Merge pull request #969 from pwpiwi/gcc10_fixes

Gcc10 fixes
gcc10 compiler fixes:
2025-08-19 21:03:23 -07:00 · 2021-03-30 08:59:58 +02:00 · 2021-03-18 08:25:16 +01:00 · 2021-03-18 08:23:17 +01:00 · 2021-01-29 08:26:33 +01:00 · 2021-01-28 09:00:08 +01:00
349 changed files with 95619 additions and 30959 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,6 +12,7 @@
 *.map
 *.bin
 !client/hardnested/*.bin
+!client/sc_upgrade_firmware/*.bin
 *.dll
 *.moc.cpp
 *.z
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,10 +5,47 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 ## [unreleased][unreleased]

 ### Changed
+- Changed hf mfp security. Now it works in all the modes. (drHatson)
+- `hf fido` - show/check DER certificate and signatures (Merlok)
+- Changed `lf hitag reader 0x ... <firstPage> <tagmode>` - to select first page to read and tagmode (0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED)
+- Accept hitagS con0 tags with memory bits set to 11 and handle like 2048 tag

 ### Fixed
+- AC-Mode decoding for HitagS
+- Wrong UID at HitagS simulation
+- `hf 15 sim` now works as expected (piwi)
+- `hf mf chk t` save to emulator memory now works as expected (mwalker)
+- Fix `hf mf sim` - wrong access rights to write key B in trailer (@McEloff)
+- allow files > 512Bytes in 'hf iclass eload' (@Sherhannn79)
+- `hf mf nested` now works with fixed nonce tags too (uzlonewolf, piwi)
 
 ### Added
+- Added to `hf 14a apdu` print apdu and compose apdu (@merlokk)
+- Added `hf 15 csetuid` - set UID on ISO-15693 Magic tags (t0m4)
+- Added `lf config s xxxx` option to allow skipping x samples before capture (marshmellow)
+- Added `lf em 4x05protect` to support changing protection blocks on em4x05 chips (marshmellow)
+- Support Standard Communication Mode in HITAG S
+- Added `hf emv scan` - commands for scan EMV card and dump data to json file (Merlok)
+- `hf mfp` group of commands (Merlok)
+- Added `hf fido` - FIDO U2F authenticator commands https://fidoalliance.org/ (Merlok)
+- Added `lf hitag reader 03` - read block (instead of pages) 
+- Added `lf hitag reader 04` - read block (instead of pages) 
+- Added `hf fido` `assert` and `make` commands from fido2 protocol (authenticatorMakeCredential and authenticatorGetAssertion) (Merlok)
+- Added `lf paradox clone` to clone a Paradox card
+- Added `emv` commands working for both contactless and smart cards (Merlok)
+- Added `hf 15 snoop` (piwi)
+- Added support for standard USB Smartcard Readers (piwi)
+- Added `hf plot` (piwi)
+- Added `hf mfp mad` `hf mf mad` parsing MAD1 and MAD2 (Merlok)
+- Added `hf mfp ndef` `hf mf ndef` parsing NDEF records (Merlok)
+- Added Mifare Mini, Mifare 2K and 4K support to `hf mf sim` (piwi)
+- Added Legic detection to `hf search` (dnet)
+- Added Home (Pos1) and End key bindings to the plot GUI (based on @mcd1992)
+- Added downlink reference mode option r <mode> [ 0 - (or missing) default/fixed bit, 1 - long leading, 2 - leading 0 and 3 - 1 of 4 ] to `lf t55xx detect`, `lf t55xx read`, `lf t55xx write`, and `lf t55xx bruteforce`
+- Added special option `r 4` to bruteforce, to try all downlink modes (0,1,2 and 3) for each password
+- `hf mfu info` now checks the NXP Originality Signature if availabe (piwi)
+- Added `hf mf personalize` to personalize the UID option of Mifare Classic EV1 cards (piwi)
+

 ## [v3.1.0][2018-10-10]

--- a/CI/.travis.yml
+++ b/CI/.travis.yml
@ -1,23 +1,28 @@
 # Travis-CI config
 # variable REPOSITORY_EP must be filled with repository name. as sample: "merlokk/proxmark3"
+
 language: c

 compiler: gcc

 # Test on Linux and MacOS
-matrix:
+jobs:
  include:
-    - os: osx
-      osx_image: xcode7.3	# OS X 10.11
-    - os: osx
-      osx_image: xcode8.3   # OS X 10.12
    - os: osx
      osx_image: xcode9.4   # OS X 10.13
    - os: osx
      osx_image: xcode10    # OS X 10.13
+    - os: osx
+      osx_image: xcode11    # OS X 10.14
    - os: linux
-      dist: trusty
-      sudo: required
+      dist: trusty          # Ubuntu 14.04
+    - os: linux
+      dist: xenial          # Ubuntu 16.04
+    - os: linux
+      dist: bionic          # Ubuntu 18.04
+
+git:
+  depth: false

 before_install:
 ## Install ARM toolchain on Linux.
@ -26,13 +31,13 @@ before_install:
  echo $REPOSITORY_EP;
  if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then 
    sudo apt-get update -qq;
-    sudo apt-get install -y gcc-arm-none-eabi;
+    sudo apt-get install -y gcc-arm-none-eabi libnewlib-arm-none-eabi libpcsclite-dev;
  elif [[ "$TRAVIS_OS_NAME" == "osx" ]]; then
    brew update;
    if [[ "$REPOSITORY_EP" == "" ]]; then
-      brew tap proxmark/proxmark3;
+      brew tap --full proxmark/proxmark3;
    else
-      brew tap "$REPOSITORY_EP" --env=std;
+      brew tap --full "$REPOSITORY_EP" --env=std;
    fi
  fi

@ -47,7 +52,7 @@ install:
 before_script:

 script: 
-## for the time being we are satisfied if it can be build and then successfully started
+## for the time being we are satisfied if it can be build and hf mf hardnested runs
  if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then 
    proxmark3 /dev/notexists travis_test_commands.scr ;
  elif [[ "$TRAVIS_OS_NAME" == "linux" ]]; then 
--- a/CI/appveyor.yml
+++ b/CI/appveyor.yml
@ -66,9 +66,20 @@ clone_script:
    Write-Host "[ OK ]" -ForegroundColor Green


-    Write-Host "Fill msys\etc\fstab file..." -NoNewLine
+    Write-Host "Fill msys2\etc\fstab file..." -NoNewLine

-    New-Item c:\ProxSpace\msys\etc\fstab -type file -force -value "#Win32_Path Mount_Point`nc:\ProxSpace\devkitARM /devkitARM`nc:\ProxSpace\Qt\5.6 /qt `nc:\ProxSpace\pm3 /pm3`n"
+    New-Item c:\ProxSpace\msys2\etc\fstab -type file -force -value "# For a description of the file format, see the Users Guide`n# http://cygwin.com/cygwin-ug-net/using.html#mount-table`nnone / cygdrive binary,posix=0,noacl,user 0 0 `nC:\ProxSpace\pm3 /pm3 ntfs noacl 0 0 `nC:\ProxSpace\gcc-arm-none-eabi /gcc-arm-none-eabi ntfs noacl 0 0 `n"
+
+    Write-Host "[ OK ]" -ForegroundColor Green
+
+
+    Write-Host "Update msys2 packages..." -NoNewLine
+
+    $env:Path = "C:\ProxSpace\msys2\usr\bin;C:\ProxSpace\msys2\mingw32\bin;C:\ProxSpace\gcc-arm-none-eabi\bin;$env:Path"
+
+    C:\ProxSpace\msys2\msys2_shell.cmd -mingw32 -defterm -no-start /dev/null 1> msys1.txt 2>&1
+
+    C:\ProxSpace\msys2\msys2_shell.cmd -mingw32 -defterm -no-start /dev/null 1> msys1.txt 2>&1

    Write-Host "[ OK ]" -ForegroundColor Green
 install:
@ -84,12 +95,25 @@ install:
            }
 build_script:
 - ps: >-
-    $env:Path = "C:\ProxSpace\msys\bin;$env:Path"
+    "C:\ProxSpace\msys2\usr\bin;C:\ProxSpace\msys2\mingw32\bin;C:\ProxSpace\gcc-arm-none-eabi\bin;$env:Path"
+
+
+    $env:MINGW_HOME="C:\ProxSpace\msys2\mingw32"
+
+    $env:MSYS_HOME="C:\ProxSpace\msys2"
+
+    $env:MSYSTEM="MINGW32"
+
+    $env:MINGW_PREFIX="/mingw32"
+
+    $env:SHELL="/bin/bash"
+
+    $env:MSYSTEM_CHOST="i686-w64-mingw32"


    #make

-    bash -lc -i "pwd;make all"
+    bash -c -i 'pwd;make clean;make all'


    #some checks
@ -233,14 +257,14 @@ test_script:

      [bool]$res=$false
      # Wait 120 sec timeout for Job
-      if(Wait-Job $Job -Timeout 120){
+      if(Wait-Job $Job -Timeout 150){
        $Results = $Job | Receive-Job
        if($Results -like "true"){
          $res=$true
        }
      } else {
        Write-host "Test [$Name] timeout" -ForegroundColor Red
-        Add-AppveyorTest -Name "$Name" -Framework NUnit -Filename "$File" -Outcome Failed -Duration 40000 -ErrorMessage "timeout"
+        Add-AppveyorTest -Name "$Name" -Framework NUnit -Filename "$File" -Outcome Failed -Duration 60000 -ErrorMessage "timeout"
      }
      Remove-Job -Force $Job

@ -268,19 +292,19 @@ test_script:

    #proxmark logic tests

-    ExecTest "proxmark help" "proxmark3 -h" {bash -lc 'cd ~/client;proxmark3 -h | grep -q Execute && echo Passed || echo Failed'}
+    ExecTest "proxmark help" "proxmark3 -h" {bash -lc 'cd ~/client;./proxmark3 -h | grep -q Execute && echo Passed || echo Failed'}

-    ExecTest "proxmark help hardnested" "proxmark3 -h" {bash -lc 'cd ~/client;proxmark3 -h | grep -q hardnested && echo Passed || echo Failed'}
+    ExecTest "proxmark help hardnested" "proxmark3 -h" {bash -lc 'cd ~/client;./proxmark3 -h | grep -q hardnested && echo Passed || echo Failed'}


-    ExecTest "hf mf offline text" "hf mf" {bash -lc "cd ~/client;proxmark3 comx -c 'hf mf'"} "at_enc"
+    ExecTest "hf mf offline text" "hf mf" {bash -lc "cd ~/client;./proxmark3 comx -c 'hf mf'"} "at_enc"

-    ExecTest "hf mf hardnested" "hf mf hardnested" {bash -lc "cd ~/client;proxmark3 comx -c 'hf mf hardnested t 1 000000000000'"} "found:"
+    ExecTest "hf mf hardnested" "hf mf hardnested" {bash -lc "cd ~/client;./proxmark3 comx -c 'hf mf hardnested t 1 000000000000'"} "found:"


    #proxmark crypto tests

-    ExecTest "hf emv test" "hf emv test" {bash -lc "cd ~/client;proxmark3 comx -c 'hf emv test'"} "Tests ?OK"
+    ExecTest "hf emv test" "hf emv test" {bash -lc "cd ~/client;./proxmark3 comx -c 'hf emv test'"} "Tests ?OK"


    if ($global:TestsPassed) {
--- a/CI/travis_test_commands.scr
+++ b/CI/travis_test_commands.scr
@ -1,3 +1,3 @@
 hf mf hardnested t 1 000000000000
-hf emv test
+emv test
 exit
--- a/README.md
+++ b/README.md
@ -16,6 +16,7 @@ do something useful with a proxmark3.
 * [The Forum](http://www.proxmark.org/forum)
 * The IRC channel: irc.freenode.org #proxmark3 ([chat in your browser](http://webchat.freenode.net/?channels=#proxmark3))
 * [The Homebrew formula repository](https://github.com/Proxmark/homebrew-proxmark3)
+* [Proxmark3 community discord server](https://discord.gg/86VcRtS)
   
 ## Development

@ -27,12 +28,15 @@ your operating system. Please refer to [the wiki](https://github.com/Proxmark/pr
 The Proxmark3 is available for purchase (assembled and tested) from the
 following locations:

-* [RyscCorp](https://proxmark3.com/) (US)
-* [Hackerwarehouse](https://hackerwarehouse.com/) (US)
-* [Elechouse](http://www.elechouse.com/) (HK)
-* [Lab401](https://lab401.com/) (FR)
-* [RFxSecure](http://www.rfxsecure.com/) (SG)
-* [IceSQL](http://proxmark3.tictail.com/) (SE)
+| Distributor Name | Warehouse Location | Entity Location |
+|------------------|--------------------|-----------------|
+| [RyscCorp](https://proxmark3.com/)         | USA                | USA             |
+| [Hackerwarehouse](https://hackerwarehouse.com/)  | USA                | USA             |
+| [Elechouse](http://www.elechouse.com/)        | HK                 | HK              |
+| [Lab401](https://lab401.com/)           | EU                 | HK              |
+| [RFxSecure](http://www.rfxsecure.com/)       | CN                 | SG              |
+| [Sneaktechnology](https://www.sneaktechnology.com/)  | CN                 | CN              |
+
   
 Most of the ultra-low-volume contract assemblers could put
 something like this together with a reasonable yield. A run of around
--- a/armsrc/BigBuf.c
+++ b/armsrc/BigBuf.c
@ -21,8 +21,8 @@
 /* BigBuf memory layout:
 Pointer to highest available memory: BigBuf_hi

-    high BIGBUF_SIZE
-    reserved = BigBuf_malloc()  subtracts amount from BigBuf_hi,   
+	high BIGBUF_SIZE
+	reserved = BigBuf_malloc()  subtracts amount from BigBuf_hi,
 	low  0x00
 */

@ -36,8 +36,9 @@ static uint16_t BigBuf_hi = BIGBUF_SIZE;
 static uint8_t *emulator_memory = NULL;

 // trace related variables
-static uint16_t traceLen = 0;
-int tracing = 1; //Last global one.. todo static?
+static uint32_t traceLen = 0;
+static bool tracing = true;
+

 // get the address of BigBuf
 uint8_t *BigBuf_get_addr(void)
@ -63,20 +64,25 @@ void BigBuf_Clear(void)
 {
 	BigBuf_Clear_ext(true);
 }
+
+
 // clear ALL of BigBuf
 void BigBuf_Clear_ext(bool verbose)
 {
-	memset(BigBuf,0,BIGBUF_SIZE);
+	memset(BigBuf, 0, BIGBUF_SIZE);
 	if (verbose)
-		Dbprintf("Buffer cleared (%i bytes)",BIGBUF_SIZE);
+		Dbprintf("Buffer cleared (%i bytes)", BIGBUF_SIZE);
 }
+
+
 void BigBuf_Clear_EM(void){
 	memset(BigBuf_get_EM_addr(), 0, CARD_MEMORY_SIZE);
 }

+
 void BigBuf_Clear_keep_EM(void)
 {
-	memset(BigBuf,0,BigBuf_hi);
+	memset(BigBuf, 0, BigBuf_hi);
 }

 // allocate a chunk of memory from BigBuf. We allocate high memory first. The unallocated memory
@ -84,10 +90,10 @@ void BigBuf_Clear_keep_EM(void)
 uint8_t *BigBuf_malloc(uint16_t chunksize)
 {
 	if (BigBuf_hi - chunksize < 0) {
-		return NULL;							// no memory left
+		return NULL;                            // no memory left
 	} else {
-		chunksize = (chunksize + 3) & 0xfffc;	// round to next multiple of 4
-		BigBuf_hi -= chunksize; 		  		// aligned to 4 Byte boundary 
+		chunksize = (chunksize + 3) & 0xfffc;   // round to next multiple of 4
+		BigBuf_hi -= chunksize;                 // aligned to 4 Byte boundary
 		return (uint8_t *)BigBuf + BigBuf_hi;
 	}
 }
@ -128,18 +134,22 @@ uint16_t BigBuf_max_traceLen(void)
 	return BigBuf_hi;
 }

+
 void clear_trace() {
 	traceLen = 0;
 }

+
 void set_tracing(bool enable) {
 	tracing = enable;
 }

+
 bool get_tracing(void) {
 	return tracing;
 }

+
 /**
 * Get the number of bytes traced
 * @return
@ -149,6 +159,7 @@ uint16_t BigBuf_get_traceLen(void)
 	return traceLen;
 }

+
 /**
  This is a function to store traces. All protocols can use this generic tracer-function.
  The traces produced by calling this function can be fetched on the client-side
@ -162,14 +173,14 @@ bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_

 	uint8_t *trace = BigBuf_get_addr();

-	uint16_t num_paritybytes = (iLen-1)/8 + 1;	// number of valid paritybytes in *parity
-	uint16_t duration = timestamp_end - timestamp_start;
+	uint32_t num_paritybytes = (iLen-1)/8 + 1;  // number of valid paritybytes in *parity
+	uint32_t duration = timestamp_end - timestamp_start;

 	// Return when trace is full
 	uint16_t max_traceLen = BigBuf_max_traceLen();

 	if (traceLen + sizeof(iLen) + sizeof(timestamp_start) + sizeof(duration) + num_paritybytes + iLen >= max_traceLen) {
-		tracing = false;	// don't trace any more
+		tracing = false;    // don't trace any more
 		return false;
 	}
 	// Traceformat:
@ -200,19 +211,23 @@ bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_

 	// data bytes
 	if (btBytes != NULL && iLen != 0) {
-		memcpy(trace + traceLen, btBytes, iLen);
+		for (int i = 0; i < iLen; i++) {
+			trace[traceLen++] = *btBytes++;
+		}
 	}
-	traceLen += iLen;

 	// parity bytes
 	if (num_paritybytes != 0) {
 		if (parity != NULL) {
-			memcpy(trace + traceLen, parity, num_paritybytes);
+			for (int i = 0; i < num_paritybytes; i++) {
+				trace[traceLen++] = *parity++;
+			}
 		} else {
-			memset(trace + traceLen, 0x00, num_paritybytes);
+			for (int i = 0; i < num_paritybytes; i++) {
+				trace[traceLen++] = 0x00;
+			}
 		}
 	}
-	traceLen += num_paritybytes;

 	return true;
 }
@ -229,8 +244,11 @@ int LogTraceHitag(const uint8_t * btBytes, int iBits, int iSamples, uint32_t dwP

 	uint8_t *trace = BigBuf_get_addr();
 	uint16_t iLen = nbytes(iBits);
+
 	// Return when trace is full
-	if (traceLen + sizeof(rsamples) + sizeof(dwParity) + sizeof(iBits) + iLen > BigBuf_max_traceLen()) return false;
+	if (traceLen + sizeof(rsamples) + sizeof(dwParity) + sizeof(iBits) + iLen > BigBuf_max_traceLen()) {
+		return false;
+	}

 	//Hitag traces appear to use this traceformat:
 	// 32 bits timestamp (little endian,Highest Bit used as readerToTag flag)
@ -238,6 +256,8 @@ int LogTraceHitag(const uint8_t * btBytes, int iBits, int iSamples, uint32_t dwP
 	// 8 bits size (number of bits in the trace entry, not number of bytes)
 	// y Bytes data

+
+
 	rsamples += iSamples;
 	trace[traceLen++] = ((rsamples >> 0) & 0xff);
 	trace[traceLen++] = ((rsamples >> 8) & 0xff);
@ -254,8 +274,9 @@ int LogTraceHitag(const uint8_t * btBytes, int iBits, int iSamples, uint32_t dwP
 	trace[traceLen++] = ((dwParity >> 24) & 0xff);
 	trace[traceLen++] = iBits;

-	memcpy(trace + traceLen, btBytes, iLen);
-	traceLen += iLen;
+	for (int i = 0; i < iLen; i++) {
+		trace[traceLen++] = *btBytes++;
+	}

 	return true;
 }
--- a/armsrc/Makefile
+++ b/armsrc/Makefile
@ -21,11 +21,12 @@ else
        SRC_LCD = 
 endif
 SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c protocols.c
-SRC_ISO15693 = iso15693.c iso15693tools.c
+SRC_ISO15693 = iso15693.c
 SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c mifaresim.c
 SRC_ISO14443b = iso14443b.c
-SRC_CRAPTO1 = crypto1.c des.c
-SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c parity.c
+SRC_CRAPTO1 = crypto1.c 
+SRC_DES = platform_util_arm.c des.c
+SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c parity.c iso15693tools.c
 SRC_SMARTCARD = i2c.c

 #the FPGA bitstream files. Note: order matters!
@ -42,7 +43,6 @@ APP_CFLAGS += -I../zlib
 # Compile these in thumb mode (small size)
 THUMBSRC = start.c \
 	$(SRC_LCD) \
-	$(SRC_ISO15693) \
 	$(SRC_LF) \
 	$(SRC_ZLIB) \
 	$(SRC_SMARTCARD) \
@ -50,8 +50,10 @@ THUMBSRC = start.c \
 	printf.c \
 	util.c \
 	string.c \
-	usb_cdc.c \
-	cmd.c
+	usb_cdc.c
+
+# Compile these in thumb mode optimized for speed (still smaller than ARM mode)
+THUMBOPTSRC = $(SRC_ISO15693)

 # These are to be compiled in ARM mode
 ARMSRC = fpgaloader.c \
@ -61,6 +63,7 @@ ARMSRC = fpgaloader.c \
 	$(SRC_ISO14443a) \
 	$(SRC_ISO14443b) \
 	$(SRC_CRAPTO1) \
+	$(SRC_DES) \
 	$(SRC_CRC) \
 	iclass.c \
 	BigBuf.c \
@ -70,7 +73,7 @@ ARMSRC = fpgaloader.c \
 VERSIONSRC = version.c \
 	fpga_version_info.c

-# Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
+# Do not move this inclusion before the definition of {THUMB,THUMBOPT,ASM,ARM}SRC
 include ../common/Makefile.common

 OBJS = $(OBJDIR)/fullimage.s19
@ -80,8 +83,9 @@ all: $(OBJS)

 .DELETE_ON_ERROR:

-# version.c should be remade on every compilation
-.PHONY: version.c
+# version.c and fpga_version_info.c to be remade on every compilation
+.PHONY: version.c fpga_version_info.c
+
 version.c: default_version.c
 	perl ../tools/mkversion.pl .. > $@ || $(COPY) $^ $@ 

@ -97,7 +101,7 @@ $(OBJDIR)/fpga_all.bit.z: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR)
 $(FPGA_COMPRESSOR):
 		make -C ../client $(notdir $(FPGA_COMPRESSOR))

-$(OBJDIR)/fullimage.stage1.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(ARMOBJ)
+$(OBJDIR)/fullimage.stage1.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(THUMBOPTOBJ) $(ARMOBJ)
 	$(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^ $(LIBS)

 $(OBJDIR)/fullimage.nodata.bin: $(OBJDIR)/fullimage.stage1.elf
@ -129,7 +133,7 @@ clean:
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.d
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.z
 	$(DELETE) $(OBJDIR)$(PATHSEP)*.bin
-	$(DELETE) version.c
+	$(DELETE) version.c fpga_version_info.c

 .PHONY: all clean help
 help:
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -16,22 +16,15 @@
 #include <stddef.h>
 #include "common.h"
 #include "usb_cmd.h"
-#include "hitag2.h"
 #include "hitagS.h"
 #include "mifare.h"
 #include "../common/crc32.h"
 #include "BigBuf.h"
-#include "fpgaloader.h"

 extern const uint8_t OddByteParity[256];
 extern int rsamples;   // = 0;
-extern int tracing;    // = TRUE;
 extern uint8_t trigger;

-// This may be used (sparingly) to declare a function to be copied to
-// and executed from RAM
-#define RAMFUNC __attribute((long_call, section(".ramfunc")))
-
 /// appmain.h
 void ReadMem(int addr);
 void __attribute__((noreturn)) AppMain(void);
@ -78,7 +71,7 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realt
 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol);
 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
 void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567
-void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
+void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, uint8_t preamble); // Clone an HID-like card to T5557/T5567
 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5);
 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
@ -91,6 +84,7 @@ void TurnReadLFOn();
 //void T55xxReadTrace(void);
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd);
+void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd);
 void Cotag(uint32_t arg0);

 /// iso14443.h
@ -101,7 +95,6 @@ void RAMFUNC SnoopIso14443b(void);
 void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);

 // Also used in iclass.c
-bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t len, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag);
 void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *parity);

 void RAMFUNC SniffMifare(uint8_t param);
@ -110,87 +103,13 @@ void RAMFUNC SniffMifare(uint8_t param);
 void EPA_PACE_Collect_Nonce(UsbCommand * c);
 void EPA_PACE_Replay(UsbCommand *c);

-// mifarecmd.h
-void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
-void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
-void MifareUC_Auth(uint8_t arg0, uint8_t *datain);
-void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
-void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-//void MifareUWriteBlockCompat(uint8_t arg0,uint8_t *datain);
-void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
-void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain);
-void MifareChkKeys(uint16_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
-void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);       // Work with "magic Chinese" card
-void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);  
-void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void MifareCIdent();  // is "magic chinese" card?
-void MifareUSetPwd(uint8_t arg0, uint8_t *datain);
-
-//desfire
-void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain);
-void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain);					   
-
 // mifaredesfire.h
-bool 	InitDesfireCard();
-void	MifareSendCommand(uint8_t arg0,uint8_t arg1, uint8_t *datain);
-void 	MifareDesfireGetInformation();
-void 	MifareDES_Auth1(uint8_t arg0,uint8_t arg1,uint8_t arg2, uint8_t *datain);
-void 	ReaderMifareDES(uint32_t param, uint32_t param2, uint8_t * datain);
-int 	DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout);
-size_t	CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout);
-void 	OnSuccess();
-void 	OnError(uint8_t reason);
-
-
-/// iso15693.h
-void RecordRawAdcSamplesIso15693(void);
-void AcquireRawAdcSamplesIso15693(void);
-void ReaderIso15693(uint32_t parameter);	// Simulate an ISO15693 reader - greg
-void SimTagIso15693(uint32_t parameter, uint8_t *uid);	// simulate an ISO15693 tag - greg
-void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox
-void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8_t data[]); // send arbitrary commands from CLI - atrox 
-void SetDebugIso15693(uint32_t flag);
-
-/// iclass.h
-void RAMFUNC SnoopIClass(void);
-void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
-void ReaderIClass(uint8_t arg0);
-void ReaderIClass_Replay(uint8_t arg0,uint8_t *MAC);
-void IClass_iso14443A_GetPublic(uint8_t arg0);
-void iClass_Authentication(uint8_t *MAC);
-void iClass_WriteBlock(uint8_t blockNo, uint8_t *data);
-void iClass_ReadBlk(uint8_t blockNo);
-bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata);
-void iClass_Dump(uint8_t blockno, uint8_t numblks);
-void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data);
-void iClass_ReadCheck(uint8_t	blockNo, uint8_t keyType);
-
-// hitag2.h
-void SnoopHitag(uint32_t type);
-void SimulateHitagTag(bool tag_mem_supplied, byte_t* data);
-void ReaderHitag(hitag_function htf, hitag_data* htd);
-void WriterHitag(hitag_function htf, hitag_data* htd, int page);
-
-//hitagS.h
-void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data);
-void ReadHitagS(hitag_function htf, hitag_data* htd);
-void WritePageHitagS(hitag_function htf, hitag_data* htd,int page);
-void check_challenges(bool file_given, byte_t* data);
-
-
-// cmd.h
-bool cmd_receive(UsbCommand* cmd);
-bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len);
-
-/// util.h
-void HfSnoop(int , int);
+bool    InitDesfireCard();
+void    MifareSendCommand(uint8_t arg0,uint8_t arg1, uint8_t *datain);
+void    MifareDesfireGetInformation();
+void    MifareDES_Auth1(uint8_t arg0,uint8_t arg1,uint8_t arg2, uint8_t *datain);
+void    ReaderMifareDES(uint32_t param, uint32_t param2, uint8_t * datain);
+int     DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout);
+size_t  CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout);

