DEL: 'hf mf sniff' - since it is very similar to 'hf 14a sniff' , I removed this command. The desired functionality will become a new 'hf list mf' option in the future.

2025-08-20 05:13:46 -07:00 · 2018-01-18 14:11:22 +01:00 · 2018-01-18 14:11:22 +01:00 · be82f9f018
commit be82f9f018
parent 21dd3f68ea
10 changed files with 279 additions and 296 deletions
--- a/armsrc/Makefile
+++ b/armsrc/Makefile
@ -45,7 +45,8 @@ SRC_LCD = fonts.c LCD.c
 SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c
 SRC_ISO15693 = iso15693.c iso15693tools.c
 #SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c mifaresim.c
-SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c
+#SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c mifaresniff.c
 SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c 
 SRC_ISO14443b = iso14443b.c
 SRC_FELICA = felica.c
 SRC_CRAPTO1 = crypto1.c des.c aes.c desfire_key.c desfire_crypto.c mifaredesfire.c
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -886,7 +886,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
 			break;
 		// mifare sniffer
 		case CMD_MIFARE_SNIFFER:
-			SniffMifare(c->arg[0]);
+			//SniffMifare(c->arg[0]);
 			break;
 		case CMD_MIFARE_SETMOD:
 			MifareSetMod(c->arg[0], c->d.asBytes);
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -162,7 +162,7 @@ void OnErrorMagic(uint8_t reason);
 int32_t dist_nt(uint32_t nt1, uint32_t nt2);
 void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype );
-void RAMFUNC SniffMifare(uint8_t param);
+//void RAMFUNC SniffMifare(uint8_t param);
 //desfire
 void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain);
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -11,14 +11,14 @@
 //-----------------------------------------------------------------------------
 #include "iso14443a.h"
 static uint32_t iso14a_timeout;
 #define MAX_ISO14A_TIMEOUT 524288
 static uint32_t iso14a_timeout;
 int rsamples = 0;
 uint8_t trigger = 0;
 // the block number for the ISO14443-4 PCB
 static uint8_t iso14_pcb_blocknum = 0;
 static uint8_t* free_buffer_pointer;
 //
@ -187,7 +187,11 @@ const bool Mod_Miller_LUT[] = {
 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
-void UartReset() {
+tUart* GetUart() {
 	return &Uart;
 }
 void UartReset(void) {
 	Uart.state = STATE_UNSYNCD;
 	Uart.bitCount = 0;
 	Uart.len = 0;						// number of decoded data bytes
@ -208,7 +212,7 @@ void UartInit(uint8_t *data, uint8_t *parity) {
 }
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
-static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
+RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
 	Uart.fourBits = (Uart.fourBits << 8) | bit;
 	if (Uart.state == STATE_UNSYNCD) {											// not yet synced
@ -343,7 +347,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
 // 8 ticks modulated:									A collision. Save the collision position and treat as Sequence D
 // Note 1: the bitstream may start at any time. We therefore need to sync.
 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
-static tDemod Demod;
+tDemod Demod;
 // Lookup-Table to decide if 4 raw bits are a modulation.
 // We accept three or four "1" in any position
@ -355,7 +359,10 @@ const bool Mod_Manchester_LUT[] = {
 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
-void DemodReset() {
+tDemod* GetDemod() {
 	return &Demod;
 }
 void DemodReset(void) {
 	Demod.state = DEMOD_UNSYNCD;
 	Demod.len = 0;						// number of decoded data bytes
 	Demod.parityLen = 0;
@ -378,7 +385,7 @@ void DemodInit(uint8_t *data, uint8_t *parity) {
 }
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
-static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) {
+RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) {
 	Demod.twoBits = (Demod.twoBits << 8) | bit;
 	if (Demod.state == DEMOD_UNSYNCD) {
@ -496,8 +503,8 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 	uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
 	// The response (tag -> reader) that we're receiving.
-	uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
+	uint8_t *receivedResp = BigBuf_malloc(MAX_FRAME_SIZE);
-	uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
+	uint8_t *receivedRespPar = BigBuf_malloc(MAX_PARITY_SIZE);
 	// The DMA buffer, used to stream samples from the FPGA
 	uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
@ -510,7 +517,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 	bool ReaderIsActive = false;
 	// Set up the demodulator for tag -> reader responses.
