ADD: added the "hf snoop" patch original from @Enio, rearranged by @Etmatrix.

ADD: added the "t55x7" refactoring by @marshmellow42
2025-07-12 16:13:16 -07:00 · 2015-10-27 21:47:21 +01:00 · 2015-10-27 21:47:21 +01:00 · 1d0ccbe04b
commit 1d0ccbe04b
parent 1c8fbeb93e
24 changed files with 704 additions and 604 deletions
--- a/armsrc/Makefile
+++ b/armsrc/Makefile
@ -10,12 +10,12 @@ APP_INCLUDES = apps.h
 #remove one of the following defines and comment out the relevant line
 #in the next section to remove that particular feature from compilation  
-APP_CFLAGS	= -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE \
+APP_CFLAGS	= -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \
 				-fno-strict-aliasing -ffunction-sections -fdata-sections
 #-DWITH_LCD 
 #SRC_LCD = fonts.c LCD.c
-SRC_LF = lfops.c hitag2.c lfsampling.c pcf7931.c
+SRC_LF = lfops.c hitag2.c lfsampling.c pcf7931.c lfdemod.c protocols.c
 SRC_ISO15693 = iso15693.c iso15693tools.c
 SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c
 SRC_ISO14443b = iso14443b.c
@ -52,7 +52,6 @@ THUMBSRC = start.c \
 # These are to be compiled in ARM mode
 ARMSRC = fpgaloader.c \
 	legicrf.c \
 	lfdemod.c \
 	$(SRC_ISO14443a) \
 	$(SRC_ISO14443b) \
 	$(SRC_CRAPTO1) \
@ -60,7 +59,8 @@ ARMSRC = fpgaloader.c \
 	legic_prng.c \
 	iclass.c \
 	BigBuf.c \
-	optimized_cipher.c
+	optimized_cipher.c \
 	hfsnoop.c
 # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
 include ../common/Makefile.common
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -985,9 +985,6 @@ void UsbPacketReceived(uint8_t *packet, int len)
 		case CMD_T55XX_WRITE_BLOCK:
 			T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
 			break;
 		case CMD_T55XX_READ_TRACE:
 			T55xxReadTrace();
 			break;
 		case CMD_T55XX_WAKEUP:
 			T55xxWakeUp(c->arg[0]);
 			break;
@ -1236,6 +1233,11 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
 			break;
 #endif
 #ifdef WITH_HFSNOOP
 		case CMD_HF_SNIFFER:
 			HfSnoop(c->arg[0], c->arg[1]);
 			break;
 #endif
 		case CMD_BUFF_CLEAR:
 			BigBuf_Clear();
@ -1372,7 +1374,7 @@ void  __attribute__((noreturn)) AppMain(void)
 	AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
 	// PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
 	AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
-		AT91C_PMC_PRES_CLK_4;
+		AT91C_PMC_PRES_CLK_4; //  4 for 24Mhz pck0, 2 for 48 MHZ pck0
 	AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
 	// Reset SPI
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -86,11 +86,10 @@ void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an ioPro
 void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
-void CopyIndala64toT55x7(int hi, int lo); // Clone Indala 64-bit tag by UID to T55x7
+void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
-void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7); // Clone Indala 224-bit tag by UID to T55x7
+void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7
 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode);
 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd);
 void T55xxReadTrace(void);
 void T55xxWakeUp(uint32_t Pwd);
 void TurnReadLFOn();
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
@ -208,5 +207,6 @@ bool cmd_receive(UsbCommand* cmd);
 bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len);
 /// util.h
 void HfSnoop(int , int);
 #endif
--- a/armsrc/fpgaloader.h
+++ b/armsrc/fpgaloader.h
@ -43,6 +43,7 @@ void SetAdcMuxFor(uint32_t whichGpio);
 #define FPGA_MAJOR_MODE_HF_READER_RX_XCORR			(1<<5)
 #define FPGA_MAJOR_MODE_HF_SIMULATOR				(2<<5)
 #define FPGA_MAJOR_MODE_HF_ISO14443A				(3<<5)
 #define FPGA_MAJOR_MODE_HF_SNOOP				    (4<<5)
 // BOTH
 #define FPGA_MAJOR_MODE_OFF							(7<<5)
 // Options for LF_ADC
--- a/armsrc/hfsnoop.c
+++ b/armsrc/hfsnoop.c
@ -0,0 +1,76 @@
 #include "proxmark3.h"
 #include "apps.h"
 #include "BigBuf.h"
 #include "util.h"
 static void RAMFUNC optimizedSnoop(void);
 static void RAMFUNC optimizedSnoop(void)
 {
 	BigBuf_free();
 	int n = BigBuf_max_traceLen() / sizeof(uint16_t); // take all memory
 	uint16_t *dest = (uint16_t *)BigBuf_get_addr();
 	uint16_t *destend = dest + n;
 	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame mode, 16 bits per word
 	// Reading data loop
 	while(dest <= destend)
 	{
 		if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)
 		{
 			*dest = (uint16_t)(AT91C_BASE_SSC->SSC_RHR);
 			dest = dest + 1;
 		}
 	}
 	//Resetting Frame mode (First set in fpgaloader.c)
 	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
 }
 void HfSnoop(int samplesToSkip, int triggersToSkip)
 {
 	Dbprintf("Skipping first %d sample pairs, Skipping %d triggers.\n", samplesToSkip, triggersToSkip);
 	bool trigger_cnt;
 	LED_D_ON();
 	// Select correct configs
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	// Set up the synchronous serial port
 	FpgaSetupSsc();
 	// connect Demodulated Signal to ADC:
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNOOP);
 	SpinDelay(100);
 	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame Mode For better performance on high speed data transfer.
 	trigger_cnt = 0;
 	uint16_t r = 0;
 	while(!BUTTON_PRESS()) {
 		WDT_HIT();
 		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
 			r = (uint16_t)AT91C_BASE_SSC->SSC_RHR;
 			if (!(trigger_cnt == triggersToSkip) && ( (r >> 8) >= 240)) 
 			{
 				Dbprintf("Trigger kicked! Value: %d.", r >> 8);
 				trigger_cnt++;
 				break;
 			} 
 		}
 	}
 	if(!BUTTON_PRESS()) {
 		Dbprintf("Trigger kicked! Value: %d, Dumping Samples Hispeed now.", r >> 8);
 		int waitcount = samplesToSkip; // lets wait 40000 ticks of pck0
 		while(waitcount != 0) {
 			if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
 				waitcount--;
 			}
 		}
 		optimizedSnoop();
 	}
 	DbpString("HF Snoop end");
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LED_D_OFF();
 }
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@ -16,8 +16,8 @@
 #include "string.h"
 #include "lfdemod.h"
 #include "lfsampling.h"
-#include "usb_cdc.h"
+#include "protocols.h"
-
+#include "usb_cdc.h" //test
 /**
 * Function to do a modulation and then get samples.
@ -1053,61 +1053,9 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
 /*------------------------------
 * T5555/T5557/T5567 routines
 *------------------------------
- */
+ * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h 
-
+ *
-/* T55x7 configuration register definitions */
+ * Relevant communication times in microsecond
 #define T55x7_POR_DELAY				0x00000001
 #define T55x7_ST_TERMINATOR			0x00000008
 #define T55x7_PWD					0x00000010
 #define T55x7_MAXBLOCK_SHIFT		5
 #define T55x7_AOR					0x00000200
 #define T55x7_PSKCF_RF_2			0
 #define T55x7_PSKCF_RF_4			0x00000400
 #define T55x7_PSKCF_RF_8			0x00000800
 #define T55x7_MODULATION_DIRECT		0
 #define T55x7_MODULATION_PSK1		0x00001000
 #define T55x7_MODULATION_PSK2		0x00002000
 #define T55x7_MODULATION_PSK3		0x00003000
 #define T55x7_MODULATION_FSK1		0x00004000
 #define T55x7_MODULATION_FSK2		0x00005000
 #define T55x7_MODULATION_FSK1a		0x00006000
 #define T55x7_MODULATION_FSK2a		0x00007000
 #define T55x7_MODULATION_MANCHESTER	0x00008000
 #define T55x7_MODULATION_BIPHASE	0x00010000
 #define T55x7_MODULATION_DIPHASE	0x00018000
 //#define T55x7_MODULATION_BIPHASE57	0x00011000
 #define T55x7_BITRATE_RF_8			0
 #define T55x7_BITRATE_RF_16			0x00040000
 #define T55x7_BITRATE_RF_32			0x00080000
 #define T55x7_BITRATE_RF_40			0x000C0000
 #define T55x7_BITRATE_RF_50			0x00100000
 #define T55x7_BITRATE_RF_64			0x00140000
 #define T55x7_BITRATE_RF_100		0x00180000
 #define T55x7_BITRATE_RF_128		0x001C0000
 /* T5555 (Q5) configuration register definitions */
 #define T5555_ST_TERMINATOR			0x00000001
 #define T5555_MAXBLOCK_SHIFT		0x00000001
 #define T5555_MODULATION_MANCHESTER	0
 #define T5555_MODULATION_PSK1		0x00000010
 #define T5555_MODULATION_PSK2		0x00000020
 #define T5555_MODULATION_PSK3		0x00000030
 #define T5555_MODULATION_FSK1		0x00000040
 #define T5555_MODULATION_FSK2		0x00000050
 #define T5555_MODULATION_BIPHASE	0x00000060
 #define T5555_MODULATION_DIRECT		0x00000070
 #define T5555_INVERT_OUTPUT			0x00000080
 #define T5555_PSK_RF_2				0
 #define T5555_PSK_RF_4				0x00000100
 #define T5555_PSK_RF_8				0x00000200
 #define T5555_USE_PWD				0x00000400
 #define T5555_USE_AOR				0x00000800
 #define T5555_BITRATE_SHIFT			12
 #define T5555_FAST_WRITE			0x00004000
 #define T5555_PAGE_SELECT			0x00008000
 /*
 * Relevant times in microsecond
 * To compensate antenna falling times shorten the write times
 * and enlarge the gap ones.
 * Q5 tags seems to have issues when these values changes. 
@ -1136,24 +1084,29 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
 void TurnReadLFOn(int delay) {
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 	// Give it a bit of time for the resonant antenna to settle.
