]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ADD: a script to dump a specific type of Mifare Mini tags.
[proxmark3-svn] / armsrc / iso14443a.c
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index b1d3690f768968ef390d0e77aabbaa670194331f..200e31f25ee1a2991067948232bb8a11138d3648 100644 (file)
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -15,17 +15,13 @@
 #include "util.h"
 #include "string.h"
 #include "cmd.h"
 #include "util.h"
 #include "string.h"
 #include "cmd.h"
-
 #include "iso14443crc.h"
 #include "iso14443a.h"
 #include "crapto1.h"
 #include "mifareutil.h"
 #include "iso14443crc.h"
 #include "iso14443a.h"
 #include "crapto1.h"
 #include "mifareutil.h"
-
+#include "BigBuf.h"
 static uint32_t iso14a_timeout;
 static uint32_t iso14a_timeout;
-uint8_t *trace = (uint8_t *) BigBuf+TRACE_OFFSET;
 int rsamples = 0;
 int rsamples = 0;
-int traceLen = 0;
-int tracing = TRUE;
 uint8_t trigger = 0;
 // the block number for the ISO14443-4 PCB
 static uint8_t iso14_pcb_blocknum = 0;
 uint8_t trigger = 0;
 // the block number for the ISO14443-4 PCB
 static uint8_t iso14_pcb_blocknum = 0;
@@ -149,19 +145,35 @@ void iso14a_set_trigger(bool enable) {
        trigger = enable;
 }
 
        trigger = enable;
 }
 
-void iso14a_clear_trace() {
-       memset(trace, 0x44, TRACE_SIZE);
-       traceLen = 0;
-}
-
-void iso14a_set_tracing(bool enable) {
-       tracing = enable;
-}
 
 void iso14a_set_timeout(uint32_t timeout) {
        iso14a_timeout = timeout;
 
 void iso14a_set_timeout(uint32_t timeout) {
        iso14a_timeout = timeout;
+       if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
+}
+
+
+void iso14a_set_ATS_timeout(uint8_t *ats) {
+
+       uint8_t tb1;
+       uint8_t fwi; 
+       uint32_t fwt;
+       
+       if (ats[0] > 1) {                                                       // there is a format byte T0
+               if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
+                       if ((ats[1] & 0x10) == 0x10) {          // there is an interface byte TA(1) preceding TB(1)
+                               tb1 = ats[3];
+                       } else {
+                               tb1 = ats[2];
+                       }
+                       fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
+                       fwt = 256 * 16 * (1 << fwi);            // frame waiting time (FWT) in 1/fc
+                       
+                       iso14a_set_timeout(fwt/(8*16));
+               }
+       }
 }
 
 }
 
+
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
@@ -200,61 +212,12 @@ void AppendCrc14443a(uint8_t* data, int len)
        ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
 }
 
        ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
 }
 
-// The function LogTrace() is also used by the iClass implementation in iClass.c
-bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag)
+void AppendCrc14443b(uint8_t* data, int len)
 {
 {
-       if (!tracing) return FALSE;
-       
-       uint16_t num_paritybytes = (iLen-1)/8 + 1;      // number of valid paritybytes in *parity
-       uint16_t duration = timestamp_end - timestamp_start;
-
-       // Return when trace is full
-       if (traceLen + sizeof(iLen) + sizeof(timestamp_start) + sizeof(duration) + num_paritybytes + iLen >= TRACE_SIZE) {
-               tracing = FALSE;        // don't trace any more
-               return FALSE;
-       }
-       
-       // Traceformat:
-       // 32 bits timestamp (little endian)
-       // 16 bits duration (little endian)
-       // 16 bits data length (little endian, Highest Bit used as readerToTag flag)
-       // y Bytes data
-       // x Bytes parity (one byte per 8 bytes data)
-       
-       // timestamp (start)
-       trace[traceLen++] = ((timestamp_start >> 0) & 0xff);
-       trace[traceLen++] = ((timestamp_start >> 8) & 0xff);
-       trace[traceLen++] = ((timestamp_start >> 16) & 0xff);
-       trace[traceLen++] = ((timestamp_start >> 24) & 0xff);
-       
-       // duration
-       trace[traceLen++] = ((duration >> 0) & 0xff);
-       trace[traceLen++] = ((duration >> 8) & 0xff);
-
-       // data length
-       trace[traceLen++] = ((iLen >> 0) & 0xff);
-       trace[traceLen++] = ((iLen >> 8) & 0xff);
-
-       // readerToTag flag
-       if (!readerToTag) {
-               trace[traceLen - 1] |= 0x80;
-       }
-
-       // data bytes
-       if (btBytes != NULL && iLen != 0) {
-               memcpy(trace + traceLen, btBytes, iLen);
-       }
-       traceLen += iLen;
-
-       // parity bytes
-       if (parity != NULL && iLen != 0) {
-               memcpy(trace + traceLen, parity, num_paritybytes);
-       }
-       traceLen += num_paritybytes;
-
-       return TRUE;
+       ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
 }
 
 }
 
+
 //=============================================================================
 // ISO 14443 Type A - Miller decoder
 //=============================================================================
 //=============================================================================
 // ISO 14443 Type A - Miller decoder
 //=============================================================================
@@ -274,13 +237,17 @@ bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_
 static tUart Uart;
 
 // Lookup-Table to decide if 4 raw bits are a modulation.
 static tUart Uart;
 
 // Lookup-Table to decide if 4 raw bits are a modulation.
-// We accept two or three consecutive "0" in any position with the rest "1"
+// We accept the following:
+// 0001  -   a 3 tick wide pause
+// 0011  -   a 2 tick wide pause, or a three tick wide pause shifted left
+// 0111  -   a 2 tick wide pause shifted left
+// 1001  -   a 2 tick wide pause shifted right
 const bool Mod_Miller_LUT[] = {
 const bool Mod_Miller_LUT[] = {
-       TRUE,  TRUE,  FALSE, TRUE,  FALSE, FALSE, FALSE, FALSE,
-       TRUE,  TRUE,  FALSE, FALSE, TRUE,  FALSE, FALSE, FALSE
+       FALSE,  TRUE, FALSE, TRUE,  FALSE, FALSE, FALSE, TRUE,
+       FALSE,  TRUE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE
 };
 };
-#define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x00F0) >> 4])
-#define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x000F)])
+#define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
+#define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
 
 void UartReset()
 {
 
 void UartReset()
 {
@@ -290,16 +257,19 @@ void UartReset()
        Uart.parityLen = 0;                                     // number of decoded parity bytes
        Uart.shiftReg = 0;                                      // shiftreg to hold decoded data bits
        Uart.parityBits = 0;                            // holds 8 parity bits
        Uart.parityLen = 0;                                     // number of decoded parity bytes
        Uart.shiftReg = 0;                                      // shiftreg to hold decoded data bits
        Uart.parityBits = 0;                            // holds 8 parity bits
-       Uart.twoBits = 0x0000;                          // buffer for 2 Bits
-       Uart.highCnt = 0;
        Uart.startTime = 0;
        Uart.endTime = 0;
        Uart.startTime = 0;
        Uart.endTime = 0;
+       
+       Uart.byteCntMax = 0;
+       Uart.posCnt = 0;
+       Uart.syncBit = 9999;
 }
 
 void UartInit(uint8_t *data, uint8_t *parity)
 {
        Uart.output = data;
        Uart.parity = parity;
 }
 
 void UartInit(uint8_t *data, uint8_t *parity)
 {
        Uart.output = data;
        Uart.parity = parity;
+       Uart.fourBits = 0x00000000;                     // clear the buffer for 4 Bits
        UartReset();
 }
 
        UartReset();
 }
 
@@ -307,44 +277,48 @@ void UartInit(uint8_t *data, uint8_t *parity)
 static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
 {
 
 static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
 {
 
-       Uart.twoBits = (Uart.twoBits << 8) | bit;
+       Uart.fourBits = (Uart.fourBits << 8) | bit;
        
