Merge pull request #969 from pwpiwi/gcc10_fixes

Gcc10 fixes

.gitattributes

@@ -1,4 +1,5 @@
 # .gitattributes
 # prevent binary files from CRLF handling, diff and merge:
 fpga/fpga.bit -crlf -diff
- 
+*.bin -crlf -diff
+*.z -crlf -diff

.gitignore

@@ -1,7 +1,9 @@
 # .gitignore
 # don't push these files to the repository
 
+.history
 *.log
+*.eml
 *.o
 *.a
 *.d
@@ -9,15 +11,28 @@
 *.s19
 *.map
 *.bin
+!client/hardnested/*.bin
+!client/sc_upgrade_firmware/*.bin
 *.dll
 *.moc.cpp
+*.z
+!client/hardnested/tables/*.z
+usb_cmd.lua
+version.c
+armsrc/fpga_version_info.c
+client/ui/ui_overlays.h
+*.Td
+.DS_Store
+
 *.exe
-proxmark
+hardnested_stats.txt
 proxmark3
 flasher
-version.c
 lua
 luac
+fpga_compress
+mfkey32
+mfkey64
 
 fpga/*
 !fpga/tests
@@ -30,5 +45,3 @@ fpga/*
 !fpga/xst_hf.scr
 !fpga/go.bat
 !fpga/sim.tcl
-
-

CHANGELOG.md

@@ -0,0 +1,283 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
+
+## [unreleased][unreleased]
+
+### Changed
+- Changed hf mfp security. Now it works in all the modes. (drHatson)
+- `hf fido` - show/check DER certificate and signatures (Merlok)
+- Changed `lf hitag reader 0x ... <firstPage> <tagmode>` - to select first page to read and tagmode (0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED)
+- Accept hitagS con0 tags with memory bits set to 11 and handle like 2048 tag
+
+### Fixed
+- AC-Mode decoding for HitagS
+- Wrong UID at HitagS simulation
+- `hf 15 sim` now works as expected (piwi)
+- `hf mf chk t` save to emulator memory now works as expected (mwalker)
+- Fix `hf mf sim` - wrong access rights to write key B in trailer (@McEloff)
+- allow files > 512Bytes in 'hf iclass eload' (@Sherhannn79)
+- `hf mf nested` now works with fixed nonce tags too (uzlonewolf, piwi)
+ 
+### Added
+- Added to `hf 14a apdu` print apdu and compose apdu (@merlokk)
+- Added `hf 15 csetuid` - set UID on ISO-15693 Magic tags (t0m4)
+- Added `lf config s xxxx` option to allow skipping x samples before capture (marshmellow)
+- Added `lf em 4x05protect` to support changing protection blocks on em4x05 chips (marshmellow)
+- Support Standard Communication Mode in HITAG S
+- Added `hf emv scan` - commands for scan EMV card and dump data to json file (Merlok)
+- `hf mfp` group of commands (Merlok)
+- Added `hf fido` - FIDO U2F authenticator commands https://fidoalliance.org/ (Merlok)
+- Added `lf hitag reader 03` - read block (instead of pages) 
+- Added `lf hitag reader 04` - read block (instead of pages) 
+- Added `hf fido` `assert` and `make` commands from fido2 protocol (authenticatorMakeCredential and authenticatorGetAssertion) (Merlok)
+- Added `lf paradox clone` to clone a Paradox card
+- Added `emv` commands working for both contactless and smart cards (Merlok)
+- Added `hf 15 snoop` (piwi)
+- Added support for standard USB Smartcard Readers (piwi)
+- Added `hf plot` (piwi)
+- Added `hf mfp mad` `hf mf mad` parsing MAD1 and MAD2 (Merlok)
+- Added `hf mfp ndef` `hf mf ndef` parsing NDEF records (Merlok)
+- Added Mifare Mini, Mifare 2K and 4K support to `hf mf sim` (piwi)
+- Added Legic detection to `hf search` (dnet)
+- Added Home (Pos1) and End key bindings to the plot GUI (based on @mcd1992)
+- Added downlink reference mode option r <mode> [ 0 - (or missing) default/fixed bit, 1 - long leading, 2 - leading 0 and 3 - 1 of 4 ] to `lf t55xx detect`, `lf t55xx read`, `lf t55xx write`, and `lf t55xx bruteforce`
+- Added special option `r 4` to bruteforce, to try all downlink modes (0,1,2 and 3) for each password
+- `hf mfu info` now checks the NXP Originality Signature if availabe (piwi)
+- Added `hf mf personalize` to personalize the UID option of Mifare Classic EV1 cards (piwi)
+
+
+## [v3.1.0][2018-10-10]
+
+### Changed
+- Adjusted `lf cmdread` to respond to client when complete and the client will then automatically call `data samples`
+- Improved backdoor detection misbehaving magic s50/1k tag (Fl0-0)
+- Deleted wipe functionality from `hf mf csetuid` (Merlok)
+- Changed `hf mf nested` logic (Merlok)
+- Added `hf mf nested` mode: autosearch keys for attack (from well known keys) (Merlok)
+- `hf mf nested` Check keys after they have found (Merlok)
+- `hf mf chk` Move main cycle to arm (Merlok)
+- Changed proxmark command line parameter `flush` to `-f` or `-flush` (Merlok)
+- Changed `hf 14a reader` to just request-anticolission-select sequence (Merlok)
+- Changed `hf 14a raw` - works with LED's and some exchange logic (Merlok)
+- Changed TLV parser messages to more convenient (Merlok)
+- Rewritten Legic Prime reader (`hf legic reader`, `write` and `fill`) - it is using xcorrelation now (AntiCat)
+- `hf 14a` commands works via argtable3 commandline parsing library (Merlok)
+- HID LF operations on firmware updated for complete native support of long (>37 bit) HID tags (grauerfuchs)
+- Changed Legic Prime tag simulator (`hf legic sim`) to run from 212 kHz SSP clock for better reliability (AntiCat)
+
+### Fixed
+- Changed start sequence in Qt mode (fix: short commands hangs main Qt thread) (Merlok)
+- Changed driver file proxmark3.inf to support both old and new Product/Vendor IDs (piwi)
+- Changed all command line parsers in `hf emv` commands to argtable (Merlok)
+- Implemented AppNap API, fixing #283 and #627 OSX USB comm issues (AntiCat)
+
+### Added
+- Added `sc` smartcard (contact card) commands - reader, info, raw, upgrade, setclock, list (hardware version RDV4.0 only) must turn option on in makefile options (Willok, Iceman, marshmellow)
+- Added a bitbang mode to `lf cmdread` if delay is 0 the cmd bits turn off and on the antenna with 0 and 1 respectively (marshmellow)
+- Added PAC/Stanley detection to lf search (marshmellow)
+- Added lf pac demod and lf pac read - extracts the raw blocks from a PAC/Stanley tag (marshmellow)
+- Added hf mf c* commands compatibility for 4k and gen1b backdoor (Fl0-0)
+- Added backdoor detection for gen1b magic s70/4k tag (Fl0-0)
+- Added data fsktonrz, a fsk cleaning/demodulating routine for weak fsk signal. Note: follow this up with a `data rawdemod nr` to finish demoding your signal. (marshmellow)
+- Added lf em 410xbrute, LF EM410x reader bruteforce attack by simulating UIDs from a file (Fl0-0)
+- Added `hf mf cwipe` command. It wipes "magic Chinese" card. For 1a generation it uses card's "wipe" command. For gen1a and gen1b it uses a write command. (Merlok)
+- Added to `hf mf nested` source key check before attack (Merlok)
+- Added to `hf mf nested` after attack it checks all found keys on non-open sectors (Merlok)
+- `hf mf chk` Added settings to set iso14443a operations timeout. default timeout set to 500us (Merlok)
+- Added to `hf mf nested` parameters `s` and `ss` for checking slow cards (Merlok)
+- Added to proxmark command line parameters `w` - wait 20s for serial port (Merlok)
+- Added to proxmark command line parameters `c` and `l` - execute command and lua script from command line (Merlok)
+- Added to proxmark ability to execute commands from stdin (pipe) (Merlok)
+- Added `hf 14a info` and moved there functionality from `hf 14a reader` (Merlok)
+- Added to `hf 14a info` detection of weak prng from Iceman1001 fork (Merlok)
+- Added to `hf 14a apdu` - exchange apdu via iso1443-4 (Merlok)
+- Added to `hf 14a apdu` - apdu and tlv results parser (Merlok)
+- Added `hf emv` group of commands (Merlok)
+- Added `hf emv search` `hf emv pse` - commands for selection of EMV application (Merlok)
+- Added `hf emv select` - command for select EMV application (Merlok)
+- Added `hf emv exec` - command for execute EMV transaction (Merlok)
+- Added to `hf emv exec` MSD path for VISA and Mastercard and some other compatible EMV cards (Merlok)
+- Added to `hf emv exec` SDA, DDA, fast DDA, CDA calculations for VISA and Mastercard and some other compatible EMV cards (Merlok)
+- Added `hf emv test` - crypto tests for DES, AES, SHA, RSA, SDA, DDA, CDA and some other crypto functions (Merlok)
+- Added `hf list mf` - deciphers crypto1 stream and works with first authentication and weak nested authentications (Merlok)
+- Added to `hf emv` commands: `gpo`, `readrec`, `genac`, `challenge`, `intauth` - commands working with EMV cards (Merlok)
+- Added `lf hid encode` and `lf hid decode` commands to translate printed HID card data to and from the packed data transmitted by a prox tag (grauerfuchs)
+- Added `lf hid write` command, which operates as a macro for encode followed by clone operations (grauerfuchs)
+
+## [3.0.1][2017-06-08]
+
+### Fixed
+- Compiles on OS X
+- Compiles with gcc 4.9
+- Compiles for non-Intel CPUs
+
+
+## [3.0.0][2017-06-05]
+
+### Added
+- Added lf hitag write 24, the command writes a block to hitag2 tags in crypto mode (henjo)
+
+### Added
+- Added hf mf hardnested, an attack working for hardened Mifare cards (EV1, Mifare Plus SL1) where hf mf nested fails (piwi)
+- Added experimental testmode write option for t55xx (danger) (marshmellow)
+- Added t55xx p1detect to `lf search` chip detections (marshmellow)
+- Added lf t55xx p1detect, detect page 1 of a t55xx tag based on E015 mfg code (marshmellow)
+- Added lf noralsy demod, read, clone, sim commands (iceman)
+- Added lf jablotron demod, read, clone, sim commands (iceman)
+- Added lf nexwatch read   - reads a nexwatch tag from the antenna
+- Added lf paradox read    - reads a paradox tag from the antenna
+- Added lf fdx sim (iceman)
+- Added lf fdx clone       - clones an fdx-b animal tag to t55x7 or q5 (iceman)
+- Added lf fdx read        - reads a fdx-b tag from the antenna (iceman)
+- Added lf gproxii read    - reads a gproxii tag from the antenna (marshmellow)
+- Added lf indala read     - reads an indala tag from the antenna (marshmellow)
+- Added lf visa2000 demod, read, clone, sim commands (iceman)
+- Added markers in the graph around found Sequence Terminator after askmandemod.
+- Added data mtrim <start> <stop> command to trim out samples between start and stop
+- Added data setgraphmarkers <orange> <blue> command to set two extra markers on the graph (marshmellow)
+- Added EM4x05/EM4x69 chip detection to lf search (marshmellow) 
+- Added lf em 4x05dump command to read and output all the blocks of the chip (marshmellow)
+- Added lf em 4x05info command to read and display information about the chip (marshmellow)
+- Added lf cotag read, and added it to lf search (iceman)
+- Added hitag2 read UID only and added that to lf search (marshmellow)
+- Added lf pyramid commands (iceman)
+- Added lf presco commands - some bits not fully understood... (iceman)
+- Added experimental HitagS support (Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg)
+  see https://media.ccc.de/v/32c3-7166-sicherheit_von_125khz_transpondern_am_beispiel_hitag_s
+  English video available
+- Added a LF ASK Sequence Terminator detection option to the standard ask demod - and applied it to `lf search u`, `lf t55xx detect`, and `data rawdemod am s` (marshmellow)
+- `lf t55xx bruteforce <start password> <end password> [i <*.dic>]` - Simple bruteforce attack to find password - (iceman and others)
+- `lf viking clone`- clone viking tag to t55x7 or Q5 from 4byte hex ID input 
+- `lf viking sim`  - sim full viking tag from 4byte hex ID input
+- `lf viking read` - read viking tag and output ID
+- `lf t55xx wipe`  - sets t55xx back to factory defaults
+- Added viking demod to `lf search` (marshmellow)
+- `lf viking demod` demod viking id tag from graphbuffer (marshmellow)
+- `lf t55xx resetread` added reset then read command - should allow determining start of stream transmissions (marshmellow)
+- `lf t55xx wakeup` added wake with password (AOR) to allow lf search or standard lf read after (iceman, marshmellow)
+- `hf iclass managekeys` to save, load and manage iclass keys.  (adjusted most commands to accept a loaded key in memory) (marshmellow)
+- `hf iclass readblk` to select, authenticate, and read 1 block from an iclass card (marshmellow)
+- `hf iclass writeblk` to select, authenticate, and write 1 block to an iclass card (or picopass) (marshmellow + others)
+- `hf iclass clone` to take a saved dump file and clone selected blocks to a new tag (marshmellow + others)
+- `hf iclass calcnewkey` - to calculate the div_key change to change a key - (experimental) (marshmellow + others)
+- `hf iclass encryptblk` - to encrypt a data block hex to prep for writing that block (marshmellow)
+- ISO14443a stand-alone operation with ARM CFLAG="WITH_ISO14443a_StandAlone". This code can read & emulate two banks of 14a tag UIDs and write to "magic" cards  (Craig Young) 
+- AWID26 command context added as 'lf awid' containing realtime demodulation as well as cloning/simulation based on tag numbers (Craig Young)
+- Added 'hw status'. This command makes the ARM print out some runtime information. (holiman) 
+- Added 'hw ping'. This command just sends a usb packets and checks if the pm3 is responsive. Can be used to abort certain operations which supports abort over usb. (holiman)
+- Added `data hex2bin` and `data bin2hex` for command line conversion between binary and hexadecimal (holiman)
+- Added 'hf snoop'. This command take digitalized signal from FPGA and put in BigBuffer. (pwpiwi + enio)
+- Added Topaz (NFC type 1) protocol support ('hf topaz reader', 'hf list topaz', 'hf 14a raw -T', 'hf topaz snoop'). (piwi)
+- Added option c to 'hf list' (mark CRC bytes) (piwi)
+
+### Changed
+- Adjusted the lf demods to auto align and set the grid for the graph plot. 
+- `lf snoop` now automatically gets samples from the device
+- `lf read` now accepts [#samples] as arg. && now automatically gets samples from the device
+- adjusted lf t5 chip timings to use WaitUS. and adjusted the readblock timings
+    appears to have more consistent results with more antennas.
+- `lf t5 wakeup` has been adjusted to not need the p in front of the pwd arg.
+- `data psknexwatchdemod` has been moved to `lf nexwatch demod` (reads from graphbuffer)
+- `data fskparadoxdemod` has been moved to `lf paradox demod` (reads from graphbuffer)
+- `data fdxdemod` has been moved to `lf fdx demod` (reads from graphbuffer)
+- `data askgproxiidemod has been moved to `lf gproxii demod` (reads from graphbuffer)
+- `lf indalaclone` has been moved to `lf indala clone`
+- `lf indalademod` has been moved to `lf indala altdemod` (reads from graphbuffer)
+- `data pskindalademod` has been moved to `lf indala demod` (reads from graphbuffer)
+- `data askvikingdemod` has been moved to `lf viking demod` (reads from graphbuffer)
+- `data fskpyramiddemod` has been moved to `lf pyramid demod` (reads from graphbuffer)
+- `data fskiodemod` has been moved to `lf io demod` (reads from graphbuffer)
+- `lf io fskdemod` has been renamed to `lf io read` (reads from antenna)
+- `data fskawiddemod` has been moved to `lf awid demod` (reads from graphbuffer)
+- `lf awid fskdemod` has been renamed to `lf awid read` (reads from antenna)
+- `data fskhiddemod` has been moved to `lf hid demod` (reads from graphbuffer)
+- `lf hid demod` has been renamed to `lf hid read` (reads from antenna)
+- all em410x demod and print functions moved to cmdlfem4x.c
+- `data askem410xdemod` has been moved to `lf em 410xdemod` (reads from graphbuffer)
+- `lf em 410xdemod` has been renamed to `lf em 410xread` (reads from antenna)
+- hf mf dump - added retry loops to try each read attempt up to 3 times.  makes getting a complete dump easier with many antennas. 
+- small changes to lf psk and fsk demods to improve results when the trace begins with noise or the chip isn't broadcasting yet (marshmellow)
+- NOTE CHANGED ALL `lf em4x em*` cmds to simpler `lf em ` - example: `lf em4x em410xdemod` is now `lf em 410xdemod`
+- Renamed and rebuilt `lf em readword` && readwordpwd to `lf em 4x05readword` - it now demods and outputs the read block (marshmellow/iceman)
+- Renamed and rebuilt `lf em writeword` && writewordpwd to `lf em 4x05writeword` - it now also reads validation output from the tag (marshmellow/iceman)
+- Fixed bug in lf sim and continuous demods not turning off antenna when finished
+- Fixed bug(s) in hf iclass write
+- Fixed bug in lf biphase sim - `lf simask b` (and any tagtype that relies on it - gproxii...) (marshmellow)
+- Fixed bug in lf viking clone/sim (iceman)
+- Fixed broken `data askedgedetect` (marshmellow)
+- Adjusted hf mf sim command (marshmellow)
+    added auto run mfkey32 to extract all keys 
+    also added f parameter to allow attacking with UIDs from a file (implies x and i parameters)
+    also added e parameter to allow adding the extracted keys to emulator memory for the next simulation
+    added 10 byte uid option
+- Added `[l] <length>` option to data printdemodbuffer (marshmellow)
+- Adjusted lf awid clone to optionally clone to Q5 tags (marshmellow)
+- Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7 (marshmellow)
+- Adjusted all lf NRZ demods - works more accurately and consistently (as long as you have strong signal) (marshmellow)
+- Adjusted lf pskindalademod to reduce false positive reads. (marshmellow)
+- Small adjustments to psk, nrz, and ask clock detect routines - more reliable. (marshmellow)
+- Adjusted lf em410x em410xsim to accept a clock argument (marshmellow)
+- Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow)
+- Adjusted lf t55xx write input variables (marshmellow)
+- Adjusted lf t55xx read with password safety check and warning text and adjusted the input variables (marshmellow & iceman)
+- Adjusted LF FSK demod to account for cross threshold fluctuations (898 count waves will adjust the 9 to 8 now...) more accurate. (marshmellow)
+- Adjusted timings for t55xx commands.  more reliable now. (marshmellow & iceman)
+- `lf cmdread` adjusted input methods and added help text (marshmellow & iceman)
+- changed `lf config t <threshold>` to be 0 - 128 and will trigger on + or - threshold value (marshmellow) 
+- `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to multiple pages for the larger tags yet) (marshmellow)
+- Revised workflow for StandAloneMode14a (Craig Young)
+- EPA functions (`hf epa`) now support both ISO 14443-A and 14443-B cards (frederikmoellers)
+- 'hw version' only talks to ARM at startup, after that the info is cached. (pwpiwi)
+- Added `r` option to iclass functions - allows key to be provided in raw block 3/4 format 
+
+## [2.2.0][2015-07-12]
+
+### Changed
+- Added `hf 14b raw -s` option to auto select a 14b std tag before raw command 
+- Changed `hf 14b write` to `hf 14b sriwrite` as it only applied to sri tags (marshmellow)
+- Added `hf 14b info` to `hf search` (marshmellow)
+- Added compression of fpga config and data, *BOOTROM REFLASH REQUIRED* (piwi)
+- Implemented better detection of mifare-tags that are not vulnerable to classic attacks (`hf mf mifare`, `hf mf nested`) (piwi)
+
+### Added
+- Add `hf 14b info` to find and print info about std 14b tags and sri tags (using 14b raw commands in the client)  (marshmellow)
+- Add PACE replay functionality (frederikmoellers)
+
+### Fixed 
+- t55xx write timing (marshmellow)
+
+
+## [2.1.0][2015-06-23]
+
+### Changed
+- Added ultralight/ntag tag type detection to `hf 14a read` (marshmellow)
+- Improved ultralight dump command to auto detect tag type, take authentication, and dump full memory (or subset specified) of known tag types (iceman1001 / marshmellow)
+- Combined ultralight read/write commands and added authentication (iceman1001)
+- Improved LF manchester and biphase demodulation and ask clock detection especially for reads with heavy clipping. (marshmellow)
+- Iclass read, `hf iclass read` now also reads tag config and prints configuration. (holiman)
+- *bootrom* needs to be flashed, due to new address boundaries between os and fpga, after a size optimization (piwi)
+
+### Fixed
+- Fixed EM4x50 read/demod of the tags broadcasted memory blocks. 'lf em4x em4x50read' (not page read) (marshmellow)
+- Fixed issue #19, problems with LF T55xx commands (iceman1001, marshmellow)
+- Fixed various problems with iso14443b, issue #103 (piwi, marshmellow)
+
+### Added
+- Added `hf search` - currently tests for 14443a tags, iclass tags, and 15693 tags (marshmellow) 
+- Added `hf mfu info` Ultralight/NTAG info command - reads tag configuration and info, allows authentication if needed (iceman1001, marshmellow)
+- Added Mifare Ultralight C and Ultralight EV1/NTAG authentication. (iceman1001)
+- Added changelog
+
+## [2.0.0] - 2015-03-25
+### Changed
+- LF sim operations now abort when new commands arrive over the USB - not required to push the device button anymore.
+
+### Fixed
+- Mifare simulation, `hf mf sim` (was broken a long time) (pwpiwi)
+- Major improvements in LF area and data operations. (marshmellow, iceman1001)
+- Issues regarding LF simulation (pwpiwi)
+
+### Added
+- iClass functionality: full simulation of iclass tags, so tags can be simulated with data (not only CSN). Not yet support for write/update, but readers don't seem to enforce update. (holiman).
+- iClass decryption. Proxmark can now decrypt data on an iclass tag, but requires you to have the HID decryption key locally on your computer, as this is not bundled with the sourcecode. 

CI/.travis.yml

@@ -0,0 +1,60 @@
+# Travis-CI config
+# variable REPOSITORY_EP must be filled with repository name. as sample: "merlokk/proxmark3"
+
+language: c
+
+compiler: gcc
+
+# Test on Linux and MacOS
+jobs:
+  include:
+    - os: osx
+      osx_image: xcode9.4   # OS X 10.13
+    - os: osx
+      osx_image: xcode10    # OS X 10.13
+    - os: osx
+      osx_image: xcode11    # OS X 10.14
+    - os: linux
+      dist: trusty          # Ubuntu 14.04
+    - os: linux
+      dist: xenial          # Ubuntu 16.04
+    - os: linux
+      dist: bionic          # Ubuntu 18.04
+
+git:
+  depth: false
+
+before_install:
+## Install ARM toolchain on Linux.
+## add our homebrew tap for MacOS
+## Note: all dependencies on MacOS should be resolved by the brew install command
+  echo $REPOSITORY_EP;
+  if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then 
+    sudo apt-get update -qq;
+    sudo apt-get install -y gcc-arm-none-eabi libnewlib-arm-none-eabi libpcsclite-dev;
+  elif [[ "$TRAVIS_OS_NAME" == "osx" ]]; then
+    brew update;
+    if [[ "$REPOSITORY_EP" == "" ]]; then
+      brew tap --full proxmark/proxmark3;
+    else
+      brew tap --full "$REPOSITORY_EP" --env=std;
+    fi
+  fi
+
+install:
+  if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then 
+    brew info proxmark3;
+    brew install -v --HEAD proxmark3;
+  elif [[ "$TRAVIS_OS_NAME" == "linux" ]]; then 
+    make all;
+  fi
+
+before_script:
+
+script: 
+## for the time being we are satisfied if it can be build and hf mf hardnested runs
+  if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then 
+    proxmark3 /dev/notexists travis_test_commands.scr ;
+  elif [[ "$TRAVIS_OS_NAME" == "linux" ]]; then 
+    ./client/proxmark3  /dev/notexists travis_test_commands.scr ;
+  fi

CI/appveyor.yml

@@ -0,0 +1,321 @@
+version: 3.0.1.{build}
+image: Visual Studio 2017
+clone_folder: C:\ProxSpace\pm3
+init:
+- ps: >-
+    $psversiontable
+
+    #Get-ChildItem Env:
+
+
+    $releasename=""
+
+    $env:APPVEYOR_REPO_COMMIT_SHORT = $env:APPVEYOR_REPO_COMMIT.Substring(0, 8)
+
+    if ($env:appveyor_repo_tag -match "true"){
+      $releasename=$env:APPVEYOR_REPO_TAG_NAME + "/"
+    }
+
+    $releasename+=$env:APPVEYOR_BUILD_VERSION + " [" + $env:APPVEYOR_REPO_COMMIT_SHORT + "]"
+
+
+    Write-Host "repository: $env:appveyor_repo_name branch:$env:APPVEYOR_REPO_BRANCH release: $releasename" -ForegroundColor Yellow
+
+    Add-AppveyorMessage -Message "[$env:APPVEYOR_REPO_COMMIT_SHORT]$env:appveyor_repo_name($env:APPVEYOR_REPO_BRANCH)" -Category Information -Details "repository: $env:appveyor_repo_name branch: $env:APPVEYOR_REPO_BRANCH release: $releasename"
+
+
+    iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
+clone_script:
+- ps: >-
+    Write-Host "Removing ProxSpace..." -NoNewLine
+
+    cd \
+
+    Remove-Item -Recurse -Force -Path c:\ProxSpace\*
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    Write-Host "Git clone ProxSpace..." -NoNewLine
+
+    git clone -q https://github.com/Gator96100/ProxSpace c:\ProxSpace
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    Write-Host "Removing pm3 dir..." -NoNewLine
+
+    Remove-Item -Recurse -Force -Path c:\ProxSpace\pm3\*
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    Write-Host "Cloning repository <$env:appveyor_repo_name> to $env:appveyor_build_folder ..." -NoNewLine
+
+    if(-not $env:appveyor_pull_request_number) {
+        git clone -q --branch=$env:appveyor_repo_branch https://github.com/$env:appveyor_repo_name.git $env:appveyor_build_folder
+        cd $env:appveyor_build_folder
+        git checkout -qf $env:appveyor_repo_commit
+    } else {
+        git clone -q https://github.com/$env:appveyor_repo_name.git $env:appveyor_build_folder
+        cd $env:appveyor_build_folder
+        git fetch -q origin +refs/pull/$env:appveyor_pull_request_number/merge:
+        git checkout -qf FETCH_HEAD
+    }
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    Write-Host "Fill msys2\etc\fstab file..." -NoNewLine
+
+    New-Item c:\ProxSpace\msys2\etc\fstab -type file -force -value "# For a description of the file format, see the Users Guide`n# http://cygwin.com/cygwin-ug-net/using.html#mount-table`nnone / cygdrive binary,posix=0,noacl,user 0 0 `nC:\ProxSpace\pm3 /pm3 ntfs noacl 0 0 `nC:\ProxSpace\gcc-arm-none-eabi /gcc-arm-none-eabi ntfs noacl 0 0 `n"
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    Write-Host "Update msys2 packages..." -NoNewLine
+
+    $env:Path = "C:\ProxSpace\msys2\usr\bin;C:\ProxSpace\msys2\mingw32\bin;C:\ProxSpace\gcc-arm-none-eabi\bin;$env:Path"
+
+    C:\ProxSpace\msys2\msys2_shell.cmd -mingw32 -defterm -no-start /dev/null 1> msys1.txt 2>&1
+
+    C:\ProxSpace\msys2\msys2_shell.cmd -mingw32 -defterm -no-start /dev/null 1> msys1.txt 2>&1
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+install:
+- ps: >-
+    function Exec-External {
+              param(
+                [Parameter(Position=0,Mandatory=1)][scriptblock] $command
+              )
+              & $command
+              if ($LASTEXITCODE -ne 0) {
+                throw ("Command returned non-zero error-code ${LASTEXITCODE}: $command")
+              }
+            }
+build_script:
+- ps: >-
+    "C:\ProxSpace\msys2\usr\bin;C:\ProxSpace\msys2\mingw32\bin;C:\ProxSpace\gcc-arm-none-eabi\bin;$env:Path"
+
+
+    $env:MINGW_HOME="C:\ProxSpace\msys2\mingw32"
+
+    $env:MSYS_HOME="C:\ProxSpace\msys2"
+
+    $env:MSYSTEM="MINGW32"
+
+    $env:MINGW_PREFIX="/mingw32"
+
+    $env:SHELL="/bin/bash"
+
+    $env:MSYSTEM_CHOST="i686-w64-mingw32"
+
+
+    #make
+
+    bash -c -i 'pwd;make clean;make all'
+
+
+    #some checks
+
+    if(!(Test-Path C:\ProxSpace\pm3\client\proxmark3.exe)){
+
+    throw "Main file proxmark3.exe not exists."
+
+    }
+
+    if(!(Test-Path C:\ProxSpace\pm3\armsrc\obj\fullimage.elf)){
+
+    throw "ARM file fullimage.elf not exists."
+
+    }
+
+    if(!(Test-Path C:\ProxSpace\pm3\client\hardnested\tables\*.bin.z)){
+
+    throw "Files in hardnested\tables not exists."
+
+    }
+
+
+    #copy
+
+    Write-Host "Copy release files..." -NoNewLine -ForegroundColor Yellow
+
+    New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release
+
+    Copy-Item C:\ProxSpace\pm3\client\*.exe C:\ProxSpace\Release
+
+    New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release\arm
+
+    Copy-Item C:\ProxSpace\pm3\armsrc\obj\*.elf C:\ProxSpace\Release\arm
+
+    Copy-Item C:\ProxSpace\pm3\bootrom\obj\*.elf C:\ProxSpace\Release\arm
+
+    New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release\scripts
+
+    Copy-Item C:\ProxSpace\pm3\client\scripts\*.lua C:\ProxSpace\Release\scripts
+
+    New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release\hardnested\tables
+
+    Copy-Item C:\ProxSpace\pm3\client\hardnested\*.bin C:\ProxSpace\Release\hardnested
+
+    Copy-Item C:\ProxSpace\pm3\client\hardnested\tables\*.bin.z C:\ProxSpace\Release\hardnested\tables
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    #archive and push
+
+    $releasename=""
+
+    if ($env:appveyor_repo_tag -match "true"){
+
+    $releasename=$env:APPVEYOR_REPO_TAG_NAME + "/"
+
+    }
+
+    $releasename+=$env:APPVEYOR_BUILD_VERSION + " [" + $env:APPVEYOR_REPO_COMMIT.Substring(0, 7) + "]"
+
+
+    Write-Host "Archive and publish release files ($releasename)..." -NoNewLine -ForegroundColor Yellow
+
+    cd C:\ProxSpace
+
+    7z a release.zip C:\ProxSpace\Release
+
+    Push-AppveyorArtifact release.zip -DeploymentName "$releasename"
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    Write-Host "Builded..." -ForegroundColor Yellow
+test_script:
+- ps: >-
+    $env:Path = "C:\ProxSpace\msys\bin;$env:Path"
+
+    cd c:\ProxSpace\pm3
+
+
+    $global:TestsPassed=$true
+
+
+    Function ExecTest($Name, $File, $Cmd, $CheckResult) {
+
+    #--- begin Job
+
+    $Job = Start-Job -ScriptBlock {
+      [bool]$res=$false
+      $TestTime=[System.Environment]::TickCount
+      $env:Path = "C:\ProxSpace\msys\bin;$env:Path"
+      Set-Location $using:PWD
+
+      $sb=[scriptblock]::Create("$using:Cmd")
+      #execute scriptblock
+      Write-host "Test [$using:Name] job: $using:Cmd"
+      $Cond=&$sb
+
+      if ($Cond -eq $null){
+      } ElseIf($using:CheckResult -ne $null) {
+        [String]$searchstr=""
+        if ($Cond -is [Object]){
+          ForEach($line in $Cond){
+            Write-host $line -ForegroundColor Gray
+            $searchstr += $line
+          }
+        }else{
+          Write-host "$Cond" -ForegroundColor Gray
+          $searchstr = $Cond
+        }
+        If($searchstr -like "*$using:CheckResult*") {
+          $res=$true
+        }
+        $Cond="*$using:CheckResult*"
+      } Else {
+        If (!($Cond -is [bool] -or $Cond -is [byte] -or $Cond -is [int16] -or $Cond -is [int32] -or $Cond -is [int64] -or $Cond -is [float])){
+            if ($Cond -is "String" -and $Cond -like "*passed*"){
+              $res= $true
+            }
+            if ($Cond -is "String" -and $Cond -like "*true*"){
+              $res= $true
+            }
+        } Else {
+          $res=$Cond
+        }
+      }
+
+      If ($res) {
+        Write-host "Result[$using:Name]: $Cond" -ForegroundColor Green
+        Add-AppveyorTest -Name "$using:Name" -Framework NUnit -Filename "$using:File" -Outcome Passed -Duration "$([System.Environment]::TickCount-$TestTime)"
+      }Else {
+        Write-host "Result[$using:Name]: $Cond" -ForegroundColor Red
+        Add-AppveyorTest -Name "$using:Name" -Framework NUnit -Filename "$using:File" -Outcome Failed -Duration "$([System.Environment]::TickCount-$TestTime)" -ErrorMessage "command:$using:Cmd`nresult:$Cond"
+      }
+        return $res
+    }
+
+    #--- end Job
+
+      [bool]$res=$false
+      # Wait 120 sec timeout for Job
+      if(Wait-Job $Job -Timeout 150){
+        $Results = $Job | Receive-Job
+        if($Results -like "true"){
+          $res=$true
+        }
+      } else {
+        Write-host "Test [$Name] timeout" -ForegroundColor Red
+        Add-AppveyorTest -Name "$Name" -Framework NUnit -Filename "$File" -Outcome Failed -Duration 60000 -ErrorMessage "timeout"
+      }
+      Remove-Job -Force $Job
+
+      if(!$res){
+        $global:TestsPassed=$false
+      }
+    }
+
+
+    Write-Host "Running tests..." -ForegroundColor Yellow
+
+
+    #file test
+
+    ExecTest "proxmark3 exists" "proxmark3.exe" {Test-Path C:\ProxSpace\Release\proxmark3.exe}
+
+    ExecTest "arm image exists" "\arm\fullimage1.elf" {Test-Path C:\ProxSpace\Release\arm\fullimage.elf}
+
+    ExecTest "bootrom exists" "bootrom.elf" {Test-Path C:\ProxSpace\Release\arm\bootrom.elf}
+
+    ExecTest "hardnested tables exists" "hardnested" {Test-Path C:\ProxSpace\Release\hardnested\tables\*.z}
+
+    ExecTest "release exists" "release.zip" {Test-Path C:\ProxSpace\release.zip}
+
+
+    #proxmark logic tests
+
+    ExecTest "proxmark help" "proxmark3 -h" {bash -lc 'cd ~/client;./proxmark3 -h | grep -q Execute && echo Passed || echo Failed'}
+
+    ExecTest "proxmark help hardnested" "proxmark3 -h" {bash -lc 'cd ~/client;./proxmark3 -h | grep -q hardnested && echo Passed || echo Failed'}
+
+
+    ExecTest "hf mf offline text" "hf mf" {bash -lc "cd ~/client;./proxmark3 comx -c 'hf mf'"} "at_enc"
+
+    ExecTest "hf mf hardnested" "hf mf hardnested" {bash -lc "cd ~/client;./proxmark3 comx -c 'hf mf hardnested t 1 000000000000'"} "found:"
+
+
+    #proxmark crypto tests
+
+    ExecTest "hf emv test" "hf emv test" {bash -lc "cd ~/client;./proxmark3 comx -c 'hf emv test'"} "Tests ?OK"
+
+
+    if ($global:TestsPassed) {
+      Write-Host "Tests [ OK ]" -ForegroundColor Green
+    } else {
+      Write-Host "Tests [ ERROR ]" -ForegroundColor Red
+      throw "Tests error."
+    }
+on_success:
+- ps: Write-Host "Build success..." -ForegroundColor Green
+on_failure:
+- ps: Write-Host "Build error." -ForegroundColor Red
+on_finish:
+- ps: $blockRdp = $false; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))

CI/readme.md

@@ -0,0 +1,20 @@
+# How to configure continuous integration
+
+Here 2 CI configuration files:
+
+1. for [travis](travis-ci.org)
+2. for [appveyor](appveyor.com)
+
+It needs to put files from this directory to repository root and then configure CI from appropriate WEB portal.
+
+## travis
+
+- Copy .travis.yml and travis_test_commands.scr files to repository root 
+- Configure CI from http://travis-ci.org
+- It needs to fork https://github.com/Proxmark/homebrew-proxmark3 from your proxmark repository home
+- Put to file `proxmark3.rb` in line `head "https://github.com/proxmark/proxmark3.git"` your repository link. As sample: `head "https://github.com/merlokk/proxmark3.git"`
+
+
+## appveyor
+
+- Just copy appveyor.yml file to root and configure it from http://appveyor.com

CI/travis_test_commands.scr

@@ -0,0 +1,3 @@
+hf mf hardnested t 1 000000000000
+emv test
+exit

COMPILING.txt

@@ -3,7 +3,7 @@ The project compiles on Linux, Mac OS X and Windows (MinGW/MSYS).
 it requires:
 - gcc >= 4.4
 - libpthread
-- libreadline
+- GNU libreadline or BSD libedit (editline)
 - libusb
 - perl
 - an ARM cross-compiler to compile the firmware
@@ -81,7 +81,55 @@ Download the ProxSpace environment archive and extract it to C:\
 = Mac OS X =
 ============
 
-macport stuff should do ;)
+Installing from HomeBrew tap
+---------------------------
+This method is recommended and tested on macOS Sierra 10.12.3
+
+1. Install homebrew if you haven't yet already done so: http://brew.sh/
+
+2. Tap proxmark repo:
+    brew tap proxmark/proxmark3 
+
+3. Install Proxmark3:
+
+Stable release
+    brew install proxmark3
+
+Latest non-stable from GitHub (use this if previous command fails)
+    brew install --HEAD proxmark3
+
+For more information go to https://github.com/Proxmark/homebrew-proxmark3
+
+
+Compilling from source manually (Legacy)
+---------------------------
+
+Tested on OSX 10.10 Yosemite
+
+1 - Install Xcode and Xcode Command Line Tools
+
+2 - Install Homebrew and dependencies
+    brew install libusb p7zip libusb-compat wget qt5 pkgconfig
+
+3 - Install DevKitARM for OSX
+    Option 1:
+        http://sourceforge.net/projects/devkitpro/files/devkitARM/devkitARM_r44/
+        Unpack devkitARM_r44-osx.tar.bz2 to proxmark3 directory.
+    Option 2:
+        brew tap nitsky/stm32
+        brew install arm-none-eabi-gcc
+
+4 - Edit proxmark3/client/Makefile adding path qt5
+
+    LDLIBS = -L/usr/local/opt/qt5/lib -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm
+    CFLAGS = -std=c99 -I/usr/local/opt/qt5/include -I. -I../include -I../common -I../zlib -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4
+
+5 - Set Environment
+
+    export DEVKITPRO=$HOME/proxmark3/
+    export DEVKITARM=$DEVKITPRO/devkitARM
+    export PATH=${PATH}:${DEVKITARM}/bin
+
 
 ============
 =   Linux  =

Makefile

@@ -1,49 +1,65 @@
-include common/Makefile.common
-
 GZIP=gzip
+# Windows' echo echos its input verbatim, on Posix there is some
+#  amount of shell command line parsing going on. echo "" on 
+#  Windows yields literal "", on Linux yields an empty line
+ifeq ($(shell echo ""),)
+# This is probably a proper system, so we can use uname
+DELETE=rm -rf
+FLASH_TOOL=client/flasher
+platform=$(shell uname)
+ifneq (,$(findstring MINGW,$(platform)))
+FLASH_PORT=com3
+PATHSEP=\\#
+else
 FLASH_PORT=/dev/ttyACM0
+PATHSEP=/
+endif
+else
+# Assume that we are running on native Windows
+DELETE=del /q
+FLASH_TOOL=client/flasher.exe
+platform=Windows
+FLASH_PORT=com3
+PATHSEP=\\#
+endif
 
-all clean: %: bootrom/% armsrc/% client/% recovery/%
+all clean: %: client/% bootrom/% armsrc/% recovery/% mfkey/%
 
 bootrom/%: FORCE
-	$(MAKE) -C bootrom $(patsubst bootrom/%,%,$@)
+	$(MAKE) -C bootrom $(patsubst bootrom/%, %, $@)
 armsrc/%: FORCE
-	$(MAKE) -C armsrc $(patsubst armsrc/%,%,$@)
+	$(MAKE) -C armsrc $(patsubst armsrc/%, %, $@)
 client/%: FORCE
-	$(MAKE) -C client $(patsubst client/%,%,$@)
+	$(MAKE) -C client $(patsubst client/%, %, $@)
 recovery/%: FORCE
-	$(MAKE) -C recovery $(patsubst recovery/%,%,$@)
+	$(MAKE) -C recovery $(patsubst recovery/%, %, $@)
+mfkey/%: FORCE
+	$(MAKE) -C tools/mfkey $(patsubst mfkey/%, %, $@)
 FORCE: # Dummy target to force remake in the subdirectories, even if files exist (this Makefile doesn't know about the prerequisites)
 
+.PHONY: all clean help _test flash-bootrom flash-os flash-all FORCE
 
-.PHONY: all clean help _test flash-bootrom flash-os flash-fpga flash-both flash-all FORCE
 help:
 	@echo Multi-OS Makefile, you are running on $(DETECTED_OS)
 	@echo Possible targets:
 	@echo +	all           - Make bootrom, armsrc and the OS-specific host directory
 	@echo + client        - Make only the OS-specific host directory
 	@echo + flash-bootrom - Make bootrom and flash it
-	@echo + flash-os      - Make armsrc and flash os
-	@echo + flash-fpga    - Make armsrc and flash fpga
-	@echo + flash-both    - Make armsrc and flash os and fpga image
-	@echo + flash-all     - Make bootrom and armsrc and flash bootrom, os and fpga image
+	@echo + flash-os      - Make armsrc and flash os \(includes fpga\)
+	@echo + flash-all     - Make bootrom and armsrc and flash bootrom and os image
 	@echo +	clean         - Clean in bootrom, armsrc and the OS-specific host directory
 
 client: client/all
 
+mfkey: mfkey/all
+
 flash-bootrom: bootrom/obj/bootrom.elf $(FLASH_TOOL)
 	$(FLASH_TOOL) $(FLASH_PORT) -b $(subst /,$(PATHSEP),$<)
 
-flash-os: armsrc/obj/osimage.elf $(FLASH_TOOL)
+flash-os: armsrc/obj/fullimage.elf $(FLASH_TOOL)
 	$(FLASH_TOOL) $(FLASH_PORT) $(subst /,$(PATHSEP),$<)
 
-flash-fpga: armsrc/obj/fpgaimage.elf $(FLASH_TOOL)
-	$(FLASH_TOOL) $(FLASH_PORT) $(subst /,$(PATHSEP),$<)
-
-flash-both: armsrc/obj/osimage.elf armsrc/obj/fpgaimage.elf $(FLASH_TOOL)
-	$(FLASH_TOOL) $(FLASH_PORT) $(subst /,$(PATHSEP),$(filter-out $(FLASH_TOOL),$^))
-
-flash-all: bootrom/obj/bootrom.elf armsrc/obj/osimage.elf armsrc/obj/fpgaimage.elf $(FLASH_TOOL)
+flash-all: bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf $(FLASH_TOOL)
 	$(FLASH_TOOL) $(FLASH_PORT) -b $(subst /,$(PATHSEP),$(filter-out $(FLASH_TOOL),$^))
 
 newtarbin:

README.md

@@ -1,51 +1,43 @@
-NOTICE:
-(2014-03-26)
-This is now the official Proxmark repository!
-
-INTRODUCTION:
+# proxmark3: the official Proxmark repository!
 
 The proxmark3 is a powerful general purpose RFID tool, the size of a deck
 of cards, designed to snoop, listen and emulate everything from
-Low Frequency (125kHz) to High Frequency (13.56MHz) tags.
+**Low Frequency (125kHz)** to **High Frequency (13.56MHz)** tags.
 
 This repository contains enough software, logic (for the FPGA), and design
 documentation for the hardware that you could, at least in theory,
 do something useful with a proxmark3.
 
-RESOURCES:
+## Resources
 
-   * This repository!
-      https://github.com/Proxmark/proxmark3
-      
-   * The Wiki
-      https://github.com/Proxmark/proxmark3/wiki
-      
-   * The GitHub page
-      http://proxmark.github.io/proxmark3/
-      
-   * The Forum
-      http://www.proxmark.org/forum
-      
-   * The IRC chanel
-       irc.freenode.org #proxmark3
-       -or-
-       http://webchat.freenode.net/?channels=#proxmark3
+* [This repository!](https://github.com/Proxmark/proxmark3)
+* [The Wiki](https://github.com/Proxmark/proxmark3/wiki)
+* [The GitHub Pages website](http://proxmark.github.io/proxmark3/)
+* [The Forum](http://www.proxmark.org/forum)
+* The IRC channel: irc.freenode.org #proxmark3 ([chat in your browser](http://webchat.freenode.net/?channels=#proxmark3))
+* [The Homebrew formula repository](https://github.com/Proxmark/homebrew-proxmark3)
+* [Proxmark3 community discord server](https://discord.gg/86VcRtS)
    
-DEVELOPMENT:
+## Development
 
 The tools required to build  or run the project will vary depending on
-your operating system. Please refer to the Wiki for details.
+your operating system. Please refer to [the wiki](https://github.com/Proxmark/proxmark3/wiki) for details.
 
-   * https://github.com/Proxmark/proxmark3/wiki
+## Obtaining hardware
 
-OBTAINING HARDWARE:
-
-The Proxmark 3 is available for purcahse (assembled and tested) from the
+The Proxmark3 is available for purchase (assembled and tested) from the
 following locations:
 
-   * http://proxmark3.com/
-   * http://www.xfpga.com/
+| Distributor Name | Warehouse Location | Entity Location |
+|------------------|--------------------|-----------------|
+| [RyscCorp](https://proxmark3.com/)         | USA                | USA             |
+| [Hackerwarehouse](https://hackerwarehouse.com/)  | USA                | USA             |
+| [Elechouse](http://www.elechouse.com/)        | HK                 | HK              |
+| [Lab401](https://lab401.com/)           | EU                 | HK              |
+| [RFxSecure](http://www.rfxsecure.com/)       | CN                 | SG              |
+| [Sneaktechnology](https://www.sneaktechnology.com/)  | CN                 | CN              |
 
+   
 Most of the ultra-low-volume contract assemblers could put
 something like this together with a reasonable yield. A run of around
 a dozen units is probably cost-effective. The BOM includes (possibly-
@@ -64,7 +56,7 @@ The printed circuit board artwork is also available, as Gerbers and an
 Excellon drill file.
 
 
-LICENSING:
+## License
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -85,4 +77,3 @@ Jonathan Westhues
 user jwesthues, at host cq.cx
 
 May 2007, Cambridge MA
-

armsrc/BigBuf.c

@@ -0,0 +1,295 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, Aug 2005
+// Gerhard de Koning Gans, April 2008, May 2011
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// BigBuf and functions to allocate/free parts of it.
+//-----------------------------------------------------------------------------
+
+#include <stdint.h>
+#include "proxmark3.h"
+#include "apps.h"
+#include "string.h"
+#include "util.h"
+
+// BigBuf is the large multi-purpose buffer, typically used to hold A/D samples or traces.
+// Also used to hold various smaller buffers and the Mifare Emulator Memory.
+
+/* BigBuf memory layout:
+Pointer to highest available memory: BigBuf_hi
+
+	high BIGBUF_SIZE
+	reserved = BigBuf_malloc()  subtracts amount from BigBuf_hi,
+	low  0x00
+*/
+
+// declare it as uint32_t to achieve alignment to 4 Byte boundary
+static uint32_t BigBuf[BIGBUF_SIZE/sizeof(uint32_t)];
+
+// High memory mark
+static uint16_t BigBuf_hi = BIGBUF_SIZE;
+
+// pointer to the emulator memory.
+static uint8_t *emulator_memory = NULL;
+
+// trace related variables
+static uint32_t traceLen = 0;
+static bool tracing = true;
+
+
+// get the address of BigBuf
+uint8_t *BigBuf_get_addr(void)
+{
+	return (uint8_t *)BigBuf;
+}
+
+
+// get the address of the emulator memory. Allocate part of Bigbuf for it, if not yet done
+uint8_t *BigBuf_get_EM_addr(void)
+{
+	// not yet allocated
+	if (emulator_memory == NULL) {
+		emulator_memory = BigBuf_malloc(CARD_MEMORY_SIZE);
+	}
+
+	return emulator_memory;
+}
+
+
+// clear ALL of BigBuf
+void BigBuf_Clear(void)
+{
+	BigBuf_Clear_ext(true);
+}
+
+
+// clear ALL of BigBuf
+void BigBuf_Clear_ext(bool verbose)
+{
+	memset(BigBuf, 0, BIGBUF_SIZE);
+	if (verbose)
+		Dbprintf("Buffer cleared (%i bytes)", BIGBUF_SIZE);
+}
+
+
+void BigBuf_Clear_EM(void){
+	memset(BigBuf_get_EM_addr(), 0, CARD_MEMORY_SIZE);
+}
+
+
+void BigBuf_Clear_keep_EM(void)
+{
+	memset(BigBuf, 0, BigBuf_hi);
+}
+
+// allocate a chunk of memory from BigBuf. We allocate high memory first. The unallocated memory
+// at the beginning of BigBuf is always for traces/samples
+uint8_t *BigBuf_malloc(uint16_t chunksize)
+{
+	if (BigBuf_hi - chunksize < 0) {
+		return NULL;                            // no memory left
+	} else {
+		chunksize = (chunksize + 3) & 0xfffc;   // round to next multiple of 4
+		BigBuf_hi -= chunksize;                 // aligned to 4 Byte boundary
+		return (uint8_t *)BigBuf + BigBuf_hi;
+	}
+}
+
+
+// free ALL allocated chunks. The whole BigBuf is available for traces or samples again.
+void BigBuf_free(void)
+{
+	BigBuf_hi = BIGBUF_SIZE;
+	emulator_memory = NULL;
+}
+
+
+// free allocated chunks EXCEPT the emulator memory
+void BigBuf_free_keep_EM(void)
+{
+	if (emulator_memory != NULL) {
+		BigBuf_hi = emulator_memory - (uint8_t *)BigBuf;
+	} else {
+		BigBuf_hi = BIGBUF_SIZE;
+	}
+}
+
+void BigBuf_print_status(void)
+{
+	Dbprintf("Memory");
+	Dbprintf("  BIGBUF_SIZE.............%d", BIGBUF_SIZE);
+	Dbprintf("  Available memory........%d", BigBuf_hi);
+	Dbprintf("Tracing");
+	Dbprintf("  tracing ................%d", tracing);
+	Dbprintf("  traceLen ...............%d", traceLen);
+}
+
+
+// return the maximum trace length (i.e. the unallocated size of BigBuf)
+uint16_t BigBuf_max_traceLen(void)
+{
+	return BigBuf_hi;
+}
+
+
+void clear_trace() {
+	traceLen = 0;
+}
+
+
+void set_tracing(bool enable) {
+	tracing = enable;
+}
+
+
+bool get_tracing(void) {
+	return tracing;
+}
+
+
+/**
+ * Get the number of bytes traced
+ * @return
+ */
+uint16_t BigBuf_get_traceLen(void)
+{
+	return traceLen;
+}
+
+
+/**
+  This is a function to store traces. All protocols can use this generic tracer-function.
+  The traces produced by calling this function can be fetched on the client-side
+  by 'hf list raw', alternatively 'hf list <proto>' for protocol-specific
+  annotation of commands/responses.
+
+**/
+bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag)
+{
+	if (!tracing) return false;
+
+	uint8_t *trace = BigBuf_get_addr();
+
+	uint32_t num_paritybytes = (iLen-1)/8 + 1;  // number of valid paritybytes in *parity
+	uint32_t duration = timestamp_end - timestamp_start;
+
+	// Return when trace is full
+	uint16_t max_traceLen = BigBuf_max_traceLen();
+
+	if (traceLen + sizeof(iLen) + sizeof(timestamp_start) + sizeof(duration) + num_paritybytes + iLen >= max_traceLen) {
+		tracing = false;    // don't trace any more
+		return false;
+	}
+	// Traceformat:
+	// 32 bits timestamp (little endian)
+	// 16 bits duration (little endian)
+	// 16 bits data length (little endian, Highest Bit used as readerToTag flag)
+	// y Bytes data
+	// x Bytes parity (one byte per 8 bytes data)
+
+	// timestamp (start)
+	trace[traceLen++] = ((timestamp_start >> 0) & 0xff);
+	trace[traceLen++] = ((timestamp_start >> 8) & 0xff);
+	trace[traceLen++] = ((timestamp_start >> 16) & 0xff);
+	trace[traceLen++] = ((timestamp_start >> 24) & 0xff);
+
+	// duration
+	trace[traceLen++] = ((duration >> 0) & 0xff);
+	trace[traceLen++] = ((duration >> 8) & 0xff);
+
+	// data length
+	trace[traceLen++] = ((iLen >> 0) & 0xff);
+	trace[traceLen++] = ((iLen >> 8) & 0xff);
+
+	// readerToTag flag
+	if (!readerToTag) {
+		trace[traceLen - 1] |= 0x80;
+	}
+
+	// data bytes
+	if (btBytes != NULL && iLen != 0) {
+		for (int i = 0; i < iLen; i++) {
+			trace[traceLen++] = *btBytes++;
+		}
+	}
+
+	// parity bytes
+	if (num_paritybytes != 0) {
+		if (parity != NULL) {
+			for (int i = 0; i < num_paritybytes; i++) {
+				trace[traceLen++] = *parity++;
+			}
+		} else {
+			for (int i = 0; i < num_paritybytes; i++) {
+				trace[traceLen++] = 0x00;
+			}
+		}
+	}
+
+	return true;
+}
+
+
+int LogTraceHitag(const uint8_t * btBytes, int iBits, int iSamples, uint32_t dwParity, int readerToTag)
+{
+	/**
+	  Todo, rewrite the logger to use the generic functionality instead. It should be noted, however,
+	  that this logger takes number of bits as argument, not number of bytes.
+	  **/
+
+	if (!tracing) return false;
+
+	uint8_t *trace = BigBuf_get_addr();
+	uint16_t iLen = nbytes(iBits);
+
+	// Return when trace is full
+	if (traceLen + sizeof(rsamples) + sizeof(dwParity) + sizeof(iBits) + iLen > BigBuf_max_traceLen()) {
+		return false;
+	}
+
+	//Hitag traces appear to use this traceformat:
+	// 32 bits timestamp (little endian,Highest Bit used as readerToTag flag)
+	// 32 bits parity
+	// 8 bits size (number of bits in the trace entry, not number of bytes)
+	// y Bytes data
+
+
+
+	rsamples += iSamples;
+	trace[traceLen++] = ((rsamples >> 0) & 0xff);
+	trace[traceLen++] = ((rsamples >> 8) & 0xff);
+	trace[traceLen++] = ((rsamples >> 16) & 0xff);
+	trace[traceLen++] = ((rsamples >> 24) & 0xff);
+
+	if (!readerToTag) {
+		trace[traceLen - 1] |= 0x80;
+	}
+
+	trace[traceLen++] = ((dwParity >> 0) & 0xff);
+	trace[traceLen++] = ((dwParity >> 8) & 0xff);
+	trace[traceLen++] = ((dwParity >> 16) & 0xff);
+	trace[traceLen++] = ((dwParity >> 24) & 0xff);
+	trace[traceLen++] = iBits;
+
+	for (int i = 0; i < iLen; i++) {
+		trace[traceLen++] = *btBytes++;
+	}
+
+	return true;
+}
+
+
+// Emulator memory
+uint8_t emlSet(uint8_t *data, uint32_t offset, uint32_t length){
+	uint8_t* mem = BigBuf_get_EM_addr();
+	if (offset+length < CARD_MEMORY_SIZE) {
+		memcpy(mem+offset, data, length);
+		return 0;
+	} else {
+		Dbprintf("Error, trying to set memory outside of bounds! %d  > %d", (offset+length), CARD_MEMORY_SIZE);
+		return 1;
+	}
+}

armsrc/BigBuf.h

@@ -0,0 +1,44 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, Aug 2005
+// Gerhard de Koning Gans, April 2008, May 2011
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// BigBuf and functions to allocate/free parts of it.
+//-----------------------------------------------------------------------------
+
+#ifndef __BIGBUF_H
+#define __BIGBUF_H
+
+#include <stdbool.h> // for bool
+#include "common.h"  // for ramfunc
+
+#define BIGBUF_SIZE				40000
+#define MAX_FRAME_SIZE			256		// maximum allowed ISO14443 frame
+#define MAX_PARITY_SIZE			((MAX_FRAME_SIZE + 7) / 8)
+#define MAX_MIFARE_FRAME_SIZE	18		// biggest Mifare frame is answer to a read (one block = 16 Bytes) + 2 Bytes CRC
+#define MAX_MIFARE_PARITY_SIZE	3		// need 18 parity bits for the 18 Byte above. 3 Bytes are enough to store these
+#define CARD_MEMORY_SIZE		4096
+#define DMA_BUFFER_SIZE    		128
+
+extern uint8_t *BigBuf_get_addr(void);
+extern uint8_t *BigBuf_get_EM_addr(void);
+extern uint16_t BigBuf_max_traceLen(void);
+extern void BigBuf_Clear(void);
+extern void BigBuf_Clear_ext(bool verbose);
+extern void BigBuf_Clear_keep_EM(void);
+extern void BigBuf_Clear_EM(void);
+extern uint8_t *BigBuf_malloc(uint16_t);
+extern void BigBuf_free(void);
+extern void BigBuf_free_keep_EM(void);
+extern void BigBuf_print_status(void);
+extern uint16_t BigBuf_get_traceLen(void);
+extern void clear_trace(void);
+extern void set_tracing(bool enable);
+extern bool get_tracing(void);
+extern bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag);
+extern int LogTraceHitag(const uint8_t * btBytes, int iBits, int iSamples, uint32_t dwParity, int bReader);
+extern uint8_t emlSet(uint8_t *data, uint32_t offset, uint32_t length);
+#endif /* __BIGBUF_H */

armsrc/Makefile

@@ -9,82 +9,136 @@
 APP_INCLUDES = apps.h
 
 #remove one of the following defines and comment out the relevant line
-#in the next section to remove that particular feature from compilation  
-APP_CFLAGS	= -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG
-#-DWITH_LCD 
+#in the next section to remove that particular feature from compilation
+APP_CFLAGS  = -DON_DEVICE \
+        -fno-strict-aliasing -ffunction-sections -fdata-sections
 
