]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhfmf.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix: usage and sample text of hf mf cwipe
[proxmark3-svn] / client / cmdhfmf.c
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 48e78b1c2fcad2a74a90de187356d346ed54492c..d9578af25768e8aa0e6e7b5d4a91101bb5ea1cd9 100644 (file)
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -10,98 +10,60 @@
 \r
 #include "cmdhfmf.h"\r
 \r
 \r
 #include "cmdhfmf.h"\r
 \r
+#include <inttypes.h>\r
+#include <string.h>\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <ctype.h>\r
+#include "proxmark3.h"\r
+#include "cmdmain.h"\r
+#include "cmdhfmfhard.h"\r
+#include "util.h"\r
+#include "util_posix.h"\r
+#include "usb_cmd.h"\r
+#include "ui.h"\r
+#include "mifarehost.h"\r
+#include "mifare.h"\r
+#include "mfkey.h"\r
+\r
+#define NESTED_SECTOR_RETRY     10                     // how often we try mfested() until we give up\r
+\r
 static int CmdHelp(const char *Cmd);\r
 \r
 int CmdHF14AMifare(const char *Cmd)\r
 {\r
 static int CmdHelp(const char *Cmd);\r
 \r
 int CmdHF14AMifare(const char *Cmd)\r
 {\r
-       uint32_t uid = 0;\r
-       uint32_t nt = 0, nr = 0;\r
-       uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
-       int16_t isOK = 0;\r
-\r
-       UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
-\r
-       // message\r
-       printf("-------------------------------------------------------------------------\n");\r
-       printf("Executing command. Expected execution time: 25sec on average  :-)\n");\r
-       printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
-       printf("-------------------------------------------------------------------------\n");\r
-\r
-       \r
-start:\r
-    clearCommandBuffer();\r
-    SendCommand(&c);\r
-       \r
-       //flush queue\r
-       while (ukbhit())        getchar();\r
-\r
-       // wait cycle\r
-       while (true) {\r
-        printf(".");\r
-               fflush(stdout);\r
-               if (ukbhit()) {\r
-                       getchar();\r
-                       printf("\naborted via keyboard!\n");\r
-                       break;\r
-               }\r
-               \r
-               UsbCommand resp;\r
-               if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {\r
-                       isOK  = resp.arg[0];\r
-                       uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);\r
-                       nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);\r
-                       par_list = bytes_to_num(resp.d.asBytes +  8, 8);\r
-                       ks_list = bytes_to_num(resp.d.asBytes +  16, 8);\r
-                       nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
-                       printf("\n\n");\r
-                       switch (isOK) {\r
-                               case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
-                               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
-                               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
-                               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
-                                                       PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
-                               default: ;\r
-                       }\r
-                       break;\r
-               }\r
-       }       \r
-\r
-       printf("\n");\r
-       \r
-       // error\r
-       if (isOK != 1) return 1;\r
-       \r
-       // execute original function from util nonce2key\r
-       if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
-               isOK = 2;\r
-               PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);    \r
-               PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
-               c.arg[0] = false;\r
-               goto start;\r
-       } else {\r
-               isOK = 0;\r
-               printf("------------------------------------------------------------------\n");\r
-               PrintAndLog("Found valid key:%012"llx" \n", r_key);\r
+       int isOK = 0;\r
+       uint64_t key = 0;\r
+       isOK = mfDarkside(&key);\r
+       switch (isOK) {\r
+               case -1 : PrintAndLog("Button pressed. Aborted."); return 1;\r
+               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;\r
+               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;\r
+               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+                                 PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;\r
+               case -5 : PrintAndLog("Aborted via keyboard.");  return 1;\r
+               default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);\r
        }\r
        }\r
-       \r
+\r
        PrintAndLog("");\r
        return 0;\r
 }\r
 \r
        PrintAndLog("");\r
        return 0;\r
 }\r
 \r
+\r
 int CmdHF14AMfWrBl(const char *Cmd)\r
 {\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
        uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
 int CmdHF14AMfWrBl(const char *Cmd)\r
 {\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
        uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
-       \r
+\r
        char cmdp       = 0x00;\r
 \r
        if (strlen(Cmd)<3) {\r
                PrintAndLog("Usage:  hf mf wrbl    <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");\r
                PrintAndLog("        sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");\r
                return 0;\r
        char cmdp       = 0x00;\r
 \r
        if (strlen(Cmd)<3) {\r
                PrintAndLog("Usage:  hf mf wrbl    <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");\r
                PrintAndLog("        sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");\r
                return 0;\r
-       }       \r
+       }\r
 \r
        blockNo = param_get8(Cmd, 0);\r
        cmdp = param_getchar(Cmd, 1);\r
 \r
        blockNo = param_get8(Cmd, 0);\r
        cmdp = param_getchar(Cmd, 1);\r
@@ -120,7 +82,7 @@ int CmdHF14AMfWrBl(const char *Cmd)
        }\r
        PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
        PrintAndLog("--data: %s", sprint_hex(bldata, 16));\r
        }\r
        PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
        PrintAndLog("--data: %s", sprint_hex(bldata, 16));\r
-       \r
+\r
   UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};\r
        memcpy(c.d.asBytes, key, 6);\r
        memcpy(c.d.asBytes + 10, bldata, 16);\r
   UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};\r
        memcpy(c.d.asBytes, key, 6);\r
        memcpy(c.d.asBytes + 10, bldata, 16);\r
@@ -142,7 +104,7 @@ int CmdHF14AMfRdBl(const char *Cmd)
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
-       \r
+\r
        char cmdp       = 0x00;\r
 \r
 \r
        char cmdp       = 0x00;\r
 \r
 \r
@@ -150,8 +112,8 @@ int CmdHF14AMfRdBl(const char *Cmd)
                PrintAndLog("Usage:  hf mf rdbl    <block number> <key A/B> <key (12 hex symbols)>");\r
                PrintAndLog("        sample: hf mf rdbl 0 A FFFFFFFFFFFF ");\r
                return 0;\r
                PrintAndLog("Usage:  hf mf rdbl    <block number> <key A/B> <key (12 hex symbols)>");\r
                PrintAndLog("        sample: hf mf rdbl 0 A FFFFFFFFFFFF ");\r
                return 0;\r
-       }       \r
-       \r
+       }\r
+\r
        blockNo = param_get8(Cmd, 0);\r
        cmdp = param_getchar(Cmd, 1);\r
        if (cmdp == 0x00) {\r
        blockNo = param_get8(Cmd, 0);\r
        cmdp = param_getchar(Cmd, 1);\r
        if (cmdp == 0x00) {\r
@@ -164,7 +126,7 @@ int CmdHF14AMfRdBl(const char *Cmd)
                return 1;\r
        }\r
        PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
                return 1;\r
        }\r
        PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
-       \r
+\r
   UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};\r
        memcpy(c.d.asBytes, key, 6);\r
   SendCommand(&c);\r
   UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};\r
        memcpy(c.d.asBytes, key, 6);\r
   SendCommand(&c);\r
@@ -199,8 +161,8 @@ int CmdHF14AMfRdSc(const char *Cmd)
                PrintAndLog("Usage:  hf mf rdsc    <sector number> <key A/B> <key (12 hex symbols)>");\r
                PrintAndLog("        sample: hf mf rdsc 0 A FFFFFFFFFFFF ");\r
                return 0;\r
                PrintAndLog("Usage:  hf mf rdsc    <sector number> <key A/B> <key (12 hex symbols)>");\r
                PrintAndLog("        sample: hf mf rdsc 0 A FFFFFFFFFFFF ");\r
                return 0;\r
-       }       \r
-       \r
+       }\r
+\r
        sectorNo = param_get8(Cmd, 0);\r
        if (sectorNo > 39) {\r
                PrintAndLog("Sector number must be less than 40");\r
        sectorNo = param_get8(Cmd, 0);\r
        if (sectorNo > 39) {\r
                PrintAndLog("Sector number must be less than 40");\r
@@ -217,7 +179,7 @@ int CmdHF14AMfRdSc(const char *Cmd)
                return 1;\r
        }\r
        PrintAndLog("--sector no:%d key type:%c key:%s ", sectorNo, keyType?'B':'A', sprint_hex(key, 6));\r
                return 1;\r
        }\r
        PrintAndLog("--sector no:%d key type:%c key:%s ", sectorNo, keyType?'B':'A', sprint_hex(key, 6));\r
-       \r
+\r
        UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};\r
        memcpy(c.d.asBytes, key, 6);\r
        SendCommand(&c);\r
        UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};\r
        memcpy(c.d.asBytes, key, 6);\r
        SendCommand(&c);\r
@@ -260,31 +222,46 @@ uint8_t NumBlocksPerSector(uint8_t sectorNo)
        }\r
 }\r
 \r
        }\r
 }\r
 \r
+static int ParamCardSizeSectors(const char c) {\r
+       int numBlocks = 16;\r
+       switch (c) {\r
+               case '0' : numBlocks = 5; break;\r
+               case '2' : numBlocks = 32; break;\r
+               case '4' : numBlocks = 40; break;\r
+               default:   numBlocks = 16;\r
+       }\r
+       return numBlocks;\r
+}\r
+\r
+static int ParamCardSizeBlocks(const char c) {\r
+       int numBlocks = 16 * 4;\r
+       switch (c) {\r
+               case '0' : numBlocks = 5 * 4; break;\r
+               case '2' : numBlocks = 32 * 4; break;\r
+               case '4' : numBlocks = 32 * 4 + 8 * 16; break;\r
+               default:   numBlocks = 16 * 4;\r
+       }\r
+       return numBlocks;\r
+}\r
+\r
 int CmdHF14AMfDump(const char *Cmd)\r
 {\r
        uint8_t sectorNo, blockNo;\r
 int CmdHF14AMfDump(const char *Cmd)\r
 {\r
        uint8_t sectorNo, blockNo;\r
-       \r
+\r
        uint8_t keyA[40][6];\r
        uint8_t keyB[40][6];\r
        uint8_t rights[40][4];\r
        uint8_t carddata[256][16];\r
        uint8_t numSectors = 16;\r
        uint8_t keyA[40][6];\r
        uint8_t keyB[40][6];\r
        uint8_t rights[40][4];\r
        uint8_t carddata[256][16];\r
        uint8_t numSectors = 16;\r
-       \r
+\r
        FILE *fin;\r
        FILE *fout;\r
        FILE *fin;\r
        FILE *fout;\r
-       \r
+\r
        UsbCommand resp;\r
 \r
        char cmdp = param_getchar(Cmd, 0);\r
        UsbCommand resp;\r
 \r
        char cmdp = param_getchar(Cmd, 0);\r
-       switch (cmdp) {\r
-               case '0' : numSectors = 5; break;\r
-               case '1' : \r
-               case '\0': numSectors = 16; break;\r
-               case '2' : numSectors = 32; break;\r
-               case '4' : numSectors = 40; break;\r
-               default:   numSectors = 16;\r
-       }       \r
-       \r
+       numSectors = ParamCardSizeSectors(cmdp);\r
+\r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {\r
                PrintAndLog("Usage:   hf mf dump [card memory]");\r
                PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {\r
                PrintAndLog("Usage:   hf mf dump [card memory]");\r
                PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
@@ -293,90 +270,101 @@ int CmdHF14AMfDump(const char *Cmd)
                PrintAndLog("         hf mf dump 4");\r
                return 0;\r
        }\r
                PrintAndLog("         hf mf dump 4");\r
                return 0;\r
        }\r
-       \r
+\r
        if ((fin = fopen("dumpkeys.bin","rb")) == NULL) {\r
                PrintAndLog("Could not find file dumpkeys.bin");\r
                return 1;\r
        }\r
        if ((fin = fopen("dumpkeys.bin","rb")) == NULL) {\r
                PrintAndLog("Could not find file dumpkeys.bin");\r
                return 1;\r
        }\r
-       \r
+\r
        // Read keys A from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
        // Read keys A from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
-               if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {\r
+               size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
                }\r
        }\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
                }\r
        }\r
-       \r
+\r
        // Read keys B from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
        // Read keys B from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
-               if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {\r
+               size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
                }\r
        }\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
                }\r
        }\r
-       \r
+\r
        fclose(fin);\r
 \r
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|------ Reading sector access bits...-----|");\r
        PrintAndLog("|-----------------------------------------|");\r
        fclose(fin);\r
 \r
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|------ Reading sector access bits...-----|");\r
        PrintAndLog("|-----------------------------------------|");\r
-       \r
+       uint8_t tries = 0;\r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
-               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
-               SendCommand(&c);\r
+               for (tries = 0; tries < 3; tries++) {\r
+                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
+                       memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+                       SendCommand(&c);\r
 \r
 \r
-               if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
-                       uint8_t isOK  = resp.arg[0] & 0xff;\r
-                       uint8_t *data  = resp.d.asBytes;\r
-                       if (isOK){\r
-                               rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
-                               rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
-                               rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
-                               rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+                       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               uint8_t isOK  = resp.arg[0] & 0xff;\r
+                               uint8_t *data  = resp.d.asBytes;\r
+                               if (isOK){\r
+                                       rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
+                                       rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
+                                       rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
+                                       rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+                                       break;\r
+                               } else if (tries == 2) { // on last try set defaults\r
+                                       PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                                       rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
+                                       rights[sectorNo][3] = 0x01;\r
+                               }\r
                        } else {\r
                        } else {\r
-                               PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                               PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
                                rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
                                rights[sectorNo][3] = 0x01;\r
                        }\r
                                rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
                                rights[sectorNo][3] = 0x01;\r
                        }\r
-               } else {\r
-                       PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
-                       rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
-                       rights[sectorNo][3] = 0x01;\r
                }\r
        }\r
                }\r
        }\r
-       \r
+\r
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|----- Dumping all blocks to file... -----|");\r
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|----- Dumping all blocks to file... -----|");\r
        PrintAndLog("|-----------------------------------------|");\r
-       \r
+\r
        bool isOK = true;\r
        for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
                for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
                        bool received = false;\r
        bool isOK = true;\r
        for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
                for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
                        bool received = false;\r
-                       \r
-                       if (blockNo == NumBlocksPerSector(sectorNo) - 1) {              // sector trailer. At least the Access Conditions can always be read with key A. \r
-                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
-                               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
-                               SendCommand(&c);\r
-                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
-                       } else {                                                                                                // data block. Check if it can be read with key A or key B\r
-                               uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
-                               if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work\r
-                                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
-                                       memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
-                                       SendCommand(&c);\r
-                                       received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
-                               } else if (rights[sectorNo][data_area] == 0x07) {                                                                               // no key would work\r
-                                       isOK = false;\r
-                                       PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
-                               } else {                                                                                                                                                                // key A would work\r
+                       for (tries = 0; tries < 3; tries++) {\r
+                               if (blockNo == NumBlocksPerSector(sectorNo) - 1) {              // sector trailer. At least the Access Conditions can always be read with key A.\r
                                        UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
                                        memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
