X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/a83d091885dc701e61935eb9573b92d933ca1c50..d664113aeed50a5d28a4f2235f226df62b8c2820:/armsrc/iso14443b.c?ds=sidebyside

diff --git a/armsrc/iso14443b.c b/armsrc/iso14443b.c
index f8e6046c..cb8567fa 100644
--- a/armsrc/iso14443b.c
+++ b/armsrc/iso14443b.c
@@ -1,5 +1,6 @@
 //-----------------------------------------------------------------------------
 // Jonathan Westhues, split Nov 2006
+// piwi 2018
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@@ -16,8 +17,8 @@
 
 #include "iso14443crc.h"
 
-#define RECEIVE_SAMPLES_TIMEOUT 2000
-#define ISO14443B_DMA_BUFFER_SIZE 256
+#define RECEIVE_SAMPLES_TIMEOUT 1000 // TR0 max is 256/fs = 256/(848kHz) = 302us or 64 samples from FPGA. 1000 seems to be much too high?
+#define ISO14443B_DMA_BUFFER_SIZE 128
 
 // PCB Block number for APDUs
 static uint8_t pcb_blocknum = 0;
@@ -243,7 +244,7 @@ static RAMFUNC int Handle14443bUartBit(uint8_t bit)
 					LED_A_OFF(); // Finished receiving
 					Uart.state = STATE_UNSYNCD;
 					if (Uart.byteCnt != 0) {
-						return TRUE;
+						return true;
 					}
 				} else {
 					// this is an error
@@ -259,7 +260,7 @@ static RAMFUNC int Handle14443bUartBit(uint8_t bit)
 			break;
 	}
 
-	return FALSE;
+	return false;
 }
 
 
@@ -283,7 +284,7 @@ static void UartInit(uint8_t *data)
 // Receive a command (from the reader to us, where we are the simulated tag),
 // and store it in the given buffer, up to the given maximum length. Keeps
 // spinning, waiting for a well-framed command, until either we get one
-// (returns TRUE) or someone presses the pushbutton on the board (FALSE).
+// (returns true) or someone presses the pushbutton on the board (false).
 //
 // Assume that we're called with the SSC (to the FPGA) and ADC path set
 // correctly.
@@ -302,20 +303,20 @@ static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
 	for(;;) {
 		WDT_HIT();
 
-		if(BUTTON_PRESS()) return FALSE;
+		if(BUTTON_PRESS()) return false;
 
 		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
 			uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 			for(uint8_t mask = 0x80; mask != 0x00; mask >>= 1) {
 				if(Handle14443bUartBit(b & mask)) {
 					*len = Uart.byteCnt;
-					return TRUE;
+					return true;
 				}
 			}
 		}
 	}
 
-	return FALSE;
+	return false;
 }
 
 //-----------------------------------------------------------------------------
@@ -324,10 +325,14 @@ static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
 //-----------------------------------------------------------------------------
 void SimulateIso14443bTag(void)
 {
-	// the only commands we understand is REQB, AFI=0, Select All, N=0:
-	static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
-	// ... and REQB, AFI=0, Normal Request, N=0:
-	static const uint8_t cmd2[] = { 0x05, 0x00, 0x00, 0x71, 0xFF };
+	// the only commands we understand is WUPB, AFI=0, Select All, N=1:
+	static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // WUPB
+	// ... and REQB, AFI=0, Normal Request, N=1:
+	static const uint8_t cmd2[] = { 0x05, 0x00, 0x00, 0x71, 0xFF }; // REQB
+	// ... and HLTB
+	static const uint8_t cmd3[] = { 0x50, 0xff, 0xff, 0xff, 0xff }; // HLTB
+	// ... and ATTRIB
+	static const uint8_t cmd4[] = { 0x1D, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB
 
 	// ... and we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
 	// supports only 106kBit/s in both directions, max frame size = 32Bytes,
@@ -336,11 +341,14 @@ void SimulateIso14443bTag(void)
 		0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
 		0x00, 0x21, 0x85, 0x5e, 0xd7
 	};
+	// response to HLTB and ATTRIB
+	static const uint8_t response2[] = {0x00, 0x78, 0xF0};
+
 
