X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/0060e3daa26a5d89fa2ad0c010594feaebd18841..763d1befc1b9251c49cc88a50c73a3096323736a:/client/cmdhfmf.c?ds=sidebyside

diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index aafbce2a..9ecf99fb 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -15,18 +15,28 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
-#include "proxmark3.h"
+#include "comms.h"
 #include "cmdmain.h"
 #include "cmdhfmfhard.h"
+#include "parity.h"
 #include "util.h"
 #include "util_posix.h"
 #include "usb_cmd.h"
 #include "ui.h"
-#include "mifarehost.h"
+#include "mifare/mifarehost.h"
 #include "mifare.h"
-#include "mfkey.h"
-
-#define NESTED_SECTOR_RETRY     10			// how often we try mfested() until we give up
+#include "mifare/mfkey.h"
+#include "hardnested/hardnested_bf_core.h"
+#include "cliparser/cliparser.h"
+#include "cmdhf14a.h"
+#include "mifare/mifaredefault.h"
+#include "mifare/mifare4.h"
+#include "mifare/mad.h"
+#include "mifare/ndef.h"
+#include "emv/dump.h"
+#include "protocols.h"
+
+#define NESTED_SECTOR_RETRY     10          // how often we try mfested() until we give up
 
 static int CmdHelp(const char *Cmd);
 
@@ -57,7 +67,7 @@ int CmdHF14AMfWrBl(const char *Cmd)
 	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
 	uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
 
-	char cmdp	= 0x00;
+	char cmdp   = 0x00;
 
 	if (strlen(Cmd)<3) {
 		PrintAndLog("Usage:  hf mf wrbl    <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
@@ -83,10 +93,10 @@ int CmdHF14AMfWrBl(const char *Cmd)
 	PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
 	PrintAndLog("--data: %s", sprint_hex(bldata, 16));
 
-  UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
+	UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
 	memcpy(c.d.asBytes, key, 6);
 	memcpy(c.d.asBytes + 10, bldata, 16);
-  SendCommand(&c);
+	SendCommand(&c);
 
 	UsbCommand resp;
 	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
@@ -105,7 +115,7 @@ int CmdHF14AMfRdBl(const char *Cmd)
 	uint8_t keyType = 0;
 	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
 
-	char cmdp	= 0x00;
+	char cmdp   = 0x00;
 
 
 	if (strlen(Cmd)<3) {
@@ -127,24 +137,38 @@ int CmdHF14AMfRdBl(const char *Cmd)
 	}
 	PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6));
 
-  UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
+	UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
 	memcpy(c.d.asBytes, key, 6);
-  SendCommand(&c);
+	SendCommand(&c);
 
 	UsbCommand resp;
 	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
 		uint8_t isOK  = resp.arg[0] & 0xff;
 		uint8_t *data = resp.d.asBytes;
 
-		if (isOK)
+		if (isOK) {
 			PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
-		else
+		} else {
 			PrintAndLog("isOk:%02x", isOK);
+			return 1;
+		}
+
+		if (mfIsSectorTrailer(blockNo) && (data[6] || data[7] || data[8])) {
+			PrintAndLogEx(NORMAL, "Trailer decoded:");
+			int bln = mfFirstBlockOfSector(mfSectorNum(blockNo));
+			int blinc = (mfNumBlocksPerSector(mfSectorNum(blockNo)) > 4) ? 5 : 1;
+			for (int i = 0; i < 4; i++) {
+				PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &data[6]));
+				bln += blinc;
+			}
+			PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&data[9], 1));
+		}
 	} else {
 		PrintAndLog("Command execute timeout");
+		return 2;
 	}
 
-  return 0;
+	return 0;
 }
 
 int CmdHF14AMfRdSc(const char *Cmd)
@@ -155,7 +179,7 @@ int CmdHF14AMfRdSc(const char *Cmd)
 	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
 	uint8_t isOK  = 0;
 	uint8_t *data  = NULL;
-	char cmdp	= 0x00;
+	char cmdp   = 0x00;
 
 	if (strlen(Cmd)<3) {
 		PrintAndLog("Usage:  hf mf rdsc    <sector number> <key A/B> <key (12 hex symbols)>");
@@ -196,12 +220,21 @@ int CmdHF14AMfRdSc(const char *Cmd)
 				PrintAndLog("data   : %s", sprint_hex(data + i * 16, 16));
 			}
 			PrintAndLog("trailer: %s", sprint_hex(data + (sectorNo<32?3:15) * 16, 16));
+
+			PrintAndLogEx(NORMAL, "Trailer decoded:");
+						int bln = mfFirstBlockOfSector(sectorNo);
+						int blinc = (mfNumBlocksPerSector(sectorNo) > 4) ? 5 : 1;
+						for (i = 0; i < 4; i++) {
+								PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &(data + (sectorNo<32?3:15) * 16)[6]));
+								bln += blinc;
+						}
+						PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&(data + (sectorNo<32?3:15) * 16)[9], 1));
 		}
 	} else {
 		PrintAndLog("Command execute timeout");
 	}
 
-  return 0;
+	return 0;
 }
 
 uint8_t FirstBlockOfSector(uint8_t sectorNo)
@@ -222,12 +255,33 @@ uint8_t NumBlocksPerSector(uint8_t sectorNo)
 	}
 }
 
+static int ParamCardSizeSectors(const char c) {
+	int numSectors = 16;
+	switch (c) {
+		case '0' : numSectors = 5; break;
+		case '2' : numSectors = 32; break;
+		case '4' : numSectors = 40; break;
+		default:   numSectors = 16;
+	}
+	return numSectors;
+}
+
+static int ParamCardSizeBlocks(const char c) {
+	int numBlocks = 16 * 4;
+	switch (c) {
+		case '0' : numBlocks = 5 * 4; break;
+		case '2' : numBlocks = 32 * 4; break;
+		case '4' : numBlocks = 32 * 4 + 8 * 16; break;
+		default:   numBlocks = 16 * 4;
+	}
+	return numBlocks;
+}
+
 int CmdHF14AMfDump(const char *Cmd)
 {
 	uint8_t sectorNo, blockNo;
 
-	uint8_t keyA[40][6];
-	uint8_t keyB[40][6];
+	uint8_t keys[2][40][6];
 	uint8_t rights[40][4];
 	uint8_t carddata[256][16];
 	uint8_t numSectors = 16;
@@ -238,46 +292,40 @@ int CmdHF14AMfDump(const char *Cmd)
 	UsbCommand resp;
 
 	char cmdp = param_getchar(Cmd, 0);
-	switch (cmdp) {
-		case '0' : numSectors = 5; break;
-		case '1' :
-		case '\0': numSectors = 16; break;
-		case '2' : numSectors = 32; break;
-		case '4' : numSectors = 40; break;
-		default:   numSectors = 16;
-	}
+	numSectors = ParamCardSizeSectors(cmdp);
 
-	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {
-		PrintAndLog("Usage:   hf mf dump [card memory]");
+	if (strlen(Cmd) > 3 || cmdp == 'h' || cmdp == 'H') {
+		PrintAndLog("Usage:   hf mf dump [card memory] [k|m]");
 		PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
+		PrintAndLog("  k: Always try using both Key A and Key B for each sector, even if access bits would prohibit it");
+		PrintAndLog("  m: When missing access bits or keys, replace that block with NULL");
 		PrintAndLog("");
 		PrintAndLog("Samples: hf mf dump");
 		PrintAndLog("         hf mf dump 4");
+		PrintAndLog("         hf mf dump 4 m");
 		return 0;
 	}
 
+	char opts = param_getchar(Cmd, 1);
+	bool useBothKeysAlways = false;
+	if (opts == 'k' || opts == 'K') useBothKeysAlways = true;
+	bool nullMissingKeys = false;
+	if (opts == 'm' || opts == 'M') nullMissingKeys = true;
+
 	if ((fin = fopen("dumpkeys.bin","rb")) == NULL) {
 		PrintAndLog("Could not find file dumpkeys.bin");
 		return 1;
 	}
 
-	// Read keys A from file
-	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);
-		if (bytes_read != 6) {
-			PrintAndLog("File reading error.");
-			fclose(fin);
-			return 2;
-		}
-	}
-
-	// Read keys B from file
-	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);
-		if (bytes_read != 6) {
-			PrintAndLog("File reading error.");
-			fclose(fin);
-			return 2;
+	// Read keys from file
+	for (int group=0; group<=1; group++) {
+		for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
+			size_t bytes_read = fread(keys[group][sectorNo], 1, 6, fin);
+			if (bytes_read != 6) {
+				PrintAndLog("File reading error.");
+				fclose(fin);
+				return 2;
+			}
 		}
 	}
 
@@ -290,7 +338,8 @@ int CmdHF14AMfDump(const char *Cmd)
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
 		for (tries = 0; tries < 3; tries++) {
 			UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};
-			memcpy(c.d.asBytes, keyA[sectorNo], 6);
+			// At least the Access Conditions can always be read with key A.
+			memcpy(c.d.asBytes, keys[0][sectorNo], 6);
 			SendCommand(&c);
 