 #endif
--- a/armsrc/epa.c
+++ b/armsrc/epa.c
@ -15,7 +15,7 @@
 #include "iso14443a.h"
 #include "iso14443b.h"
 #include "epa.h"
-#include "cmd.h"
+#include "usb_cdc.h"
 #include "fpgaloader.h"
 #include "string.h"
 #include "util.h"
@ -116,7 +116,7 @@ int EPA_APDU(uint8_t *apdu, size_t length, uint8_t *response)
 	switch(iso_type)
 	{
 		case 'a':
-			return iso14_apdu(apdu, (uint16_t) length, response);
+			return iso14_apdu(apdu, (uint16_t) length, false, response, NULL);
 			break;
 		case 'b':
 			return iso14443b_apdu(apdu, length, response);
@ -453,20 +453,17 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
 //-----------------------------------------------------------------------------
 // Perform the PACE protocol by replaying given APDUs
 //-----------------------------------------------------------------------------
-void EPA_PACE_Replay(UsbCommand *c)
-{
+void EPA_PACE_Replay(UsbCommand *c) {
 	uint32_t timings[sizeof(apdu_lengths_replay) / sizeof(apdu_lengths_replay[0])] = {0};

-	// if an APDU has been passed, save it
+	// if an APDU has been passed, just save it
 	if (c->arg[0] != 0) {
 		// make sure it's not too big
-		if(c->arg[2] > apdus_replay[c->arg[0] - 1].len)
-		{
+		if(c->arg[2] > apdus_replay[c->arg[0] - 1].len) {
 			cmd_send(CMD_ACK, 1, 0, 0, NULL, 0);
+			return;
 		}
-		memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1],
-	           c->d.asBytes,
-	           c->arg[2]);
+		memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1], c->d.asBytes, c->arg[2]);
 		// save/update APDU length
 		if (c->arg[1] == 0) {
 			apdu_lengths_replay[c->arg[0] - 1] = c->arg[2];
--- a/armsrc/fpgaloader.c
+++ b/armsrc/fpgaloader.c
@ -32,7 +32,7 @@ extern uint8_t _binary_obj_fpga_all_bit_z_start, _binary_obj_fpga_all_bit_z_end;
 static uint8_t *fpga_image_ptr = NULL;
 static uint32_t uncompressed_bytes_cnt;

-#define OUTPUT_BUFFER_LEN 		80
+#define OUTPUT_BUFFER_LEN       80

 //-----------------------------------------------------------------------------
 // Set up the Serial Peripheral Interface as master
@ -49,16 +49,16 @@ void SetupSpi(int mode)

 	// Disable PIO control of the following pins, allows use by the SPI peripheral
 	AT91C_BASE_PIOA->PIO_PDR =
-		GPIO_NCS0	|
-		GPIO_NCS2 	|
-		GPIO_MISO	|
-		GPIO_MOSI	|
+		GPIO_NCS0   |
+		GPIO_NCS2   |
+		GPIO_MISO   |
+		GPIO_MOSI   |
 		GPIO_SPCK;

 	AT91C_BASE_PIOA->PIO_ASR =
-		GPIO_NCS0	|
-		GPIO_MISO	|
-		GPIO_MOSI	|
+		GPIO_NCS0   |
+		GPIO_MISO   |
+		GPIO_MOSI   |
 		GPIO_SPCK;

 	AT91C_BASE_PIOA->PIO_BSR = GPIO_NCS2;
@ -71,41 +71,41 @@ void SetupSpi(int mode)
 	switch (mode) {
 		case SPI_FPGA_MODE:
 			AT91C_BASE_SPI->SPI_MR =
-				( 0 << 24)	|	// Delay between chip selects (take default: 6 MCK periods)
-				(14 << 16)	|	// Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11)
-				( 0 << 7)	|	// Local Loopback Disabled
-				( 1 << 4)	|	// Mode Fault Detection disabled
-				( 0 << 2)	|	// Chip selects connected directly to peripheral
-				( 0 << 1) 	|	// Fixed Peripheral Select
-				( 1 << 0);		// Master Mode
+				( 0 << 24)  |   // Delay between chip selects (take default: 6 MCK periods)
+				(14 << 16)  |   // Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11)
+				( 0 << 7)   |   // Local Loopback Disabled
+				( 1 << 4)   |   // Mode Fault Detection disabled
+				( 0 << 2)   |   // Chip selects connected directly to peripheral
+				( 0 << 1)   |   // Fixed Peripheral Select
+				( 1 << 0);      // Master Mode
 			AT91C_BASE_SPI->SPI_CSR[0] =
-				( 1 << 24)	|	// Delay between Consecutive Transfers (32 MCK periods)
-				( 1 << 16)	|	// Delay Before SPCK (1 MCK period)
-				( 6 << 8)	|	// Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
-				( 8 << 4)	|	// Bits per Transfer (16 bits)
-				( 0 << 3)	|	// Chip Select inactive after transfer
-				( 1 << 1)	|	// Clock Phase data captured on leading edge, changes on following edge
-				( 0 << 0);		// Clock Polarity inactive state is logic 0
+				( 1 << 24)  |   // Delay between Consecutive Transfers (32 MCK periods)
+				( 1 << 16)  |   // Delay Before SPCK (1 MCK period)
+				( 6 << 8)   |   // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
+				( 8 << 4)   |   // Bits per Transfer (16 bits)
+				( 0 << 3)   |   // Chip Select inactive after transfer
+				( 1 << 1)   |   // Clock Phase data captured on leading edge, changes on following edge
+				( 0 << 0);      // Clock Polarity inactive state is logic 0
 			break;
 		case SPI_LCD_MODE:
 			AT91C_BASE_SPI->SPI_MR =
-				( 0 << 24)	|	// Delay between chip selects (take default: 6 MCK periods)
-				(11 << 16)	|	// Peripheral Chip Select (selects LCD SPI_NCS2 or PA10)
-				( 0 << 7)	|	// Local Loopback Disabled
-				( 1 << 4)	|	// Mode Fault Detection disabled
-				( 0 << 2)	|	// Chip selects connected directly to peripheral
-				( 0 << 1) 	|	// Fixed Peripheral Select
-				( 1 << 0);		// Master Mode
+				( 0 << 24)  |   // Delay between chip selects (take default: 6 MCK periods)
+				(11 << 16)  |   // Peripheral Chip Select (selects LCD SPI_NCS2 or PA10)
+				( 0 << 7)   |   // Local Loopback Disabled
+				( 1 << 4)   |   // Mode Fault Detection disabled
+				( 0 << 2)   |   // Chip selects connected directly to peripheral
+				( 0 << 1)   |   // Fixed Peripheral Select
+				( 1 << 0);      // Master Mode
 			AT91C_BASE_SPI->SPI_CSR[2] =
-				( 1 << 24)	|	// Delay between Consecutive Transfers (32 MCK periods)
-				( 1 << 16)	|	// Delay Before SPCK (1 MCK period)
-				( 6 << 8)	|	// Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
-				( 1 << 4)	|	// Bits per Transfer (9 bits)
-				( 0 << 3)	|	// Chip Select inactive after transfer
-				( 1 << 1)	|	// Clock Phase data captured on leading edge, changes on following edge
-				( 0 << 0);		// Clock Polarity inactive state is logic 0
+				( 1 << 24)  |   // Delay between Consecutive Transfers (32 MCK periods)
+				( 1 << 16)  |   // Delay Before SPCK (1 MCK period)
+				( 6 << 8)   |   // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
+				( 1 << 4)   |   // Bits per Transfer (9 bits)
+				( 0 << 3)   |   // Chip Select inactive after transfer
+				( 1 << 1)   |   // Clock Phase data captured on leading edge, changes on following edge
+				( 0 << 0);      // Clock Polarity inactive state is logic 0
 			break;
-		default:				// Disable SPI
+		default:                // Disable SPI
 			AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIDIS;
 			break;
 	}
@ -115,13 +115,12 @@ void SetupSpi(int mode)
 // Set up the synchronous serial port with the set of options that fits
 // the FPGA mode. Both RX and TX are always enabled.
 //-----------------------------------------------------------------------------
-void FpgaSetupSsc(uint8_t FPGA_mode)
-{
+void FpgaSetupSsc(uint16_t FPGA_mode) {
 	// First configure the GPIOs, and get ourselves a clock.
 	AT91C_BASE_PIOA->PIO_ASR =
-		GPIO_SSC_FRAME	|
-		GPIO_SSC_DIN	|
-		GPIO_SSC_DOUT	|
+		GPIO_SSC_FRAME  |
+		GPIO_SSC_DIN    |
+		GPIO_SSC_DOUT   |
 		GPIO_SSC_CLK;
 	AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;

@ -130,21 +129,21 @@ void FpgaSetupSsc(uint8_t FPGA_mode)
 	// Now set up the SSC proper, starting from a known state.
 	AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;

-	// RX clock comes from TX clock, RX starts when TX starts, data changes
-	// on RX clock rising edge, sampled on falling edge
+	// RX clock comes from TX clock, RX starts on Transmit Start,
+	// data and frame signal is sampled on falling edge of RK
 	AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);

 	// 8, 16 or 32 bits per transfer, no loopback, MSB first, 1 transfer per sync
 	// pulse, no output sync
-	if ((FPGA_mode & 0xe0) == FPGA_MAJOR_MODE_HF_READER_RX_XCORR) {
+	if ((FPGA_mode & FPGA_MAJOR_MODE_MASK) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
 		AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
 	} else {
 		AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
 	}

-	// TX clock comes from TK pin, no clock output, outputs change on falling
-	// edge of TK, sample on rising edge of TK, start on positive-going edge of sync
-	AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) |	SSC_CLOCK_MODE_START(5);
+	// TX clock comes from TK pin, no clock output, outputs change on rising edge of TK, 
+	// TF (frame sync) is sampled on falling edge of TK, start TX on rising edge of TF
+	AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);

 	// tx framing is the same as the rx framing
 	AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR;
@ -158,15 +157,14 @@ void FpgaSetupSsc(uint8_t FPGA_mode)
 // ourselves, not to another buffer). The stuff to manipulate those buffers
 // is in apps.h, because it should be inlined, for speed.
 //-----------------------------------------------------------------------------
-bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count)
-{
+bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count) {
 	if (buf == NULL) return false;

 	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;        // Disable DMA Transfer
 	AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf;           // transfer to this memory address
 	AT91C_BASE_PDC_SSC->PDC_RCR = sample_count;             // transfer this many samples
 	AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf;          // next transfer to same memory address
-	AT91C_BASE_PDC_SSC->PDC_RNCR = sample_count;            // ... with same number of samples	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;	        // go!
+	AT91C_BASE_PDC_SSC->PDC_RNCR = sample_count;            // ... with same number of samples
 	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;         // go!
 	return true;
 }
@ -178,7 +176,7 @@ bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count)
 //----------------------------------------------------------------------------
 static int get_from_fpga_combined_stream(z_streamp compressed_fpga_stream, uint8_t *output_buffer)
 {
-	if (fpga_image_ptr == compressed_fpga_stream->next_out) {	// need more data
+	if (fpga_image_ptr == compressed_fpga_stream->next_out) {   // need more data
 		compressed_fpga_stream->next_out = output_buffer;
 		compressed_fpga_stream->avail_out = OUTPUT_BUFFER_LEN;
 		fpga_image_ptr = output_buffer;
@ -281,20 +279,20 @@ static void DownloadFPGA(int bitstream_version, int FpgaImageLen, z_streamp comp

 	AT91C_BASE_PIOA->PIO_OER = GPIO_FPGA_ON;
 	AT91C_BASE_PIOA->PIO_PER = GPIO_FPGA_ON;
-	HIGH(GPIO_FPGA_ON);		// ensure everything is powered on
+	HIGH(GPIO_FPGA_ON);     // ensure everything is powered on

 	SpinDelay(50);

 	LED_D_ON();

 	// These pins are inputs
-    AT91C_BASE_PIOA->PIO_ODR =
-    	GPIO_FPGA_NINIT |
-    	GPIO_FPGA_DONE;
+	AT91C_BASE_PIOA->PIO_ODR =
+		GPIO_FPGA_NINIT |
+		GPIO_FPGA_DONE;
 	// PIO controls the following pins
-    AT91C_BASE_PIOA->PIO_PER =
-    	GPIO_FPGA_NINIT |
-    	GPIO_FPGA_DONE;
+	AT91C_BASE_PIOA->PIO_PER =
+		GPIO_FPGA_NINIT |
+		GPIO_FPGA_DONE;
 	// Enable pull-ups
 	AT91C_BASE_PIOA->PIO_PPUER =
 		GPIO_FPGA_NINIT |
@ -306,8 +304,8 @@ static void DownloadFPGA(int bitstream_version, int FpgaImageLen, z_streamp comp
 	LOW(GPIO_FPGA_DIN);
 	// These pins are outputs
 	AT91C_BASE_PIOA->PIO_OER =
-		GPIO_FPGA_NPROGRAM	|
-		GPIO_FPGA_CCLK		|
+		GPIO_FPGA_NPROGRAM  |
+		GPIO_FPGA_CCLK      |
 		GPIO_FPGA_DIN;

 	// enter FPGA configuration mode
@ -417,8 +415,10 @@ void FpgaDownloadAndGo(int bitstream_version)
 	uint8_t output_buffer[OUTPUT_BUFFER_LEN] = {0x00};

 	// check whether or not the bitstream is already loaded
-	if (downloaded_bitstream == bitstream_version)
+	if (downloaded_bitstream == bitstream_version) {
+		FpgaEnableTracing();
 		return;
+	}

 	// make sure that we have enough memory to decompress
 	BigBuf_free(); BigBuf_Clear_ext(false);
@ -448,22 +448,32 @@ void FpgaDownloadAndGo(int bitstream_version)
 // The bit format is:  C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
 // where C is the 4 bit command and D is the 12 bit data
 //-----------------------------------------------------------------------------
-void FpgaSendCommand(uint16_t cmd, uint16_t v)
-{
+void FpgaSendCommand(uint16_t cmd, uint16_t v) {
 	SetupSpi(SPI_FPGA_MODE);
-	while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0);		// wait for the transfer to complete
-	AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v;		// send the data
+	AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v;     // write the data to be sent
+	while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0);  // wait for the transfer to complete
 }
+
 //-----------------------------------------------------------------------------
 // Write the FPGA setup word (that determines what mode the logic is in, read
 // vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to
 // avoid changing this function's occurence everywhere in the source code.
 //-----------------------------------------------------------------------------
-void FpgaWriteConfWord(uint8_t v)
-{
+void FpgaWriteConfWord(uint16_t v) {
 	FpgaSendCommand(FPGA_CMD_SET_CONFREG, v);
 }

+//-----------------------------------------------------------------------------
+// enable/disable FPGA internal tracing
+//-----------------------------------------------------------------------------
+void FpgaEnableTracing(void) {
+	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 1);
+}
+
+void FpgaDisableTracing(void) {
+	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 0);
+}
+
 //-----------------------------------------------------------------------------
 // Set up the CMOS switches that mux the ADC: four switches, independently
 // closable, but should only close one at a time. Not an FPGA thing, but
--- a/armsrc/fpgaloader.h
+++ b/armsrc/fpgaloader.h
@ -17,14 +17,16 @@
 #include <stdbool.h>

 void FpgaSendCommand(uint16_t cmd, uint16_t v);
-void FpgaWriteConfWord(uint8_t v);
+void FpgaWriteConfWord(uint16_t v);
 void FpgaDownloadAndGo(int bitstream_version);
-void FpgaSetupSsc(uint8_t mode);
+void FpgaSetupSsc(uint16_t mode);
 void SetupSpi(int mode);
 bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count);
 void Fpga_print_status();
 int FpgaGetCurrent();
-#define FpgaDisableSscDma(void)	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+void FpgaEnableTracing(void);
+void FpgaDisableTracing(void);
+#define FpgaDisableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
 #define FpgaEnableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
 void SetAdcMuxFor(uint32_t whichGpio);

@ -33,46 +35,65 @@ void SetAdcMuxFor(uint32_t whichGpio);
 #define FPGA_BITSTREAM_HF 2

 // Definitions for the FPGA commands.
-#define FPGA_CMD_SET_CONFREG						(1<<12)
-#define FPGA_CMD_SET_DIVISOR						(2<<12)
-#define FPGA_CMD_SET_USER_BYTE1						(3<<12)
-// Definitions for the FPGA configuration word.
-// LF
-#define FPGA_MAJOR_MODE_LF_ADC						(0<<5)
-#define FPGA_MAJOR_MODE_LF_EDGE_DETECT				(1<<5)
-#define FPGA_MAJOR_MODE_LF_PASSTHRU					(2<<5)
-// HF
-#define FPGA_MAJOR_MODE_HF_READER_TX				(0<<5)
-#define FPGA_MAJOR_MODE_HF_READER_RX_XCORR			(1<<5)
-#define FPGA_MAJOR_MODE_HF_SIMULATOR				(2<<5)
-#define FPGA_MAJOR_MODE_HF_ISO14443A				(3<<5)
-#define FPGA_MAJOR_MODE_HF_SNOOP				(4<<5)
+#define FPGA_CMD_MASK                               0xF000
 // BOTH
-#define FPGA_MAJOR_MODE_OFF							(7<<5)
+#define FPGA_CMD_SET_CONFREG                       (1<<12)
+// LF
+#define FPGA_CMD_SET_DIVISOR                       (2<<12)
+#define FPGA_CMD_SET_EDGE_DETECT_THRESHOLD         (3<<12)
+// HF
+#define FPGA_CMD_TRACE_ENABLE                      (2<<12)
+
+// Definitions for the FPGA configuration word.
+#define FPGA_MAJOR_MODE_MASK                        0x01C0
+// LF
+#define FPGA_MAJOR_MODE_LF_ADC                      (0<<6)
+#define FPGA_MAJOR_MODE_LF_EDGE_DETECT              (1<<6)
+#define FPGA_MAJOR_MODE_LF_PASSTHRU                 (2<<6)
+// HF
+#define FPGA_MAJOR_MODE_HF_READER                   (0<<6)
+#define FPGA_MAJOR_MODE_HF_SIMULATOR                (1<<6)
+#define FPGA_MAJOR_MODE_HF_ISO14443A                (2<<6)
+#define FPGA_MAJOR_MODE_HF_SNOOP                    (3<<6)
+#define FPGA_MAJOR_MODE_HF_GET_TRACE                (4<<6)
+// BOTH
+#define FPGA_MAJOR_MODE_OFF                         (7<<6)
+
+#define FPGA_MINOR_MODE_MASK                        0x003F
 // Options for LF_ADC
-#define FPGA_LF_ADC_READER_FIELD					(1<<0)
+#define FPGA_LF_ADC_READER_FIELD                    (1<<0)
+
 // Options for LF_EDGE_DETECT
-#define FPGA_CMD_SET_EDGE_DETECT_THRESHOLD			FPGA_CMD_SET_USER_BYTE1
-#define FPGA_LF_EDGE_DETECT_READER_FIELD 			(1<<0)
-#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE				(1<<1)
-// Options for the HF reader, tx to tag
-#define FPGA_HF_READER_TX_SHALLOW_MOD				(1<<0)
-// Options for the HF reader, correlating against rx from tag
-#define FPGA_HF_READER_RX_XCORR_848_KHZ				(1<<0)
-#define FPGA_HF_READER_RX_XCORR_SNOOP				(1<<1)
-#define FPGA_HF_READER_RX_XCORR_QUARTER_FREQ		(1<<2)
+#define FPGA_LF_EDGE_DETECT_READER_FIELD            (1<<0)
+#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE             (2<<0)
+
+// Options for the HF reader
+#define FPGA_HF_READER_MODE_RECEIVE_IQ              (0<<0)
+#define FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE       (1<<0)
+#define FPGA_HF_READER_MODE_RECEIVE_PHASE           (2<<0)
+#define FPGA_HF_READER_MODE_SEND_FULL_MOD           (3<<0)
+#define FPGA_HF_READER_MODE_SEND_SHALLOW_MOD        (4<<0)
+#define FPGA_HF_READER_MODE_SNOOP_IQ                (5<<0)
+#define FPGA_HF_READER_MODE_SNOOP_AMPLITUDE         (6<<0)
+#define FPGA_HF_READER_MODE_SNOOP_PHASE             (7<<0)
+#define FPGA_HF_READER_MODE_SEND_JAM                (8<<0)
+
+#define FPGA_HF_READER_SUBCARRIER_848_KHZ           (0<<4)
+#define FPGA_HF_READER_SUBCARRIER_424_KHZ           (1<<4)
+#define FPGA_HF_READER_SUBCARRIER_212_KHZ           (2<<4)
+
 // Options for the HF simulated tag, how to modulate
-#define FPGA_HF_SIMULATOR_NO_MODULATION				(0<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_BPSK				(1<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_212K				(2<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_424K				(4<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT		0x5//101
+#define FPGA_HF_SIMULATOR_NO_MODULATION             (0<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_BPSK             (1<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_212K             (2<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K             (4<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT        0x5//101

 // Options for ISO14443A
-#define FPGA_HF_ISO14443A_SNIFFER					(0<<0)
-#define FPGA_HF_ISO14443A_TAGSIM_LISTEN				(1<<0)
-#define FPGA_HF_ISO14443A_TAGSIM_MOD				(2<<0)
-#define FPGA_HF_ISO14443A_READER_LISTEN				(3<<0)
-#define FPGA_HF_ISO14443A_READER_MOD				(4<<0)
+#define FPGA_HF_ISO14443A_SNIFFER                   (0<<0)
+#define FPGA_HF_ISO14443A_TAGSIM_LISTEN             (1<<0)
+#define FPGA_HF_ISO14443A_TAGSIM_MOD                (2<<0)
+#define FPGA_HF_ISO14443A_READER_LISTEN             (3<<0)
+#define FPGA_HF_ISO14443A_READER_MOD                (4<<0)

 #endif
--- a/armsrc/hfsnoop.c
+++ b/armsrc/hfsnoop.c
@ -1,10 +1,22 @@
+//-----------------------------------------------------------------------------
+// piwi, 2019
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to get sample data from FPGA.
+//-----------------------------------------------------------------------------
+
+#include "hfsnoop.h"
+
 #include "proxmark3.h"
-#include "apps.h"
 #include "BigBuf.h"
 #include "util.h"
-#include "usb_cdc.h"	// for usb_poll_validate_length
-
-static void RAMFUNC optimizedSnoop(void);
+#include "apps.h"
+#include "usb_cdc.h"
+#include "fpga.h"
+#include "fpgaloader.h"

 static void RAMFUNC optimizedSnoop(void)
 {
@ -74,3 +86,33 @@ void HfSnoop(int samplesToSkip, int triggersToSkip)
 	LED_D_OFF();
 }

+void HfPlot(void)
+{
+	uint8_t *buf = ToSend;
+	uint8_t *this_buf = buf;
+	
+	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_GET_TRACE);
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;   // Disable DMA Transfer
+	AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) this_buf; // start transfer to this memory address
+	AT91C_BASE_PDC_SSC->PDC_RCR = USB_CMD_DATA_SIZE;   // transfer this many samples
+	buf[0] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;         // clear receive register
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;    // Start DMA transfer
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_GET_TRACE);   // let FPGA transfer its internal Block-RAM
+
+	LED_B_ON();
+	for(size_t i = 0; i < FPGA_TRACE_SIZE; i += USB_CMD_DATA_SIZE) {
+		// prepare next DMA transfer:
+		uint8_t *next_buf = buf + ((i + USB_CMD_DATA_SIZE) % (2 * USB_CMD_DATA_SIZE));
+		AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)next_buf;
+		AT91C_BASE_PDC_SSC->PDC_RNCR = USB_CMD_DATA_SIZE;
+		size_t len = MIN(FPGA_TRACE_SIZE - i, USB_CMD_DATA_SIZE);
+		while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX))) ; // wait for DMA transfer to complete
+		cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, i, len, FPGA_TRACE_SIZE, this_buf, len);
+		this_buf = next_buf;
+	}
+	// Trigger a finish downloading signal with an ACK frame
+	cmd_send(CMD_ACK, 1, 0, FPGA_TRACE_SIZE, 0, 0);
+	LED_B_OFF();
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+}
--- a/armsrc/hfsnoop.h
+++ b/armsrc/hfsnoop.h
@ -0,0 +1,17 @@
+//-----------------------------------------------------------------------------
+// piwi, 2019
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to get sample data from FPGA.
+//-----------------------------------------------------------------------------
+
+#ifndef HFSNOOP_H__
+#define HFSNOOP_H__
+
+void HfSnoop(int samplesToSkip, int triggersToSkip);
+void HfPlot(void);
+
+#endif
--- a/armsrc/hitag2.c
+++ b/armsrc/hitag2.c
--- a/armsrc/hitag2.h
+++ b/armsrc/hitag2.h
@ -0,0 +1,24 @@
+//-----------------------------------------------------------------------------
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Hitag2 emulation
+//
+// (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
+// (c) 2012 Roel Verdult
+//-----------------------------------------------------------------------------
+
+#ifndef HITAG2_H__
+#define HITAG2_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+#include "hitag.h"
+
+extern void SnoopHitag(uint32_t type);
+extern void SimulateHitagTag(bool tag_mem_supplied, uint8_t* data);
+extern void ReaderHitag(hitag_function htf, hitag_data* htd);
+extern void WriterHitag(hitag_function htf, hitag_data* htd, int page);
+
+#endif
--- a/armsrc/hitagS.c
+++ b/armsrc/hitagS.c
--- a/armsrc/hitagS.h
+++ b/armsrc/hitagS.h
@ -0,0 +1,26 @@
+//-----------------------------------------------------------------------------
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// HitagS emulation (preliminary test version)
+//
+// (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
+//     <info@os-s.de>
+//-----------------------------------------------------------------------------
+// Some code was copied from Hitag2.c
+//-----------------------------------------------------------------------------
+
+#ifndef HITAGS_H__
+#define HITAGS_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+#include "hitag.h"
+
+void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock);
+void SimulateHitagSTag(bool tag_mem_supplied, uint8_t* data);
+void WritePageHitagS(hitag_function htf, hitag_data* htd, int page);
+void check_challenges_cmd(bool file_given, uint8_t* data, uint64_t tagMode);
+
+#endif
--- a/armsrc/i2c.c
+++ b/armsrc/i2c.c
@ -18,13 +18,15 @@
 #include "mifareutil.h" // for MF_DBGLEVEL
 #include "BigBuf.h"
 #include "apps.h"
+#include "usb_cdc.h"
+#include "util.h"
+

 #ifdef WITH_SMARTCARD
 #include "smartcard.h"
 #endif


-//	定义连接引脚
 #define GPIO_RST  AT91C_PIO_PA1
 #define GPIO_SCL  AT91C_PIO_PA5
 #define GPIO_SDA  AT91C_PIO_PA7
@ -49,14 +51,41 @@ static void __attribute__((optimize("O0"))) I2CSpinDelayClk(uint16_t delay) {
 	for (c = delay * 2; c; c--) {};
 }