-	SpinDelayUs(delay); //155*8 //50*8
+
 	// measure antenna strength.
 	//int adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
 	// where to save it
 	SpinDelayUs(delay);
 }
 // Write one bit to card
 void T55xxWriteBit(int bit) {
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 	if (!bit)
-		SpinDelayUs(WRITE_0);
+		TurnReadLFOn(WRITE_0);
 	else
-		SpinDelayUs(WRITE_1);
+		TurnReadLFOn(WRITE_1);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	SpinDelayUs(WRITE_GAP);
 }
 // Write one card block in page 0, no lock
-void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode) {
+void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
 	LED_A_ON();
-	
+	bool PwdMode = arg & 0x1;
 	uint8_t Page = (arg & 0x2)>>1;
 	uint32_t i = 0;
 	// Set up FPGA, 125kHz
@ -1165,8 +1118,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
 	// Opcode 10
 	T55xxWriteBit(1);
-	T55xxWriteBit(0); //Page 0
+	T55xxWriteBit(Page); //Page 0
 	if (PwdMode){
 		// Send Pwd
 		for (i = 0x80000000; i != 0; i >>= 1)
@ -1186,20 +1138,24 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
 	// Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
 	// so wait a little more)
 	TurnReadLFOn(20 * 1000);
 		//could attempt to do a read to confirm write took
 		// as the tag should repeat back the new block 
 		// until it is reset, but to confirm it we would 
 		// need to know the current block 0 config mode
 	// turn field off
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	cmd_send(CMD_ACK,0,0,0,0,0);
 	LED_A_OFF();
 	LED_B_OFF();
 }
 // Read one card block in page 0
 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
 	LED_A_ON();
-	uint8_t PwdMode = arg0 & 0x01;
+	bool PwdMode = arg0 & 0x1;
-	uint8_t Page    = arg0 & 0x02;
+	uint8_t Page = (arg0 & 0x2) >> 1;
 	uint32_t i = 0;
 	bool RegReadMode = (Block == 0xFF);
 	//clear buffer now so it does not interfere with timing later
 	BigBuf_Clear_ext(false);
@ -1207,14 +1163,14 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
 	//make sure block is at max 7
 	Block &= 0x7;
-	// Set up FPGA, 125kHz
+	// Set up FPGA, 125kHz to power up the tag
 	LFSetupFPGAForADC(95, true);
-	// Trigger T55x7 Direct Access Mode
+	// Trigger T55x7 Direct Access Mode with start gap
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	SpinDelayUs(START_GAP);
-	// Opcode 10
+	// Opcode 1[page]
 	T55xxWriteBit(1);
 	T55xxWriteBit(Page); //Page 0
@ -1223,11 +1179,11 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
 		for (i = 0x80000000; i != 0; i >>= 1)
 			T55xxWriteBit(Pwd & i);
 	}
 	// Send a zero bit separation
 	T55xxWriteBit(0);
-	// Send Block number
+	// Send Block number (if direct access mode)
 	if (!RegReadMode)
 	for (i = 0x04; i != 0; i >>= 1)
 		T55xxWriteBit(Block & i);
@ -1237,54 +1193,10 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
 	// Acquisition
 	doT55x7Acquisition();
-	// turn field off
+	// Turn the field off
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	cmd_send(CMD_ACK,0,0,0,0,0);    
 	LED_A_OFF();
 	LED_B_OFF();
 }
 // Read card traceability data (page 1)
 void T55xxReadTrace(void){
 	// LED_A_ON();
 	// uint8_t PwdMode = arg0 & 0xFF;
 	// uint32_t i = 0;
 	// //clear buffer now so it does not interfere with timing later
 	// BigBuf_Clear_ext(false);
 	// // Set up FPGA, 125kHz
 	// LFSetupFPGAForADC(95, true);
 	// // Trigger T55x7 Direct Access Mode
 	// FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	// SpinDelayUs(START_GAP);
 	// // Opcode 11
 	// T55xxWriteBit(1);
 	// T55xxWriteBit(1); //Page 1
 	// if (PwdMode){
 		// // Send Pwd
 		// for (i = 0x80000000; i != 0; i >>= 1)
 			// T55xxWriteBit(Pwd & i);
 	// }
 	// // Send a zero bit separation
 	// T55xxWriteBit(0);
 	// // Turn field on to read the response
 	// TurnReadLFOn(READ_GAP);
 	// // Acquisition
 	// doT55x7Acquisition();
 	// // turn field off
 	// FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	// cmd_send(CMD_ACK,0,0,0,0,0);
 	// LED_A_OFF();
 	// LED_B_OFF();
 }
 void T55xxWakeUp(uint32_t Pwd){
@ -1306,16 +1218,23 @@ void T55xxWakeUp(uint32_t Pwd){
 	for (i = 0x80000000; i != 0; i >>= 1)
 		T55xxWriteBit(Pwd & i);
-	// Turn field on to read the response
+	// Turn and leave field on to let the begin repeating transmission
 	TurnReadLFOn(20*1000);
 }
 /*-------------- Cloning routines -----------*/
 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
 	// write last block first and config block last (if included)
 	for (uint8_t i = numblocks; i > startblock; i--)
 		T55xxWriteBlock(blockdata[i-1],i-1,0,0);
 }
 // Copy HID id to card and setup block 0 config
-void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
+void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
-{
+	uint32_t data[] = {0,0,0,0,0,0,0};
-	int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format
+	//int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format
-	int last_block = 0;
+	uint8_t last_block = 0;
 	if (longFMT){
 		// Ensure no more than 84 bits supplied
@ -1325,108 +1244,34 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
 		}
 		// Build the 6 data blocks for supplied 84bit ID
 		last_block = 6;
-		data1 = 0x1D96A900; // load preamble (1D) & long format identifier (9E manchester encoded)
+		// load preamble (1D) & long format identifier (9E manchester encoded)
-		for (int i=0;i<4;i++) {
+		data[1] = 0x1D96A900 | manchesterEncode2Bytes((hi2 >> 16) & 0xF);
-			if (hi2 & (1<<(19-i)))
+		// load raw id from hi2, hi, lo to data blocks (manchester encoded)
-				data1 |= (1<<(((3-i)*2)+1)); // 1 -> 10
+		data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
-			else
+		data[3] = manchesterEncode2Bytes(hi >> 16);
-				data1 |= (1<<((3-i)*2)); // 0 -> 01
+		data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
-		}
+		data[5] = manchesterEncode2Bytes(lo >> 16);
-
+		data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
-		data2 = 0;
+	}	else {
 		for (int i=0;i<16;i++) {
 			if (hi2 & (1<<(15-i)))
 				data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10
 			else
 				data2 |= (1<<((15-i)*2)); // 0 -> 01
 		}
 		data3 = 0;
 		for (int i=0;i<16;i++) {
 			if (hi & (1<<(31-i)))
 				data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10
 			else
 				data3 |= (1<<((15-i)*2)); // 0 -> 01
 		}
 		data4 = 0;
 		for (int i=0;i<16;i++) {
 			if (hi & (1<<(15-i)))
 				data4 |= (1<<(((15-i)*2)+1)); // 1 -> 10
 			else
 				data4 |= (1<<((15-i)*2)); // 0 -> 01
 		}
 		data5 = 0;
 		for (int i=0;i<16;i++) {
 			if (lo & (1<<(31-i)))
 				data5 |= (1<<(((15-i)*2)+1)); // 1 -> 10
 			else
 				data5 |= (1<<((15-i)*2)); // 0 -> 01
 		}
 		data6 = 0;
 		for (int i=0;i<16;i++) {
 			if (lo & (1<<(15-i)))
 				data6 |= (1<<(((15-i)*2)+1)); // 1 -> 10
 			else
 				data6 |= (1<<((15-i)*2)); // 0 -> 01
 		}
 	}
 	else {
 		// Ensure no more than 44 bits supplied
 		if (hi>0xFFF) {
 			DbpString("Tags can only have 44 bits.");
 			return;
 		}
 		// Build the 3 data blocks for supplied 44bit ID
 		last_block = 3;
-
+		// load preamble
-		data1 = 0x1D000000; // load preamble
+		data[1] = 0x1D000000 | manchesterEncode2Bytes(hi & 0xFFF);
-
+		data[2] = manchesterEncode2Bytes(lo >> 16);
-		for (int i=0;i<12;i++) {
+		data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
 			if (hi & (1<<(11-i)))
 				data1 |= (1<<(((11-i)*2)+1)); // 1 -> 10
 			else
 				data1 |= (1<<((11-i)*2)); // 0 -> 01
 		}
 		data2 = 0;
 		for (int i=0;i<16;i++) {
 			if (lo & (1<<(31-i)))
 				data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10
 			else
 				data2 |= (1<<((15-i)*2)); // 0 -> 01
 		}
 		data3 = 0;
 		for (int i=0;i<16;i++) {
 			if (lo & (1<<(15-i)))
 				data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10
 			else
 				data3 |= (1<<((15-i)*2)); // 0 -> 01
 		}
 	}
 	// load chip config block
 	data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
 	LED_D_ON();
 	// Program the data blocks for supplied ID
 	// and the block 0 for HID format
-	T55xxWriteBlock(data1,1,0,0);
+	WriteT55xx(data, 0, last_block+1);
 	T55xxWriteBlock(data2,2,0,0);
 	T55xxWriteBlock(data3,3,0,0);
 	if (longFMT) { // if long format there are 6 blocks
 		T55xxWriteBlock(data4,4,0,0);
 		T55xxWriteBlock(data5,5,0,0);
 		T55xxWriteBlock(data6,6,0,0);
 	}
 	// Config for HID (RF/50, FSK2a, Maxblock=3 for short/6 for long)
 	T55xxWriteBlock(T55x7_BITRATE_RF_50    |
 					T55x7_MODULATION_FSK2a |
 					last_block << T55x7_MAXBLOCK_SHIFT,
 					0,0,0);
 	LED_D_OFF();
@ -1435,24 +1280,42 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
 void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT)
 {
-	int data1=0, data2=0; //up to six blocks for long format
+	uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
 	data1 = hi;  // load preamble
 	data2 = lo;
 	LED_D_ON();
 	// Program the data blocks for supplied ID
-	// and the block 0 for HID format
+	// and the block 0 config
-	T55xxWriteBlock(data1,1,0,0);
+	WriteT55xx(data, 0, 3);
 	T55xxWriteBlock(data2,2,0,0);
 	//Config Block
 	T55xxWriteBlock(0x00147040,0,0,0);
 	LED_D_OFF();
 	DbpString("DONE!");
 }
 // Clone Indala 64-bit tag by UID to T55x7
 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
 	//Program the 2 data blocks for supplied 64bit UID
 	// and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
 	uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
 	WriteT55xx(data, 0, 3);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
 	//	T5567WriteBlock(0x603E1042,0);
 	DbpString("DONE!");
 }
 // Clone Indala 224-bit tag by UID to T55x7
 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7)
 {
 	//Program the 7 data blocks for supplied 224bit UID
 	uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
 	// and the block 0 for Indala224 format	
 	//Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
 	data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
 	WriteT55xx(data, 0, 8);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
 	//	T5567WriteBlock(0x603E10E2,0);
 	DbpString("DONE!");
 }
 // Define 9bit header for EM410x tags
 #define EM410X_HEADER		0x1FF
 #define EM410X_ID_LENGTH	40
@ -1518,94 +1381,29 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo)
 	LED_D_ON();
 	// Write EM410x ID
-	T55xxWriteBlock((uint32_t)(id >> 32), 1, 0, 0);
+	uint32_t data[] = {0, id>>32, id & 0xFFFF};
 	T55xxWriteBlock((uint32_t)id, 2, 0, 0);
 	// Config for EM410x (RF/64, Manchester, Maxblock=2)
 	if (card) {
 		// Clock rate is stored in bits 8-15 of the card value
 		clock = (card & 0xFF00) >> 8;
 		clock = (clock == 0) ? 64 : clock;
 		Dbprintf("Clock rate: %d", clock);
-		switch (clock) {
+		clock = GetT55xxClockBit(clock);
-		case 50:
+		if (clock == 0) {
 			clock = T55x7_BITRATE_RF_50;
 		case 40:
 			clock = T55x7_BITRATE_RF_40;
 		case 32:
 			clock = T55x7_BITRATE_RF_32;
 			break;
 		case 16:
 			clock = T55x7_BITRATE_RF_16;
 			break;
 		case 0:
 			// A value of 0 is assumed to be 64 for backwards-compatibility
 			// Fall through...
