fix 'hf iclass reader' and 'hf iclass readblk'

* don't do READCHECK when not trying to authenticate * standard LED handling * remove unused FLAG_ICLASS_READER_ONLY_ONCE and FLAG_ICLASS_READER_ONE_TRY * sanity check for negative times in TransmitTo15693Tag() * increase reader timeout for 'hf 15' functions to be enough for slot 7 answers to ACTALL * add 'hf iclass permute' inspired by RRG repository * whitespace fixes
2025-07-06 13:11:18 -07:00 · 2019-10-27 16:51:27 +01:00 · 2019-10-27 16:51:27 +01:00 · ece38ef311
commit ece38ef311
parent a3bef9863b
9 changed files with 674 additions and 582 deletions
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -1327,8 +1327,11 @@ void UsbPacketReceived(uint8_t *packet, int len)
 		case CMD_ICLASS_READBLOCK:
 			iClass_ReadBlk(c->arg[0]);
 			break;
-		case CMD_ICLASS_AUTHENTICATION: //check
+		case CMD_ICLASS_CHECK:
-			iClass_Authentication(c->d.asBytes);
+			iClass_Check(c->d.asBytes);
 			break;
 		case CMD_ICLASS_READCHECK:
 			iClass_Readcheck(c->arg[0], c->arg[1]);
 			break;
 		case CMD_ICLASS_DUMP:
 			iClass_Dump(c->arg[0], c->arg[1]);
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@ -63,9 +63,9 @@
 // 56,64us = 24 ssp_clk_cycles
 #define DELAY_ICLASS_VCD_TO_VICC_SIM     (140 - 24)
 // times in ssp_clk_cycles @ 3,3625MHz when acting as reader
-#define DELAY_ICLASS_VICC_TO_VCD_READER	 DELAY_ISO15693_VICC_TO_VCD_READER
+#define DELAY_ICLASS_VICC_TO_VCD_READER  DELAY_ISO15693_VICC_TO_VCD_READER
 // times in samples @ 212kHz when acting as reader
-#define ICLASS_READER_TIMEOUT_ACTALL     330 // 1558us, nominal 330us + 7slots*160us = 1450us         
+#define ICLASS_READER_TIMEOUT_ACTALL     330 // 1558us, nominal 330us + 7slots*160us = 1450us
 #define ICLASS_READER_TIMEOUT_OTHERS      80 // 380us, nominal 330us
@ -695,7 +695,6 @@ void RAMFUNC SnoopIClass(void) {
 			if (OutOfNDecoding((smpl & 0xF0) >> 4)) {
 				rsamples = samples - Uart.samples;
 				time_stop = (GetCountSspClk()-time_0) << 4;
 				LED_C_ON();
 				//if (!LogTrace(Uart.output, Uart.byteCnt, rsamples, Uart.parityBits,true)) break;
 				//if (!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, true)) break;
@ -708,7 +707,6 @@ void RAMFUNC SnoopIClass(void) {
 				/* And also reset the demod code, which might have been */
 				/* false-triggered by the commands from the reader. */
 				Demod.state = DEMOD_UNSYNCD;
 				LED_B_OFF();
 				Uart.byteCnt = 0;
 			} else {
 				time_start = (GetCountSspClk()-time_0) << 4;
@ -722,7 +720,6 @@ void RAMFUNC SnoopIClass(void) {
 				time_stop = (GetCountSspClk()-time_0) << 4;
 				rsamples = samples - Demod.samples;
 				LED_B_ON();
 				uint8_t parity[MAX_PARITY_SIZE];
 				GetParity(Demod.output, Demod.len, parity);
@ -732,7 +729,6 @@ void RAMFUNC SnoopIClass(void) {
 				memset(&Demod, 0, sizeof(Demod));
 				Demod.output = tagToReaderResponse;
 				Demod.state = DEMOD_UNSYNCD;
 				LED_C_OFF();
 			} else {
 				time_start = (GetCountSspClk()-time_0) << 4;
 			}
@ -1341,7 +1337,7 @@ static void ReaderTransmitIClass(uint8_t *frame, int len, uint32_t *start_time)
 }
-static bool sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, size_t max_resp_size, 
+static bool sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, size_t max_resp_size,
 										  uint8_t expected_size, uint8_t retries, uint32_t start_time, uint32_t *eof_time) {
 	while (retries-- > 0) {
 		ReaderTransmitIClass(command, cmdsize, &start_time);
@ -1353,39 +1349,31 @@ static bool sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint
 }
 /**
- * @brief Talks to an iclass tag, sends the commands to get CSN and CC.
