]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhficlass.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix 'hf iclass writebl' and 'hf iclass clone' (#896)
[proxmark3-svn] / client / cmdhficlass.c
diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c
index 195a282d89815bcd0d039e1a4c5404ac86230924..1400395aa8dbb97ca1b78d23ce54ddab3175de3f 100644 (file)
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@@ -2,6 +2,7 @@
 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
 // Copyright (C) 2011 Gerhard de Koning Gans
 // Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
 // Copyright (C) 2011 Gerhard de Koning Gans
 // Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
+// Copyright (C) 2019 piwi
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@@ -18,6 +19,7 @@
 #include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
 #include "comms.h"
 #include "ui.h"
 #include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
 #include "comms.h"
 #include "ui.h"
+#include "cliparser/cliparser.h"
 #include "cmdparser.h"
 #include "cmdhficlass.h"
 #include "common.h"
 #include "cmdparser.h"
 #include "cmdhficlass.h"
 #include "common.h"
@@ -49,9 +51,104 @@ static uint8_t iClass_Key_Table[ICLASS_KEYS_MAX][8] = {
 };
 
 
 };
 
 
-typedef struct iclass_block {
-       uint8_t d[8];
-} iclass_block_t;
+// iclass / picopass chip config structures and shared routines
+typedef struct {
+       uint8_t app_limit;      //[8]
+       uint8_t otp[2];         //[9-10]
+       uint8_t block_writelock;//[11]
+       uint8_t chip_config;    //[12]
+       uint8_t mem_config;     //[13]
+       uint8_t eas;            //[14]
+       uint8_t fuses;          //[15]
+} picopass_conf_block;
+
+typedef struct {
+       uint8_t csn[8];
+       picopass_conf_block conf;
+       uint8_t epurse[8];
+       uint8_t key_d[8];
+       uint8_t key_c[8];
+       uint8_t app_issuer_area[8];
+} picopass_hdr;
+
+
+static void fuse_config(const picopass_hdr *hdr) {
+       uint8_t fuses = hdr->conf.fuses;
+
+       if (fuses & FUSE_FPERS)
+               PrintAndLog("  Mode: Personalization [Programmable]");
+       else
+               PrintAndLog("  Mode: Application [Locked]");
+
+       if (fuses & FUSE_CODING1)
+               PrintAndLog("Coding: RFU");
+       else {
+               if (fuses & FUSE_CODING0)
+                       PrintAndLog("Coding: ISO 14443-2 B/ISO 15693");
+               else
+                       PrintAndLog("Coding: ISO 14443B only");
+       }
+       if ((fuses & FUSE_CRYPT1) && (fuses & FUSE_CRYPT0)) PrintAndLog(" Crypt: Secured page, keys not locked");
+       if ((fuses & FUSE_CRYPT1) && !(fuses & FUSE_CRYPT0)) PrintAndLog(" Crypt: Secured page, keys locked");
+       if (!(fuses & FUSE_CRYPT1) && (fuses & FUSE_CRYPT0)) PrintAndLog(" Crypt: Non secured page");
+       if (!(fuses & FUSE_CRYPT1) && !(fuses & FUSE_CRYPT0)) PrintAndLog(" Crypt: No auth possible. Read only if RA is enabled");
+
+       if (fuses & FUSE_RA)
+               PrintAndLog("    RA: Read access enabled");
+       else
+               PrintAndLog("    RA: Read access not enabled");
+}
+
+
+static void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb) {
+       // mem-bit 5, mem-bit 7, chip-bit 4: defines chip type
+       if((chip_cfg & 0x10) && !(mem_cfg & 0x80) && !(mem_cfg & 0x20)) {
+               *kb = 2;
+               *app_areas = 2;
+               *max_blk = 31;
+       } else if((chip_cfg & 0x10) && (mem_cfg & 0x80) && !(mem_cfg & 0x20)) {
+               *kb = 16;
+               *app_areas = 2;
+               *max_blk = 255; //16kb
+       } else if(!(chip_cfg & 0x10) && !(mem_cfg & 0x80) && !(mem_cfg & 0x20)) {
+               *kb = 16;
+               *app_areas = 16;
+               *max_blk = 255; //16kb
+       } else if((chip_cfg & 0x10) && (mem_cfg & 0x80) && (mem_cfg & 0x20)) {
+               *kb = 32;
+               *app_areas = 3;
+               *max_blk = 255; //16kb
+       } else if(!(chip_cfg & 0x10) && !(mem_cfg & 0x80) && (mem_cfg & 0x20)) {
+               *kb = 32;
+               *app_areas = 17;
+               *max_blk = 255; //16kb
+       } else {
+               *kb = 32;
+               *app_areas = 2;
+               *max_blk = 255;
+       }
+}
+
+
+static void mem_app_config(const picopass_hdr *hdr) {
+       uint8_t mem = hdr->conf.mem_config;
+       uint8_t chip = hdr->conf.chip_config;
+       uint8_t applimit = hdr->conf.app_limit;
+       if (applimit < 6) applimit = 26;
+       uint8_t kb = 2;
+       uint8_t app_areas = 2;
+       uint8_t max_blk = 31;
+       getMemConfig(mem, chip, &max_blk, &app_areas, &kb);
+       PrintAndLog("   Mem: %u KBits/%u App Areas (%u * 8 bytes) [%02X]", kb, app_areas, max_blk+1, mem);
+       PrintAndLog("   AA1: blocks 06-%02X", applimit);
+       PrintAndLog("   AA2: blocks %02X-%02X", applimit+1, max_blk);
+}
+
+
+static void printIclassDumpInfo(uint8_t* iclass_dump) {
+       fuse_config((picopass_hdr*)iclass_dump);
+       mem_app_config((picopass_hdr*)iclass_dump);
+}
 
 
 static void usage_hf_iclass_chk(void) {
 
 
 static void usage_hf_iclass_chk(void) {
@@ -75,8 +172,29 @@ static int CmdHFiClassList(const char *Cmd) {
 
 
 static int CmdHFiClassSnoop(const char *Cmd) {
 
 
 static int CmdHFiClassSnoop(const char *Cmd) {
-       UsbCommand c = {CMD_SNOOP_ICLASS};
+
+       CLIParserInit("hf iclass snoop", "\nSnoop a communication between an iClass Reader and an iClass Tag.", NULL);
+       void* argtable[] = {
+               arg_param_begin,
+               arg_lit0("j",  "jam",    "Jam (prevent) e-purse Updates"),
+               arg_param_end
+       };
+       if (CLIParserParseString(Cmd, argtable, arg_getsize(argtable), true)){
+               CLIParserFree();
+               return 0;
+       }
+
+       bool jam_epurse_update = arg_get_lit(1);
+
+       const uint8_t update_epurse_sequence[2] = {0x87, 0x02};
+
+       UsbCommand c = {CMD_SNOOP_ICLASS, {0}};
+       if (jam_epurse_update) {
+               c.arg[0] = sizeof(update_epurse_sequence);
+               memcpy(c.d.asBytes, update_epurse_sequence, sizeof(update_epurse_sequence));
+       }
        SendCommand(&c);
        SendCommand(&c);
+
        return 0;
 }
 
        return 0;
 }
 
@@ -207,33 +325,34 @@ static int CmdHFiClassSim(const char *Cmd) {
 }
 
 
 }
 
 
-int HFiClassReader(const char *Cmd, bool loop, bool verbose) {
+int HFiClassReader(bool loop, bool verbose) {
+
        bool tagFound = false;
        bool tagFound = false;
-       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN |
-                       FLAG_ICLASS_READER_CC | FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_AA} };
-       // loop in client not device - else on windows have a communication error
+       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_INIT | FLAG_ICLASS_READER_CLEARTRACE | FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_CC | FLAG_ICLASS_READER_AA} };
        UsbCommand resp;
        UsbCommand resp;
-       while(!ukbhit()){
+
+       while (!ukbhit()) {
                SendCommand(&c);
                if (WaitForResponseTimeout(CMD_ACK,&resp, 4500)) {
                        uint8_t readStatus = resp.arg[0] & 0xff;
                        uint8_t *data = resp.d.asBytes;
 
                SendCommand(&c);
                if (WaitForResponseTimeout(CMD_ACK,&resp, 4500)) {
                        uint8_t readStatus = resp.arg[0] & 0xff;
                        uint8_t *data = resp.d.asBytes;
 
-                       // no tag found or button pressed
-                       if( (readStatus == 0 && !loop) || readStatus == 0xFF) {
+                       // no tag found
+                       if (readStatus == 0 && !loop) {
                                // abort
                                if (verbose) PrintAndLog("Quitting...");
                                // abort
                                if (verbose) PrintAndLog("Quitting...");
+                               DropField();
                                return 0;
                        }
 
