Minor corrections in fskdemod i lfops.c , see Holimans branch.

[proxmark3-svn] / armsrc / iclass.c
diff --git a/armsrc/iclass.c b/armsrc/iclass.c

index c827ed51d6517c49301a71951bf593bca592393e..6ceb436b81d1e56fa1f397894204685660d1fd3e 100644 (file)
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@ -36,30 +36,22 @@
  //
  //-----------------------------------------------------------------------------
  
  //
  //-----------------------------------------------------------------------------
  
-#include "proxmark3.h"
+#include "../include/proxmark3.h"
  #include "apps.h"
  #include "util.h"
  #include "string.h"
  #include "common.h"
  #include "apps.h"
  #include "util.h"
  #include "string.h"
  #include "common.h"
+#include "cmd.h"
  // Needed for CRC in emulation mode;
  // same construction as in ISO 14443;
  // different initial value (CRC_ICLASS)
  // Needed for CRC in emulation mode;
  // same construction as in ISO 14443;
  // different initial value (CRC_ICLASS)
-#include "iso14443crc.h"
+#include "../common/iso14443crc.h"
+#include "../common/iso15693tools.h"
  #include "iso15693tools.h"
  
  #include "iso15693tools.h"
  
+
  static int timeout = 4096;
  
  static int timeout = 4096;
  
-// CARD TO READER
-// Sequence D: 11110000 modulation with subcarrier during first half
-// Sequence E: 00001111 modulation with subcarrier during second half
-// Sequence F: 00000000 no modulation with subcarrier
-// READER TO CARD
-// Sequence X: 00001100 drop after half a period
-// Sequence Y: 00000000 no drop
-// Sequence Z: 11000000 drop at start
-#define        SEC_X 0x0c
-#define        SEC_Y 0x00
-#define        SEC_Z 0xc0
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
  
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
  
@@ -667,12 +659,7 @@ static RAMFUNC int ManchesterDecoding(int v)
  //-----------------------------------------------------------------------------
  void RAMFUNC SnoopIClass(void)
  {
  //-----------------------------------------------------------------------------
  void RAMFUNC SnoopIClass(void)
  {
-// DEFINED ABOVE
-// #define RECV_CMD_OFFSET   3032
-// #define RECV_RES_OFFSET   3096
-// #define DMA_BUFFER_OFFSET 3160
-// #define DMA_BUFFER_SIZE   4096
-// #define TRACE_SIZE        3000
+
  
      // We won't start recording the frames that we acquire until we trigger;
      // a good trigger condition to get started is probably when we see a
  
      // We won't start recording the frames that we acquire until we trigger;
      // a good trigger condition to get started is probably when we see a
@@ -682,14 +669,12 @@ void RAMFUNC SnoopIClass(void)
      // The command (reader -> tag) that we're receiving.
         // The length of a received command will in most cases be no more than 18 bytes.
         // So 32 should be enough!
      // The command (reader -> tag) that we're receiving.
         // The length of a received command will in most cases be no more than 18 bytes.
         // So 32 should be enough!
-    uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
+       uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
      // The response (tag -> reader) that we're receiving.
      // The response (tag -> reader) that we're receiving.
-    uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
+       uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
  
  
-    // As we receive stuff, we copy it from receivedCmd or receivedResponse
-    // into trace, along with its length and other annotations.
-    //uint8_t *trace = (uint8_t *)BigBuf;
-    
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ 
      // reset traceLen to 0
      iso14a_set_tracing(TRUE);
      iso14a_clear_trace();
      // reset traceLen to 0
      iso14a_set_tracing(TRUE);
      iso14a_clear_trace();
@@ -707,10 +692,8 @@ void RAMFUNC SnoopIClass(void)
      int samples = 0;
      rsamples = 0;
  
      int samples = 0;
      rsamples = 0;
  
-    memset(trace, 0x44, RECV_CMD_OFFSET);
-
      // Set up the demodulator for tag -> reader responses.
      // Set up the demodulator for tag -> reader responses.
-    Demod.output = receivedResponse;
+       Demod.output = tagToReaderResponse;
      Demod.len = 0;
      Demod.state = DEMOD_UNSYNCD;
  
      Demod.len = 0;
      Demod.state = DEMOD_UNSYNCD;
  