 			if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
@@ -324,25 +373,43 @@ int CmdHF14AMfDump(const char *Cmd)
 		for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
 			bool received = false;
 			for (tries = 0; tries < 3; tries++) {
-				if (blockNo == NumBlocksPerSector(sectorNo) - 1) {		// sector trailer. At least the Access Conditions can always be read with key A.
+				if (blockNo == NumBlocksPerSector(sectorNo) - 1) {      // sector trailer. At least the Access Conditions can always be read with key A.
 					UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
-					memcpy(c.d.asBytes, keyA[sectorNo], 6);
+					memcpy(c.d.asBytes, keys[0][sectorNo], 6);
 					SendCommand(&c);
 					received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
-				} else {												// data block. Check if it can be read with key A or key B
+				} else if (useBothKeysAlways) {
+					// Always try both keys, even if access conditions wouldn't work.
+					for (int k=0; k<=1; k++) {
+						UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};
+						memcpy(c.d.asBytes, keys[k][sectorNo], 6);
+						SendCommand(&c);
+						received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
+
+						// Don't try the other one on success.
+						if (resp.arg[0] & 0xff) break;
+					}
+				} else {                                                // data block. Check if it can be read with key A or key B
 					uint8_t data_area = sectorNo<32?blockNo:blockNo/5;
-					if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {	// only key B would work
+					if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work
 						UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};
-						memcpy(c.d.asBytes, keyB[sectorNo], 6);
+						memcpy(c.d.asBytes, keys[1][sectorNo], 6);
 						SendCommand(&c);
 						received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
-					} else if (rights[sectorNo][data_area] == 0x07) {										// no key would work
-						isOK = false;
+					} else if (rights[sectorNo][data_area] == 0x07) {                                       // no key would work
 						PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);
-						tries = 2;
-					} else {																				// key A would work
+						if (nullMissingKeys) {
+							memset(resp.d.asBytes, 0, 16);
+							resp.arg[0] = 1;
+							PrintAndLog("  ... filling the block with NULL");
+							received = true;
+						} else {
+							isOK = false;
+							tries = 2;
+						}
+					} else {                                                                                // key A would work
 						UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
-						memcpy(c.d.asBytes, keyA[sectorNo], 6);
+						memcpy(c.d.asBytes, keys[0][sectorNo], 6);
 						SendCommand(&c);
 						received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
 					}
@@ -356,23 +423,13 @@ int CmdHF14AMfDump(const char *Cmd)
 			if (received) {
 				isOK  = resp.arg[0] & 0xff;
 				uint8_t *data  = resp.d.asBytes;
-				if (blockNo == NumBlocksPerSector(sectorNo) - 1) {		// sector trailer. Fill in the keys.
-					data[0]  = (keyA[sectorNo][0]);
-					data[1]  = (keyA[sectorNo][1]);
-					data[2]  = (keyA[sectorNo][2]);
-					data[3]  = (keyA[sectorNo][3]);
-					data[4]  = (keyA[sectorNo][4]);
-					data[5]  = (keyA[sectorNo][5]);
-					data[10] = (keyB[sectorNo][0]);
-					data[11] = (keyB[sectorNo][1]);
-					data[12] = (keyB[sectorNo][2]);
-					data[13] = (keyB[sectorNo][3]);
-					data[14] = (keyB[sectorNo][4]);
-					data[15] = (keyB[sectorNo][5]);
+				if (blockNo == NumBlocksPerSector(sectorNo) - 1) {      // sector trailer. Fill in the keys.
+					memcpy(data, keys[0][sectorNo], 6);
+					memcpy(data + 10, keys[1][sectorNo], 6);
 				}
 				if (isOK) {
 					memcpy(carddata[FirstBlockOfSector(sectorNo) + blockNo], data, 16);
-                    PrintAndLog("Successfully read block %2d of sector %2d.", blockNo, sectorNo);
+					PrintAndLog("Successfully read block %2d of sector %2d.", blockNo, sectorNo);
 				} else {
 					PrintAndLog("Could not read block %2d of sector %2d", blockNo, sectorNo);
 					break;
@@ -475,7 +532,7 @@ int CmdHF14AMfRestore(const char *Cmd)
 				return 2;
 			}
 
-			if (blockNo == NumBlocksPerSector(sectorNo) - 1) {	// sector trailer
+			if (blockNo == NumBlocksPerSector(sectorNo) - 1) {  // sector trailer
 				bldata[0]  = (keyA[sectorNo][0]);
 				bldata[1]  = (keyA[sectorNo][1]);
 				bldata[2]  = (keyA[sectorNo][2]);
@@ -509,12 +566,33 @@ int CmdHF14AMfRestore(const char *Cmd)
 	return 0;
 }
 
+//----------------------------------------------
+//   Nested
+//----------------------------------------------
+
+static void parseParamTDS(const char *Cmd, const uint8_t indx, bool *paramT, bool *paramD, uint8_t *timeout) {
+	char ctmp3[4] = {0};
+	int len = param_getlength(Cmd, indx);
+	if (len > 0 && len < 4){
+		param_getstr(Cmd, indx, ctmp3, sizeof(ctmp3));
 
-typedef struct {
-	uint64_t Key[2];
-	int foundKey[2];
-} sector_t;
+		*paramT |= (ctmp3[0] == 't' || ctmp3[0] == 'T');
+		*paramD |= (ctmp3[0] == 'd' || ctmp3[0] == 'D');
+		bool paramS1 = *paramT || *paramD;
 
+		// slow and very slow
+		if (ctmp3[0] == 's' || ctmp3[0] == 'S' || ctmp3[1] == 's' || ctmp3[1] == 'S') {
+			*timeout = 11; // slow
+
+			if (!paramS1 && (ctmp3[1] == 's' || ctmp3[1] == 'S')) {
+				*timeout = 53; // very slow
+			}
+			if (paramS1 && (ctmp3[2] == 's' || ctmp3[2] == 'S')) {
+				*timeout = 53; // very slow
+			}
+		}
+	}
+}
 
 int CmdHF14AMfNested(const char *Cmd)
 {
@@ -526,10 +604,14 @@ int CmdHF14AMfNested(const char *Cmd)
 	uint8_t trgKeyType = 0;
 	uint8_t SectorsCnt = 0;
 	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
-	uint8_t keyBlock[14*6];
+	uint8_t keyBlock[MifareDefaultKeysSize * 6];
 	uint64_t key64 = 0;
-	bool transferToEml = false;
+	// timeout in units. (ms * 106)/10 or us*0.0106
+	uint8_t btimeout14a = MF_CHKKEYS_DEFTIMEOUT; // fast by default
+
+	bool autosearchKey = false;
 
+	bool transferToEml = false;
 	bool createDumpFile = false;
 	FILE *fkeys;
 	uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
@@ -539,67 +621,90 @@ int CmdHF14AMfNested(const char *Cmd)
 
 	if (strlen(Cmd)<3) {
 		PrintAndLog("Usage:");
-		PrintAndLog(" all sectors:  hf mf nested  <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]");
+		PrintAndLog(" all sectors:  hf mf nested  <card memory> <block number> <key A/B> <key (12 hex symbols)> [t|d|s|ss]");
+		PrintAndLog(" all sectors autosearch key:  hf mf nested  <card memory> * [t|d|s|ss]");
 		PrintAndLog(" one sector:   hf mf nested  o <block number> <key A/B> <key (12 hex symbols)>");
 		PrintAndLog("               <target block number> <target key A/B> [t]");
+		PrintAndLog(" ");
 		PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");
-		PrintAndLog("t - transfer keys into emulator memory");
-		PrintAndLog("d - write keys to binary file");
+		PrintAndLog("t - transfer keys to emulator memory");
+		PrintAndLog("d - write keys to binary file dumpkeys.bin");
+		PrintAndLog("s - Slow (1ms) check keys (required by some non standard cards)");
+		PrintAndLog("ss - Very slow (5ms) check keys");
 		PrintAndLog(" ");
 		PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");
 		PrintAndLog("      sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");
 		PrintAndLog("      sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");
 		PrintAndLog("      sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");
+		PrintAndLog("      sample5: hf mf nested 1 * t");
+		PrintAndLog("      sample6: hf mf nested 1 * ss");
 		return 0;
 	}
 
+	// <card memory>
 	cmdp = param_getchar(Cmd, 0);
-	blockNo = param_get8(Cmd, 1);
-	ctmp = param_getchar(Cmd, 2);
-
-	if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
-		PrintAndLog("Key type must be A or B");
-		return 1;
+	if (cmdp == 'o' || cmdp == 'O') {
+		cmdp = 'o';
+		SectorsCnt = 1;
+	} else {
+		SectorsCnt = ParamCardSizeSectors(cmdp);
 	}
 
-	if (ctmp != 'A' && ctmp != 'a')
-		keyType = 1;
+	// <block number>. number or autosearch key (*)
+	if (param_getchar(Cmd, 1) == '*') {
+		autosearchKey = true;
 
-	if (param_gethex(Cmd, 3, key, 12)) {
-		PrintAndLog("Key must include 12 HEX symbols");
-		return 1;
-	}
+		parseParamTDS(Cmd, 2, &transferToEml, &createDumpFile, &btimeout14a);
 
-	if (cmdp == 'o' || cmdp == 'O') {
-		cmdp = 'o';
-		trgBlockNo = param_get8(Cmd, 4);
-		ctmp = param_getchar(Cmd, 5);
+		PrintAndLog("--nested. sectors:%2d, block no:*, eml:%c, dmp=%c checktimeout=%d us",
+			SectorsCnt, transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);
+	} else {
+		blockNo = param_get8(Cmd, 1);
+
+		ctmp = param_getchar(Cmd, 2);
 		if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
-			PrintAndLog("Target key type must be A or B");
+			PrintAndLog("Key type must be A or B");
 			return 1;
 		}
+
 		if (ctmp != 'A' && ctmp != 'a')
-			trgKeyType = 1;
-	} else {
+			keyType = 1;
 
-		switch (cmdp) {
-			case '0': SectorsCnt = 05; break;
-			case '1': SectorsCnt = 16; break;
-			case '2': SectorsCnt = 32; break;
-			case '4': SectorsCnt = 40; break;
-			default:  SectorsCnt = 16;
+		if (param_gethex(Cmd, 3, key, 12)) {
+			PrintAndLog("Key must include 12 HEX symbols");
+			return 1;
+		}
+
+		// check if we can authenticate to sector
+		res = mfCheckKeys(blockNo, keyType, true, 1, key, &key64);
+		if (res) {
+			PrintAndLog("Can't authenticate to block:%3d key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
+			return 3;
 		}
-	}
 
-	ctmp = param_getchar(Cmd, 4);
-	if		(ctmp == 't' || ctmp == 'T') transferToEml = true;
-	else if (ctmp == 'd' || ctmp == 'D') createDumpFile = true;
+		// one sector nested
+		if (cmdp == 'o') {
+			trgBlockNo = param_get8(Cmd, 4);
 
-	ctmp = param_getchar(Cmd, 6);
-	transferToEml |= (ctmp == 't' || ctmp == 'T');
-	transferToEml |= (ctmp == 'd' || ctmp == 'D');
+			ctmp = param_getchar(Cmd, 5);
+			if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
+				PrintAndLog("Target key type must be A or B");
+				return 1;
+			}
+			if (ctmp != 'A' && ctmp != 'a')
+				trgKeyType = 1;
 
-	if (cmdp == 'o') {
+			parseParamTDS(Cmd, 6, &transferToEml, &createDumpFile, &btimeout14a);
+		} else {
+			parseParamTDS(Cmd, 4, &transferToEml, &createDumpFile, &btimeout14a);
+		}
+
+		PrintAndLog("--nested. sectors:%2d, block no:%3d, key type:%c, eml:%c, dmp=%c checktimeout=%d us",
+			SectorsCnt, blockNo, keyType?'B':'A', transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);
+	}
+
+	// one-sector nested
+	if (cmdp == 'o') { // ------------------------------------  one sector working
 		PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');
 		int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);
 		if (isOK) {
@@ -618,10 +723,10 @@ int CmdHF14AMfNested(const char *Cmd)
 			// transfer key to the emulator
 			if (transferToEml) {
 				uint8_t sectortrailer;
-				if (trgBlockNo < 32*4) { 	// 4 block sector
-					sectortrailer = (trgBlockNo & 0x03) + 3;
-				} else {					// 16 block sector
-					sectortrailer = (trgBlockNo & 0x0f) + 15;
+				if (trgBlockNo < 32*4) {    // 4 block sector
+					sectortrailer = trgBlockNo | 0x03;
+				} else {                    // 16 block sector
+					sectortrailer = trgBlockNo | 0x0f;
 				}
 				mfEmlGetMem(keyBlock, sectortrailer, 1);
 