-#SRC_LCD = fonts.c LCD.c
-SRC_LF = lfops.c hitag2.c
-SRC_ISO15693 = iso15693.c iso15693tools.c 
-SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c
-SRC_ISO14443b = iso14443.c
-SRC_CRAPTO1 = crapto1.c crypto1.c
+include ../common/Makefile_Enabled_Options.common
 
+ifneq (,$(findstring WITH_LCD,$(APP_CFLAGS)))
+        SRC_LCD = fonts.c LCD.c
+else
+        SRC_LCD = 
+endif
+SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c protocols.c
+SRC_ISO15693 = iso15693.c
+SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c mifaresim.c
+SRC_ISO14443b = iso14443b.c
+SRC_CRAPTO1 = crypto1.c 
+SRC_DES = platform_util_arm.c des.c
+SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c parity.c iso15693tools.c
+SRC_SMARTCARD = i2c.c
+
+#the FPGA bitstream files. Note: order matters!
+FPGA_BITSTREAMS = fpga_lf.bit fpga_hf.bit
+
+#the zlib source files required for decompressing the fpga config at run time
+SRC_ZLIB = inflate.c inffast.c inftrees.c adler32.c zutil.c
+#additional defines required to compile zlib
+ZLIB_CFLAGS = -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED
+APP_CFLAGS += $(ZLIB_CFLAGS)
+# zlib includes:
+APP_CFLAGS += -I../zlib
+
+# Compile these in thumb mode (small size)
 THUMBSRC = start.c \
 	$(SRC_LCD) \
-	$(SRC_ISO15693) \
 	$(SRC_LF) \
-	appmain.c printf.c \
+	$(SRC_ZLIB) \
+	$(SRC_SMARTCARD) \
+	appmain.c \
+	printf.c \
 	util.c \
 	string.c \
-	usb_cdc.c \
-	cmd.c
+	usb_cdc.c
+
+# Compile these in thumb mode optimized for speed (still smaller than ARM mode)
+THUMBOPTSRC = $(SRC_ISO15693)
 
 # These are to be compiled in ARM mode
 ARMSRC = fpgaloader.c \
 	legicrf.c \
-	iso14443crc.c \
-	crc16.c \
+	legicrfsim.c \
+	legic_prng.c \
 	$(SRC_ISO14443a) \
 	$(SRC_ISO14443b) \
 	$(SRC_CRAPTO1) \
-	legic_prng.c \
+	$(SRC_DES) \
+	$(SRC_CRC) \
 	iclass.c \
-	crc.c
+	BigBuf.c \
+	optimized_cipher.c \
+	hfsnoop.c
 
-# stdint.h provided locally until GCC 4.5 becomes C99 compliant
-APP_CFLAGS += -I.
+VERSIONSRC = version.c \
+	fpga_version_info.c
 
-# Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
+# Do not move this inclusion before the definition of {THUMB,THUMBOPT,ASM,ARM}SRC
 include ../common/Makefile.common
 
-OBJS = $(OBJDIR)/osimage.s19 $(OBJDIR)/fpgaimage.s19
+OBJS = $(OBJDIR)/fullimage.s19
+FPGA_COMPRESSOR = ../client/fpga_compress
 
 all: $(OBJS)
 
-$(OBJDIR)/fpga_lf.o: fpga_lf.bit
-	$(OBJCOPY) -O elf32-littlearm -I binary -B arm --redefine-sym _binary____fpga_fpga_lf_bit_start=_binary_fpga_lf_bit_start --redefine-sym _binary____fpga_fpga_lf_bit_end=_binary_fpga_lf_bit_end --prefix-sections=fpga_lf_bit  $^ $@
+.DELETE_ON_ERROR:
 
-$(OBJDIR)/fpga_hf.o: fpga_hf.bit
-	$(OBJCOPY) -O elf32-littlearm -I binary -B arm --redefine-sym _binary____fpga_fpga_hf_bit_start=_binary_fpga_hf_bit_start --redefine-sym _binary____fpga_fpga_hf_bit_end=_binary_fpga_hf_bit_end --prefix-sections=fpga_hf_bit  $^ $@
+# version.c and fpga_version_info.c to be remade on every compilation
+.PHONY: version.c fpga_version_info.c
 
-$(OBJDIR)/fullimage.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_lf.o $(OBJDIR)/fpga_hf.o $(THUMBOBJ) $(ARMOBJ)
+version.c: default_version.c
+	perl ../tools/mkversion.pl .. > $@ || $(COPY) $^ $@ 
+
+fpga_version_info.c: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR)
+	$(FPGA_COMPRESSOR) -v $(filter %.bit,$^) $@
+
+$(OBJDIR)/fpga_all.o: $(OBJDIR)/fpga_all.bit.z
+	$(OBJCOPY) -O elf32-littlearm -I binary -B arm --prefix-sections=fpga_all_bit $^ $@
+
+$(OBJDIR)/fpga_all.bit.z: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR)
+	$(FPGA_COMPRESSOR) $(filter %.bit,$^) $@
+
+$(FPGA_COMPRESSOR):
+		make -C ../client $(notdir $(FPGA_COMPRESSOR))
+
+$(OBJDIR)/fullimage.stage1.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(THUMBOPTOBJ) $(ARMOBJ)
 	$(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^ $(LIBS)
 
-$(OBJDIR)/fpgaimage.elf: $(OBJDIR)/fullimage.elf
-	$(OBJCOPY) -F elf32-littlearm --only-section .fpgaimage $^ $@  
+$(OBJDIR)/fullimage.nodata.bin: $(OBJDIR)/fullimage.stage1.elf
+	$(OBJCOPY) -O binary -I elf32-littlearm --remove-section .data $^ $@
 
-$(OBJDIR)/osimage.elf: $(OBJDIR)/fullimage.elf
-	$(OBJCOPY) -F elf32-littlearm --remove-section .fpgaimage $^ $@
+$(OBJDIR)/fullimage.nodata.o: $(OBJDIR)/fullimage.nodata.bin
+	$(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=stage1_image $^ $@
+
+$(OBJDIR)/fullimage.data.bin: $(OBJDIR)/fullimage.stage1.elf
+	$(OBJCOPY) -O binary -I elf32-littlearm --only-section .data $^ $@
+
+$(OBJDIR)/fullimage.data.bin.z: $(OBJDIR)/fullimage.data.bin $(FPGA_COMPRESSOR)
+	$(FPGA_COMPRESSOR) $(filter %.bin,$^) $@
+
+$(OBJDIR)/fullimage.data.o: $(OBJDIR)/fullimage.data.bin.z
+	$(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=compressed_data $^ $@
+
+$(OBJDIR)/fullimage.elf: $(OBJDIR)/fullimage.nodata.o $(OBJDIR)/fullimage.data.o
+	$(CC) $(LDFLAGS) -Wl,-T,ldscript,-e,_osimage_entry,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^
 
 tarbin: $(OBJS)
 	$(TAR) $(TARFLAGS) ../proxmark3-$(platform)-bin.tar $(OBJS:%=armsrc/%) $(OBJS:%.s19=armsrc/%.elf)
 
-
 clean:
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.o
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.elf
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.s19
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.map
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.d
-	$(DELETE) version.c
+	$(DELETE) $(OBJDIR)$(PATHSEP)*.z
+	$(DELETE) $(OBJDIR)$(PATHSEP)*.bin
+	$(DELETE) version.c fpga_version_info.c
 
 .PHONY: all clean help
 help:
 	@echo Multi-OS Makefile, you are running on $(DETECTED_OS)
 	@echo Possible targets:
-	@echo +	all               - Make both:
-	@echo +	$(OBJDIR)/osimage.s19   - The OS image
-	@echo +	$(OBJDIR)/fpgaimage.s19 - The FPGA image
-	@echo +	clean             - Clean $(OBJDIR)
+	@echo +	all    - Build the full image $(OBJDIR)/fullimage.s19
+	@echo +	clean  - Clean $(OBJDIR)
 

armsrc/apps.h

@@ -15,35 +15,16 @@
 #include <stdint.h>
 #include <stddef.h>
 #include "common.h"
-#include "hitag2.h"
+#include "usb_cmd.h"
+#include "hitagS.h"
 #include "mifare.h"
-
-// The large multi-purpose buffer, typically used to hold A/D samples,
-// maybe processed in some way.
-uint32_t BigBuf[10000];
-// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
-#define TRACE_OFFSET          0
-#define TRACE_SIZE         3000
-#define RECV_CMD_OFFSET    3032
-#define RECV_CMD_SIZE        64
-#define RECV_RES_OFFSET    3096
-#define RECV_RES_SIZE        64
-#define DMA_BUFFER_OFFSET  3160
-#define DMA_BUFFER_SIZE    4096
-#define FREE_BUFFER_OFFSET 7256
-#define FREE_BUFFER_SIZE   2744
+#include "../common/crc32.h"
+#include "BigBuf.h"
 
 extern const uint8_t OddByteParity[256];
-extern uint8_t *trace; // = (uint8_t *) BigBuf;
-extern int traceLen;   // = 0;
 extern int rsamples;   // = 0;
-extern int tracing;    // = TRUE;
 extern uint8_t trigger;
 
-// This may be used (sparingly) to declare a function to be copied to
-// and executed from RAM
-#define RAMFUNC __attribute((long_call, section(".ramfunc")))
-
 /// appmain.h
 void ReadMem(int addr);
 void __attribute__((noreturn)) AppMain(void);
@@ -53,164 +34,82 @@ void DbpString(char *str);
 void Dbprintf(const char *fmt, ...);
 void Dbhexdump(int len, uint8_t *d, bool bAsci);
 
+// ADC Vref = 3300mV, and an (10M+1M):1M voltage divider on the HF input can measure voltages up to 36300 mV
+#define MAX_ADC_HF_VOLTAGE_LOW   36300
+// ADC Vref = 3300mV, and an (10000k+240k):240k voltage divider on the LF input can measure voltages up to 140800 mV
+#define MAX_ADC_HF_VOLTAGE_HIGH 140800
+#define MAX_ADC_LF_VOLTAGE      140800
 int AvgAdc(int ch);
 
 void ToSendStuffBit(int b);
 void ToSendReset(void);
 void ListenReaderField(int limit);
-void AcquireRawAdcSamples125k(int at134khz);
-void SnoopLFRawAdcSamples(int divisor, int trigger_threshold);
-void DoAcquisition125k(int trigger_threshold);
 extern int ToSendMax;
 extern uint8_t ToSend[];
-extern uint32_t BigBuf[];
 
-/// fpga.h
-void FpgaSendCommand(uint16_t cmd, uint16_t v);
-void FpgaWriteConfWord(uint8_t v);
-void FpgaDownloadAndGo(int bitstream_version);
-int FpgaGatherBitstreamVersion();
-void FpgaGatherVersion(char *dst, int len);
-void FpgaSetupSsc(void);
-void SetupSpi(int mode);
-bool FpgaSetupSscDma(uint8_t *buf, int len);
-#define FpgaDisableSscDma(void)	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
-#define FpgaEnableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
-void SetAdcMuxFor(uint32_t whichGpio);
-
-// Definitions for the FPGA commands.
-#define FPGA_CMD_SET_CONFREG					(1<<12)
-#define FPGA_CMD_SET_DIVISOR					(2<<12)
-#define FPGA_CMD_SET_USER_BYTE1					(3<<12)
-// Definitions for the FPGA configuration word.
-// LF
-#define FPGA_MAJOR_MODE_LF_ADC					(0<<5)
-#define FPGA_MAJOR_MODE_LF_EDGE_DETECT			(1<<5)
-#define FPGA_MAJOR_MODE_LF_PASSTHRU				(2<<5)
-// HF
-#define FPGA_MAJOR_MODE_HF_READER_TX				(0<<5)
-#define FPGA_MAJOR_MODE_HF_READER_RX_XCORR			(1<<5)
-#define FPGA_MAJOR_MODE_HF_SIMULATOR				(2<<5)
-#define FPGA_MAJOR_MODE_HF_ISO14443A				(3<<5)
-// BOTH
-#define FPGA_MAJOR_MODE_OFF					(7<<5)
-// Options for LF_ADC
-#define FPGA_LF_ADC_READER_FIELD				(1<<0)
-// Options for LF_EDGE_DETECT
-#define FPGA_CMD_SET_EDGE_DETECT_THRESHOLD			FPGA_CMD_SET_USER_BYTE1
-#define FPGA_LF_EDGE_DETECT_READER_FIELD 			(1<<0)
-#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE				(1<<1)
-// Options for the HF reader, tx to tag
-#define FPGA_HF_READER_TX_SHALLOW_MOD				(1<<0)
-// Options for the HF reader, correlating against rx from tag
-#define FPGA_HF_READER_RX_XCORR_848_KHZ				(1<<0)
-#define FPGA_HF_READER_RX_XCORR_SNOOP				(1<<1)
-#define FPGA_HF_READER_RX_XCORR_QUARTER_FREQ			(1<<2)
-// Options for the HF simulated tag, how to modulate
-#define FPGA_HF_SIMULATOR_NO_MODULATION				(0<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_BPSK				(1<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_212K				(2<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_424K				(4<<0)
-// Options for ISO14443A
-#define FPGA_HF_ISO14443A_SNIFFER				(0<<0)
-#define FPGA_HF_ISO14443A_TAGSIM_LISTEN				(1<<0)
-#define FPGA_HF_ISO14443A_TAGSIM_MOD				(2<<0)
-#define FPGA_HF_ISO14443A_READER_LISTEN				(3<<0)
-#define FPGA_HF_ISO14443A_READER_MOD				(4<<0)
 
 /// lfops.h
+extern uint8_t decimation;
+extern uint8_t bits_per_sample ;
+extern bool averaging;
+
 void AcquireRawAdcSamples125k(int divisor);
-void ModThenAcquireRawAdcSamples125k(int delay_off,int period_0,int period_1,uint8_t *command);
+void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command);
 void ReadTItag(void);
 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc);
+
 void AcquireTiType(void);
 void AcquireRawBitsTI(void);
 void SimulateTagLowFrequency(int period, int gap, int ledcontrol);
-void CmdHIDsimTAG(int hi, int lo, int ledcontrol);
-void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol);
-void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
-void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an ioProx card to T5557/T5567
 void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
-void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
+void CmdHIDsimTAG(int hi2, int hi, int lo, int ledcontrol);
+void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
+void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
+void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
+void CmdHIDdemodFSK(int findone, int *high2, int *high, int *low, int ledcontrol);
+void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realtime demodulation mode for AWID26
+void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol);
+void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
+void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567
+void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, uint8_t preamble); // Clone an HID-like card to T5557/T5567
+void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5);
 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
-void CopyIndala64toT55x7(int hi, int lo); // Clone Indala 64-bit tag by UID to T55x7
-void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7); // Clone Indala 224-bit tag by UID to T55x7
+void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
+void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7
+void T55xxResetRead(void);
 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode);
-void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode );
-void T55xxReadTrace(void);
-int DemodPCF7931(uint8_t **outBlocks);
-int IsBlock0PCF7931(uint8_t *Block);
-int IsBlock1PCF7931(uint8_t *Block);
-void ReadPCF7931();
+void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd);
+void T55xxWakeUp(uint32_t Pwd);
+void TurnReadLFOn();
+//void T55xxReadTrace(void);
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
-void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
+void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd);
+void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd);
+void Cotag(uint32_t arg0);
 
 /// iso14443.h
-void SimulateIso14443Tag(void);
-void AcquireRawAdcSamplesIso14443(uint32_t parameter);
-void ReadSTMemoryIso14443(uint32_t);
-void RAMFUNC SnoopIso14443(void);
+void SimulateIso14443bTag(void);
+void AcquireRawAdcSamplesIso14443b(uint32_t parameter);
+void ReadSTMemoryIso14443b(uint32_t);
+void RAMFUNC SnoopIso14443b(void);
 void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);
 
-/// iso14443a.h
-void RAMFUNC SnoopIso14443a(uint8_t param);
-void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data);
-void ReaderIso14443a(UsbCommand * c);
 // Also used in iclass.c
-bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t iSamples, uint32_t dwParity, bool readerToTag);
-uint32_t GetParity(const uint8_t * pbtCmd, int iLen);
-void iso14a_set_trigger(bool enable);
-void iso14a_clear_trace();
-void iso14a_set_tracing(bool enable);
+void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *parity);
+
 void RAMFUNC SniffMifare(uint8_t param);
 
 /// epa.h
 void EPA_PACE_Collect_Nonce(UsbCommand * c);
+void EPA_PACE_Replay(UsbCommand *c);
 
-// mifarecmd.h
-void ReaderMifare(bool first_try);
-int32_t dist_nt(uint32_t nt1, uint32_t nt2);
-void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
-void MifareUReadBlock(uint8_t arg0,uint8_t *datain);
-void MifareUReadCard(uint8_t arg0,uint8_t *datain);
-void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-void MifareUWriteBlock(uint8_t arg0,uint8_t *datain);
-void MifareUWriteBlock_Special(uint8_t arg0,uint8_t *datain);
-void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);  // Work with "magic Chinese" card
-void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-
-/// iso15693.h
-void RecordRawAdcSamplesIso15693(void);
-void AcquireRawAdcSamplesIso15693(void);
-void ReaderIso15693(uint32_t parameter);	// Simulate an ISO15693 reader - greg
-void SimTagIso15693(uint32_t parameter);	// simulate an ISO15693 tag - greg
-void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox
-void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8_t data[]); // send arbitrary commands from CLI - atrox 
-void SetDebugIso15693(uint32_t flag);
-
-/// iclass.h
-void RAMFUNC SnoopIClass(void);
-void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void ReaderIClass(uint8_t arg0);
-//int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived);
-// hitag2.h
-void SnoopHitag(uint32_t type);
-void SimulateHitagTag(bool tag_mem_supplied, byte_t* data);
-void ReaderHitag(hitag_function htf, hitag_data* htd);
-
-// cmd.h
-bool cmd_receive(UsbCommand* cmd);
-bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len);
-
-/// util.h
+// mifaredesfire.h
+bool    InitDesfireCard();
+void    MifareSendCommand(uint8_t arg0,uint8_t arg1, uint8_t *datain);
+void    MifareDesfireGetInformation();
+void    MifareDES_Auth1(uint8_t arg0,uint8_t arg1,uint8_t arg2, uint8_t *datain);
+void    ReaderMifareDES(uint32_t param, uint32_t param2, uint8_t * datain);
+int     DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout);
+size_t  CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout);
 
 #endif

armsrc/crypto1.c

@@ -1,95 +0,0 @@
-/*  crypto1.c
-
-    This program is free software; you can redistribute it and/or
-    modify it under the terms of the GNU General Public License
-    as published by the Free Software Foundation; either version 2
-    of the License, or (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-    MA  02110-1301, US
-
-    Copyright (C) 2008-2008 bla <blapost@gmail.com>
-*/
-#include "crapto1.h"
-#include <stdlib.h>
-
-#define SWAPENDIAN(x)\
-	(x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16)
-
-void crypto1_create(struct Crypto1State *s, uint64_t key)
-{
-//	struct Crypto1State *s = malloc(sizeof(*s));
-	int i;
-
-	for(i = 47;s && i > 0; i -= 2) {
-		s->odd  = s->odd  << 1 | BIT(key, (i - 1) ^ 7);
-		s->even = s->even << 1 | BIT(key, i ^ 7);
-	}
-	return;
-}
-void crypto1_destroy(struct Crypto1State *state)
-{
-//	free(state);
-  state->odd = 0;
-  state->even = 0;
-}
-void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr)
-{
-	int i;
-	for(*lfsr = 0, i = 23; i >= 0; --i) {
-		*lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3);
-		*lfsr = *lfsr << 1 | BIT(state->even, i ^ 3);
-	}
-}
-uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted)
-{
-	uint32_t feedin;
-	uint8_t ret = filter(s->odd);
-
-	feedin  = ret & !!is_encrypted;
-	feedin ^= !!in;
-	feedin ^= LF_POLY_ODD & s->odd;
-	feedin ^= LF_POLY_EVEN & s->even;
-	s->even = s->even << 1 | parity(feedin);
-
-	s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
-
-	return ret;
-}
-uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted)
-{
-	uint8_t i, ret = 0;
-
-	for (i = 0; i < 8; ++i)
-		ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i;
-
-	return ret;
-}
-uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted)
-{
-	uint32_t i, ret = 0;
-
-	for (i = 0; i < 32; ++i)
-		ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24);
-
-	return ret;
-}
-
-/* prng_successor
- * helper used to obscure the keystream during authentication
- */
-uint32_t prng_successor(uint32_t x, uint32_t n)
-{
-	SWAPENDIAN(x);
-	while(n--)
-		x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;
-
-	return SWAPENDIAN(x);
-}

armsrc/epa.c

@@ -5,17 +5,22 @@
 // at your option, any later version. See the LICENSE.txt file for the text of
 // the license.
 //-----------------------------------------------------------------------------
-// Routines to support the German eletronic "Personalausweis" (ID card)
+// Routines to support the German electronic "Personalausweis" (ID card)
 // Note that the functions which do not implement USB commands do NOT initialize
 // the card (with iso14443a_select_card etc.). If You want to use these
 // functions, You need to do the setup before calling them!
 //-----------------------------------------------------------------------------
 
+#include "apps.h"
 #include "iso14443a.h"
+#include "iso14443b.h"
 #include "epa.h"
-#include "cmd.h"
+#include "usb_cdc.h"
+#include "fpgaloader.h"
+#include "string.h"
+#include "util.h"
 
-// Protocol and Parameter Selection Request
+// Protocol and Parameter Selection Request for ISO 14443 type A cards
 // use regular (1x) speed in both directions
 // CRC is already included
 static const uint8_t pps[] = {0xD0, 0x11, 0x00, 0x52, 0xA6};
@@ -74,6 +79,54 @@ static const uint8_t oid_pace_start[] = {
     0x04 // id-PACE
 };
 
+// APDUs for replaying:
+// MSE: Set AT (initiate PACE)
+static uint8_t apdu_replay_mse_set_at_pace[41];
+// General Authenticate (Get Nonce)
+static uint8_t apdu_replay_general_authenticate_pace_get_nonce[8];
+// General Authenticate (Map Nonce)
+static uint8_t apdu_replay_general_authenticate_pace_map_nonce[75];
+// General Authenticate (Mutual Authenticate)
+static uint8_t apdu_replay_general_authenticate_pace_mutual_authenticate[75];
+// General Authenticate (Perform Key Agreement)
+static uint8_t apdu_replay_general_authenticate_pace_perform_key_agreement[18];
+// pointers to the APDUs (for iterations)
+static struct {
+	uint8_t len;
+	uint8_t *data;
+} const apdus_replay[] = {
+	{sizeof(apdu_replay_mse_set_at_pace), apdu_replay_mse_set_at_pace},
+	{sizeof(apdu_replay_general_authenticate_pace_get_nonce), apdu_replay_general_authenticate_pace_get_nonce},
+	{sizeof(apdu_replay_general_authenticate_pace_map_nonce), apdu_replay_general_authenticate_pace_map_nonce},
+	{sizeof(apdu_replay_general_authenticate_pace_mutual_authenticate), apdu_replay_general_authenticate_pace_mutual_authenticate},
+	{sizeof(apdu_replay_general_authenticate_pace_perform_key_agreement), apdu_replay_general_authenticate_pace_perform_key_agreement}
+};
+
+// lengths of the replay APDUs
+static uint8_t apdu_lengths_replay[5];
+
+// type of card (ISO 14443 A or B)
+static char iso_type = 0;
+
+//-----------------------------------------------------------------------------
+// Wrapper for sending APDUs to type A and B cards
+//-----------------------------------------------------------------------------
+int EPA_APDU(uint8_t *apdu, size_t length, uint8_t *response)
+{
+	switch(iso_type)
+	{
+		case 'a':
+			return iso14_apdu(apdu, (uint16_t) length, false, response, NULL);
+			break;
+		case 'b':
+			return iso14443b_apdu(apdu, length, response);
+			break;
+		default:
+			return 0;
+			break;
+	}
+}
+
 //-----------------------------------------------------------------------------
 // Closes the communication channel and turns off the field
 //-----------------------------------------------------------------------------
@@ -81,6 +134,7 @@ void EPA_Finish()
 {
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();
+	iso_type = 0;
 }
 
 //-----------------------------------------------------------------------------
@@ -101,16 +155,16 @@ size_t EPA_Parse_CardAccess(uint8_t *data,
                             pace_version_info_t *pace_info)
 {
 	size_t index = 0;
-	
+
 	while (index <= length - 2) {
 		// determine type of element
 		// SET or SEQUENCE
 		if (data[index] == 0x31 || data[index] == 0x30) {
 			// enter the set (skip tag + length)
 			index += 2;
-			// extended length
+			// check for extended length
 			if ((data[index - 1] & 0x80) != 0) {
-				index += (data[index] & 0x7F);
+				index += (data[index-1] & 0x7F);
 			}
 		}
 		// OID
@@ -158,7 +212,7 @@ size_t EPA_Parse_CardAccess(uint8_t *data,
 			index += 2 + data[index + 1];
 		}
 	}
-	
+
 	// TODO: We should check whether we reached the end in error, but for that
 	//       we need a better parser (e.g. with states like IN_SET or IN_PACE_INFO)
 	return 0;
@@ -176,29 +230,31 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
 	// we reserve 262 bytes here just to be safe (256-byte APDU + SW + ISO frame)
 	uint8_t response_apdu[262];
 	int rapdu_length = 0;
-	
+
 	// select the file EF.CardAccess
-	rapdu_length = iso14_apdu((uint8_t *)apdu_select_binary_cardaccess,
+	rapdu_length = EPA_APDU((uint8_t *)apdu_select_binary_cardaccess,
 	                          sizeof(apdu_select_binary_cardaccess),
 	                          response_apdu);
-	if (rapdu_length != 6
+	if (rapdu_length < 6
 	    || response_apdu[rapdu_length - 4] != 0x90
 	    || response_apdu[rapdu_length - 3] != 0x00)
 	{
+		DbpString("Failed to select EF.CardAccess!");
 		return -1;
 	}
-	
+
 	// read the file
-	rapdu_length = iso14_apdu((uint8_t *)apdu_read_binary,
+	rapdu_length = EPA_APDU((uint8_t *)apdu_read_binary,
 	                          sizeof(apdu_read_binary),
 	                          response_apdu);
 	if (rapdu_length <= 6
 	    || response_apdu[rapdu_length - 4] != 0x90
 	    || response_apdu[rapdu_length - 3] != 0x00)
 	{
+		Dbprintf("Failed to read EF.CardAccess!");
 		return -1;
 	}
-	
+
 	// copy the content into the buffer
 	// length of data available: apdu_length - 4 (ISO frame) - 2 (SW)
 	size_t to_copy = rapdu_length - 6;
@@ -213,17 +269,11 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
 //-----------------------------------------------------------------------------
 static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
 {
-//	// step in which the failure occured
-//	ack->arg[0] = step;
-//	// last return code
-//	ack->arg[1] = func_return;
-
 	// power down the field
 	EPA_Finish();
-	
+
 	// send the USB packet
-  cmd_send(CMD_ACK,step,func_return,0,0,0);
-//UsbSendPacket((void *)ack, sizeof(UsbCommand));
+	cmd_send(CMD_ACK,step,func_return,0,0,0);
 }
 
 //-----------------------------------------------------------------------------
@@ -243,12 +293,8 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
 	 */
 
 	// return value of a function
-	int func_return;
+	int func_return = 0;
 
-//	// initialize ack with 0s
-//	memset(ack->arg, 0, 12);
-//	memset(ack->d.asBytes, 0, 48);
-	
 	// set up communication
 	func_return = EPA_Setup();
 	if (func_return != 0) {
@@ -256,9 +302,6 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
 		return;
 	}
 
-	// increase the timeout (at least some cards really do need this!)
-	iso14a_set_timeout(0x0002FFFF);
-	
 	// read the CardAccess file
 	// this array will hold the CardAccess file
 	uint8_t card_access[256] = {0};
@@ -279,11 +322,11 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
 		EPA_PACE_Collect_Nonce_Abort(3, func_return);
 		return;
 	}
-	
+
 	// initiate the PACE protocol
 	// use the CAN for the password since that doesn't change
 	func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2);
-	
+
 	// now get the nonce
 	uint8_t nonce[256] = {0};
 	uint8_t requested_size = (uint8_t)c->arg[0];
@@ -294,15 +337,12 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
 		EPA_PACE_Collect_Nonce_Abort(4, func_return);
 		return;
 	}
-  
-  // all done, return
+
+	// all done, return
 	EPA_Finish();
-	
+
 	// save received information
-//	ack->arg[1] = func_return;
-//	memcpy(ack->d.asBytes, nonce, func_return);
-//	UsbSendPacket((void *)ack, sizeof(UsbCommand));
-  cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
+	cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
 }
 
 //-----------------------------------------------------------------------------
@@ -323,10 +363,10 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
 	       sizeof(apdu_general_authenticate_pace_get_nonce));
 	// append Le (requested length + 2 due to tag/length taking 2 bytes) in RAPDU
 	apdu[sizeof(apdu_general_authenticate_pace_get_nonce)] = requested_length + 4;
-	
+
 	// send it
 	uint8_t response_apdu[262];
-	int send_return = iso14_apdu(apdu,
+	int send_return = EPA_APDU(apdu,
 	                             sizeof(apdu),
 	                             response_apdu);
 	// check if the command succeeded
@@ -336,7 +376,7 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
 	{
 		return -1;
 	}
-	
+
 	// if there is no nonce in the RAPDU, return here
 	if (send_return < 10)
 	{
@@ -351,7 +391,7 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
 	}
 	// copy the nonce
 	memcpy(nonce, response_apdu + 6, nonce_length);
-	
+
 	return nonce_length;
 }
 
@@ -397,7 +437,7 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
 	apdu[4] = apdu_length - 5;
 	// send it
 	uint8_t response_apdu[6];
-	int send_return = iso14_apdu(apdu,
+	int send_return = EPA_APDU(apdu,
 	                             apdu_length,
 	                             response_apdu);
 	// check if the command succeeded
@@ -410,34 +450,106 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
 	return 0;
 }
 
+//-----------------------------------------------------------------------------
+// Perform the PACE protocol by replaying given APDUs
+//-----------------------------------------------------------------------------
+void EPA_PACE_Replay(UsbCommand *c) {
+	uint32_t timings[sizeof(apdu_lengths_replay) / sizeof(apdu_lengths_replay[0])] = {0};
+
+	// if an APDU has been passed, just save it
+	if (c->arg[0] != 0) {
+		// make sure it's not too big
+		if(c->arg[2] > apdus_replay[c->arg[0] - 1].len) {
+			cmd_send(CMD_ACK, 1, 0, 0, NULL, 0);
+			return;
+		}
+		memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1], c->d.asBytes, c->arg[2]);
+		// save/update APDU length
+		if (c->arg[1] == 0) {
+			apdu_lengths_replay[c->arg[0] - 1] = c->arg[2];
+		} else {
+			apdu_lengths_replay[c->arg[0] - 1] += c->arg[2];
+		}
+		cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
+		return;
+	}
+
+	// return value of a function
+	int func_return;
+
+	// set up communication
+	func_return = EPA_Setup();
+	if (func_return != 0) {
+		EPA_Finish();
+		cmd_send(CMD_ACK, 2, func_return, 0, NULL, 0);
+		return;
+	}
+
+	// response APDU
+	uint8_t response_apdu[300] = {0};
+
+	// now replay the data and measure the timings
+	for (int i = 0; i < sizeof(apdu_lengths_replay); i++) {
+		StartCountUS();
+		func_return = EPA_APDU(apdus_replay[i].data,
+		                         apdu_lengths_replay[i],
+		                         response_apdu);
+		timings[i] = GetCountUS();
+		// every step but the last one should succeed
+		if (i < sizeof(apdu_lengths_replay) - 1
+		    && (func_return < 6
+		        || response_apdu[func_return - 4] != 0x90
+		        || response_apdu[func_return - 3] != 0x00))
+		{
+			EPA_Finish();
+			cmd_send(CMD_ACK, 3 + i, func_return, 0, timings, 20);
+			return;
+		}
+	}
+	EPA_Finish();
+	cmd_send(CMD_ACK,0,0,0,timings,20);
+	return;
+}
+
 //-----------------------------------------------------------------------------
 // Set up a communication channel (Card Select, PPS)
 // Returns 0 on success or a non-zero error code on failure
 //-----------------------------------------------------------------------------
 int EPA_Setup()
 {
-	// return code
 	int return_code = 0;
-	// card UID
-	uint8_t uid[8];
-	// card select information
+	uint8_t uid[10];
+	uint8_t pps_response[3];
+	uint8_t pps_response_par[1];
 	iso14a_card_select_t card_select_info;
+
+	// first, look for type A cards
 	// power up the field
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-
 	// select the card
-	return_code = iso14443a_select_card(uid, &card_select_info, NULL);
-	if (return_code != 1) {
-		return 1;
+	return_code = iso14443a_select_card(uid, &card_select_info, NULL, true, 0, false);
+	if (return_code == 1) {
+		// send the PPS request
+		ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
+		return_code = ReaderReceive(pps_response, pps_response_par);
+		if (return_code != 3 || pps_response[0] != 0xD0) {
+			return return_code == 0 ? 2 : return_code;
+		}
+		Dbprintf("ISO 14443 Type A");
+		iso_type = 'a';
+		return 0;
 	}
 
-	// send the PPS request
-	ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
-	uint8_t pps_response[3];
-	return_code = ReaderReceive(pps_response);
-	if (return_code != 3 || pps_response[0] != 0xD0) {
-		return return_code == 0 ? 2 : return_code;
+	// if we're here, there is no type A card, so we look for type B
+	// power up the field
+	iso14443b_setup();
+	// select the card
+	return_code = iso14443b_select_card();
+	if (return_code == 1) {
+		Dbprintf("ISO 14443 Type B");
+		iso_type = 'b';
+		return 0;
 	}
-	
-	return 0;
-}
+	Dbprintf("No card found.");
+	return 1;
+}

armsrc/epa.h

@@ -19,7 +19,7 @@ typedef struct {
 	uint8_t parameter_id;
 } pace_version_info_t;
 
-// note: EPA_PACE_GetNonce is declared in apps.h
+// note: EPA_PACE_Collect_Nonce and EPA_PACE_Replay are declared in apps.h
 
 // general functions
 void EPA_Finish();
@@ -33,4 +33,4 @@ int EPA_Setup();
 int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password);
 int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce);
 
-#endif /* __EPA_H */
+#endif /* __EPA_H */

armsrc/fpgaloader.c

@@ -9,10 +9,30 @@
 // Routines to load the FPGA image, and then to configure the FPGA's major
 // mode once it is configured.
 //-----------------------------------------------------------------------------
-#include "proxmark3.h"
+
+#include "fpgaloader.h"
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
 #include "apps.h"
+#include "fpga.h"
+#include "proxmark3.h"
 #include "util.h"
 #include "string.h"
+#include "BigBuf.h"
+#include "zlib.h"
+
+// remember which version of the bitstream we have already downloaded to the FPGA
+static int downloaded_bitstream = 0;
+
+// this is where the bitstreams are located in memory:
+extern uint8_t _binary_obj_fpga_all_bit_z_start, _binary_obj_fpga_all_bit_z_end;
+
+static uint8_t *fpga_image_ptr = NULL;
+static uint32_t uncompressed_bytes_cnt;
+
+#define OUTPUT_BUFFER_LEN       80
 
 //-----------------------------------------------------------------------------
 // Set up the Serial Peripheral Interface as master
@@ -29,16 +49,16 @@ void SetupSpi(int mode)
 
 	// Disable PIO control of the following pins, allows use by the SPI peripheral
 	AT91C_BASE_PIOA->PIO_PDR =
-		GPIO_NCS0	|
-		GPIO_NCS2 	|
-		GPIO_MISO	|
-		GPIO_MOSI	|
+		GPIO_NCS0   |
+		GPIO_NCS2   |
+		GPIO_MISO   |
+		GPIO_MOSI   |
 		GPIO_SPCK;
 
 	AT91C_BASE_PIOA->PIO_ASR =
-		GPIO_NCS0	|
-		GPIO_MISO	|
-		GPIO_MOSI	|
+		GPIO_NCS0   |
+		GPIO_MISO   |
+		GPIO_MOSI   |
 		GPIO_SPCK;
 
 	AT91C_BASE_PIOA->PIO_BSR = GPIO_NCS2;
@@ -51,57 +71,56 @@ void SetupSpi(int mode)
 	switch (mode) {
 		case SPI_FPGA_MODE:
 			AT91C_BASE_SPI->SPI_MR =
-				( 0 << 24)	|	// Delay between chip selects (take default: 6 MCK periods)
-				(14 << 16)	|	// Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11)
-				( 0 << 7)	|	// Local Loopback Disabled
-				( 1 << 4)	|	// Mode Fault Detection disabled
-				( 0 << 2)	|	// Chip selects connected directly to peripheral
-				( 0 << 1) 	|	// Fixed Peripheral Select
-				( 1 << 0);		// Master Mode
+				( 0 << 24)  |   // Delay between chip selects (take default: 6 MCK periods)
+				(14 << 16)  |   // Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11)
+				( 0 << 7)   |   // Local Loopback Disabled
+				( 1 << 4)   |   // Mode Fault Detection disabled
+				( 0 << 2)   |   // Chip selects connected directly to peripheral
+				( 0 << 1)   |   // Fixed Peripheral Select
+				( 1 << 0);      // Master Mode
 			AT91C_BASE_SPI->SPI_CSR[0] =
-				( 1 << 24)	|	// Delay between Consecutive Transfers (32 MCK periods)
-				( 1 << 16)	|	// Delay Before SPCK (1 MCK period)
-				( 6 << 8)	|	// Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
-				( 8 << 4)	|	// Bits per Transfer (16 bits)
-				( 0 << 3)	|	// Chip Select inactive after transfer
-				( 1 << 1)	|	// Clock Phase data captured on leading edge, changes on following edge
-				( 0 << 0);		// Clock Polarity inactive state is logic 0
+				( 1 << 24)  |   // Delay between Consecutive Transfers (32 MCK periods)
+				( 1 << 16)  |   // Delay Before SPCK (1 MCK period)
+				( 6 << 8)   |   // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
+				( 8 << 4)   |   // Bits per Transfer (16 bits)
+				( 0 << 3)   |   // Chip Select inactive after transfer
+				( 1 << 1)   |   // Clock Phase data captured on leading edge, changes on following edge
+				( 0 << 0);      // Clock Polarity inactive state is logic 0
 			break;
 		case SPI_LCD_MODE:
 			AT91C_BASE_SPI->SPI_MR =
-				( 0 << 24)	|	// Delay between chip selects (take default: 6 MCK periods)
-				(11 << 16)	|	// Peripheral Chip Select (selects LCD SPI_NCS2 or PA10)
-				( 0 << 7)	|	// Local Loopback Disabled
-				( 1 << 4)	|	// Mode Fault Detection disabled
-				( 0 << 2)	|	// Chip selects connected directly to peripheral
-				( 0 << 1) 	|	// Fixed Peripheral Select
-				( 1 << 0);		// Master Mode
+				( 0 << 24)  |   // Delay between chip selects (take default: 6 MCK periods)
+				(11 << 16)  |   // Peripheral Chip Select (selects LCD SPI_NCS2 or PA10)
+				( 0 << 7)   |   // Local Loopback Disabled
+				( 1 << 4)   |   // Mode Fault Detection disabled
+				( 0 << 2)   |   // Chip selects connected directly to peripheral
+				( 0 << 1)   |   // Fixed Peripheral Select
+				( 1 << 0);      // Master Mode
 			AT91C_BASE_SPI->SPI_CSR[2] =
-				( 1 << 24)	|	// Delay between Consecutive Transfers (32 MCK periods)
-				( 1 << 16)	|	// Delay Before SPCK (1 MCK period)
-				( 6 << 8)	|	// Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
-				( 1 << 4)	|	// Bits per Transfer (9 bits)
-				( 0 << 3)	|	// Chip Select inactive after transfer
-				( 1 << 1)	|	// Clock Phase data captured on leading edge, changes on following edge
-				( 0 << 0);		// Clock Polarity inactive state is logic 0
+				( 1 << 24)  |   // Delay between Consecutive Transfers (32 MCK periods)
+				( 1 << 16)  |   // Delay Before SPCK (1 MCK period)
+				( 6 << 8)   |   // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
+				( 1 << 4)   |   // Bits per Transfer (9 bits)
+				( 0 << 3)   |   // Chip Select inactive after transfer
+				( 1 << 1)   |   // Clock Phase data captured on leading edge, changes on following edge
+				( 0 << 0);      // Clock Polarity inactive state is logic 0
 			break;
-		default:				// Disable SPI
+		default:                // Disable SPI
 			AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIDIS;
 			break;
 	}
 }
 
 //-----------------------------------------------------------------------------
-// Set up the synchronous serial port, with the one set of options that we
-// always use when we are talking to the FPGA. Both RX and TX are enabled.
+// Set up the synchronous serial port with the set of options that fits
+// the FPGA mode. Both RX and TX are always enabled.
 //-----------------------------------------------------------------------------
-void FpgaSetupSsc(void)
-{
+void FpgaSetupSsc(uint16_t FPGA_mode) {
 	// First configure the GPIOs, and get ourselves a clock.
 	AT91C_BASE_PIOA->PIO_ASR =
-		GPIO_SSC_FRAME	|
-		GPIO_SSC_DIN	|
-		GPIO_SSC_DOUT	|
+		GPIO_SSC_FRAME  |
+		GPIO_SSC_DIN    |
+		GPIO_SSC_DOUT   |
 		GPIO_SSC_CLK;
 	AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
 
@@ -110,17 +129,21 @@ void FpgaSetupSsc(void)
 	// Now set up the SSC proper, starting from a known state.
 	AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
 
-	// RX clock comes from TX clock, RX starts when TX starts, data changes
-	// on RX clock rising edge, sampled on falling edge
+	// RX clock comes from TX clock, RX starts on Transmit Start,
+	// data and frame signal is sampled on falling edge of RK
 	AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);
 
-	// 8 bits per transfer, no loopback, MSB first, 1 transfer per sync
+	// 8, 16 or 32 bits per transfer, no loopback, MSB first, 1 transfer per sync
 	// pulse, no output sync
-	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) |	AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
+	if ((FPGA_mode & FPGA_MAJOR_MODE_MASK) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
+		AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
+	} else {
+		AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
+	}
 
-	// clock comes from TK pin, no clock output, outputs change on falling
-	// edge of TK, sample on rising edge of TK, start on positive-going edge of sync
-	AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) |	SSC_CLOCK_MODE_START(5);
+	// TX clock comes from TK pin, no clock output, outputs change on rising edge of TK, 
+	// TF (frame sync) is sampled on falling edge of TK, start TX on rising edge of TF
+	AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);
 
 	// tx framing is the same as the rx framing
 	AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR;
@@ -134,22 +157,105 @@ void FpgaSetupSsc(void)
 // ourselves, not to another buffer). The stuff to manipulate those buffers
 // is in apps.h, because it should be inlined, for speed.
 //-----------------------------------------------------------------------------
-bool FpgaSetupSscDma(uint8_t *buf, int len)
-{
-	if (buf == NULL) {
-        return false;
-    }
+bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count) {
+	if (buf == NULL) return false;
 
-	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;	// Disable DMA Transfer
-	AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf;		// transfer to this memory address
-	AT91C_BASE_PDC_SSC->PDC_RCR = len;					// transfer this many bytes
-	AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf;		// next transfer to same memory address
-	AT91C_BASE_PDC_SSC->PDC_RNCR = len;					// ... with same number of bytes
-	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;		// go!
-    
-    return true;
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;        // Disable DMA Transfer
+	AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf;           // transfer to this memory address
+	AT91C_BASE_PDC_SSC->PDC_RCR = sample_count;             // transfer this many samples
+	AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf;          // next transfer to same memory address
+	AT91C_BASE_PDC_SSC->PDC_RNCR = sample_count;            // ... with same number of samples
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;         // go!
+	return true;
 }
 
+
+//----------------------------------------------------------------------------
+// Uncompress (inflate) the FPGA data. Returns one decompressed byte with
+// each call.
+//----------------------------------------------------------------------------
+static int get_from_fpga_combined_stream(z_streamp compressed_fpga_stream, uint8_t *output_buffer)
+{
+	if (fpga_image_ptr == compressed_fpga_stream->next_out) {   // need more data
+		compressed_fpga_stream->next_out = output_buffer;
+		compressed_fpga_stream->avail_out = OUTPUT_BUFFER_LEN;
+		fpga_image_ptr = output_buffer;
+		int res = inflate(compressed_fpga_stream, Z_SYNC_FLUSH);
+		if (res != Z_OK)
+			Dbprintf("inflate returned: %d, %s", res, compressed_fpga_stream->msg);
+
+		if (res < 0)
+			return res;
+	}
+
+	uncompressed_bytes_cnt++;
+
+	return *fpga_image_ptr++;
+}
+
+//----------------------------------------------------------------------------
+// Undo the interleaving of several FPGA config files. FPGA config files
+// are combined into one big file:
+// 288 bytes from FPGA file 1, followed by 288 bytes from FGPA file 2, etc.
+//----------------------------------------------------------------------------
+static int get_from_fpga_stream(int bitstream_version, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
+{
+	while((uncompressed_bytes_cnt / FPGA_INTERLEAVE_SIZE) % fpga_bitstream_num != (bitstream_version - 1)) {
+		// skip undesired data belonging to other bitstream_versions
+		get_from_fpga_combined_stream(compressed_fpga_stream, output_buffer);
+	}
+
+	return get_from_fpga_combined_stream(compressed_fpga_stream, output_buffer);
+
+}
+
+
+static voidpf fpga_inflate_malloc(voidpf opaque, uInt items, uInt size)
+{
+	return BigBuf_malloc(items*size);
+}
+
+
+static void fpga_inflate_free(voidpf opaque, voidpf address)
+{
+	BigBuf_free(); BigBuf_Clear_ext(false);
+}
+
+
+//----------------------------------------------------------------------------
+// Initialize decompression of the respective (HF or LF) FPGA stream
+//----------------------------------------------------------------------------
+static bool reset_fpga_stream(int bitstream_version, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
+{
+	uint8_t header[FPGA_BITSTREAM_FIXED_HEADER_SIZE];
+
+	uncompressed_bytes_cnt = 0;
+
+	// initialize z_stream structure for inflate:
+	compressed_fpga_stream->next_in = &_binary_obj_fpga_all_bit_z_start;
+	compressed_fpga_stream->avail_in = &_binary_obj_fpga_all_bit_z_end - &_binary_obj_fpga_all_bit_z_start;
+	compressed_fpga_stream->next_out = output_buffer;
+	compressed_fpga_stream->avail_out = OUTPUT_BUFFER_LEN;
+	compressed_fpga_stream->zalloc = &fpga_inflate_malloc;
+	compressed_fpga_stream->zfree = &fpga_inflate_free;
+
+	inflateInit2(compressed_fpga_stream, 0);
+
+	fpga_image_ptr = output_buffer;
+
+	for (uint16_t i = 0; i < FPGA_BITSTREAM_FIXED_HEADER_SIZE; i++) {
+		header[i] = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+	}
+
+	// Check for a valid .bit file (starts with bitparse_fixed_header)
+	if(memcmp(bitparse_fixed_header, header, FPGA_BITSTREAM_FIXED_HEADER_SIZE) == 0) {
+		return true;
+	} else {
+		return false;
+	}
+}
+
+
 static void DownloadFPGA_byte(unsigned char w)
 {
 #define SEND_BIT(x) { if(w & (1<<x) ) HIGH(GPIO_FPGA_DIN); else LOW(GPIO_FPGA_DIN); HIGH(GPIO_FPGA_CCLK); LOW(GPIO_FPGA_CCLK); }
@@ -163,28 +269,30 @@ static void DownloadFPGA_byte(unsigned char w)
 	SEND_BIT(0);
 }
 
-// Download the fpga image starting at FpgaImage and with length FpgaImageLen bytes
-// If bytereversal is set: reverse the byte order in each 4-byte word
-static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int bytereversal)
+// Download the fpga image starting at current stream position with length FpgaImageLen bytes
+static void DownloadFPGA(int bitstream_version, int FpgaImageLen, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
 {
+
+	//Dbprintf("DownloadFPGA(len: %d)", FpgaImageLen);
+
 	int i=0;
 
 	AT91C_BASE_PIOA->PIO_OER = GPIO_FPGA_ON;
 	AT91C_BASE_PIOA->PIO_PER = GPIO_FPGA_ON;
-	HIGH(GPIO_FPGA_ON);		// ensure everything is powered on
+	HIGH(GPIO_FPGA_ON);     // ensure everything is powered on
 
 	SpinDelay(50);
 
 	LED_D_ON();
 
 	// These pins are inputs
-    AT91C_BASE_PIOA->PIO_ODR =
-    	GPIO_FPGA_NINIT |
-    	GPIO_FPGA_DONE;
+	AT91C_BASE_PIOA->PIO_ODR =
+		GPIO_FPGA_NINIT |
+		GPIO_FPGA_DONE;
 	// PIO controls the following pins
-    AT91C_BASE_PIOA->PIO_PER =
-    	GPIO_FPGA_NINIT |
-    	GPIO_FPGA_DONE;
+	AT91C_BASE_PIOA->PIO_PER =
+		GPIO_FPGA_NINIT |
+		GPIO_FPGA_DONE;
 	// Enable pull-ups
 	AT91C_BASE_PIOA->PIO_PPUER =
 		GPIO_FPGA_NINIT |
@@ -196,8 +304,8 @@ static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int byterevers
 	LOW(GPIO_FPGA_DIN);
 	// These pins are outputs
 	AT91C_BASE_PIOA->PIO_OER =
-		GPIO_FPGA_NPROGRAM	|
-		GPIO_FPGA_CCLK		|
+		GPIO_FPGA_NPROGRAM  |
+		GPIO_FPGA_CCLK      |
 		GPIO_FPGA_DIN;
 
 	// enter FPGA configuration mode
@@ -218,21 +326,13 @@ static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int byterevers
 		return;
 	}
 
-	if(bytereversal) {
-		/* This is only supported for uint32_t aligned images */
-		if( ((int)FpgaImage % sizeof(uint32_t)) == 0 ) {
-			i=0;
-			while(FpgaImageLen-->0)
-				DownloadFPGA_byte(FpgaImage[(i++)^0x3]);
-			/* Explanation of the magic in the above line:
-			 * i^0x3 inverts the lower two bits of the integer i, counting backwards
-			 * for each 4 byte increment. The generated sequence of (i++)^3 is
-			 * 3 2 1 0 7 6 5 4 11 10 9 8 15 14 13 12 etc. pp.
-			 */
+	for(i = 0; i < FpgaImageLen; i++) {
+		int b = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+		if (b < 0) {
+			Dbprintf("Error %d during FpgaDownload", b);
+			break;
 		}
-	} else {
-		while(FpgaImageLen-->0)
-			DownloadFPGA_byte(*FpgaImage++);
+		DownloadFPGA_byte(b);
 	}
 
 	// continue to clock FPGA until ready signal goes high
@@ -250,39 +350,21 @@ static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int byterevers
 	LED_D_OFF();
 }
 
-static char *bitparse_headers_start;
-static char *bitparse_bitstream_end;
-static int bitparse_initialized = 0;
+
 /* Simple Xilinx .bit parser. The file starts with the fixed opaque byte sequence
  * 00 09 0f f0 0f f0 0f f0 0f f0 00 00 01
  * After that the format is 1 byte section type (ASCII character), 2 byte length
  * (big endian), <length> bytes content. Except for section 'e' which has 4 bytes
  * length.
  */
-static const char _bitparse_fixed_header[] = {0x00, 0x09, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x00, 0x00, 0x01};
-static int bitparse_init(void * start_address, void *end_address)
+static int bitparse_find_section(int bitstream_version, char section_name, unsigned int *section_length, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
 {
-	bitparse_initialized = 0;
-
-	if(memcmp(_bitparse_fixed_header, start_address, sizeof(_bitparse_fixed_header)) != 0) {
-		return 0; /* Not matched */
-	} else {
-		bitparse_headers_start= ((char*)start_address) + sizeof(_bitparse_fixed_header);
-		bitparse_bitstream_end= (char*)end_address;
-		bitparse_initialized = 1;
-		return 1;
-	}
-}
-
-int bitparse_find_section(char section_name, char **section_start, unsigned int *section_length)
-{
-	char *pos = bitparse_headers_start;
 	int result = 0;
-
-	if(!bitparse_initialized) return 0;
-
-	while(pos < bitparse_bitstream_end) {
-		char current_name = *pos++;
+	#define MAX_FPGA_BIT_STREAM_HEADER_SEARCH 100  // maximum number of bytes to search for the requested section
+	uint16_t numbytes = 0;
+	while(numbytes < MAX_FPGA_BIT_STREAM_HEADER_SEARCH) {
+		char current_name = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+		numbytes++;
 		unsigned int current_length = 0;
 		if(current_name < 'a' || current_name > 'e') {
 			/* Strange section name, abort */
@@ -292,11 +374,13 @@ int bitparse_find_section(char section_name, char **section_start, unsigned int
 		switch(current_name) {
 		case 'e':
 			/* Four byte length field */
-			current_length += (*pos++) << 24;
-			current_length += (*pos++) << 16;
+			current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 24;
+			current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 16;
+			numbytes += 2;
 		default: /* Fall through, two byte length field */
-			current_length += (*pos++) << 8;
-			current_length += (*pos++) << 0;
+			current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 8;
+			current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 0;
+			numbytes += 2;
 		}
 
 		if(current_name != 'e' && current_length > 255) {
@@ -306,132 +390,90 @@ int bitparse_find_section(char section_name, char **section_start, unsigned int
 
 		if(current_name == section_name) {
 			/* Found it */
-			*section_start = pos;
 			*section_length = current_length;
 			result = 1;
 			break;
 		}
 
-		pos += current_length; /* Skip section */
+		for (uint16_t i = 0; i < current_length && numbytes < MAX_FPGA_BIT_STREAM_HEADER_SEARCH; i++) {
+			get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+			numbytes++;
+		}
 	}
 
 	return result;
 }
 
-//-----------------------------------------------------------------------------
-// Find out which FPGA image format is stored in flash, then call DownloadFPGA
-// with the right parameters to download the image
-//-----------------------------------------------------------------------------
-extern char _binary_fpga_lf_bit_start, _binary_fpga_lf_bit_end;
-extern char _binary_fpga_hf_bit_start, _binary_fpga_hf_bit_end;
+
+//----------------------------------------------------------------------------
+// Check which FPGA image is currently loaded (if any). If necessary
+// decompress and load the correct (HF or LF) image to the FPGA
+//----------------------------------------------------------------------------
 void FpgaDownloadAndGo(int bitstream_version)
 {
-	void *bit_start;
-	void *bit_end;
+	z_stream compressed_fpga_stream;
+	uint8_t output_buffer[OUTPUT_BUFFER_LEN] = {0x00};
 
 	// check whether or not the bitstream is already loaded
-	if (FpgaGatherBitstreamVersion() == bitstream_version)
+	if (downloaded_bitstream == bitstream_version) {
+		FpgaEnableTracing();
 		return;
-
-	if (bitstream_version == FPGA_BITSTREAM_LF) {
-		bit_start = &_binary_fpga_lf_bit_start;
-		bit_end = &_binary_fpga_lf_bit_end;
-	} else if (bitstream_version == FPGA_BITSTREAM_HF) {
-		bit_start = &_binary_fpga_hf_bit_start;
-		bit_end = &_binary_fpga_hf_bit_end;
-	} else
-		return;
-	/* Check for the new flash image format: Should have the .bit file at &_binary_fpga_bit_start
-	 */
-	if(bitparse_init(bit_start, bit_end)) {
-		/* Successfully initialized the .bit parser. Find the 'e' section and
-		 * send its contents to the FPGA.
-		 */
-		char *bitstream_start;
-		unsigned int bitstream_length;
-		if(bitparse_find_section('e', &bitstream_start, &bitstream_length)) {
-			DownloadFPGA(bitstream_start, bitstream_length, 0);
-
-			return; /* All done */
-		}
 	}
 
-	/* Fallback for the old flash image format: Check for the magic marker 0xFFFFFFFF
-	 * 0xAA995566 at address 0x102000. This is raw bitstream with a size of 336,768 bits
-	 * = 10,524 uint32_t, stored as uint32_t e.g. little-endian in memory, but each DWORD
-	 * is still to be transmitted in MSBit first order. Set the invert flag to indicate
-	 * that the DownloadFPGA function should invert every 4 byte sequence when doing
-	 * the bytewise download.
-	 */
-	if( *(uint32_t*)0x102000 == 0xFFFFFFFF && *(uint32_t*)0x102004 == 0xAA995566 )
-		DownloadFPGA((char*)0x102000, 10524*4, 1);
-}
+	// make sure that we have enough memory to decompress
+	BigBuf_free(); BigBuf_Clear_ext(false);
 
-int FpgaGatherBitstreamVersion()
-{
-	char temp[256];
-	FpgaGatherVersion(temp, sizeof (temp));
-	if (!memcmp("LF", temp, 2))
-		return FPGA_BITSTREAM_LF;
-	else if (!memcmp("HF", temp, 2))
-		return FPGA_BITSTREAM_HF;
-	return FPGA_BITSTREAM_ERR;
-}
-
-void FpgaGatherVersion(char *dst, int len)
-{
-	char *fpga_info;
-	unsigned int fpga_info_len;
-	dst[0] = 0;
-	if(!bitparse_find_section('e', &fpga_info, &fpga_info_len)) {
-		strncat(dst, "FPGA image: legacy image without version information", len-1);
-	} else {
-		/* USB packets only have 48 bytes data payload, so be terse */
-		if(bitparse_find_section('a', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-			if (!memcmp("fpga_lf", fpga_info, 7))
-				strncat(dst, "LF ", len-1);
-			else if (!memcmp("fpga_hf", fpga_info, 7))
-				strncat(dst, "HF ", len-1);
-		}
-		strncat(dst, "FPGA image built", len-1);
-#if 0
-		if(bitparse_find_section('b', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-			strncat(dst, " for ", len-1);
-			strncat(dst, fpga_info, len-1);
-		}
-#endif
-		if(bitparse_find_section('c', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-			strncat(dst, " on ", len-1);
-			strncat(dst, fpga_info, len-1);
-		}
-		if(bitparse_find_section('d', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-			strncat(dst, " at ", len-1);
-			strncat(dst, fpga_info, len-1);
-		}
+	if (!reset_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer)) {
+		return;
 	}
+
+	unsigned int bitstream_length;
+	if (bitparse_find_section(bitstream_version, 'e', &bitstream_length, &compressed_fpga_stream, output_buffer)) {
+		DownloadFPGA(bitstream_version, bitstream_length, &compressed_fpga_stream, output_buffer);
+		downloaded_bitstream = bitstream_version;
+	}
+
+	inflateEnd(&compressed_fpga_stream);
+
+	// turn off antenna
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+
+	// free eventually allocated BigBuf memory
+	BigBuf_free(); BigBuf_Clear_ext(false);
 }
 
