Merge branch 'master' of https://github.com/Proxmark/proxmark3

Conflicts:
	armsrc/appmain.c
	armsrc/apps.h

armsrc/appmain.c

@@ -18,6 +18,7 @@
 #include "util.h"
 #include "printf.h"
 #include "string.h"
+
 #include <stdarg.h>
 
 #include "legicrf.h"
@@ -667,7 +668,9 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
 			break;
 		case CMD_SIMULATE_TAG_125K:
+			LED_A_ON();
 			SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
+			LED_A_OFF();
 			break;
 		case CMD_LF_SIMULATE_BIDIR:
 			SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
@@ -805,7 +808,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			MifareUC_Auth2(c->arg[0],c->d.asBytes);
 			break;
 		case CMD_MIFAREU_READCARD:
-			MifareUReadCard(c->arg[0],c->arg[1],c->d.asBytes);
+			MifareUReadCard(c->arg[0], c->arg[1], c->d.asBytes);
                         break;
 		case CMD_MIFAREUC_READCARD:
 			MifareUReadCard(c->arg[0],c->arg[1],c->d.asBytes);

armsrc/apps.h

@@ -39,6 +39,25 @@ uint32_t BigBuf[BIGBUF_SIZE / sizeof(uint32_t)];
 #define FREE_BUFFER_OFFSET 		(CARD_MEMORY_OFFSET + CARD_MEMORY_SIZE)
 #define FREE_BUFFER_SIZE   		(BIGBUF_SIZE - FREE_BUFFER_OFFSET - 1)
 
+/*
+The statements above translates into this :
+BIGBUF_SIZE         = 40000
+TRACE_OFFSET        = 0
+TRACE_SIZE          = 3000
+RECV_CMD_OFFSET     = 3000
+MAX_FRAME_SIZE      = 256
+MAX_PARITY_SIZE     = 32
+RECV_CMD_PAR_OFFSET = 3256
+RECV_RESP_OFFSET    = 3288
+RECV_RESP_PAR_OFFSET= 3544
+CARD_MEMORY_OFFSET  = 3576
+CARD_MEMORY_SIZE    = 4096
+DMA_BUFFER_OFFSET   = 3576
+DMA_BUFFER_SIZE     = 4096
+FREE_BUFFER_OFFSET  = 7672
+FREE_BUFFER_SIZE    = 32327
+ */
+
 extern const uint8_t OddByteParity[256];
 extern uint8_t *trace; // = (uint8_t *) BigBuf;
 extern int traceLen;   // = 0;
@@ -117,6 +136,8 @@ void SetAdcMuxFor(uint32_t whichGpio);
 #define FPGA_HF_SIMULATOR_MODULATE_BPSK				(1<<0)
 #define FPGA_HF_SIMULATOR_MODULATE_212K				(2<<0)
 #define FPGA_HF_SIMULATOR_MODULATE_424K				(4<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT		0x5//101
+
 // Options for ISO14443A
 #define FPGA_HF_ISO14443A_SNIFFER				(0<<0)
 #define FPGA_HF_ISO14443A_TAGSIM_LISTEN				(1<<0)
@@ -179,9 +200,7 @@ void ReaderMifare(bool first_try);
 int32_t dist_nt(uint32_t nt1, uint32_t nt2);
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
 void MifareUReadBlock(uint8_t arg0,uint8_t *datain);
-void MifareUC_Auth1(uint8_t arg0, uint8_t *datain);
+void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain);
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain);
-void MifareUReadCard(uint8_t arg0, int Pages, uint8_t *datain);
 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareUWriteBlock(uint8_t arg0,uint8_t *datain);

armsrc/crapto1.c

@@ -44,12 +44,12 @@ static void quicksort(uint32_t* const start, uint32_t* const stop)
 		else if(*rit > *start)
 			--rit;
 		else
-			*it ^= ( (*it ^= *rit ), *rit ^= *it);
+			*it ^= (*it ^= *rit, *rit ^= *it);
 
 	if(*rit >= *start)
 		--rit;
 	if(rit != start)
-		*rit ^= ( (*rit ^= *start), *start ^= *rit);
+		*rit ^= (*rit ^= *start, *start ^= *rit);
 
 	quicksort(start, rit - 1);
 	quicksort(rit + 1, stop);

armsrc/iclass.c

@@ -687,7 +687,8 @@ void RAMFUNC SnoopIClass(void)
     SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
 	uint32_t time_0 = GetCountSspClk();
-
+	uint32_t time_start = 0;
+	uint32_t time_stop  = 0;
 
     int div = 0;
     //int div2 = 0;
@@ -738,6 +739,7 @@ void RAMFUNC SnoopIClass(void)
 		smpl = decbyter;	
 		if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
 		    rsamples = samples - Uart.samples;
+			time_stop = (GetCountSspClk()-time_0) << 4;
 		    LED_C_ON();
 
 			//if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
@@ -745,7 +747,7 @@ void RAMFUNC SnoopIClass(void)
 			if(tracing)	{
 				uint8_t parity[MAX_PARITY_SIZE];
 				GetParity(Uart.output, Uart.byteCnt, parity);
-				LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, TRUE);
+				LogTrace(Uart.output,Uart.byteCnt, time_start, time_stop, parity, TRUE);
 			}
 
 
@@ -756,6 +758,8 @@ void RAMFUNC SnoopIClass(void)
 		    Demod.state = DEMOD_UNSYNCD;
 		    LED_B_OFF();
 		    Uart.byteCnt = 0;
+		}else{
+			time_start = (GetCountSspClk()-time_0) << 4;
 		}
 		decbyter = 0;
 	}
@@ -763,21 +767,24 @@ void RAMFUNC SnoopIClass(void)
 	if(div > 3) {
 		smpl = decbyte;
 		if(ManchesterDecoding(smpl & 0x0F)) {
-		    rsamples = samples - Demod.samples;
+			time_stop = (GetCountSspClk()-time_0) << 4;
+
+			rsamples = samples - Demod.samples;
 		    LED_B_ON();
 
 			if(tracing)	{
 				uint8_t parity[MAX_PARITY_SIZE];
 				GetParity(Demod.output, Demod.len, parity);
-				LogTrace(Demod.output, Demod.len, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, FALSE);
+				LogTrace(Demod.output, Demod.len, time_start, time_stop, parity, FALSE);
 			}
 
-
 		    // And ready to receive another response.
 		    memset(&Demod, 0, sizeof(Demod));
 			Demod.output = tagToReaderResponse;
 		    Demod.state = DEMOD_UNSYNCD;
 		    LED_C_OFF();
+		}else{
+			time_start = (GetCountSspClk()-time_0) << 4;
 		}
 		
 		div = 0;
@@ -850,57 +857,93 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
     }
 }
 
+static uint8_t encode4Bits(const uint8_t b)
+{
+	uint8_t c = b & 0xF;
+	// OTA, the least significant bits first
+	//         The columns are
+	//               1 - Bit value to send
+	//               2 - Reversed (big-endian)
+	//               3 - Encoded
+	//               4 - Hex values
+
+	switch(c){
+	//                          1       2         3         4
+	  case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55
+	  case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95
+	  case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65
+	  case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5
+	  case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59
+	  case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99
+	  case 9:  return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69
+	  case 8:  return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9
+	  case 7:  return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56
+	  case 6:  return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96
+	  case 5:  return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66
+	  case 4:  return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6
+	  case 3:  return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a
+	  case 2:  return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a
+	  case 1:  return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a
+	  default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa
+
+	}
+}
 
 //-----------------------------------------------------------------------------
 // Prepare tag messages
 //-----------------------------------------------------------------------------
 static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
 {
-	//So far a dummy implementation, not used
+
-	//int lastProxToAirDuration =0;
+	/*
+	 * SOF comprises 3 parts;
+	 * * An unmodulated time of 56.64 us
+	 * * 24 pulses of 423.75 KHz (fc/32)
+	 * * A logic 1, which starts with an unmodulated time of 18.88us
+	 *   followed by 8 pulses of 423.75kHz (fc/32)
+	 *
+	 *
+	 * EOF comprises 3 parts:
+	 * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated
+	 *   time of 18.88us.
+	 * - 24 pulses of fc/32
+	 * - An unmodulated time of 56.64 us
+	 *
+	 *
+	 * A logic 0 starts with 8 pulses of fc/32
+	 * followed by an unmodulated time of 256/fc (~18,88us).
+	 *
+	 * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by
+	 * 8 pulses of fc/32 (also 18.88us)
+	 *
+	 * The mode FPGA_HF_SIMULATOR_MODULATE_424K_8BIT which we use to simulate tag,
+	 * works like this.
+	 * - A 1-bit input to the FPGA becomes 8 pulses on 423.5kHz (fc/32) (18.88us).
+	 * - A 0-bit inptu to the FPGA becomes an unmodulated time of 18.88us
+	 *
+	 * In this mode the SOF can be written as 00011101 = 0x1D
+	 * The EOF can be written as 10111000 = 0xb8
+	 * A logic 1 is 01
+	 * A logic 0 is 10
+	 *
+	 * */
+
 	int i;
 
 	ToSendReset();
 
 	// Send SOF
-	ToSend[++ToSendMax] = 0x00;
+	ToSend[++ToSendMax] = 0x1D;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here
-	ToSend[++ToSendMax] = 0xff;
-	ToSend[++ToSendMax] = 0xff;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0xff;
 
 	for(i = 0; i < len; i++) {
-		int j;
 		uint8_t b = cmd[i];
-
+		ToSend[++ToSendMax] = encode4Bits(b & 0xF); //Least significant half
-		// Data bits
+		ToSend[++ToSendMax] = encode4Bits((b >>4) & 0xF);//Most significant half
-		for(j = 0; j < 8; j++) {
-			if(b & 1) {
-				ToSend[++ToSendMax] = 0x00;
-				ToSend[++ToSendMax] = 0xff;
-			} else {
-				ToSend[++ToSendMax] = 0xff;
-				ToSend[++ToSendMax] = 0x00;
-			}
-			b >>= 1;
-		}
 	}
 