-	DemodInit(receivedResponse, receivedResponsePar);
+	DemodInit(receivedResp, receivedRespPar);
 	// Set up the demodulator for the reader -> tag commands
 	UartInit(receivedCmd, receivedCmdPar);
@ -547,7 +554,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 		if (dataLen > maxDataLen) {
 			maxDataLen = dataLen;
 			if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
-				Dbprintf("blew circular buffer! dataLen=%d", dataLen);
+				Dbprintf("[!] blew circular buffer! | datalen %u", dataLen);
 				break;
 			}
 		}
@ -557,7 +564,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 		if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
 			AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
 			AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
-			Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
+			Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary
 		}
 		// secondary buffer sets as primary, secondary buffer was stopped
 		if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
@ -602,7 +609,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 				if (ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
 					LED_B_ON();
-					if (!LogTrace(receivedResponse, 
+					if (!LogTrace(receivedResp, 
 									Demod.len, 
 									Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, 
 									Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
@ -3366,166 +3373,3 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 	LEDsoff();
 	set_tracing(false);
 }
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
 // if no activity for 2sec, it sends the collected data to the client.
 //-----------------------------------------------------------------------------
 // "hf mf sniff"
 void RAMFUNC SniffMifare(uint8_t param) {
 	// param:
 	// bit 0 - trigger from first card answer
 	// bit 1 - trigger from first reader 7-bit request
 	// C(red) A(yellow) B(green)
 	LEDsoff();
 	iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
 	// Allocate memory from BigBuf for some buffers
 	// free all previous allocations first
 	BigBuf_free(); BigBuf_Clear_ext(false);
 	clear_trace();
 	set_tracing(true);
 	// The command (reader -> tag) that we're receiving.
 	uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};	
 	uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 	// The response (tag -> reader) that we're receiving.
 	uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE] = {0x00};
 	uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 	// allocate the DMA buffer, used to stream samples from the FPGA
 	uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
 	uint8_t *data = dmaBuf;
 	uint8_t previous_data = 0;
 	int maxDataLen = 0;
 	int dataLen = 0;
 	bool ReaderIsActive = false;
 	bool TagIsActive = false;
 	// Set up the demodulator for tag -> reader responses.
 	DemodInit(receivedResponse, receivedResponsePar);
 	// Set up the demodulator for the reader -> tag commands
 	UartInit(receivedCmd, receivedCmdPar);
 	// Setup and start DMA.
 	// set transfer address and number of bytes. Start transfer.
 	if ( !FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE) ){
 		if (MF_DBGLEVEL > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting"); 
 		return;
 	}
 	// Signal field is off with the appropriate LED
 	LED_D_OFF();
 	MfSniffInit();
 	uint32_t sniffCounter = 0;
    // loop and listen
 	while (!BUTTON_PRESS()) {		
 		WDT_HIT();
 		LED_A_ON();
 		if ((sniffCounter & 0xFFFF) == 0) {	// from time to time
 			// check if a transaction is completed (timeout after 2000ms).
 			// if yes, stop the DMA transfer and send what we have so far to the client
 			if (MfSniffSend(2000)) {			
 				// Reset everything - we missed some sniffed data anyway while the DMA was stopped
 				sniffCounter = 0;
 				dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
 				data = dmaBuf;
 				maxDataLen = 0;
 				ReaderIsActive = false;
 				TagIsActive = false;
 				// Setup and start DMA. set transfer address and number of bytes. Start transfer.				
 				if ( !FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE) ){
 					if (MF_DBGLEVEL > 1) DbpString("[!] FpgaSetupSscDma failed. Exiting"); 
 					return;
 				}
 			}
 		}
 		// number of bytes we have processed so far		
 		int register readBufDataP = data - dmaBuf;	
 		// number of bytes already transferred		
 		int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
 		if (readBufDataP <= dmaBufDataP)			// we are processing the same block of data which is currently being transferred
 			dataLen = dmaBufDataP - readBufDataP;	// number of bytes still to be processed
 		else
 			dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
 		// test for length of buffer
 		if (dataLen > maxDataLen) {					// we are more behind than ever...