+
 //-----------------------------------------------------------------------------
 // Send a 16 bit command/data pair to the FPGA.
 // The bit format is:  C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
 // where C is the 4 bit command and D is the 12 bit data
 //-----------------------------------------------------------------------------
-void FpgaSendCommand(uint16_t cmd, uint16_t v)
-{
+void FpgaSendCommand(uint16_t cmd, uint16_t v) {
 	SetupSpi(SPI_FPGA_MODE);
-	while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0);		// wait for the transfer to complete
-	AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v;		// send the data
+	AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v;     // write the data to be sent
+	while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0);  // wait for the transfer to complete
 }
+
 //-----------------------------------------------------------------------------
 // Write the FPGA setup word (that determines what mode the logic is in, read
 // vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to
 // avoid changing this function's occurence everywhere in the source code.
 //-----------------------------------------------------------------------------
-void FpgaWriteConfWord(uint8_t v)
-{
+void FpgaWriteConfWord(uint16_t v) {
 	FpgaSendCommand(FPGA_CMD_SET_CONFREG, v);
 }
 
+//-----------------------------------------------------------------------------
+// enable/disable FPGA internal tracing
+//-----------------------------------------------------------------------------
+void FpgaEnableTracing(void) {
+	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 1);
+}
+
+void FpgaDisableTracing(void) {
+	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 0);
+}
+
 //-----------------------------------------------------------------------------
 // Set up the CMOS switches that mux the ADC: four switches, independently
 // closable, but should only close one at a time. Not an FPGA thing, but
@@ -458,3 +500,12 @@ void SetAdcMuxFor(uint32_t whichGpio)
 
 	HIGH(whichGpio);
 }
+
+void Fpga_print_status(void) {
+	Dbprintf("Currently loaded FPGA image:");
+	Dbprintf("  %s", fpga_version_information[downloaded_bitstream-1]);
+}
+
+int FpgaGetCurrent() {
+	return downloaded_bitstream;
+}

armsrc/fpgaloader.h

@@ -0,0 +1,99 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, April 2006
+// iZsh <izsh at fail0verflow.com>, 2014
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to load the FPGA image, and then to configure the FPGA's major
+// mode once it is configured.
+//-----------------------------------------------------------------------------
+
+#ifndef __FPGALOADER_H
+#define __FPGALOADER_H
+
+#include <stdint.h>
+#include <stdbool.h>
+
+void FpgaSendCommand(uint16_t cmd, uint16_t v);
+void FpgaWriteConfWord(uint16_t v);
+void FpgaDownloadAndGo(int bitstream_version);
+void FpgaSetupSsc(uint16_t mode);
+void SetupSpi(int mode);
+bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count);
+void Fpga_print_status();
+int FpgaGetCurrent();
+void FpgaEnableTracing(void);
+void FpgaDisableTracing(void);
+#define FpgaDisableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+#define FpgaEnableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+void SetAdcMuxFor(uint32_t whichGpio);
+
+// definitions for multiple FPGA config files support
+#define FPGA_BITSTREAM_LF 1
+#define FPGA_BITSTREAM_HF 2
+
+// Definitions for the FPGA commands.
+#define FPGA_CMD_MASK                               0xF000
+// BOTH
+#define FPGA_CMD_SET_CONFREG                       (1<<12)
+// LF
+#define FPGA_CMD_SET_DIVISOR                       (2<<12)
+#define FPGA_CMD_SET_EDGE_DETECT_THRESHOLD         (3<<12)
+// HF
+#define FPGA_CMD_TRACE_ENABLE                      (2<<12)
+
+// Definitions for the FPGA configuration word.
+#define FPGA_MAJOR_MODE_MASK                        0x01C0
+// LF
+#define FPGA_MAJOR_MODE_LF_ADC                      (0<<6)
+#define FPGA_MAJOR_MODE_LF_EDGE_DETECT              (1<<6)
+#define FPGA_MAJOR_MODE_LF_PASSTHRU                 (2<<6)
+// HF
+#define FPGA_MAJOR_MODE_HF_READER                   (0<<6)
+#define FPGA_MAJOR_MODE_HF_SIMULATOR                (1<<6)
+#define FPGA_MAJOR_MODE_HF_ISO14443A                (2<<6)
+#define FPGA_MAJOR_MODE_HF_SNOOP                    (3<<6)
+#define FPGA_MAJOR_MODE_HF_GET_TRACE                (4<<6)
+// BOTH
+#define FPGA_MAJOR_MODE_OFF                         (7<<6)
+
+#define FPGA_MINOR_MODE_MASK                        0x003F
+// Options for LF_ADC
+#define FPGA_LF_ADC_READER_FIELD                    (1<<0)
+
+// Options for LF_EDGE_DETECT
+#define FPGA_LF_EDGE_DETECT_READER_FIELD            (1<<0)
+#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE             (2<<0)
+
+// Options for the HF reader
+#define FPGA_HF_READER_MODE_RECEIVE_IQ              (0<<0)
+#define FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE       (1<<0)
+#define FPGA_HF_READER_MODE_RECEIVE_PHASE           (2<<0)
+#define FPGA_HF_READER_MODE_SEND_FULL_MOD           (3<<0)
+#define FPGA_HF_READER_MODE_SEND_SHALLOW_MOD        (4<<0)
+#define FPGA_HF_READER_MODE_SNOOP_IQ                (5<<0)
+#define FPGA_HF_READER_MODE_SNOOP_AMPLITUDE         (6<<0)
+#define FPGA_HF_READER_MODE_SNOOP_PHASE             (7<<0)
+#define FPGA_HF_READER_MODE_SEND_JAM                (8<<0)
+
+#define FPGA_HF_READER_SUBCARRIER_848_KHZ           (0<<4)
+#define FPGA_HF_READER_SUBCARRIER_424_KHZ           (1<<4)
+#define FPGA_HF_READER_SUBCARRIER_212_KHZ           (2<<4)
+
+// Options for the HF simulated tag, how to modulate
+#define FPGA_HF_SIMULATOR_NO_MODULATION             (0<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_BPSK             (1<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_212K             (2<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K             (4<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT        0x5//101
+
+// Options for ISO14443A
+#define FPGA_HF_ISO14443A_SNIFFER                   (0<<0)
+#define FPGA_HF_ISO14443A_TAGSIM_LISTEN             (1<<0)
+#define FPGA_HF_ISO14443A_TAGSIM_MOD                (2<<0)
+#define FPGA_HF_ISO14443A_READER_LISTEN             (3<<0)
+#define FPGA_HF_ISO14443A_READER_MOD                (4<<0)
+
+#endif

armsrc/hfsnoop.c

@@ -0,0 +1,118 @@
+//-----------------------------------------------------------------------------
+// piwi, 2019
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to get sample data from FPGA.
+//-----------------------------------------------------------------------------
+
+#include "hfsnoop.h"
+
+#include "proxmark3.h"
+#include "BigBuf.h"
+#include "util.h"
+#include "apps.h"
+#include "usb_cdc.h"
+#include "fpga.h"
+#include "fpgaloader.h"
+
+static void RAMFUNC optimizedSnoop(void)
+{
+	int n = BigBuf_max_traceLen() / sizeof(uint16_t); // take all memory
+
+	uint16_t *dest = (uint16_t *)BigBuf_get_addr();
+	uint16_t *destend = dest + n;
+
+	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame mode, 16 bits per word
+	// Reading data loop
+	while(dest <= destend)
+	{
+		if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)
+		{
+			*dest = (uint16_t)(AT91C_BASE_SSC->SSC_RHR);
+			dest++;
+		}
+	}
+	//Resetting Frame mode (First set in fpgaloader.c)
+	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
+}
+
+void HfSnoop(int samplesToSkip, int triggersToSkip)
+{
+	BigBuf_free(); BigBuf_Clear();
+	
+	Dbprintf("Skipping first %d sample pairs, Skipping %d triggers.\n", samplesToSkip, triggersToSkip);
+	int trigger_cnt;
+	LED_D_ON();
+	// Select correct configs
+	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+	// Set up the synchronous serial port
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SNOOP);
+	// connect Demodulated Signal to ADC:
+	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNOOP);
+	SpinDelay(100);
+
+	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame Mode For better performance on high speed data transfer.
+
+	trigger_cnt = 0;
+	uint16_t r = 0;
+	while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
+		WDT_HIT();
+		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+			r = (uint16_t)AT91C_BASE_SSC->SSC_RHR;
+			r = MAX(r & 0xff, r >> 8); 
+			if (r >= 240) {
+				if (++trigger_cnt > triggersToSkip)
+					break;
+			} 
+		}
+	}
+
+	if(!BUTTON_PRESS()) {
+		int waitcount = samplesToSkip; // lets wait 40000 ticks of pck0
+		while(waitcount != 0) {
+			if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY))
+				waitcount--;
+		}
+		optimizedSnoop();
+		Dbprintf("Trigger kicked! Value: %d, Dumping Samples Hispeed now.", r);
+	}
+
+	DbpString("HF Snoop end");
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	LED_D_OFF();
+}
+
+void HfPlot(void)
+{
+	uint8_t *buf = ToSend;
+	uint8_t *this_buf = buf;
+	
+	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_GET_TRACE);
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;   // Disable DMA Transfer
+	AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) this_buf; // start transfer to this memory address
+	AT91C_BASE_PDC_SSC->PDC_RCR = USB_CMD_DATA_SIZE;   // transfer this many samples
+	buf[0] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;         // clear receive register
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;    // Start DMA transfer
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_GET_TRACE);   // let FPGA transfer its internal Block-RAM
+
+	LED_B_ON();
+	for(size_t i = 0; i < FPGA_TRACE_SIZE; i += USB_CMD_DATA_SIZE) {
+		// prepare next DMA transfer:
+		uint8_t *next_buf = buf + ((i + USB_CMD_DATA_SIZE) % (2 * USB_CMD_DATA_SIZE));
+		AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)next_buf;
+		AT91C_BASE_PDC_SSC->PDC_RNCR = USB_CMD_DATA_SIZE;
+		size_t len = MIN(FPGA_TRACE_SIZE - i, USB_CMD_DATA_SIZE);
+		while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX))) ; // wait for DMA transfer to complete
+		cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, i, len, FPGA_TRACE_SIZE, this_buf, len);
+		this_buf = next_buf;
+	}
+	// Trigger a finish downloading signal with an ACK frame
+	cmd_send(CMD_ACK, 1, 0, FPGA_TRACE_SIZE, 0, 0);
+	LED_B_OFF();
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+}

armsrc/hfsnoop.h

@@ -0,0 +1,17 @@
+//-----------------------------------------------------------------------------
+// piwi, 2019
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to get sample data from FPGA.
+//-----------------------------------------------------------------------------
+
+#ifndef HFSNOOP_H__
+#define HFSNOOP_H__
+
+void HfSnoop(int samplesToSkip, int triggersToSkip);
+void HfPlot(void);
+
+#endif

armsrc/hitag2.h

@@ -0,0 +1,24 @@
+//-----------------------------------------------------------------------------
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Hitag2 emulation
+//
+// (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
+// (c) 2012 Roel Verdult
+//-----------------------------------------------------------------------------
+
+#ifndef HITAG2_H__
+#define HITAG2_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+#include "hitag.h"
+
+extern void SnoopHitag(uint32_t type);
+extern void SimulateHitagTag(bool tag_mem_supplied, uint8_t* data);
+extern void ReaderHitag(hitag_function htf, hitag_data* htd);
+extern void WriterHitag(hitag_function htf, hitag_data* htd, int page);
+
+#endif

armsrc/hitagS.h

@@ -0,0 +1,26 @@
+//-----------------------------------------------------------------------------
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// HitagS emulation (preliminary test version)
+//
+// (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
+//     <info@os-s.de>
+//-----------------------------------------------------------------------------
+// Some code was copied from Hitag2.c
+//-----------------------------------------------------------------------------
+
+#ifndef HITAGS_H__
+#define HITAGS_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+#include "hitag.h"
+
+void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock);
+void SimulateHitagSTag(bool tag_mem_supplied, uint8_t* data);
+void WritePageHitagS(hitag_function htf, hitag_data* htd, int page);
+void check_challenges_cmd(bool file_given, uint8_t* data, uint64_t tagMode);
+
+#endif

armsrc/i2c.c

@@ -0,0 +1,811 @@
+//-----------------------------------------------------------------------------
+// Willok, June 2018
+// Edits by Iceman, July 2018
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// The main i2c code, for communications with smart card module
+//-----------------------------------------------------------------------------
+
+#include "i2c.h"
+
+#include <stdint.h>
+#include <stdbool.h>
+#include "string.h"  //for memset memcmp
+#include "proxmark3.h"
+#include "mifareutil.h" // for MF_DBGLEVEL
+#include "BigBuf.h"
+#include "apps.h"
+#include "usb_cdc.h"
+#include "util.h"
+
+
+#ifdef WITH_SMARTCARD
+#include "smartcard.h"
+#endif
+
+
+#define GPIO_RST  AT91C_PIO_PA1
+#define GPIO_SCL  AT91C_PIO_PA5
+#define GPIO_SDA  AT91C_PIO_PA7
+
+#define SCL_H   HIGH(GPIO_SCL)
+#define SCL_L   LOW(GPIO_SCL)
+#define SDA_H   HIGH(GPIO_SDA)
+#define SDA_L   LOW(GPIO_SDA)
+
+#define SCL_read  (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SCL)
+#define SDA_read  (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SDA)
+
+#define I2C_ERROR  "I2C_WaitAck Error" 
+
+static volatile unsigned long c;
+
+//	直接使用循环来延时，一个循环 6 条指令，48M， Delay=1 大概为 200kbps
+// timer.
+// I2CSpinDelayClk(4) = 12.31us
+// I2CSpinDelayClk(1) = 3.07us
+static void __attribute__((optimize("O0"))) I2CSpinDelayClk(uint16_t delay) {
+	for (c = delay * 2; c; c--) {};
+}
+
+// communication delay functions
+#define I2C_DELAY_1CLK    I2CSpinDelayClk(1)
+#define I2C_DELAY_2CLK    I2CSpinDelayClk(2)
+#define I2C_DELAY_XCLK(x) I2CSpinDelayClk((x))
+
+#define  ISO7618_MAX_FRAME 255
+
+// try i2c bus recovery at 100kHz = 5uS high, 5uS low
+static void I2C_recovery(void) {
+
+	DbpString("Performing i2c bus recovery");	
+			
+	// reset I2C
+	SDA_H; SCL_H;
+	
+	 //9nth cycle acts as NACK
+	for (int i = 0; i < 10; i++)  {
+		SCL_H; WaitUS(5);
+		SCL_L; WaitUS(5);
+	}
+	
+    //a STOP signal (SDA from low to high while CLK is high)	
+	SDA_L; WaitUS(5);
+	SCL_H; WaitUS(2);
+	SDA_H; WaitUS(2);
+	
+	bool isok = (SCL_read && SDA_read); 
+    if (!SDA_read)
+		DbpString("I2C bus recovery  error: SDA still LOW");
+	if (!SCL_read)
+		DbpString("I2C bus recovery  error: SCL still LOW");
+	if (isok)
+		DbpString("I2C bus recovery complete");
+}
+
+static void I2C_init(void) {
+	// Configure reset pin
+	AT91C_BASE_PIOA->PIO_PPUDR = GPIO_RST;  // disable pull up resistor
+	AT91C_BASE_PIOA->PIO_MDDR = GPIO_RST;   // push-pull output (multidriver disabled)
+
+	// Configure SCL and SDA pins
+	AT91C_BASE_PIOA->PIO_PPUER |= (GPIO_SCL | GPIO_SDA);  // enable pull up resistor
+	AT91C_BASE_PIOA->PIO_MDER |= (GPIO_SCL | GPIO_SDA);   // open drain output (multidriver enabled) - requires external pull up resistor
+
+	// set all three outputs to high
+	AT91C_BASE_PIOA->PIO_SODR |= (GPIO_SCL | GPIO_SDA | GPIO_RST);
+
+	// configure all three pins as output, controlled by PIOA
+	AT91C_BASE_PIOA->PIO_OER |= (GPIO_SCL | GPIO_SDA | GPIO_RST);
+	AT91C_BASE_PIOA->PIO_PER |= (GPIO_SCL | GPIO_SDA | GPIO_RST);
+
+	bool isok =  (SCL_read && SDA_read); 
+	if ( !isok )
+		I2C_recovery();
+	
+}
+
+// set the reset state
+static void I2C_SetResetStatus(uint8_t LineRST, uint8_t LineSCK, uint8_t LineSDA) {
+	if (LineRST)
+		HIGH(GPIO_RST);
+	else
+		LOW(GPIO_RST);
+
+	if (LineSCK)
+		HIGH(GPIO_SCL);
+	else
+		LOW(GPIO_SCL);
+
+	if (LineSDA)
+		HIGH(GPIO_SDA);
+	else
+		LOW(GPIO_SDA);
+}
+
+// Reset the SIM_Adapter, then  enter the main program
+// Note: the SIM_Adapter will not enter the main program after power up. Please run this function before use SIM_Adapter.
+static void I2C_Reset_EnterMainProgram(void) {
+	StartTicks();
+	I2C_init();
+	I2C_SetResetStatus(0, 0, 0);
+	WaitMS(30);
+	I2C_SetResetStatus(1, 0, 0);
+	WaitMS(30);
+	I2C_SetResetStatus(1, 1, 1);
+	WaitMS(10);
+}
+
+// Wait for the clock to go High.	
+static bool WaitSCL_H_delay(uint32_t delay) {
+	while (delay--) {
+		if (SCL_read) {
+			return true;
+		}
+		I2C_DELAY_1CLK;
+	}
+	return false;
+}
+
+// 15000 * 3.07us = 46050us. 46.05ms
+static bool WaitSCL_H(void) {
+	return WaitSCL_H_delay(15000);
+}
+
+bool WaitSCL_L_delay(uint32_t delay) {
+	while (delay--)	{
+		if (!SCL_read) {
+			return true;
+		}
+		I2C_DELAY_1CLK;		
+	}
+	return false;	
+}
+
+bool WaitSCL_L(void) {
+	return WaitSCL_L_delay(15000);
+}
+
+static bool I2C_Start(void) {
+
+	I2C_DELAY_XCLK(4);
+	SDA_H; I2C_DELAY_1CLK;
+	SCL_H;
+	if (!WaitSCL_H()) return false;
+
+	I2C_DELAY_2CLK;
+
+	if (!SCL_read) return false;
+	if (!SDA_read) return false;
+
+	SDA_L; I2C_DELAY_2CLK;
+	return true;
+}
+
+// send i2c STOP
+static void I2C_Stop(void) {
+	SCL_L; I2C_DELAY_2CLK;
+	SDA_L; I2C_DELAY_2CLK;
+	SCL_H; I2C_DELAY_2CLK;
+	if (!WaitSCL_H()) return;
+	SDA_H;
+	I2C_DELAY_XCLK(8);
+}
+
+static bool I2C_WaitAck(void) {
+	SCL_L; I2C_DELAY_1CLK;
+	SDA_H; I2C_DELAY_1CLK;
+	SCL_H;
+	if (!WaitSCL_H())
+		return false;
+
+	I2C_DELAY_2CLK;
+	I2C_DELAY_2CLK;
+	if (SDA_read) {
+		SCL_L;
+		return false;
+	}
+	SCL_L;
+	return true;
+}
+
+static void I2C_SendByte(uint8_t data) {
+	uint8_t bits = 8;
+
+	while (bits--) {
+		SCL_L; 
+		I2C_DELAY_1CLK;
+
+		if (data & 0x80)
+			SDA_H;
+		else
+			SDA_L;
+
+		data <<= 1;
+
+		I2C_DELAY_1CLK;
+
+		SCL_H;
+		if (!WaitSCL_H())
+			return;
+
+		I2C_DELAY_2CLK;
+	}
+	SCL_L;
+}
+
+bool I2C_is_available(void) {
+	I2C_Reset_EnterMainProgram();
+	if (!I2C_Start())  // some other device is active on the bus
+		return true;
+	I2C_SendByte(I2C_DEVICE_ADDRESS_MAIN & 0xFE);
+	if (!I2C_WaitAck()) {  // no response from smartcard reader
+		I2C_Stop();
+		return false;
+	}
+	I2C_Stop();
+	return true;
+}
+
+#ifdef WITH_SMARTCARD
+// Reset the SIM_Adapter, then enter the bootloader program
+// Reserve：For firmware update.
+static void I2C_Reset_EnterBootloader(void) {
+	I2C_SetResetStatus(0, 1, 1);
+	WaitMS(100);
+	I2C_SetResetStatus(1, 1, 1);
+	WaitMS(10);
+}
+
+// Wait max 1800ms or until SCL goes LOW.
+// It timeout reading response from card
+// Which ever comes first
+bool WaitSCL_L_timeout(void){
+	volatile uint16_t delay = 1800;
+	while ( delay-- ) {
+		// exit on SCL LOW
+		if (!SCL_read)
+			return true;
+
+		WaitMS(1);
+	}
+	return (delay == 0);
+}
+
+static bool I2C_WaitForSim() {
+	// wait for data from card
+	if (!WaitSCL_L_timeout())
+		return false;
+
+	// 8051 speaks with smart card.
+	// 1000*50*3.07 = 153.5ms
+	// 1byte transfer == 1ms with max frame being 256bytes
+	if (!WaitSCL_H_delay(10 * 1000 * 50))
+		return false;
+
+	return true;
+}
+
+// Send i2c ACK
+static void I2C_Ack(void) {
+	SCL_L; I2C_DELAY_2CLK;
+	SDA_L; I2C_DELAY_2CLK;
+	SCL_H; I2C_DELAY_2CLK;
+	if (!WaitSCL_H()) return;
+	SCL_L; I2C_DELAY_2CLK;
+}
+
+// Send i2c NACK
+static void I2C_NoAck(void) {
+	SCL_L; I2C_DELAY_2CLK;
+	SDA_H; I2C_DELAY_2CLK;
+	SCL_H; I2C_DELAY_2CLK;
+	if (!WaitSCL_H()) return;
+	SCL_L; I2C_DELAY_2CLK;
+}
+
+static int16_t I2C_ReadByte(void) {
+	uint8_t bits = 8, b = 0;
+
+	SDA_H;
+	while (bits--) {
+		b <<= 1;
+		SCL_L; 
+		if (!WaitSCL_L()) return -2;
+		
+		I2C_DELAY_1CLK;
+
+		SCL_H;
+		if (!WaitSCL_H()) return -1;
+
+		I2C_DELAY_1CLK;
+		if (SDA_read)
+			b |= 0x01;
+	}
+	SCL_L;
+	return b;
+}
+
+// Sends one byte  ( command to be written, SlaveDevice address)
+static bool I2C_WriteCmd(uint8_t device_cmd, uint8_t device_address) {
+	bool bBreak = true;
+	do {
+		if (!I2C_Start())
+			return false;
+		
+		I2C_SendByte(device_address & 0xFE);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(device_cmd);
+		if (!I2C_WaitAck())
+			break;
+
+		bBreak = false;
+	} while (false);
+
+	I2C_Stop();
+	if (bBreak) {
+		if ( MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);
+		return false;
+	}
+	return true;
+}
+
+// Sends 1 byte data (Data to be written, command to be written , SlaveDevice address  ).
+static bool I2C_WriteByte(uint8_t data, uint8_t device_cmd, uint8_t device_address) {
+	bool bBreak = true;
+	do {
+		if (!I2C_Start())
+			return false;
+
+		I2C_SendByte(device_address & 0xFE);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(device_cmd);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(data);
+		if (!I2C_WaitAck())
+			break;
+
+		bBreak = false;
+	} while (false);
+
+	I2C_Stop();
+	if (bBreak) {
+		if ( MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);
+		return false;
+	}
+	return true;
+}
+
+//Sends a string of data (Array, length, command to be written , SlaveDevice address  ).
+// len = uint8 (max buffer to write 256bytes)
+static bool I2C_BufferWrite(uint8_t *data, uint8_t len, uint8_t device_cmd, uint8_t device_address) {
+	bool bBreak = true;
+	do {
+		if (!I2C_Start())
+			return false;
+
+		I2C_SendByte(device_address & 0xFE);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(device_cmd);
+		if (!I2C_WaitAck())
+			break;
+
+		while (len) {
+			
+			I2C_SendByte(*data);
+			if (!I2C_WaitAck())
+				break;
+
+			len--;
+			data++;
+		}
+
+		if (len == 0)
+			bBreak = false;
+	} while (false);
+
+	I2C_Stop();
+	if (bBreak) {
+		if ( MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);
+		return false;
+	}
+	return true;
+}
+
+// read 1 strings of data (Data array, Readout length, command to be written , SlaveDevice address  ).
+// len = uint8 (max buffer to read 256bytes)
+static int16_t I2C_BufferRead(uint8_t *data, uint8_t len, uint8_t device_cmd, uint8_t device_address) {
+
+	if ( !data || len == 0 )
+		return 0;
+
+	// extra wait  500us (514us measured)
+	// 200us  (xx measured)
+	WaitUS(600);
+	bool bBreak = true;
+	uint16_t readcount = 0;
+
+	do {
+		if (!I2C_Start())
+			return 0;
+
+		// 0xB0 / 0xC0  == i2c write
+		I2C_SendByte(device_address & 0xFE);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(device_cmd);
+		if (!I2C_WaitAck())
+			break;
+
+		// 0xB1 / 0xC1 == i2c read
+		I2C_Start();
+		I2C_SendByte(device_address | 1);
+		if (!I2C_WaitAck())
+			break;
+
+		bBreak = false;
+	} while (false);
+
+	if (bBreak) {
+		I2C_Stop();
+		if ( MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);
+		return 0;
+	}
+
+	while (len) {
+
+		int16_t tmp = I2C_ReadByte();
+		if ( tmp < 0 )
+			return tmp;
+		
+		*data = (uint8_t)tmp & 0xFF;
+		
+		len--;
+
+		// 读取的第一个字节为后续长度	
+		// The first byte in response is the message length
+		if (!readcount && (len > *data)) {
+			len = *data;
+		} else {
+			data++;
+		}
+		readcount++;
+
+		// acknowledgements. After last byte send NACK.
+		if (len == 0)
+			I2C_NoAck();
+		else
+			I2C_Ack();
+	}
+
+	I2C_Stop();
+	
+	// return bytecount - first byte (which is length byte)
+	return --readcount;
+}
+
+static int16_t I2C_ReadFW(uint8_t *data, uint8_t len, uint8_t msb, uint8_t lsb, uint8_t device_address) {
+	//START, 0xB0, 0x00, 0x00, START, 0xB1, xx, yy, zz, ......, STOP	
+	bool bBreak = true;
+	uint8_t	readcount = 0;
+
+	// sending
+	do {
+		if (!I2C_Start())
+			return 0;
+
+		// 0xB0 / 0xC0  i2c write
+		I2C_SendByte(device_address & 0xFE);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(msb);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(lsb);
+		if (!I2C_WaitAck())
+			break;
+		
+		// 0xB1 / 0xC1  i2c read
+		I2C_Start();
+		I2C_SendByte(device_address | 1);
+		if (!I2C_WaitAck())
+			break;
+
+		bBreak = false;
+	} while (false);
+
+	if (bBreak) {
+		I2C_Stop();
+		if ( MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);
+		return 0;
+	}
+
+	// reading
+	while (len) {
+		
+		int16_t tmp = I2C_ReadByte();
+		if ( tmp < 0 )
+			return tmp;
+		
+		*data = (uint8_t)tmp & 0xFF;
+		
+		data++;
+		readcount++;
+		len--;
+
+		// acknowledgements. After last byte send NACK.		
+		if (len == 0)
+			I2C_NoAck();
+		else
+			I2C_Ack();
+	}
+
+	I2C_Stop();
+	return readcount;
+}
+
+static bool I2C_WriteFW(uint8_t *data, uint8_t len, uint8_t msb, uint8_t lsb, uint8_t device_address) {
+	//START, 0xB0, 0x00, 0x00, xx, yy, zz, ......, STOP	
+	bool bBreak = true;
+
+	do {
+		if (!I2C_Start())
+			return false;
+
+		// 0xB0  == i2c write
+		I2C_SendByte(device_address & 0xFE);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(msb);
+		if (!I2C_WaitAck())
+			break;
+
+		I2C_SendByte(lsb);
+		if (!I2C_WaitAck())
+			break;
+
+		while (len) {
+			I2C_SendByte(*data);
+			if (!I2C_WaitAck())
+				break;
+
+			len--;
+			data++;
+		}
+
+		if (len == 0)
+			bBreak = false;
+	} while (false);
+
+	I2C_Stop();
+	if (bBreak) {
+		if ( MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);
+		return false;
+	}
+	return true;
+}
+
+void I2C_print_status(void) {
+	DbpString("Smart card module (ISO 7816)");
+	uint8_t resp[] = {0,0,0,0};
+	I2C_Reset_EnterMainProgram();
+	uint8_t len = I2C_BufferRead(resp, sizeof(resp), I2C_DEVICE_CMD_GETVERSION, I2C_DEVICE_ADDRESS_MAIN);
+	if ( len > 0 )
+		Dbprintf("  version.................v%x.%02x", resp[0], resp[1]);
+	else
+		DbpString("  version.................FAILED");
+}
+
+// Will read response from smart card module,  retries 3 times to get the data.
+static bool sc_rx_bytes(uint8_t* dest, uint8_t *destlen) {
+ 	uint8_t i = 3;
+	int16_t len = 0;
+	while (i--) {
+		
+		I2C_WaitForSim();
+	
+		len = I2C_BufferRead(dest, *destlen, I2C_DEVICE_CMD_READ, I2C_DEVICE_ADDRESS_MAIN);
+		
+		if ( len > 1 ){
+			break;
+		} else if ( len == 1 ) {
+			continue;
+		} else if ( len <= 0 ) {
+			return false;	
+		} 
+	}
+ 	// after three
+	if ( len <= 1 )
+		return false;
+	
+	*destlen = (uint8_t)len & 0xFF;
+	return true;
+}
+
+static bool GetATR(smart_card_atr_t *card_ptr) {
+
+	if ( !card_ptr ) {
+		return false;
+	}
+
+	card_ptr->atr_len = 0;
+	memset(card_ptr->atr, 0, sizeof(card_ptr->atr));
+
+	// Send ATR
+	// start [C0 01] stop start C1 len aa bb cc stop]
+	I2C_WriteCmd(I2C_DEVICE_CMD_GENERATE_ATR, I2C_DEVICE_ADDRESS_MAIN);
+
+	// wait for sim card to answer.
+	// 1byte = 1ms, max frame 256bytes. Should wait 256ms at least just in case.
+	if (!I2C_WaitForSim()) 
+		return false;
+
+	// read bytes from module
+	uint8_t len = sizeof(card_ptr->atr);
+	if ( !sc_rx_bytes(card_ptr->atr, &len) )		
+		return false;
+
+	card_ptr->atr_len = len;
+	LogTrace(card_ptr->atr, card_ptr->atr_len, 0, 0, NULL, false);
+
+	return true;
+}
+
+void SmartCardAtr(void) {
+	smart_card_atr_t card;
+	LED_D_ON();
+	clear_trace();
+	set_tracing(true);
+	I2C_Reset_EnterMainProgram();
+	bool isOK = GetATR( &card );
+	cmd_send(CMD_ACK, isOK, sizeof(smart_card_atr_t), 0, &card, sizeof(smart_card_atr_t));
+	set_tracing(false);
+	LEDsoff();
+}
+
+void SmartCardRaw( uint64_t arg0, uint64_t arg1, uint8_t *data ) {
+
+	LED_D_ON();
+
+	uint8_t len = 0;
+	uint8_t *resp = BigBuf_malloc(ISO7618_MAX_FRAME);
+	smartcard_command_t flags = arg0;
+
+	if ((flags & SC_CONNECT))
+		clear_trace();
+
+	set_tracing(true);
+
+	if ((flags & SC_CONNECT)) {	
+
+		I2C_Reset_EnterMainProgram();
+
+		if ((flags & SC_SELECT)) {
+			smart_card_atr_t card;
+			bool gotATR = GetATR( &card );
+			//cmd_send(CMD_ACK, gotATR, sizeof(smart_card_atr_t), 0, &card, sizeof(smart_card_atr_t));
+			if ( !gotATR )
+				goto OUT;
+		}
+	}
+
+	if ((flags & SC_RAW) || (flags & SC_RAW_T0)) {
+
+		LogTrace(data, arg1, 0, 0, NULL, true);
+
+		// Send raw bytes
+		// asBytes = A0 A4 00 00 02
+		// arg1 = len 5
+		bool res = I2C_BufferWrite(data, arg1, ((flags & SC_RAW_T0) ? I2C_DEVICE_CMD_SEND_T0 : I2C_DEVICE_CMD_SEND), I2C_DEVICE_ADDRESS_MAIN);
+		if ( !res && MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);
+
+		// read bytes from module
+		len = ISO7618_MAX_FRAME;
+		res = sc_rx_bytes(resp, &len);
+		if ( res ) {
+			LogTrace(resp, len, 0, 0, NULL, false);
+		} else {
+			len = 0;
+		}
+	}
+OUT:
+	cmd_send(CMD_ACK, len, 0, 0, resp, len);
+	BigBuf_free();
+	set_tracing(false);
+	LEDsoff();
+}
+
+void SmartCardUpgrade(uint64_t arg0) {
+
+	LED_C_ON();
+
+	#define I2C_BLOCK_SIZE 128
+	// write.   Sector0,  with 11,22,33,44
+	// erase is 128bytes, and takes 50ms to execute
+
+	I2C_Reset_EnterBootloader();
+
+	bool isOK = true;
+	int16_t res = 0;
+	uint16_t length = arg0;
+	uint16_t pos = 0;
+	uint8_t *fwdata = BigBuf_get_addr();
+	uint8_t *verfiydata = BigBuf_malloc(I2C_BLOCK_SIZE);
+
+	while (length) {
+
+		uint8_t msb = (pos >> 8) & 0xFF;
+		uint8_t lsb = pos & 0xFF;
+
+		Dbprintf("FW %02X%02X", msb, lsb);
+
+		size_t size = MIN(I2C_BLOCK_SIZE, length);
+
+		// write
+		res = I2C_WriteFW(fwdata+pos, size, msb, lsb, I2C_DEVICE_ADDRESS_BOOT);
+		if ( !res ) {
+			DbpString("Writing failed");
+			isOK = false;
+			break;
+		}
+
+		// writing takes time.
+		WaitMS(50);
+
+		// read
+		res = I2C_ReadFW(verfiydata, size, msb, lsb, I2C_DEVICE_ADDRESS_BOOT);
+		if ( res <= 0) {
+			DbpString("Reading back failed");
+			isOK = false;
+			break;
+		}
+
+		// cmp
+		if ( 0 != memcmp(fwdata+pos, verfiydata, size)) {
+			DbpString("not equal data");
+			isOK = false;
+			break;
+		}
+
+		length -= size;
+		pos += size;
+	}
+	cmd_send(CMD_ACK, isOK, pos, 0, 0, 0);
+	LED_C_OFF();
+	BigBuf_free();	
+}
+
+// unfinished (or not needed?)
+//void SmartCardSetBaud(uint64_t arg0) {
+//}
+
+void SmartCardSetClock(uint64_t arg0) {
+	LED_D_ON();
+	set_tracing(true);
+	I2C_Reset_EnterMainProgram();
+
+	// Send SIM CLC
+	// start [C0 05 xx] stop
+	I2C_WriteByte(arg0, I2C_DEVICE_CMD_SIM_CLC, I2C_DEVICE_ADDRESS_MAIN);
+
+	cmd_send(CMD_ACK, 1, 0, 0, 0, 0);
+	set_tracing(false);
+	LEDsoff();
+}
+
+#endif

armsrc/i2c.h

@@ -0,0 +1,39 @@
+//-----------------------------------------------------------------------------
+// Willok, June 2018
+// Edits by Iceman, July 2018
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// The main i2c code, for communications with smart card module
+//-----------------------------------------------------------------------------
+#ifndef __I2C_H
+#define __I2C_H
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#define I2C_DEVICE_ADDRESS_BOOT       0xB0
+#define I2C_DEVICE_ADDRESS_MAIN       0xC0
+
+#define I2C_DEVICE_CMD_GENERATE_ATR   0x01
+#define I2C_DEVICE_CMD_SEND           0x02
+#define I2C_DEVICE_CMD_READ           0x03
+#define I2C_DEVICE_CMD_SETBAUD        0x04
+#define I2C_DEVICE_CMD_SIM_CLC        0x05
+#define I2C_DEVICE_CMD_GETVERSION     0x06
+#define I2C_DEVICE_CMD_SEND_T0        0x07
+
+
+bool I2C_is_available(void);
+
+#ifdef WITH_SMARTCARD
+void SmartCardAtr(void);
+void SmartCardRaw(uint64_t arg0, uint64_t arg1, uint8_t *data);
+void SmartCardUpgrade(uint64_t arg0);
+void SmartCardSetClock(uint64_t arg0);
+void I2C_print_status(void);
+#endif
+
+#endif // __I2C_H

armsrc/iclass.h

@@ -0,0 +1,32 @@
+//-----------------------------------------------------------------------------
+// Gerhard de Koning Gans - May 2008
+// Hagen Fritsch - June 2010
+// Gerhard de Koning Gans - May 2011
+// Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to support iClass.
+//-----------------------------------------------------------------------------
+
+#ifndef ICLASS_H__
+#define ICLASS_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+
+extern void SnoopIClass(uint8_t jam_search_len, uint8_t *jam_search_string);
+extern void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void ReaderIClass(uint8_t arg0);
+extern void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC);
+extern void IClass_iso14443A_GetPublic(uint8_t arg0);
+extern void iClass_Readcheck(uint8_t block, bool use_credit_key);
+extern void iClass_Check(uint8_t *MAC);
+extern void iClass_WriteBlock(uint8_t blockNo, uint8_t *data);
+extern void iClass_ReadBlk(uint8_t blockNo);
+extern void iClass_Dump(uint8_t blockno, uint8_t numblks);
+extern void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data);
+
+#endif

armsrc/iso14443a.h

@@ -12,86 +12,46 @@
 
 #ifndef __ISO14443A_H
 #define __ISO14443A_H
-#include "common.h"
-#include "mifaresniff.h"
 
-// mifare reader                      over DMA buffer (SnoopIso14443a())!!!
-#define MIFARE_BUFF_OFFSET 3560  //              \/   \/   \/
-// card emulator memory
-#define EML_RESPONSES      4000
-#define CARD_MEMORY        6000
-#define CARD_MEMORY_LEN    4096
+#include <stddef.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include "usb_cmd.h"
+#include "mifare.h"
 
 typedef struct {
-	enum {
-		DEMOD_UNSYNCD,
-		// DEMOD_HALF_SYNCD,
-		// DEMOD_MOD_FIRST_HALF,
-		// DEMOD_NOMOD_FIRST_HALF,
-		DEMOD_MANCHESTER_DATA
-	} state;
-	uint16_t twoBits;
-	uint16_t highCnt;
-	uint16_t bitCount;
-	uint16_t collisionPos;
-	uint16_t syncBit;
-	uint32_t parityBits;
-	uint16_t shiftReg;
-	uint16_t samples;
-	uint16_t len;
-	uint32_t startTime, endTime;
-	uint8_t  *output;
-} tDemod;
+  uint8_t* response;
+  uint8_t* modulation;
+  uint16_t response_n;
+  uint16_t modulation_n;
+  uint32_t ProxToAirDuration;
+  uint8_t  par; // enough for precalculated parity of 8 Byte responses
+} tag_response_info_t;
 
-typedef enum {
-	MOD_NOMOD = 0,
-	MOD_SECOND_HALF,
-	MOD_FIRST_HALF,
-	MOD_BOTH_HALVES
-	} Modulation_t;
-
-typedef struct {
-	enum {
-		STATE_UNSYNCD,
-		STATE_START_OF_COMMUNICATION,
-		STATE_MILLER_X,
-		STATE_MILLER_Y,
-		STATE_MILLER_Z,
-		// DROP_NONE,
-		// DROP_FIRST_HALF,
-		} state;
-	uint16_t shiftReg;
-	uint16_t bitCount;
-	uint16_t len;
-	uint16_t byteCntMax;
-	uint16_t posCnt;
-	uint16_t syncBit;
-	uint32_t parityBits;
-	uint16_t highCnt;
-	uint16_t twoBits;
-	uint32_t startTime, endTime;
-    uint8_t *output;
-} tUart;
-
-
-
-extern byte_t oddparity (const byte_t bt);
-extern uint32_t GetParity(const uint8_t *pbtCmd, int iLen);
+extern void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *par);
 extern void AppendCrc14443a(uint8_t *data, int len);
 
-extern void ReaderTransmit(uint8_t *frame, int len, uint32_t *timing);
-extern void ReaderTransmitBitsPar(uint8_t *frame, int bits, uint32_t par, uint32_t *timing);
-extern void ReaderTransmitPar(uint8_t *frame, int len, uint32_t par, uint32_t *timing);
-extern int ReaderReceive(uint8_t *receivedAnswer);
-extern int ReaderReceivePar(uint8_t *receivedAnswer, uint32_t *parptr);
+extern void RAMFUNC SnoopIso14443a(uint8_t param);
+extern void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, uint8_t *data);
+extern void ReaderIso14443a(UsbCommand *c);
+extern void ReaderTransmit(uint8_t *frame, uint16_t len, uint32_t *timing);
+extern void ReaderTransmitBitsPar(uint8_t *frame, uint16_t bits, uint8_t *par, uint32_t *timing);
+extern void ReaderTransmitPar(uint8_t *frame, uint16_t len, uint8_t *par, uint32_t *timing);
+extern int ReaderReceive(uint8_t *receivedAnswer, uint8_t *par);
+extern void ReaderMifare(bool first_try);
+
+extern int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity);
+extern int EmSendCmd(uint8_t *resp, uint16_t respLen);
+extern int EmSend4bit(uint8_t resp);
+extern int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
+extern int EmSendPrecompiledCmd(tag_response_info_t *response_info);
+
+extern bool prepare_allocated_tag_modulation(tag_response_info_t *response_info, uint8_t **buffer, size_t *buffer_size);
 
 extern void iso14443a_setup(uint8_t fpga_minor_mode);
-extern int iso14_apdu(uint8_t *cmd, size_t cmd_len, void *data);
-extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr);
+extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, bool send_chaining, void *data, uint8_t *res);
+extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats);
 extern void iso14a_set_trigger(bool enable);
 extern void iso14a_set_timeout(uint32_t timeout);
-
-extern void iso14a_clear_tracelen();
-extern void iso14a_set_tracing(bool enable);
-
+extern uint32_t iso14a_get_timeout(void);
 #endif /* __ISO14443A_H */

armsrc/iso14443b.h

@@ -0,0 +1,27 @@
+//-----------------------------------------------------------------------------
+// Merlok - June 2011
+// Gerhard de Koning Gans - May 2008
+// Hagen Fritsch - June 2010
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to support ISO 14443 type B.
+//-----------------------------------------------------------------------------
+
+#ifndef ISO14443B_H__
+#define ISO14443B_H__
+
+#include <stdint.h>
+#include <stddef.h>
+
+extern int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response);
+extern void iso14443b_setup();
+extern int iso14443b_select_card();
+extern void SimulateIso14443bTag(void);
+extern void ReadSTMemoryIso14443b(uint32_t);
+extern void SnoopIso14443b(void);
+extern void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);
+
+#endif /* __ISO14443B_H */

armsrc/iso15693.h

@@ -0,0 +1,43 @@
+//-----------------------------------------------------------------------------
+// Piwi - October 2018
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to support ISO 15693.
+//-----------------------------------------------------------------------------
+
+#ifndef ISO15693_H__
+#define ISO15693_H__
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+
+// Delays in SSP_CLK ticks.
+// SSP_CLK runs at 13,56MHz / 32 = 423.75kHz when simulating a tag
+#define DELAY_ISO15693_VCD_TO_VICC_SIM     132  // 132/423.75kHz = 311.5us from end of command EOF to start of tag response
+//SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16
+#define DELAY_ISO15693_VCD_TO_VICC_READER 1056 // 1056/3,39MHz = 311.5us from end of command EOF to start of tag response
+#define DELAY_ISO15693_VICC_TO_VCD_READER 1024 // 1024/3.39MHz = 302.1us between end of tag response and next reader command
+
+extern void Iso15693InitReader(void);
+extern void Iso15693InitTag(void);
+extern void CodeIso15693AsReader(uint8_t *cmd, int n);
+extern void CodeIso15693AsTag(uint8_t *cmd, size_t len);
+extern void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, uint32_t slot_time, bool slow);
+extern int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eof_time);
+extern void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time);
+extern int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeout, uint32_t *eof_time);
+extern void SnoopIso15693(uint8_t jam_search_len, uint8_t *jam_search_string);
+extern void AcquireRawAdcSamplesIso15693(void);
+extern void ReaderIso15693(uint32_t parameter);
+extern void SimTagIso15693(uint32_t parameter, uint8_t *uid);
+extern void BruteforceIso15693Afi(uint32_t speed);
+extern void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t data[]);
+extern void SetTag15693Uid(uint8_t *uid);
+extern void SetDebugIso15693(uint32_t flag);
+extern bool LogTrace_ISO15693(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag);
+
+#endif

armsrc/ldscript

@@ -11,8 +11,7 @@ INCLUDE ../common/ldscript.common
 
 PHDRS
 {
-	fpgaimage PT_LOAD FLAGS(4);
-	text PT_LOAD;
+	text PT_LOAD FLAGS(5);
 	data PT_LOAD;
 	bss PT_LOAD;
 }
@@ -20,16 +19,12 @@ PHDRS
 ENTRY(Vector)
 SECTIONS
 {
-	.fpgaimage : {
-		*(fpga_lf_bit.data)
-		*(fpga_hf_bit.data)
-	} >fpgaimage :fpgaimage
-
 	.start : {
 		*(.startos)
 	} >osimage :text
 
 	.text : {
+		KEEP(*(stage1_image))
 		*(.text)
 		*(.text.*)
 		*(.eh_frame)
@@ -40,12 +35,13 @@ SECTIONS
 	.rodata : {
 		*(.rodata)
 		*(.rodata.*)
+		*(fpga_all_bit.data)
 		KEEP(*(.version_information))
+		. = ALIGN(8);
 	} >osimage :text
 
-	. = ALIGN(4);
-
 	.data : {
+		KEEP(*(compressed_data))
 		*(.data)
 		*(.data.*)
 		*(.ramfunc)
@@ -55,6 +51,7 @@ SECTIONS
 	__data_src_start__ = LOADADDR(.data);
 	__data_start__ = ADDR(.data);
 	__data_end__ = __data_start__ + SIZEOF(.data);
+	__os_size__ = SIZEOF(.text) + SIZEOF(.data) + SIZEOF(.rodata);
 	
 	.bss : {
 		__bss_start__ = .; 

armsrc/legicrf.h

@@ -1,5 +1,6 @@
 //-----------------------------------------------------------------------------
 // (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
+//     2018 AntiCat
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@@ -11,8 +12,7 @@
 #ifndef __LEGICRF_H
 #define __LEGICRF_H
 
-extern void LegicRfSimulate(int phase, int frame, int reqresp);
-extern int  LegicRfReader(int bytes, int offset);
+extern void LegicRfReader(int bytes, int offset);
 extern void LegicRfWriter(int bytes, int offset);
 
 #endif /* __LEGICRF_H */

armsrc/legicrfsim.c

@@ -0,0 +1,470 @@
+//-----------------------------------------------------------------------------
+// (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
+//     2016 Iceman
+//     2018 AntiCat
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// LEGIC RF simulation code
+//-----------------------------------------------------------------------------
+
+#include "legicrfsim.h"
+
+#include "proxmark3.h"
+#include "apps.h"
+#include "util.h"
+#include "string.h"
+#include "legic_prng.h"
+#include "legic.h"
+#include "crc.h"
+#include "usb_cdc.h"  // for usb_poll_validate_length
+#include "fpgaloader.h"
+
+static uint8_t* legic_mem;      /* card memory, used for sim */
+static legic_card_select_t card;/* metadata of currently selected card */
+static crc_t legic_crc;
+
+//-----------------------------------------------------------------------------
+// Frame timing and pseudorandom number generator
+//
+// The Prng is forwarded every 99.1us (TAG_BIT_PERIOD), except when the reader is
+// transmitting. In that case the prng has to be forwarded every bit transmitted:
+//  - 31.3us for a 0 (RWD_TIME_0)
+//  - 99.1us for a 1 (RWD_TIME_1)
+//
+// The data dependent timing makes writing comprehensible code significantly
+// harder. The current aproach forwards the prng data based if there is data on
+// air and time based, using GetCountSspClk(), during computational and wait
+// periodes. SSP Clock is clocked by the FPGA at 212 kHz (subcarrier frequency).
+//
+// To not have the necessity to calculate/guess exection time dependend timeouts
+// tx_frame and rx_frame use a shared timestamp to coordinate tx and rx timeslots.
+//-----------------------------------------------------------------------------
+
+static uint32_t last_frame_end; /* ts of last bit of previews rx or tx frame */
+
+#define TAG_FRAME_WAIT       70 /* 330us from READER frame end to TAG frame start */
+#define TAG_ACK_WAIT        758 /* 3.57ms from READER frame end to TAG write ACK */
+#define TAG_BIT_PERIOD       21 /* 99.1us */
+
+#define RWD_TIME_PAUSE        4 /* 18.9us */
+#define RWD_TIME_1           21 /* RWD_TIME_PAUSE 18.9us off + 80.2us on = 99.1us */
+#define RWD_TIME_0           13 /* RWD_TIME_PAUSE 18.9us off + 42.4us on = 61.3us */
+#define RWD_CMD_TIMEOUT     120 /* 120 * 99.1us (arbitrary value) */
+#define RWD_MIN_FRAME_LEN     6 /* Shortest frame is 6 bits */
+#define RWD_MAX_FRAME_LEN    23 /* Longest frame is 23 bits */
+
+#define RWD_PULSE             1 /* Pulse is signaled with GPIO_SSC_DIN high */
+#define RWD_PAUSE             0 /* Pause is signaled with GPIO_SSC_DIN low */
+
+//-----------------------------------------------------------------------------
+// Demodulation
+//-----------------------------------------------------------------------------
+
+// Returns true if a pulse/pause is received within timeout
+static inline bool wait_for(bool value, const uint32_t timeout) {
+  while((bool)(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN) != value) {
+    if(GetCountSspClk() > timeout) {
+      return false;
+    }
+  }
+  return true;
+}
+
+// Returns a demedulated bit or -1 on code violation
+//
+// rx_bit decodes bits using a thresholds. rx_bit has to be called by as soon as
+// a frame starts (first pause is received). rx_bit checks for a pause up to
+// 18.9us followed by a pulse of 80.2us or 42.4us:
+//  - A bit length <18.9us is a code violation
+//  - A bit length >80.2us is a 1
+//  - A bit length <80.2us is a 0
+//  - A bit length >148.6us is a code violation
+static inline int8_t rx_bit() {
+  // backup ts for threshold calculation
+  uint32_t bit_start = last_frame_end;
+
+  // wait for pause to end
+  if(!wait_for(RWD_PULSE, bit_start + RWD_TIME_1*3/2)) {
+    return -1;
+  }
+
+  // wait for next pause
+  if(!wait_for(RWD_PAUSE, bit_start + RWD_TIME_1*3/2)) {
+    return -1;
+  }
+
+  // update bit and frame end
+  last_frame_end = GetCountSspClk();
+
+  // check for code violation (bit to short)
+  if(last_frame_end - bit_start < RWD_TIME_PAUSE) {
+    return -1;
+  }
+
+  // apply threshold (average of RWD_TIME_0 and )
+  return (last_frame_end - bit_start > (RWD_TIME_0 + RWD_TIME_1) / 2);
+}
+
+//-----------------------------------------------------------------------------
+// Modulation
+//
+// LEGIC RF uses a very basic load modulation from card to reader:
+//  - Subcarrier on for a 1
+//  - Subcarrier off for for a 0
+//
+// The 212kHz subcarrier is generated by the FPGA as well as a mathcing ssp clk.
+// Each bit is transfered in a 99.1us slot and the first timeslot starts 330us
+// after the final 20us pause generated by the reader.
+//-----------------------------------------------------------------------------
+
+// Transmits a bit
+//
+// Note: The Subcarrier is not disabled during bits to prevent glitches. This is
+//       not mandatory but results in a cleaner signal. tx_frame will disable
+//       the subcarrier when the frame is done.
+static inline void tx_bit(bool bit) {
+  LED_C_ON();
+
+  if(bit) {
+    // modulate subcarrier
+    HIGH(GPIO_SSC_DOUT);
+  } else {
+    // do not modulate subcarrier
+    LOW(GPIO_SSC_DOUT);
+  }
+
+  // wait for tx timeslot to end
+  last_frame_end += TAG_BIT_PERIOD;
+  while(GetCountSspClk() < last_frame_end) { };
+  LED_C_OFF();
+}
+
+//-----------------------------------------------------------------------------
+// Frame Handling
+//
+// The LEGIC RF protocol from reader to card does not include explicit frame
+// start/stop information or length information. The tag detects end of frame
+// trough an extended pulse (>99.1us) without a pause.
+// In reverse direction (card to reader) the number of bites is well known
+// and depends only the command received (IV, ACK, READ or WRITE).
+//-----------------------------------------------------------------------------
+
+static void tx_frame(uint32_t frame, uint8_t len) {
+  // wait for next tx timeslot
+  last_frame_end += TAG_FRAME_WAIT;
+  legic_prng_forward(TAG_FRAME_WAIT/TAG_BIT_PERIOD - 1);
+  while(GetCountSspClk() < last_frame_end) { };
+
+  // transmit frame, MSB first
+  for(uint8_t i = 0; i < len; ++i) {
+    bool bit = (frame >> i) & 0x01;
+    tx_bit(bit ^ legic_prng_get_bit());
+    legic_prng_forward(1);
+  };
+
+  // disable subcarrier
+  LOW(GPIO_SSC_DOUT);
+}
+
+static void tx_ack() {
+  // wait for ack timeslot
+  last_frame_end += TAG_ACK_WAIT;
+  legic_prng_forward(TAG_ACK_WAIT/TAG_BIT_PERIOD - 1);
+  while(GetCountSspClk() < last_frame_end) { };
+
+  // transmit ack (ack is not encrypted)
+  tx_bit(true);
+  legic_prng_forward(1);
+
+  // disable subcarrier
+  LOW(GPIO_SSC_DOUT);
+}
+
+// Returns a demedulated frame or -1 on code violation
+//
+// Since TX to RX delay is arbitrary rx_frame has to:
+//  - detect start of frame (first pause)
+//  - forward prng based on ts/TAG_BIT_PERIOD
+//  - receive the frame
+//  - detect end of frame (last pause)
+static int32_t rx_frame(uint8_t *len) {
+  int32_t frame = 0;
+
+  // add 2 SSP clock cycles (1 for tx and 1 for rx pipeline delay)
+  // those will be substracted at the end of the rx phase
+  last_frame_end -= 2;
+
+  // wait for first pause (start of frame)
+  for(uint8_t i = 0; true; ++i) {
+    // increment prng every TAG_BIT_PERIOD
+    last_frame_end += TAG_BIT_PERIOD;
+    legic_prng_forward(1);
+
+    // if start of frame was received exit delay loop
+    if(wait_for(RWD_PAUSE, last_frame_end)) {
+      last_frame_end = GetCountSspClk();
+      break;
+    }
+
+    // check for code violation
+    if(i > RWD_CMD_TIMEOUT) {
+      return -1;
+    }
+  }
+
+  // receive frame
+  for(*len = 0; true; ++(*len)) {
+    // receive next bit
+    LED_D_ON();
+    int8_t bit = rx_bit();
+    LED_D_OFF();
+
+    // check for code violation and to short / long frame
+    if((bit < 0) && ((*len < RWD_MIN_FRAME_LEN) || (*len > RWD_MAX_FRAME_LEN))) {
+      return -1;
+    }
+
+    // check for code violation caused by end of frame
+    if(bit < 0) {
+      break;
+    }
+
+    // append bit
+    frame |= (bit ^ legic_prng_get_bit()) << (*len);
+    legic_prng_forward(1);
+  }
+
+  // rx_bit sets coordination timestamp to start of pause, append pause duration
+  // and substract 2 SSP clock cycles (1 for rx and 1 for tx pipeline delay) to
+  // obtain exact end of frame.
+  last_frame_end += RWD_TIME_PAUSE - 2;
+
+  return frame;
+}
+
+//-----------------------------------------------------------------------------
+// Legic Simulator
+//-----------------------------------------------------------------------------
+
+static int32_t init_card(uint8_t cardtype, legic_card_select_t *p_card) {
+  p_card->tagtype = cardtype;
+
+  switch(p_card->tagtype) {
+    case 0:
+      p_card->cmdsize = 6;
+      p_card->addrsize = 5;
+      p_card->cardsize = 22;
+      break;
+    case 1:
+      p_card->cmdsize = 9;
+      p_card->addrsize = 8;
+      p_card->cardsize = 256;
+      break;
+    case 2:
+      p_card->cmdsize = 11;
+      p_card->addrsize = 10;
+      p_card->cardsize = 1024;
+      break;
+    default:
+      p_card->cmdsize = 0;
+      p_card->addrsize = 0;
+      p_card->cardsize = 0;
+      return 2;
+  }
+  return 0;
+}
+
+static void init_tag() {
+  // configure FPGA
+  FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR
+                  | FPGA_HF_SIMULATOR_MODULATE_212K);
+  SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+
+  // configure SSC with defaults
+  FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
+
+  // first pull output to low to prevent glitches then re-claim GPIO_SSC_DOUT
+  LOW(GPIO_SSC_DOUT);
+  AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+  AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+
+  // reserve a cardmem, meaning we can use the tracelog function in bigbuff easier.
+  legic_mem = BigBuf_get_addr();
+
+  // init crc calculator
+  crc_init(&legic_crc, 4, 0x19 >> 1, 0x05, 0);
+
+  // start 212kHz timer (running from SSP Clock)
+  StartCountSspClk();
+}
+
+// Setup reader to card connection
+//
+// The setup consists of a three way handshake:
+//  - Receive initialisation vector 7 bits
+//  - Transmit card type 6 bits
+//  - Receive Acknowledge 6 bits
+static int32_t setup_phase(legic_card_select_t *p_card) {
+  uint8_t len = 0;
+
+  // init coordination timestamp
+  last_frame_end = GetCountSspClk();
+
+  // reset prng
+  legic_prng_init(0);
+
+  // wait for iv
+  int32_t iv = rx_frame(&len);
+  if((len != 7) || (iv < 0)) {
+    return -1;
+  }
+
+  // configure prng
+  legic_prng_init(iv);
+
+  // reply with card type
+  switch(p_card->tagtype) {
+    case 0:
+      tx_frame(0x0D, 6);
+      break;
+    case 1:
+      tx_frame(0x1D, 6);
+      break;
+    case 2:
+      tx_frame(0x3D, 6);
+      break;
+  }
+
+  // wait for ack
+  int32_t ack = rx_frame(&len);
+  if((len != 6) || (ack < 0)) {
+    return -1;
+  }
+
+  // validate data
+  switch(p_card->tagtype) {
+    case 0:
+      if(ack != 0x19) return -1;
+      break;
+    case 1:
+      if(ack != 0x39) return -1;
+      break;
+    case 2:
+      if(ack != 0x39) return -1;
+      break;
+  }
+
+  // During rx the prng is clocked using the variable reader period.
+  // Since rx_frame detects end of frame by detecting a code violation,
+  // the prng is off by one bit period after each rx phase. Hence, tx
+  // code advances the prng by (TAG_FRAME_WAIT/TAG_BIT_PERIOD - 1).
+  // This is not possible for back to back rx, so this quirk reduces
+  // the gap by one period.
+  last_frame_end += TAG_BIT_PERIOD;
+
+  return 0;
+}
+
+static uint8_t calc_crc4(uint16_t cmd, uint8_t cmd_sz, uint8_t value) {
+  crc_clear(&legic_crc);
+  crc_update(&legic_crc, (value << cmd_sz) | cmd, 8 + cmd_sz);
+  return crc_finish(&legic_crc);
+}
+
+static int32_t connected_phase(legic_card_select_t *p_card) {
+  uint8_t len = 0;
+
+  // wait for command
+  int32_t cmd = rx_frame(&len);
+  if(cmd < 0) {
+    return -1;
+  }
+
+  // check if command is LEGIC_READ
+  if(len == p_card->cmdsize) {
+    // prepare data
+    uint8_t byte = legic_mem[cmd >> 1];
+    uint8_t crc = calc_crc4(cmd, p_card->cmdsize, byte);
+
+    // transmit data
+    tx_frame((crc << 8) | byte, 12);
+
+    return 0;
+  }
+
+  // check if command is LEGIC_WRITE
+  if(len == p_card->cmdsize + 8 + 4) {
+    // decode data
+    uint16_t mask = (1 << p_card->addrsize) - 1;
+    uint16_t addr = (cmd >> 1) & mask;
+    uint8_t  byte = (cmd >> p_card->cmdsize) & 0xff;
+    uint8_t  crc  = (cmd >> (p_card->cmdsize + 8)) & 0xf;
+
+    // check received against calculated crc
+    uint8_t calc_crc = calc_crc4(addr << 1, p_card->cmdsize, byte);
+    if(calc_crc != crc) {
+      Dbprintf("!!! crc mismatch: %x != %x !!!",  calc_crc, crc);
+      return -1;
+    }
+
+    // store data
+    legic_mem[addr] = byte;
+
+    // transmit ack
+    tx_ack();
+
+    return 0;
+  }
+
+  return -1;
+}
+
+//-----------------------------------------------------------------------------
+// Command Line Interface
+//
+// Only this function is public / called from appmain.c
+//-----------------------------------------------------------------------------
+
+void LegicRfSimulate(uint8_t cardtype) {
+  // configure ARM and FPGA
+  init_tag();
+
+  // verify command line input
+  if(init_card(cardtype, &card) != 0) {
+    DbpString("Unknown tagtype.");
+    goto OUT;
+  }
+
+  LED_A_ON();
+  DbpString("Starting Legic emulator, press button to end");
+  while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
+    WDT_HIT();
+
+    // wait for carrier, restart after timeout
+    if(!wait_for(RWD_PULSE, GetCountSspClk() + TAG_BIT_PERIOD)) {
+      continue;
+    }
+
+    // wait for connection, restart on error
+    if(setup_phase(&card)) {
+      continue;
+    }
+
+    // conection is established, process commands until one fails
+    while(!connected_phase(&card)) {
+      WDT_HIT();
+    }
+  }
+
+OUT:
+  DbpString("Stopped");
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+  LED_A_OFF();
+  LED_C_OFF();
+  LED_D_OFF();
+  StopTicks();
+}