 		case 64:
 			clock = T55x7_BITRATE_RF_64;
 			break;
 		default:
 			Dbprintf("Invalid clock rate: %d", clock);
 			return;
 		}
-		// Writing configuration for T55x7 tag
+		data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
-		T55xxWriteBlock(clock	    |
+	} else {
-						T55x7_MODULATION_MANCHESTER |
+		data[0] = (0x1F << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
 						2 << T55x7_MAXBLOCK_SHIFT,
 						0, 0, 0);
 	}
-	else
+
-		// Writing configuration for T5555(Q5) tag
+	WriteT55xx(data, 0, 3);
 		T55xxWriteBlock(0x1F << T5555_BITRATE_SHIFT |
 						T5555_MODULATION_MANCHESTER |
 						2 << T5555_MAXBLOCK_SHIFT,
 						0, 0, 0);
 	LED_D_OFF();
 	Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
 			 (uint32_t)(id >> 32), (uint32_t)id);
 }
 // Clone Indala 64-bit tag by UID to T55x7
 void CopyIndala64toT55x7(int hi, int lo)
 {
 	//Program the 2 data blocks for supplied 64bit UID
 	// and the block 0 for Indala64 format
 	T55xxWriteBlock(hi,1,0,0);
 	T55xxWriteBlock(lo,2,0,0);
 	//Config for Indala (RF/32;PSK1 with RF/2;Maxblock=2)
 	T55xxWriteBlock(T55x7_BITRATE_RF_32    |
 					T55x7_MODULATION_PSK1 |
 					2 << T55x7_MAXBLOCK_SHIFT,
 					0, 0, 0);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
 	//	T5567WriteBlock(0x603E1042,0);
 	DbpString("DONE!");
 }
 void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7)
 {
 	//Program the 7 data blocks for supplied 224bit UID
 	// and the block 0 for Indala224 format
 	T55xxWriteBlock(uid1,1,0,0);
 	T55xxWriteBlock(uid2,2,0,0);
 	T55xxWriteBlock(uid3,3,0,0);
 	T55xxWriteBlock(uid4,4,0,0);
 	T55xxWriteBlock(uid5,5,0,0);
 	T55xxWriteBlock(uid6,6,0,0);
 	T55xxWriteBlock(uid7,7,0,0);
 	//Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
 	T55xxWriteBlock(T55x7_BITRATE_RF_32    |
 					T55x7_MODULATION_PSK1 |
 					7 << T55x7_MAXBLOCK_SHIFT,
 					0,0,0);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
 	//	T5567WriteBlock(0x603E10E2,0);
 	DbpString("DONE!");
 }
 //-----------------------------------
 // EM4469 / EM4305 routines
 //-----------------------------------
--- a/armsrc/lfsampling.c
+++ b/armsrc/lfsampling.c
@ -255,9 +255,8 @@ uint32_t SnoopLF() {
 void doT55x7Acquisition(void){
 	#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10  (32 bit times numofblock (7), times clock skip..)
-	#define T55xx_UPPER_THRESHOLD 128+40  // 50
+	#define T55xx_READ_UPPER_THRESHOLD 128+40  // 50
 	#define T55xx_READ_TOL   5
 	#define T55xx_LOWER_THRESHOLD 128-40  //-50
 	uint8_t *dest = BigBuf_get_addr();
 	uint16_t bufsize = BigBuf_max_traceLen();
@ -265,40 +264,43 @@ void doT55x7Acquisition(void){
 	if ( bufsize > T55xx_SAMPLES_SIZE )
 		bufsize = T55xx_SAMPLES_SIZE;
 	//int adcval = 0;
 	uint16_t i = 0;
 	bool startFound = false;
 	bool highFound = false;
-	uint8_t sample = 0;
+	uint8_t curSample = 0;
 	uint8_t firstSample = 0;
-	while(!BUTTON_PRESS()) {
+	uint16_t skipCnt = 0;
 	while(!BUTTON_PRESS() && skipCnt<1000) {
 		WDT_HIT();		
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
-			AT91C_BASE_SSC->SSC_THR = 0x00;
+			AT91C_BASE_SSC->SSC_THR = 0x43;
 			LED_D_ON();
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
-			sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+			curSample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;	
 			LED_D_OFF();
 			// find first high sample
-			if (!startFound && sample > T55xx_UPPER_THRESHOLD) {
+			if (!startFound && curSample > T55xx_READ_UPPER_THRESHOLD) {
-				if (sample > firstSample) 
+				if (curSample > firstSample) 
-					firstSample = sample;
+					firstSample = curSample;
-				highFound = TRUE;
+				highFound = true;
 			} else if (!highFound) {
 				skipCnt++;
 				continue;
 			}
 			// skip until samples begin to change
-			if (startFound || sample < firstSample - T55xx_READ_TOL){
+			if (startFound || curSample < firstSample-T55xx_READ_TOL){
 				if (!startFound) 
 					dest[i++] = firstSample;
-				startFound = TRUE;
+				startFound = true;
-				dest[i++] = sample;
+				dest[i++] = curSample;
-			
+				if (i >= bufsize-1) break;
 			// exit condition.
 			if (i >= bufsize) break;
 			}
 		}
 	}
-}
+}
--- a/client/cmdhf.c
+++ b/client/cmdhf.c
@ -736,6 +736,14 @@ int CmdHFSearch(const char *Cmd){
 	return 0;
 }
 int CmdHFSnoop(const char *Cmd)
 {
 	char * pEnd;
 	UsbCommand c = {CMD_HF_SNIFFER, {strtol(Cmd, &pEnd,0),strtol(pEnd, &pEnd,0),0}};
 	SendCommand(&c);
 	return 0;
 }
 static command_t CommandTable[] = 
 {
  {"help",        CmdHelp,          1, "This help"},
@ -752,6 +760,7 @@ static command_t CommandTable[] =
  {"tune",			CmdHFTune,      0, "Continuously measure HF antenna tuning"},
  {"list",        CmdHFList,        1, "List protocol data in trace buffer"},
  {"search",      CmdHFSearch,      1, "Search for known HF tags [preliminary]"},
  {"snoop",       CmdHFSnoop,       0, "<samples to skip (10000)> <triggers to skip (1)> Generic LF/HF Snoop in Testing stage"},
 	{NULL, NULL, 0, NULL}
 };
--- a/client/cmdhfmfdes.c
+++ b/client/cmdhfmfdes.c
@ -611,7 +611,7 @@ int CmdHF14ADesAuth(const char *Cmd){
 	c.d.asBytes[0] = keylength;
 	memcpy(c.d.asBytes+1, key, keylength);
-	
+	clearCommandBuffer();
    SendCommand(&c);
 	UsbCommand resp;
--- a/client/cmdhfmfu.c
+++ b/client/cmdhfmfu.c
@ -1209,7 +1209,49 @@ int usage_hf_mfu_eload(void) {
 	return 0;
 }
 int usage_hf_mfu_ucauth(void) {
 	PrintAndLog("Usage:  hf mfu cauth k <key number>");
 	PrintAndLog("      0 (default): 3DES standard key");
 	PrintAndLog("      1 : all 0x00 key");
 	PrintAndLog("      2 : 0x00-0x0F key");
 	PrintAndLog("      3 : nfc key");
 	PrintAndLog("      4 : all 0x01 key");
 	PrintAndLog("      5 : all 0xff key");
 	PrintAndLog("      6 : 0x00-0xFF key");		
 	PrintAndLog("\n      sample : hf mfu cauth k");
 	PrintAndLog("               : hf mfu cauth k 3");
 	return 0;
 }
 int usage_hf_mfu_ucsetpwd(void) {
 	PrintAndLog("Usage:  hf mfu setpwd <password (32 hex symbols)>");
 	PrintAndLog("       [password] - (32 hex symbols)");
 	PrintAndLog("");
 	PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f");
 	PrintAndLog("");
 	return 0;
 }
 int usage_hf_mfu_ucsetuid(void) {
 	PrintAndLog("Usage:  hf mfu setuid <uid (14 hex symbols)>");
 	PrintAndLog("       [uid] - (14 hex symbols)");
 	PrintAndLog("\nThis only works for Magic Ultralight tags.");
 	PrintAndLog("");
 	PrintAndLog("sample: hf mfu setuid 11223344556677");
 	PrintAndLog("");
 	return 0;
 }
 int  usage_hf_mfu_gendiverse(void){
 	PrintAndLog("Usage:  hf mfu gen <uid (8 hex symbols)>");
 	PrintAndLog("");
 	PrintAndLog("sample: hf mfu gen 11223344");
 	PrintAndLog("");
 	return 0;
 }
 //
 //  Mifare Ultralight / Ultralight-C / Ultralight-EV1
 //  Read and Dump Card Contents,  using auto detection of tag size.