                                return 0;
                        }
 
-                       ifreadStatus & FLAG_ICLASS_READER_CSN) {
+                       if (readStatus & FLAG_ICLASS_READER_CSN) {
                                PrintAndLog("   CSN: %s",sprint_hex(data,8));
                                tagFound = true;
                        }
                                PrintAndLog("   CSN: %s",sprint_hex(data,8));
                                tagFound = true;
                        }
-                       ifreadStatus & FLAG_ICLASS_READER_CC) {
+                       if (readStatus & FLAG_ICLASS_READER_CC) {
                                PrintAndLog("    CC: %s",sprint_hex(data+16,8));
                        }
                                PrintAndLog("    CC: %s",sprint_hex(data+16,8));
                        }
-                       ifreadStatus & FLAG_ICLASS_READER_CONF) {
+                       if (readStatus & FLAG_ICLASS_READER_CONF) {
                                printIclassDumpInfo(data);
                        }
                        if (readStatus & FLAG_ICLASS_READER_AA) {
                                printIclassDumpInfo(data);
                        }
                        if (readStatus & FLAG_ICLASS_READER_AA) {
@@ -253,35 +372,31 @@ int HFiClassReader(const char *Cmd, bool loop, bool verbose) {
                }
                if (!loop) break;
        }
                }
                if (!loop) break;
        }
+
+       DropField();
        return 0;
 }
 
 
        return 0;
 }
 
 
-static int CmdHFiClassReader(const char *Cmd) {
-       return HFiClassReader(Cmd, true, true);
+static void usage_hf_iclass_reader(void) {
+       PrintAndLogEx(NORMAL, "Act as a Iclass reader.  Look for iClass tags until Enter or the pm3 button is pressed\n");
+       PrintAndLogEx(NORMAL, "Usage:  hf iclass reader [h] [1]\n");
+       PrintAndLogEx(NORMAL, "Options:");
+       PrintAndLogEx(NORMAL, "    h   This help text");
+       PrintAndLogEx(NORMAL, "    1   read only 1 tag");
+       PrintAndLogEx(NORMAL, "Examples:");
+       PrintAndLogEx(NORMAL, "        hf iclass reader 1");
 }
 
 
 }
 
 
-static int CmdHFiClassReader_Replay(const char *Cmd) {
-       uint8_t readerType = 0;
-       uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
-
-       if (strlen(Cmd)<1) {
-               PrintAndLog("Usage:  hf iclass replay <MAC>");
-               PrintAndLog("        sample: hf iclass replay 00112233");
+static int CmdHFiClassReader(const char *Cmd) {
+       char cmdp = tolower(param_getchar(Cmd, 0));
+       if (cmdp == 'h') {
+               usage_hf_iclass_reader();
                return 0;
        }
                return 0;
        }
-
-       if (param_gethex(Cmd, 0, MAC, 8)) {
-               PrintAndLog("MAC must include 8 HEX symbols");
-               return 1;
-       }
-
-       UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
-       memcpy(c.d.asBytes, MAC, 4);
-       SendCommand(&c);
-
-       return 0;
+       bool findone = (cmdp == '1') ? false : true;
+       return HFiClassReader(findone, true);
 }
 
 
 }
 
 
@@ -514,17 +629,19 @@ static int CmdHFiClassEncryptBlk(const char *Cmd) {
 static void Calc_wb_mac(uint8_t blockno, uint8_t *data, uint8_t *div_key, uint8_t MAC[4]) {
        uint8_t WB[9];
        WB[0] = blockno;
 static void Calc_wb_mac(uint8_t blockno, uint8_t *data, uint8_t *div_key, uint8_t MAC[4]) {
        uint8_t WB[9];
        WB[0] = blockno;
-       memcpy(WB + 1,data,8);
-       doMAC_N(WB,sizeof(WB),div_key,MAC);
+       memcpy(WB+1, data, 8);
+       doMAC_N(WB, sizeof(WB), div_key, MAC);
        //printf("Cal wb mac block [%02x][%02x%02x%02x%02x%02x%02x%02x%02x] : MAC [%02x%02x%02x%02x]",WB[0],WB[1],WB[2],WB[3],WB[4],WB[5],WB[6],WB[7],WB[8],MAC[0],MAC[1],MAC[2],MAC[3]);
 }
 
 
        //printf("Cal wb mac block [%02x][%02x%02x%02x%02x%02x%02x%02x%02x] : MAC [%02x%02x%02x%02x]",WB[0],WB[1],WB[2],WB[3],WB[4],WB[5],WB[6],WB[7],WB[8],MAC[0],MAC[1],MAC[2],MAC[3]);
 }
 
 
-static bool select_only(uint8_t *CSN, bool verbose) {
-       UsbCommand resp;
+static bool iClass_select(uint8_t *CSN, bool verbose, bool cleartrace, bool init) {
 
 
-       UsbCommand c = {CMD_READER_ICLASS, {0}};
+       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN}};
+       if (init) c.arg[0] |= FLAG_ICLASS_READER_INIT;
+       if (cleartrace) c.arg[0] |= FLAG_ICLASS_READER_CLEARTRACE;
 
 
+       UsbCommand resp;
        clearCommandBuffer();
        SendCommand(&c);
        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
        clearCommandBuffer();
        SendCommand(&c);
        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
@@ -535,9 +652,8 @@ static bool select_only(uint8_t *CSN, bool verbose) {
        uint8_t isOK = resp.arg[0] & 0xff;
        uint8_t *data = resp.d.asBytes;
 
        uint8_t isOK = resp.arg[0] & 0xff;
        uint8_t *data = resp.d.asBytes;
 
-       memcpy(CSN, data, 8);
-
-       if (isOK > 0) {
+       if (isOK & FLAG_ICLASS_READER_CSN) {
+               memcpy(CSN, data, 8);
                if (verbose) PrintAndLog("CSN: %s", sprint_hex(CSN, 8));
        } else {
                PrintAndLog("Failed to select card! Aborting");
                if (verbose) PrintAndLog("CSN: %s", sprint_hex(CSN, 8));
        } else {
                PrintAndLog("Failed to select card! Aborting");
@@ -567,20 +683,24 @@ static void HFiClassCalcDivKey(uint8_t *CSN, uint8_t *KEY, uint8_t *div_key, boo
 }
 
 
 }
 
 
-static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
-       uint8_t CSN[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t CCNR[12] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-
-       if (!select_only(CSN, verbose))
-               return false;
+static bool iClass_authenticate(uint8_t *CSN, uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool replay, bool verbose) {
 
        //get div_key
 
        //get div_key
-       if (rawkey)
+       if (rawkey || replay)
                memcpy(div_key, KEY, 8);
        else
                HFiClassCalcDivKey(CSN, KEY, div_key, elite);
 
                memcpy(div_key, KEY, 8);
        else
                HFiClassCalcDivKey(CSN, KEY, div_key, elite);
 
-       if (verbose) PrintAndLog("Authenticating with %s: %s", rawkey ? "raw key" : "diversified key", sprint_hex(div_key, 8));
+       char keytypetext[23] = "legacy diversified key";
+       if (rawkey) {
+               strcpy(keytypetext, "raw key");
+       } else if (replay) {
+               strcpy(keytypetext, "replayed NR/MAC");
+       } else if (elite) {
+               strcpy(keytypetext, "Elite diversified key");
+       }
+
+       if (verbose) PrintAndLog("Authenticating with %s: %s", keytypetext, sprint_hex(div_key, 8));
 
        UsbCommand resp;
        UsbCommand d = {CMD_ICLASS_READCHECK, {2, use_credit_key, 0}};
 
        UsbCommand resp;
        UsbCommand d = {CMD_ICLASS_READCHECK, {2, use_credit_key, 0}};
@@ -597,12 +717,23 @@ static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool u
                if (verbose) PrintAndLog("Couldn't get Card Challenge");
                return false;
        }
                if (verbose) PrintAndLog("Couldn't get Card Challenge");
                return false;
        }
-       memcpy(CCNR, resp.d.asBytes, 8);
 
