X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/ce432659f2b238ecaced79ae6fa520750690146c..847f7404ffe293e263532dd3773b6f5b03038f98:/armsrc/mifarecmd.c

diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index 47c7fc12..7fa3f525 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -16,8 +16,9 @@
 #include "mifarecmd.h"
 #include "apps.h"
 #include "util.h"
-
 #include "crc.h"
+#include "protocols.h"
+#include "parity.h"
 
 //-----------------------------------------------------------------------------
 // Select, Authenticate, Read a MIFARE tag. 
@@ -33,23 +34,24 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	
 	// variables
 	byte_t isOK = 0;
-	byte_t dataoutbuf[16];
-	uint8_t uid[10];
-	uint32_t cuid;
+	byte_t dataoutbuf[16] = {0x00};
+	uint8_t uid[10] = {0x00};
+	uint32_t cuid = 0;
 	struct Crypto1State mpcs = {0, 0};
 	struct Crypto1State *pcs;
 	pcs = &mpcs;
 
-	// clear trace
-	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
+	clear_trace();
+	set_tracing(true);
+
 	LED_A_ON();
 	LED_B_OFF();
 	LED_C_OFF();
 
 	while (true) {
-		if(!iso14443a_select_card(uid, NULL, &cuid)) {
+		if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 			if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 			break;
 		};
@@ -91,10 +93,13 @@ void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
 	bool turnOffField = (arg0 == 1);
 
 	LED_A_ON(); LED_B_OFF(); LED_C_OFF();
-	clear_trace();
+
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
-	if(!iso14443a_select_card(NULL, NULL, NULL)) {
+	clear_trace();
+	set_tracing(true);
+
+	if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
 		OnError(0);
 		return;
@@ -125,10 +130,12 @@ void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
 
 	LEDsoff();
 	LED_A_ON();
-	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
-	int len = iso14443a_select_card(NULL, NULL, NULL);
+	clear_trace();
+	set_tracing(true);
+
+	int len = iso14443a_select_card(NULL, NULL, NULL, true, 0);
 	if(!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
 		OnError(1);
@@ -189,23 +196,23 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	// variables
 	byte_t isOK = 0;
 	byte_t dataoutbuf[16 * 16];
-	uint8_t uid[10];
-	uint32_t cuid;
+	uint8_t uid[10] = {0x00};
+	uint32_t cuid = 0;
 	struct Crypto1State mpcs = {0, 0};
 	struct Crypto1State *pcs;
 	pcs = &mpcs;
 
-	// clear trace
-	clear_trace();
-
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
+	clear_trace();
+	set_tracing(true);
+	
 	LED_A_ON();
 	LED_B_OFF();
 	LED_C_OFF();
 
 	isOK = 1;
-	if(!iso14443a_select_card(uid, NULL, &cuid)) {
+	if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 		isOK = 0;
 		if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 	}
@@ -248,10 +255,15 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 // datain = KEY bytes
 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 {
+	LEDsoff();
+	LED_A_ON();
+	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+
 	// free eventually allocated BigBuf memory
 	BigBuf_free();
 	clear_trace();
-
+	set_tracing(true);
+	
 	// params
 	uint8_t blockNo = arg0;
 	uint16_t blocks = arg1;
@@ -265,11 +277,7 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 		return;
 	}
 
-	LEDsoff();
-	LED_A_ON();
-	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
-
-	int len = iso14443a_select_card(NULL, NULL, NULL);
+	int len = iso14443a_select_card(NULL, NULL, NULL, true, 0);
 	if (!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
 		OnError(1);
@@ -300,7 +308,7 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 	}
 
 	for (int i = 0; i < blocks; i++){
-		if ((i*4) + 4 > CARD_MEMORY_SIZE) {
+		if ((i*4) + 4 >= CARD_MEMORY_SIZE) {
 			Dbprintf("Data exceeds buffer!!");
 			break;
 		}
@@ -332,9 +340,11 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
 
 	countblocks *= 4;
-	cmd_send(CMD_ACK, 1, countblocks, countblocks, 0, 0);
+
+	cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();
+	BigBuf_free();
 }
 
 //-----------------------------------------------------------------------------
@@ -347,30 +357,30 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	uint8_t blockNo = arg0;
 	uint8_t keyType = arg1;
 	uint64_t ui64Key = 0;
-	byte_t blockdata[16];
+	byte_t blockdata[16] = {0x00};
 
 	ui64Key = bytes_to_num(datain, 6);
 	memcpy(blockdata, datain + 10, 16);
 	