 	// Send EOF
-	ToSend[++ToSendMax] = 0xff;
+	ToSend[++ToSendMax] = 0xB8;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0xff;
-	ToSend[++ToSendMax] = 0xff;
-	ToSend[++ToSendMax] = 0xff;	
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0x00;
-
 	//lastProxToAirDuration  = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
-
 	// Convert from last byte pos to length
 	ToSendMax++;
 }
@@ -913,21 +956,13 @@ static void CodeIClassTagSOF()
 
 	ToSendReset();
 	// Send SOF
-	ToSend[++ToSendMax] = 0x00;
+	ToSend[++ToSendMax] = 0x1D;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0xff;
-	ToSend[++ToSendMax] = 0xff;
-	ToSend[++ToSendMax] = 0xff;
-	ToSend[++ToSendMax] = 0x00;
-	ToSend[++ToSendMax] = 0xff;
-
 //	lastProxToAirDuration  = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
 
-	
 	// Convert from last byte pos to length
 	ToSendMax++;
 }
+
 int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
 /**
  * @brief SimulateIClass simulates an iClass card.
@@ -963,7 +998,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 	else if(simType == 2)
 	{
 
-		uint8_t mac_responses[64] = { 0 };
+		uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
 		Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
 		// In this mode, a number of csns are within datain. We'll simulate each one, one at a time
 		// in order to collect MAC's from the reader. This can later be used in an offlne-attack
@@ -976,6 +1011,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 			memcpy(csn_crc, datain+(i*8), 8);
 			if(doIClassSimulation(csn_crc,1,mac_responses+i*8))
 			{
+				cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
 				return; // Button pressed
 			}
 		}
@@ -997,7 +1033,9 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
  */
 int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
 {
+
 	// CSN followed by two CRC bytes
+	uint8_t response1[] = { 0x0F} ;
 	uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 	uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
 	memcpy(response3,csn,sizeof(response3));
@@ -1020,29 +1058,29 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 	// Reader 81 anticoll. CSN
 	// Tag    CSN
 
-	uint8_t *resp;
+	uint8_t *modulated_response;
-	int respLen;
+	int modulated_response_size;
-	uint8_t* respdata = NULL;
+	uint8_t* trace_data = NULL;
-	int respsize = 0;
+	int trace_data_size = 0;
-	uint8_t sof = 0x0f;
+	//uint8_t sof = 0x0f;
 
-	// Respond SOF -- takes 8 bytes
+	// Respond SOF -- takes 1 bytes
 	uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
 	int resp1Len;
 
 	// Anticollision CSN (rotated CSN)
-	// 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
+	// 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
-	uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
+	uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 2);
 	int resp2Len;
 
 	// CSN
-	// 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
+	// 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
-	uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
+	uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 30);
 	int resp3Len;
 
 	// e-Purse
-	// 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
+	// 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/byte)
-	uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
+	uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 60);
 	int resp4Len;
 
 	// + 1720..
@@ -1089,11 +1127,6 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 	LED_A_ON();
 	bool buttonPressed = false;
 
-	/** Hack  for testing
-	memcpy(reader_mac_buf,csn,8);
-	exitLoop = true;
-	end hack **/
-
 	while(!exitLoop) {
 
 		LED_B_OFF();
@@ -1112,35 +1145,35 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 		// Okay, look at the command now.
 		if(receivedCmd[0] == 0x0a ) {
 			// Reader in anticollission phase
-			resp = resp1; respLen = resp1Len; //order = 1;
+			modulated_response = resp1; modulated_response_size = resp1Len; //order = 1;
-			respdata = &sof;
+			trace_data = response1;
-			respsize = sizeof(sof);
+			trace_data_size = sizeof(response1);
 		} else if(receivedCmd[0] == 0x0c) {
 			// Reader asks for anticollission CSN
-			resp = resp2; respLen = resp2Len; //order = 2;
+			modulated_response = resp2; modulated_response_size = resp2Len; //order = 2;
-			respdata = response2;
+			trace_data = response2;
-			respsize = sizeof(response2);
+			trace_data_size = sizeof(response2);
 			//DbpString("Reader requests anticollission CSN:");
 		} else if(receivedCmd[0] == 0x81) {
 			// Reader selects anticollission CSN.
 			// Tag sends the corresponding real CSN
-			resp = resp3; respLen = resp3Len; //order = 3;
+			modulated_response = resp3; modulated_response_size = resp3Len; //order = 3;
-			respdata = response3;
+			trace_data = response3;
-			respsize = sizeof(response3);
+			trace_data_size = sizeof(response3);
 			//DbpString("Reader selects anticollission CSN:");
 		} else if(receivedCmd[0] == 0x88) {
 			// Read e-purse (88 02)
-			resp = resp4; respLen = resp4Len; //order = 4;
+			modulated_response = resp4; modulated_response_size = resp4Len; //order = 4;
-			respdata = response4;
+			trace_data = response4;
-			respsize = sizeof(response4);
+			trace_data_size = sizeof(response4);
 			LED_B_ON();
 		} else if(receivedCmd[0] == 0x05) {
 			// Reader random and reader MAC!!!
 			// Do not respond
             // We do not know what to answer, so lets keep quiet
-			resp = resp1; respLen = 0; //order = 5;
+			modulated_response = resp1; modulated_response_size = 0; //order = 5;
-			respdata = NULL;
+			trace_data = NULL;
-			respsize = 0;
+			trace_data_size = 0;
 			if (breakAfterMacReceived){
 				// dbprintf:ing ...
 				Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
@@ -1157,9 +1190,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 			}
 		} else if(receivedCmd[0] == 0x00 && len == 1) {
 			// Reader ends the session
-			resp = resp1; respLen = 0; //order = 0;
+			modulated_response = resp1; modulated_response_size = 0; //order = 0;
-			respdata = NULL;
+			trace_data = NULL;
-			respsize = 0;
+			trace_data_size = 0;
 		} else {
 			//#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
 			// Never seen this command before
@@ -1169,9 +1202,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 			receivedCmd[3], receivedCmd[4], receivedCmd[5],
 			receivedCmd[6], receivedCmd[7], receivedCmd[8]);
 			// Do not respond
-			resp = resp1; respLen = 0; //order = 0;
+			modulated_response = resp1; modulated_response_size = 0; //order = 0;
-			respdata = NULL;
+			trace_data = NULL;
-			respsize = 0;
+			trace_data_size = 0;
 		}
 
 		if(cmdsRecvd >  100) {
@@ -1181,9 +1214,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 		else {
 			cmdsRecvd++;
 		}
-
+		/**
-		if(respLen > 0) {
+		A legit tag has about 380us delay between reader EOT and tag SOF.
-			SendIClassAnswer(resp, respLen, 21);
+		**/
+		if(modulated_response_size > 0) {
+			SendIClassAnswer(modulated_response, modulated_response_size, 1);
 			t2r_time = GetCountSspClk();
 		}
 
@@ -1192,9 +1227,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 			GetParity(receivedCmd, len, parity);
 			LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE);
 
-			if (respdata != NULL) {
+			if (trace_data != NULL) {
-				GetParity(respdata, respsize, parity);
+				GetParity(trace_data, trace_data_size, parity);
-				LogTrace(respdata, respsize, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
+				LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
 			}
 			if(!tracing) {
 				DbpString("Trace full");
@@ -1208,6 +1243,8 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 	//Dbprintf("%x", cmdsRecvd);
 	LED_A_OFF();
 	LED_B_OFF();
+	LED_C_OFF();
+
 	if(buttonPressed)
 	{
 		DbpString("Button pressed");
@@ -1220,7 +1257,8 @@ static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
 	int i = 0, d=0;//, u = 0, d = 0;
 	uint8_t b = 0;
 
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
+	//FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K_8BIT);
 
 	AT91C_BASE_SSC->SSC_THR = 0x00;
 	FpgaSetupSsc();
@@ -1244,7 +1282,8 @@ static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
 			AT91C_BASE_SSC->SSC_THR = b;
 		}
 
-		if (i > respLen +4) break;
+//		if (i > respLen +4) break;
+		if (i > respLen +1) break;
 	}
 
 	return 0;

armsrc/iso14443a.c

@@ -1772,7 +1772,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 				Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
 				for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) {	// add valid UID bits before collision point
 					uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
-					uid_resp[uid_resp_bits & 0xf8] |= UIDbit << (uid_resp_bits % 8);
+					uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
 				}
 				uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8);					// next time select the card(s) with a 1 in the collision position
 				uid_resp_bits++;

armsrc/mifarecmd.c

@@ -168,21 +168,21 @@ void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
 	int len = iso14443a_select_card(uid, NULL, &cuid);
 	if(!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("Can't select card");
-		OnError(1);
+		//OnError(1);
 		return;
 		};
         
 	len = mifare_ultra_readblock(cuid, blockNo, dataout);
 	if(len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("Read block error");
-		OnError(2);
+		//OnError(2);
 		return;
 		};
         
 	len = mifare_ultra_halt(cuid);
 	if(len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("Halt error");
-		OnError(3);
+		//OnError(3);
 		return;
 		};
 		
@@ -267,11 +267,11 @@ void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)
 	int count_Pages = 0;
 	byte_t dataout[176] = {0x00};;
 	uint8_t uid[10] = {0x00};
-        uint32_t cuid;
+	uint32_t cuid;
 