armsrc/legicrfsim.h

@@ -0,0 +1,19 @@
+//-----------------------------------------------------------------------------
+// (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
+//     2018 AntiCat
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// LEGIC RF emulation public interface
+//-----------------------------------------------------------------------------
+
+#ifndef __LEGICRFSIM_H
+#define __LEGICRFSIM_H
+
+#include "proxmark3.h"
+
+extern void LegicRfSimulate(uint8_t tagtype);
+
+#endif /* __LEGICRFSIM_H */

armsrc/lfsampling.c

@@ -0,0 +1,402 @@
+//-----------------------------------------------------------------------------
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Miscellaneous routines for low frequency sampling.
+//-----------------------------------------------------------------------------
+
+#include "proxmark3.h"
+#include "apps.h"
+#include "util.h"
+#include "string.h"
+#include "lfsampling.h"
+#include "usb_cdc.h"	// for usb_poll_validate_length
+#include "fpgaloader.h"
+
+sample_config config = { 1, 8, 1, 95, 0, 0 } ;
+
+void printConfig()
+{
+	Dbprintf("LF Sampling config: ");
+	Dbprintf("  [q] divisor:           %d ", config.divisor);
+	Dbprintf("  [b] bps:               %d ", config.bits_per_sample);
+	Dbprintf("  [d] decimation:        %d ", config.decimation);
+	Dbprintf("  [a] averaging:         %d ", config.averaging);
+	Dbprintf("  [t] trigger threshold: %d ", config.trigger_threshold);
+	Dbprintf("  [s] samples to skip:   %d ", config.samples_to_skip);
+}
+
+
+/**
+ * Called from the USB-handler to set the sampling configuration
+ * The sampling config is used for std reading and snooping.
+ *
+ * Other functions may read samples and ignore the sampling config,
+ * such as functions to read the UID from a prox tag or similar.
+ *
+ * Values set to '0' implies no change (except for averaging, threshold, samples_to_skip)
+ * @brief setSamplingConfig
+ * @param sc
+ */
+void setSamplingConfig(uint8_t *config_data) {
+	sample_config *sc = (sample_config *)config_data;
+	if (sc->divisor != 0) config.divisor = sc->divisor;
+	if (sc->bits_per_sample != 0) config.bits_per_sample = sc->bits_per_sample;
+	if (sc->decimation != 0) config.decimation = sc->decimation;
+	if (sc->trigger_threshold != -1) config.trigger_threshold = sc->trigger_threshold;
+	if (sc->samples_to_skip != -1) config.samples_to_skip = sc->samples_to_skip;
+
+	config.averaging= sc->averaging;
+	if (config.bits_per_sample > 8)	config.bits_per_sample = 8;
+	if (config.decimation < 1)	config.decimation = 1;
+
+	printConfig();
+}
+
+sample_config* getSamplingConfig()
+{
+	return &config;
+}
+
+typedef struct {
+	uint8_t * buffer;
+	uint32_t numbits;
+	uint32_t position;
+} BitstreamOut;
+
+/**
+ * @brief Pushes bit onto the stream
+ * @param stream
+ * @param bit
+ */
+void pushBit( BitstreamOut* stream, uint8_t bit)
+{
+	int bytepos = stream->position >> 3; // divide by 8
+	int bitpos = stream->position & 7;
+	*(stream->buffer+bytepos) |= (bit > 0) <<  (7 - bitpos);
+	stream->position++;
+	stream->numbits++;
+}
+
+/**
+* Setup the FPGA to listen for samples. This method downloads the FPGA bitstream
+* if not already loaded, sets divisor and starts up the antenna.
+* @param divisor : 1, 88> 255 or negative ==> 134.8 KHz
+* 				   0 or 95 ==> 125 KHz
+*
+**/
+void LFSetupFPGAForADC(int divisor, bool lf_field)
+{
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+	if ( (divisor == 1) || (divisor < 0) || (divisor > 255) )
+		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
+	else if (divisor == 0)
+		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+	else
+		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor);
+
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | (lf_field ? FPGA_LF_ADC_READER_FIELD : 0));
+
+	// Connect the A/D to the peak-detected low-frequency path.
+	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+	// Give it a bit of time for the resonant antenna to settle.
+	SpinDelay(50);
+	// Now set up the SSC to get the ADC samples that are now streaming at us.
+	FpgaSetupSsc(FPGA_MAJOR_MODE_LF_ADC);
+}
+
+/**
+ * Does the sample acquisition. If threshold is specified, the actual sampling
+ * is not commenced until the threshold has been reached.
+ * This method implements decimation and quantization in order to
+ * be able to provide longer sample traces.
+ * Uses the following global settings:
+ * @param decimation - how much should the signal be decimated. A decimation of N means we keep 1 in N samples, etc.
+ * @param bits_per_sample - bits per sample. Max 8, min 1 bit per sample.
+ * @param averaging If set to true, decimation will use averaging, so that if e.g. decimation is 3, the sample
+ * value that will be used is the average value of the three samples.
+ * @param trigger_threshold - a threshold. The sampling won't commence until this threshold has been reached. Set
+ * to -1 to ignore threshold.
+ * @param silent - is true, now outputs are made. If false, dbprints the status
+ * @return the number of bits occupied by the samples.
+ */
+uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip)
+{
+	//.
+	uint8_t *dest = BigBuf_get_addr();
+	bufsize = (bufsize > 0 && bufsize < BigBuf_max_traceLen()) ? bufsize : BigBuf_max_traceLen();
+
+	//memset(dest, 0, bufsize); //creates issues with cmdread (marshmellow)
+
+	if(bits_per_sample < 1) bits_per_sample = 1;
+	if(bits_per_sample > 8) bits_per_sample = 8;
+
+	if(decimation < 1) decimation = 1;
+
+	// Use a bit stream to handle the output
+	BitstreamOut data = { dest , 0, 0};
+	int sample_counter = 0;
+	uint8_t sample = 0;
+	//If we want to do averaging
+	uint32_t sample_sum =0 ;
+	uint32_t sample_total_numbers =0 ;
+	uint32_t sample_total_saved =0 ;
+	uint32_t cancel_counter = 0;
+	uint32_t samples_skipped = 0;
+
+	while(!BUTTON_PRESS() && !usb_poll_validate_length() ) {
+		WDT_HIT();
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
+			AT91C_BASE_SSC->SSC_THR = 0x43;
+			LED_D_ON();
+		}
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
+			sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+			LED_D_OFF();
+			// threshold either high or low values 128 = center 0.  if trigger = 178 
+			if ((trigger_threshold > 0) && (sample < (trigger_threshold+128)) && (sample > (128-trigger_threshold))) { // 
+				if (cancel_after > 0) {
+					cancel_counter++;
+					if (cancel_after == cancel_counter) break;
+				}
+				continue;
+			}
+			trigger_threshold = 0;
+			if (samples_to_skip > samples_skipped) {
+				samples_skipped++;
+				continue;
+			}
+			sample_total_numbers++;
+
+			if(averaging)
+			{
+				sample_sum += sample;
+			}
+			//Check decimation
+			if(decimation > 1)
+			{
+				sample_counter++;
+				if(sample_counter < decimation) continue;
+				sample_counter = 0;
+			}
+			//Averaging
+			if(averaging && decimation > 1) {
+				sample = sample_sum / decimation;
+				sample_sum =0;
+			}
+			//Store the sample
+			sample_total_saved ++;
+			if(bits_per_sample == 8){
+				dest[sample_total_saved-1] = sample;
+				data.numbits = sample_total_saved << 3;//Get the return value correct
+				if(sample_total_saved >= bufsize) break;
+			}
+			else{
+				pushBit(&data, sample & 0x80);
+				if(bits_per_sample > 1)	pushBit(&data, sample & 0x40);
+				if(bits_per_sample > 2)	pushBit(&data, sample & 0x20);
+				if(bits_per_sample > 3)	pushBit(&data, sample & 0x10);
+				if(bits_per_sample > 4)	pushBit(&data, sample & 0x08);
+				if(bits_per_sample > 5)	pushBit(&data, sample & 0x04);
+				if(bits_per_sample > 6)	pushBit(&data, sample & 0x02);
+				//Not needed, 8bps is covered above
+				//if(bits_per_sample > 7)	pushBit(&data, sample & 0x01);
+				if((data.numbits >> 3) +1  >= bufsize) break;
+			}
+		}
+	}
+
+	if(!silent)
+	{
+		Dbprintf("Done, saved %d out of %d seen samples at %d bits/sample",sample_total_saved, sample_total_numbers,bits_per_sample);
+		Dbprintf("buffer samples: %02x %02x %02x %02x %02x %02x %02x %02x ...",
+					dest[0], dest[1], dest[2], dest[3], dest[4], dest[5], dest[6], dest[7]);
+	}
+	return data.numbits;
+}
+/**
+ * @brief Does sample acquisition, ignoring the config values set in the sample_config.
+ * This method is typically used by tag-specific readers who just wants to read the samples
+ * the normal way
+ * @param trigger_threshold
+ * @param silent
+ * @return number of bits sampled
+ */
+uint32_t DoAcquisition_default(int trigger_threshold, bool silent)
+{
+	return DoAcquisition(1,8,0,trigger_threshold,silent,0,0,0);
+}
+uint32_t DoAcquisition_config(bool silent, int sample_size)
+{
+	return DoAcquisition(config.decimation
+				  ,config.bits_per_sample
+				  ,config.averaging
+				  ,config.trigger_threshold
+				  ,silent
+				  ,sample_size
+				  ,0
+				  ,config.samples_to_skip);
+}
+
+uint32_t DoPartialAcquisition(int trigger_threshold, bool silent, int sample_size, int cancel_after) {
+	return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after,0);
+}
+
+uint32_t ReadLF(bool activeField, bool silent, int sample_size)
+{
+	if (!silent) printConfig();
+	LFSetupFPGAForADC(config.divisor, activeField);
+	// Now call the acquisition routine
+	return DoAcquisition_config(silent, sample_size);
+}
+
+/**
+* Initializes the FPGA for reader-mode (field on), and acquires the samples.
+* @return number of bits sampled
+**/
+uint32_t SampleLF(bool printCfg, int sample_size)
+{
+	uint32_t ret = ReadLF(true, printCfg, sample_size);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	return ret;
+}
+/**
+* Initializes the FPGA for snoop-mode (field off), and acquires the samples.
+* @return number of bits sampled
+**/
+
+uint32_t SnoopLF()
+{
+	uint32_t ret = ReadLF(false, true, 0);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	return ret;
+}
+
+/**
+* acquisition of Cotag LF signal. Similar to other LF,  since the Cotag has such long datarate RF/384
+* and is Manchester?,  we directly gather the manchester data into bigbuff
+**/
+#define COTAG_T1 384
+#define COTAG_T2 (COTAG_T1>>1)
+#define COTAG_ONE_THRESHOLD 128+30
+#define COTAG_ZERO_THRESHOLD 128-30
+#ifndef COTAG_BITS
+#define COTAG_BITS 264
+#endif
+void doCotagAcquisition(size_t sample_size) {
+
+	uint8_t *dest = BigBuf_get_addr();
+	uint16_t bufsize = BigBuf_max_traceLen();
+	
+	if ( bufsize > sample_size )
+		bufsize = sample_size;
+
+	dest[0] = 0;
+	uint8_t sample = 0, firsthigh = 0, firstlow = 0; 
+	uint16_t i = 0;
+
+	while (!BUTTON_PRESS() && !usb_poll_validate_length() && (i < bufsize) ) {
+		WDT_HIT();
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
+			AT91C_BASE_SSC->SSC_THR = 0x43;
+			LED_D_ON();
+		}
+		
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
+			sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+			LED_D_OFF();
+		
+			// find first peak
+			if ( !firsthigh ) {
+				if (sample < COTAG_ONE_THRESHOLD) 
+					continue;
+				firsthigh = 1;
+			}
+			if ( !firstlow ){
+				if (sample > COTAG_ZERO_THRESHOLD )
+					continue;
+				firstlow = 1;
+			}
+
+			++i;
+	
+			if ( sample > COTAG_ONE_THRESHOLD)
+				dest[i] = 255;
+			else if ( sample < COTAG_ZERO_THRESHOLD)
+				dest[i] = 0;
+			else 
+				dest[i] = dest[i-1];
+		}
+	}
+}
+
+uint32_t doCotagAcquisitionManchester() {
+
+	uint8_t *dest = BigBuf_get_addr();
+	uint16_t bufsize = BigBuf_max_traceLen();
+	
+	if ( bufsize > COTAG_BITS )
+		bufsize = COTAG_BITS;
+
+	dest[0] = 0;
+	uint8_t sample = 0, firsthigh = 0, firstlow = 0; 
+	uint16_t sample_counter = 0, period = 0;
+	uint8_t curr = 0, prev = 0;
+	uint16_t noise_counter = 0;
+	while (!BUTTON_PRESS() && !usb_poll_validate_length() && (sample_counter < bufsize) && (noise_counter < (COTAG_T1<<1)) ) {
+		WDT_HIT();
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
+			AT91C_BASE_SSC->SSC_THR = 0x43;
+			LED_D_ON();
+		}
+
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
+			sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+			LED_D_OFF();
+
+			// find first peak
+			if ( !firsthigh ) {
+				if (sample < COTAG_ONE_THRESHOLD) {
+					noise_counter++;
+					continue;
+				}
+				noise_counter = 0;
+				firsthigh = 1;
+			}
+
+			if ( !firstlow ){
+				if (sample > COTAG_ZERO_THRESHOLD ) {
+					noise_counter++;
+					continue;
+				}
+				noise_counter=0;
+				firstlow = 1;
+			}
+
+			// set sample 255, 0,  or previous
+			if ( sample > COTAG_ONE_THRESHOLD){
+				prev = curr;
+				curr = 1;
+			}
+			else if ( sample < COTAG_ZERO_THRESHOLD) {
+				prev = curr;
+				curr = 0;
+			}
+			else {
+				curr = prev;
+			}
+
+			// full T1 periods, 
+			if ( period > 0 ) {
+				--period;
+				continue;
+			}
+
+			dest[sample_counter] = curr;
+			++sample_counter;
+			period = COTAG_T1;
+		}
+	}
+	return sample_counter;
+}

armsrc/lfsampling.h

@@ -0,0 +1,71 @@
+#ifndef LFSAMPLING_H__
+#define LFSAMPLING_H__
+
+/**
+* acquisition of Cotag LF signal. Similar to other LF,  since the Cotag has such long datarate RF/384
+* and is Manchester?,  we directly gather the manchester data into bigbuff
+**/
+void doCotagAcquisition(size_t sample_size);
+uint32_t doCotagAcquisitionManchester(void);
+
+/**
+* Initializes the FPGA for reader-mode (field on), and acquires the samples.
+* @return number of bits sampled
+**/
+uint32_t SampleLF(bool silent, int sample_size);
+
+/**
+* Initializes the FPGA for snoop-mode (field off), and acquires the samples.
+* @return number of bits sampled
+**/
+uint32_t SnoopLF();
+
+// adds sample size to default options
+uint32_t DoPartialAcquisition(int trigger_threshold, bool silent, int sample_size, int cancel_after);
+
+/**
+ * @brief Does sample acquisition, ignoring the config values set in the sample_config.
+ * This method is typically used by tag-specific readers who just wants to read the samples
+ * the normal way
+ * @param trigger_threshold
+ * @param silent
+ * @return number of bits sampled
+ */
+uint32_t DoAcquisition_default(int trigger_threshold, bool silent);
+/**
+ * @brief Does sample acquisition, using the config values set in the sample_config.
+ * @param trigger_threshold
+ * @param silent
+ * @return number of bits sampled
+ */
+
+uint32_t DoAcquisition_config(bool silent, int sample_size);
+
+/**
+* Setup the FPGA to listen for samples. This method downloads the FPGA bitstream
+* if not already loaded, sets divisor and starts up the antenna.
+* @param divisor : 1, 88> 255 or negative ==> 134.8 KHz
+*                  0 or 95 ==> 125 KHz
+*
+**/
+void LFSetupFPGAForADC(int divisor, bool lf_field);
+
+/**
+ * Called from the USB-handler to set the sampling configuration
+ * The sampling config is used for std reading and snooping.
+ *
+ * Other functions may read samples and ignore the sampling config,
+ * such as functions to read the UID from a prox tag or similar.
+ *
+ * Values set to '0' implies no change (except for averaging)
+ * @brief setSamplingConfig
+ * @param sc
+ */
+void setSamplingConfig(uint8_t *config_data);
+
+sample_config *getSamplingConfig();
+
+void printConfig();
+
+
+#endif // LFSAMPLING_H

armsrc/mifarecmd.h

@@ -10,19 +10,36 @@
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------
 
-#ifndef __MIFARECMD_H
-#define __MIFARECMD_H
+#ifndef MIFARECMD_H__
+#define MIFARECMD_H__
 
-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
-#include "string.h"
+#include <stdint.h>
 
-#include "iso14443crc.h"
-#include "iso14443a.h"
-#include "crapto1.h"
-#include "mifareutil.h"
-#include "common.h"
+extern void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
+extern void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
+extern void MifareUC_Auth(uint8_t arg0, uint8_t *datain);
+extern void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
+extern void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+extern void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+//extern void MifareUWriteBlockCompat(uint8_t arg0,uint8_t *datain);
+extern void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
+extern void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain);
+extern void MifareChkKeys(uint16_t arg0, uint32_t arg1, uint8_t arg2, uint8_t *datain);
+extern void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);       // Work with "magic Chinese" card
+extern void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareCIdent();  // is "magic chinese" card?
+extern void MifareUSetPwd(uint8_t arg0, uint8_t *datain);
+extern void MifarePersonalizeUID(uint8_t keyType, uint8_t perso_option, uint8_t *datain);
 
+//desfire
+extern void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain);
+extern void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain);
 
-#endif
+#endif

armsrc/mifaresim.c

@@ -0,0 +1,867 @@
+//-----------------------------------------------------------------------------
+// Merlok - June 2011, 2012
+// Gerhard de Koning Gans - May 2008
+// Hagen Fritsch - June 2010
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Mifare Classic Card Simulation
+//-----------------------------------------------------------------------------
+
+#include "mifaresim.h"
+#include "iso14443a.h"
+#include "iso14443crc.h"
+#include "crapto1/crapto1.h"
+#include "BigBuf.h"
+#include "string.h"
+#include "mifareutil.h"
+#include "fpgaloader.h"
+#include "proxmark3.h"
+#include "usb_cdc.h"
+#include "protocols.h"
+#include "apps.h"
+#include "util.h"
+
+
+//mifare emulator states
+#define MFEMUL_NOFIELD           0
+#define MFEMUL_IDLE              1
+#define MFEMUL_SELECT1           2
+#define MFEMUL_SELECT2           3
+#define MFEMUL_SELECT3           4
+#define MFEMUL_AUTH1             5
+#define MFEMUL_AUTH2             6
+#define MFEMUL_WORK              7
+#define MFEMUL_WRITEBL2          8
+#define MFEMUL_INTREG_INC        9
+#define MFEMUL_INTREG_DEC       10
+#define MFEMUL_INTREG_REST      11
+#define MFEMUL_HALTED           12
+
+#define AC_DATA_READ             0
+#define AC_DATA_WRITE            1
+#define AC_DATA_INC              2
+#define AC_DATA_DEC_TRANS_REST   3
+#define AC_KEYA_READ             0
+#define AC_KEYA_WRITE            1
+#define AC_KEYB_READ             2
+#define AC_KEYB_WRITE            3
+#define AC_AC_READ               4
+#define AC_AC_WRITE              5
+
+#define AUTHKEYA                 0
+#define AUTHKEYB                 1
+#define AUTHKEYNONE              0xff
+
+
+static int ParamCardSizeBlocks(const char c) {
+	int numBlocks = 16 * 4;
+	switch (c) {
+		case '0' : numBlocks = 5 * 4; break;
+		case '2' : numBlocks = 32 * 4; break;
+		case '4' : numBlocks = 32 * 4 + 8 * 16; break;
+		default:   numBlocks = 16 * 4;
+	}
+	return numBlocks;
+}
+
+static uint8_t BlockToSector(int block_num) {
+	if (block_num < 32 * 4) {    // 4 blocks per sector
+		return (block_num / 4);
+	} else {                     // 16 blocks per sector
+		return 32 + (block_num - 32 * 4) / 16;
+	}
+}
+
+static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
+	uint8_t sector_trailer[16];
+	emlGetMem(sector_trailer, blockNo, 1);
+	uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
+			   | ((sector_trailer[8] >> 2) & 0x02)
+			   | ((sector_trailer[8] >> 7) & 0x01);
+	switch (action) {
+		case AC_KEYA_READ: {
+			return false;
+			break;
+		}
+		case AC_KEYA_WRITE: {
+			return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
+				 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
+			break;
+		}
+		case AC_KEYB_READ: {
+			return (keytype == AUTHKEYA && (AC == 0x00 || AC == 0x02 || AC == 0x01));
+			break;
+		}
+		case AC_KEYB_WRITE: {
+			return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
+				 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
+			break;
+		}
+		case AC_AC_READ: {
+			return ((keytype == AUTHKEYA)
+				 || (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
+			break;
+		}
+		case AC_AC_WRITE: {
+			return ((keytype == AUTHKEYA && (AC == 0x01))
+				 || (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
+			break;
+		}
+		default: return false;
+	}
+}
+
+
+static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action)
+{
+	uint8_t sector_trailer[16];
+	emlGetMem(sector_trailer, SectorTrailer(blockNo), 1);
+
+	uint8_t sector_block;
+	if (blockNo < 32*4) {
+		sector_block = blockNo & 0x03;
+	} else {
+		sector_block = (blockNo & 0x0f) / 5;
+	}
+
+	uint8_t AC;
+	switch (sector_block) {
+		case 0x00: {
+			AC = ((sector_trailer[7] >> 2) & 0x04)
+			   | ((sector_trailer[8] << 1) & 0x02)
+			   | ((sector_trailer[8] >> 4) & 0x01);
+			break;
+		}
+		case 0x01: {
+			AC = ((sector_trailer[7] >> 3) & 0x04)
+			   | ((sector_trailer[8] >> 0) & 0x02)
+			   | ((sector_trailer[8] >> 5) & 0x01);
+			break;
+		}
+		case 0x02: {
+			AC = ((sector_trailer[7] >> 4) & 0x04)
+			   | ((sector_trailer[8] >> 1) & 0x02)
+			   | ((sector_trailer[8] >> 6) & 0x01);
+			break;
+		}
+		default:
+			return false;
+	}
+
+	switch (action) {
+		case AC_DATA_READ: {
+			return ((keytype == AUTHKEYA && !(AC == 0x03 || AC == 0x05 || AC == 0x07))
+				 || (keytype == AUTHKEYB && !(AC == 0x07)));
+			break;
+		}
+		case AC_DATA_WRITE: {
+			return ((keytype == AUTHKEYA && (AC == 0x00))
+				 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
+			break;
+		}
+		case AC_DATA_INC: {
+			return ((keytype == AUTHKEYA && (AC == 0x00))
+				 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
+			break;
+		}
+		case AC_DATA_DEC_TRANS_REST: {
+			return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x06 || AC == 0x01))
+				 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
+			break;
+		}
+	}
+
+	return false;
+}
+
+
+static bool IsAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
+	if (IsSectorTrailer(blockNo)) {
+		return IsTrailerAccessAllowed(blockNo, keytype, action);
+	} else {
+		return IsDataAccessAllowed(blockNo, keytype, action);
+	}
+}
+
+
+static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t cardsize) {
+
+	#define TAG_RESPONSE_COUNT 5                                // number of precompiled responses
+	static uint8_t rATQA[]    = {0x00, 0x00};
+	static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
+	static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
+	static uint8_t rSAKfinal[]= {0x00, 0x00, 0x00};             // SAK after UID complete
+	static uint8_t rSAK1[]    = {0x00, 0x00, 0x00};             // indicate UID not finished
+
+	*uid_len = 4;
+	// UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long
+	if (flags & FLAG_4B_UID_IN_DATA) {  // get UID from datain
+		memcpy(rUIDBCC1, datain, 4);
+	} else if (flags & FLAG_7B_UID_IN_DATA) {
+		rUIDBCC1[0] = 0x88;
+		memcpy(rUIDBCC1+1, datain, 3);
+		memcpy(rUIDBCC2, datain+3, 4);
+		*uid_len = 7;
+	} else {
+		uint8_t probable_atqa;
+		emlGetMemBt(&probable_atqa, 7, 1);  // get UID from emul memory - weak guess at length
+		if (probable_atqa == 0x00) {        // ---------- 4BUID
+			emlGetMemBt(rUIDBCC1, 0, 4);
+		} else {                            // ---------- 7BUID
+			rUIDBCC1[0] = 0x88;
+			emlGetMemBt(rUIDBCC1+1, 0, 3);
+			emlGetMemBt(rUIDBCC2, 3, 4);
+			*uid_len = 7;
+		}
+	}
+
+	switch (*uid_len) {
+		case 4:
+			*cuid = bytes_to_num(rUIDBCC1, 4);
+			rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+			if (MF_DBGLEVEL >= MF_DBG_INFO)   {
+				Dbprintf("4B UID: %02x%02x%02x%02x",
+					rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]  );
+			}
+			break;
+		case 7:
+			*cuid = bytes_to_num(rUIDBCC2, 4);
+			rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+			rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+			if (MF_DBGLEVEL >= MF_DBG_INFO)   {
+				Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
+					rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3]  );
+			}
+			break;
+		default:
+			break;
+	}
+
+	// set SAK based on cardsize
+	switch (cardsize) {
+		case '0': rSAKfinal[0] = 0x09; break; // Mifare Mini
+		case '2': rSAKfinal[0] = 0x10; break; // Mifare 2K
+		case '4': rSAKfinal[0] = 0x18; break; // Mifare 4K
+		default: rSAKfinal[0] = 0x08;         // Mifare 1K
+	}
+	ComputeCrc14443(CRC_14443_A, rSAKfinal, 1, rSAKfinal + 1, rSAKfinal + 2);
+	if (MF_DBGLEVEL >= MF_DBG_INFO)   {
+		Dbprintf("SAK:    %02x", rSAKfinal[0]);
+	}
+
+	// set SAK for incomplete UID
+	rSAK1[0] = 0x04;                          // Bit 3 indicates incomplete UID
+	ComputeCrc14443(CRC_14443_A, rSAK1, 1, rSAK1 + 1, rSAK1 + 2);
+
+	// set ATQA based on cardsize and UIDlen
+	if (cardsize == '4') {
+		rATQA[0] = 0x02;
+	} else {
+		rATQA[0] = 0x04;
+	}
+	if (*uid_len == 7) {
+		rATQA[0] |= 0x40;
+	}
+	if (MF_DBGLEVEL >= MF_DBG_INFO)   {
+		Dbprintf("ATQA:   %02x %02x", rATQA[1], rATQA[0]);
+	}
+
+	static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
+		{ .response = rATQA,     .response_n = sizeof(rATQA)  },        // Answer to request - respond with card type
+		{ .response = rUIDBCC1,  .response_n = sizeof(rUIDBCC1) },      // Anticollision cascade1 - respond with first part of uid
+		{ .response = rUIDBCC2,  .response_n = sizeof(rUIDBCC2) },      // Anticollision cascade2 - respond with 2nd part of uid
+		{ .response = rSAKfinal, .response_n = sizeof(rSAKfinal)  },    // Acknowledge select - last cascade
+		{ .response = rSAK1,     .response_n = sizeof(rSAK1) }          // Acknowledge select - previous cascades
+	};
+
+	// Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT
+	// There are 5 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
+	// 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits  ->   need 177 bytes buffer
+	#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177    // number of bytes required for precompiled responses
+
+	uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
+	size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
+	for (size_t i = 0; i < TAG_RESPONSE_COUNT; i++) {
+		prepare_allocated_tag_modulation(&responses_init[i], &free_buffer_pointer, &free_buffer_size);
+	}
+
+	*responses = responses_init;
+
+	// indices into responses array:
+	#define ATQA     0
+	#define UIDBCC1  1
+	#define UIDBCC2  2
+	#define SAKfinal 3
+	#define SAK1     4
+
+}
+
+
+static bool HasValidCRC(uint8_t *receivedCmd, uint16_t receivedCmd_len) {
+	uint8_t CRC_byte_1, CRC_byte_2;
+	ComputeCrc14443(CRC_14443_A, receivedCmd, receivedCmd_len-2, &CRC_byte_1, &CRC_byte_2);
+	return (receivedCmd[receivedCmd_len-2] == CRC_byte_1 && receivedCmd[receivedCmd_len-1] == CRC_byte_2);
+}
+
+
+/**
+  *MIFARE simulate.
+  *
+  *@param flags :
+  * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
+  * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
+  * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
+  * FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later
+  * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
+  *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
+  * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
+  */
+void MifareSim(uint8_t flags, uint8_t exitAfterNReads, uint8_t cardsize, uint8_t *datain)
+{
+	LED_A_ON();
+
+	tag_response_info_t *responses;
+	uint8_t uid_len = 4;
+	uint32_t cuid = 0;
+	uint8_t cardWRBL = 0;
+	uint8_t cardAUTHSC = 0;
+	uint8_t cardAUTHKEY = AUTHKEYNONE;  // no authentication
+	uint32_t cardRr = 0;
+	//uint32_t rn_enc = 0;
+	uint32_t ans = 0;
+	uint32_t cardINTREG = 0;
+	uint8_t cardINTBLOCK = 0;
+	struct Crypto1State mpcs = {0, 0};
+	struct Crypto1State *pcs = &mpcs;
+	uint32_t numReads = 0; //Counts numer of times reader reads a block
+	uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
+	uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE];
+	uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
+	uint16_t receivedCmd_len;
+	uint8_t response[MAX_MIFARE_FRAME_SIZE];
+	uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
+	uint8_t fixed_nonce[] = {0x01, 0x02, 0x03, 0x04};
+
+	int num_blocks = ParamCardSizeBlocks(cardsize);
+
+	// Here we collect UID, sector, keytype, NT, AR, NR, NT2, AR2, NR2
+	// This will be used in the reader-only attack.
+
+	// allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
+	#define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
+	nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
+	memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
+
+	uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // *2 for 2nd attack type (moebius)
+	memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+	uint8_t nonce1_count = 0;
+	uint8_t nonce2_count = 0;
+	uint8_t moebius_n_count = 0;
+	bool gettingMoebius = false;
+	uint8_t mM = 0; // moebius_modifier for collection storage
+
+	// Authenticate response - nonce
+	uint32_t nonce;
+	if (flags & FLAG_RANDOM_NONCE) {
+		nonce = prand();
+	} else {
+		nonce = bytes_to_num(fixed_nonce, 4);
+	}
+
+	// free eventually allocated BigBuf memory but keep Emulator Memory
+	BigBuf_free_keep_EM();
+
+	MifareSimInit(flags, datain, &responses, &cuid, &uid_len, cardsize);
+
+	// We need to listen to the high-frequency, peak-detected path.
+	iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
+	// clear trace
+	clear_trace();
+	set_tracing(true);
+	ResetSspClk();
+
+	bool finished = false;
+	bool button_pushed = BUTTON_PRESS();
+	int cardSTATE = MFEMUL_NOFIELD;
+
+	while (!button_pushed && !finished && !usb_poll_validate_length()) {
+		WDT_HIT();
+
+		if (cardSTATE == MFEMUL_NOFIELD) {
+			// wait for reader HF field
+			int vHf = (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
+			if (vHf > MF_MINFIELDV) {
+				LED_D_ON();
+				cardSTATE = MFEMUL_IDLE;
+			}
+			button_pushed = BUTTON_PRESS();
+			continue;
+		}
+
+		//Now, get data
+		FpgaEnableTracing();
+		int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);
+
+		if (res == 2) { //  Reader has dropped the HF field. Power off.
+			FpgaDisableTracing();
+			LED_D_OFF();
+			cardSTATE = MFEMUL_NOFIELD;
+			continue;
+		} else if (res == 1) { // button pressed
+			FpgaDisableTracing();
+			button_pushed = true;
+			break;
+		}
+
+		// WUPA in HALTED state or REQA or WUPA in any other state
+		if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
+			EmSendPrecompiledCmd(&responses[ATQA]);
+			FpgaDisableTracing();
+
+			// init crypto block
+			crypto1_destroy(pcs);
+			cardAUTHKEY = AUTHKEYNONE;
+			if (flags & FLAG_RANDOM_NONCE) {
+				nonce = prand();
+			}
+			cardSTATE = MFEMUL_SELECT1;
+			continue;
+		}
+
+		switch (cardSTATE) {
+			case MFEMUL_NOFIELD:
+			case MFEMUL_HALTED:
+			case MFEMUL_IDLE:{
+				break;
+			}
+
+			case MFEMUL_SELECT1:{
+				// select all - 0x93 0x20
+				if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
+					EmSendPrecompiledCmd(&responses[UIDBCC1]);
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("SELECT ALL CL1 received");
+					break;
+				}
+				// select card - 0x93 0x70 ...
+				if (receivedCmd_len == 9 &&
+						(receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC1].response, 4) == 0)) {
+					if (uid_len == 4) {
+						EmSendPrecompiledCmd(&responses[SAKfinal]);
+						cardSTATE = MFEMUL_WORK;
+					} else if (uid_len == 7) {
+						EmSendPrecompiledCmd(&responses[SAK1]);
+						cardSTATE = MFEMUL_SELECT2;
+					}
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
+					break;
+				}
+				cardSTATE = MFEMUL_IDLE;
+				break;
+			}
+
+			case MFEMUL_SELECT2:{
+				// select all cl2 - 0x95 0x20
+				if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
+					EmSendPrecompiledCmd(&responses[UIDBCC2]);
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("SELECT ALL CL2 received");
+					break;
+				}
+				// select cl2 card - 0x95 0x70 xxxxxxxxxxxx
+				if (receivedCmd_len == 9 &&
+						(receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC2].response, 4) == 0)) {
+					if (uid_len == 7) {
+						EmSendPrecompiledCmd(&responses[SAKfinal]);
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
+						cardSTATE = MFEMUL_WORK;
+						break;
+					}
+				}
+				cardSTATE = MFEMUL_IDLE;
+				break;
+			}
+
+			case MFEMUL_WORK:{
+				if (receivedCmd_len != 4) { // all commands must have exactly 4 bytes
+					break;
+				}
+				bool encrypted_data = (cardAUTHKEY != AUTHKEYNONE) ;
+				if (encrypted_data) {
+					// decrypt seqence
+					mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
+				} else {
+					memcpy(receivedCmd_dec, receivedCmd, receivedCmd_len);
+				}
+				if (!HasValidCRC(receivedCmd_dec, receivedCmd_len)) { // all commands must have a valid CRC
+					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_TR));
+					break;
+				}
+
+				if (receivedCmd_dec[0] == MIFARE_AUTH_KEYA || receivedCmd_dec[0] == MIFARE_AUTH_KEYB) {
+					// if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
+					if (receivedCmd_dec[1] >= num_blocks && !(flags & FLAG_NR_AR_ATTACK)) {
+						//is this the correct response to an auth on a out of range block? marshmellow
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking", receivedCmd_dec[0], receivedCmd_dec[1], receivedCmd_dec[1]);
+						break;
+					}
+					cardAUTHSC = BlockToSector(receivedCmd_dec[1]);  // received block num
+					cardAUTHKEY = receivedCmd_dec[0] & 0x01;
+					crypto1_destroy(pcs);//Added by martin
+					crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
+					if (!encrypted_data) { // first authentication
+						crypto1_word(pcs, cuid ^ nonce, 0); // Update crypto state
+						num_to_bytes(nonce, 4, response);   // Send unencrypted nonce
+						EmSendCmd(response, sizeof(nonce));
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
+					} else { // nested authentication
+						num_to_bytes(nonce, sizeof(nonce), response);
+						uint8_t pcs_in[4] = {0};
+						num_to_bytes(cuid ^ nonce, sizeof(nonce), pcs_in);
+						mf_crypto1_encryptEx(pcs, response, pcs_in, sizeof(nonce), response_par);
+						EmSendCmdPar(response, sizeof(nonce), response_par); // send encrypted nonce
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
+					}
+					cardSTATE = MFEMUL_AUTH1;
+					break;
+				}
+
+				// halt can be sent encrypted or in clear
+				if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) {
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("--> HALTED.");
+					cardSTATE = MFEMUL_HALTED;
+					break;
+				}
+
+				if(receivedCmd_dec[0] == MIFARE_CMD_READBLOCK
+					|| receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK
+					|| receivedCmd_dec[0] == MIFARE_CMD_INC
+					|| receivedCmd_dec[0] == MIFARE_CMD_DEC
+					|| receivedCmd_dec[0] == MIFARE_CMD_RESTORE
+					|| receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
+					if (receivedCmd_dec[1] >= num_blocks) {
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
+						break;
+					}
+					if (BlockToSector(receivedCmd_dec[1]) != cardAUTHSC) {
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC);
+						break;
+					}
+				}
+
+				if (receivedCmd_dec[0] == MIFARE_CMD_READBLOCK) {
+					uint8_t blockNo = receivedCmd_dec[1];
+					emlGetMem(response, blockNo, 1);
+					if (IsSectorTrailer(blockNo)) {
+						memset(response, 0x00, 6);  // keyA can never be read
+						if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_KEYB_READ)) {
+							memset(response+10, 0x00, 6);   // keyB cannot be read
+						}
+						if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_AC_READ)) {
+							memset(response+6, 0x00, 4);    // AC bits cannot be read
+						}
+					} else {
+						if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_DATA_READ)) {
+							memset(response, 0x00, 16);     // datablock cannot be read
+						}
+					}
+					AppendCrc14443a(response, 16);
+					mf_crypto1_encrypt(pcs, response, 18, response_par);
+					EmSendCmdPar(response, 18, response_par);
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+						Dbprintf("Reader reading block %d (0x%02x)", blockNo, blockNo);
+					}
+					numReads++;
+					if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
+						Dbprintf("%d reads done, exiting", numReads);
+						finished = true;
+					}
+					break;
+				}
+
+				if (receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK) {
+					uint8_t blockNo = receivedCmd_dec[1];
+					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0xA0 write block %d (%02x)", blockNo, blockNo);
+					cardWRBL = blockNo;
+					cardSTATE = MFEMUL_WRITEBL2;
+					break;
+				}
+
+				if (receivedCmd_dec[0] == MIFARE_CMD_INC || receivedCmd_dec[0] == MIFARE_CMD_DEC || receivedCmd_dec[0] == MIFARE_CMD_RESTORE) {
+					uint8_t blockNo = receivedCmd_dec[1];
+					if (emlCheckValBl(blockNo)) {
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+							Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
+						}
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
+						break;
+					}
+					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+						Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
+					}
+					cardWRBL = blockNo;
+					if (receivedCmd_dec[0] == MIFARE_CMD_INC)
+						cardSTATE = MFEMUL_INTREG_INC;
+					if (receivedCmd_dec[0] == MIFARE_CMD_DEC)
+						cardSTATE = MFEMUL_INTREG_DEC;
+					if (receivedCmd_dec[0] == MIFARE_CMD_RESTORE)
+						cardSTATE = MFEMUL_INTREG_REST;
+					break;
+				}
+
+				if (receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
+					uint8_t blockNo = receivedCmd_dec[1];
+					if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd_dec[1]))
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+					else
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
+					break;
+				}
+
+				// command not allowed
+				EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+				FpgaDisableTracing();
+				if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Received command not allowed, nacking");
+				cardSTATE = MFEMUL_IDLE;
+				break;
+			}
+
+			case MFEMUL_AUTH1:{
+				if (receivedCmd_len != 8) {
+					cardSTATE = MFEMUL_IDLE;
+					break;
+				}
+
+				uint32_t nr = bytes_to_num(receivedCmd, 4);
+				uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
+
+				// Collect AR/NR per keytype & sector
+				if(flags & FLAG_NR_AR_ATTACK) {
+					for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+						if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
+							// if first auth for sector, or matches sector and keytype of previous auth
+							if (ar_nr_collected[i+mM] < 2) {
+								// if we haven't already collected 2 nonces for this sector
+								if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+									// Avoid duplicates... probably not necessary, ar should vary.
+									if (ar_nr_collected[i+mM]==0) {
+										// first nonce collect
+										ar_nr_resp[i+mM].cuid = cuid;
+										ar_nr_resp[i+mM].sector = cardAUTHSC;
+										ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+										ar_nr_resp[i+mM].nonce = nonce;
+										ar_nr_resp[i+mM].nr = nr;
+										ar_nr_resp[i+mM].ar = ar;
+										nonce1_count++;
+										// add this nonce to first moebius nonce
+										ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+										ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+										ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+										ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+										ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+										ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+										ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+									} else { // second nonce collect (std and moebius)
+										ar_nr_resp[i+mM].nonce2 = nonce;
+										ar_nr_resp[i+mM].nr2 = nr;
+										ar_nr_resp[i+mM].ar2 = ar;
+										if (!gettingMoebius) {
+											nonce2_count++;
+											// check if this was the last second nonce we need for std attack
+											if ( nonce2_count == nonce1_count ) {
+												// done collecting std test switch to moebius
+												// first finish incrementing last sample
+												ar_nr_collected[i+mM]++;
+												// switch to moebius collection
+												gettingMoebius = true;
+												mM = ATTACK_KEY_COUNT;
+												if (flags & FLAG_RANDOM_NONCE) {
+													nonce = prand();
+												} else {
+													nonce = nonce*7;
+												}
+												break;
+											}
+										} else {
+											moebius_n_count++;
+											// if we've collected all the nonces we need - finish.
+											if (nonce1_count == moebius_n_count) finished = true;
+										}
+									}
+									ar_nr_collected[i+mM]++;
+								}
+							}
+							// we found right spot for this nonce stop looking
+							break;
+						}
+					}
+				}
+
+				// --- crypto
+				crypto1_word(pcs, nr , 1);
+				cardRr = ar ^ crypto1_word(pcs, 0, 0);
+
+				// test if auth OK
+				if (cardRr != prng_successor(nonce, 64)){
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
+							cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B',
+							cardRr, prng_successor(nonce, 64));
+					// Shouldn't we respond anything here?
+					// Right now, we don't nack or anything, which causes the
+					// reader to do a WUPA after a while. /Martin
+					// -- which is the correct response. /piwi
+					cardAUTHKEY = AUTHKEYNONE;  // not authenticated
+					cardSTATE = MFEMUL_IDLE;
+					break;
+				}
+				ans = prng_successor(nonce, 96);
+				num_to_bytes(ans, 4, response);
+				mf_crypto1_encrypt(pcs, response, 4, response_par);
+				EmSendCmdPar(response, 4, response_par);
+				FpgaDisableTracing();
+				if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B');
+				cardSTATE = MFEMUL_WORK;
+				break;
+			}
+
+			case MFEMUL_WRITEBL2:{
+				if (receivedCmd_len == 18) {
+					mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
+					if (HasValidCRC(receivedCmd_dec, receivedCmd_len)) {
+						if (IsSectorTrailer(cardWRBL)) {
+							emlGetMem(response, cardWRBL, 1);
+							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE)) {
+								memcpy(receivedCmd_dec, response, 6);   // don't change KeyA
+							}
+							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE)) {
+								memcpy(receivedCmd_dec+10, response+10, 6); // don't change KeyA
+							}
+							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE)) {
+								memcpy(receivedCmd_dec+6, response+6, 4);   // don't change AC bits
+							}
+						} else {
+							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE)) {
+								memcpy(receivedCmd_dec, response, 16);  // don't change anything
+							}
+						}
+						emlSetMem(receivedCmd_dec, cardWRBL, 1);
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));  // always ACK?
+						cardSTATE = MFEMUL_WORK;
+						break;
+					}
+				}
+				cardSTATE = MFEMUL_IDLE;
+				break;
+			}
+
+			case MFEMUL_INTREG_INC:{
+				if (receivedCmd_len == 6) {
+					mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
+					if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+						cardSTATE = MFEMUL_IDLE;
+						break;
+					}
+					cardINTREG = cardINTREG + ans;
+					cardSTATE = MFEMUL_WORK;
+				}
+				break;
+			}
+
+			case MFEMUL_INTREG_DEC:{
+				if (receivedCmd_len == 6) {
+					mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
+					if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+						cardSTATE = MFEMUL_IDLE;
+						break;
+					}
+					cardINTREG = cardINTREG - ans;
+					cardSTATE = MFEMUL_WORK;
+				}
+				break;
+			}
+
+			case MFEMUL_INTREG_REST:{
+				mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
+				if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+					cardSTATE = MFEMUL_IDLE;
+					break;
+				}
+				cardSTATE = MFEMUL_WORK;
+				break;
+			}
+
+		} // end of switch
+
+		FpgaDisableTracing();
+		button_pushed = BUTTON_PRESS();
+
+	} // end of while
+
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	LEDsoff();
+
+	if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= MF_DBG_INFO) {
+		for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
+			if (ar_nr_collected[i] == 2) {
+				Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+				Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
+						ar_nr_resp[i].cuid,  //UID
+						ar_nr_resp[i].nonce, //NT
+						ar_nr_resp[i].nr,    //NR1
+						ar_nr_resp[i].ar,    //AR1
+						ar_nr_resp[i].nr2,   //NR2
+						ar_nr_resp[i].ar2    //AR2
+						);
+			}
+		}
+		for ( uint8_t   i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
+			if (ar_nr_collected[i] == 2) {
+				Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+				Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x %08x",
+						ar_nr_resp[i].cuid,  //UID
+						ar_nr_resp[i].nonce, //NT
+						ar_nr_resp[i].nr,    //NR1
+						ar_nr_resp[i].ar,    //AR1
+						ar_nr_resp[i].nonce2,//NT2
+						ar_nr_resp[i].nr2,   //NR2
+						ar_nr_resp[i].ar2    //AR2
+						);
+			}
+		}
+	}
+	if (MF_DBGLEVEL >= MF_DBG_INFO) Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", get_tracing(), BigBuf_get_traceLen());
+
+	if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK
+		//Send the collected ar_nr in the response
+		cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, button_pushed, 0, &ar_nr_resp, sizeof(ar_nr_resp));
+	}
+
+	LED_A_OFF();
+}

armsrc/mifaresim.h

@@ -0,0 +1,20 @@
+//-----------------------------------------------------------------------------
+// Merlok - June 2011, 2012
+// Gerhard de Koning Gans - May 2008
+// Hagen Fritsch - June 2010
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Mifare Classic Card Simulation
+//-----------------------------------------------------------------------------
+
+#ifndef __MIFARESIM_H
+#define __MIFARESIM_H
+
+#include <stdint.h>
+
+extern void MifareSim(uint8_t flags, uint8_t exitAfterNReads, uint8_t cardsize, uint8_t *datain);
+
+#endif

armsrc/mifaresniff.c

@@ -1,173 +1,169 @@
-//-----------------------------------------------------------------------------
-// Merlok - 2012
-//
-// This code is licensed to you under the terms of the GNU GPL, version 2 or,
-// at your option, any later version. See the LICENSE.txt file for the text of
-// the license.
-//-----------------------------------------------------------------------------
-// Routines to support mifare classic sniffer.
-//-----------------------------------------------------------------------------
-
-#include "mifaresniff.h"
-#include "apps.h"
-
-static int sniffState = SNF_INIT;
-static uint8_t sniffUIDType;
-static uint8_t sniffUID[8];
-static uint8_t sniffATQA[2];
-static uint8_t sniffSAK;
-static uint8_t sniffBuf[16];
-static uint32_t timerData = 0;
-
-
-bool MfSniffInit(void){
-	memset(sniffUID, 0x00, 8);
-	memset(sniffATQA, 0x00, 2);
-	sniffSAK = 0;
-	sniffUIDType = SNF_UID_4;
-
-	return FALSE;
-}
-
-bool MfSniffEnd(void){
-	LED_B_ON();
-	cmd_send(CMD_ACK,0,0,0,0,0);
-	LED_B_OFF();
-
-	return FALSE;
-}
-
-bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader) {
-
-	if (reader && (len == 1) && (bitCnt == 7)) { 		// reset on 7-Bit commands from reader
-		sniffState = SNF_INIT;
-	}
-
-	switch (sniffState) {
-		case SNF_INIT:{
-			if ((len == 1) && (reader) && (bitCnt == 7) ) {  // REQA or WUPA from reader
-				sniffUIDType = SNF_UID_4;
-				memset(sniffUID, 0x00, 8);
-				memset(sniffATQA, 0x00, 2);
-				sniffSAK = 0;
-				sniffState = SNF_WUPREQ;
-			}
-			break;
-		}
-		case SNF_WUPREQ:{
-			if ((!reader) && (len == 2)) { 		// ATQA from tag
-				memcpy(sniffATQA, data, 2);
-				sniffState = SNF_ATQA;
-			}
-			break;
-		}
-		case SNF_ATQA:{
-			if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { // Select ALL from reader
-				sniffState = SNF_ANTICOL1;
-			}
-			break;
-		}
-		case SNF_ANTICOL1:{
-			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {  // UID from tag (CL1) 
-				memcpy(sniffUID + 3, data, 4);
-				sniffState = SNF_UID1;
-			}
-			break;
-		}
+//-----------------------------------------------------------------------------
+// Merlok - 2012
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to support mifare classic sniffer.
+//-----------------------------------------------------------------------------
+
+#include "mifaresniff.h"
+
+#include "proxmark3.h"
+#include "util.h"
+#include "string.h"
+#include "iso14443crc.h"
+#include "iso14443a.h"
+#include "crapto1/crapto1.h"
+#include "mifareutil.h"
+#include "common.h"
+#include "usb_cdc.h"
+#include "BigBuf.h"
+#include "fpgaloader.h"
+
+
+static int sniffState = SNF_INIT;
+static uint8_t sniffUIDType;
+static uint8_t sniffUID[8] = {0x00};
+static uint8_t sniffATQA[2] = {0x00};
+static uint8_t sniffSAK;
+static uint8_t sniffBuf[16] = {0x00};
+static uint32_t timerData = 0;
+
+
+bool MfSniffInit(void){
+	memset(sniffUID, 0x00, 8);
+	memset(sniffATQA, 0x00, 2);
+	sniffSAK = 0;
+	sniffUIDType = SNF_UID_4;
+
+	return false;
+}
+
+bool MfSniffEnd(void){
+	LED_B_ON();
+	cmd_send(CMD_ACK,0,0,0,0,0);
+	LED_B_OFF();
+
+	return false;
+}
+
+bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {
+
+	if (reader && (len == 1) && (bitCnt == 7)) { 		// reset on 7-Bit commands from reader
+		sniffState = SNF_INIT;
+	}
+
+	switch (sniffState) {
+		case SNF_INIT:{
+			if ((len == 1) && (reader) && (bitCnt == 7) ) {  // REQA or WUPA from reader
+				sniffUIDType = SNF_UID_4;
+				memset(sniffUID, 0x00, 8);
+				memset(sniffATQA, 0x00, 2);
+				sniffSAK = 0;
+				sniffState = SNF_ATQA;
+				if (data[0] == 0x40) 
+					sniffState = SNF_MAGIC_WUPC2;
+			}
+			break;
+		}
+		case SNF_MAGIC_WUPC2:
+			if ((len == 1) && (reader) && (data[0] == 0x43) ) {  
+				sniffState = SNF_CARD_IDLE;
+			}
+			break;
+		case SNF_ATQA:{
+			if ((!reader) && (len == 2)) { 		// ATQA from tag
+				memcpy(sniffATQA, data, 2);
+				sniffState = SNF_UID1;
+			}
+			break;
+		}
 		case SNF_UID1:{
 			if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {   // Select 4 Byte UID from reader
+				memcpy(sniffUID + 3, &data[2], 4);
 				sniffState = SNF_SAK;
 			}
-			break;
-		}
-		case SNF_SAK:{
-			if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
-				sniffSAK = data[0];
-				if (sniffUID[3] == 0x88) {			// CL2 UID part to be expected
-					sniffState = SNF_ANTICOL2;
-				} else {							// select completed
-					sniffState = SNF_CARD_IDLE;
-				}
-			}
-			break;
-		}
-		case SNF_ANTICOL2:{
-			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // CL2 UID 
-				memcpy(sniffUID, sniffUID+4, 3);
-				memcpy(sniffUID+3, data, 4);
-				sniffUIDType = SNF_UID_7;
-				sniffState = SNF_UID2;
-			}
-			break;
+			break;
 		}
+		case SNF_SAK:{
+			if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
+				sniffSAK = data[0];
+				if ((sniffUID[3] == 0x88) && (sniffUIDType == SNF_UID_4)) {			// CL2 UID part to be expected
+					sniffUIDType = SNF_UID_7;
+					memcpy(sniffUID, sniffUID + 4, 3);
+					sniffState = SNF_UID2;
+				} else {															// select completed
+					sniffState = SNF_CARD_IDLE;
+				}
+			}
+			break;
+		}
 		case SNF_UID2:{
-			if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {	// Select 2nd part of 7 Byte UID
+			if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {
+				memcpy(sniffUID + 3, &data[2], 4);
 				sniffState = SNF_SAK;
 			}
 			break;
 		}
-		case SNF_CARD_IDLE:{	// trace the card select sequence
-			sniffBuf[0] = 0xFF;
-			sniffBuf[1] = 0xFF;
-			memcpy(sniffBuf + 2, sniffUID, 7);
-			memcpy(sniffBuf + 9, sniffATQA, 2);
-			sniffBuf[11] = sniffSAK;
-			sniffBuf[12] = 0xFF;
-			sniffBuf[13] = 0xFF;
-			LogTrace(sniffBuf, 14, 0, parity, true);
-		}	// intentionally no break;
-		case SNF_CARD_CMD:{		
-			LogTrace(data, len, 0, parity, true);
-			sniffState = SNF_CARD_RESP;
-			timerData = GetTickCount();
-			break;
-		}
-		case SNF_CARD_RESP:{
-			LogTrace(data, len, 0, parity, false);
-			sniffState = SNF_CARD_CMD;
-			timerData = GetTickCount();
-			break;
-		}
-	
-		default:
-			sniffState = SNF_INIT;
-		break;
-	}
-
-
-	return FALSE;
-}
-
-bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
-	if (traceLen && (GetTickCount() > timerData + maxTimeoutMs)) {
-		return intMfSniffSend();
-	}
-	return FALSE;
-}
-
-// internal sending function. not a RAMFUNC.
-bool intMfSniffSend() {
-
-	int pckSize = 0;
-	int pckLen = traceLen;
-	int pckNum = 0;
-
-	FpgaDisableSscDma();
-	while (pckLen > 0) {
-		pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
-		LED_B_ON();
-		cmd_send(CMD_ACK, 1, pckSize, pckNum, trace + traceLen - pckLen, pckSize);
-		LED_B_OFF();
-
-		pckLen -= pckSize;
-		pckNum++;
-	}
-
-	LED_B_ON();
-	cmd_send(CMD_ACK,2,0,0,0,0);
-	LED_B_OFF();
-
-	iso14a_clear_trace();
-	
-	return TRUE;
-}
+		case SNF_CARD_IDLE:{	// trace the card select sequence
+			sniffBuf[0] = 0xFF;
+			sniffBuf[1] = 0xFF;
+			memcpy(sniffBuf + 2, sniffUID, 7);
+			memcpy(sniffBuf + 9, sniffATQA, 2);
+			sniffBuf[11] = sniffSAK;
+			sniffBuf[12] = 0xFF;
+			sniffBuf[13] = 0xFF;
+			LogTrace(sniffBuf, 14, 0, 0, NULL, true);
+			sniffState = SNF_CARD_CMD;
+		}	// intentionally no break;
+		case SNF_CARD_CMD:{	
+			LogTrace(data, len, 0, 0, parity, reader);
+			timerData = GetTickCount();
+			break;
+		}
+	
+		default:
+			sniffState = SNF_INIT;
+		break;
+	}
+
+
+	return false;
+}
+
+bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
+	if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {
+		return intMfSniffSend();
+	}
+	return false;
+}
+
+// internal sending function. not a RAMFUNC.
+bool intMfSniffSend() {
+
+	int pckSize = 0;
+	int pckLen = BigBuf_get_traceLen();
+	int pckNum = 0;
+	uint8_t *trace = BigBuf_get_addr();
+	
+	FpgaDisableSscDma();
+	while (pckLen > 0) {
+		pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
+		LED_B_ON();
+		cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);
+		LED_B_OFF();
+
+		pckLen -= pckSize;
+		pckNum++;
+	}
+
+	LED_B_ON();
+	cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,2,0,0,0,0);
+	LED_B_OFF();
+
+	clear_trace();
+	
+	return true;
+}

armsrc/mifaresniff.h

@@ -11,37 +11,31 @@
 #ifndef __MIFARESNIFF_H
 #define __MIFARESNIFF_H
 
-#include "proxmark3.h"
-#include "apps.h"
+#include <stdint.h>
+#include <stdbool.h>
 #include "util.h"
-#include "string.h"
-
-#include "iso14443crc.h"
-#include "iso14443a.h"
-#include "crapto1.h"
-#include "mifareutil.h"
-#include "common.h"
 