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 
 	clear_trace();
-	set_tracing(TRUE);
+	set_tracing(true);
 
 	const uint8_t *resp;
 	uint8_t *respCode;
@@ -359,9 +367,15 @@ void SimulateIso14443bTag(void)
 	memcpy(resp1Code, ToSend, ToSendMax);
 	uint16_t resp1CodeLen = ToSendMax;
 
+	// prepare the (other) tag answer:
+	CodeIso14443bAsTag(response2, sizeof(response2));
+	uint8_t *resp2Code = BigBuf_malloc(ToSendMax);
+	memcpy(resp2Code, ToSend, ToSendMax);
+	uint16_t resp2CodeLen = ToSendMax;
+
 	// We need to listen to the high-frequency, peak-detected path.
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-	FpgaSetupSsc();
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
 
 	cmdsRecvd = 0;
 
@@ -374,7 +388,7 @@ void SimulateIso14443bTag(void)
 
 		if (tracing) {
 			uint8_t parity[MAX_PARITY_SIZE];
-			LogTrace(receivedCmd, len, 0, 0, parity, TRUE);
+			LogTrace(receivedCmd, len, 0, 0, parity, true);
 		}
 
 		// Good, look at the command now.
@@ -384,18 +398,33 @@ void SimulateIso14443bTag(void)
 			respLen = sizeof(response1);
 			respCode = resp1Code;
 			respCodeLen = resp1CodeLen;
+		} else if ( (len == sizeof(cmd3) && receivedCmd[0] == cmd3[0])
+			|| (len == sizeof(cmd4) && receivedCmd[0] == cmd4[0]) ) {
+			resp = response2;
+			respLen = sizeof(response2);
+			respCode = resp2Code;
+			respCodeLen = resp2CodeLen;
 		} else {
 			Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
 			// And print whether the CRC fails, just for good measure
 			uint8_t b1, b2;
-			ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
-			if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
-				// Not so good, try again.
-				DbpString("+++CRC fail");
-			} else {
-				DbpString("CRC passes");
+			if (len >= 3){ // if crc exists
+				ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
+				if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
+					// Not so good, try again.
+					DbpString("+++CRC fail");
+		
+				} else {
+					DbpString("CRC passes");
+				}
 			}
-			break;
+			//get rid of compiler warning
+			respCodeLen = 0;
+			resp = response1;
+			respLen	= 0;
+			respCode = resp1Code;
+			//don't crash at new command just wait and see if reader will send other new cmds.
+			//break;
 		}
 
 		cmdsRecvd++;
@@ -412,7 +441,7 @@ void SimulateIso14443bTag(void)
 		LED_D_OFF();
 		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
 		AT91C_BASE_SSC->SSC_THR = 0xff;
-		FpgaSetupSsc();
+		FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
 
 		// Transmit the response.
 		uint16_t i = 0;
@@ -436,7 +465,7 @@ void SimulateIso14443bTag(void)
 		// trace the response:
 		if (tracing) {
 			uint8_t parity[MAX_PARITY_SIZE];
-			LogTrace(resp, respLen, 0, 0, parity, FALSE);
+			LogTrace(resp, respLen, 0, 0, parity, false);
 		}
 