 			maxDataLen = dataLen;					
 			if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
 				Dbprintf("[!] blew circular buffer! | datalen %u", dataLen);
 				break;
 			}
 		}
 		if (dataLen < 1) continue;
 		// primary buffer was stopped ( <-- we lost data!
 		if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
 			AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf;
 			AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
 			Dbprintf("[-] RxEmpty ERROR | data length %u", dataLen); // temporary
 		}
 		// secondary buffer sets as primary, secondary buffer was stopped
 		if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
 			AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf;
 			AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
 		}
 		LED_A_OFF();
 		// Need two samples to feed Miller and Manchester-Decoder
 		if (sniffCounter & 0x01) {
 			// no need to try decoding tag data if the reader is sending
 			if (!TagIsActive) {		
 				uint8_t readerbyte = (previous_data & 0xF0) | (*data >> 4);
 				if (MillerDecoding(readerbyte, (sniffCounter-1)*4)) {
 					LED_B_ON();
 					LED_C_OFF();
 					MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true);
 					DemodReset();
 					UartReset();
 				}
 				ReaderIsActive = (Uart.state != STATE_UNSYNCD);
 				TagIsActive = !ReaderIsActive;
 			}
 			// no need to try decoding tag data if the reader is sending
 			if (!ReaderIsActive) {		
 				uint8_t tagbyte = (previous_data << 4) | (*data & 0x0F);
 				if (ManchesterDecoding(tagbyte, 0, (sniffCounter-1)*4)) {
 					LED_B_OFF();
 					LED_C_ON();
 					MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false);
 					DemodReset();
 					UartReset();
 				}
 				TagIsActive = (Demod.state != DEMOD_UNSYNCD);
 				ReaderIsActive = !TagIsActive;
 			}
 		}
 		previous_data = *data;
 		sniffCounter++;
 		data++;
 		if (data == dmaBuf + DMA_BUFFER_SIZE)
 			data = dmaBuf;
 	} // main cycle
 	if (MF_DBGLEVEL >= 1) 
 		Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
 	MfSniffEnd();
 	switch_off(); 
 }
--- a/armsrc/iso14443a.h
+++ b/armsrc/iso14443a.h
@ -87,7 +87,15 @@ typedef struct {
 extern void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *par);
 extern void AppendCrc14443a(uint8_t *data, int len);
-// iso14443a.h
+extern tDemod* GetDemod(void);
 extern void DemodReset(void);
 extern void DemodInit(uint8_t *data, uint8_t *parity);
 extern tUart* GetUart(void);
 extern void UartReset(void);
 extern void UartInit(uint8_t *data, uint8_t *parity);
 extern RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time);
 extern RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time);
 extern void RAMFUNC SniffIso14443a(uint8_t param);
 extern void SimulateIso14443aTag(int tagType, int flags, uint8_t *data);
 extern void ReaderIso14443a(UsbCommand *c);
--- a/armsrc/mifaresniff.c
+++ b/armsrc/mifaresniff.c
@ -10,7 +10,7 @@
 #include "mifaresniff.h"
-static int sniffState = SNF_INIT;
+//static int sniffState = SNF_INIT;
 static uint8_t sniffUIDType = 0;
 static uint8_t sniffUID[10] = {0,0,0,0,0,0,0,0,0,0};
 static uint8_t sniffATQA[2] = {0,0};
@ -18,12 +18,170 @@ static uint8_t sniffSAK = 0;
 static uint8_t sniffBuf[17];
 static uint32_t timerData = 0;
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
 // if no activity for 2sec, it sends the collected data to the client.