 #define SNF_INIT				0
-#define SNF_NO_FIELD		1
-#define SNF_WUPREQ			2
+#define SNF_NO_FIELD			1
+#define SNF_WUPREQ				2
 #define SNF_ATQA				3
-#define SNF_ANTICOL1		4
+#define SNF_ANTICOL1			4
 #define SNF_UID1				5
-#define SNF_ANTICOL2		6
+#define SNF_ANTICOL2			6
 #define SNF_UID2				7
 #define SNF_SAK					8
-#define SNF_CARD_IDLE		9
-#define SNF_CARD_CMD		10
-#define SNF_CARD_RESP		11
+#define SNF_CARD_IDLE			9
+#define SNF_CARD_CMD			10
+#define SNF_CARD_RESP			11
+#define SNF_MAGIC_WUPC2			12
 
 #define SNF_UID_4				0
 #define SNF_UID_7				0
 
 bool MfSniffInit(void);
-bool RAMFUNC MfSniffLogic(const uint8_t * data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader);
+bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader);
 bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs);
 bool intMfSniffSend();
 bool MfSniffEnd(void);
 
-#endif
+#endif

armsrc/mifareutil.h

@@ -9,76 +9,71 @@
 // code for work with mifare cards.
 //-----------------------------------------------------------------------------
 
-#ifndef __MIFAREUTIL_H
-#define __MIFAREUTIL_H
+#ifndef MIFAREUTIL_H__
+#define MIFAREUTIL_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#include "crapto1/crapto1.h"
+#include "usb_cdc.h"
 
 // mifare authentication
-#define CRYPT_NONE    0
-#define CRYPT_ALL     1
-#define CRYPT_REQUEST 2
-#define AUTH_FIRST    0
-#define AUTH_NESTED   2
-
-// mifare 4bit card answers
-#define CARD_ACK      0x0A  // 1010 - ACK
-#define CARD_NACK_NA  0x04  // 0100 - NACK, not allowed (command not allowed)
-#define CARD_NACK_TR  0x05  // 0101 - NACK, transmission error
+#define CRYPT_NONE           0
+#define CRYPT_ALL            1
+#define CRYPT_REQUEST        2
+#define AUTH_FIRST           0
+#define AUTH_NESTED          2
 
 // reader voltage field detector
 #define MF_MINFIELDV      4000
 
 // debug
-// 0 - no debug messages 1 - error messages 2 - all messages 4 - extended debug mode
-#define MF_DBG_NONE          0
-#define MF_DBG_ERROR         1
-#define MF_DBG_ALL           2
-#define MF_DBG_EXTENDED      4
+#define MF_DBG_NONE          0  // no messages
+#define MF_DBG_ERROR         1  // errors only
+#define MF_DBG_INFO          2  // errors + info messages
+#define MF_DBG_DEBUG         3  // errors + info + debug messages
+#define MF_DBG_EXTENDED      4  // errors + info + debug + breaking debug messages
 
 extern int MF_DBGLEVEL;
 
-//mifare emulator states
-#define MFEMUL_NOFIELD      0
-#define MFEMUL_IDLE         1
-#define MFEMUL_SELECT1      2
-#define MFEMUL_SELECT2      3
-#define MFEMUL_AUTH1        4
-#define MFEMUL_AUTH2        5
-#define MFEMUL_WORK	        6
-#define MFEMUL_WRITEBL2     7
-#define MFEMUL_INTREG_INC   8
-#define MFEMUL_INTREG_DEC   9
-#define MFEMUL_INTREG_REST 10
-#define MFEMUL_HALTED      11
+//functions
+int mifare_sendcmd(uint8_t cmd, uint8_t *data, uint8_t data_size, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
 
-#define cardSTATE_TO_IDLE() cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF();
+// mifare classic
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t *auth_timeout);
+int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing, uint32_t *auth_timeout);
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
+int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid);
+int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
 
-//functions
-uint8_t* mifare_get_bigbufptr(void);
-int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint32_t *timing);
-int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t* amswer, uint8_t *timing);
-int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint32_t * parptr, uint32_t *timing);
-
-int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, \
-												uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested);
-int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, \
-													uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested, uint32_t * ntptr, uint32_t *timing);
-int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData); 
-int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid); 
-int mifare_ultra_halt(uint32_t uid);
-
-// crypto functions
-void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *receivedCmd, int len);
-void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, int len, uint32_t *par);
+// Ultralight/NTAG...
+int mifare_ul_ev1_auth(uint8_t *key, uint8_t *pack);
+int mifare_ultra_auth(uint8_t *key);
+int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData);
+//int mifare_ultra_writeblock_compat(uint8_t blockNo, uint8_t *blockData);
+int mifare_ultra_writeblock(uint8_t blockNo, uint8_t *blockData);
+int mifare_ultra_halt();
+
+// desfire
+int mifare_sendcmd_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
+int mifare_sendcmd_special2(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer,uint8_t *answer_parity, uint32_t *timing);
+int mifare_desfire_des_auth1(uint32_t uid, uint8_t *blockData);
+int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData);
+
+// crypto functions
+void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *receivedCmd, int len);
+void mf_crypto1_decryptEx(struct Crypto1State *pcs, uint8_t *data_in, int len, uint8_t *data_out);
+void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, uint8_t *par);
+void mf_crypto1_encryptEx(struct Crypto1State *pcs, uint8_t *data, uint8_t *in, uint16_t len, uint8_t *par);
 uint8_t mf_crypto1_encrypt4bit(struct Crypto1State *pcs, uint8_t data);
 
-// memory management
-uint8_t* mifare_get_bigbufptr(void);
-uint8_t* eml_get_bigbufptr_sendbuf(void);
-uint8_t* eml_get_bigbufptr_recbuf(void);
+// Mifare memory structure
+uint8_t NumBlocksPerSector(uint8_t sectorNo);
+uint8_t FirstBlockOfSector(uint8_t sectorNo);
+bool IsSectorTrailer(uint8_t blockNo);
+uint8_t SectorTrailer(uint8_t blockNo);
 
 // emulator functions
 void emlClearMem(void);
@@ -87,7 +82,13 @@ void emlGetMem(uint8_t *data, int blockNum, int blocksCount);
 void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount);
 uint64_t emlGetKey(int sectorNum, int keyType);
 int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum);
-int emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum);
-int emlCheckValBl(int blockNum);
-
-#endif
+int emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum);
+int emlCheckValBl(int blockNum);
+
+// mifare check keys
+typedef uint8_t TKeyIndex[2][40];
+int MifareChkBlockKeysFixedNonce(uint8_t *ar_par, uint8_t ar_par_cnt, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel);
+int MifareChkBlockKeys(uint8_t *keys, uint8_t keyCount, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel);
+int MifareMultisectorChk(uint8_t *keys, uint8_t keyCount, uint8_t SectorCount, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel, TKeyIndex *keyIndex);
+
+#endif

armsrc/optimized_cipher.c

@@ -0,0 +1,300 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or, at your option, any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
+ ****************************************************************************/
+
+/**
+
+  This file contains an optimized version of the MAC-calculation algorithm. Some measurements on
+  a std laptop showed it runs in about 1/3 of the time:
+
+	Std: 0.428962
+	Opt: 0.151609
+
+  Additionally, it is self-reliant, not requiring e.g. bitstreams from the cipherutils, thus can
+  be easily dropped into a code base.
+
+  The optimizations have been performed in the following steps:
+  * Parameters passed by reference instead of by value.
+  * Iteration instead of recursion, un-nesting recursive loops into for-loops.
+  * Handling of bytes instead of individual bits, for less shuffling and masking
+  * Less creation of "objects", structs, and instead reuse of alloc:ed memory
+  * Inlining some functions via #define:s
+
+  As a consequence, this implementation is less generic. Also, I haven't bothered documenting this.
+  For a thorough documentation, check out the MAC-calculation within cipher.c instead.
+
+  -- MHS 2015
+**/
+
+/**
+
+  The runtime of opt_doTagMAC_2() with the MHS optimized version was 403 microseconds on Proxmark3.
+  This was still to slow for some newer readers which didn't want to wait that long.
+
+  Further optimizations to speedup the MAC calculations:
+  * Optimized opt_Tt logic
+  * Look up table for opt_select
+  * Removing many unnecessary bit maskings (& 0x1)
+  * updating state in place instead of alternating use of a second state structure
+  * remove the necessity to reverse bits of input and output bytes
+ 
+  opt_doTagMAC_2() now completes in 270 microseconds.
+
+  -- piwi 2019
+**/
+
+#include "optimized_cipher.h"
+#include <stddef.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include "string.h"
+
+static const uint8_t opt_select_LUT[256] = {
+	00, 03, 02, 01, 02, 03, 00, 01, 04, 07, 07, 04, 06, 07, 05, 04,
+	01, 02, 03, 00, 02, 03, 00, 01, 05, 06, 06, 05, 06, 07, 05, 04,
+	06, 05, 04, 07, 04, 05, 06, 07, 06, 05, 05, 06, 04, 05, 07, 06,
+	07, 04, 05, 06, 04, 05, 06, 07, 07, 04, 04, 07, 04, 05, 07, 06,
+	06, 05, 04, 07, 04, 05, 06, 07, 02, 01, 01, 02, 00, 01, 03, 02,
+	03, 00, 01, 02, 00, 01, 02, 03, 07, 04, 04, 07, 04, 05, 07, 06,
+	00, 03, 02, 01, 02, 03, 00, 01, 00, 03, 03, 00, 02, 03, 01, 00,
+	05, 06, 07, 04, 06, 07, 04, 05, 05, 06, 06, 05, 06, 07, 05, 04,
+	02, 01, 00, 03, 00, 01, 02, 03, 06, 05, 05, 06, 04, 05, 07, 06,
+	03, 00, 01, 02, 00, 01, 02, 03, 07, 04, 04, 07, 04, 05, 07, 06,
+	02, 01, 00, 03, 00, 01, 02, 03, 02, 01, 01, 02, 00, 01, 03, 02,
+	03, 00, 01, 02, 00, 01, 02, 03, 03, 00, 00, 03, 00, 01, 03, 02,
+	04, 07, 06, 05, 06, 07, 04, 05, 00, 03, 03, 00, 02, 03, 01, 00,
+	01, 02, 03, 00, 02, 03, 00, 01, 05, 06, 06, 05, 06, 07, 05, 04,
+	04, 07, 06, 05, 06, 07, 04, 05, 04, 07, 07, 04, 06, 07, 05, 04,
+	01, 02, 03, 00, 02, 03, 00, 01, 01, 02, 02, 01, 02, 03, 01, 00
+};
+
+/********************** the table above has been generated with this code: ********
+#include "util.h"
+static void init_opt_select_LUT(void) {
+	for (int r = 0; r < 256; r++) {
+		uint8_t r_ls2 = r << 2;
+		uint8_t r_and_ls2 = r & r_ls2;
+		uint8_t r_or_ls2  = r | r_ls2;
+		uint8_t z0 = (r_and_ls2 >> 5) ^ ((r & ~r_ls2) >> 4) ^ ( r_or_ls2 >> 3);
+		uint8_t z1 = (r_or_ls2 >> 6) ^ ( r_or_ls2 >> 1) ^ (r >> 5) ^ r;
+		uint8_t z2 = ((r & ~r_ls2) >> 4) ^ (r_and_ls2 >> 3) ^ r;
+		opt_select_LUT[r] = (z0 & 4) | (z1 & 2) | (z2 & 1);
+	}
+	print_result("", opt_select_LUT, 256);
+}
+***********************************************************************************/
+
+#define opt__select(x,y,r)  (4 & (((r & (r << 2)) >> 5) ^ ((r & ~(r << 2)) >> 4) ^ ( (r | r << 2) >> 3)))\
+	|(2 & (((r | r << 2) >> 6) ^ ( (r | r << 2) >> 1) ^ (r >> 5) ^ r ^ ((x^y) << 1)))\
+	|(1 & (((r & ~(r << 2)) >> 4) ^ ((r & (r << 2)) >> 3) ^ r ^ x))
+
+/*
+ * Some background on the expression above can be found here...
+uint8_t xopt__select(bool x, bool y, uint8_t r)
+{
+
+	//r:      r0 r1 r2 r3 r4 r5 r6 r7
+	//r_ls2:  r2 r3 r4 r5 r6 r7  0  0
+	//                       z0
+	//                          z1
+
+//  uint8_t z0 = (r0 & r2) ^ (r1 & ~r3) ^ (r2 | r4); // <-- original
+	uint8_t z0 = (r_and_ls2 >> 5) ^ ((r & ~r_ls2) >> 4) ^ ( r_or_ls2 >> 3);
+
+//  uint8_t z1 = (r0 | r2) ^ ( r5 | r7) ^ r1 ^ r6 ^ x ^ y;  // <-- original
+	uint8_t z1 = (r_or_ls2 >> 6) ^ ( r_or_ls2 >> 1) ^ (r >> 5) ^ r ^ ((x^y) << 1);
+
+//  uint8_t z2 = (r3 & ~r5) ^ (r4 & r6 ) ^ r7 ^ x;  // <-- original
+	uint8_t z2 = ((r & ~r_ls2) >> 4) ^ (r_and_ls2 >> 3) ^ r ^ x;
+
+	return (z0 & 4) | (z1 & 2) | (z2 & 1);
+}
+*/
+
+static void opt_successor(const uint8_t *k, State *s, uint8_t y) {
+// #define opt_T(s) (0x1 & ((s->t >> 15) ^ (s->t >> 14) ^ (s->t >> 10) ^ (s->t >> 8) ^ (s->t >> 5) ^ (s->t >> 4)^ (s->t >> 1) ^ s->t))
+	// uint8_t Tt = opt_T(s);
+	uint16_t Tt = s->t & 0xc533;
+	Tt = Tt ^ (Tt >> 1);
+	Tt = Tt ^ (Tt >> 4);
+	Tt = Tt ^ (Tt >> 10);
+	Tt = Tt ^ (Tt >> 8);
+
+	s->t = (s->t >> 1);
+	s->t |= (Tt ^ (s->r >> 7) ^ (s->r >> 3)) << 15;
+
+	uint8_t opt_B = s->b;
+	opt_B ^= s->b >> 6;
+	opt_B ^= s->b >> 5;
+	opt_B ^= s->b >> 4;
+
+	s->b = s->b >> 1;
+	s->b |= (opt_B ^ s->r) << 7;
+
+	uint8_t opt_select = opt_select_LUT[s->r] & 0x04;
+	opt_select |= (opt_select_LUT[s->r] ^ ((Tt ^ y) << 1)) & 0x02;
+	opt_select |= (opt_select_LUT[s->r] ^ Tt) & 0x01;
+
+	uint8_t r = s->r;
+	s->r = (k[opt_select] ^ s->b) + s->l ;
+	s->l = s->r + r;
+}
+
+static void opt_suc(const uint8_t *k, State *s, uint8_t *in, uint8_t length, bool add32Zeroes) {
+	for (int i = 0; i < length; i++) {
+		uint8_t head;
+		head = in[i];
+		opt_successor(k, s, head);
+
+		head >>= 1;
+		opt_successor(k, s, head);
+
+		head >>= 1;
+		opt_successor(k, s, head);
+
+		head >>= 1;
+		opt_successor(k, s, head);
+
+		head >>= 1;
+		opt_successor(k, s, head);
+
+		head >>= 1;
+		opt_successor(k, s, head);
+
+		head >>= 1;
+		opt_successor(k, s, head);
+
+		head >>= 1;
+		opt_successor(k, s, head);
+	}
+	//For tag MAC, an additional 32 zeroes
+	if (add32Zeroes) {
+		for(int i = 0; i < 16; i++) {
+			opt_successor(k, s, 0);
+			opt_successor(k, s, 0);
+		}
+	}
+}
+
+static void opt_output(const uint8_t *k, State *s,  uint8_t *buffer) {
+	for (uint8_t times = 0; times < 4; times++) {
+		uint8_t bout = 0;
+		bout |= (s->r & 0x4) >> 2;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) >> 1;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4);
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 1;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 2;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 3;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 4;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 5;
+		opt_successor(k, s, 0);
+		buffer[times] = bout;
+	}
+}
+
+static void opt_MAC(uint8_t *k, uint8_t *input, uint8_t *out) {
+	State _init  =  {
+		((k[0] ^ 0x4c) + 0xEC) & 0xFF,// l
+		((k[0] ^ 0x4c) + 0x21) & 0xFF,// r
+		0x4c, // b
+		0xE012 // t
+	};
+
+	opt_suc(k, &_init, input, 12, false);
+	//printf("\noutp ");
+	opt_output(k, &_init, out);
+}
+
+void opt_doReaderMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]) {
+	uint8_t dest[] = {0, 0, 0, 0, 0, 0, 0, 0};
+	opt_MAC(div_key_p, cc_nr_p, dest);
+	memcpy(mac, dest, 4);
+	return;
+}
+
+void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4]) {
+	State _init = {
+		((div_key_p[0] ^ 0x4c) + 0xEC) & 0xFF,// l
+		((div_key_p[0] ^ 0x4c) + 0x21) & 0xFF,// r
+		0x4c, // b
+		0xE012 // t
+	};
+	opt_suc(div_key_p, &_init, cc_p, 12, true);
+	opt_output(div_key_p, &_init, mac);
+	return;
+}
+
+/**
+ * The tag MAC can be divided (both can, but no point in dividing the reader mac) into
+ * two functions, since the first 8 bytes are known, we can pre-calculate the state
+ * reached after feeding CC to the cipher.
+ * @param cc_p
+ * @param div_key_p
+ * @return the cipher state
+ */
+State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p) {
+	State _init = {
+		((div_key_p[0] ^ 0x4c) + 0xEC) & 0xFF,// l
+		((div_key_p[0] ^ 0x4c) + 0x21) & 0xFF,// r
+		0x4c, // b
+		0xE012 // t
+	};
+	opt_suc(div_key_p, &_init, cc_p, 8, false);
+	return _init;
+}
+
+/**
+ * The second part of the tag MAC calculation, since the CC is already calculated into the state,
+ * this function is fed only the NR, and internally feeds the remaining 32 0-bits to generate the tag
+ * MAC response.
+ * @param _init - precalculated cipher state
+ * @param nr - the reader challenge
+ * @param mac - where to store the MAC
+ * @param div_key_p - the key to use
+ */
+void opt_doTagMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p) {
+	opt_suc(div_key_p, &_init, nr, 4, true);
+	opt_output(div_key_p, &_init, mac);
+	return;
+}

armsrc/optimized_cipher.h

@@ -0,0 +1,88 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or, at your option, any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ ****************************************************************************/
+
+#ifndef OPTIMIZED_CIPHER_H__
+#define OPTIMIZED_CIPHER_H__
+
+#include <stdint.h>
+
+/**
+* Definition 1 (Cipher state). A cipher state of iClass s is an element of F 40/2
+* consisting of the following four components:
+*   1. the left register l = (l 0 . . . l 7 ) ∈ F 8/2 ;
+*   2. the right register r = (r 0 . . . r 7 ) ∈ F 8/2 ;
+*   3. the top register t = (t 0 . . . t 15 ) ∈ F 16/2 .
+*   4. the bottom register b = (b 0 . . . b 7 ) ∈ F 8/2 .
+**/
+typedef struct {
+	uint8_t l;
+	uint8_t r;
+	uint8_t b;
+	uint16_t t;
+} State;
+
+/** The reader MAC is MAC(key, CC * NR )
+ **/
+void opt_doReaderMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]);
+
+/**
+ * The tag MAC is MAC(key, CC * NR * 32x0))
+ */
+void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4]);
+
+/**
+ * The tag MAC can be divided (both can, but no point in dividing the reader mac) into
+ * two functions, since the first 8 bytes are known, we can pre-calculate the state
+ * reached after feeding CC to the cipher.
+ * @param cc_p
+ * @param div_key_p
+ * @return the cipher state
+ */
+State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p);
+
+/**
+ * The second part of the tag MAC calculation, since the CC is already calculated into the state,
+ * this function is fed only the NR, and internally feeds the remaining 32 0-bits to generate the tag
+ * MAC response.
+ * @param _init - precalculated cipher state
+ * @param nr - the reader challenge
+ * @param mac - where to store the MAC
+ * @param div_key_p - the key to use
+ */
+void opt_doTagMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p);
+
+#endif // OPTIMIZED_CIPHER_H__

armsrc/pcf7931.c

@@ -0,0 +1,589 @@
+#include "proxmark3.h"
+#include "apps.h"
+#include "usb_cdc.h"
+#include "lfsampling.h"
+#include "pcf7931.h"
+#include "util.h"
+#include "string.h"
+#include "fpgaloader.h"
+
+#define T0_PCF 8 //period for the pcf7931 in us
+#define ALLOC 16
+
+size_t DemodPCF7931(uint8_t **outBlocks) {
+	uint8_t bits[256] = {0x00};
+	uint8_t blocks[8][16];
+	uint8_t *dest = BigBuf_get_addr();
+
+	int GraphTraceLen = BigBuf_max_traceLen();
+	if (GraphTraceLen > 18000)
+		GraphTraceLen = 18000;
+
+	int i, j, lastval, bitidx, half_switch;
+	int clock = 64;
+	int tolerance = clock / 8;
+	int pmc, block_done;
+	int lc, warnings = 0;
+	size_t num_blocks = 0;
+	int lmin=128, lmax=128;
+	uint8_t dir;
+	//clear read buffer
+	BigBuf_Clear_keep_EM();
+
+	LFSetupFPGAForADC(95, true);
+	DoAcquisition_default(0, true);
+
+	lmin = 64;
+	lmax = 192;
+
+	i = 2;
+
+	/* Find first local max/min */
+	if(dest[1] > dest[0]) {
+		while(i < GraphTraceLen) {
+			if( !(dest[i] > dest[i-1]) && dest[i] > lmax)
+				break;
+			i++;
+		}
+		dir = 0;
+	} else {
+		while(i < GraphTraceLen) {
+			if( !(dest[i] < dest[i-1]) && dest[i] < lmin)
+				break;
+			i++;
+		}
+		dir = 1;
+	}
+
+	lastval = i++;
+	half_switch = 0;
+	pmc = 0;
+	block_done = 0;
+
+	for (bitidx = 0; i < GraphTraceLen; i++) {
+		if ((dest[i-1] > dest[i] && dir == 1 && dest[i] > lmax) || (dest[i-1] < dest[i] && dir == 0 && dest[i] < lmin)) {
+			lc = i - lastval;
+			lastval = i;
+
+			// Switch depending on lc length:
+			// Tolerance is 1/8 of clock rate (arbitrary)
+			if (ABS(lc-clock/4) < tolerance) {
+				// 16T0
+				if((i - pmc) == lc) { /* 16T0 was previous one */
+					/* It's a PMC ! */
+					i += (128+127+16+32+33+16)-1;
+					lastval = i;
+					pmc = 0;
+					block_done = 1;
+				} else {
+					pmc = i;
+				}
+			} else if (ABS(lc-clock/2) < tolerance) {
+				// 32TO
+				if((i - pmc) == lc) { /* 16T0 was previous one */
+					/* It's a PMC ! */
+					i += (128+127+16+32+33)-1;
+					lastval = i;
+					pmc = 0;
+					block_done = 1;
+				} else if(half_switch == 1) {
+					bits[bitidx++] = 0;
+					half_switch = 0;
+				}
+				else
+					half_switch++;
+			} else if (ABS(lc-clock) < tolerance) {
+				// 64TO
+				bits[bitidx++] = 1;
+			} else {
+				// Error
+				if (++warnings > 10) {
+					Dbprintf("Error: too many detection errors, aborting.");
+					return 0;
+				}
+			}
+
+			if(block_done == 1) {
+				if(bitidx == 128) {
+					for(j = 0; j < 16; ++j) {
+						blocks[num_blocks][j] =
+							128 * bits[j*8 + 7]+
+											64 * bits[j*8 + 6] +
+							32 * bits[j*8 + 5] +
+							16 * bits[j*8 + 4] +
+							8 * bits[j*8 + 3] +
+							4 * bits[j*8 + 2] +
+							2 * bits[j*8 + 1] +
+							bits[j*8]
+						;
+					}
+					num_blocks++;
+				}
+				bitidx = 0;
+				block_done = 0;
+				half_switch = 0;
+			}
+			if(i < GraphTraceLen)
+				dir = (dest[i-1] > dest[i]) ? 0 : 1;
+		}
+		if(bitidx==255)
+			bitidx=0;
+		warnings = 0;
+		if(num_blocks == 4) break;
+	}
+	memcpy(outBlocks, blocks, 16 * num_blocks);
+	return num_blocks;
+}
+
+bool IsBlock0PCF7931(uint8_t *block) {
+	// assuming all RFU bits are set to 0
+	// if PAC is enabled password is set to 0
+	if (block[7] == 0x01)
+	{
+		if (!memcmp(block, "\x00\x00\x00\x00\x00\x00\x00", 7) && !memcmp(block+9, "\x00\x00\x00\x00\x00\x00\x00", 7))
+			return true;
+	}
+	else if (block[7] == 0x00)
+	{
+		if (!memcmp(block+9, "\x00\x00\x00\x00\x00\x00\x00", 7))
+			return true;
+	}
+	return false;
+}
+
+bool IsBlock1PCF7931(uint8_t *block) {
+	// assuming all RFU bits are set to 0
+
+	uint8_t rb1 = block[14] & 0x80;
+	uint8_t rfb = block[14] & 0x7f;
+	uint8_t rlb = block[15];
+
+	if (block[10] == 0 && block[11] == 0 && block[12] == 0 && block[13] == 0)
+		// block 1 is sent only if (RLB >= 1 && RFB <= 1) or RB1 enabled
+		if(rfb <= rlb && rfb <= 9 && rlb <= 9 && ((rfb <= 1 && rlb >= 1) || rb1))
+			return true;
+
+	return false;
+}
+
+void ReadPCF7931() {
+	int found_blocks = 0; // successfully read blocks
+	int max_blocks = 8; // readable blocks
+	uint8_t memory_blocks[8][17]; // PCF content
+
+	uint8_t single_blocks[8][17]; // PFC blocks with unknown position
+	int single_blocks_cnt = 0;
+
+	size_t n = 0; // transmitted blocks
+	uint8_t tmp_blocks[4][16]; // temporary read buffer
+
+	uint8_t found_0_1 = 0; // flag: blocks 0 and 1 were found
+	int errors = 0; // error counter
+	int tries = 0; // tries counter
+
+	memset(memory_blocks, 0, 8*17*sizeof(uint8_t));
+	memset(single_blocks, 0, 8*17*sizeof(uint8_t));
+
+	int i = 0, j = 0;
+
+	do {
+		i = 0;
+
+		memset(tmp_blocks, 0, 4*16*sizeof(uint8_t));
+		n = DemodPCF7931((uint8_t**)tmp_blocks);
+		if(!n)
+			++errors;
+
+		// exit if no block is received
+		if (errors >= 10 && found_blocks == 0 && single_blocks_cnt == 0) {
+			Dbprintf("Error, no tag or bad tag");
+			return;
+		}
+
+		// exit if too many errors during reading
+		if (tries > 50 && (2*errors > tries)) {
+			Dbprintf("Error reading the tag");
+			Dbprintf("Here is the partial content");
+			goto end;
+		}
+
+		// our logic breaks if we don't get at least two blocks
+		if (n < 2) {
+			// skip if all 0s block or no blocks
+			if (n == 0 || !memcmp(tmp_blocks[0], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16))
+				continue;
+
+			// add block to single blocks list
+			if (single_blocks_cnt < max_blocks) {
+				for (i = 0; i < single_blocks_cnt; ++i) {
+					if (!memcmp(single_blocks[i], tmp_blocks[0], 16)) {
+						j = 1;
+						break;
+					}
+				}
+				if (j != 1) {
+					memcpy(single_blocks[single_blocks_cnt], tmp_blocks[0], 16);
+					print_result("got single block", single_blocks[single_blocks_cnt], 16);
+					single_blocks_cnt++;
+				}
+				j = 0;
+			}
+			++tries;
+			continue;
+		}
+
+		Dbprintf("(dbg) got %d blocks (%d/%d found) (%d tries, %d errors)", n, found_blocks, (max_blocks == 0 ? found_blocks : max_blocks), tries, errors);
+		for (i = 0; i < n; ++i)
+		{
+			print_result("got consecutive blocks", tmp_blocks[i], 16);
+		}
+
+		i = 0;
+		if(!found_0_1) {
+			while (i < n - 1) {
+				if (IsBlock0PCF7931(tmp_blocks[i]) && IsBlock1PCF7931(tmp_blocks[i+1])) {
+					found_0_1 = 1;
+					memcpy(memory_blocks[0], tmp_blocks[i], 16);
+					memcpy(memory_blocks[1], tmp_blocks[i+1], 16);
+					memory_blocks[0][ALLOC] = memory_blocks[1][ALLOC] = 1;
+					// block 1 tells how many blocks are going to be sent
+					max_blocks = MAX((memory_blocks[1][14] & 0x7f), memory_blocks[1][15]) + 1;
+					found_blocks = 2;
+
+					Dbprintf("Found blocks 0 and 1. PCF is transmitting %d blocks.", max_blocks);
+
+					// handle the following blocks
+					for (j = i + 2; j < n; ++j) {
+						memcpy(memory_blocks[found_blocks], tmp_blocks[j], 16);
+						memory_blocks[found_blocks][ALLOC] = 1;
+						++found_blocks;
+					}
+					break;
+				}
+				++i;
+			}
+		} else {
+			// Trying to re-order blocks
+			// Look for identical block in memory blocks
+			while (i < n-1) {
+				// skip all zeroes blocks
+				if (memcmp(tmp_blocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
+					for (j = 1; j < max_blocks - 1; ++j) {
+						if (!memcmp(tmp_blocks[i], memory_blocks[j], 16) && !memory_blocks[j+1][ALLOC]) {
+							memcpy(memory_blocks[j+1], tmp_blocks[i+1], 16);
+							memory_blocks[j+1][ALLOC] = 1;
+							if (++found_blocks >= max_blocks) goto end;
+						}
+					}
+				}
+				if (memcmp(tmp_blocks[i+1], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
+					for (j = 0; j < max_blocks; ++j) {
+						if (!memcmp(tmp_blocks[i+1], memory_blocks[j], 16) && !memory_blocks[(j == 0 ? max_blocks : j) -1][ALLOC]) {
+							if (j == 0) {
+								memcpy(memory_blocks[max_blocks - 1], tmp_blocks[i], 16);
+								memory_blocks[max_blocks - 1][ALLOC] = 1;
+							} else {
+								memcpy(memory_blocks[j-1], tmp_blocks[i], 16);
+								memory_blocks[j-1][ALLOC] = 1;
+							}
+							if (++found_blocks >= max_blocks) goto end;
+						}
+					}
+				}
+				++i;
+			}
+		}
+		++tries;
+		if (BUTTON_PRESS()) {
+			Dbprintf("Button pressed, stopping.");
+			goto end;
+		}
+	}
+	while (found_blocks < max_blocks);
+
+ end:
+	Dbprintf("-----------------------------------------");
+	Dbprintf("Memory content:");
+	Dbprintf("-----------------------------------------");
+	for (i = 0; i < max_blocks; ++i) {
+		if (memory_blocks[i][ALLOC])
+			print_result("Block", memory_blocks[i], 16);
+		else
+			Dbprintf("<missing block %d>", i);
+	}
+	Dbprintf("-----------------------------------------");
+
+	if (found_blocks < max_blocks) {
+		Dbprintf("-----------------------------------------");
+		Dbprintf("Blocks with unknown position:");
+		Dbprintf("-----------------------------------------");
+		for (i = 0; i < single_blocks_cnt; ++i)
+			print_result("Block", single_blocks[i], 16);
+
+		Dbprintf("-----------------------------------------");
+	}
+	cmd_send(CMD_ACK,0,0,0,0,0);
+}
+
+static void RealWritePCF7931(uint8_t *pass, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
+	uint32_t tab[1024]={0}; // data times frame
+	uint32_t u = 0;
+	uint8_t parity = 0;
+	bool comp = 0;
+
+	//BUILD OF THE DATA FRAME
+	//alimentation of the tag (time for initializing)
+	AddPatternPCF7931(init_delay, 0, 8192/2*T0_PCF, tab);
+	AddPatternPCF7931(8192/2*T0_PCF + 319*T0_PCF+70, 3*T0_PCF, 29*T0_PCF, tab);
+	//password indication bit
+	AddBitPCF7931(1, tab, l, p);
+	// password (on 56 bits)
+	AddBytePCF7931(pass[0], tab, l, p);
+	AddBytePCF7931(pass[1], tab, l, p);
+	AddBytePCF7931(pass[2], tab, l, p);
+	AddBytePCF7931(pass[3], tab, l, p);
+	AddBytePCF7931(pass[4], tab, l, p);
+	AddBytePCF7931(pass[5], tab, l, p);
+	AddBytePCF7931(pass[6], tab, l, p);
+	//programming mode (0 or 1)
+	AddBitPCF7931(0, tab, l, p);
+
+	//block adress on 6 bits
+	for (u = 0; u < 6; ++u) {
+		if (address & (1 << u)) {   // bit 1
+			 ++parity;
+			 AddBitPCF7931(1, tab, l, p);
+		} else {                    // bit 0
+			 AddBitPCF7931(0, tab, l, p);
+		}
+	}
+
+	//byte address on 4 bits
+	for (u = 0; u < 4; ++u)
+	{
+		if (byte & (1 << u)) {  // bit 1
+			 parity++;
+			 AddBitPCF7931(1, tab, l, p);
+		}
+		else                // bit 0
+			 AddBitPCF7931(0, tab, l, p);
+	}
+
+	//data on 8 bits
+	for (u=0; u<8; u++)
+	{
+		if (data&(1<<u)) {  // bit 1
+			 parity++;
+			 AddBitPCF7931(1, tab, l, p);
+		}
+		else                //bit 0
+			 AddBitPCF7931(0, tab, l, p);
+	}
+
+	//parity bit
+	if ((parity % 2) == 0)
+		AddBitPCF7931(0, tab, l, p); //even parity
+	else
+		AddBitPCF7931(1, tab, l, p);//odd parity
+
+	//time access memory
+	AddPatternPCF7931(5120+2680, 0, 0, tab);
+
+	//conversion of the scale time
+	for (u = 0; u < 500; ++u)
+		tab[u] = (tab[u] * 3) / 2;
+
+	//compennsation of the counter reload
+	while (!comp) {
+		comp = 1;
+		for (u = 0; tab[u] != 0; ++u)
+			if(tab[u] > 0xFFFF) {
+			  tab[u] -= 0xFFFF;
+			  comp = 0;
+			}
+	}
+
+	SendCmdPCF7931(tab);
+}
+
+void BruteForcePCF7931(uint64_t password, uint8_t tries, uint16_t init_delay, int32_t l, int32_t p) {
+	uint8_t i = 0;
+	uint8_t pass_array[7];
+
+	while (password < 0x00FFFFFFFFFFFFFF) {
+		if (BUTTON_PRESS()) {
+			Dbprintf("Button pressed, stopping bruteforce ...");
+			return;
+		}
+
+		num_to_bytes(password, 7, pass_array);
+
+		Dbprintf("Trying: %02x %02x %02x %02x %02x %02x %02x ...",
+			pass_array[0],
+			pass_array[1],
+			pass_array[2],
+			pass_array[3],
+			pass_array[4],
+			pass_array[5],
+			pass_array[6]);
+
+		for (i = 0; i < tries; ++i)
+			RealWritePCF7931
+			(
+				pass_array,
+				init_delay,
+				l,
+				p,
+				0,
+				7,
+				0x01
+			);
+
+		++password;
+	}
+}
+
+/* Write on a byte of a PCF7931 tag
+ * @param address : address of the block to write
+   @param byte : address of the byte to write
+	@param data : data to write
+ */
+void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
+	Dbprintf("Initialization delay : %d us", init_delay);
+	Dbprintf("Offsets : %d us on the low pulses width, %d us on the low pulses positions", l, p);
+	Dbprintf("Password (LSB first on each byte): %02x %02x %02x %02x %02x %02x %02x", pass1, pass2, pass3, pass4, pass5, pass6, pass7);
+	Dbprintf("Block address : %02x", address);
+	Dbprintf("Byte address : %02x", byte);
+	Dbprintf("Data : %02x", data);
+
+	uint8_t password[7] = {pass1, pass2, pass3, pass4, pass5, pass6, pass7};
+
+	RealWritePCF7931 (password, init_delay, l, p, address, byte, data);
+}
+
+
+
+/* Send a trame to a PCF7931 tags
+ * @param tab : array of the data frame
+ */
+
+void SendCmdPCF7931(uint32_t * tab) {
+	uint16_t u=0;
+	uint16_t tempo=0;
+
+	Dbprintf("Sending data frame ...");
+
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU );
+
+	LED_A_ON();
+
+	// steal this pin from the SSP and use it to control the modulation
+	AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+	AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+
+	//initialization of the timer
+	AT91C_BASE_PMC->PMC_PCER |= (0x1 << 12) | (0x1 << 13) | (0x1 << 14);
+	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
+	AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;  //clock at 48/32 MHz
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;
+	AT91C_BASE_TCB->TCB_BCR = 1;
+
+	tempo = AT91C_BASE_TC0->TC_CV;
+	for (u = 0; tab[u] !=  0; u += 3) {
+		// modulate antenna
+		HIGH(GPIO_SSC_DOUT);
+		while(tempo !=  tab[u])
+			tempo = AT91C_BASE_TC0->TC_CV;
+
+		// stop modulating antenna
+		LOW(GPIO_SSC_DOUT);
+		while(tempo !=  tab[u+1])
+			tempo = AT91C_BASE_TC0->TC_CV;
+
+		// modulate antenna
+		HIGH(GPIO_SSC_DOUT);
+		while(tempo !=  tab[u+2])
+			tempo = AT91C_BASE_TC0->TC_CV;
+	}
+
+	LED_A_OFF();
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	SpinDelay(200);
+
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
+	DbpString("Data frame sent (multiple sends may be needed)");
+	LED(0xFFFF, 1000);
+}
+
+
+/* Add a byte for building the data frame of PCF7931 tags
+ * @param b : byte to add
+ * @param tab : array of the data frame
+ * @param l : offset on low pulse width
+ * @param p : offset on low pulse positioning
+ */
+bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p) {
+	uint32_t u;
+	for (u = 0; u < 8; ++u) {
+		if (byte & (1 << u)) {  //bit is 1
+			if(AddBitPCF7931(1, tab, l, p)==1)return 1;
+		} else { //bit is 0
+			if(AddBitPCF7931(0, tab, l, p)==1)return 1;
+		}
+	}
+
+	return 0;
+}
+
+/* Add a bits for building the data frame of PCF7931 tags
+ * @param b : bit to add
+ * @param tab : array of the data frame
+ * @param l : offset on low pulse width
+ * @param p : offset on low pulse positioning
+ */
+bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p) {
+	uint8_t u = 0;
+
+	for (u = 0; tab[u] != 0; u += 3){} //we put the cursor at the last value of the array
+
+	if (b == 1) {   //add a bit 1
+		if (u == 0) tab[u] = 34 * T0_PCF + p;
+		else        tab[u] = 34 * T0_PCF + tab[u-1] + p;
+
+		tab[u+1] = 6 * T0_PCF+tab[u] + l;
+		tab[u+2] = 88 * T0_PCF+tab[u + 1] - l - p;
+		return 0;
+	} else {        //add a bit 0
+
+		if (u == 0) tab[u] = 98 * T0_PCF + p;
+		else        tab[u] = 98 * T0_PCF + tab[u-1] + p;
+
+		tab[u + 1] = 6 * T0_PCF + tab[u] + l;
+		tab[u + 2] = 24 * T0_PCF + tab[u + 1] - l - p;
+		return 0;
+	}
+
+	return 1;
+}
+
+/* Add a custom pattern in the data frame
+ * @param a : delay of the first high pulse
+ * @param b : delay of the low pulse
+ * @param c : delay of the last high pulse
+ * @param tab : array of the data frame
+ */
+bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab) {
+	uint32_t u = 0;
+	for(u = 0; tab[u] != 0; u += 3){} //we put the cursor at the last value of the array
+
+	if (u == 0) tab[u] = a;
+	else        tab[u] = a + tab[u - 1];
+
+	tab[u + 1] = b + tab[u];
+	tab[u + 2] = c + tab[u + 1];
+
+	return 0;
+}

armsrc/pcf7931.h

@@ -0,0 +1,15 @@
+#ifndef __PCF7931_H
+#define __PCF7931_H
+
+size_t DemodPCF7931(uint8_t **outBlocks);
+bool IsBlock0PCF7931(uint8_t *Block);
+bool IsBlock1PCF7931(uint8_t *Block);
+void ReadPCF7931();
+void SendCmdPCF7931(uint32_t * tab);
+bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p);
+bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p);
+bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab);
+void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data);
+void BruteForcePCF7931(uint64_t start_password, uint8_t tries, uint16_t init_delay, int32_t l, int32_t p);
+
+#endif

armsrc/printf.c

@@ -40,9 +40,6 @@
 #include "util.h"
 #include "string.h"
 
-typedef uint32_t uintmax_t;
-typedef int32_t intmax_t;
-
 typedef unsigned char u_char;
 typedef unsigned int u_int;
 typedef unsigned long u_long;
@@ -178,6 +175,7 @@ reswitch:	switch (ch = (u_char)*fmt++) {
 				padc = '0';
 				goto reswitch;
 			}
+			// intentionally fall through to next case
 		case '1': case '2': case '3': case '4':
 		case '5': case '6': case '7': case '8': case '9':
 				for (n = 0;; ++fmt) {

armsrc/start.c

@@ -11,23 +11,75 @@
 
 #include "proxmark3.h"
 #include "apps.h"
+#include "zlib.h"
+#include "BigBuf.h"
+
+static uint8_t *next_free_memory;
+extern struct common_area common_area;
+extern char __data_src_start__, __data_start__, __data_end__, __bss_start__, __bss_end__;
+
+
+static voidpf inflate_malloc(voidpf opaque, uInt items, uInt size)
+{
+	uint8_t *allocated_memory;
+	
+	allocated_memory = next_free_memory;
+	next_free_memory += items*size;
+	return allocated_memory;
+}
+
+
+static void inflate_free(voidpf opaque, voidpf address)
+{
+	// nothing to do
+	
+}
+
+static void uncompress_data_section(void)
+{
+	z_stream data_section;
+
+	next_free_memory = BigBuf_get_addr();
+	
+	// initialize zstream structure
+	data_section.next_in = (uint8_t *) &__data_src_start__;
+	data_section.avail_in = &__data_end__ - &__data_start__;  // uncompressed size. Wrong but doesn't matter.
+	data_section.next_out = (uint8_t *) &__data_start__;
+	data_section.avail_out = &__data_end__ - &__data_start__;  // uncompressed size. Correct.
+	data_section.zalloc = &inflate_malloc;
+	data_section.zfree = &inflate_free;
+	data_section.opaque = NULL;
+
+	// initialize zlib for inflate
+	inflateInit2(&data_section, 15);
+
+	// uncompress data segment to RAM
+	inflate(&data_section, Z_FINISH);
+	
+	// save the size of the compressed data section
+	common_area.arg1 = data_section.total_in;
+}
+
 
-extern char __data_start__, __data_src_start__,  __data_end__, __bss_start__, __bss_end__;
 void __attribute__((section(".startos"))) Vector(void)
 {
 	/* Stack should have been set up by the bootloader */
-	char *src, *dst, *end;
+	// char *src;
+	char *dst, *end;
+	
+	uncompress_data_section();
 
 	/* Set up (that is: clear) BSS. */
 	dst = &__bss_start__;
 	end = &__bss_end__;
 	while(dst < end) *dst++ = 0;
 
-	/* Set up data segment: Copy from flash to ram */
-	src = &__data_src_start__;
-	dst = &__data_start__;
-	end = &__data_end__;
-	while(dst < end) *dst++ = *src++;
+	// Set up data segment: Copy from flash to ram
+	// src = &__data_src_start__;
+	// dst = &__data_start__;
+	// end = &__data_end__;
+	// while(dst < end) *dst++ = *src++;
+
 
 	AppMain();
 }

armsrc/string.c

@@ -11,8 +11,7 @@
 #include "string.h"
 #include <stdint.h>
 
-void *memcpy(void *dest, const void *src, int len)
-{
+void *memcpy(void *dest, const void *src, size_t len) {
 	uint8_t *d = dest;
 	const uint8_t *s = src;
 	while((len--) > 0) {
@@ -23,8 +22,8 @@ void *memcpy(void *dest, const void *src, int len)
 	return dest;
 }
 
-void *memset(void *dest, int c, int len)
-{
+
+void *memset(void *dest, int c, size_t len) {
 	uint8_t *d = dest;
 	while((len--) > 0) {
 		*d = c;
@@ -33,8 +32,30 @@ void *memset(void *dest, int c, int len)
 	return dest;
 }
 
-int memcmp(const void *av, const void *bv, int len)
-{
+
+void *memmove(void *dest, const void *src, size_t len) {
+	uint8_t *d = dest;
+	const uint8_t *s = src;
+	if (dest <= src) {
+		while((len--) > 0) {
+			*d = *s;
+			d++;
+			s++;
+		} 
+	} else {
+		d = d + len - 1;
+		s = s + len - 1;
+		while((len--) > 0) {
+			*d = *s;
+			d--;
+			s--;
+		}
+	}
+	return dest;
+}
+
+
+int memcmp(const void *av, const void *bv, size_t len) {
 	const uint8_t *a = av;
 	const uint8_t *b = bv;
 
@@ -48,8 +69,8 @@ int memcmp(const void *av, const void *bv, int len)
 	return 0;
 }
 
-int strlen(const char *str)
-{
+
+size_t strlen(const char *str) {
 	int l = 0;
 	while(*str) {
 		l++;
@@ -58,8 +79,8 @@ int strlen(const char *str)
 	return l;
 }
 
-char* strncat(char *dest, const char *src, unsigned int n)
-{
+
+char* strncat(char *dest, const char *src, size_t n) {
 	unsigned int dest_len = strlen(dest);
 	unsigned int i;
 
@@ -70,8 +91,8 @@ char* strncat(char *dest, const char *src, unsigned int n)
 	return dest;
 }
 
-char* strcat(char *dest, const char *src)
-{
+
+char* strcat(char *dest, const char *src) {
 	unsigned int dest_len = strlen(dest);
 	unsigned int i;
 
@@ -81,35 +102,3 @@ char* strcat(char *dest, const char *src)
 
 	return dest;
 }
-////////////////////////////////////////// code to do 'itoa'
-
-/* reverse:  reverse string s in place */
-void strreverse(char s[])
-{
-    int c, i, j;
-
-    for (i = 0, j = strlen(s)-1; i<j; i++, j--) {
-        c = s[i];
-        s[i] = s[j];
-        s[j] = c;
-    }
-}
-
-/* itoa:  convert n to characters in s */
-void itoa(int n, char s[])
-{
-    int i, sign;
-
-    if ((sign = n) < 0)  /* record sign */
-        n = -n;          /* make n positive */
-    i = 0;
-    do {       /* generate digits in reverse order */
-        s[i++] = n % 10 + '0';   /* get next digit */
-    } while ((n /= 10) > 0);     /* delete it */
-    if (sign < 0)
-        s[i++] = '-';
-    s[i] = '\0';
-    strreverse(s);
-}
-
-//////////////////////////////////////// END 'itoa' CODE

armsrc/string.h

@@ -12,14 +12,14 @@
 #ifndef __STRING_H
 #define __STRING_H
 
-int strlen(const char *str);
-void *memcpy(void *dest, const void *src, int len);
-void *memset(void *dest, int c, int len);
-int memcmp(const void *av, const void *bv, int len);
-char *strncat(char *dest, const char *src, unsigned int n);
-char *strcat(char *dest, const char *src);
-void strreverse(char s[]);
-void itoa(int n, char s[]);
+#include <stddef.h>
 
+void *memcpy(void *dest, const void *src, size_t len);
+void *memset(void *dest, int c, size_t len);
+void *memmove(void *dest, const void *src, size_t len);
+int memcmp(const void *av, const void *bv, size_t len);
+size_t strlen(const char *str);
+char *strncat(char *dest, const char *src, size_t n);
+char *strcat(char *dest, const char *src);
 
 #endif /* __STRING_H */

armsrc/util.c

@@ -12,9 +12,30 @@
 #include "util.h"
 #include "string.h"
 #include "apps.h"
+#include "BigBuf.h"
+
+
+
+void print_result(char *name, uint8_t *buf, size_t len) {
+   uint8_t *p = buf;
+
+   if ( len % 16 == 0 ) {
+	   for(; p-buf < len; p += 16)
+	   Dbprintf("[%s:%d/%d] %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+				name,
+				p-buf,
+				len,
+				p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7],p[8], p[9], p[10], p[11], p[12], p[13], p[14], p[15]
+	   );
+   }
+   else {
+   for(; p-buf < len; p += 8)
+	   Dbprintf("[%s:%d/%d] %02x %02x %02x %02x %02x %02x %02x %02x", name, p-buf, len, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
+   }
+}
 
 size_t nbytes(size_t nbits) {
-	return (nbits/8)+((nbits%8)>0);
+	return (nbits >> 3)+((nbits % 8) > 0);
 }
 
 uint32_t SwapBits(uint32_t value, int nrbits) {
@@ -45,6 +66,21 @@ uint64_t bytes_to_num(uint8_t* src, size_t len)
 	return num;
 }
 
+// RotateLeft - Ultralight, Desfire
+void rol(uint8_t *data, const size_t len){
+	uint8_t first = data[0];
+	for (size_t i = 0; i < len-1; i++) {
+		data[i] = data[i+1];
+	}
+	data[len-1] = first;
+}
+void lsl (uint8_t *data, size_t len) {
+	for (size_t n = 0; n < len - 1; n++) {
+		data[n] = (data[n] << 1) | (data[n+1] >> 7);
+	}
+	data[len - 1] <<= 1;
+}
+
 void LEDsoff()
 {
 	LED_A_OFF();
@@ -53,6 +89,22 @@ void LEDsoff()
 	LED_D_OFF();
 }
 
+void LEDson()
+{
+	LED_A_ON();
+	LED_B_ON();
+	LED_C_ON();
+	LED_D_ON();
+}
+
+void LEDsinvert()
+{
+	LED_A_INV();
+	LED_B_INV();
+	LED_C_INV();
+	LED_D_INV();
+}
+
 // LEDs: R(C) O(A) G(B) -- R(D) [1, 2, 4 and 8]
 void LED(int led, int ms)
 {
@@ -85,8 +137,7 @@ void LED(int led, int ms)
 // not clicked, or held down (for ms || 1sec)
 // In general, don't use this function unless you expect a
 // double click, otherwise it will waste 500ms -- use BUTTON_HELD instead
-int BUTTON_CLICKED(int ms)
-{
+int BUTTON_CLICKED(int ms) {
 	// Up to 500ms in between clicks to mean a double click
 	int ticks = (48000 * (ms ? ms : 1000)) >> 10;
 
@@ -148,8 +199,7 @@ int BUTTON_CLICKED(int ms)
 }
 
 // Determine if a button is held down
-int BUTTON_HELD(int ms)
-{
+int BUTTON_HELD(int ms) {
 	// If button is held for one second
 	int ticks = (48000 * (ms ? ms : 1000)) >> 10;
 
@@ -166,8 +216,7 @@ int BUTTON_HELD(int ms)
 
 	uint16_t start = AT91C_BASE_PWMC_CH0->PWMC_CCNTR;
 
-	for(;;)
-	{
+	for(;;) {
 		uint16_t now = AT91C_BASE_PWMC_CH0->PWMC_CCNTR;
 
 		// As soon as our button let go, we didn't hold long enough
@@ -175,8 +224,7 @@ int BUTTON_HELD(int ms)
 			return BUTTON_SINGLE_CLICK;
 
 		// Have we waited the full second?
-		else
-			if (now == (uint16_t)(start + ticks))
+		else if (now == (uint16_t)(start + ticks))
 				return BUTTON_HOLD;
 
 		WDT_HIT();
@@ -188,8 +236,7 @@ int BUTTON_HELD(int ms)
 
 // attempt at high resolution microsecond timer
 // beware: timer counts in 21.3uS increments (1024/48Mhz)
-void SpinDelayUs(int us)
-{
+void SpinDelayUs(int us) {
 	int ticks = (48*us) >> 10;
 
 	// Borrow a PWM unit for my real-time clock
@@ -210,8 +257,7 @@ void SpinDelayUs(int us)
 	}
 }
 
-void SpinDelay(int ms)
-{
+void SpinDelay(int ms) {
   // convert to uS and call microsecond delay function
 	SpinDelayUs(ms*1000);
 }
@@ -225,17 +271,17 @@ void FormatVersionInformation(char *dst, int len, const char *prefix, void *vers
 {
 	struct version_information *v = (struct version_information*)version_information;
 	dst[0] = 0;
-	strncat(dst, prefix, len);
+	strncat(dst, prefix, len-1);
 	if(v->magic != VERSION_INFORMATION_MAGIC) {
-		strncat(dst, "Missing/Invalid version information", len - strlen(dst) - 1);
+		strncat(dst, "Missing/Invalid version information\n", len - strlen(dst) - 1);
 		return;
 	}
 	if(v->versionversion != 1) {
-		strncat(dst, "Version information not understood", len - strlen(dst) - 1);
+		strncat(dst, "Version information not understood\n", len - strlen(dst) - 1);
 		return;
 	}
 	if(!v->present) {
-		strncat(dst, "Version information not available", len - strlen(dst) - 1);
+		strncat(dst, "Version information not available\n", len - strlen(dst) - 1);
 		return;
 	}
 
@@ -248,41 +294,44 @@ void FormatVersionInformation(char *dst, int len, const char *prefix, void *vers
 
 	strncat(dst, " ", len - strlen(dst) - 1);
 	strncat(dst, v->buildtime, len - strlen(dst) - 1);
+	strncat(dst, "\n", len - strlen(dst) - 1);
 }
 
+
 //  -------------------------------------------------------------------------
 //  timer lib
 //  -------------------------------------------------------------------------
 //  test procedure:
 //
-//	ti = GetTickCount();
-//	SpinDelay(1000);
-//	ti = GetTickCount() - ti;
-//	Dbprintf("timer(1s): %d t=%d", ti, GetTickCount());
+//  ti = GetTickCount();
+//  SpinDelay(1000);
+//  ti = GetTickCount() - ti;
+//  Dbprintf("timer(1s): %d t=%d", ti, GetTickCount());
 
-void StartTickCount()
-{
-//  must be 0x40, but on my cpu - included divider is optimal
-//  0x20 - 1 ms / bit 
-//  0x40 - 2 ms / bit
-
-	AT91C_BASE_RTTC->RTTC_RTMR = AT91C_RTTC_RTTRST + 0x001D; // was 0x003B
+void StartTickCount() {
+	// This timer is based on the slow clock. The slow clock frequency is between 22kHz and 40kHz.
+	// We can determine the actual slow clock frequency by looking at the Main Clock Frequency Register.
+	uint16_t mainf = AT91C_BASE_PMC->PMC_MCFR & 0xffff;     // = 16 * main clock frequency (16MHz) / slow clock frequency
+	// set RealTimeCounter divider to count at 1kHz:
+	AT91C_BASE_RTTC->RTTC_RTMR = AT91C_RTTC_RTTRST | ((256000 + (mainf/2)) / mainf);
+	// note: worst case precision is approx 2.5%
 }
 
+
 /*
 * Get the current count.
 */
-uint32_t RAMFUNC GetTickCount(){
+uint32_t RAMFUNC GetTickCount(void) {
 	return AT91C_BASE_RTTC->RTTC_RTVR;// was * 2;
 }
 
+
 //  -------------------------------------------------------------------------
-//  microseconds timer 
+//  microseconds timer
 //  -------------------------------------------------------------------------
-void StartCountUS()
-{
+void StartCountUS(void) {
 	AT91C_BASE_PMC->PMC_PCER |= (0x1 << 12) | (0x1 << 13) | (0x1 << 14);
-//	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC1XC1S_TIOA0;
+//  AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC1XC1S_TIOA0;
 	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
 