+ * @brief Selects an iclass tag
- * @param card_data where the CSN and CC are stored for return
+ * @param card_data where the CSN is stored for return
- * @return 0 = fail
+ * @return false = fail
- *         1 = Got CSN
+ *         true = success
 *         2 = Got CSN and CC
 */
-static uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time) {
+static bool selectIclassTag(uint8_t *card_data, uint32_t *eof_time) {
 	uint8_t act_all[]      = { 0x0a };
 	uint8_t identify[]     = { 0x0c };
 	uint8_t select[]       = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 	uint8_t readcheck_cc[] = { 0x88, 0x02 };
 	if (use_credit_key)
 		readcheck_cc[0] = 0x18;
 	else
 		readcheck_cc[0] = 0x88;
 	uint8_t resp[ICLASS_BUFFER_SIZE];
 	uint8_t read_status = 0;
 	uint32_t start_time = GetCountSspClk();
 	// Send act_all
 	ReaderTransmitIClass(act_all, 1, &start_time);
 	// Card present?
-	if (GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_ACTALL, eof_time) < 0) return read_status;//Fail
+	if (GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_ACTALL, eof_time) < 0) return false;//Fail
-	
+
 	//Send Identify
 	start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 	ReaderTransmitIClass(identify, 1, &start_time);
 	// FpgaDisableTracing(); // DEBUGGING
 	//We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
 	uint8_t len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
-	if (len != 10) return read_status;//Fail
+	if (len != 10) return false;//Fail
 	//Copy the Anti-collision CSN to our select-packet
 	memcpy(&select[1], resp, 8);
@ -1394,54 +1382,33 @@ static uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key, u
 	ReaderTransmitIClass(select, sizeof(select), &start_time);
 	//We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
 	len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
-	if (len != 10) return read_status;//Fail
+	if (len != 10) return false;//Fail
-	//Success - level 1, we got CSN
+	//Success - we got CSN
 	//Save CSN in response data
 	memcpy(card_data, resp, 8);
-	//Flag that we got to at least stage 1, read CSN
+	return true;
 	read_status = 1;
 	// Card selected, now read e-purse (cc) (only 8 bytes no CRC)
 	start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 	ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc), &start_time);
 	if (GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time) == 8) {
 		//Save CC (e-purse) in response data
 		memcpy(card_data+8, resp, 8);
 		read_status++;
 	}
 	return read_status;
 }
 static uint8_t handshakeIclassTag(uint8_t *card_data, uint32_t *eof_time) {
 	return handshakeIclassTag_ext(card_data, false, eof_time);
 }
-// Reader iClass Anticollission
+// Select an iClass tag and read all blocks which are always readable without authentication
 void ReaderIClass(uint8_t arg0) {
 	LED_A_ON();
 	uint8_t card_data[6 * 8] = {0};
 	memset(card_data, 0xFF, sizeof(card_data));
 	uint8_t last_csn[8] = {0,0,0,0,0,0,0,0};
 	uint8_t resp[ICLASS_BUFFER_SIZE];
 	memset(resp, 0xFF, sizeof(resp));
 	//Read conf block CRC(0x01) => 0xfa 0x22
-	uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22};
+	uint8_t readConf[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22};
 	//Read e-purse block CRC(0x02) => 0x61 0x10
 	uint8_t readEpurse[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x02, 0x61, 0x10};
 	//Read App Issuer Area block CRC(0x05) => 0xde  0x64
-	uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
+	uint8_t readAA[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
 	int read_status= 0;
 	uint8_t result_status = 0;
 	// flag to read until one tag is found successfully
 	bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
 	// flag to only try 5 times to find one tag then return
 	bool try_once = arg0 & FLAG_ICLASS_READER_ONE_TRY;
 	// if neither abort_after_read nor try_once then continue reading until button pressed.