@@ -630,6 +735,7 @@ int CmdHF14AMfNested(const char *Cmd)
 				else
 					num_to_bytes(key64, 6, &keyBlock[10]);
 				mfEmlSetMem(keyBlock, sectortrailer, 1);
+				PrintAndLog("Key transferred to emulator memory.");
 			}
 		} else {
 			PrintAndLog("No valid key found");
@@ -643,33 +749,37 @@ int CmdHF14AMfNested(const char *Cmd)
 		if (e_sector == NULL) return 1;
 
 		//test current key and additional standard keys first
-		memcpy(keyBlock, key, 6);
-		num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 1 * 6));
-		num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 2 * 6));
-		num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6));
-		num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6));
-		num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));
-		num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 6 * 6));
-		num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 7 * 6));
-		num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 8 * 6));
-		num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 9 * 6));
-		num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 10 * 6));
-		num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 11 * 6));
-		num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 12 * 6));
-		num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 13 * 6));
+		for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){
+			num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
+		}
 
 		PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);
-		for (i = 0; i < SectorsCnt; i++) {
-			for (j = 0; j < 2; j++) {
-				if (e_sector[i].foundKey[j]) continue;
+		mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, MifareDefaultKeysSize, keyBlock, e_sector);
 
-				res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);
-
-				if (!res) {
-					e_sector[i].Key[j] = key64;
-					e_sector[i].foundKey[j] = 1;
+		// get known key from array
+		bool keyFound = false;
+		if (autosearchKey) {
+			for (i = 0; i < SectorsCnt; i++) {
+				for (j = 0; j < 2; j++) {
+					if (e_sector[i].foundKey[j]) {
+						// get known key
+						blockNo = i * 4;
+						keyType = j;
+						num_to_bytes(e_sector[i].Key[j], 6, key);
+						keyFound = true;
+						break;
+					}
 				}
+				if (keyFound) break;
+			}
+
+			// Can't found a key....
+			if (!keyFound) {
+				PrintAndLog("Can't found any of the known keys.");
+				free(e_sector);
+				return 4;
 			}
+			PrintAndLog("--auto key. block no:%3d, key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
 		}
 
 		// nested sectors
@@ -702,15 +812,19 @@ int CmdHF14AMfNested(const char *Cmd)
 						PrintAndLog("Found valid key:%012" PRIx64, key64);
 						e_sector[sectorNo].foundKey[trgKeyType] = 1;
 						e_sector[sectorNo].Key[trgKeyType] = key64;
+
+						// try to check this key as a key to the other sectors
+						mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, 1, keyBlock, e_sector);
 					}
 				}
 			}
 		}
 
-		printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);
+		// print nested statistic
+		PrintAndLog("\n\n-----------------------------------------------\nNested statistic:\nIterations count: %d", iterations);
+		PrintAndLog("Time in nested: %1.3f (%1.3f sec per key)", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);
 
-		PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);
-		//print them
+		// print result
 		PrintAndLog("|---|----------------|---|----------------|---|");
 		PrintAndLog("|sec|key A           |res|key B           |res|");
 		PrintAndLog("|---|----------------|---|----------------|---|");
@@ -720,7 +834,7 @@ int CmdHF14AMfNested(const char *Cmd)
 		}
 		PrintAndLog("|---|----------------|---|----------------|---|");
 
-		// transfer them to the emulator
+		// transfer keys to the emulator memory
 		if (transferToEml) {
 			for (i = 0; i < SectorsCnt; i++) {
 				mfEmlGetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
@@ -730,6 +844,7 @@ int CmdHF14AMfNested(const char *Cmd)
 					num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]);
 				mfEmlSetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
 			}
+			PrintAndLog("Keys transferred to emulator memory.");
 		}
 
 		// Create dump file
@@ -789,6 +904,13 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 		PrintAndLog("      w: Acquire nonces and write them to binary file nonces.bin");
 		PrintAndLog("      s: Slower acquisition (required by some non standard cards)");
 		PrintAndLog("      r: Read nonces.bin and start attack");
+		PrintAndLog("      iX: set type of SIMD instructions. Without this flag programs autodetect it.");
+		PrintAndLog("        i5: AVX512");
+		PrintAndLog("        i2: AVX2");
+		PrintAndLog("        ia: AVX");
+		PrintAndLog("        is: SSE2");
+		PrintAndLog("        im: MMX");
+		PrintAndLog("        in: none (use CPU regular instruction set)");
 		PrintAndLog(" ");
 		PrintAndLog("      sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A");
 		PrintAndLog("      sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w");
@@ -807,15 +929,20 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 	int tests = 0;
 
 
+	uint16_t iindx = 0;
 	if (ctmp == 'R' || ctmp == 'r') {
 		nonce_file_read = true;
+		iindx = 1;
 		if (!param_gethex(Cmd, 1, trgkey, 12)) {
 			know_target_key = true;
+			iindx = 2;
 		}
 	} else if (ctmp == 'T' || ctmp == 't') {
 		tests = param_get32ex(Cmd, 1, 100, 10);
+		iindx = 2;
 		if (!param_gethex(Cmd, 2, trgkey, 12)) {
 			know_target_key = true;
+			iindx = 3;
 		}
 	} else {
 		blockNo = param_get8(Cmd, 0);
@@ -849,20 +976,55 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 			know_target_key = true;
 			i++;
 		}
+		iindx = i;
 
 		while ((ctmp = param_getchar(Cmd, i))) {
 			if (ctmp == 's' || ctmp == 'S') {
 				slow = true;
 			} else if (ctmp == 'w' || ctmp == 'W') {
 				nonce_file_write = true;
+			} else if (param_getlength(Cmd, i) == 2 && ctmp == 'i') {
+				iindx = i;
 			} else {
-				PrintAndLog("Possible options are w and/or s");
+				PrintAndLog("Possible options are w , s and/or iX");
 				return 1;
 			}
 			i++;
 		}
 	}
 
+	SetSIMDInstr(SIMD_AUTO);
+	if (iindx > 0) {
+		while ((ctmp = param_getchar(Cmd, iindx))) {
+			if (param_getlength(Cmd, iindx) == 2 && ctmp == 'i') {
+				switch(param_getchar_indx(Cmd, 1, iindx)) {
+					case '5':
+						SetSIMDInstr(SIMD_AVX512);
+						break;
+					case '2':
+						SetSIMDInstr(SIMD_AVX2);
+						break;
+					case 'a':
+						SetSIMDInstr(SIMD_AVX);
+						break;
+					case 's':
+						SetSIMDInstr(SIMD_SSE2);
+						break;
+					case 'm':
+						SetSIMDInstr(SIMD_MMX);
+						break;
+					case 'n':
+						SetSIMDInstr(SIMD_NONE);
+						break;
+					default:
+						PrintAndLog("Unknown SIMD type. %c", param_getchar_indx(Cmd, 1, iindx));
+						return 1;
+				}
+			}
+			iindx++;
+		}
+	}
+
 	PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ",
 			trgBlockNo,
 			trgKeyType?'B':'A',
@@ -890,95 +1052,102 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 int CmdHF14AMfChk(const char *Cmd)
 {
 	if (strlen(Cmd)<3) {
-		PrintAndLog("Usage:  hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]");
+		PrintAndLog("Usage:  hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d|s|ss] [<key (12 hex symbols)>] [<dic (*.dic)>]");
 		PrintAndLog("          * - all sectors");
 		PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");
-		PrintAndLog("d - write keys to binary file\n");
-		PrintAndLog("t - write keys to emulator memory");
+		PrintAndLog("d  - write keys to binary file (not used when <block number> supplied)");
+		PrintAndLog("t  - write keys to emulator memory");
+		PrintAndLog("s  - slow execute. timeout 1ms");
+		PrintAndLog("ss - very slow execute. timeout 5ms");
 		PrintAndLog("      sample: hf mf chk 0 A 1234567890ab keys.dic");
 		PrintAndLog("              hf mf chk *1 ? t");
 		PrintAndLog("              hf mf chk *1 ? d");
+		PrintAndLog("              hf mf chk *1 ? s");
+		PrintAndLog("              hf mf chk *1 ? dss");
 		return 0;
 	}
 
-	FILE * f;
-	char filename[FILE_PATH_SIZE]={0};
-	char buf[13];
-	uint8_t *keyBlock = NULL, *p;
-	uint16_t stKeyBlock = 20;
-
-	int i, res;
-	int	keycnt = 0;
-	char ctmp	= 0x00;
-	uint8_t blockNo = 0;
-	uint8_t SectorsCnt = 1;
-	uint8_t keyType = 0;
-	uint64_t key64 = 0;
+	FILE     * f;
+	char     filename[FILE_PATH_SIZE]={0};
+	char     buf[13];
+	uint8_t  *keyBlock      = NULL, *p;
+	uint16_t stKeyBlock     = 20;
+	int      i, res;
+	int      keycnt         = 0;
+	char     ctmp           = 0x00;
+	int      clen           = 0;
+	uint8_t  blockNo        = 0;
+	uint8_t  SectorsCnt     = 0;
+	uint8_t  keyType        = 0;
+	uint64_t key64          = 0;
+	// timeout in units. (ms * 106)/10 or us*0.0106
+	uint8_t  btimeout14a    = MF_CHKKEYS_DEFTIMEOUT; // fast by default
+	bool     param3InUse    = false;
+	bool     transferToEml  = 0;
+	bool     createDumpFile = 0;
+	bool     singleBlock    = false;     // Flag to ID if a single or multi key check
+	uint8_t  keyFoundCount  = 0;         // Counter to display the number of keys found/transfered to emulator
 
-	int transferToEml = 0;
-	int createDumpFile = 0;
+	sector_t *e_sector = NULL;
 
 	keyBlock = calloc(stKeyBlock, 6);
 	if (keyBlock == NULL) return 1;
 