                                        SendCommand(&c);\r
                                        received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
                                        UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
                                        memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
                                        SendCommand(&c);\r
                                        received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                               } else {                                                                                                // data block. Check if it can be read with key A or key B\r
+                                       uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
+                                       if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
+                                               memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       } else if (rights[sectorNo][data_area] == 0x07) {                                                                               // no key would work\r
+                                               isOK = false;\r
+                                               PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
+                                               tries = 2;\r
+                                       } else {                                                                                                                                                                // key A would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
+                                               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       }\r
+                               }\r
+                               if (received) {\r
+                                       isOK  = resp.arg[0] & 0xff;\r
+                                       if (isOK) break;\r
                                }\r
                        }\r
 \r
                                }\r
                        }\r
 \r
@@ -414,7 +402,7 @@ int CmdHF14AMfDump(const char *Cmd)
        }\r
 \r
        if (isOK) {\r
        }\r
 \r
        if (isOK) {\r
-               if ((fout = fopen("dumpdata.bin","wb")) == NULL) { \r
+               if ((fout = fopen("dumpdata.bin","wb")) == NULL) {\r
                        PrintAndLog("Could not create file name dumpdata.bin");\r
                        return 1;\r
                }\r
                        PrintAndLog("Could not create file name dumpdata.bin");\r
                        return 1;\r
                }\r
@@ -423,7 +411,7 @@ int CmdHF14AMfDump(const char *Cmd)
                fclose(fout);\r
                PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks);\r
        }\r
                fclose(fout);\r
                PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks);\r
        }\r
-               \r
+\r
        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r
@@ -436,19 +424,19 @@ int CmdHF14AMfRestore(const char *Cmd)
        uint8_t keyA[40][6];\r
        uint8_t keyB[40][6];\r
        uint8_t numSectors;\r
        uint8_t keyA[40][6];\r
        uint8_t keyB[40][6];\r
        uint8_t numSectors;\r
-       \r
+\r
        FILE *fdump;\r
        FILE *fkeys;\r
 \r
        char cmdp = param_getchar(Cmd, 0);\r
        switch (cmdp) {\r
                case '0' : numSectors = 5; break;\r
        FILE *fdump;\r
        FILE *fkeys;\r
 \r
        char cmdp = param_getchar(Cmd, 0);\r
        switch (cmdp) {\r
                case '0' : numSectors = 5; break;\r
-               case '1' : \r
+               case '1' :\r
                case '\0': numSectors = 16; break;\r
                case '2' : numSectors = 32; break;\r
                case '4' : numSectors = 40; break;\r
                default:   numSectors = 16;\r
                case '\0': numSectors = 16; break;\r
                case '2' : numSectors = 32; break;\r
                case '4' : numSectors = 40; break;\r
                default:   numSectors = 16;\r
-       }       \r
+       }\r
 \r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {\r
                PrintAndLog("Usage:   hf mf restore [card memory]");\r
 \r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {\r
                PrintAndLog("Usage:   hf mf restore [card memory]");\r
@@ -463,18 +451,19 @@ int CmdHF14AMfRestore(const char *Cmd)
                PrintAndLog("Could not find file dumpkeys.bin");\r
                return 1;\r
        }\r
                PrintAndLog("Could not find file dumpkeys.bin");\r
                return 1;\r
        }\r
-       \r
+\r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {\r
+               size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
-\r
                        fclose(fkeys);\r
                        return 2;\r
                }\r
        }\r
 \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
                        fclose(fkeys);\r
                        return 2;\r
                }\r
        }\r
 \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {\r
+               size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
                        fclose(fkeys);\r
                        return 2;\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
                        fclose(fkeys);\r
                        return 2;\r
@@ -486,20 +475,21 @@ int CmdHF14AMfRestore(const char *Cmd)
        if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {\r
                PrintAndLog("Could not find file dumpdata.bin");\r
                return 1;\r
        if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {\r
                PrintAndLog("Could not find file dumpdata.bin");\r
                return 1;\r
-       }       \r
+       }\r
        PrintAndLog("Restoring dumpdata.bin to card");\r
 \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
                for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
                        UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
                        memcpy(c.d.asBytes, key, 6);\r
        PrintAndLog("Restoring dumpdata.bin to card");\r
 \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
                for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
                        UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
                        memcpy(c.d.asBytes, key, 6);\r
-                       \r
-                       if (fread(bldata, 1, 16, fdump) == 0) {\r
+\r
+                       size_t bytes_read = fread(bldata, 1, 16, fdump);\r
+                       if (bytes_read != 16) {\r
                                PrintAndLog("File reading error (dumpdata.bin).");\r
                                fclose(fdump);\r
                                return 2;\r
                        }\r
                                PrintAndLog("File reading error (dumpdata.bin).");\r
                                fclose(fdump);\r
                                return 2;\r
                        }\r
-                                       \r
+\r
                        if (blockNo == NumBlocksPerSector(sectorNo) - 1) {      // sector trailer\r
                                bldata[0]  = (keyA[sectorNo][0]);\r
                                bldata[1]  = (keyA[sectorNo][1]);\r
                        if (blockNo == NumBlocksPerSector(sectorNo) - 1) {      // sector trailer\r
                                bldata[0]  = (keyA[sectorNo][0]);\r
                                bldata[1]  = (keyA[sectorNo][1]);\r
@@ -513,10 +503,10 @@ int CmdHF14AMfRestore(const char *Cmd)
                                bldata[13] = (keyB[sectorNo][3]);\r
                                bldata[14] = (keyB[sectorNo][4]);\r
                                bldata[15] = (keyB[sectorNo][5]);\r
                                bldata[13] = (keyB[sectorNo][3]);\r
                                bldata[14] = (keyB[sectorNo][4]);\r
                                bldata[15] = (keyB[sectorNo][5]);\r
-                       }               \r
-                       \r
+                       }\r
+\r
                        PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16));\r
                        PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16));\r
-                       \r
+\r
                        memcpy(c.d.asBytes + 10, bldata, 16);\r
                        SendCommand(&c);\r
 \r
                        memcpy(c.d.asBytes + 10, bldata, 16);\r
                        SendCommand(&c);\r
 \r
@@ -529,95 +519,150 @@ int CmdHF14AMfRestore(const char *Cmd)
                        }\r
                }\r
        }\r
                        }\r
                }\r
        }\r
-       \r
+\r
        fclose(fdump);\r
        return 0;\r
 }\r
 \r
        fclose(fdump);\r
        return 0;\r
 }\r
 \r
+//----------------------------------------------\r
+//   Nested\r
+//----------------------------------------------\r
+\r
+static void parseParamTDS(const char *Cmd, const uint8_t indx, bool *paramT, bool *paramD, uint8_t *timeout) {\r
+       char ctmp3[3] = {0};\r
+       int len = param_getlength(Cmd, indx);\r
+       if (len > 0 && len < 4){\r
+               param_getstr(Cmd, indx, ctmp3, sizeof(ctmp3));\r
+               \r
+               *paramT |= (ctmp3[0] == 't' || ctmp3[0] == 'T');\r
+               *paramD |= (ctmp3[0] == 'd' || ctmp3[0] == 'D');\r
+               bool paramS1 = *paramT || *paramD;\r
+\r
+               // slow and very slow\r
+               if (ctmp3[0] == 's' || ctmp3[0] == 'S' || ctmp3[1] == 's' || ctmp3[1] == 'S') {\r
+                       *timeout = 11; // slow\r
+               \r
+                       if (!paramS1 && (ctmp3[1] == 's' || ctmp3[1] == 'S')) {\r
+                               *timeout = 53; // very slow\r
+                       }\r
+                       if (paramS1 && (ctmp3[2] == 's' || ctmp3[2] == 'S')) {\r
+                               *timeout = 53; // very slow\r
+                       }\r
+               }\r
+       }\r
+}\r
+\r
 int CmdHF14AMfNested(const char *Cmd)\r
 {\r
        int i, j, res, iterations;\r
 int CmdHF14AMfNested(const char *Cmd)\r
 {\r
        int i, j, res, iterations;\r
-       sector *e_sector = NULL;\r
+       sector_t *e_sector = NULL;\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t trgBlockNo = 0;\r
        uint8_t trgKeyType = 0;\r
        uint8_t SectorsCnt = 0;\r
        uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t trgBlockNo = 0;\r
        uint8_t trgKeyType = 0;\r
        uint8_t SectorsCnt = 0;\r
        uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
-       uint8_t keyBlock[14*6];\r
+       uint8_t keyBlock[MifareDefaultKeysSize * 6];\r
        uint64_t key64 = 0;\r
        uint64_t key64 = 0;\r
-       bool transferToEml = false;\r
+       // timeout in units. (ms * 106)/10 or us*0.0106\r
+       uint8_t btimeout14a = MF_CHKKEYS_DEFTIMEOUT; // fast by default\r
        \r
        \r
+       bool autosearchKey = false;\r
+\r
+       bool transferToEml = false;\r
        bool createDumpFile = false;\r
        FILE *fkeys;\r
        uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
        uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
        bool createDumpFile = false;\r
        FILE *fkeys;\r
        uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
        uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
-       \r
+\r
        char cmdp, ctmp;\r
 \r
        if (strlen(Cmd)<3) {\r
                PrintAndLog("Usage:");\r
        char cmdp, ctmp;\r
 \r
        if (strlen(Cmd)<3) {\r
                PrintAndLog("Usage:");\r
-               PrintAndLog(" all sectors:  hf mf nested  <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]");\r
+               PrintAndLog(" all sectors:  hf mf nested  <card memory> <block number> <key A/B> <key (12 hex symbols)> [t|d|s|ss]");\r
+               PrintAndLog(" all sectors autosearch key:  hf mf nested  <card memory> * [t|d|s|ss]");\r
                PrintAndLog(" one sector:   hf mf nested  o <block number> <key A/B> <key (12 hex symbols)>");\r
                PrintAndLog("               <target block number> <target key A/B> [t]");\r
                PrintAndLog(" one sector:   hf mf nested  o <block number> <key A/B> <key (12 hex symbols)>");\r
                PrintAndLog("               <target block number> <target key A/B> [t]");\r
+               PrintAndLog(" ");\r
                PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
                PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
-               PrintAndLog("t - transfer keys into emulator memory");\r
-               PrintAndLog("d - write keys to binary file");\r
+               PrintAndLog("t - transfer keys to emulator memory");\r
+               PrintAndLog("d - write keys to binary file dumpkeys.bin");\r
+               PrintAndLog("s - Slow (1ms) check keys (required by some non standard cards)");\r
+               PrintAndLog("ss - Very slow (5ms) check keys");\r
                PrintAndLog(" ");\r
                PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");\r
                PrintAndLog("      sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
                PrintAndLog("      sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
                PrintAndLog("      sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
                PrintAndLog(" ");\r
                PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");\r
                PrintAndLog("      sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
                PrintAndLog("      sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
                PrintAndLog("      sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
+               PrintAndLog("      sample5: hf mf nested 1 * t");\r
+               PrintAndLog("      sample6: hf mf nested 1 * ss");\r
                return 0;\r
                return 0;\r
-       }       \r
-       \r
-       cmdp = param_getchar(Cmd, 0);\r
-       blockNo = param_get8(Cmd, 1);\r
-       ctmp = param_getchar(Cmd, 2);\r
-       \r
-       if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
-               PrintAndLog("Key type must be A or B");\r
-               return 1;\r
        }\r
        }\r
-       \r
-       if (ctmp != 'A' && ctmp != 'a') \r
-               keyType = 1;\r
-               \r
-       if (param_gethex(Cmd, 3, key, 12)) {\r
-               PrintAndLog("Key must include 12 HEX symbols");\r
-               return 1;\r
-       }\r
-       \r
+\r
+       // <card memory>\r
+       cmdp = param_getchar(Cmd, 0);\r
        if (cmdp == 'o' || cmdp == 'O') {\r
                cmdp = 'o';\r
        if (cmdp == 'o' || cmdp == 'O') {\r
                cmdp = 'o';\r
-               trgBlockNo = param_get8(Cmd, 4);\r
-               ctmp = param_getchar(Cmd, 5);\r
+               SectorsCnt = 1;\r
+       } else {\r
+               SectorsCnt = ParamCardSizeSectors(cmdp);\r
+       }\r
+               \r
+       // <block number>. number or autosearch key (*)\r
+       if (param_getchar(Cmd, 1) == '*') {\r
+               autosearchKey = true;\r
+\r
+               parseParamTDS(Cmd, 2, &transferToEml, &createDumpFile, &btimeout14a);\r
+\r
+               PrintAndLog("--nested. sectors:%2d, block no:*, eml:%c, dmp=%c checktimeout=%d us", \r
+                       SectorsCnt, transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);\r
+       } else {\r
+               blockNo = param_get8(Cmd, 1);\r
+\r
+               ctmp = param_getchar(Cmd, 2);\r
                if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
                if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
-                       PrintAndLog("Target key type must be A or B");\r
+                       PrintAndLog("Key type must be A or B");\r
                        return 1;\r
                }\r
                        return 1;\r
                }\r
-               if (ctmp != 'A' && ctmp != 'a') \r
-                       trgKeyType = 1;\r
-       } else {\r
-                               \r
-               switch (cmdp) {\r
-                       case '0': SectorsCnt = 05; break;\r
-                       case '1': SectorsCnt = 16; break;\r
-                       case '2': SectorsCnt = 32; break;\r
-                       case '4': SectorsCnt = 40; break;\r
-                       default:  SectorsCnt = 16;\r
+\r
+               if (ctmp != 'A' && ctmp != 'a')\r
+                       keyType = 1;\r
+\r
+               if (param_gethex(Cmd, 3, key, 12)) {\r
+                       PrintAndLog("Key must include 12 HEX symbols");\r
+                       return 1;\r
+               }\r
+\r
+               // check if we can authenticate to sector\r
+               res = mfCheckKeys(blockNo, keyType, true, 1, key, &key64);\r
+               if (res) {\r
+                       PrintAndLog("Can't authenticate to block:%3d key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
+                       return 3;\r
+               }\r
+\r
+               // one sector nested\r
+               if (cmdp == 'o') { \r
+                       trgBlockNo = param_get8(Cmd, 4);\r
+\r
+                       ctmp = param_getchar(Cmd, 5);\r
+                       if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                               PrintAndLog("Target key type must be A or B");\r
+                               return 1;\r
+                       }\r
+                       if (ctmp != 'A' && ctmp != 'a')\r
+                               trgKeyType = 1;\r
+\r
+                       parseParamTDS(Cmd, 6, &transferToEml, &createDumpFile, &btimeout14a);\r
+               } else {\r
+                       parseParamTDS(Cmd, 4, &transferToEml, &createDumpFile, &btimeout14a);\r
                }\r
                }\r
+\r
+               PrintAndLog("--nested. sectors:%2d, block no:%3d, key type:%c, eml:%c, dmp=%c checktimeout=%d us", \r
+                       SectorsCnt, blockNo, keyType?'B':'A', transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);\r
        }\r
 \r
        }\r
 \r
-       ctmp = param_getchar(Cmd, 4);\r
-       if              (ctmp == 't' || ctmp == 'T') transferToEml = true;\r
-       else if (ctmp == 'd' || ctmp == 'D') createDumpFile = true;\r
-       \r
-       ctmp = param_getchar(Cmd, 6);\r
-       transferToEml |= (ctmp == 't' || ctmp == 'T');\r
-       transferToEml |= (ctmp == 'd' || ctmp == 'D');\r
-       \r
-       if (cmdp == 'o') {\r
+       // one-sector nested\r
+       if (cmdp == 'o') { // ------------------------------------  one sector working\r
                PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');\r
                int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);\r
                if (isOK) {\r
                PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');\r
                int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);\r
                if (isOK) {\r
@@ -631,7 +676,7 @@ int CmdHF14AMfNested(const char *Cmd)
                }\r
                key64 = bytes_to_num(keyBlock, 6);\r
                if (key64) {\r
                }\r
                key64 = bytes_to_num(keyBlock, 6);\r
                if (key64) {\r
-                       PrintAndLog("Found valid key:%012"llx, key64);\r
+                       PrintAndLog("Found valid key:%012" PRIx64, key64);\r
 \r
                        // transfer key to the emulator\r
                        if (transferToEml) {\r
 \r
                        // transfer key to the emulator\r