 
-       doMAC(CCNR, div_key, MAC);
+       if (replay) {
+               memcpy(MAC, KEY+4, 4);
+       } else {
+               uint8_t CCNR[12];
+               memcpy(CCNR, resp.d.asBytes, 8);
+               memset(CCNR+8, 0x00, 4); // default NR = {0, 0, 0, 0}
+               doMAC(CCNR, div_key, MAC);
+       }
 
        d.cmd = CMD_ICLASS_CHECK;
 
        d.cmd = CMD_ICLASS_CHECK;
-       memcpy(d.d.asBytes, MAC, 4);
+       if (replay) {
+               memcpy(d.d.asBytes, KEY, 8);
+       } else {
+               memset(d.d.asBytes, 0x00, 4); // default NR = {0, 0, 0, 0}
+               memcpy(d.d.asBytes+4, MAC, 4);
+       }
        clearCommandBuffer();
        SendCommand(&d);
        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
        clearCommandBuffer();
        SendCommand(&d);
        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
@@ -619,15 +750,16 @@ static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool u
 
 
 static void usage_hf_iclass_dump(void) {
 
 
 static void usage_hf_iclass_dump(void) {
-       PrintAndLog("Usage:  hf iclass dump f <fileName> k <Key> c <CreditKey> e|r\n");
+       PrintAndLog("Usage:  hf iclass dump f <fileName> k <Key> c <CreditKey> e|r|n\n");
        PrintAndLog("Options:");
        PrintAndLog("  f <filename> : specify a filename to save dump to");
        PrintAndLog("Options:");
        PrintAndLog("  f <filename> : specify a filename to save dump to");
-       PrintAndLog("  k <Key>      : *Access Key as 16 hex symbols or 1 hex to select key from memory");
-       PrintAndLog("  c <CreditKey>: Credit Key as 16 hex symbols or 1 hex to select key from memory");
-       PrintAndLog("  e            : If 'e' is specified, the key is interpreted as the 16 byte");
-       PrintAndLog("                 Custom Key (KCus), which can be obtained via reader-attack");
+       PrintAndLog("  k <Key>      : *Debit Key (AA1) as 16 hex symbols (8 bytes) or 1 hex to select key from memory");
+       PrintAndLog("  c <CreditKey>: Credit Key (AA2) as 16 hex symbols (8 bytes) or 1 hex to select key from memory");
+       PrintAndLog("  e            : If 'e' is specified, the keys are interpreted as Elite");
+       PrintAndLog("                 Custom Keys (KCus), which can be obtained via reader-attack");
        PrintAndLog("                 See 'hf iclass sim 2'. This key should be on iclass-format");
        PrintAndLog("                 See 'hf iclass sim 2'. This key should be on iclass-format");
-       PrintAndLog("  r            : If 'r' is specified, the key is interpreted as raw block 3/4");
+       PrintAndLog("  r            : If 'r' is specified, keys are interpreted as raw blocks 3/4");
+       PrintAndLog("  n            : If 'n' is specified, keys are interpreted as NR/MAC pairs which can be obtained by 'hf iclass snoop'");
        PrintAndLog("  NOTE: * = required");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass dump k 001122334455667B");
        PrintAndLog("  NOTE: * = required");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass dump k 001122334455667B");
@@ -673,7 +805,7 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
        uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t c_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t blockno = 0;
        uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t c_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t blockno = 0;
-       uint8_t numblks = 0;
+       uint8_t AA1_maxBlk = 0;
        uint8_t maxBlk = 31;
        uint8_t app_areas = 1;
        uint8_t kb = 2;
        uint8_t maxBlk = 31;
        uint8_t app_areas = 1;
        uint8_t kb = 2;
@@ -689,98 +821,112 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
        bool use_credit_key = false;
        bool elite = false;
        bool rawkey = false;
        bool use_credit_key = false;
        bool elite = false;
        bool rawkey = false;
+       bool NRMAC_replay = false;
        bool errors = false;
        bool errors = false;
+       bool verbose = false;
        uint8_t cmdp = 0;
 
        uint8_t cmdp = 0;
 
-       while(param_getchar(Cmd, cmdp) != 0x00)
-       {
-               switch(param_getchar(Cmd, cmdp))
-               {
-               case 'h':
-               case 'H':
-                       usage_hf_iclass_dump();
-                       return 0;
-               case 'c':
-               case 'C':
-                       have_credit_key = true;
-                       dataLen = param_getstr(Cmd, cmdp+1, tempStr, sizeof(tempStr));
-                       if (dataLen == 16) {
-                               errors = param_gethex(tempStr, 0, CreditKEY, dataLen);
-                       } else if (dataLen == 1) {
-                               keyNbr = param_get8(Cmd, cmdp+1);
-                               if (keyNbr < ICLASS_KEYS_MAX) {
-                                       memcpy(CreditKEY, iClass_Key_Table[keyNbr], 8);
+       while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+               switch(param_getchar(Cmd, cmdp)) {
+                       case 'h':
+                       case 'H':
+                               usage_hf_iclass_dump();
+                               return 0;
+                       case 'c':
+                       case 'C':
+                               have_credit_key = true;
+                               dataLen = param_getstr(Cmd, cmdp+1, tempStr, sizeof(tempStr));
+                               if (dataLen == 16) {
+                                       errors = param_gethex(tempStr, 0, CreditKEY, dataLen);
+                               } else if (dataLen == 1) {
+                                       keyNbr = param_get8(Cmd, cmdp+1);
+                                       if (keyNbr < ICLASS_KEYS_MAX) {
+                                               memcpy(CreditKEY, iClass_Key_Table[keyNbr], 8);
+                                       } else {
+                                               PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                               errors = true;
+                                       }
                                } else {
                                } else {
-                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       PrintAndLog("\nERROR: Credit Key is incorrect length\n");
                                        errors = true;
                                }
                                        errors = true;
                                }
-                       } else {
-                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
-                               errors = true;
-                       }
-                       cmdp += 2;
-                       break;
-               case 'e':
-               case 'E':
-                       elite = true;
-                       cmdp++;
-                       break;
-               case 'f':
-               case 'F':
-                       fileNameLen = param_getstr(Cmd, cmdp+1, filename, sizeof(filename));
-                       if (fileNameLen < 1) {
-                               PrintAndLog("No filename found after f");
-                               errors = true;
-                       }
-                       cmdp += 2;
-                       break;
-               case 'k':
-               case 'K':
-                       have_debit_key = true;
-                       dataLen = param_getstr(Cmd, cmdp+1, tempStr, sizeof(tempStr));
-                       if (dataLen == 16) {
-                               errors = param_gethex(tempStr, 0, KEY, dataLen);
-                       } else if (dataLen == 1) {
-                               keyNbr = param_get8(Cmd, cmdp+1);
-                               if (keyNbr < ICLASS_KEYS_MAX) {
-                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               cmdp += 2;
+                               break;
+                       case 'e':
+                       case 'E':
+                               elite = true;
+                               cmdp++;
+                               break;
+                       case 'f':
+                       case 'F':
+                               fileNameLen = param_getstr(Cmd, cmdp+1, filename, sizeof(filename));
+                               if (fileNameLen < 1) {
+                                       PrintAndLog("No filename found after f");
+                                       errors = true;
+                               }
+                               cmdp += 2;
+                               break;
+                       case 'k':
+                       case 'K':
+                               have_debit_key = true;
+                               dataLen = param_getstr(Cmd, cmdp+1, tempStr, sizeof(tempStr));
+                               if (dataLen == 16) {
+                                       errors = param_gethex(tempStr, 0, KEY, dataLen);
+                               } else if (dataLen == 1) {
+                                       keyNbr = param_get8(Cmd, cmdp+1);
+                                       if (keyNbr < ICLASS_KEYS_MAX) {
+                                               memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                                       } else {
+                                               PrintAndLog("\nERROR: Debit KeyNbr is invalid\n");
+                                               errors = true;
+                                       }
                                } else {
                                } else {
-                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       PrintAndLog("\nERROR: Debit Key is incorrect length\n");
                                        errors = true;
                                }
                                        errors = true;
                                }
-                       } else {
-                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               cmdp += 2;
+                               break;
+                       case 'r':
+                       case 'R':
+                               rawkey = true;
+                               cmdp++;
+                               break;
+                       case 'n':
+                       case 'N':
+                               NRMAC_replay = true;
+                               cmdp++;
+                               break;
+                       case 'v':
+                       case 'V':
+                               verbose = true;
+                               cmdp++;
+                               break;
+                       default:
+                               PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
                                errors = true;
                                errors = true;
-                       }
-                       cmdp += 2;
-                       break;
-               case 'r':
-               case 'R':
-                       rawkey = true;
-                       cmdp++;
-                       break;
-               default:
-                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
-                       errors = true;
-                       break;
-               }
-               if (errors) {
-                       usage_hf_iclass_dump();
-                       return 0;
+                               break;
                }
        }
 