-	uint64_t defaultKeys[] =
-	{
-		0xffffffffffff, // Default key (first key used by program if no user defined key)
-		0x000000000000, // Blank key
-		0xa0a1a2a3a4a5, // NFCForum MAD key
-		0xb0b1b2b3b4b5,
-		0xaabbccddeeff,
-		0x4d3a99c351dd,
-		0x1a982c7e459a,
-		0xd3f7d3f7d3f7,
-		0x714c5c886e97,
-		0x587ee5f9350f,
-		0xa0478cc39091,
-		0x533cb6c723f6,
-		0x8fd0a4f256e9
-	};
-	int defaultKeysSize = sizeof(defaultKeys) / sizeof(uint64_t);
-
-	for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++)
-	{
-		num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
+	int defaultKeysSize = MifareDefaultKeysSize;
+	for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++){
+		num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
 	}
 
 	if (param_getchar(Cmd, 0)=='*') {
-		blockNo = 3;
-		switch(param_getchar(Cmd+1, 0)) {
-			case '0': SectorsCnt =  5; break;
-			case '1': SectorsCnt = 16; break;
-			case '2': SectorsCnt = 32; break;
-			case '4': SectorsCnt = 40; break;
-			default:  SectorsCnt = 16;
+		SectorsCnt = ParamCardSizeSectors(param_getchar(Cmd + 1, 0));
+	} else {   
+		blockNo = param_get8(Cmd, 0);
+		// Singe Key check, so Set Sector count to cover sectors (1 to sector that contains the block)
+		// 1 and 2 Cards : Sector = blockNo/4 + 1
+		// Sectors  0 - 31  :  4 blocks per sector : Blocks 0 - 127
+		// Sectors 32 - 39  : 16 blocks per sector : Blocks 128 - 255 (4K)
+		if (blockNo < 128) {
+			SectorsCnt = (blockNo / 4) + 1;
+		} else {
+			SectorsCnt = 32 + ((blockNo-128)/16) + 1;
 		}
+		singleBlock  = true;              // Set flag for single key check
 	}
-	else
-		blockNo = param_get8(Cmd, 0);
 
 	ctmp = param_getchar(Cmd, 1);
-	switch (ctmp) {
-	case 'a': case 'A':
-		keyType = !0;
-		break;
-	case 'b': case 'B':
-		keyType = !1;
-		break;
-	case '?':
-		keyType = 2;
-		break;
-	default:
-		PrintAndLog("Key type must be A , B or ?");
-		free(keyBlock);
+	clen = param_getlength(Cmd, 1);
+	if (clen == 1) {
+		switch (ctmp) {
+		case 'a': case 'A':
+			keyType = 0;
+			break;
+		case 'b': case 'B':
+			keyType = 1;
+			break;
+		case '?':
+			keyType = 2;
+			break;
+		default:
+			PrintAndLog("Key type must be A , B or ?");
+			free(keyBlock);
+			return 1;
+		};
+	}
+
+	parseParamTDS(Cmd, 2, &transferToEml, &createDumpFile, &btimeout14a);
+
+	if (singleBlock & createDumpFile) {
+		PrintAndLog (" block key check (<block no>) and write to dump file (d) combination is not supported ");
+		PrintAndLog (" please remove option d and try again");
 		return 1;
-	};
+	}
 
-	ctmp = param_getchar(Cmd, 2);
-	if		(ctmp == 't' || ctmp == 'T') transferToEml = 1;
-	else if (ctmp == 'd' || ctmp == 'D') createDumpFile = 1;
+	param3InUse = transferToEml | createDumpFile | (btimeout14a != MF_CHKKEYS_DEFTIMEOUT);
 
-	for (i = transferToEml || createDumpFile; param_getchar(Cmd, 2 + i); i++) {
+	PrintAndLog("--chk keys. sectors:%2d, block no:%3d, key type:%c, eml:%c, dmp=%c checktimeout=%d us",
+			SectorsCnt, blockNo, keyType==0?'A':keyType==1?'B':'?', transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);
+
+	for (i = param3InUse; param_getchar(Cmd, 2 + i); i++) {
 		if (!param_gethex(Cmd, 2 + i, keyBlock + 6 * keycnt, 12)) {
 			if ( stKeyBlock - keycnt < 2) {
 				p = realloc(keyBlock, 6*(stKeyBlock+=10));
@@ -990,34 +1159,40 @@ int CmdHF14AMfChk(const char *Cmd)
 				keyBlock = p;
 			}
 			PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
-			(keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
-			(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],	(keyBlock + 6*keycnt)[5], 6);
+			(keyBlock + 6*keycnt)[0], (keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
+			(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);
 			keycnt++;
 		} else {
 			// May be a dic file
-			if ( param_getstr(Cmd, 2 + i,filename) >= FILE_PATH_SIZE ) {
+			if ( param_getstr(Cmd, 2 + i, filename, sizeof(filename)) >= FILE_PATH_SIZE ) {
 				PrintAndLog("File name too long");
 				free(keyBlock);
 				return 2;
 			}
 
-			if ( (f = fopen( filename , "r")) ) {
-				while( fgets(buf, sizeof(buf), f) ){
+			if ((f = fopen( filename , "r"))) {
+				while (fgets(buf, sizeof(buf), f)) {
 					if (strlen(buf) < 12 || buf[11] == '\n')
 						continue;
 
 					while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line
 
-					if( buf[0]=='#' ) continue;	//The line start with # is comment, skip
+					if( buf[0]=='#' ) continue; //The line start with # is comment, skip
 
-					if (!isxdigit(buf[0])){
-						PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);
+					bool content_error = false;
+					for (int i = 0; i < 12; i++) {
+						if (!isxdigit((unsigned char)buf[i])) {
+							content_error = true;
+						}
+					}
+					if (content_error) {
+						PrintAndLog("File content error. '%s' must include 12 HEX symbols", buf);
 						continue;
 					}
 
 					buf[12] = 0;
 
-					if ( stKeyBlock - keycnt < 2) {
+					if (stKeyBlock - keycnt < 2) {
 						p = realloc(keyBlock, 6*(stKeyBlock+=10));
 						if (!p) {
 							PrintAndLog("Cannot allocate memory for defKeys");
@@ -1038,91 +1213,160 @@ int CmdHF14AMfChk(const char *Cmd)
 				PrintAndLog("File: %s: not found or locked.", filename);
 				free(keyBlock);
 				return 1;
-
 			}
 		}
 	}
 
+	// fill with default keys
 	if (keycnt == 0) {
 		PrintAndLog("No key specified, trying default keys");
 		for (;keycnt < defaultKeysSize; keycnt++)
 			PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
-				(keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
-				(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],	(keyBlock + 6*keycnt)[5], 6);
+				(keyBlock + 6*keycnt)[0], (keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
+				(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);
 	}
 
 	// initialize storage for found keys
-	bool validKey[2][40];
-	uint8_t foundKey[2][40][6];
-	for (uint16_t t = 0; t < 2; t++) {
+	e_sector = calloc(SectorsCnt, sizeof(sector_t));
+	if (e_sector == NULL) {
+		free(keyBlock);
+		return 1;
+	}
+	for (uint8_t keyAB = 0; keyAB < 2; keyAB++) {
 		for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
-			validKey[t][sectorNo] = false;
-			for (uint16_t i = 0; i < 6; i++) {
-				foundKey[t][sectorNo][i] = 0xff;
-			}
+			e_sector[sectorNo].Key[keyAB] = 0xffffffffffff;
+			e_sector[sectorNo].foundKey[keyAB] = 0;
 		}
 	}
+	printf("\n");
+
+	bool foundAKey = false;
+	bool clearTraceLog = true;
+	uint32_t max_keys  = keycnt > USB_CMD_DATA_SIZE / 6 ? USB_CMD_DATA_SIZE / 6 : keycnt;
+
+	// !SingleKey, so all key check (if SectorsCnt > 0)
+	if (!singleBlock) {
+		PrintAndLog("To cancel this operation press the button on the proxmark...");
+		printf("--");
+		for (uint32_t c = 0; c < keycnt; c += max_keys) {
+
+			uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;
+			res = mfCheckKeysSec(SectorsCnt, keyType, btimeout14a, clearTraceLog, size, &keyBlock[6 * c], e_sector); // timeout is (ms * 106)/10 or us*0.0106
+			clearTraceLog = false;
+
+			if (res != 1) {
+				if (!res) {
+					printf("o");
+					foundAKey = true;
+				} else {
+					printf(".");
+				}
+			} else {
+				printf("\n");
+				PrintAndLog("Command execute timeout");
+			}
+		}
+	} else {
+		int keyAB = keyType;
+		do {
+			for (uint32_t c = 0; c < keycnt; c += max_keys) {
+
+				uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;
+				res = mfCheckKeys(blockNo, keyAB & 0x01, true, size, &keyBlock[6 * c], &key64);
+				clearTraceLog = false;
 
-	for ( int t = !keyType; t < 2; keyType==2?(t++):(t=2) ) {
-		int b=blockNo;
-		for (int i = 0; i < SectorsCnt; ++i) {
-			PrintAndLog("--sector:%2d, block:%3d, key type:%C, key count:%2d ", i, b, t?'B':'A', keycnt);
-			uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;
-			for (uint32_t c = 0; c < keycnt; c+=max_keys) {
-				uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;
-				res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);
 				if (res != 1) {
 					if (!res) {
-						PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);
-						num_to_bytes(key64, 6, foundKey[t][i]);
-						validKey[t][i] = true;
+						// Use the common format below
+						// PrintAndLog("Found valid key:[%d:%c]%012" PRIx64, blockNo, (keyAB & 0x01)?'B':'A', key64);
+						foundAKey = true;
+
+						// Store the Single Key for display list
+						// For a single block check, SectorsCnt = Sector that contains the block
+						e_sector[SectorsCnt-1].foundKey[(keyAB & 0x01)] = true;  // flag key found
+						e_sector[SectorsCnt-1].Key[(keyAB & 0x01)]      = key64; // Save key data
+
 					}
 				} else {
 					PrintAndLog("Command execute timeout");
 				}
 			}
-			b<127?(b+=4):(b+=16);
+		} while(--keyAB > 0);
+	}
+
+	// print result
+	if (foundAKey) {
+		PrintAndLog("");
+		PrintAndLog("|---|----------------|----------------|");
+		PrintAndLog("|sec|key A           |key B           |");
+		PrintAndLog("|---|----------------|----------------|");
+		for (i = 0; i < SectorsCnt; i++) {
+			// If a block key check, only print a line if a key was found.
+			if (!singleBlock || e_sector[i].foundKey[0] || e_sector[i].foundKey[1]) {
+				char keyAString[13] = "      ?     ";
+				char keyBString[13] = "      ?     ";
+				if (e_sector[i].foundKey[0]) {
+					sprintf(keyAString, "%012" PRIx64, e_sector[i].Key[0]);
+				}
+				if (e_sector[i].foundKey[1]) {
+					sprintf(keyBString, "%012" PRIx64, e_sector[i].Key[1]);
+				}
+				PrintAndLog("|%03d|  %s  |  %s  |", i, keyAString, keyBString);
+			}
 		}
+		PrintAndLog("|---|----------------|----------------|");
+	} else {
+		PrintAndLog("");
+		PrintAndLog("No valid keys found.");
 	}
 
 	if (transferToEml) {
 		uint8_t block[16];
 		for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
-			if (validKey[0][sectorNo] || validKey[1][sectorNo]) {
+			if (e_sector[sectorNo].foundKey[0] || e_sector[sectorNo].foundKey[1]) {
 				mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
 				for (uint16_t t = 0; t < 2; t++) {
-					if (validKey[t][sectorNo]) {
-						memcpy(block + t*10, foundKey[t][sectorNo], 6);
+					if (e_sector[sectorNo].foundKey[t]) {
+						num_to_bytes(e_sector[sectorNo].Key[t], 6, block + t * 10);
+						keyFoundCount++; // Key found count for information
 					}
 				}
 				mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
 			}
 		}
-		PrintAndLog("Found keys have been transferred to the emulator memory");
+		// Updated to show the actual number of keys found/transfered.
+		PrintAndLog("%d keys(s) found have been transferred to the emulator memory",keyFoundCount);
 	}
 