-        LED_A_ON();
+	LED_A_ON();
-        LED_B_OFF();
+	LED_B_OFF();
-        LED_C_OFF();
+	LED_C_OFF();
 
 	if (MF_DBGLEVEL >= MF_DBG_ALL) 
 		Dbprintf("Pages %d",Pages);
@@ -284,7 +284,7 @@ void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)
 	if (!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)
 			Dbprintf("Can't select card");
-		OnError(1);
+		//OnError(1);
 		return;
 	}
 	
@@ -295,7 +295,7 @@ void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)
 		if (len) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR)
 				Dbprintf("Read block %d error",i);
-			OnError(2);
+			//OnError(2);
 			return;
 		} else {
 			count_Pages++;
@@ -306,7 +306,7 @@ void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)
 	if (len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)
 			Dbprintf("Halt error");
-		OnError(3);
+		//OnError(3);
 		return;
 	}
 	
@@ -321,8 +321,8 @@ void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)
 		len = 176;
 
 	cmd_send(CMD_ACK, 1, 0, 0, dataout, len);	
-        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-        LEDsoff();
+	LEDsoff();
 }
 
 
@@ -1181,4 +1181,4 @@ void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
 	cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();
-}
+}

client/Makefile

@@ -13,9 +13,9 @@ CXX=g++
 VPATH = ../common
 OBJDIR = obj
 
-LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm -lcrypto
+LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm
 LDFLAGS = $(COMMON_FLAGS)
-CFLAGS = -std=c99 -lcrypto -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4 
+CFLAGS = -std=c99 -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4 
 LUAPLATFORM = generic
 
 ifneq (,$(findstring MINGW,$(platform)))
@@ -94,6 +94,7 @@ CMDSRCS = 	nonce2key/crapto1.c\
 			scripting.c\
 			cmdscript.c\
 			pm3_bitlib.c\
+			aes.c\
 
 
 COREOBJS = $(CORESRCS:%.c=$(OBJDIR)/%.o)

client/aes.h

@@ -0,0 +1,257 @@
+/**
+ * \file aes.h
+ *
+ * \brief AES block cipher
+ *
+ *  Copyright (C) 2006-2014, Brainspark B.V.
+ *
+ *  This file is part of PolarSSL (http://www.polarssl.org)
+ *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *
+ *  All rights reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef POLARSSL_AES_H
+#define POLARSSL_AES_H
+
+#if !defined(POLARSSL_CONFIG_FILE)
+#include "polarssl_config.h"
+#else
+#include POLARSSL_CONFIG_FILE
+#endif
+
+#include <string.h>
+
+#if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
+#include <basetsd.h>
+typedef UINT32 uint32_t;
+#else
+#include <inttypes.h>
+#endif
+
+/* padlock.c and aesni.c rely on these values! */
+#define AES_ENCRYPT     1
+#define AES_DECRYPT     0
+
+#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
+#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
+
+#if !defined(POLARSSL_AES_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          AES context structure
+ *
+ * \note           buf is able to hold 32 extra bytes, which can be used:
+ *                 - for alignment purposes if VIA padlock is used, and/or
+ *                 - to simplify key expansion in the 256-bit case by
+ *                 generating an extra round key
+ */
+typedef struct
+{
+    int nr;                     /*!<  number of rounds  */
+    uint32_t *rk;               /*!<  AES round keys    */
+    uint32_t buf[68];           /*!<  unaligned data    */
+}
+aes_context;
+
+/**
+ * \brief          Initialize AES context
+ *
+ * \param ctx      AES context to be initialized
+ */
+void aes_init( aes_context *ctx );
+
+/**
+ * \brief          Clear AES context
+ *
+ * \param ctx      AES context to be cleared
+ */
+void aes_free( aes_context *ctx );
+
+/**
+ * \brief          AES key schedule (encryption)
+ *
+ * \param ctx      AES context to be initialized
+ * \param key      encryption key
+ * \param keysize  must be 128, 192 or 256
+ *
+ * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_KEY_LENGTH
+ */
+int aes_setkey_enc( aes_context *ctx, const unsigned char *key,
+                    unsigned int keysize );
+
+/**
+ * \brief          AES key schedule (decryption)
+ *
+ * \param ctx      AES context to be initialized
+ * \param key      decryption key
+ * \param keysize  must be 128, 192 or 256
+ *
+ * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_KEY_LENGTH
+ */
+int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
+                    unsigned int keysize );
+
+/**
+ * \brief          AES-ECB block encryption/decryption
+ *
+ * \param ctx      AES context
+ * \param mode     AES_ENCRYPT or AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 if successful
+ */
+int aes_crypt_ecb( aes_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] );
+
+#if defined(POLARSSL_CIPHER_MODE_CBC)
+/**
+ * \brief          AES-CBC buffer encryption/decryption
+ *                 Length should be a multiple of the block
+ *                 size (16 bytes)
+ *
+ * \param ctx      AES context
+ * \param mode     AES_ENCRYPT or AES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_INPUT_LENGTH
+ */
+int aes_crypt_cbc( aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* POLARSSL_CIPHER_MODE_CBC */
+
+#if defined(POLARSSL_CIPHER_MODE_CFB)
+/**
+ * \brief          AES-CFB128 buffer encryption/decryption.
+ *
+ * Note: Due to the nature of CFB you should use the same key schedule for
+ * both encryption and decryption. So a context initialized with
+ * aes_setkey_enc() for both AES_ENCRYPT and AES_DECRYPT.
+ *
+ * \param ctx      AES context
+ * \param mode     AES_ENCRYPT or AES_DECRYPT
+ * \param length   length of the input data
+ * \param iv_off   offset in IV (updated after use)
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful
+ */
+int aes_crypt_cfb128( aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+/**
+ * \brief          AES-CFB8 buffer encryption/decryption.
+ *
+ * Note: Due to the nature of CFB you should use the same key schedule for
+ * both encryption and decryption. So a context initialized with
+ * aes_setkey_enc() for both AES_ENCRYPT and AES_DECRYPT.
+ *
+ * \param ctx      AES context
+ * \param mode     AES_ENCRYPT or AES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful
+ */
+int aes_crypt_cfb8( aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /*POLARSSL_CIPHER_MODE_CFB */
+
+#if defined(POLARSSL_CIPHER_MODE_CTR)
+/**
+ * \brief               AES-CTR buffer encryption/decryption
+ *
+ * Warning: You have to keep the maximum use of your counter in mind!
+ *
+ * Note: Due to the nature of CTR you should use the same key schedule for
+ * both encryption and decryption. So a context initialized with
+ * aes_setkey_enc() for both AES_ENCRYPT and AES_DECRYPT.
+ *
+ * \param ctx           AES context
+ * \param length        The length of the data
+ * \param nc_off        The offset in the current stream_block (for resuming
+ *                      within current cipher stream). The offset pointer to
+ *                      should be 0 at the start of a stream.
+ * \param nonce_counter The 128-bit nonce and counter.
+ * \param stream_block  The saved stream-block for resuming. Is overwritten
+ *                      by the function.
+ * \param input         The input data stream
+ * \param output        The output data stream
+ *
+ * \return         0 if successful
+ */
+int aes_crypt_ctr( aes_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* POLARSSL_CIPHER_MODE_CTR */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* POLARSSL_AES_ALT */
+#include "aes_alt.h"
+#endif /* POLARSSL_AES_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int aes_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aes.h */

client/cmddata.c

@@ -618,7 +618,7 @@ int CmdFSKdemodHID(const char *Cmd)
     uint32_t cardnum = 0;
     if (((hi>>5)&1)==1){//if bit 38 is set then < 37 bit format is used
       uint32_t lo2=0;
-      lo2=(((hi & 15) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
+      lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
       uint8_t idx3 = 1;
       while(lo2>1){ //find last bit set to 1 (format len bit)
         lo2=lo2>>1;
@@ -631,10 +631,6 @@ int CmdFSKdemodHID(const char *Cmd)
         cardnum = (lo>>1)&0xFFFF;
         fc = (lo>>17)&0xFF;
       }
-      if(fmtLen==37){
-        cardnum = (lo>>1)&0x7FFFF;
-        fc = ((hi&0xF)<<12)|(lo>>20);
-      }
       if(fmtLen==34){
         cardnum = (lo>>1)&0xFFFF;
         fc= ((hi&1)<<15)|(lo>>17);
@@ -645,10 +641,10 @@ int CmdFSKdemodHID(const char *Cmd)
       }
     }
     else { //if bit 38 is not set then 37 bit format is used
-      fmtLen= 37;
+      fmtLen = 37;
-      fc =0;
+      fc = 0;
-      cardnum=0;
+      cardnum = 0;
-      if(fmtLen==37){
+      if(fmtLen == 37){
         cardnum = (lo>>1)&0x7FFFF;
         fc = ((hi&0xF)<<12)|(lo>>20);
       }
@@ -870,20 +866,35 @@ int PSKnrzDemod(const char *Cmd){
 // optional arguments - same as CmdpskNRZrawDemod (clock & invert)
 int CmdIndalaDecode(const char *Cmd)
 {
+  uint8_t verbose = 1;
+  int ans;
+  if (strlen(Cmd)>0){
+    if (Cmd[0]=='0'){
+      verbose=0;
+      ans = PSKnrzDemod("32");
+    }else{
+      ans = PSKnrzDemod(Cmd);
+    }
+  } else{ //default to RF/32
+    ans = PSKnrzDemod("32");
+  }
 