 	// variables
 	byte_t isOK = 0;
-	uint8_t uid[10];
-	uint32_t cuid;
+	uint8_t uid[10] = {0x00};
+	uint32_t cuid = 0;
 	struct Crypto1State mpcs = {0, 0};
 	struct Crypto1State *pcs;
 	pcs = &mpcs;
 
-	// clear trace
-	clear_trace();
-
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
+	clear_trace();
+	set_tracing(true);
+	
 	LED_A_ON();
 	LED_B_OFF();
 	LED_C_OFF();
 
 	while (true) {
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
+			if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 			if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 			break;
 		};
@@ -409,7 +419,8 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	LEDsoff();
 }
 
-void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
+/* // Command not needed but left for future testing 
+void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
 {
 	uint8_t blockNo = arg0;
 	byte_t blockdata[16] = {0x00};
@@ -421,15 +432,16 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
 	LED_A_ON(); LED_B_OFF(); LED_C_OFF();
 
 	clear_trace();
+	set_tracing(true);
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
-	if(!iso14443a_select_card(uid, NULL, NULL)) {
+	if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) {
 		if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");
 		OnError(0);
 		return;
 	};
 
-	if(mifare_ultra_writeblock(blockNo, blockdata)) {
+	if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {
 		if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");
 		OnError(0);
 		return;	};
@@ -446,6 +458,7 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();
 }
+*/
 
 // Arg0   : Block to write to.
 // Arg1   : 0 = use no authentication.
@@ -453,7 +466,7 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
 //          2 = use 0x1B authentication.
 // datain : 4 first bytes is data to be written.
 //        : 4/16 next bytes is authentication key.
-void MifareUWriteBlock_Special(uint8_t arg0, uint8_t arg1, uint8_t *datain)
+void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
 {
 	uint8_t blockNo = arg0;
 	bool useKey = (arg1 == 1); //UL_C
@@ -464,10 +477,12 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t arg1, uint8_t *datain)
 	
 	LEDsoff();
 	LED_A_ON();
-	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
-	if(!iso14443a_select_card(NULL, NULL, NULL)) {
+	clear_trace();
+	set_tracing(true);
+	
+	if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
 		OnError(0);
 		return;
@@ -495,7 +510,7 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t arg1, uint8_t *datain)
 		}
 	}
 	
-	if(mifare_ultra_special_writeblock(blockNo, blockdata)) {
+	if(mifare_ultra_writeblock(blockNo, blockdata)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
 		OnError(0);
 		return;
@@ -522,10 +537,12 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
 	memcpy(pwd, datain, 16);
 	
 	LED_A_ON(); LED_B_OFF(); LED_C_OFF();
-	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
-	if(!iso14443a_select_card(NULL, NULL, NULL)) {
+	clear_trace();
+	set_tracing(true);
+	
+	if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
 		OnError(0);
 		return;
@@ -535,7 +552,7 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
 	blockdata[1] = pwd[6];
 	blockdata[2] = pwd[5];
 	blockdata[3] = pwd[4];
-	if(mifare_ultra_special_writeblock( 44, blockdata)) {
+	if(mifare_ultra_writeblock( 44, blockdata)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
 		OnError(44);
 		return;
@@ -545,7 +562,7 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
 	blockdata[1] = pwd[2];
 	blockdata[2] = pwd[1];
 	blockdata[3] = pwd[0];
-	if(mifare_ultra_special_writeblock( 45, blockdata)) {
+	if(mifare_ultra_writeblock( 45, blockdata)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
 		OnError(45);
 		return;
@@ -555,7 +572,7 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
 	blockdata[1] = pwd[14];
 	blockdata[2] = pwd[13];
 	blockdata[3] = pwd[12];
-	if(mifare_ultra_special_writeblock( 46, blockdata)) {
+	if(mifare_ultra_writeblock( 46, blockdata)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
 		OnError(46);
 		return;
@@ -565,7 +582,7 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
 	blockdata[1] = pwd[10];
 	blockdata[2] = pwd[9];
 	blockdata[3] = pwd[8];
-	if(mifare_ultra_special_writeblock( 47, blockdata)) {
+	if(mifare_ultra_writeblock( 47, blockdata)) {
 		if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
 		OnError(47);
 		return;
@@ -584,9 +601,141 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
 