@@ -722,7 +705,7 @@ void RAMFUNC SnoopIClass(void)
  
      // And the reader -> tag commands
      memset(&Uart, 0, sizeof(Uart));
  
      // And the reader -> tag commands
      memset(&Uart, 0, sizeof(Uart));
-    Uart.output = receivedCmd;
+       Uart.output = readerToTagCmd;
      Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
      Uart.state = STATE_UNSYNCD;
  
      Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
      Uart.state = STATE_UNSYNCD;
  
@@ -732,6 +715,9 @@ void RAMFUNC SnoopIClass(void)
      FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
      SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
  
      FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
      SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
  
+       uint32_t time_0 = GetCountSspClk();
+
+
      int div = 0;
      //int div2 = 0;
      int decbyte = 0;
      int div = 0;
      //int div2 = 0;
      int decbyte = 0;
@@ -765,20 +751,13 @@ void RAMFUNC SnoopIClass(void)
  
          //samples += 4;
         samples += 1;
  
          //samples += 4;
         samples += 1;
-       //div2++;       
  
  
-       //if(div2 > 3) {
-               //div2 = 0;
-       //decbyte ^= ((smpl & 0x01) << (3 - div));
-       //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already...
-       //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better...
         if(smpl & 0xF) {
                 decbyte ^= (1 << (3 - div));
         }
         if(smpl & 0xF) {
                 decbyte ^= (1 << (3 - div));
         }
-       //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div));
         
         // FOR READER SIDE COMMUMICATION...
         
         // FOR READER SIDE COMMUMICATION...
-       //decbyte ^=  ((smpl & 0x10) << (3 - div));
+
         decbyter <<= 2;
         decbyter ^= (smpl & 0x30);
  
         decbyter <<= 2;
         decbyter ^= (smpl & 0x30);
  
@@ -789,21 +768,17 @@ void RAMFUNC SnoopIClass(void)
                 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
                     rsamples = samples - Uart.samples;
                     LED_C_ON();
                 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
                     rsamples = samples - Uart.samples;
                     LED_C_ON();
-                   //if(triggered) {
-                       trace[traceLen++] = ((rsamples >>  0) & 0xff);
-                       trace[traceLen++] = ((rsamples >>  8) & 0xff);
-                       trace[traceLen++] = ((rsamples >> 16) & 0xff);
-                       trace[traceLen++] = ((rsamples >> 24) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >>  0) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >>  8) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
-                       trace[traceLen++] = Uart.byteCnt;
-                       memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
-                       traceLen += Uart.byteCnt;
-                       if(traceLen > TRACE_SIZE) break;
-                   //}
-                   /* And ready to receive another command. */
+
+                       //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
+                       //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
+                       if(tracing)
+                       {
+                               LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE);
+                               LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE);
+                       }
+
+
+                       /* And ready to receive another command. */
                     Uart.state = STATE_UNSYNCD;
                     /* And also reset the demod code, which might have been */
                     /* false-triggered by the commands from the reader. */
                     Uart.state = STATE_UNSYNCD;
                     /* And also reset the demod code, which might have been */
                     /* false-triggered by the commands from the reader. */
@@ -820,26 +795,16 @@ void RAMFUNC SnoopIClass(void)
                     rsamples = samples - Demod.samples;
                     LED_B_ON();
  
                     rsamples = samples - Demod.samples;
                     LED_B_ON();
  
-                   // timestamp, as a count of samples
-                   trace[traceLen++] = ((rsamples >>  0) & 0xff);
-                   trace[traceLen++] = ((rsamples >>  8) & 0xff);
-                   trace[traceLen++] = ((rsamples >> 16) & 0xff);
-                   trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
-                   // length
-                   trace[traceLen++] = Demod.len;
-                   memcpy(trace+traceLen, receivedResponse, Demod.len);
-                   traceLen += Demod.len;
-                   if(traceLen > TRACE_SIZE) break;
-
-                   //triggered = TRUE;
+                       if(tracing)
+                       {
+                               LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE);
+                               LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE);
+                       }
+
  
                     // And ready to receive another response.
                     memset(&Demod, 0, sizeof(Demod));
  