        
-       if (Uart.state == STATE_UNSYNCD) {                                                                                              // not yet synced
-               if (Uart.highCnt < 7) {                                                                                                 // wait for a stable unmodulated signal
-                       if (Uart.twoBits == 0xffff) {
-                               Uart.highCnt++;
-                       } else {
-                               Uart.highCnt = 0;
-                       }
-               } else {        
-                       Uart.syncBit = 0xFFFF; // not set
-                       // look for 00xx1111 (the start bit)
-                       if              ((Uart.twoBits & 0x6780) == 0x0780) Uart.syncBit = 7; 
-                       else if ((Uart.twoBits & 0x33C0) == 0x03C0) Uart.syncBit = 6;
-                       else if ((Uart.twoBits & 0x19E0) == 0x01E0) Uart.syncBit = 5;
-                       else if ((Uart.twoBits & 0x0CF0) == 0x00F0) Uart.syncBit = 4;
-                       else if ((Uart.twoBits & 0x0678) == 0x0078) Uart.syncBit = 3;
-                       else if ((Uart.twoBits & 0x033C) == 0x003C) Uart.syncBit = 2;
-                       else if ((Uart.twoBits & 0x019E) == 0x001E) Uart.syncBit = 1;
-                       else if ((Uart.twoBits & 0x00CF) == 0x000F) Uart.syncBit = 0;
-                       if (Uart.syncBit != 0xFFFF) {
+       if (Uart.state == STATE_UNSYNCD) {                                                                                      // not yet synced
+       
+               Uart.syncBit = 9999;                                                                                                    // not set
+               
+               // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated           Sequence Z (a "0" or "start of communication")
+               // 11111111 8 ticks unmodulation                                                                        Sequence Y (a "0" or "end of communication" or "no information")
+               // 111100x1 4 ticks unmodulated followed by 2|3 ticks pause                     Sequence X (a "1")
+
+               // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
+               // Sequence X followed by Sequence Y followed by Sequence Z     (111100x1 11111111 00x11111)
+               // we therefore look for a ...xx1111 11111111 00x11111xxxxxx... pattern 
+               // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
+               //
+#define ISO14443A_STARTBIT_MASK                0x07FFEF80              // mask is    00001111 11111111 1110 1111 10000000
+#define ISO14443A_STARTBIT_PATTERN     0x07FF8F80              // pattern is 00001111 11111111 1000 1111 10000000
+
+               if              ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 0)) == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 1)) == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 2)) == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 3)) == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 4)) == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 5)) == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 6)) == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
+
+               if (Uart.syncBit != 9999) {                                                                                             // found a sync bit
                                Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
                                Uart.startTime -= Uart.syncBit;
                                Uart.endTime = Uart.startTime;
                                Uart.state = STATE_START_OF_COMMUNICATION;
                        }
                                Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
                                Uart.startTime -= Uart.syncBit;
                                Uart.endTime = Uart.startTime;
                                Uart.state = STATE_START_OF_COMMUNICATION;
                        }
-               }
 
        } else {
 
 
        } else {
 
-               if (IsMillerModulationNibble1(Uart.twoBits >> Uart.syncBit)) {                  
-                       if (IsMillerModulationNibble2(Uart.twoBits >> Uart.syncBit)) {          // Modulation in both halves - error
+               if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {                 
+                       if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) {         // Modulation in both halves - error
                                UartReset();
                                UartReset();
-                               Uart.highCnt = 6;
                        } else {                                                                                                                        // Modulation in first half = Sequence Z = logic "0"
                                if (Uart.state == STATE_MILLER_X) {                                                             // error - must not follow after X
                                        UartReset();
                        } else {                                                                                                                        // Modulation in first half = Sequence Z = logic "0"
                                if (Uart.state == STATE_MILLER_X) {                                                             // error - must not follow after X
                                        UartReset();
-                                       Uart.highCnt = 6;
                                } else {
                                        Uart.bitCount++;
                                        Uart.shiftReg = (Uart.shiftReg >> 1);                                           // add a 0 to the shiftreg
                                } else {
                                        Uart.bitCount++;
                                        Uart.shiftReg = (Uart.shiftReg >> 1);                                           // add a 0 to the shiftreg
@@ -364,7 +338,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
                                }
                        }
                } else {
                                }
                        }
                } else {
-                       if (IsMillerModulationNibble2(Uart.twoBits >> Uart.syncBit)) {          // Modulation second half = Sequence X = logic "1"
+                       if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) {         // Modulation second half = Sequence X = logic "1"
                                Uart.bitCount++;
                                Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100;                                   // add a 1 to the shiftreg
                                Uart.state = STATE_MILLER_X;
                                Uart.bitCount++;
                                Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100;                                   // add a 1 to the shiftreg
                                Uart.state = STATE_MILLER_X;
@@ -395,12 +369,15 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
                                        } else if (Uart.len & 0x0007) {                                                         // there are some parity bits to store
                                                Uart.parityBits <<= (8 - (Uart.len&0x0007));                    // left align remaining parity bits
                                                Uart.parity[Uart.parityLen++] = Uart.parityBits;                // and store them
                                        } else if (Uart.len & 0x0007) {                                                         // there are some parity bits to store
                                                Uart.parityBits <<= (8 - (Uart.len&0x0007));                    // left align remaining parity bits
                                                Uart.parity[Uart.parityLen++] = Uart.parityBits;                // and store them
+                                       }
+                                       if (Uart.len) {
                                                return TRUE;                                                                                    // we are finished with decoding the raw data sequence
                                                return TRUE;                                                                                    // we are finished with decoding the raw data sequence
+                                       } else {
+                                               UartReset();                                                                                    // Nothing received - start over
                                        }
                                }
                                if (Uart.state == STATE_START_OF_COMMUNICATION) {                               // error - must not follow directly after SOC
                                        UartReset();
                                        }
                                }
                                if (Uart.state == STATE_START_OF_COMMUNICATION) {                               // error - must not follow directly after SOC
                                        UartReset();
-                                       Uart.highCnt = 6;
                                } else {                                                                                                                // a logic "0"
                                        Uart.bitCount++;
                                        Uart.shiftReg = (Uart.shiftReg >> 1);                                           // add a 0 to the shiftreg
                                } else {                                                                                                                // a logic "0"
                                        Uart.bitCount++;
                                        Uart.shiftReg = (Uart.shiftReg >> 1);                                           // add a 0 to the shiftreg
@@ -467,9 +444,13 @@ void DemodReset()
        Demod.highCnt = 0;
        Demod.startTime = 0;
        Demod.endTime = 0;
        Demod.highCnt = 0;
        Demod.startTime = 0;
        Demod.endTime = 0;
+       
+       //
+       Demod.bitCount = 0;
+       Demod.syncBit = 0xFFFF;
+       Demod.samples = 0;
 }
 
 }
 
-
 void DemodInit(uint8_t *data, uint8_t *parity)
 {
        Demod.output = data;
 void DemodInit(uint8_t *data, uint8_t *parity)
 {
        Demod.output = data;
@@ -558,15 +539,15 @@ static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non
                                } else if (Demod.len & 0x0007) {                                                // there are some parity bits to store
                                        Demod.parityBits <<= (8 - (Demod.len&0x0007));          // left align remaining parity bits
                                        Demod.parity[Demod.parityLen++] = Demod.parityBits;     // and store them
                                } else if (Demod.len & 0x0007) {                                                // there are some parity bits to store
                                        Demod.parityBits <<= (8 - (Demod.len&0x0007));          // left align remaining parity bits
                                        Demod.parity[Demod.parityLen++] = Demod.parityBits;     // and store them
+                               }
+                               if (Demod.len) {
                                        return TRUE;                                                                            // we are finished with decoding the raw data sequence
                                } else {                                                                                                // nothing received. Start over
                                        DemodReset();
                                }
                        }
                }
                                        return TRUE;                                                                            // we are finished with decoding the raw data sequence
                                } else {                                                                                                // nothing received. Start over
                                        DemodReset();
                                }
                        }
                }
-                       
        } 
        } 
-
     return FALSE;      // not finished yet, need more data
 }
 
     return FALSE;      // not finished yet, need more data
 }
 
@@ -580,15 +561,12 @@ static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
 //-----------------------------------------------------------------------------
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
 //-----------------------------------------------------------------------------
-void RAMFUNC SnoopIso14443a(uint8_t param) {
+void RAMFUNC SniffIso14443a(uint8_t param) {
        // param:
        // bit 0 - trigger from first card answer
        // bit 1 - trigger from first reader 7-bit request
        
        LEDsoff();
        // param:
        // bit 0 - trigger from first card answer
        // bit 1 - trigger from first reader 7-bit request
        
        LEDsoff();
-       // init trace buffer
-       iso14a_clear_trace();
-       iso14a_set_tracing(TRUE);
 
        // We won't start recording the frames that we acquire until we trigger;
        // a good trigger condition to get started is probably when we see a
 
        // We won't start recording the frames that we acquire until we trigger;
        // a good trigger condition to get started is probably when we see a
@@ -596,22 +574,25 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
        // triggered == FALSE -- to wait first for card
        bool triggered = !(param & 0x03); 
        
        // triggered == FALSE -- to wait first for card
        bool triggered = !(param & 0x03); 
        
+       // Allocate memory from BigBuf for some buffers
+       // free all previous allocations first
+       BigBuf_free();
+
        // The command (reader -> tag) that we're receiving.
        // The command (reader -> tag) that we're receiving.
-       // The length of a received command will in most cases be no more than 18 bytes.
-       // So 32 should be enough!
-       uint8_t *receivedCmd = ((uint8_t *)BigBuf) + RECV_CMD_OFFSET;
-       uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
+       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+       uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
        
        // The response (tag -> reader) that we're receiving.
        