                        if (transferToEml) {\r
@@ -642,61 +687,66 @@ int CmdHF14AMfNested(const char *Cmd)
                                        sectortrailer = (trgBlockNo & 0x0f) + 15;\r
                                }\r
                                mfEmlGetMem(keyBlock, sectortrailer, 1);\r
                                        sectortrailer = (trgBlockNo & 0x0f) + 15;\r
                                }\r
                                mfEmlGetMem(keyBlock, sectortrailer, 1);\r
-               \r
+\r
                                if (!trgKeyType)\r
                                        num_to_bytes(key64, 6, keyBlock);\r
                                else\r
                                        num_to_bytes(key64, 6, &keyBlock[10]);\r
                                if (!trgKeyType)\r
                                        num_to_bytes(key64, 6, keyBlock);\r
                                else\r
                                        num_to_bytes(key64, 6, &keyBlock[10]);\r
-                               mfEmlSetMem(keyBlock, sectortrailer, 1);                \r
+                               mfEmlSetMem(keyBlock, sectortrailer, 1);\r
+                               PrintAndLog("Key transferred to emulator memory.");\r
                        }\r
                } else {\r
                        PrintAndLog("No valid key found");\r
                }\r
        }\r
        else { // ------------------------------------  multiple sectors working\r
                        }\r
                } else {\r
                        PrintAndLog("No valid key found");\r
                }\r
        }\r
        else { // ------------------------------------  multiple sectors working\r
-               clock_t time1;\r
-               time1 = clock();\r
+               uint64_t msclock1;\r
+               msclock1 = msclock();\r
 \r
 \r
-               e_sector = calloc(SectorsCnt, sizeof(sector));\r
+               e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
                if (e_sector == NULL) return 1;\r
                if (e_sector == NULL) return 1;\r
-               \r
+\r
                //test current key and additional standard keys first\r
                //test current key and additional standard keys first\r
-               memcpy(keyBlock, key, 6);\r
-               num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 1 * 6));\r
-               num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 2 * 6));\r
-               num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6));\r
-               num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6));\r
-               num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));\r
-               num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 6 * 6));\r
-               num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 7 * 6));\r
-               num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 8 * 6));\r
-               num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 9 * 6));\r
-               num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 10 * 6));\r
-               num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 11 * 6));\r
-               num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 12 * 6));\r
-               num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 13 * 6));\r
+               for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){\r
+                       num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));\r
+               }\r
 \r
                PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);\r
 \r
                PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);\r
-               for (i = 0; i < SectorsCnt; i++) {\r
-                       for (j = 0; j < 2; j++) {\r
-                               if (e_sector[i].foundKey[j]) continue;\r
-                               \r
-                               res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);\r
-                               \r
-                               if (!res) {\r
-                                       e_sector[i].Key[j] = key64;\r
-                                       e_sector[i].foundKey[j] = 1;\r
+               mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, MifareDefaultKeysSize, keyBlock, e_sector);\r
+               \r
+               // get known key from array\r
+               bool keyFound = false;\r
+               if (autosearchKey) {\r
+                       for (i = 0; i < SectorsCnt; i++) {\r
+                               for (j = 0; j < 2; j++) {\r
+                                       if (e_sector[i].foundKey[j]) {\r
+                                               // get known key\r
+                                               blockNo = i * 4;\r
+                                               keyType = j;\r
+                                               num_to_bytes(e_sector[i].Key[j], 6, key);\r
+                                               \r
+                                               keyFound = true;\r
+                                               break;\r
+                                       }\r
                                }\r
                                }\r
+                               if (keyFound) break;\r
+                       }               \r
+\r
+                       // Can't found a key....\r
+                       if (!keyFound) {\r
+                               PrintAndLog("Can't found any of the known keys.");\r
+                               return 4;\r
                        }\r
                        }\r
+                       PrintAndLog("--auto key. block no:%3d, key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
                }\r
                }\r
-               \r
+\r
                // nested sectors\r
                iterations = 0;\r
                PrintAndLog("nested...");\r
                bool calibrate = true;\r
                for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
                        for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
                // nested sectors\r
                iterations = 0;\r
                PrintAndLog("nested...");\r
                bool calibrate = true;\r
                for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
                        for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
-                               for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
+                               for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {\r
                                        if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
                                        PrintAndLog("-----------------------------------------------");\r
                                        int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
                                        if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
                                        PrintAndLog("-----------------------------------------------");\r
                                        int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
@@ -712,33 +762,37 @@ int CmdHF14AMfNested(const char *Cmd)
                                        } else {\r
                                                calibrate = false;\r
                                        }\r
                                        } else {\r
                                                calibrate = false;\r
                                        }\r
-                                       \r
+\r
                                        iterations++;\r
 \r
                                        key64 = bytes_to_num(keyBlock, 6);\r
                                        if (key64) {\r
                                        iterations++;\r
 \r
                                        key64 = bytes_to_num(keyBlock, 6);\r
                                        if (key64) {\r
-                                               PrintAndLog("Found valid key:%012"llx, key64);\r
+                                               PrintAndLog("Found valid key:%012" PRIx64, key64);\r
                                                e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
                                                e_sector[sectorNo].Key[trgKeyType] = key64;\r
                                                e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
                                                e_sector[sectorNo].Key[trgKeyType] = key64;\r
+                                               \r
+                                               // try to check this key as a key to the other sectors\r
+                                               mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, 1, keyBlock, e_sector);\r
                                        }\r
                                }\r
                        }\r
                }\r
 \r
                                        }\r
                                }\r
                        }\r
                }\r
 \r
-               printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);\r
+               // print nested statistic\r
+               PrintAndLog("\n\n-----------------------------------------------\nNested statistic:\nIterations count: %d", iterations);\r
+               PrintAndLog("Time in nested: %1.3f (%1.3f sec per key)", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);\r
                \r
                \r
-               PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);\r
-               //print them\r
+               // print result\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                PrintAndLog("|sec|key A           |res|key B           |res|");\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                for (i = 0; i < SectorsCnt; i++) {\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                PrintAndLog("|sec|key A           |res|key B           |res|");\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                for (i = 0; i < SectorsCnt; i++) {\r
-                       PrintAndLog("|%03d|  %012"llx"  | %d |  %012"llx"  | %d |", i,\r
+                       PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,\r
                                e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
                }\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                                e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
                }\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
-               \r
-               // transfer them to the emulator\r
+\r
+               // transfer keys to the emulator memory\r
                if (transferToEml) {\r
                        for (i = 0; i < SectorsCnt; i++) {\r
                                mfEmlGetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
                if (transferToEml) {\r
                        for (i = 0; i < SectorsCnt; i++) {\r
                                mfEmlGetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
@@ -747,12 +801,13 @@ int CmdHF14AMfNested(const char *Cmd)
                                if (e_sector[i].foundKey[1])\r
                                        num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]);\r
                                mfEmlSetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
                                if (e_sector[i].foundKey[1])\r
                                        num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]);\r
                                mfEmlSetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
-                       }               \r
+                       }\r
+                       PrintAndLog("Keys transferred to emulator memory.");\r
                }\r
                }\r
-               \r
+\r
                // Create dump file\r
                if (createDumpFile) {\r
                // Create dump file\r
                if (createDumpFile) {\r
-                       if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) { \r
+                       if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) {\r
                                PrintAndLog("Could not create file dumpkeys.bin");\r
                                free(e_sector);\r
                                return 1;\r
                                PrintAndLog("Could not create file dumpkeys.bin");\r
                                free(e_sector);\r
                                return 1;\r
@@ -778,103 +833,231 @@ int CmdHF14AMfNested(const char *Cmd)
                        }\r
                        fclose(fkeys);\r
                }\r
                        }\r
                        fclose(fkeys);\r
                }\r
-               \r
+\r
                free(e_sector);\r
        }\r
        return 0;\r
 }\r
 \r
                free(e_sector);\r
        }\r
        return 0;\r
 }\r
 \r
+\r
+int CmdHF14AMfNestedHard(const char *Cmd)\r
+{\r
+       uint8_t blockNo = 0;\r
+       uint8_t keyType = 0;\r
+       uint8_t trgBlockNo = 0;\r
+       uint8_t trgKeyType = 0;\r
+       uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
+       uint8_t trgkey[6] = {0, 0, 0, 0, 0, 0};\r
+\r
+       char ctmp;\r
+       ctmp = param_getchar(Cmd, 0);\r
+\r
+       if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) {\r
+               PrintAndLog("Usage:");\r
+               PrintAndLog("      hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>");\r
+               PrintAndLog("                       <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]");\r
+               PrintAndLog("  or  hf mf hardnested r [known target key]");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("Options: ");\r
+               PrintAndLog("      w: Acquire nonces and write them to binary file nonces.bin");\r
+               PrintAndLog("      s: Slower acquisition (required by some non standard cards)");\r
+               PrintAndLog("      r: Read nonces.bin and start attack");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("      sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A");\r
+               PrintAndLog("      sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w");\r
+               PrintAndLog("      sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s");\r
+               PrintAndLog("      sample4: hf mf hardnested r");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("Add the known target key to check if it is present in the remaining key space:");\r
+               PrintAndLog("      sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF");\r
+               return 0;\r
+       }\r
+\r
+       bool know_target_key = false;\r
+       bool nonce_file_read = false;\r
+       bool nonce_file_write = false;\r
+       bool slow = false;\r
+       int tests = 0;\r
+\r
+\r
+       if (ctmp == 'R' || ctmp == 'r') {\r
+               nonce_file_read = true;\r
+               if (!param_gethex(Cmd, 1, trgkey, 12)) {\r
+                       know_target_key = true;\r
+               }\r
+       } else if (ctmp == 'T' || ctmp == 't') {\r
+               tests = param_get32ex(Cmd, 1, 100, 10);\r
+               if (!param_gethex(Cmd, 2, trgkey, 12)) {\r
+                       know_target_key = true;\r
+               }\r
+       } else {\r
+               blockNo = param_get8(Cmd, 0);\r
+               ctmp = param_getchar(Cmd, 1);\r
+               if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                       PrintAndLog("Key type must be A or B");\r
+                       return 1;\r
+               }\r
+               if (ctmp != 'A' && ctmp != 'a') {\r
+                       keyType = 1;\r
+               }\r
+\r
+               if (param_gethex(Cmd, 2, key, 12)) {\r
+                       PrintAndLog("Key must include 12 HEX symbols");\r
+                       return 1;\r
+               }\r
+\r
+               trgBlockNo = param_get8(Cmd, 3);\r
+               ctmp = param_getchar(Cmd, 4);\r
+               if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                       PrintAndLog("Target key type must be A or B");\r
+                       return 1;\r
+               }\r
+               if (ctmp != 'A' && ctmp != 'a') {\r
+                       trgKeyType = 1;\r
+               }\r
+\r
+               uint16_t i = 5;\r
+\r
+               if (!param_gethex(Cmd, 5, trgkey, 12)) {\r
+                       know_target_key = true;\r
+                       i++;\r
+               }\r
+\r
+               while ((ctmp = param_getchar(Cmd, i))) {\r
+                       if (ctmp == 's' || ctmp == 'S') {\r
+                               slow = true;\r
+                       } else if (ctmp == 'w' || ctmp == 'W') {\r
+                               nonce_file_write = true;\r
+                       } else {\r
+                               PrintAndLog("Possible options are w and/or s");\r
+                               return 1;\r
+                       }\r
+                       i++;\r
+               }\r
+       }\r
+\r
+       PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ",\r
+                       trgBlockNo,\r
+                       trgKeyType?'B':'A',\r
+                       trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5],\r
+                       know_target_key?"":" (not set)",\r
+                       nonce_file_write?"write":nonce_file_read?"read":"none",\r
+                       slow?"Yes":"No",\r
+                       tests);\r
+\r
+       int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests);\r
+\r
+       if (isOK) {\r
+               switch (isOK) {\r
+                       case 1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+                       case 2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                       default : break;\r
+               }\r
+               return 2;\r
+       }\r
+\r
+       return 0;\r
+}\r
+\r
+\r
 int CmdHF14AMfChk(const char *Cmd)\r
 {\r
        if (strlen(Cmd)<3) {\r
 int CmdHF14AMfChk(const char *Cmd)\r
 {\r
        if (strlen(Cmd)<3) {\r
-               PrintAndLog("Usage:  hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
+               PrintAndLog("Usage:  hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d|s|ss] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
                PrintAndLog("          * - all sectors");\r
                PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
                PrintAndLog("d - write keys to binary file\n");\r
                PrintAndLog("t - write keys to emulator memory");\r
                PrintAndLog("          * - all sectors");\r
                PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
                PrintAndLog("d - write keys to binary file\n");\r
                PrintAndLog("t - write keys to emulator memory");\r
+               PrintAndLog("s - slow execute. timeout 1ms");\r
+               PrintAndLog("ss- very slow execute. timeout 5ms");\r
                PrintAndLog("      sample: hf mf chk 0 A 1234567890ab keys.dic");\r
                PrintAndLog("              hf mf chk *1 ? t");\r
                PrintAndLog("              hf mf chk *1 ? d");\r
                PrintAndLog("      sample: hf mf chk 0 A 1234567890ab keys.dic");\r
                PrintAndLog("              hf mf chk *1 ? t");\r
                PrintAndLog("              hf mf chk *1 ? d");\r