-	int ans=PSKnrzDemod(Cmd);
 	if (ans < 0){
-		PrintAndLog("Error1: %d",ans);
+		if (verbose) 
+      PrintAndLog("Error1: %d",ans);
 		return 0;
 	}
 	uint8_t invert=0;
 	ans = indala26decode(DemodBuffer,(size_t *) &DemodBufferLen, &invert);
 	if (ans < 1) {
-		PrintAndLog("Error2: %d",ans);
+		if (verbose)
+      PrintAndLog("Error2: %d",ans);
 		return -1;
 	}
 	char showbits[251];
-	if(invert==1) PrintAndLog("Had to invert bits");
+	if (invert)
+    if (verbose)
+      PrintAndLog("Had to invert bits");
 	//convert UID to HEX
 	uint32_t uid1, uid2, uid3, uid4, uid5, uid6, uid7;
 	int idx;
@@ -947,11 +958,19 @@ int CmdPskClean(const char *Cmd)
 //prints binary found and saves in graphbuffer for further commands
 int CmdpskNRZrawDemod(const char *Cmd)
 {
-	int errCnt= PSKnrzDemod(Cmd);
+  uint8_t verbose = 1;
+  int errCnt;
+  if (strlen(Cmd)>0){
+    if (Cmd[0]=='0')
+      verbose=0;
+  }
+
+  errCnt = PSKnrzDemod(Cmd);
 	//output
 	if (errCnt<0) return 0;
 	if (errCnt>0){
-		PrintAndLog("# Errors during Demoding (shown as 77 in bit stream): %d",errCnt);
+		if (verbose)
+      PrintAndLog("# Errors during Demoding (shown as 77 in bit stream): %d",errCnt);
 	}
 	PrintAndLog("PSK or NRZ demoded bitstream:");
 	// Now output the bitstream to the scrollback by line of 16 bits

client/cmdhf.c

@@ -123,23 +123,28 @@ NXP/Philips CUSTOM COMMANDS
 	40 = Long Range CMD (Standard ISO/TR7003:1990)
 		*/
 
-#define ICLASS_CMD_ACTALL 0x0A
+#define ICLASS_CMD_ACTALL           0x0A
 #define ICLASS_CMD_READ_OR_IDENTIFY 0x0C
-#define ICLASS_CMD_SELECT 0x81
+#define ICLASS_CMD_SELECT           0x81
-#define ICLASS_CMD_PAGESEL 0x84
+#define ICLASS_CMD_PAGESEL          0x84
-#define ICLASS_CMD_READCHECK 0x88
+#define ICLASS_CMD_READCHECK_KD     0x88
-#define ICLASS_CMD_CHECK 0x05
+#define ICLASS_CMD_READCHECK_KC     0x18
-#define ICLASS_CMD_SOF 0x0F
+#define ICLASS_CMD_CHECK            0x05
-#define ICLASS_CMD_HALT 0x00
+#define ICLASS_CMD_DETECT           0x0F
+#define ICLASS_CMD_HALT             0x00
+#define ICLASS_CMD_UPDATE			0x87
+#define ICLASS_CMD_ACT              0x8E
+#define ICLASS_CMD_READ4            0x06
 
-#define ISO14443_CMD_REQA       0x26
+
-#define ISO14443_CMD_READBLOCK  0x30
+#define ISO14443A_CMD_REQA       0x26
-#define ISO14443_CMD_WUPA       0x52
+#define ISO14443A_CMD_READBLOCK  0x30
-#define ISO14443_CMD_ANTICOLL_OR_SELECT     0x93
+#define ISO14443A_CMD_WUPA       0x52
-#define ISO14443_CMD_ANTICOLL_OR_SELECT_2   0x95
+#define ISO14443A_CMD_ANTICOLL_OR_SELECT     0x93
-#define ISO14443_CMD_WRITEBLOCK 0xA0 // or 0xA2 ?
+#define ISO14443A_CMD_ANTICOLL_OR_SELECT_2   0x95
-#define ISO14443_CMD_HALT       0x50
+#define ISO14443A_CMD_WRITEBLOCK 0xA0 // or 0xA2 ?
-#define ISO14443_CMD_RATS       0xE0
+#define ISO14443A_CMD_HALT       0x50
+#define ISO14443A_CMD_RATS       0xE0
 
 #define MIFARE_AUTH_KEYA	    0x60
 #define MIFARE_AUTH_KEYB	    0x61
@@ -175,14 +180,17 @@ NXP/Philips CUSTOM COMMANDS
 #define ISO15693_READ_MULTI_SECSTATUS 0x2C
 
 
+#define ISO_14443A 0
+#define ICLASS     1
+#define ISO_14443B 2
 
 
 void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
 {
 	switch(cmd[0])
 	{
-	case ISO14443_CMD_WUPA:        snprintf(exp,size,"WUPA"); break;
+	case ISO14443A_CMD_WUPA:        snprintf(exp,size,"WUPA"); break;
-	case ISO14443_CMD_ANTICOLL_OR_SELECT:{
+	case ISO14443A_CMD_ANTICOLL_OR_SELECT:{
 		// 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
 		// 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK)
 		if(cmd[2] == 0x70)
@@ -193,7 +201,7 @@ void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
 			snprintf(exp,size,"ANTICOLL"); break;
 		}
 	}
-	case ISO14443_CMD_ANTICOLL_OR_SELECT_2:{
+	case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:{
 		//95 20 = Anticollision of cascade level2
 		//95 70 = Select of cascade level2
 		if(cmd[2] == 0x70)
@@ -204,11 +212,11 @@ void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
 			snprintf(exp,size,"ANTICOLL-2"); break;
 		}
 	}
-	case ISO14443_CMD_REQA:       snprintf(exp,size,"REQA"); break;
+	case ISO14443A_CMD_REQA:       snprintf(exp,size,"REQA"); break;
-	case ISO14443_CMD_READBLOCK:  snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break;
+	case ISO14443A_CMD_READBLOCK:  snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break;
-	case ISO14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break;
+	case ISO14443A_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break;
-	case ISO14443_CMD_HALT:       snprintf(exp,size,"HALT"); break;
+	case ISO14443A_CMD_HALT:       snprintf(exp,size,"HALT"); break;
-	case ISO14443_CMD_RATS:       snprintf(exp,size,"RATS"); break;
+	case ISO14443A_CMD_RATS:       snprintf(exp,size,"RATS"); break;
 	case MIFARE_CMD_INC:          snprintf(exp,size,"INC(%d)",cmd[1]); break;
 	case MIFARE_CMD_DEC:          snprintf(exp,size,"DEC(%d)",cmd[1]); break;
 	case MIFARE_CMD_RESTORE:      snprintf(exp,size,"RESTORE(%d)",cmd[1]); break;
@@ -235,11 +243,15 @@ void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
 		break;
 	}
 	case ICLASS_CMD_SELECT:      snprintf(exp,size,"SELECT"); break;
-	case ICLASS_CMD_PAGESEL:     snprintf(exp,size,"PAGESEL"); break;
+	case ICLASS_CMD_PAGESEL:     snprintf(exp,size,"PAGESEL(%d)", cmd[1]); break;
-	case ICLASS_CMD_READCHECK:   snprintf(exp,size,"READCHECK"); break;
+	case ICLASS_CMD_READCHECK_KC:snprintf(exp,size,"READCHECK[Kc](%d)", cmd[1]); break;
+	case ICLASS_CMD_READCHECK_KD:snprintf(exp,size,"READCHECK[Kd](%d)", cmd[1]); break;
 	case ICLASS_CMD_CHECK:       snprintf(exp,size,"CHECK"); break;
-	case ICLASS_CMD_SOF:         snprintf(exp,size,"SOF"); break;
+	case ICLASS_CMD_DETECT:      snprintf(exp,size,"DETECT"); break;
 	case ICLASS_CMD_HALT:        snprintf(exp,size,"HALT"); break;
+	case ICLASS_CMD_UPDATE:      snprintf(exp,size,"UPDATE(%d)",cmd[1]); break;
+	case ICLASS_CMD_ACT:         snprintf(exp,size,"ACT"); break;
+	case ICLASS_CMD_READ4:       snprintf(exp,size,"READ4(%d)",cmd[1]); break;
 	default:                     snprintf(exp,size,"?"); break;
 	}
 	return;
@@ -272,12 +284,106 @@ void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
 		case ISO15693_LOCK_DSFID           :snprintf(exp, size, "LOCK_DSFID");break;
 		case ISO15693_GET_SYSTEM_INFO      :snprintf(exp, size, "GET_SYSTEM_INFO");break;
 		case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break;
-		default:                     snprintf(exp,size,"?"); break;
+		default:                            snprintf(exp,size,"?"); break;
 		}
 	}
 }
+void annotateIso14443b(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
+{
+	switch(cmd[0]){
+	case ISO14443B_REQB   : snprintf(exp,size,"REQB");break;
+	case ISO14443B_ATTRIB : snprintf(exp,size,"ATTRIB");break;
+	case ISO14443B_HALT   : snprintf(exp,size,"HALT");break;
+	default:                snprintf(exp,size ,"?");break;
+	}
 
-uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool showWaitCycles)
+}
+
+/**
+ * @brief iso14443B_CRC_Ok Checks CRC in command or response
+ * @param isResponse
+ * @param data
+ * @param len
+ * @return  0 : CRC-command, CRC not ok
+ *          1 : CRC-command, CRC ok
+ *          2 : Not crc-command
+ */
+
+uint8_t iso14443B_CRC_check(bool isResponse, uint8_t* data, uint8_t len)
+{
+	uint8_t b1,b2;
+
+	if(len <= 2) return 2;
+
+	ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2);
+	if(b1 != data[len-2] || b2 != data[len-1]) {
+	  return 0;
+	}
+	return 1;
+}
+
+/**
+ * @brief iclass_CRC_Ok Checks CRC in command or response
+ * @param isResponse
+ * @param data
+ * @param len
+ * @return  0 : CRC-command, CRC not ok
+ *	        1 : CRC-command, CRC ok
+ *          2 : Not crc-command
+ */
+uint8_t iclass_CRC_check(bool isResponse, uint8_t* data, uint8_t len)
+{
+	if(len < 4) return 2;//CRC commands (and responses) are all at least 4 bytes
+
+	uint8_t b1, b2;
+
+	if(!isResponse)//Commands to tag
+	{
+		/**
+		  These commands should have CRC. Total length leftmost
+		  4	READ
+		  4 READ4
+		  12 UPDATE - unsecured, ends with CRC16
+		  14 UPDATE - secured, ends with signature instead
+		  4 PAGESEL
+		  **/
+		if(len == 4 || len == 12)//Covers three of them
+		{
+			//Don't include the command byte
+			ComputeCrc14443(CRC_ICLASS, (data+1), len-3, &b1, &b2);
+			return b1 == data[len -2] && b2 == data[len-1];
+		}
+		return 2;
+	}else{
+		/**
+		These tag responses should have CRC. Total length leftmost
+
+		10  READ		data[8] crc[2]
+		34  READ4		data[32]crc[2]
+		10  UPDATE	data[8] crc[2]
+		10 SELECT	csn[8] crc[2]
+		10  IDENTIFY  asnb[8] crc[2]
+		10  PAGESEL   block1[8] crc[2]
+		10  DETECT    csn[8] crc[2]
+
+		These should not
+
+		4  CHECK		chip_response[4]
+		8  READCHECK data[8]
+		1  ACTALL    sof[1]
+		1  ACT	     sof[1]
+
+		In conclusion, without looking at the command; any response
+		of length 10 or 34 should have CRC
+		  **/
+		if(len != 10 && len != 34) return true;
+
+		ComputeCrc14443(CRC_ICLASS, data, len-2, &b1, &b2);
+		return b1 == data[len -2] && b2 == data[len-1];
+	}
+}
+
+uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, uint8_t protocol, bool showWaitCycles)
 {
 	bool isResponse;
 	uint16_t duration, data_len,parity_len;
@@ -332,47 +438,45 @@ uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool sho
 		}
 	}
 	//--- Draw the CRC column
-	bool crcError = false;
+	uint8_t crcStatus = 2;
 
 	if (data_len > 2) {
 		uint8_t b1, b2;
-		if(iclass)
+		if(protocol == ICLASS)
 		{
-			if(!isResponse && data_len == 4 ) {
+			crcStatus = iclass_CRC_check(isResponse, frame, data_len);
-				// Rough guess that this is a command from the reader
-				// For iClass the command byte is not part of the CRC
-				ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2);
-			} else {
-				// For other data.. CRC might not be applicable (UPDATE commands etc.)
-				ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2);
-			}
 
-			if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
+		}else if (protocol == ISO_14443B)
-				crcError = true;
+		{
-			}
+			crcStatus = iso14443B_CRC_check(isResponse, frame, data_len);
-
+		}
-		}else{//Iso 14443a
+		else if (protocol == ISO_14443A){//Iso 14443a
 
 			ComputeCrc14443(CRC_14443_A, frame, data_len-2, &b1, &b2);
 
 			if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
 				if(!(isResponse & (data_len < 6)))
 				{
-						crcError = true;
+						crcStatus = 0;
 				}
 			}
 		}
 	}
-	char *crc = crcError ? "!crc" :"    ";
+	//0 CRC-command, CRC not ok
+	//1 CRC-command, CRC ok
+	//2 Not crc-command
+	char *crc = (crcStatus == 0 ? "!crc" : (crcStatus == 1 ? " ok " : "    "));
 
 	EndOfTransmissionTimestamp = timestamp + duration;
 
 	if(!isResponse)
 	{
-		if(iclass)
+		if(protocol == ICLASS)
 			annotateIclass(explanation,sizeof(explanation),frame,data_len);
-		else 
+		else if (protocol == ISO_14443A)
 			annotateIso14443a(explanation,sizeof(explanation),frame,data_len);
+		else if(protocol == ISO_14443B)
+			annotateIso14443b(explanation,sizeof(explanation),frame,data_len);
 	}
 
 	int num_lines = (data_len - 1)/16 + 1;
@@ -415,9 +519,9 @@ int CmdHFList(const char *Cmd)
 	int tlen = param_getstr(Cmd,0,type);
 	char param = param_getchar(Cmd, 1);
 	bool errors = false;
-	bool iclass = false;
+	uint8_t protocol = 0;
 	//Validate params
-	if(tlen == 0 || (strcmp(type, "iclass") != 0 && strcmp(type,"14a") != 0))
+	if(tlen == 0)
 	{
 		errors = true;
 	}
@@ -425,22 +529,40 @@ int CmdHFList(const char *Cmd)
 	{
 		errors = true;
 	}
+	if(!errors)
+	{
+		if(strcmp(type, "iclass") == 0)
+		{
+			protocol = ICLASS;
+		}else if(strcmp(type, "14a") == 0)
+		{
+			protocol = ISO_14443A;
+		}
+		else if(strcmp(type, "14b") == 0)
+		{
+			protocol = ISO_14443B;
+		}else if(strcmp(type,"raw")== 0)
+		{
+			protocol = -1;//No crc, no annotations
+		}else{
+			errors = true;
+		}
+	}
 
 	if (errors) {
 		PrintAndLog("List protocol data in trace buffer.");
-		PrintAndLog("Usage:  hf list [14a|iclass] [f]");
+		PrintAndLog("Usage:  hf list [14a|14b|iclass] [f]");
 		PrintAndLog("    14a    - interpret data as iso14443a communications");
+		PrintAndLog("    14b    - interpret data as iso14443b communications");
 		PrintAndLog("    iclass - interpret data as iclass communications");
+		PrintAndLog("    raw    - just show raw data");
 		PrintAndLog("    f      - show frame delay times as well");
 		PrintAndLog("");
 		PrintAndLog("example: hf list 14a f");
 		PrintAndLog("example: hf list iclass");
 		return 0;
 	}
-	if(strcmp(type, "iclass") == 0)
+
-	{
-		iclass = true;
-	}
 
 	if (param == 'f') {
 		showWaitCycles = true;
@@ -463,7 +585,7 @@ int CmdHFList(const char *Cmd)
 
 	while(tracepos < TRACE_SIZE)
 	{
-		tracepos = printTraceLine(tracepos, trace, iclass, showWaitCycles);
+		tracepos = printTraceLine(tracepos, trace, protocol, showWaitCycles);
 	}
 	return 0;
 }

client/cmdhf14a.c

@@ -112,20 +112,15 @@ const manufactureName manufactureMapping[] = {
 // returns description of the best match	
 char* getTagInfo(uint8_t uid) {
 
-	int i, best = -1;	
+	int i;
 	int len = sizeof(manufactureMapping) / sizeof(manufactureName);
 	
-	for ( i = 0; i < len; ++i ) {
+	for ( i = 0; i < len; ++i ) 
-		if ( uid == manufactureMapping[i].uid) {
+		if ( uid == manufactureMapping[i].uid) 
-			if (best == -1) { 
+			return manufactureMapping[i].desc;
-				best = i;
-			} 
-		} 
-	} 
 
-	if (best>=0) return manufactureMapping[best].desc;
+	//No match, return default
-	
+	return manufactureMapping[len-1].desc; 
-	return manufactureMapping[i].desc; 
 }
 
 int CmdHF14AList(const char *Cmd)

client/cmdhflegic.c

@@ -16,7 +16,7 @@
 #include "cmdparser.h"
 #include "cmdhflegic.h"
 #include "cmdmain.h"
-
+#include "util.h"
 static int CmdHelp(const char *Cmd);
 
 static command_t CommandTable[] = 

client/cmdhfmf.c

@@ -662,6 +662,8 @@ int CmdHF14AMfRestore(const char *Cmd)
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
 		if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
+
+			fclose(fkeys);
 			return 2;
 		}
 	}
@@ -669,6 +671,7 @@ int CmdHF14AMfRestore(const char *Cmd)
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
 		if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
+			fclose(fkeys);
 			return 2;
 		}
 	}

client/cmdhw.c

@@ -15,7 +15,6 @@
 #include "ui.h"
 #include "proxmark3.h"
 #include "cmdparser.h"
-#include "cmddata.h"
 #include "cmdhw.h"
 #include "cmdmain.h"
 #include "cmddata.h"

client/cmdlf.c

@@ -19,6 +19,7 @@
 #include "cmdparser.h"
 #include "cmdmain.h"
 #include "cmddata.h"
+#include "util.h"
 #include "cmdlf.h"
 #include "cmdlfhid.h"
 #include "cmdlfti.h"
@@ -565,26 +566,37 @@ int CmdLFfind(const char *Cmd)
 		return 0;
 	}
 
-	if (!offline || (cmdp != '1') ){
+	if (!offline && (cmdp != '1')){
     ans=CmdLFRead("");
-	ans=CmdSamples("20000");
+    ans=CmdSamples("20000");
 	} else if (GraphTraceLen < 1000) {
 		PrintAndLog("Data in Graphbuffer was too small.");
 		return 0;
   }
 
+  PrintAndLog("NOTE: some demods output possible binary\n  if it finds something that looks like a tag");
   PrintAndLog("Checking for known tags:");
-  ans=Cmdaskmandemod("");
-  if (ans>0) return 1;
-  ans=CmdFSKdemodHID("");
-  if (ans>0) return 1;
   ans=CmdFSKdemodIO("");
-  if (ans>0) return 1;
+  if (ans>0) {
+    PrintAndLog("Valid IO Prox ID Found!");
+    return 1;
+  }
+  ans=CmdFSKdemodHID("");
+  if (ans>0) {
+    PrintAndLog("Valid HID Prox ID Found!");
+    return 1;
+  }
   //add psk and indala
-  ans=CmdIndalaDemod("");
+  ans=CmdIndalaDecode("0");
-  if (ans>0) return 1;
+  if (ans>0) {
-  ans=CmdIndalaDemod("224");
+    PrintAndLog("Valid Indala ID Found!");
-  if (ans>0) return 1;
+    return 1;
+  }
+  ans=Cmdaskmandemod("");
+  if (ans>0) {
+    PrintAndLog("Valid EM410x ID Found!");
+    return 1;
+  }
   PrintAndLog("No Known Tags Found!\n");
   return 0;
 }

client/loclass/cipher.c

@@ -1,5 +1,17 @@
 /*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
  * used in iClass, and RFID techology.
  *
  * The implementation is based on the work performed by
@@ -18,9 +30,13 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with IClassCipher.  If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
  ****************************************************************************/
 