        // The response (tag -> reader) that we're receiving.
-       uint8_t *receivedResponse = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
-       uint8_t *receivedResponsePar = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
-       
-       // As we receive stuff, we copy it from receivedCmd or receivedResponse
-       // into trace, along with its length and other annotations.
-       //uint8_t *trace = (uint8_t *)BigBuf;
+       uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
+       uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
        
        // The DMA buffer, used to stream samples from the FPGA
        
        // The DMA buffer, used to stream samples from the FPGA
-       uint8_t *dmaBuf = ((uint8_t *)BigBuf) + DMA_BUFFER_OFFSET;
+       uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
+
+       // init trace buffer
+       clear_trace();
+       set_tracing(TRUE);
+
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
        int maxDataLen = 0;
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
        int maxDataLen = 0;
@@ -651,7 +632,7 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
                // test for length of buffer
                if(dataLen > maxDataLen) {
                        maxDataLen = dataLen;
                // test for length of buffer
                if(dataLen > maxDataLen) {
                        maxDataLen = dataLen;
-                       if(dataLen > 400) {
+                       if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
                                Dbprintf("blew circular buffer! dataLen=%d", dataLen);
                                break;
                        }
                                Dbprintf("blew circular buffer! dataLen=%d", dataLen);
                                break;
                        }
@@ -716,6 +697,9 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
 
                                        // And ready to receive another response.
                                        DemodReset();
 
                                        // And ready to receive another response.
                                        DemodReset();
+                                       // And reset the Miller decoder including itS (now outdated) input buffer
+                                       UartInit(receivedCmd, receivedCmdPar);
+
                                        LED_C_OFF();
                                } 
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
                                        LED_C_OFF();
                                } 
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
@@ -734,7 +718,7 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
 
        FpgaDisableSscDma();
        Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
 
        FpgaDisableSscDma();
        Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
-       Dbprintf("traceLen=%d, Uart.output[0]=%08x", traceLen, (uint32_t)Uart.output[0]);
+       Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
        LEDsoff();
 }
 
        LEDsoff();
 }
 
@@ -757,7 +741,6 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *par
        
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
        
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
-       
        LastProxToAirDuration = 8 * ToSendMax - 4;
 
        for(uint16_t i = 0; i < len; i++) {
        LastProxToAirDuration = 8 * ToSendMax - 4;
 
        for(uint16_t i = 0; i < len; i++) {
@@ -881,7 +864,7 @@ int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
                                 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
 
 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
                                 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
 
-static uint8_t* free_buffer_pointer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
+static uint8_t* free_buffer_pointer;
 
 typedef struct {
   uint8_t* response;
 
 typedef struct {
   uint8_t* response;
@@ -891,10 +874,6 @@ typedef struct {
   uint32_t ProxToAirDuration;
 } tag_response_info_t;
 
   uint32_t ProxToAirDuration;
 } tag_response_info_t;
 
-void reset_free_buffer() {
-  free_buffer_pointer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
-}
-
 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
        // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
        // This will need the following byte array for a modulation sequence
 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
        // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
        // This will need the following byte array for a modulation sequence
@@ -906,7 +885,8 @@ bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffe
        // ----------- +
        //    166 bytes, since every bit that needs to be send costs us a byte
        //
        // ----------- +
        //    166 bytes, since every bit that needs to be send costs us a byte
        //
-  
   // Prepare the tag modulation bits from the message
   CodeIso14443aAsTag(response_info->response,response_info->response_n);
   
   // Prepare the tag modulation bits from the message
   CodeIso14443aAsTag(response_info->response,response_info->response_n);
   
@@ -927,15 +907,22 @@ bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffe
   return true;
 }
 
   return true;
 }
 
+
+// "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
+// Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
+// 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits
+// -> need 273 bytes buffer
+#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 273
+
 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
   // Retrieve and store the current buffer index
   response_info->modulation = free_buffer_pointer;
   
   // Determine the maximum size we can use from our buffer
 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
   // Retrieve and store the current buffer index
   response_info->modulation = free_buffer_pointer;
   
   // Determine the maximum size we can use from our buffer
-  size_t max_buffer_size = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + FREE_BUFFER_SIZE) - free_buffer_pointer;
+  size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
   
   // Forward the prepare tag modulation function to the inner function
   
   // Forward the prepare tag modulation function to the inner function
-  if (prepare_tag_modulation(response_info,max_buffer_size)) {
+  if (prepare_tag_modulation(response_info, max_buffer_size)) {
     // Update the free buffer offset
     free_buffer_pointer += ToSendMax;
     return true;
     // Update the free buffer offset
     free_buffer_pointer += ToSendMax;
     return true;
@@ -948,12 +935,15 @@ bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
 // Main loop of simulated tag: receive commands from reader, decide what
 // response to send, and send it.
 //-----------------------------------------------------------------------------
 // Main loop of simulated tag: receive commands from reader, decide what
 // response to send, and send it.
 //-----------------------------------------------------------------------------
-void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
+void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
 {
 {
-       // Enable and clear the trace
-       iso14a_clear_trace();
-       iso14a_set_tracing(TRUE);
 
 
+       //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
+       // This can be used in a reader-only attack.
+       // (it can also be retrieved via 'hf 14a list', but hey...
+       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
+       uint8_t ar_nr_collected = 0;
+       
        uint8_t sak;
 
        // The first response contains the ATQA (note: bytes are transmitted in reverse order).
        uint8_t sak;
 
        // The first response contains the ATQA (note: bytes are transmitted in reverse order).
@@ -984,6 +974,18 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
                        response1[1] = 0x00;
                        sak = 0x28;
                } break;
                        response1[1] = 0x00;
                        sak = 0x28;
                } break;
+               case 5: { // MIFARE TNP3XXX
+                       // Says: I am a toy
+                       response1[0] = 0x01;
+                       response1[1] = 0x0f;
+                       sak = 0x01;
+               } break;
+               case 6: { // MIFARE Mini
+                       // Says: I am a Mifare Mini, 320b
+                       response1[0] = 0x44;
+                       response1[1] = 0x00;
+                       sak = 0x09;
+               } break;
                default: {
                        Dbprintf("Error: unkown tagtype (%d)",tagType);
                        return;
                default: {
                        Dbprintf("Error: unkown tagtype (%d)",tagType);
                        return;
@@ -991,21 +993,29 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
        }
        
        // The second response contains the (mandatory) first 24 bits of the UID
        }
        
        // The second response contains the (mandatory) first 24 bits of the UID
-       uint8_t response2[5];
+       uint8_t response2[5] = {0x00};
 
        // Check if the uid uses the (optional) part
 
        // Check if the uid uses the (optional) part
-       uint8_t response2a[5];
-       if (uid_2nd) {
+       uint8_t response2a[5] = {0x00};
+       
+       if (flags & FLAG_7B_UID_IN_DATA) {
                response2[0] = 0x88;
                response2[0] = 0x88;
-               num_to_bytes(uid_1st,3,response2+1);
-               num_to_bytes(uid_2nd,4,response2a);
+               response2[1] = data[0];
+               response2[2] = data[1];
+               response2[3] = data[2];
+
+               response2a[0] = data[3];
+               response2a[1] = data[4];
+               response2a[2] = data[5];
+               response2a[3] = data[6]; //??
                response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
 
                // Configure the ATQA and SAK accordingly
                response1[0] |= 0x40;
                sak |= 0x04;
        } else {
                response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
 