-//	通讯延迟函数     communication delay function	
+// communication delay functions
 #define I2C_DELAY_1CLK    I2CSpinDelayClk(1)
 #define I2C_DELAY_2CLK    I2CSpinDelayClk(2)
 #define I2C_DELAY_XCLK(x) I2CSpinDelayClk((x))

-
 #define  ISO7618_MAX_FRAME 255

+// try i2c bus recovery at 100kHz = 5uS high, 5uS low
+static void I2C_recovery(void) {
+
+	DbpString("Performing i2c bus recovery");	
+			
+	// reset I2C
+	SDA_H; SCL_H;
+	
+	 //9nth cycle acts as NACK
+	for (int i = 0; i < 10; i++)  {
+		SCL_H; WaitUS(5);
+		SCL_L; WaitUS(5);
+	}
+	
+    //a STOP signal (SDA from low to high while CLK is high)	
+	SDA_L; WaitUS(5);
+	SCL_H; WaitUS(2);
+	SDA_H; WaitUS(2);
+	
+	bool isok = (SCL_read && SDA_read); 
+    if (!SDA_read)
+		DbpString("I2C bus recovery  error: SDA still LOW");
+	if (!SCL_read)
+		DbpString("I2C bus recovery  error: SCL still LOW");
+	if (isok)
+		DbpString("I2C bus recovery complete");
+}
+
 static void I2C_init(void) {
 	// Configure reset pin
 	AT91C_BASE_PIOA->PIO_PPUDR = GPIO_RST;  // disable pull up resistor
@ -72,10 +101,13 @@ static void I2C_init(void) {
 	// configure all three pins as output, controlled by PIOA
 	AT91C_BASE_PIOA->PIO_OER |= (GPIO_SCL | GPIO_SDA | GPIO_RST);
 	AT91C_BASE_PIOA->PIO_PER |= (GPIO_SCL | GPIO_SDA | GPIO_RST);
+
+	bool isok =  (SCL_read && SDA_read); 
+	if ( !isok )
+		I2C_recovery();
+	
 }

-
-// 设置复位状态
 // set the reset state
 static void I2C_SetResetStatus(uint8_t LineRST, uint8_t LineSCK, uint8_t LineSDA) {
 	if (LineRST)
@ -94,19 +126,19 @@ static void I2C_SetResetStatus(uint8_t LineRST, uint8_t LineSCK, uint8_t LineSDA
 		LOW(GPIO_SDA);
 }

-// 复位进入主程序
 // Reset the SIM_Adapter, then  enter the main program
 // Note: the SIM_Adapter will not enter the main program after power up. Please run this function before use SIM_Adapter.
 static void I2C_Reset_EnterMainProgram(void) {
-	I2C_SetResetStatus(0, 0, 0);    // 拉低复位线
-	SpinDelay(30);
-	I2C_SetResetStatus(1, 0, 0);    // 解除复位
-	SpinDelay(30);
-	I2C_SetResetStatus(1, 1, 1);    // 拉高数据线
-	SpinDelay(10);
+	StartTicks();
+	I2C_init();
+	I2C_SetResetStatus(0, 0, 0);
+	WaitMS(30);
+	I2C_SetResetStatus(1, 0, 0);
+	WaitMS(30);
+	I2C_SetResetStatus(1, 1, 1);
+	WaitMS(10);
 }

-//	等待时钟变高	
 // Wait for the clock to go High.	
 static bool WaitSCL_H_delay(uint32_t delay) {
 	while (delay--) {
@ -184,7 +216,8 @@ static void I2C_SendByte(uint8_t data) {
 	uint8_t bits = 8;

 	while (bits--) {
-		SCL_L; I2C_DELAY_1CLK;
+		SCL_L; 
+		I2C_DELAY_1CLK;

 		if (data & 0x80)
 			SDA_H;
@ -205,7 +238,6 @@ static void I2C_SendByte(uint8_t data) {
 }

 bool I2C_is_available(void) {
-	I2C_init();
 	I2C_Reset_EnterMainProgram();
 	if (!I2C_Start())  // some other device is active on the bus
 		return true;
@ -219,33 +251,33 @@ bool I2C_is_available(void) {
 }

 #ifdef WITH_SMARTCARD
-// 复位进入引导模式
 // Reset the SIM_Adapter, then enter the bootloader program
 // Reserve£ºFor firmware update.
 static void I2C_Reset_EnterBootloader(void) {
-	I2C_SetResetStatus(0, 1, 1);    // 拉低复位线
-	SpinDelay(100);
-	I2C_SetResetStatus(1, 1, 1);    // 解除复位
-	SpinDelay(10);
+	I2C_SetResetStatus(0, 1, 1);
+	WaitMS(100);
+	I2C_SetResetStatus(1, 1, 1);
+	WaitMS(10);
 }

-// Wait max 300ms or until SCL goes LOW.
+// Wait max 1800ms or until SCL goes LOW.
+// It timeout reading response from card
 // Which ever comes first
-static bool WaitSCL_L_300ms(void) {
-	volatile uint16_t delay = 310;
+bool WaitSCL_L_timeout(void){
+	volatile uint16_t delay = 1800;
 	while ( delay-- ) {
 		// exit on SCL LOW
 		if (!SCL_read)
 			return true;

-		SpinDelay(1);
+		WaitMS(1);
 	}
 	return (delay == 0);
 }

 static bool I2C_WaitForSim() {
-	// variable delay here.
-	if (!WaitSCL_L_300ms())
+	// wait for data from card
+	if (!WaitSCL_L_timeout())
 		return false;

 	// 8051 speaks with smart card.
@ -303,7 +335,7 @@ static bool I2C_WriteCmd(uint8_t device_cmd, uint8_t device_address) {
 	do {
 		if (!I2C_Start())
 			return false;
-		//[C0]
+		
 		I2C_SendByte(device_address & 0xFE);
 		if (!I2C_WaitAck())
 			break;
@ -323,7 +355,6 @@ static bool I2C_WriteCmd(uint8_t device_cmd, uint8_t device_address) {
 	return true;
 }

-// 写入1字节数据 （待写入数据，待写入地址，器件类型）
 // Sends 1 byte data (Data to be written, command to be written , SlaveDevice address  ).
 static bool I2C_WriteByte(uint8_t data, uint8_t device_cmd, uint8_t device_address) {
 	bool bBreak = true;
@ -354,7 +385,6 @@ static bool I2C_WriteByte(uint8_t data, uint8_t device_cmd, uint8_t device_addre
 	return true;
 }

-//	写入1串数据（待写入数组地址，待写入长度，待写入地址，器件类型）	
 //Sends a string of data (Array, length, command to be written , SlaveDevice address  ).
 // len = uint8 (max buffer to write 256bytes)
 static bool I2C_BufferWrite(uint8_t *data, uint8_t len, uint8_t device_cmd, uint8_t device_address) {
@ -393,7 +423,6 @@ static bool I2C_BufferWrite(uint8_t *data, uint8_t len, uint8_t device_cmd, uint
 	return true;
 }

-// 读出1串数据（存放读出数据，待读出长度，带读出地址，器件类型）
 // read 1 strings of data (Data array, Readout length, command to be written , SlaveDevice address  ).
 // len = uint8 (max buffer to read 256bytes)
 static int16_t I2C_BufferRead(uint8_t *data, uint8_t len, uint8_t device_cmd, uint8_t device_address) {
@ -403,7 +432,7 @@ static int16_t I2C_BufferRead(uint8_t *data, uint8_t len, uint8_t device_cmd, ui

 	// extra wait  500us (514us measured)
 	// 200us  (xx measured)
-	SpinDelayUs(600);
+	WaitUS(600);
 	bool bBreak = true;
 	uint16_t readcount = 0;

@ -462,6 +491,7 @@ static int16_t I2C_BufferRead(uint8_t *data, uint8_t len, uint8_t device_cmd, ui
 	}

 	I2C_Stop();
+	
 	// return bytecount - first byte (which is length byte)
 	return --readcount;
 }
@ -481,12 +511,10 @@ static int16_t I2C_ReadFW(uint8_t *data, uint8_t len, uint8_t msb, uint8_t lsb,
 		if (!I2C_WaitAck())
 			break;

-		// msb
 		I2C_SendByte(msb);
 		if (!I2C_WaitAck())
 			break;

-		// lsb
 		I2C_SendByte(lsb);
 		if (!I2C_WaitAck())
 			break;
@ -543,12 +571,10 @@ static bool I2C_WriteFW(uint8_t *data, uint8_t len, uint8_t msb, uint8_t lsb, ui
 		if (!I2C_WaitAck())
 			break;

-		// msb
 		I2C_SendByte(msb);
 		if (!I2C_WaitAck())
 			break;

-		// lsb
 		I2C_SendByte(lsb);
 		if (!I2C_WaitAck())
 			break;
@ -577,7 +603,6 @@ static bool I2C_WriteFW(uint8_t *data, uint8_t len, uint8_t msb, uint8_t lsb, ui
 void I2C_print_status(void) {
 	DbpString("Smart card module (ISO 7816)");
 	uint8_t resp[] = {0,0,0,0};
-	I2C_init();
 	I2C_Reset_EnterMainProgram();
 	uint8_t len = I2C_BufferRead(resp, sizeof(resp), I2C_DEVICE_CMD_GETVERSION, I2C_DEVICE_ADDRESS_MAIN);
 	if ( len > 0 )
@ -624,8 +649,6 @@ static bool GetATR(smart_card_atr_t *card_ptr) {
 	// Send ATR
 	// start [C0 01] stop start C1 len aa bb cc stop]
 	I2C_WriteCmd(I2C_DEVICE_CMD_GENERATE_ATR, I2C_DEVICE_ADDRESS_MAIN);
-	uint8_t	cmd[1] = {1};
-	LogTrace(cmd, 1, 0, 0, NULL, true);

 	// wait for sim card to answer.
 	// 1byte = 1ms, max frame 256bytes. Should wait 256ms at least just in case.
@ -637,41 +660,6 @@ static bool GetATR(smart_card_atr_t *card_ptr) {
 	if ( !sc_rx_bytes(card_ptr->atr, &len) )		
 		return false;

-	uint8_t pos_td = 1;
-	if ( (card_ptr->atr[1] & 0x10) == 0x10) pos_td++;
-	if ( (card_ptr->atr[1] & 0x20) == 0x20) pos_td++;
-	if ( (card_ptr->atr[1] & 0x40) == 0x40) pos_td++;
-	
-	// T0 indicate presence T=0 vs T=1.  T=1 has checksum TCK
-	if ( (card_ptr->atr[1] & 0x80) == 0x80) {
-		
-		pos_td++;
-	
-		// 1 == T1 ,  presence of checksum TCK
-		if ( (card_ptr->atr[pos_td] & 0x01) == 0x01) {
- 			uint8_t chksum = 0;
-			// xor property.  will be zero when xored with chksum.
-			for (uint8_t i = 1; i < len; ++i)
-				chksum ^= card_ptr->atr[i];
- 			if ( chksum ) {
-				if ( MF_DBGLEVEL > 2) DbpString("Wrong ATR checksum");
-			}
-		}
-	}
-
-	// for some reason we only get first byte of atr, if that is so, send dummy command to retrieve the rest of the atr 
-	if (len == 1) {
-
-		uint8_t data[1] = {0};
-		I2C_BufferWrite(data, len, I2C_DEVICE_CMD_SEND, I2C_DEVICE_ADDRESS_MAIN);
-
-		if ( !I2C_WaitForSim() )
-			return false;
-
-		uint8_t len2 = I2C_BufferRead(card_ptr->atr + len, sizeof(card_ptr->atr) - len, I2C_DEVICE_CMD_READ, I2C_DEVICE_ADDRESS_MAIN);
-		len = len + len2;
-	}
-
 	card_ptr->atr_len = len;
 	LogTrace(card_ptr->atr, card_ptr->atr_len, 0, 0, NULL, false);

@ -683,7 +671,6 @@ void SmartCardAtr(void) {
 	LED_D_ON();
 	clear_trace();
 	set_tracing(true);
-	I2C_init();
 	I2C_Reset_EnterMainProgram();
 	bool isOK = GetATR( &card );
 	cmd_send(CMD_ACK, isOK, sizeof(smart_card_atr_t), 0, &card, sizeof(smart_card_atr_t));
@ -706,10 +693,9 @@ void SmartCardRaw( uint64_t arg0, uint64_t arg1, uint8_t *data ) {

 	if ((flags & SC_CONNECT)) {	

-		I2C_init();
 		I2C_Reset_EnterMainProgram();

-		if ( !(flags & SC_NO_SELECT) ) {
+		if ((flags & SC_SELECT)) {
 			smart_card_atr_t card;
 			bool gotATR = GetATR( &card );
 			//cmd_send(CMD_ACK, gotATR, sizeof(smart_card_atr_t), 0, &card, sizeof(smart_card_atr_t));
@ -718,25 +704,28 @@ void SmartCardRaw( uint64_t arg0, uint64_t arg1, uint8_t *data ) {
 		}
 	}

-	if ((flags & SC_RAW)) {
+	if ((flags & SC_RAW) || (flags & SC_RAW_T0)) {

 		LogTrace(data, arg1, 0, 0, NULL, true);

 		// Send raw bytes
 		// asBytes = A0 A4 00 00 02
 		// arg1 = len 5
-		I2C_BufferWrite(data, arg1, I2C_DEVICE_CMD_SEND, I2C_DEVICE_ADDRESS_MAIN);
-
-		if ( !I2C_WaitForSim() )
-			goto OUT;
+		bool res = I2C_BufferWrite(data, arg1, ((flags & SC_RAW_T0) ? I2C_DEVICE_CMD_SEND_T0 : I2C_DEVICE_CMD_SEND), I2C_DEVICE_ADDRESS_MAIN);
+		if ( !res && MF_DBGLEVEL > 3 ) DbpString(I2C_ERROR);

 		// read bytes from module
 		len = ISO7618_MAX_FRAME;
-		sc_rx_bytes(resp, &len);
-		LogTrace(resp, len, 0, 0, NULL, false);
+		res = sc_rx_bytes(resp, &len);
+		if ( res ) {
+			LogTrace(resp, len, 0, 0, NULL, false);
+		} else {
+			len = 0;
+		}
 	}
 OUT:
 	cmd_send(CMD_ACK, len, 0, 0, resp, len);
+	BigBuf_free();
 	set_tracing(false);
 	LEDsoff();
 }
@ -749,7 +738,6 @@ void SmartCardUpgrade(uint64_t arg0) {
 	// write.   Sector0,  with 11,22,33,44
 	// erase is 128bytes, and takes 50ms to execute

-	I2C_init();
 	I2C_Reset_EnterBootloader();

 	bool isOK = true;
@ -777,7 +765,7 @@ void SmartCardUpgrade(uint64_t arg0) {
 		}

 		// writing takes time.
-		SpinDelay(50);
+		WaitMS(50);

 		// read
 		res = I2C_ReadFW(verfiydata, size, msb, lsb, I2C_DEVICE_ADDRESS_BOOT);
@ -799,6 +787,7 @@ void SmartCardUpgrade(uint64_t arg0) {
 	}
 	cmd_send(CMD_ACK, isOK, pos, 0, 0, 0);
 	LED_C_OFF();
+	BigBuf_free();	
 }

 // unfinished (or not needed?)
@ -808,7 +797,6 @@ void SmartCardUpgrade(uint64_t arg0) {
 void SmartCardSetClock(uint64_t arg0) {
 	LED_D_ON();
 	set_tracing(true);
-	I2C_init();
 	I2C_Reset_EnterMainProgram();

 	// Send SIM CLC
--- a/armsrc/i2c.h
+++ b/armsrc/i2c.h
@ -23,6 +23,8 @@
 #define I2C_DEVICE_CMD_SETBAUD        0x04
 #define I2C_DEVICE_CMD_SIM_CLC        0x05
 #define I2C_DEVICE_CMD_GETVERSION     0x06
+#define I2C_DEVICE_CMD_SEND_T0        0x07
+

 bool I2C_is_available(void);

--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
--- a/armsrc/iclass.h
+++ b/armsrc/iclass.h
@ -0,0 +1,32 @@
+//-----------------------------------------------------------------------------
+// Gerhard de Koning Gans - May 2008
+// Hagen Fritsch - June 2010
+// Gerhard de Koning Gans - May 2011
+// Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to support iClass.
+//-----------------------------------------------------------------------------
+
+#ifndef ICLASS_H__
+#define ICLASS_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+
+extern void SnoopIClass(uint8_t jam_search_len, uint8_t *jam_search_string);
+extern void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void ReaderIClass(uint8_t arg0);
+extern void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC);
+extern void IClass_iso14443A_GetPublic(uint8_t arg0);
+extern void iClass_Readcheck(uint8_t block, bool use_credit_key);
+extern void iClass_Check(uint8_t *MAC);
+extern void iClass_WriteBlock(uint8_t blockNo, uint8_t *data);
+extern void iClass_ReadBlk(uint8_t blockNo);
+extern void iClass_Dump(uint8_t blockno, uint8_t numblks);
+extern void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data);
+
+#endif
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
--- a/armsrc/iso14443a.h
+++ b/armsrc/iso14443a.h
@ -13,6 +13,7 @@
 #ifndef __ISO14443A_H
 #define __ISO14443A_H

+#include <stddef.h>
 #include <stdint.h>
 #include <stdbool.h>
 #include "usb_cmd.h"
@ -31,7 +32,7 @@ extern void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *par);
 extern void AppendCrc14443a(uint8_t *data, int len);

 extern void RAMFUNC SnoopIso14443a(uint8_t param);
-extern void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t *data);
+extern void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, uint8_t *data);
 extern void ReaderIso14443a(UsbCommand *c);
 extern void ReaderTransmit(uint8_t *frame, uint16_t len, uint32_t *timing);
 extern void ReaderTransmitBitsPar(uint8_t *frame, uint16_t bits, uint8_t *par, uint32_t *timing);
@ -41,7 +42,6 @@ extern void ReaderMifare(bool first_try);

 extern int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity);
 extern int EmSendCmd(uint8_t *resp, uint16_t respLen);
-extern int EmSendCmdEx(uint8_t *resp, uint16_t respLen);
 extern int EmSend4bit(uint8_t resp);
 extern int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
 extern int EmSendPrecompiledCmd(tag_response_info_t *response_info);
@ -49,8 +49,9 @@ extern int EmSendPrecompiledCmd(tag_response_info_t *response_info);
 extern bool prepare_allocated_tag_modulation(tag_response_info_t *response_info, uint8_t **buffer, size_t *buffer_size);

 extern void iso14443a_setup(uint8_t fpga_minor_mode);
-extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data);
+extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, bool send_chaining, void *data, uint8_t *res);
 extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats);
 extern void iso14a_set_trigger(bool enable);
 extern void iso14a_set_timeout(uint32_t timeout);
+extern uint32_t iso14a_get_timeout(void);
 #endif /* __ISO14443A_H */
--- a/armsrc/iso14443b.c
+++ b/armsrc/iso14443b.c
@ -10,14 +10,18 @@
 // the `fake tag' modes.
 //-----------------------------------------------------------------------------

+#include "iso14443b.h"
+
 #include "proxmark3.h"
 #include "apps.h"
+#include "usb_cdc.h"
 #include "util.h"
 #include "string.h"
-
 #include "iso14443crc.h"
+#include "fpgaloader.h"
+#include "BigBuf.h"

-#define RECEIVE_SAMPLES_TIMEOUT 1000 // TR0 max is 256/fs = 256/(848kHz) = 302us or 64 samples from FPGA. 1000 seems to be much too high?
+#define RECEIVE_SAMPLES_TIMEOUT 64 // TR0 max is 256/fs = 256/(848kHz) = 302us or 64 samples from FPGA
 #define ISO14443B_DMA_BUFFER_SIZE 128

 // PCB Block number for APDUs
@ -325,6 +329,7 @@ static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
 //-----------------------------------------------------------------------------
 void SimulateIso14443bTag(void)
 {
+	LED_A_ON();
 	// the only commands we understand is WUPB, AFI=0, Select All, N=1:
 	static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // WUPB
 	// ... and REQB, AFI=0, Normal Request, N=1:
@ -386,10 +391,7 @@ void SimulateIso14443bTag(void)
 			break;
 		}

-		if (tracing) {
-			uint8_t parity[MAX_PARITY_SIZE];
-			LogTrace(receivedCmd, len, 0, 0, parity, true);
-		}
+		LogTrace(receivedCmd, len, 0, 0, NULL, true);

 		// Good, look at the command now.
 		if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0)
@ -463,12 +465,12 @@ void SimulateIso14443bTag(void)
 		}

 		// trace the response:
-		if (tracing) {
-			uint8_t parity[MAX_PARITY_SIZE];
-			LogTrace(resp, respLen, 0, 0, parity, false);
-		}
+		LogTrace(resp, respLen, 0, 0, NULL, false);

 	}
+	
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	LED_A_OFF();
 }

 //=============================================================================
@ -585,9 +587,10 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
 					Demod.state = DEMOD_UNSYNCD;
 				} else {
 					LED_C_ON(); // Got SOF
-					Demod.state = DEMOD_AWAITING_START_BIT;
 					Demod.posCount = 0;
+					Demod.bitCount = 0;
 					Demod.len = 0;
+					Demod.state = DEMOD_AWAITING_START_BIT;
 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
 					Demod.metricN = 0;
 					Demod.metric = 0;
@ -604,13 +607,16 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
 		case DEMOD_AWAITING_START_BIT:
 			Demod.posCount++;
 			MAKE_SOFT_DECISION();
-			if(v > 0) {
-				if(Demod.posCount > 3*2) { 		// max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
-					Demod.state = DEMOD_UNSYNCD;
+			if (v > 0) {
+				if (Demod.posCount > 3*2) { 		// max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
 					LED_C_OFF();
+					if (Demod.bitCount == 0 && Demod.len == 0) { // received SOF only, this is valid for iClass/Picopass
+						return true;
+					} else {
+						Demod.state = DEMOD_UNSYNCD;
+					}
 				}
 			} else {							// start bit detected
-				Demod.bitCount = 0;
 				Demod.posCount = 1;				// this was the first half
 				Demod.thisBit = v;
 				Demod.shiftReg = 0;
@ -620,7 +626,7 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)

 		case DEMOD_RECEIVING_DATA:
 			MAKE_SOFT_DECISION();
-			if(Demod.posCount == 0) { 			// first half of bit
+			if (Demod.posCount == 0) { 			// first half of bit
 				Demod.thisBit = v;
 				Demod.posCount = 1;
 			} else {							// second half of bit
@ -636,22 +642,23 @@ static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
 */

 				Demod.shiftReg >>= 1;
-				if(Demod.thisBit > 0) {	// logic '1'
+				if (Demod.thisBit > 0) {	// logic '1'
 					Demod.shiftReg |= 0x200;
 				}

 				Demod.bitCount++;
-				if(Demod.bitCount == 10) {
+				if (Demod.bitCount == 10) {
 					uint16_t s = Demod.shiftReg;
-					if((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
+					if ((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
 						uint8_t b = (s >> 1);
 						Demod.output[Demod.len] = b;
 						Demod.len++;
+						Demod.bitCount = 0;
 						Demod.state = DEMOD_AWAITING_START_BIT;
 					} else {
 						Demod.state = DEMOD_UNSYNCD;
 						LED_C_OFF();
-						if(s == 0x000) {
+						if (s == 0x000) {
 							// This is EOF (start, stop and all data bits == '0'
 							return true;
 						}
@ -692,8 +699,8 @@ static void DemodInit(uint8_t *data)
 *  Demodulate the samples we received from the tag, also log to tracebuffer
 *  quiet: set to 'true' to disable debug output
 */
-static void GetSamplesFor14443bDemod(int n, bool quiet)
-{
+static int GetSamplesFor14443bDemod(int timeout, bool quiet) {
+	int ret = 0;
 	int maxBehindBy = 0;
 	bool gotFrame = false;
 	int lastRxCounter, samples = 0;
@ -716,7 +723,7 @@ static void GetSamplesFor14443bDemod(int n, bool quiet)
 	while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY))

 	// Setup and start DMA.
-	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
 	FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);

 	uint16_t *upTo = dmaBuf;
@ -725,7 +732,7 @@ static void GetSamplesFor14443bDemod(int n, bool quiet)
 	// Signal field is ON with the appropriate LED:
 	LED_D_ON();
 	// And put the FPGA in the appropriate mode
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);

 	for(;;) {
 		int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
@ -749,12 +756,15 @@ static void GetSamplesFor14443bDemod(int n, bool quiet)
 		}
 		samples++;

-		if(Handle14443bSamplesDemod(ci, cq)) {
+		if (Handle14443bSamplesDemod(ci, cq)) {
+			ret = Demod.len;
 			gotFrame = true;
 			break;
 		}

-		if(samples > n) {
+		if(samples > timeout && Demod.state < DEMOD_PHASE_REF_TRAINING) {
+			ret = -1;
+			LED_C_OFF();
 			break;
 		}
 	}
@ -762,11 +772,14 @@ static void GetSamplesFor14443bDemod(int n, bool quiet)
 	FpgaDisableSscDma();

 	if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", maxBehindBy, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
-	//Tracing
-	if (tracing && Demod.len > 0) {
-		uint8_t parity[MAX_PARITY_SIZE];
-		LogTrace(Demod.output, Demod.len, 0, 0, parity, false);
+
+	if (ret < 0) {
+		return ret;
 	}
+ 	//Tracing
+	LogTrace(Demod.output, Demod.len, 0, 0, NULL, false);
+
+	return ret;
 }


@ -775,28 +788,21 @@ static void GetSamplesFor14443bDemod(int n, bool quiet)
 //-----------------------------------------------------------------------------
 static void TransmitFor14443b(void)
 {
-	int c;
-
-	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_TX);
-
-	// Signal field is ON with the appropriate Red LED
-	LED_D_ON();
-	// Signal we are transmitting with the Green LED
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
 	LED_B_ON();
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
-
-	c = 0;
-	for(;;) {
-		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-			AT91C_BASE_SSC->SSC_THR = ~ToSend[c];
-			c++;
-			if(c >= ToSendMax) {
-				break;
-			}
+	for(int c = 0; c < ToSendMax; c++) {
+		uint8_t data = ToSend[c];
+		for (int i = 0; i < 8; i++) {
+			uint16_t send_word = (data & 0x80) ? 0x0000 : 0xffff;
+			while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
+			AT91C_BASE_SSC->SSC_THR = send_word;
+			while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
+			AT91C_BASE_SSC->SSC_THR = send_word;
+			data <<= 1;
 		}
 		WDT_HIT();
 	}
-	LED_B_OFF(); // Finished sending
+	LED_B_OFF();
 }


@ -858,17 +864,14 @@ static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
 {
 	CodeIso14443bAsReader(cmd, len);
 	TransmitFor14443b();
-	if (tracing) {
-		uint8_t parity[MAX_PARITY_SIZE];
-		LogTrace(cmd,len, 0, 0, parity, true);
-	}
+	LogTrace(cmd,len, 0, 0, NULL, true);
 }