                     // And ready to receive another response.
                     memset(&Demod, 0, sizeof(Demod));
-                   Demod.output = receivedResponse;
+                       Demod.output = tagToReaderResponse;
                     Demod.state = DEMOD_UNSYNCD;
                     LED_C_OFF();
                 }
                     Demod.state = DEMOD_UNSYNCD;
                     LED_C_OFF();
                 }
@@ -923,6 +888,8 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
  //-----------------------------------------------------------------------------
  static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
  {
  //-----------------------------------------------------------------------------
  static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
  {
+       //So far a dummy implementation, not used
+       //int lastProxToAirDuration =0;
         int i;
  
         ToSendReset();
         int i;
  
         ToSendReset();
@@ -931,7 +898,7 @@ static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0xff;
+       ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0x00;
@@ -959,11 +926,13 @@ static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0xff;
+       ToSend[++ToSendMax] = 0xff;     
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
  
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
  
+       //lastProxToAirDuration  = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
+
         // Convert from last byte pos to length
         ToSendMax++;
  }
         // Convert from last byte pos to length
         ToSendMax++;
  }
@@ -971,8 +940,10 @@ static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
  // Only SOF 
  static void CodeIClassTagSOF()
  {
  // Only SOF 
  static void CodeIClassTagSOF()
  {
-       ToSendReset();
+       //So far a dummy implementation, not used
+       //int lastProxToAirDuration =0;
  
  
+       ToSendReset();
         // Send SOF
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
         // Send SOF
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0x00;
@@ -982,37 +953,92 @@ static void CodeIClassTagSOF()
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0xff;
         ToSend[++ToSendMax] = 0x00;
         ToSend[++ToSendMax] = 0xff;
+
+//     lastProxToAirDuration  = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
+
         
         // Convert from last byte pos to length
         ToSendMax++;
  }
         
         // Convert from last byte pos to length
         ToSendMax++;
  }
+int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
+/**
+ * @brief SimulateIClass simulates an iClass card.
+ * @param arg0 type of simulation
+ *                     - 0 uses the first 8 bytes in usb data as CSN
+ *                     - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
+ *                     in the usb data. This mode collects MAC from the reader, in order to do an offline
+ *                     attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
+ *                     - Other : Uses the default CSN (031fec8af7ff12e0)
+ * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
+ * @param arg2
+ * @param datain
+ */
+void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
+{
+       uint32_t simType = arg0;
+       uint32_t numberOfCSNS = arg1;
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
  
  
-//-----------------------------------------------------------------------------
-// Simulate iClass Card
-// Only CSN (Card Serial Number)
-// 
-//-----------------------------------------------------------------------------
-void SimulateIClass(uint8_t arg0, uint8_t *datain)
+       // Enable and clear the trace
+       iso14a_set_tracing(TRUE);
+       iso14a_clear_trace();
+
+       uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
+       if(simType == 0) {
+               // Use the CSN from commandline
+               memcpy(csn_crc, datain, 8);
+               doIClassSimulation(csn_crc,0,NULL);
+       }else if(simType == 1)
+       {
+               doIClassSimulation(csn_crc,0,NULL);
+       }
+       else if(simType == 2)
+       {
+
+               uint8_t mac_responses[64] = { 0 };
+               Dbprintf("Going into attack mode");
+               // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
+               // in order to collect MAC's from the reader. This can later be used in an offlne-attack
+               // in order to obtain the keys, as in the "dismantling iclass"-paper.
+               int i = 0;
+               for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
+               {
+                       // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
+
+                       memcpy(csn_crc, datain+(i*8), 8);
+                       if(doIClassSimulation(csn_crc,1,mac_responses))
+                       {
+                               return; // Button pressed
+                       }
+               }
+               cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
+
+       }
+       else{
+               // We may want a mode here where we hardcode the csns to use (from proxclone).
+               // That will speed things up a little, but not required just yet.
+               Dbprintf("The mode is not implemented, reserved for future use");
+       }
+       Dbprintf("Done...");
+
+}
+/**
+ * @brief Does the actual simulation
+ * @param csn - csn to use
+ * @param breakAfterMacReceived if true, returns after reader MAC has been received.
+ */
+int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
  {
  {
-       uint8_t simType = arg0;
  