-	if (createDumpFile) {
+	if (createDumpFile && !singleBlock) {
 		FILE *fkeys = fopen("dumpkeys.bin","wb");
 		if (fkeys == NULL) {
 			PrintAndLog("Could not create file dumpkeys.bin");
+			free(e_sector);
 			free(keyBlock);
 			return 1;
 		}
-		for (uint16_t t = 0; t < 2; t++) {
-			fwrite(foundKey[t], 1, 6*SectorsCnt, fkeys);
+		uint8_t mkey[6];
+		for (uint8_t t = 0; t < 2; t++) {
+			for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
+				num_to_bytes(e_sector[sectorNo].Key[t], 6, mkey);
+				fwrite(mkey, 1, 6, fkeys);
+			}
 		}
 		fclose(fkeys);
 		PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");
 	}
 
+	free(e_sector);
 	free(keyBlock);
 	PrintAndLog("");
 	return 0;
 }
 
+
 void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {
 	#define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()
-	                           // cannot be more than 7 or it will overrun c.d.asBytes(512)
+							   // cannot be more than 7 or it will overrun c.d.asBytes(512)
 	uint64_t key = 0;
 	typedef struct {
 			uint64_t keyA;
@@ -1131,7 +1375,7 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack
 	st_t sector_trailer[ATTACK_KEY_COUNT];
 	memset(sector_trailer, 0x00, sizeof(sector_trailer));
 
-	uint8_t	stSector[ATTACK_KEY_COUNT];
+	uint8_t stSector[ATTACK_KEY_COUNT];
 	memset(stSector, 0x00, sizeof(stSector));
 	uint8_t key_cnt[ATTACK_KEY_COUNT];
 	memset(key_cnt, 0x00, sizeof(key_cnt));
@@ -1194,7 +1438,7 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack
 	if (setEmulatorMem) {
 		for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
 			if (key_cnt[i]>0) {
-				uint8_t	memBlock[16];
+				uint8_t memBlock[16];
 				memset(memBlock, 0x00, sizeof(memBlock));
 				char cmd1[36];
 				memset(cmd1,0x00,sizeof(cmd1));
@@ -1223,11 +1467,12 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack
 	}*/
 }
 
-int usage_hf14_mf1ksim(void) {
-	PrintAndLog("Usage:  hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");
+int usage_hf14_mfsim(void) {
+	PrintAndLog("Usage:  hf mf sim [h] [*<card memory>] [u <uid (8, 14, or 20 hex symbols)>] [n <numreads>] [i] [x]");
 	PrintAndLog("options:");
-	PrintAndLog("      h    this help");
-	PrintAndLog("      u    (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");
+	PrintAndLog("      h    (Optional) this help");
+	PrintAndLog("      card memory: 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other, default> - 1K");
+	PrintAndLog("      u    (Optional) UID 4 or 7 bytes. If not specified, the UID 4B from emulator memory will be used");
 	PrintAndLog("      n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");
 	PrintAndLog("      i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
 	PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
@@ -1236,21 +1481,20 @@ int usage_hf14_mf1ksim(void) {
 	PrintAndLog("      r    (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");
 	PrintAndLog("samples:");
 	PrintAndLog("           hf mf sim u 0a0a0a0a");
+	PrintAndLog("           hf mf sim *4");
 	PrintAndLog("           hf mf sim u 11223344556677");
-	PrintAndLog("           hf mf sim u 112233445566778899AA");
 	PrintAndLog("           hf mf sim f uids.txt");
 	PrintAndLog("           hf mf sim u 0a0a0a0a e");
 
 	return 0;
 }
 
-int CmdHF14AMf1kSim(const char *Cmd) {
+int CmdHF14AMfSim(const char *Cmd) {
 	UsbCommand resp;
-	uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+	uint8_t uid[7] = {0};
 	uint8_t exitAfterNReads = 0;
 	uint8_t flags = 0;
 	int uidlen = 0;
-	uint8_t pnr = 0;
 	bool setEmulatorMem = false;
 	bool attackFromFile = false;
 	FILE *f;
@@ -1261,9 +1505,21 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 
 	uint8_t cmdp = 0;
 	bool errors = false;
+	uint8_t cardsize = '1';
 
 	while(param_getchar(Cmd, cmdp) != 0x00) {
 		switch(param_getchar(Cmd, cmdp)) {
+		case '*':
+			cardsize = param_getchar(Cmd + 1, cmdp);
+			switch(cardsize) {
+				case '0':
+				case '1':
+				case '2':
+				case '4': break;
+				default: cardsize = '1';
+			}
+			cmdp++;
+			break;
 		case 'e':
 		case 'E':
 			setEmulatorMem = true;
@@ -1274,7 +1530,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			break;
 		case 'f':
 		case 'F':
-			len = param_getstr(Cmd, cmdp+1, filename);
+			len = param_getstr(Cmd, cmdp+1, filename, sizeof(filename));
 			if (len < 1) {
 				PrintAndLog("error no filename found");
 				return 0;
@@ -1287,7 +1543,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			break;
 		case 'h':
 		case 'H':
-			return usage_hf14_mf1ksim();
+			return usage_hf14_mfsim();
 		case 'i':
 		case 'I':
 			flags |= FLAG_INTERACTIVE;
@@ -1295,7 +1551,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			break;
 		case 'n':
 		case 'N':
-			exitAfterNReads = param_get8(Cmd, pnr+1);
+			exitAfterNReads = param_get8(Cmd, cmdp+1);
 			cmdp += 2;
 			break;
 		case 'r':
@@ -1305,12 +1561,14 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			break;
 		case 'u':
 		case 'U':
-			param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
-			switch(uidlen) {
-				case 20: flags = FLAG_10B_UID_IN_DATA;	break; //not complete
+			uidlen = 14;
+			if (param_gethex_ex(Cmd, cmdp+1, uid, &uidlen)) {
+				return usage_hf14_mfsim();
+			}
+			switch (uidlen) {
 				case 14: flags = FLAG_7B_UID_IN_DATA; break;
 				case  8: flags = FLAG_4B_UID_IN_DATA; break;
-				default: return usage_hf14_mf1ksim();
+				default: return usage_hf14_mfsim();
 			}
 			cmdp += 2;
 			break;
@@ -1327,7 +1585,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 		if(errors) break;
 	}
 	//Validations
-	if(errors) return usage_hf14_mf1ksim();
+	if(errors) return usage_hf14_mfsim();
 
 	//get uid from file
 	if (attackFromFile) {
@@ -1354,7 +1612,6 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 
 			uidlen = strlen(buf)-1;
 			switch(uidlen) {
-				case 20: flags |= FLAG_10B_UID_IN_DATA;	break; //not complete
 				case 14: flags |= FLAG_7B_UID_IN_DATA; break;
 				case  8: flags |= FLAG_4B_UID_IN_DATA; break;
 				default:
@@ -1367,18 +1624,22 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 				sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);
 			}
 
-			PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",
-					flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
-						flags & FLAG_7B_UID_IN_DATA	? sprint_hex(uid,7):
-							flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
-					, exitAfterNReads, flags, flags);
+			PrintAndLog("mf sim cardsize: %s, uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",
+				cardsize == '0' ? "Mini" :
+					cardsize == '2' ? "2K" :
+						cardsize == '4' ? "4K" : "1K",
+				flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
+					flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A",
+				exitAfterNReads,
+				flags,
+				flags);
 
-			UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
+			UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads, cardsize}};
 			memcpy(c.d.asBytes, uid, sizeof(uid));
 			clearCommandBuffer();
 			SendCommand(&c);
 
-			while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+			while (! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
 				//We're waiting only 1.5 s at a time, otherwise we get the
 				// annoying message about "Waiting for a response... "
 			}
@@ -1395,22 +1656,27 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			count++;
 		}
 		fclose(f);
-	} else { //not from file
 
-		PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",
-				flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
-					flags & FLAG_7B_UID_IN_DATA	? sprint_hex(uid,7):
-						flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
-				, exitAfterNReads, flags, flags);
+	} else { //not from file
 
-		UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
+		PrintAndLog("mf sim cardsize: %s, uid: %s, numreads:%d, flags:%d (0x%02x) ",
+			cardsize == '0' ? "Mini" :
+				cardsize == '2' ? "2K" :
+					cardsize == '4' ? "4K" : "1K",
+			flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
+				flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A",
+			exitAfterNReads,
+			flags,
+			flags);
+
+		UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads, cardsize}};
 		memcpy(c.d.asBytes, uid, sizeof(uid));
 		clearCommandBuffer();
 		SendCommand(&c);
 
 		if(flags & FLAG_INTERACTIVE) {
 			PrintAndLog("Press pm3-button to abort simulation");
-			while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+			while(! WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
 				//We're waiting only 1.5 s at a time, otherwise we get the
 				// annoying message about "Waiting for a response... "
 			}
@@ -1445,10 +1711,10 @@ int CmdHF14AMfDbg(const char *Cmd)
 		return 0;
 	}
 
-  UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};
-  SendCommand(&c);
+	UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};
+	SendCommand(&c);
 
-  return 0;
+	return 0;
 }
 
 int CmdHF14AMfEGet(const char *Cmd)
@@ -1471,7 +1737,7 @@ int CmdHF14AMfEGet(const char *Cmd)
 		PrintAndLog("Command execute timeout");
 	}
 
-  return 0;
+	return 0;
 }
 
 int CmdHF14AMfEClear(const char *Cmd)
@@ -1482,9 +1748,9 @@ int CmdHF14AMfEClear(const char *Cmd)
 		return 0;
 	}
 
-  UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};
-  SendCommand(&c);
-  return 0;
+	UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};
+	SendCommand(&c);
+	return 0;
 }
 
 
@@ -1509,10 +1775,7 @@ int CmdHF14AMfESet(const char *Cmd)
 	}
 
 	//  1 - blocks count
-	UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}};
-	memcpy(c.d.asBytes, memBlock, 16);
-	SendCommand(&c);
-	return 0;
+	return mfEmlSetMem(memBlock, blockNo, 1);
 }
 
 
@@ -1550,7 +1813,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 		}
 	}
 
-	len = param_getstr(Cmd,nameParamNo,filename);
+	len = param_getstr(Cmd, nameParamNo, filename, sizeof(filename));
 
 	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
@@ -1649,7 +1912,7 @@ int CmdHF14AMfESave(const char *Cmd)
 		}
 	}
 
-	len = param_getstr(Cmd,nameParamNo,filename);
+	len = param_getstr(Cmd,nameParamNo,filename,sizeof(filename));
 
 	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
@@ -1694,7 +1957,7 @@ int CmdHF14AMfESave(const char *Cmd)
 
 	PrintAndLog("Saved %d blocks to file: %s", numBlocks, filename);
 
-  return 0;
+	return 0;
 }
 
 
@@ -1731,37 +1994,43 @@ int CmdHF14AMfECFill(const char *Cmd)
 		default:   numSectors = 16;
 	}
 