 	// fast clock
@@ -292,22 +341,24 @@ void StartCountUS()
 														AT91C_TC_ACPC_SET | AT91C_TC_ASWTRG_SET;
 	AT91C_BASE_TC0->TC_RA = 1;
 	AT91C_BASE_TC0->TC_RC = 0xBFFF + 1; // 0xC000
-	
-	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; // timer disable  
+
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; // timer disable
 	AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_XC1; // from timer 0
-	
+
 	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;
 	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN;
 	AT91C_BASE_TCB->TCB_BCR = 1;
 	}
 
-uint32_t RAMFUNC GetCountUS(){
-	return (AT91C_BASE_TC1->TC_CV * 0x8000) + ((AT91C_BASE_TC0->TC_CV / 15) * 10);
+
+uint32_t RAMFUNC GetCountUS(void) {
+	return (AT91C_BASE_TC1->TC_CV * 0x8000) + ((AT91C_BASE_TC0->TC_CV * 2) / 3); //was  /15) * 10);
 }
 
+
 static uint32_t GlobalUsCounter = 0;
 
-uint32_t RAMFUNC GetDeltaCountUS(){
+uint32_t RAMFUNC GetDeltaCountUS(void) {
 	uint32_t g_cnt = GetCountUS();
 	uint32_t g_res = g_cnt - GlobalUsCounter;
 	GlobalUsCounter = g_cnt;
@@ -316,76 +367,201 @@ uint32_t RAMFUNC GetDeltaCountUS(){
 
 
 //  -------------------------------------------------------------------------
-//  Timer for iso14443 commands. Uses ssp_clk from FPGA 
+//  Timer for iso14443 commands. Uses ssp_clk from FPGA
 //  -------------------------------------------------------------------------
-void StartCountSspClk()
-{
+void StartCountSspClk(void) {
 	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1) | (1 << AT91C_ID_TC2);  // Enable Clock to all timers
-	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_TIOA1 		// XC0 Clock = TIOA1
-							| AT91C_TCB_TC1XC1S_NONE 		// XC1 Clock = none
-							| AT91C_TCB_TC2XC2S_TIOA0;		// XC2 Clock = TIOA0
+	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_TIOA1       // XC0 Clock = TIOA1
+							| AT91C_TCB_TC1XC1S_NONE        // XC1 Clock = none
+							| AT91C_TCB_TC2XC2S_TIOA0;      // XC2 Clock = TIOA0
 
 	// configure TC1 to create a short pulse on TIOA1 when a rising edge on TIOB1 (= ssp_clk from FPGA) occurs:
-	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; 				// disable TC1
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;               // disable TC1
 	AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK // TC1 Clock = MCK(48MHz)/2 = 24MHz
-							| AT91C_TC_CPCSTOP				// Stop clock on RC compare
-							| AT91C_TC_EEVTEDG_RISING		// Trigger on rising edge of Event
-							| AT91C_TC_EEVT_TIOB			// Event-Source: TIOB1 (= ssp_clk from FPGA = 13,56MHz/16)
-							| AT91C_TC_ENETRG				// Enable external trigger event
-							| AT91C_TC_WAVESEL_UP	 		// Upmode without automatic trigger on RC compare
-							| AT91C_TC_WAVE 				// Waveform Mode
-							| AT91C_TC_AEEVT_SET 			// Set TIOA1 on external event
-							| AT91C_TC_ACPC_CLEAR; 			// Clear TIOA1 on RC Compare
-	AT91C_BASE_TC1->TC_RC = 0x04; 							// RC Compare value = 0x04
+							| AT91C_TC_CPCSTOP              // Stop clock on RC compare
+							| AT91C_TC_EEVTEDG_RISING       // Trigger on rising edge of Event
+							| AT91C_TC_EEVT_TIOB            // Event-Source: TIOB1 (= ssp_clk from FPGA = 13,56MHz/16 ... 13,56MHz/4)
+							| AT91C_TC_ENETRG               // Enable external trigger event
+							| AT91C_TC_WAVESEL_UP           // Upmode without automatic trigger on RC compare
+							| AT91C_TC_WAVE                 // Waveform Mode
+							| AT91C_TC_AEEVT_SET            // Set TIOA1 on external event
+							| AT91C_TC_ACPC_CLEAR;          // Clear TIOA1 on RC Compare
+	AT91C_BASE_TC1->TC_RC = 1;                              // RC Compare value = 1; pulse width to TC0
 
 	// use TC0 to count TIOA1 pulses
-	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;				// disable TC0
-	AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_XC0	 			// TC0 clock = XC0 clock = TIOA1
-							| AT91C_TC_WAVE 				// Waveform Mode
-							| AT91C_TC_WAVESEL_UP	 		// just count
-							| AT91C_TC_ACPA_CLEAR 			// Clear TIOA0 on RA Compare
-							| AT91C_TC_ACPC_SET; 			// Set TIOA0 on RC Compare
-	AT91C_BASE_TC0->TC_RA = 1;								// RA Compare value = 1; pulse width to TC2
-	AT91C_BASE_TC0->TC_RC = 0; 								// RC Compare value = 0; increment TC2 on overflow
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;               // disable TC0
+	AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_XC0              // TC0 clock = XC0 clock = TIOA1
+							| AT91C_TC_WAVE                 // Waveform Mode
+							| AT91C_TC_WAVESEL_UP           // just count
+							| AT91C_TC_ACPA_CLEAR           // Clear TIOA0 on RA Compare
+							| AT91C_TC_ACPC_SET;            // Set TIOA0 on RC Compare
+	AT91C_BASE_TC0->TC_RA = 1;                              // RA Compare value = 1; pulse width to TC2
+	AT91C_BASE_TC0->TC_RC = 0;                              // RC Compare value = 0; increment TC2 on overflow
 
 	// use TC2 to count TIOA0 pulses (giving us a 32bit counter (TC0/TC2) clocked by ssp_clk)
-	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKDIS; 				// disable TC2  
-	AT91C_BASE_TC2->TC_CMR = AT91C_TC_CLKS_XC2	 			// TC2 clock = XC2 clock = TIOA0
-							| AT91C_TC_WAVE 				// Waveform Mode
-							| AT91C_TC_WAVESEL_UP;	 		// just count
-	
-	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;				// enable TC0
-	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN;				// enable TC1
-	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN;				// enable TC2
+	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKDIS;               // disable TC2
+	AT91C_BASE_TC2->TC_CMR = AT91C_TC_CLKS_XC2              // TC2 clock = XC2 clock = TIOA0
+							| AT91C_TC_WAVE                 // Waveform Mode
+							| AT91C_TC_WAVESEL_UP;          // just count
+
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;                // enable TC0
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN;                // enable TC1
+	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN;                // enable TC2
 
 	//
-	// synchronize the counter with the ssp_frame signal. Note: FPGA must be in any iso14446 mode, otherwise the frame signal would not be present 
+	// synchronize the counter with the ssp_frame signal. Note: FPGA must be in a FPGA mode with SSC transfer, otherwise SSC_FRAME and SSC_CLK signals would not be present
 	//
-	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME)); 	// wait for ssp_frame to go high (start of frame)
-	while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME); 		// wait for ssp_frame to be low
-	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); 	// wait for ssp_clk to go high
-	// note: up to now two ssp_clk rising edges have passed since the rising edge of ssp_frame
+	while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME);      // wait for ssp_frame to be low
+	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME));   // wait for ssp_frame to go high (start of frame)
+	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));     // wait for ssp_clk to go high; 1st ssp_clk after start of frame
+	while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);        // wait for ssp_clk to go low;
+	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));     // wait for ssp_clk to go high; 2nd ssp_clk after start of frame
+	if ((AT91C_BASE_SSC->SSC_RFMR & SSC_FRAME_MODE_BITS_IN_WORD(32)) == SSC_FRAME_MODE_BITS_IN_WORD(16)) { // 16bit frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 3rd ssp_clk after start of frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 4th ssp_clk after start of frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 5th ssp_clk after start of frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 6th ssp_clk after start of frame
+	}
 	// it is now safe to assert a sync signal. This sets all timers to 0 on next active clock edge
-	AT91C_BASE_TCB->TCB_BCR = 1;							// assert Sync (set all timers to 0 on next active clock edge)
-	// at the next (3rd) ssp_clk rising edge, TC1 will be reset (and not generate a clock signal to TC0)
-	// at the next (4th) ssp_clk rising edge, TC0 (the low word of our counter) will be reset. From now on,
-	// whenever the last three bits of our counter go 0, we can be sure to be in the middle of a frame transfer.
-	// (just started with the transfer of the 4th Bit).
+	AT91C_BASE_TCB->TCB_BCR = 1;                            // assert Sync (set all timers to 0 on next active clock edge)
+	// at the next (3rd/7th) ssp_clk rising edge, TC1 will be reset (and not generate a clock signal to TC0)
+	// at the next (4th/8th) ssp_clk rising edge, TC0 (the low word of our counter) will be reset. From now on,
+	// whenever the last three/four bits of our counter go 0, we can be sure to be in the middle of a frame transfer.
+
 	// The high word of the counter (TC2) will not reset until the low word (TC0) overflows. Therefore need to wait quite some time before
 	// we can use the counter.
-	while (AT91C_BASE_TC0->TC_CV < 0xFFF0);
+	while (AT91C_BASE_TC0->TC_CV < 0xFFFF);
+	// Note: needs one more SSP_CLK cycle (1.18 us) until TC2 resets. Don't call GetCountSspClk() that soon.
 }
 
 
-uint32_t RAMFUNC GetCountSspClk(){
-	uint32_t tmp_count;
-	tmp_count = (AT91C_BASE_TC2->TC_CV << 16) | AT91C_BASE_TC0->TC_CV;
-	if ((tmp_count & 0x0000ffff) == 0) { //small chance that we may have missed an increment in TC2
-		return (AT91C_BASE_TC2->TC_CV << 16);
-	} 
-	else {
-		return tmp_count;
+void ResetSspClk(void) {
+	//enable clock of timer and software trigger
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	while (AT91C_BASE_TC2->TC_CV > 0);
+}
+
+uint32_t GetCountSspClk(){
+	uint32_t hi, lo;
+
+	do { 
+		hi = AT91C_BASE_TC2->TC_CV;
+		lo = AT91C_BASE_TC0->TC_CV;
+	} while (hi != AT91C_BASE_TC2->TC_CV);
+	
+	return (hi << 16) | lo;
+}
+
+//  -------------------------------------------------------------------------
+//  Timer for bitbanging, or LF stuff when you need a very precis timer
+//  1us = 1.5ticks
+//  -------------------------------------------------------------------------
+void StartTicks(void){
+	// initialization of the timer
+	AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1);
+	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
+
+	// disable TC0 and TC1 for re-configuration
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+
+	// first configure TC1 (higher, 0xFFFF0000) 16 bit counter
+	AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_XC1; // just connect to TIOA0 from TC0
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; // re-enable timer and wait for TC0
+
+	// second configure TC0 (lower, 0x0000FFFF) 16 bit counter
+	AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK | // MCK(48MHz) / 32
+							 AT91C_TC_WAVE | AT91C_TC_WAVESEL_UP_AUTO |
+							 AT91C_TC_ACPA_CLEAR | // RA comperator clears TIOA (carry bit)
+							 AT91C_TC_ACPC_SET |   // RC comperator sets TIOA (carry bit)
+							 AT91C_TC_ASWTRG_SET;  // SWTriger sets TIOA (carry bit)
+	AT91C_BASE_TC0->TC_RC  = 0; // set TIOA (carry bit) on overflow, return to zero
+	AT91C_BASE_TC0->TC_RA  = 1; // clear carry bit on next clock cycle
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; // reset and re-enable timer
+
+	// synchronized startup procedure
+	while (AT91C_BASE_TC0->TC_CV > 0); // wait until TC0 returned to zero
+	while (AT91C_BASE_TC0->TC_CV < 2); // and has started (TC_CV > TC_RA, now TC1 is cleared)
+
+	// return to zero
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+	while (AT91C_BASE_TC0->TC_CV > 0);
+}
+
+
+uint32_t GetTicks(void) {
+	uint32_t hi, lo;
+
+	do {
+		hi = AT91C_BASE_TC1->TC_CV;
+		lo = AT91C_BASE_TC0->TC_CV;
+	} while(hi != AT91C_BASE_TC1->TC_CV);
+
+	return (hi << 16) | lo;
+}
+
+
+// Wait - Spindelay in ticks.
+// if called with a high number, this will trigger the WDT...
+void WaitTicks(uint32_t ticks){
+	if ( ticks == 0 ) return;
+	ticks += GetTicks();
+	while (GetTicks() < ticks);
+}
+
+
+// Wait / Spindelay in us (microseconds)
+// 1us = 1.5ticks.
+void WaitUS(uint16_t us){
+	WaitTicks( (uint32_t)us * 3 / 2 ) ;
+}
+
+
+void WaitMS(uint16_t ms){
+	WaitTicks( (uint32_t)ms * 1500 );
+}
+
+
+// Starts Clock and waits until its reset
+void ResetTicks(void){
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	while (AT91C_BASE_TC0->TC_CV > 0);
+}
+
+
+void ResetTimer(AT91PS_TC timer){
+	timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	while(timer->TC_CV > 0) ;
+}
+
+
+// stop clock
+void StopTicks(void){
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+}
+
+
+static uint64_t next_random = 1;
+
+/* Generates a (non-cryptographically secure) 32-bit random number.
+ *
+ * We don't have an implementation of the "rand" function or a clock to seed it
+ * with, so we just call GetTickCount the first time to seed ourselves.
+ */
+uint32_t prand() {
+	if (next_random == 1) {
+		next_random = GetTickCount();
 	}
+
+	next_random = next_random * 6364136223846793005 + 1;
+	return (uint32_t)(next_random >> 32) % 0xffffffff;
 }
-
-

armsrc/util.h

@@ -8,46 +8,77 @@
 // Utility functions used in many places, not specific to any piece of code.
 //-----------------------------------------------------------------------------
 
-#ifndef __UTIL_H
-#define __UTIL_H
+#ifndef UTIL_H__
+#define UTIL_H__
 
 #include <stddef.h>
 #include <stdint.h>
-#include <common.h>
+#include "common.h"
+#include "at91sam7s512.h"
 
 #define BYTEx(x, n) (((x) >> (n * 8)) & 0xff )
 
-#define LED_RED 1
+#define LED_RED    1
 #define LED_ORANGE 2
-#define LED_GREEN 4
-#define LED_RED2 8
-#define BUTTON_HOLD 1
-#define BUTTON_NO_CLICK 0
-#define BUTTON_SINGLE_CLICK -1
-#define BUTTON_DOUBLE_CLICK -2
-#define BUTTON_ERROR -99
+#define LED_GREEN  4
+#define LED_RED2   8
 
-size_t nbytes(size_t nbits);
-uint32_t SwapBits(uint32_t value, int nrbits);
-void num_to_bytes(uint64_t n, size_t len, uint8_t* dest);
-uint64_t bytes_to_num(uint8_t* src, size_t len);
+#define BUTTON_HOLD           1
+#define BUTTON_NO_CLICK       0
+#define BUTTON_SINGLE_CLICK  -1
+#define BUTTON_DOUBLE_CLICK  -2
+#define BUTTON_ERROR        -99
 
-void SpinDelay(int ms);
-void SpinDelayUs(int us);
-void LED(int led, int ms);
-void LEDsoff();
-int BUTTON_CLICKED(int ms);
-int BUTTON_HELD(int ms);
-void FormatVersionInformation(char *dst, int len, const char *prefix, void *version_information);
+#define REV8(x)  ((((x)>>7)&1)|((((x)>>6)&1)<<1)|((((x)>>5)&1)<<2)|((((x)>>4)&1)<<3)|((((x)>>3)&1)<<4)|((((x)>>2)&1)<<5)|((((x)>>1)&1)<<6)|(((x)&1)<<7))
+#define REV16(x) (REV8(x)  | (REV8 (x >> 8) << 8))
+#define REV32(x) (REV16(x) | (REV16(x >> 16) << 16))
+#define REV64(x) (REV32(x) | (REV32(x >> 32) << 32))
 
-void StartTickCount();
-uint32_t RAMFUNC GetTickCount();
+extern void print_result(char *name, uint8_t *buf, size_t len);
+extern size_t nbytes(size_t nbits);
+extern uint32_t SwapBits(uint32_t value, int nrbits);
+extern void num_to_bytes(uint64_t n, size_t len, uint8_t* dest);
+extern uint64_t bytes_to_num(uint8_t* src, size_t len);
+extern void rol(uint8_t *data, const size_t len);
+extern void lsl (uint8_t *data, size_t len);
 
-void StartCountUS();
-uint32_t RAMFUNC GetCountUS();
-uint32_t RAMFUNC GetDeltaCountUS();
+extern void LED(int led, int ms);
+extern void LEDsoff();
+extern void LEDson();
+extern void LEDsinvert();
+extern int BUTTON_CLICKED(int ms);
+extern int BUTTON_HELD(int ms);
+extern void FormatVersionInformation(char *dst, int len, const char *prefix, void *version_information);
 
-void StartCountSspClk();
-uint32_t RAMFUNC GetCountSspClk();
+//iceman's ticks.h
+#ifndef GET_TICKS
+# define GET_TICKS GetTicks()
+#endif
+
+extern void SpinDelay(int ms);
+extern void SpinDelayUs(int us);
+
+extern void StartTickCount();
+extern uint32_t RAMFUNC GetTickCount();
+
+extern void StartCountUS();
+extern uint32_t RAMFUNC GetCountUS();
+extern uint32_t RAMFUNC GetDeltaCountUS();
+
+extern void StartCountSspClk();
+extern void ResetSspClk(void);
+extern uint32_t GetCountSspClk();
+
+extern void StartTicks(void);
+extern uint32_t GetTicks(void);
+extern void WaitTicks(uint32_t ticks);
+extern void WaitUS(uint16_t us);
+extern void WaitMS(uint16_t ms);
+extern void ResetTicks();
+extern void ResetTimer(AT91PS_TC timer);
+extern void StopTicks(void);
+// end iceman's ticks.h
+
+extern uint32_t prand();
 
 #endif

bootrom/Makefile

@@ -7,9 +7,10 @@
 #-----------------------------------------------------------------------------
 
 # DO NOT use thumb mode in the phase 1 bootloader since that generates a section with glue code
-ARMSRC = 
-THUMBSRC = cmd.c usb_cdc.c bootrom.c
+ARMSRC = string.c
+THUMBSRC = usb_cdc.c bootrom.c
 ASMSRC = ram-reset.s flash-reset.s
+VERSIONSRC = version.c
 
 ## There is a strange bug with the linker: Sometimes it will not emit the glue to call
 ## BootROM from ARM mode. The symbol is emitted, but the section will be filled with
@@ -18,9 +19,13 @@ ASMSRC = ram-reset.s flash-reset.s
 # ARMSRC := $(ARMSRC) $(THUMBSRC)
 # THUMBSRC := 
 
-# stdint.h provided locally until GCC 4.5 becomes C99 compliant
 APP_CFLAGS = -I.
 
+# version.c should be remade on every compilation
+.PHONY: version.c
+version.c: default_version.c
+	perl ../tools/mkversion.pl .. > $@ || $(COPY) $^ $@
+
 # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
 include ../common/Makefile.common
 

bootrom/bootrom.c

@@ -6,17 +6,15 @@
 // Main code for the bootloader
 //-----------------------------------------------------------------------------
 
-#include <proxmark3.h>
+#include "proxmark3.h"
 #include "usb_cdc.h"
-#include "cmd.h"
-//#include "usb_hid.h"
 
 void DbpString(char *str) {
-  byte_t len = 0;
+  uint8_t len = 0;
   while (str[len] != 0x00) {
     len++;
   }
-  cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
+  cmd_send_old(CMD_DEBUG_PRINT_STRING,len,0,0,(uint8_t*)str,len);
 }
 
 struct common_area common_area __attribute__((section(".commonarea")));
@@ -89,28 +87,22 @@ static void Fatal(void)
   for(;;);
 }
 
-void UsbPacketReceived(uint8_t *packet, int len) {
+void UsbPacketReceived(UsbCommand *c) {
   int i, dont_ack=0;
-  UsbCommand* c = (UsbCommand *)packet;
   volatile uint32_t *p;
   
-  if(len != sizeof(UsbCommand)) {
-    Fatal();
-  }
-  
   uint32_t arg0 = (uint32_t)c->arg[0];
   
   switch(c->cmd) {
     case CMD_DEVICE_INFO: {
       dont_ack = 1;
-//      c->cmd = CMD_DEVICE_INFO;
-      arg0 = DEVICE_INFO_FLAG_BOOTROM_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM |
-      DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH;
+      arg0 = DEVICE_INFO_FLAG_BOOTROM_PRESENT 
+		| DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM
+		| DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH;
       if(common_area.flags.osimage_present) {
         arg0 |= DEVICE_INFO_FLAG_OSIMAGE_PRESENT;
       }
-//      UsbSendPacket(packet, len);
-      cmd_send(CMD_DEVICE_INFO,arg0,1,2,0,0);
+      cmd_send_old(CMD_DEVICE_INFO,arg0,1,2,0,0);
     } break;
       
     case CMD_SETUP_WRITE: {
@@ -125,10 +117,8 @@ void UsbPacketReceived(uint8_t *packet, int len) {
       
     case CMD_FINISH_WRITE: {
       uint32_t* flash_mem = (uint32_t*)(&_flash_start);
-//      p = (volatile uint32_t *)&_flash_start;
       for (size_t j=0; j<2; j++) {
         for(i = 0+(64*j); i < 64+(64*j); i++) {
-          //p[i+60] = c->d.asDwords[i];
           flash_mem[i] = c->d.asDwords[i];
         }
         
@@ -138,16 +128,13 @@ void UsbPacketReceived(uint8_t *packet, int len) {
         if( ((flash_address+AT91C_IFLASH_PAGE_SIZE-1) >= end_addr) || (flash_address < start_addr) ) {
           /* Disallow write */
           dont_ack = 1;
-          //        c->cmd = CMD_NACK;
-          //        UsbSendPacket(packet, len);
-          cmd_send(CMD_NACK,0,0,0,0,0);
+          cmd_send_old(CMD_NACK,0,0,0,0,0);
         } else {
           uint32_t page_n = (flash_address - ((uint32_t)flash_mem)) / AT91C_IFLASH_PAGE_SIZE;
           /* Translate address to flash page and do flash, update here for the 512k part */
           AT91C_BASE_EFC0->EFC_FCR = MC_FLASH_COMMAND_KEY |
           MC_FLASH_COMMAND_PAGEN(page_n) |
           AT91C_MC_FCMD_START_PROG;
-          //        arg0 = (address - ((uint32_t)flash_s));
         }
         
         // Wait until flashing of page finishes
@@ -155,15 +142,12 @@ void UsbPacketReceived(uint8_t *packet, int len) {
         while(!((sr = AT91C_BASE_EFC0->EFC_FSR) & AT91C_MC_FRDY));
         if(sr & (AT91C_MC_LOCKE | AT91C_MC_PROGE)) {
           dont_ack = 1;
-          //        c->cmd = CMD_NACK;
-          cmd_send(CMD_NACK,0,0,0,0,0);
-          //        UsbSendPacket(packet, len);
+          cmd_send_old(CMD_NACK,0,0,0,0,0);
         }
       }
     } break;
       
     case CMD_HARDWARE_RESET: {
-//      USB_D_PLUS_PULLUP_OFF();
       usb_disable();
       AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
     } break;
@@ -189,9 +173,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
         } else {
           start_addr = end_addr = 0;
           dont_ack = 1;
-//          c->cmd = CMD_NACK;
-//          UsbSendPacket(packet, len);
-          cmd_send(CMD_NACK,0,0,0,0,0);
+          cmd_send_old(CMD_NACK,0,0,0,0,0);
         }
       }
     } break;
@@ -202,9 +184,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
   }
   
   if(!dont_ack) {
-//    c->cmd = CMD_ACK;
-//    UsbSendPacket(packet, len);
-    cmd_send(CMD_ACK,arg0,0,0,0,0);
+    cmd_send_old(CMD_ACK,arg0,0,0,0,0);
   }
 }
 
@@ -213,29 +193,20 @@ static void flash_mode(int externally_entered)
 	start_addr = 0;
 	end_addr = 0;
 	bootrom_unlocked = 0;
-  byte_t rx[sizeof(UsbCommand)];
-	size_t rx_len;
+    UsbCommand rx;
 
-  usb_enable();
-  for (volatile size_t i=0; i<0x100000; i++);
+	usb_enable();
+	for (volatile size_t i=0; i<0x100000; i++) {};
 
-//	UsbStart();
 	for(;;) {
 		WDT_HIT();
 
-    if (usb_poll()) {
-      rx_len = usb_read(rx,sizeof(UsbCommand));
-      if (rx_len) {
-//        DbpString("starting to flash");
-        UsbPacketReceived(rx,rx_len);
-      }
-    }
-
-//		UsbPoll(TRUE);
+		if (cmd_receive(&rx)) {
+			UsbPacketReceived(&rx);
+		}
 
 		if(!externally_entered && !BUTTON_PRESS()) {
 			/* Perform a reset to leave flash mode */
-//			USB_D_PLUS_PULLUP_OFF();
       usb_disable();
 			LED_B_ON();
 			AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;

bootrom/string.c

@@ -0,0 +1,104 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, Sept 2005
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Common string.h functions
+//-----------------------------------------------------------------------------
+
+#include "string.h"
+#include <stdint.h>
+
+void *memcpy(void *dest, const void *src, size_t len) {
+	uint8_t *d = dest;
+	const uint8_t *s = src;
+	while((len--) > 0) {
+		*d = *s;
+		d++;
+		s++;
+	}
+	return dest;
+}
+
+
+void *memset(void *dest, int c, size_t len) {
+	uint8_t *d = dest;
+	while((len--) > 0) {
+		*d = c;
+		d++;
+	}
+	return dest;
+}
+
+
+void *memmove(void *dest, const void *src, size_t len) {
+	uint8_t *d = dest;
+	const uint8_t *s = src;
+	if (dest <= src) {
+		while((len--) > 0) {
+			*d = *s;
+			d++;
+			s++;
+		} 
+	} else {
+		d = d + len - 1;
+		s = s + len - 1;
+		while((len--) > 0) {
+			*d = *s;
+			d--;
+			s--;
+		}
+	}
+	return dest;
+}
+
+
+int memcmp(const void *av, const void *bv, size_t len) {
+	const uint8_t *a = av;
+	const uint8_t *b = bv;
+
+	while((len--) > 0) {
+		if(*a != *b) {
+			return *a - *b;
+		}
+		a++;
+		b++;
+	}
+	return 0;
+}
+
+
+size_t strlen(const char *str) {
+	int l = 0;
+	while(*str) {
+		l++;
+		str++;
+	}
+	return l;
+}
+
+
+char* strncat(char *dest, const char *src, size_t n) {
+	unsigned int dest_len = strlen(dest);
+	unsigned int i;
+
+	for (i = 0 ; i < n && src[i] != '\0' ; i++)
+		dest[dest_len + i] = src[i];
+	dest[dest_len + i] = '\0';
+
+	return dest;
+}
+
+
+char* strcat(char *dest, const char *src) {
+	unsigned int dest_len = strlen(dest);
+	unsigned int i;
+
+	for (i = 0 ; src[i] != '\0' ; i++)
+		dest[dest_len + i] = src[i];
+	dest[dest_len + i] = '\0';
+
+	return dest;
+}

bootrom/string.h

@@ -1,27 +1,25 @@
 //-----------------------------------------------------------------------------
+// Jonathan Westhues, Aug 2005
 // Copyright (C) 2010 Hector Martin "marcan" <marcan@marcansoft.com>
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
 // the license.
 //-----------------------------------------------------------------------------
-// Replacement stdint.h because GCC doesn't come with it yet (C99)
+// Common string.h functions
 //-----------------------------------------------------------------------------
 
-#ifndef __STDINT_H
-#define __STDINT_H
+#ifndef __STRING_H
+#define __STRING_H
 
-typedef signed char				int8_t;
-typedef short int				int16_t;
-typedef int						int32_t;
-typedef long long int			int64_t;
+#include <stddef.h>
 
-typedef unsigned char			uint8_t;
-typedef unsigned short int		uint16_t;
-typedef unsigned int			uint32_t;
-typedef unsigned long long int	uint64_t;
+void *memcpy(void *dest, const void *src, size_t len);
+void *memset(void *dest, int c, size_t len);
+void *memmove(void *dest, const void *src, size_t len);
+int memcmp(const void *av, const void *bv, size_t len);
+size_t strlen(const char *str);
+char *strncat(char *dest, const char *src, size_t n);
+char *strcat(char *dest, const char *src);
 
-typedef int						intptr_t;
-typedef unsigned int			uintptr_t;
-
-#endif /* __STDINT_H */
+#endif /* __STRING_H */

client/Info.plist

@@ -1,30 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd ">
-<plist version="1.0">
-<dict>
-	<key>CFBundleDevelopmentRegion</key> <string>English</string>
-	<key>CFBundleIdentifier</key> <string>org.proxmark</string>
-	<key>CFBundleIconFile</key> <string></string>
-	<key>CFBundleInfoDictionaryVersion</key> <string>6.0</string>
-	<key>CFBundlePackageType</key> <string>KEXT</string>
-	<key>CFBundleSignature</key> <string>????</string>
-	<key>CFBundleVersion</key> <string>1.0.0</string>
-	<key>IOKitPersonalities</key>
-	<dict>
-		<key>Proxmark3</key>
-		<dict>
-			<key>CFBundleIdentifier</key><string>com.apple.kernel.iokit</string>
-			<key>IOClass</key><string>IOService</string>
-			<key>IOProviderClass</key><string>IOUSBInterface</string>
-			<key>bConfigurationValue</key> <integer>1</integer>
-			<key>bInterfaceNumber</key> <integer>0</integer>
-			<key>idProduct</key><integer>19343</integer>
-			<key>idVendor</key><integer>39620</integer>
-		</dict>
-	</dict>
-	<key>OSBundleLibraries</key>
-	<dict>
-		<key>com.apple.iokit.IOUSBFamily</key><string>1.8</string>
-	</dict>
-</dict>
-</plist>

client/Makefile

@@ -3,70 +3,178 @@
 # at your option, any later version. See the LICENSE.txt file for the text of
 # the license.
 #-----------------------------------------------------------------------------
-include ../common/Makefile.common
 
+CC = gcc
+CXX = g++
+LD = g++
+TAR = tar
+TARFLAGS = -C .. --ignore-failed-read -rvf
+RM = rm -f
+MV = mv
 
-CC=gcc
-CXX=g++
-#COMMON_FLAGS = -m32
-
-VPATH = ../common
+ENV_LDFLAGS := $(LDFLAGS)
+ENV_CFLAGS := $(CFLAGS)
+VPATH = ../common ../zlib ../uart
 OBJDIR = obj
 
-LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread ../liblua/liblua.a
-LDFLAGS = $(COMMON_FLAGS)
-CFLAGS = -std=c99 -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4 
-LUAPLATFORM = generic
+LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread -lm
+LUALIB = ../liblua/liblua.a
+JANSSONLIBPATH = ./jansson
+JANSSONLIB = $(JANSSONLIBPATH)/libjansson.a
+MBEDTLSLIBPATH = ../common/mbedtls
+MBEDTLSLIB = $(MBEDTLSLIBPATH)/libmbedtls.a
+CBORLIBPATH = ./tinycbor
+CBORLIB = $(CBORLIBPATH)/tinycbor.a
+LIBINCLUDES = -I../zlib -I../uart -I../liblua -I$(MBEDTLSLIBPATH) -I$(JANSSONLIBPATH) -I$(CBORLIBPATH)
+INCLUDES_CLIENT = -I. -I../include -I../common -I/opt/local/include $(LIBINCLUDES)
+LDFLAGS = $(ENV_LDFLAGS)
+CFLAGS = $(ENV_CFLAGS) -std=c99 -D_ISOC99_SOURCE $(INCLUDES_CLIENT) -Wall -g -O3
+CXXFLAGS = -I../include -Wall -O3
+
+APP_CFLAGS =
+include ../common/Makefile_Enabled_Options.common
+CFLAGS += $(APP_CFLAGS)
+ifneq (,$(findstring WITH_SMARTCARD,$(APP_CFLAGS)))
+	SRC_SMARTCARD = cmdsmartcard.c pcsc.c
+else
+	SRC_SMARTCARD = 
+endif
+
+platform = $(shell uname)
 
 ifneq (,$(findstring MINGW,$(platform)))
-CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui
-QTLDLIBS = -L$(QTDIR)/lib -lQtCore4 -lQtGui4
-MOC = $(QTDIR)/bin/moc
-LUAPLATFORM = mingw
-else ifeq ($(platform),Darwin)
-#CXXFLAGS = -I/Library/Frameworks/QtGui.framework/Versions/Current/Headers -I/Library/Frameworks/QtCore.framework/Versions/Current/Headers
-#QTLDLIBS = -framework QtGui -framework QtCore
-CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui
-QTLDLIBS = -F/opt/local/Library/Frameworks -framework QtGui -framework QtCore
-MOC = moc 
-LUAPLATFORM = macosx
+	PCSC_INCLUDES :=
+	PCSC_LIBS = -lwinscard
 else
-CXXFLAGS = $(shell pkg-config --cflags QtCore QtGui 2>/dev/null) -Wall -O4
-QTLDLIBS = $(shell pkg-config --libs QtCore QtGui 2>/dev/null)
-MOC = $(shell pkg-config --variable=moc_location QtCore)
-LDLIBS +=  -ldl
+	ifeq ($(platform),Darwin)
+		PCSC_INCLUDES = 
+		PCSC_LIBS = -framework PCSC
+	else
+		PCSC_INCLUDES := $(shell pkg-config --cflags libpcsclite)
+		PCSC_LIBS := $(shell pkg-config --libs libpcsclite)
+	endif
+endif
 
-# Below is a variant you can use if you have problems compiling with QT5 on ubuntu. see http://www.proxmark.org/forum/viewtopic.php?id=1661 for more info. 
-#MOC = /usr/lib/x86_64-linux-gnu/qt4/bin/moc
-LUAPLATFORM = linux
+LUAPLATFORM = generic
+ifneq (,$(findstring MINGW,$(platform)))
+		LUAPLATFORM = mingw
+else
+	ifeq ($(platform),Darwin)
+		LUAPLATFORM = macosx
+		OBJCSRCS = util_darwin.m
+		LDFLAGS += -framework Foundation -framework AppKit
+	else
+		LUALIB +=  -ldl
+		LDLIBS +=  -ltermcap -lncurses
+		LUAPLATFORM = linux
+	endif
+endif
+
+ifneq (,$(findstring WITH_GUI,$(APP_CFLAGS)))
+	# Check for correctly configured Qt5
+	QTINCLUDES = $(shell pkg-config --cflags Qt5Core Qt5Widgets 2>/dev/null)
+	QTLDLIBS = $(shell pkg-config --libs Qt5Core Qt5Widgets 2>/dev/null)
+	MOC = $(shell pkg-config --variable=host_bins Qt5Core)/moc
+	UIC = $(shell pkg-config --variable=host_bins Qt5Core)/uic
+	ifeq ($(QTINCLUDES), )
+	# if Qt5 not found check for correctly configured Qt4	
+		QTINCLUDES = $(shell pkg-config --cflags QtCore QtGui 2>/dev/null)
+		QTLDLIBS = $(shell pkg-config --libs QtCore QtGui 2>/dev/null)
+		MOC = $(shell pkg-config --variable=moc_location QtCore)
+		UIC = $(shell pkg-config --variable=uic_location QtCore)
+	else
+		CXXFLAGS += -std=c++11 -fPIC
+	endif
+	ifeq ($(QTINCLUDES), )
+	# if both pkg-config commands failed, search in common places
+		ifneq ($(QTDIR), )
+			QTINCLUDES = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui
+			QTLDLIBS = -L$(QTDIR)/lib -lQtCore4 -lQtGui4
+			ifneq ($(wildcard $(QTDIR)/include/QtWidgets),)
+				QTINCLUDES += -I$(QTDIR)/include/QtWidgets
+				QTLDLIBS = -L$(QTDIR)/lib -lQt5Widgets -lQt5Gui -lQt5Core
+				CXXFLAGS += -std=c++11 -fPIC
+			endif
+			MOC = $(QTDIR)/bin/moc
+			UIC = $(QTDIR)/bin/uic
+		endif
+	endif
 endif
 
 
-ifneq ($(QTLDLIBS),)
-QTGUI = $(OBJDIR)/proxgui.o $(OBJDIR)/proxguiqt.o $(OBJDIR)/proxguiqt.moc.o
-CFLAGS += -DHAVE_GUI
-LINK.o = $(LINK.cpp)
+ifneq ($(QTLDLIBS), )
+    QTGUIOBJS = $(OBJDIR)/proxgui.o $(OBJDIR)/proxguiqt.o $(OBJDIR)/proxguiqt.moc.o
+    CFLAGS += -DHAVE_GUI
 else
-QTGUI = guidummy.o
+    QTGUIOBJS = $(OBJDIR)/guidummy.o
 endif
 
-CORESRCS = 	uart.c \
-		util.c \
-		sleep.c
+# Flags to generate temporary dependency files
+DEPFLAGS = -MT $@ -MMD -MP -MF $(OBJDIR)/$*.Td
+# make temporary to final dependeny files after successful compilation
+POSTCOMPILE = $(MV) -f $(OBJDIR)/$*.Td $(OBJDIR)/$*.d
 
 
-CMDSRCS = 	nonce2key/crapto1.c\
-		nonce2key/crypto1.c\
-		nonce2key/nonce2key.c\
-			mifarehost.c\
+CORESRCS = 	uart_posix.c \
+			uart_win32.c \
+			util.c \
+			util_posix.c \
+			ui.c \
+			comms.c
+
+CMDSRCS = 	$(SRC_SMARTCARD) \
+			crapto1/crapto1.c\
+			crapto1/crypto1.c\
+			crypto/libpcrypto.c\
+			crypto/asn1utils.c\
+			crypto/asn1dump.c\
+			cliparser/argtable3.c\
+			cliparser/cliparser.c\
+			fido/additional_ca.c \
+			fido/cose.c \
+			fido/cbortools.c \
+			fido/fidocore.c \
+			mifare/mfkey.c \
+			loclass/cipher.c \
+			loclass/cipherutils.c \
+			loclass/ikeys.c \
+			loclass/elite_crack.c\
+			loclass/fileutils.c\
+			whereami.c\
+			mifare/mifarehost.c\
+			mifare/mifare4.c\
+			mifare/mad.c \
+			mifare/ndef.c \
+			parity.c\
+			crc.c \
 			crc16.c \
+			crc64.c \
 			iso14443crc.c \
 			iso15693tools.c \
-			data.c \
 			graph.c \
-			ui.c \
 			cmddata.c \
+			lfdemod.c \
+			emv/crypto_polarssl.c\
+			emv/crypto.c\
+			emv/emv_pk.c\
+			emv/emv_pki.c\
+			emv/emv_pki_priv.c\
+			emv/test/cryptotest.c\
+			emv/apduinfo.c\
+			emv/dump.c\
+			emv/tlv.c\
+			emv/emv_tags.c\
+			emv/dol.c\
+			emv/emvjson.c\
+			emv/emvcore.c\
+			emv/test/crypto_test.c\
+			emv/test/sda_test.c\
+			emv/test/dda_test.c\
+			emv/test/cda_test.c\
+			emv/cmdemv.c\
+			emv/emv_roca.c \
 			cmdhf.c \
+			cmdhflist.c \
 			cmdhf14a.c \
 			cmdhf14b.c \
 			cmdhf15.c \
@@ -74,77 +182,200 @@ CMDSRCS = 	nonce2key/crapto1.c\
 			cmdhflegic.c \
 			cmdhficlass.c \
 			cmdhfmf.c \
+			cmdhfmfp.c \
+			cmdhfmfu.c \
+			cmdhfmfhard.c \
+			hardnested/hardnested_bruteforce.c \
+			cmdhftopaz.c \
+			cmdhffido.c \
 			cmdhw.c \
 			cmdlf.c \
-			cmdlfhid.c \
-			cmdlfio.c \
+			cmdlfawid.c \
+			cmdlfcotag.c\
 			cmdlfem4x.c \
+			cmdlffdx.c \
+			cmdlfgproxii.c \
+			hidcardformatutils.c\
+			hidcardformats.c\
+			cmdlfhid.c \
 			cmdlfhitag.c \
+			cmdlfio.c \
+			cmdlfindala.c \
+			cmdlfjablotron.c \
+			cmdlfnexwatch.c \
+			cmdlfnoralsy.c \
+			cmdlfparadox.c \
+			cmdlfpcf7931.c \
+			cmdlfpresco.c \
+			cmdlfpyramid.c \
+			cmdlfsecurakey.c \
+			cmdlft55xx.c \
 			cmdlfti.c \
+			cmdlfviking.c\
+			cmdlfvisa2000.c\
+			cmdlfpac.c\
 			cmdparser.c \
 			cmdmain.c \
-			cmdlft55xx.c \
-			cmdlfpcf7931.c\
-			pm3_binlib.c\
 			scripting.c\
 			cmdscript.c\
+			pm3_binlib.c\
 			pm3_bitlib.c\
+			protocols.c\
+			taginfo.c
 
+cpu_arch = $(shell uname -m)
+ifneq ($(findstring 86, $(cpu_arch)), )
+	MULTIARCHSRCS = hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c
+endif
+ifneq ($(findstring amd64, $(cpu_arch)), )
+	MULTIARCHSRCS = hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c
+endif
+ifeq ($(MULTIARCHSRCS), )
+	CMDSRCS += hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c
+endif
+
+ZLIBSRCS = deflate.c adler32.c trees.c zutil.c inflate.c inffast.c inftrees.c
+ZLIBFLAGS = -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED 
+#-DDEBUG -Dverbose=1
+
+QTGUISRCS = proxgui.cpp proxguiqt.cpp proxguiqt.moc.cpp guidummy.cpp
 
 COREOBJS = $(CORESRCS:%.c=$(OBJDIR)/%.o)
 CMDOBJS = $(CMDSRCS:%.c=$(OBJDIR)/%.o)
+OBJCOBJS = $(OBJCSRCS:%.m=$(OBJDIR)/%.o)
+ZLIBOBJS = $(ZLIBSRCS:%.c=$(OBJDIR)/%.o)
+MULTIARCHOBJS = $(MULTIARCHSRCS:%.c=$(OBJDIR)/%_NOSIMD.o) \
+			$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_MMX.o) \
+			$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_SSE2.o) \
+			$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX.o) \
+			$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX2.o)
 
-RM = rm -f
-BINS = proxmark3 flasher #snooper cli
-CLEAN = cli cli.exe flasher flasher.exe proxmark3 proxmark3.exe snooper snooper.exe $(CMDOBJS) $(OBJDIR)/*.o *.o *.moc.cpp
+SUPPORTS_AVX512 :=  $(shell echo | gcc -E -mavx512f - > /dev/null 2>&1 && echo "True" )
+HARD_SWITCH_NOSIMD = -mno-mmx -mno-sse2 -mno-avx -mno-avx2
+HARD_SWITCH_MMX = -mmmx -mno-sse2 -mno-avx -mno-avx2
+HARD_SWITCH_SSE2 = -mmmx -msse2 -mno-avx -mno-avx2
+HARD_SWITCH_AVX = -mmmx -msse2 -mavx -mno-avx2
+HARD_SWITCH_AVX2 = -mmmx -msse2 -mavx -mavx2
+HARD_SWITCH_AVX512 = -mmmx -msse2 -mavx -mavx2 -mavx512f
+ifeq "$(SUPPORTS_AVX512)" "True"
+	HARD_SWITCH_NOSIMD += -mno-avx512f
+	HARD_SWITCH_MMX += -mno-avx512f
+	HARD_SWITCH_SSE2 += -mno-avx512f
+	HARD_SWITCH_AVX += -mno-avx512f
+	HARD_SWITCH_AVX2 += -mno-avx512f
+	MULTIARCHOBJS +=  $(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX512.o)
+endif
+			
+BINS = proxmark3 flasher fpga_compress
+WINBINS = $(patsubst %, %.exe, $(BINS))
+CLEAN = $(BINS) $(WINBINS) $(COREOBJS) $(CMDOBJS) $(OBJCOBJS) $(ZLIBOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(OBJDIR)/*.o *.moc.cpp ui/ui_overlays.h lualibs/usb_cmd.lua
 
-all: lua_build $(BINS) 
+# need to assign dependancies to build these first...
+all: lua_build jansson_build mbedtls_build cbor_build $(BINS)
 
 all-static: LDLIBS:=-static $(LDLIBS)
-all-static: snooper cli flasher
-	
-proxmark3: LDLIBS+=$(QTLDLIBS)
-proxmark3: $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(QTGUI)
-	$(CXX) $(CXXFLAGS) $^ $(LDLIBS) -o $@
+all-static: proxmark3 flasher fpga_compress
 
-snooper: $(OBJDIR)/snooper.o $(COREOBJS) $(CMDOBJS) $(OBJDIR)/guidummy.o
-	$(CXX) $(CXXFLAGS) $^ $(LDLIBS) -o $@
+proxmark3: LDLIBS+=$(LUALIB) $(JANSSONLIB) $(MBEDTLSLIB) $(CBORLIB) $(QTLDLIBS) $(PCSC_LIBS)
+proxmark3: $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(OBJCOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(ZLIBOBJS) lualibs/usb_cmd.lua
+	$(LD) $(LDFLAGS) $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(OBJCOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(ZLIBOBJS) $(LDLIBS) -o $@
 
-cli: $(OBJDIR)/cli.o $(COREOBJS) $(CMDOBJS) $(OBJDIR)/guidummy.o
-	$(CXX) $(CXXFLAGS) $^ $(LDLIBS) -o $@
+flasher: $(OBJDIR)/flash.o $(OBJDIR)/flasher.o $(COREOBJS) $(OBJCOBJS)
+	$(LD) $(LDFLAGS) $^ $(LDLIBS) -o $@
 
-flasher: $(OBJDIR)/flash.o $(OBJDIR)/flasher.o $(COREOBJS)
-	$(CXX) $(CXXFLAGS) $^ $(LDLIBS) -o $@
+fpga_compress: $(OBJDIR)/fpga_compress.o $(ZLIBOBJS)
+	$(LD) $(LDFLAGS) $(ZLIBFLAGS) $^ $(LDLIBS) -o $@
 
-$(OBJDIR)/%.o: %.c
-	$(CC) $(CFLAGS) -c -o $@ $<
-
-$(OBJDIR)/%.o: %.cpp
-	$(CXX) $(CXXFLAGS) -c -o $@ $<
+proxgui.cpp: ui/ui_overlays.h
 
 proxguiqt.moc.cpp: proxguiqt.h
 	$(MOC) -o$@ $^
 
+ui/ui_overlays.h: ui/overlays.ui
+	$(UIC) $^ > $@
+
+lualibs/usb_cmd.lua: ../include/usb_cmd.h
+	awk -f usb_cmd_h2lua.awk $^ > $@
+	
 clean:
 	$(RM) $(CLEAN)
 	cd ../liblua && make clean
+	cd $(JANSSONLIBPATH) && make clean
+	cd $(MBEDTLSLIBPATH) && make clean
+	cd $(CBORLIBPATH) && make clean
 
 tarbin: $(BINS)
-	$(TAR) $(TARFLAGS) ../proxmark3-$(platform)-bin.tar $(BINS:%=client/%)
-
-# must be run as root
-install_kext: Info.plist
-	mkdir -p /System/Library/Extensions/Proxmark3.kext/Contents
-	cp Info.plist /System/Library/Extensions/Proxmark3.kext/Contents
-	chown -R root:wheel /System/Library/Extensions/Proxmark3.kext
-	chmod 755 /System/Library/Extensions/Proxmark3.kext /System/Library/Extensions/Proxmark3.kext/Contents
-	chmod 644 /System/Library/Extensions/Proxmark3.kext/Contents/Info.plist
-	rm -rf /System/Library/Caches/com.apple.kext.caches
-	touch /System/Library/Extensions
-	@echo "*** You may need to reboot for the kext to take effect."
+	$(TAR) $(TARFLAGS) ../proxmark3-$(platform)-bin.tar $(BINS:%=client/%) $(WINBINS:%=client/%)
 
 lua_build:
 	@echo Compiling liblua, using platform $(LUAPLATFORM)
 	cd ../liblua && make $(LUAPLATFORM)
-
+	
+jansson_build:
+	@echo Compiling jansson
+	cd $(JANSSONLIBPATH) && make all
+	
+mbedtls_build:
+	@echo Compiling mbedtls
+	cd $(MBEDTLSLIBPATH) && make all
+	
+cbor_build:
+	@echo Compiling tinycbor
+	cd $(CBORLIBPATH) && make all
+	
 .PHONY: all clean
+
+$(OBJDIR)/%_NOSIMD.o : %.c $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(HARD_SWITCH_NOSIMD) -c -o $@ $<
+
+$(OBJDIR)/%_MMX.o : %.c $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(HARD_SWITCH_MMX) -c -o $@ $<
+
+$(OBJDIR)/%_SSE2.o : %.c $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(HARD_SWITCH_SSE2) -c -o $@ $<
+
+$(OBJDIR)/%_AVX.o : %.c $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(HARD_SWITCH_AVX) -c -o $@ $<
+
+$(OBJDIR)/%_AVX2.o : %.c $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(HARD_SWITCH_AVX2) -c -o $@ $<
+
+$(OBJDIR)/%_AVX512.o : %.c $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(HARD_SWITCH_AVX512) -c -o $@ $<
+
+%.o: %.c
+$(OBJDIR)/%.o : %.c $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(ZLIBFLAGS) $(PCSC_INCLUDES) -c -o $@ $<
+	$(POSTCOMPILE)
+
+%.o: %.cpp
+$(OBJDIR)/%.o : %.cpp $(OBJDIR)/%.d
+	$(CXX) $(DEPFLAGS) $(CXXFLAGS) $(QTINCLUDES) -c -o $@ $<
+	$(POSTCOMPILE)
+
+%.o: %.m
+$(OBJDIR)/%.o : %.m $(OBJDIR)/%.d
+	$(CC) $(DEPFLAGS) $(CFLAGS) -c -o $@ $<
+	$(POSTCOMPILE)
+
+#$(CMDOBJS) $(COREOBJS): $(notdir $(%.c)) %.d
+#	$(CC) $(DEPFLAGS) $(CFLAGS) -c -o $@ $<
+#	$(POSTCOMPILE)
+
+#$(ZLIBOBJS): $(notdir $(%.c)) %.d
+#	$(CC) $(DEPFLAGS) $(CFLAGS) $(ZLIBFLAGS) -c -o $@ $<
+#	$(POSTCOMPILE)
+
+#$(QTGUIOBJS): $(notdir $(%.cpp)) %.d
+#	$(CXX) $(DEPFLAGS) $(CXXFLAGS) -c -o $@ $<
+#	$(POSTCOMPILE)
+
+DEPENDENCY_FILES = $(patsubst %.c, $(OBJDIR)/%.d, $(CORESRCS) $(CMDSRCS) $(ZLIBSRCS) $(MULTIARCHSRCS)) \
+	$(patsubst %.cpp, $(OBJDIR)/%.d, $(QTGUISRCS)) \
+	$(patsubst %.m, $(OBJDIR)/%.d, $(OBJCSRCS)) \
+	$(OBJDIR)/proxmark3.d $(OBJDIR)/flash.d $(OBJDIR)/flasher.d $(OBJDIR)/fpga_compress.d
+
+$(DEPENDENCY_FILES): ;
+.PRECIOUS: $(DEPENDENCY_FILES)
+
+-include $(DEPENDENCY_FILES)

client/cli.c

@@ -1,58 +0,0 @@
-//-----------------------------------------------------------------------------
-// This code is licensed to you under the terms of the GNU GPL, version 2 or,
-// at your option, any later version. See the LICENSE.txt file for the text of
-// the license.
-//-----------------------------------------------------------------------------
-// Command line binary
-//-----------------------------------------------------------------------------
-
-#include <stdio.h>
-#include "sleep.h"
-#include "ui.h"
-#include "proxusb.h"
-#include "cmdmain.h"
-
-#define HANDLE_ERROR if (error_occured) { \
-  error_occured = 0;\
-  break;\
-}
-
-int main(int argc, char **argv)
-{
-  if (argc != 3 && argc != 4)
-  {
-    printf("\n\tusage: cli <command 1> <command 2> [logfile (default cli.log)]\n");
-    printf("\n");
-    printf("\texample: cli hi14asnoop hi14alist h14a.log\n");
-    printf("\n");
-    return -1;
-  }
-
-  usb_init();
-  if (argc == 4)
-    SetLogFilename(argv[3]);
-  else
-    SetLogFilename("cli.log");
-
-  return_on_error = 1;
-
-  while (1) {
-    while (!OpenProxmark(0)) { sleep(1); }
-    while (1) {
-      UsbCommand cmdbuf;
-      CommandReceived(argv[1]);
-      HANDLE_ERROR;
-      ReceiveCommand(&cmdbuf);
-      HANDLE_ERROR;
-      for (int i = 0; i < 5; ++i) {
-        ReceiveCommandPoll(&cmdbuf);
-      }
-      HANDLE_ERROR;
-      CommandReceived(argv[2]);
-      HANDLE_ERROR;
-    }
-  }
-
-  CloseProxmark();
-  return 0;
-}

client/cliparser/README.md

@@ -0,0 +1,13 @@
+# Command line parser
+
+cliparser - librari for proxmark with command line parsing high level functions.
+
+## External libraries:
+
+### argtable
+
+Argtable3 is a single-file, ANSI C, command-line parsing library that parses GNU-style command-line options.
+
+You can download argtable3 from this repository https://github.com/argtable/argtable3
+
+[argtable3 license](https://github.com/argtable/argtable3/blob/master/LICENSE)