 	}
@@ -507,54 +536,11 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
 
 #define SUBCARRIER_DETECT_THRESHOLD	8
 
-// Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by abs(ci) + abs(cq)
-/* #define CHECK_FOR_SUBCARRIER() { \
-		v = ci; \
-		if(v < 0) v = -v; \
-		if(cq > 0) { \
-			v += cq; \
-		} else { \
-			v -= cq; \
-		} \
-	}
- */
 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
-#define CHECK_FOR_SUBCARRIER() { \
-		if(ci < 0) { \
-			if(cq < 0) { /* ci < 0, cq < 0 */ \
-				if (cq < ci) { \
-					v = -cq - (ci >> 1); \
-				} else { \
-					v = -ci - (cq >> 1); \
-				} \
-			} else {	/* ci < 0, cq >= 0 */ \
-				if (cq < -ci) { \
-					v = -ci + (cq >> 1); \
-				} else { \
-					v = cq - (ci >> 1); \
-				} \
-			} \
-		} else { \
-			if(cq < 0) { /* ci >= 0, cq < 0 */ \
-				if (-cq < ci) { \
-					v = ci - (cq >> 1); \
-				} else { \
-					v = -cq + (ci >> 1); \
-				} \
-			} else {	/* ci >= 0, cq >= 0 */ \
-				if (cq < ci) { \
-					v = ci + (cq >> 1); \
-				} else { \
-					v = cq + (ci >> 1); \
-				} \
-			} \
-		} \
-	}
-
+#define AMPLITUDE(ci,cq) (MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2))
 	switch(Demod.state) {
 		case DEMOD_UNSYNCD:
-			CHECK_FOR_SUBCARRIER();
-			if(v > SUBCARRIER_DETECT_THRESHOLD) {	// subcarrier detected
+			if(AMPLITUDE(ci,cq) > SUBCARRIER_DETECT_THRESHOLD) {	// subcarrier detected
 				Demod.state = DEMOD_PHASE_REF_TRAINING;
 				Demod.sumI = ci;
 				Demod.sumQ = cq;
@@ -564,8 +550,7 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
 
 		case DEMOD_PHASE_REF_TRAINING:
 			if(Demod.posCount < 8) {
-				CHECK_FOR_SUBCARRIER();
-				if (v > SUBCARRIER_DETECT_THRESHOLD) {
+				if (AMPLITUDE(ci,cq) > SUBCARRIER_DETECT_THRESHOLD) {
 					// set the reference phase (will code a logic '1') by averaging over 32 1/fs.
 					// note: synchronization time > 80 1/fs
 					Demod.sumI += ci;
@@ -668,7 +653,7 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
 						LED_C_OFF();
 						if(s == 0x000) {
 							// This is EOF (start, stop and all data bits == '0'
-							return TRUE;
+							return true;
 						}
 					}
 				}
@@ -682,7 +667,7 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
 			break;
 	}
 
-	return FALSE;
+	return false;
 }
 
 
@@ -705,14 +690,15 @@ static void DemodInit(uint8_t *data)
 
 /*
  *  Demodulate the samples we received from the tag, also log to tracebuffer
- *  quiet: set to 'TRUE' to disable debug output
+ *  quiet: set to 'true' to disable debug output
  */
 static void GetSamplesFor14443bDemod(int n, bool quiet)
 {
-	int max = 0;
-	bool gotFrame = FALSE;
-	int lastRxCounter, ci, cq, samples = 0;
-
+	int maxBehindBy = 0;
+	bool gotFrame = false;
+	int lastRxCounter, samples = 0;
+	int8_t ci, cq;
+	
 	// Allocate memory from BigBuf for some buffers
 	// free all previous allocations first
 	BigBuf_free();
@@ -721,15 +707,19 @@ static void GetSamplesFor14443bDemod(int n, bool quiet)
 	uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
 
 	// The DMA buffer, used to stream samples from the FPGA
-	int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
+	uint16_t *dmaBuf = (uint16_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE * sizeof(uint16_t));
 
 	// Set up the demodulator for tag -> reader responses.
 	DemodInit(receivedResponse);
 
+	// wait for last transfer to complete
+	while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY))
+
 	// Setup and start DMA.
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
 	FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
 
-	int8_t *upTo = dmaBuf;
+	uint16_t *upTo = dmaBuf;
 	lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
 
 	// Signal field is ON with the appropriate LED:
@@ -738,43 +728,44 @@ static void GetSamplesFor14443bDemod(int n, bool quiet)
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
 
 	for(;;) {
-		int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
-		if(behindBy > max) max = behindBy;
-
-		while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) {
-			ci = upTo[0];
-			cq = upTo[1];
-			upTo += 2;
-			if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
-				upTo = dmaBuf;
-				AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
-				AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
-			}
-			lastRxCounter -= 2;
-			if(lastRxCounter <= 0) {
-				lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
-			}
+		int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
+		if(behindBy > maxBehindBy) {
+			maxBehindBy = behindBy;
+		}
 
-			samples += 2;
+		if(behindBy < 1) continue;
 