 int CmdHF14AMfUDump(const char *Cmd){
@ -1455,6 +1497,7 @@ int CmdHF14AMfUDump(const char *Cmd){
 // Ultralight C Methods
 //-------------------------------------------------------------------------------
 //
 // Ultralight C Authentication Demo {currently uses hard-coded key}
 //
@ -1472,22 +1515,9 @@ int CmdHF14AMfucAuth(const char *Cmd){
 			errors = true;
 	}
-	if (cmdp == 'h' || cmdp == 'H')
+	if (cmdp == 'h' || cmdp == 'H') errors = true;
 		errors = true;
-	if (errors) {
+	if (errors) return usage_hf_mfu_ucauth(); 
 		PrintAndLog("Usage:  hf mfu cauth k <key number>");
 		PrintAndLog("      0 (default): 3DES standard key");
 		PrintAndLog("      1 : all 0x00 key");
 		PrintAndLog("      2 : 0x00-0x0F key");
 		PrintAndLog("      3 : nfc key");
 		PrintAndLog("      4 : all 0x01 key");
 		PrintAndLog("      5 : all 0xff key");
 		PrintAndLog("      6 : 0x00-0xFF key");		
 		PrintAndLog("\n      sample : hf mfu cauth k");
 		PrintAndLog("               : hf mfu cauth k 3");
 		return 0;
 	} 
 	uint8_t *key = default_3des_keys[keyNo];
 	if (ulc_authentication(key, true))
@ -1601,17 +1631,9 @@ int CmdTestDES(const char * cmd)
 int CmdHF14AMfucSetPwd(const char *Cmd){
 	uint8_t pwd[16] = {0x00};	
 	char cmdp = param_getchar(Cmd, 0);
-	if (strlen(Cmd) == 0  || cmdp == 'h' || cmdp == 'H') {	
+	if (strlen(Cmd) == 0  || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetpwd();
 		PrintAndLog("Usage:  hf mfu setpwd <password (32 hex symbols)>");
 		PrintAndLog("       [password] - (32 hex symbols)");
 		PrintAndLog("");
 		PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f");
 		PrintAndLog("");
 		return 0;
 	}
 	if (param_gethex(Cmd, 0, pwd, 32)) {
 		PrintAndLog("Password must include 32 HEX symbols");
@ -1624,7 +1646,6 @@ int CmdHF14AMfucSetPwd(const char *Cmd){
 	SendCommand(&c);
 	UsbCommand resp;
 	if (WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
 		if ( (resp.arg[0] & 0xff) == 1)
 			PrintAndLog("Ultralight-C new password: %s", sprint_hex(pwd,16));
@ -1636,8 +1657,7 @@ int CmdHF14AMfucSetPwd(const char *Cmd){
 	else {
 		PrintAndLog("command execution time out");
 		return 1;
-	}
+	}	
 	return 0;
 }
@ -1650,17 +1670,8 @@ int CmdHF14AMfucSetUid(const char *Cmd){
 	UsbCommand resp;
 	uint8_t uid[7] = {0x00};
 	char cmdp = param_getchar(Cmd, 0);
-	
+	if (strlen(Cmd) == 0  || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetuid();
-	if (strlen(Cmd) == 0  || cmdp == 'h' || cmdp == 'H') {	
+
 		PrintAndLog("Usage:  hf mfu setuid <uid (14 hex symbols)>");
 		PrintAndLog("       [uid] - (14 hex symbols)");
 		PrintAndLog("\nThis only works for Magic Ultralight tags.");
 		PrintAndLog("");
 		PrintAndLog("sample: hf mfu setuid 11223344556677");
 		PrintAndLog("");
 		return 0;
 	}
 	if (param_gethex(Cmd, 0, uid, 14)) {
 		PrintAndLog("UID must include 14 HEX symbols");
 		return 1;
@ -1724,14 +1735,20 @@ int CmdHF14AMfucSetUid(const char *Cmd){
 }
 int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
 	uint8_t uid[4];	
 	char cmdp = param_getchar(Cmd, 0);
 	if (strlen(Cmd) == 0  || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_gendiverse();
 	if (param_gethex(Cmd, 0, uid, 8)) {
 		PrintAndLog("UID must include 8 HEX symbols");
 		return 1;
 	}
 	uint8_t iv[8] = { 0x00 };
-	uint8_t block = 0x07;
+	uint8_t block = 0x01;
 	// UL-EV1
 	//04 57 b6 e2 05 3f 80 UID
 	//4a f8 4b 19   PWD
 	uint8_t uid[] = { 0xF4,0xEA, 0x54, 0x8E };
 	uint8_t mifarekeyA[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 };
 	uint8_t mifarekeyB[] = { 0xB0,0xB1,0xB2,0xB3,0xB4,0xB5 };
 	uint8_t dkeyA[8] = { 0x00 };
@ -1760,15 +1777,13 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
 		, divkey         // output
 		);
-	PrintAndLog("3DES version");
+	PrintAndLog("-- 3DES version");
 	PrintAndLog("Masterkey    :\t %s", sprint_hex(masterkey,sizeof(masterkey)));
 	PrintAndLog("UID          :\t %s", sprint_hex(uid, sizeof(uid)));
-	PrintAndLog("Sector       :\t %0d", block);
+	PrintAndLog("block        :\t %0d", block);
 	PrintAndLog("Mifare key   :\t %s", sprint_hex(mifarekeyA, sizeof(mifarekeyA)));
 	PrintAndLog("Message      :\t %s", sprint_hex(mix, sizeof(mix)));
 	PrintAndLog("Diversified key: %s", sprint_hex(divkey+1, 6));
 	PrintAndLog("\n DES version");
 	for (int i=0; i < sizeof(mifarekeyA); ++i){
 		dkeyA[i] = (mifarekeyA[i] << 1) & 0xff;
@ -1798,20 +1813,19 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
 		, newpwd         // output
 		);
 	PrintAndLog("\n-- DES version");
 	PrintAndLog("Mifare dkeyA :\t %s", sprint_hex(dkeyA, sizeof(dkeyA)));
 	PrintAndLog("Mifare dkeyB :\t %s", sprint_hex(dkeyB, sizeof(dkeyB)));
 	PrintAndLog("Mifare ABA   :\t %s", sprint_hex(dmkey, sizeof(dmkey)));
 	PrintAndLog("Mifare Pwd   :\t %s", sprint_hex(newpwd, sizeof(newpwd)));
 	// next. from the diversify_key method.	