                // Configure the ATQA and SAK accordingly
                response1[0] |= 0x40;
                sak |= 0x04;
        } else {
-               num_to_bytes(uid_1st,4,response2);
+               memcpy(response2, data, 4);
+               //num_to_bytes(uid_1st,4,response2);
                // Configure the ATQA and SAK accordingly
                response1[0] &= 0xBF;
                sak &= 0xFB;
                // Configure the ATQA and SAK accordingly
                response1[0] &= 0xBF;
                sak &= 0xFB;
@@ -1015,16 +1025,16 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
        response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
 
        // Prepare the mandatory SAK (for 4 and 7 byte UID)
        response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
 
        // Prepare the mandatory SAK (for 4 and 7 byte UID)
-       uint8_t response3[3];
+       uint8_t response3[3]  = {0x00};
        response3[0] = sak;
        ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
 
        // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
        response3[0] = sak;
        ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
 
        // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
-       uint8_t response3a[3];
+       uint8_t response3a[3]  = {0x00};
        response3a[0] = sak & 0xFB;
        ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
        response3a[0] = sak & 0xFB;
        ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
-       uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
+       uint8_t response5[] = { 0x01, 0x02, 0x03, 0x04 }; // Very random tag nonce
        uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: 
        // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
        // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
        uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: 
        // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
        // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
@@ -1056,9 +1066,17 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
                .modulation_n = 0
        };
   
                .modulation_n = 0
        };
   
-       // Reset the offset pointer of the free buffer
-       reset_free_buffer();
-  
+       BigBuf_free_keep_EM();
+
+       // allocate buffers:
+       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+       uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
+       free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
+
+       // clear trace
+       clear_trace();
+       set_tracing(TRUE);
+
        // Prepare the responses of the anticollision phase
        // there will be not enough time to do this at the moment the reader sends it REQA
        for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
        // Prepare the responses of the anticollision phase
        // there will be not enough time to do this at the moment the reader sends it REQA
        for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
@@ -1079,10 +1097,6 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
        // We need to listen to the high-frequency, peak-detected path.
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        // We need to listen to the high-frequency, peak-detected path.
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
-       // buffers used on software Uart:
-       uint8_t *receivedCmd = ((uint8_t *)BigBuf) + RECV_CMD_OFFSET;
-       uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
-
        cmdsRecvd = 0;
        tag_response_info_t* p_response;
 
        cmdsRecvd = 0;
        tag_response_info_t* p_response;
 
@@ -1117,7 +1131,7 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
                        // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                        p_response = NULL;
                } else if(receivedCmd[0] == 0x50) {     // Received a HALT
                        // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                        p_response = NULL;
                } else if(receivedCmd[0] == 0x50) {     // Received a HALT
-//                     DbpString("Reader requested we HALT!:");
+
                        if (tracing) {
                                LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        }
                        if (tracing) {
                                LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        }
@@ -1135,9 +1149,45 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
                        if (tracing) {
                                LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        }
                        if (tracing) {
                                LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        }
+                       uint32_t nonce = bytes_to_num(response5,4);
                        uint32_t nr = bytes_to_num(receivedCmd,4);
                        uint32_t ar = bytes_to_num(receivedCmd+4,4);
                        uint32_t nr = bytes_to_num(receivedCmd,4);
                        uint32_t ar = bytes_to_num(receivedCmd+4,4);
-                       Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
+                       //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar);
+
+                       if(flags & FLAG_NR_AR_ATTACK )
+                       {
+                               if(ar_nr_collected < 2){
+                                       // Avoid duplicates... probably not necessary, nr should vary. 
+                                       //if(ar_nr_responses[3] != nr){                                         
+                                               ar_nr_responses[ar_nr_collected*5]   = 0;
+                                               ar_nr_responses[ar_nr_collected*5+1] = 0;
+                                               ar_nr_responses[ar_nr_collected*5+2] = nonce;
+                                               ar_nr_responses[ar_nr_collected*5+3] = nr;
+                                               ar_nr_responses[ar_nr_collected*5+4] = ar;
+                                               ar_nr_collected++;
+                                       //}
+                               }                       
+
+                               if(ar_nr_collected > 1 ) {
+                               
+                                       if (MF_DBGLEVEL >= 2) {
+                                                       Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
+                                                       Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
+                                                               ar_nr_responses[0], // UID1
+                                                               ar_nr_responses[1], // UID2
+                                                               ar_nr_responses[2], // NT
+                                                               ar_nr_responses[3], // AR1
+                                                               ar_nr_responses[4], // NR1
+                                                               ar_nr_responses[8], // AR2
+                                                               ar_nr_responses[9]  // NR2
+                                                       );
+                                       }
+                                       uint8_t len = ar_nr_collected*5*4;
+                                       cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
+                                       ar_nr_collected = 0;
+                                       memset(ar_nr_responses, 0x00, len);
+                               }
+                       }
                } else {
                        // Check for ISO 14443A-4 compliant commands, look at left nibble
                        switch (receivedCmd[0]) {
                } else {
                        // Check for ISO 14443A-4 compliant commands, look at left nibble
                        switch (receivedCmd[0]) {
@@ -1222,6 +1272,7 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
                        // do the tracing for the previous reader request and this tag answer:
                        uint8_t par[MAX_PARITY_SIZE];
                        GetParity(p_response->response, p_response->response_n, par);
                        // do the tracing for the previous reader request and this tag answer:
                        uint8_t par[MAX_PARITY_SIZE];
                        GetParity(p_response->response, p_response->response_n, par);
+       
                        EmLogTrace(Uart.output, 
                                                Uart.len, 
                                                Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, 
                        EmLogTrace(Uart.output, 
                                                Uart.len, 
                                                Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, 
@@ -1240,8 +1291,11 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
                }
        }
 
                }
        }
 
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       
        Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
        LED_A_OFF();
        Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
        LED_A_OFF();
+       BigBuf_free_keep_EM();
 }
 
 
 }
 
 
@@ -1302,13 +1356,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
        // clear TXRDY
        AT91C_BASE_SSC->SSC_THR = SEC_Y;
 
        // clear TXRDY
        AT91C_BASE_SSC->SSC_THR = SEC_Y;
 
-       // for(uint16_t c = 0; c < 10;) {       // standard delay for each transfer (allow tag to be ready after last transmission)
-               // if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       // AT91C_BASE_SSC->SSC_THR = SEC_Y;     
-                       // c++;
-               // }
-       // }
-
        uint16_t c = 0;
        for(;;) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
        uint16_t c = 0;
        for(;;) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
@@ -1321,7 +1368,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
        }
        
        NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
        }
        
        NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
-       
 }
 
 
 }
 
 
@@ -1369,7 +1415,7 @@ void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8
                }
 
                // Only transmit parity bit if we transmitted a complete byte
                }
 
                // Only transmit parity bit if we transmitted a complete byte
-               if (j == 8) {
+               if (j == 8 && parity != NULL) {
                        // Get the parity bit
                        if (parity[i>>3] & (0x80 >> (i&0x0007))) {
                                // Sequence X
                        // Get the parity bit
                        if (parity[i>>3] & (0x80 >> (i&0x0007))) {
                                // Sequence X
@@ -1414,6 +1460,7 @@ void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *p
   CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
 }
 
   CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
 }
 
+
 //-----------------------------------------------------------------------------
 // Wait for commands from reader
 // Stop when button is pressed (return 1) or field was gone (return 2)
 //-----------------------------------------------------------------------------
 // Wait for commands from reader
 // Stop when button is pressed (return 1) or field was gone (return 2)
@@ -1436,9 +1483,9 @@ static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
        // Set ADC to read field strength
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
        AT91C_BASE_ADC->ADC_MR =
        // Set ADC to read field strength
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
        AT91C_BASE_ADC->ADC_MR =
-                               ADC_MODE_PRESCALE(32) |
-                               ADC_MODE_STARTUP_TIME(16) |
-                               ADC_MODE_SAMPLE_HOLD_TIME(8);
+                               ADC_MODE_PRESCALE(63) |
+                               ADC_MODE_STARTUP_TIME(1) |
+                               ADC_MODE_SAMPLE_HOLD_TIME(15);
        AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
        // start ADC
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
        AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
        // start ADC
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
@@ -1448,7 +1495,7 @@ static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
 
        // Clear RXRDY:
     uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 
        // Clear RXRDY:
     uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-
+       
        for(;;) {
                WDT_HIT();
 
        for(;;) {
                WDT_HIT();
 