 	bool use_credit_key = arg0 & FLAG_ICLASS_READER_CEDITKEY;
 	// test flags for what blocks to be sure to read
 	uint8_t flagReadConfig = arg0 & FLAG_ICLASS_READER_CONF;
 	uint8_t flagReadCC = arg0 & FLAG_ICLASS_READER_CC;
@ -1454,93 +1421,57 @@ void ReaderIClass(uint8_t arg0) {
 	StartCountSspClk();
 	uint32_t start_time = 0;
 	uint32_t eof_time = 0;
 	if (selectIclassTag(resp, &eof_time)) {
 		result_status = FLAG_ICLASS_READER_CSN;
 		memcpy(card_data, resp, 8);
 	}
-	uint16_t tryCnt = 0;
+	start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
-	bool userCancelled = BUTTON_PRESS() || usb_poll_validate_length();
+	
-	while (!userCancelled) {
+	//Read block 1, config
-		// if only looking for one card try 2 times if we missed it the first time
+	if (flagReadConfig) {
-		if (try_once && tryCnt > 2) {
+		if (sendCmdGetResponseWithRetries(readConf, sizeof(readConf), resp, sizeof(resp), 10, 10, start_time, &eof_time)) {
-			break;
+			result_status |= FLAG_ICLASS_READER_CONF;
 			memcpy(card_data+8, resp, 8);
 		} else {
 			Dbprintf("Failed to read config block");
 		}
 		tryCnt++;
 		if (!get_tracing()) {
 			DbpString("Trace full");
 			break;
 		}
 		WDT_HIT();
 		read_status = handshakeIclassTag_ext(card_data, use_credit_key, &eof_time);
 		if (read_status == 0) continue;
 		if (read_status == 1) result_status = FLAG_ICLASS_READER_CSN;
 		if (read_status == 2) result_status = FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CC;
 		start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 		// handshakeIclass returns CSN|CC, but the actual block
 		// layout is CSN|CONFIG|CC, so here we reorder the data,
 		// moving CC forward 8 bytes
 		memcpy(card_data+16, card_data+8, 8);
 		//Read block 1, config
 		if (flagReadConfig) {
 			if (sendCmdGetResponseWithRetries(readConf, sizeof(readConf), resp, sizeof(resp), 10, 10, start_time, &eof_time)) {
 				result_status |= FLAG_ICLASS_READER_CONF;
 				memcpy(card_data+8, resp, 8);
 			} else {
 				Dbprintf("Failed to dump config block");
 			}
 			start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 		}
 		//Read block 5, AA
 		if (flagReadAA) {
 			if (sendCmdGetResponseWithRetries(readAA, sizeof(readAA), resp, sizeof(resp), 10, 10, start_time, &eof_time)) {
 				result_status |= FLAG_ICLASS_READER_AA;
 				memcpy(card_data + (8*5), resp, 8);
 			} else {
 				//Dbprintf("Failed to dump AA block");
 			}
 		}
 		// 0 : CSN
 		// 1 : Configuration
 		// 2 : e-purse
 		// 3 : kd / debit / aa2 (write-only)
 		// 4 : kc / credit / aa1 (write-only)
 		// 5 : AIA, Application issuer area
 		//Then we can 'ship' back the 6 * 8 bytes of data,
 		// with 0xFF:s in block 3 and 4.
 		LED_B_ON();
 		//Send back to client, but don't bother if we already sent this -
 		//  only useful if looping in arm (not try_once && not abort_after_read)
 		if (memcmp(last_csn, card_data, 8) != 0) {
 			// If caller requires that we get Conf, CC, AA, continue until we got it
 			if ( (result_status ^ FLAG_ICLASS_READER_CSN ^ flagReadConfig ^ flagReadCC ^ flagReadAA) == 0) {
 				cmd_send(CMD_ACK, result_status, 0, 0, card_data, sizeof(card_data));
 				if (abort_after_read) {
 					FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 					LED_A_OFF();
 					LED_B_OFF();
 					return;
 				}
 				//Save that we already sent this....
 				memcpy(last_csn, card_data, 8);
 			}
 		}
 		LED_B_OFF();
 		userCancelled = BUTTON_PRESS() || usb_poll_validate_length();
 	}
-	if (userCancelled) {
+
-		cmd_send(CMD_ACK, 0xFF, 0, 0, card_data, 0);
+	//Read block 2, e-purse
-	} else {
+	if (flagReadCC) {
-		cmd_send(CMD_ACK, 0, 0, 0, card_data, 0);
+		if (sendCmdGetResponseWithRetries(readEpurse, sizeof(readEpurse), resp, sizeof(resp), 10, 10, start_time, &eof_time)) {
 			result_status |= FLAG_ICLASS_READER_CC;
 			memcpy(card_data + (8*2), resp, 8);
 		} else {
 			Dbprintf("Failed to read e-purse");
 		}
 		start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 	}
 	//Read block 5, AA
 	if (flagReadAA) {
 		if (sendCmdGetResponseWithRetries(readAA, sizeof(readAA), resp, sizeof(resp), 10, 10, start_time, &eof_time)) {
 			result_status |= FLAG_ICLASS_READER_AA;
 			memcpy(card_data + (8*5), resp, 8);
 		} else {
 			Dbprintf("Failed to read AA block");
 		}
 	}
 	cmd_send(CMD_ACK, result_status, 0, 0, card_data, sizeof(card_data));
 	LED_A_OFF();
 }
 void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
 	LED_A_ON();
 	bool use_credit_key = false;
 	uint8_t card_data[USB_CMD_DATA_SIZE]={0};
 	uint16_t block_crc_LUT[255] = {0};