  
-  // Enable and clear the trace
-       tracing = TRUE;
-       traceLen = 0;
-  memset(trace, 0x44, TRACE_SIZE);
  
         // CSN followed by two CRC bytes
         uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  
         // CSN followed by two CRC bytes
         uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t response3[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
-
+       uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
+       memcpy(response3,csn,sizeof(response3));
+       Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
         // e-Purse
         uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  
         // e-Purse
         uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  
-       if(simType == 0) {
-               // Use the CSN from commandline
-               memcpy(response3, datain, 8);
-       }
-
         // Construct anticollision-CSN
         rotateCSN(response3,response2);
  
         // Construct anticollision-CSN
         rotateCSN(response3,response2);
  
@@ -1020,6 +1046,7 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
         ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
         ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
  
         ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
         ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
  
+       int exitLoop = 0;
         // Reader 0a
         // Tag    0f
         // Reader 0c
         // Reader 0a
         // Tag    0f
         // Reader 0c
@@ -1053,7 +1080,7 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
         int resp4Len;
  
         // + 1720..
         int resp4Len;
  
         // + 1720..
-  uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
+       uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
         memset(receivedCmd, 0x44, RECV_CMD_SIZE);
         int len;
  
         memset(receivedCmd, 0x44, RECV_CMD_SIZE);
         int len;
  
@@ -1076,29 +1103,52 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
         CodeIClassTagAnswer(response4, sizeof(response4));
         memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
  
         CodeIClassTagAnswer(response4, sizeof(response4));
         memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
  
+
+       // Start from off (no field generated)
+       //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       //SpinDelay(200);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+       SpinDelay(100);
+       StartCountSspClk();
         // We need to listen to the high-frequency, peak-detected path.
         SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
         FpgaSetupSsc();
  
         // To control where we are in the protocol
         int cmdsRecvd = 0;
         // We need to listen to the high-frequency, peak-detected path.
         SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
         FpgaSetupSsc();
  
         // To control where we are in the protocol
         int cmdsRecvd = 0;
+       uint32_t time_0 = GetCountSspClk();
+       uint32_t t2r_time =0;
+       uint32_t r2t_time =0;
  
         LED_A_ON();
  
         LED_A_ON();
-       for(;;) {
+       bool buttonPressed = false;
+
+       /** Hack  for testing
+       memcpy(reader_mac_buf,csn,8);
+       exitLoop = true;
+       end hack **/
+
+       while(!exitLoop) {
+
                 LED_B_OFF();
                 LED_B_OFF();
+               //Signal tracer
+               // Can be used to get a trigger for an oscilloscope..
+               LED_C_OFF();
+
                 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
                 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
-                       DbpString("button press");
+                       buttonPressed = true;
                         break;
                 }
                         break;
                 }
+               r2t_time = GetCountSspClk();
+               //Signal tracer
+               LED_C_ON();
  
                 // Okay, look at the command now.
  