@@ -1460,7 +1507,7 @@ static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
                        analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
                        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
                        if (analogCnt >= 32) {
                        analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
                        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
                        if (analogCnt >= 32) {
-                               if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
+                               if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
                                        vtime = GetTickCount();
                                        if (!timer) timer = vtime;
                                        // 50ms no field --> card to idle state
                                        vtime = GetTickCount();
                                        if (!timer) timer = vtime;
                                        // 50ms no field --> card to idle state
@@ -1523,7 +1570,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
        AT91C_BASE_SSC->SSC_THR = SEC_F;
 
        // send cycle
        AT91C_BASE_SSC->SSC_THR = SEC_F;
 
        // send cycle
-       for(; i <= respLen; ) {
+       for(; i < respLen; ) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = resp[i++];
                        FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = resp[i++];
                        FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
@@ -1535,14 +1582,15 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
        }
 
        // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
        }
 
        // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
-       for (i = 0; i < 2 ; ) {
+       uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;
+       for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = SEC_F;
                        FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                        i++;
                }
        }
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = SEC_F;
                        FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                        i++;
                }
        }
-       
+
        LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
 
        return 0;
        LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
 
        return 0;
@@ -1631,7 +1679,7 @@ bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_Start
 //-----------------------------------------------------------------------------
 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
 {
 //-----------------------------------------------------------------------------
 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
 {
-       uint16_t c;
+       uint32_t c = 0x00;
        
        // Set FPGA mode to "reader listen mode", no modulation (listen
        // only, since we are receiving, not transmitting).
        
        // Set FPGA mode to "reader listen mode", no modulation (listen
        // only, since we are receiving, not transmitting).
@@ -1644,8 +1692,7 @@ static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receive
 
        // clear RXRDY:
     uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 
        // clear RXRDY:
     uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-       
-       c = 0;
+
        for(;;) {
                WDT_HIT();
 
        for(;;) {
                WDT_HIT();
 
@@ -1654,16 +1701,16 @@ static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receive
                        if(ManchesterDecoding(b, offset, 0)) {
                                NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
                                return TRUE;
                        if(ManchesterDecoding(b, offset, 0)) {
                                NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
                                return TRUE;
-                       } else if (c++ > iso14a_timeout) {
+                       } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
                                return FALSE; 
                        }
                }
        }
 }
 
                                return FALSE; 
                        }
                }
        }
 }
 
+
 void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
 {
 void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
 {
-
        CodeIso14443aBitsAsReaderPar(frame, bits, par);
   
        // Send command to tag
        CodeIso14443aBitsAsReaderPar(frame, bits, par);
   
        // Send command to tag
@@ -1677,11 +1724,13 @@ void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t
        }
 }
 
        }
 }
 
+
 void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
 {
   ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
 void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
 {
   ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
+
 void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
 {
   // Generate parity and redirect
 void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
 {
   // Generate parity and redirect
@@ -1690,6 +1739,7 @@ void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
   ReaderTransmitBitsPar(frame, len, par, timing);
 }
 
   ReaderTransmitBitsPar(frame, len, par, timing);
 }
 
+
 void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
 {
   // Generate parity and redirect
 void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
 {
   // Generate parity and redirect
@@ -1724,8 +1774,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
        uint8_t sel_all[]    = { 0x93,0x20 };
        uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
        uint8_t sel_all[]    = { 0x93,0x20 };
        uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
-       uint8_t *resp = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
-       uint8_t *resp_par = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
+       uint8_t resp[MAX_FRAME_SIZE]; // theoretically. A usual RATS will be much smaller
+       uint8_t resp_par[MAX_PARITY_SIZE];
        byte_t uid_resp[4];
        size_t uid_resp_len;
 
        byte_t uid_resp[4];
        size_t uid_resp_len;
 
@@ -1738,7 +1788,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
        
        // Receive the ATQA
        if(!ReaderReceive(resp, resp_par)) return 0;
        
        // Receive the ATQA
        if(!ReaderReceive(resp, resp_par)) return 0;
-       //Dbprintf("atqa: %02x %02x",resp[1],resp[0]);
 
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->atqa, resp, 2);
 
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->atqa, resp, 2);
@@ -1751,6 +1800,11 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                memset(uid_ptr,0,10);
        }
 
                memset(uid_ptr,0,10);
        }
 
+       // check for proprietary anticollision:
+       if ((resp[0] & 0x1F) == 0) {
+               return 3;
+       }
+       
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
        // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
        // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
@@ -1771,7 +1825,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                                Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
                                for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) {      // add valid UID bits before collision point
                                        uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
                                Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
                                for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) {      // add valid UID bits before collision point
                                        uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
-                                       uid_resp[uid_resp_bits & 0xf8] |= UIDbit << (uid_resp_bits % 8);
+                                       uid_resp[uid_resp_bits 8] |= UIDbit << (uid_resp_bits % 8);
                                }
                                uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8);                                  // next time select the card(s) with a 1 in the collision position
                                uid_resp_bits++;
                                }
                                uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8);                                  // next time select the card(s) with a 1 in the collision position
                                uid_resp_bits++;
@@ -1794,7 +1848,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                        memcpy(uid_resp, resp, 4);
                }
                uid_resp_len = 4;
                        memcpy(uid_resp, resp, 4);
                }
                uid_resp_len = 4;
-               //Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]);
 
                // calculate crypto UID. Always use last 4 Bytes.
                if(cuid_ptr) {
 
                // calculate crypto UID. Always use last 4 Bytes.
                if(cuid_ptr) {
@@ -1812,15 +1865,10 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                if (!ReaderReceive(resp, resp_par)) return 0;
                sak = resp[0];
 
                if (!ReaderReceive(resp, resp_par)) return 0;
                sak = resp[0];
 
-               // Test if more parts of the uid are comming
+    // Test if more parts of the uid are coming
                if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
                        // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
                        // http://www.nxp.com/documents/application_note/AN10927.pdf
                if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
                        // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
                        // http://www.nxp.com/documents/application_note/AN10927.pdf
-                       // This was earlier:
-                       //memcpy(uid_resp, uid_resp + 1, 3);
-                       // But memcpy should not be used for overlapping arrays, 
-                       // and memmove appears to not be available in the arm build. 
-                       // Therefore:
                        uid_resp[0] = uid_resp[1];
                        uid_resp[1] = uid_resp[2];
                        uid_resp[2] = uid_resp[3]; 
                        uid_resp[0] = uid_resp[1];
                        uid_resp[1] = uid_resp[2];
                        uid_resp[2] = uid_resp[3]; 
@@ -1843,9 +1891,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                p_hi14a_card->ats_len = 0;
        }
 
                p_hi14a_card->ats_len = 0;
        }
 
-       if( (sak & 0x20) == 0) {
-               return 2; // non iso14443a compliant tag
-       }
+       // non iso14443a compliant tag
+       if( (sak & 0x20) == 0) return 2; 
 
        // Request for answer to select
        AppendCrc14443a(rats, 2);
 
        // Request for answer to select
        AppendCrc14443a(rats, 2);
@@ -1853,6 +1900,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 
        if (!(len = ReaderReceive(resp, resp_par))) return 0;
 
 
        if (!(len = ReaderReceive(resp, resp_par))) return 0;
 
+       
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
                p_hi14a_card->ats_len = len;
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
                p_hi14a_card->ats_len = len;
@@ -1860,7 +1908,10 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 
        // reset the PCB block number
        iso14_pcb_blocknum = 0;
 
        // reset the PCB block number
        iso14_pcb_blocknum = 0;
-       
+
+       // set default timeout based on ATS
+       iso14a_set_ATS_timeout(resp);
+
        return 1;       
 }
 
        return 1;       
 }
 
@@ -1886,7 +1937,7 @@ void iso14443a_setup(uint8_t fpga_minor_mode) {
        DemodReset();
        UartReset();
        NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
        DemodReset();
        UartReset();
        NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
-       iso14a_set_timeout(1050); // 10ms default
+       iso14a_set_timeout(10*106); // 10ms default
 }
 