-	printf("--params: numSectors: %d, keyType:%d", numSectors, keyType);
+	printf("--params: numSectors: %d, keyType:%d\n", numSectors, keyType);
 	UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};
 	SendCommand(&c);
 	return 0;
 }
 
+
 int CmdHF14AMfEKeyPrn(const char *Cmd)
 {
 	int i;
-	uint8_t numSectors;
+	uint8_t numSectors = 16;
 	uint8_t data[16];
 	uint64_t keyA, keyB;
+	bool createDumpFile = false;
 
 	if (param_getchar(Cmd, 0) == 'h') {
 		PrintAndLog("It prints the keys loaded in the emulator memory");
-		PrintAndLog("Usage:  hf mf ekeyprn [card memory]");
+		PrintAndLog("Usage:  hf mf ekeyprn [card memory] [d]");
 		PrintAndLog("  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
+		PrintAndLog("  [d]          : write keys to binary file dumpkeys.bin");
 		PrintAndLog("");
 		PrintAndLog(" sample: hf mf ekeyprn 1");
 		return 0;
 	}
 
-	char cmdp = param_getchar(Cmd, 0);
-
-	switch (cmdp) {
-		case '0' : numSectors = 5; break;
-		case '1' :
-		case '\0': numSectors = 16; break;
-		case '2' : numSectors = 32; break;
-		case '4' : numSectors = 40; break;
-		default:   numSectors = 16;
+	uint8_t cmdp = 0;
+	while (param_getchar(Cmd, cmdp) != 0x00) {
+		switch (param_getchar(Cmd, cmdp)) {
+			case '0' : numSectors = 5; break;
+			case '1' :
+			case '\0': numSectors = 16; break;
+			case '2' : numSectors = 32; break;
+			case '4' : numSectors = 40; break;
+			case 'd' :
+			case 'D' : createDumpFile = true; break;
+		}
+		cmdp++;
 	}
 
 	PrintAndLog("|---|----------------|----------------|");
@@ -1778,9 +2047,35 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
 	}
 	PrintAndLog("|---|----------------|----------------|");
 
+	// Create dump file
+	if (createDumpFile) {
+		FILE *fkeys;
+		if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) {
+			PrintAndLog("Could not create file dumpkeys.bin");
+			return 1;
+		}
+		PrintAndLog("Printing keys to binary file dumpkeys.bin...");
+		for(i = 0; i < numSectors; i++) {
+			if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {
+				PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);
+				break;
+			}
+			fwrite(data+6, 1, 6, fkeys);
+		}
+		for(i = 0; i < numSectors; i++) {
+			if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {
+				PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);
+				break;
+			}
+			fwrite(data+10, 1, 6, fkeys);
+		}
+		fclose(fkeys);
+	}
+
 	return 0;
 }
 
+
 int CmdHF14AMfCSetUID(const char *Cmd)
 {
 	uint8_t uid[8] = {0x00};
@@ -1792,7 +2087,7 @@ int CmdHF14AMfCSetUID(const char *Cmd)
 
 	uint8_t needHelp = 0;
 	char cmdp = 1;
-	
+
 	if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {
 		PrintAndLog("UID must include 8 HEX symbols");
 		return 1;
@@ -1801,12 +2096,12 @@ int CmdHF14AMfCSetUID(const char *Cmd)
 	if (param_getlength(Cmd, 1) > 1 && param_getlength(Cmd, 2) >  1) {
 		atqaPresent = 1;
 		cmdp = 3;
-		
+
 		if (param_gethex(Cmd, 1, atqa, 4)) {
 			PrintAndLog("ATQA must include 4 HEX symbols");
 			return 1;
 		}
-				
+
 		if (param_gethex(Cmd, 2, sak, 2)) {
 			PrintAndLog("SAK must include 2 HEX symbols");
 			return 1;
@@ -1854,27 +2149,16 @@ int CmdHF14AMfCSetUID(const char *Cmd)
 	return 0;
 }
 
-static int ParamGetCardSize(const char c) {
-	int numBlocks = 16 * 4;
-	switch (c) {
-		case '0' : numBlocks = 5 * 4; break;
-		case '2' : numBlocks = 32 * 4; break;
-		case '4' : numBlocks = 32 * 4 + 8 * 16; break;
-		default:   numBlocks = 16 * 4;
-	}
-	return numBlocks;
-}
-
 int CmdHF14AMfCWipe(const char *Cmd)
 {
 	int res, gen = 0;
 	int numBlocks = 16 * 4;
 	bool wipeCard = false;
 	bool fillCard = false;
-	
+
 	if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
-		PrintAndLog("Usage:  hf mf cwipe [card size] [w] [p]");
-		PrintAndLog("sample:  hf mf cwipe 1 w s");
+		PrintAndLog("Usage:  hf mf cwipe [card size] [w] [f]");
+		PrintAndLog("sample:  hf mf cwipe 1 w f");
 		PrintAndLog("[card size]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
 		PrintAndLog("w - Wipe magic Chinese card (only works with gen:1a cards)");
 		PrintAndLog("f - Fill the card with default data and keys (works with gen:1a and gen:1b cards only)");
@@ -1882,10 +2166,10 @@ int CmdHF14AMfCWipe(const char *Cmd)
 	}
 
 	gen = mfCIdentify();
-	if ((gen != 1) && (gen != 2)) 
+	if ((gen != 1) && (gen != 2))
 		return 1;
-	
-	numBlocks = ParamGetCardSize(param_getchar(Cmd, 0));
+
+	numBlocks = ParamCardSizeBlocks(param_getchar(Cmd, 0));
 
 	char cmdp = 0;
 	while(param_getchar(Cmd, cmdp) != 0x00){
@@ -1904,7 +2188,7 @@ int CmdHF14AMfCWipe(const char *Cmd)
 		cmdp++;
 	}
 
-	if (!wipeCard && !fillCard) 
+	if (!wipeCard && !fillCard)
 		wipeCard = true;
 
 	PrintAndLog("--blocks count:%2d wipe:%c fill:%c", numBlocks, (wipeCard)?'y':'n', (fillCard)?'y':'n');
@@ -1914,10 +2198,10 @@ int CmdHF14AMfCWipe(const char *Cmd)
 		if (wipeCard) {
 			PrintAndLog("WARNING: can't wipe magic card 1b generation");
 		}
-		res = mfCWipe(numBlocks, true, false, fillCard); 
+		res = mfCWipe(numBlocks, true, false, fillCard);
 	} else {
 		/* generation 1a magic card by default */
-		res = mfCWipe(numBlocks, false, wipeCard, fillCard); 
+		res = mfCWipe(numBlocks, false, wipeCard, fillCard);
 	}
 
 	if (res) {
@@ -1944,7 +2228,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
 	}
 
 	gen = mfCIdentify();
-	if ((gen != 1) && (gen != 2)) 
+	if ((gen != 1) && (gen != 2))
 		return 1;
 
 	blockNo = param_get8(Cmd, 0);
@@ -2010,9 +2294,9 @@ int CmdHF14AMfCLoad(const char *Cmd)
 				PrintAndLog("Cant get block: %d", blockNum);
 				return 2;
 			}
-			if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;				// switch on field and send magic sequence
-			if (blockNum == 1) flags = 0;													// just write
-			if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;		// Done. Magic Halt and switch off field.
+			if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;               // switch on field and send magic sequence
+			if (blockNum == 1) flags = 0;                                                   // just write
+			if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;       // Done. Magic Halt and switch off field.
 
 			if (gen == 2)
 				/* generation 1b magic card */
@@ -2024,7 +2308,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 		}
 		return 0;
 	} else {
-		param_getstr(Cmd, 0, filename);
+		param_getstr(Cmd, 0, filename, sizeof(filename));
 
 		len = strlen(filename);
 		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
@@ -2062,9 +2346,9 @@ int CmdHF14AMfCLoad(const char *Cmd)
 			for (i = 0; i < 32; i += 2)
 				sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
 
-			if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;				// switch on field and send magic sequence
-			if (blockNum == 1) flags = 0;													// just write
-			if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;		// Done. Switch off field.
+			if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;               // switch on field and send magic sequence
+			if (blockNum == 1) flags = 0;                                                   // just write
+			if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;       // Done. Switch off field.
 
 			if (gen == 2)
 				/* generation 1b magic card */
@@ -2123,6 +2407,20 @@ int CmdHF14AMfCGetBlk(const char *Cmd) {
 		}
 
 	PrintAndLog("block data:%s", sprint_hex(memBlock, 16));
+
+	if (mfIsSectorTrailer(blockNo)) {
+		PrintAndLogEx(NORMAL, "Trailer decoded:");
+		PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));
+		PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));
+		int bln = mfFirstBlockOfSector(mfSectorNum(blockNo));
+		int blinc = (mfNumBlocksPerSector(mfSectorNum(blockNo)) > 4) ? 5 : 1;
+		for (int i = 0; i < 4; i++) {
+			PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));
+			bln += blinc;
+		}
+		PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));
+	}
+
 	return 0;
 }
 
@@ -2173,6 +2471,19 @@ int CmdHF14AMfCGetSc(const char *Cmd) {
 		}
 
 		PrintAndLog("block %3d data:%s", baseblock + i, sprint_hex(memBlock, 16));
+
+		if (mfIsSectorTrailer(baseblock + i)) {
+				PrintAndLogEx(NORMAL, "Trailer decoded:");
+				PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));
+				PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));
+				int bln = baseblock;
+				int blinc = (mfNumBlocksPerSector(sectorNo) > 4) ? 5 : 1;
+				for (int i = 0; i < 4; i++) {
+						PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));
+						bln += blinc;
+				}
+				PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));
+		}
 	}
 	return 0;
 }
@@ -2235,7 +2546,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
 		}
 		return 0;
 	} else {
-		param_getstr(Cmd, 0, filename);
+		param_getstr(Cmd, 0, filename, sizeof(filename));
 
 		len = strlen(filename);
 		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
@@ -2308,6 +2619,7 @@ int CmdHF14AMfSniff(const char *Cmd){
 	//var
 	int res = 0;
 	int len = 0;
+	int parlen = 0;
 	int blockLen = 0;
 	int pckNum = 0;
 	int num = 0;
@@ -2319,6 +2631,7 @@ int CmdHF14AMfSniff(const char *Cmd){
 	uint8_t *buf = NULL;
 	uint16_t bufsize = 0;
 	uint8_t *bufPtr = NULL;
+	uint8_t parity[16];
 
 	char ctmp = param_getchar(Cmd, 0);
 	if ( ctmp == 'h' || ctmp == 'H' ) {
@@ -2362,23 +2675,22 @@ int CmdHF14AMfSniff(const char *Cmd){
 		}
 
 		UsbCommand resp;
-		if (WaitForResponseTimeout(CMD_ACK,&resp,2000)) {
+		if (WaitForResponseTimeoutW(CMD_ACK, &resp, 2000, false)) {
 			res = resp.arg[0] & 0xff;
 			uint16_t traceLen = resp.arg[1];
 			len = resp.arg[2];
 