-			if(Handle14443bSamplesDemod(ci, cq)) {
-				gotFrame = TRUE;
-				break;
-			}
+		ci = *upTo >> 8;
+		cq = *upTo;
+		upTo++;
+		lastRxCounter--;
+		if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {               // we have read all of the DMA buffer content.
+			upTo = dmaBuf;                                             // start reading the circular buffer from the beginning
+			lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
+		}
+		if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) {              // DMA Counter Register had reached 0, already rotated.
+			AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;          // refresh the DMA Next Buffer and
+			AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;  // DMA Next Counter registers
+		}
+		samples++;
+
+		if(Handle14443bSamplesDemod(ci, cq)) {
+			gotFrame = true;
+			break;
 		}
 
-		if(samples > n || gotFrame) {
+		if(samples > n) {
 			break;
 		}
 	}
 
-	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+	FpgaDisableSscDma();
 
-	if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", max, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
+	if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", maxBehindBy, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
 	//Tracing
 	if (tracing && Demod.len > 0) {
 		uint8_t parity[MAX_PARITY_SIZE];
-		LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
+		LogTrace(Demod.output, Demod.len, 0, 0, parity, false);
 	}
 }
 
@@ -786,11 +777,7 @@ static void TransmitFor14443b(void)
 {
 	int c;
 
-	FpgaSetupSsc();
-
-	while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-		AT91C_BASE_SSC->SSC_THR = 0xff;
-	}
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_TX);
 
 	// Signal field is ON with the appropriate Red LED
 	LED_D_ON();
@@ -798,31 +785,15 @@ static void TransmitFor14443b(void)
 	LED_B_ON();
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
 
-	for(c = 0; c < 10;) {
-		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-			AT91C_BASE_SSC->SSC_THR = 0xff;
-			c++;
-		}
-		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-			volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-			(void)r;
-		}
-		WDT_HIT();
-	}
-
 	c = 0;
 	for(;;) {
 		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-			AT91C_BASE_SSC->SSC_THR = ToSend[c];
+			AT91C_BASE_SSC->SSC_THR = ~ToSend[c];
 			c++;
 			if(c >= ToSendMax) {
 				break;
 			}
 		}
-		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-			volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-			(void)r;
-		}
 		WDT_HIT();
 	}
 	LED_B_OFF(); // Finished sending
@@ -840,19 +811,14 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
 
 	ToSendReset();
 
-	// Establish initial reference level
-	for(i = 0; i < 40; i++) {
-		ToSendStuffBit(1);
-	}
 	// Send SOF
 	for(i = 0; i < 10; i++) {
 		ToSendStuffBit(0);
 	}
+	ToSendStuffBit(1);
+	ToSendStuffBit(1);
 
 	for(i = 0; i < len; i++) {
-		// Stop bits/EGT
-		ToSendStuffBit(1);
-		ToSendStuffBit(1);
 		// Start bit
 		ToSendStuffBit(0);
 		// Data bits
@@ -865,19 +831,18 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
 			}
 			b >>= 1;
 		}
+		// Stop bit
+		ToSendStuffBit(1);
 	}
+
 	// Send EOF
-	ToSendStuffBit(1);
 	for(i = 0; i < 10; i++) {
 		ToSendStuffBit(0);
 	}
-	for(i = 0; i < 8; i++) {
-		ToSendStuffBit(1);
-	}
+	ToSendStuffBit(1);
 
-	// And then a little more, to make sure that the last character makes
-	// it out before we switch to rx mode.
-	for(i = 0; i < 24; i++) {
+	// ensure that last byte is filled up
+	for(i = 0; i < 8; i++) {
 		ToSendStuffBit(1);
 	}
 
@@ -895,7 +860,7 @@ static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
 	TransmitFor14443b();
 	if (tracing) {
 		uint8_t parity[MAX_PARITY_SIZE];
-		LogTrace(cmd,len, 0, 0, parity, TRUE);
+		LogTrace(cmd,len, 0, 0, parity, true);
 	}
 }
 
@@ -917,7 +882,7 @@ int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *respo
 	// send
 	CodeAndTransmit14443bAsReader(message_frame, message_length + 4);
 	// get response
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT*100, TRUE);
+	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 	if(Demod.len < 3)
 	{
 		return 0;
@@ -947,7 +912,7 @@ int iso14443b_select_card()
 
