diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 01676bc95..8d48245a5 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -1932,7 +1932,7 @@ static int CmdHF14AMfChk(const char *Cmd) {
uint8_t trgKeyType = 0;
- uint32_t max_keys = keycnt > ((PM3_CMD_DATA_SIZE - 4) / 6) ? ((PM3_CMD_DATA_SIZE - 4) / 6) : keycnt;
+ uint16_t max_keys = keycnt > ((PM3_CMD_DATA_SIZE - 4) / 6) ? ((PM3_CMD_DATA_SIZE - 4) / 6) : keycnt;
// time
uint64_t t1 = msclock();
@@ -1949,7 +1949,7 @@ static int CmdHF14AMfChk(const char *Cmd) {
// skip already found keys.
if (e_sector[i].foundKey[trgKeyType]) continue;
- for (uint32_t c = 0; c < keycnt; c += max_keys) {
+ for (uint16_t c = 0; c < keycnt; c += max_keys) {
printf(".");
fflush(stdout);
@@ -1960,15 +1960,13 @@ static int CmdHF14AMfChk(const char *Cmd) {
goto out;
}
- uint32_t size = keycnt - c > max_keys ? max_keys : keycnt - c;
+ uint16_t size = keycnt - c > max_keys ? max_keys : keycnt - c;
if (mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6 * c], &key64) == PM3_SUCCESS) {
e_sector[i].Key[trgKeyType] = key64;
e_sector[i].foundKey[trgKeyType] = true;
break;
}
-
-
}
b < 127 ? (b += 4) : (b += 16);
}
@@ -2011,11 +2009,6 @@ static int CmdHF14AMfChk(const char *Cmd) {
}
out:
- // Disable fast mode and send a dummy command to make it effective
- conn.block_after_ACK = false;
- SendCommandMIX(CMD_PING, 0, 0, 0, NULL, 0);
- WaitForResponseTimeout(CMD_ACK, NULL, 1000);
-
//print keys
printKeyTable(SectorsCnt, e_sector);
@@ -2032,6 +2025,12 @@ out:
PrintAndLogEx(SUCCESS, "Found keys have been transferred to the emulator memory");
}
+ // Disable fast mode and send a dummy command to make it effective
+ conn.block_after_ACK = false;
+ SendCommandMIX(CMD_PING, 0, 0, 0, NULL, 0);
+ WaitForResponseTimeout(CMD_ACK, NULL, 1000);
+
+
if (createDumpFile) {
fptr = GenerateFilename("hf-mf-", "-key.bin");
if (fptr == NULL) {
diff --git a/client/lualibs/commands.lua b/client/lualibs/commands.lua
index 8f87d81fb..ca959291f 100644
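Review bot: The new loop index in `for (uint16_t c = 0; c < keycnt; c += max_keys) {` wraps at 65535, so if `keycnt` is a wider type (its declaration is outside the hunk) and the dictionary holds more than 65535 keys, `c` can never reach `keycnt`, the loop spins forever and `&keyBlock[6 * c]` is re-read from the start of the buffer. Only the per-call count needs to be small, and the 1960 hunk already caps `size` at `max_keys`, which is at most `(PM3_CMD_DATA_SIZE - 4) / 6`; the index itself can stay wide: `for (uint32_t c = 0; c < keycnt; c += max_keys) {`. If `keycnt` is itself 16-bit the concern is moot, but then the dictionary loader must reject oversized files rather than truncate silently. CmdHF14AMfChk begins and ends outside this hunk.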
--- a/client/lualibs/commands.lua
+++ b/client/lualibs/commands.lua
@@ -117,22 +117,6 @@ function Command:getBytes()
return bin.pack("LLLLH",cmd, arg1, arg2, arg3, data);
end
-function Command:__responsetostring()
- print('NG package received')
- print('CMD ::', _commands.tostring(self.resp_cmd))
- print('Length ::', tostring(self.resp_length))
- print('Magic ::', string.format("0x%08X", self.resp_magic), util.ConvertHexToAscii(string.format("0x%08X", self.resp_magic)))
- print('Status ::', tostring(self.resp_status))
- print('crc ::', string.format("0x%02X", self.resp_crc))
- print('Args ::', ("(%s, %s, %s)\r\n"):format(
- tostring(self.resp_arg1),
- tostring(self.resp_arg2),
- tostring(self.resp_arg3)))
- print('NG ::', self.resp_ng)
- print('Data ::', self.resp_data)
-end
-
-
--- Sends a packet to the device
-- @param command - the usb packet to send
-- @param ignoreresponse - if set to true, we don't read the device answer packet
@@ -177,13 +161,21 @@ function Command:sendMIX( ignore_response, timeout )
--]]
local packed = bin.pack("LLLLH", cmd, arg1, arg2, arg3, data)
+ --[[
+ return { Cmd = cmd,
+ Arg1 = arg1,
+ Arg2 = arg2,
+ Arg3 = arg3,
+ Data = data,
+ }
+ --]]
return packed, nil;
end
function Command:sendNG( ignore_response, timeout )
local data = self.data
local cmd = self.cmd
local err, msg = core.SendCommandNG(cmd, data)
- if err == nil then return err, msg end
+ if err == nil then return nil, msg end
if ignore_response then return true, nil end
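Review bot: The `--[[ return { Cmd = cmd, ... } --]]` block added to Command:sendMIX is commented-out code, so at review time it is dead text that will drift from the real return value `return packed, nil;` right below it. If it records a planned change to make sendMIX return a table the way sendNG now does, a one-line `-- TODO: return a decoded table here, as sendNG does` keeps the intent without the stale code; otherwise drop it. sendMIX starts outside this hunk and sendNG continues past it.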
@@ -193,28 +185,36 @@ function Command:sendNG( ignore_response, timeout )
if response == nil then
return nil, 'Error, waiting for response timed out :: '..msg
end
+ local data
+ local count, cmd, length, magic, status, crc, arg0, arg1, arg2 = bin.unpack('SSIsSLLL', response)
+ count, data, ng = bin.unpack('H'..length..'C', response, count)
--[[ uncomment if you want to debug
- -- lets digest response NG package.
- local data
- local count, cmd, length, magic, status, crc, arg1, arg2, arg3 = bin.unpack('SSIsSLLL', response)
- count, data, ng = bin.unpack('H'..length..'C', response, count)
-
- self.resp_cmd = cmd
- self.resp_length = length
- self.resp_magic = magic
- self.resp_status = status
- self.resp_crc = crc
- self.resp_arg1 = arg1
- self.resp_arg2 = arg2
- self.resp_arg3 = arg3
- self.resp_data = data
- self.resp_ng = ng
- self:__responsetostring()
+ print('NG package received')
+ print('CMD ::', tostring(cmd))
+ print('Length ::', tostring(length))
+ print('Magic ::', string.format("0x%08X", magic), util.ConvertHexToAscii(string.format("0x%08X", magic)))
+ print('Status ::', tostring(status))
+ print('crc ::', string.format("0x%02X", crc))
+ print('Args ::', ("(%s, %s, %s)\r\n"):format(
+ tostring(arg0),
+ tostring(arg1),
+ tostring(arg2)))
+ print('NG ::', ng)
+ print('Data ::', data)
--]]
-
- return response
+ return { Cmd = cmd,
+ Length = length,
+ Magic = magic,
+ Status = status,
+ Crc = crc,
+ Oldarg0 = arg0,
+ Oldarg1 = arg1,
+ Oldarg2 = arg2,
+ Data = data,
+ Ng = ng
+ }
end
return _commands
diff --git a/client/scripts/mfkeys.lua b/client/scripts/mfkeys.lua
index 9fb3d3f9d..f04059b67 100644
--- a/client/scripts/mfkeys.lua
+++ b/client/scripts/mfkeys.lua
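Review bot: In `count, data, ng = bin.unpack('H'..length..'C', response, count)` the field `length` is taken straight from the device packet and spliced into the unpack format with no check against the bytes actually present, and `ng` is assigned without `local`, so it becomes a global. If bin.unpack stops short on an oversized length (as lpack-style libraries do), `data` ends up nil and every caller that does `response.Data:sub(...)` raises an index error instead of getting an error return. Assuming `count` is the 1-based index of the next unread byte, as its use as the start argument suggests, a guard before the unpack is enough: `if count + length > #response then return nil, 'Error, NG length field exceeds packet size' end`, and changing the added `local data` to `local data, ng` removes the global. The new `local count, cmd, length, ...` also shadows the `local cmd = self.cmd` declared earlier in sendNG, which starts outside this hunk.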
@@ -58,15 +58,14 @@ local function checkCommand(response)
return nil, "Timeout while waiting for device to respond"
end
- local data
- local count, cmd, length, magic, status, crc, arg1, arg2, arg3 = bin.unpack('SSIsSLLL', response)
- count, data, ng = bin.unpack('H'..length..'C', response, count)
-
- if status == PM3_SUCCESS then
- key = data:sub(1, 12)
- return key
+ if response.Status == PM3_SUCCESS then
+ --decode data array
+ key = response.Data:sub(1, 12)
+ found = tonumber(response.Data:sub(13,14))
+ if found == 1 then
+ return key
+ end
end
- return nil
end
@@ -76,8 +75,6 @@ local function checkBlock(blockno, testkeys, keytype)
-- each key is 6 bytes,
-- NG args inside dataarray is 4 bytes. That give us (512-4)/6 or max 84 keys in one go.
-- If there's more, we need to split it up
- local arg1 = bit32.bor(bit32.lshift(keytype, 8), blockno)
- local arg2 = '00' -- don't clear trace
local start, remaining = 1, #testkeys
local maxchunk = math.floor((512-4)/6)
local chunksize = remaining
@@ -85,9 +82,8 @@ local function checkBlock(blockno, testkeys, keytype)
local n = chunksize
while remaining > 0 do
--- print('start', start, 'chunksize', chunksize, 'testkeys kvar', remaining, 'N-index=', n)
- local d0 = ('%04X%02X%02X'):format(arg1, arg2, chunksize)
+ local d0 = ('%02X%02X00%02X'):format(keytype, blockno, chunksize)
local d1 = table.concat(testkeys, "", start, n)
core.clearCommandBuffer()
@@ -95,7 +91,7 @@ local function checkBlock(blockno, testkeys, keytype)
print(("Testing block %d, keytype %d, with %d keys"):format(blockno, keytype, chunksize))
local c = Command:newNG{cmd = cmds.CMD_MIFARE_CHKKEYS, data = d0..d1}
- key, err = checkCommand(c:sendNG(false, TIMEOUT))
+ key, err = checkCommand(c:sendNG(false))
if key then
return key, blockno
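Review bot: `key = response.Data:sub(1, 12)` and `found = tonumber(response.Data:sub(13,14))` assign two globals (no `local`), and `tonumber` with no base parses the hex text as decimal, so it handles "00" and "01" but returns nil for any other byte value, which silently reads as not-found. `response.Data` is also indexed without a check, and the producer in commands.lua may hand back a nil Data field when the packet's length field does not match its size. Something like `local key = response.Data and response.Data:sub(1, 12)`, `local found = response.Data and tonumber(response.Data:sub(13, 14), 16)`, `if key and found == 1 then` keeps the contract and yields a clean nil instead of an index error. checkCommand begins outside this hunk.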
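Review bot: `local d0 = ('%02X%02X00%02X'):format(keytype, blockno, chunksize)` hard-codes the 4-byte NG argument layout without saying what each byte is; the lines it replaces at least named the literal `'00'` as "don't clear trace". A comment above it such as `-- 4-byte NG arg header: keytype, blockno, clear-trace flag (00 = keep trace, per the old arg2), key count` would let a reader cross-check the order against the firmware's handler, which I cannot see from here. Note also that `%02X` only preserves the layout if `blockno` fits in one byte; anything above 255 emits three digits and shifts the key data by a nibble. checkBlock begins outside this hunk.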
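Review bot: `key, err = checkCommand(c:sendNG(false))` drops the `TIMEOUT` argument, yet sendNG as shown in the commands.lua hunk still declares a `timeout` parameter, so the wait now runs on whatever sendNG does with nil, which is outside the visible lines. If a default exists the call is fine and a short `-- rely on sendNG's default timeout` would say so; if not, keep passing it: `key, err = checkCommand(c:sendNG(false, TIMEOUT))`. Also, on a send error sendNG returns `nil, msg`, but checkCommand receives only the nil and reports a generic timeout, so the real message is lost. checkBlock continues outside this hunk.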