 	return 0;
 }
 // static uint8_t * diversify_key(uint8_t * key){
- // for(int i=0; i<16; i++){
+
   // if(i<=6) key[i]^=cuid[i];
   // if(i>6) key[i]^=cuid[i%7];
 // }
 // return key;
 // }
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@ -26,9 +26,11 @@
 #include "../common/iso14443crc.h"
 #include "cmdhf14a.h"
-#define CONFIGURATION_BLOCK 0x00
+#define T55x7_CONFIGURATION_BLOCK 0x00
-#define TRACE_BLOCK 0x01
+#define T55x7_PAGE0 0x00
 #define T55x7_PAGE1 0x01
 #define T55x7_PWD	0x00000010
 #define REGULAR_READ_MODE_BLOCK 0xFF
 // Default configuration
 t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00};
@ -50,11 +52,12 @@ int usage_t55xx_config(){
 	return 0;
 }
 int usage_t55xx_read(){
-	PrintAndLog("Usage:  lf t55xx read b <block> p <password> <override_safety>");
+	PrintAndLog("Usage:  lf t55xx read [b <block>] [p <password>] <override_safety> <page1>");
 	PrintAndLog("Options:");
-    PrintAndLog("     b <block>,	block number to read. Between 0-7");
+	PrintAndLog("     b <block>    - block number to read. Between 0-7");
-    PrintAndLog("     p <password>, OPTIONAL password 4bytes (8 hex symbols)");
+	PrintAndLog("     p <password> - OPTIONAL password (8 hex characters)");
-	PrintAndLog("     o,			OPTIONAL override safety check");
+	PrintAndLog("     o            - OPTIONAL override safety check");
 	PrintAndLog("     1            - OPTIONAL read Page 1 instead of Page 0");
 	PrintAndLog("     ****WARNING****");
 	PrintAndLog("     Use of read with password on a tag not configured for a pwd");
 	PrintAndLog("     can damage the tag");
@ -67,22 +70,23 @@ int usage_t55xx_read(){
 	return 0;
 }
 int usage_t55xx_write(){
-	PrintAndLog("Usage:  lf t55xx write <block> <data> [password]");
+	PrintAndLog("Usage:  lf t55xx wr [b <block>] [d <data>] [p <password>] [1]");
 	PrintAndLog("Options:");
-	PrintAndLog("     <block>, block number to write. Between 0-7");
+	PrintAndLog("     b <block>    - block number to write. Between 0-7");
-	PrintAndLog("     <data>,  4 bytes of data to write (8 hex symbols)");
+	PrintAndLog("     d <data>     - 4 bytes of data to write (8 hex characters)");
-    PrintAndLog("     [password], OPTIONAL password 4bytes (8 hex symbols)");
+	PrintAndLog("     p <password> - OPTIONAL password 4bytes (8 hex characters)");
 	PrintAndLog("     1            - OPTIONAL write Page 1 instead of Page 0");
    PrintAndLog("");
 	PrintAndLog("Examples:");
-	PrintAndLog("      lf t55xx write 3 11223344           - write 11223344 to block 3");
+	PrintAndLog("      lf t55xx write b 3 d 11223344            - write 11223344 to block 3");
-	PrintAndLog("      lf t55xx write 3 11223344 feedbeef  - write 11223344 to block 3 password feedbeef");
+	PrintAndLog("      lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef");
 	PrintAndLog("");
 	return 0;
 }
 int usage_t55xx_trace() {
 	PrintAndLog("Usage:  lf t55xx trace [1]");
 	PrintAndLog("Options:");
-	PrintAndLog("     [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");
+	PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");
 	PrintAndLog("");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf t55xx trace");
@ -93,7 +97,7 @@ int usage_t55xx_trace() {
 int usage_t55xx_info() {
 	PrintAndLog("Usage:  lf t55xx info [1]");
 	PrintAndLog("Options:");
-	PrintAndLog("     [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");
+	PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");
 	PrintAndLog("");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf t55xx info");
@ -102,20 +106,21 @@ int usage_t55xx_info() {
 	return 0;
 }
 int usage_t55xx_dump(){
-	PrintAndLog("Usage:  lf t55xx dump <password>");
+	PrintAndLog("Usage:  lf t55xx dump <password> [o]");
 	PrintAndLog("Options:");
-    PrintAndLog("     <password>, OPTIONAL password 4bytes (8 hex symbols)");
+	PrintAndLog("     <password>  - OPTIONAL password 4bytes (8 hex symbols)");
 	PrintAndLog("     o           - OPTIONAL override, force pwd read despite danger to card");
 	PrintAndLog("");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf t55xx dump");
-	PrintAndLog("      lf t55xx dump feedbeef");
+	PrintAndLog("      lf t55xx dump feedbeef o");
 	PrintAndLog("");
 	return 0;
 }
 int usage_t55xx_detect(){
 	PrintAndLog("Usage:  lf t55xx detect [1]");
 	PrintAndLog("Options:");
-	PrintAndLog("     [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");
+	PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");
 	PrintAndLog("");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf t55xx detect");
@ -146,8 +151,7 @@ int CmdT55xxSetConfig(const char *Cmd) {
 	char tmp = 0x00;
 	uint8_t bitRate = 0;
 	uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};
-	while(param_getchar(Cmd, cmdp) != 0x00 && !errors)
+	while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 	{
 		tmp = param_getchar(Cmd, cmdp);
 		switch(tmp)
 		{
@ -234,12 +238,43 @@ int CmdT55xxSetConfig(const char *Cmd) {
 	return printConfiguration ( config );
 }
 int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){
 	//Password mode
 	if ( usepwd ) {
 		// try reading the config block and verify that PWD bit is set before doing this!
 		if ( !override ) {
 			if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0;
 			if ( !tryDetectModulation() ) {
 				PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");
 				return 0;
 			} else {
 				PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password...");	
 				usepwd = false;
 				page1 = false;
 			}
 		} else {
 			PrintAndLog("Safety Check Overriden - proceeding despite risk");
 		}
 	}
 	if (!AquireData(page1, block, usepwd, password) ) return 0;
 	if (!DecodeT55xxBlock()) return 0;
 	char blk[10]={0};
 	sprintf(blk,"%d", block);
 	printT55xxBlock(blk);	
 	return 1;
 }
 int CmdT55xxReadBlock(const char *Cmd) {
-	uint8_t block = 255;
+	uint8_t block = REGULAR_READ_MODE_BLOCK;
 	uint32_t password = 0; //default to blank Block 7
-	bool usepwd = FALSE;
+	bool usepwd = false;
-	bool override = FALSE;	
+	bool override = false;
-	bool errors = FALSE;
+	bool page1 = false;
 	bool errors = false;
 	uint8_t cmdp = 0;
 	while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 		switch(param_getchar(Cmd, cmdp)) {
@ -258,10 +293,14 @@ int CmdT55xxReadBlock(const char *Cmd) {
 			break;
 		case 'p':
 		case 'P':
-			password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16);
+			password = param_get32ex(Cmd, cmdp+1, 0, 16);
-			usepwd = TRUE;
+			usepwd = true;
 			cmdp += 2;
 			break;
 		case '1':
 			page1 = true;
 			cmdp++;
 			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
@ -270,49 +309,13 @@ int CmdT55xxReadBlock(const char *Cmd) {
 	}
 	if (errors) return usage_t55xx_read();
-	if ( block > 7 ) {
+	if (block > 7 && block != REGULAR_READ_MODE_BLOCK	) {
 		PrintAndLog("Block must be between 0 and 7");
-		return 1;
+		return 0;
 	}	
 	UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, block, password}};
 	//Password mode
 	if ( usepwd ) {
 		// try reading the config block and verify that PWD bit is set before doing this!
 		if ( !override ) {
 			AquireData( CONFIGURATION_BLOCK );
 			if ( !tryDetectModulation() ) {
 				PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");
 				return 1;
 			} else {		
 				PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password...");	
 			}
 		} else {		
 			PrintAndLog("Safety Check Overriden - proceeding despite risk");
 			c.arg[0] = usepwd;
 		}
 	}
-
+	PrintAndLog("Reading Page %d:", page1);	
-	clearCommandBuffer();
+	PrintAndLog("blk | hex data | binary");
-	SendCommand(&c);
+	return T55xxReadBlock(block, page1, usepwd, override, password);
 	if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
 		PrintAndLog("command execution time out");
 		return 2;
 	}
 	uint8_t got[12000];
 	GetFromBigBuf(got,sizeof(got),0);
 	WaitForResponse(CMD_ACK,NULL);
 	setGraphBuf(got, sizeof(got));
 	if (!DecodeT55xxBlock()) return 3;
 	char blk[10]={0};
 	sprintf(blk,"%d", block);	
 	printT55xxBlock(blk);
 	return 0;
 }
 bool DecodeT55xxBlock(){
@ -323,9 +326,6 @@ bool DecodeT55xxBlock(){
 	uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};
 	DemodBufferLen = 0x00;
 	//trim 1/2 a clock from beginning
 	//snprintf(cmdStr, sizeof(buf),"%d", bitRate[config.bitrate]/2 );
 	//CmdLtrim(cmdStr);
 	switch( config.modulation ){
 		case DEMOD_FSK:
 			snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted );
@ -372,21 +372,36 @@ bool DecodeT55xxBlock(){
 int CmdT55xxDetect(const char *Cmd){
 	bool override = false;
 	//bool pwdmode = false;
 	uint32_t password = 0; //default to blank Block 7
 	bool usepwd = ( strlen(Cmd) > 0);	
 	if ( usepwd ){
 		password = param_get32ex(Cmd, 0, 0, 16);
 		if (param_getchar(Cmd, 1) =='o' )
 			override = true;
 	}
 	char cmdp = param_getchar(Cmd, 0);
 	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_detect();
-	if (strlen(Cmd)==0)
+	if (strlen(Cmd)==0) {
-		AquireData( CONFIGURATION_BLOCK );
+		password = param_get32ex(Cmd, 0, 0, 16);
 		if (param_getchar(Cmd, 1) =='o' ) override = true;
 	}
 	if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )
 		return 0;
 	if ( !tryDetectModulation() )
 		PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");
-	return 0;
+	return 1;
 }
 // detect configuration?