                 // Okay, look at the command now.
-               if(receivedCmd[0] == 0x0a) {
+               if(receivedCmd[0] == 0x0a ) {
                         // Reader in anticollission phase
                         resp = resp1; respLen = resp1Len; //order = 1;
                         respdata = &sof;
                         respsize = sizeof(sof);
                         // Reader in anticollission phase
                         resp = resp1; respLen = resp1Len; //order = 1;
                         respdata = &sof;
                         respsize = sizeof(sof);
-                       //resp = resp2; respLen = resp2Len; order = 2;
-                       //DbpString("Hello request from reader:");
                 } else if(receivedCmd[0] == 0x0c) {
                         // Reader asks for anticollission CSN
                         resp = resp2; respLen = resp2Len; //order = 2;
                 } else if(receivedCmd[0] == 0x0c) {
                         // Reader asks for anticollission CSN
                         resp = resp2; respLen = resp2Len; //order = 2;
@@ -1120,30 +1170,31 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
                         LED_B_ON();
                 } else if(receivedCmd[0] == 0x05) {
                         // Reader random and reader MAC!!!
                         LED_B_ON();
                 } else if(receivedCmd[0] == 0x05) {
                         // Reader random and reader MAC!!!
-                       // Lets store this ;-)
-/*
-                       Dbprintf("                CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
-                       response3[0], response3[1], response3[2],
-                       response3[3], response3[4], response3[5],
-                       response3[6], response3[7]);
-*/                     
-                       Dbprintf("READER AUTH (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",
-                       len,
-                       receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
-                       receivedCmd[6], receivedCmd[7], receivedCmd[8]);
-
                         // Do not respond
                         // Do not respond
-                       // We do not know what to answer, so lets keep quit
+            // We do not know what to answer, so lets keep quiet
                         resp = resp1; respLen = 0; //order = 5;
                         respdata = NULL;
                         respsize = 0;
                         resp = resp1; respLen = 0; //order = 5;
                         respdata = NULL;
                         respsize = 0;
+                       if (breakAfterMacReceived){
+                               // dbprintf:ing ...
+                               Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
+                               Dbprintf("RDR:  (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
+                                                receivedCmd[0], receivedCmd[1], receivedCmd[2],
+                                               receivedCmd[3], receivedCmd[4], receivedCmd[5],
+                                               receivedCmd[6], receivedCmd[7], receivedCmd[8]);
+                               if (reader_mac_buf != NULL)
+                               {
+                                       memcpy(reader_mac_buf,receivedCmd+1,8);
+                               }
+                               exitLoop = true;
+                       }
                 } else if(receivedCmd[0] == 0x00 && len == 1) {
                         // Reader ends the session
                         resp = resp1; respLen = 0; //order = 0;
                         respdata = NULL;
                         respsize = 0;
                 } else {
                 } else if(receivedCmd[0] == 0x00 && len == 1) {
                         // Reader ends the session
                         resp = resp1; respLen = 0; //order = 0;
                         respdata = NULL;
                         respsize = 0;
                 } else {
+                       //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
                         // Never seen this command before
                         Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
                         len,
                         // Never seen this command before
                         Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
                         len,
@@ -1156,9 +1207,9 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
                         respsize = 0;
                 }
  
                         respsize = 0;
                 }
  
-               if(cmdsRecvd > 999) {
-                       DbpString("1000 commands later...");
-                       break;
+               if(cmdsRecvd >  100) {
+                       //DbpString("100 commands later...");
+                       //break;
                 }
                 else {
                         cmdsRecvd++;
                 }
                 else {
                         cmdsRecvd++;
@@ -1166,64 +1217,68 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
  
                 if(respLen > 0) {
                         SendIClassAnswer(resp, respLen, 21);
  
                 if(respLen > 0) {
                         SendIClassAnswer(resp, respLen, 21);
+                       t2r_time = GetCountSspClk();
                 }
                 }
-               
+
                 if (tracing) {
                 if (tracing) {
-                       LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE);
+                       LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
+                       LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
+
                         if (respdata != NULL) {
                         if (respdata != NULL) {
-                               LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
+                               LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
+                               LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
+
+
                         }
                         }
-                       if(traceLen > TRACE_SIZE) {
+                       if(!tracing) {
                                 DbpString("Trace full");
                                 DbpString("Trace full");
-                               break;
+                               //break;
                         }
                         }
-               }
  
  
+               }
                 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
         }
  
                 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
         }
  
-       Dbprintf("%x", cmdsRecvd);
+       //Dbprintf("%x", cmdsRecvd);
         LED_A_OFF();
         LED_B_OFF();
         LED_A_OFF();
         LED_B_OFF();
+       if(buttonPressed)
+       {
+               DbpString("Button pressed");
+       }
+       return buttonPressed;
  }
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
  {
  }
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
  {
-       int i = 0, u = 0, d = 0;
+       int i = 0, d=0;//, u = 0, d = 0;
         uint8_t b = 0;
         uint8_t b = 0;
-       // return 0;
-       // Modulate Manchester
-       // FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD424);
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
+
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
+
         AT91C_BASE_SSC->SSC_THR = 0x00;
         FpgaSetupSsc();
         AT91C_BASE_SSC->SSC_THR = 0x00;
         FpgaSetupSsc();
-       
-       // send cycle
-       for(;;) {
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       (void)b;
+       while(!BUTTON_PRESS()) {
+               if((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
+                       b = AT91C_BASE_SSC->SSC_RHR; (void) b;
                 }
                 }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
+                       b = 0x00;
                         if(d < delay) {
                         if(d < delay) {
-                               b = 0x00;
                                 d++;
                         }
                                 d++;
                         }
-                       else if(i >= respLen) {
-                               b = 0x00;
-                               u++;
-                       } else {
-                               b = resp[i];
-                               u++;
-                               if(u > 1) { i++; u = 0; }
+                       else {
+                               if( i < respLen){
+                                       b = resp[i];
+                                       //Hack
+                                       //b = 0xAC;
+                               }
+                               i++;
                         }
                         AT91C_BASE_SSC->SSC_THR = b;
                         }
                         AT91C_BASE_SSC->SSC_THR = b;
-
-                       if(u > 4) break;
-               }
-               if(BUTTON_PRESS()) {
-                       break;
                 }
                 }
+
+               if (i > respLen +4) break;
         }
  