 /* Sends an APDU to the tag
 * TODO: check CRC and preamble
 */
-int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response)
-{
+int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response) {
+	LED_A_ON();
 	uint8_t message_frame[message_length + 4];
 	// PCB
 	message_frame[0] = 0x0A | pcb_blocknum;
@ -882,18 +885,19 @@ int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *respo
 	// send
 	CodeAndTransmit14443bAsReader(message_frame, message_length + 4);
 	// get response
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
-	if(Demod.len < 3)
-	{
+	int ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+	FpgaDisableTracing();
+	if (ret < 3) {
+		LED_A_OFF();
 		return 0;
 	}
 	// TODO: Check CRC
 	// copy response contents
-	if(response != NULL)
-	{
+	if (response != NULL) {
 		memcpy(response, Demod.output, Demod.len);
 	}
-	return Demod.len;
+	LED_A_OFF();
+	return ret;
 }

 /* Perform the ISO 14443 B Card Selection procedure
@ -912,10 +916,9 @@ int iso14443b_select_card()

 	// first, wake up the tag
 	CodeAndTransmit14443bAsReader(wupb, sizeof(wupb));
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+	int ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 	// ATQB too short?
-	if (Demod.len < 14)
-	{
+	if (ret < 14) {
 		return 2;
 	}

@ -927,10 +930,9 @@ int iso14443b_select_card()
    attrib[7] = Demod.output[10] & 0x0F;
    ComputeCrc14443(CRC_14443_B, attrib, 9, attrib + 9, attrib + 10);
    CodeAndTransmit14443bAsReader(attrib, sizeof(attrib));
-    GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+    ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
    // Answer to ATTRIB too short?
-    if(Demod.len < 3)
-	{
+    if (ret < 3) {
 		return 2;
 	}
 	// reset PCB block number
@ -942,13 +944,13 @@ int iso14443b_select_card()
 void iso14443b_setup() {
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	// Set up the synchronous serial port
-	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_TX);
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
 	// connect Demodulated Signal to ADC:
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);

 	// Signal field is on with the appropriate LED
    LED_D_ON();
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);

 	DemodReset();
 	UartReset();
@ -965,6 +967,7 @@ void iso14443b_setup() {
 //-----------------------------------------------------------------------------
 void ReadSTMemoryIso14443b(uint32_t dwLast)
 {
+	LED_A_ON();
 	uint8_t i = 0x00;

 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
@ -975,12 +978,12 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	SpinDelay(200);

 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);

 	// Now give it time to spin up.
 	// Signal field is on with the appropriate LED
 	LED_D_ON();
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
 	SpinDelay(200);

 	clear_trace();
@ -989,12 +992,12 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	// First command: wake up the tag using the INITIATE command
 	uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
 	CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+	int ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);

-	if (Demod.len == 0) {
-		DbpString("No response from tag");
-		LED_D_OFF();
+	if (ret < 0) {
 		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		DbpString("No response from tag");
+		LEDsoff();
 		return;
 	} else {
 		Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
@ -1007,26 +1010,26 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	cmd1[1] = Demod.output[0];
 	ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
 	CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+	ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
 	if (Demod.len != 3) {
-		Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
-		LED_D_OFF();
 		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
+		LEDsoff();
 		return;
 	}
 	// Check the CRC of the answer:
 	ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
 	if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
-		DbpString("CRC Error reading select response.");
-		LED_D_OFF();
 		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		DbpString("CRC Error reading select response.");
+		LEDsoff();
 		return;
 	}
 	// Check response from the tag: should be the same UID as the command we just sent:
 	if (cmd1[1] != Demod.output[0]) {
-		Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
-		LED_D_OFF();
 		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
+		LEDsoff();
 		return;
 	}

@ -1035,11 +1038,11 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 	cmd1[0] = 0x0B;
 	ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
 	CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
-	GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
-	if (Demod.len != 10) {
-		Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
-		LED_D_OFF();
+	ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+	if (ret != 10) {
 		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
+		LEDsoff();
 		return;
 	}
 	// The check the CRC of the answer (use cmd1 as temporary variable):
@ -1066,16 +1069,16 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 		cmd1[1] = i;
 		ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
 		CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-		GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
-		if (Demod.len != 6) { // Check if we got an answer from the tag
-			DbpString("Expected 6 bytes from tag, got less...");
-			LED_D_OFF();
+		ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+		if (ret != 6) { // Check if we got an answer from the tag
 			FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+			DbpString("Expected 6 bytes from tag, got less...");
+			LEDsoff();
 			return;
 		}
 		// The check the CRC of the answer (use cmd1 as temporary variable):
 		ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
-		if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
+		if (cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
 			Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
 					(cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
 			// Do not return;, let's go on... (we should retry, maybe ?)
@ -1090,8 +1093,8 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 		i++;
 	}
 	
-	LED_D_OFF();
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	LEDsoff();
 }


@ -1114,6 +1117,7 @@ void ReadSTMemoryIso14443b(uint32_t dwLast)
 */
 void RAMFUNC SnoopIso14443b(void)
 {
+	LED_A_ON();
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	BigBuf_free();

@ -1141,19 +1145,18 @@ void RAMFUNC SnoopIso14443b(void)
 	Dbprintf("  tag -> Reader: %i bytes", MAX_FRAME_SIZE);
 	Dbprintf("  DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);

-	// Signal field is off, no reader signal, no tag signal
-	LEDsoff();
+	// Signal field is off
+	LED_D_OFF();

 	// And put the FPGA in the appropriate mode
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_SNOOP_IQ);
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);

 	// Setup for the DMA.
-	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
 	upTo = dmaBuf;
 	lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
 	FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
-	uint8_t parity[MAX_PARITY_SIZE];

 	bool TagIsActive = false;
 	bool ReaderIsActive = false;
@ -1198,9 +1201,7 @@ void RAMFUNC SnoopIso14443b(void)
 		if (!TagIsActive) {							// no need to try decoding reader data if the tag is sending
 			if(Handle14443bUartBit(ci & 0x01)) {
 				triggered = true;
-				if(tracing) {
-					LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, true);
-				}
+				LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, true);
 				/* And ready to receive another command. */
 				UartReset();
 				/* And also reset the demod code, which might have been */
@ -1209,9 +1210,7 @@ void RAMFUNC SnoopIso14443b(void)
 			}
 			if(Handle14443bUartBit(cq & 0x01)) {
 				triggered = true;
-				if(tracing) {
-					LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, true);
-				}
+				LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, true);
 				/* And ready to receive another command. */
 				UartReset();
 				/* And also reset the demod code, which might have been */
@ -1221,15 +1220,10 @@ void RAMFUNC SnoopIso14443b(void)
 			ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
 		}

-		if(!ReaderIsActive && triggered) {						// no need to try decoding tag data if the reader is sending or not yet triggered
-			if(Handle14443bSamplesDemod(ci/2, cq/2)) {
-
+		if (!ReaderIsActive && triggered) {						// no need to try decoding tag data if the reader is sending or not yet triggered
+			if (Handle14443bSamplesDemod(ci/2, cq/2) >= 0) {
 				//Use samples as a time measurement
-				if(tracing)
-				{
-					uint8_t parity[MAX_PARITY_SIZE];
-					LogTrace(Demod.output, Demod.len, samples, samples, parity, false);
-				}
+				LogTrace(Demod.output, Demod.len, samples, samples, NULL, false);
 				// And ready to receive another response.
 				DemodReset();
 			}
@ -1239,13 +1233,13 @@ void RAMFUNC SnoopIso14443b(void)
 	}

 	FpgaDisableSscDma();
-	LEDsoff();
 	DbpString("Snoop statistics:");
 	Dbprintf("  Max behind by: %i", maxBehindBy);
 	Dbprintf("  Uart State: %x", Uart.state);
 	Dbprintf("  Uart ByteCnt: %i", Uart.byteCnt);
 	Dbprintf("  Uart ByteCntMax: %i", Uart.byteCntMax);
 	Dbprintf("  Trace length: %i", BigBuf_get_traceLen());
+	LEDsoff();
 }


@ -1263,12 +1257,14 @@ void RAMFUNC SnoopIso14443b(void)
 */
 void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, uint8_t data[])
 {
+	LED_A_ON();
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);

 	// switch field on and give tag some time to power up
 	LED_D_ON();
-	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_TX);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
+	FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
 	SpinDelay(10);

 	if (datalen){
@ -1276,16 +1272,21 @@ void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, u
 		
 		CodeAndTransmit14443bAsReader(data, datalen);

-		if(recv) {
-			GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
+		if (recv) {
+			int ret = GetSamplesFor14443bDemod(5*RECEIVE_SAMPLES_TIMEOUT, true);
+			FpgaDisableTracing();
 			uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
-			cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
+			cmd_send(CMD_ACK, ret, 0, 0, Demod.output, iLen);
 		}
+
+		FpgaDisableTracing();
 	}

-	if(!powerfield) {
+	if (!powerfield) {
 		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 		LED_D_OFF();
 	}
+	
+	LED_A_OFF();
 }

--- a/armsrc/iso14443b.h
+++ b/armsrc/iso14443b.h
@ -10,12 +10,18 @@
 // Routines to support ISO 14443 type B.
 //-----------------------------------------------------------------------------

-#ifndef __ISO14443B_H
-#define __ISO14443B_H
-#include "common.h"
+#ifndef ISO14443B_H__
+#define ISO14443B_H__

-int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response);
-void iso14443b_setup();
-int iso14443b_select_card();
+#include <stdint.h>
+#include <stddef.h>
+
+extern int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response);
+extern void iso14443b_setup();
+extern int iso14443b_select_card();
+extern void SimulateIso14443bTag(void);
+extern void ReadSTMemoryIso14443b(uint32_t);
+extern void SnoopIso14443b(void);
+extern void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);

 #endif /* __ISO14443B_H */
--- a/armsrc/iso15693.c
+++ b/armsrc/iso15693.c
--- a/armsrc/iso15693.h
+++ b/armsrc/iso15693.h
@ -0,0 +1,43 @@
+//-----------------------------------------------------------------------------
+// Piwi - October 2018
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to support ISO 15693.
+//-----------------------------------------------------------------------------
+
+#ifndef ISO15693_H__
+#define ISO15693_H__
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+
+// Delays in SSP_CLK ticks.
+// SSP_CLK runs at 13,56MHz / 32 = 423.75kHz when simulating a tag
+#define DELAY_ISO15693_VCD_TO_VICC_SIM     132  // 132/423.75kHz = 311.5us from end of command EOF to start of tag response
+//SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16
+#define DELAY_ISO15693_VCD_TO_VICC_READER 1056 // 1056/3,39MHz = 311.5us from end of command EOF to start of tag response
+#define DELAY_ISO15693_VICC_TO_VCD_READER 1024 // 1024/3.39MHz = 302.1us between end of tag response and next reader command
+
+extern void Iso15693InitReader(void);
+extern void Iso15693InitTag(void);
+extern void CodeIso15693AsReader(uint8_t *cmd, int n);
+extern void CodeIso15693AsTag(uint8_t *cmd, size_t len);
+extern void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, uint32_t slot_time, bool slow);
+extern int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eof_time);
+extern void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time);
+extern int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeout, uint32_t *eof_time);
+extern void SnoopIso15693(uint8_t jam_search_len, uint8_t *jam_search_string);
+extern void AcquireRawAdcSamplesIso15693(void);
+extern void ReaderIso15693(uint32_t parameter);
+extern void SimTagIso15693(uint32_t parameter, uint8_t *uid);
+extern void BruteforceIso15693Afi(uint32_t speed);
+extern void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t data[]);
+extern void SetTag15693Uid(uint8_t *uid);
+extern void SetDebugIso15693(uint32_t flag);
+extern bool LogTrace_ISO15693(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag);
+
+#endif
--- a/armsrc/legicrf.c
+++ b/armsrc/legicrf.c
@ -10,15 +10,17 @@
 // LEGIC RF simulation code
 //-----------------------------------------------------------------------------

+#include "legicrf.h"
+
 #include "proxmark3.h"
 #include "apps.h"
+#include "usb_cdc.h"
 #include "util.h"
 #include "string.h"
-
-#include "legicrf.h"
 #include "legic_prng.h"
 #include "legic.h"
 #include "crc.h"
+#include "fpgaloader.h"

 static legic_card_select_t card;/* metadata of currently selected card */
 static crc_t legic_crc;
@ -151,7 +153,7 @@ static inline void tx_bit(bool bit) {
 //-----------------------------------------------------------------------------

 static void tx_frame(uint32_t frame, uint8_t len) {
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX);
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_FULL_MOD);

  // wait for next tx timeslot
  last_frame_end += RWD_FRAME_WAIT;
@ -172,9 +174,7 @@ static void tx_frame(uint32_t frame, uint8_t len) {
 }

 static uint32_t rx_frame(uint8_t len) {
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR
-                  | FPGA_HF_READER_RX_XCORR_848_KHZ
-                  | FPGA_HF_READER_RX_XCORR_QUARTER_FREQ);
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);

  // hold sampling until card is expected to respond
  last_frame_end += TAG_FRAME_WAIT;
@ -195,9 +195,7 @@ static uint32_t rx_frame(uint8_t len) {

 static bool rx_ack() {
  // change fpga into rx mode
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR
-                  | FPGA_HF_READER_RX_XCORR_848_KHZ
-                  | FPGA_HF_READER_RX_XCORR_QUARTER_FREQ);
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);

  // hold sampling until card is expected to respond
  last_frame_end += TAG_FRAME_WAIT;
@ -257,14 +255,12 @@ static int init_card(uint8_t cardtype, legic_card_select_t *p_card) {
 static void init_reader(bool clear_mem) {
  // configure FPGA
  FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR
-                  | FPGA_HF_READER_RX_XCORR_848_KHZ
-                  | FPGA_HF_READER_RX_XCORR_QUARTER_FREQ);
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);
  SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
  LED_D_ON();

  // configure SSC with defaults
-  FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
+  FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);

  // re-claim GPIO_SSC_DOUT as GPIO and enable output
  AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
@ -384,8 +380,9 @@ void LegicRfReader(int offset, int bytes) {
  // establish shared secret and detect card type
  DbpString("Reading card ...");
  uint8_t card_type = setup_phase(SESSION_IV);
+  uint8_t result = 0;
  if(init_card(card_type, &card) != 0) {
-    Dbprintf("No or unknown card found, aborting");
+    result = 1;
    goto OUT;
  }

@ -402,17 +399,14 @@ void LegicRfReader(int offset, int bytes) {
  for(uint16_t i = 0; i < bytes; ++i) {
    int16_t byte = read_byte(offset + i, card.cmdsize);
    if(byte == -1) {
-      Dbprintf("operation failed @ 0x%03.3x", bytes);
+      result = 2;
      goto OUT;
    }
    BigBuf[i] = byte;
  }

-  // OK
-  Dbprintf("Card (MIM %i) read, use 'hf legic decode' or", card.cardsize);
-  Dbprintf("'data hexsamples %d' to view results", (bytes+7) & ~7);
-
 OUT:
+  cmd_send(CMD_ACK, result, bytes, 0, &card, sizeof(card));
  FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
  LED_B_OFF();
  LED_C_OFF();
--- a/armsrc/legicrfsim.c
+++ b/armsrc/legicrfsim.c
@ -10,16 +10,17 @@
 // LEGIC RF simulation code
 //-----------------------------------------------------------------------------

+#include "legicrfsim.h"
+
 #include "proxmark3.h"
 #include "apps.h"
 #include "util.h"
 #include "string.h"
-
-#include "legicrfsim.h"
 #include "legic_prng.h"
 #include "legic.h"
 #include "crc.h"
 #include "usb_cdc.h"  // for usb_poll_validate_length
+#include "fpgaloader.h"

 static uint8_t* legic_mem;      /* card memory, used for sim */
 static legic_card_select_t card;/* metadata of currently selected card */
@ -51,7 +52,7 @@ static uint32_t last_frame_end; /* ts of last bit of previews rx or tx frame */
 #define RWD_TIME_PAUSE        4 /* 18.9us */
 #define RWD_TIME_1           21 /* RWD_TIME_PAUSE 18.9us off + 80.2us on = 99.1us */
 #define RWD_TIME_0           13 /* RWD_TIME_PAUSE 18.9us off + 42.4us on = 61.3us */
-#define RWD_CMD_TIMEOUT      40 /* 40 * 99.1us (arbitrary value) */
+#define RWD_CMD_TIMEOUT     120 /* 120 * 99.1us (arbitrary value) */
 #define RWD_MIN_FRAME_LEN     6 /* Shortest frame is 6 bits */
 #define RWD_MAX_FRAME_LEN    23 /* Longest frame is 23 bits */

--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@ -17,7 +17,8 @@
 #include "lfdemod.h"
 #include "lfsampling.h"
 #include "protocols.h"
-#include "usb_cdc.h" // for usb_poll_validate_length
+#include "usb_cdc.h"
+#include "fpgaloader.h"

 /**
 * Function to do a modulation and then get samples.
@ -1197,12 +1198,79 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
 * and enlarge the gap ones.
 * Q5 tags seems to have issues when these values changes. 
 */
+
+ /*
+ // Original Timings for reference
+//note startgap must be sent after tag has been powered up for more than 3ms (per T5557 ds)
+ 
 #define START_GAP 31*8 // was 250 // SPEC:  1*8 to 50*8 - typ 15*8 (or 15fc)
 #define WRITE_GAP 20*8 // was 160 // SPEC:  1*8 to 20*8 - typ 10*8 (or 10fc)
 #define WRITE_0   18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
 #define WRITE_1   50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc)  432 for T55x7; 448 for E5550
 #define READ_GAP  15*8 

+*/
+/* Q5 timing datasheet:
+ * Type                  |  MIN   | Typical |  Max   |
+ * Start_Gap             |  10*8  |    ?    |  50*8  |
+ * Write_Gap Normal mode |   8*8  |   14*8  |  20*8  | 
+ * Write_Gap Fast Mode   |   8*8  |    ?    |  20*8  |
+ * Write_0   Normal mode |  16*8  |   24*8  |  32*8  |
+ * Write_1   Normal mode |  48*8  |   56*8  |  64*8  |
+ * Write_0   Fast Mode   |   8*8  |   12*8  |  16*8  |
+ * Write_1   Fast Mode   |  24*8  |   28*8  |  32*8  |
+*/
+
+/* T5557 timing datasheet:
+ * Type                  |  MIN   | Typical |  Max   |
+ * Start_Gap             |  10*8  |    ?    |  50*8  |
+ * Write_Gap Normal mode |   8*8  |50-150us |  30*8  | 
+ * Write_Gap Fast Mode   |   8*8  |    ?    |  20*8  |
+ * Write_0   Normal mode |  16*8  |   24*8  |  31*8  | 
+ * Write_1   Normal mode |  48*8  |   54*8  |  63*8  | 
+ * Write_0   Fast Mode   |   8*8  |   12*8  |  15*8  |
+ * Write_1   Fast Mode   |  24*8  |   28*8  |  31*8  |
+*/
+
+/* T5577C timing datasheet for Fixed-Bit-Length protocol (defualt):
+ * Type                  |  MIN   | Typical |  Max   |
+ * Start_Gap             |   8*8  |   15*8  |  50*8  |
+ * Write_Gap Normal mode |   8*8  |   10*8  |  20*8  | 
+ * Write_Gap Fast Mode   |   8*8  |   10*8  |  20*8  |
+ * Write_0   Normal mode |  16*8  |   24*8  |  32*8  | 
+ * Write_1   Normal mode |  48*8  |   56*8  |  64*8  | 
+ * Write_0   Fast Mode   |   8*8  |   12*8  |  16*8  |
+ * Write_1   Fast Mode   |  24*8  |   28*8  |  32*8  |
+*/
+
+// Structure to hold Timing values.  In future will be simplier to add user changable timings.
+typedef struct  {
+	uint16_t  START_GAP;
+	uint16_t  WRITE_GAP;
+	uint16_t  WRITE_0;
+	uint16_t  WRITE_1;
+	uint16_t  WRITE_2;
+	uint16_t  WRITE_3;
+	uint16_t  READ_GAP;
+} T55xx_Timing;
+
+// Set Initial/Default Values.  Note: *8 can occure when used.  This should keep things simplier here.
+T55xx_Timing T55xx_Timing_FixedBit = { 31 * 8   , 20 * 8   , 18 * 8 , 50 * 8 , 0      , 0      , 15 * 8   };
+T55xx_Timing T55xx_Timing_LLR      = { 31 * 8   , 20 * 8   , 18 * 8 , 50 * 8 , 0      , 0      , 15 * 8   };
+T55xx_Timing T55xx_Timing_Leading0 = { 31 * 8   , 20 * 8   , 18 * 8 , 40 * 8 , 0      , 0      , 15 * 8   };
+T55xx_Timing T55xx_Timing_1of4     = { 31 * 8   , 20 * 8   , 18 * 8 , 34 * 8 , 50 * 8 , 66 * 8 , 15 * 8   };
+
+// Some defines for readability
+#define T55xx_DLMode_Fixed         0 // Default Mode
+#define T55xx_DLMode_LLR           1 // Long Leading Reference
+#define T55xx_DLMode_Leading0      2 // Leading Zero
+#define T55xx_DLMode_1of4          3 // 1 of 4
+#define T55xx_LongLeadingReference 4 // Value to tell Write Bit to send long reference
+// Macro for code readability
+#define BitStream_Byte(X) ((X) >> 3)
+#define BitStream_Bit(X)  ((X) &  7)  
+
+
 void TurnReadLFOn(int delay) {
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 	// Give it a bit of time for the resonant antenna to settle.
@ -1210,36 +1278,179 @@ void TurnReadLFOn(int delay) {
 }

 // Write one bit to card
-void T55xxWriteBit(int bit) {
-	if (!bit)
-		TurnReadLFOn(WRITE_0);
-	else
-		TurnReadLFOn(WRITE_1);
+void T55xxWriteBit(int bit, T55xx_Timing *Timings) {
+
+	// If bit = 4 Send Long Leading Reference which is 138 + WRITE_0	
+	// Dbprintf ("Bits : %d",bit);
+	switch (bit){
+		case 0 : TurnReadLFOn(Timings->WRITE_0);             break; // Send bit  0/00
+		case 1 : TurnReadLFOn(Timings->WRITE_1);             break; // Send bit  1/01
+		case 2 : TurnReadLFOn(Timings->WRITE_2);             break; // Send bits   10
+		case 3 : TurnReadLFOn(Timings->WRITE_3);             break; // Send bits   11
+		case 4 : TurnReadLFOn(Timings->WRITE_0 + (136 * 8)); break; // Send Long Leading Reference
+	}
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	WaitUS(WRITE_GAP);
+	WaitUS(Timings->WRITE_GAP);
 }

-// Send T5577 reset command then read stream (see if we can identify the start of the stream)
-void T55xxResetRead(void) {
-	LED_A_ON();
-	//clear buffer now so it does not interfere with timing later
-	BigBuf_Clear_keep_EM();
+// Function to abstract an Arbitrary length byte array to store bit pattern.
+// bit_array    - Array to hold data/bit pattern
+// start_offset - bit location to start storing new bits.
+// data         - upto 32 bits of data to store
+// num_bits     - how many bits (low x bits of data)  Max 32 bits at a time
+// max_len         - how many bytes can the bit_array hold (ensure no buffer overflow)
+// returns "Next" bit offset / bits stored (for next store)
+//int T55xx_SetBits (uint8_t *bit_array, int start_offset, uint32_t data      , int num_bits, int max_len)
+int T55xx_SetBits (uint8_t *BitStream, uint8_t start_offset, uint32_t data , uint8_t num_bits, uint8_t max_len)
+{
+	int8_t offset;
+	int8_t NextOffset = start_offset;

+	// Check if data will fit.
+	if ((start_offset + num_bits) <= (max_len*8)) {
+		// Loop through the data and store
+		for (offset = (num_bits-1); offset >= 0; offset--) {
+
+			if ((data >> offset) & 1)  BitStream[BitStream_Byte(NextOffset)] |= (1         << BitStream_Bit(NextOffset));     // Set the bit to 1
+			else                       BitStream[BitStream_Byte(NextOffset)] &= (0xff ^ (1 << BitStream_Bit(NextOffset)));    // Set the bit to 0
+
+			NextOffset++;
+		}
+	}
+	else {
+		// Note: This should never happen unless some code changes cause it.  
+		// So short message for coders when testing.
+		Dbprintf ("T55 too many bits"); 
+	}
+	return NextOffset;
+}
+
+// Send one downlink command to the card 
+void T55xx_SendCMD (uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) { 
+
+	/*
+		arg bits
+		xxxxxxx1 0x01 PwdMode
+		xxxxxx1x 0x02 Page
+		xxxxx1xx 0x04 testMode
+		xxx11xxx 0x18 downlink mode
+		xx1xxxxx 0x20 !reg_readmode
+		x1xxxxxx 0x40 called for a read, so no data packet
+		1xxxxxxx 0x80 reset
+
+	*/
+	bool PwdMode      = ((arg & 0x01) == 0x01);
+	bool Page         =  (arg & 0x02);
+	bool testMode     = ((arg & 0x04) == 0x04);
+	uint8_t downlink_mode = (arg >> 3) & 0x03;
+	bool reg_readmode = ((arg & 0x20) == 0x20);
+	bool read_cmd     = ((arg & 0x40) == 0x40);
+	bool reset        =  (arg & 0x80);
+
+	uint8_t i = 0;
+	uint8_t BitStream[10];  // Max Downlink Command size ~74 bits, so 10 bytes (80 bits)
+	uint8_t BitStreamLen;
+	T55xx_Timing *Timing;
+	uint8_t SendBits;
+
+	// Assigning Downlink Timeing for write
+	switch (downlink_mode)
+	{
+		case T55xx_DLMode_Fixed    : Timing = &T55xx_Timing_FixedBit;  break; 
+		case T55xx_DLMode_LLR      : Timing = &T55xx_Timing_LLR;       break;
+		case T55xx_DLMode_Leading0 : Timing = &T55xx_Timing_Leading0;  break;
+		case T55xx_DLMode_1of4     : Timing = &T55xx_Timing_1of4;      break;
+		default:
+				Timing = &T55xx_Timing_FixedBit;
+	}
+
+	// Build Bit Stream to send.
+	memset (BitStream,0x00,sizeof(BitStream));
+	
+	BitStreamLen = 0; // Ensure 0 bit index to start.
+	
+	// Add Leading 0 and 1 of 4 reference bit
+	if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4))
+		BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream)); 
+
+	// Add extra reference 0 for 1 of 4
+	if (downlink_mode == T55xx_DLMode_1of4)
+		BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream)); 
+
+	// Add Opcode 
+	if (reset) {
+		//  Reset : r*) 00
+		BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 2,sizeof(BitStream)); 
+	}
+	else
+	{
+		if (testMode) Dbprintf("TestMODE");
+		BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 0 : 1    , 1,sizeof(BitStream));
+		BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 1 : Page , 1,sizeof(BitStream));
+
+		if (PwdMode) {
+			// Leading 0 and 1 of 4 00 fixed bits if passsword used		
+			if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4)) {
+				BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 2,sizeof(BitStream));
+			}
+			BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Pwd, 32,sizeof(BitStream));
+		}
+
+		// Add Lock bit 0
+		if (!reg_readmode) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
+
+		// Add Data if a write command
+		if (!read_cmd)	BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Data, 32,sizeof(BitStream));
+
+		// Add Address
+		if (!reg_readmode) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Block, 3,sizeof(BitStream));
+	}
+
+	// Send Bits to T55xx
 	// Set up FPGA, 125kHz
 	LFSetupFPGAForADC(95, true);
 	StartTicks();
 	// make sure tag is fully powered up...
 	WaitMS(5);
-	
 	// Trigger T55x7 in mode.
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	WaitUS(START_GAP);
+	WaitUS(Timing->START_GAP);