                }
        }
 
-       if (cmdp < 2) {
+       if (elite + rawkey + NRMAC_replay > 1) {
+               PrintAndLog("You cannot combine the 'e', 'r', and 'n' options\n");
+               errors = true;
+       }
+
+       if (errors || cmdp < 2) {
                usage_hf_iclass_dump();
                return 0;
        }
                usage_hf_iclass_dump();
                return 0;
        }
-       // if no debit key given try credit key on AA1 (not for iclass but for some picopass this will work)
-       if (!have_debit_key && have_credit_key) use_credit_key = true;
 
 
-       //get config and first 3 blocks
-       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CONF}};
+       // if only credit key is given: try for AA1 as well (not for iclass but for some picopass this will work)
+       if (!have_debit_key && have_credit_key) {
+               memcpy(KEY, CreditKEY, 8);
+       }
+
+       // clear trace and get first 3 blocks
+       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_INIT | FLAG_ICLASS_READER_CLEARTRACE | FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_CC}};
        UsbCommand resp;
        UsbCommand resp;
-       uint8_t tag_data[255*8];
+       uint8_t tag_data[256*8];
 
        clearCommandBuffer();
        SendCommand(&c);
 
        clearCommandBuffer();
        SendCommand(&c);
@@ -789,150 +935,150 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
                DropField();
                return 0;
        }
                DropField();
                return 0;
        }
+
        uint8_t readStatus = resp.arg[0] & 0xff;
        uint8_t *data = resp.d.asBytes;
        uint8_t readStatus = resp.arg[0] & 0xff;
        uint8_t *data = resp.d.asBytes;
+       uint8_t status_mask = FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_CC;
 
 
-       if(readStatus == 0){
-               PrintAndLog("No tag found...");
-               DropField();
+       if (readStatus != status_mask) {
+               PrintAndLog("No tag found ...");
                return 0;
                return 0;
-       }
-       if( readStatus & (FLAG_ICLASS_READER_CSN|FLAG_ICLASS_READER_CONF|FLAG_ICLASS_READER_CC)){
+       } else {
                memcpy(tag_data, data, 8*3);
                memcpy(tag_data, data, 8*3);
-               blockno+=2; // 2 to force re-read of block 2 later. (seems to respond differently..)
-               numblks = data[8];
+               if (verbose) PrintAndLog("CSN: %s", sprint_hex(tag_data, 8));
+               AA1_maxBlk = data[8];
                getMemConfig(data[13], data[12], &maxBlk, &app_areas, &kb);
                // large memory - not able to dump pages currently
                getMemConfig(data[13], data[12], &maxBlk, &app_areas, &kb);
                // large memory - not able to dump pages currently
-               if (numblks > maxBlk) numblks = maxBlk;
-       }
-       DropField();
-       // authenticate debit key and get div_key - later store in dump block 3
-       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
-               //try twice - for some reason it sometimes fails the first time...
-               if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
-                       DropField();
-                       return 0;
-               }
+               if (AA1_maxBlk > maxBlk) AA1_maxBlk = maxBlk;
        }
 
        }
 
-       // begin dump
-       UsbCommand w = {CMD_ICLASS_DUMP, {blockno, numblks-blockno+1}};
-       clearCommandBuffer();
-       SendCommand(&w);
-       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
-               PrintAndLog("Command execute time-out 1");
-               DropField();
-               return 1;
-       }
-       uint32_t blocksRead = resp.arg[1];
-       uint8_t isOK = resp.arg[0] & 0xff;
-       if (!isOK && !blocksRead) {
-               PrintAndLog("Read Block Failed");
+       // authenticate with debit key (or credit key if we have no debit key) and get div_key - later store in dump block 3
+       if (!iClass_authenticate(tag_data, KEY, MAC, div_key, false, elite, rawkey, NRMAC_replay, verbose)) {
                DropField();
                return 0;
        }
                DropField();
                return 0;
        }
-       uint32_t startindex = resp.arg[2];
-       if (blocksRead*8 > sizeof(tag_data)-(blockno*8)) {
-               PrintAndLog("Data exceeded Buffer size!");
-               blocksRead = (sizeof(tag_data)/8) - blockno;
+
+       // read AA1
+       UsbCommand w = {CMD_ICLASS_DUMP};
+       uint32_t blocksRead = 0;
+       for (blockno = 3; blockno <= AA1_maxBlk; blockno += blocksRead) {
+               w.arg[0] = blockno;
+               w.arg[1] = AA1_maxBlk - blockno + 1;
+               clearCommandBuffer();
+               SendCommand(&w);
+               if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+                       PrintAndLog("Command execute time-out 1");
+                       DropField();
+                       return 1;
+               }
+               blocksRead = resp.arg[1];
+               bool isOK = resp.arg[0];
+               if (!isOK) {
+                       PrintAndLog("Reading AA1 block failed");
+                       DropField();
+                       return 0;
+               }
+               memcpy(tag_data + blockno*8, resp.d.asBytes, blocksRead*8);
        }
        }
-       // response ok - now get bigbuf content of the dump
-       GetFromBigBuf(tag_data+(blockno*8), blocksRead*8, startindex, NULL, -1, false);
-       size_t gotBytes = blocksRead*8 + blockno*8;
 
 
-       // try AA2
-       if (have_credit_key) {
-               //turn off hf field before authenticating with different key
-               DropField();
-               memset(MAC,0,4);
-               // AA2 authenticate credit key and git c_div_key - later store in dump block 4
-               if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
-                       //try twice - for some reason it sometimes fails the first time...
-                       if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
+       // do we still need to read more blocks (AA2 enabled)?
+       if (have_credit_key && maxBlk > AA1_maxBlk) {
+               if (!use_credit_key) {
+                       //turn off hf field before authenticating with different key
+                       DropField();
+                       // AA2 authenticate credit key and git c_div_key - later store in dump block 4
+                       uint8_t CSN[8];
+                       if (!iClass_select(CSN, verbose, false, true) || !iClass_authenticate(CSN, CreditKEY, MAC, c_div_key, true, false, false, NRMAC_replay, verbose)){
                                DropField();
                                return 0;
                        }
                }
                                DropField();
                                return 0;
                        }
                }
-               // do we still need to read more block?  (aa2 enabled?)
-               if (maxBlk > blockno+numblks+1) {
-                       // setup dump and start
-                       w.arg[0] = blockno + blocksRead;
-                       w.arg[1] = maxBlk - (blockno + blocksRead);
+               for ( ; blockno <= maxBlk; blockno += blocksRead) {
+                       w.arg[0] = blockno;
+                       w.arg[1] = maxBlk - blockno + 1;
                        clearCommandBuffer();
                        SendCommand(&w);
                        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
                        clearCommandBuffer();
                        SendCommand(&w);
                        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
-                               PrintAndLog("Command execute timeout 2");
+                               PrintAndLog("Command execute time-out 1");
                                DropField();
                                DropField();
-                               return 0;
+                               return 1;
                        }
                        }
-                       uint8_t isOK = resp.arg[0] & 0xff;
                        blocksRead = resp.arg[1];
                        blocksRead = resp.arg[1];
-                       if (!isOK && !blocksRead) {
-                               PrintAndLog("Read Block Failed 2");
+                       bool isOK = resp.arg[0];
+                       if (!isOK) {
+                               PrintAndLog("Reading AA2 block failed");
                                DropField();
                                return 0;
                        }
                                DropField();
                                return 0;
                        }
-
-                       startindex = resp.arg[2];
-                       if (blocksRead*8 > sizeof(tag_data)-gotBytes) {
-                               PrintAndLog("Data exceeded Buffer size!");
-                               blocksRead = (sizeof(tag_data) - gotBytes)/8;
-                       }
-                       // get dumped data from bigbuf
-                       GetFromBigBuf(tag_data+gotBytes, blocksRead*8, startindex, NULL, -1, false);
-
-                       gotBytes += blocksRead*8;
-               } else { //field is still on - turn it off...
-                       DropField();
+                       memcpy(tag_data + blockno*8, resp.d.asBytes, blocksRead*8);
                }
        }
 
                }
        }
 
+       DropField();
+
        // add diversified keys to dump
        // add diversified keys to dump
-       if (have_debit_key) memcpy(tag_data+(3*8),div_key,8);
-       if (have_credit_key) memcpy(tag_data+(4*8),c_div_key,8);
+       if (have_debit_key) {
+               memcpy(tag_data + 3*8, div_key, 8);
+       } else {
+               memset(tag_data + 3*8, 0xff, 8);
+       }
+       if (have_credit_key) {
+               memcpy(tag_data + 4*8, c_div_key, 8);
+       } else {
+               memset(tag_data + 4*8, 0xff, 8);
+       }
+
        // print the dump
        printf("------+--+-------------------------+\n");
        printf("CSN   |00| %s|\n",sprint_hex(tag_data, 8));
        // print the dump
        printf("------+--+-------------------------+\n");
        printf("CSN   |00| %s|\n",sprint_hex(tag_data, 8));
-       printIclassDumpContents(tag_data, 1, (gotBytes/8), gotBytes);
+       printIclassDumpContents(tag_data, 1, blockno-1, blockno*8);
 