 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
 }
 
 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
@@ -1925,17 +1976,18 @@ void ReaderIso14443a(UsbCommand *c)
 {
        iso14a_command_t param = c->arg[0];
        uint8_t *cmd = c->d.asBytes;
 {
        iso14a_command_t param = c->arg[0];
        uint8_t *cmd = c->d.asBytes;
-       size_t len = c->arg[1];
-       size_t lenbits = c->arg[2];
+       size_t len = c->arg[1] & 0xffff;
+       size_t lenbits = c->arg[1] >> 16;
+       uint32_t timeout = c->arg[2];
        uint32_t arg0 = 0;
        byte_t buf[USB_CMD_DATA_SIZE];
        uint8_t par[MAX_PARITY_SIZE];
   
        if(param & ISO14A_CONNECT) {
        uint32_t arg0 = 0;
        byte_t buf[USB_CMD_DATA_SIZE];
        uint8_t par[MAX_PARITY_SIZE];
   
        if(param & ISO14A_CONNECT) {
-               iso14a_clear_trace();
+               clear_trace();
        }
 
        }
 
-       iso14a_set_tracing(TRUE);
+       set_tracing(TRUE);
 
        if(param & ISO14A_REQUEST_TRIGGER) {
                iso14a_set_trigger(TRUE);
 
        if(param & ISO14A_REQUEST_TRIGGER) {
                iso14a_set_trigger(TRUE);
@@ -1951,7 +2003,7 @@ void ReaderIso14443a(UsbCommand *c)
        }
 
        if(param & ISO14A_SET_TIMEOUT) {
        }
 
        if(param & ISO14A_SET_TIMEOUT) {
-               iso14a_timeout = c->arg[2];
+               iso14a_set_timeout(timeout);
        }
 
        if(param & ISO14A_APDU) {
        }
 
        if(param & ISO14A_APDU) {
@@ -1961,15 +2013,38 @@ void ReaderIso14443a(UsbCommand *c)
 
        if(param & ISO14A_RAW) {
                if(param & ISO14A_APPEND_CRC) {
 
        if(param & ISO14A_RAW) {
                if(param & ISO14A_APPEND_CRC) {
-                       AppendCrc14443a(cmd,len);
+                       if(param & ISO14A_TOPAZMODE) {
+                               AppendCrc14443b(cmd,len);
+                       } else {
+                               AppendCrc14443a(cmd,len);
+                       }
                        len += 2;
                        if (lenbits) lenbits += 16;
                }
                        len += 2;
                        if (lenbits) lenbits += 16;
                }
-               if(lenbits>0) {
+               if(lenbits>0) {                         // want to send a specific number of bits (e.g. short commands)
+                       if(param & ISO14A_TOPAZMODE) {
+                               int bits_to_send = lenbits;
+                               uint16_t i = 0;
+                               ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL);             // first byte is always short (7bits) and no parity
+                               bits_to_send -= 7;
+                               while (bits_to_send > 0) {
+                                       ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 8), NULL, NULL);     // following bytes are 8 bit and no parity
+                                       bits_to_send -= 8;
+                               }
+                       } else {
                        GetParity(cmd, lenbits/8, par);
                        GetParity(cmd, lenbits/8, par);
-                       ReaderTransmitBitsPar(cmd, lenbits, par, NULL);
+                               ReaderTransmitBitsPar(cmd, lenbits, par, NULL);                                                 // bytes are 8 bit with odd parity
+                       }
+               } else {                                        // want to send complete bytes only
+                       if(param & ISO14A_TOPAZMODE) {
+                               uint16_t i = 0;
+                               ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL);                                                // first byte: 7 bits, no paritiy
+                               while (i < len) {
+                                       ReaderTransmitBitsPar(&cmd[i++], 8, NULL, NULL);                                        // following bytes: 8 bits, no paritiy
+                               }
                } else {
                } else {
-                       ReaderTransmit(cmd,len, NULL);
+                               ReaderTransmit(cmd,len, NULL);                                                                                  // 8 bits, odd parity
+                       }
                }
                arg0 = ReaderReceive(buf, par);
                cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
                }
                arg0 = ReaderReceive(buf, par);
                cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
@@ -1993,13 +2068,11 @@ void ReaderIso14443a(UsbCommand *c)
 // Therefore try in alternating directions.
 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 
 // Therefore try in alternating directions.
 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 
-       uint16_t i;
-       uint32_t nttmp1, nttmp2;
-
        if (nt1 == nt2) return 0;
 
        if (nt1 == nt2) return 0;
 
-       nttmp1 = nt1;
-       nttmp2 = nt2;
+       uint16_t i;
+       uint32_t nttmp1 = nt1;
+       uint32_t nttmp2 = nt2;
        
        for (i = 1; i < 32768; i++) {
                nttmp1 = prng_successor(nttmp1, 1);
        
        for (i = 1; i < 32768; i++) {
                nttmp1 = prng_successor(nttmp1, 1);
@@ -2018,41 +2091,43 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
 // (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
 // (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
-void ReaderMifare(bool first_try)
-{
-       // Mifare AUTH
-       uint8_t mf_auth[]    = { 0x60,0x00,0xf5,0x7b };
-       uint8_t mf_nr_ar[]   = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
-       static uint8_t mf_nr_ar3;
+void ReaderMifare(bool first_try) {
+       // free eventually allocated BigBuf memory. We want all for tracing.
+       BigBuf_free();
+       
+       clear_trace();
+       set_tracing(TRUE);
 
 
-       uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
-       uint8_t* receivedAnswerPar = (((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET);
+       // Mifare AUTH
+       uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
+       uint8_t mf_nr_ar[8] = { 0x00 }; //{ 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 };
+       static uint8_t mf_nr_ar3 = 0;
 
 
-       iso14a_clear_trace();
-       iso14a_set_tracing(TRUE);
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = { 0x00 };
+       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = { 0x00 };
 
        byte_t nt_diff = 0;
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
        static byte_t par_low = 0;
        bool led_on = TRUE;
 
        byte_t nt_diff = 0;
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
        static byte_t par_low = 0;
        bool led_on = TRUE;
-       uint8_t uid[10]  ={0};
-       uint32_t cuid;
+       uint8_t uid[10] = {0x00};
+       //uint32_t cuid = 0x00;
 
        uint32_t nt = 0;
        uint32_t previous_nt = 0;
        static uint32_t nt_attacked = 0;
 
        uint32_t nt = 0;
        uint32_t previous_nt = 0;
        static uint32_t nt_attacked = 0;
-       byte_t par_list[8] = {0,0,0,0,0,0,0,0};
-       byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
+       byte_t par_list[8] = {0x00};
+       byte_t ks_list[8] = {0x00};
 
 
-       static uint32_t sync_time;
-       static uint32_t sync_cycles;
+       static uint32_t sync_time = 0;
+       static uint32_t sync_cycles = 0;
        int catch_up_cycles = 0;
        int last_catch_up = 0;
        uint16_t consecutive_resyncs = 0;
        int isOK = 0;
 
        int catch_up_cycles = 0;
        int last_catch_up = 0;
        uint16_t consecutive_resyncs = 0;
        int isOK = 0;
 
-
-
+       int numWrongDistance = 0;
+       
        if (first_try) { 
                mf_nr_ar3 = 0;
                iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
        if (first_try) { 
                mf_nr_ar3 = 0;
                iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
@@ -2072,20 +2147,22 @@ void ReaderMifare(bool first_try)
        LED_A_ON();
        LED_B_OFF();
        LED_C_OFF();
        LED_A_ON();
        LED_B_OFF();
        LED_C_OFF();
-       
+       LED_C_ON();     
   
        for(uint16_t i = 0; TRUE; i++) {
                
                WDT_HIT();
 
                // Test if the action was cancelled
   
        for(uint16_t i = 0; TRUE; i++) {
                
                WDT_HIT();
 
                // Test if the action was cancelled
-               if(BUTTON_PRESS()) {
+               if(BUTTON_PRESS()) break;
+               
+               if (numWrongDistance > 1000) {
+                       isOK = 0;
                        break;
                }
                