-	// reset tag - op code 00
-	T55xxWriteBit(0);
-	T55xxWriteBit(0);
+	// If long leading 0 send long reference pulse
+	if (downlink_mode ==  T55xx_DLMode_LLR) 
+		T55xxWriteBit (T55xx_LongLeadingReference,Timing); // Send Long Leading Start Reference

-	TurnReadLFOn(READ_GAP);
+	if ((downlink_mode ==  T55xx_DLMode_1of4) && (BitStreamLen > 0)) { // 1 of 4 need to send 2 bits at a time
+		for ( i = 0; i < BitStreamLen-1; i+=2 ) {
+			SendBits  = (BitStream[BitStream_Byte(i  )] >> (BitStream_Bit(i  )) & 1) << 1;   // Bit i
+			SendBits += (BitStream[BitStream_Byte(i+1)] >> (BitStream_Bit(i+1)) & 1);        // Bit i+1;
+			T55xxWriteBit (SendBits & 3,Timing);
+		}
+	}
+	else {
+		for (i = 0; i < BitStreamLen; i++) {
+			SendBits = (BitStream[BitStream_Byte(i)] >> BitStream_Bit(i));
+			T55xxWriteBit (SendBits & 1,Timing);
+		}
+	}
+}
+
+// Send T5577 reset command then read stream (see if we can identify the start of the stream)
+void T55xxResetRead(void) {
+	LED_A_ON();
+
+	//  send  r* 00 
+	uint8_t arg = 0x80;  // SendCMD will add correct reference mode based on flags (when added).
+
+	// Add in downlink_mode when ready
+	//    arg |= 0x00;  // dlmode << 3  (00 default - 08 leading 0 - 10 Fixed - 18 1 of 4 )
+
+	//clear buffer now so it does not interfere with timing later
+	BigBuf_Clear_keep_EM();
+
+	T55xx_SendCMD (0, 0, 0, arg); //, true);
+
+	TurnReadLFOn(T55xx_Timing_FixedBit.READ_GAP);

 	// Acquisition
 	DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
@ -1251,42 +1462,23 @@ void T55xxResetRead(void) {
 }

 // Write one card block in page 0, no lock
-void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
-	LED_A_ON();
-	bool PwdMode = arg & 0x1;
-	uint8_t Page = (arg & 0x2)>>1;
-	bool testMode = arg & 0x4;
-	uint32_t i = 0;
+void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
+	/*
+		arg bits
+		xxxxxxx1 0x01 PwdMode
+		xxxxxx1x 0x02 Page
+		xxxxx1xx 0x04 testMode
+		xxx11xxx 0x18 downlink mode
+		xx1xxxxx 0x20 !reg_readmode
+		x1xxxxxx 0x40 called for a read, so no data packet
+		1xxxxxxx 0x80 reset
+	*/
 	
-	// Set up FPGA, 125kHz
-	LFSetupFPGAForADC(95, true);
-	StartTicks();
-	// make sure tag is fully powered up...
-	WaitMS(5);
-	// Trigger T55x7 in mode.
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	WaitUS(START_GAP);
+	bool testMode = ((arg & 0x04) == 0x04);
+	arg &= (0xff ^ 0x40); // Called for a write, so ensure it is clear/0
 	
-	if (testMode) Dbprintf("TestMODE");
-	// Std Opcode 10
-	T55xxWriteBit(testMode ? 0 : 1);
-	T55xxWriteBit(testMode ? 1 : Page); //Page 0
-
-	if (PwdMode) {
-		// Send Pwd
-		for (i = 0x80000000; i != 0; i >>= 1)
-			T55xxWriteBit(Pwd & i);
-	}
-	// Send Lock bit
-	T55xxWriteBit(0);
-
-	// Send Data
-	for (i = 0x80000000; i != 0; i >>= 1)
-		T55xxWriteBit(Data & i);
-
-	// Send Block number
-	for (i = 0x04; i != 0; i >>= 1)
-		T55xxWriteBit(Block & i);
+	LED_A_ON ();
+	T55xx_SendCMD (Data, Block, Pwd, arg) ;//, false); 

 	// Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
 	// so wait a little more)
@ -1315,57 +1507,43 @@ void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg

 		//DoPartialAcquisition(20, true, 12000);
 	}
-
 	// turn field off
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LED_A_OFF();
-}

-// Write one card block in page 0, no lock
-void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
-	T55xxWriteBlockExt(Data, Block, Pwd, arg);
 	cmd_send(CMD_ACK,0,0,0,0,0);
+
+	LED_A_OFF ();
 }

 // Read one card block in page [page]
-void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
-	LED_A_ON();
-	bool PwdMode = arg0 & 0x1;
-	uint8_t Page = (arg0 & 0x2) >> 1;
-	uint32_t i = 0;
-	bool RegReadMode = (Block == 0xFF);//regular read mode
+void T55xxReadBlock (uint16_t arg0, uint8_t Block, uint32_t Pwd) {//, struct T55xx_Timing *Timing) {

-	//clear buffer now so it does not interfere with timing later
-	BigBuf_Clear_ext(false);
+	LED_A_ON();
+
+	/*
+		arg bits
+		xxxxxxx1 0x01 PwdMode
+		xxxxxx1x 0x02 Page
+		xxxxx1xx 0x04 testMode
+		xxx11xxx 0x18 downlink mode
+		xx1xxxxx 0x20 !reg_readmode
+		x1xxxxxx 0x40 called for a read, so no data packet
+		1xxxxxxx 0x80 reset
+	*/
+
+	// Set Read Flag to ensure SendCMD does not add "data" to the packet
+	arg0 |= 0x40;
+
+	// RegRead Mode true of block 0xff
+	if (Block == 0xff) arg0 |= 0x20;
 	
 	//make sure block is at max 7
 	Block &= 0x7;

-	// Set up FPGA, 125kHz to power up the tag
-	LFSetupFPGAForADC(95, true);
-	StartTicks();
-	// make sure tag is fully powered up...
-	WaitMS(5);
-	// Trigger T55x7 Direct Access Mode with start gap
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	WaitUS(START_GAP);
+	//clear buffer now so it does not interfere with timing later
+	BigBuf_Clear_ext(false);

-	// Opcode 1[page]
-	T55xxWriteBit(1);
-	T55xxWriteBit(Page); //Page 0
-
-	if (PwdMode){
-		// Send Pwd
-		for (i = 0x80000000; i != 0; i >>= 1)
-			T55xxWriteBit(Pwd & i);
-	}
-	// Send a zero bit separation
-	T55xxWriteBit(0);
-
-	// Send Block number (if direct access mode)
-	if (!RegReadMode)
-		for (i = 0x04; i != 0; i >>= 1)
-			T55xxWriteBit(Block & i);		
+	T55xx_SendCMD (0, Block, Pwd, arg0); //, true);

 	// Turn field on to read the response
 	// 137*8 seems to get to the start of data pretty well... 
@ -1379,30 +1557,31 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
 	// Turn the field off
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	cmd_send(CMD_ACK,0,0,0,0,0);    
+
 	LED_A_OFF();
 }

 void T55xxWakeUp(uint32_t Pwd){
 	LED_B_ON();
-	uint32_t i = 0;
+	/*
+		arg bits
+		xxxxxxx1 0x01 PwdMode
+		xxxxxx1x 0x02 Page
+		xxxxx1xx 0x04 testMode
+		xxx11xxx 0x18 downlink mode
+		xx1xxxxx 0x20 !reg_readmode 
+		x1xxxxxx 0x40 called for a read, so no data packet
+		1xxxxxxx 0x80 reset
+	*/

-	// Set up FPGA, 125kHz
-	LFSetupFPGAForADC(95, true);
-	StartTicks();
-	// make sure tag is fully powered up...
-	WaitMS(5);
+	// r* 10 (00) <pwd>   r* for llr , L0 and 1/4 - (00) for L0 and 1/4 - All handled in SendCMD
+	// So, default Opcode 10 and pwd.
+	uint8_t arg = 0x01 | 0x40 | 0x20; //Password Read Call no data | reg_read no block

-	// Trigger T55x7 Direct Access Mode
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	WaitUS(START_GAP);
+	// Add in downlink_mode when ready
+	//    arg |= 0x00;  // dlmode << 3  (00 default - 08 leading 0 - 10 Fixed - 18 1 of 4 )

-	// Opcode 10
-	T55xxWriteBit(1);
-	T55xxWriteBit(0); //Page 0
-
-	// Send Pwd
-	for (i = 0x80000000; i != 0; i >>= 1)
-		T55xxWriteBit(Pwd & i);
+	T55xx_SendCMD (0, 0, Pwd, arg); //, true);

 	// Turn and leave field on to let the begin repeating transmission
 	TurnReadLFOn(20*1000);
@ -1413,12 +1592,13 @@ void T55xxWakeUp(uint32_t Pwd){
 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
 	// write last block first and config block last (if included)
 	for (uint8_t i = numblocks+startblock; i > startblock; i--) {
-		T55xxWriteBlockExt(blockdata[i-1],i-1,0,0);
+		T55xxWriteBlock(blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
+		//T55xx_SendCMD (blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
 	}
 }

-// Copy HID id to card and setup block 0 config
-void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
+// Copy a HID-like card (e.g. HID Proximity, Paradox) to a T55x7 compatible card
+void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, uint8_t preamble) {
 	uint32_t data[] = {0,0,0,0,0,0,0};
 	uint8_t last_block = 0;

@ -1430,15 +1610,15 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
 		}
 		// Build the 6 data blocks for supplied 84bit ID
 		last_block = 6;
-		// load preamble (1D) & long format identifier (9E manchester encoded)
-		data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
+		// load preamble & long format identifier (9E manchester encoded)
+		data[1] = (preamble << 24) | 0x96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
 		// load raw id from hi2, hi, lo to data blocks (manchester encoded)
 		data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
 		data[3] = manchesterEncode2Bytes(hi >> 16);
 		data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
 		data[5] = manchesterEncode2Bytes(lo >> 16);
 		data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
-	}	else {
+	} else {
 		// Ensure no more than 44 bits supplied
 		if (hi>0xFFF) {
 			DbpString("Tags can only have 44 bits.");
@ -1447,7 +1627,7 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
 		// Build the 3 data blocks for supplied 44bit ID
 		last_block = 3;
 		// load preamble
-		data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
+		data[1] = (preamble << 24) | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
 		data[2] = manchesterEncode2Bytes(lo >> 16);
 		data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
 	}
@ -1613,6 +1793,7 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
 #define FWD_CMD_WRITE 0xA
 #define FWD_CMD_READ 0x9
 #define FWD_CMD_DISABLE 0x5
+#define FWD_CMD_PROTECT 0x3

 uint8_t forwardLink_data[64]; //array of forwarded bits
 uint8_t * forward_ptr; //ptr for forward message preparation
@ -1726,7 +1907,7 @@ void SendForward(uint8_t fwd_bit_count) {
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
 	WaitUS(18*8); //18 cycles on (8us each)

-	// now start writting
+	// now start writting - each bit should be 32*8 total length
 	while(fwd_bit_sz-- > 0) { //prepare next bit modulation
 		if(((*fwd_write_ptr++) & 1) == 1)
 			WaitUS(32*8); //32 cycles at 125Khz (8us each)
@ -1735,7 +1916,7 @@ void SendForward(uint8_t fwd_bit_count) {
 			FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 			WaitUS(23*8); //23 cycles off (8us each)
 			FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
-			WaitUS(18*8); //18 cycles on (8us each)
+			WaitUS((32-23)*8); //remaining cycles on (8us each)
 		}
 	}
 }
@ -1782,7 +1963,7 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {

 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
 	
-	bool PwdMode = (flag & 0xF);
+	bool PwdMode = (flag & 0x1);
 	uint8_t Address = (flag >> 8) & 0xFF;
 	uint8_t fwd_bit_count;

@ -1812,6 +1993,39 @@ void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
 	LED_A_OFF();
 	cmd_send(CMD_ACK,0,0,0,0,0);
 }
+
+void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd) {
+	
+	bool PwdMode = (flag & 0x1);
+	uint8_t fwd_bit_count;
+
+	//clear buffer now so it does not interfere with timing later
+	BigBuf_Clear_ext(false);
+
+	LED_A_ON();
+	StartTicks();
+	//If password mode do login
+	if (PwdMode) EM4xLogin(Pwd);
+
+	forward_ptr = forwardLink_data;
+	fwd_bit_count = Prepare_Cmd( FWD_CMD_PROTECT );
+
+	//unsure if this needs the full packet config...
+	fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
+
+	SendForward(fwd_bit_count);
+
+	//Wait for write to complete
+	//SpinDelay(10);
+
+	WaitUS(6500);
+	//Capture response if one exists
+	DoPartialAcquisition(20, true, 6000, 1000);
+
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+	LED_A_OFF();
+	cmd_send(CMD_ACK,0,0,0,0,0);
+}
 /*
 Reading a COTAG.

--- a/armsrc/lfsampling.c
+++ b/armsrc/lfsampling.c
@ -12,9 +12,9 @@
 #include "string.h"
 #include "lfsampling.h"
 #include "usb_cdc.h"	// for usb_poll_validate_length
-//#include "ticks.h"		// for StartTicks
+#include "fpgaloader.h"

-sample_config config = { 1, 8, 1, 95, 0 } ;
+sample_config config = { 1, 8, 1, 95, 0, 0 } ;

 void printConfig()
 {
@ -24,6 +24,7 @@ void printConfig()
 	Dbprintf("  [d] decimation:        %d ", config.decimation);
 	Dbprintf("  [a] averaging:         %d ", config.averaging);
 	Dbprintf("  [t] trigger threshold: %d ", config.trigger_threshold);
+	Dbprintf("  [s] samples to skip:   %d ", config.samples_to_skip);
 }


@ -34,20 +35,21 @@ void printConfig()
 * Other functions may read samples and ignore the sampling config,
 * such as functions to read the UID from a prox tag or similar.
 *
- * Values set to '0' implies no change (except for averaging)
+ * Values set to '0' implies no change (except for averaging, threshold, samples_to_skip)
 * @brief setSamplingConfig
 * @param sc
 */
-void setSamplingConfig(sample_config *sc)
-{
-	if(sc->divisor != 0) config.divisor = sc->divisor;
-	if(sc->bits_per_sample!= 0) config.bits_per_sample= sc->bits_per_sample;
-	if(sc->decimation!= 0) config.decimation= sc->decimation;
-	if(sc->trigger_threshold != -1) config.trigger_threshold= sc->trigger_threshold;
+void setSamplingConfig(uint8_t *config_data) {
+	sample_config *sc = (sample_config *)config_data;
+	if (sc->divisor != 0) config.divisor = sc->divisor;
+	if (sc->bits_per_sample != 0) config.bits_per_sample = sc->bits_per_sample;
+	if (sc->decimation != 0) config.decimation = sc->decimation;
+	if (sc->trigger_threshold != -1) config.trigger_threshold = sc->trigger_threshold;
+	if (sc->samples_to_skip != -1) config.samples_to_skip = sc->samples_to_skip;

 	config.averaging= sc->averaging;
-	if(config.bits_per_sample > 8)	config.bits_per_sample = 8;
-	if(config.decimation < 1)	config.decimation = 1;
+	if (config.bits_per_sample > 8)	config.bits_per_sample = 8;
+	if (config.decimation < 1)	config.decimation = 1;

 	printConfig();
 }
@ -119,7 +121,7 @@ void LFSetupFPGAForADC(int divisor, bool lf_field)
 * @param silent - is true, now outputs are made. If false, dbprints the status
 * @return the number of bits occupied by the samples.
 */
-uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after)
+uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip)
 {
 	//.
 	uint8_t *dest = BigBuf_get_addr();
@ -141,6 +143,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
 	uint32_t sample_total_numbers =0 ;
 	uint32_t sample_total_saved =0 ;
 	uint32_t cancel_counter = 0;
+	uint32_t samples_skipped = 0;

 	while(!BUTTON_PRESS() && !usb_poll_validate_length() ) {
 		WDT_HIT();
@ -160,6 +163,10 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
 				continue;
 			}
 			trigger_threshold = 0;
+			if (samples_to_skip > samples_skipped) {
+				samples_skipped++;
+				continue;
+			}
 			sample_total_numbers++;

 			if(averaging)
@ -218,7 +225,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
 */
 uint32_t DoAcquisition_default(int trigger_threshold, bool silent)
 {
-	return DoAcquisition(1,8,0,trigger_threshold,silent,0,0);
+	return DoAcquisition(1,8,0,trigger_threshold,silent,0,0,0);
 }
 uint32_t DoAcquisition_config(bool silent, int sample_size)
 {
@ -228,11 +235,12 @@ uint32_t DoAcquisition_config(bool silent, int sample_size)
 				  ,config.trigger_threshold
 				  ,silent
 				  ,sample_size
-				  ,0);
+				  ,0
+				  ,config.samples_to_skip);
 }

 uint32_t DoPartialAcquisition(int trigger_threshold, bool silent, int sample_size, int cancel_after) {
-	return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after);
+	return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after,0);
 }

 uint32_t ReadLF(bool activeField, bool silent, int sample_size)
--- a/armsrc/lfsampling.h
+++ b/armsrc/lfsampling.h
@ -1,5 +1,5 @@
-#ifndef LFSAMPLING_H
-#define LFSAMPLING_H
+#ifndef LFSAMPLING_H__
+#define LFSAMPLING_H__

 /**
 * acquisition of Cotag LF signal. Similar to other LF,  since the Cotag has such long datarate RF/384
@ -45,7 +45,7 @@ uint32_t DoAcquisition_config(bool silent, int sample_size);
 * Setup the FPGA to listen for samples. This method downloads the FPGA bitstream
 * if not already loaded, sets divisor and starts up the antenna.
 * @param divisor : 1, 88> 255 or negative ==> 134.8 KHz
-* 				   0 or 95 ==> 125 KHz
+*                  0 or 95 ==> 125 KHz
 *
 **/
 void LFSetupFPGAForADC(int divisor, bool lf_field);
@ -61,9 +61,9 @@ void LFSetupFPGAForADC(int divisor, bool lf_field);
 * @brief setSamplingConfig
 * @param sc
 */
-void setSamplingConfig(sample_config *sc);
+void setSamplingConfig(uint8_t *config_data);

-sample_config * getSamplingConfig();
+sample_config *getSamplingConfig();

 void printConfig();

--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
--- a/armsrc/mifarecmd.h
+++ b/armsrc/mifarecmd.h
@ -10,18 +10,36 @@
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------

-#ifndef __MIFARECMD_H
-#define __MIFARECMD_H
+#ifndef MIFARECMD_H__
+#define MIFARECMD_H__

-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
+#include <stdint.h>

-#include "iso14443crc.h"
-#include "iso14443a.h"
-#include "crapto1/crapto1.h"
-#include "mifareutil.h"
-#include "common.h"
+extern void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
+extern void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
+extern void MifareUC_Auth(uint8_t arg0, uint8_t *datain);
+extern void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
+extern void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+extern void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+//extern void MifareUWriteBlockCompat(uint8_t arg0,uint8_t *datain);
+extern void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
+extern void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain);
+extern void MifareChkKeys(uint16_t arg0, uint32_t arg1, uint8_t arg2, uint8_t *datain);
+extern void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);       // Work with "magic Chinese" card
+extern void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+extern void MifareCIdent();  // is "magic chinese" card?
+extern void MifareUSetPwd(uint8_t arg0, uint8_t *datain);
+extern void MifarePersonalizeUID(uint8_t keyType, uint8_t perso_option, uint8_t *datain);

+//desfire
+extern void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain);
+extern void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain);

 #endif
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@ -20,31 +20,30 @@
 #include "fpgaloader.h"
 #include "proxmark3.h"
 #include "usb_cdc.h"
-#include "cmd.h"
 #include "protocols.h"
 #include "apps.h"
+#include "util.h"
+

 //mifare emulator states
-#define MFEMUL_NOFIELD      0
-#define MFEMUL_IDLE         1
-#define MFEMUL_SELECT1      2
-#define MFEMUL_SELECT2      3
-#define MFEMUL_SELECT3      4
-#define MFEMUL_AUTH1        5
-#define MFEMUL_AUTH2        6
-#define MFEMUL_WORK	        7
-#define MFEMUL_WRITEBL2     8
-#define MFEMUL_INTREG_INC   9
-#define MFEMUL_INTREG_DEC  10
-#define MFEMUL_INTREG_REST 11
-#define MFEMUL_HALTED      12
-
-#define cardSTATE_TO_IDLE() { cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF(); }
+#define MFEMUL_NOFIELD           0
+#define MFEMUL_IDLE              1
+#define MFEMUL_SELECT1           2
+#define MFEMUL_SELECT2           3
+#define MFEMUL_SELECT3           4
+#define MFEMUL_AUTH1             5
+#define MFEMUL_AUTH2             6
+#define MFEMUL_WORK              7
+#define MFEMUL_WRITEBL2          8
+#define MFEMUL_INTREG_INC        9
+#define MFEMUL_INTREG_DEC       10
+#define MFEMUL_INTREG_REST      11
+#define MFEMUL_HALTED           12

 #define AC_DATA_READ             0
 #define AC_DATA_WRITE            1
-#define AC_DATA_INC				 2
-#define AC_DATA_DEC_TRANS_REST	 3
+#define AC_DATA_INC              2
+#define AC_DATA_DEC_TRANS_REST   3
 #define AC_KEYA_READ             0
 #define AC_KEYA_WRITE            1
 #define AC_KEYB_READ             2
@ -57,11 +56,30 @@
 #define AUTHKEYNONE              0xff


+static int ParamCardSizeBlocks(const char c) {
+	int numBlocks = 16 * 4;
+	switch (c) {
+		case '0' : numBlocks = 5 * 4; break;
+		case '2' : numBlocks = 32 * 4; break;
+		case '4' : numBlocks = 32 * 4 + 8 * 16; break;
+		default:   numBlocks = 16 * 4;
+	}
+	return numBlocks;
+}
+
+static uint8_t BlockToSector(int block_num) {
+	if (block_num < 32 * 4) {    // 4 blocks per sector
+		return (block_num / 4);
+	} else {                     // 16 blocks per sector
+		return 32 + (block_num - 32 * 4) / 16;
+	}
+}
+
 static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
 	uint8_t sector_trailer[16];
 	emlGetMem(sector_trailer, blockNo, 1);
 	uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
-	           | ((sector_trailer[8] >> 2) & 0x02)
+			   | ((sector_trailer[8] >> 2) & 0x02)
 			   | ((sector_trailer[8] >> 7) & 0x01);
 	switch (action) {
 		case AC_KEYA_READ: {
@ -70,7 +88,7 @@ static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t act
 		}
 		case AC_KEYA_WRITE: {
 			return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
-			     || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
+				 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
 			break;
 		}
 		case AC_KEYB_READ: {
@ -78,18 +96,18 @@ static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t act
 			break;
 		}
 		case AC_KEYB_WRITE: {
-			return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x04))
-			     || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
+			return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
+				 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
 			break;
 		}
 		case AC_AC_READ: {
 			return ((keytype == AUTHKEYA)
-			     || (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
+				 || (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
 			break;
 		}
 		case AC_AC_WRITE: {
 			return ((keytype == AUTHKEYA && (AC == 0x01))
-			     || (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
+				 || (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
 			break;
 		}
 		default: return false;
@ -136,22 +154,22 @@ static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action
 	switch (action) {
 		case AC_DATA_READ: {
 			return ((keytype == AUTHKEYA && !(AC == 0x03 || AC == 0x05 || AC == 0x07))
-			     || (keytype == AUTHKEYB && !(AC == 0x07)));
+				 || (keytype == AUTHKEYB && !(AC == 0x07)));
 			break;
 		}
 		case AC_DATA_WRITE: {
 			return ((keytype == AUTHKEYA && (AC == 0x00))
-			     || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
+				 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
 			break;
 		}
 		case AC_DATA_INC: {
 			return ((keytype == AUTHKEYA && (AC == 0x00))
-			     || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
+				 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
 			break;
 		}
 		case AC_DATA_DEC_TRANS_REST: {
 			return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x06 || AC == 0x01))
-			     || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
+				 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
 			break;
 		}
 	}
@ -169,18 +187,18 @@ static bool IsAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
 }


-static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len) {
+static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t cardsize) {

-	#define TAG_RESPONSE_COUNT 5								// number of precompiled responses
-	static uint8_t rATQA[]    = {0x04, 0x00}; 					// indicate Mifare classic 1k 4Byte UID
-	static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00};	// UID 1st cascade level
-	static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00};	// UID 2nd cascade level
-	static uint8_t rSAKfinal[]= {0x08, 0xb6, 0xdd};				// mifare 1k indicated
-	static uint8_t rSAK1[]    = {0x04, 0xda, 0x17}; 			// indicate UID not finished
+	#define TAG_RESPONSE_COUNT 5                                // number of precompiled responses
+	static uint8_t rATQA[]    = {0x00, 0x00};
+	static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
+	static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
+	static uint8_t rSAKfinal[]= {0x00, 0x00, 0x00};             // SAK after UID complete
+	static uint8_t rSAK1[]    = {0x00, 0x00, 0x00};             // indicate UID not finished

 	*uid_len = 4;
 	// UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long
-	if (flags & FLAG_4B_UID_IN_DATA) { 	// get UID from datain
+	if (flags & FLAG_4B_UID_IN_DATA) {  // get UID from datain
 		memcpy(rUIDBCC1, datain, 4);
 	} else if (flags & FLAG_7B_UID_IN_DATA) {
 		rUIDBCC1[0] = 0x88;
@ -189,10 +207,10 @@ static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **
 		*uid_len = 7;
 	} else {
 		uint8_t probable_atqa;
-		emlGetMemBt(&probable_atqa, 7, 1);	// get UID from emul memory - weak guess at length
-		if (probable_atqa == 0x00) {      	// ---------- 4BUID
+		emlGetMemBt(&probable_atqa, 7, 1);  // get UID from emul memory - weak guess at length
+		if (probable_atqa == 0x00) {        // ---------- 4BUID
 			emlGetMemBt(rUIDBCC1, 0, 4);
-		} else {                           	// ---------- 7BUID
+		} else {                            // ---------- 7BUID
 			rUIDBCC1[0] = 0x88;
 			emlGetMemBt(rUIDBCC1+1, 0, 3);
 			emlGetMemBt(rUIDBCC2, 3, 4);
@ -204,17 +222,16 @@ static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **
 		case 4:
 			*cuid = bytes_to_num(rUIDBCC1, 4);
 			rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-			if (MF_DBGLEVEL >= 2)	{
+			if (MF_DBGLEVEL >= MF_DBG_INFO)   {
 				Dbprintf("4B UID: %02x%02x%02x%02x",
-					rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]	);
+					rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]  );
 			}
 			break;
 		case 7:
-			rATQA[0] |= 0x40;
 			*cuid = bytes_to_num(rUIDBCC2, 4);
 			rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
 			rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
-			if (MF_DBGLEVEL >= 2)	{
+			if (MF_DBGLEVEL >= MF_DBG_INFO)   {
 				Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
 					rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3]  );
 			}
@ -223,18 +240,47 @@ static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **
 			break;
 	}