-			if (res == 0) {								// we are done
-				free(buf);
-				return 0;
+			if (res == 0) {                             // we are done
+				break;
 			}
 
-			if (res == 1) {								// there is (more) data to be transferred
-				if (pckNum == 0) {						// first packet, (re)allocate necessary buffer
+			if (res == 1) {                             // there is (more) data to be transferred
+				if (pckNum == 0) {                      // first packet, (re)allocate necessary buffer
 					if (traceLen > bufsize || buf == NULL) {
 						uint8_t *p;
-						if (buf == NULL) {				// not yet allocated
+						if (buf == NULL) {              // not yet allocated
 							p = malloc(traceLen);
-						} else {						// need more memory
+						} else {                        // need more memory
 							p = realloc(buf, traceLen);
 						}
 						if (p == NULL) {
@@ -2397,13 +2709,13 @@ int CmdHF14AMfSniff(const char *Cmd){
 				pckNum++;
 			}
 
-			if (res == 2) {								// received all data, start displaying
+			if (res == 2) {                             // received all data, start displaying
 				blockLen = bufPtr - buf;
 				bufPtr = buf;
 				printf(">\n");
 				PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);
 				while (bufPtr - buf < blockLen) {
-					bufPtr += 6;						// skip (void) timing information
+					bufPtr += 6;                        // skip (void) timing information
 					len = *((uint16_t *)bufPtr);
 					if(len & 0x8000) {
 						isTag = true;
@@ -2411,6 +2723,7 @@ int CmdHF14AMfSniff(const char *Cmd){
 					} else {
 						isTag = false;
 					}
+					parlen = (len - 1) / 8 + 1;
 					bufPtr += 2;
 					if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {
 						memcpy(uid, bufPtr + 2, 7);
@@ -2429,15 +2742,22 @@ int CmdHF14AMfSniff(const char *Cmd){
 						if (wantDecrypt)
 							mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);
 					} else {
-						PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));
+						oddparitybuf(bufPtr, len, parity);
+						PrintAndLog("%s(%d):%s [%s] c[%s]%c",
+							isTag ? "TAG":"RDR",
+							num,
+							sprint_hex(bufPtr, len),
+							printBitsPar(bufPtr + len, len),
+							printBitsPar(parity, len),
+							memcmp(bufPtr + len, parity, len / 8 + 1) ? '!' : ' ');
 						if (wantLogToFile)
 							AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);
 						if (wantDecrypt)
-							mfTraceDecode(bufPtr, len, wantSaveToEmlFile);
+							mfTraceDecode(bufPtr, len, bufPtr[len], wantSaveToEmlFile);
 						num++;
 					}
 					bufPtr += len;
-					bufPtr += ((len-1)/8+1);	// ignore parity
+					bufPtr += parlen;   // ignore parity
 				}
 				pckNum = 0;
 			}
@@ -2445,61 +2765,375 @@ int CmdHF14AMfSniff(const char *Cmd){
 	} // while (true)
 
 	free(buf);
+
+	msleep(300); // wait for exiting arm side.
+	PrintAndLog("Done.");
 	return 0;
 }
 
 //needs nt, ar, at, Data to decrypt
 int CmdDecryptTraceCmds(const char *Cmd){
 	uint8_t data[50];
-	int len = 0;
-	param_gethex_ex(Cmd,3,data,&len);
-	return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);
+	int len = 100;
+	param_gethex_ex(Cmd, 3, data, &len);
+	return tryDecryptWord(param_get32ex(Cmd, 0, 0, 16), param_get32ex(Cmd, 1, 0, 16), param_get32ex(Cmd, 2, 0, 16), data, len/2);
 }
 