+
 #include "cipher.h"
 #include "cipherutils.h"
 #include <stdio.h>

client/loclass/cipher.h

@@ -1,5 +1,17 @@
 /*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
  * used in iClass, and RFID techology.
  *
  * The implementation is based on the work performed by
@@ -18,9 +30,13 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with IClassCipher.  If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
  ****************************************************************************/
 
+
 #ifndef CIPHER_H
 #define CIPHER_H
 #include <stdint.h>

client/loclass/cipherutils.c

@@ -1,5 +1,17 @@
 /*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
  * used in iClass, and RFID techology.
  *
  * The implementation is based on the work performed by
@@ -18,7 +30,10 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with IClassCipher.  If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
  ****************************************************************************/
 
 #include <stdint.h>

client/loclass/cipherutils.h

@@ -1,5 +1,17 @@
 /*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
  * used in iClass, and RFID techology.
  *
  * The implementation is based on the work performed by
@@ -18,9 +30,13 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with IClassCipher.  If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
  ****************************************************************************/
 
+
 #ifndef CIPHERUTILS_H
 #define CIPHERUTILS_H
 #include <stdint.h>

client/loclass/elite_crack.c

@@ -1,3 +1,41 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
+ ****************************************************************************/
+
 #include <stdint.h>
 #include <stdbool.h>
 #include <string.h>
@@ -514,6 +552,7 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
  */
 int bruteforceFile(const char *filename, uint16_t keytable[])
 {
+
 	FILE *f = fopen(filename, "rb");
 	if(!f) {
 		prnlog("Failed to read from file '%s'", filename);
@@ -621,6 +660,21 @@ int _test_iclass_key_permutation()
 	prnlog("[+] Iclass key permutation OK!");
 	return 0;
 }
+int _testHash1()
+{
+    uint8_t csn[8]= {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0};
+    uint8_t k[8] = {0};
+    hash1(csn, k);
+    uint8_t expected[8] = {0x7E,0x72,0x2F,0x40,0x2D,0x02,0x51,0x42};
+    if(memcmp(k,expected,8) != 0)
+    {
+        prnlog("Error with hash1!");
+        printarr("calculated", k, 8);
+        printarr("expected", expected, 8);
+        return 1;
+    }
+    return 0;
+}
 
 int testElite()
 {
@@ -653,11 +707,13 @@ int testElite()
         prnlog("[+] Hash2 looks fine...");
     }
 
-    prnlog("[+] Testing key diversification ...");
-
 	int errors = 0 ;
-	errors +=_test_iclass_key_permutation();
+    prnlog("[+] Testing hash1...");
+    errors += _testHash1();
+    prnlog("[+] Testing key diversification ...");
+    errors +=_test_iclass_key_permutation();
 	errors += _testBruteforce();
+
 	return errors;
 
 }

client/loclass/elite_crack.h

@@ -1,3 +1,42 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
+ ****************************************************************************/
+
+
 #ifndef ELITE_CRACK_H
 #define ELITE_CRACK_H
 void permutekey(uint8_t key[8], uint8_t dest[8]);

client/loclass/fileutils.c

@@ -1,3 +1,41 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
+ ****************************************************************************/
+
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -40,14 +78,13 @@ int saveFile(const char *preferredName, const char *suffix, const void* data, si
 	/*Opening file for writing in binary mode*/
 	FILE *fileHandle=fopen(fileName,"wb");
 	if(!fileHandle) {
-		PrintAndLog("Failed to write to file '%s'", fileName);
+		prnlog("Failed to write to file '%s'", fileName);
 		free(fileName);
 		return 1;
 	}
 	fwrite(data, 1,	datalen, fileHandle);
 	fclose(fileHandle);
-	PrintAndLog("Saved data to '%s'", fileName);
+	prnlog("Saved data to '%s'", fileName);
-
 	free(fileName);
 
 	return 0;

client/loclass/fileutils.h

@@ -1,3 +1,41 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
+ ****************************************************************************/
+
 #ifndef FILEUTILS_H
 #define FILEUTILS_H
 /**

client/loclass/ikeys.c

@@ -1,15 +1,23 @@
 /*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
  * used in iClass, and RFID techology.
  *
  * The implementation is based on the work performed by
  * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
  * Milosch Meriac in the paper "Dismantling IClass".
  *
- * This is a reference implementation of iclass key diversification. I'm sure it can be
- * optimized heavily. It is written for ease of understanding and correctness, please take it
- * and tweak it and make a super fast version instead, using this for testing and verification.
-
  * Copyright (C) 2014 Martin Holst Swende
  *
  * This is free software: you can redistribute it and/or modify
@@ -22,8 +30,12 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with IClassCipher.  If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
  ****************************************************************************/
+
 /**
 
 

client/loclass/ikeys.h

@@ -1,3 +1,41 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
+ ****************************************************************************/
+
 #ifndef IKEYS_H
 #define IKEYS_H
 

client/loclass/loclass_main.h

@@ -0,0 +1,4 @@
+#ifndef LOCLASS_MAIN_H
+#define LOCLASS_MAIN_H
+
+#endif // LOCLASS_MAIN_H

client/loclass/main.c

@@ -1,5 +1,17 @@
 /*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. 
+ * 
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL 
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, 
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. 
+ * 
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. 
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
  * used in iClass, and RFID techology.
  *
  * The implementation is based on the work performed by
@@ -18,11 +30,14 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with IClassCipher.  If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ * 
+ * 
  ****************************************************************************/
 
+
 #include <stdio.h>
-#include <cipherutils.h>
 #include <stdint.h>
 #include <stdbool.h>
 #include <string.h>
@@ -40,11 +55,15 @@ int unitTests()
 	errors += testMAC();
 	errors += doKeyTests(0);
 	errors += testElite();
+    if(errors)
+    {
+        prnlog("OBS! There were errors!!!");
+    }
 	return errors;
 }
 int showHelp()
 {
-	prnlog("Usage: iclazz [options]");
+    prnlog("Usage: loclass [options]");
 	prnlog("Options:");
 	prnlog("-t                 Perform self-test");
 	prnlog("-h                 Show this help");
@@ -64,7 +83,18 @@ int main (int argc, char **argv)
 {
 	prnlog("IClass Cipher version 1.2, Copyright (C) 2014 Martin Holst Swende\n");
 	prnlog("Comes with ABSOLUTELY NO WARRANTY");
-	prnlog("This is free software, and you are welcome to use, abuse and repackage, please keep the credits\n");
+	prnlog("Released as GPLv2\n");
+	prnlog("WARNING");
+	prnlog("");
+	prnlog("THIS TOOL IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. ");
+	prnlog("");
+	prnlog("USAGE OF THIS TOOL IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL ");
+	prnlog("PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, ");
+	prnlog("AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. ");
+	prnlog("");
+	prnlog("THIS TOOL SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. ");
+
+
 	char *fileName = NULL;
 	int c;
 	while ((c = getopt (argc, argv, "thf:")) != -1)

client/lualibs/commands.lua

@@ -49,7 +49,7 @@ local _commands = {
 	CMD_EM4X_WRITE_WORD =                                                0x0219,
 	CMD_IO_DEMOD_FSK =                                                   0x021A,
   CMD_IO_CLONE_TAG =                                                   0x021B,
-  CMD_EM410X_DEMOD =    																							 0x021C,
+	CMD_EM410X_DEMOD = 												     0x021c,
 	--/* CMD_SET_ADC_MUX: ext1 is 0 for lopkd, 1 for loraw, 2 for hipkd, 3 for hiraw */
 
 	--// For the 13.56 MHz tags

client/lualibs/html_dumplib.lua

@@ -49,7 +49,7 @@ end
 
 local function save_TEXT(data,filename)
 	-- Open the output file
-	local outfile = io.open(filename, "wb")
+	local outfile = io.open(filename, "w")
 	if outfile == nil then 
 		return oops(string.format("Could not write to file %s",tostring(filename)))
 	end

client/lualibs/utils.lua

@@ -108,6 +108,24 @@ local Utils =
 		return retval
 	end,
 	
+	-- input parameter is a string
+	-- Swaps the endianess and returns a string,  
+	-- IE:  'cd7a' -> '7acd'  -> 0x7acd
+	SwapEndiannessStr = function(s, len)
+		if s == nil then return nil end
+		if #s == 0 then return '' end
+		if  type(s) ~= 'string' then return nil end
+		
+		local retval
+		if len == 16 then
+			retval = s:sub(3,4)..s:sub(1,2)
+		elseif len == 24 then
+			retval = s:sub(5,6)..s:sub(3,4)..s:sub(1,2)
+		elseif len == 32 then
+			retval = s:sub(7,8)..s:sub(5,6)..s:sub(3,4)..s:sub(1,2)
+		end
+		return retval
+	end,	
 	------------ CONVERSIONS
 	