@ -1551,6 +1482,9 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
 	}
 	//Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]);
 	uint8_t readcheck_cc[] = { ICLASS_CMD_READCHECK_KD, 0x02 };
 	if (use_credit_key)
 		readcheck_cc[0] = ICLASS_CMD_READCHECK_KC;
 	uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 	uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
@ -1575,7 +1509,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
 	StartCountSspClk();
 	uint32_t start_time = 0;
 	uint32_t eof_time = 0;
-	
+
 	while (!BUTTON_PRESS()) {
 		WDT_HIT();
@ -1585,34 +1519,33 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
 			break;
 		}
-		uint8_t read_status = handshakeIclassTag(card_data, &eof_time);
+		if (!selectIclassTag(card_data, &eof_time)) continue;
 		start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 		if (!sendCmdGetResponseWithRetries(readcheck_cc, sizeof(readcheck_cc), resp, sizeof(resp), 8, 3, start_time, &eof_time)) continue;
-		if (read_status < 2) continue;
+		// replay captured auth (cc must not have been updated)
 		//for now replay captured auth (as cc not updated)
 		memcpy(check+5, MAC, 4);
 		start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 		if (!sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 5, start_time, &eof_time)) {
 			start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 			Dbprintf("Error: Authentication Fail!");
 			continue;
 		}
 		start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 		//first get configuration block (block 1)
 		crc = block_crc_LUT[1];
 		read[1] = 1;
 		read[2] = crc >> 8;
 		read[3] = crc & 0xff;
 		start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 		if (!sendCmdGetResponseWithRetries(read, sizeof(read), resp, sizeof(resp), 10, 10, start_time, &eof_time)) {
 			start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 			Dbprintf("Dump config (block 1) failed");
 			continue;
 		}
 		start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 		mem = resp[5];
 		memory.k16 = (mem & 0x80);
 		memory.book = (mem & 0x20);
@ -1633,8 +1566,8 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
 			read[2] = crc >> 8;
 			read[3] = crc & 0xff;
 			start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 			if (sendCmdGetResponseWithRetries(read, sizeof(read), resp, sizeof(resp), 10, 10, start_time, &eof_time)) {
 				start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 				Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
 						block, resp[0], resp[1], resp[2],
 						resp[3], resp[4], resp[5],
@ -1683,19 +1616,33 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
 			 0);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LED_D_OFF();
 	LED_A_OFF();
 }
-void iClass_Authentication(uint8_t *MAC) {
+
-	uint8_t check[] = { ICLASS_CMD_CHECK_KD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+void iClass_Check(uint8_t *MAC) {
-	uint8_t resp[ICLASS_BUFFER_SIZE];
+	uint8_t check[9] = {ICLASS_CMD_CHECK_KD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
 	uint8_t resp[4];
 	memcpy(check+5, MAC, 4);
 	bool isOK;
 	uint32_t eof_time;
-	isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 6, 0, &eof_time);
+	bool isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 6, 0, &eof_time);
-	cmd_send(CMD_ACK,isOK, 0, 0, 0, 0);
+	cmd_send(CMD_ACK, isOK, 0, 0, resp, sizeof(resp));
 }
 void iClass_Readcheck(uint8_t block, bool use_credit_key) {
 	uint8_t readcheck[2] = {ICLASS_CMD_READCHECK_KD, block};
 	if (use_credit_key) {
 		readcheck[0] = ICLASS_CMD_READCHECK_KC;
 	}
 	uint8_t resp[8];
 	uint32_t eof_time;
 	bool isOK = sendCmdGetResponseWithRetries(readcheck, sizeof(readcheck), resp, sizeof(resp), 8, 6, 0, &eof_time);
 	cmd_send(CMD_ACK, isOK, 0, 0, resp, sizeof(resp));
 }
 static bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) {
 	uint8_t readcmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockNo, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
 	char bl = blockNo;
@ -1705,23 +1652,32 @@ static bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) {
 	uint8_t resp[10];
 	bool isOK = false;
 	uint32_t eof_time;
-	
+
 	//readcmd[1] = blockNo;
 	isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd), resp, sizeof(resp), 10, 10, 0, &eof_time);
 	memcpy(readdata, resp, sizeof(resp));
 	return isOK;
 }
 void iClass_ReadBlk(uint8_t blockno) {
 	LED_A_ON();
 	uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
 	bool isOK = false;
 	isOK = iClass_ReadBlock(blockno, readblockdata);