 bool tryDetectModulation(){
 	//char cmdStr[8] = {0};
 	uint8_t hits = 0;
 	t55xx_conf_block_t tests[15];
 	int bitRate=0;
@ -394,8 +409,6 @@ bool tryDetectModulation(){
 	save_restoreGB(1);
 	if (GetFskClock("", FALSE, FALSE)){ 
 		fskClocks(&fc1, &fc2, &clk, FALSE);
 		//sprintf(cmdStr,"%d", clk/2);
 		//CmdLtrim(cmdStr);
 		if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate)){
 			tests[hits].modulation = DEMOD_FSK;
 			if (fc1==8 && fc2 == 5)
@ -422,8 +435,6 @@ bool tryDetectModulation(){
 	} else {
 		clk = GetAskClock("", FALSE, FALSE);
 		if (clk>0) {
 			//sprintf(cmdStr,"%d", clk/2);
 			//CmdLtrim(cmdStr);
 			if ( ASKDemod("0 0 0", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate)) {
 				tests[hits].modulation = DEMOD_ASK;
 				tests[hits].bitrate = bitRate;
@ -457,8 +468,6 @@ bool tryDetectModulation(){
 		save_restoreGB(0);
 		clk = GetNrzClock("", FALSE, FALSE);
 		if (clk>0) {
 			//sprintf(cmdStr,"%d", clk/2);
 			//CmdLtrim(cmdStr);
 			if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate)) {
 				tests[hits].modulation = DEMOD_NRZ;
 				tests[hits].bitrate = bitRate;
@ -480,9 +489,6 @@ bool tryDetectModulation(){
 		save_restoreGB(0);
 		clk = GetPskClock("", FALSE, FALSE);
 		if (clk>0) {
 			//PrintAndLog("clk %d",clk);
 			//sprintf(cmdStr,"%d", clk/2);
 			//CmdLtrim(cmdStr);	
 			if ( PSKDemod("0 0 1", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate)) {
 				tests[hits].modulation = DEMOD_PSK1;
 				tests[hits].bitrate = bitRate;
@ -700,66 +706,126 @@ int printConfiguration( t55xx_conf_block_t b){
 	return 0;
 }
-int CmdT55xxWriteBlock(const char *Cmd) {
+int CmdT55xxWakeUp(const char *Cmd) {
-	int block = 8; //default to invalid block
+	uint32_t password = 0;
-	int data = 0xFFFFFFFF; //default to blank Block 
+	uint8_t cmdp = 0;
-	int password = 0xFFFFFFFF; //default to blank Block 7
+	bool errors = false;
-	
+	while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
-	char cmdp = param_getchar(Cmd, 0);
+		switch(param_getchar(Cmd, cmdp)) {
-	if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_write();
+		case 'h':
- 
+		case 'H':
-	int res = sscanf(Cmd, "%d %x %x",&block, &data, &password);
+			return usage_t55xx_wakup();
-	
+		case 'p':
-	if ( res < 2 || res > 3) {
+		case 'P':
-		usage_t55xx_write();
+			password = param_get32ex(Cmd, cmdp+1, 0, 16);
-		return 1;
+			cmdp += 2;
 			errors = false;
 			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
 			break;
 		}
 	}
 	if (errors) return usage_t55xx_wakup();
 	UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};
 	clearCommandBuffer();
 	SendCommand(&c);
 	PrintAndLog("Wake up command sent. Try read now");
 	return 0;
 }
 int CmdT55xxWriteBlock(const char *Cmd) {
 	uint8_t block = 0xFF; //default to invalid block
 	uint32_t data = 0; //default to blank Block 
 	uint32_t password = 0; //default to blank Block 7
 	bool usepwd = false;
 	bool page1 = false;	
 	bool gotdata = false;
 	bool errors = false;
 	uint8_t cmdp = 0;
 	while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 		switch(param_getchar(Cmd, cmdp)) {
 		case 'h':
 		case 'H':
 			return usage_t55xx_write();
 		case 'b':
 		case 'B':
 			errors |= param_getdec(Cmd, cmdp+1, &block);
 			cmdp += 2;
 			break;
 		case 'd':
 		case 'D':
 			data = param_get32ex(Cmd, cmdp+1, 0, 16);
 			gotdata	= true;
 			cmdp += 2;
 			break;
 		case 'p':
 		case 'P':
 			password = param_get32ex(Cmd, cmdp+1, 0, 16);
 			usepwd = true;
 			cmdp += 2;
 			break;
 		case '1':
 			page1 = true;
 			cmdp++;
 			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
 			break;
 		}
 	}
 	if (errors || !gotdata) return usage_t55xx_write();
 	if (block > 7) {
 		PrintAndLog("Block number must be between 0 and 7");
-		return 1;
+		return 0;
 	}
 	UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}};
 	UsbCommand resp;
- 	c.d.asBytes[0] = 0x0; 
+ 	c.d.asBytes[0] = (page1) ? 0x2 : 0; 
-	PrintAndLog("Writing to block: %d  data  : 0x%08X", block, data);
+	PrintAndLog("Writing to page: %d  block: %d  data : 0x%08X", page1, block, data);
 	//Password mode
-	if (res == 3) {
+	if (usepwd) {
 		c.arg[2] = password;
-		c.d.asBytes[0] = 0x1; 
+		c.d.asBytes[0] |= 0x1; 
 		PrintAndLog("pwd   : 0x%08X", password);
 	}
 	clearCommandBuffer();
 	SendCommand(&c);
 	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
 		PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");
 		return -1;
 	}
 	return 0;
 	}
 	return 1;
 }
 int CmdT55xxReadTrace(const char *Cmd) {
 	char cmdp = param_getchar(Cmd, 0);
-	
+	bool pwdmode = false;
 	uint32_t password = 0;	
 	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();
 	if (strlen(Cmd)==0)
-		AquireData( TRACE_BLOCK );
+		if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )
 			return 0;
-	if (!DecodeT55xxBlock()) return 1;
+	if (!DecodeT55xxBlock()) return 0;
-	if ( !DemodBufferLen) return 1;
+	if ( !DemodBufferLen) return 0;
 	RepaintGraphWindow();
 	uint8_t repeat = 0;
 	if (config.offset > 5) 
 		repeat = 32;
 	uint8_t si = config.offset+repeat;
-	uint32_t bl0     = PackBits(si, 32, DemodBuffer);
+	uint32_t bl1     = PackBits(si, 32, DemodBuffer);
-	uint32_t bl1     = PackBits(si+32, 32, DemodBuffer);
+	uint32_t bl2     = PackBits(si+32, 32, DemodBuffer);
 	uint32_t acl     = PackBits(si, 8,  DemodBuffer); si += 8;
 	uint32_t mfc     = PackBits(si, 8,  DemodBuffer); si += 8;
@ -780,7 +846,7 @@ int CmdT55xxReadTrace(const char *Cmd) {
 	if ( acl != 0xE0 ) {
 		PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");
-		return 1;
+		return 0;
 	}
 	PrintAndLog("");
@ -797,8 +863,8 @@ int CmdT55xxReadTrace(const char *Cmd) {
 	PrintAndLog("     Die Number   : %d", dw);
 	PrintAndLog("-------------------------------------------------------------");
 	PrintAndLog(" Raw Data - Page 1");
-	PrintAndLog("     Block 0  : 0x%08X  %s", bl0, sprint_bin(DemodBuffer+config.offset+repeat,32) );
+	PrintAndLog("     Block 1  : 0x%08X  %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );
-	PrintAndLog("     Block 1  : 0x%08X  %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );
+	PrintAndLog("     Block 2  : 0x%08X  %s", bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );
 	PrintAndLog("-------------------------------------------------------------");
 	/*
@ -827,12 +893,15 @@ int CmdT55xxInfo(const char *Cmd){
 		Normal mode
 		Extended mode
 	*/
 	bool pwdmode = false;
 	uint32_t password = 0;
 	char cmdp = param_getchar(Cmd, 0);
 	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();
 	if (strlen(Cmd)==0)
-		AquireData( CONFIGURATION_BLOCK );
+		if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )
 			return 1;
 	if (!DecodeT55xxBlock()) return 1;
@ -883,55 +952,50 @@ int CmdT55xxInfo(const char *Cmd){
 int CmdT55xxDump(const char *Cmd){
-	char s[20] = {0x00};
+	uint32_t password = 0;
-	uint8_t pwd[4] = {0x00};
+	bool override = false;
-	char cmdp = param_getchar(Cmd, 0);
+	char cmdp = param_getchar(Cmd, 0);	
 	if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump();
-	bool hasPwd = ( strlen(Cmd) > 0);	
+	bool usepwd = ( strlen(Cmd) > 0);	
-	if ( hasPwd ){
+	if ( usepwd ){
-		if (param_gethex(Cmd, 0, pwd, 8)) {
+		password = param_get32ex(Cmd, 0, 0, 16);
-			PrintAndLog("password must include 8 HEX symbols");
+		if (param_getchar(Cmd, 1) =='o' )
-			return 1;
+			override = true;
 		}
 	}
-	for ( int i = 0; i <8; ++i){
+	PrintAndLog("Reading Page 0:");	
-		memset(s,0,sizeof(s));
+	PrintAndLog("blk | hex data | binary");
-		if ( hasPwd ) {
+	for ( uint8_t i = 0; i < 8; ++i){
-			sprintf(s,"%d %02x%02x%02x%02x", i, pwd[0],pwd[1],pwd[2],pwd[3]);
+		T55xxReadBlock(i, 0, usepwd, override, password);
 		} else {
 			sprintf(s,"%d", i);
 		}
 		CmdT55xxReadBlock(s);
 	}
-	return 0;
+	PrintAndLog("Reading Page 1:");	
 	PrintAndLog("blk | hex data | binary");
 	for ( uint8_t	i = 0; i < 4; i++){
 		T55xxReadBlock(i, 1, usepwd, override, password);		
 	}
 	return 1;
 }
-int AquireData( uint8_t block ){
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){
-	
+	// arg0 bitmodes:
-	uint32_t password = 0;
+	// bit0 = pwdmode
-	UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, 0, password}};
+	// bit1 = page to read from
-	
+	uint8_t arg0 = (page<<1) | pwdmode;
-	if ( block == CONFIGURATION_BLOCK ) {
+	UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};
 		c.arg[0] = 0x00 | 0x01;
 	}
 	else if (block == TRACE_BLOCK ) {
 		c.arg[0] = 0x02 | 0x01;
 	}
 	clearCommandBuffer();
 	SendCommand(&c);
 	if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
 		PrintAndLog("command execution time out");
-		return 1;
+		return 0;
 	}
 	uint8_t got[12000];
 	GetFromBigBuf(got,sizeof(got),0);
 	WaitForResponse(CMD_ACK,NULL);
-	setGraphBuf(got, 12000);
+	setGraphBuf(got, sizeof(got));
-	return 0;
+	return 1;
 }
 char * GetBitRateStr(uint32_t id){
@ -1099,35 +1163,6 @@ void t55x7_create_config_block( int tagtype ){
 }
 int CmdT55xxWakeUp(const char *Cmd) {