 // Return 1 if the nonce is invalid else return 0
 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
-	return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
-	(oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
-	(oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
+	return ((oddparity8((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity8((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
+	(oddparity8((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity8((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
+	(oddparity8((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity8((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
+}
+
+
+//-----------------------------------------------------------------------------
+// acquire encrypted nonces in order to perform the attack described in
+// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
+// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on 
+// Computer and Communications Security, 2015
+//-----------------------------------------------------------------------------
+void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)
+{
+	uint64_t ui64Key = 0;
+	uint8_t uid[10] = {0x00};
+	uint32_t cuid = 0;
+	uint8_t cascade_levels = 0;
+	struct Crypto1State mpcs = {0, 0};
+	struct Crypto1State *pcs;
+	pcs = &mpcs;
+	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
+	int16_t isOK = 0;
+	uint8_t par_enc[1] = {0x00};
+	uint8_t nt_par_enc = 0;
+	uint8_t buf[USB_CMD_DATA_SIZE] = {0x00};
+	uint32_t timeout = 0;
+	
+	uint8_t blockNo = arg0 & 0xff;
+	uint8_t keyType = (arg0 >> 8) & 0xff;
+	uint8_t targetBlockNo = arg1 & 0xff;
+	uint8_t targetKeyType = (arg1 >> 8) & 0xff;
+	ui64Key = bytes_to_num(datain, 6);
+	bool initialize = flags & 0x0001;
+	bool slow = flags & 0x0002;
+	bool field_off = flags & 0x0004;
+	
+	#define AUTHENTICATION_TIMEOUT 848			// card times out 1ms after wrong authentication (according to NXP documentation)
+	#define PRE_AUTHENTICATION_LEADTIME 400		// some (non standard) cards need a pause after select before they are ready for first authentication 
+	
+	LED_A_ON();
+	LED_C_OFF();
+
+	if (initialize) {
+		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+		clear_trace();
+		set_tracing(true);
+	}
+	
+	LED_C_ON();
+	
+	uint16_t num_nonces = 0;
+	bool have_uid = false;
+	for (uint16_t i = 0; i <= USB_CMD_DATA_SIZE - 9; ) {
+
+		// Test if the action was cancelled
+		if(BUTTON_PRESS()) {
+			isOK = 2;
+			field_off = true;
+			break;
+		}
+
+		if (!have_uid) { // need a full select cycle to get the uid first
+			iso14a_card_select_t card_info;		
+			if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {
+				if (MF_DBGLEVEL >= 1)	Dbprintf("AcquireNonces: Can't select card (ALL)");
+				continue;
+			}
+			switch (card_info.uidlen) {
+				case 4 : cascade_levels = 1; break;
+				case 7 : cascade_levels = 2; break;
+				case 10: cascade_levels = 3; break;
+				default: break;
+			}
+			have_uid = true;	
+		} else { // no need for anticollision. We can directly select the card
+			if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels)) {
+				if (MF_DBGLEVEL >= 1)	Dbprintf("AcquireNonces: Can't select card (UID)");
+				continue;
+			}
+		}
+		
+		if (slow) {
+			timeout = GetCountSspClk() + PRE_AUTHENTICATION_LEADTIME;
+			while(GetCountSspClk() < timeout);
+		}
+
+		uint32_t nt1;
+		if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, NULL)) {
+			if (MF_DBGLEVEL >= 1)	Dbprintf("AcquireNonces: Auth1 error");
+			continue;
+		}
+
+		// nested authentication
+		uint16_t len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par_enc, NULL);
+		if (len != 4) {
+			if (MF_DBGLEVEL >= 1)	Dbprintf("AcquireNonces: Auth2 error len=%d", len);
+			continue;
+		}
+	
+		// send a dummy byte as reader response in order to trigger the cards authentication timeout
+		uint8_t dummy_answer = 0;
+		ReaderTransmit(&dummy_answer, 1, NULL);
+		timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;
+		
+		num_nonces++;
+		if (num_nonces % 2) {
+			memcpy(buf+i, receivedAnswer, 4);
+			nt_par_enc = par_enc[0] & 0xf0;
+		} else {
+			nt_par_enc |= par_enc[0] >> 4;
+			memcpy(buf+i+4, receivedAnswer, 4);
+			memcpy(buf+i+8, &nt_par_enc, 1);
+			i += 9;
+		}
+
+		// wait for the card to become ready again
+		while(GetCountSspClk() < timeout);
+	
+	}
+
+	LED_C_OFF();
+	
+	crypto1_destroy(pcs);
+	
+	LED_B_ON();
+	cmd_send(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));
+	LED_B_OFF();
+
+	if (MF_DBGLEVEL >= 3)	DbpString("AcquireEncryptedNonces finished");
+
+	if (field_off) {
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		LEDsoff();
+	}
 }
 