 //-----------------------------------------------------------------------------
 // "hf mf sniff"
 void RAMFUNC SniffMifare(uint8_t param) {
 	// param:
 	// bit 0 - trigger from first card answer
 	// bit 1 - trigger from first reader 7-bit request
 	// C(red) A(yellow) B(green)
 	LEDsoff();
 	iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
 	// Allocate memory from BigBuf for some buffers
 	// free all previous allocations first
 	BigBuf_free(); BigBuf_Clear_ext(false);
 	clear_trace();
 	set_tracing(true);
 	// The command (reader -> tag) that we're receiving.
 	uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};	
 	uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 	// The response (tag -> reader) that we're receiving.
 	uint8_t receivedResp[MAX_MIFARE_FRAME_SIZE] = {0x00};
 	uint8_t receivedRespPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 	// allocate the DMA buffer, used to stream samples from the FPGA
 	uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
 	uint8_t *data = dmaBuf;
 	uint8_t previous_data = 0;
 	int maxDataLen = 0;
 	int dataLen = 0;
 	bool ReaderIsActive = false;
 	bool TagIsActive = false;
 	// We won't start recording the frames that we acquire until we trigger;
 	// a good trigger condition to get started is probably when we see a
 	// response from the tag.
 	// triggered == false -- to wait first for card
 	//bool triggered = !(param & 0x03); 
 	// Set up the demodulator for tag -> reader responses.
 	DemodInit(receivedResp, receivedRespPar);
 	// Set up the demodulator for the reader -> tag commands
 	UartInit(receivedCmd, receivedCmdPar);
 	// Setup and start DMA.
 	// set transfer address and number of bytes. Start transfer.
 	if ( !FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE) ){
 		if (MF_DBGLEVEL > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting"); 
 		return;
 	}
 	tUart* uart = GetUart();
 	tDemod* demod = GetDemod();
 	MfSniffInit();
 	uint32_t sniffCounter = 0;
    // loop and listen
 	while (!BUTTON_PRESS()) {
 		WDT_HIT();
 		LED_A_ON();
 /*
 		if ((sniffCounter & 0x0000FFFF) == 0) {	// from time to time
 			// check if a transaction is completed (timeout after 2000ms).
 			// if yes, stop the DMA transfer and send what we have so far to the client
 			if (BigBuf_get_traceLen()) {
 				MfSniffSend();
 				// Reset everything - we missed some sniffed data anyway while the DMA was stopped
 				sniffCounter = 0;				
 				dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
 				data = dmaBuf;
 				maxDataLen = 0;
 				ReaderIsActive = false;
 				TagIsActive = false;
 				FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
 			}
 		}
 		*/
 		// number of bytes we have processed so far		
 		int register readBufDataP = data - dmaBuf;	
 		// number of bytes already transferred		
 		int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
 		if (readBufDataP <= dmaBufDataP)			// we are processing the same block of data which is currently being transferred
 			dataLen = dmaBufDataP - readBufDataP;	// number of bytes still to be processed
 		else
 			dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
 		// test for length of buffer
 		if (dataLen > maxDataLen) {					// we are more behind than ever...
 			maxDataLen = dataLen;					
 			if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
 				Dbprintf("[!] blew circular buffer! | datalen %u", dataLen);		
 				break;
 			}
 		}
 		if (dataLen < 1) continue;
 		// primary buffer was stopped ( <-- we lost data!
 		if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
 			AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf;
 			AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
 			Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary
 		}
 		// secondary buffer sets as primary, secondary buffer was stopped
 		if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
 			AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf;
 			AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
 		}
 		LED_A_OFF();
 		// Need two samples to feed Miller and Manchester-Decoder
 		if (sniffCounter & 0x01) {
 			// no need to try decoding tag data if the reader is sending
 			if (!TagIsActive) {		
 				uint8_t readerbyte = (previous_data & 0xF0) | (*data >> 4);