 	uint32_t password = 0;
 	uint8_t cmdp = 0;
 	bool errors = false;
 	while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 		switch(param_getchar(Cmd, cmdp)) {
 		case 'h':
 		case 'H':
 			return usage_t55xx_wakup();
 		case 'p':
 		case 'P':
 			password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16);
 			cmdp+=2;
 			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
 			break;
 		}
 	}
 	if (errors) return usage_t55xx_wakup();
 	UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};
 	clearCommandBuffer();
 	SendCommand(&c);
 	PrintAndLog("Wake up command sent. Try read now");
 	return 0;
 }
 /*
 uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){
@ -1148,14 +1183,13 @@ static command_t CommandTable[] =
  {"help",   CmdHelp,           1, "This help"},
  {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
  {"detect", CmdT55xxDetect,    0, "[1] Try detecting the tag modulation from reading the configuration block."},
-  {"read",   CmdT55xxReadBlock, 0, "<block> [password] -- Read T55xx block data (page 0) [optional password]"},
+  {"read",   CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data (page 0) [optional password]"},
-  {"write",  CmdT55xxWriteBlock,0, "<block> <data> [password] -- Write T55xx block data (page 0) [optional password]"},
+  {"write",  CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data (page 0) [optional password]"},
  {"trace",  CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"},
  {"info",   CmdT55xxInfo,      0, "[1] Show T55xx configuration data (page 0/ blk 0)"},
-  {"dump",   CmdT55xxDump,      0, "[password] Dump T55xx card block 0-7. [optional password]"},
+  {"dump",   CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. [optional password]"},
  {"special", special,          0, "Show block changes with 64 different offsets"},
  {"wakeup", CmdT55xxWakeUp,    0, "Send AOR wakeup command"},
  {NULL, NULL, 0, NULL}
 };
--- a/client/cmdlft55xx.h
+++ b/client/cmdlft55xx.h
@ -82,6 +82,6 @@ bool DecodeT55xxBlock();
 bool tryDetectModulation();
 bool test(uint8_t mode, uint8_t *offset, int *fndBitRate);
 int special(const char *Cmd);
-int AquireData( uint8_t block );
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password );
 #endif
--- a/client/hid-flasher/usb_cmd.h
+++ b/client/hid-flasher/usb_cmd.h
@ -196,6 +196,8 @@ typedef struct{
 #define CMD_MIFARE_DESFIRE                                                0x072e
 #define CMD_MIFARE_COLLECT_NONCES										  0x072f
 #define CMD_HF_SNIFFER                                                    0x0800
 #define CMD_UNKNOWN                                                       0xFFFF
--- a/client/lualibs/commands.lua
+++ b/client/lualibs/commands.lua
@ -44,7 +44,7 @@ local _commands = {
 	CMD_INDALA_CLONE_TAG_L =                                             0x0213,
 	CMD_T55XX_READ_BLOCK =                                               0x0214,
 	CMD_T55XX_WRITE_BLOCK =                                              0x0215,
-	CMD_T55XX_READ_TRACE =                                               0x0216,
+	--//CMD_T55XX_READ_TRACE =                                               0x0216,
 	CMD_PCF7931_READ =                                                   0x0217,
 	CMD_PCF7931_WRITE =                                                  0x0223,
 	CMD_EM4X_READ_WORD =                                                 0x0218,
@ -157,7 +157,8 @@ local _commands = {
 	CMD_MIFARE_DES_READER =                                              0x072c,
 	CMD_MIFARE_DESFIRE_INFO =                                            0x072d,
 	CMD_MIFARE_DESFIRE =                                                 0x072e,
-	
+    CMD_HF_SNIFFER =                                                     0x0800,	
 	CMD_UNKNOWN =                                                        0xFFFF,
 }
--- a/client/scripting.c
+++ b/client/scripting.c
@ -53,7 +53,7 @@ static int l_SendCommand(lua_State *L){
    const char *data = luaL_checklstring(L, 1, &size);
    if(size != sizeof(UsbCommand))
    {
-        printf("Got data size %d, expected %d" , size, sizeof(UsbCommand));
+		printf("Got data size %d, expected %d" , (int) size,(int) sizeof(UsbCommand));
        lua_pushstring(L,"Wrong data size");
        return 1;
    }
--- a/common/Makefile.common
+++ b/common/Makefile.common
@ -67,7 +67,8 @@ VPATH = . ../common ../fpga ../zlib
 INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES)
-CFLAGS =  -c $(INCLUDE) -Wall -Werror -pedantic -std=c99 $(APP_CFLAGS) -Os
+#-Wunused -Wsign-compare -Wtype-limits -Wuninitialized -Wno-deprecated -Wstrict-aliasing -Wpointer-arith -Wpointer-arith -Wformat-nonliteral -Winit-self -Wparentheses -Wunreachable-code
 CFLAGS =  -c $(INCLUDE) -Wall -Werror -pedantic -Wunused -std=c99 $(APP_CFLAGS) -Os
 LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n
 LIBS = -lgcc
--- a/common/lfdemod.c
+++ b/common/lfdemod.c
@ -282,6 +282,16 @@ int manrawdecode(uint8_t * BitStream, size_t *size, uint8_t invert)
 	return bestErr;
 }
 uint32_t manchesterEncode2Bytes(uint16_t datain) {
 	uint32_t output = 0;
 	uint8_t curBit = 0;
 	for (uint8_t i=0; i<16; i++) {
 		curBit = (datain >> (15-i) & 1);
 		output |= (1<<(((15-i)*2)+curBit));
 	}
 	return output;
 }
 //by marshmellow
 //encode binary data into binary manchester 
 int ManchesterEncode(uint8_t *BitStream, size_t size)
--- a/common/lfdemod.h
+++ b/common/lfdemod.h
@ -30,6 +30,7 @@ int      DetectStrongAskClock(uint8_t dest[], size_t size, uint8_t high, uint8_t
 uint8_t  Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo);
 int      fskdemod(uint8_t *dest, size_t size, uint8_t rfLen, uint8_t invert, uint8_t fchigh, uint8_t fclow);
 int      getHiLo(uint8_t *BitStream, size_t size, int *high, int *low, uint8_t fuzzHi, uint8_t fuzzLo);
 uint32_t manchesterEncode2Bytes(uint16_t datain);
 int      ManchesterEncode(uint8_t *BitStream, size_t size);
 int      manrawdecode(uint8_t *BitStream, size_t *size, uint8_t invert);
 int      nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr);
--- a/common/protocols.c
+++ b/common/protocols.c
@ -3,13 +3,36 @@
 #include <stdint.h>
 #include <stdarg.h>
 #include "protocols.h"
 // ATA55xx shared presets & routines
 uint32_t GetT55xxClockBit(uint32_t clock) {
 	switch (clock) {
 		case 128:
 			return T55x7_BITRATE_RF_128;
 		case 100:
 			return T55x7_BITRATE_RF_100;
 		case 64:
 			return T55x7_BITRATE_RF_64;
 		case 50:
 			return T55x7_BITRATE_RF_50;
 		case 40:
 			return T55x7_BITRATE_RF_40;
 		case 32:
 			return T55x7_BITRATE_RF_32;
 		case 16:
 			return T55x7_BITRATE_RF_16;
 		case 8:
 			return T55x7_BITRATE_RF_8;
 		default:
 			return 0;
 	}
 }
 #ifndef ON_DEVICE
 #include "ui.h"
 #define prnt PrintAndLog
 #endif
 // iclass / picopass chip config structures and shared routines
 typedef struct {
 	uint8_t app_limit;      //[8]
 	uint8_t otp[2];         //[9-10]
@ -31,20 +54,7 @@ typedef struct {
 }picopass_hdr;
-
+uint8_t isset(uint8_t val, uint8_t mask) {
 //#define prnt printf
 /*void prnt(char *fmt,...)
 {
 	va_list argptr;
 	va_start(argptr, fmt);
 	vprintf(fmt, argptr);
 	printf("          "); // cleaning prompt
 	va_end(argptr);
 	printf("\n");
 }
 */
 uint8_t isset(uint8_t val, uint8_t mask)
 {
 	return (val & mask);
 }
@ -52,8 +62,7 @@ uint8_t notset(uint8_t val, uint8_t mask){
 	return !(val & mask);
 }
-void fuse_config(const picopass_hdr *hdr)
+void fuse_config(const picopass_hdr *hdr) {
 {
 	uint8_t fuses = hdr->conf.fuses;
 	if (isset(fuses,FUSE_FPERS))prnt("	Mode: Personalization [Programmable]");
@ -104,8 +113,7 @@ void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *
 	}
 }
-void mem_app_config(const picopass_hdr *hdr)
+void mem_app_config(const picopass_hdr *hdr) {
 {
 	uint8_t mem = hdr->conf.mem_config;
 	uint8_t chip = hdr->conf.chip_config;
 	uint8_t applimit = hdr->conf.app_limit;
@ -118,28 +126,25 @@ void mem_app_config(const picopass_hdr *hdr)
 	prnt("	AA1: blocks 06-%02X", applimit);
 	prnt("	AA2: blocks %02X-%02X", applimit+1, max_blk);
 }
-void print_picopass_info(const picopass_hdr *hdr)
+void print_picopass_info(const picopass_hdr *hdr) {
 {
 	fuse_config(hdr);
 	mem_app_config(hdr);
 }
-void printIclassDumpInfo(uint8_t* iclass_dump)
+void printIclassDumpInfo(uint8_t* iclass_dump) {
 {
 //	picopass_hdr hdr;
 //	memcpy(&hdr, iclass_dump, sizeof(picopass_hdr));
 	print_picopass_info((picopass_hdr *) iclass_dump);
 }
 /*
-void test()
+void test() {
 {
 	picopass_hdr hdr = {0x27,0xaf,0x48,0x01,0xf9,0xff,0x12,0xe0,0x12,0xff,0xff,0xff,0x7f,0x1f,0xff,0x3c};
 	prnt("Picopass configuration:");
 	print_picopass_info(&hdr);
 }
-int main(int argc, char *argv[])
+int main(int argc, char *argv[]) {
 {
 	test();
 	return 0;
 }
 */
 #endif
 //ON_DEVICE
--- a/common/protocols.h
+++ b/common/protocols.h
@ -267,4 +267,57 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 void printIclassDumpInfo(uint8_t* iclass_dump);