+	// set SAK based on cardsize
+	switch (cardsize) {
+		case '0': rSAKfinal[0] = 0x09; break; // Mifare Mini
+		case '2': rSAKfinal[0] = 0x10; break; // Mifare 2K
+		case '4': rSAKfinal[0] = 0x18; break; // Mifare 4K
+		default: rSAKfinal[0] = 0x08;         // Mifare 1K
+	}
+	ComputeCrc14443(CRC_14443_A, rSAKfinal, 1, rSAKfinal + 1, rSAKfinal + 2);
+	if (MF_DBGLEVEL >= MF_DBG_INFO)   {
+		Dbprintf("SAK:    %02x", rSAKfinal[0]);
+	}
+
+	// set SAK for incomplete UID
+	rSAK1[0] = 0x04;                          // Bit 3 indicates incomplete UID
+	ComputeCrc14443(CRC_14443_A, rSAK1, 1, rSAK1 + 1, rSAK1 + 2);
+
+	// set ATQA based on cardsize and UIDlen
+	if (cardsize == '4') {
+		rATQA[0] = 0x02;
+	} else {
+		rATQA[0] = 0x04;
+	}
+	if (*uid_len == 7) {
+		rATQA[0] |= 0x40;
+	}
+	if (MF_DBGLEVEL >= MF_DBG_INFO)   {
+		Dbprintf("ATQA:   %02x %02x", rATQA[1], rATQA[0]);
+	}
+
 	static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
-		{ .response = rATQA,     .response_n = sizeof(rATQA)  },		// Answer to request - respond with card type
-		{ .response = rUIDBCC1,  .response_n = sizeof(rUIDBCC1) },		// Anticollision cascade1 - respond with first part of uid
-		{ .response = rUIDBCC2,  .response_n = sizeof(rUIDBCC2) },		// Anticollision cascade2 - respond with 2nd part of uid 
-		{ .response = rSAKfinal, .response_n = sizeof(rSAKfinal)  },	// Acknowledge select - last cascade
-		{ .response = rSAK1,     .response_n = sizeof(rSAK1) }			// Acknowledge select - previous cascades
+		{ .response = rATQA,     .response_n = sizeof(rATQA)  },        // Answer to request - respond with card type
+		{ .response = rUIDBCC1,  .response_n = sizeof(rUIDBCC1) },      // Anticollision cascade1 - respond with first part of uid
+		{ .response = rUIDBCC2,  .response_n = sizeof(rUIDBCC2) },      // Anticollision cascade2 - respond with 2nd part of uid
+		{ .response = rSAKfinal, .response_n = sizeof(rSAKfinal)  },    // Acknowledge select - last cascade
+		{ .response = rSAK1,     .response_n = sizeof(rSAK1) }          // Acknowledge select - previous cascades
 	};

 	// Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT
-	// There are 7 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
+	// There are 5 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
 	// 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits  ->   need 177 bytes buffer
-	#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177	// number of bytes required for precompiled responses
+	#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177    // number of bytes required for precompiled responses

 	uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
 	size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
@ -262,20 +308,21 @@ static bool HasValidCRC(uint8_t *receivedCmd, uint16_t receivedCmd_len) {


 /**
-  *MIFARE 1K simulate.
+  *MIFARE simulate.
  *
  *@param flags :
-  *	FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
+  * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
  * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
  * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
-  * FLAG_10B_UID_IN_DATA	- use 10-byte UID in the data-section not finished
-  *	FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later
+  * FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later
  * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
  *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
  * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
  */
-void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
+void MifareSim(uint8_t flags, uint8_t exitAfterNReads, uint8_t cardsize, uint8_t *datain)
 {
+	LED_A_ON();
+
 	tag_response_info_t *responses;
 	uint8_t uid_len = 4;
 	uint32_t cuid = 0;
@ -288,47 +335,46 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 	uint32_t cardINTREG = 0;
 	uint8_t cardINTBLOCK = 0;
 	struct Crypto1State mpcs = {0, 0};
-	struct Crypto1State *pcs;
-	pcs = &mpcs;
-	uint32_t numReads = 0;//Counts numer of times reader reads a block
+	struct Crypto1State *pcs = &mpcs;
+	uint32_t numReads = 0; //Counts numer of times reader reads a block
 	uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
 	uint16_t receivedCmd_len;
 	uint8_t response[MAX_MIFARE_FRAME_SIZE];
 	uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
+	uint8_t fixed_nonce[] = {0x01, 0x02, 0x03, 0x04};

-	uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
-	uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
+	int num_blocks = ParamCardSizeBlocks(cardsize);

-	//Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
+	// Here we collect UID, sector, keytype, NT, AR, NR, NT2, AR2, NR2
 	// This will be used in the reader-only attack.

-	//allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
+	// allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
 	#define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
-	nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
+	nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
 	memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));

-	uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; //*2 for 2nd attack type (moebius)
+	uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // *2 for 2nd attack type (moebius)
 	memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
-	uint8_t	nonce1_count = 0;
-	uint8_t	nonce2_count = 0;
-	uint8_t	moebius_n_count = 0;
+	uint8_t nonce1_count = 0;
+	uint8_t nonce2_count = 0;
+	uint8_t moebius_n_count = 0;
 	bool gettingMoebius = false;
-	uint8_t	mM = 0; //moebius_modifier for collection storage
+	uint8_t mM = 0; // moebius_modifier for collection storage

 	// Authenticate response - nonce
 	uint32_t nonce;
 	if (flags & FLAG_RANDOM_NONCE) {
 		nonce = prand();
 	} else {
-		nonce = bytes_to_num(rAUTH_NT, 4);
+		nonce = bytes_to_num(fixed_nonce, 4);
 	}

 	// free eventually allocated BigBuf memory but keep Emulator Memory
 	BigBuf_free_keep_EM();

-	MifareSimInit(flags, datain, &responses, &cuid, &uid_len);
+	MifareSimInit(flags, datain, &responses, &cuid, &uid_len, cardsize);

 	// We need to listen to the high-frequency, peak-detected path.
 	iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
@ -345,25 +391,28 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 	while (!button_pushed && !finished && !usb_poll_validate_length()) {
 		WDT_HIT();

-		// find reader field
 		if (cardSTATE == MFEMUL_NOFIELD) {
+			// wait for reader HF field
 			int vHf = (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
 			if (vHf > MF_MINFIELDV) {
-				LED_A_ON();
-				cardSTATE_TO_IDLE();
+				LED_D_ON();
+				cardSTATE = MFEMUL_IDLE;
 			}
 			button_pushed = BUTTON_PRESS();
 			continue;
 		}

 		//Now, get data
+		FpgaEnableTracing();
 		int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);

-		if (res == 2) { //Field is off!
-			LEDsoff();
+		if (res == 2) { //  Reader has dropped the HF field. Power off.
+			FpgaDisableTracing();
+			LED_D_OFF();
 			cardSTATE = MFEMUL_NOFIELD;
 			continue;
 		} else if (res == 1) { // button pressed
+			FpgaDisableTracing();
 			button_pushed = true;
 			break;
 		}
@ -371,6 +420,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 		// WUPA in HALTED state or REQA or WUPA in any other state
 		if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
 			EmSendPrecompiledCmd(&responses[ATQA]);
+			FpgaDisableTracing();

 			// init crypto block
 			crypto1_destroy(pcs);
@ -378,8 +428,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 			if (flags & FLAG_RANDOM_NONCE) {
 				nonce = prand();
 			}
-			LED_B_OFF();
-			LED_C_OFF();
 			cardSTATE = MFEMUL_SELECT1;
 			continue;
 		}
@ -390,54 +438,58 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 			case MFEMUL_IDLE:{
 				break;
 			}
+
 			case MFEMUL_SELECT1:{
 				// select all - 0x93 0x20
 				if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
-					if (MF_DBGLEVEL >= 4)	Dbprintf("SELECT ALL CL1 received");
 					EmSendPrecompiledCmd(&responses[UIDBCC1]);
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("SELECT ALL CL1 received");
 					break;
 				}
 				// select card - 0x93 0x70 ...
 				if (receivedCmd_len == 9 &&
 						(receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC1].response, 4) == 0)) {
-					if (MF_DBGLEVEL >= 4) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
 					if (uid_len == 4) {
 						EmSendPrecompiledCmd(&responses[SAKfinal]);
-						LED_B_ON();
 						cardSTATE = MFEMUL_WORK;
-						break;
 					} else if (uid_len == 7) {
 						EmSendPrecompiledCmd(&responses[SAK1]);
-						cardSTATE	= MFEMUL_SELECT2;
-						break;
+						cardSTATE = MFEMUL_SELECT2;
 					}
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
+					break;
 				}
-				cardSTATE_TO_IDLE();
+				cardSTATE = MFEMUL_IDLE;
 				break;
 			}
+
 			case MFEMUL_SELECT2:{
 				// select all cl2 - 0x95 0x20
 				if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
-					if (MF_DBGLEVEL >= 4)	Dbprintf("SELECT ALL CL2 received");
 					EmSendPrecompiledCmd(&responses[UIDBCC2]);
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("SELECT ALL CL2 received");
 					break;
 				}
 				// select cl2 card - 0x95 0x70 xxxxxxxxxxxx
 				if (receivedCmd_len == 9 &&
 						(receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC2].response, 4) == 0)) {
 					if (uid_len == 7) {
-						if (MF_DBGLEVEL >= 4) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
 						EmSendPrecompiledCmd(&responses[SAKfinal]);
-						LED_B_ON();
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
 						cardSTATE = MFEMUL_WORK;
 						break;
 					}
 				}
-				cardSTATE_TO_IDLE();
+				cardSTATE = MFEMUL_IDLE;
 				break;
 			}
+
 			case MFEMUL_WORK:{
-				if (receivedCmd_len != 4) {	// all commands must have exactly 4 bytes
+				if (receivedCmd_len != 4) { // all commands must have exactly 4 bytes
 					break;
 				}
 				bool encrypted_data = (cardAUTHKEY != AUTHKEYNONE) ;
@ -448,76 +500,92 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 					memcpy(receivedCmd_dec, receivedCmd, receivedCmd_len);
 				}
 				if (!HasValidCRC(receivedCmd_dec, receivedCmd_len)) { // all commands must have a valid CRC
-					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_TR));
 					break;
 				}
+
 				if (receivedCmd_dec[0] == MIFARE_AUTH_KEYA || receivedCmd_dec[0] == MIFARE_AUTH_KEYB) {
 					// if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
-					if (receivedCmd_dec[1] >= 16 * 4 && !(flags & FLAG_NR_AR_ATTACK)) {
+					if (receivedCmd_dec[1] >= num_blocks && !(flags & FLAG_NR_AR_ATTACK)) {
 						//is this the correct response to an auth on a out of range block? marshmellow
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-						if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking", receivedCmd_dec[0], receivedCmd_dec[1], receivedCmd_dec[1]);
 						break;
 					}
-					cardAUTHSC = receivedCmd_dec[1] / 4;  // received block num
+					cardAUTHSC = BlockToSector(receivedCmd_dec[1]);  // received block num
 					cardAUTHKEY = receivedCmd_dec[0] & 0x01;
 					crypto1_destroy(pcs);//Added by martin
 					crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
 					if (!encrypted_data) { // first authentication
-						if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
-						crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
-						num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
+						crypto1_word(pcs, cuid ^ nonce, 0); // Update crypto state
+						num_to_bytes(nonce, 4, response);   // Send unencrypted nonce
+						EmSendCmd(response, sizeof(nonce));
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
 					} else { // nested authentication
-						if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
-						ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
-						num_to_bytes(ans, 4, rAUTH_AT);
+						num_to_bytes(nonce, sizeof(nonce), response);
+						uint8_t pcs_in[4] = {0};
+						num_to_bytes(cuid ^ nonce, sizeof(nonce), pcs_in);
+						mf_crypto1_encryptEx(pcs, response, pcs_in, sizeof(nonce), response_par);
+						EmSendCmdPar(response, sizeof(nonce), response_par); // send encrypted nonce
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
 					}
-					EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
 					cardSTATE = MFEMUL_AUTH1;
 					break;
 				}
-				if (!encrypted_data) { // all other commands must be encrypted (authenticated)
+
+				// halt can be sent encrypted or in clear
+				if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) {
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("--> HALTED.");
+					cardSTATE = MFEMUL_HALTED;
 					break;
 				}
-				if(receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK
-					|| receivedCmd_dec[0] == ISO14443A_CMD_WRITEBLOCK
+
+				if(receivedCmd_dec[0] == MIFARE_CMD_READBLOCK
+					|| receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK
 					|| receivedCmd_dec[0] == MIFARE_CMD_INC
 					|| receivedCmd_dec[0] == MIFARE_CMD_DEC
 					|| receivedCmd_dec[0] == MIFARE_CMD_RESTORE
 					|| receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
-					if (receivedCmd_dec[1] >= 16 * 4) {
+					if (receivedCmd_dec[1] >= num_blocks) {
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-						if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
 						break;
 					}
-					if (receivedCmd_dec[1] / 4 != cardAUTHSC) {
+					if (BlockToSector(receivedCmd_dec[1]) != cardAUTHSC) {
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-						if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC);
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC);
 						break;
 					}
 				}
-				if (receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK) {
+
+				if (receivedCmd_dec[0] == MIFARE_CMD_READBLOCK) {
 					uint8_t blockNo = receivedCmd_dec[1];
-					if (MF_DBGLEVEL >= 4) {
-						Dbprintf("Reader reading block %d (0x%02x)", blockNo, blockNo);
-					}
 					emlGetMem(response, blockNo, 1);
 					if (IsSectorTrailer(blockNo)) {
-						memset(response, 0x00, 6); 	// keyA can never be read
+						memset(response, 0x00, 6);  // keyA can never be read
 						if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_KEYB_READ)) {
-							memset(response+10, 0x00, 6); 	// keyB cannot be read
+							memset(response+10, 0x00, 6);   // keyB cannot be read
 						}
 						if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_AC_READ)) {
-							memset(response+6, 0x00, 4); 	// AC bits cannot be read
+							memset(response+6, 0x00, 4);    // AC bits cannot be read
 						}
 					} else {
 						if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_DATA_READ)) {
-							memset(response, 0x00, 16);		// datablock cannot be read
+							memset(response, 0x00, 16);     // datablock cannot be read
 						}
 					}
 					AppendCrc14443a(response, 16);
 					mf_crypto1_encrypt(pcs, response, 18, response_par);
 					EmSendCmdPar(response, 18, response_par);
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+						Dbprintf("Reader reading block %d (0x%02x)", blockNo, blockNo);
+					}
 					numReads++;
 					if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
 						Dbprintf("%d reads done, exiting", numReads);
@ -525,23 +593,33 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 					}
 					break;
 				}
-				if (receivedCmd_dec[0] == ISO14443A_CMD_WRITEBLOCK) {
+
+				if (receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK) {
 					uint8_t blockNo = receivedCmd_dec[1];
-					if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)", blockNo, blockNo);
 					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0xA0 write block %d (%02x)", blockNo, blockNo);
 					cardWRBL = blockNo;
 					cardSTATE = MFEMUL_WRITEBL2;
 					break;
 				}
+
 				if (receivedCmd_dec[0] == MIFARE_CMD_INC || receivedCmd_dec[0] == MIFARE_CMD_DEC || receivedCmd_dec[0] == MIFARE_CMD_RESTORE) {
 					uint8_t blockNo = receivedCmd_dec[1];
-					if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
 					if (emlCheckValBl(blockNo)) {
-						if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+						FpgaDisableTracing();
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+							Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
+						}
+						if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
 						break;
 					}
 					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+						Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
+					}
 					cardWRBL = blockNo;
 					if (receivedCmd_dec[0] == MIFARE_CMD_INC)
 						cardSTATE = MFEMUL_INTREG_INC;
@ -551,31 +629,29 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 						cardSTATE = MFEMUL_INTREG_REST;
 					break;
 				}
+
 				if (receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
 					uint8_t blockNo = receivedCmd_dec[1];
-					if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
 					if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd_dec[1]))
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
 					else
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
 					break;
 				}
-				// halt
-				if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) {
-					if (MF_DBGLEVEL >= 4)	Dbprintf("--> HALTED.");
-					LED_B_OFF();
-					LED_C_OFF();
-					cardSTATE = MFEMUL_HALTED;
-					break;
-				}
+
 				// command not allowed
-				if (MF_DBGLEVEL >= 4)	Dbprintf("Received command not allowed, nacking");
 				EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+				FpgaDisableTracing();
+				if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Received command not allowed, nacking");
+				cardSTATE = MFEMUL_IDLE;
 				break;
 			}
+
 			case MFEMUL_AUTH1:{
 				if (receivedCmd_len != 8) {
-					cardSTATE_TO_IDLE();
+					cardSTATE = MFEMUL_IDLE;
 					break;
 				}

@ -650,25 +726,28 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *

 				// test if auth OK
 				if (cardRr != prng_successor(nonce, 64)){
-					if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
+					FpgaDisableTracing();
+					if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
 							cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B',
 							cardRr, prng_successor(nonce, 64));
 					// Shouldn't we respond anything here?
 					// Right now, we don't nack or anything, which causes the
 					// reader to do a WUPA after a while. /Martin
 					// -- which is the correct response. /piwi
-					cardAUTHKEY = AUTHKEYNONE;	// not authenticated
-					cardSTATE_TO_IDLE();
+					cardAUTHKEY = AUTHKEYNONE;  // not authenticated
+					cardSTATE = MFEMUL_IDLE;
 					break;
 				}
-				ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
-				num_to_bytes(ans, 4, rAUTH_AT);
-				EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
-				if (MF_DBGLEVEL >= 4)	Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B');
-				LED_C_ON();
+				ans = prng_successor(nonce, 96);
+				num_to_bytes(ans, 4, response);
+				mf_crypto1_encrypt(pcs, response, 4, response_par);
+				EmSendCmdPar(response, 4, response_par);
+				FpgaDisableTracing();
+				if (MF_DBGLEVEL >= MF_DBG_EXTENDED)   Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B');
 				cardSTATE = MFEMUL_WORK;
 				break;
 			}
+
 			case MFEMUL_WRITEBL2:{
 				if (receivedCmd_len == 18) {
 					mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
@ -676,73 +755,80 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 						if (IsSectorTrailer(cardWRBL)) {
 							emlGetMem(response, cardWRBL, 1);
 							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE)) {
-								memcpy(receivedCmd_dec, response, 6);	// don't change KeyA
+								memcpy(receivedCmd_dec, response, 6);   // don't change KeyA
 							}
 							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE)) {
-								memcpy(receivedCmd_dec+10, response+10, 6);	// don't change KeyA
+								memcpy(receivedCmd_dec+10, response+10, 6); // don't change KeyA
 							}
 							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE)) {
-								memcpy(receivedCmd_dec+6, response+6, 4);	// don't change AC bits
+								memcpy(receivedCmd_dec+6, response+6, 4);   // don't change AC bits
 							}
 						} else {
 							if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE)) {
-								memcpy(receivedCmd_dec, response, 16);	// don't change anything
+								memcpy(receivedCmd_dec, response, 16);  // don't change anything
 							}
 						}
 						emlSetMem(receivedCmd_dec, cardWRBL, 1);
-						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));	// always ACK?
+						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));  // always ACK?
 						cardSTATE = MFEMUL_WORK;
 						break;
 					}
 				}
-				cardSTATE_TO_IDLE();
+				cardSTATE = MFEMUL_IDLE;
 				break;
 			}
+
 			case MFEMUL_INTREG_INC:{
 				if (receivedCmd_len == 6) {
 					mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
 					if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-						cardSTATE_TO_IDLE();
+						cardSTATE = MFEMUL_IDLE;
 						break;
 					}
 					cardINTREG = cardINTREG + ans;
+					cardSTATE = MFEMUL_WORK;
 				}
-				cardSTATE = MFEMUL_WORK;
 				break;
 			}
+
 			case MFEMUL_INTREG_DEC:{
 				if (receivedCmd_len == 6) {
 					mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
 					if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
 						EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-						cardSTATE_TO_IDLE();
+						cardSTATE = MFEMUL_IDLE;
 						break;
 					}
+					cardINTREG = cardINTREG - ans;
+					cardSTATE = MFEMUL_WORK;
 				}
-				cardINTREG = cardINTREG - ans;
-				cardSTATE = MFEMUL_WORK;
 				break;
 			}
+
 			case MFEMUL_INTREG_REST:{
 				mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
 				if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
 					EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-					cardSTATE_TO_IDLE();
+					cardSTATE = MFEMUL_IDLE;
 					break;
 				}
 				cardSTATE = MFEMUL_WORK;
 				break;
 			}
-		}
+
+		} // end of switch
+
+		FpgaDisableTracing();
 		button_pushed = BUTTON_PRESS();
-	}
+
+	} // end of while

 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	LEDsoff();

-	if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
-		for ( uint8_t	i = 0; i < ATTACK_KEY_COUNT; i++) {
+	if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= MF_DBG_INFO) {
+		for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
 			if (ar_nr_collected[i] == 2) {
 				Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
 				Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
@ -755,10 +841,10 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 						);
 			}
 		}
-		for ( uint8_t	i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
+		for ( uint8_t   i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
 			if (ar_nr_collected[i] == 2) {
 				Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
-				Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
+				Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x %08x",
 						ar_nr_resp[i].cuid,  //UID
 						ar_nr_resp[i].nonce, //NT
 						ar_nr_resp[i].nr,    //NR1
@ -770,10 +856,12 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 			}
 		}
 	}
-	if (MF_DBGLEVEL >= 1)	Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", get_tracing(), BigBuf_get_traceLen());
+	if (MF_DBGLEVEL >= MF_DBG_INFO) Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", get_tracing(), BigBuf_get_traceLen());

 	if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK
 		//Send the collected ar_nr in the response
-		cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,button_pushed,0,&ar_nr_resp,sizeof(ar_nr_resp));
+		cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, button_pushed, 0, &ar_nr_resp, sizeof(ar_nr_resp));
 	}
+
+	LED_A_OFF();
 }
--- a/armsrc/mifaresim.h
+++ b/armsrc/mifaresim.h
@ -15,6 +15,6 @@

 #include <stdint.h>

-extern void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain);
+extern void MifareSim(uint8_t flags, uint8_t exitAfterNReads, uint8_t cardsize, uint8_t *datain);

 #endif
--- a/armsrc/mifaresniff.c
+++ b/armsrc/mifaresniff.c
@ -9,7 +9,7 @@
 //-----------------------------------------------------------------------------

 #include "mifaresniff.h"
-#include "apps.h"
+
 #include "proxmark3.h"
 #include "util.h"
 #include "string.h"
@ -18,6 +18,9 @@
 #include "crapto1/crapto1.h"
 #include "mifareutil.h"
 #include "common.h"
+#include "usb_cdc.h"
+#include "BigBuf.h"
+#include "fpgaloader.h"


 static int sniffState = SNF_INIT;
@ -149,7 +152,7 @@ bool intMfSniffSend() {
 	while (pckLen > 0) {
 		pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
 		LED_B_ON();
-		cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);
+		cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);
 		LED_B_OFF();

 		pckLen -= pckSize;
@ -157,7 +160,7 @@ bool intMfSniffSend() {
 	}

 	LED_B_ON();
-	cmd_send(CMD_ACK,2,0,0,0,0);
+	cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,2,0,0,0,0);
 	LED_B_OFF();

 	clear_trace();
--- a/armsrc/mifareutil.c
+++ b/armsrc/mifareutil.c
@ -21,13 +21,14 @@
 #include "iso14443crc.h"
 #include "iso14443a.h"
 #include "crapto1/crapto1.h"
-#include "polarssl/des.h"
+#include "mbedtls/des.h"
+#include "protocols.h"

-int MF_DBGLEVEL = MF_DBG_ALL;
+int MF_DBGLEVEL = MF_DBG_INFO;

 // crypto1 helpers
 void mf_crypto1_decryptEx(struct Crypto1State *pcs, uint8_t *data_in, int len, uint8_t *data_out){
-	uint8_t	bt = 0;
+	uint8_t bt = 0;
 	int i;

 	if (len != 1) {
@ -47,14 +48,14 @@ void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *data, int len){
 	mf_crypto1_decryptEx(pcs, data, len, data);
 }

-void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, uint8_t *par) {
+void mf_crypto1_encryptEx(struct Crypto1State *pcs, uint8_t *data, uint8_t *in, uint16_t len, uint8_t *par) {
 	uint8_t bt = 0;
 	int i;
 	par[0] = 0;

 	for (i = 0; i < len; i++) {
 		bt = data[i];
-		data[i] = crypto1_byte(pcs, 0x00, 0) ^ data[i];
+		data[i] = crypto1_byte(pcs, in==NULL?0x00:in[i], 0) ^ data[i];
 		if((i&0x0007) == 0)
 			par[i>>3] = 0;
 		par[i>>3] |= (((filter(pcs->odd) ^ oddparity8(bt)) & 0x01)<<(7-(i&0x0007)));
@ -62,6 +63,10 @@ void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, u
 	return;
 }

+void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, uint8_t *par) {
+	mf_crypto1_encryptEx(pcs, data, NULL, len, par);
+}
+
 uint8_t mf_crypto1_encrypt4bit(struct Crypto1State *pcs, uint8_t data) {
 	uint8_t bt = 0;
 	int i;
@ -73,8 +78,7 @@ uint8_t mf_crypto1_encrypt4bit(struct Crypto1State *pcs, uint8_t data) {
 }

 // send X byte basic commands
-int mifare_sendcmd(uint8_t cmd, uint8_t* data, uint8_t data_size, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)
-{
+int mifare_sendcmd(uint8_t cmd, uint8_t* data, uint8_t data_size, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing) {
 	uint8_t dcmd[data_size+3];
 	dcmd[0] = cmd;
 	memcpy(dcmd+1,data,data_size);
@ -90,11 +94,10 @@ int mifare_sendcmd(uint8_t cmd, uint8_t* data, uint8_t data_size, uint8_t* answe
 }

 // send 2 byte commands
-int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)
-{
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing) {
 	uint8_t dcmd[4], ecmd[4];
 	uint16_t pos, res;
-	uint8_t par[1];			// 1 Byte parity is enough here
+	uint8_t par[1];         // 1 Byte parity is enough here
 	dcmd[0] = cmd;
 	dcmd[1] = data;
 	AppendCrc14443a(dcmd, 2);
@ -108,9 +111,7 @@ int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd,
 			ecmd[pos] = crypto1_byte(pcs, 0x00, 0) ^ dcmd[pos];
 			par[0] |= (((filter(pcs->odd) ^ oddparity8(dcmd[pos])) & 0x01) << (7-pos));
 		}
-
 		ReaderTransmitPar(ecmd, sizeof(ecmd), par, timing);
-
 	} else {
 		ReaderTransmit(dcmd, sizeof(dcmd), timing);
 	}
@ -138,18 +139,18 @@ int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd,
 	return len;
 }

+
 // mifare classic commands
-int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested) 
-{
-	return mifare_classic_authex(pcs, uid, blockNo, keyType, ui64Key, isNested, NULL, NULL);
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t *auth_timeout) {
+
+	return mifare_classic_authex(pcs, uid, blockNo, keyType, ui64Key, isNested, NULL, NULL, auth_timeout);
 }