 	cmd_send(CMD_ACK, isOK, 0, 0, readblockdata, 8);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LED_D_OFF();
 	LED_A_OFF();
 }
 void iClass_Dump(uint8_t blockno, uint8_t numblks) {
 	LED_A_ON();
 	uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
 	bool isOK = false;
 	uint8_t blkCnt = 0;
@ -1751,12 +1707,19 @@ void iClass_Dump(uint8_t blockno, uint8_t numblks) {
 	}
 	//return pointer to dump memory in arg3
 	cmd_send(CMD_ACK, isOK, blkCnt, BigBuf_max_traceLen(), 0, 0);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LEDsoff();
+	LED_D_OFF();
 	BigBuf_free();
 	LED_A_OFF();
 }
 static bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) {
 	LED_A_ON();
 	uint8_t write[] = { ICLASS_CMD_UPDATE, blockNo, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 	//uint8_t readblockdata[10];
 	//write[1] = blockNo;
@ -1768,7 +1731,7 @@ static bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) {
 	uint8_t resp[10];
 	bool isOK = false;
 	uint32_t eof_time = 0;
-	
+
 	isOK = sendCmdGetResponseWithRetries(write, sizeof(write), resp, sizeof(resp), 10, 10, 0, &eof_time);
 	uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
 	if (isOK) { //if reader responded correctly
@ -1780,10 +1743,17 @@ static bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) {
 			}
 		}
 	}
 	LED_A_OFF();
 	return isOK;
 }
 void iClass_WriteBlock(uint8_t blockNo, uint8_t *data) {
 	LED_A_ON();
 	bool isOK = iClass_WriteBlock_ext(blockNo, data);
 	if (isOK){
 		Dbprintf("Write block [%02x] successful", blockNo);
@ -1791,7 +1761,11 @@ void iClass_WriteBlock(uint8_t blockNo, uint8_t *data) {
 		Dbprintf("Write block [%02x] failed", blockNo);
 	}
 	cmd_send(CMD_ACK, isOK, 0, 0, 0, 0);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LED_D_OFF();
 	LED_A_OFF();
 }
 void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) {
@ -1819,5 +1793,6 @@ void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) {
 	cmd_send(CMD_ACK, 1, 0, 0, 0, 0);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LEDsoff();
+	LED_D_OFF();
 	LED_A_OFF();
 }
--- a/armsrc/iclass.h
+++ b/armsrc/iclass.h
@ -15,6 +15,7 @@
 #define ICLASS_H__
 #include <stdint.h>
 #include <stdbool.h>
 #include "common.h" // for RAMFUNC
 extern void RAMFUNC SnoopIClass(void);
@ -22,7 +23,8 @@ extern void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t
 extern void ReaderIClass(uint8_t arg0);
 extern void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC);
 extern void IClass_iso14443A_GetPublic(uint8_t arg0);
-extern void iClass_Authentication(uint8_t *MAC);
+extern void iClass_Readcheck(uint8_t block, bool use_credit_key);
 extern void iClass_Check(uint8_t *MAC);
 extern void iClass_WriteBlock(uint8_t blockNo, uint8_t *data);
 extern void iClass_ReadBlk(uint8_t blockNo);
 extern void iClass_Dump(uint8_t blockno, uint8_t numblks);
--- a/armsrc/iso15693.c
+++ b/armsrc/iso15693.c
@ -132,7 +132,7 @@ void CodeIso15693AsReader(uint8_t *cmd, int n) {
 	// EOF
 	ToSend[++ToSendMax] = 0x20; //0010 + 0000 padding
-	
+
 	ToSendMax++;
 }
@ -249,14 +249,18 @@ void CodeIso15693AsTag(uint8_t *cmd, size_t len) {
 void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time) {
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_FULL_MOD);
-	
+
 	if (*start_time < DELAY_ARM_TO_TAG) {
 		*start_time = DELAY_ARM_TO_TAG;
 	}
 	*start_time = (*start_time - DELAY_ARM_TO_TAG) & 0xfffffff0;
 	while (GetCountSspClk() > *start_time) { // we may miss the intended time
 		*start_time += 16; // next possible time
 	}
-	
+
 	while (GetCountSspClk() < *start_time)
 		/* wait */ ;
@ -275,7 +279,7 @@ void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time) {
 		WDT_HIT();
 	}
 	LED_B_OFF();
-	
+
 	*start_time = *start_time + DELAY_ARM_TO_TAG;
 }
@ -289,7 +293,7 @@ void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time,
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_424K);
 	uint32_t modulation_start_time = *start_time - DELAY_ARM_TO_READER + 3 * 8;  // no need to transfer the unmodulated start of SOF
-	
+
 	while (GetCountSspClk() > (modulation_start_time & 0xfffffff8) + 3) { // we will miss the intended time
 		if (slot_time) {
 			modulation_start_time += slot_time; // use next available slot
@ -298,7 +302,7 @@ void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time,
 		}
 	}
-	while (GetCountSspClk() < (modulation_start_time & 0xfffffff8)) 
+	while (GetCountSspClk() < (modulation_start_time & 0xfffffff8))
 		/* wait */ ;
 	uint8_t shift_delay = modulation_start_time & 0x00000007;