-static command_t CommandTable[] =
-{
-  {"help",             CmdHelp,                 1, "This help"},
-  {"dbg",              CmdHF14AMfDbg,           0, "Set default debug mode"},
-  {"rdbl",             CmdHF14AMfRdBl,          0, "Read MIFARE classic block"},
-  {"rdsc",             CmdHF14AMfRdSc,          0, "Read MIFARE classic sector"},
-  {"dump",             CmdHF14AMfDump,          0, "Dump MIFARE classic tag to binary file"},
-  {"restore",  	       CmdHF14AMfRestore,       0, "Restore MIFARE classic binary file to BLANK tag"},
-  {"wrbl",             CmdHF14AMfWrBl,          0, "Write MIFARE classic block"},
-  {"chk",              CmdHF14AMfChk,           0, "Test block keys"},
-  {"mifare",           CmdHF14AMifare,          0, "Read parity error messages."},
-  {"hardnested",       CmdHF14AMfNestedHard,    0, "Nested attack for hardened Mifare cards"},
-  {"nested",           CmdHF14AMfNested,        0, "Test nested authentication"},
-  {"sniff",            CmdHF14AMfSniff,         0, "Sniff card-reader communication"},
-  {"sim",              CmdHF14AMf1kSim,         0, "Simulate MIFARE card"},
-  {"eclr",             CmdHF14AMfEClear,        0, "Clear simulator memory block"},
-  {"eget",             CmdHF14AMfEGet,          0, "Get simulator memory block"},
-  {"eset",             CmdHF14AMfESet,          0, "Set simulator memory block"},
-  {"eload",            CmdHF14AMfELoad,         0, "Load from file emul dump"},
-  {"esave",            CmdHF14AMfESave,         0, "Save to file emul dump"},
-  {"ecfill",           CmdHF14AMfECFill,        0, "Fill simulator memory with help of keys from simulator"},
-  {"ekeyprn",          CmdHF14AMfEKeyPrn,       0, "Print keys from simulator memory"},
-  {"cwipe",            CmdHF14AMfCWipe,         0, "Wipe magic Chinese card"},
-  {"csetuid",          CmdHF14AMfCSetUID,       0, "Set UID for magic Chinese card"},
-  {"csetblk",          CmdHF14AMfCSetBlk,       0, "Write block - Magic Chinese card"},
-  {"cgetblk",          CmdHF14AMfCGetBlk,       0, "Read block - Magic Chinese card"},
-  {"cgetsc",           CmdHF14AMfCGetSc,        0, "Read sector - Magic Chinese card"},
-  {"cload",            CmdHF14AMfCLoad,         0, "Load dump into magic Chinese card"},
-  {"csave",            CmdHF14AMfCSave,         0, "Save dump from magic Chinese card into file or emulator"},
-  {"decrypt",          CmdDecryptTraceCmds,     1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
-  {NULL,               NULL,                    0, NULL}
+int CmdHF14AMfAuth4(const char *cmd) {
+	uint8_t keyn[20] = {0};
+	int keynlen = 0;
+	uint8_t key[16] = {0};
+	int keylen = 0;
+
+	CLIParserInit("hf mf auth4",
+		"Executes AES authentication command in ISO14443-4",
+		"Usage:\n\thf mf auth4 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"
+			"\thf mf auth4 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_str1(NULL,  NULL,     "<Key Num (HEX 2 bytes)>", NULL),
+		arg_str1(NULL,  NULL,     "<Key Value (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+
+	CLIGetHexWithReturn(1, keyn, &keynlen);
+	CLIGetHexWithReturn(2, key, &keylen);
+	CLIParserFree();
+
+	if (keynlen != 2) {
+		PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);
+		return 1;
+	}
+
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+
+	return MifareAuth4(NULL, keyn, key, true, false, true);
+}
+
+// https://www.nxp.com/docs/en/application-note/AN10787.pdf
+int CmdHF14AMfMAD(const char *cmd) {
+
+	CLIParserInit("hf mf mad",
+				  "Checks and prints Mifare Application Directory (MAD)",
+				  "Usage:\n\thf mf mad -> shows MAD if exists\n"
+				  "\thf mf mad -a 03e1 -k ffffffffffff -b -> shows NDEF data if exists. read card with custom key and key B\n");
+
+	void *argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose",  "show technical data"),
+		arg_str0("aA",  "aid",      "print all sectors with aid", NULL),
+		arg_str0("kK",  "key",      "key for printing sectors", NULL),
+		arg_lit0("bB",  "keyb",     "use key B for access printing sectors (by default: key A)"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	bool verbose = arg_get_lit(1);
+	uint8_t aid[2] = {0};
+	int aidlen;
+	CLIGetHexWithReturn(2, aid, &aidlen);
+	uint8_t key[6] = {0};
+	int keylen;
+	CLIGetHexWithReturn(3, key, &keylen);
+	bool keyB = arg_get_lit(4);
+
+	CLIParserFree();
+
+	if (aidlen != 2 && keylen > 0) {
+		PrintAndLogEx(WARNING, "do not need a key without aid.");
+	}
+
+	uint8_t sector0[16 * 4] = {0};
+	uint8_t sector10[16 * 4] = {0};
+	if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {
+		PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");
+		return 2;
+	}
+
+	if (verbose) {
+		for (int i = 0; i < 4; i ++)
+			PrintAndLogEx(NORMAL, "[%d] %s", i, sprint_hex(&sector0[i * 16], 16));
+	}
+
+	bool haveMAD2 = false;
+	MAD1DecodeAndPrint(sector0, verbose, &haveMAD2);
+
+	if (haveMAD2) {
+		if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {
+			PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");
+			return 2;
+		}
+
+		MAD2DecodeAndPrint(sector10, verbose);
+	}
+
+	if (aidlen == 2) {
+		uint16_t aaid = (aid[0] << 8) + aid[1];
+		PrintAndLogEx(NORMAL, "\n-------------- AID 0x%04x ---------------", aaid);
+
+		uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
+		size_t madlen = 0;
+		if (MADDecode(sector0, sector10, mad, &madlen)) {
+			PrintAndLogEx(ERR, "can't decode mad.");
+			return 10;
+		}
+
+		uint8_t akey[6] = {0};
+		memcpy(akey, g_mifare_ndef_key, 6);
+		if (keylen == 6) {
+			memcpy(akey, key, 6);
+		}
+
+		for (int i = 0; i < madlen; i++) {
+			if (aaid == mad[i]) {
+				uint8_t vsector[16 * 4] = {0};
+				if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, akey, vsector)) {
+					PrintAndLogEx(NORMAL, "");
+					PrintAndLogEx(ERR, "read sector %d error.", i + 1);
+					return 2;
+				}
+
+				for (int j = 0; j < (verbose ? 4 : 3); j ++)
+					PrintAndLogEx(NORMAL, " [%03d] %s", (i + 1) * 4 + j, sprint_hex(&vsector[j * 16], 16));
+			}
+		}
+	}
+
+	return 0;
+}
+
+int CmdHFMFNDEF(const char *cmd) {
+
+	CLIParserInit("hf mf ndef",
+				  "Prints NFC Data Exchange Format (NDEF)",
+				  "Usage:\n\thf mf ndef -> shows NDEF data\n"
+				  "\thf mf ndef -a 03e1 -k ffffffffffff -b -> shows NDEF data with custom AID, key and with key B\n");
+
+	void *argtable[] = {
+		arg_param_begin,
+		arg_litn("vV",  "verbose",  0, 2, "show technical data"),
+		arg_str0("aA",  "aid",      "replace default aid for NDEF", NULL),
+		arg_str0("kK",  "key",      "replace default key for NDEF", NULL),
+		arg_lit0("bB",  "keyb",     "use key B for access sectors (by default: key A)"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+
+	bool verbose = arg_get_lit(1);
+	bool verbose2 = arg_get_lit(1) > 1;
+	uint8_t aid[2] = {0};
+	int aidlen;
+	CLIGetHexWithReturn(2, aid, &aidlen);
+	uint8_t key[6] = {0};
+	int keylen;
+	CLIGetHexWithReturn(3, key, &keylen);
+	bool keyB = arg_get_lit(4);
+
+	CLIParserFree();
+
+	uint16_t ndefAID = 0x03e1;
+	if (aidlen == 2)
+		ndefAID = (aid[0] << 8) + aid[1];
+
+	uint8_t ndefkey[6] = {0};
+	memcpy(ndefkey, g_mifare_ndef_key, 6);
+	if (keylen == 6) {
+		memcpy(ndefkey, key, 6);
+	}
+
+	uint8_t sector0[16 * 4] = {0};
+	uint8_t sector10[16 * 4] = {0};
+	uint8_t data[4096] = {0};
+	int datalen = 0;
+
+	PrintAndLogEx(NORMAL, "");
+
+	if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {
+		PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");
+		return 2;
+	}
+
+	bool haveMAD2 = false;
+	int res = MADCheck(sector0, NULL, verbose, &haveMAD2);
+	if (res) {
+		PrintAndLogEx(ERR, "MAD error %d.", res);
+		return res;
+	}
+
+	if (haveMAD2) {
+		if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {
+			PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");
+			return 2;
+		}
+	}
+
+	uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
+	size_t madlen = 0;
+	if (MADDecode(sector0, (haveMAD2 ? sector10 : NULL), mad, &madlen)) {
+		PrintAndLogEx(ERR, "can't decode mad.");
+		return 10;
+	}
+
+	printf("data reading:");
+	for (int i = 0; i < madlen; i++) {
+		if (ndefAID == mad[i]) {
+			uint8_t vsector[16 * 4] = {0};
+			if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, ndefkey, vsector)) {
+				PrintAndLogEx(ERR, "read sector %d error.", i + 1);
+				return 2;
+			}
+
+			memcpy(&data[datalen], vsector, 16 * 3);
+			datalen += 16 * 3;
+
+			printf(".");
+		}
+	}
+	printf(" OK\n");
+
+	if (!datalen) {
+		PrintAndLogEx(ERR, "no NDEF data.");
+		return 11;
+	}
+
+	if (verbose2) {
+		PrintAndLogEx(NORMAL, "NDEF data:");
+		dump_buffer(data, datalen, stdout, 1);
+	}
+
+	NDEFDecodeAndPrint(data, datalen, verbose);
+
+	return 0;
+}
+
+int CmdHFMFPersonalize(const char *cmd) {
+
+	CLIParserInit("hf mf personalize",
+				  "Personalize the UID of a Mifare Classic EV1 card. This is only possible if it is a 7Byte UID card and if it is not already personalized.",
+				  "Usage:\n\thf mf personalize UIDF0                        -> double size UID according to ISO/IEC14443-3\n"
+				  "\thf mf personalize UIDF1                        -> double size UID according to ISO/IEC14443-3, optional usage of selection process shortcut\n"
+				  "\thf mf personalize UIDF2                        -> single size random ID according to ISO/IEC14443-3\n"
+				  "\thf mf personalize UIDF3                        -> single size NUID according to ISO/IEC14443-3\n"
+				  "\thf mf personalize -t B -k B0B1B2B3B4B5 UIDF3   -> use key B = 0xB0B1B2B3B4B5 instead of default key A\n");
+
+	void *argtable[] = {
+		arg_param_begin,
+		arg_str0("tT",  "keytype", "<A|B>",                     "key type (A or B) to authenticate sector 0 (default: A)"),
+		arg_str0("kK",  "key",     "<key (hex 6 Bytes)>",       "key to authenticate sector 0 (default: FFFFFFFFFFFF)"),
+		arg_str1(NULL,  NULL,      "<UIDF0|UIDF1|UIDF2|UIDF3>", "Personalization Option"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+
+	char keytypestr[2] = "A";
+	uint8_t keytype = 0x00;
+	int keytypestr_len;
+	int res = CLIParamStrToBuf(arg_get_str(1), (uint8_t*)keytypestr, 1, &keytypestr_len);
+	if (res || (keytypestr[0] != 'a' && keytypestr[0] != 'A' && keytypestr[0] != 'b' && keytypestr[0] != 'B')) {
+		PrintAndLog("ERROR: not a valid key type. Key type must be A or B");
+		CLIParserFree();
+		return 1;
+	}
+	if (keytypestr[0] == 'B' || keytypestr[0] == 'b') {
+		keytype = 0x01;
+	}
+
+	uint8_t key[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+	int key_len;
+	res = CLIParamHexToBuf(arg_get_str(2), key, 6, &key_len);
+	if (res || (!res && key_len > 0 && key_len != 6)) {
+		PrintAndLog("ERROR: not a valid key. Key must be 12 hex digits");
+		CLIParserFree();
+		return 1;
+	}
+
+	char pers_optionstr[6];
+	int opt_len;
+	uint8_t pers_option;
+	res = CLIParamStrToBuf(arg_get_str(3), (uint8_t*)pers_optionstr, 5, &opt_len);
+	if (res || (!res && opt_len > 0 && opt_len != 5)
+			|| (strncmp(pers_optionstr, "UIDF0", 5) && strncmp(pers_optionstr, "UIDF1", 5) && strncmp(pers_optionstr, "UIDF2", 5) && strncmp(pers_optionstr, "UIDF3", 5))) {
+		PrintAndLog("ERROR: invalid personalization option. Must be one of UIDF0, UIDF1, UIDF2, or UIDF3");
+		CLIParserFree();
+		return 1;
+	}
+	if (!strncmp(pers_optionstr, "UIDF0", 5)) {
+		pers_option = MIFARE_EV1_UIDF0;
+	} else if (!strncmp(pers_optionstr, "UIDF1", 5)) {
+		pers_option = MIFARE_EV1_UIDF1;
+	} else if (!strncmp(pers_optionstr, "UIDF2", 5)) {
+		pers_option = MIFARE_EV1_UIDF2;
+	} else {
+		pers_option = MIFARE_EV1_UIDF3;
+	}
+
+	CLIParserFree();
+
+	UsbCommand c = {CMD_MIFARE_PERSONALIZE_UID, {keytype, pers_option, 0}};
+	memcpy(c.d.asBytes, key, 6);
+	SendCommand(&c);
+
+	UsbCommand resp;
+	if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
+		uint8_t isOK  = resp.arg[0] & 0xff;
+		PrintAndLog("Personalization %s", isOK ? "FAILED" : "SUCCEEDED");
+	} else {
+		PrintAndLog("Command execute timeout");
+	}
+
+	return 0;
+}
+
+
+static command_t CommandTable[] = {
+	{"help",             CmdHelp,                 1, "This help"},
+	{"dbg",              CmdHF14AMfDbg,           0, "Set default debug mode"},
+	{"rdbl",             CmdHF14AMfRdBl,          0, "Read MIFARE classic block"},
+	{"rdsc",             CmdHF14AMfRdSc,          0, "Read MIFARE classic sector"},
+	{"dump",             CmdHF14AMfDump,          0, "Dump MIFARE classic tag to binary file"},
+	{"restore",          CmdHF14AMfRestore,       0, "Restore MIFARE classic binary file to BLANK tag"},
+	{"wrbl",             CmdHF14AMfWrBl,          0, "Write MIFARE classic block"},
+	{"auth4",            CmdHF14AMfAuth4,         0, "ISO14443-4 AES authentication"},
+	{"chk",              CmdHF14AMfChk,           0, "Test block keys"},
+	{"mifare",           CmdHF14AMifare,          0, "Read parity error messages."},
+	{"hardnested",       CmdHF14AMfNestedHard,    0, "Nested attack for hardened Mifare cards"},
+	{"nested",           CmdHF14AMfNested,        0, "Test nested authentication"},
+	{"sniff",            CmdHF14AMfSniff,         0, "Sniff card-reader communication"},
+	{"sim",              CmdHF14AMfSim,           0, "Simulate MIFARE card"},
+	{"eclr",             CmdHF14AMfEClear,        0, "Clear simulator memory"},
+	{"eget",             CmdHF14AMfEGet,          0, "Get simulator memory block"},
+	{"eset",             CmdHF14AMfESet,          0, "Set simulator memory block"},
+	{"eload",            CmdHF14AMfELoad,         0, "Load from file emul dump"},
+	{"esave",            CmdHF14AMfESave,         0, "Save to file emul dump"},
+	{"ecfill",           CmdHF14AMfECFill,        0, "Fill simulator memory with help of keys from simulator"},
+	{"ekeyprn",          CmdHF14AMfEKeyPrn,       0, "Print keys from simulator memory"},
+	{"cwipe",            CmdHF14AMfCWipe,         0, "Wipe magic Chinese card"},
+	{"csetuid",          CmdHF14AMfCSetUID,       0, "Set UID for magic Chinese card"},
+	{"csetblk",          CmdHF14AMfCSetBlk,       0, "Write block - Magic Chinese card"},
+	{"cgetblk",          CmdHF14AMfCGetBlk,       0, "Read block - Magic Chinese card"},
+	{"cgetsc",           CmdHF14AMfCGetSc,        0, "Read sector - Magic Chinese card"},
+	{"cload",            CmdHF14AMfCLoad,         0, "Load dump into magic Chinese card"},
+	{"csave",            CmdHF14AMfCSave,         0, "Save dump from magic Chinese card into file or emulator"},
+	{"decrypt",          CmdDecryptTraceCmds,     1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
+	{"mad",              CmdHF14AMfMAD,           0, "Checks and prints MAD"},
+	{"ndef",             CmdHFMFNDEF,             0, "Prints NDEF records from card"},
+	{"personalize",      CmdHFMFPersonalize,      0, "Personalize UID (Mifare Classic EV1 only)"},
+	{NULL,               NULL,                    0, NULL}
 };
 
-int CmdHFMF(const char *Cmd)
-{
-	// flush
-	WaitForResponseTimeout(CMD_ACK,NULL,100);
 
-  CmdsParse(CommandTable, Cmd);
-  return 0;
+int CmdHFMF(const char *Cmd) {
+	(void)WaitForResponseTimeout(CMD_ACK,NULL,100);
+	CmdsParse(CommandTable, Cmd);
+	return 0;
 }
 
-int CmdHelp(const char *Cmd)
-{
-  CmdsHelp(CommandTable);
-  return 0;
+
+int CmdHelp(const char *Cmd) {
+	CmdsHelp(CommandTable);
+	return 0;
 }