 				if (MillerDecoding(readerbyte, (sniffCounter-1)*4)) {
 					LogTrace(receivedCmd, uart->len, 0, 0, NULL, true);
 					DemodReset();
 					UartReset();
 				}
 				ReaderIsActive = (uart->state != STATE_UNSYNCD);
 			}
 			// no need to try decoding tag data if the reader is sending
 			if (!ReaderIsActive) {		
 				uint8_t tagbyte = (previous_data << 4) | (*data & 0x0F);
 				if (ManchesterDecoding(tagbyte, 0, (sniffCounter-1)*4)) {
 					LogTrace(receivedResp,  demod->len, 0, 0, NULL, false);
 					DemodReset();
 					UartReset();
 				}
 				TagIsActive = (demod->state != DEMOD_UNSYNCD);
 			}
 		}
 		previous_data = *data;
 		sniffCounter++;
 		data++;
 		if (data == dmaBuf + DMA_BUFFER_SIZE)
 			data = dmaBuf;
 	} // main cycle
 	MfSniffEnd();
 	switch_off(); 
 }
 void MfSniffInit(void){
 	memset(sniffUID, 0x00, sizeof(sniffUID));
 	memset(sniffATQA, 0x00, sizeof(sniffATQA));
 	memset(sniffBuf, 0x00, sizeof(sniffBuf));
 	sniffSAK = 0;
 	sniffUIDType = SNF_UID_4;
 	timerData = 0;
 }
 void MfSniffEnd(void){
@ -32,6 +190,7 @@ void MfSniffEnd(void){
 	LED_B_OFF();
 }
 /*
 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {
 	// reset on 7-Bit commands from reader
@ -39,89 +198,86 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui
 		sniffState = SNF_INIT;
 	}
 	switch (sniffState) {
 		case SNF_INIT:{
-			// REQA or WUPA from reader
+			// REQA,WUPA or MAGICWUP from reader			
 			if ((len == 1) && (reader) && (bitCnt == 7) ) {
 				MfSniffInit();
-				sniffState = SNF_WUPREQ;
+				sniffState = (data[0] == MIFARE_MAGICWUPC1) ? SNF_MAGIC_WUPC2 : SNF_ATQA;
 			}
 			break;
 		}
-		case SNF_WUPREQ:{
+		case SNF_MAGIC_WUPC2: {
-			// ATQA from tag
+			if ((len == 1) && (reader) && (data[0] == MIFARE_MAGICWUPC2) ) {  
-			if ((!reader) && (len == 2)) {
+				sniffState = SNF_CARD_IDLE;
 				sniffATQA[0] = data[0];
 				sniffATQA[1] = data[1];
 				sniffState = SNF_ATQA;
 			}
 			break;
 		}
 		case SNF_ATQA:{
-			// Select ALL from reader
+			// ATQA from tag
-			if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20))
+			if ((!reader) && (len == 2)) {
-				sniffState = SNF_ANTICOL1;
+				sniffATQA[0] = data[0];
-			break;
+				sniffATQA[1] = data[1];
-		}
+				sniffState = SNF_UID;
 		case SNF_ANTICOL1:{
 			// UID from tag (CL1) 
 			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {
 				memcpy(sniffUID, data, 4);
 				sniffState = SNF_UID1;
 			}
 			break;
 		}
-		case SNF_UID1:{
+		case SNF_UID: {
-			// Select 4 Byte UID from reader
+			
-			if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))
+			if ( !reader ) break;
 			if ( len != 9 ) break;
 			if ( !CheckCrc14443(CRC_14443_A, data, 9)) break;
 			if ( data[1] != 0x70 ) break;
 			Dbprintf("[!] UID | %x", data[0]);
 			if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT)) {
 				// UID_4 - select 4 Byte UID from reader
 				memcpy(sniffUID, data+2, 4);
 				sniffUIDType = SNF_UID_4;
 				sniffState = SNF_SAK;
-			break;
+			} else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2)) {
-		}
+				// UID_7 - Select 2nd part of 7 Byte UID
-		case SNF_SAK:{
+
-			if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
+				// get rid of 0x88
 				sniffSAK = data[0];
 				if (sniffUID[0] == 0x88)			// CL2/3 UID part to be expected					
 					sniffState = (sniffState == SNF_ANTICOL2 ) ? SNF_ANTICOL3 : SNF_ANTICOL2;
 				else								// select completed
 					sniffState = SNF_CARD_IDLE;
 			}
 			break;
 		}
 		case SNF_ANTICOL2:{
 			 // CL2 UID 
 			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {
 				sniffUID[0] = sniffUID[1];
 				sniffUID[1] = sniffUID[2];
 				sniffUID[2] = sniffUID[3];
-				memcpy(sniffUID+3, data, 4);
+				//new uid bytes
 				memcpy(sniffUID+3, data+2, 4);
 				sniffUIDType = SNF_UID_7;
 				sniffState = SNF_UID2;
 			}
 			break;
 		}
 		case SNF_UID2:{
 			// Select 2nd part of 7 Byte UID
 			if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))
 				sniffState = SNF_SAK;				
-			break;
+			} else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3)) {
-		}
+				// UID_10 - Select 3nd part of 10 Byte UID
 		case SNF_ANTICOL3:{
 			// CL3 UID 
 			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { 
 				// 3+3+4 = 10.