 
-       if (filename[0] == 0){
+       if (filename[0] == 0) {
                snprintf(filename, FILE_PATH_SIZE,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
                        tag_data[0],tag_data[1],tag_data[2],tag_data[3],
                        tag_data[4],tag_data[5],tag_data[6],tag_data[7]);
        }
 
        // save the dump to .bin file
                snprintf(filename, FILE_PATH_SIZE,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
                        tag_data[0],tag_data[1],tag_data[2],tag_data[3],
                        tag_data[4],tag_data[5],tag_data[6],tag_data[7]);
        }
 
        // save the dump to .bin file
-       PrintAndLog("Saving dump file - %d blocks read", gotBytes/8);
-       saveFile(filename, "bin", tag_data, gotBytes);
+       PrintAndLog("Saving dump file - %d blocks read", blockno);
+       saveFile(filename, "bin", tag_data, blockno*8);
        return 1;
 }
 
 
        return 1;
 }
 
 
-static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
-       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
-       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, verbose))
+static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool NRMAC_replay, bool verbose) {
+
+       uint8_t MAC[4] = {0x00,0x00,0x00,0x00};
+       uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CSN[8];
+
+       if (!iClass_select(CSN, verbose, true, true) || !iClass_authenticate(CSN, KEY, MAC, div_key, use_credit_key, elite, rawkey, NRMAC_replay, verbose)) {
+               DropField();
                return 0;
                return 0;
+       }
 
        UsbCommand resp;
 
 
        UsbCommand resp;
 
-       Calc_wb_mac(blockno,bldata,div_key,MAC);
+       Calc_wb_mac(blockno, bldata, div_key, MAC);
+
        UsbCommand w = {CMD_ICLASS_WRITEBLOCK, {blockno}};
        memcpy(w.d.asBytes, bldata, 8);
        memcpy(w.d.asBytes + 8, MAC, 4);
 
        clearCommandBuffer();
        SendCommand(&w);
        UsbCommand w = {CMD_ICLASS_WRITEBLOCK, {blockno}};
        memcpy(w.d.asBytes, bldata, 8);
        memcpy(w.d.asBytes + 8, MAC, 4);
 
        clearCommandBuffer();
        SendCommand(&w);
-       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
-       {
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
                PrintAndLog("Write Command execute timeout");
                PrintAndLog("Write Command execute timeout");
+               DropField();
                return 0;
        }
                return 0;
        }
-       uint8_t isOK = resp.arg[0] & 0xff;
+       bool isOK = resp.arg[0];
        if (!isOK) {
                PrintAndLog("Write Block Failed");
        if (!isOK) {
                PrintAndLog("Write Block Failed");
+               DropField();
                return 0;
        }
                return 0;
        }
+
        PrintAndLog("Write Block Successful");
        return 1;
 }
        PrintAndLog("Write Block Successful");
        return 1;
 }
@@ -946,29 +1092,30 @@ static void usage_hf_iclass_writeblock(void) {
        PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
        PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
        PrintAndLog("  r         : If 'r' is specified, no computations applied to key");
        PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
        PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
        PrintAndLog("  r         : If 'r' is specified, no computations applied to key");
+       PrintAndLog("  o         : override protection and allow modification of blocks 0...4");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA k 001122334455667B");
        PrintAndLog("  hf iclass writeblk b 1B d AAAAAAAAAAAAAAAA k 001122334455667B c");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA k 001122334455667B");
        PrintAndLog("  hf iclass writeblk b 1B d AAAAAAAAAAAAAAAA k 001122334455667B c");
-       PrintAndLog("  hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA n 0");
+       PrintAndLog("  hf iclass writeblk b 03 d AAAAAAAAAAAAAAAA k 001122334455667B c o");
 }
 
 
 static int CmdHFiClass_WriteBlock(const char *Cmd) {
 }
 
 
 static int CmdHFiClass_WriteBlock(const char *Cmd) {
-       uint8_t blockno=0;
-       uint8_t bldata[8]={0,0,0,0,0,0,0,0};
-       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t blockno = 0;
+       uint8_t bldata[8] = {0};
+       uint8_t KEY[8] = {0};
        uint8_t keyNbr = 0;
        uint8_t dataLen = 0;
        char tempStr[50] = {0};
        bool use_credit_key = false;
        bool elite = false;
        uint8_t keyNbr = 0;
        uint8_t dataLen = 0;
        char tempStr[50] = {0};
        bool use_credit_key = false;
        bool elite = false;
-       bool rawkey= false;
+       bool rawkey = false;
+       bool override_protection = false;
        bool errors = false;
        uint8_t cmdp = 0;
        bool errors = false;
        uint8_t cmdp = 0;
-       while(param_getchar(Cmd, cmdp) != 0x00)
-       {
-               switch(param_getchar(Cmd, cmdp))
-               {
+
+       while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+               switch(param_getchar(Cmd, cmdp)) {
                case 'h':
                case 'H':
                        usage_hf_iclass_writeblock();
                case 'h':
                case 'H':
                        usage_hf_iclass_writeblock();
@@ -988,9 +1135,8 @@ static int CmdHFiClass_WriteBlock(const char *Cmd) {
                        break;
                case 'd':
                case 'D':
                        break;
                case 'd':
                case 'D':
-                       if (param_gethex(Cmd, cmdp+1, bldata, 16))
-                       {
-                               PrintAndLog("KEY must include 16 HEX symbols\n");
+                       if (param_gethex(Cmd, cmdp+1, bldata, 16)) {
+                               PrintAndLog("Data must include 16 HEX symbols\n");
                                errors = true;
                        }
                        cmdp += 2;
                                errors = true;
                        }
                        cmdp += 2;
@@ -1024,41 +1170,66 @@ static int CmdHFiClass_WriteBlock(const char *Cmd) {
                        rawkey = true;
                        cmdp++;
                        break;
                        rawkey = true;
                        cmdp++;
                        break;
+               case 'o':
+               case 'O':
+                       override_protection = true;
+                       cmdp++;
+                       break;
                default:
                        PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
                        errors = true;
                        break;
                }
                default:
                        PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
                        errors = true;
                        break;
                }
-               if(errors) {
+               if (errors) {
                        usage_hf_iclass_writeblock();
                        return 0;
                }
        }
 
                        usage_hf_iclass_writeblock();
                        return 0;
                }
        }
 
+       if (elite && rawkey) {
+               PrintAndLog("You cannot combine the 'e' and 'r' options\n");
+               errors = true;
+       }
+
        if (cmdp < 6) {
                usage_hf_iclass_writeblock();
                return 0;
        }
        if (cmdp < 6) {
                usage_hf_iclass_writeblock();
                return 0;
        }
-       int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, true);
+
+       if (blockno < 5) {
+               if (override_protection) {
+                       PrintAndLog("Info: modifying keys, e-purse or configuration block.");
+               } else {
+                       PrintAndLog("You are going to modify keys, e-purse or configuration block.");
+                       PrintAndLog("You must add the 'o' (override) option to confirm that you know what you are doing");
+                       return 0;
+               }
+       }
+
+       int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, false, true);
+
        DropField();
        return ans;
 }
 
 
 static void usage_hf_iclass_clone(void) {
        DropField();
        return ans;
 }
 
 
 static void usage_hf_iclass_clone(void) {
-       PrintAndLog("Usage:  hf iclass clone f <tagfile.bin> b <first block> l <last block> k <KEY> c e|r");
+       PrintAndLog("Usage:  hf iclass clone f <tagfile.bin> b <first block> l <last block> k <KEY> c e|r o");
        PrintAndLog("Options:");
        PrintAndLog("  f <filename>: specify a filename to clone from");
        PrintAndLog("  b <Block>   : The first block to clone as 2 hex symbols");
        PrintAndLog("Options:");
        PrintAndLog("  f <filename>: specify a filename to clone from");
        PrintAndLog("  b <Block>   : The first block to clone as 2 hex symbols");
-       PrintAndLog("  l <Last Blk>: Set the Data to write as 16 hex symbols");
+       PrintAndLog("  l <Last Blk>: The last block to clone as 2 hex symbols");
        PrintAndLog("  k <Key>     : Access Key as 16 hex symbols or 1 hex to select key from memory");
        PrintAndLog("  c           : If 'c' is specified, the key set is assumed to be the credit key\n");
        PrintAndLog("  e           : If 'e' is specified, elite computations applied to key");
        PrintAndLog("  r           : If 'r' is specified, no computations applied to key");
        PrintAndLog("  k <Key>     : Access Key as 16 hex symbols or 1 hex to select key from memory");
        PrintAndLog("  c           : If 'c' is specified, the key set is assumed to be the credit key\n");
        PrintAndLog("  e           : If 'e' is specified, elite computations applied to key");
        PrintAndLog("  r           : If 'r' is specified, no computations applied to key");
+       PrintAndLog("  o           : override protection and allow modification of target blocks 0...4");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 1A k 1122334455667788 e");
        PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 05 l 19 k 0");
        PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 19 k 0 e");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 1A k 1122334455667788 e");
        PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 05 l 19 k 0");
        PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 19 k 0 e");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 19 k 0 e");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 03 l 19 k 0 e o");
 }
 