 	--
@@ -116,7 +134,7 @@ local Utils =
 		local B,K,OUT,I,D=16,"0123456789ABCDEF","",0
 		while IN>0 do
 			I=I+1
-			IN,D=math.floor(IN/B),math.mod(IN,B)+1
+			IN , D = math.floor(IN/B), math.modf(IN,B)+1
 			OUT=string.sub(K,D,D)..OUT
 		end
 		return OUT

client/scripting.c

@@ -18,8 +18,8 @@
 #include "util.h"
 #include "nonce2key/nonce2key.h"
 #include "../common/iso15693tools.h"
-#include <openssl/aes.h>   
 #include "../common/crc16.h"
+#include "aes.h"
 /**
  * The following params expected:
  *  UsbCommand c
@@ -240,10 +240,10 @@ static int l_aes(lua_State *L)
 
     const char *p_encTxt = luaL_checklstring(L, 2, &size);
     
-	unsigned char indata[AES_BLOCK_SIZE] = {0x00};
+	unsigned char indata[16] = {0x00};
-	unsigned char outdata[AES_BLOCK_SIZE] = {0x00};
+	unsigned char outdata[16] = {0x00};
-    unsigned char aes_key[AES_BLOCK_SIZE] = {0x00};
+    unsigned char aes_key[16] = {0x00};
-	unsigned char iv[AES_BLOCK_SIZE] = {0x00};
+	unsigned char iv[16] = {0x00};
 	
 	// convert key to bytearray
 	for (i = 0; i < 32; i += 2) {
@@ -255,10 +255,14 @@ static int l_aes(lua_State *L)
 		sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]);
 	}
 	
-	AES_KEY key;
+	//AES_KEY key;
-	AES_set_decrypt_key(aes_key, 128, &key);
+    //AES_set_decrypt_key(aes_key, 128, &key);
-    AES_cbc_encrypt(indata, outdata, sizeof(indata), &key, iv, AES_DECRYPT);
+    //AES_cbc_encrypt(indata, outdata, sizeof(indata), &key, iv, AES_DECRYPT);
 
+    aes_context ctx;
+    aes_init(&ctx);
+    aes_setkey_enc(&ctx,(const unsigned char *)p_key,128);
+	aes_crypt_cbc(&ctx,AES_DECRYPT,sizeof(indata), iv, indata,outdata );
     //Push decrypted array as a string
 	lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
 	return 1;// return 1 to signal one return value

client/scripts/tnp3dump.lua

@@ -249,17 +249,18 @@ local function main(args)
 		end
 	end 
 	
-	-- Write dump to files
-	if not DEBUG then
-		local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'.bin')
-		print(("Wrote a BIN dump to the file %s"):format(foo))
-		local bar = dumplib.SaveAsText(emldata, outputTemplate..'.eml')
-		print(("Wrote a EML dump to the file %s"):format(bar))
-	end
 
 	local uid = block0:sub(1,8)
 	local itemtype = block1:sub(1,4)
 	local cardid = block1:sub(9,24)
+	
+	-- Write dump to files
+	if not DEBUG then
+		local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'_uid_'..uid..'.bin')
+		print(("Wrote a BIN dump to the file %s"):format(foo))
+		local bar = dumplib.SaveAsText(emldata, outputTemplate..'_uid_'..uid..'.eml')
+		print(("Wrote a EML dump to the file %s"):format(bar))
+	end
 
 	-- Show info 
 	print( string.rep('--',20) )

client/scripts/tnp3sim.lua

@@ -241,18 +241,20 @@ local function main(args)
 	local cmdSetDbgOff = "hf mf dbg 0"
 	core.console( cmdSetDbgOff) 
 	
-	-- Look for tag present on reader,
+	-- if not loadFromDump then
-	result, err = lib14a.read1443a(false)
+		-- -- Look for tag present on reader,
-	if not result then return oops(err)	end
+		-- result, err = lib14a.read1443a(false)
+		-- if not result then return oops(err)	end
 
-	core.clearCommandBuffer()
+		-- core.clearCommandBuffer()
 	
-	if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
+		-- if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
-		return oops('This is not a TNP3xxx tag. aborting.')
+			-- return oops('This is not a TNP3xxx tag. aborting.')
-	end	
+		-- end	
 
-	-- Show tag info
+		-- -- Show tag info
-	print((' Found tag : %s'):format(result.name))
+		-- print((' Found tag : %s'):format(result.name))
+	-- end
 	
 	-- Load dump.bin file
 	print( (' Load data from %s'):format(inputTemplate))
@@ -349,7 +351,7 @@ local function main(args)
 		err = LoadEmulator(blocks)
 		if err then return oops(err) end	
 		core.clearCommandBuffer()
-		print('The simulation is now prepared.\n --> run \"hf mf sim 5 '..uid..'\" <--')
+		print('The simulation is now prepared.\n --> run \"hf mf sim u '..uid..' x\" <--')
 	end
 end
 main(args)

common/cmd.h

@@ -33,8 +33,8 @@
 #ifndef _PROXMARK_CMD_H_
 #define _PROXMARK_CMD_H_
 
-#include <common.h>
+#include "common.h"
-#include <usb_cmd.h>
+#include "usb_cmd.h"
 #include "usb_cdc.h"
 
 bool cmd_receive(UsbCommand* cmd);

common/lfdemod.c

@@ -19,21 +19,9 @@ uint64_t Em410xDecode(uint8_t *BitStream, size_t size)
 	//no arguments needed - built this way in case we want this to be a direct call from "data " cmds in the future
 	//  otherwise could be a void with no arguments
 	//set defaults
-	int high=0, low=128;
 	uint64_t lo=0;
-
 	uint32_t i = 0;
-	uint32_t initLoopMax = 65;
+	if (BitStream[10]>1){  //allow only 1s and 0s
-	if (initLoopMax>size) initLoopMax=size;
-
-	for (;i < initLoopMax; ++i) //65 samples should be plenty to find high and low values
-	{
-		if (BitStream[i] > high)
-			high = BitStream[i];
-		else if (BitStream[i] < low)
-			low = BitStream[i];
-	}
-	if (((high !=1)||(low !=0))){  //allow only 1s and 0s
 		// PrintAndLog("no data found");
 		return 0;
 	}
@@ -51,9 +39,9 @@ uint64_t Em410xDecode(uint8_t *BitStream, size_t size)
 			idx+=9;
 			for (i=0; i<10;i++){
 				for(ii=0; ii<5; ++ii){
-					parityTest += BitStream[(i*5)+ii+idx];
+					parityTest ^= BitStream[(i*5)+ii+idx];
 				}
-				if (parityTest== ((parityTest>>1)<<1)){
+				if (!parityTest){
 					parityTest=0;
 					for (ii=0; ii<4;++ii){
 						lo=(lo<<1LL)|(BitStream[(i*5)+ii+idx]);
@@ -63,7 +51,7 @@ uint64_t Em410xDecode(uint8_t *BitStream, size_t size)
 					//PrintAndLog("DEBUG: EM parity failed parity val: %d, i:%d, ii:%d,idx:%d, Buffer: %d%d%d%d%d",parityTest,i,ii,idx,BitStream[idx+ii+(i*5)-5],BitStream[idx+ii+(i*5)-4],BitStream[idx+ii+(i*5)-3],BitStream[idx+ii+(i*5)-2],BitStream[idx+ii+(i*5)-1]);
 					parityTest=0;
 					idx-=8;
-					if (resetCnt>5)return 0;
+					if (resetCnt>5)return 0; //try 5 times
 					resetCnt++;
 					goto restart;//continue;
 				}
@@ -84,7 +72,7 @@ uint64_t Em410xDecode(uint8_t *BitStream, size_t size)
 int askmandemod(uint8_t *BinStream, size_t *size, int *clk, int *invert)
 {
 	int i;
-	int high = 0, low = 128;
+	int high = 0, low = 255;
 	*clk=DetectASKClock(BinStream, *size, *clk); //clock default
 
 	if (*clk<8) *clk =64;
@@ -100,7 +88,7 @@ int askmandemod(uint8_t *BinStream, size_t *size, int *clk, int *invert)
 		else if (BinStream[i] < low)
 			low = BinStream[i];
 	}
-	if ((high < 158) ){  //throw away static
+	if ((high < 129) ){  //throw away static (anything < 1 graph)
 		//PrintAndLog("no data found");
 		return -2;
 	}
@@ -283,7 +271,7 @@ int askrawdemod(uint8_t *BinStream, size_t *size, int *clk, int *invert)
 {
 	uint32_t i;
 	// int invert=0;  //invert default
-	int high = 0, low = 128;
+	int high = 0, low = 255;
 	*clk=DetectASKClock(BinStream, *size, *clk); //clock default
 	uint8_t BitStream[502] = {0};
 
@@ -300,7 +288,8 @@ int askrawdemod(uint8_t *BinStream, size_t *size, int *clk, int *invert)
 		else if (BinStream[i] < low)
 			low = BinStream[i];
 	}
-	if ((high < 158)){  //throw away static
+	if ((high < 129)){  //throw away static  high has to be more than 0 on graph. 
+													//noise <= -10 here
 		//   PrintAndLog("no data found");
 		return -2;
 	}
@@ -407,21 +396,11 @@ size_t fsk_wave_demod(uint8_t * dest, size_t size, uint8_t fchigh, uint8_t fclow
 {
 	uint32_t last_transition = 0;
 	uint32_t idx = 1;
-	uint32_t maxVal=0;
+	//uint32_t maxVal=0;
 	if (fchigh==0) fchigh=10;
 	if (fclow==0) fclow=8;
-	// we do care about the actual theshold value as sometimes near the center of the
+	//set the threshold close to 0 (graph) or 128 std to avoid static
-	// wave we may get static that changes direction of wave for one value
+	uint8_t threshold_value = 123; 
-	// if our value is too low it might affect the read.  and if our tag or
-	// antenna is weak a setting too high might not see anything. [marshmellow]
-	if (size<100) return 0;
-	for(idx=1; idx<100; idx++){
-		if(maxVal<dest[idx]) maxVal = dest[idx];
-	}
-	// set close to the top of the wave threshold with 25% margin for error
-	// less likely to get a false transition up there.
-	// (but have to be careful not to go too high and miss some short waves)
-	uint8_t threshold_value = (uint8_t)(((maxVal-128)*.75)+128);
 