 				// get ride of previous 0x88
 				sniffUID[3] = sniffUID[4];
 				sniffUID[4] = sniffUID[5];
 				sniffUID[5] = sniffUID[6];
-				memcpy(sniffUID+6, data, 4);
+				// new uid bytes
 				memcpy(sniffUID+6, data+2, 4);
 				sniffUIDType = SNF_UID_10;
-				sniffState = SNF_UID3;
+				sniffState = SNF_SAK;
 			}
 			break;
 		}
-		case SNF_UID3:{
+		case SNF_SAK:{
-			// Select 3nd part of 10 Byte UID
+			// SAK from card?
-			if ((reader) && (len == 9) && (data[0] == 0x97) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))
+			if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) {
-				sniffState = SNF_SAK;
+				sniffSAK = data[0];
 				// CL2 UID part to be expected
 				if (( sniffSAK == 0x04) && (sniffUIDType == SNF_UID_4)) {
 					sniffState = SNF_UID;
 				// CL3 UID part to be expected
 				} else if ((sniffSAK == 0x04) && (sniffUIDType == SNF_UID_7)) {
 					sniffState = SNF_UID;
 				} else {
 					// select completed
 					sniffState = SNF_CARD_IDLE;
 				}
 			}
 			break;
 		}		
 		case SNF_CARD_IDLE:{	// trace the card select sequence
@ -133,16 +289,10 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui
 			sniffBuf[15] = 0xFF;
 			sniffBuf[16] = 0xFF;
 			LogTrace(sniffBuf, sizeof(sniffBuf), 0, 0, NULL, true);
 			sniffState = SNF_CARD_CMD;
 		}	// intentionally no break;
 		case SNF_CARD_CMD:{	
-			LogTrace(data, len, 0, 0, NULL, true);
+			LogTrace(data, len, 0, 0, NULL, reader);	
 			sniffState = SNF_CARD_RESP;
 			timerData = GetTickCount();
 			break;
 		}
 		case SNF_CARD_RESP:{
 			LogTrace(data, len, 0, 0, NULL, false);
 			sniffState = SNF_CARD_CMD;
 			timerData = GetTickCount();
 			break;
 		}	
@ -152,37 +302,23 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui
 	}
 	return false;
 }
 */
-bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
+void RAMFUNC MfSniffSend() {
-	if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {
+	uint16_t tracelen = BigBuf_get_traceLen();
-		return intMfSniffSend();
+	uint16_t chunksize = 0;
-	}
+	int packlen = tracelen;	// total number of bytes to send
 	return false;
 }
 // internal sending function. not a RAMFUNC.
 bool intMfSniffSend() {
 	int pckSize = 0;
 	int pckLen = BigBuf_get_traceLen();
 	int pckNum = 0;
 	uint8_t *data = BigBuf_get_addr();	
-	FpgaDisableSscDma();
+	while (packlen > 0) {
 	while (pckLen > 0) {
 		pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
 		LED_B_ON();
-		cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, data + BigBuf_get_traceLen() - pckLen, pckSize);
+		chunksize = MIN(USB_CMD_DATA_SIZE, packlen); // chunk size 512
 		cmd_send(CMD_ACK, 1, tracelen, chunksize, data + tracelen - packlen, chunksize);		
 		packlen -= chunksize;
 		LED_B_OFF();
 		pckLen -= pckSize;
 		pckNum++;
 	}
 	LED_B_ON();
-	cmd_send(CMD_ACK,2,0,0,0,0);  // 2 == data transfer is finished.
+	cmd_send(CMD_ACK, 2, 0, 0, 0, 0);  // 2 == data transfer finished.