 
 }
 
 
@@ -1074,12 +1245,12 @@ static int CmdHFiClassCloneTag(const char *Cmd) {
        bool use_credit_key = false;
        bool elite = false;
        bool rawkey = false;
        bool use_credit_key = false;
        bool elite = false;
        bool rawkey = false;
+       bool override_protection = false;
        bool errors = false;
        uint8_t cmdp = 0;
        bool errors = false;
        uint8_t cmdp = 0;
-       while(param_getchar(Cmd, cmdp) != 0x00)
-       {
-               switch(param_getchar(Cmd, cmdp))
-               {
+
+       while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+               switch (param_getchar(Cmd, cmdp)) {
                case 'h':
                case 'H':
                        usage_hf_iclass_clone();
                case 'h':
                case 'H':
                        usage_hf_iclass_clone();
@@ -1133,7 +1304,7 @@ static int CmdHFiClassCloneTag(const char *Cmd) {
                case 'l':
                case 'L':
                        if (param_gethex(Cmd, cmdp+1, &endblock, 2)) {
                case 'l':
                case 'L':
                        if (param_gethex(Cmd, cmdp+1, &endblock, 2)) {
-                               PrintAndLog("Start Block No must include 2 HEX symbols\n");
+                               PrintAndLog("Last Block No must include 2 HEX symbols\n");
                                errors = true;
                        }
                        cmdp += 2;
                                errors = true;
                        }
                        cmdp += 2;
@@ -1143,6 +1314,11 @@ static int CmdHFiClassCloneTag(const char *Cmd) {
                        rawkey = true;
                        cmdp++;
                        break;
                        rawkey = true;
                        cmdp++;
                        break;
+               case 'o':
+               case 'O':
+                       override_protection = true;
+                       cmdp++;
+                       break;
                default:
                        PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
                        errors = true;
                default:
                        PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
                        errors = true;
@@ -1159,86 +1335,94 @@ static int CmdHFiClassCloneTag(const char *Cmd) {
                return 0;
        }
 
                return 0;
        }
 
-       FILE *f;
-
-       iclass_block_t tag_data[USB_CMD_DATA_SIZE/12];
-
-       if ((endblock-startblock+1)*12 > USB_CMD_DATA_SIZE) {
-               PrintAndLog("Trying to write too many blocks at once.  Max: %d", USB_CMD_DATA_SIZE/8);
+       if (startblock < 5) {
+               if (override_protection) {
+                       PrintAndLog("Info: modifying keys, e-purse or configuration block.");
+               } else {
+                       PrintAndLog("You are going to modify keys, e-purse or configuration block.");
+                       PrintAndLog("You must add the 'o' (override) option to confirm that you know what you are doing");
+                       return 0;
+               }
+       }
+       
+       if ((endblock - startblock + 1) * 12 > USB_CMD_DATA_SIZE) {
+               PrintAndLog("Trying to write too many blocks at once.  Max: %d", USB_CMD_DATA_SIZE/12);
        }
        }
+
        // file handling and reading
        // file handling and reading
+       FILE *f;
        f = fopen(filename,"rb");
        f = fopen(filename,"rb");
-       if(!f) {
+       if (!f) {
                PrintAndLog("Failed to read from file '%s'", filename);
                return 1;
        }
 
                PrintAndLog("Failed to read from file '%s'", filename);
                return 1;
        }
 
-       if (startblock<5) {
-               PrintAndLog("You cannot write key blocks this way. yet... make your start block > 4");
-               fclose(f);
-               return 0;
-       }
-       // now read data from the file from block 6 --- 19
-       // ok we will use this struct [data 8 bytes][MAC 4 bytes] for each block calculate all mac number for each data
-       // then copy to usbcommand->asbytes; the max is 32 - 6 = 24 block 12 bytes each block 288 bytes then we can only accept to clone 21 blocks at the time,
-       // else we have to create a share memory
-       int i;
-       fseek(f,startblock*8,SEEK_SET);
-       if ( fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f) == 0 ) {
-               PrintAndLog("File reading error.");
-               fclose(f);
-               return 2;
+       uint8_t tag_data[USB_CMD_DATA_SIZE/12][8];
+       fseek(f, startblock*8, SEEK_SET);
+       for (int i = 0; i < endblock - startblock + 1; i++) {
+               if (fread(&tag_data[i], 1, 8, f) == 0 ) {
+                       PrintAndLog("File reading error.");
+                       fclose(f);
+                       return 2;
+               }
        }
 
        }
 
-       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
-       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t MAC[4] = {0x00, 0x00, 0x00, 0x00};
+       uint8_t div_key[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+       uint8_t CSN[8];
 
 
-       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, true))
+       if (!iClass_select(CSN, true, true, true) || !iClass_authenticate(CSN, KEY, MAC, div_key, use_credit_key, elite, rawkey, false, true)) {
+               DropField();
                return 0;
                return 0;
+       }
 
 
-       UsbCommand w = {CMD_ICLASS_CLONE,{startblock,endblock}};
+       UsbCommand w = {CMD_ICLASS_CLONE, {startblock, endblock}};
        uint8_t *ptr;
        uint8_t *ptr;
-       // calculate all mac for every the block we will write
-       for (i = startblock; i <= endblock; i++){
-               Calc_wb_mac(i,tag_data[i - startblock].d,div_key,MAC);
-               // usb command d start pointer = d + (i - 6) * 12
-               // memcpy(pointer,tag_data[i - 6],8) 8 bytes
-               // memcpy(pointer + 8,mac,sizoof(mac) 4 bytes;
-               // next one
-               ptr = w.d.asBytes + (i - startblock) * 12;
-               memcpy(ptr, &(tag_data[i - startblock].d[0]), 8);
-               memcpy(ptr + 8,MAC, 4);
+       // calculate MAC for every block we will write
+       for (int i = 0; i < endblock - startblock + 1; i++) {
+               Calc_wb_mac(startblock + i, tag_data[i], div_key, MAC);
+               ptr = w.d.asBytes + i * 12;
+               memcpy(ptr, tag_data[i], 8);
+               memcpy(ptr + 8, MAC, 4);
        }
        }
+
        uint8_t p[12];
        uint8_t p[12];
-       for (i = 0; i <= endblock - startblock;i++){
-               memcpy(p,w.d.asBytes + (i * 12),12);
-               printf("Block |%02x|",i + startblock);
-               printf(" %02x%02x%02x%02x%02x%02x%02x%02x |",p[0],p[1],p[2],p[3],p[4],p[5],p[6],p[7]);
-               printf(" MAC |%02x%02x%02x%02x|\n",p[8],p[9],p[10],p[11]);
+       PrintAndLog("Cloning");
+       for (int i = 0; i < endblock - startblock + 1; i++){
+               memcpy(p, w.d.asBytes + (i * 12), 12);
+               PrintAndLog("Block |%02x| %02x%02x%02x%02x%02x%02x%02x%02x | MAC |%02x%02x%02x%02x|",
+                       i + startblock, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7], p[8], p[9], p[10], p[11]);
        }
        }
+
        UsbCommand resp;
        SendCommand(&w);
        UsbCommand resp;
        SendCommand(&w);
-       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
-       {
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
                PrintAndLog("Command execute timeout");
                PrintAndLog("Command execute timeout");
+               DropField();
                return 0;
        }
                return 0;
        }
+
+       DropField();
        return 1;
 }
 
 
        return 1;
 }
 
 
-static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose, bool auth) {
+static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool NRMAC_replay, bool verbose, bool auth) {
 
        uint8_t MAC[4]={0x00,0x00,0x00,0x00};
        uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
 
        uint8_t MAC[4]={0x00,0x00,0x00,0x00};
        uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CSN[8];
+
+       if (!iClass_select(CSN, verbose, true, true)) {
+               DropField();
+               return 0;
+       }
 
        if (auth) {
 
        if (auth) {
-               if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose))
-                       return 0;
-       } else {
-               uint8_t CSN[8];
-               if (!select_only(CSN, verbose))
+               if (!iClass_authenticate(CSN, KEY, MAC, div_key, (keyType==0x18), elite, rawkey, NRMAC_replay, verbose)) {
+                       DropField();
                        return 0;
                        return 0;
+               }
        }
 