-int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t *ntptr, uint32_t *timing) 
-{
-	// variables
+
+int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t *ntptr, uint32_t *timing, uint32_t *auth_timeout) {
+
 	int len;
 	uint32_t pos;
-	uint8_t tmp4[4];
 	uint8_t par[1] = {0x00};
 	byte_t nr[4];
 	uint32_t nt, ntpp; // Supplied tag nonce
@ -159,8 +160,8 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];

 	// Transmit MIFARE_CLASSIC_AUTH
-	len = mifare_sendcmd_short(pcs, isNested, 0x60 + (keyType & 0x01), blockNo, receivedAnswer, receivedAnswerPar, timing);
-	if (MF_DBGLEVEL >= 4)	Dbprintf("rand tag nonce len: %x", len);  
+	len = mifare_sendcmd_short(pcs, isNested, keyType & 0x01 ? MIFARE_AUTH_KEYB : MIFARE_AUTH_KEYA, blockNo, receivedAnswer, receivedAnswerPar, timing);
+	if (MF_DBGLEVEL >= 4)   Dbprintf("rand tag nonce len: %x", len);
 	if (len != 4) return 1;

 	// "random" reader nonce:
@ -197,8 +198,7 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN

 	// Generate (encrypted) nr+parity by loading it into the cipher (Nr)
 	par[0] = 0;
-	for (pos = 0; pos < 4; pos++)
-	{
+	for (pos = 0; pos < 4; pos++) {
 		mf_nr_ar[pos] = crypto1_byte(pcs, nr[pos], 0) ^ nr[pos];
 		par[0] |= (((filter(pcs->odd) ^ oddparity8(nr[pos])) & 0x01) << (7-pos));
 	}
@ -207,10 +207,9 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN
 	nt = prng_successor(nt,32);

 	//  ar+parity
-	for (pos = 4; pos < 8; pos++)
-	{
+	for (pos = 4; pos < 8; pos++) {
 		nt = prng_successor(nt,8);
-		mf_nr_ar[pos] = crypto1_byte(pcs,0x00,0) ^ (nt & 0xff);
+		mf_nr_ar[pos] = crypto1_byte(pcs, 0x00, 0) ^ (nt & 0xff);
 		par[0] |= (((filter(pcs->odd) ^ oddparity8(nt)) & 0x01) << (7-pos));
 	}

@ -218,48 +217,55 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN
 	ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);

 	// Receive 4 byte tag answer
+	uint32_t save_timeout = iso14a_get_timeout(); // save standard timeout
+	if (auth_timeout && *auth_timeout) {
+		iso14a_set_timeout(*auth_timeout);        // set timeout for authentication response
+	}
+	uint32_t auth_timeout_start = GetCountSspClk();
 	len = ReaderReceive(receivedAnswer, receivedAnswerPar);
-	if (!len)
-	{
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Authentication failed. Card timeout.");
+	iso14a_set_timeout(save_timeout);             // restore standard timeout
+	if (!len) {
+		if (MF_DBGLEVEL >= 1)   Dbprintf("Authentication failed. Card timeout.");
 		return 2;
 	}
+	if (auth_timeout && !*auth_timeout) {         // measure time for future authentication response timeout
+		*auth_timeout = (GetCountSspClk() - auth_timeout_start - (len * 9 + 2) * 8) / 8 + 1;
+	}

-	memcpy(tmp4, receivedAnswer, 4);
-	ntpp = prng_successor(nt, 32) ^ crypto1_word(pcs, 0,0);
+	ntpp = prng_successor(nt, 32) ^ crypto1_word(pcs, 0, 0);

-	if (ntpp != bytes_to_num(tmp4, 4)) {
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Authentication failed. Error card response.");
+	if (ntpp != bytes_to_num(receivedAnswer, 4)) {
+		if (MF_DBGLEVEL >= 1)   Dbprintf("Authentication failed. Error card response.");
 		return 3;
 	}

 	return 0;
 }

-int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) 
-{
+
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) {
 	// variables
 	int len;
-	uint8_t	bt[2];
+	uint8_t bt[2];

 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];

 	// command MIFARE_CLASSIC_READBLOCK
-	len = mifare_sendcmd_short(pcs, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);
+	len = mifare_sendcmd_short(pcs, 1, MIFARE_CMD_READBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL);
 	if (len == 1) {
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Cmd Error: %02x", receivedAnswer[0]);  
+		if (MF_DBGLEVEL >= 1)   Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
 		return 1;
 	}
 	if (len != 18) {
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Cmd Error: card timeout. len: %x", len);  
+		if (MF_DBGLEVEL >= 1)   Dbprintf("Cmd Error: card timeout. len: %x", len);
 		return 2;
 	}

 	memcpy(bt, receivedAnswer + 16, 2);
 	AppendCrc14443a(receivedAnswer, 16);
 	if (bt[0] != receivedAnswer[16] || bt[1] != receivedAnswer[17]) {
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Cmd CRC response error.");  
+		if (MF_DBGLEVEL >= 1)   Dbprintf("Cmd CRC response error.");
 		return 3;
 	}

@ -277,8 +283,8 @@ int mifare_ul_ev1_auth(uint8_t *keybytes, uint8_t *pack){
 	memcpy(key, keybytes, 4);

 	if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
-		Dbprintf("EV1 Auth : %02x%02x%02x%02x",	key[0], key[1], key[2], key[3]);
-	len = mifare_sendcmd(0x1B, key, sizeof(key), resp, respPar, NULL);
+		Dbprintf("EV1 Auth : %02x%02x%02x%02x", key[0], key[1], key[2], key[3]);
+	len = mifare_sendcmd(MIFARE_ULEV1_AUTH, key, sizeof(key), resp, respPar, NULL);
 	//len = mifare_sendcmd_short_mfuev1auth(NULL, 0, 0x1B, key, resp, respPar, NULL);
 	if (len != 4) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x %u", resp[0], len);
@ -296,7 +302,7 @@ int mifare_ultra_auth(uint8_t *keybytes){

 	/// 3des2k

-	des3_context ctx = { 0x00 };
+	mbedtls_des3_context ctx = { {0} };
 	uint8_t random_a[8] = {1,1,1,1,1,1,1,1};
 	uint8_t random_b[8] = {0x00};
 	uint8_t enc_random_b[8] = {0x00};
@ -310,7 +316,7 @@ int mifare_ultra_auth(uint8_t *keybytes){
 	uint8_t respPar[3] = {0,0,0};

 	// REQUEST AUTHENTICATION
-	len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, resp, respPar ,NULL);
+	len = mifare_sendcmd_short(NULL, 1, MIFARE_ULC_AUTH_1, 0x00, resp, respPar ,NULL);
 	if (len != 11) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", resp[0]);
 		return 0;
@ -321,13 +327,13 @@ int mifare_ultra_auth(uint8_t *keybytes){

 	// decrypt nonce.
 	// tdes_2key_dec(random_b, enc_random_b, sizeof(random_b), key, IV );
-	des3_set2key_dec(&ctx, key);
-	des3_crypt_cbc(&ctx  	// des3_context
-		, DES_DECRYPT    	// int mode
-		, sizeof(random_b)	// length
-		, IV            	// iv[8]
-		, enc_random_b		// input
-		, random_b			// output
+	mbedtls_des3_set2key_dec(&ctx, key);
+	mbedtls_des3_crypt_cbc(&ctx     // des3_context
+		, MBEDTLS_DES_DECRYPT       // int mode
+		, sizeof(random_b)  // length
+		, IV                // iv[8]
+		, enc_random_b      // input
+		, random_b          // output
 		);

 	rol(random_b,8);
@ -350,17 +356,17 @@ int mifare_ultra_auth(uint8_t *keybytes){

 	// encrypt    out, in, length, key, iv
 	//tdes_2key_enc(rnd_ab, rnd_ab, sizeof(rnd_ab), key, enc_random_b);
-	des3_set2key_enc(&ctx, key);
-	des3_crypt_cbc(&ctx  	// des3_context
-		, DES_ENCRYPT    	// int mode
-		, sizeof(rnd_ab)	// length
-		, enc_random_b     	// iv[8]
-		, rnd_ab			// input
-		, rnd_ab			// output
+	mbedtls_des3_set2key_enc(&ctx, key);
+	mbedtls_des3_crypt_cbc(&ctx     // des3_context
+		, MBEDTLS_DES_ENCRYPT       // int mode
+		, sizeof(rnd_ab)    // length
+		, enc_random_b      // iv[8]
+		, rnd_ab            // input
+		, rnd_ab            // output
 		);

 	//len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, resp, respPar, NULL);
-	len = mifare_sendcmd(0xAF, rnd_ab, sizeof(rnd_ab), resp, respPar, NULL);
+	len = mifare_sendcmd(MIFARE_ULC_AUTH_2, rnd_ab, sizeof(rnd_ab), resp, respPar, NULL);
 	if (len != 11) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", resp[0]);
 		return 0;
@ -372,13 +378,13 @@ int mifare_ultra_auth(uint8_t *keybytes){

 	// decrypt    out, in, length, key, iv
 	// tdes_2key_dec(resp_random_a, enc_resp, 8, key, enc_random_b);
-	des3_set2key_dec(&ctx, key);
-	des3_crypt_cbc(&ctx  	// des3_context
-		, DES_DECRYPT    	// int mode
-		, 8					// length
-		, enc_random_b     	// iv[8]
-		, enc_resp			// input
-		, resp_random_a		// output
+	mbedtls_des3_set2key_dec(&ctx, key);
+	mbedtls_des3_crypt_cbc(&ctx     // des3_context
+		, MBEDTLS_DES_DECRYPT       // int mode
+		, 8                 // length
+		, enc_random_b      // iv[8]
+		, enc_resp          // input
+		, resp_random_a     // output
 		);
 	if ( memcmp(resp_random_a, random_a, 8) != 0 ) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("failed authentication");
@ -410,14 +416,14 @@ int mifare_ultra_auth(uint8_t *keybytes){
 int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData)
 {
 	uint16_t len;
-	uint8_t	bt[2];
+	uint8_t bt[2];
 	uint8_t receivedAnswer[MAX_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_PARITY_SIZE];
 	uint8_t retries;
 	int result = 0;

 	for (retries = 0; retries < MFU_MAX_RETRIES; retries++) {
-		len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);
+		len = mifare_sendcmd_short(NULL, 1, MIFARE_CMD_READBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL);
 		if (len == 1) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
 			result = 1;
@ -447,7 +453,7 @@ int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData)
 		return result;
 	}

-	memcpy(blockData, receivedAnswer, 14);
+	memcpy(blockData, receivedAnswer, 16);
 	return 0;
 }

@ -456,7 +462,7 @@ int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t bl
 	// variables
 	uint16_t len, i;
 	uint32_t pos;
-	uint8_t par[3] = {0};		// enough for 18 Bytes to send
+	uint8_t par[3] = {0};       // enough for 18 Bytes to send
 	byte_t res;

 	uint8_t d_block[18], d_block_enc[18];
@ -464,10 +470,10 @@ int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t bl
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];

 	// command MIFARE_CLASSIC_WRITEBLOCK
-	len = mifare_sendcmd_short(pcs, 1, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL);
+	len = mifare_sendcmd_short(pcs, 1, MIFARE_CMD_WRITEBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL);

 	if ((len != 1) || (receivedAnswer[0] != 0x0A)) {   //  0x0a - ACK
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Cmd Error: %02x", receivedAnswer[0]);  
+		if (MF_DBGLEVEL >= 1)   Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
 		return 1;
 	}

@ -491,7 +497,7 @@ int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t bl
 		res |= (crypto1_bit(pcs, 0, 0) ^ BIT(receivedAnswer[0], i)) << i;

 	if ((len != 1) || (res != 0x0A)) {
-		if (MF_DBGLEVEL >= 1)	Dbprintf("Cmd send data2 Error: %02x", res);  
+		if (MF_DBGLEVEL >= 1)   Dbprintf("Cmd send data2 Error: %02x", res);
 		return 2;
 	}

@ -507,7 +513,7 @@ int mifare_ultra_writeblock_compat(uint8_t blockNo, uint8_t *blockData)
 	uint8_t receivedAnswer[MAX_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_PARITY_SIZE];

-	len = mifare_sendcmd_short(NULL, true, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL);
+	len = mifare_sendcmd_short(NULL, true, MIFARE_CMD_WRITEBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL);

 	if ((len != 1) || (receivedAnswer[0] != 0x0A)) {   //  0x0a - ACK
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)
@ -559,7 +565,7 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];

-	len = mifare_sendcmd_short(pcs, pcs == NULL ? false:true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);
+	len = mifare_sendcmd_short(pcs, pcs == NULL ? false:true, ISO14443A_CMD_HALT, 0x00, receivedAnswer, receivedAnswerPar, NULL);
 	if (len != 0) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)
 			Dbprintf("halt error. response len: %x", len);
@ -575,7 +581,7 @@ int mifare_ultra_halt()
 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];

-	len = mifare_sendcmd_short(NULL, true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);
+	len = mifare_sendcmd_short(NULL, true, ISO14443A_CMD_HALT, 0x00, receivedAnswer, receivedAnswerPar, NULL);
 	if (len != 0) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)
 			Dbprintf("halt error. response len: %x", len);
@ -710,9 +716,9 @@ void emlClearMem(void) {
 // Mifare desfire commands
 int mifare_sendcmd_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)
 {
-    uint8_t dcmd[5] = {0x00};
-    dcmd[0] = cmd;
-    memcpy(dcmd+1,data,2);
+	uint8_t dcmd[5] = {0x00};
+	dcmd[0] = cmd;
+	memcpy(dcmd+1,data,2);
 	AppendCrc14443a(dcmd, 3);

 	ReaderTransmit(dcmd, sizeof(dcmd), NULL);
@ -721,24 +727,24 @@ int mifare_sendcmd_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cm
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)
 			Dbprintf("Authentication failed. Card timeout.");
 		return 1;
-    }
+	}
 	return len;
 }

 int mifare_sendcmd_special2(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer,uint8_t *answer_parity, uint32_t *timing)
 {
-    uint8_t dcmd[20] = {0x00};
-    dcmd[0] = cmd;
-    memcpy(dcmd+1,data,17);
+	uint8_t dcmd[20] = {0x00};
+	dcmd[0] = cmd;
+	memcpy(dcmd+1,data,17);
 	AppendCrc14443a(dcmd, 18);

 	ReaderTransmit(dcmd, sizeof(dcmd), NULL);
 	int len = ReaderReceive(answer, answer_parity);
 	if(!len){
-        if (MF_DBGLEVEL >= MF_DBG_ERROR)
+		if (MF_DBGLEVEL >= MF_DBG_ERROR)
 			Dbprintf("Authentication failed. Card timeout.");
 		return 1;
-    }
+	}
 	return len;
 }

@ -758,14 +764,14 @@ int mifare_desfire_des_auth1(uint32_t uid, uint8_t *blockData){
 	}

 	if (len == 12) {
-		if (MF_DBGLEVEL >= MF_DBG_EXTENDED)	{
+		if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
 			Dbprintf("Auth1 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
 				receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3],receivedAnswer[4],
 				receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],
 				receivedAnswer[10],receivedAnswer[11]);
 			}
 			memcpy(blockData, receivedAnswer, 12);
-	        return 0;
+			return 0;
 	}
 	return 1;
 }
@ -806,18 +812,17 @@ int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){
 //
 //-----------------------------------------------------------------------------
 // one key check
-int MifareChkBlockKey(uint8_t *uid, uint32_t *cuid, uint8_t *cascade_levels, uint64_t ui64Key, uint8_t blockNo, uint8_t keyType, uint8_t debugLevel) {
+static int MifareChkBlockKey(uint8_t *uid, uint32_t *cuid, uint8_t *cascade_levels, uint8_t *key, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel, bool fixed_nonce) {

 	struct Crypto1State mpcs = {0, 0};
 	struct Crypto1State *pcs;
 	pcs = &mpcs;

-	// Iceman: use piwi's faster nonce collecting part in hardnested.
 	if (*cascade_levels == 0) { // need a full select cycle to get the uid first
 		iso14a_card_select_t card_info;
-		if(!iso14443a_select_card(uid, &card_info, cuid, true, 0, true)) {
-			if (debugLevel >= 1) 	Dbprintf("ChkKeys: Can't select card");
-			return  1;
+		if (!iso14443a_select_card(uid, &card_info, cuid, true, 0, true)) {
+			if (debugLevel >= 1)    Dbprintf("ChkKeys: Can't select card");
+			return  -1;
 		}
 		switch (card_info.uidlen) {
 			case 4 : *cascade_levels = 1; break;
@ -826,99 +831,114 @@ int MifareChkBlockKey(uint8_t *uid, uint32_t *cuid, uint8_t *cascade_levels, uin
 			default: break;
 		}
 	} else { // no need for anticollision. We can directly select the card
-		if(!iso14443a_select_card(uid, NULL, NULL, false, *cascade_levels, true)) {
-			if (debugLevel >= 1)	Dbprintf("ChkKeys: Can't select card (UID) lvl=%d", *cascade_levels);
-			return  1;
+		if (!iso14443a_select_card(uid, NULL, NULL, false, *cascade_levels, true)) {
+			if (debugLevel >= 1)    Dbprintf("ChkKeys: Can't select card (UID) lvl=%d", *cascade_levels);
+			return  -1;
 		}
 	}

-	if(mifare_classic_auth(pcs, *cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
-//		SpinDelayUs(AUTHENTICATION_TIMEOUT); // it not needs because mifare_classic_auth have timeout from iso14a_set_timeout()
-		return 2;
+	if (!fixed_nonce) {
+		uint64_t ui64Key = bytes_to_num(key, 6);
+		if (mifare_classic_auth(pcs, *cuid, blockNo, keyType, ui64Key, AUTH_FIRST, auth_timeout)) { // authentication failed
+			return -2;
+		} else {
+			mifare_classic_halt(pcs, *cuid);
+		}
 	} else {
-/*		// let it be here. it like halt command, but maybe it will work in some strange cases
-		uint8_t dummy_answer = 0;
-		ReaderTransmit(&dummy_answer, 1, NULL);
-		int timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;			
-		// wait for the card to become ready again
-		while(GetCountSspClk() < timeout) {};
-*/
-		// it needs after success authentication
-		mifare_classic_halt(pcs, *cuid);
+		uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
+		uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
+		// Transmit MIFARE_CLASSIC_AUTH
+		int len = mifare_sendcmd_short(pcs, false, keyType & 0x01 ? MIFARE_AUTH_KEYB : MIFARE_AUTH_KEYA, blockNo, receivedAnswer, receivedAnswerPar, NULL);
+		if (len != 4) return -2;
+		// Transmit encrypted reader nonce and reader answer
+		uint8_t mf_nr_ar[8] = NESTED_FIXED_NR_ENC;
+		memcpy(mf_nr_ar + 4, key, 4);
+		ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), key + 4, NULL);
+		uint32_t save_timeout = iso14a_get_timeout(); // save standard timeout
+		iso14a_set_timeout(*auth_timeout);            // set timeout for authentication response
+		len = ReaderReceive(receivedAnswer, receivedAnswerPar);
+		iso14a_set_timeout(save_timeout);             // restore standard timeout
+		if (!len) return -2;
 	}

-	return 0;
+	return 0; // success
 }

 // multi key check
-int MifareChkBlockKeys(uint8_t *keys, uint8_t keyCount, uint8_t blockNo, uint8_t keyType, uint8_t debugLevel) {
+static int MifareChkBlockKeysEx(uint8_t *keys, uint8_t keyCount, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel, bool fixed_nonce) {
+
 	uint8_t uid[10];
 	uint32_t cuid = 0;
 	uint8_t cascade_levels = 0;
-	uint64_t ui64Key = 0;

 	int retryCount = 0;
 	for (uint8_t i = 0; i < keyCount; i++) {
-
-		// Allow button press / usb cmd to interrupt device
-		if (BUTTON_PRESS() && !usb_poll_validate_length()) { 
-			Dbprintf("ChkKeys: Cancel operation. Exit...");
-			return -2;
-		}
-
-		ui64Key = bytes_to_num(keys + i * 6, 6);
-		int res = MifareChkBlockKey(uid, &cuid, &cascade_levels, ui64Key, blockNo, keyType, debugLevel);
-		
-		// can't select
-		if (res == 1) {
+		uint8_t bytes_per_key = fixed_nonce ? 5 : 6;
+		int res = MifareChkBlockKey(uid, &cuid, &cascade_levels, keys + i*bytes_per_key, blockNo, keyType, auth_timeout, debugLevel, fixed_nonce);
+		if (res == -1) { 		// couldn't select
 			retryCount++;
 			if (retryCount >= 5) {
-				Dbprintf("ChkKeys: block=%d key=%d. Can't select. Exit...", blockNo, keyType);
+				Dbprintf("ChkKeys: block=%d key=%d. Couldn't select. Exit...", blockNo, keyType);
 				return -1;
+			} else {
+				--i; // try the same key once again
+				SpinDelay(20);
+				// Dbprintf("ChkKeys: block=%d key=%d. Try the same key once again...", blockNo, keyType);
+				continue;
 			}
-			--i; // try the same key once again
-
-			SpinDelay(20);
-//			Dbprintf("ChkKeys: block=%d key=%d. Try the same key once again...", blockNo, keyType);
+		}
+		if (res == -2) { 		// couldn't authenticate with this key
+			retryCount = 0;
 			continue;
 		}

-		// can't authenticate
-		if (res == 2) {
-			retryCount = 0;
-			continue; // can't auth. wrong key.
-		}
+		return i + 1;           // successful authentication

-		return i + 1;
 	}

-	return 0;
+	if (BUTTON_PRESS()) {
+		return -2;
+	}
+
+	return 0;                   // couldn't authenticate with any key
 }

+
+int MifareChkBlockKeys(uint8_t *keys, uint8_t keyCount, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel) {
+	return MifareChkBlockKeysEx(keys, keyCount, blockNo, keyType, auth_timeout, debugLevel, false);
+}
+
+
+// fixed nonce check
+int MifareChkBlockKeysFixedNonce(uint8_t *ar_par, uint8_t ar_par_cnt, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel) {
+	return MifareChkBlockKeysEx(ar_par, ar_par_cnt, blockNo, keyType, auth_timeout, debugLevel, true);
+}
+
+
 // multisector multikey check
-int MifareMultisectorChk(uint8_t *keys, uint8_t keyCount, uint8_t SectorCount, uint8_t keyType, uint8_t debugLevel, TKeyIndex *keyIndex) {
+int MifareMultisectorChk(uint8_t *keys, uint8_t keyCount, uint8_t SectorCount, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel, TKeyIndex *keyIndex) {
 	int res = 0;

-//	int clk = GetCountSspClk();
+//  int clk = GetCountSspClk();

 	for(int sc = 0; sc < SectorCount; sc++){
 		WDT_HIT();

 		int keyAB = keyType;
 		do {
-			res = MifareChkBlockKeys(keys, keyCount, FirstBlockOfSector(sc), keyAB & 0x01, debugLevel);
-			if (res < 0){
+			res = MifareChkBlockKeys(keys, keyCount, FirstBlockOfSector(sc), keyAB & 0x01, auth_timeout, debugLevel);
+			if (res < 0) {
 				return res;
 			}
-			if (res > 0){
+			if (res > 0) {
 				(*keyIndex)[keyAB & 0x01][sc] = res;
 			}
 		} while(--keyAB > 0);
 	}

-//	Dbprintf("%d %d", GetCountSspClk() - clk, (GetCountSspClk() - clk)/(SectorCount*keyCount*(keyType==2?2:1)));
+//  Dbprintf("%d %d", GetCountSspClk() - clk, (GetCountSspClk() - clk)/(SectorCount*keyCount*(keyType==2?2:1)));

-	return 0;
+	return 1;
 }


--- a/armsrc/mifareutil.h
+++ b/armsrc/mifareutil.h
@ -9,8 +9,8 @@
 // code for work with mifare cards.
 //-----------------------------------------------------------------------------

-#ifndef __MIFAREUTIL_H
-#define __MIFAREUTIL_H
+#ifndef MIFAREUTIL_H__
+#define MIFAREUTIL_H__

 #include <stdint.h>
 #include <stdbool.h>
@ -19,26 +19,21 @@
 #include "usb_cdc.h"

 // mifare authentication
-#define CRYPT_NONE    0
-#define CRYPT_ALL     1
-#define CRYPT_REQUEST 2
-#define AUTH_FIRST    0	
-#define AUTH_NESTED   2
-
-// mifare 4bit card answers
-#define CARD_ACK      0x0A  // 1010 - ACK
-#define CARD_NACK_NA  0x04  // 0100 - NACK, not allowed (command not allowed)
-#define CARD_NACK_TR  0x05  // 0101 - NACK, transmission error
+#define CRYPT_NONE           0
+#define CRYPT_ALL            1
+#define CRYPT_REQUEST        2
+#define AUTH_FIRST           0
+#define AUTH_NESTED          2

 // reader voltage field detector
 #define MF_MINFIELDV      4000

 // debug
-// 0 - no debug messages 1 - error messages 2 - all messages 4 - extended debug mode
-#define MF_DBG_NONE          0
-#define MF_DBG_ERROR         1
-#define MF_DBG_ALL           2
-#define MF_DBG_EXTENDED      4
+#define MF_DBG_NONE          0  // no messages
+#define MF_DBG_ERROR         1  // errors only
+#define MF_DBG_INFO          2  // errors + info messages
+#define MF_DBG_DEBUG         3  // errors + info + debug messages
+#define MF_DBG_EXTENDED      4  // errors + info + debug + breaking debug messages

 extern int MF_DBGLEVEL;

@ -47,8 +42,8 @@ int mifare_sendcmd(uint8_t cmd, uint8_t *data, uint8_t data_size, uint8_t* answe
 int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);

 // mifare classic
-int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested);
-int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing);
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t *auth_timeout);
+int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing, uint32_t *auth_timeout);
 int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
 int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid);
 int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
@ -71,6 +66,7 @@ int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData);
 void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *receivedCmd, int len);
 void mf_crypto1_decryptEx(struct Crypto1State *pcs, uint8_t *data_in, int len, uint8_t *data_out);
 void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, uint8_t *par);
+void mf_crypto1_encryptEx(struct Crypto1State *pcs, uint8_t *data, uint8_t *in, uint16_t len, uint8_t *par);
 uint8_t mf_crypto1_encrypt4bit(struct Crypto1State *pcs, uint8_t data);

 // Mifare memory structure
@ -91,8 +87,8 @@ int emlCheckValBl(int blockNum);

 // mifare check keys
 typedef uint8_t TKeyIndex[2][40];
-int MifareChkBlockKey(uint8_t *uid, uint32_t *cuid, uint8_t *cascade_levels, uint64_t ui64Key, uint8_t blockNo, uint8_t keyType, uint8_t debugLevel);
-int MifareChkBlockKeys(uint8_t *keys, uint8_t keyCount, uint8_t blockNo, uint8_t keyType, uint8_t debugLevel);
-int MifareMultisectorChk(uint8_t *keys, uint8_t keyCount, uint8_t SectorCount, uint8_t keyType, uint8_t debugLevel, TKeyIndex *keyIndex);
+int MifareChkBlockKeysFixedNonce(uint8_t *ar_par, uint8_t ar_par_cnt, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel);
+int MifareChkBlockKeys(uint8_t *keys, uint8_t keyCount, uint8_t blockNo, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel);
+int MifareMultisectorChk(uint8_t *keys, uint8_t keyCount, uint8_t SectorCount, uint8_t keyType, uint32_t *auth_timeout, uint8_t debugLevel, TKeyIndex *keyIndex);