                        break;
                }
                
-               LED_C_ON();
-
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {
+               //if(!iso14443a_select_card(uid, NULL, &cuid)) {
+               if(!iso14443a_select_card(uid, NULL, NULL)) {
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Mifare: Can't select card");
                        continue;
                }
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Mifare: Can't select card");
                        continue;
                }
@@ -2119,9 +2196,14 @@ void ReaderMifare(bool first_try)
                                nt_attacked = nt;
                        }
                        else {
                                nt_attacked = nt;
                        }
                        else {
-                               if (nt_distance == -99999) { // invalid nonce received, try again
+                               
+                               // invalid nonce received, try again
+                               if (nt_distance == -99999) { 
+                                       numWrongDistance++;
+                                       if (MF_DBGLEVEL >= 3) Dbprintf("The two nonces has invalid distance, tag could have good PRNG\n");
                                        continue;
                                }
                                        continue;
                                }
+                               
                                sync_cycles = (sync_cycles - nt_distance);
                                if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
                                continue;
                                sync_cycles = (sync_cycles - nt_distance);
                                if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
                                continue;
@@ -2130,7 +2212,7 @@ void ReaderMifare(bool first_try)
 
                if ((nt != nt_attacked) && nt_attacked) {       // we somehow lost sync. Try to catch up again...
                        catch_up_cycles = -dist_nt(nt_attacked, nt);
 
                if ((nt != nt_attacked) && nt_attacked) {       // we somehow lost sync. Try to catch up again...
                        catch_up_cycles = -dist_nt(nt_attacked, nt);
-                       if (catch_up_cycles == 99999) {                 // invalid nonce received. Don't resync on that one.
+                       if (catch_up_cycles >= 99999) {                 // invalid nonce received. Don't resync on that one.
                                catch_up_cycles = 0;
                                continue;
                        }
                                catch_up_cycles = 0;
                                continue;
                        }
@@ -2188,10 +2270,10 @@ void ReaderMifare(bool first_try)
                }
        }
 
                }
        }
 
-
        mf_nr_ar[3] &= 0x1F;
        
        mf_nr_ar[3] &= 0x1F;
        
-       byte_t buf[28];
+       byte_t buf[28] = {0x00};
+       
        memcpy(buf + 0,  uid, 4);
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
        memcpy(buf + 0,  uid, 4);
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
@@ -2200,14 +2282,13 @@ void ReaderMifare(bool first_try)
                
        cmd_send(CMD_ACK,isOK,0,0,buf,28);
 
                
        cmd_send(CMD_ACK,isOK,0,0,buf,28);
 
-       // Thats it...
+       set_tracing(FALSE);
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
-
-       iso14a_set_tracing(FALSE);
 }
 
 }
 
-/**
+
+ /*
   *MIFARE 1K simulate.
   *
   *@param flags :
   *MIFARE 1K simulate.
   *
   *@param flags :
@@ -2229,7 +2310,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
-       uint32_t cardRr = 0;
+//     uint32_t cardRr = 0;
        uint32_t cuid = 0;
        //uint32_t rn_enc = 0;
        uint32_t ans = 0;
        uint32_t cuid = 0;
        //uint32_t rn_enc = 0;
        uint32_t ans = 0;
@@ -2239,15 +2320,16 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        struct Crypto1State *pcs;
        pcs = &mpcs;
        uint32_t numReads = 0;//Counts numer of times reader read a block
        struct Crypto1State *pcs;
        pcs = &mpcs;
        uint32_t numReads = 0;//Counts numer of times reader read a block
-       uint8_t* receivedCmd = get_bigbufptr_recvcmdbuf();
-       uint8_t* receivedCmd_par = receivedCmd + MAX_FRAME_SIZE;
-       uint8_t* response = get_bigbufptr_recvrespbuf();
-       uint8_t* response_par = response + MAX_FRAME_SIZE;
+       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
+       uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
+       uint8_t response[MAX_MIFARE_FRAME_SIZE];
+       uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
        
        uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
        uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
        uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
        
        uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
        uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
        uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
-       uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
+       //uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
+       uint8_t rSAK[] = {0x09, 0x3f, 0xcc };  // Mifare Mini 
        uint8_t rSAK1[] = {0x04, 0xda, 0x17};
 
        uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
        uint8_t rSAK1[] = {0x04, 0xda, 0x17};
 
        uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
@@ -2256,13 +2338,19 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
        // This can be used in a reader-only attack.
        // (it can also be retrieved via 'hf 14a list', but hey...
        //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
        // This can be used in a reader-only attack.
        // (it can also be retrieved via 'hf 14a list', but hey...
-       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0};
+       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
        uint8_t ar_nr_collected = 0;
 
        uint8_t ar_nr_collected = 0;
 
+       Dbprintf("FIRE");
+       
+       // free eventually allocated BigBuf memory but keep Emulator Memory
+       BigBuf_free_keep_EM();
+
        // clear trace
        // clear trace
-    iso14a_clear_trace();
-       iso14a_set_tracing(TRUE);
+       clear_trace();
+       set_tracing(TRUE);
 
 
+       Dbprintf("ICE");
        // Authenticate response - nonce
        uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
        
        // Authenticate response - nonce
        uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
        
@@ -2292,6 +2380,12 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                }
        }
 
                }
        }
 
+       Dbprintf("ICE2");
+       // save uid.
+       ar_nr_responses[0*5]   = bytes_to_num(rUIDBCC1+1, 3);
+       if ( _7BUID )
+               ar_nr_responses[0*5+1] = bytes_to_num(rUIDBCC2, 4);
+
        /*
         * Regardless of what method was used to set the UID, set fifth byte and modify
         * the ATQA for 4 or 7-byte UID
        /*
         * Regardless of what method was used to set the UID, set fifth byte and modify
         * the ATQA for 4 or 7-byte UID
@@ -2300,6 +2394,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        if (_7BUID) {
                rATQA[0] = 0x44;
                rUIDBCC1[0] = 0x88;
        if (_7BUID) {
                rATQA[0] = 0x44;
                rUIDBCC1[0] = 0x88;
+               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
                rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
        }
 
                rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
        }
 
@@ -2318,15 +2413,14 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                }
        }
 
                }
        }
 
+       Dbprintf("ICE3");
        bool finished = FALSE;
        while (!BUTTON_PRESS() && !finished) {
                WDT_HIT();
 
                // find reader field
        bool finished = FALSE;
        while (!BUTTON_PRESS() && !finished) {
                WDT_HIT();
 
                // find reader field
-               // Vref = 3300mV, and an 10:1 voltage divider on the input
-               // can measure voltages up to 33000 mV
                if (cardSTATE == MFEMUL_NOFIELD) {
                if (cardSTATE == MFEMUL_NOFIELD) {
-                       vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
+                       vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
                        if (vHf > MF_MINFIELDV) {
                                cardSTATE_TO_IDLE();
                                LED_A_ON();
                        if (vHf > MF_MINFIELDV) {
                                cardSTATE_TO_IDLE();
                                LED_A_ON();
@@ -2335,7 +2429,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                if(cardSTATE == MFEMUL_NOFIELD) continue;
 
                //Now, get data
                if(cardSTATE == MFEMUL_NOFIELD) continue;
 
                //Now, get data
-
                res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
                if (res == 2) { //Field is off!
                        cardSTATE = MFEMUL_NOFIELD;
                res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
                if (res == 2) { //Field is off!
                        cardSTATE = MFEMUL_NOFIELD;
@@ -2401,38 +2494,47 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
+
                                uint32_t ar = bytes_to_num(receivedCmd, 4);
                                uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
 
                                //Collect AR/NR
                                uint32_t ar = bytes_to_num(receivedCmd, 4);
                                uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
 
                                //Collect AR/NR
+                               //if(ar_nr_collected < 2 && cardAUTHSC == 2){
                                if(ar_nr_collected < 2){
                                        if(ar_nr_responses[2] != ar)
                                        {// Avoid duplicates... probably not necessary, ar should vary. 
                                if(ar_nr_collected < 2){
                                        if(ar_nr_responses[2] != ar)
                                        {// Avoid duplicates... probably not necessary, ar should vary. 
-                                               ar_nr_responses[ar_nr_collected*4] = cuid;
-                                               ar_nr_responses[ar_nr_collected*4+1] = nonce;
-                                               ar_nr_responses[ar_nr_collected*4+2] = ar;
-                                               ar_nr_responses[ar_nr_collected*4+3] = nr;
+                                               //ar_nr_responses[ar_nr_collected*5]   = 0;
+                                               //ar_nr_responses[ar_nr_collected*5+1] = 0;
+                                               ar_nr_responses[ar_nr_collected*5+2] = nonce;
+                                               ar_nr_responses[ar_nr_collected*5+3] = nr;
+                                               ar_nr_responses[ar_nr_collected*5+4] = ar;
                                                ar_nr_collected++;
                                                ar_nr_collected++;
+                                       }                                               
+                                       // Interactive mode flag, means we need to send ACK
+                                       if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
+                                       {
+                                               finished = true;
                                        }
                                }
 