        UsbCommand resp;
        }
 
        UsbCommand resp;
@@ -1247,27 +1431,32 @@ static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite,
        SendCommand(&w);
        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
                PrintAndLog("Command execute timeout");
        SendCommand(&w);
        if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
                PrintAndLog("Command execute timeout");
+               DropField();
                return 0;
        }
                return 0;
        }
-       uint8_t isOK = resp.arg[0] & 0xff;
+       bool isOK = resp.arg[0];
        if (!isOK) {
                PrintAndLog("Read Block Failed");
        if (!isOK) {
                PrintAndLog("Read Block Failed");
+               DropField();
                return 0;
        }
        //data read is stored in: resp.d.asBytes[0-15]
                return 0;
        }
        //data read is stored in: resp.d.asBytes[0-15]
-       if (verbose) PrintAndLog("Block %02X: %s\n",blockno, sprint_hex(resp.d.asBytes,8));
+       if (verbose)
+               PrintAndLog("Block %02X: %s\n",blockno, sprint_hex(resp.d.asBytes,8));
+
        return 1;
 }
 
 
 static void usage_hf_iclass_readblock(void) {
        return 1;
 }
 
 
 static void usage_hf_iclass_readblock(void) {
-       PrintAndLog("Usage:  hf iclass readblk b <Block> k <Key> [c] [e|r]\n");
+       PrintAndLog("Usage:  hf iclass readblk b <Block> k <Key> [c] [e|r|n]\n");
        PrintAndLog("Options:");
        PrintAndLog("  b <Block> : The block number as 2 hex symbols");
        PrintAndLog("  k <Key>   : Access Key as 16 hex symbols or 1 hex to select key from memory");
        PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
        PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
        PrintAndLog("  r         : If 'r' is specified, no computations applied to key");
        PrintAndLog("Options:");
        PrintAndLog("  b <Block> : The block number as 2 hex symbols");
        PrintAndLog("  k <Key>   : Access Key as 16 hex symbols or 1 hex to select key from memory");
        PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
        PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
        PrintAndLog("  r         : If 'r' is specified, no computations applied to key");
+       PrintAndLog("  n         : If 'n' is specified, <Key> specifies a NR/MAC pair which can be obtained by 'hf iclass snoop'");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass readblk b 06 k 0011223344556677");
        PrintAndLog("  hf iclass readblk b 1B k 0011223344556677 c");
        PrintAndLog("Samples:");
        PrintAndLog("  hf iclass readblk b 06 k 0011223344556677");
        PrintAndLog("  hf iclass readblk b 1B k 0011223344556677 c");
@@ -1284,10 +1473,12 @@ static int CmdHFiClass_ReadBlock(const char *Cmd) {
        char tempStr[50] = {0};
        bool elite = false;
        bool rawkey = false;
        char tempStr[50] = {0};
        bool elite = false;
        bool rawkey = false;
+       bool NRMAC_replay = false;
        bool errors = false;
        bool auth = false;
        uint8_t cmdp = 0;
        bool errors = false;
        bool auth = false;
        uint8_t cmdp = 0;
-       while (param_getchar(Cmd, cmdp) != 0x00) {
+
+       while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
                switch (param_getchar(Cmd, cmdp)) {
                        case 'h':
                        case 'H':
                switch (param_getchar(Cmd, cmdp)) {
                        case 'h':
                        case 'H':
@@ -1336,15 +1527,26 @@ static int CmdHFiClass_ReadBlock(const char *Cmd) {
                                rawkey = true;
                                cmdp++;
                                break;
                                rawkey = true;
                                cmdp++;
                                break;
+                       case 'n':
+                       case 'N':
+                               NRMAC_replay = true;
+                               cmdp++;
+                               break;
                        default:
                                PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
                                errors = true;
                                break;
                }
                        default:
                                PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
                                errors = true;
                                break;
                }
-               if (errors) {
-                       usage_hf_iclass_readblock();
-                       return 0;
-               }
+       }
+
+       if (elite + rawkey + NRMAC_replay > 1) {
+               PrintAndLog("You cannot combine the 'e', 'r', and 'n' options\n");
+               errors = true;
+       }
+
+       if (errors) {
+               usage_hf_iclass_readblock();
+               return 0;
        }
 
        if (cmdp < 2) {
        }
 
        if (cmdp < 2) {
@@ -1354,7 +1556,7 @@ static int CmdHFiClass_ReadBlock(const char *Cmd) {
        if (!auth)
                PrintAndLog("warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.");
 
        if (!auth)
                PrintAndLog("warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.");
 
-       return ReadBlock(KEY, blockno, keyType, elite, rawkey, true, auth);
+       return ReadBlock(KEY, blockno, keyType, elite, rawkey, NRMAC_replay, true, auth);
 }
 
 
 }
 
 
@@ -1524,10 +1726,9 @@ static int CmdHFiClassCalcNewKey(const char *Cmd) {
        bool elite = false;
        bool errors = false;
        uint8_t cmdp = 0;
        bool elite = false;
        bool errors = false;
        uint8_t cmdp = 0;
-       while(param_getchar(Cmd, cmdp) != 0x00)
-       {
-               switch(param_getchar(Cmd, cmdp))
-               {
+
+       while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+               switch(param_getchar(Cmd, cmdp)) {
                case 'h':
                case 'H':
                        usage_hf_iclass_calc_newkey();
                case 'h':
                case 'H':
                        usage_hf_iclass_calc_newkey();
@@ -1604,8 +1805,11 @@ static int CmdHFiClassCalcNewKey(const char *Cmd) {
        }
 
        if (!givenCSN)
        }
 
        if (!givenCSN)
-               if (!select_only(CSN, true))
+               if (!iClass_select(CSN, true, true, true)) {
+                       DropField();
                        return 0;
                        return 0;
+               }
+       DropField();
 
        HFiClassCalcNewKey(CSN, OLDKEY, NEWKEY, xor_div_key, elite, oldElite, true);
        return 0;
 
        HFiClassCalcNewKey(CSN, OLDKEY, NEWKEY, xor_div_key, elite, oldElite, true);
        return 0;
@@ -1705,10 +1909,8 @@ static int CmdHFiClassManageKeys(const char *Cmd) {
        char tempStr[20];
        uint8_t cmdp = 0;
 
        char tempStr[20];
        uint8_t cmdp = 0;
 
-       while(param_getchar(Cmd, cmdp) != 0x00)
-       {
-               switch(param_getchar(Cmd, cmdp))
-               {
+       while(param_getchar(Cmd, cmdp) != 0x00) {
+               switch(param_getchar(Cmd, cmdp)) {
                case 'h':
                case 'H':
                        usage_hf_iclass_managekeys();
                case 'h':
                case 'H':
                        usage_hf_iclass_managekeys();
@@ -1768,11 +1970,13 @@ static int CmdHFiClassManageKeys(const char *Cmd) {
                        return 0;
                }
        }
                        return 0;
                }
        }
+
        if (operation == 0){
                PrintAndLog("no operation specified (load, save, or print)\n");
                usage_hf_iclass_managekeys();
                return 0;
        }
        if (operation == 0){
                PrintAndLog("no operation specified (load, save, or print)\n");
                usage_hf_iclass_managekeys();
                return 0;
        }
+
        if (operation > 6){
                PrintAndLog("Too many operations specified\n");
                usage_hf_iclass_managekeys();
        if (operation > 6){
                PrintAndLog("Too many operations specified\n");
                usage_hf_iclass_managekeys();
@@ -1808,12 +2012,12 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
        bool found_credit = false;
        bool errors = false;
        uint8_t cmdp = 0x00;
        bool found_credit = false;
        bool errors = false;
        uint8_t cmdp = 0x00;
-       FILE * f;
+       FILE *f;
        char filename[FILE_PATH_SIZE] = {0};
        uint8_t fileNameLen = 0;
        char buf[17];
        uint8_t *keyBlock = NULL, *p;
        char filename[FILE_PATH_SIZE] = {0};
        uint8_t fileNameLen = 0;
        char buf[17];
        uint8_t *keyBlock = NULL, *p;
-       int keyitems = 0, keycnt = 0;
+       int keycnt = 0;
 
        while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
                switch (param_getchar(Cmd, cmdp)) {
 
        while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
                switch (param_getchar(Cmd, cmdp)) {
@@ -1846,32 +2050,33 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
                        break;
                }
        }
                        break;
                }
        }
+
        if (errors) {
                usage_hf_iclass_chk();
                return 0;
        }
 
        if (errors) {
                usage_hf_iclass_chk();
                return 0;
        }
 