+               PrintAndLog("              hf mf chk *1 ? s");\r
+               PrintAndLog("              hf mf chk *1 ? dss");\r
                return 0;\r
                return 0;\r
-       }       \r
+       }\r
 \r
        FILE * f;\r
        char filename[FILE_PATH_SIZE]={0};\r
        char buf[13];\r
        uint8_t *keyBlock = NULL, *p;\r
 \r
        FILE * f;\r
        char filename[FILE_PATH_SIZE]={0};\r
        char buf[13];\r
        uint8_t *keyBlock = NULL, *p;\r
-       uint8_t stKeyBlock = 20;\r
-       \r
+       uint16_t stKeyBlock = 20;\r
+\r
        int i, res;\r
        int     keycnt = 0;\r
        char ctmp       = 0x00;\r
        int i, res;\r
        int     keycnt = 0;\r
        char ctmp       = 0x00;\r
+       char ctmp3[3]   = {0x00};\r
        uint8_t blockNo = 0;\r
        uint8_t blockNo = 0;\r
-       uint8_t SectorsCnt = 1;\r
+       uint8_t SectorsCnt = 0;\r
        uint8_t keyType = 0;\r
        uint64_t key64 = 0;\r
        uint8_t keyType = 0;\r
        uint64_t key64 = 0;\r
-       \r
+       uint32_t timeout14a = 0; // timeout in us\r
+       bool param3InUse = false;\r
+\r
        int transferToEml = 0;\r
        int createDumpFile = 0;\r
        int transferToEml = 0;\r
        int createDumpFile = 0;\r
+       \r
+       sector_t *e_sector = NULL;\r
 \r
        keyBlock = calloc(stKeyBlock, 6);\r
        if (keyBlock == NULL) return 1;\r
 \r
 \r
        keyBlock = calloc(stKeyBlock, 6);\r
        if (keyBlock == NULL) return 1;\r
 \r
-       uint64_t defaultKeys[] =\r
-       {\r
-               0xffffffffffff, // Default key (first key used by program if no user defined key)\r
-               0x000000000000, // Blank key\r
-               0xa0a1a2a3a4a5, // NFCForum MAD key\r
-               0xb0b1b2b3b4b5,\r
-               0xaabbccddeeff,\r
-               0x4d3a99c351dd,\r
-               0x1a982c7e459a,\r
-               0xd3f7d3f7d3f7,\r
-               0x714c5c886e97,\r
-               0x587ee5f9350f,\r
-               0xa0478cc39091,\r
-               0x533cb6c723f6,\r
-               0x8fd0a4f256e9\r
-       };\r
-       int defaultKeysSize = sizeof(defaultKeys) / sizeof(uint64_t);\r
-\r
-       for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++)\r
-       {\r
-               num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));\r
+       int defaultKeysSize = MifareDefaultKeysSize;\r
+       for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++){\r
+               num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));\r
        }\r
        }\r
-       \r
+\r
        if (param_getchar(Cmd, 0)=='*') {\r
        if (param_getchar(Cmd, 0)=='*') {\r
-               blockNo = 3;\r
-               switch(param_getchar(Cmd+1, 0)) {\r
-                       case '0': SectorsCnt =  5; break;\r
-                       case '1': SectorsCnt = 16; break;\r
-                       case '2': SectorsCnt = 32; break;\r
-                       case '4': SectorsCnt = 40; break;\r
-                       default:  SectorsCnt = 16;\r
-               }\r
+               SectorsCnt = ParamCardSizeSectors(param_getchar(Cmd + 1, 0));\r
        }\r
        else\r
                blockNo = param_get8(Cmd, 0);\r
        }\r
        else\r
                blockNo = param_get8(Cmd, 0);\r
-       \r
+\r
        ctmp = param_getchar(Cmd, 1);\r
        ctmp = param_getchar(Cmd, 1);\r
-       switch (ctmp) { \r
+       switch (ctmp) {\r
        case 'a': case 'A':\r
        case 'a': case 'A':\r
-               keyType = !0;\r
+               keyType = 0;\r
                break;\r
        case 'b': case 'B':\r
                break;\r
        case 'b': case 'B':\r
-               keyType = !1;\r
+               keyType = 1;\r
                break;\r
        case '?':\r
                keyType = 2;\r
                break;\r
        default:\r
                PrintAndLog("Key type must be A , B or ?");\r
                break;\r
        case '?':\r
                keyType = 2;\r
                break;\r
        default:\r
                PrintAndLog("Key type must be A , B or ?");\r
+               free(keyBlock);\r
                return 1;\r
        };\r
                return 1;\r
        };\r
-       \r
+\r
+       // transfer to emulator & create dump file\r
        ctmp = param_getchar(Cmd, 2);\r
        ctmp = param_getchar(Cmd, 2);\r
-       if              (ctmp == 't' || ctmp == 'T') transferToEml = 1;\r
-       else if (ctmp == 'd' || ctmp == 'D') createDumpFile = 1;\r
-       \r
-       for (i = transferToEml || createDumpFile; param_getchar(Cmd, 2 + i); i++) {\r
+       if (ctmp == 't' || ctmp == 'T') transferToEml = 1;\r
+       if (ctmp == 'd' || ctmp == 'D') createDumpFile = 1;\r
+       \r
+       param3InUse = transferToEml | createDumpFile;\r
+       \r
+       timeout14a = 500; // fast by default\r
+       // double parameters - ts, ds\r
+       int clen = param_getlength(Cmd, 2);\r
+       if (clen == 2 || clen == 3){\r
+               param_getstr(Cmd, 2, ctmp3, sizeof(ctmp3));\r
+               ctmp = ctmp3[1];\r
+       }\r
+       //parse\r
+       if (ctmp == 's' || ctmp == 'S') {\r
+               timeout14a = 1000; // slow\r
+               if (!param3InUse && clen == 2 && (ctmp3[1] == 's' || ctmp3[1] == 'S')) {\r
+                       timeout14a = 5000; // very slow\r
+               }\r
+               if (param3InUse && clen == 3 && (ctmp3[2] == 's' || ctmp3[2] == 'S')) {\r
+                       timeout14a = 5000; // very slow\r
+               }\r
+               param3InUse = true;\r
+       }\r
+\r
+       for (i = param3InUse; param_getchar(Cmd, 2 + i); i++) {\r
                if (!param_gethex(Cmd, 2 + i, keyBlock + 6 * keycnt, 12)) {\r
                        if ( stKeyBlock - keycnt < 2) {\r
                                p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
                if (!param_gethex(Cmd, 2 + i, keyBlock + 6 * keycnt, 12)) {\r
                        if ( stKeyBlock - keycnt < 2) {\r
                                p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
@@ -891,26 +1074,26 @@ int CmdHF14AMfChk(const char *Cmd)
                        keycnt++;\r
                } else {\r
                        // May be a dic file\r
                        keycnt++;\r
                } else {\r
                        // May be a dic file\r
-                       if ( param_getstr(Cmd, 2 + i,filename) >= FILE_PATH_SIZE ) {\r
+                       if ( param_getstr(Cmd, 2 + i, filename, sizeof(filename)) >= FILE_PATH_SIZE ) {\r
                                PrintAndLog("File name too long");\r
                                free(keyBlock);\r
                                return 2;\r
                        }\r
                                PrintAndLog("File name too long");\r
                                free(keyBlock);\r
                                return 2;\r
                        }\r
-                       \r
+\r
                        if ( (f = fopen( filename , "r")) ) {\r
                                while( fgets(buf, sizeof(buf), f) ){\r
                                        if (strlen(buf) < 12 || buf[11] == '\n')\r
                                                continue;\r
                        if ( (f = fopen( filename , "r")) ) {\r
                                while( fgets(buf, sizeof(buf), f) ){\r
                                        if (strlen(buf) < 12 || buf[11] == '\n')\r
                                                continue;\r
-                               \r
+\r
                                        while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
                                        while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
-                                       \r
+\r
                                        if( buf[0]=='#' ) continue;     //The line start with # is comment, skip\r
 \r
                                        if (!isxdigit(buf[0])){\r
                                                PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);\r
                                                continue;\r
                                        }\r
                                        if( buf[0]=='#' ) continue;     //The line start with # is comment, skip\r
 \r
                                        if (!isxdigit(buf[0])){\r
                                                PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);\r
                                                continue;\r
                                        }\r
-                                       \r
+\r
                                        buf[12] = 0;\r
 \r
                                        if ( stKeyBlock - keycnt < 2) {\r
                                        buf[12] = 0;\r
 \r
                                        if ( stKeyBlock - keycnt < 2) {\r
@@ -918,13 +1101,14 @@ int CmdHF14AMfChk(const char *Cmd)
                                                if (!p) {\r
                                                        PrintAndLog("Cannot allocate memory for defKeys");\r
                                                        free(keyBlock);\r
                                                if (!p) {\r
                                                        PrintAndLog("Cannot allocate memory for defKeys");\r
                                                        free(keyBlock);\r
+                                                       fclose(f);\r
                                                        return 2;\r
                                                }\r
                                                keyBlock = p;\r
                                        }\r
                                        memset(keyBlock + 6 * keycnt, 0, 6);\r
                                        num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
                                                        return 2;\r
                                                }\r
                                                keyBlock = p;\r
                                        }\r
                                        memset(keyBlock + 6 * keycnt, 0, 6);\r
                                        num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
-                                       PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
+                                       PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
                                        keycnt++;\r
                                        memset(buf, 0, sizeof(buf));\r
                                }\r
                                        keycnt++;\r
                                        memset(buf, 0, sizeof(buf));\r
                                }\r
@@ -933,11 +1117,12 @@ int CmdHF14AMfChk(const char *Cmd)
                                PrintAndLog("File: %s: not found or locked.", filename);\r
                                free(keyBlock);\r
                                return 1;\r
                                PrintAndLog("File: %s: not found or locked.", filename);\r
                                free(keyBlock);\r
                                return 1;\r
-                       \r
+\r
                        }\r
                }\r
        }\r
                        }\r
                }\r
        }\r
-       \r
+\r
+       // fill with default keys\r
        if (keycnt == 0) {\r
                PrintAndLog("No key specified, trying default keys");\r
                for (;keycnt < defaultKeysSize; keycnt++)\r
        if (keycnt == 0) {\r
                PrintAndLog("No key specified, trying default keys");\r
                for (;keycnt < defaultKeysSize; keycnt++)\r
@@ -945,49 +1130,86 @@ int CmdHF14AMfChk(const char *Cmd)
                                (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
                                (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],     (keyBlock + 6*keycnt)[5], 6);\r
        }\r
                                (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
                                (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],     (keyBlock + 6*keycnt)[5], 6);\r
        }\r
-       \r
+\r
        // initialize storage for found keys\r
        // initialize storage for found keys\r
-       bool validKey[2][40];\r
-       uint8_t foundKey[2][40][6];\r
-       for (uint16_t t = 0; t < 2; t++) {\r
+       e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
+       if (e_sector == NULL) return 1;\r
+       for (uint8_t keyAB = 0; keyAB < 2; keyAB++) {\r
                for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
                for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
-                       validKey[t][sectorNo] = false;\r
-                       for (uint16_t i = 0; i < 6; i++) {\r
-                               foundKey[t][sectorNo][i] = 0xff;\r
-                       }\r
+                       e_sector[sectorNo].Key[keyAB] = 0xffffffffffff;\r
+                       e_sector[sectorNo].foundKey[keyAB] = 0;\r
                }\r
        }\r
                }\r
        }\r
-       \r
-       for ( int t = !keyType; t < 2; keyType==2?(t++):(t=2) ) {\r
-               int b=blockNo;\r
-               for (int i = 0; i < SectorsCnt; ++i) {\r
-                       PrintAndLog("--sector:%2d, block:%3d, key type:%C, key count:%2d ", i, b, t?'B':'A', keycnt);\r
-                       uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
+       printf("\n");\r
+\r
+       bool foundAKey = false;\r
+       uint32_t max_keys = keycnt > USB_CMD_DATA_SIZE / 6 ? USB_CMD_DATA_SIZE / 6 : keycnt;\r
+       if (SectorsCnt) {\r
+               PrintAndLog("To cancel this operation press the button on the proxmark...");\r
+               printf("--");\r
+               for (uint32_t c = 0; c < keycnt; c += max_keys) {\r
+\r
+                       uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;\r
+                       res = mfCheckKeysSec(SectorsCnt, keyType, timeout14a * 1.06 / 100, true, size, &keyBlock[6 * c], e_sector); // timeout is (ms * 106)/10 or us*0.0106\r
+\r
+                       if (res != 1) {\r
+                               if (!res) {\r
+                                       printf("o");\r
+                                       foundAKey = true;\r
+                               } else {\r
+                                       printf(".");\r
+                               }\r
+                       } else {\r
+                               printf("\n");\r
+                               PrintAndLog("Command execute timeout");\r
+                       }\r
+               }\r
+       } else {\r
+               int keyAB = keyType;\r
+               do {\r
                        for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
                        for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
-                               uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
-                               res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
+\r
+                               uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;\r
+                               res = mfCheckKeys(blockNo, keyAB & 0x01, true, size, &keyBlock[6 * c], &key64); \r
+\r
                                if (res != 1) {\r
                                        if (!res) {\r
                                if (res != 1) {\r
                                        if (!res) {\r
-                                               PrintAndLog("Found valid key:[%012"llx"]",key64);\r
-                                               num_to_bytes(key64, 6, foundKey[t][i]);\r
-                                               validKey[t][i] = true;\r
-                                       } \r
+                                               PrintAndLog("Found valid key:[%d:%c]%012" PRIx64, blockNo, (keyAB & 0x01)?'B':'A', key64);\r
+                                               foundAKey = true;\r
+                                       }\r
                                } else {\r
                                        PrintAndLog("Command execute timeout");\r
                                }\r
                        }\r
                                } else {\r
                                        PrintAndLog("Command execute timeout");\r
                                }\r
                        }\r
-                       b<127?(b+=4):(b+=16);   \r
-               }\r
+               } while(--keyAB > 0);\r
        }\r
        }\r
-\r
+       \r
+       // print result\r
+       if (foundAKey) {\r
+               if (SectorsCnt) {\r
+                       PrintAndLog("");\r
+                       PrintAndLog("|---|----------------|---|----------------|---|");\r
+                       PrintAndLog("|sec|key A           |res|key B           |res|");\r
+                       PrintAndLog("|---|----------------|---|----------------|---|");\r
+                       for (i = 0; i < SectorsCnt; i++) {\r
+                               PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,\r
+                                       e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
+                       }\r
+                       PrintAndLog("|---|----------------|---|----------------|---|");\r
+               }\r
+       } else {\r
+               PrintAndLog("");\r
+               PrintAndLog("No valid keys found.");\r
+       }       \r
+       \r
        if (transferToEml) {\r
                uint8_t block[16];\r
                for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
        if (transferToEml) {\r
                uint8_t block[16];\r
                for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
-                       if (validKey[0][sectorNo] || validKey[1][sectorNo]) {\r
+                       if (e_sector[sectorNo].foundKey[0] || e_sector[sectorNo].foundKey[1]) {\r
                                mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
                                for (uint16_t t = 0; t < 2; t++) {\r
                                mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
                                for (uint16_t t = 0; t < 2; t++) {\r
-                                       if (validKey[t][sectorNo]) {\r
-                                               memcpy(block + t*10, foundKey[t][sectorNo], 6);\r
+                                       if (e_sector[sectorNo].foundKey[t]) {\r
+                                               num_to_bytes(e_sector[sectorNo].Key[t], 6, block + t * 10);\r
                                        }\r
                                }\r
                                mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
                                        }\r
                                }\r
                                mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
@@ -998,89 +1220,333 @@ int CmdHF14AMfChk(const char *Cmd)
 \r
        if (createDumpFile) {\r
                FILE *fkeys = fopen("dumpkeys.bin","wb");\r
 \r
        if (createDumpFile) {\r
                FILE *fkeys = fopen("dumpkeys.bin","wb");\r
-               if (fkeys == NULL) { \r
+               if (fkeys == NULL) {\r
                        PrintAndLog("Could not create file dumpkeys.bin");\r
                        PrintAndLog("Could not create file dumpkeys.bin");\r
+                       free(e_sector);\r
                        free(keyBlock);\r
                        return 1;\r
                }\r
                        free(keyBlock);\r
                        return 1;\r