 void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb);
-#endif // PROTOCOLS_H
+/* T55x7 configuration register definitions */
 #define T55x7_POR_DELAY			0x00000001
 #define T55x7_ST_TERMINATOR		0x00000008
 #define T55x7_PWD			0x00000010
 #define T55x7_MAXBLOCK_SHIFT		5
 #define T55x7_AOR			0x00000200
 #define T55x7_PSKCF_RF_2		0
 #define T55x7_PSKCF_RF_4		0x00000400
 #define T55x7_PSKCF_RF_8		0x00000800
 #define T55x7_MODULATION_DIRECT		0
 #define T55x7_MODULATION_PSK1		0x00001000
 #define T55x7_MODULATION_PSK2		0x00002000
 #define T55x7_MODULATION_PSK3		0x00003000
 #define T55x7_MODULATION_FSK1		0x00004000
 #define T55x7_MODULATION_FSK2		0x00005000
 #define T55x7_MODULATION_FSK1a		0x00006000
 #define T55x7_MODULATION_FSK2a		0x00007000
 #define T55x7_MODULATION_MANCHESTER	0x00008000
 #define T55x7_MODULATION_BIPHASE	0x00010000
 #define T55x7_MODULATION_DIPHASE	0x00018000
 #define T55x7_BITRATE_RF_8		0
 #define T55x7_BITRATE_RF_16		0x00040000
 #define T55x7_BITRATE_RF_32		0x00080000
 #define T55x7_BITRATE_RF_40		0x000C0000
 #define T55x7_BITRATE_RF_50		0x00100000
 #define T55x7_BITRATE_RF_64		0x00140000
 #define T55x7_BITRATE_RF_100		0x00180000
 #define T55x7_BITRATE_RF_128		0x001C0000
 /* T5555 (Q5) configuration register definitions */
 #define T5555_ST_TERMINATOR		0x00000001
 #define T5555_MAXBLOCK_SHIFT		0x00000001
 #define T5555_MODULATION_MANCHESTER	0
 #define T5555_MODULATION_PSK1		0x00000010
 #define T5555_MODULATION_PSK2		0x00000020
 #define T5555_MODULATION_PSK3		0x00000030
 #define T5555_MODULATION_FSK1		0x00000040
 #define T5555_MODULATION_FSK2		0x00000050
 #define T5555_MODULATION_BIPHASE	0x00000060
 #define T5555_MODULATION_DIRECT		0x00000070
 #define T5555_INVERT_OUTPUT		0x00000080
 #define T5555_PSK_RF_2			0
 #define T5555_PSK_RF_4			0x00000100
 #define T5555_PSK_RF_8			0x00000200
 #define T5555_USE_PWD			0x00000400
 #define T5555_USE_AOR			0x00000800
 #define T5555_BITRATE_SHIFT		12
 #define T5555_FAST_WRITE		0x00004000
 #define T5555_PAGE_SELECT		0x00008000
 uint32_t GetT55xxClockBit(uint32_t clock);
 #endif 
 // PROTOCOLS_H
--- a/fpga/Makefile
+++ b/fpga/Makefile
@ -9,7 +9,7 @@ fpga_hf.ngc: fpga_hf.v fpga.ucf xst_hf.scr util.v hi_simulate.v hi_read_tx.v hi_
 	$(DELETE) $@
 	$(XILINX_TOOLS_PREFIX)xst -ifn xst_hf.scr
-fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v
+fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v hi_sniffer.v
 	$(DELETE) $@
 	$(XILINX_TOOLS_PREFIX)xst -ifn xst_lf.scr
--- a/fpga/fpga_hf.v
+++ b/fpga/fpga_hf.v
@ -17,6 +17,7 @@
 `include "hi_read_rx_xcorr.v"
 `include "hi_simulate.v"
 `include "hi_iso14443a.v"
 `include "hi_sniffer.v"
 `include "util.v"
 module fpga_hf(
@ -122,25 +123,36 @@ hi_iso14443a hisn(
 	hi_simulate_mod_type
 );
 hi_sniffer he(
       pck0, ck_1356meg, ck_1356megb,
       he_pwr_lo, he_pwr_hi, he_pwr_oe1, he_pwr_oe2, he_pwr_oe3,       he_pwr_oe4,
       adc_d, he_adc_clk,
       he_ssp_frame, he_ssp_din, ssp_dout, he_ssp_clk,
       cross_hi, cross_lo,
       he_dbg,
       hi_read_rx_xcorr_848, hi_read_rx_xcorr_snoop, hi_read_rx_xcorr_quarter
 );
 // Major modes:
 //   000 --  HF reader, transmitting to tag; modulation depth selectable
 //   001 --  HF reader, receiving from tag, correlating as it goes; frequency selectable
 //   010 --  HF simulated tag
 //   011 --  HF ISO14443-A
 //   100 --  HF Snoop
 //   111 --  everything off
-mux8 mux_ssp_clk		(major_mode, ssp_clk,   ht_ssp_clk,   hrxc_ssp_clk,   hs_ssp_clk,   hisn_ssp_clk,   1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_ssp_clk		(major_mode, ssp_clk,   ht_ssp_clk,   hrxc_ssp_clk,   hs_ssp_clk,   hisn_ssp_clk,   he_ssp_clk, 1'b0, 1'b0, 1'b0);
-mux8 mux_ssp_din		(major_mode, ssp_din,   ht_ssp_din,   hrxc_ssp_din,   hs_ssp_din,   hisn_ssp_din,   1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_ssp_din		(major_mode, ssp_din,   ht_ssp_din,   hrxc_ssp_din,   hs_ssp_din,   hisn_ssp_din,   he_ssp_din, 1'b0, 1'b0, 1'b0);
-mux8 mux_ssp_frame		(major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, 1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_ssp_frame		(major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, he_ssp_frame, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe1		(major_mode, pwr_oe1,   ht_pwr_oe1,   hrxc_pwr_oe1,   hs_pwr_oe1,   hisn_pwr_oe1,   1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe1		(major_mode, pwr_oe1,   ht_pwr_oe1,   hrxc_pwr_oe1,   hs_pwr_oe1,   hisn_pwr_oe1,   he_pwr_oe1, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe2		(major_mode, pwr_oe2,   ht_pwr_oe2,   hrxc_pwr_oe2,   hs_pwr_oe2,   hisn_pwr_oe2,   1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe2		(major_mode, pwr_oe2,   ht_pwr_oe2,   hrxc_pwr_oe2,   hs_pwr_oe2,   hisn_pwr_oe2,   he_pwr_oe2, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe3		(major_mode, pwr_oe3,   ht_pwr_oe3,   hrxc_pwr_oe3,   hs_pwr_oe3,   hisn_pwr_oe3,   1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe3		(major_mode, pwr_oe3,   ht_pwr_oe3,   hrxc_pwr_oe3,   hs_pwr_oe3,   hisn_pwr_oe3,   he_pwr_oe3, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe4		(major_mode, pwr_oe4,   ht_pwr_oe4,   hrxc_pwr_oe4,   hs_pwr_oe4,   hisn_pwr_oe4,   1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe4		(major_mode, pwr_oe4,   ht_pwr_oe4,   hrxc_pwr_oe4,   hs_pwr_oe4,   hisn_pwr_oe4,   he_pwr_oe4, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_lo			(major_mode, pwr_lo,    ht_pwr_lo,    hrxc_pwr_lo,    hs_pwr_lo,    hisn_pwr_lo,    1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_lo			(major_mode, pwr_lo,    ht_pwr_lo,    hrxc_pwr_lo,    hs_pwr_lo,    hisn_pwr_lo,    he_pwr_lo, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_hi			(major_mode, pwr_hi,    ht_pwr_hi,    hrxc_pwr_hi,    hs_pwr_hi,    hisn_pwr_hi,    1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_hi			(major_mode, pwr_hi,    ht_pwr_hi,    hrxc_pwr_hi,    hs_pwr_hi,    hisn_pwr_hi,    he_pwr_hi, 1'b0, 1'b0, 1'b0);
-mux8 mux_adc_clk		(major_mode, adc_clk,   ht_adc_clk,   hrxc_adc_clk,   hs_adc_clk,   hisn_adc_clk,   1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_adc_clk		(major_mode, adc_clk,   ht_adc_clk,   hrxc_adc_clk,   hs_adc_clk,   hisn_adc_clk,   he_adc_clk, 1'b0, 1'b0, 1'b0);
-mux8 mux_dbg			(major_mode, dbg,       ht_dbg,       hrxc_dbg,       hs_dbg,       hisn_dbg,       1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_dbg			(major_mode, dbg,       ht_dbg,       hrxc_dbg,       hs_dbg,       hisn_dbg,       he_dbg, 1'b0, 1'b0, 1'b0);
 // In all modes, let the ADC's outputs be enabled.
 assign adc_noe = 1'b0;
--- a/fpga/hi_sniffer.v
+++ b/fpga/hi_sniffer.v
@ -0,0 +1,77 @@
 module hi_sniffer(
    pck0, ck_1356meg, ck_1356megb,
    pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4,
    adc_d, adc_clk,
    ssp_frame, ssp_din, ssp_dout, ssp_clk,
    cross_hi, cross_lo,
    dbg,
    xcorr_is_848, snoop, xcorr_quarter_freq // not used.
 );
    input pck0, ck_1356meg, ck_1356megb;
    output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4;
    input [7:0] adc_d;
    output adc_clk;
    input ssp_dout;
    output ssp_frame, ssp_din, ssp_clk;
    input cross_hi, cross_lo;
    output dbg;
    input xcorr_is_848, snoop, xcorr_quarter_freq; // not used.
 // We are only snooping, all off.
 assign pwr_hi  = 1'b0;// ck_1356megb & (~snoop);
 assign pwr_oe1 = 1'b0;
 assign pwr_oe2 = 1'b0;
 assign pwr_oe3 = 1'b0;
 assign pwr_oe4 = 1'b0;
 reg ssp_clk = 1'b0;
 reg ssp_frame;
 reg adc_clk;
 reg [7:0] adc_d_out = 8'd0;
 reg [7:0] ssp_cnt = 8'd0;
 reg [7:0] pck_divider = 8'd0;
 reg ant_lo = 1'b0;
 reg bit_to_send = 1'b0;
 always @(ck_1356meg, pck0) // should synthetisize to a mux..
  begin
    adc_clk = ck_1356meg;
    ssp_clk = ~ck_1356meg;
  end
 reg [7:0] cnt_test = 8'd0; // test
 always @(posedge pck0)
 begin
    ant_lo <= 1'b0;
 end
 always @(posedge ssp_clk) // ~1356 (hf)
 begin
  if(ssp_cnt[7:0] == 8'd255) // SSP counter for divides.
    ssp_cnt[7:0] <= 8'd0;
  else
    ssp_cnt <= ssp_cnt + 1;
      if((ssp_cnt[2:0] == 3'b000) && !ant_lo) // To set frame  length
        begin
          adc_d_out[7:0] = adc_d; // disable for test
          bit_to_send = adc_d_out[0];
          ssp_frame <= 1'b1;
        end
      else
        begin
          adc_d_out[6:0] = adc_d_out[7:1];
          adc_d_out[7] = 1'b0; // according to old lf_read.v comment prevents gliches if not set.
          bit_to_send = adc_d_out[0];
          ssp_frame <= 1'b0;
        end
 end
 assign ssp_din = bit_to_send && !ant_lo;//bit_to_send && !ant_lo; // && .. not needed i guess?
 assign pwr_lo = ant_lo;
 endmodule
--- a/include/usb_cmd.h
+++ b/include/usb_cmd.h
@ -200,6 +200,8 @@ typedef struct{
 #define CMD_MIFARE_COLLECT_NONCES										  0x072f
 #define CMD_HF_SNIFFER                                                    0x0800
 #define CMD_UNKNOWN                                                       0xFFFF