client/cliparser/argtable3.h

@@ -0,0 +1,273 @@
+/*******************************************************************************
+ * argtable3: Declares the main interfaces of the library
+ *
+ * This file is part of the argtable3 library.
+ *
+ * Copyright (C) 1998-2001,2003-2011,2013 Stewart Heitmann
+ * <sheitmann@users.sourceforge.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of STEWART HEITMANN nor the  names of its contributors
+ *       may be used to endorse or promote products derived from this software
+ *       without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL STEWART HEITMANN BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ ******************************************************************************/
+
+#ifndef ARGTABLE3
+#define ARGTABLE3
+
+#include <stdio.h> /* FILE */
+#include <time.h>  /* struct tm */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define ARG_REX_ICASE 1
+#define ARG_DSTR_SIZE 200
+#define ARG_CMD_NAME_LEN 100
+#define ARG_CMD_DESCRIPTION_LEN 256
+
+#ifndef ARG_REPLACE_GETOPT
+#define ARG_REPLACE_GETOPT 1 /* use the embedded getopt as the system getopt(3) */
+#endif /* ARG_REPLACE_GETOPT */
+
+/* bit masks for arg_hdr.flag */
+enum { ARG_TERMINATOR = 0x1, ARG_HASVALUE = 0x2, ARG_HASOPTVALUE = 0x4 };
+
+#if defined(_WIN32)
+  #if defined(argtable3_EXPORTS)
+    #define ARG_EXTERN __declspec(dllexport)
+  #elif defined(argtable3_IMPORTS)
+    #define ARG_EXTERN __declspec(dllimport)
+  #else
+    #define ARG_EXTERN
+  #endif
+#else
+  #define ARG_EXTERN
+#endif
+
+typedef struct _internal_arg_dstr* arg_dstr_t;
+typedef void* arg_cmd_itr_t;
+
+typedef void(arg_resetfn)(void* parent);
+typedef int(arg_scanfn)(void* parent, const char* argval);
+typedef int(arg_checkfn)(void* parent);
+typedef void(arg_errorfn)(void* parent, arg_dstr_t ds, int error, const char* argval, const char* progname);
+typedef void(arg_dstr_freefn)(char* buf);
+typedef int(arg_cmdfn)(int argc, char* argv[], arg_dstr_t res);
+typedef int(arg_comparefn)(const void* k1, const void* k2);
+
+/*
+ * The arg_hdr struct defines properties that are common to all arg_xxx structs.
+ * The argtable library requires each arg_xxx struct to have an arg_hdr
+ * struct as its first data member.
+ * The argtable library functions then use this data to identify the
+ * properties of the command line option, such as its option tags,
+ * datatype string, and glossary strings, and so on.
+ * Moreover, the arg_hdr struct contains pointers to custom functions that
+ * are provided by each arg_xxx struct which perform the tasks of parsing
+ * that particular arg_xxx arguments, performing post-parse checks, and
+ * reporting errors.
+ * These functions are private to the individual arg_xxx source code
+ * and are the pointer to them are initiliased by that arg_xxx struct's
+ * constructor function. The user could alter them after construction
+ * if desired, but the original intention is for them to be set by the
+ * constructor and left unaltered.
+ */
+typedef struct arg_hdr {
+    char flag;             /* Modifier flags: ARG_TERMINATOR, ARG_HASVALUE. */
+    const char* shortopts; /* String defining the short options */
+    const char* longopts;  /* String defiing the long options */
+    const char* datatype;  /* Description of the argument data type */
+    const char* glossary;  /* Description of the option as shown by arg_print_glossary function */
+    int mincount;          /* Minimum number of occurences of this option accepted */
+    int maxcount;          /* Maximum number of occurences if this option accepted */
+    void* parent;          /* Pointer to parent arg_xxx struct */
+    arg_resetfn* resetfn;  /* Pointer to parent arg_xxx reset function */
+    arg_scanfn* scanfn;    /* Pointer to parent arg_xxx scan function */
+    arg_checkfn* checkfn;  /* Pointer to parent arg_xxx check function */
+    arg_errorfn* errorfn;  /* Pointer to parent arg_xxx error function */
+    void* priv;            /* Pointer to private header data for use by arg_xxx functions */
+} arg_hdr_t;
+
+typedef struct arg_rem {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+} arg_rem_t;
+
+typedef struct arg_lit {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+} arg_lit_t;
+
+typedef struct arg_int {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    int* ival;          /* Array of parsed argument values */
+} arg_int_t;
+
+typedef struct arg_dbl {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    double* dval;       /* Array of parsed argument values */
+} arg_dbl_t;
+
+typedef struct arg_str {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    const char** sval;  /* Array of parsed argument values */
+} arg_str_t;
+
+typedef struct arg_rex {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    const char** sval;  /* Array of parsed argument values */
+} arg_rex_t;
+
+typedef struct arg_file {
+    struct arg_hdr hdr;     /* The mandatory argtable header struct */
+    int count;              /* Number of matching command line args*/
+    const char** filename;  /* Array of parsed filenames  (eg: /home/foo.bar) */
+    const char** basename;  /* Array of parsed basenames  (eg: foo.bar) */
+    const char** extension; /* Array of parsed extensions (eg: .bar) */
+} arg_file_t;
+
+typedef struct arg_date {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    const char* format; /* strptime format string used to parse the date */
+    int count;          /* Number of matching command line args */
+    struct tm* tmval;   /* Array of parsed time values */
+} arg_date_t;
+
+enum { ARG_ELIMIT = 1, ARG_EMALLOC, ARG_ENOMATCH, ARG_ELONGOPT, ARG_EMISSARG };
+typedef struct arg_end {
+    struct arg_hdr hdr;  /* The mandatory argtable header struct */
+    int count;           /* Number of errors encountered */
+    int* error;          /* Array of error codes */
+    void** parent;       /* Array of pointers to offending arg_xxx struct */
+    const char** argval; /* Array of pointers to offending argv[] string */
+} arg_end_t;
+
+typedef struct arg_cmd_info {
+    char name[ARG_CMD_NAME_LEN];
+    char description[ARG_CMD_DESCRIPTION_LEN];
+    arg_cmdfn* proc;
+} arg_cmd_info_t;
+
+/**** arg_xxx constructor functions *********************************/
+
+ARG_EXTERN struct arg_rem* arg_rem(const char* datatype, const char* glossary);
+
+ARG_EXTERN struct arg_lit* arg_lit0(const char* shortopts, const char* longopts, const char* glossary);
+ARG_EXTERN struct arg_lit* arg_lit1(const char* shortopts, const char* longopts, const char* glossary);
+ARG_EXTERN struct arg_lit* arg_litn(const char* shortopts, const char* longopts, int mincount, int maxcount, const char* glossary);
+
+ARG_EXTERN struct arg_int* arg_int0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_int* arg_int1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_int* arg_intn(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);
+
+ARG_EXTERN struct arg_dbl* arg_dbl0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_dbl* arg_dbl1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_dbl* arg_dbln(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);
+
+ARG_EXTERN struct arg_str* arg_str0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_str* arg_str1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_str* arg_strn(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);
+
+ARG_EXTERN struct arg_rex* arg_rex0(const char* shortopts, const char* longopts, const char* pattern, const char* datatype, int flags, const char* glossary);
+ARG_EXTERN struct arg_rex* arg_rex1(const char* shortopts, const char* longopts, const char* pattern, const char* datatype, int flags, const char* glossary);
+ARG_EXTERN struct arg_rex* arg_rexn(const char* shortopts,
+                         const char* longopts,
+                         const char* pattern,
+                         const char* datatype,
+                         int mincount,
+                         int maxcount,
+                         int flags,
+                         const char* glossary);
+
+ARG_EXTERN struct arg_file* arg_file0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_file* arg_file1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_file* arg_filen(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);
+
+ARG_EXTERN struct arg_date* arg_date0(const char* shortopts, const char* longopts, const char* format, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_date* arg_date1(const char* shortopts, const char* longopts, const char* format, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_date* arg_daten(const char* shortopts, const char* longopts, const char* format, const char* datatype, int mincount, int maxcount, const char* glossary);
+
+ARG_EXTERN struct arg_end* arg_end(int maxerrors);
+
+#define ARG_DSTR_STATIC ((arg_dstr_freefn*)0)
+#define ARG_DSTR_VOLATILE ((arg_dstr_freefn*)1)
+#define ARG_DSTR_DYNAMIC ((arg_dstr_freefn*)3)
+
+/**** other functions *******************************************/
+ARG_EXTERN int arg_nullcheck(void** argtable);
+ARG_EXTERN int arg_parse(int argc, char** argv, void** argtable);
+ARG_EXTERN void arg_print_option(FILE* fp, const char* shortopts, const char* longopts, const char* datatype, const char* suffix);
+ARG_EXTERN void arg_print_syntax(FILE* fp, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_syntaxv(FILE* fp, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_glossary(FILE* fp, void** argtable, const char* format);
+ARG_EXTERN void arg_print_glossary_gnu(FILE* fp, void** argtable);
+ARG_EXTERN void arg_print_errors(FILE* fp, struct arg_end* end, const char* progname);
+ARG_EXTERN void arg_print_option_ds(arg_dstr_t ds, const char* shortopts, const char* longopts, const char* datatype, const char* suffix);
+ARG_EXTERN void arg_print_syntax_ds(arg_dstr_t ds, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_syntaxv_ds(arg_dstr_t ds, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_glossary_ds(arg_dstr_t ds, void** argtable, const char* format);
+ARG_EXTERN void arg_print_glossary_gnu_ds(arg_dstr_t ds, void** argtable);
+ARG_EXTERN void arg_print_errors_ds(arg_dstr_t ds, struct arg_end* end, const char* progname);
+ARG_EXTERN void arg_freetable(void** argtable, size_t n);
+
+ARG_EXTERN arg_dstr_t arg_dstr_create(void);
+ARG_EXTERN void arg_dstr_destroy(arg_dstr_t ds);
+ARG_EXTERN void arg_dstr_reset(arg_dstr_t ds);
+ARG_EXTERN void arg_dstr_free(arg_dstr_t ds);
+ARG_EXTERN void arg_dstr_set(arg_dstr_t ds, char* str, arg_dstr_freefn* free_proc);
+ARG_EXTERN void arg_dstr_cat(arg_dstr_t ds, const char* str);
+ARG_EXTERN void arg_dstr_catc(arg_dstr_t ds, char c);
+ARG_EXTERN void arg_dstr_catf(arg_dstr_t ds, const char* fmt, ...);
+ARG_EXTERN char* arg_dstr_cstr(arg_dstr_t ds);
+
+ARG_EXTERN void arg_cmd_init(void);
+ARG_EXTERN void arg_cmd_uninit(void);
+ARG_EXTERN void arg_cmd_register(const char* name, arg_cmdfn* proc, const char* description);
+ARG_EXTERN void arg_cmd_unregister(const char* name);
+ARG_EXTERN int arg_cmd_dispatch(const char* name, int argc, char* argv[], arg_dstr_t res);
+ARG_EXTERN unsigned int arg_cmd_count(void);
+ARG_EXTERN arg_cmd_info_t* arg_cmd_info(const char* name);
+ARG_EXTERN arg_cmd_itr_t arg_cmd_itr_create(void);
+ARG_EXTERN void arg_cmd_itr_destroy(arg_cmd_itr_t itr);
+ARG_EXTERN int arg_cmd_itr_advance(arg_cmd_itr_t itr);
+ARG_EXTERN char* arg_cmd_itr_key(arg_cmd_itr_t itr);
+ARG_EXTERN arg_cmd_info_t* arg_cmd_itr_value(arg_cmd_itr_t itr);
+ARG_EXTERN int arg_cmd_itr_search(arg_cmd_itr_t itr, void* k);
+ARG_EXTERN void arg_mgsort(void* data, int size, int esize, int i, int k, arg_comparefn* comparefn);
+ARG_EXTERN void arg_make_get_help_msg(arg_dstr_t res);
+ARG_EXTERN void arg_make_help_msg(arg_dstr_t ds, char* cmd_name, void** argtable);
+ARG_EXTERN void arg_make_syntax_err_msg(arg_dstr_t ds, void** argtable, struct arg_end* end);
+ARG_EXTERN int arg_make_syntax_err_help_msg(arg_dstr_t ds, char* name, int help, int nerrors, void** argtable, struct arg_end* end, int* exitcode);
+ARG_EXTERN void arg_set_module_name(const char* name);
+ARG_EXTERN void arg_set_module_version(int major, int minor, int patch, const char* tag);
+
+/**** deprecated functions, for back-compatibility only ********/
+ARG_EXTERN void arg_free(void** argtable);
+
+#ifdef __cplusplus
+}
+#endif
+#endif

client/cliparser/cliparser.c

@@ -0,0 +1,205 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2017 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Command line parser core commands
+//-----------------------------------------------------------------------------
+
+#include "cliparser.h"
+#include <stdio.h>
+#include <string.h>
+
+void **argtable = NULL;
+size_t argtableLen = 0;
+char *programName = NULL;
+char *programHint = NULL;
+char *programHelp = NULL;
+char buf[500] = {0};
+
+int CLIParserInit(char *vprogramName, char *vprogramHint, char *vprogramHelp) {
+	argtable = NULL;
+	argtableLen = 0;
+	programName = vprogramName;
+	programHint = vprogramHint;
+	programHelp = vprogramHelp;
+	memset(buf, 0x00, 500);
+	
+	return 0;
+}
+
+int CLIParserParseArg(int argc, char **argv, void* vargtable[], size_t vargtableLen, bool allowEmptyExec) { 
+	int nerrors;
+	
+	argtable = vargtable;
+	argtableLen = vargtableLen;
+	
+	/* verify the argtable[] entries were allocated sucessfully */
+	if (arg_nullcheck(argtable) != 0) {
+		/* NULL entries were detected, some allocations must have failed */
+		printf("ERROR: Insufficient memory\n");
+		return 2;
+	}
+	/* Parse the command line as defined by argtable[] */
+	nerrors = arg_parse(argc, argv, argtable);
+	
+	/* special case: '--help' takes precedence over error reporting */
+	if ((argc < 2 && !allowEmptyExec) ||((struct arg_lit *)argtable[0])->count > 0) { // help must be the first record  
+		printf("Usage: %s", programName);
+		arg_print_syntaxv(stdout, argtable, "\n");
+		if (programHint)
+			printf("%s\n\n", programHint);
+		arg_print_glossary(stdout, argtable, "    %-20s %s\n");
+		printf("\n");
+		if (programHelp)
+			printf("%s \n", programHelp);
+		
+		return 1;
+	}
+
+	/* If the parser returned any errors then display them and exit */
+	if (nerrors > 0) {
+		/* Display the error details contained in the arg_end struct.*/
+		arg_print_errors(stdout, ((struct arg_end *)argtable[vargtableLen - 1]), programName);
+		printf("Try '%s --help' for more information.\n", programName);
+		
+		return 3;
+	}	
+	
+	return 0;
+}
+
+enum ParserState {
+	PS_FIRST,
+	PS_ARGUMENT,
+	PS_OPTION,
+};
+
+#define isSpace(c)(c == ' ' || c == '\t')
+
+int CLIParserParseString(const char* str, void* vargtable[], size_t vargtableLen, bool allowEmptyExec) {
+	return CLIParserParseStringEx(str, vargtable, vargtableLen, allowEmptyExec, false);
+}
+
+int CLIParserParseStringEx(const char* str, void* vargtable[], size_t vargtableLen, bool allowEmptyExec, bool clueData) {
+	int argc = 0;
+	char *argv[200] = {NULL};
+	
+	int len = strlen(str);
+	char *bufptr = buf;
+	char *spaceptr = NULL;
+	enum ParserState state = PS_FIRST;
+	
+	argv[argc++] = bufptr;	
+	// param0 = program name
+	memcpy(buf, programName, strlen(programName) + 1); // with 0x00
+	bufptr += strlen(programName) + 1;
+	if (len)
+		argv[argc++] = bufptr;	
+	
+	// parse params
+	for (int i = 0; i < len; i++) {
+		switch(state){
+			case PS_FIRST: // first char
+				if (!clueData || str[i] == '-'){ // first char before space is '-' - next element - option OR not "clueData" for not-option fields
+					state = PS_OPTION;
+
+					if (spaceptr) {
+						bufptr = spaceptr;
+						*bufptr = 0x00;
+						bufptr++;
+						argv[argc++] = bufptr;	
+					}
+				}
+				spaceptr = NULL;
+			case PS_ARGUMENT:
+				if (state == PS_FIRST)
+					state = PS_ARGUMENT;
+				if (isSpace(str[i])) {
+					spaceptr = bufptr;
+					state = PS_FIRST;
+				}
+				*bufptr = str[i];
+				bufptr++;
+				break;
+			case PS_OPTION:
+				if (isSpace(str[i])){
+					state = PS_FIRST;
+
+					*bufptr = 0x00;
+					bufptr++;
+					argv[argc++] = bufptr;	
+					break;
+				}
+				
+				*bufptr = str[i];
+				bufptr++;
+				break;
+		}
+	}
+
+	return CLIParserParseArg(argc, argv, vargtable, vargtableLen, allowEmptyExec);
+}
+
+void CLIParserFree() {
+	arg_freetable(argtable, argtableLen);
+	argtable = NULL;
+	
+	return;
+}
+
+// convertors
+int CLIParamHexToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen) {
+	*datalen = 0;
+	
+	int ibuf = 0;
+	uint8_t buf[256] = {0};
+	int res = CLIParamStrToBuf(argstr, buf, maxdatalen * 2, &ibuf); // *2 because here HEX
+	if (res || !ibuf)
+		return res;
+	
+	switch(param_gethex_to_eol((char *)buf, 0, data, maxdatalen, datalen)) {
+	case 1:
+		printf("Parameter error: Invalid HEX value.\n");
+		return 1;
+	case 2:
+		printf("Parameter error: parameter too large.\n");
+		return 2;
+	case 3:
+		printf("Parameter error: Hex string must have even number of digits.\n");
+		return 3;
+	}
+	
+	return 0;
+}
+
+int CLIParamStrToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen) {
+	*datalen = 0;
+	if (!argstr->count)
+		return 0;
+	
+	uint8_t buf[256] = {0};
+	int ibuf = 0;
+	
+	for (int i = 0; i < argstr->count; i++) {
+		int len = strlen(argstr->sval[i]);
+		memcpy(&buf[ibuf], argstr->sval[i], len);
+		ibuf += len;
+	}
+	buf[ibuf] = 0;
+  
+	if (!ibuf)
+		return 0;
+
+	if (ibuf > maxdatalen)
+		return 2;
+	
+	memcpy(data, buf, ibuf);
+	*datalen = ibuf;
+	
+	return 0;
+}
+
+

client/cliparser/cliparser.h

@@ -0,0 +1,41 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2017 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Command line parser core commands
+//-----------------------------------------------------------------------------
+
+#include "argtable3.h"
+#include "util.h"
+#include <stdbool.h>
+
+#define arg_param_begin arg_lit0("hH",  "help",    "print this help and exit")
+#define arg_param_end arg_end(20)
+
+#define arg_getsize(a) (sizeof(a) / sizeof(a[0]))
+#define arg_get_lit(n)(((struct arg_lit*)argtable[n])->count)
+#define arg_get_int_count(n)(((struct arg_int*)argtable[n])->count)
+#define arg_get_int(n)(((struct arg_int*)argtable[n])->ival[0])
+#define arg_get_int_def(n,def)(arg_get_int_count(n)?(arg_get_int(n)):(def))
+#define arg_get_str(n)((struct arg_str*)argtable[n])
+#define arg_get_str_len(n)(strlen(((struct arg_str*)argtable[n])->sval[0]))
+
+#define arg_strx1(shortopts, longopts, datatype, glossary) (arg_strn((shortopts), (longopts), (datatype), 1, 250, (glossary)))
+#define arg_strx0(shortopts, longopts, datatype, glossary) (arg_strn((shortopts), (longopts), (datatype), 0, 250, (glossary)))
+
+#define CLIExecWithReturn(cmd, atbl, ifempty) if (CLIParserParseString(cmd, atbl, arg_getsize(atbl), ifempty)){CLIParserFree();return 0;}
+#define CLIGetHexBLessWithReturn(paramnum, data, datalen, delta) if (CLIParamHexToBuf(arg_get_str(paramnum), data, sizeof(data) - (delta), datalen)) {CLIParserFree();return 1;}
+#define CLIGetHexWithReturn(paramnum, data, datalen) if (CLIParamHexToBuf(arg_get_str(paramnum), data, sizeof(data), datalen)) {CLIParserFree();return 1;}
+#define CLIGetStrWithReturn(paramnum, data, datalen) if (CLIParamStrToBuf(arg_get_str(paramnum), data, sizeof(data), datalen)) {CLIParserFree();return 1;}
+
+extern int CLIParserInit(char *vprogramName, char *vprogramHint, char *vprogramHelp);
+extern int CLIParserParseString(const char* str, void* argtable[], size_t vargtableLen, bool allowEmptyExec);
+extern int CLIParserParseStringEx(const char* str, void* vargtable[], size_t vargtableLen, bool allowEmptyExec, bool clueData);
+extern int CLIParserParseArg(int argc, char **argv, void* argtable[], size_t vargtableLen, bool allowEmptyExec);
+extern void CLIParserFree();
+
+extern int CLIParamHexToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen);
+extern int CLIParamStrToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen);

client/cmddata.h

@@ -11,34 +11,70 @@
 #ifndef CMDDATA_H__
 #define CMDDATA_H__
 
+#include <stdlib.h>  //size_t
+#include <stdint.h>  //uint_32+
+#include <stdbool.h> //bool
+
+#include "cmdparser.h" // for command_t
+
 command_t * CmdDataCommands();
 
 int CmdData(const char *Cmd);
-
-int CmdAmp(const char *Cmd);
-int Cmdaskdemod(const char *Cmd);
+void printDemodBuff(void);
+void setDemodBuf(uint8_t *buff, size_t size, size_t startIdx);
+bool getDemodBuf(uint8_t *buff, size_t *size);
+void save_restoreDB(uint8_t saveOpt);// option '1' to save DemodBuffer any other to restore
+int CmdPrintDemodBuff(const char *Cmd);
+int Cmdaskrawdemod(const char *Cmd);
+int Cmdaskmandemod(const char *Cmd);
+int AutoCorrelate(const int *in, int *out, size_t len, int window, bool SaveGrph, bool verbose);
 int CmdAutoCorr(const char *Cmd);
+int CmdBiphaseDecodeRaw(const char *Cmd);
 int CmdBitsamples(const char *Cmd);
-int CmdBitstream(const char *Cmd);
 int CmdBuffClear(const char *Cmd);
 int CmdDec(const char *Cmd);
 int CmdDetectClockRate(const char *Cmd);
-int CmdFSKdemod(const char *Cmd);
+int CmdFSKrawdemod(const char *Cmd);
+int CmdPSK1rawDemod(const char *Cmd);
+int CmdPSK2rawDemod(const char *Cmd);
 int CmdGrid(const char *Cmd);
+int CmdGetBitStream(const char *Cmd);
 int CmdHexsamples(const char *Cmd);
 int CmdHide(const char *Cmd);
 int CmdHpf(const char *Cmd);
 int CmdLoad(const char *Cmd);
 int CmdLtrim(const char *Cmd);
-int CmdManchesterDemod(const char *Cmd);
-int CmdManchesterMod(const char *Cmd);
+int CmdRtrim(const char *Cmd);
+int Cmdmandecoderaw(const char *Cmd);
 int CmdNorm(const char *Cmd);
+int CmdNRZrawDemod(const char *Cmd);
 int CmdPlot(const char *Cmd);
+int CmdPrintDemodBuff(const char *Cmd);
+int CmdRawDemod(const char *Cmd);
 int CmdSamples(const char *Cmd);
+int CmdTuneSamples(const char *Cmd);
 int CmdSave(const char *Cmd);
 int CmdScale(const char *Cmd);
-int CmdThreshold(const char *Cmd);
 int CmdDirectionalThreshold(const char *Cmd);
 int CmdZerocrossings(const char *Cmd);
+int ASKbiphaseDemod(const char *Cmd, bool verbose);
+int ASKDemod(const char *Cmd, bool verbose, bool emSearch, uint8_t askType);
+int ASKDemod_ext(const char *Cmd, bool verbose, bool emSearch, uint8_t askType, bool *stCheck);
+int FSKrawDemod(const char *Cmd, bool verbose);
+int PSKDemod(const char *Cmd, bool verbose);
+int NRZrawDemod(const char *Cmd, bool verbose);
+int getSamples(int n, bool silent);
+void setClockGrid(int clk, int offset);
+int directionalThreshold(const int* in, int *out, size_t len, int8_t up, int8_t down);
+extern int AskEdgeDetect(const int *in, int *out, int len, int threshold);
+//int autoCorr(const int* in, int *out, size_t len, int window);
+
+#define MAX_DEMOD_BUF_LEN (1024*128)
+extern uint8_t DemodBuffer[MAX_DEMOD_BUF_LEN];
+extern size_t DemodBufferLen;
+extern int g_DemodStartIdx;
+extern int g_DemodClock;
+extern uint8_t g_debugMode;
+#define BIGBUF_SIZE 40000
 
 #endif

client/cmdhf.c

@@ -1,5 +1,6 @@
 //-----------------------------------------------------------------------------
 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
+// Merlok - 2017
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@@ -8,13 +9,14 @@
 // High frequency commands
 //-----------------------------------------------------------------------------
 
-#include <stdio.h>
-//#include "proxusb.h"
-#include "proxmark3.h"
-#include "graph.h"
+#include "cmdhf.h"
+
+#include <math.h>
+#include "usb_cmd.h"
+#include "comms.h"
 #include "ui.h"
 #include "cmdparser.h"
-#include "cmdhf.h"
+#include "cliparser/cliparser.h"
 #include "cmdhf14a.h"
 #include "cmdhf14b.h"
 #include "cmdhf15.h"
@@ -22,6 +24,14 @@
 #include "cmdhflegic.h"
 #include "cmdhficlass.h"
 #include "cmdhfmf.h"
+#include "cmdhfmfp.h"
+#include "cmdhfmfu.h"
+#include "cmdhftopaz.h"
+#include "cmdhflist.h"
+#include "cmdhffido.h"
+#include "cmddata.h"
+#include "graph.h"
+#include "fpga.h"
 
 static int CmdHelp(const char *Cmd);
 
@@ -32,24 +42,124 @@ int CmdHFTune(const char *Cmd)
   return 0;
 }
 
-static command_t CommandTable[] = 
+int CmdHFSearch(const char *Cmd){
+	int ans = 0;
+	PrintAndLog("");
+	ans = CmdHF14AInfo("s");
+	if (ans > 0) {
+		PrintAndLog("\nValid ISO14443A Tag Found - Quiting Search\n");
+		return ans;
+	}
+	ans = HFiClassReader(false, false);
+	if (ans) {
+		PrintAndLog("\nValid iClass Tag (or PicoPass Tag) Found - Quiting Search\n");
+		return ans;
+	}
+	ans = HF15Reader("", false);
+	if (ans) {
+		PrintAndLog("\nValid ISO15693 Tag Found - Quiting Search\n");
+		return ans;
+	}
+	//14b is longest test currently (and rarest chip type) ... put last
+	ans = infoHF14B(false);
+	if (ans) {
+		PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n");
+		return ans;
+	}
+	ans = CmdLegicRFRead("");
+	if (ans == 0) {
+		PrintAndLog("\nValid Legic Tag Found - Quiting Search\n");
+		return ans;
+	}
+	PrintAndLog("\nno known/supported 13.56 MHz tags found\n");
+	return 0;
+}
+
+int CmdHFSnoop(const char *Cmd)
 {
-  {"help",        CmdHelp,          1, "This help"},
-  {"14a",         CmdHF14A,         1, "{ ISO14443A RFIDs... }"},
-  {"14b",         CmdHF14B,         1, "{ ISO14443B RFIDs... }"},
-  {"15",          CmdHF15,          1, "{ ISO15693 RFIDs... }"},
-  {"epa",         CmdHFEPA,         1, "{ German Identification Card... }"},
-  {"legic",       CmdHFLegic,       0, "{ LEGIC RFIDs... }"},
-  {"iclass",      CmdHFiClass,      1, "{ ICLASS RFIDs... }"},
-  {"mf",      		CmdHFMF,		      1, "{ MIFARE RFIDs... }"},
-  {"tune",        CmdHFTune,        0, "Continuously measure HF antenna tuning"},
-  {NULL, NULL, 0, NULL}
+	char * pEnd;
+	UsbCommand c = {CMD_HF_SNIFFER, {strtol(Cmd, &pEnd,0),strtol(pEnd, &pEnd,0),0}};
+	SendCommand(&c);
+	return 0;
+}
+
+
+// static void InterpolateShannon(int *source, size_t source_len, int *dest, size_t dest_len)
+// {
+	// int *buf = (int*)malloc(source_len * sizeof(int));
+	// memcpy(buf, source, source_len * sizeof(int));
+	// for (int i = 0; i < source_len; i++) {
+		// buf[i] += 128;
+	// }
+	// for (int i = 0; i < dest_len; i++) {
+		// float value = 0.0;
+		// for (int j = 0; j < source_len; j++) {
+			// if (i * source_len == j * dest_len) { // sin(0) / 0 = 1
+				// value += (float)buf[j];
+			// } else {
+				// value += (float)buf[j] * sin(((float)i*source_len/dest_len-j)*3.1415) / (((float)i*source_len/dest_len-j)*3.1415);
+			// }
+		// }
+		// dest[i] = value - 128;
+	// }
+	// free(buf);
+// }
+
+
+static int CmdHFPlot(const char *Cmd)
+{
+	CLIParserInit("hf plot",
+		"Plots HF signal after RF signal path and A/D conversion.",
+		"This can be used after any hf command and will show the last few milliseconds of the HF signal.\n"
+		"Note: If the last hf command terminated because of a timeout you will most probably see nothing.\n");
+	void* argtable[] = {
+		arg_param_begin,
+		arg_param_end
+	};
+	CLIExecWithReturn(Cmd, argtable, true);
+
+	uint8_t buf[FPGA_TRACE_SIZE];
+
+	if (GetFromFpgaRAM(buf, FPGA_TRACE_SIZE)) {
+		for (size_t i = 0; i < FPGA_TRACE_SIZE; i++) {
+			GraphBuffer[i] = (int)buf[i] - 128;
+		}
+		GraphTraceLen = FPGA_TRACE_SIZE;
+		// InterpolateShannon(GraphBuffer, FPGA_TRACE_SIZE, GraphBuffer, FPGA_TRACE_SIZE*8/7);
+		// GraphTraceLen = FPGA_TRACE_SIZE*8/7;
+		ShowGraphWindow();
+		RepaintGraphWindow();
+	}
+	return 0;
+}
+
+
+static command_t CommandTable[] =
+{
+	{"help",    CmdHelp,        1, "This help"},
+	{"14a",     CmdHF14A,       0, "{ ISO14443A RFIDs... }"},
+	{"14b",     CmdHF14B,       0, "{ ISO14443B RFIDs... }"},
+	{"15",      CmdHF15,        1, "{ ISO15693 RFIDs... }"},
+	{"epa",     CmdHFEPA,       0, "{ German Identification Card... }"},
+	{"legic",   CmdHFLegic,     0, "{ LEGIC RFIDs... }"},
+	{"iclass",  CmdHFiClass,    1, "{ ICLASS RFIDs... }"},
+	{"mf",      CmdHFMF,        1, "{ MIFARE RFIDs... }"},
+	{"mfu",     CmdHFMFUltra,   1, "{ MIFARE Ultralight RFIDs... }"},
+	{"mfp",     CmdHFMFP,       0, "{ MIFARE Plus RFIDs... }"},
+	{"topaz",   CmdHFTopaz,     0, "{ TOPAZ (NFC Type 1) RFIDs... }"},
+	{"fido",    CmdHFFido,      0, "{ FIDO and FIDO2 authenticators... }"},
+	{"tune",    CmdHFTune,      0, "Continuously measure HF antenna tuning"},
+	{"list",    CmdHFList,      1, "List protocol data in trace buffer"},
+	{"plot",    CmdHFPlot,      0, "Plot signal"},
+	{"search",  CmdHFSearch,    0, "Search for known HF tags [preliminary]"},
+	{"snoop",   CmdHFSnoop,     0, "<samples to skip (10000)> <triggers to skip (1)> Generic HF Snoop"},
+	{NULL,      NULL,           0, NULL}
 };
 
 int CmdHF(const char *Cmd)
 {
   CmdsParse(CommandTable, Cmd);
-  return 0; 
+  return 0;
 }
 
 int CmdHelp(const char *Cmd)

client/cmdhf14a.h

@@ -12,12 +12,23 @@
 #ifndef CMDHF14A_H__
 #define CMDHF14A_H__
 
-int CmdHF14A(const char *Cmd);
+#include <stdint.h>
+#include <stdbool.h>
+#include "mifare.h"
 
-int CmdHF14AList(const char *Cmd);
-int CmdHF14AMifare(const char *Cmd);
-int CmdHF14AReader(const char *Cmd);
-int CmdHF14ASim(const char *Cmd);
-int CmdHF14ASnoop(const char *Cmd);
+extern int CmdHF14A(const char *Cmd);
+extern int CmdHF14AMfDbg(const char* cmd);
+extern int CmdHF14AList(const char *Cmd);
+extern int CmdHF14AMifare(const char *Cmd);
+extern int CmdHF14AReader(const char *Cmd);
+extern int CmdHF14AInfo(const char *Cmd);
+extern int CmdHF14ASim(const char *Cmd);
+extern int CmdHF14ASnoop(const char *Cmd);
+
+extern void DropField();
+
+extern int Hf14443_4aGetCardData(iso14a_card_select_t * card);
+extern int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
+extern int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
 
 #endif

client/cmdhf14b.h

@@ -11,15 +11,16 @@
 #ifndef CMDHF14B_H__
 #define CMDHF14B_H__
 
-int CmdHF14B(const char *Cmd);
+#include <stdbool.h>
 
-int CmdHF14BDemod(const char *Cmd);
+int CmdHF14B(const char *Cmd);
 int CmdHF14BList(const char *Cmd);
-int CmdHF14BRead(const char *Cmd);
-int CmdHF14Sim(const char *Cmd);
-int CmdHFSimlisten(const char *Cmd);
+int CmdHF14BInfo(const char *Cmd);
+int CmdHF14BSim(const char *Cmd);
 int CmdHF14BSnoop(const char *Cmd);
 int CmdSri512Read(const char *Cmd);
 int CmdSrix4kRead(const char *Cmd);
+int CmdHF14BWrite( const char *cmd);
+int infoHF14B(bool verbose);
 
 #endif

client/cmdhf15.h

@@ -11,15 +11,9 @@
 #ifndef CMDHF15_H__
 #define CMDHF15_H__
 
-int CmdHF15(const char *Cmd);
+#include <stdbool.h>
 
-int CmdHF15Demod(const char *Cmd);
-int CmdHF15Read(const char *Cmd);
-int CmdHF15Reader(const char *Cmd);
-int CmdHF15Sim(const char *Cmd);
-int CmdHF15Record(const char *Cmd);
-int CmdHF15Cmd(const char*Cmd);
-int CmdHF15CmdHelp(const char*Cmd);
-int CmdHF15Help(const char*Cmd);
+extern int CmdHF15(const char *Cmd);
+extern int HF15Reader(const char *Cmd, bool verbose);
 
 #endif

client/cmdhfepa.c

@@ -8,15 +8,20 @@
 // Commands related to the German electronic Identification Card
 //-----------------------------------------------------------------------------
 
+#include "cmdhfepa.h"
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdio.h>
 #include "util.h"
-//#include "proxusb.h"
-#include "proxmark3.h"
+#include "util_posix.h"
+#include "comms.h"
 #include "ui.h"
 #include "cmdparser.h"
 #include "common.h"
 #include "cmdmain.h"
-#include "sleep.h"
-#include "cmdhfepa.h"
 
 static int CmdHelp(const char *Cmd);
 
@@ -29,23 +34,23 @@ int CmdHFEPACollectPACENonces(const char *Cmd)
 	unsigned int n = 0;
 	// delay between requests
 	unsigned int d = 0;
-	
+
 	sscanf(Cmd, "%u %u %u", &m, &n, &d);
-	
+
 	// values are expected to be > 0
 	m = m > 0 ? m : 1;
 	n = n > 0 ? n : 1;
 
-	PrintAndLog("Collecting %u %"hhu"-byte nonces", n, m);
-	PrintAndLog("Start: %u", time(NULL));
+	PrintAndLog("Collecting %u %u-byte nonces", n, m);
+	PrintAndLog("Start: %" PRIu64 , msclock()/1000);
 	// repeat n times
 	for (unsigned int i = 0; i < n; i++) {
 		// execute PACE
 		UsbCommand c = {CMD_EPA_PACE_COLLECT_NONCE, {(int)m, 0, 0}};
 		SendCommand(&c);
 		UsbCommand resp;
-    
-    WaitForResponse(CMD_ACK,&resp);
+
+		WaitForResponse(CMD_ACK,&resp);
 
 		// check if command failed
 		if (resp.arg[0] != 0) {
@@ -54,27 +59,138 @@ int CmdHFEPACollectPACENonces(const char *Cmd)
 			size_t nonce_length = resp.arg[1];
 			char *nonce = (char *) malloc(2 * nonce_length + 1);
 			for(int j = 0; j < nonce_length; j++) {
-				snprintf(nonce + (2 * j), 3, "%02X", resp.d.asBytes[j]);
+				sprintf(nonce + (2 * j), "%02X", resp.d.asBytes[j]);
 			}
 			// print nonce
-			PrintAndLog("Length: %d, Nonce: %s",resp.arg[1], nonce);
+			PrintAndLog("Length: %d, Nonce: %s", nonce_length, nonce);
+			free(nonce);
 		}
 		if (i < n - 1) {
 			sleep(d);
 		}
 	}
-	PrintAndLog("End: %u", time(NULL));
+	PrintAndLog("End: %" PRIu64, msclock()/1000);
 
 	return 1;
 }
 
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+////////////////////////////////The commands lie below here/////////////////////////////////////////////////////////////////////////////////////////
+
+// perform the PACE protocol by replaying APDUs
+int CmdHFEPAPACEReplay(const char *Cmd)
+{
+	// the 4 APDUs which are replayed + their lengths
+	uint8_t msesa_apdu[41], gn_apdu[8], map_apdu[75];
+	uint8_t pka_apdu[75], ma_apdu[18], apdu_lengths[5] = {0};
+	// pointers to the arrays to be able to iterate
+	uint8_t *apdus[] = {msesa_apdu, gn_apdu, map_apdu, pka_apdu, ma_apdu};
+
+	// usage message
+	static const char *usage_msg =
+		"Please specify 5 APDUs separated by spaces. "
+		"Example:\n preplay 0022C1A4 1068000000 1086000002 1234ABCDEF 1A2B3C4D";
+
+	// Proxmark response
+	UsbCommand resp;
+
+	int skip = 0, skip_add = 0, scan_return = 0;
+	// for each APDU
+	for (int i = 0; i < sizeof(apdu_lengths); i++) {
+		// scan to next space or end of string
+		while (Cmd[skip] != ' ' && Cmd[skip] != '\0') {
+			// convert
+			scan_return = sscanf(Cmd + skip, "%2X%n",
+			                     (unsigned int *) (apdus[i] + apdu_lengths[i]),
+			                     &skip_add);
+			if (scan_return < 1) {
+				PrintAndLog((char *)usage_msg);
+				PrintAndLog("Not enough APDUs! Try again!");
+				return 0;
+			}
+			skip += skip_add;
+            apdu_lengths[i]++;
+		}
+
+		// break on EOF
+		if (Cmd[skip] == '\0') {
+			if (i < sizeof(apdu_lengths) - 1) {
+
+				PrintAndLog((char *)usage_msg);
+				return 0;
+			}
+			break;
+		}
+		// skip the space
+		skip++;
+	}
+
+	// transfer the APDUs to the Proxmark
+	UsbCommand usb_cmd;
+	usb_cmd.cmd = CMD_EPA_PACE_REPLAY;
+	for (int i = 0; i < sizeof(apdu_lengths); i++) {
+		// APDU number
+		usb_cmd.arg[0] = i + 1;
+		// transfer the APDU in several parts if necessary
+		for (int j = 0; j * sizeof(usb_cmd.d.asBytes) < apdu_lengths[i]; j++) {
+			// offset into the APDU
+			usb_cmd.arg[1] = j * sizeof(usb_cmd.d.asBytes);
+			// amount of data in this packet
+			int packet_length = apdu_lengths[i] - (j * sizeof(usb_cmd.d.asBytes));
+			if (packet_length > sizeof(usb_cmd.d.asBytes)) {
+				packet_length = sizeof(usb_cmd.d.asBytes);
+			}
+			usb_cmd.arg[2] = packet_length;
+
+			memcpy(usb_cmd.d.asBytes, // + (j * sizeof(usb_cmd.d.asBytes)),
+			       apdus[i] + (j * sizeof(usb_cmd.d.asBytes)),
+			       packet_length);
+			SendCommand(&usb_cmd);
+			WaitForResponse(CMD_ACK, &resp);
+			if (resp.arg[0] != 0) {
+				PrintAndLog("Transfer of APDU #%d Part %d failed!", i, j);
+				return 0;
+			}
+		}
+	}
+
+	// now perform the replay
+	usb_cmd.arg[0] = 0;
+	SendCommand(&usb_cmd);
+	WaitForResponse(CMD_ACK, &resp);
+	if (resp.arg[0] != 0) {
+		PrintAndLog("\nPACE replay failed in step %u!", (uint32_t)resp.arg[0]);
+		PrintAndLog("Measured times:");
+		PrintAndLog("MSE Set AT: %u us", resp.d.asDwords[0]);
+		PrintAndLog("GA Get Nonce: %u us", resp.d.asDwords[1]);
+		PrintAndLog("GA Map Nonce: %u us", resp.d.asDwords[2]);
+		PrintAndLog("GA Perform Key Agreement: %u us", resp.d.asDwords[3]);
+		PrintAndLog("GA Mutual Authenticate: %u us", resp.d.asDwords[4]);
+	} else {
+		PrintAndLog("PACE replay successfull!");
+		PrintAndLog("MSE Set AT: %u us", resp.d.asDwords[0]);
+		PrintAndLog("GA Get Nonce: %u us", resp.d.asDwords[1]);
+		PrintAndLog("GA Map Nonce: %u us", resp.d.asDwords[2]);
+		PrintAndLog("GA Perform Key Agreement: %u us", resp.d.asDwords[3]);
+		PrintAndLog("GA Mutual Authenticate: %u us", resp.d.asDwords[4]);
+	}
+
+
+	return 1;
+}
+
+////////////////////////////////The new commands lie above here/////////////////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
 // UI-related stuff
 
-static const command_t CommandTable[] = 
+static const command_t CommandTable[] =
 {
   {"help",    CmdHelp,                   1, "This help"},
   {"cnonces", CmdHFEPACollectPACENonces, 0,
               "<m> <n> <d> Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses"},
+  {"preplay", CmdHFEPAPACEReplay,        0,
+   "<mse> <get> <map> <pka> <ma> Perform PACE protocol by replaying given APDUs"},
   {NULL, NULL, 0, NULL}
 };
 
@@ -86,10 +202,7 @@ int CmdHelp(const char *Cmd)
 
 int CmdHFEPA(const char *Cmd)
 {
-	// flush
-	WaitForResponseTimeout(CMD_ACK,NULL,100);
-
-	// parse
-  CmdsParse(CommandTable, Cmd);
-  return 0;
-}
+	(void)WaitForResponseTimeout(CMD_ACK,NULL,100);
+	CmdsParse(CommandTable, Cmd);
+	return 0;
+}

client/cmdhffido.c

@@ -0,0 +1,926 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency MIFARE  Plus commands
+//-----------------------------------------------------------------------------
+//
+//  Documentation here:
+//
+// FIDO Alliance specifications
+// https://fidoalliance.org/download/
+// FIDO NFC Protocol Specification v1.0
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-nfc-protocol-v1.2-ps-20170411.html
+// FIDO U2F Raw Message Formats
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html
+//-----------------------------------------------------------------------------
+
+
+#include "cmdhffido.h"
+
+#include <inttypes.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <jansson.h>
+#include <mbedtls/x509_crt.h>
+#include <mbedtls/x509.h>
+#include <mbedtls/pk.h>
+#include "comms.h"
+#include "cmdmain.h"
+#include "util.h"
+#include "ui.h"
+#include "proxmark3.h"
+#include "mifare.h"
+#include "emv/emvcore.h"
+#include "emv/emvjson.h"
+#include "emv/dump.h"
+#include "emv/apduinfo.h"
+#include "cliparser/cliparser.h"
+#include "crypto/asn1utils.h"
+#include "crypto/libpcrypto.h"
+#include "fido/cbortools.h"
+#include "fido/fidocore.h"
+#include "fido/cose.h"
+
+static int CmdHelp(const char *Cmd);
+
+int CmdHFFidoInfo(const char *cmd) {
+	
+	if (cmd && strlen(cmd) > 0)
+		PrintAndLog("WARNING: command don't have any parameters.\n");
+	
+	// info about 14a part
+	CmdHF14AInfo("");
+
+	// FIDO info
+	PrintAndLog("--------------------------------------------"); 
+	SetAPDULogging(false);
+	
+	uint8_t buf[APDU_RESPONSE_LEN] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+	int res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		if (sw)
+			PrintAndLog("Not a FIDO card! APDU response: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		else
+			PrintAndLog("APDU exchange error. Card returns 0x0000."); 
+		
+		DropField();
+		return 0;
+	}
+	
+	if (!strncmp((char *)buf, "U2F_V2", 7)) {
+		if (!strncmp((char *)buf, "FIDO_2_0", 8)) {
+			PrintAndLog("FIDO2 authenricator detected. Version: %.*s", len, buf); 
+		} else {
+			PrintAndLog("FIDO authenricator detected (not standard U2F)."); 
+			PrintAndLog("Non U2F authenticator version:"); 
+			dump_buffer((const unsigned char *)buf, len, NULL, 0);
+		}
+	} else {
+		PrintAndLog("FIDO U2F authenricator detected. Version: %.*s", len, buf); 
+	}
+
+	res = FIDO2GetInfo(buf, sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		return res;
+	}
+	if (sw != 0x9000) {
+		PrintAndLog("FIDO2 version not exists (%04x - %s).", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		
+		return 0;
+	}
+	
+	if(buf[0]) {
+		PrintAndLog("FIDO2 ger version error: %d - %s", buf[0], fido2GetCmdErrorDescription(buf[0])); 
+		return 0;
+	}
+
+	if (len > 1) {
+//		if (false) {
+//			PrintAndLog("FIDO2 version: (len=%d)", len); 
+//			dump_buffer((const unsigned char *)buf, len, NULL, 0);
+//		}
+
+		PrintAndLog("FIDO2 version CBOR decoded:"); 
+		TinyCborPrintFIDOPackage(fido2CmdGetInfo, true, &buf[1], len - 1);
+	} else {
+		PrintAndLog("FIDO2 version length error"); 
+	}
+	
+	return 0;
+}
+
+json_t *OpenJson(int paramnum, char *fname, void* argtable[], bool *err) {	
+	json_t *root = NULL;
+	json_error_t error;
+	*err = false;
+
+	uint8_t jsonname[250] ={0};
+	char *cjsonname = (char *)jsonname;
+	int jsonnamelen = 0;
+	
+	// CLIGetStrWithReturn(paramnum, jsonname, &jsonnamelen);
+	if (CLIParamStrToBuf(arg_get_str(paramnum), jsonname, sizeof(jsonname), &jsonnamelen))  {
+		CLIParserFree();
+		return NULL;
+	}
+	
+	// current path + file name
+	if (!strstr(cjsonname, ".json"))
+		strcat(cjsonname, ".json");
+	
+	if (jsonnamelen) {
+		strcpy(fname, get_my_executable_directory());
+		strcat(fname, cjsonname);
+		if (access(fname, F_OK) != -1) {
+			root = json_load_file(fname, 0, &error);
+			if (!root) {
+				PrintAndLog("ERROR: json error on line %d: %s", error.line, error.text);
+				*err = true;
+				return NULL; 
+			}
+			
+			if (!json_is_object(root)) {
+				PrintAndLog("ERROR: Invalid json format. root must be an object.");
+				json_decref(root);
+				*err = true;
+				return NULL; 
+			}
+			
+		} else {
+			root = json_object();
+		}
+	}
+	return root;
+}
+
+int CmdHFFidoRegister(const char *cmd) {
+	uint8_t data[64] = {0};
+	int chlen = 0;
+	uint8_t cdata[250] = {0};
+	int applen = 0;
+	uint8_t adata[250] = {0};
+	json_t *root = NULL;
+	
+	CLIParserInit("hf fido reg", 
+		"Initiate a U2F token registration. Needs two 32-byte hash number. \nchallenge parameter (32b) and application parameter (32b).", 
+		"Usage:\n\thf fido reg -> execute command with 2 parameters, filled 0x00\n"
+			"\thf fido reg 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with parameters"
+			"\thf fido reg -p s0 s1 -> execute command with plain parameters");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_litn("vV",  "verbose",  0, 2, "show technical data. vv - show full certificates data"),
+		arg_lit0("pP",  "plain",    "send plain ASCII to challenge and application parameters instead of HEX"),
+		arg_lit0("tT",  "tlv",      "Show DER certificate contents in TLV representation"),
+		arg_str0("jJ",  "json",		"fido.json", "JSON input / output file name for parameters."),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII challenge parameter (32b HEX/1..16 chars)>", NULL),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII application parameter (32b HEX/1..16 chars)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool verbose2 = arg_get_lit(2) > 1;
+	bool paramsPlain = arg_get_lit(3);
+	bool showDERTLV = arg_get_lit(4);
+
+	char fname[250] = {0};
+	bool err;
+	root = OpenJson(5, fname, argtable, &err);
+	if(err)
+		return 1;
+	if (root) {	
+		size_t jlen;
+		JsonLoadBufAsHex(root, "$.ChallengeParam", data, 32, &jlen);
+		JsonLoadBufAsHex(root, "$.ApplicationParam", &data[32], 32, &jlen);
+	}
+	
+	if (paramsPlain) {
+		memset(cdata, 0x00, 32);
+		CLIGetStrWithReturn(6, cdata, &chlen);
+		if (chlen && chlen > 16) {
+			PrintAndLog("ERROR: challenge parameter length in ASCII mode must be less than 16 chars instead of: %d", chlen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(6, cdata, &chlen);
+		if (chlen && chlen != 32) {
+			PrintAndLog("ERROR: challenge parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (chlen)
+		memmove(data, cdata, 32);
+	
+	
+	if (paramsPlain) {
+		memset(adata, 0x00, 32);
+		CLIGetStrWithReturn(7, adata, &applen);
+		if (applen && applen > 16) {
+			PrintAndLog("ERROR: application parameter length in ASCII mode must be less than 16 chars instead of: %d", applen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(7, adata, &applen);
+		if (applen && applen != 32) {
+			PrintAndLog("ERROR: application parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (applen)
+		memmove(&data[32], adata, 32);
+	
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	// challenge parameter [32 bytes] - The challenge parameter is the SHA-256 hash of the Client Data, a stringified JSON data structure that the FIDO Client prepares
+	// application parameter [32 bytes] - The application parameter is the SHA-256 hash of the UTF-8 encoding of the application identity
+	
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	int res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDORegister(data, buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute register command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute register command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	PrintAndLog("");
+	if (APDULogging)
+		PrintAndLog("---------------------------------------------------------------");
+	PrintAndLog("data len: %d", len);
+	if (verbose2) {
+		PrintAndLog("--------------data----------------------");
+		dump_buffer((const unsigned char *)buf, len, NULL, 0);
+		PrintAndLog("--------------data----------------------");
+	}
+
+	if (buf[0] != 0x05) {
+		PrintAndLog("ERROR: First byte must be 0x05, but it %2x", buf[0]);
+		return 5;
+	}
+	PrintAndLog("User public key: %s", sprint_hex(&buf[1], 65));
+	
+	uint8_t keyHandleLen = buf[66];
+	PrintAndLog("Key handle[%d]: %s", keyHandleLen, sprint_hex(&buf[67], keyHandleLen));
+	
+	int derp = 67 + keyHandleLen;
+	int derLen = (buf[derp + 2] << 8) + buf[derp + 3] + 4;
+	if (verbose2) {
+		PrintAndLog("DER certificate[%d]:\n------------------DER-------------------", derLen);
+		dump_buffer_simple((const unsigned char *)&buf[derp], derLen, NULL);
+		PrintAndLog("\n----------------DER---------------------");
+	} else {
+		if (verbose)
+			PrintAndLog("------------------DER-------------------");
+		PrintAndLog("DER certificate[%d]: %s...", derLen, sprint_hex(&buf[derp], 20));
+	}
+	
+	// check and print DER certificate
+	uint8_t public_key[65] = {0};
+	
+	// print DER certificate in TLV view
+	if (showDERTLV) {
+		PrintAndLog("----------------DER TLV-----------------");
+		asn1_print(&buf[derp], derLen, "  ");
+		PrintAndLog("----------------DER TLV-----------------");
+	}
+	
+    FIDOCheckDERAndGetKey(&buf[derp], derLen, verbose, public_key, sizeof(public_key));
+	
+	// get hash
+	int hashp = 1 + 65 + 1 + keyHandleLen + derLen;
+	PrintAndLog("Hash[%d]: %s", len - hashp, sprint_hex(&buf[hashp], len - hashp));
+
+	// check ANSI X9.62 format ECDSA signature (on P-256)
+	uint8_t rval[300] = {0}; 
+	uint8_t sval[300] = {0}; 
+	res = ecdsa_asn1_get_signature(&buf[hashp], len - hashp, rval, sval);
+	if (!res) {
+		if (verbose) {
+			PrintAndLog("  r: %s", sprint_hex(rval, 32));
+			PrintAndLog("  s: %s", sprint_hex(sval, 32));
+		}
+
+		uint8_t xbuf[4096] = {0};
+		size_t xbuflen = 0;
+		res = FillBuffer(xbuf, sizeof(xbuf), &xbuflen,
+			"\x00", 1,
+			&data[32], 32,           // application parameter  
+			&data[0], 32,            // challenge parameter
+			&buf[67], keyHandleLen,  // keyHandle
+			&buf[1], 65,             // user public key
+			NULL, 0);
+		//PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen));
+		res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[hashp], len - hashp, true);
+		if (res) {
+			if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) {
+				PrintAndLog("Signature is NOT VALID.");
+			} else {
+				PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res));
+			}
+		} else {
+			PrintAndLog("Signature is OK.");
+		}
+		
+	} else {
+		PrintAndLog("Invalid signature. res=%d.", res);
+	}
+	
+	PrintAndLog("\nauth command: ");
+	printf("hf fido auth %s%s", paramsPlain?"-p ":"", sprint_hex_inrow(&buf[67], keyHandleLen));
+	if(chlen || applen)
+		printf(" %s", paramsPlain?(char *)cdata:sprint_hex_inrow(cdata, 32));
+	if(applen)
+		printf(" %s", paramsPlain?(char *)adata:sprint_hex_inrow(adata, 32));
+	printf("\n");
+	
+	if (root) {
+		JsonSaveBufAsHex(root, "ChallengeParam", data, 32);
+		JsonSaveBufAsHex(root, "ApplicationParam", &data[32], 32);
+		JsonSaveBufAsHexCompact(root, "PublicKey", &buf[1], 65);
+		JsonSaveInt(root, "KeyHandleLen", keyHandleLen);
+		JsonSaveBufAsHexCompact(root, "KeyHandle", &buf[67], keyHandleLen);
+		JsonSaveBufAsHexCompact(root, "DER", &buf[67 + keyHandleLen], derLen);
+	
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+		
+		// free json object
+		json_decref(root);
+	}
+	
+	return 0;
+};
+
+int CmdHFFidoAuthenticate(const char *cmd) {
+	uint8_t data[512] = {0};
+	uint8_t hdata[250] = {0};
+	bool public_key_loaded = false;
+	uint8_t public_key[65] = {0}; 
+	int hdatalen = 0;
+	uint8_t keyHandleLen = 0;
+	json_t *root = NULL;
+	
+	CLIParserInit("hf fido auth", 
+		"Initiate a U2F token authentication. Needs key handle and two 32-byte hash number. \nkey handle(var 0..255), challenge parameter (32b) and application parameter (32b).", 
+		"Usage:\n\thf fido auth 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with 2 parameters, filled 0x00 and key handle\n"
+			"\thf fido auth 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f "
+				"000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with parameters");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_lit0("vV",  "verbose",  "show technical data"),
+		arg_lit0("pP",  "plain",    "send plain ASCII to challenge and application parameters instead of HEX"),
+		arg_rem("default mode:",    "dont-enforce-user-presence-and-sign"),
+		arg_lit0("uU",  "user",     "mode: enforce-user-presence-and-sign"),
+		arg_lit0("cC",  "check",    "mode: check-only"),
+		arg_str0("jJ",  "json",		"fido.json", "JSON input / output file name for parameters."),
+		arg_str0("kK",  "key",		"public key to verify signature", NULL),
+		arg_str0(NULL,  NULL,       "<HEX key handle (var 0..255b)>", NULL),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII challenge parameter (32b HEX/1..16 chars)>", NULL),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII application parameter (32b HEX/1..16 chars)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool paramsPlain = arg_get_lit(3);
+	uint8_t controlByte = 0x08;
+	if (arg_get_lit(5))
+		controlByte = 0x03;
+	if (arg_get_lit(6))
+		controlByte = 0x07;
+
+	char fname[250] = {0};
+	bool err;
+	root = OpenJson(7, fname, argtable, &err);
+	if(err)
+		return 1;
+	if (root) {	
+		size_t jlen;
+		JsonLoadBufAsHex(root, "$.ChallengeParam", data, 32, &jlen);
+		JsonLoadBufAsHex(root, "$.ApplicationParam", &data[32], 32, &jlen);
+		JsonLoadBufAsHex(root, "$.KeyHandle", &data[65], 512 - 67, &jlen);
+		keyHandleLen = jlen & 0xff;
+		data[64] = keyHandleLen;
+		JsonLoadBufAsHex(root, "$.PublicKey", public_key, 65, &jlen);
+		public_key_loaded = (jlen > 0);
+	} 
+
+	// public key
+	CLIGetHexWithReturn(8, hdata, &hdatalen);
+	if (hdatalen && hdatalen != 65) {
+		PrintAndLog("ERROR: public key length must be 65 bytes only.");
+		return 1;
+	}
+	if (hdatalen) {
+		memmove(public_key, hdata, hdatalen);
+		public_key_loaded = true;
+	}	
+	
+	CLIGetHexWithReturn(9, hdata, &hdatalen);
+	if (hdatalen > 255) {
+		PrintAndLog("ERROR: application parameter length must be less than 255.");
+		return 1;
+	}
+	if (hdatalen) {
+		keyHandleLen = hdatalen;
+		data[64] = keyHandleLen;
+		memmove(&data[65], hdata, keyHandleLen);
+	}
+
+	if (paramsPlain) {
+		memset(hdata, 0x00, 32);
+		CLIGetStrWithReturn(9, hdata, &hdatalen);
+		if (hdatalen && hdatalen > 16) {
+			PrintAndLog("ERROR: challenge parameter length in ASCII mode must be less than 16 chars instead of: %d", hdatalen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(10, hdata, &hdatalen);
+		if (hdatalen && hdatalen != 32) {
+			PrintAndLog("ERROR: challenge parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (hdatalen)
+		memmove(data, hdata, 32);
+
+	if (paramsPlain) {
+		memset(hdata, 0x00, 32);
+		CLIGetStrWithReturn(11, hdata, &hdatalen);
+		if (hdatalen && hdatalen > 16) {
+			PrintAndLog("ERROR: application parameter length in ASCII mode must be less than 16 chars instead of: %d", hdatalen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(10, hdata, &hdatalen);
+		if (hdatalen && hdatalen != 32) {
+			PrintAndLog("ERROR: application parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (hdatalen)
+		memmove(&data[32], hdata, 32);
+
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	// (in parameter) conrtol byte 0x07 - check only, 0x03 - user presense + cign. 0x08 - sign only
+ 	// challenge parameter [32 bytes]
+	// application parameter [32 bytes]
+	// key handle length [1b] = N
+	// key handle [N]
+
+	uint8_t datalen = 32 + 32 + 1 + keyHandleLen;
+	
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	int res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDOAuthentication(data, datalen, controlByte,  buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute authentication command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute authentication command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	PrintAndLog("---------------------------------------------------------------");
+	PrintAndLog("User presence: %s", (buf[0]?"verified":"not verified"));
+	uint32_t cntr =  (uint32_t)bytes_to_num(&buf[1], 4);
+	PrintAndLog("Counter: %d", cntr);
+	PrintAndLog("Hash[%d]: %s", len - 5, sprint_hex(&buf[5], len - 5));
+
+	// check ANSI X9.62 format ECDSA signature (on P-256)
+	uint8_t rval[300] = {0}; 
+	uint8_t sval[300] = {0}; 
+	res = ecdsa_asn1_get_signature(&buf[5], len - 5, rval, sval);
+	if (!res) {
+		if (verbose) {
+			PrintAndLog("  r: %s", sprint_hex(rval, 32));
+			PrintAndLog("  s: %s", sprint_hex(sval, 32));
+		}
+		if (public_key_loaded) {
+			uint8_t xbuf[4096] = {0};
+			size_t xbuflen = 0;
+			res = FillBuffer(xbuf, sizeof(xbuf), &xbuflen,
+				&data[32], 32, // application parameter
+				&buf[0], 1,    // user presence
+				&buf[1], 4,    // counter
+				data, 32,      // challenge parameter
+				NULL, 0);
+			//PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen));
+			res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[5], len - 5, true);
+			if (res) {
+				if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) {
+					PrintAndLog("Signature is NOT VALID.");
+				} else {
+					PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res));
+				}
+			} else {
+				PrintAndLog("Signature is OK.");
+			}
+		} else {		
+			PrintAndLog("No public key provided. can't check signature.");
+		}
+	} else {
+		PrintAndLog("Invalid signature. res=%d.", res);
+	}
+	
+	if (root) {
+		JsonSaveBufAsHex(root, "ChallengeParam", data, 32);
+		JsonSaveBufAsHex(root, "ApplicationParam", &data[32], 32);
+		JsonSaveInt(root, "KeyHandleLen", keyHandleLen);
+		JsonSaveBufAsHexCompact(root, "KeyHandle", &data[65], keyHandleLen);
+		JsonSaveInt(root, "Counter", cntr);
+	
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+		
+		// free json object
+		json_decref(root);
+	}
+	return 0;
+};
+
+void CheckSlash(char *fileName) {
+	if ((fileName[strlen(fileName) - 1] != '/') && 
+		(fileName[strlen(fileName) - 1] != '\\'))
+		strcat(fileName, "/");
+}
+
+int GetExistsFileNameJson(char *prefixDir, char *reqestedFileName, char *fileName) {
+	fileName[0] = 0x00;
+	strcpy(fileName, get_my_executable_directory());
+	CheckSlash(fileName);
+	
+	strcat(fileName, prefixDir);
+	CheckSlash(fileName);
+	
+	strcat(fileName, reqestedFileName);
+	if (!strstr(fileName, ".json"))
+		strcat(fileName, ".json");
+	
+	if (access(fileName, F_OK) < 0) {
+		strcpy(fileName, get_my_executable_directory());
+		CheckSlash(fileName);
+		
+		strcat(fileName, reqestedFileName);
+		if (!strstr(fileName, ".json"))
+			strcat(fileName, ".json");
+		
+		if (access(fileName, F_OK) < 0) {
+			return 1; // file not found
+		}
+	}
+	return 0;
+}
+
+int CmdHFFido2MakeCredential(const char *cmd) {
+	json_error_t error;
+	json_t *root = NULL;
+	char fname[300] = {0};
+	
+	CLIParserInit("hf fido make", 
+		"Execute a FIDO2 Make Credentional command. Needs json file with parameters. Sample file `fido2.json`. File can be placed in proxmark directory or in `proxmark/fido` directory.", 
+		"Usage:\n\thf fido make -> execute command default parameters file `fido2.json`\n"
+			"\thf fido make test.json -> execute command with parameters file `text.json`");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_litn("vV",  "verbose",  0, 2, "show technical data. vv - show full certificates data"),
+		arg_lit0("tT",  "tlv",      "Show DER certificate contents in TLV representation"),
+		arg_lit0("cC",  "cbor",     "show CBOR decoded data"),
+		arg_str0(NULL,  NULL,		"<json file name>", "JSON input / output file name for parameters. Default `fido2.json`"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool verbose2 = arg_get_lit(2) > 1;
+	bool showDERTLV = arg_get_lit(3);
+	bool showCBOR = arg_get_lit(4);
+
+	uint8_t jsonname[250] ={0};
+	char *cjsonname = (char *)jsonname;
+	int jsonnamelen = 0;
+	CLIGetStrWithReturn(5, jsonname, &jsonnamelen);
+
+	if (!jsonnamelen) {
+		strcat(cjsonname, "fido2");
+		jsonnamelen = strlen(cjsonname);
+	}
+
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	int res = GetExistsFileNameJson("fido", cjsonname, fname);
+	if(res) {
+		PrintAndLog("ERROR: Can't found the json file.");
+		return res;
+	}
+	PrintAndLog("fname: %s\n", fname);
+	root = json_load_file(fname, 0, &error);	
+	if (!root) {
+		PrintAndLog("ERROR: json error on line %d: %s", error.line, error.text);
+		return 1;
+	}
+	
+	uint8_t data[2048] = {0};
+	size_t datalen = 0;
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDO2CreateMakeCredentionalReq(root, data, sizeof(data), &datalen);
+	if (res)
+		return res;
+	
+	if (showCBOR) {
+		PrintAndLog("CBOR make credentional request:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdMakeCredential, false, data, datalen);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+	
+	res = FIDO2MakeCredential(data, datalen, buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute make credential command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute make credential command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	if(buf[0]) {
+		PrintAndLog("FIDO2 make credential error: %d - %s", buf[0], fido2GetCmdErrorDescription(buf[0])); 
+		return 0;
+	}
+
+	PrintAndLog("MakeCredential result (%d b) OK.", len);
+	if (showCBOR) {
+		PrintAndLog("CBOR make credentional response:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdMakeCredential, true, &buf[1], len - 1);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+
+	// parse returned cbor
+	FIDO2MakeCredentionalParseRes(root, &buf[1], len - 1, verbose, verbose2, showCBOR, showDERTLV);
+	
+	if (root) {
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+	}
+	
+	json_decref(root);
+
+	return 0;
+};
+
+int CmdHFFido2GetAssertion(const char *cmd) {
+	json_error_t error;
+	json_t *root = NULL;
+	char fname[300] = {0};
+	
+	CLIParserInit("hf fido assert", 
+		"Execute a FIDO2 Get Assertion command. Needs json file with parameters. Sample file `fido2.json`. File can be placed in proxmark directory or in `proxmark/fido` directory.", 
+		"Usage:\n\thf fido assert -> execute command default parameters file `fido2.json`\n"
+			"\thf fido assert test.json -l -> execute command with parameters file `text.json` and add to request CredentialId");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_litn("vV",  "verbose",  0, 2, "show technical data. vv - show full certificates data"),
+		arg_lit0("cC",  "cbor",     "show CBOR decoded data"),
+		arg_lit0("lL",  "list",     "add CredentialId from json to allowList. Needs if `rk` option is `false` (authenticator don't store credential to its memory)"),
+		arg_str0(NULL,  NULL,		"<json file name>", "JSON input / output file name for parameters. Default `fido2.json`"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool verbose2 = arg_get_lit(2) > 1;
+	bool showCBOR = arg_get_lit(3);
+	bool createAllowList = arg_get_lit(4);
+
+	uint8_t jsonname[250] ={0};
+	char *cjsonname = (char *)jsonname;
+	int jsonnamelen = 0;
+	CLIGetStrWithReturn(5, jsonname, &jsonnamelen);
+
+	if (!jsonnamelen) {
+		strcat(cjsonname, "fido2");
+		jsonnamelen = strlen(cjsonname);
+	}
+
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	int res = GetExistsFileNameJson("fido", "fido2", fname);
+	if(res) {
+		PrintAndLog("ERROR: Can't found the json file.");
+		return res;
+	}
+	PrintAndLog("fname: %s\n", fname);
+	root = json_load_file(fname, 0, &error);	
+	if (!root) {
+		PrintAndLog("ERROR: json error on line %d: %s", error.line, error.text);
+		return 1;
+	}
+	
+	uint8_t data[2048] = {0};
+	size_t datalen = 0;
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDO2CreateGetAssertionReq(root, data, sizeof(data), &datalen, createAllowList);
+	if (res)
+		return res;
+	
+	if (showCBOR) {
+		PrintAndLog("CBOR get assertion request:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdGetAssertion, false, data, datalen);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+	
+	res = FIDO2GetAssertion(data, datalen, buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute get assertion command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute get assertion command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	if(buf[0]) {
+		PrintAndLog("FIDO2 get assertion error: %d - %s", buf[0], fido2GetCmdErrorDescription(buf[0])); 
+		return 0;
+	}
+
+	PrintAndLog("GetAssertion result (%d b) OK.", len);
+	if (showCBOR) {
+		PrintAndLog("CBOR get assertion response:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdGetAssertion, true, &buf[1], len - 1);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+
+	// parse returned cbor
+	FIDO2GetAssertionParseRes(root, &buf[1], len - 1, verbose, verbose2, showCBOR);
+	
+	if (root) {
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+	}
+
+	json_decref(root);
+	
+	return 0;
+};
+
+static command_t CommandTable[] =
+{
+  {"help",             CmdHelp,					1, "This help."},
+  {"info",  	       CmdHFFidoInfo,			0, "Info about FIDO tag."},
+  {"reg",  	  	 	   CmdHFFidoRegister,		0, "FIDO U2F Registration Message."},
+  {"auth",  	       CmdHFFidoAuthenticate,	0, "FIDO U2F Authentication Message."},
+  {"make",  	       CmdHFFido2MakeCredential,	0, "FIDO2 MakeCredential command."},
+  {"assert",  	       CmdHFFido2GetAssertion,		0, "FIDO2 GetAssertion command."},
+  {NULL,               NULL,					0, NULL}
+};
+
+int CmdHFFido(const char *Cmd) {
+	(void)WaitForResponseTimeout(CMD_ACK,NULL,100);
+	CmdsParse(CommandTable, Cmd);
+	return 0;
+}
+
+int CmdHelp(const char *Cmd) {
+  CmdsHelp(CommandTable);
+  return 0;
+}

client/cmdhffido.h

@@ -0,0 +1,27 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency FIDO U2F and FIDO2 contactless authenticators
+//-----------------------------------------------------------------------------
+//
+//  Documentation here:
+//
+// FIDO Alliance specifications
+// https://fidoalliance.org/download/
+// FIDO NFC Protocol Specification v1.0
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-nfc-protocol-v1.2-ps-20170411.html
+// FIDO U2F Raw Message Formats
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html
+//-----------------------------------------------------------------------------
+
+#ifndef CMDHFFIDO_H__
+#define CMDHFFIDO_H__
+
+extern int CmdHFFido(const char *Cmd);
+
+
+#endif

client/cmdhficlass.h

@@ -13,11 +13,6 @@
 #define CMDHFICLASS_H__
 
 int CmdHFiClass(const char *Cmd);
-
-int CmdHFiClassSnoop(const char *Cmd);
-int CmdHFiClassSim(const char *Cmd);
-int CmdHFiClassList(const char *Cmd);
-int CmdHFiClassReader(const char *Cmd);
-int saveFile(const char *preferredName, const char *suffix, const void* data, size_t datalen);
+int HFiClassReader(bool loop, bool verbose);
 