                }\r
-               for (uint16_t t = 0; t < 2; t++) {\r
-                       fwrite(foundKey[t], 1, 6*SectorsCnt, fkeys);\r
+               uint8_t mkey[6];\r
+               for (uint8_t t = 0; t < 2; t++) {\r
+                       for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
+                               num_to_bytes(e_sector[sectorNo].Key[t], 6, mkey);\r
+                               fwrite(mkey, 1, 6, fkeys);\r
+                       }\r
                }\r
                fclose(fkeys);\r
                PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");\r
        }\r
 \r
                }\r
                fclose(fkeys);\r
                PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");\r
        }\r
 \r
+       free(e_sector);\r
        free(keyBlock);\r
        PrintAndLog("");\r
        return 0;\r
 }\r
 \r
        free(keyBlock);\r
        PrintAndLog("");\r
        return 0;\r
 }\r
 \r
-int CmdHF14AMf1kSim(const char *Cmd)\r
-{\r
-       uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
-       uint8_t exitAfterNReads = 0;\r
-       uint8_t flags = 0;\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
+       #define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+                                  // cannot be more than 7 or it will overrun c.d.asBytes(512)\r
+       uint64_t key = 0;\r
+       typedef struct {\r
+                       uint64_t keyA;\r
+                       uint64_t keyB;\r
+       } st_t;\r
+       st_t sector_trailer[ATTACK_KEY_COUNT];\r
+       memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
+\r
+       uint8_t stSector[ATTACK_KEY_COUNT];\r
+       memset(stSector, 0x00, sizeof(stSector));\r
+       uint8_t key_cnt[ATTACK_KEY_COUNT];\r
+       memset(key_cnt, 0x00, sizeof(key_cnt));\r
+\r
+       for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+                       if (doStandardAttack && mfkey32(ar_resp[i], &key)) {\r
+                               PrintAndLog("  Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
+                                               if (ar_resp[i].keytype==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                       } else if (mfkey32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {\r
+                               uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;\r
+                               uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"\r
+                                       , keyType ? "B" : "A"\r
+                                       , sectorNum\r
+                                       , key\r
+                               );\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {\r
+                                               if (keyType==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                               continue;\r
+                       }\r
+               }\r
+       }\r
+       //set emulator memory for keys\r
+       if (setEmulatorMem) {\r
+               for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+                       if (key_cnt[i]>0) {\r
+                               uint8_t memBlock[16];\r
+                               memset(memBlock, 0x00, sizeof(memBlock));\r
+                               char cmd1[36];\r
+                               memset(cmd1,0x00,sizeof(cmd1));\r
+                               snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
+                               if (param_gethex(cmd1, 0, memBlock, 32)) {\r
+                                       PrintAndLog("block data must include 32 HEX symbols");\r
+                                       return;\r
+                               }\r
+\r
+                               UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
+                               memcpy(c.d.asBytes, memBlock, 16);\r
+                               clearCommandBuffer();\r
+                               SendCommand(&c);\r
+                       }\r
+               }\r
+       }\r
+       /*\r
+       //un-comment to use as well moebius attack\r
+       for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       if (tryMfk32_moebius(ar_resp[i], &key)) {\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+                       }\r
+               }\r
+       }*/\r
+}\r
+\r
+int usage_hf14_mf1ksim(void) {\r
+       PrintAndLog("Usage:  hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");\r
+       PrintAndLog("options:");\r
+       PrintAndLog("      h    this help");\r
+       PrintAndLog("      u    (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");\r
+       PrintAndLog("      n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
+       PrintAndLog("      i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
+       PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
+       PrintAndLog("      e    (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");\r
+       PrintAndLog("      f    (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");\r
+       PrintAndLog("      r    (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");\r
+       PrintAndLog("samples:");\r
+       PrintAndLog("           hf mf sim u 0a0a0a0a");\r
+       PrintAndLog("           hf mf sim u 11223344556677");\r
+       PrintAndLog("           hf mf sim u 112233445566778899AA");\r
+       PrintAndLog("           hf mf sim f uids.txt");\r
+       PrintAndLog("           hf mf sim u 0a0a0a0a e");\r
+\r
+       return 0;\r
+}\r
+\r
+int CmdHF14AMf1kSim(const char *Cmd) {\r
+       UsbCommand resp;\r
+       uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
+       uint8_t exitAfterNReads = 0;\r
+       uint8_t flags = 0;\r
+       int uidlen = 0;\r
+       uint8_t pnr = 0;\r
+       bool setEmulatorMem = false;\r
+       bool attackFromFile = false;\r
+       FILE *f;\r
+       char filename[FILE_PATH_SIZE];\r
+       memset(filename, 0x00, sizeof(filename));\r
+       int len = 0;\r
+       char buf[64];\r
+\r
+       uint8_t cmdp = 0;\r
+       bool errors = false;\r
+\r
+       while(param_getchar(Cmd, cmdp) != 0x00) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'e':\r
+               case 'E':\r
+                       setEmulatorMem = true;\r
+                       //implies x and i\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp++;\r
+                       break;\r
+               case 'f':\r
+               case 'F':\r
+                       len = param_getstr(Cmd, cmdp+1, filename, sizeof(filename));\r
+                       if (len < 1) {\r
+                               PrintAndLog("error no filename found");\r
+                               return 0;\r
+                       }\r
+                       attackFromFile = true;\r
+                       //implies x and i\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_hf14_mf1ksim();\r
+               case 'i':\r
+               case 'I':\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'n':\r
+               case 'N':\r
+                       exitAfterNReads = param_get8(Cmd, pnr+1);\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'r':\r
+               case 'R':\r
+                       flags |= FLAG_RANDOM_NONCE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'u':\r
+               case 'U':\r
+                       param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
+                       switch(uidlen) {\r
+                               case 20: flags = FLAG_10B_UID_IN_DATA;  break; //not complete\r
+                               case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags = FLAG_4B_UID_IN_DATA; break;\r
+                               default: return usage_hf14_mf1ksim();\r
+                       }\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'x':\r
+               case 'X':\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r
+               if(errors) break;\r
+       }\r
+       //Validations\r
+       if(errors) return usage_hf14_mf1ksim();\r
+\r
+       //get uid from file\r
+       if (attackFromFile) {\r
+               int count = 0;\r
+               // open file\r
+               f = fopen(filename, "r");\r
+               if (f == NULL) {\r
+                       PrintAndLog("File %s not found or locked", filename);\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loading file and simulating. Press keyboard to abort");\r
+               while(!feof(f) && !ukbhit()){\r
+                       memset(buf, 0, sizeof(buf));\r
+                       memset(uid, 0, sizeof(uid));\r
+\r
+                       if (fgets(buf, sizeof(buf), f) == NULL) {\r
+                               if (count > 0) break;\r
+\r
+                               PrintAndLog("File reading error.");\r
+                               fclose(f);\r
+                               return 2;\r
+                       }\r
+                       if(!strlen(buf) && feof(f)) break;\r
+\r
+                       uidlen = strlen(buf)-1;\r
+                       switch(uidlen) {\r
+                               case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete\r
+                               case 14: flags |= FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags |= FLAG_4B_UID_IN_DATA; break;\r
+                               default:\r
+                                       PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);\r
+                                       fclose(f);\r
+                                       return 2;\r
+                       }\r
+\r
+                       for (uint8_t i = 0; i < uidlen; i += 2) {\r
+                               sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);\r
+                       }\r
+\r
+                       PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",\r
+                                       flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+                                               flags & FLAG_7B_UID_IN_DATA     ? sprint_hex(uid,7):\r
+                                                       flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+                                       , exitAfterNReads, flags, flags);\r
+\r
+                       UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
+                       memcpy(c.d.asBytes, uid, sizeof(uid));\r
+                       clearCommandBuffer();\r
+                       SendCommand(&c);\r
 \r
 \r
-       uint8_t cmdp = param_getchar(Cmd, 0);\r
-       \r
-       if (cmdp == 'h' || cmdp == 'H') {\r
-               PrintAndLog("Usage:  hf mf sim  u <uid (8 hex symbols)> n <numreads> i x");\r
-               PrintAndLog("           h    this help");\r
-               PrintAndLog("           u    (Optional) UID. If not specified, the UID from emulator memory will be used");\r
-               PrintAndLog("           n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
-               PrintAndLog("           i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
-               PrintAndLog("           x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
-               PrintAndLog("");\r
-               PrintAndLog("           sample: hf mf sim u 0a0a0a0a ");\r
-               return 0;\r
-       }\r
-       uint8_t pnr = 0;\r
-       if (param_getchar(Cmd, pnr) == 'u') {\r
-               if(param_gethex(Cmd, pnr+1, uid, 8) == 0)\r
-               {\r
-                       flags |= FLAG_4B_UID_IN_DATA; // UID from packet\r
-               } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {\r
-                       flags |= FLAG_7B_UID_IN_DATA;// UID from packet\r
-               } else {\r
-                       PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");\r
-                       return 1;\r
+                       while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               //We're waiting only 1.5 s at a time, otherwise we get the\r
+                               // annoying message about "Waiting for a response... "\r
+                       }\r
+                       //got a response\r
+                       nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                       memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                       // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                       readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+                       if ((bool)resp.arg[1]) {\r
+                               PrintAndLog("Device button pressed - quitting");\r
+                               fclose(f);\r
+                               return 4;\r
+                       }\r
+                       count++;\r
                }\r
                }\r
-               pnr +=2;\r
-       }\r
-       if (param_getchar(Cmd, pnr) == 'n') {\r
-               exitAfterNReads = param_get8(Cmd,pnr+1);\r
-               pnr += 2;\r
-       }\r
-       if (param_getchar(Cmd, pnr) == 'i' ) {\r
-               //Using a flag to signal interactiveness, least significant bit\r
-               flags |= FLAG_INTERACTIVE;\r
-               pnr++;\r
-       }\r
+               fclose(f);\r
+       } else { //not from file\r
 \r
 \r
-       if (param_getchar(Cmd, pnr) == 'x' ) {\r
-               //Using a flag to signal interactiveness, least significant bit\r
-               flags |= FLAG_NR_AR_ATTACK;\r
-       }\r
-       PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",\r
+               PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",\r
                                flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
                                flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
-                                                                                         flags & FLAG_7B_UID_IN_DATA   ? sprint_hex(uid,7): "N/A"\r
-                               , exitAfterNReads, flags,flags);\r
+                                       flags & FLAG_7B_UID_IN_DATA     ? sprint_hex(uid,7):\r
+                                               flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+                               , exitAfterNReads, flags, flags);\r
 \r
 \r
+               UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
+               memcpy(c.d.asBytes, uid, sizeof(uid));\r
+               clearCommandBuffer();\r
+               SendCommand(&c);\r
 \r
 \r
-       UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
-       memcpy(c.d.asBytes, uid, sizeof(uid));\r
-       SendCommand(&c);\r
-\r
-       if(flags & FLAG_INTERACTIVE)\r
-       {\r
-               UsbCommand resp;\r
-               PrintAndLog("Press pm3-button to abort simulation");\r
-               while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
-                       //We're waiting only 1.5 s at a time, otherwise we get the\r
-                       // annoying message about "Waiting for a response... "\r
+               if(flags & FLAG_INTERACTIVE) {\r
+                       PrintAndLog("Press pm3-button to abort simulation");\r
+                       while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               //We're waiting only 1.5 s at a time, otherwise we get the\r
+                               // annoying message about "Waiting for a response... "\r
+                       }\r
+                       //got a response\r
+                       if (flags & FLAG_NR_AR_ATTACK) {\r
+                               nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                               memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                               // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                               readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+                       }\r
                }\r
        }\r
                }\r
        }\r
-       \r
+\r
        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r
@@ -1100,7 +1566,7 @@ int CmdHF14AMfDbg(const char *Cmd)
                PrintAndLog(" 4 - print even debug messages in timing critical functions");\r
                PrintAndLog("     Note: this option therefore may cause malfunction itself");\r
                return 0;\r
                PrintAndLog(" 4 - print even debug messages in timing critical functions");\r
                PrintAndLog("     Note: this option therefore may cause malfunction itself");\r
                return 0;\r
-       }       \r
+       }\r
 \r
   UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};\r
   SendCommand(&c);\r
 \r
   UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};\r
   SendCommand(&c);\r
@@ -1117,8 +1583,8 @@ int CmdHF14AMfEGet(const char *Cmd)
                PrintAndLog("Usage:  hf mf eget <block number>");\r
                PrintAndLog(" sample: hf mf eget 0 ");\r
                return 0;\r
                PrintAndLog("Usage:  hf mf eget <block number>");\r
                PrintAndLog(" sample: hf mf eget 0 ");\r
                return 0;\r
-       }       \r
-       \r
+       }\r
+\r
        blockNo = param_get8(Cmd, 0);\r
 \r
        PrintAndLog(" ");\r
        blockNo = param_get8(Cmd, 0);\r
 \r
        PrintAndLog(" ");\r
@@ -1137,7 +1603,7 @@ int CmdHF14AMfEClear(const char *Cmd)
                PrintAndLog("Usage:  hf mf eclr");\r
                PrintAndLog("It set card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF \n");\r
                return 0;\r
                PrintAndLog("Usage:  hf mf eclr");\r
                PrintAndLog("It set card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF \n");\r
                return 0;\r
-       }       \r
+       }\r
 \r
   UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};\r
   SendCommand(&c);\r
 \r
   UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};\r
   SendCommand(&c);\r
@@ -1156,15 +1622,15 @@ int CmdHF14AMfESet(const char *Cmd)
                PrintAndLog("Usage:  hf mf eset <block number> <block data (32 hex symbols)>");\r
                PrintAndLog(" sample: hf mf eset 1 000102030405060708090a0b0c0d0e0f ");\r
                return 0;\r
                PrintAndLog("Usage:  hf mf eset <block number> <block data (32 hex symbols)>");\r
                PrintAndLog(" sample: hf mf eset 1 000102030405060708090a0b0c0d0e0f ");\r
                return 0;\r
-       }       \r
-       \r
+       }\r
+\r
        blockNo = param_get8(Cmd, 0);\r
        blockNo = param_get8(Cmd, 0);\r
-       \r
+\r
        if (param_gethex(Cmd, 1, memBlock, 32)) {\r
                PrintAndLog("block data must include 32 HEX symbols");\r
                return 1;\r
        }\r
        if (param_gethex(Cmd, 1, memBlock, 32)) {\r
                PrintAndLog("block data must include 32 HEX symbols");\r
                return 1;\r
        }\r
-       \r
+\r
        //  1 - blocks count\r
        UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}};\r
        memcpy(c.d.asBytes, memBlock, 16);\r
        //  1 - blocks count\r
        UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}};\r
        memcpy(c.d.asBytes, memBlock, 16);\r
@@ -1182,9 +1648,9 @@ int CmdHF14AMfELoad(const char *Cmd)
        uint8_t buf8[64] = {0x00};\r
        int i, len, blockNum, numBlocks;\r
        int nameParamNo = 1;\r
        uint8_t buf8[64] = {0x00};\r
        int i, len, blockNum, numBlocks;\r
        int nameParamNo = 1;\r
-       \r
+\r
        char ctmp = param_getchar(Cmd, 0);\r
        char ctmp = param_getchar(Cmd, 0);\r
-               \r
+\r
        if ( ctmp == 'h' || ctmp == 0x00) {\r
                PrintAndLog("It loads emul dump from the file `filename.eml`");\r
                PrintAndLog("Usage:  hf mf eload [card memory] <file name w/o `.eml`>");\r
        if ( ctmp == 'h' || ctmp == 0x00) {\r
                PrintAndLog("It loads emul dump from the file `filename.eml`");\r
                PrintAndLog("Usage:  hf mf eload [card memory] <file name w/o `.eml`>");\r
@@ -1193,11 +1659,11 @@ int CmdHF14AMfELoad(const char *Cmd)
                PrintAndLog(" sample: hf mf eload filename");\r
                PrintAndLog("         hf mf eload 4 filename");\r
                return 0;\r
                PrintAndLog(" sample: hf mf eload filename");\r
                PrintAndLog("         hf mf eload 4 filename");\r
                return 0;\r
-       }       \r
+       }\r
 \r
        switch (ctmp) {\r
                case '0' : numBlocks = 5*4; break;\r
 \r
        switch (ctmp) {\r
                case '0' : numBlocks = 5*4; break;\r
-               case '1' : \r
+               case '1' :\r
                case '\0': numBlocks = 16*4; break;\r
                case '2' : numBlocks = 32*4; break;\r
                case '4' : numBlocks = 256; break;\r
                case '\0': numBlocks = 16*4; break;\r
                case '2' : numBlocks = 32*4; break;\r
                case '4' : numBlocks = 256; break;\r
@@ -1207,34 +1673,34 @@ int CmdHF14AMfELoad(const char *Cmd)
                }\r
        }\r
 \r
                }\r
        }\r
 \r
-       len = param_getstr(Cmd,nameParamNo,filename);\r
-       \r
-       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+       len = param_getstr(Cmd,nameParamNo,filename,sizeof(filename));\r
+\r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
 \r
        fnameptr += len;\r
 \r
 \r
        fnameptr += len;\r
 \r
-       sprintf(fnameptr, ".eml"); \r
-       \r
+       sprintf(fnameptr, ".eml");\r
+\r
        // open file\r
        f = fopen(filename, "r");\r
        if (f == NULL) {\r
                PrintAndLog("File %s not found or locked", filename);\r
                return 1;\r
        }\r
        // open file\r
        f = fopen(filename, "r");\r
        if (f == NULL) {\r
                PrintAndLog("File %s not found or locked", filename);\r
                return 1;\r
        }\r
-       \r
+\r
        blockNum = 0;\r
        while(!feof(f)){\r
                memset(buf, 0, sizeof(buf));\r
        blockNum = 0;\r
        while(!feof(f)){\r
                memset(buf, 0, sizeof(buf));\r
-               \r
+\r
                if (fgets(buf, sizeof(buf), f) == NULL) {\r
                if (fgets(buf, sizeof(buf), f) == NULL) {\r
-                       \r
+\r
                        if (blockNum >= numBlocks) break;\r
                        if (blockNum >= numBlocks) break;\r
-                       \r
+\r
                        PrintAndLog("File reading error.");\r
                        fclose(f);\r
                        return 2;\r
                }\r
                        PrintAndLog("File reading error.");\r
                        fclose(f);\r
                        return 2;\r
                }\r
-               \r
+\r
                if (strlen(buf) < 32){\r
                        if(strlen(buf) && feof(f))\r
                                break;\r
                if (strlen(buf) < 32){\r
                        if(strlen(buf) && feof(f))\r
                                break;\r
@@ -1242,11 +1708,11 @@ int CmdHF14AMfELoad(const char *Cmd)
                        fclose(f);\r
                        return 2;\r
                }\r
                        fclose(f);\r
                        return 2;\r
                }\r
-               \r
+\r
                for (i = 0; i < 32; i += 2) {\r
                        sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
                }\r
                for (i = 0; i < 32; i += 2) {\r
                        sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
                }\r
-               \r
+\r
                if (mfEmlSetMem(buf8, blockNum, 1)) {\r
                        PrintAndLog("Cant set emul block: %3d", blockNum);\r
                        fclose(f);\r
                if (mfEmlSetMem(buf8, blockNum, 1)) {\r
                        PrintAndLog("Cant set emul block: %3d", blockNum);\r
                        fclose(f);\r
@@ -1254,12 +1720,12 @@ int CmdHF14AMfELoad(const char *Cmd)
                }\r
                printf(".");\r
                blockNum++;\r
                }\r
                printf(".");\r
                blockNum++;\r
-               \r
+\r
                if (blockNum >= numBlocks) break;\r
        }\r
        fclose(f);\r
        printf("\n");\r
                if (blockNum >= numBlocks) break;\r
        }\r
        fclose(f);\r
        printf("\n");\r
-       \r
+\r
        if ((blockNum != numBlocks)) {\r
                PrintAndLog("File content error. Got %d must be %d blocks.",blockNum, numBlocks);\r
                return 4;\r
        if ((blockNum != numBlocks)) {\r
                PrintAndLog("File content error. Got %d must be %d blocks.",blockNum, numBlocks);\r
                return 4;\r
@@ -1277,12 +1743,12 @@ int CmdHF14AMfESave(const char *Cmd)
        uint8_t buf[64];\r
        int i, j, len, numBlocks;\r
        int nameParamNo = 1;\r
        uint8_t buf[64];\r
        int i, j, len, numBlocks;\r
        int nameParamNo = 1;\r
-       \r
+\r
        memset(filename, 0, sizeof(filename));\r
        memset(buf, 0, sizeof(buf));\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        memset(filename, 0, sizeof(filename));\r
        memset(buf, 0, sizeof(buf));\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
-       \r
+\r
        if ( ctmp == 'h' || ctmp == 'H') {\r
                PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`");\r
                PrintAndLog(" Usage:  hf mf esave [card memory] [file name w/o `.eml`]");\r
        if ( ctmp == 'h' || ctmp == 'H') {\r
                PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`");\r
                PrintAndLog(" Usage:  hf mf esave [card memory] [file name w/o `.eml`]");\r
@@ -1292,11 +1758,11 @@ int CmdHF14AMfESave(const char *Cmd)
                PrintAndLog("         hf mf esave 4");\r
                PrintAndLog("         hf mf esave 4 filename");\r
                return 0;\r
                PrintAndLog("         hf mf esave 4");\r
                PrintAndLog("         hf mf esave 4 filename");\r
                return 0;\r
-       }       \r
+       }\r
 \r
        switch (ctmp) {\r
                case '0' : numBlocks = 5*4; break;\r
 \r
        switch (ctmp) {\r
                case '0' : numBlocks = 5*4; break;\r
-               case '1' : \r
+               case '1' :\r
                case '\0': numBlocks = 16*4; break;\r
                case '2' : numBlocks = 32*4; break;\r
                case '4' : numBlocks = 256; break;\r
                case '\0': numBlocks = 16*4; break;\r
                case '2' : numBlocks = 32*4; break;\r
                case '4' : numBlocks = 256; break;\r
@@ -1306,10 +1772,10 @@ int CmdHF14AMfESave(const char *Cmd)
                }\r
        }\r
 \r
                }\r
        }\r
 \r
-       len = param_getstr(Cmd,nameParamNo,filename);\r
-       \r
-       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
-       \r
+       len = param_getstr(Cmd,nameParamNo,filename,sizeof(filename));\r
+\r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
+\r
        // user supplied filename?\r
        if (len < 1) {\r
                // get filename (UID from memory)\r
        // user supplied filename?\r
        if (len < 1) {\r
                // get filename (UID from memory)\r
@@ -1327,8 +1793,8 @@ int CmdHF14AMfESave(const char *Cmd)
        }\r
 \r
        // add file extension\r
        }\r
 \r
        // add file extension\r
-       sprintf(fnameptr, ".eml"); \r
-       \r
+       sprintf(fnameptr, ".eml");\r
+\r
        // open file\r
        f = fopen(filename, "w+");\r
 \r
        // open file\r
        f = fopen(filename, "w+");\r
 \r
@@ -1336,7 +1802,7 @@ int CmdHF14AMfESave(const char *Cmd)
                PrintAndLog("Can't open file %s ", filename);\r
                return 1;\r
        }\r
                PrintAndLog("Can't open file %s ", filename);\r
                return 1;\r
        }\r
-       \r
+\r
        // put hex\r
        for (i = 0; i < numBlocks; i++) {\r
                if (mfEmlGetMem(buf, i, 1)) {\r
        // put hex\r
        for (i = 0; i < numBlocks; i++) {\r
                if (mfEmlGetMem(buf, i, 1)) {\r
@@ -1344,13 +1810,13 @@ int CmdHF14AMfESave(const char *Cmd)
                        break;\r
                }\r
                for (j = 0; j < 16; j++)\r
                        break;\r
                }\r
                for (j = 0; j < 16; j++)\r
-                       fprintf(f, "%02X", buf[j]); \r
+                       fprintf(f, "%02X", buf[j]);\r
                fprintf(f,"\n");\r
        }\r
        fclose(f);\r
                fprintf(f,"\n");\r
        }\r
        fclose(f);\r
-       \r
+\r
        PrintAndLog("Saved %d blocks to file: %s", numBlocks, filename);\r
        PrintAndLog("Saved %d blocks to file: %s", numBlocks, filename);\r
-       \r
+\r
   return 0;\r
 }\r
 \r
   return 0;\r
 }\r
 \r
@@ -1359,7 +1825,7 @@ int CmdHF14AMfECFill(const char *Cmd)
 {\r
        uint8_t keyType = 0;\r
        uint8_t numSectors = 16;\r
 {\r
        uint8_t keyType = 0;\r
        uint8_t numSectors = 16;\r
-       \r
+\r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf ecfill <key A/B> [card memory]");\r
                PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf ecfill <key A/B> [card memory]");\r
                PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
@@ -1369,7 +1835,7 @@ int CmdHF14AMfECFill(const char *Cmd)
                PrintAndLog("Read card and transfer its data to emulator memory.");\r
                PrintAndLog("Keys must be laid in the emulator memory. \n");\r
                return 0;\r
                PrintAndLog("Read card and transfer its data to emulator memory.");\r
                PrintAndLog("Keys must be laid in the emulator memory. \n");\r
                return 0;\r
-       }       \r
+       }\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
@@ -1381,12 +1847,12 @@ int CmdHF14AMfECFill(const char *Cmd)
        ctmp = param_getchar(Cmd, 1);\r
        switch (ctmp) {\r
                case '0' : numSectors = 5; break;\r
        ctmp = param_getchar(Cmd, 1);\r
        switch (ctmp) {\r
                case '0' : numSectors = 5; break;\r
-               case '1' : \r
+               case '1' :\r
                case '\0': numSectors = 16; break;\r
                case '2' : numSectors = 32; break;\r
                case '4' : numSectors = 40; break;\r
                default:   numSectors = 16;\r
                case '\0': numSectors = 16; break;\r
                case '2' : numSectors = 32; break;\r
                case '4' : numSectors = 40; break;\r
                default:   numSectors = 16;\r
-       }       \r
+       }\r
 \r
        printf("--params: numSectors: %d, keyType:%d", numSectors, keyType);\r
        UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};\r
 \r
        printf("--params: numSectors: %d, keyType:%d", numSectors, keyType);\r
        UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};\r
@@ -1394,14 +1860,13 @@ int CmdHF14AMfECFill(const char *Cmd)
        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r
-\r
 int CmdHF14AMfEKeyPrn(const char *Cmd)\r
 {\r
        int i;\r
        uint8_t numSectors;\r
        uint8_t data[16];\r
        uint64_t keyA, keyB;\r
 int CmdHF14AMfEKeyPrn(const char *Cmd)\r
 {\r
        int i;\r
        uint8_t numSectors;\r
        uint8_t data[16];\r
        uint64_t keyA, keyB;\r
-       \r
+\r
        if (param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("It prints the keys loaded in the emulator memory");\r
                PrintAndLog("Usage:  hf mf ekeyprn [card memory]");\r
        if (param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("It prints the keys loaded in the emulator memory");\r
                PrintAndLog("Usage:  hf mf ekeyprn [card memory]");\r
@@ -1409,19 +1874,19 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
                PrintAndLog("");\r
                PrintAndLog(" sample: hf mf ekeyprn 1");\r
                return 0;\r
                PrintAndLog("");\r
                PrintAndLog(" sample: hf mf ekeyprn 1");\r
                return 0;\r
-       }       \r
+       }\r
 \r
        char cmdp = param_getchar(Cmd, 0);\r
 \r
        char cmdp = param_getchar(Cmd, 0);\r
-       \r
+\r
        switch (cmdp) {\r
                case '0' : numSectors = 5; break;\r
        switch (cmdp) {\r
                case '0' : numSectors = 5; break;\r
-               case '1' : \r
+               case '1' :\r
                case '\0': numSectors = 16; break;\r
                case '2' : numSectors = 32; break;\r
                case '4' : numSectors = 40; break;\r
                default:   numSectors = 16;\r
                case '\0': numSectors = 16; break;\r
                case '2' : numSectors = 32; break;\r
                case '4' : numSectors = 40; break;\r
                default:   numSectors = 16;\r
-       }               \r
-       \r
+       }\r
+\r
        PrintAndLog("|---|----------------|----------------|");\r
        PrintAndLog("|sec|key A           |key B           |");\r
        PrintAndLog("|---|----------------|----------------|");\r
        PrintAndLog("|---|----------------|----------------|");\r
        PrintAndLog("|sec|key A           |key B           |");\r
        PrintAndLog("|---|----------------|----------------|");\r
@@ -1432,89 +1897,155 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
                }\r
                keyA = bytes_to_num(data, 6);\r
                keyB = bytes_to_num(data + 10, 6);\r
                }\r
                keyA = bytes_to_num(data, 6);\r
                keyB = bytes_to_num(data + 10, 6);\r
-               PrintAndLog("|%03d|  %012"llx"  |  %012"llx"  |", i, keyA, keyB);\r
+               PrintAndLog("|%03d|  %012" PRIx64 "  |  %012" PRIx64 "  |", i, keyA, keyB);\r
        }\r
        PrintAndLog("|---|----------------|----------------|");\r
        }\r
        PrintAndLog("|---|----------------|----------------|");\r
-       \r
+\r
        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r
-\r
 int CmdHF14AMfCSetUID(const char *Cmd)\r
 {\r
 int CmdHF14AMfCSetUID(const char *Cmd)\r
 {\r
-       uint8_t wipeCard = 0;\r
        uint8_t uid[8] = {0x00};\r
        uint8_t oldUid[8] = {0x00};\r
        uint8_t atqa[2] = {0x00};\r
        uint8_t sak[1] = {0x00};\r
        uint8_t uid[8] = {0x00};\r
        uint8_t oldUid[8] = {0x00};\r
        uint8_t atqa[2] = {0x00};\r
        uint8_t sak[1] = {0x00};\r
-       uint8_t atqaPresent = 1;\r
+       uint8_t atqaPresent = 0;\r
        int res;\r
        int res;\r
-       char ctmp;\r
-       int argi=0;\r
-\r
-       if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') {\r
-               PrintAndLog("Usage:  hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols] [w]");\r
-               PrintAndLog("sample:  hf mf csetuid 01020304");\r
-               PrintAndLog("sample:  hf mf csetuid 01020304 0004 08 w");\r
-               PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");\r
-               PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line.");\r
-               return 0;\r
-       }\r
 \r
 \r
-       if (param_getchar(Cmd, argi) && param_gethex(Cmd, argi, uid, 8)) {\r
+       uint8_t needHelp = 0;\r
+       char cmdp = 1;\r
+       \r
+       if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {\r
                PrintAndLog("UID must include 8 HEX symbols");\r
                return 1;\r
        }\r
                PrintAndLog("UID must include 8 HEX symbols");\r
                return 1;\r
        }\r
-       argi++;\r
 \r
 \r
-       ctmp = param_getchar(Cmd, argi);\r
-       if (ctmp == 'w' || ctmp == 'W') {\r
-               wipeCard = 1;\r
-               atqaPresent = 0;\r
+       if (param_getlength(Cmd, 1) > 1 && param_getlength(Cmd, 2) >  1) {\r
+               atqaPresent = 1;\r
+               cmdp = 3;\r
+               \r
+               if (param_gethex(Cmd, 1, atqa, 4)) {\r
+                       PrintAndLog("ATQA must include 4 HEX symbols");\r
+                       return 1;\r
+               }\r
+                               \r
+               if (param_gethex(Cmd, 2, sak, 2)) {\r
+                       PrintAndLog("SAK must include 2 HEX symbols");\r
+                       return 1;\r
+               }\r
        }\r
 \r
        }\r
 \r
-       if (atqaPresent) {\r
-               if (param_getchar(Cmd, argi)) {\r
-                       if (param_gethex(Cmd, argi, atqa, 4)) {\r
-                               PrintAndLog("ATQA must include 4 HEX symbols");\r
-                               return 1;\r
-                       }\r
-                       argi++;\r
-                       if (!param_getchar(Cmd, argi) || param_gethex(Cmd, argi, sak, 2)) {\r
-                               PrintAndLog("SAK must include 2 HEX symbols");\r
-                               return 1;\r
-                       }\r
-                       argi++;\r
-               } else\r
-                       atqaPresent = 0;\r
+       while(param_getchar(Cmd, cmdp) != 0x00)\r
+       {\r
+               switch(param_getchar(Cmd, cmdp))\r
+               {\r
+               case 'h':\r
+               case 'H':\r
+                       needHelp = 1;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("ERROR: Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       needHelp = 1;\r
+                       break;\r
+               }\r
+               cmdp++;\r
        }\r
 \r
        }\r
 \r
-       if(!wipeCard) {\r
-               ctmp = param_getchar(Cmd, argi);\r
-               if (ctmp == 'w' || ctmp == 'W') {\r
-                       wipeCard = 1;\r
-               }\r
+       if (strlen(Cmd) < 1 || needHelp) {\r
+               PrintAndLog("");\r
+               PrintAndLog("Usage:  hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols]");\r
+               PrintAndLog("sample:  hf mf csetuid 01020304");\r
+               PrintAndLog("sample:  hf mf csetuid 01020304 0004 08");\r
+               PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");\r
+               return 0;\r
        }\r
 \r
        }\r
 \r
-       PrintAndLog("--wipe card:%s  uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4));\r
+       PrintAndLog("uid:%s", sprint_hex(uid, 4));\r
+       if (atqaPresent) {\r
+               PrintAndLog("--atqa:%s sak:%02x", sprint_hex(atqa, 2), sak[0]);\r
+       }\r
 \r
 \r
-       res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard);\r
+       res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid);\r
        if (res) {\r
        if (res) {\r
-                       PrintAndLog("Can't set UID. error=%d", res);\r
+                       PrintAndLog("Can't set UID. Error=%d", res);\r
                        return 1;\r
                }\r
                        return 1;\r
                }\r
-       \r
+\r
        PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));\r
        PrintAndLog("new UID:%s", sprint_hex(uid, 4));\r
        return 0;\r
 }\r
 \r
        PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));\r
        PrintAndLog("new UID:%s", sprint_hex(uid, 4));\r
        return 0;\r
 }\r
 \r
+int CmdHF14AMfCWipe(const char *Cmd)\r
+{\r
+       int res, gen = 0;\r
+       int numBlocks = 16 * 4;\r
+       bool wipeCard = false;\r
+       bool fillCard = false;\r
+       \r