-       if ( !(f = fopen( filename , "r")) ) {
-               PrintAndLog("File: %s: not found or locked.", filename);
+       if (!(f = fopen(filename , "r"))) {
+               PrintAndLog("File %s not found or locked.", filename);
                return 1;
        }
 
                return 1;
        }
 
-       while( fgets(buf, sizeof(buf), f) ){
+       while (fgets(buf, sizeof(buf), f)) {
                if (strlen(buf) < 16 || buf[15] == '\n')
                        continue;
 
                while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line
 
                if (strlen(buf) < 16 || buf[15] == '\n')
                        continue;
 
                while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line
 
-               if( buf[0]=='#' ) continue; //The line start with # is comment, skip
+               if (buf[0] == '#') continue; //The line start with # is comment, skip
 
                if (!isxdigit(buf[0])){
 
                if (!isxdigit(buf[0])){
-                       PrintAndLog("File content error. '%s' must include 16 HEX symbols",buf);
+                       PrintAndLog("File content error. '%s' must include 16 HEX symbols", buf);
                        continue;
                }
 
                buf[16] = 0;
 
                        continue;
                }
 
                buf[16] = 0;
 
-               p = realloc(keyBlock, 8 * (keyitems += 64));
+               p = realloc(keyBlock, 8 * (keycnt + 1));
                if (!p) {
                        PrintAndLog("Cannot allocate memory for default keys");
                        free(keyBlock);
                if (!p) {
                        PrintAndLog("Cannot allocate memory for default keys");
                        free(keyBlock);
@@ -1883,57 +2088,39 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
                memset(keyBlock + 8 * keycnt, 0, 8);
                num_to_bytes(strtoull(buf, NULL, 16), 8, keyBlock + 8 * keycnt);
 
                memset(keyBlock + 8 * keycnt, 0, 8);
                num_to_bytes(strtoull(buf, NULL, 16), 8, keyBlock + 8 * keycnt);
 
-               //PrintAndLog("check key[%2d] %016" PRIx64, keycnt, bytes_to_num(keyBlock + 8*keycnt, 8));
                keycnt++;
                memset(buf, 0, sizeof(buf));
        }
        fclose(f);
        PrintAndLog("Loaded %2d keys from %s", keycnt, filename);
 
                keycnt++;
                memset(buf, 0, sizeof(buf));
        }
        fclose(f);
        PrintAndLog("Loaded %2d keys from %s", keycnt, filename);
 
-       // time
-       uint64_t t1 = msclock();
-
-       for (uint32_t c = 0; c < keycnt; c += 1) {
-                       printf("."); fflush(stdout);
-                       if (ukbhit()) {
-                               int gc = getchar(); (void)gc;
-                               printf("\naborted via keyboard!\n");
-                               break;
-                       }
-
-                       memcpy(key, keyBlock + 8 * c , 8);
+       uint8_t CSN[8];
+       if (!iClass_select(CSN, false, true, true)) {
+               DropField();
+               return 0;
+       }
 
 
-                       // debit key. try twice
-                       for (int foo = 0; foo < 2 && !found_debit; foo++) {
-                               if (!select_and_auth(key, mac, div_key, false, use_elite, use_raw, false))
-                                       continue;
+       for (uint32_t c = 0; c < keycnt; c++) {
 
 
-                               // key found.
-                               PrintAndLog("\n--------------------------------------------------------");
-                       PrintAndLog("   Found AA1 debit key\t\t[%s]", sprint_hex(key, 8));
-                               found_debit = true;
-                       }
+               memcpy(key, keyBlock + 8 * c, 8);
 
 
-                       // credit key. try twice
-                       for (int foo = 0; foo < 2 && !found_credit; foo++) {
-                               if (!select_and_auth(key, mac, div_key, true, use_elite, use_raw, false))
-                                       continue;
+               // debit key
+               if (iClass_authenticate(CSN, key, mac, div_key, false, use_elite, use_raw, false, false)) {
+                       PrintAndLog("\n   Found AA1 debit key\t\t[%s]", sprint_hex(key, 8));
+                       found_debit = true;
+               }
 
 
-                               // key found
-                               PrintAndLog("\n--------------------------------------------------------");
-                               PrintAndLog("   Found AA2 credit key\t\t[%s]", sprint_hex(key, 8));
-                               found_credit = true;
-                       }
+               // credit key
+               if (iClass_authenticate(CSN, key, mac, div_key, true, use_elite, use_raw, false, false)) {
+                       PrintAndLog("\n   Found AA2 credit key\t\t[%s]", sprint_hex(key, 8));
+                       found_credit = true;
+               }
 
 
-                       // both keys found.
-                       if ( found_debit && found_credit )
-                               break;
+               // both keys found.
+               if (found_debit && found_credit)
+                       break;
        }
 
        }
 
-       t1 = msclock() - t1;
-
-       PrintAndLog("\nTime in iclass checkkeys: %.0f seconds\n", (float)t1/1000.0);
-
        DropField();
        free(keyBlock);
        PrintAndLog("");
        DropField();
        free(keyBlock);
        PrintAndLog("");
@@ -2009,7 +2196,7 @@ static command_t CommandTable[] = {
        {"chk",         CmdHFiClassCheckKeys,           0,  "            Check keys"},
        {"clone",       CmdHFiClassCloneTag,            0,  "[options..] Authenticate and Clone from iClass bin file"},
        {"decrypt",     CmdHFiClassDecrypt,             1,  "[f <fname>] Decrypt tagdump" },
        {"chk",         CmdHFiClassCheckKeys,           0,  "            Check keys"},
        {"clone",       CmdHFiClassCloneTag,            0,  "[options..] Authenticate and Clone from iClass bin file"},
        {"decrypt",     CmdHFiClassDecrypt,             1,  "[f <fname>] Decrypt tagdump" },
-       {"dump",        CmdHFiClassReader_Dump,         0,  "[options..] Authenticate and Dump iClass tag's AA1"},
+       {"dump",        CmdHFiClassReader_Dump,         0,  "[options..] Authenticate and Dump iClass tag's AA1 and/or AA2"},
        {"eload",       CmdHFiClassELoad,               0,  "[f <fname>] (experimental) Load data into iClass emulator memory"},
        {"encryptblk",  CmdHFiClassEncryptBlk,          1,  "<BlockData> Encrypt given block data"},
        {"list",        CmdHFiClassList,                0,  "            (Deprecated) List iClass history"},
        {"eload",       CmdHFiClassELoad,               0,  "[f <fname>] (experimental) Load data into iClass emulator memory"},
        {"encryptblk",  CmdHFiClassEncryptBlk,          1,  "<BlockData> Encrypt given block data"},
        {"list",        CmdHFiClassList,                0,  "            (Deprecated) List iClass history"},
@@ -2019,7 +2206,6 @@ static command_t CommandTable[] = {
        {"readblk",     CmdHFiClass_ReadBlock,          0,  "[options..] Authenticate and Read iClass block"},
        {"reader",      CmdHFiClassReader,              0,  "            Look for iClass tags until a key or the pm3 button is pressed"},
        {"readtagfile", CmdHFiClassReadTagFile,         1,  "[options..] Display Content from tagfile"},
        {"readblk",     CmdHFiClass_ReadBlock,          0,  "[options..] Authenticate and Read iClass block"},
        {"reader",      CmdHFiClassReader,              0,  "            Look for iClass tags until a key or the pm3 button is pressed"},
        {"readtagfile", CmdHFiClassReadTagFile,         1,  "[options..] Display Content from tagfile"},
-       {"replay",      CmdHFiClassReader_Replay,       0,  "<mac>       Read an iClass tag via Reply Attack"},
        {"sim",         CmdHFiClassSim,                 0,  "[options..] Simulate iClass tag"},
        {"snoop",       CmdHFiClassSnoop,               0,  "            Eavesdrop iClass communication"},
        {"writeblk",    CmdHFiClass_WriteBlock,         0,  "[options..] Authenticate and Write iClass block"},
        {"sim",         CmdHFiClassSim,                 0,  "[options..] Simulate iClass tag"},
        {"snoop",       CmdHFiClassSnoop,               0,  "            Eavesdrop iClass communication"},
        {"writeblk",    CmdHFiClass_WriteBlock,         0,  "[options..] Authenticate and Write iClass block"},
Proxmark3 GIT tracking
Impressum, Datenschutz