                                // --- crypto
                                        }
                                }
 
                                // --- crypto
-                               crypto1_word(pcs, ar , 1);
-                               cardRr = nr ^ crypto1_word(pcs, 0, 0);
-
-                               // test if auth OK
-                               if (cardRr != prng_successor(nonce, 64)){
-                                       if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
-                                                       cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
-                                                       cardRr, prng_successor(nonce, 64));
+                               //crypto1_word(pcs, ar , 1);
+                               //cardRr = nr ^ crypto1_word(pcs, 0, 0);
+
+                               //test if auth OK
+                               //if (cardRr != prng_successor(nonce, 64)){
+                                       
+                                       //if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
+                                       //      cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
+                                       //              cardRr, prng_successor(nonce, 64));
                                        // Shouldn't we respond anything here?
                                        // Right now, we don't nack or anything, which causes the
                                        // reader to do a WUPA after a while. /Martin
                                        // -- which is the correct response. /piwi
                                        // Shouldn't we respond anything here?
                                        // Right now, we don't nack or anything, which causes the
                                        // reader to do a WUPA after a while. /Martin
                                        // -- which is the correct response. /piwi
-                                       cardSTATE_TO_IDLE();
-                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                                       break;
-                               }
+                                       //cardSTATE_TO_IDLE();
+                                       //LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       //break;
+                               //}
 
                                ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
 
 
                                ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
 
@@ -2507,6 +2609,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                                ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
                                                num_to_bytes(ans, 4, rAUTH_AT);
                                        }
                                                ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
                                                num_to_bytes(ans, 4, rAUTH_AT);
                                        }
+
                                        EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
                                        //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
                                        cardSTATE = MFEMUL_AUTH1;
                                        EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
                                        //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
                                        cardSTATE = MFEMUL_AUTH1;
@@ -2539,13 +2642,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                                || receivedCmd[0] == 0xB0) { // transfer
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                || receivedCmd[0] == 0xB0) { // transfer
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                                break;
                                        }
 
                                        if (receivedCmd[1] / 4 != cardAUTHSC) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
 
                                        if (receivedCmd[1] / 4 != cardAUTHSC) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
                                                break;
                                        }
                                }
                                                break;
                                        }
                                }
@@ -2559,7 +2662,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        mf_crypto1_encrypt(pcs, response, 18, response_par);
                                        EmSendCmdPar(response, 18, response_par);
                                        numReads++;
                                        mf_crypto1_encrypt(pcs, response, 18, response_par);
                                        EmSendCmdPar(response, 18, response_par);
                                        numReads++;
-                                       if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
+                                       if(exitAfterNReads > 0 && numReads >= exitAfterNReads) {
                                                Dbprintf("%d reads done, exiting", numReads);
                                                finished = true;
                                        }
                                                Dbprintf("%d reads done, exiting", numReads);
                                                finished = true;
                                        }
@@ -2577,7 +2680,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
                                        if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                        if (emlCheckValBl(receivedCmd[1])) {
                                if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
                                        if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                        if (emlCheckValBl(receivedCmd[1])) {
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
@@ -2679,38 +2782,40 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
        {
                //May just aswell send the collected ar_nr in the response aswell
        if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
        {
                //May just aswell send the collected ar_nr in the response aswell
-               cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_responses,ar_nr_collected*4*4);
+               uint8_t len = ar_nr_collected*5*4;
+               cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
        }
 
        }
 
-       if(flags & FLAG_NR_AR_ATTACK)
+       if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 )
        {
        {
-               if(ar_nr_collected > 1) {
+               if(ar_nr_collected > 1 ) {
                        Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
                        Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
-                       Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
-                                        ar_nr_responses[0], // UID
-                                       ar_nr_responses[1], //NT
-                                       ar_nr_responses[2], //AR1
-                                       ar_nr_responses[3], //NR1
-                                       ar_nr_responses[6], //AR2
-                                       ar_nr_responses[7] //NR2
+                       Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x",
+                                       ar_nr_responses[0], // UID1
+                                       ar_nr_responses[1], // UID2
+                                       ar_nr_responses[2], // NT
+                                       ar_nr_responses[3], // AR1
+                                       ar_nr_responses[4], // NR1
+                                       ar_nr_responses[8], // AR2
+                                       ar_nr_responses[9]  // NR2
                                        );
                } else {
                        Dbprintf("Failed to obtain two AR/NR pairs!");
                                        );
                } else {
                        Dbprintf("Failed to obtain two AR/NR pairs!");
-                       if(ar_nr_collected >0) {
-                               Dbprintf("Only got these: UID=%08x, nonce=%08x, AR1=%08x, NR1=%08x",
-                                               ar_nr_responses[0], // UID
-                                               ar_nr_responses[1], //NT
-                                               ar_nr_responses[2], //AR1
-                                               ar_nr_responses[3] //NR1
+                       if(ar_nr_collected > 0 ) {
+                               Dbprintf("Only got these: UID=%07x%08x, nonce=%08x, AR1=%08x, NR1=%08x",
+                                               ar_nr_responses[0], // UID1
+                                               ar_nr_responses[1], // UID2
+                                               ar_nr_responses[2], // NT
+                                               ar_nr_responses[3], // AR1
+                                               ar_nr_responses[4]  // NR1
                                                );
                        }
                }
        }
                                                );
                        }
                }
        }
-       if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ",    tracing, traceLen);
+       if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
 }
 
 
 }
 
 
-
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
@@ -2720,27 +2825,26 @@ void RAMFUNC SniffMifare(uint8_t param) {
        // bit 0 - trigger from first card answer
        // bit 1 - trigger from first reader 7-bit request
 
        // bit 0 - trigger from first card answer
        // bit 1 - trigger from first reader 7-bit request
 
+       // free eventually allocated BigBuf memory
+       BigBuf_free();
+       
        // C(red) A(yellow) B(green)
        LEDsoff();
        // init trace buffer
        // C(red) A(yellow) B(green)
        LEDsoff();
        // init trace buffer
-       iso14a_clear_trace();
-       iso14a_set_tracing(TRUE);
+       clear_trace();
+       set_tracing(TRUE);
 
        // The command (reader -> tag) that we're receiving.
        // The length of a received command will in most cases be no more than 18 bytes.
        // So 32 should be enough!
 
        // The command (reader -> tag) that we're receiving.
        // The length of a received command will in most cases be no more than 18 bytes.
        // So 32 should be enough!
-       uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
-       uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
+       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
+       uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE];
        // The response (tag -> reader) that we're receiving.
        // The response (tag -> reader) that we're receiving.
-       uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
-       uint8_t *receivedResponsePar = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
+       uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
+       uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
 
 
-       // As we receive stuff, we copy it from receivedCmd or receivedResponse
-       // into trace, along with its length and other annotations.
-       //uint8_t *trace = (uint8_t *)BigBuf;
-       
-       // The DMA buffer, used to stream samples from the FPGA
-       uint8_t *dmaBuf = ((uint8_t *)BigBuf) + DMA_BUFFER_OFFSET;
+       // allocate the DMA buffer, used to stream samples from the FPGA
+       uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
        int maxDataLen = 0;
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
        int maxDataLen = 0;
@@ -2799,7 +2903,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
                // test for length of buffer
                if(dataLen > maxDataLen) {                                      // we are more behind than ever...
                        maxDataLen = dataLen;                                   
                // test for length of buffer
                if(dataLen > maxDataLen) {                                      // we are more behind than ever...
                        maxDataLen = dataLen;                                   
-                       if(dataLen > 400) {
+                       if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
                                Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
                                break;
                        }
                                Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
                                break;
                        }
@@ -2829,7 +2933,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
 
                                        /* And ready to receive another command. */
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
 
                                        /* And ready to receive another command. */
-                                       UartReset();
+                                       UartInit(receivedCmd, receivedCmdPar);
                                        
                                        /* And also reset the demod code */
                                        DemodReset();
                                        
                                        /* And also reset the demod code */
                                        DemodReset();
@@ -2846,6 +2950,9 @@ void RAMFUNC SniffMifare(uint8_t param) {
 
                                        // And ready to receive another response.
                                        DemodReset();
 
                                        // And ready to receive another response.
                                        DemodReset();
+
+                                       // And reset the Miller decoder including its (now outdated) input buffer
+                                       UartInit(receivedCmd, receivedCmdPar);
                                }
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
                        }
                                }
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
                        }
Proxmark3 GIT tracking
Impressum, Datenschutz