         return 0;
         }
  
         return 0;
@@ -1237,7 +1292,6 @@ static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
  static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
  {
    int c;
  static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
  {
    int c;
-
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
    AT91C_BASE_SSC->SSC_THR = 0x00;
    FpgaSetupSsc();
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
    AT91C_BASE_SSC->SSC_THR = 0x00;
    FpgaSetupSsc();
@@ -1313,12 +1367,12 @@ void CodeIClassCommand(const uint8_t * cmd, int len)
      b = cmd[i];
      for(j = 0; j < 4; j++) {
        for(k = 0; k < 4; k++) {
      b = cmd[i];
      for(j = 0; j < 4; j++) {
        for(k = 0; k < 4; k++) {
-       if(k == (b & 3)) {
-           ToSend[++ToSendMax] = 0x0f;
-       }
-       else {
-           ToSend[++ToSendMax] = 0x00;
-       }
+                       if(k == (b & 3)) {
+                               ToSend[++ToSendMax] = 0x0f;
+                       }
+                       else {
+                               ToSend[++ToSendMax] = 0x00;
+                       }
        }
        b >>= 2;
      }
        }
        b >>= 2;
      }
@@ -1414,36 +1468,138 @@ int ReaderReceiveIClass(uint8_t* receivedAnswer)
    return Demod.len;
  }
  
    return Demod.len;
  }
  
+void setupIclassReader()
+{
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+    // Reset trace buffer
+    iso14a_set_tracing(TRUE);
+    iso14a_clear_trace();
+
+    // Setup SSC
+    FpgaSetupSsc();
+    // Start from off (no field generated)
+    // Signal field is off with the appropriate LED
+    LED_D_OFF();
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+    SpinDelay(200);
+
+    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+
+    // Now give it time to spin up.
+    // Signal field is on with the appropriate LED
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
+    SpinDelay(200);
+    LED_A_ON();
+
+}
+
  // Reader iClass Anticollission
  void ReaderIClass(uint8_t arg0) {
         uint8_t act_all[]     = { 0x0a };
         uint8_t identify[]    = { 0x0c };
         uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  // Reader iClass Anticollission
  void ReaderIClass(uint8_t arg0) {
         uint8_t act_all[]     = { 0x0a };
         uint8_t identify[]    = { 0x0c };
         uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+    uint8_t readcheck_cc[]= { 0x88, 0x02 };
+
+    uint8_t card_data[24]={0};
+    uint8_t last_csn[8]={0};
  
         uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
  
  
         uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
  
-       // Reset trace buffer
-       memset(trace, 0x44, RECV_CMD_OFFSET);
-       traceLen = 0;
+    int read_status= 0;
+    bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
  
  
-       // Setup SSC
-       FpgaSetupSsc();
-       // Start from off (no field generated)
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
+    setupIclassReader();
  
  
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+    size_t datasize = 0;
+    while(!BUTTON_PRESS())
+    {
+        WDT_HIT();
  