@ -414,7 +418,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 			// DecodeTag->posCount = 2;
 			DecodeTag->state = STATE_TAG_SOF_HIGH;
 			break;
-				
+
 		case STATE_TAG_SOF_HIGH:
 			// waiting for 10 times high. Take average over the last 8
 			if (amplitude > DecodeTag->threshold_sof) {
@ -428,7 +432,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 				}
 			} else { // high phase was too short
 				DecodeTag->posCount = 1;
-				DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
+				DecodeTag->previous_amplitude = amplitude;
 				DecodeTag->state = STATE_TAG_SOF_LOW;
 			}
 			break;
@ -444,18 +448,18 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 				DecodeTag->sum2 = 0;
 				DecodeTag->posCount = 2;
 				DecodeTag->state = STATE_TAG_RECEIVING_DATA;
-				// FpgaDisableTracing(); // DEBUGGING
+				FpgaDisableTracing(); // DEBUGGING
-				// Dbprintf("amplitude = %d, threshold_sof = %d, threshold_half/4 = %d, previous_amplitude = %d", 
+				Dbprintf("amplitude = %d, threshold_sof = %d, threshold_half/4 = %d, previous_amplitude = %d",
-					// amplitude, 
+					amplitude,
-					// DecodeTag->threshold_sof, 
+					DecodeTag->threshold_sof,
-					// DecodeTag->threshold_half/4,
+					DecodeTag->threshold_half/4,
-					// DecodeTag->previous_amplitude); // DEBUGGING
+					DecodeTag->previous_amplitude); // DEBUGGING
 				LED_C_ON();
 			} else {
 				DecodeTag->posCount++;
 				if (DecodeTag->posCount > 13) { // high phase too long
 					DecodeTag->posCount = 0;
-					DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
+					DecodeTag->previous_amplitude = amplitude;
 					DecodeTag->state = STATE_TAG_SOF_LOW;
 					LED_C_OFF();
 				}
@ -478,7 +482,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 						DecodeTag->state = STATE_TAG_EOF;
 					} else {
 						DecodeTag->posCount = 0;
-						DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
+						DecodeTag->previous_amplitude = amplitude;
 						DecodeTag->state = STATE_TAG_SOF_LOW;
 						LED_C_OFF();
 					}
@ -508,7 +512,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 					// logic 0
 					if (DecodeTag->lastBit == SOF_PART1) { // incomplete SOF
 						DecodeTag->posCount = 0;
-						DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
+						DecodeTag->previous_amplitude = amplitude;
 						DecodeTag->state = STATE_TAG_SOF_LOW;
 						LED_C_OFF();
 					} else {
@ -522,7 +526,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 							if (DecodeTag->len > DecodeTag->max_len) {
 								// buffer overflow, give up
 								DecodeTag->posCount = 0;
-								DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
+								DecodeTag->previous_amplitude = amplitude;
 								DecodeTag->state = STATE_TAG_SOF_LOW;
 								LED_C_OFF();
 							}
@ -561,7 +565,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 					DecodeTag->state = STATE_TAG_EOF_TAIL;
 				} else {
 					DecodeTag->posCount = 0;
-					DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
+					DecodeTag->previous_amplitude = amplitude;
 					DecodeTag->state = STATE_TAG_SOF_LOW;
 					LED_C_OFF();
 				}
@ -585,7 +589,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 					return true;
 				} else {
 					DecodeTag->posCount = 0;
-					DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
+					DecodeTag->previous_amplitude = amplitude;
 					DecodeTag->state = STATE_TAG_SOF_LOW;
 					LED_C_OFF();
 				}
@ -598,8 +602,7 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1
 }
-static void DecodeTagInit(DecodeTag_t *DecodeTag, uint8_t *data, uint16_t max_len)
+static void DecodeTagInit(DecodeTag_t *DecodeTag, uint8_t *data, uint16_t max_len) {
 {
 	DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
 	DecodeTag->posCount = 0;
 	DecodeTag->state = STATE_TAG_SOF_LOW;
@ -608,8 +611,7 @@ static void DecodeTagInit(DecodeTag_t *DecodeTag, uint8_t *data, uint16_t max_le
 }
-static void DecodeTagReset(DecodeTag_t *DecodeTag)
+static void DecodeTagReset(DecodeTag_t *DecodeTag) {
 {
 	DecodeTag->posCount = 0;
 	DecodeTag->state = STATE_TAG_SOF_LOW;
 	DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
@ -649,10 +651,10 @@ int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeo
 		samples++;
 		if (samples == 1) {
-		    // DMA has transferred the very first data
+			// DMA has transferred the very first data
 			dma_start_time = GetCountSspClk() & 0xfffffff0;
 		}
-		
+
 		uint16_t tagdata = *upTo++;
 		if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) {                // we have read all of the DMA buffer content.