 	// first, wake up the tag
 	CodeAndTransmit14443bAsReader(wupb, sizeof(wupb));
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 	// ATQB too short?
 	if (Demod.len < 14)
 	{
@@ -962,7 +927,7 @@ int iso14443b_select_card()
     attrib[7] = Demod.output[10] & 0x0F;
     ComputeCrc14443(CRC_14443_B, attrib, 9, attrib + 9, attrib + 10);
     CodeAndTransmit14443bAsReader(attrib, sizeof(attrib));
-    GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+    GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
     // Answer to ATTRIB too short?
     if(Demod.len < 3)
 	{
@@ -977,7 +942,7 @@ int iso14443b_select_card()
 void iso14443b_setup() {
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	// Set up the synchronous serial port
-	FpgaSetupSsc();
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_TX);
 	// connect Demodulated Signal to ADC:
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
@@ -985,9 +950,6 @@ void iso14443b_setup() {
     LED_D_ON();
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
 
-	// Start the timer
-	StartCountSspClk();
-
 	DemodReset();
 	UartReset();
 }
@@ -1013,7 +975,7 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	SpinDelay(200);
 
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-	FpgaSetupSsc();
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
 
 	// Now give it time to spin up.
 	// Signal field is on with the appropriate LED
@@ -1022,15 +984,17 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	SpinDelay(200);
 
 	clear_trace();
-	set_tracing(TRUE);
+	set_tracing(true);
 
 	// First command: wake up the tag using the INITIATE command
 	uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
 	CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 
 	if (Demod.len == 0) {
 		DbpString("No response from tag");
+		LED_D_OFF();
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 		return;
 	} else {
 		Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
@@ -1043,20 +1007,26 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	cmd1[1] = Demod.output[0];
 	ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
 	CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 	if (Demod.len != 3) {
 		Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
+		LED_D_OFF();
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 		return;
 	}
 	// Check the CRC of the answer:
 	ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
 	if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
 		DbpString("CRC Error reading select response.");
+		LED_D_OFF();
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 		return;
 	}
 	// Check response from the tag: should be the same UID as the command we just sent:
 	if (cmd1[1] != Demod.output[0]) {
 		Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
+		LED_D_OFF();
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 		return;
 	}
 
@@ -1065,9 +1035,11 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	cmd1[0] = 0x0B;
 	ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
 	CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 	if (Demod.len != 10) {
 		Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
+		LED_D_OFF();
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 		return;
 	}
 	// The check the CRC of the answer (use cmd1 as temporary variable):
@@ -1094,9 +1066,11 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 		cmd1[1] = i;
 		ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
 		CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-		GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+		GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 		if (Demod.len != 6) { // Check if we got an answer from the tag
 			DbpString("Expected 6 bytes from tag, got less...");
+			LED_D_OFF();
+			FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 			return;
 		}
 		// The check the CRC of the answer (use cmd1 as temporary variable):
@@ -1115,6 +1089,9 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 		}
 		i++;
 	}
+	
+	LED_D_OFF();
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 }
 
 
@@ -1137,22 +1114,17 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
  */
 void RAMFUNC SnoopIso14443b(void)
 {
-	// We won't start recording the frames that we acquire until we trigger;
-	// a good trigger condition to get started is probably when we see a
-	// response from the tag.
-	int triggered = TRUE;			// TODO: set and evaluate trigger condition
-
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	BigBuf_free();
 
 	clear_trace();
-	set_tracing(TRUE);
+	set_tracing(true);
 
 	// The DMA buffer, used to stream samples from the FPGA
-	int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
+	uint16_t *dmaBuf = (uint16_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE * sizeof(uint16_t));
 	int lastRxCounter;
-	int8_t *upTo;
-	int ci, cq;
+	uint16_t *upTo;
+	int8_t ci, cq;
 	int maxBehindBy = 0;
 
 	// Count of samples received so far, so that we can include timing
@@ -1177,55 +1149,57 @@ void RAMFUNC SnoopIso14443b(void)
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
 	// Setup for the DMA.
-	FpgaSetupSsc();
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
 	upTo = dmaBuf;
 	lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
 	FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
 	uint8_t parity[MAX_PARITY_SIZE];
 
-	bool TagIsActive = FALSE;
-	bool ReaderIsActive = FALSE;
+	bool TagIsActive = false;
+	bool ReaderIsActive = false;
+	// We won't start recording the frames that we acquire until we trigger.
+	// A good trigger condition to get started is probably when we see a
+	// reader command
+	bool triggered = false;
 