  
-       // Now give it time to spin up.
-       // Signal field is on with the appropriate LED
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-       SpinDelay(200);
+        // Send act_all
+        ReaderTransmitIClass(act_all, 1);
+        // Card present?
+        if(ReaderReceiveIClass(resp)) {
+
+            ReaderTransmitIClass(identify, 1);
+
+            if(ReaderReceiveIClass(resp) == 10) {
+                //Copy the Anti-collision CSN to our select-packet
+                memcpy(&select[1],resp,8);
+                //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2],
+                //        resp[3], resp[4], resp[5],
+                //        resp[6], resp[7]);
+                //Select the card
+                ReaderTransmitIClass(select, sizeof(select));
+
+                if(ReaderReceiveIClass(resp) == 10) {
+                    //Save CSN in response data
+                    memcpy(card_data,resp,8);
+                    datasize += 8;
+                    //Flag that we got to at least stage 1, read CSN
+                    read_status = 1;
+
+                    // Card selected
+                    //Dbprintf("Readcheck on Sector 2");
+                    ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                    if(ReaderReceiveIClass(resp) == 8) {
+                        //Save CC (e-purse) in response data
+                        memcpy(card_data+8,resp,8);
+                        datasize += 8;
+                        //Got both
+                        read_status = 2;
+                    }
+
+                    LED_B_ON();
+                    //Send back to client, but don't bother if we already sent this
+                    if(memcmp(last_csn, card_data, 8) != 0)
+                        cmd_send(CMD_ACK,read_status,0,0,card_data,datasize);
+
+                    //Save that we already sent this....
+                    if(read_status ==  2)
+                        memcpy(last_csn, card_data, 8);
+
+                    LED_B_OFF();
+
+                    if(abort_after_read) break;
+                }
+            }
+        }
  
  
-       LED_A_ON();
+        if(traceLen > TRACE_SIZE) {
+            DbpString("Trace full");
+            break;
+        }
+    }
+    LED_A_OFF();
+}
  
  
-       for(;;) {
+void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
+       uint8_t act_all[]     = { 0x0a };
+       uint8_t identify[]    = { 0x0c };
+       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t readcheck_cc[]= { 0x88, 0x02 };
+       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
+       
+    uint16_t crc = 0;
+       uint8_t cardsize=0;
+       bool read_success=false;
+       uint8_t mem=0;
+       
+       static struct memory_t{
+         int k16;
+         int book;
+         int k2;
+         int lockauth;
+         int keyaccess;
+       } memory;
+       
+       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
+
+    setupIclassReader();
+
+
+       for(int i=0;i<1;i++) {
         
                 if(traceLen > TRACE_SIZE) {
                         DbpString("Trace full");
         
                 if(traceLen > TRACE_SIZE) {
                         DbpString("Trace full");
@@ -1468,7 +1624,72 @@ void ReaderIClass(uint8_t arg0) {
                                         resp[3], resp[4], resp[5],
                                         resp[6], resp[7]);
                                 }
                                         resp[3], resp[4], resp[5],
                                         resp[6], resp[7]);
                                 }
-                               // Card selected, whats next... ;-)
+                               // Card selected
+                               Dbprintf("Readcheck on Sector 2");
+                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                               if(ReaderReceiveIClass(resp) == 8) {
+                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],
+                                       resp[3], resp[4], resp[5],
+                                       resp[6], resp[7]);
+                               }else return;
+                               Dbprintf("Authenticate");
+                               //for now replay captured auth (as cc not updated)
+                               memcpy(check+5,MAC,4);
+                //Dbprintf("     AA: %02x %02x %02x %02x",
+                //     check[5], check[6], check[7],check[8]);
+                               ReaderTransmitIClass(check, sizeof(check));
+                               if(ReaderReceiveIClass(resp) == 4) {
+                                  Dbprintf("     AR: %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],resp[3]);
+                               }else {
+                                 Dbprintf("Error: Authentication Fail!");
+                                 return;
+                               }
+                               Dbprintf("Dump Contents");
+                               //first get configuration block
+                               read_success=false;
+                               read[1]=1;
+                               uint8_t *blockno=&read[1];
+                               crc = iclass_crc16((char *)blockno,1);
+                               read[2] = crc >> 8;
+                               read[3] = crc & 0xff;
+                               while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        mem=resp[5];
+                                        memory.k16= (mem & 0x80);
+                                        memory.book= (mem & 0x20);
+                                        memory.k2= (mem & 0x8);
+                                        memory.lockauth= (mem & 0x2);
+                                        memory.keyaccess= (mem & 0x1);
+
+                                     }
+                               }
+                               if (memory.k16){
+                                 cardsize=255;
+                               }else cardsize=32;
+                               //then loop around remaining blocks
+                               for(uint8_t j=0; j<cardsize; j++){
+                                   read_success=false;
+                                   uint8_t *blockno=&j;
+                                   //crc_data[0]=j;
+                                   read[1]=j;
+                                   crc = iclass_crc16((char *)blockno,1);
+                                   read[2] = crc >> 8;
+                                   read[3] = crc & 0xff;
+                                   while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                         j, resp[0], resp[1], resp[2],
+                                         resp[3], resp[4], resp[5],
+                                         resp[6], resp[7]);
+                                     }
+                                   }
+                               }
                         }
                 }
                 WDT_HIT();
                         }
                 }
                 WDT_HIT();
@@ -1477,31 +1698,25 @@ void ReaderIClass(uint8_t arg0) {
         LED_A_OFF();
  }
  