 #endif

client/cmdhflegic.c

@@ -8,41 +8,43 @@
 // High frequency Legic commands
 //-----------------------------------------------------------------------------
 
+#include "cmdhflegic.h"
+
 #include <stdio.h>
 #include <string.h>
-//#include "proxusb.h"
-#include "proxmark3.h"
-#include "data.h"
+#include <inttypes.h>
+#include "comms.h"
 #include "ui.h"
 #include "cmdparser.h"
-#include "cmdhflegic.h"
 #include "cmdmain.h"
+#include "util.h"
+#include "../include/legic.h"
 
 static int CmdHelp(const char *Cmd);
 
-static command_t CommandTable[] = 
+static command_t CommandTable[] =
 {
-  {"help",        CmdHelp,        1, "This help"},
-  {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
-  {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
-  {"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
-  {"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
-  {"sim",         CmdLegicRfSim,  0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
-  {"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
-  {"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
-  {NULL, NULL, 0, NULL}
+	{"help",        CmdHelp,        1, "This help"},
+	{"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
+	{"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
+	{"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
+	{"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
+	{"sim",         CmdLegicRfSim,  0, "[tagtype, 0:MIM22, 1:MIM256, 2:MIM1024] Start tag simulator (use after load or read)"},
+	{"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
+	{"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
+	{NULL,          NULL,           0, NULL}
 };
 
 int CmdHFLegic(const char *Cmd)
 {
-  CmdsParse(CommandTable, Cmd);
-  return 0;
+	CmdsParse(CommandTable, Cmd);
+	return 0;
 }
 
 int CmdHelp(const char *Cmd)
 {
-  CmdsHelp(CommandTable);
-  return 0;
+	CmdsHelp(CommandTable);
+	return 0;
 }
 
 /*
@@ -52,299 +54,327 @@ int CmdHelp(const char *Cmd)
  */
 int CmdLegicDecode(const char *Cmd)
 {
-  int i, j, k, n;
-  int segment_len = 0;
-  int segment_flag = 0;
-  int stamp_len = 0;
-  int crc = 0;
-  int wrp = 0;
-  int wrc = 0;
-  uint8_t data_buf[1024]; // receiver buffer
-  char out_string[3076]; // just use big buffer - bad practice
-  char token_type[4];
-  
-  // copy data from proxmark into buffer
-   GetFromBigBuf(data_buf,sizeof(data_buf),0);
-   WaitForResponse(CMD_ACK,NULL);
-    
-  // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
-  
-  PrintAndLog("\nCDF: System Area");
-  
-  PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
-    data_buf[0],
-    data_buf[1],
-    data_buf[2],
-    data_buf[3],
-    data_buf[4]
-  );
-  
-  crc = data_buf[4];
- 
-  switch (data_buf[5]&0x7f) {
-    case 0x00 ... 0x2f:
-      strncpy(token_type, "IAM",sizeof(token_type));
-      break;
-    case 0x30 ... 0x6f:
-      strcpy(token_type, "SAM");
-      break;
-    case 0x70 ... 0x7f:
-      strcpy(token_type, "GAM");
-      break;
-    default:
-      strcpy(token_type, "???");
-      break;
-  }
-  
-  stamp_len = 0xfc - data_buf[6];
-  
-  PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
-    data_buf[5],
-    data_buf[6],
-    token_type,
-    (data_buf[5]&0x80)>>7,
-    stamp_len
-  );
-  
-  PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
-    data_buf[7]&0x0f,
-    (data_buf[7]&0x70)>>4,
-    (data_buf[7]&0x80)>>7,
-    data_buf[7],
-    data_buf[8]
-  );
-  
-  PrintAndLog("Remaining Header Area");
-  
-  PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
-      data_buf[9],
-    data_buf[10],
-    data_buf[11],
-    data_buf[12],
-    data_buf[13],
-    data_buf[14],
-    data_buf[15],
-    data_buf[16],
-    data_buf[17],
-    data_buf[18],
-    data_buf[19],
-    data_buf[20],
-    data_buf[21]
-  );
-  
-  PrintAndLog("\nADF: User Area");
-  
-  i = 22;  
-  for (n=0; n<64; n++) {
-    segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
-    segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
-    
-    wrp = (data_buf[i+2]^crc);
-    wrc = ((data_buf[i+3]^crc)&0x70)>>4;
-    
-     PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
-      n,
-      data_buf[i]^crc,
-      data_buf[i+1]^crc,
-      data_buf[i+2]^crc,
-      data_buf[i+3]^crc,
-      segment_flag,
-      (segment_flag&0x4)>>2,
-      (segment_flag&0x8)>>3,
-      segment_len,
-      wrp,
-      wrc,
-      ((data_buf[i+3]^crc)&0x80)>>7,
-      (data_buf[i+4]^crc)
-    );
-    
-    i+=5;
-    
-    if (wrc>0) {
-      PrintAndLog("WRC protected area:");
-      for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
-        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
-        out_string[j+2] = ' ';
-      };
-        
-      out_string[j] = '\0';
-    
-      PrintAndLog("%s", out_string);
-    }
-    
-    if (wrp>wrc) {
-      PrintAndLog("Remaining write protected area:");
-      
-      for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
-        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
-        out_string[j+2] = ' ';
-      };
-    
-      out_string[j] = '\0';
-    
-      PrintAndLog("%s", out_string);
-      if((wrp-wrc) == 8) {
-        sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
-        PrintAndLog("%s", out_string);
-      }
-    }
-    
-    PrintAndLog("Remaining segment payload:");
-    for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
-      sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
-      out_string[j+2] = ' ';
-    };
-    
-    out_string[j] = '\0';
-    
-    PrintAndLog("%s", out_string);
-    
-    // end with last segment
-    if (segment_flag & 0x8)
-      return 0;
-  };
-  return 0;
+	int i, j, k, n;
+	int segment_len = 0;
+	int segment_flag = 0;
+	int stamp_len = 0;
+	int crc = 0;
+	int wrp = 0;
+	int wrc = 0;
+	uint8_t data_buf[1053]; // receiver buffer
+	char out_string[3076]; // just use big buffer - bad practice
+	char token_type[4];
+
+	// copy data from proxmark into buffer
+	GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);
+
+	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
+
+	PrintAndLog("\nCDF: System Area");
+
+	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
+		data_buf[0],
+		data_buf[1],
+		data_buf[2],
+		data_buf[3],
+		data_buf[4]
+	);
+
+	crc = data_buf[4];
+
+	switch (data_buf[5]&0x7f) {
+	case 0x00 ... 0x2f:
+		strncpy(token_type, "IAM",sizeof(token_type));
+		break;
+	case 0x30 ... 0x6f:
+		strcpy(token_type, "SAM");
+		break;
+	case 0x70 ... 0x7f:
+		strcpy(token_type, "GAM");
+		break;
+	default:
+		strcpy(token_type, "???");
+		break;
+	}
+
+	stamp_len = 0xfc - data_buf[6];
+
+	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
+		data_buf[5],
+		data_buf[6],
+		token_type,
+		(data_buf[5]&0x80)>>7,
+		stamp_len
+	);
+
+	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
+		data_buf[7]&0x0f,
+		(data_buf[7]&0x70)>>4,
+		(data_buf[7]&0x80)>>7,
+		data_buf[7],
+		data_buf[8]
+	);
+
+	PrintAndLog("Remaining Header Area");
+
+	PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+		data_buf[9],
+		data_buf[10],
+		data_buf[11],
+		data_buf[12],
+		data_buf[13],
+		data_buf[14],
+		data_buf[15],
+		data_buf[16],
+		data_buf[17],
+		data_buf[18],
+		data_buf[19],
+		data_buf[20],
+		data_buf[21]
+	);
+
+	PrintAndLog("\nADF: User Area");
+
+	i = 22;
+	for (n=0; n<64; n++) {
+		segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
+		segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
+
+		wrp = (data_buf[i+2]^crc);
+		wrc = ((data_buf[i+3]^crc)&0x70)>>4;
+
+		PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
+			n,
+			data_buf[i]^crc,
+			data_buf[i+1]^crc,
+			data_buf[i+2]^crc,
+			data_buf[i+3]^crc,
+			segment_flag,
+			(segment_flag&0x4)>>2,
+			(segment_flag&0x8)>>3,
+			segment_len,
+			wrp,
+			wrc,
+			((data_buf[i+3]^crc)&0x80)>>7,
+			(data_buf[i+4]^crc)
+		);
+
+		i+=5;
+
+		if (wrc>0) {
+			PrintAndLog("WRC protected area:");
+			for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
+				sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
+				out_string[j+2] = ' ';
+			};
+
+			out_string[j] = '\0';
+
+			PrintAndLog("%s", out_string);
+		}
+
+		if (wrp>wrc) {
+			PrintAndLog("Remaining write protected area:");
+
+			for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
+				sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
+				out_string[j+2] = ' ';
+			};
+
+			out_string[j] = '\0';
+
+			PrintAndLog("%s", out_string);
+			if((wrp-wrc) == 8) {
+				sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
+				PrintAndLog("%s", out_string);
+			}
+		}
+
+		PrintAndLog("Remaining segment payload:");
+		for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
+			sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
+			out_string[j+2] = ' ';
+		};
+
+		out_string[j] = '\0';
+
+		PrintAndLog("%s", out_string);
+
+		// end with last segment
+		if (segment_flag & 0x8)
+			return 0;
+	};
+	return 0;
 }
 
 int CmdLegicRFRead(const char *Cmd)
 {
-  int byte_count=0,offset=0;
-  sscanf(Cmd, "%i %i", &offset, &byte_count);
-  if(byte_count == 0) byte_count = -1;
-  if(byte_count + offset > 1024) byte_count = 1024 - offset;
-  UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
-  SendCommand(&c);
-  return 0;
+	int byte_count=0,offset=0;
+	sscanf(Cmd, "%i %i", &offset, &byte_count);
+	if(byte_count == 0) byte_count = -1;
+	if(byte_count + offset > 1024) byte_count = 1024 - offset;
+	UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
+	SendCommand(&c);
+	UsbCommand resp;
+	WaitForResponse(CMD_ACK,&resp);
+	switch (resp.arg[0]) {
+		legic_card_select_t card;
+		case 0:
+			memcpy(&card, resp.d.asBytes, sizeof(card));
+			PrintAndLog("Card (MIM %i) read, use 'hf legic decode' or", card.cardsize);
+			PrintAndLog("'data hexsamples %d' to view results", (resp.arg[1] + 7) & ~7);
+			break;
+		case 1:
+			PrintAndLog("No or unknown card found, aborting");
+			break;
+		case 2:
+			PrintAndLog("operation failed @ 0x%03.3x", resp.arg[1]);
+			break;
+		}
+	return resp.arg[0];
 }
 
 int CmdLegicLoad(const char *Cmd)
 {
-    FILE *f = fopen(Cmd, "r");
-    if(!f) {
-        PrintAndLog("couldn't open '%s'", Cmd);
-        return -1;
-    }
-    char line[80]; int offset = 0; unsigned int data[8];
-    while(fgets(line, sizeof(line), f)) {
-        int res = sscanf(line, "%x %x %x %x %x %x %x %x", 
-            &data[0], &data[1], &data[2], &data[3],
-            &data[4], &data[5], &data[6], &data[7]);
-        if(res != 8) {
-          PrintAndLog("Error: could not read samples");
-          fclose(f);
-          return -1;
-        }
-        UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
-        int j; for(j = 0; j < 8; j++) {
-            c.d.asBytes[j] = data[j];
-        }
-        SendCommand(&c);
-        WaitForResponse(CMD_ACK, NULL);
-        offset += 8;
-    }
-    fclose(f);
-    PrintAndLog("loaded %u samples", offset);
-    return 0;
+	char filename[FILE_PATH_SIZE] = {0x00};
+	int len = 0;
+
+	if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
+		PrintAndLog("It loads datasamples from the file `filename`");
+		PrintAndLog("Usage:  hf legic load <file name>");
+		PrintAndLog(" sample: hf legic load filename");
+		return 0;
+	}
+
+	len = strlen(Cmd);
+	if (len > FILE_PATH_SIZE) {
+		PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
+		return 0;
+	}
+	memcpy(filename, Cmd, len);
+
+	FILE *f = fopen(filename, "r");
+	if (!f) {
+		PrintAndLog("couldn't open '%s'", Cmd);
+		return -1;
+	}
+	char line[80]; int offset = 0; unsigned int data[8];
+	while (fgets(line, sizeof(line), f)) {
+		int res = sscanf(line, "%x %x %x %x %x %x %x %x",
+			&data[0], &data[1], &data[2], &data[3],
+			&data[4], &data[5], &data[6], &data[7]);
+		if (res != 8) {
+			PrintAndLog("Error: could not read samples");
+			fclose(f);
+			return -1;
+		}
+		UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
+		int j; for(j = 0; j < 8; j++) {
+			c.d.asBytes[j] = data[j];
+		}
+		SendCommand(&c);
+		WaitForResponse(CMD_ACK, NULL);
+		offset += 8;
+	}
+	fclose(f);
+	PrintAndLog("loaded %u samples", offset);
+	return 0;
 }
 
 int CmdLegicSave(const char *Cmd)
 {
-  int requested = 1024;
-  int offset = 0;
-  int delivered = 0;
-  char filename[1024];
-  uint8_t got[1024];
-  
-  sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
+	int requested = 1024;
+	int offset = 0;
+	int delivered = 0;
+	char filename[FILE_PATH_SIZE];
+	uint8_t got[1024];
 
-  /* If no length given save entire legic read buffer */
-  /* round up to nearest 8 bytes so the saved data can be used with legicload */
-  if (requested == 0) {
-    requested = 1024;
-  }
-  if (requested % 8 != 0) {
-    int remainder = requested % 8;
-    requested = requested + 8 - remainder;
-  }
-  
-  if (offset + requested > sizeof(got)) {
-    PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
-    return 0;
-  }
-  
-  FILE *f = fopen(filename, "w");
-  if(!f) {
-    PrintAndLog("couldn't open '%s'", Cmd+1);
-    return -1;
-  }
+	sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
 
-  GetFromBigBuf(got,requested,offset);
-  WaitForResponse(CMD_ACK,NULL);
+	/* If no length given save entire legic read buffer */
+	/* round up to nearest 8 bytes so the saved data can be used with legicload */
+	if (requested == 0) {
+		requested = 1024;
+	}
+	if (requested % 8 != 0) {
+		int remainder = requested % 8;
+		requested = requested + 8 - remainder;
+	}
+	if (offset + requested > sizeof(got)) {
+		PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
+		return 0;
+	}
 
-  for (int j = 0; j < requested; j += 8) {
-    fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
-      got[j+0],
-      got[j+1],
-      got[j+2],
-      got[j+3],
-      got[j+4],
-      got[j+5],
-      got[j+6],
-      got[j+7]
-    );
-    delivered += 8;
-    if (delivered >= requested)
-      break;
-  }
+	FILE *f = fopen(filename, "w");
+	if (!f) {
+		PrintAndLog("couldn't open '%s'", Cmd+1);
+		return -1;
+	}
 
-  fclose(f);
-  PrintAndLog("saved %u samples", delivered);
-  return 0;
+	GetFromBigBuf(got, requested, offset, NULL, -1, false);
+
+	for (int j = 0; j < requested; j += 8) {
+		fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
+			got[j+0],
+			got[j+1],
+			got[j+2],
+			got[j+3],
+			got[j+4],
+			got[j+5],
+			got[j+6],
+			got[j+7]
+		);
+		delivered += 8;
+		if (delivered >= requested)
+			break;
+	}
+
+	fclose(f);
+	PrintAndLog("saved %u samples", delivered);
+	return 0;
 }
 
 int CmdLegicRfSim(const char *Cmd)
 {
    UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
-   c.arg[0] = 6;
-   c.arg[1] = 3;
-   c.arg[2] = 0;
-   sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
+   c.arg[0] = 1;
+   sscanf(Cmd, " %" SCNi64, &c.arg[0]);
    SendCommand(&c);
    return 0;
 }
 
 int CmdLegicRfWrite(const char *Cmd)
 {
-    UsbCommand c={CMD_WRITER_LEGIC_RF};
-    int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
-	if(res != 2) {
+	UsbCommand c={CMD_WRITER_LEGIC_RF};
+	int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
+	if (res != 2) {
 		PrintAndLog("Please specify the offset and length as two hex strings");
-        return -1;
-    }
-    SendCommand(&c);
-    return 0;
+		return -1;
+	}
+	SendCommand(&c);
+	return 0;
 }
 
 int CmdLegicRfFill(const char *Cmd)
 {
-    UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
-    int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
-    if(res != 3) {
-        PrintAndLog("Please specify the offset, length and value as two hex strings");
-        return -1;
-    }
+	UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
+	int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
+	if (res != 3) {
+		PrintAndLog("Please specify the offset, length and value as two hex strings");
+		return -1;
+	}
 
-    int i;
-    UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
-    for(i = 0; i < 48; i++) {
-      c.d.asBytes[i] = cmd.arg[2];
-    }
-    for(i = 0; i < 22; i++) {
-      c.arg[0] = i*48;
-      SendCommand(&c);
-      WaitForResponse(CMD_ACK,NULL);
-    }
-    SendCommand(&cmd);
-    return 0;
+	int i;
+	UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
+	for (i = 0; i < 48; i++) {
+		c.d.asBytes[i] = cmd.arg[2];
+	}
+	for (i = 0; i < 22; i++) {
+		c.arg[0] = i*48;
+		SendCommand(&c);
+		WaitForResponse(CMD_ACK,NULL);
+	}
+	SendCommand(&cmd);
+	return 0;
  }
 

client/cmdhflist.h

@@ -0,0 +1,16 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
+// Copyright (C) Merlok - 2017
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Command: hf mf list. It shows data from arm buffer.
+//-----------------------------------------------------------------------------
+#ifndef CMDHFLIST_H
+#define CMDHFLIST_H
+
+extern int CmdHFList(const char *Cmd);
+
+#endif // CMDHFLIST_H

client/cmdhfmf.h

@@ -11,48 +11,6 @@
 #ifndef CMDHFMF_H__
 #define CMDHFMF_H__
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include "proxmark3.h"
-#include "iso14443crc.h"
-#include "data.h"
-//#include "proxusb.h"
-#include "ui.h"
-#include "cmdparser.h"
-#include "common.h"
-#include "util.h"
-#include "mifarehost.h"
-
-int CmdHFMF(const char *Cmd);
-
-int CmdHF14AMfDbg(const char* cmd);
-int CmdHF14AMfRdBl(const char* cmd);
-int CmdHF14AMfURdBl(const char* cmd);
-int CmdHF14AMfRdSc(const char* cmd);
-int CmdHF14SMfURdCard(const char* cmd);
-int CmdHF14AMfDump(const char* cmd);
-int CmdHF14AMfRestore(const char* cmd);
-int CmdHF14AMfWrBl(const char* cmd);
-int CmdHF14AMfUWrBl(const char* cmd);
-int CmdHF14AMfChk(const char* cmd);
-int CmdHF14AMifare(const char* cmd);
-int CmdHF14AMfNested(const char* cmd);
-int CmdHF14AMfSniff(const char* cmd);
-int CmdHF14AMf1kSim(const char* cmd);
-int CmdHF14AMfEClear(const char* cmd);
-int CmdHF14AMfEGet(const char* cmd);
-int CmdHF14AMfESet(const char* cmd);
-int CmdHF14AMfELoad(const char* cmd);
-int CmdHF14AMfESave(const char* cmd);
-int CmdHF14AMfECFill(const char* cmd);
-int CmdHF14AMfEKeyPrn(const char* cmd);
-int CmdHF14AMfCSetUID(const char* cmd);
-int CmdHF14AMfCSetBlk(const char* cmd);
-int CmdHF14AMfCGetBlk(const char* cmd);
-int CmdHF14AMfCGetSc(const char* cmd);
-int CmdHF14AMfCLoad(const char* cmd);
-int CmdHF14AMfCSave(const char* cmd);
+extern int CmdHFMF(const char *Cmd);
 
 #endif

client/cmdhfmfhard.h

@@ -0,0 +1,48 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2015 piwi
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// hf mf hardnested command
+//-----------------------------------------------------------------------------
+
+#ifndef CMDHFMFHARD_H__
+#define CMDHFMFHARD_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#define NUM_SUMS 						19		// number of possible sum property values
+
+typedef struct guess_sum_a8 {
+	float prob;
+	uint64_t num_states;
+	uint8_t sum_a8_idx;
+} guess_sum_a8_t;
+
+typedef struct noncelistentry {
+	uint32_t nonce_enc;
+	uint8_t par_enc;
+	void *next;
+} noncelistentry_t;
+
+typedef struct noncelist {
+	uint16_t num;
+	uint16_t Sum;
+	guess_sum_a8_t sum_a8_guess[NUM_SUMS];
+	bool sum_a8_guess_dirty;
+	float expected_num_brute_force;
+	uint8_t BitFlips[0x400];
+	uint32_t *states_bitarray[2];
+	uint32_t num_states_bitarray[2];
+	bool all_bitflips_dirty[2];
+	noncelistentry_t *first;
+} noncelist_t;
+
+int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t *trgkey, bool nonce_file_read, bool nonce_file_write, bool slow, int tests);
+void hardnested_print_progress(uint32_t nonces, char *activity, float brute_force, uint64_t min_diff_print_time);
+
+#endif
+

client/cmdhfmfp.c

@@ -0,0 +1,867 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+// Copyright (C) 2018 drHatson
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency MIFARE  Plus commands
+//-----------------------------------------------------------------------------
+
+#include "cmdhfmfp.h"
+
+#include <inttypes.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include "comms.h"
+#include "cmdmain.h"
+#include "util.h"
+#include "ui.h"
+#include "cmdhf14a.h"
+#include "mifare.h"
+#include "mifare/mifare4.h"
+#include "mifare/mad.h"
+#include "mifare/ndef.h"
+#include "cliparser/cliparser.h"
+#include "crypto/libpcrypto.h"
+#include "emv/dump.h"
+
+static const uint8_t DefaultKey[16] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+
+static int CmdHelp(const char *Cmd);
+
+int CmdHFMFPInfo(const char *cmd) {
+	
+	if (cmd && strlen(cmd) > 0)
+		PrintAndLog("WARNING: command don't have any parameters.\n");
+	
+	// info about 14a part
+	CmdHF14AInfo("");
+
+	// Mifare Plus info
+	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
+	SendCommand(&c);
+
+	UsbCommand resp;
+	WaitForResponse(CMD_ACK,&resp);
+	
+	iso14a_card_select_t card;
+	memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
+
+	uint64_t select_status = resp.arg[0];		// 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+	
+	if (select_status == 1 || select_status == 2) {
+		PrintAndLog("----------------------------------------------");
+		PrintAndLog("Mifare Plus info:");
+		
+		// MIFARE Type Identification Procedure
+		// https://www.nxp.com/docs/en/application-note/AN10833.pdf
+		uint16_t ATQA = card.atqa[0] + (card.atqa[1] << 8);
+		if (ATQA == 0x0004) PrintAndLog("ATQA: Mifare Plus 2k 4bUID");
+		if (ATQA == 0x0002) PrintAndLog("ATQA: Mifare Plus 4k 4bUID");
+		if (ATQA == 0x0044) PrintAndLog("ATQA: Mifare Plus 2k 7bUID");
+		if (ATQA == 0x0042) PrintAndLog("ATQA: Mifare Plus 4k 7bUID");
+		
+		uint8_t SLmode = 0xff;
+		if (card.sak == 0x08) {
+			PrintAndLog("SAK: Mifare Plus 2k 7bUID");
+			if (select_status == 2) SLmode = 1;
+		}
+		if (card.sak == 0x18) {
+			PrintAndLog("SAK: Mifare Plus 4k 7bUID");
+			if (select_status == 2) SLmode = 1;
+		}
+		if (card.sak == 0x10) {
+			PrintAndLog("SAK: Mifare Plus 2k");
+			if (select_status == 2) SLmode = 2;
+		}
+		if (card.sak == 0x11) {
+			PrintAndLog("SAK: Mifare Plus 4k");
+			if (select_status == 2) SLmode = 2;
+		}
+		if (card.sak == 0x20) {
+			PrintAndLog("SAK: Mifare Plus SL0/SL3 or Mifare desfire");
+			if (card.ats_len > 0) {
+				SLmode = 3;
+
+				// check SL0
+				uint8_t data[250] = {0};
+				int datalen = 0;
+				// https://github.com/Proxmark/proxmark3/blob/master/client/scripts/mifarePlus.lua#L161
+				uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00};
+				int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen);
+				if (!res && datalen > 1 && data[0] == 0x09) {
+					SLmode = 0;
+				}
+			}
+		}
+		
+		if (SLmode != 0xff)
+			PrintAndLog("Mifare Plus SL mode: SL%d", SLmode);
+		else
+			PrintAndLog("Mifare Plus SL mode: unknown(");
+	} else {
+		PrintAndLog("Mifare Plus info not available.");
+	}
+	
+	DropField();
+	
+	return 0;
+}
+
+int CmdHFMFPWritePerso(const char *cmd) {
+	uint8_t keyNum[64] = {0};
+	int keyNumLen = 0;
+	uint8_t key[64] = {0};
+	int keyLen = 0;
+
+	CLIParserInit("hf mfp wrp", 
+		"Executes Write Perso command. Can be used in SL0 mode only.", 
+		"Usage:\n\thf mfp wrp 4000 000102030405060708090a0b0c0d0e0f -> write key (00..0f) to key number 4000 \n"
+			"\thf mfp wrp 4000 -> write default key(0xff..0xff) to key number 4000");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_str1(NULL,  NULL,      "<HEX key number (2b)>", NULL),
+		arg_strx0(NULL,  NULL,     "<HEX key (16b)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	CLIGetHexWithReturn(2, keyNum, &keyNumLen);
+	CLIGetHexWithReturn(3, key, &keyLen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+	
+	if (!keyLen) {
+		memmove(key, DefaultKey, 16);
+		keyLen = 16;
+	}
+	
+	if (keyNumLen != 2) {
+		PrintAndLog("Key number length must be 2 bytes instead of: %d", keyNumLen);
+		return 1;
+	}
+	if (keyLen != 16) {
+		PrintAndLog("Key length must be 16 bytes instead of: %d", keyLen);
+		return 1;
+	}
+
+	uint8_t data[250] = {0};
+	int datalen = 0;
+
+	int res = MFPWritePerso(keyNum, key, true, false, data, sizeof(data), &datalen);
+	if (res) {
+		PrintAndLog("Exchange error: %d", res);
+		return res;
+	}
+	
+	if (datalen != 3) {
+		PrintAndLog("Command must return 3 bytes instead of: %d", datalen);
+		return 1;
+	}
+
+	if (data[0] != 0x90) {
+		PrintAndLog("Command error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		return 1;
+	}
+	PrintAndLog("Write OK.");
+	
+	return 0;
+}
+
+uint16_t CardAddresses[] = {0x9000, 0x9001, 0x9002, 0x9003, 0x9004, 0xA000, 0xA001, 0xA080, 0xA081, 0xC000, 0xC001};
+
+int CmdHFMFPInitPerso(const char *cmd) {
+	int res;
+	uint8_t key[256] = {0};
+	int keyLen = 0;
+	uint8_t keyNum[2] = {0};
+	uint8_t data[250] = {0};
+	int datalen = 0;
+
+	CLIParserInit("hf mfp initp", 
+		"Executes Write Perso command for all card's keys. Can be used in SL0 mode only.", 
+		"Usage:\n\thf mfp initp 000102030405060708090a0b0c0d0e0f -> fill all the keys with key (00..0f)\n"
+			"\thf mfp initp -vv -> fill all the keys with default key(0xff..0xff) and show all the data exchange");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_litn("vV",  "verbose", 0, 2, "show internal data."),
+		arg_strx0(NULL,  NULL,      "<HEX key (16b)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	bool verbose2 = arg_get_lit(1) > 1;
+	CLIGetHexWithReturn(2, key, &keyLen);
+	CLIParserFree();
+
+	if (keyLen && keyLen != 16) {
+		PrintAndLog("Key length must be 16 bytes instead of: %d", keyLen);
+		return 1;
+	}
+	
+	if (!keyLen)
+		memmove(key, DefaultKey, 16);
+
+	mfpSetVerboseMode(verbose2);
+	for (uint16_t sn = 0x4000; sn < 0x4050; sn++) {
+		keyNum[0] = sn >> 8;
+		keyNum[1] = sn & 0xff;
+		res = MFPWritePerso(keyNum, key, (sn == 0x4000), true, data, sizeof(data), &datalen);
+		if (!res && (datalen == 3) && data[0] == 0x09) {
+			PrintAndLog("2k card detected.");
+			break;
+		}
+		if (res || (datalen != 3) || data[0] != 0x90) {
+			PrintAndLog("Write error on address %04x", sn);
+			break;
+		}
+	}
+	
+	mfpSetVerboseMode(verbose);
+	for (int i = 0; i < sizeof(CardAddresses) / 2; i++) {
+		keyNum[0] = CardAddresses[i] >> 8;
+		keyNum[1] = CardAddresses[i] & 0xff;
+		res = MFPWritePerso(keyNum, key, false, true, data, sizeof(data), &datalen);
+		if (!res && (datalen == 3) && data[0] == 0x09) {
+			PrintAndLog("Skipped[%04x]...", CardAddresses[i]);
+		} else {
+			if (res || (datalen != 3) || data[0] != 0x90) {
+				PrintAndLog("Write error on address %04x", CardAddresses[i]);
+				break;
+			}
+		}
+	}
+	
+	DropField();
+	
+	if (res)
+		return res;
+	
+	PrintAndLog("Done.");
+	
+	return 0;
+}
+
+int CmdHFMFPCommitPerso(const char *cmd) {
+	CLIParserInit("hf mfp commitp", 
+		"Executes Commit Perso command. Can be used in SL0 mode only.", 
+		"Usage:\n\thf mfp commitp ->  \n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_int0(NULL,  NULL,      "SL mode", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+	
+	uint8_t data[250] = {0};
+	int datalen = 0;
+
+	int res = MFPCommitPerso(true, false, data, sizeof(data), &datalen);
+	if (res) {
+		PrintAndLog("Exchange error: %d", res);
+		return res;
+	}
+	
+	if (datalen != 3) {
+		PrintAndLog("Command must return 3 bytes instead of: %d", datalen);
+		return 1;
+	}
+
+	if (data[0] != 0x90) {
+		PrintAndLog("Command error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		return 1;
+	}
+	PrintAndLog("Switch level OK.");
+
+	return 0;
+}
+
+int CmdHFMFPAuth(const char *cmd) {
+	uint8_t keyn[250] = {0};
+	int keynlen = 0;
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	
+	CLIParserInit("hf mfp auth", 
+		"Executes AES authentication command for Mifare Plus card", 
+		"Usage:\n\thf mfp auth 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"
+			"\thf mfp auth 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -v -> executes authentication and shows all the system data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_str1(NULL,  NULL,     "<Key Num (HEX 2 bytes)>", NULL),
+		arg_str1(NULL,  NULL,     "<Key Value (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	CLIGetHexWithReturn(2, keyn, &keynlen);
+	CLIGetHexWithReturn(3, key, &keylen);
+	CLIParserFree();
+	
+	if (keynlen != 2) {
+		PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+
+	return MifareAuth4(NULL, keyn, key, true, false, verbose);
+}
+
+int CmdHFMFPRdbl(const char *cmd) {
+	uint8_t keyn[2] = {0};
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	
+	CLIParserInit("hf mfp rdbl", 
+		"Reads several blocks from Mifare Plus card.", 
+		"Usage:\n\thf mfp rdbl 0 000102030405060708090a0b0c0d0e0f -> executes authentication and read block 0 data\n"
+			"\thf mfp rdbl 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF and some additional data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_int0("nN",  "count",   "blocks count (by default 1).", NULL),
+		arg_lit0("bB",  "keyb",    "use key B (by default keyA)."),
+		arg_lit0("pP",  "plain",   "plain communication mode between reader and card."),
+		arg_int1(NULL,  NULL,      "<Block Num (0..255)>", NULL),
+		arg_str0(NULL,  NULL,      "<Key Value (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, false);
+	
+	bool verbose = arg_get_lit(1);
+	int blocksCount = arg_get_int_def(2, 1);
+	bool keyB = arg_get_lit(3);
+	int plain = arg_get_lit(4);
+	uint32_t blockn = arg_get_int(5);
+	CLIGetHexWithReturn(6, key, &keylen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+
+	if (!keylen) {
+		memmove(key, DefaultKey, 16);
+		keylen = 16;
+	}
+	
+	if (blockn > 255) {
+		PrintAndLog("ERROR: <Block Num> must be in range [0..255] instead of: %d", blockn);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+
+	// 3 blocks - wo iso14443-4 chaining
+	if (blocksCount > 3) {
+		PrintAndLog("ERROR: blocks count must be less than 3 instead of: %d", blocksCount);
+		return 1;
+	}
+	
+	if (blocksCount > 1 && mfIsSectorTrailer(blockn)) {
+		PrintAndLog("WARNING: trailer!");
+	}
+	
+	uint8_t sectorNum = mfSectorNum(blockn & 0xff);
+	uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0);
+	keyn[0] = uKeyNum >> 8;
+	keyn[1] = uKeyNum & 0xff;
+	if (verbose)
+		PrintAndLog("--block:%d sector[%d]:%02x key:%04x", blockn, mfNumBlocksPerSector(sectorNum), sectorNum, uKeyNum);
+	
+	mf4Session session;
+	int res = MifareAuth4(&session, keyn, key, true, true, verbose);
+	if (res) {
+		PrintAndLog("Authentication error: %d", res);
+		return res;
+	}
+	
+	uint8_t data[250] = {0};
+	int datalen = 0;
+	uint8_t mac[8] = {0};
+	res = MFPReadBlock(&session, plain, blockn & 0xff, blocksCount, false, false, data, sizeof(data), &datalen, mac);
+	if (res) {
+		PrintAndLog("Read error: %d", res);
+		return res;
+	}
+	
+	if (datalen && data[0] != 0x90) {
+		PrintAndLog("Card read error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		return 6;
+	}
+	
+	if (datalen != 1 + blocksCount * 16 + 8 + 2) {
+		PrintAndLog("Error return length:%d", datalen);
+		return 5;
+	}
+
+	int indx = blockn;
+	for(int i = 0; i < blocksCount; i++)  {
+		PrintAndLog("data[%03d]: %s", indx, sprint_hex(&data[1 + i * 16], 16));
+		indx++;
+		if (mfIsSectorTrailer(indx) && i != blocksCount - 1){
+			PrintAndLog("data[%03d]: ------------------- trailer -------------------", indx);
+			indx++;
+		}
+	}
+
+	if (memcmp(&data[blocksCount * 16 + 1], mac, 8)) {
+		PrintAndLog("WARNING: mac not equal...");
+		PrintAndLog("MAC   card: %s", sprint_hex(&data[blocksCount * 16 + 1], 8));
+		PrintAndLog("MAC reader: %s", sprint_hex(mac, 8));
+	} else {	
+		if(verbose)
+			PrintAndLog("MAC: %s", sprint_hex(&data[blocksCount * 16 + 1], 8));
+	}
+	
+	return 0;
+}
+
+int CmdHFMFPRdsc(const char *cmd) {
+	uint8_t keyn[2] = {0};
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	
+	CLIParserInit("hf mfp rdsc", 
+		"Reads one sector from Mifare Plus card.", 
+		"Usage:\n\thf mfp rdsc 0 000102030405060708090a0b0c0d0e0f -> executes authentication and read sector 0 data\n"
+			"\thf mfp rdsc 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF and some additional data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_lit0("bB",  "keyb",    "use key B (by default keyA)."),
+		arg_lit0("pP",  "plain",   "plain communication mode between reader and card."),
+		arg_int1(NULL,  NULL,      "<Sector Num (0..255)>", NULL),
+		arg_str0(NULL,  NULL,      "<Key Value (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, false);
+	
+	bool verbose = arg_get_lit(1);
+	bool keyB = arg_get_lit(2);
+	bool plain = arg_get_lit(3);
+	uint32_t sectorNum = arg_get_int(4);
+	CLIGetHexWithReturn(5, key, &keylen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+
+	if (!keylen) {
+		memmove(key, DefaultKey, 16);
+		keylen = 16;
+	}
+	
+	if (sectorNum > 39) {
+		PrintAndLog("ERROR: <Sector Num> must be in range [0..39] instead of: %d", sectorNum);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+	
+	uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0);
+	keyn[0] = uKeyNum >> 8;
+	keyn[1] = uKeyNum & 0xff;
+	if (verbose)
+		PrintAndLog("--sector[%d]:%02x key:%04x", mfNumBlocksPerSector(sectorNum), sectorNum, uKeyNum);
+	
+	mf4Session session;
+	int res = MifareAuth4(&session, keyn, key, true, true, verbose);
+	if (res) {
+		PrintAndLog("Authentication error: %d", res);
+		return res;
+	}
+	
+	uint8_t data[250] = {0};
+	int datalen = 0;
+	uint8_t mac[8] = {0};
+	for(int n = mfFirstBlockOfSector(sectorNum); n < mfFirstBlockOfSector(sectorNum) + mfNumBlocksPerSector(sectorNum); n++) {
+		res = MFPReadBlock(&session, plain, n & 0xff, 1, false, true, data, sizeof(data), &datalen, mac);
+		if (res) {
+			PrintAndLog("Read error: %d", res);
+			DropField();
+			return res;
+		}
+		
+		if (datalen && data[0] != 0x90) {
+			PrintAndLog("Card read error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+			DropField();
+			return 6;
+		}
+		if (datalen != 1 + 16 + 8 + 2) {
+			PrintAndLog("Error return length:%d", datalen);
+			DropField();
+			return 5;
+		}
+
+		PrintAndLog("data[%03d]: %s", n, sprint_hex(&data[1], 16));
+			
+		if (memcmp(&data[1 + 16], mac, 8)) {
+			PrintAndLog("WARNING: mac on block %d not equal...", n);
+			PrintAndLog("MAC   card: %s", sprint_hex(&data[1 + 16], 8));
+			PrintAndLog("MAC reader: %s", sprint_hex(mac, 8));
+		} else {	
+			if(verbose)
+				PrintAndLog("MAC: %s", sprint_hex(&data[1 + 16], 8));
+		}
+	}
+	DropField();
+	
+	return 0;
+}
+
+int CmdHFMFPWrbl(const char *cmd) {
+	uint8_t keyn[2] = {0};
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	uint8_t datain[250] = {0};
+	int datainlen = 0;
+	
+	CLIParserInit("hf mfp wrbl", 
+		"Writes one block to Mifare Plus card.", 
+		"Usage:\n\thf mfp wrbl 1 ff0000000000000000000000000000ff 000102030405060708090a0b0c0d0e0f -> writes block 1 data\n"
+			"\thf mfp wrbl 2 ff0000000000000000000000000000ff -v -> writes block 2 data with default key 0xFF..0xFF and some additional data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_lit0("bB",  "keyb",    "use key B (by default keyA)."),
+		arg_int1(NULL,  NULL,      "<Block Num (0..255)>", NULL),
+		arg_str1(NULL,  NULL,      "<Data (HEX 16 bytes)>", NULL),
+		arg_str0(NULL,  NULL,      "<Key (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, false);
+	
+	bool verbose = arg_get_lit(1);
+	bool keyB = arg_get_lit(2);
+	uint32_t blockNum = arg_get_int(3);
+	CLIGetHexWithReturn(4, datain, &datainlen);
+	CLIGetHexWithReturn(5, key, &keylen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+
+	if (!keylen) {
+		memmove(key, DefaultKey, 16);
+		keylen = 16;
+	}
+	
+	if (blockNum > 39) {
+		PrintAndLog("ERROR: <Block Num> must be in range [0..255] instead of: %d", blockNum);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+
+	if (datainlen != 16) {
+		PrintAndLog("ERROR: <Data> must be 16 bytes long instead of: %d", datainlen);
+		return 1;
+	}
+	
+	uint8_t sectorNum = mfSectorNum(blockNum & 0xff);
+	uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0);
+	keyn[0] = uKeyNum >> 8;
+	keyn[1] = uKeyNum & 0xff;
+	if (verbose)
+		PrintAndLog("--block:%d sector[%d]:%02x key:%04x", blockNum & 0xff, mfNumBlocksPerSector(sectorNum), sectorNum, uKeyNum);
+	
+	mf4Session session;
+	int res = MifareAuth4(&session, keyn, key, true, true, verbose);
+	if (res) {
+		PrintAndLog("Authentication error: %d", res);
+		return res;
+	}
+
+	uint8_t data[250] = {0};
+	int datalen = 0;
+	uint8_t mac[8] = {0};
+	res = MFPWriteBlock(&session, blockNum & 0xff, datain, false, false, data, sizeof(data), &datalen, mac);
+	if (res) {
+		PrintAndLog("Write error: %d", res);
+		DropField();
+		return res;
+	}
+	
+	if (datalen != 3 && (datalen != 3 + 8)) {
+		PrintAndLog("Error return length:%d", datalen);
+		DropField();
+		return 5;
+	}
+	
+	if (datalen && data[0] != 0x90) {
+		PrintAndLog("Card write error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		DropField();
+		return 6;
+	}
+	
+	if (memcmp(&data[1], mac, 8)) {
+		PrintAndLog("WARNING: mac not equal...");
+		PrintAndLog("MAC   card: %s", sprint_hex(&data[1], 8));
+		PrintAndLog("MAC reader: %s", sprint_hex(mac, 8));
+	} else {	
+		if(verbose)
+			PrintAndLog("MAC: %s", sprint_hex(&data[1], 8));
+	}
+	
+	DropField();
+	PrintAndLog("Write OK.");	
+	return 0;
+}
+
+int CmdHFMFPMAD(const char *cmd) {
+
+    CLIParserInit("hf mfp mad",
+                  "Checks and prints Mifare Application Directory (MAD)",
+                  "Usage:\n\thf mfp mad -> shows MAD if exists\n"
+                  "\thf mfp mad -a 03e1 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data if exists\n");
+
+    void *argtable[] = {
+        arg_param_begin,
+        arg_lit0("vV",  "verbose",  "show technical data"),
+        arg_str0("aA",  "aid",      "print all sectors with aid", NULL),
+        arg_str0("kK",  "key",      "key for printing sectors", NULL),
+        arg_lit0("bB",  "keyb",     "use key B for access printing sectors (by default: key A)"),
+        arg_param_end
+    };
+    CLIExecWithReturn(cmd, argtable, true);
+
+    bool verbose = arg_get_lit(1);
+    uint8_t aid[2] = {0};
+    int aidlen;
+    CLIGetHexWithReturn(2, aid, &aidlen);
+    uint8_t key[16] = {0};
+    int keylen;
+    CLIGetHexWithReturn(3, key, &keylen);
+    bool keyB = arg_get_lit(4);
+
+    CLIParserFree();
+
+    if (aidlen != 2 && keylen > 0) {
+        PrintAndLogEx(WARNING, "do not need a key without aid.");
+    }
+
+    uint8_t sector0[16 * 4] = {0};
+    uint8_t sector10[16 * 4] = {0};
+
+    if (mfpReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector0, verbose)) {
+        PrintAndLogEx(NORMAL, "");
+        PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");
+        return 2;
+    }
+
+    if (verbose) {
+        for (int i = 0; i < 4; i ++)
+            PrintAndLogEx(NORMAL, "[%d] %s", i, sprint_hex(&sector0[i * 16], 16));
+    }
+
+    bool haveMAD2 = false;
+    MAD1DecodeAndPrint(sector0, verbose, &haveMAD2);
+
+    if (haveMAD2) {
+        if (mfpReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector10, verbose)) {
+            PrintAndLogEx(NORMAL, "");
+            PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");
+            return 2;
+        }
+
+        MAD2DecodeAndPrint(sector10, verbose);
+    }
+
+    if (aidlen == 2) {
+        uint16_t aaid = (aid[0] << 8) + aid[1];
+        PrintAndLogEx(NORMAL, "\n-------------- AID 0x%04x ---------------", aaid);
+
+        uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
+        size_t madlen = 0;
+        if (MADDecode(sector0, sector10, mad, &madlen)) {
+            PrintAndLogEx(ERR, "can't decode mad.");
+            return 10;
+        }
+
+        uint8_t akey[16] = {0};
+        memcpy(akey, g_mifarep_ndef_key, 16);
+        if (keylen == 16) {
+            memcpy(akey, key, 16);
+        }
+
+        for (int i = 0; i < madlen; i++) {
+            if (aaid == mad[i]) {
+                uint8_t vsector[16 * 4] = {0};
+                if (mfpReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, akey, vsector, false)) {
+                    PrintAndLogEx(NORMAL, "");
+                    PrintAndLogEx(ERR, "read sector %d error.", i + 1);
+                    return 2;
+                }
+
+                for (int j = 0; j < (verbose ? 4 : 3); j ++)
+                    PrintAndLogEx(NORMAL, " [%03d] %s", (i + 1) * 4 + j, sprint_hex(&vsector[j * 16], 16));
+            }
+        }
+    }
+
+    return 0;
+}
+
+int CmdHFMFPNDEF(const char *cmd) {
+
+    CLIParserInit("hf mfp ndef",
+                  "Prints NFC Data Exchange Format (NDEF)",
+                  "Usage:\n\thf mfp ndef -> shows NDEF data\n"
+                  "\thf mfp ndef -a 03e1 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data with custom AID and key\n");
+
+    void *argtable[] = {
+        arg_param_begin,
+        arg_litn("vV",  "verbose",  0, 2, "show technical data"),
+        arg_str0("aA",  "aid",      "replace default aid for NDEF", NULL),
+        arg_str0("kK",  "key",      "replace default key for NDEF", NULL),
+        arg_lit0("bB",  "keyb",     "use key B for access sectors (by default: key A)"),
+        arg_param_end
+    };
+    CLIExecWithReturn(cmd, argtable, true);
+
+    bool verbose = arg_get_lit(1);
+    bool verbose2 = arg_get_lit(1) > 1;
+    uint8_t aid[2] = {0};
+    int aidlen;
+    CLIGetHexWithReturn(2, aid, &aidlen);
+    uint8_t key[16] = {0};
+    int keylen;
+    CLIGetHexWithReturn(3, key, &keylen);
+    bool keyB = arg_get_lit(4);
+
+    CLIParserFree();
+
+    uint16_t ndefAID = 0x03e1;
+    if (aidlen == 2)
+        ndefAID = (aid[0] << 8) + aid[1];
+
+    uint8_t ndefkey[16] = {0};
+    memcpy(ndefkey, g_mifarep_ndef_key, 16);
+    if (keylen == 16) {
+        memcpy(ndefkey, key, 16);
+    }
+
+    uint8_t sector0[16 * 4] = {0};
+    uint8_t sector10[16 * 4] = {0};
+    uint8_t data[4096] = {0};
+    int datalen = 0;
+
+    PrintAndLogEx(NORMAL, "");
+
+    if (mfpReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector0, verbose)) {
+        PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");
+        return 2;
+    }
+
+    bool haveMAD2 = false;
+    int res = MADCheck(sector0, NULL, verbose, &haveMAD2);
+    if (res) {
+        PrintAndLogEx(ERR, "MAD error %d.", res);
+        return res;
+    }
+
+    if (haveMAD2) {
+        if (mfpReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector10, verbose)) {
+            PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");
+            return 2;
+        }
+    }
+
+    uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
+    size_t madlen = 0;
+    if (MADDecode(sector0, (haveMAD2 ? sector10 : NULL), mad, &madlen)) {
+        PrintAndLogEx(ERR, "can't decode mad.");
+        return 10;
+    }
+
+    printf("data reading:");
+    for (int i = 0; i < madlen; i++) {
+        if (ndefAID == mad[i]) {
+            uint8_t vsector[16 * 4] = {0};
+            if (mfpReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, ndefkey, vsector, false)) {
+                PrintAndLogEx(ERR, "read sector %d error.", i + 1);
+                return 2;
+            }
+
+            memcpy(&data[datalen], vsector, 16 * 3);
+            datalen += 16 * 3;
+
+            printf(".");
+        }
+    }
+    printf(" OK\n");
+
+    if (!datalen) {
+        PrintAndLogEx(ERR, "no NDEF data.");
+        return 11;
+    }
+
+    if (verbose2) {
+        PrintAndLogEx(NORMAL, "NDEF data:");
+        dump_buffer(data, datalen, stdout, 1);
+    }
+
+    NDEFDecodeAndPrint(data, datalen, verbose);
+
+    return 0;
+}
+
+static command_t CommandTable[] =
+{
+  {"help",             CmdHelp,					1, "This help"},
+  {"info",  	       CmdHFMFPInfo,			0, "Info about Mifare Plus tag"},
+  {"wrp",	  	       CmdHFMFPWritePerso,		0, "Write Perso command"},
+  {"initp",  	       CmdHFMFPInitPerso,		0, "Fills all the card's keys"},
+  {"commitp",  	       CmdHFMFPCommitPerso,		0, "Move card to SL1 or SL3 mode"},
+  {"auth",  	       CmdHFMFPAuth,			0, "Authentication"},
+  {"rdbl",  	       CmdHFMFPRdbl,			0, "Read blocks"},
+  {"rdsc",  	       CmdHFMFPRdsc,			0, "Read sectors"},
+  {"wrbl",  	       CmdHFMFPWrbl,			0, "Write blocks"},
+  {"mad",              CmdHFMFPMAD,             0, "Checks and prints MAD"},
+  {"ndef",             CmdHFMFPNDEF,            0, "Prints NDEF records from card"},
+  {NULL,               NULL,					0, NULL}
+};
+
+int CmdHFMFP(const char *Cmd) {
+	(void)WaitForResponseTimeout(CMD_ACK,NULL,100);
+	CmdsParse(CommandTable, Cmd);
+	return 0;
+}
+
+int CmdHelp(const char *Cmd) {
+  CmdsHelp(CommandTable);
+  return 0;
+}

client/cmdhfmfp.h

@@ -0,0 +1,18 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency MIFARE  Plus commands
+//-----------------------------------------------------------------------------
+#ifndef CMDHFMFP_H__
+#define CMDHFMFP_H__
+
+#include "mifare/mifaredefault.h"
+
+extern int CmdHFMFP(const char *Cmd);
+
+
+#endif

client/cmdhfmfu.h

@@ -0,0 +1,10 @@
+#ifndef CMDHFMFU_H__
+#define CMDHFMFU_H__
+
+#include <stdint.h>
+
+extern int CmdHFMFUltra(const char *Cmd);
+extern uint32_t GetHF14AMfU_Type(void);
+extern int ul_print_type(uint32_t tagtype, uint8_t spacer);
+
+#endif