 	// And now we loop, receiving samples.
 	for(;;) {
-		int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
-								(ISO14443B_DMA_BUFFER_SIZE-1);
+		int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
 		if(behindBy > maxBehindBy) {
 			maxBehindBy = behindBy;
 		}
 
-		if(behindBy < 2) continue;
+		if(behindBy < 1) continue;
 
-		ci = upTo[0];
-		cq = upTo[1];
-		upTo += 2;
-		lastRxCounter -= 2;
-		if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
-			upTo = dmaBuf;
+		ci = *upTo>>8;
+		cq = *upTo;
+		upTo++;
+		lastRxCounter--;
+		if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {               // we have read all of the DMA buffer content.
+			upTo = dmaBuf;                                             // start reading the circular buffer from the beginning again
 			lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
-			AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
-			AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
-			WDT_HIT();
-			if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not?
-				Dbprintf("blew circular buffer! behindBy=%d", behindBy);
-				break;
-			}
-			if(!tracing) {
-				DbpString("Reached trace limit");
+			if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { 
+				Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
 				break;
 			}
+		}
+		if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) {              // DMA Counter Register had reached 0, already rotated.
+			AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;          // refresh the DMA Next Buffer and
+			AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;  // DMA Next Counter registers
+			WDT_HIT();
 			if(BUTTON_PRESS()) {
 				DbpString("cancelled");
 				break;
 			}
 		}
 
-		samples += 2;
+		samples++;
 
 		if (!TagIsActive) {							// no need to try decoding reader data if the tag is sending
 			if(Handle14443bUartBit(ci & 0x01)) {
-				if(triggered && tracing) {
-					LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
+				triggered = true;
+				if(tracing) {
+					LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, true);
 				}
 				/* And ready to receive another command. */
 				UartReset();
@@ -1234,8 +1208,9 @@ void RAMFUNC SnoopIso14443b(void)
 				DemodReset();
 			}
 			if(Handle14443bUartBit(cq & 0x01)) {
-				if(triggered && tracing) {
-					LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
+				triggered = true;
+				if(tracing) {
+					LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, true);
 				}
 				/* And ready to receive another command. */
 				UartReset();
@@ -1246,17 +1221,15 @@ void RAMFUNC SnoopIso14443b(void)
 			ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
 		}
 
-		if(!ReaderIsActive) {						// no need to try decoding tag data if the reader is sending - and we cannot afford the time
-			if(Handle14443bSamplesDemod(ci | 0x01, cq | 0x01)) {
+		if(!ReaderIsActive && triggered) {						// no need to try decoding tag data if the reader is sending or not yet triggered
+			if(Handle14443bSamplesDemod(ci/2, cq/2)) {
 
 				//Use samples as a time measurement
 				if(tracing)
 				{
 					uint8_t parity[MAX_PARITY_SIZE];
-					LogTrace(Demod.output, Demod.len, samples, samples, parity, FALSE);
+					LogTrace(Demod.output, Demod.len, samples, samples, parity, false);
 				}
-				triggered = TRUE;
-
 				// And ready to receive another response.
 				DemodReset();
 			}
@@ -1267,7 +1240,6 @@ void RAMFUNC SnoopIso14443b(void)
 
 	FpgaDisableSscDma();
 	LEDsoff();
-	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
 	DbpString("Snoop statistics:");
 	Dbprintf("  Max behind by: %i", maxBehindBy);
 	Dbprintf("  Uart State: %x", Uart.state);
@@ -1293,16 +1265,22 @@ void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, u
 {
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-	FpgaSetupSsc();
-
-	set_tracing(TRUE);
-
-	CodeAndTransmit14443bAsReader(data, datalen);
 
-	if(recv) {
-		GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
-		uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
-		cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
+	// switch field on and give tag some time to power up
+	LED_D_ON();
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_TX);
+	SpinDelay(10);
+
+	if (datalen){
+		set_tracing(true);
+		
+		CodeAndTransmit14443bAsReader(data, datalen);
+
+		if(recv) {
+			GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+			uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
+			cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
+		}
 	}
 
 	if(!powerfield) {