@ -680,7 +682,7 @@ int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeo
 		}
 		if (samples > timeout && DecodeTag.state < STATE_TAG_RECEIVING_DATA) {
-			ret = -1;	// timeout
+			ret = -1;   // timeout
 			break;
 		}
@ -699,9 +701,9 @@ int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeo
 						- DecodeTag.len * 8 * 8 * 16 // time for byte transfers
 						- 32 * 16  // time for SOF transfer
 						- (DecodeTag.lastBit != SOF_PART2?32*16:0); // time for EOF transfer
-						
+
 	if (DEBUG) Dbprintf("timing: sof_time = %d, eof_time = %d", sof_time, *eof_time);
-	
+
 	LogTrace_ISO15693(DecodeTag.output, DecodeTag.len, sof_time*4, *eof_time*4, NULL, false);
 	return DecodeTag.len;
@ -1089,20 +1091,19 @@ static void BuildIdentifyRequest(void)
 //-----------------------------------------------------------------------------
 void AcquireRawAdcSamplesIso15693(void)
 {
 	LEDsoff();
 	LED_A_ON();
 	uint8_t *dest = BigBuf_get_addr();
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
 	LED_D_ON();
 	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 	BuildIdentifyRequest();
 	// Give the tags time to energize
 	LED_D_ON();
 	SpinDelay(100);
 	// Now send the command
@ -1129,6 +1130,7 @@ void AcquireRawAdcSamplesIso15693(void)
 void SnoopIso15693(void)
 {
 	LED_A_ON();
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	BigBuf_free();
@ -1348,17 +1350,13 @@ static void BuildInventoryResponse(uint8_t *uid)
 //  return: length of received data, or -1 for timeout
 int SendDataTag(uint8_t *send, int sendlen, bool init, int speed, uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, uint32_t *eof_time) {
 	LED_A_ON();
 	LED_B_OFF();
 	LED_C_OFF();
 	if (init) {
 		Iso15693InitReader();
 		StartCountSspClk();
 	}
-	
+
 	int answerLen = 0;
-	
+
 	if (!speed) {
 		// low speed (1 out of 256)
 		CodeIso15693AsReader256(send, sendlen);
@ -1367,18 +1365,13 @@ int SendDataTag(uint8_t *send, int sendlen, bool init, int speed, uint8_t *recv,
 		CodeIso15693AsReader(send, sendlen);
 	}
 	if (start_time == 0) {
 		start_time = GetCountSspClk();
 	}
 	TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
 	// Now wait for a response
 	if (recv != NULL) {
-		answerLen = GetIso15693AnswerFromTag(recv, max_recv_len, DELAY_ISO15693_VCD_TO_VICC_READER * 2, eof_time);
+		answerLen = GetIso15693AnswerFromTag(recv, max_recv_len, ISO15693_READER_TIMEOUT, eof_time);
 	}
 	LED_A_OFF();
 	return answerLen;
 }
@ -1462,9 +1455,8 @@ void SetDebugIso15693(uint32_t debug) {
 // Simulate an ISO15693 reader, perform anti-collision and then attempt to read a sector.
 // all demodulation performed in arm rather than host. - greg
 //---------------------------------------------------------------------------------------
-void ReaderIso15693(uint32_t parameter)
+void ReaderIso15693(uint32_t parameter) {
-{
+
 	LEDsoff();
 	LED_A_ON();
 	set_tracing(true);
@ -1564,9 +1556,8 @@ void ReaderIso15693(uint32_t parameter)
 // Simulate an ISO15693 TAG.
 // For Inventory command: print command and send Inventory Response with given UID
 // TODO: interpret other reader commands and send appropriate response
-void SimTagIso15693(uint32_t parameter, uint8_t *uid)
+void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
-{
+
 	LEDsoff();
 	LED_A_ON();
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
@ -1597,7 +1588,8 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid)
 	}
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LEDsoff();
+	LED_D_OFF();
 	LED_A_OFF();
 }
@ -1605,7 +1597,6 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid)
 // (some manufactures offer a way to read the AFI, though)
 void BruteforceIso15693Afi(uint32_t speed)
 {
 	LEDsoff();
 	LED_A_ON();
 	uint8_t data[6];
@ -1648,17 +1639,19 @@ void BruteforceIso15693Afi(uint32_t speed)
 	Dbprintf("AFI Bruteforcing done.");
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LEDsoff();
+	LED_D_OFF();
 	LED_A_OFF();
 }
 // Allows to directly send commands to the tag via the client
 void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t data[]) {
 	LED_A_ON();
 	int recvlen = 0;
 	uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
 	uint32_t eof_time;
 	LED_A_ON();
 	if (DEBUG) {
 		Dbprintf("SEND:");
@ -1695,17 +1688,16 @@ void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint
 //-----------------------------------------------------------------------------
 // Set the UID to the tag (based on Iceman work).
-void SetTag15693Uid(uint8_t *uid)
+void SetTag15693Uid(uint8_t *uid) {
 {
 	uint8_t cmd[4][9] = {0x00};
 	LED_A_ON();
 	uint8_t cmd[4][9] = {0x00};
 	uint16_t crc;
 	int recvlen = 0;
 	uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
 	uint32_t eof_time;
 	LED_A_ON();
 	// Command 1 : 02213E00000000
 	cmd[0][0] = 0x02;
@ -1767,8 +1759,6 @@ void SetTag15693Uid(uint8_t *uid)
 		cmd_send(CMD_ACK, recvlen>ISO15693_MAX_RESPONSE_LENGTH?ISO15693_MAX_RESPONSE_LENGTH:recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
 	}
 	LED_D_OFF();
 	LED_A_OFF();
 }
--- a/armsrc/iso15693.h
+++ b/armsrc/iso15693.h
@ -21,6 +21,8 @@
 //SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16
 #define DELAY_ISO15693_VCD_TO_VICC_READER 1056 // 1056/3,39MHz = 311.5us from end of command EOF to start of tag response
 #define DELAY_ISO15693_VICC_TO_VCD_READER 1024 // 1024/3.39MHz = 302.1us between end of tag response and next reader command
 // times in samples @ 212kHz when acting as reader
 #define ISO15693_READER_TIMEOUT            330 // 330/212kHz = 1558us, should be even enough for iClass tags responding to ACTALL
 void Iso15693InitReader();
 void CodeIso15693AsReader(uint8_t *cmd, int n);
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
--- a/client/cmdhficlass.h
+++ b/client/cmdhficlass.h
@ -13,28 +13,6 @@
 #define CMDHFICLASS_H__
 int CmdHFiClass(const char *Cmd);
 int CmdHFiClassCalcNewKey(const char *Cmd);
 int CmdHFiClassCloneTag(const char *Cmd);
 int CmdHFiClassDecrypt(const char *Cmd);
 int CmdHFiClassEncryptBlk(const char *Cmd);
 int CmdHFiClassELoad(const char *Cmd);
 int CmdHFiClassList(const char *Cmd);
 int HFiClassReader(const char *Cmd, bool loop, bool verbose);
-int CmdHFiClassReader(const char *Cmd);
+
 int CmdHFiClassReader_Dump(const char *Cmd);
 int CmdHFiClassReader_Replay(const char *Cmd);
 int CmdHFiClassReadKeyFile(const char *filename);
 int CmdHFiClassReadTagFile(const char *Cmd);
 int CmdHFiClass_ReadBlock(const char *Cmd);
 int CmdHFiClass_TestMac(const char *Cmd);
 int CmdHFiClassManageKeys(const char *Cmd);
 int CmdHFiClass_loclass(const char *Cmd);
 int CmdHFiClassSnoop(const char *Cmd);
 int CmdHFiClassSim(const char *Cmd);
 int CmdHFiClassWriteKeyFile(const char *Cmd);
 int CmdHFiClass_WriteBlock(const char *Cmd);
 int CmdHFiClassCheckKeys(const char *Cmd);
 void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize);
 void HFiClassCalcDivKey(uint8_t	*CSN, uint8_t	*KEY, uint8_t *div_key, bool elite);
 #endif
--- a/client/loclass/elite_crack.h
+++ b/client/loclass/elite_crack.h
@ -85,7 +85,7 @@ typedef struct {
 	uint8_t cc_nr[12];
 	uint8_t mac[4];
-}dumpdata;
+} dumpdata;
 /**
 * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac.
--- a/include/usb_cmd.h
+++ b/include/usb_cmd.h
@ -165,7 +165,8 @@ typedef struct{
 #define CMD_ICLASS_READBLOCK                                              0x0396
 #define CMD_ICLASS_WRITEBLOCK                                             0x0397
 #define CMD_ICLASS_EML_MEMSET                                             0x0398
-#define CMD_ICLASS_AUTHENTICATION                                         0x0399
+#define CMD_ICLASS_CHECK                                                  0x0399
 #define CMD_ICLASS_READCHECK                                              0x039A                                         
 // For measurements of the antenna tuning
 #define CMD_MEASURE_ANTENNA_TUNING                                        0x0400
@ -236,13 +237,11 @@ typedef struct{
 // iCLASS reader flags
 #define FLAG_ICLASS_READER_ONLY_ONCE    0x01
 #define FLAG_ICLASS_READER_CC           0x02
 #define FLAG_ICLASS_READER_CSN          0x04
 #define FLAG_ICLASS_READER_CONF         0x08
 #define FLAG_ICLASS_READER_AA           0x10
-#define FLAG_ICLASS_READER_ONE_TRY      0x20
+#define FLAG_ICLASS_READER_CREDITKEY    0x40
 #define FLAG_ICLASS_READER_CEDITKEY     0x40
 // iCLASS simulation modes
 #define ICLASS_SIM_MODE_CSN                   0