 	LED_B_OFF();
 	clear_trace();
 	return true;
 }
--- a/armsrc/mifaresniff.h
+++ b/armsrc/mifaresniff.h
@ -23,18 +23,12 @@
 #define SNF_INIT			0
 #define SNF_NO_FIELD		1
-#define SNF_WUPREQ			2
+#define SNF_ATQA			2
-#define SNF_ATQA			3
+#define SNF_UID				3
-#define SNF_ANTICOL1		4
+#define SNF_SAK				4
-#define SNF_UID1			5
+#define SNF_CARD_IDLE		5
-#define SNF_ANTICOL2		6
+#define SNF_CARD_CMD		6
-#define SNF_UID2			7
+#define SNF_MAGIC_WUPC2		7
 #define SNF_ANTICOL3		8
 #define SNF_UID3			9
 #define SNF_SAK				10
 #define SNF_CARD_IDLE		11
 #define SNF_CARD_CMD		12
 #define SNF_CARD_RESP		13
 #define SNF_UID_4			0
 #define SNF_UID_7			0
@ -42,8 +36,7 @@
 void MfSniffInit(void);
 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader);
-bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs);
+void RAMFUNC MfSniffSend(void);
 bool intMfSniffSend();
 void MfSniffEnd(void);
 #endif
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -2913,7 +2913,7 @@ static command_t CommandTable[] = {
 	{"nested",		CmdHF14AMfNested,		0, "Nested attack. Test nested authentication"},
 	{"hardnested", 	CmdHF14AMfNestedHard, 	0, "Nested attack for hardened Mifare cards"},
 	{"keybrute",	CmdHF14AMfKeyBrute,		0, "J_Run's 2nd phase of multiple sector nested authentication key recovery"},
-	{"sniff",		CmdHF14AMfSniff,		0, "Sniff card-reader communication"},
+//	{"sniff",		CmdHF14AMfSniff,		0, "Sniff card-reader communication"},
 	{"sim",			CmdHF14AMf1kSim,		0, "Simulate MIFARE card"},
 	{"eclr",		CmdHF14AMfEClear,		0, "Clear simulator memory block"},
 	{"eget",		CmdHF14AMfEGet,			0, "Get simulator memory block"},
--- a/client/cmdhfmf.h
+++ b/client/cmdhfmf.h
@ -46,7 +46,7 @@ extern int CmdHF14AMfChk(const char* cmd);
 extern int CmdHF14AMifare(const char* cmd);
 extern int CmdHF14AMfNested(const char* cmd);
 extern int CmdHF14AMfNestedHard(const char *Cmd);
-extern int CmdHF14AMfSniff(const char* cmd);
+//extern int CmdHF14AMfSniff(const char* cmd);
 extern int CmdHF14AMf1kSim(const char* cmd);
 extern int CmdHF14AMfKeyBrute(const char *Cmd);
 extern int CmdHF14AMfEClear(const char* cmd);
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@ -697,26 +697,25 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
 		}
 		// READ
-		if ((len ==4) && ((data[0] == ISO14443A_CMD_READBLOCK))) {
+		if ((len == 4) && ((data[0] == ISO14443A_CMD_READBLOCK))) {
 			traceState = TRACE_READ_DATA;
 			traceCurBlock = data[1];
 			return 0;
 		}
 		// WRITE
-		if ((len ==4) && ((data[0] == ISO14443A_CMD_WRITEBLOCK))) {
+		if ((len == 4) && ((data[0] == ISO14443A_CMD_WRITEBLOCK))) {
 			traceState = TRACE_WRITE_OK;
 			traceCurBlock = data[1];
 			return 0;
 		}
 		// HALT
-		if ((len ==4) && ((data[0] == ISO14443A_CMD_HALT) && (data[1] == 0x00))) {
+		if ((len == 4) && ((data[0] == ISO14443A_CMD_HALT) && (data[1] == 0x00))) {
 			traceState = TRACE_ERROR;  // do not decrypt the next commands
 			return 0;
 		}
 		return 0;
 	break;
 	case TRACE_READ_DATA: 
 		if (len == 18) {
@ -812,10 +811,12 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
 			// set cryptosystem state
 			traceCrypto1 = lfsr_recovery64(ks2, ks3);			
-			return 0;
+
 		} else {
 			printf("[!] nested key recovery not implemented!\n");
 			at_enc = bytes_to_num(data, 4);
 			crypto1_destroy(traceCrypto1);			
 			traceState = TRACE_ERROR;
 			return 1;
 		}
 		break;
 	default: