shows NDEF data with custom AID, key and with key B\n");\r
+\r
+       void *argtable[] = {\r
+               arg_param_begin,\r
+               arg_litn("vV",  "verbose",  0, 2, "show technical data"),\r
+               arg_str0("aA",  "aid",      "replace default aid for NDEF", NULL),\r
+               arg_str0("kK",  "key",      "replace default key for NDEF", NULL),\r
+               arg_lit0("bB",  "keyb",     "use key B for access sectors (by default: key A)"),\r
+               arg_param_end\r
+       };\r
+       CLIExecWithReturn(cmd, argtable, true);\r
+\r
+       bool verbose = arg_get_lit(1);\r
+       bool verbose2 = arg_get_lit(1) > 1;\r
+       uint8_t aid[2] = {0};\r
+       int aidlen;\r
+       CLIGetHexWithReturn(2, aid, &aidlen);\r
+       uint8_t key[6] = {0};\r
+       int keylen;\r
+       CLIGetHexWithReturn(3, key, &keylen);\r
+       bool keyB = arg_get_lit(4);\r
+\r
+       CLIParserFree();\r
+\r
+       uint16_t ndefAID = 0x03e1;\r
+       if (aidlen == 2)\r
+               ndefAID = (aid[0] << 8) + aid[1];\r
+\r
+       uint8_t ndefkey[6] = {0};\r
+       memcpy(ndefkey, g_mifare_ndef_key, 6);\r
+       if (keylen == 6) {\r
+               memcpy(ndefkey, key, 6);\r
+       }\r
+\r
+       uint8_t sector0[16 * 4] = {0};\r
+       uint8_t sector10[16 * 4] = {0};\r
+       uint8_t data[4096] = {0};\r
+       int datalen = 0;\r
+\r
+       PrintAndLogEx(NORMAL, "");\r
+\r
+       if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {\r
+               PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");\r
+               return 2;\r
+       }\r
+\r
+       bool haveMAD2 = false;\r
+       int res = MADCheck(sector0, NULL, verbose, &haveMAD2);\r
+       if (res) {\r
+               PrintAndLogEx(ERR, "MAD error %d.", res);\r
+               return res;\r
+       }\r
+\r
+       if (haveMAD2) {\r
+               if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {\r
+                       PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");\r
+                       return 2;\r
+               }\r
+       }\r
+\r
+       uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};\r
+       size_t madlen = 0;\r
+       if (MADDecode(sector0, (haveMAD2 ? sector10 : NULL), mad, &madlen)) {\r
+               PrintAndLogEx(ERR, "can't decode mad.");\r
+               return 10;\r
+       }\r
+\r
+       printf("data reading:");\r
+       for (int i = 0; i < madlen; i++) {\r
+               if (ndefAID == mad[i]) {\r
+                       uint8_t vsector[16 * 4] = {0};\r
+                       if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, ndefkey, vsector)) {\r
+                               PrintAndLogEx(ERR, "read sector %d error.", i + 1);\r
+                               return 2;\r
+                       }\r
+\r
+                       memcpy(&data[datalen], vsector, 16 * 3);\r
+                       datalen += 16 * 3;\r
+\r
+                       printf(".");\r
+               }\r
+       }\r
+       printf(" OK\n");\r
+\r
+       if (!datalen) {\r
+               PrintAndLogEx(ERR, "no NDEF data.");\r
+               return 11;\r
+       }\r
+\r
+       if (verbose2) {\r
+               PrintAndLogEx(NORMAL, "NDEF data:");\r
+               dump_buffer(data, datalen, stdout, 1);\r
+       }\r
+\r
+       NDEFDecodeAndPrint(data, datalen, verbose);\r
+\r
+       return 0;\r
  }\r
  \r
  static command_t CommandTable[] =\r
  {\r
  }\r
  \r
  static command_t CommandTable[] =\r
  {\r
-  {"help",             CmdHelp,                                                1, "This help"},\r
-  {"dbg",                      CmdHF14AMfDbg,                  0, "Set default debug mode"},\r
-  {"rdbl",             CmdHF14AMfRdBl,                 0, "Read MIFARE classic block"},\r
-  {"rdsc",             CmdHF14AMfRdSc,                 0, "Read MIFARE classic sector"},\r
-  {"dump",             CmdHF14AMfDump,                 0, "Dump MIFARE classic tag to binary file"},\r
-  {"restore",  CmdHF14AMfRestore,      0, "Restore MIFARE classic binary file to BLANK tag"},\r
-  {"wrbl",             CmdHF14AMfWrBl,                 0, "Write MIFARE classic block"},\r
-  {"chk",                      CmdHF14AMfChk,                  0, "Test block keys"},\r
-  {"mifare",   CmdHF14AMifare,                 0, "Read parity error messages. param - <used card nonce>"},\r
-  {"nested",   CmdHF14AMfNested,               0, "Test nested authentication"},\r
-  {"sim",                      CmdHF14AMf1kSim,                0, "Simulate MIFARE card"},\r
-  {"eclr",             CmdHF14AMfEClear,               0, "Clear simulator memory block"},\r
-  {"eget",             CmdHF14AMfEGet,                 0, "Get simulator memory block"},\r
-  {"eset",             CmdHF14AMfESet,                 0, "Set simulator memory block"},\r
-  {"eload",            CmdHF14AMfELoad,                0, "Load from file emul dump"},\r
-  {"esave",            CmdHF14AMfESave,                0, "Save to file emul dump"},\r
-  {"ecfill",   CmdHF14AMfECFill,               0, "Fill simulator memory with help of keys from simulator"},\r
-  {"ekeyprn",  CmdHF14AMfEKeyPrn,      0, "Print keys from simulator memory"},\r
-  {"csetuid",  CmdHF14AMfCSetUID,      0, "Set UID for magic Chinese card"},\r
-  {"csetblk",  CmdHF14AMfCSetBlk,      0, "Write block into magic Chinese card"},\r
-  {"cgetblk",  CmdHF14AMfCGetBlk,      0, "Read block from magic Chinese card"},\r
-  {"cgetsc",   CmdHF14AMfCGetSc,               0, "Read sector from magic Chinese card"},\r
-  {"cload",            CmdHF14AMfCLoad,                0, "Load dump into magic Chinese card"},\r
-  {"csave",            CmdHF14AMfCSave,                0, "Save dump from magic Chinese card into file or emulator"},\r
-  {NULL, NULL, 0, NULL}\r
+  {"help",             CmdHelp,                 1, "This help"},\r
+  {"dbg",              CmdHF14AMfDbg,           0, "Set default debug mode"},\r
+  {"rdbl",             CmdHF14AMfRdBl,          0, "Read MIFARE classic block"},\r
+  {"rdsc",             CmdHF14AMfRdSc,          0, "Read MIFARE classic sector"},\r
+  {"dump",             CmdHF14AMfDump,          0, "Dump MIFARE classic tag to binary file"},\r
+  {"restore",          CmdHF14AMfRestore,       0, "Restore MIFARE classic binary file to BLANK tag"},\r
+  {"wrbl",             CmdHF14AMfWrBl,          0, "Write MIFARE classic block"},\r
+  {"auth4",            CmdHF14AMfAuth4,         0, "ISO14443-4 AES authentication"},\r
+  {"chk",              CmdHF14AMfChk,           0, "Test block keys"},\r
+  {"mifare",           CmdHF14AMifare,          0, "Read parity error messages."},\r
+  {"hardnested",       CmdHF14AMfNestedHard,    0, "Nested attack for hardened Mifare cards"},\r
+  {"nested",           CmdHF14AMfNested,        0, "Test nested authentication"},\r
+  {"sniff",            CmdHF14AMfSniff,         0, "Sniff card-reader communication"},\r
+  {"sim",              CmdHF14AMfSim,           0, "Simulate MIFARE card"},\r
+  {"eclr",             CmdHF14AMfEClear,        0, "Clear simulator memory"},\r
+  {"eget",             CmdHF14AMfEGet,          0, "Get simulator memory block"},\r
+  {"eset",             CmdHF14AMfESet,          0, "Set simulator memory block"},\r
+  {"eload",            CmdHF14AMfELoad,         0, "Load from file emul dump"},\r
+  {"esave",            CmdHF14AMfESave,         0, "Save to file emul dump"},\r
+  {"ecfill",           CmdHF14AMfECFill,        0, "Fill simulator memory with help of keys from simulator"},\r
+  {"ekeyprn",          CmdHF14AMfEKeyPrn,       0, "Print keys from simulator memory"},\r
+  {"cwipe",            CmdHF14AMfCWipe,         0, "Wipe magic Chinese card"},\r
+  {"csetuid",          CmdHF14AMfCSetUID,       0, "Set UID for magic Chinese card"},\r
+  {"csetblk",          CmdHF14AMfCSetBlk,       0, "Write block - Magic Chinese card"},\r
+  {"cgetblk",          CmdHF14AMfCGetBlk,       0, "Read block - Magic Chinese card"},\r
+  {"cgetsc",           CmdHF14AMfCGetSc,        0, "Read sector - Magic Chinese card"},\r
+  {"cload",            CmdHF14AMfCLoad,         0, "Load dump into magic Chinese card"},\r
+  {"csave",            CmdHF14AMfCSave,         0, "Save dump from magic Chinese card into file or emulator"},\r
+  {"decrypt",          CmdDecryptTraceCmds,     1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
+  {"mad",              CmdHF14AMfMAD,           0, "Checks and prints MAD"},\r
+  {"ndef",             CmdHFMFNDEF,             0, "Prints NDEF records from card"},\r
+  {NULL,               NULL,                    0, NULL}\r
  };\r
  \r
  int CmdHFMF(const char *Cmd)\r
  {\r
  };\r
  \r
  int CmdHFMF(const char *Cmd)\r
  {\r
-       // flush\r
-       while (WaitForResponseTimeout(CMD_ACK, 500) != NULL) ;\r
-\r
-  CmdsParse(CommandTable, Cmd);\r
-  return 0;\r
+       (void)WaitForResponseTimeout(CMD_ACK,NULL,100);\r
+       CmdsParse(CommandTable, Cmd);\r
+       return 0;\r
  }\r
  \r
  int CmdHelp(const char *Cmd)\r
  }\r
  \r
  int CmdHelp(const char *Cmd)\r