 	// sync to first lo-hi transition, and threshold
 
@@ -481,7 +460,7 @@ size_t aggregate_bits(uint8_t *dest, size_t size, uint8_t rfLen, uint8_t maxCons
 		if ( dest[idx-1]==1 ) {
 			n=myround2((float)(n+1)/((float)(rfLen)/(float)fclow));
 		} else {// 0->1 crossing
-			n=myround2((float)(n+1)/((float)(rfLen-2)/(float)fchigh));  //-2 for fudge factor
+			n=myround2((float)(n+1)/((float)(rfLen-1)/(float)fchigh));  //-1 for fudge factor
 		}
 		if (n == 0) n = 1;
 
@@ -573,7 +552,7 @@ uint32_t bytebits_to_byte(uint8_t* src, size_t numbits)
 
 int IOdemodFSK(uint8_t *dest, size_t size)
 {
-	static const uint8_t THRESHOLD = 140;
+	static const uint8_t THRESHOLD = 129;
 	uint32_t idx=0;
 	//make sure buffer has data
 	if (size < 66) return -1;
@@ -617,7 +596,7 @@ int DetectASKClock(uint8_t dest[], size_t size, int clock)
 {
 	int i=0;
 	int peak=0;
-	int low=128;
+	int low=255;
 	int clk[]={16,32,40,50,64,100,128,256};
 	int loopCnt = 256;  //don't need to loop through entire array...
 	if (size<loopCnt) loopCnt = size;
@@ -689,7 +668,7 @@ int DetectpskNRZClock(uint8_t dest[], size_t size, int clock)
 {
 	int i=0;
 	int peak=0;
-	int low=128;
+	int low=255;
 	int clk[]={16,32,40,50,64,100,128,256};
 	int loopCnt = 2048;  //don't need to loop through entire array...
 	if (size<loopCnt) loopCnt = size;
@@ -707,8 +686,8 @@ int DetectpskNRZClock(uint8_t dest[], size_t size, int clock)
 			low = dest[i];
 		}
 	}
-	peak=(int)(((peak-128)*.90)+128);
+	peak=(int)(((peak-128)*.75)+128);
-	low= (int)(((low-128)*.90)+128);
+	low= (int)(((low-128)*.75)+128);
 	//PrintAndLog("DEBUG: peak: %d, low: %d",peak,low);
 	int ii;
 	uint8_t clkCnt;
@@ -720,7 +699,7 @@ int DetectpskNRZClock(uint8_t dest[], size_t size, int clock)
 	//test each valid clock from smallest to greatest to see which lines up
 	for(clkCnt=0; clkCnt < 6; ++clkCnt){
 		if (clk[clkCnt] == 32){
-			tol=0;
+			tol=1;
 		}else{
 			tol=0;
 		}
@@ -773,7 +752,7 @@ int DetectpskNRZClock(uint8_t dest[], size_t size, int clock)
 void pskCleanWave(uint8_t *bitStream, size_t size)
 {
 	int i;
-	int low=128;
+	int low=255;
 	int high=0;
 	int gap = 4;
  // int loopMax = 2048;
@@ -815,8 +794,7 @@ int indala26decode(uint8_t *bitStream, size_t *size, uint8_t *invert)
 {
 	//26 bit 40134 format  (don't know other formats)
 	int i;
-	int long_wait;
+	int long_wait=29;//29 leading zeros in format
-	long_wait = 29;//29 leading zeros in format
 	int start;
 	int first = 0;
 	int first2 = 0;
@@ -838,7 +816,6 @@ int indala26decode(uint8_t *bitStream, size_t *size, uint8_t *invert)
 		// did not find start sequence
 		return -1;
 	}
-	//found start once now test length by finding next one
 	// Inverting signal if needed
 	if (first == 1) {
 		for (i = start; i < *size; i++) {
@@ -848,6 +825,7 @@ int indala26decode(uint8_t *bitStream, size_t *size, uint8_t *invert)
 	}else *invert=0;
 
 	int iii;
+	//found start once now test length by finding next one
 	for (ii=start+29; ii <= *size - 250; ii++) {
 		first2 = bitStream[ii];
 		for (iii = ii; iii < ii + long_wait; iii++) {
@@ -883,7 +861,7 @@ int pskNRZrawDemod(uint8_t *dest, size_t *size, int *clk, int *invert)
 	int clk2 = DetectpskNRZClock(dest, *size, *clk);
 	*clk=clk2;
 	uint32_t i;
-	uint8_t high=0, low=128;
+	uint8_t high=0, low=255;
 	uint32_t gLen = *size;
 	if (gLen > 1280) gLen=1280;
 	// get high
@@ -899,7 +877,7 @@ int pskNRZrawDemod(uint8_t *dest, size_t *size, int *clk, int *invert)
 	int lastBit = 0;  //set first clock check
 	uint32_t bitnum = 0;     //output counter
 	uint8_t tol = 0;  //clock tolerance adjust - waves will be accepted as within the clock if they fall + or - this value + clock from last valid wave
-	if (*clk==32)tol=2;    //clock tolerance may not be needed anymore currently set to + or - 1 but could be increased for poor waves or removed entirely
+	if (*clk==32) tol = 2;    //clock tolerance may not be needed anymore currently set to + or - 1 but could be increased for poor waves or removed entirely
 	uint32_t iii = 0;
 	uint8_t errCnt =0;
 	uint32_t bestStart = *size;

common/usb_cdc.h

@@ -35,7 +35,7 @@
 #ifndef _USB_CDC_H_
 #define _USB_CDC_H_
 
-#include <common.h>
+#include "common.h"
 
 void usb_disable();
 void usb_enable();

fpga/hi_simulate.v

@@ -50,12 +50,38 @@ begin
     else if(~(| adc_d[7:5])) after_hysteresis = 1'b0;
 end
 
+
 // Divide 13.56 MHz by 32 to produce the SSP_CLK
 // The register is bigger to allow higher division factors of up to /128
-reg [6:0] ssp_clk_divider;
+reg [10:0] ssp_clk_divider;
+
 always @(posedge adc_clk)
     ssp_clk_divider <= (ssp_clk_divider + 1);
-assign ssp_clk = ssp_clk_divider[4];
+
+reg ssp_clk;
+reg ssp_frame;
+always @(negedge adc_clk)
+begin
+    //If we're in 101, we only need a new bit every 8th carrier bit (53Hz). Otherwise, get next bit at 424Khz
+    if(mod_type == 3'b101)
+    begin
+	if(ssp_clk_divider[7:0] == 8'b00000000)
+	    ssp_clk <= 1'b0;
+	if(ssp_clk_divider[7:0] == 8'b10000000)
+	    ssp_clk <= 1'b1;
+
+    end
+    else
+    begin
+	if(ssp_clk_divider[4:0] == 5'd0)//[4:0] == 5'b00000)
+	    ssp_clk <= 1'b1;
+	if(ssp_clk_divider[4:0] == 5'd16) //[4:0] == 5'b10000)
+	    ssp_clk <= 1'b0;
+    end
+end
+
+
+//assign ssp_clk = ssp_clk_divider[4];
 
 // Divide SSP_CLK by 8 to produce the byte framing signal; the phase of
 // this is arbitrary, because it's just a bitstream.
@@ -69,12 +95,13 @@ reg [2:0] ssp_frame_divider_from_arm;
 always @(negedge ssp_clk)
     ssp_frame_divider_from_arm <= (ssp_frame_divider_from_arm + 1);
 
-reg ssp_frame;
+
+
 always @(ssp_frame_divider_to_arm or ssp_frame_divider_from_arm or mod_type)
     if(mod_type == 3'b000) // not modulating, so listening, to ARM
         ssp_frame = (ssp_frame_divider_to_arm == 3'b000);
     else
-        ssp_frame = (ssp_frame_divider_from_arm == 3'b000);
+	ssp_frame = (ssp_frame_divider_from_arm == 3'b000);
 
 // Synchronize up the after-hysteresis signal, to produce DIN.
 reg ssp_din;
@@ -90,7 +117,7 @@ always @(mod_type or ssp_clk or ssp_dout)
         modulating_carrier <= ssp_dout ^ ssp_clk_divider[3]; // XOR means BPSK
     else if(mod_type == 3'b010)
 	modulating_carrier <= ssp_dout & ssp_clk_divider[5]; // switch 212kHz subcarrier on/off
-    else if(mod_type == 3'b100)
+    else if(mod_type == 3'b100 || mod_type == 3'b101)
 	modulating_carrier <= ssp_dout & ssp_clk_divider[4]; // switch 424kHz modulation on/off
     else
         modulating_carrier <= 1'b0;                           // yet unused
@@ -106,7 +133,7 @@ assign pwr_oe4 = modulating_carrier;
 // This one is always on, so that we can watch the carrier.
 assign pwr_oe3 = 1'b0;
 
-assign dbg = after_hysteresis;
+assign dbg = modulating_carrier;
 //reg dbg;
 //always @(ssp_dout)
 //    dbg <= ssp_dout;

include/usb_cmd.h

@@ -150,10 +150,8 @@ typedef struct {
 
 #define CMD_MIFARE_READBL                                                 0x0620
 #define CMD_MIFAREU_READBL						  0x0720
-
 #define CMD_MIFARE_READSC                                                 0x0621
 #define CMD_MIFAREU_READCARD						  0x0721
-
 #define CMD_MIFARE_WRITEBL                                                0x0622
 #define CMD_MIFAREU_WRITEBL						                          0x0722
 #define CMD_MIFAREU_WRITEBL_COMPAT					                      0x0723