 
@@ -607,36 +756,37 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 	
 	// variables
 	uint16_t rtr, i, j, len;
-	uint16_t davg;
+	uint16_t davg = 0;
 	static uint16_t dmin, dmax;
-	uint8_t uid[10];
-	uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
-	uint8_t par[1];
-	uint32_t target_nt[2], target_ks[2];
+	uint8_t uid[10] = {0x00};
+	uint32_t cuid = 0, nt1, nt2, nttmp, nttest, ks1;
+	uint8_t par[1] = {0x00};
+	uint32_t target_nt[2] = {0x00}, target_ks[2] = {0x00};
 	
-	uint8_t par_array[4];
+	uint8_t par_array[4] = {0x00};
 	uint16_t ncount = 0;
 	struct Crypto1State mpcs = {0, 0};
 	struct Crypto1State *pcs;
 	pcs = &mpcs;
-	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
+	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
 
 	uint32_t auth1_time, auth2_time;
 	static uint16_t delta_time;
 
-	// free eventually allocated BigBuf memory
-	BigBuf_free();
-	// clear trace
-	clear_trace();
-	set_tracing(false);
-	
-	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
-
 	LED_A_ON();
 	LED_C_OFF();
+	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
+	// free eventually allocated BigBuf memory
+	BigBuf_free();
+
+	if (calibrate) clear_trace();
+	set_tracing(true);
 
 	// statistics on nonce distance
+	int16_t isOK = 0;
+	#define NESTED_MAX_TRIES 12
+	uint16_t unsuccessfull_tries = 0;
 	if (calibrate) {	// for first call only. Otherwise reuse previous calibration
 		LED_B_ON();
 		WDT_HIT();
@@ -647,6 +797,12 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 		
 		for (rtr = 0; rtr < 17; rtr++) {
 
+			// Test if the action was cancelled
+			if(BUTTON_PRESS()) {
+				isOK = -2;
+				break;
+			}
+
 			// prepare next select. No need to power down the card.
 			if(mifare_classic_halt(pcs, cuid)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Halt error");
@@ -654,7 +810,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 				continue;
 			}
 
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
+			if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Can't select card");
 				rtr--;
 				continue;
@@ -694,27 +850,29 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 					delta_time = auth2_time - auth1_time + 32;  // allow some slack for proper timing
 				}
 				if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
+			} else {
+				unsuccessfull_tries++;
+				if (unsuccessfull_tries > NESTED_MAX_TRIES) {	// card isn't vulnerable to nested attack (random numbers are not predictable)
+					isOK = -3;
+				}
 			}
 		}
-		
-		if (rtr <= 1)	return;
 
 		davg = (davg + (rtr - 1)/2) / (rtr - 1);
 		
-		if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
+		if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);
 
 		dmin = davg - 2;
 		dmax = davg + 2;
 		
 		LED_B_OFF();
-	
 	}
 //  -------------------------------------------------------------------------------------------------	
 	
 	LED_C_ON();
 
 	//  get crypted nonces for target sector
-	for(i=0; i < 2; i++) { // look for exactly two different nonces
+	for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces
 
 		target_nt[i] = 0;
 		while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
@@ -725,7 +883,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 				continue;
 			}
 
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
+			if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Can't select card");
 				continue;
 			};
@@ -738,7 +896,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 
 			// nested authentication
 			auth2_time = auth1_time + delta_time;
-			len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
+			len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
 			if (len != 4) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Auth2 error len=%d", len);
 				continue;
@@ -749,7 +907,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 			
 			// Parity validity check
 			for (j = 0; j < 4; j++) {
-				par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
+				par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
 			}
 			
 			ncount = 0;
@@ -792,33 +950,34 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 	memcpy(buf+16, &target_ks[1], 4);
 	
 	LED_B_ON();
-	cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
+	cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
 	LED_B_OFF();
 
 	if (MF_DBGLEVEL >= 3)	DbpString("NESTED FINISHED");
 
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();
-	set_tracing(TRUE);
+	set_tracing(FALSE);
 }
 
 //-----------------------------------------------------------------------------
 // MIFARE check keys. key count up to 85. 
 // 
 //-----------------------------------------------------------------------------
-void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 {
   // params
-	uint8_t blockNo = arg0;
-	uint8_t keyType = arg1;
+	uint8_t blockNo = arg0 & 0xff;
+	uint8_t keyType = (arg0 >> 8) & 0xff;
+	bool clearTrace = arg1;
 	uint8_t keyCount = arg2;
 	uint64_t ui64Key = 0;
 	
 	// variables
 	int i;
 	byte_t isOK = 0;
-	uint8_t uid[10];
-	uint32_t cuid;
+	uint8_t uid[10] = {0x00};
+	uint32_t cuid = 0;
 	struct Crypto1State mpcs = {0, 0};
 	struct Crypto1State *pcs;
 	pcs = &mpcs;
@@ -827,45 +986,40 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	int OLD_MF_DBGLEVEL = MF_DBGLEVEL;	
 	MF_DBGLEVEL = MF_DBG_NONE;
 	
-	// clear trace
-	clear_trace();
-	set_tracing(TRUE);
-
-	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
-
 	LED_A_ON();
 	LED_B_OFF();
 	LED_C_OFF();
+	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 
-	for (i = 0; i < keyCount; i++) {
-		if(mifare_classic_halt(pcs, cuid)) {
+	if (clearTrace) 
+		clear_trace();
+	
+	set_tracing(TRUE);
+
+	for (i = 0; i < keyCount; ++i) {
+		if (mifare_classic_halt(pcs, cuid))
 			if (MF_DBGLEVEL >= 1)	Dbprintf("ChkKeys: Halt error");
-		}
 
-		if(!iso14443a_select_card(uid, NULL, &cuid)) {
+		if (!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 			if (OLD_MF_DBGLEVEL >= 1)	Dbprintf("ChkKeys: Can't select card");
 			break;
-		};
+		}
 
 		ui64Key = bytes_to_num(datain + i * 6, 6);
-		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
+		if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST))
 			continue;
-		};
 		
 		isOK = 1;
 		break;
 	}
-	
-	//  ----------------------------- crypto1 destroy
 	crypto1_destroy(pcs);
 	
 	LED_B_ON();
     cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
-	LED_B_OFF();
-
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();
-
+	set_tracing(FALSE);
+	
 	// restore debug level
 	MF_DBGLEVEL = OLD_MF_DBGLEVEL;	
 }
@@ -882,17 +1036,25 @@ void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 //-----------------------------------------------------------------------------
 // Work with emulator memory
 // 
+// Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
+// involved in dealing with emulator memory. But if it is called later, it might
+// destroy the Emulator Memory.
 //-----------------------------------------------------------------------------
+
 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
+	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	emlClearMem();
 }
 
 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
-	emlSetMem(datain, arg0, arg1); // data, block num, blocks count
+	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+	if (arg2==0) arg2 = 16; // backwards compat... default bytewidth
+	emlSetMem_xt(datain, arg0, arg1, arg2); // data, block num, blocks count, block byte width
 }
 
 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
-	byte_t buf[USB_CMD_DATA_SIZE];
+	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+	byte_t buf[USB_CMD_DATA_SIZE] = {0x00};
 	emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
 
 	LED_B_ON();
@@ -908,29 +1070,27 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 	uint8_t numSectors = arg0;
 	uint8_t keyType = arg1;
 	uint64_t ui64Key = 0;
-	uint32_t cuid;
+	uint32_t cuid = 0;
 	struct Crypto1State mpcs = {0, 0};
 	struct Crypto1State *pcs;
 	pcs = &mpcs;
 
 	// variables
-	byte_t dataoutbuf[16];
-	byte_t dataoutbuf2[16];
-	uint8_t uid[10];
-
-	// clear trace
-	clear_trace();
-	set_tracing(false);
-	
-	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+	byte_t dataoutbuf[16] = {0x00};
+	byte_t dataoutbuf2[16] = {0x00};
+	uint8_t uid[10] = {0x00};
 
 	LED_A_ON();
 	LED_B_OFF();
 	LED_C_OFF();
+	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+	
+	clear_trace();
+	set_tracing(TRUE);
 	
 	bool isOK = true;
 
-	if(!iso14443a_select_card(uid, NULL, &cuid)) {
+	if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 		isOK = false;
 		if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 	}
@@ -956,7 +1116,7 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 				isOK = false;
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
 				break;
-			};
+			}
 			if (isOK) {
 				if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
 					emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
@@ -970,9 +1130,9 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 
 	}
 