+       if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
+               PrintAndLog("Usage:  hf mf cwipe [card size] [w] [f]");\r
+               PrintAndLog("sample:  hf mf cwipe 1 w f");\r
+               PrintAndLog("[card size]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+               PrintAndLog("w - Wipe magic Chinese card (only works with gen:1a cards)");\r
+               PrintAndLog("f - Fill the card with default data and keys (works with gen:1a and gen:1b cards only)");\r
+               return 0;\r
+       }\r
+\r
+       gen = mfCIdentify();\r
+       if ((gen != 1) && (gen != 2)) \r
+               return 1;\r
+       \r
+       numBlocks = ParamCardSizeBlocks(param_getchar(Cmd, 0));\r
+\r
+       char cmdp = 0;\r
+       while(param_getchar(Cmd, cmdp) != 0x00){\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'w':\r
+               case 'W':\r
+                       wipeCard = 1;\r
+                       break;\r
+               case 'f':\r
+               case 'F':\r
+                       fillCard = 1;\r
+                       break;\r
+               default:\r
+                       break;\r
+               }\r
+               cmdp++;\r
+       }\r
+\r
+       if (!wipeCard && !fillCard) \r
+               wipeCard = true;\r
+\r
+       PrintAndLog("--blocks count:%2d wipe:%c fill:%c", numBlocks, (wipeCard)?'y':'n', (fillCard)?'y':'n');\r
+\r
+       if (gen == 2) {\r
+               /* generation 1b magic card */\r
+               if (wipeCard) {\r
+                       PrintAndLog("WARNING: can't wipe magic card 1b generation");\r
+               }\r
+               res = mfCWipe(numBlocks, true, false, fillCard); \r
+       } else {\r
+               /* generation 1a magic card by default */\r
+               res = mfCWipe(numBlocks, false, wipeCard, fillCard); \r
+       }\r
+\r
+       if (res) {\r
+               PrintAndLog("Can't wipe. error=%d", res);\r
+               return 1;\r
+       }\r
+       PrintAndLog("OK");\r
+       return 0;\r
+}\r
+\r
 int CmdHF14AMfCSetBlk(const char *Cmd)\r
 {\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t blockNo = 0;\r
 int CmdHF14AMfCSetBlk(const char *Cmd)\r
 {\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t blockNo = 0;\r
-       bool wipeCard = FALSE;\r
-       int res;\r
+       bool wipeCard = false;\r
+       int res, gen = 0;\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)> [w]");\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)> [w]");\r
@@ -1522,7 +2053,11 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
                PrintAndLog("Set block data for magic Chinese card (only works with such cards)");\r
                PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");\r
                return 0;\r
                PrintAndLog("Set block data for magic Chinese card (only works with such cards)");\r
                PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");\r
                return 0;\r
-       }       \r
+       }\r
+\r
+       gen = mfCIdentify();\r
+       if ((gen != 1) && (gen != 2)) \r
+               return 1;\r
 \r
        blockNo = param_get8(Cmd, 0);\r
 \r
 \r
        blockNo = param_get8(Cmd, 0);\r
 \r
@@ -1535,7 +2070,14 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
        wipeCard = (ctmp == 'w' || ctmp == 'W');\r
        PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));\r
 \r
        wipeCard = (ctmp == 'w' || ctmp == 'W');\r
        PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));\r
 \r
-       res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);\r
+       if (gen == 2) {\r
+               /* generation 1b magic card */\r
+               res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B);\r
+       } else {\r
+               /* generation 1a magic card by default */\r
+               res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);\r
+       }\r
+\r
        if (res) {\r
                PrintAndLog("Can't write block. error=%d", res);\r
                return 1;\r
        if (res) {\r
                PrintAndLog("Can't write block. error=%d", res);\r
                return 1;\r
@@ -1549,33 +2091,44 @@ int CmdHF14AMfCLoad(const char *Cmd)
        FILE * f;\r
        char filename[FILE_PATH_SIZE] = {0x00};\r
        char * fnameptr = filename;\r
        FILE * f;\r
        char filename[FILE_PATH_SIZE] = {0x00};\r
        char * fnameptr = filename;\r
-       char buf[64] = {0x00};\r
-       uint8_t buf8[64] = {0x00};\r
+       char buf[256] = {0x00};\r
+       uint8_t buf8[256] = {0x00};\r
        uint8_t fillFromEmulator = 0;\r
        uint8_t fillFromEmulator = 0;\r
-       int i, len, blockNum, flags=0;\r
-       \r
+       int i, len, blockNum, flags = 0, gen = 0, numblock = 64;\r
+\r
        if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
                PrintAndLog("It loads magic Chinese card from the file `filename.eml`");\r
        if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
                PrintAndLog("It loads magic Chinese card from the file `filename.eml`");\r
-               PrintAndLog("or from emulator memory (option `e`)");\r
-               PrintAndLog("Usage:  hf mf cload <file name w/o `.eml`>");\r
-               PrintAndLog("   or:  hf mf cload e ");\r
-               PrintAndLog(" sample: hf mf cload filename");\r
+               PrintAndLog("or from emulator memory (option `e`). 4K card: (option `4`)");\r
+               PrintAndLog("Usage:  hf mf cload [file name w/o `.eml`][e][4]");\r
+               PrintAndLog("   or:  hf mf cload e [4]");\r
+               PrintAndLog("Sample: hf mf cload filename");\r
+               PrintAndLog("        hf mf cload filname 4");\r
+               PrintAndLog("        hf mf cload e");\r
+               PrintAndLog("        hf mf cload e 4");\r
                return 0;\r
                return 0;\r
-       }       \r
+       }\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
-       \r
+       ctmp = param_getchar(Cmd, 1);\r
+       if (ctmp == '4') numblock = 256;\r
+\r
+       gen = mfCIdentify();\r
+       PrintAndLog("Loading magic mifare %dK", numblock == 256 ? 4:1);\r
+\r
        if (fillFromEmulator) {\r
        if (fillFromEmulator) {\r
-               for (blockNum = 0; blockNum < 16 * 4; blockNum += 1) {\r
+               for (blockNum = 0; blockNum < numblock; blockNum += 1) {\r
                        if (mfEmlGetMem(buf8, blockNum, 1)) {\r
                                PrintAndLog("Cant get block: %d", blockNum);\r
                                return 2;\r
                        }\r
                        if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;                               // switch on field and send magic sequence\r
                        if (blockNum == 1) flags = 0;                                                                                                   // just write\r
                        if (mfEmlGetMem(buf8, blockNum, 1)) {\r
                                PrintAndLog("Cant get block: %d", blockNum);\r
                                return 2;\r
                        }\r
                        if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;                               // switch on field and send magic sequence\r
                        if (blockNum == 1) flags = 0;                                                                                                   // just write\r
-                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;             // Done. Magic Halt and switch off field.\r
+                       if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;           // Done. Magic Halt and switch off field.\r
 \r
 \r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Cant set magic card block: %d", blockNum);\r
                                return 3;\r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Cant set magic card block: %d", blockNum);\r
                                return 3;\r
@@ -1583,26 +2136,28 @@ int CmdHF14AMfCLoad(const char *Cmd)
                }\r
                return 0;\r
        } else {\r
                }\r
                return 0;\r
        } else {\r
-               len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+               param_getstr(Cmd, 0, filename, sizeof(filename));\r
+\r
+               len = strlen(filename);\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
 \r
 \r
-               memcpy(filename, Cmd, len);\r
+               //memcpy(filename, Cmd, len);\r
                fnameptr += len;\r
 \r
                fnameptr += len;\r
 \r
-               sprintf(fnameptr, ".eml"); \r
-       \r
+               sprintf(fnameptr, ".eml");\r
+\r
                // open file\r
                f = fopen(filename, "r");\r
                if (f == NULL) {\r
                        PrintAndLog("File not found or locked.");\r
                        return 1;\r
                }\r
                // open file\r
                f = fopen(filename, "r");\r
                if (f == NULL) {\r
                        PrintAndLog("File not found or locked.");\r
                        return 1;\r
                }\r
-       \r
+\r
                blockNum = 0;\r
                while(!feof(f)){\r
                blockNum = 0;\r
                while(!feof(f)){\r
-               \r
+\r
                        memset(buf, 0, sizeof(buf));\r
                        memset(buf, 0, sizeof(buf));\r
-                       \r
+\r
                        if (fgets(buf, sizeof(buf), f) == NULL) {\r
                                fclose(f);\r
                                PrintAndLog("File reading error.");\r
                        if (fgets(buf, sizeof(buf), f) == NULL) {\r
                                fclose(f);\r
                                PrintAndLog("File reading error.");\r
@@ -1621,20 +2176,25 @@ int CmdHF14AMfCLoad(const char *Cmd)
 \r
                        if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;                               // switch on field and send magic sequence\r
                        if (blockNum == 1) flags = 0;                                                                                                   // just write\r
 \r
                        if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;                               // switch on field and send magic sequence\r
                        if (blockNum == 1) flags = 0;                                                                                                   // just write\r
-                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;             // Done. Switch off field.\r
+                       if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;           // Done. Switch off field.\r
 \r
 \r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Can't set magic card block: %d", blockNum);\r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Can't set magic card block: %d", blockNum);\r
+                               fclose(f);\r
                                return 3;\r
                        }\r
                        blockNum++;\r
                                return 3;\r
                        }\r
                        blockNum++;\r
-               \r
-                       if (blockNum >= 16 * 4) break;  // magic card type - mifare 1K\r
+\r
+                       if (blockNum >= numblock) break;  // magic card type - mifare 1K 64 blocks, mifare 4k 256 blocks\r
                }\r
                fclose(f);\r
                }\r
                fclose(f);\r
-       \r
-               if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){\r
-                       PrintAndLog("File content error. There must be 64 blocks");\r
+\r
+               //if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){\r
+               if (blockNum != numblock){\r
+                       PrintAndLog("File content error. There must be %d blocks", numblock);\r
                        return 4;\r
                }\r
                PrintAndLog("Loaded from file: %s", filename);\r
                        return 4;\r
                }\r
                PrintAndLog("Loaded from file: %s", filename);\r
@@ -1646,7 +2206,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 int CmdHF14AMfCGetBlk(const char *Cmd) {\r
        uint8_t memBlock[16];\r
        uint8_t blockNo = 0;\r
 int CmdHF14AMfCGetBlk(const char *Cmd) {\r
        uint8_t memBlock[16];\r
        uint8_t blockNo = 0;\r
-       int res;\r
+       int res, gen = 0;\r
        memset(memBlock, 0x00, sizeof(memBlock));\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
        memset(memBlock, 0x00, sizeof(memBlock));\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
@@ -1654,55 +2214,77 @@ int CmdHF14AMfCGetBlk(const char *Cmd) {
                PrintAndLog("sample:  hf mf cgetblk 1");\r
                PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");\r
                return 0;\r
                PrintAndLog("sample:  hf mf cgetblk 1");\r
                PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");\r
                return 0;\r
-       }       \r
+       }\r
+\r
+       gen = mfCIdentify();\r
 \r
        blockNo = param_get8(Cmd, 0);\r
 \r
        PrintAndLog("--block number:%2d ", blockNo);\r
 \r
 \r
        blockNo = param_get8(Cmd, 0);\r
 \r
        PrintAndLog("--block number:%2d ", blockNo);\r
 \r
-       res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);\r
+       if (gen == 2) {\r
+               /* generation 1b magic card */\r
+               res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B);\r
+       } else {\r
+               /* generation 1a magic card by default */\r
+               res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);\r
+       }\r
        if (res) {\r
                        PrintAndLog("Can't read block. error=%d", res);\r
                        return 1;\r
                }\r
        if (res) {\r
                        PrintAndLog("Can't read block. error=%d", res);\r
                        return 1;\r
                }\r
-       \r
+\r
        PrintAndLog("block data:%s", sprint_hex(memBlock, 16));\r
        return 0;\r
 }\r
 \r
        PrintAndLog("block data:%s", sprint_hex(memBlock, 16));\r
        return 0;\r
 }\r
 \r
-\r
 int CmdHF14AMfCGetSc(const char *Cmd) {\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t sectorNo = 0;\r
 int CmdHF14AMfCGetSc(const char *Cmd) {\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t sectorNo = 0;\r
-       int i, res, flags;\r
+       int i, res, flags, gen = 0, baseblock = 0, sect_size = 4;\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf cgetsc <sector number>");\r
                PrintAndLog("sample:  hf mf cgetsc 0");\r
                PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");\r
                return 0;\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf cgetsc <sector number>");\r
                PrintAndLog("sample:  hf mf cgetsc 0");\r
                PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");\r
                return 0;\r
-       }       \r
+       }\r
 \r
        sectorNo = param_get8(Cmd, 0);\r
 \r
        sectorNo = param_get8(Cmd, 0);\r
-       if (sectorNo > 15) {\r
-               PrintAndLog("Sector number must be in [0..15] as in MIFARE classic.");\r
+\r
+       if (sectorNo > 39) {\r
+               PrintAndLog("Sector number must be in [0..15] in MIFARE classic 1k and [0..39] in MIFARE classic 4k.");\r
                return 1;\r
        }\r
 \r
        PrintAndLog("--sector number:%d ", sectorNo);\r
 \r
                return 1;\r
        }\r
 \r
        PrintAndLog("--sector number:%d ", sectorNo);\r
 \r
+       gen = mfCIdentify();\r
+\r
        flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
        flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
-       for (i = 0; i < 4; i++) {\r
+       if (sectorNo < 32 ) {\r
+               baseblock = sectorNo * 4;\r
+       } else {\r
+               baseblock = 128 + 16 * (sectorNo - 32);\r
+\r
+       }\r
+       if (sectorNo > 31) sect_size = 16;\r
+\r
+       for (i = 0; i < sect_size; i++) {\r
                if (i == 1) flags = 0;\r
                if (i == 1) flags = 0;\r
-               if (i == 3) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+               if (i == sect_size - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
 \r
 \r
-               res = mfCGetBlock(sectorNo * 4 + i, memBlock, flags);\r
+               if (gen == 2)\r
+                       /* generation 1b magic card */\r
+                       flags |= CSETBLOCK_MAGIC_1B;\r
+\r
+               res = mfCGetBlock(baseblock + i, memBlock, flags);\r
                if (res) {\r
                if (res) {\r
-                       PrintAndLog("Can't read block. %d error=%d", sectorNo * 4 + i, res);\r
+                       PrintAndLog("Can't read block. %d error=%d", baseblock + i, res);\r
                        return 1;\r
                }\r
                        return 1;\r
                }\r
-       \r
-               PrintAndLog("block %3d data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16));\r
+\r
+               PrintAndLog("block %3d data:%s", baseblock + i, sprint_hex(memBlock, 16));\r
        }\r
        return 0;\r
 }\r
        }\r
        return 0;\r
 }\r
@@ -1714,37 +2296,50 @@ int CmdHF14AMfCSave(const char *Cmd) {
        char filename[FILE_PATH_SIZE] = {0x00};\r
        char * fnameptr = filename;\r
        uint8_t fillFromEmulator = 0;\r
        char filename[FILE_PATH_SIZE] = {0x00};\r
        char * fnameptr = filename;\r
        uint8_t fillFromEmulator = 0;\r
-       uint8_t buf[64] = {0x00};\r
-       int i, j, len, flags;\r
-       \r
+       uint8_t buf[256] = {0x00};\r
+       int i, j, len, flags, gen = 0, numblock = 64;\r
+\r
        // memset(filename, 0, sizeof(filename));\r
        // memset(buf, 0, sizeof(buf));\r
 \r
        if (param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");\r
        // memset(filename, 0, sizeof(filename));\r
        // memset(buf, 0, sizeof(buf));\r
 \r
        if (param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");\r
-               PrintAndLog("or into emulator memory (option `e`)");\r
-               PrintAndLog("Usage:  hf mf esave [file name w/o `.eml`][e]");\r
-               PrintAndLog(" sample: hf mf esave ");\r
-               PrintAndLog("         hf mf esave filename");\r
-               PrintAndLog("         hf mf esave e \n");\r
+               PrintAndLog("or into emulator memory (option `e`). 4K card: (option `4`)");\r
+               PrintAndLog("Usage:  hf mf csave [file name w/o `.eml`][e][4]");\r
+               PrintAndLog("Sample: hf mf csave ");\r
+               PrintAndLog("        hf mf csave filename");\r
+               PrintAndLog("        hf mf csave e");\r
+               PrintAndLog("        hf mf csave 4");\r
+               PrintAndLog("        hf mf csave filename 4");\r
+               PrintAndLog("        hf mf csave e 4");\r
                return 0;\r
                return 0;\r
-       }       \r
+       }\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
+       if (ctmp == '4') numblock = 256;\r
+       ctmp = param_getchar(Cmd, 1);\r
+       if (ctmp == '4') numblock = 256;\r
+\r
+       gen = mfCIdentify();\r
+       PrintAndLog("Saving magic mifare %dK", numblock == 256 ? 4:1);\r
 \r
        if (fillFromEmulator) {\r
                // put into emulator\r
                flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
 \r
        if (fillFromEmulator) {\r
                // put into emulator\r
                flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
-               for (i = 0; i < 16 * 4; i++) {\r
+               for (i = 0; i < numblock; i++) {\r
                        if (i == 1) flags = 0;\r
                        if (i == 1) flags = 0;\r
-                       if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
-               \r
+                       if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+\r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
+\r
                        if (mfCGetBlock(i, buf, flags)) {\r
                                PrintAndLog("Cant get block: %d", i);\r
                                break;\r
                        }\r
                        if (mfCGetBlock(i, buf, flags)) {\r
                                PrintAndLog("Cant get block: %d", i);\r
                                break;\r
                        }\r
-                       \r
+\r
                        if (mfEmlSetMem(buf, i, 1)) {\r
                                PrintAndLog("Cant set emul block: %d", i);\r
                                return 3;\r
                        if (mfEmlSetMem(buf, i, 1)) {\r
                                PrintAndLog("Cant set emul block: %d", i);\r
                                return 3;\r
@@ -1752,27 +2347,35 @@ int CmdHF14AMfCSave(const char *Cmd) {
                }\r
                return 0;\r
        } else {\r
                }\r
                return 0;\r
        } else {\r
-               len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
-       \r
-               if (len < 1) {\r
+               param_getstr(Cmd, 0, filename, sizeof(filename));\r
+\r
+               len = strlen(filename);\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
+\r
+               ctmp = param_getchar(Cmd, 0);\r
+               if (len < 1 || (ctmp == '4')) {\r
                        // get filename\r
                        // get filename\r
-                       if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {\r
+\r
+                       flags = CSETBLOCK_SINGLE_OPER;\r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
+                       if (mfCGetBlock(0, buf, flags)) {\r
                                PrintAndLog("Cant get block: %d", 0);\r
                                len = sprintf(fnameptr, "dump");\r
                                fnameptr += len;\r
                        }\r
                        else {\r
                                for (j = 0; j < 7; j++, fnameptr += 2)\r
                                PrintAndLog("Cant get block: %d", 0);\r
                                len = sprintf(fnameptr, "dump");\r
                                fnameptr += len;\r
                        }\r
                        else {\r
                                for (j = 0; j < 7; j++, fnameptr += 2)\r
-                                       sprintf(fnameptr, "%02x", buf[j]); \r
+                                       sprintf(fnameptr, "%02x", buf[j]);\r
                        }\r
                } else {\r
                        }\r
                } else {\r
-                       memcpy(filename, Cmd, len);\r
+                       //memcpy(filename, Cmd, len);\r
                        fnameptr += len;\r
                }\r
 \r
                        fnameptr += len;\r
                }\r
 \r
-               sprintf(fnameptr, ".eml"); \r
-       \r
+               sprintf(fnameptr, ".eml");\r
+\r
                // open file\r
                f = fopen(filename, "w+");\r
 \r
                // open file\r
                f = fopen(filename, "w+");\r
 \r
@@ -1783,22 +2386,25 @@ int CmdHF14AMfCSave(const char *Cmd) {
 \r
                // put hex\r
                flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
 \r
                // put hex\r
                flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
-               for (i = 0; i < 16 * 4; i++) {\r
+               for (i = 0; i < numblock; i++) {\r
                        if (i == 1) flags = 0;\r
                        if (i == 1) flags = 0;\r
-                       if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
-               \r
+                       if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+\r
+                       if (gen == 2)\r
+                               /* generation 1b magic card */\r
+                               flags |= CSETBLOCK_MAGIC_1B;\r
                        if (mfCGetBlock(i, buf, flags)) {\r
                                PrintAndLog("Cant get block: %d", i);\r
                                break;\r
                        }\r
                        for (j = 0; j < 16; j++)\r
                        if (mfCGetBlock(i, buf, flags)) {\r
                                PrintAndLog("Cant get block: %d", i);\r
                                break;\r
                        }\r
                        for (j = 0; j < 16; j++)\r
-                               fprintf(f, "%02x", buf[j]); \r
+                               fprintf(f, "%02x", buf[j]);\r
                        fprintf(f,"\n");\r
                }\r
                fclose(f);\r
                        fprintf(f,"\n");\r
                }\r
                fclose(f);\r
-       \r
+\r
                PrintAndLog("Saved to file: %s", filename);\r
                PrintAndLog("Saved to file: %s", filename);\r
-       \r
+\r
                return 0;\r
        }\r
 }\r
                return 0;\r
        }\r
 }\r
@@ -1811,7 +2417,7 @@ int CmdHF14AMfSniff(const char *Cmd){
        //bool wantSaveToEml = 0; TODO\r
        bool wantSaveToEmlFile = 0;\r
 \r
        //bool wantSaveToEml = 0; TODO\r
        bool wantSaveToEmlFile = 0;\r
 \r
-       //var \r
+       //var\r
        int res = 0;\r
        int len = 0;\r
        int blockLen = 0;\r
        int res = 0;\r
        int len = 0;\r
        int blockLen = 0;\r
@@ -1825,7 +2431,7 @@ int CmdHF14AMfSniff(const char *Cmd){
        uint8_t *buf = NULL;\r
        uint16_t bufsize = 0;\r
        uint8_t *bufPtr = NULL;\r
        uint8_t *buf = NULL;\r
        uint16_t bufsize = 0;\r
        uint8_t *bufPtr = NULL;\r
-       \r
+\r
        char ctmp = param_getchar(Cmd, 0);\r
        if ( ctmp == 'h' || ctmp == 'H' ) {\r
                PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");\r
        char ctmp = param_getchar(Cmd, 0);\r
        if ( ctmp == 'h' || ctmp == 'H' ) {\r
                PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");\r
@@ -1837,8 +2443,8 @@ int CmdHF14AMfSniff(const char *Cmd){
                PrintAndLog("Usage:  hf mf sniff [l][d][e][f]");\r
                PrintAndLog("  sample: hf mf sniff l d e");\r
                return 0;\r
                PrintAndLog("Usage:  hf mf sniff [l][d][e][f]");\r
                PrintAndLog("  sample: hf mf sniff l d e");\r
                return 0;\r
-       }       \r
-       \r
+       }\r
+\r
        for (int i = 0; i < 4; i++) {\r
                ctmp = param_getchar(Cmd, i);\r
                if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;\r
        for (int i = 0; i < 4; i++) {\r
                ctmp = param_getchar(Cmd, i);\r
                if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;\r
@@ -1846,7 +2452,7 @@ int CmdHF14AMfSniff(const char *Cmd){
                //if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true; TODO\r
                if (ctmp == 'f' || ctmp == 'F') wantSaveToEmlFile = true;\r
        }\r
                //if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true; TODO\r
                if (ctmp == 'f' || ctmp == 'F') wantSaveToEmlFile = true;\r
        }\r
-       \r
+\r
        printf("-------------------------------------------------------------------------\n");\r
        printf("Executing command. \n");\r
        printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
        printf("-------------------------------------------------------------------------\n");\r
        printf("Executing command. \n");\r
        printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
@@ -1866,18 +2472,21 @@ int CmdHF14AMfSniff(const char *Cmd){
                        printf("\naborted via keyboard!\n");\r
                        break;\r
                }\r
                        printf("\naborted via keyboard!\n");\r
                        break;\r
                }\r
-               \r
+\r
                UsbCommand resp;\r
                if (WaitForResponseTimeout(CMD_ACK,&resp,2000)) {\r
                        res = resp.arg[0] & 0xff;\r
                        uint16_t traceLen = resp.arg[1];\r
                        len = resp.arg[2];\r
 \r
                UsbCommand resp;\r
                if (WaitForResponseTimeout(CMD_ACK,&resp,2000)) {\r
                        res = resp.arg[0] & 0xff;\r
                        uint16_t traceLen = resp.arg[1];\r
                        len = resp.arg[2];\r
 \r
-                       if (res == 0) return 0;                                         // we are done\r
+                       if (res == 0) {                                                         // we are done\r
+                               free(buf);\r
+                               return 0;\r
+                       }\r
 \r
                        if (res == 1) {                                                         // there is (more) data to be transferred\r
                                if (pckNum == 0) {                                              // first packet, (re)allocate necessary buffer\r
 \r
                        if (res == 1) {                                                         // there is (more) data to be transferred\r
                                if (pckNum == 0) {                                              // first packet, (re)allocate necessary buffer\r
-                                       if (traceLen > bufsize) {\r
+                                       if (traceLen > bufsize || buf == NULL) {\r
                                                uint8_t *p;\r
                                                if (buf == NULL) {                              // not yet allocated\r
                                                        p = malloc(traceLen);\r
                                                uint8_t *p;\r
                                                if (buf == NULL) {                              // not yet allocated\r
                                                        p = malloc(traceLen);\r
@@ -1920,24 +2529,24 @@ int CmdHF14AMfSniff(const char *Cmd){
                                                memcpy(atqa, bufPtr + 2 + 7, 2);\r
                                                uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;\r
                                                sak = bufPtr[11];\r
                                                memcpy(atqa, bufPtr + 2 + 7, 2);\r
                                                uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;\r
                                                sak = bufPtr[11];\r
-                                               PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x", \r
+                                               PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x",\r
                                                        sprint_hex(uid + (7 - uid_len), uid_len),\r
                                                        sprint_hex(uid + (7 - uid_len), uid_len),\r
-                                                       atqa[1], \r
-                                                       atqa[0], \r
+                                                       atqa[1],\r
+                                                       atqa[0],\r
                                                        sak);\r
                                                if (wantLogToFile || wantDecrypt) {\r
                                                        FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);\r
                                                        AddLogCurrentDT(logHexFileName);\r
                                                        sak);\r
                                                if (wantLogToFile || wantDecrypt) {\r
                                                        FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);\r
                                                        AddLogCurrentDT(logHexFileName);\r
-                                               }                                               \r
-                                               if (wantDecrypt) \r
+                                               }\r
+                                               if (wantDecrypt)\r
                                                        mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
                                        } else {\r
                                                PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));\r
                                                        mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
                                        } else {\r
                                                PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));\r
-                                               if (wantLogToFile) \r
+                                               if (wantLogToFile)\r
                                                        AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
                                                        AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
-                                               if (wantDecrypt) \r
+                                               if (wantDecrypt)\r
                                                        mfTraceDecode(bufPtr, len, wantSaveToEmlFile);\r
                                                        mfTraceDecode(bufPtr, len, wantSaveToEmlFile);\r
-                                               num++;  \r
+                                               num++;\r
                                        }\r
                                        bufPtr += len;\r
                                        bufPtr += ((len-1)/8+1);        // ignore parity\r
                                        }\r
                                        bufPtr += len;\r
                                        bufPtr += ((len-1)/8+1);        // ignore parity\r
@@ -1961,33 +2570,35 @@ int CmdDecryptTraceCmds(const char *Cmd){
 \r
 static command_t CommandTable[] =\r
 {\r
 \r
 static command_t CommandTable[] =\r
 {\r
-  {"help",             CmdHelp,                                1, "This help"},\r
-  {"dbg",              CmdHF14AMfDbg,                  0, "Set default debug mode"},\r
-  {"rdbl",             CmdHF14AMfRdBl,                 0, "Read MIFARE classic block"},\r
-  {"rdsc",             CmdHF14AMfRdSc,                 0, "Read MIFARE classic sector"},\r
-  {"dump",             CmdHF14AMfDump,                 0, "Dump MIFARE classic tag to binary file"},\r
-  {"restore",  CmdHF14AMfRestore,              0, "Restore MIFARE classic binary file to BLANK tag"},\r
-  {"wrbl",             CmdHF14AMfWrBl,                 0, "Write MIFARE classic block"},\r
-  {"chk",              CmdHF14AMfChk,                  0, "Test block keys"},\r
-  {"mifare",   CmdHF14AMifare,                 0, "Read parity error messages."},\r
-  {"nested",   CmdHF14AMfNested,               0, "Test nested authentication"},\r
-  {"sniff",            CmdHF14AMfSniff,                0, "Sniff card-reader communication"},\r
-  {"sim",              CmdHF14AMf1kSim,                0, "Simulate MIFARE card"},\r
-  {"eclr",             CmdHF14AMfEClear,               0, "Clear simulator memory block"},\r
-  {"eget",             CmdHF14AMfEGet,                 0, "Get simulator memory block"},\r
-  {"eset",             CmdHF14AMfESet,                 0, "Set simulator memory block"},\r
-  {"eload",            CmdHF14AMfELoad,                0, "Load from file emul dump"},\r
-  {"esave",            CmdHF14AMfESave,                0, "Save to file emul dump"},\r
-  {"ecfill",   CmdHF14AMfECFill,               0, "Fill simulator memory with help of keys from simulator"},\r
-  {"ekeyprn",  CmdHF14AMfEKeyPrn,              0, "Print keys from simulator memory"},\r
-  {"csetuid",  CmdHF14AMfCSetUID,              0, "Set UID for magic Chinese card"},\r
-  {"csetblk",  CmdHF14AMfCSetBlk,              0, "Write block - Magic Chinese card"},\r
-  {"cgetblk",  CmdHF14AMfCGetBlk,              0, "Read block - Magic Chinese card"},\r
-  {"cgetsc",   CmdHF14AMfCGetSc,               0, "Read sector - Magic Chinese card"},\r
-  {"cload",            CmdHF14AMfCLoad,                0, "Load dump into magic Chinese card"},\r
-  {"csave",            CmdHF14AMfCSave,                0, "Save dump from magic Chinese card into file or emulator"},\r
-  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
-  {NULL, NULL, 0, NULL}\r
+  {"help",             CmdHelp,                 1, "This help"},\r
+  {"dbg",              CmdHF14AMfDbg,           0, "Set default debug mode"},\r
+  {"rdbl",             CmdHF14AMfRdBl,          0, "Read MIFARE classic block"},\r
+  {"rdsc",             CmdHF14AMfRdSc,          0, "Read MIFARE classic sector"},\r
+  {"dump",             CmdHF14AMfDump,          0, "Dump MIFARE classic tag to binary file"},\r
+  {"restore",                 CmdHF14AMfRestore,       0, "Restore MIFARE classic binary file to BLANK tag"},\r
+  {"wrbl",             CmdHF14AMfWrBl,          0, "Write MIFARE classic block"},\r
+  {"chk",              CmdHF14AMfChk,           0, "Test block keys"},\r
+  {"mifare",           CmdHF14AMifare,          0, "Read parity error messages."},\r
+  {"hardnested",       CmdHF14AMfNestedHard,    0, "Nested attack for hardened Mifare cards"},\r
+  {"nested",           CmdHF14AMfNested,        0, "Test nested authentication"},\r
+  {"sniff",            CmdHF14AMfSniff,         0, "Sniff card-reader communication"},\r
+  {"sim",              CmdHF14AMf1kSim,         0, "Simulate MIFARE card"},\r
+  {"eclr",             CmdHF14AMfEClear,        0, "Clear simulator memory block"},\r
+  {"eget",             CmdHF14AMfEGet,          0, "Get simulator memory block"},\r
+  {"eset",             CmdHF14AMfESet,          0, "Set simulator memory block"},\r
+  {"eload",            CmdHF14AMfELoad,         0, "Load from file emul dump"},\r
+  {"esave",            CmdHF14AMfESave,         0, "Save to file emul dump"},\r
+  {"ecfill",           CmdHF14AMfECFill,        0, "Fill simulator memory with help of keys from simulator"},\r
+  {"ekeyprn",          CmdHF14AMfEKeyPrn,       0, "Print keys from simulator memory"},\r
+  {"cwipe",            CmdHF14AMfCWipe,         0, "Wipe magic Chinese card"},\r
+  {"csetuid",          CmdHF14AMfCSetUID,       0, "Set UID for magic Chinese card"},\r
+  {"csetblk",          CmdHF14AMfCSetBlk,       0, "Write block - Magic Chinese card"},\r
+  {"cgetblk",          CmdHF14AMfCGetBlk,       0, "Read block - Magic Chinese card"},\r
+  {"cgetsc",           CmdHF14AMfCGetSc,        0, "Read sector - Magic Chinese card"},\r
+  {"cload",            CmdHF14AMfCLoad,         0, "Load dump into magic Chinese card"},\r
+  {"csave",            CmdHF14AMfCSave,         0, "Save dump from magic Chinese card into file or emulator"},\r
+  {"decrypt",          CmdDecryptTraceCmds,     1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
+  {NULL,               NULL,                    0, NULL}\r
 };\r
 \r
 int CmdHFMF(const char *Cmd)\r
 };\r
 \r
 int CmdHFMF(const char *Cmd)\r
Proxmark3 GIT tracking
Impressum, Datenschutz