         LED_A_OFF();
  }
  
-void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
+//2. Create Read method (cut-down from above) based off responses from 1. 
+//   Since we have the MAC could continue to use replay function.
+//3. Create Write method
+/*
+void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
         uint8_t act_all[]     = { 0x0a };
         uint8_t identify[]    = { 0x0c };
         uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
         uint8_t readcheck_cc[]= { 0x88, 0x02 };
         uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
         uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
         uint8_t act_all[]     = { 0x0a };
         uint8_t identify[]    = { 0x0c };
         uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
         uint8_t readcheck_cc[]= { 0x88, 0x02 };
         uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
         uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
+       uint8_t write[]       = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
         
         
-        uint16_t crc = 0;
-       uint8_t cardsize=0;
-       bool read_success=false;
-       uint8_t mem=0;
-       
-       static struct memory_t{
-         int k16;
-         int book;
-         int k2;
-         int lockauth;
-         int keyaccess;
-       } memory;
+    uint16_t crc = 0;
         
         uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
  
         // Reset trace buffer
         
         uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
  
         // Reset trace buffer
-       memset(trace, 0x44, RECV_CMD_OFFSET);
+       memset(trace, 0x44, RECV_CMD_OFFSET);
         traceLen = 0;
  
         // Setup SSC
         traceLen = 0;
  
         // Setup SSC
@@ -1568,8 +1783,9 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
                                   Dbprintf("Error: Authentication Fail!");
                                   return;
                                 }
                                   Dbprintf("Error: Authentication Fail!");
                                   return;
                                 }
-                               Dbprintf("Dump Contents");
-                               //first get configuration block
+                               Dbprintf("Write Block");
+                               
+                               //read configuration for max block number
                                 read_success=false;
                                 read[1]=1;
                                 uint8_t *blockno=&read[1];
                                 read_success=false;
                                 read[1]=1;
                                 uint8_t *blockno=&read[1];
@@ -1592,32 +1808,20 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
                                 if (memory.k16){
                                   cardsize=255;
                                 }else cardsize=32;
                                 if (memory.k16){
                                   cardsize=255;
                                 }else cardsize=32;
-                               //then loop around remaining blocks
-                               for(uint8_t j=0; j<cardsize; j++){
-                                   read_success=false;
-                                   uint8_t *blockno=&j;
-                                   //crc_data[0]=j;
-                                   read[1]=j;
-                                   crc = iclass_crc16((char *)blockno,1);
-                                   read[2] = crc >> 8;
-                                   read[3] = crc & 0xff;
-                                   while(!read_success){
-                                     ReaderTransmitIClass(read, sizeof(read));
-                                     if(ReaderReceiveIClass(resp) == 10) {
-                                        read_success=true;
-                                        Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                         j, resp[0], resp[1], resp[2],
-                                         resp[3], resp[4], resp[5],
-                                         resp[6], resp[7]);
-                                     }
-                                   }
+                               //check card_size
+                               
+                               memcpy(write+1,blockNo,1);
+                               memcpy(write+2,data,8);
+                               memcpy(write+10,mac,4);
+                               while(!send_success){
+                                 ReaderTransmitIClass(write, sizeof(write));
+                                 if(ReaderReceiveIClass(resp) == 10) {
+                                   write_success=true;
                                 }
                                 }
-                       }
+                       }//
                 }
                 WDT_HIT();
         }
         
         LED_A_OFF();
                 }
                 WDT_HIT();
         }
         
         LED_A_OFF();
-}
-
-
+}*/