-	if(mifare_classic_halt(pcs, cuid)) {
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-	};
+	if(mifare_classic_halt(pcs, cuid))
+		if (MF_DBGLEVEL >= 1)
+			Dbprintf("Halt error");
 
 	//  ----------------------------- crypto1 destroy
 	crypto1_destroy(pcs);
@@ -982,305 +1142,209 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 	
 	if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
 
+	set_tracing(FALSE);
 }
 
 
 //-----------------------------------------------------------------------------
 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
 // 
+// PARAMS - workFlags
+// bit 0 - need get UID
+// bit 1 - need wupC
+// bit 2 - need HALT after sequence
+// bit 3 - need turn on FPGA before sequence
+// bit 4 - need turn off FPGA
+// bit 5 - need to set datain instead of issuing USB reply (called via ARM for StandAloneMode14a)
+// bit 6 - wipe tag.
 //-----------------------------------------------------------------------------
-void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
+// magic uid card generation 1 commands
+uint8_t wupC1[] = { MIFARE_MAGICWUPC1 }; 
+uint8_t wupC2[] = { MIFARE_MAGICWUPC2 }; 
+uint8_t wipeC[] = { MIFARE_MAGICWIPEC }; 
+	
+void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
   
-  // params
-	uint8_t needWipe = arg0;
-	// bit 0 - need get UID
-	// bit 1 - need wupC
-	// bit 2 - need HALT after sequence
-	// bit 3 - need init FPGA and field before sequence
-	// bit 4 - need reset FPGA and LED
-	uint8_t workFlags = arg1;
-	uint8_t blockNo = arg2;
-	
-	// card commands
-	uint8_t wupC1[]       = { 0x40 }; 
-	uint8_t wupC2[]       = { 0x43 }; 
-	uint8_t wipeC[]       = { 0x41 }; 
+	// params
+	uint8_t workFlags = arg0;
+	uint8_t blockNo = arg1;
+	
+	Dbprintf("ICE :: CSetBlocks Flags %02x", workFlags);
 	
 	// variables
-	byte_t isOK = 0;
 	uint8_t uid[10] = {0x00};
-	uint8_t d_block[18] = {0x00};
-	uint32_t cuid;
+	uint8_t data[18] = {0x00};
+	uint32_t cuid = 0;
 	
 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
 
-	// reset FPGA and LED
-	if (workFlags & 0x08) {
+	if (workFlags & MAGIC_INIT) {
 		LED_A_ON();
 		LED_B_OFF();
-		LED_C_OFF();
-	
+		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 		clear_trace();
 		set_tracing(TRUE);
-		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 	}
 
-	while (true) {
-
-		// get UID from chip
-		if (workFlags & 0x01) {
-			if(!iso14443a_select_card(uid, NULL, &cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
-				//break;
-			};
-
-			if(mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				//break;
-			};
-		};
+	// read UID and return to client
+	if (workFlags & MAGIC_UID) {
+		if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
+			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("Can't select card");
+			OnErrorMagic(MAGIC_UID);
+		}
+	}
 	
-		// reset chip
-		if (needWipe){
-			ReaderTransmitBitsPar(wupC1,7,0, NULL);
-			if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC1 error");
-				break;
-			};
-
-			ReaderTransmit(wipeC, sizeof(wipeC), NULL);
-			if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("wipeC error");
-				break;
-			};
+	// wipe tag, fill it with zeros
+	if (workFlags & MAGIC_WIPE){
+		ReaderTransmitBitsPar(wupC1,7,0, NULL);
+		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
+			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wupC1 error");
+			OnErrorMagic(MAGIC_WIPE);
+		}
 
-			if(mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				break;
-			};
-		};	
+		ReaderTransmit(wipeC, sizeof(wipeC), NULL);
+		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
+			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wipeC error");
+			OnErrorMagic(MAGIC_WIPE);
+		}
+	}	
 
-		// write block
-		if (workFlags & 0x02) {
-			ReaderTransmitBitsPar(wupC1,7,0, NULL);
-			if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC1 error");
-				break;
-			};
+	// write block
+	if (workFlags & MAGIC_WUPC) {
+		ReaderTransmitBitsPar(wupC1,7,0, NULL);
+		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
+			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wupC1 error");
+			OnErrorMagic(MAGIC_WUPC);
+		}
 
-			ReaderTransmit(wupC2, sizeof(wupC2), NULL);
-			if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC2 error");
-				break;
-			};
+		ReaderTransmit(wupC2, sizeof(wupC2), NULL);
+		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
+			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wupC2 error");
+			OnErrorMagic(MAGIC_WUPC);
 		}
+	}
 
-		if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
-			if (MF_DBGLEVEL >= 1)	Dbprintf("write block send command error");
-			break;
-		};
+	if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_WRITEBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("write block send command error");
+		OnErrorMagic(4);
+	}
 	
-		memcpy(d_block, datain, 16);
-		AppendCrc14443a(d_block, 16);
+	memcpy(data, datain, 16);
+	AppendCrc14443a(data, 16);
 	
-		ReaderTransmit(d_block, sizeof(d_block), NULL);
-		if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
-			if (MF_DBGLEVEL >= 1)	Dbprintf("write block send data error");
-			break;
-		};	
+	ReaderTransmit(data, sizeof(data), NULL);
+	if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("write block send data error");
+		OnErrorMagic(0);
+	}	
 	
-		if (workFlags & 0x04) {
-			if (mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				break;
-			};
-		}
-		
-		isOK = 1;
-		break;
-	}
+	if (workFlags & MAGIC_OFF) 
+		mifare_classic_halt_ex(NULL);
 	
 	LED_B_ON();
-	cmd_send(CMD_ACK,isOK,0,0,uid,4);
+	// check if uid is cuid?
+	cmd_send(CMD_ACK,1,0,0,uid,sizeof(uid));
 	LED_B_OFF();
 
-	if ((workFlags & 0x10) || (!isOK)) {
-		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-		LEDsoff();
-	}
+	if (workFlags & MAGIC_OFF)
+		OnSuccessMagic();
 }
 
-
-void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
-  
-  // params
-	// bit 1 - need wupC
-	// bit 2 - need HALT after sequence
-	// bit 3 - need init FPGA and field before sequence
-	// bit 4 - need reset FPGA and LED
+void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
+    
 	uint8_t workFlags = arg0;
-	uint8_t blockNo = arg2;
-	
-	// card commands
-	uint8_t wupC1[]       = { 0x40 }; 
-	uint8_t wupC2[]       = { 0x43 }; 
-	
+	uint8_t blockNo = arg1;
+
 	// variables
-	byte_t isOK = 0;
-	uint8_t data[18] = {0x00};
-	uint32_t cuid = 0;
-	
+	uint8_t data[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
 	
-	if (workFlags & 0x08) {
+	memset(data, 0x00, sizeof(data));
+	
+	if (workFlags & MAGIC_INIT) {
 		LED_A_ON();
 		LED_B_OFF();
-		LED_C_OFF();
-	
+		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);	
 		clear_trace();
 		set_tracing(TRUE);
-		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
 	}
 
-	while (true) {
-		if (workFlags & 0x02) {
-			ReaderTransmitBitsPar(wupC1,7,0, NULL);
-			if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC1 error");
-				break;
-			};
-
-			ReaderTransmit(wupC2, sizeof(wupC2), NULL);
-			if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC2 error");
-				break;
-			};
+	if (workFlags & MAGIC_WUPC) {
+		ReaderTransmitBitsPar(wupC1,7,0, NULL);
+		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
+			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
+			OnErrorMagic(MAGIC_WUPC);
 		}
 
-		// read block
-		if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
-			if (MF_DBGLEVEL >= 1)	Dbprintf("read block send command error");
-			break;
-		};
-		memcpy(data, receivedAnswer, 18);
-		
-		if (workFlags & 0x04) {
-			if (mifare_classic_halt(NULL, cuid)) {
-				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");
-				break;
-			};
+		ReaderTransmit(wupC2, sizeof(wupC2), NULL);
+		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
+			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC2 error");
+			OnErrorMagic(MAGIC_WUPC);
 		}
-		
-		isOK = 1;
-		break;
 	}
+
+	// read block		
+	if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_READBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("read block send command error");
+		OnErrorMagic(0);
+	}
+	
+	memcpy(data, receivedAnswer, sizeof(data));
+	
+	// send HALT
+	if (workFlags & MAGIC_HALT) 
+		mifare_classic_halt_ex(NULL);
 	
 	LED_B_ON();
-	cmd_send(CMD_ACK,isOK,0,0,data,18);
+	
+	// if MAGIC_DATAIN, the data stays on device side.
+	if (workFlags & MAGIC_DATAIN)
+		memcpy(datain, data, sizeof(data));
+	else
+		cmd_send(CMD_ACK,1,0,0,data,sizeof(data));
+	
 	LED_B_OFF();
 
-	if ((workFlags & 0x10) || (!isOK)) {
-		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-		LEDsoff();
-	}
+	if (workFlags & MAGIC_OFF)
+		OnSuccessMagic();
 }
 
 void MifareCIdent(){
-  
-	// card commands
-	uint8_t wupC1[]       = { 0x40 }; 
-	uint8_t wupC2[]       = { 0x43 }; 
 	
 	// variables
-	byte_t isOK = 1;
-	
-	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
-	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
+	bool isOK = true;	
+	uint8_t receivedAnswer[1] = {0x00};
+	uint8_t receivedAnswerPar[1] = {0x00};
 
 	ReaderTransmitBitsPar(wupC1,7,0, NULL);
 	if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-		isOK = 0;
-	};
+		isOK = false;
+	}
 
 	ReaderTransmit(wupC2, sizeof(wupC2), NULL);
 	if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-		isOK = 0;
-	};
-
-	if (mifare_classic_halt(NULL, 0)) {
-		isOK = 0;
-	};
+		isOK = false;
+	}
 
+	// removed the if,  since some magic tags misbehavies and send an answer to it.
+	mifare_classic_halt(NULL, 0);
 	cmd_send(CMD_ACK,isOK,0,0,0,0);
 }
 
-void MifareCollectNonces(uint32_t arg0, uint32_t arg1){
-
-	BigBuf_free();
-
-	uint32_t iterations = arg0;
-	uint8_t uid[10] = {0x00};
-
-	uint8_t *response = BigBuf_malloc(MAX_MIFARE_FRAME_SIZE);
-	uint8_t *responsePar = BigBuf_malloc(MAX_MIFARE_PARITY_SIZE);
-
-	uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
-	
-	// get memory from BigBuf.
-	uint8_t *nonces = BigBuf_malloc(iterations * 4);
-
-	LED_A_ON();
-	LED_B_OFF();
-	LED_C_OFF();
-
-	clear_trace();
-	set_tracing(TRUE);
-	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
-	
-	for (int i = 0; i < iterations; i++) {
-						
-		WDT_HIT();
-
-		// Test if the action was cancelled
-		if(BUTTON_PRESS()) break;
-		
-		//		if(mifare_classic_halt(pcs, cuid)) {
-		//			if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
-		//}
-
-		if(!iso14443a_select_card(uid, NULL, NULL)) {
-			if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
-			continue;
-		};
-
-		// Transmit MIFARE_CLASSIC_AUTH.
-		ReaderTransmit(mf_auth, sizeof(mf_auth), NULL);
-
-		// Receive the (4 Byte) "random" nonce
-		if (!ReaderReceive(response, responsePar)) {
-			if (MF_DBGLEVEL >= 1)	Dbprintf("Couldn't receive tag nonce");
-			continue;
-		}	
-		
-		nonces[i*4] = bytes_to_num(response, 4);
-	}
-		
-	int packLen =  iterations * 4;
-	int packSize = 0;
-	int packNum = 0;
-	while (packLen > 0) {
-		packSize = MIN(USB_CMD_DATA_SIZE, packLen);
-		LED_B_ON();
-		cmd_send(CMD_ACK, 77, 0, packSize, nonces - packLen, packSize);
-		LED_B_OFF();
-
-		packLen -= packSize;
-		packNum++;
-	}
+void OnSuccessMagic(){
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();
+	set_tracing(FALSE);	
+}
+void OnErrorMagic(uint8_t reason){
+	//          ACK, ISOK, reason,0,0,0
+	cmd_send(CMD_ACK,0,reason,0,0,0);
+	OnSuccessMagic();
+}
+
+void MifareCollectNonces(uint32_t arg0, uint32_t arg1){
 }
 
 //
@@ -1289,14 +1353,15 @@ void MifareCollectNonces(uint32_t arg0, uint32_t arg1){
 
 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
 
-	byte_t dataout[11] = {0x00};
+	byte_t dataout[12] = {0x00};
 	uint8_t uid[10] = {0x00};
-	uint32_t cuid = 0x00;
+	uint32_t cuid = 0;
     
-	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+	clear_trace();
+	set_tracing(true);
 
-	int len = iso14443a_select_card(uid, NULL, &cuid);
+	int len = iso14443a_select_card(uid, NULL, &cuid, true, 0);
 	if(!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
 		OnError(1);