 #endif
--- a/armsrc/optimized_cipher.c
+++ b/armsrc/optimized_cipher.c
@ -60,15 +60,63 @@
  -- MHS 2015
 **/

+/**
+
+  The runtime of opt_doTagMAC_2() with the MHS optimized version was 403 microseconds on Proxmark3.
+  This was still to slow for some newer readers which didn't want to wait that long.
+
+  Further optimizations to speedup the MAC calculations:
+  * Optimized opt_Tt logic
+  * Look up table for opt_select
+  * Removing many unnecessary bit maskings (& 0x1)
+  * updating state in place instead of alternating use of a second state structure
+  * remove the necessity to reverse bits of input and output bytes
+ 
+  opt_doTagMAC_2() now completes in 270 microseconds.
+
+  -- piwi 2019
+**/
+
 #include "optimized_cipher.h"
 #include <stddef.h>
 #include <stdbool.h>
 #include <stdint.h>
+#include "string.h"

+static const uint8_t opt_select_LUT[256] = {
+	00, 03, 02, 01, 02, 03, 00, 01, 04, 07, 07, 04, 06, 07, 05, 04,
+	01, 02, 03, 00, 02, 03, 00, 01, 05, 06, 06, 05, 06, 07, 05, 04,
+	06, 05, 04, 07, 04, 05, 06, 07, 06, 05, 05, 06, 04, 05, 07, 06,
+	07, 04, 05, 06, 04, 05, 06, 07, 07, 04, 04, 07, 04, 05, 07, 06,
+	06, 05, 04, 07, 04, 05, 06, 07, 02, 01, 01, 02, 00, 01, 03, 02,
+	03, 00, 01, 02, 00, 01, 02, 03, 07, 04, 04, 07, 04, 05, 07, 06,
+	00, 03, 02, 01, 02, 03, 00, 01, 00, 03, 03, 00, 02, 03, 01, 00,
+	05, 06, 07, 04, 06, 07, 04, 05, 05, 06, 06, 05, 06, 07, 05, 04,
+	02, 01, 00, 03, 00, 01, 02, 03, 06, 05, 05, 06, 04, 05, 07, 06,
+	03, 00, 01, 02, 00, 01, 02, 03, 07, 04, 04, 07, 04, 05, 07, 06,
+	02, 01, 00, 03, 00, 01, 02, 03, 02, 01, 01, 02, 00, 01, 03, 02,
+	03, 00, 01, 02, 00, 01, 02, 03, 03, 00, 00, 03, 00, 01, 03, 02,
+	04, 07, 06, 05, 06, 07, 04, 05, 00, 03, 03, 00, 02, 03, 01, 00,
+	01, 02, 03, 00, 02, 03, 00, 01, 05, 06, 06, 05, 06, 07, 05, 04,
+	04, 07, 06, 05, 06, 07, 04, 05, 04, 07, 07, 04, 06, 07, 05, 04,
+	01, 02, 03, 00, 02, 03, 00, 01, 01, 02, 02, 01, 02, 03, 01, 00
+};

-#define opt_T(s) (0x1 & ((s->t >> 15) ^ (s->t >> 14)^ (s->t >> 10)^ (s->t >> 8)^ (s->t >> 5)^ (s->t >> 4)^ (s->t >> 1)^ s->t))
-
-#define opt_B(s) (((s->b >> 6) ^ (s->b >> 5) ^ (s->b >> 4) ^ (s->b)) & 0x1)
+/********************** the table above has been generated with this code: ********
+#include "util.h"
+static void init_opt_select_LUT(void) {
+	for (int r = 0; r < 256; r++) {
+		uint8_t r_ls2 = r << 2;
+		uint8_t r_and_ls2 = r & r_ls2;
+		uint8_t r_or_ls2  = r | r_ls2;
+		uint8_t z0 = (r_and_ls2 >> 5) ^ ((r & ~r_ls2) >> 4) ^ ( r_or_ls2 >> 3);
+		uint8_t z1 = (r_or_ls2 >> 6) ^ ( r_or_ls2 >> 1) ^ (r >> 5) ^ r;
+		uint8_t z2 = ((r & ~r_ls2) >> 4) ^ (r_and_ls2 >> 3) ^ r;
+		opt_select_LUT[r] = (z0 & 4) | (z1 & 2) | (z2 & 1);
+	}
+	print_result("", opt_select_LUT, 256);
+}
+***********************************************************************************/

 #define opt__select(x,y,r)  (4 & (((r & (r << 2)) >> 5) ^ ((r & ~(r << 2)) >> 4) ^ ( (r | r << 2) >> 3)))\
 	|(2 & (((r | r << 2) >> 6) ^ ( (r | r << 2) >> 1) ^ (r >> 5) ^ r ^ ((x^y) << 1)))\
@ -78,169 +126,145 @@
 * Some background on the expression above can be found here...
 uint8_t xopt__select(bool x, bool y, uint8_t r)
 {
-	uint8_t r_ls2 = r << 2;
-	uint8_t r_and_ls2 = r & r_ls2;
-	uint8_t r_or_ls2  = r | r_ls2;

 	//r:      r0 r1 r2 r3 r4 r5 r6 r7
 	//r_ls2:  r2 r3 r4 r5 r6 r7  0  0
 	//                       z0
 	//                          z1

-//	uint8_t z0 = (r0 & r2) ^ (r1 & ~r3) ^ (r2 | r4); // <-- original
+//  uint8_t z0 = (r0 & r2) ^ (r1 & ~r3) ^ (r2 | r4); // <-- original
 	uint8_t z0 = (r_and_ls2 >> 5) ^ ((r & ~r_ls2) >> 4) ^ ( r_or_ls2 >> 3);

-//	uint8_t z1 = (r0 | r2) ^ ( r5 | r7) ^ r1 ^ r6 ^ x ^ y;  // <-- original
+//  uint8_t z1 = (r0 | r2) ^ ( r5 | r7) ^ r1 ^ r6 ^ x ^ y;  // <-- original
 	uint8_t z1 = (r_or_ls2 >> 6) ^ ( r_or_ls2 >> 1) ^ (r >> 5) ^ r ^ ((x^y) << 1);

-//	uint8_t z2 = (r3 & ~r5) ^ (r4 & r6 ) ^ r7 ^ x;  // <-- original
+//  uint8_t z2 = (r3 & ~r5) ^ (r4 & r6 ) ^ r7 ^ x;  // <-- original
 	uint8_t z2 = ((r & ~r_ls2) >> 4) ^ (r_and_ls2 >> 3) ^ r ^ x;

 	return (z0 & 4) | (z1 & 2) | (z2 & 1);
 }
 */

-void opt_successor(const uint8_t* k, State *s, bool y, State* successor)
-{
+static void opt_successor(const uint8_t *k, State *s, uint8_t y) {
+// #define opt_T(s) (0x1 & ((s->t >> 15) ^ (s->t >> 14) ^ (s->t >> 10) ^ (s->t >> 8) ^ (s->t >> 5) ^ (s->t >> 4)^ (s->t >> 1) ^ s->t))
+	// uint8_t Tt = opt_T(s);
+	uint16_t Tt = s->t & 0xc533;
+	Tt = Tt ^ (Tt >> 1);
+	Tt = Tt ^ (Tt >> 4);
+	Tt = Tt ^ (Tt >> 10);
+	Tt = Tt ^ (Tt >> 8);

-	uint8_t Tt = 1 & opt_T(s);
+	s->t = (s->t >> 1);
+	s->t |= (Tt ^ (s->r >> 7) ^ (s->r >> 3)) << 15;

-	successor->t = (s->t >> 1);
-	successor->t |= (Tt ^ (s->r >> 7 & 0x1) ^ (s->r >> 3 & 0x1)) << 15;
+	uint8_t opt_B = s->b;
+	opt_B ^= s->b >> 6;
+	opt_B ^= s->b >> 5;
+	opt_B ^= s->b >> 4;

-	successor->b = s->b >> 1;
-	successor->b |= (opt_B(s) ^ (s->r & 0x1)) << 7;
+	s->b = s->b >> 1;
+	s->b |= (opt_B ^ s->r) << 7;

-	successor->r = (k[opt__select(Tt,y,s->r)] ^ successor->b) + s->l ;
-	successor->l = successor->r+s->r;
+	uint8_t opt_select = opt_select_LUT[s->r] & 0x04;
+	opt_select |= (opt_select_LUT[s->r] ^ ((Tt ^ y) << 1)) & 0x02;
+	opt_select |= (opt_select_LUT[s->r] ^ Tt) & 0x01;

+	uint8_t r = s->r;
+	s->r = (k[opt_select] ^ s->b) + s->l ;
+	s->l = s->r + r;
 }

-void opt_suc(const uint8_t* k,State* s, uint8_t *in, uint8_t length, bool add32Zeroes)
-{
-	State x2;
-	int i;
-	uint8_t head = 0;
-	for(i =0 ; i < length  ; i++)
-	{
-		head = 1 & (in[i] >> 7);
-		opt_successor(k,s,head,&x2);
+static void opt_suc(const uint8_t *k, State *s, uint8_t *in, uint8_t length, bool add32Zeroes) {
+	for (int i = 0; i < length; i++) {
+		uint8_t head;
+		head = in[i];
+		opt_successor(k, s, head);

-		head = 1 & (in[i] >> 6);
-		opt_successor(k,&x2,head,s);
+		head >>= 1;
+		opt_successor(k, s, head);

-		head = 1 & (in[i] >> 5);
-		opt_successor(k,s,head,&x2);
+		head >>= 1;
+		opt_successor(k, s, head);

-		head = 1 & (in[i] >> 4);
-		opt_successor(k,&x2,head,s);
+		head >>= 1;
+		opt_successor(k, s, head);

-		head = 1 & (in[i] >> 3);
-		opt_successor(k,s,head,&x2);
+		head >>= 1;
+		opt_successor(k, s, head);

-		head = 1 & (in[i] >> 2);
-		opt_successor(k,&x2,head,s);
+		head >>= 1;
+		opt_successor(k, s, head);

-		head = 1 & (in[i] >> 1);
-		opt_successor(k,s,head,&x2);
-
-		head = 1 & in[i];
-		opt_successor(k,&x2,head,s);
+		head >>= 1;
+		opt_successor(k, s, head);

+		head >>= 1;
+		opt_successor(k, s, head);
 	}
 	//For tag MAC, an additional 32 zeroes
-	if(add32Zeroes)
-		for(i =0 ; i < 16 ; i++)
-		{
-			opt_successor(k,s,0,&x2);
-			opt_successor(k,&x2,0,s);
+	if (add32Zeroes) {
+		for(int i = 0; i < 16; i++) {
+			opt_successor(k, s, 0);
+			opt_successor(k, s, 0);
 		}
+	}
 }

-void opt_output(const uint8_t* k,State* s,  uint8_t *buffer)
-{
-	uint8_t times = 0;
-	uint8_t bout = 0;
-	State temp = {0,0,0,0};
-	for( ; times < 4 ; times++)
-	{
-		bout =0;
-		bout |= (s->r & 0x4) << 5;
-		opt_successor(k,s,0,&temp);
-		bout |= (temp.r & 0x4) << 4;
-		opt_successor(k,&temp,0,s);
-		bout |= (s->r & 0x4) << 3;
-		opt_successor(k,s,0,&temp);
-		bout |= (temp.r & 0x4) << 2;
-		opt_successor(k,&temp,0,s);
-		bout |= (s->r & 0x4) << 1;
-		opt_successor(k,s,0,&temp);
-		bout |= (temp.r & 0x4) ;
-		opt_successor(k,&temp,0,s);
+static void opt_output(const uint8_t *k, State *s,  uint8_t *buffer) {
+	for (uint8_t times = 0; times < 4; times++) {
+		uint8_t bout = 0;
+		bout |= (s->r & 0x4) >> 2;
+		opt_successor(k, s, 0);
 		bout |= (s->r & 0x4) >> 1;
-		opt_successor(k,s,0,&temp);
-		bout |= (temp.r & 0x4) >> 2;
-		opt_successor(k,&temp,0,s);
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4);
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 1;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 2;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 3;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 4;
+		opt_successor(k, s, 0);
+		bout |= (s->r & 0x4) << 5;
+		opt_successor(k, s, 0);
 		buffer[times] = bout;
 	}
-
 }

-void opt_MAC(uint8_t* k, uint8_t* input, uint8_t* out)
-{
+static void opt_MAC(uint8_t *k, uint8_t *input, uint8_t *out) {
 	State _init  =  {
-			((k[0] ^ 0x4c) + 0xEC) & 0xFF,// l
-			((k[0] ^ 0x4c) + 0x21) & 0xFF,// r
-			0x4c, // b
-			0xE012 // t
-			};
+		((k[0] ^ 0x4c) + 0xEC) & 0xFF,// l
+		((k[0] ^ 0x4c) + 0x21) & 0xFF,// r
+		0x4c, // b
+		0xE012 // t
+	};

-	opt_suc(k,&_init,input,12, false);
+	opt_suc(k, &_init, input, 12, false);
 	//printf("\noutp ");
-	opt_output(k,&_init, out);
-}
-uint8_t rev_byte(uint8_t b) {
-	b = (b & 0xF0) >> 4 | (b & 0x0F) << 4;
-	b = (b & 0xCC) >> 2 | (b & 0x33) << 2;
-	b = (b & 0xAA) >> 1 | (b & 0x55) << 1;
-   return b;
-}
-void opt_reverse_arraybytecpy(uint8_t* dest, uint8_t *src, size_t len)
-{
-	uint8_t i;
-	for( i =0; i< len ; i++)
-		dest[i] = rev_byte(src[i]);
+	opt_output(k, &_init, out);
 }

-void opt_doReaderMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4])
-{
-	static uint8_t cc_nr[12];
-
-	opt_reverse_arraybytecpy(cc_nr, cc_nr_p,12);
-	uint8_t dest []= {0,0,0,0,0,0,0,0};
-	opt_MAC(div_key_p,cc_nr, dest);
-	//The output MAC must also be reversed
-	opt_reverse_arraybytecpy(mac, dest,4);
+void opt_doReaderMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]) {
+	uint8_t dest[] = {0, 0, 0, 0, 0, 0, 0, 0};
+	opt_MAC(div_key_p, cc_nr_p, dest);
+	memcpy(mac, dest, 4);
 	return;
 }
-void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4])
-{
-	static uint8_t cc_nr[8+4+4];
-	opt_reverse_arraybytecpy(cc_nr, cc_p,12);
-	State _init  =  {
-			((div_key_p[0] ^ 0x4c) + 0xEC) & 0xFF,// l
-			((div_key_p[0] ^ 0x4c) + 0x21) & 0xFF,// r
-			0x4c, // b
-			0xE012 // t
-			};
-	opt_suc(div_key_p,&_init,cc_nr, 12,true);
-	uint8_t dest []= {0,0,0,0};
-	opt_output(div_key_p,&_init, dest);
-	//The output MAC must also be reversed
-	opt_reverse_arraybytecpy(mac, dest,4);
-	return;

+void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4]) {
+	State _init = {
+		((div_key_p[0] ^ 0x4c) + 0xEC) & 0xFF,// l
+		((div_key_p[0] ^ 0x4c) + 0x21) & 0xFF,// r
+		0x4c, // b
+		0xE012 // t
+	};
+	opt_suc(div_key_p, &_init, cc_p, 12, true);
+	opt_output(div_key_p, &_init, mac);
+	return;
 }
+
 /**
 * The tag MAC can be divided (both can, but no point in dividing the reader mac) into
 * two functions, since the first 8 bytes are known, we can pre-calculate the state
@ -249,19 +273,17 @@ void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4])
 * @param div_key_p
 * @return the cipher state
 */
-State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p)
-{
-	static uint8_t cc_nr[8];
-	opt_reverse_arraybytecpy(cc_nr, cc_p,8);
-	State _init  =  {
-			((div_key_p[0] ^ 0x4c) + 0xEC) & 0xFF,// l
-			((div_key_p[0] ^ 0x4c) + 0x21) & 0xFF,// r
-			0x4c, // b
-			0xE012 // t
-			};
-	opt_suc(div_key_p,&_init,cc_nr, 8,false);
+State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p) {
+	State _init = {
+		((div_key_p[0] ^ 0x4c) + 0xEC) & 0xFF,// l
+		((div_key_p[0] ^ 0x4c) + 0x21) & 0xFF,// r
+		0x4c, // b
+		0xE012 // t
+	};
+	opt_suc(div_key_p, &_init, cc_p, 8, false);
 	return _init;
 }
+
 /**
 * The second part of the tag MAC calculation, since the CC is already calculated into the state,
 * this function is fed only the NR, and internally feeds the remaining 32 0-bits to generate the tag
@ -271,15 +293,8 @@ State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p)
 * @param mac - where to store the MAC
 * @param div_key_p - the key to use
 */
-void opt_doTagMAC_2(State _init,  uint8_t* nr, uint8_t mac[4], const uint8_t* div_key_p)
-{
-	static uint8_t _nr [4];
-	opt_reverse_arraybytecpy(_nr, nr, 4);
-	opt_suc(div_key_p,&_init,_nr, 4, true);
-	//opt_suc(div_key_p,&_init,nr, 4, false);
-	uint8_t dest []= {0,0,0,0};
-	opt_output(div_key_p,&_init, dest);
-	//The output MAC must also be reversed
-	opt_reverse_arraybytecpy(mac, dest,4);
+void opt_doTagMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p) {
+	opt_suc(div_key_p, &_init, nr, 4, true);
+	opt_output(div_key_p, &_init, mac);
 	return;
 }
--- a/armsrc/optimized_cipher.h
+++ b/armsrc/optimized_cipher.h
@ -35,17 +35,18 @@
 *
 ****************************************************************************/

- #ifndef OPTIMIZED_CIPHER_H
-#define OPTIMIZED_CIPHER_H
+#ifndef OPTIMIZED_CIPHER_H__
+#define OPTIMIZED_CIPHER_H__
+
 #include <stdint.h>

 /**
 * Definition 1 (Cipher state). A cipher state of iClass s is an element of F 40/2
 * consisting of the following four components:
-* 	1. the left register l = (l 0 . . . l 7 ) ∈ F 8/2 ;
-* 	2. the right register r = (r 0 . . . r 7 ) ∈ F 8/2 ;
-* 	3. the top register t = (t 0 . . . t 15 ) ∈ F 16/2 .
-* 	4. the bottom register b = (b 0 . . . b 7 ) ∈ F 8/2 .
+*   1. the left register l = (l 0 . . . l 7 ) ∈ F 8/2 ;
+*   2. the right register r = (r 0 . . . r 7 ) ∈ F 8/2 ;
+*   3. the top register t = (t 0 . . . t 15 ) ∈ F 16/2 .
+*   4. the bottom register b = (b 0 . . . b 7 ) ∈ F 8/2 .
 **/
 typedef struct {
 	uint8_t l;
@ -57,6 +58,7 @@ typedef struct {
 /** The reader MAC is MAC(key, CC * NR )
 **/
 void opt_doReaderMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]);
+
 /**
 * The tag MAC is MAC(key, CC * NR * 32x0))
 */
@ -71,6 +73,7 @@ void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4]);
 * @return the cipher state
 */
 State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p);
+
 /**
 * The second part of the tag MAC calculation, since the CC is already calculated into the state,
 * this function is fed only the NR, and internally feeds the remaining 32 0-bits to generate the tag
@ -80,6 +83,6 @@ State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p);
 * @param mac - where to store the MAC
 * @param div_key_p - the key to use
 */
-void opt_doTagMAC_2(State _init, uint8_t* nr, uint8_t mac[4], const uint8_t* div_key_p);
+void opt_doTagMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p);

-#endif // OPTIMIZED_CIPHER_H
+#endif // OPTIMIZED_CIPHER_H__
--- a/armsrc/pcf7931.c
+++ b/armsrc/pcf7931.c
@ -1,30 +1,30 @@
 #include "proxmark3.h"
 #include "apps.h"
+#include "usb_cdc.h"
 #include "lfsampling.h"
 #include "pcf7931.h"
 #include "util.h"
 #include "string.h"
+#include "fpgaloader.h"

 #define T0_PCF 8 //period for the pcf7931 in us
 #define ALLOC 16

-int DemodPCF7931(uint8_t **outBlocks) {
-
-    uint8_t bits[256] = {0x00};
+size_t DemodPCF7931(uint8_t **outBlocks) {
+	uint8_t bits[256] = {0x00};
 	uint8_t blocks[8][16];
-    uint8_t *dest = BigBuf_get_addr();
+	uint8_t *dest = BigBuf_get_addr();

 	int GraphTraceLen = BigBuf_max_traceLen();
-	if (  GraphTraceLen > 18000 )
+	if (GraphTraceLen > 18000)
 		GraphTraceLen = 18000;

-	
 	int i, j, lastval, bitidx, half_switch;
 	int clock = 64;
 	int tolerance = clock / 8;
 	int pmc, block_done;
 	int lc, warnings = 0;
-	int num_blocks = 0;
+	size_t num_blocks = 0;
 	int lmin=128, lmax=128;
 	uint8_t dir;
 	//clear read buffer
@ -39,17 +39,16 @@ int DemodPCF7931(uint8_t **outBlocks) {
 	i = 2;

 	/* Find first local max/min */
-    if(dest[1] > dest[0]) {
+	if(dest[1] > dest[0]) {
 		while(i < GraphTraceLen) {
-            if( !(dest[i] > dest[i-1]) && dest[i] > lmax)
+			if( !(dest[i] > dest[i-1]) && dest[i] > lmax)
 				break;
 			i++;
 		}
 		dir = 0;
-	}
-	else {
+	} else {
 		while(i < GraphTraceLen) {
-            if( !(dest[i] < dest[i-1]) && dest[i] < lmin)
+			if( !(dest[i] < dest[i-1]) && dest[i] < lmin)
 				break;
 			i++;
 		}
@ -61,10 +60,8 @@ int DemodPCF7931(uint8_t **outBlocks) {
 	pmc = 0;
 	block_done = 0;

-	for (bitidx = 0; i < GraphTraceLen; i++)
-	{
-        if ( (dest[i-1] > dest[i] && dir == 1 && dest[i] > lmax) || (dest[i-1] < dest[i] && dir == 0 && dest[i] < lmin))
-		{
+	for (bitidx = 0; i < GraphTraceLen; i++) {
+		if ((dest[i-1] > dest[i] && dir == 1 && dest[i] > lmax) || (dest[i-1] < dest[i] && dir == 0 && dest[i] < lmin)) {
 			lc = i - lastval;
 			lastval = i;

@ -78,8 +75,7 @@ int DemodPCF7931(uint8_t **outBlocks) {
 					lastval = i;
 					pmc = 0;
 					block_done = 1;
-				}
-				else {
+				} else {
 					pmc = i;
 				}
 			} else if (ABS(lc-clock/2) < tolerance) {
@ -90,21 +86,18 @@ int DemodPCF7931(uint8_t **outBlocks) {
 					lastval = i;
 					pmc = 0;
 					block_done = 1;
-				}
-				else if(half_switch == 1) {
-                    bits[bitidx++] = 0;
+				} else if(half_switch == 1) {
+					bits[bitidx++] = 0;
 					half_switch = 0;
 				}
 				else
 					half_switch++;
 			} else if (ABS(lc-clock) < tolerance) {
 				// 64TO
-                bits[bitidx++] = 1;
+				bits[bitidx++] = 1;
 			} else {
 				// Error
-				warnings++;
-				if (warnings > 10)
-				{
+				if (++warnings > 10) {
 					Dbprintf("Error: too many detection errors, aborting.");
 					return 0;
 				}
@ -112,16 +105,17 @@ int DemodPCF7931(uint8_t **outBlocks) {

 			if(block_done == 1) {
 				if(bitidx == 128) {
-					for(j=0; j<16; j++) {
-                        blocks[num_blocks][j] = 128*bits[j*8+7]+
-                                64*bits[j*8+6]+
-                                32*bits[j*8+5]+
-                                16*bits[j*8+4]+
-                                8*bits[j*8+3]+
-                                4*bits[j*8+2]+
-                                2*bits[j*8+1]+
-                                bits[j*8];
-						
+					for(j = 0; j < 16; ++j) {
+						blocks[num_blocks][j] =
+							128 * bits[j*8 + 7]+
+											64 * bits[j*8 + 6] +
+							32 * bits[j*8 + 5] +
+							16 * bits[j*8 + 4] +
+							8 * bits[j*8 + 3] +
+							4 * bits[j*8 + 2] +
+							2 * bits[j*8 + 1] +
+							bits[j*8]
+						;
 					}
 					num_blocks++;
 				}
@ -130,272 +124,357 @@ int DemodPCF7931(uint8_t **outBlocks) {
 				half_switch = 0;
 			}
 			if(i < GraphTraceLen)
-                dir =(dest[i-1] > dest[i]) ? 0 : 1;
+				dir = (dest[i-1] > dest[i]) ? 0 : 1;
 		}
 		if(bitidx==255)
 			bitidx=0;
 		warnings = 0;
 		if(num_blocks == 4) break;
 	}
-    memcpy(outBlocks, blocks, 16*num_blocks);
+	memcpy(outBlocks, blocks, 16 * num_blocks);
 	return num_blocks;
 }

-int IsBlock0PCF7931(uint8_t *Block) {
-	// Assume RFU means 0 :)
-	if((memcmp(Block, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) == 0) && memcmp(Block+9, "\x00\x00\x00\x00\x00\x00\x00", 7) == 0) // PAC enabled
-		return 1;
-	if((memcmp(Block+9, "\x00\x00\x00\x00\x00\x00\x00", 7) == 0) && Block[7] == 0) // PAC disabled, can it *really* happen ?
-		return 1;
-	return 0;
+bool IsBlock0PCF7931(uint8_t *block) {
+	// assuming all RFU bits are set to 0
+	// if PAC is enabled password is set to 0
+	if (block[7] == 0x01)
+	{
+		if (!memcmp(block, "\x00\x00\x00\x00\x00\x00\x00", 7) && !memcmp(block+9, "\x00\x00\x00\x00\x00\x00\x00", 7))
+			return true;
+	}
+	else if (block[7] == 0x00)
+	{
+		if (!memcmp(block+9, "\x00\x00\x00\x00\x00\x00\x00", 7))
+			return true;
+	}
+	return false;
 }

-int IsBlock1PCF7931(uint8_t *Block) {
-	// Assume RFU means 0 :)
-	if(Block[10] == 0 && Block[11] == 0 && Block[12] == 0 && Block[13] == 0)
-		if((Block[14] & 0x7f) <= 9 && Block[15] <= 9)
-			return 1;
+bool IsBlock1PCF7931(uint8_t *block) {
+	// assuming all RFU bits are set to 0

-	return 0;
+	uint8_t rb1 = block[14] & 0x80;
+	uint8_t rfb = block[14] & 0x7f;
+	uint8_t rlb = block[15];
+
+	if (block[10] == 0 && block[11] == 0 && block[12] == 0 && block[13] == 0)
+		// block 1 is sent only if (RLB >= 1 && RFB <= 1) or RB1 enabled
+		if(rfb <= rlb && rfb <= 9 && rlb <= 9 && ((rfb <= 1 && rlb >= 1) || rb1))
+			return true;
+
+	return false;
 }

 void ReadPCF7931() {
-	uint8_t Blocks[8][17];
-	uint8_t tmpBlocks[4][16];
-	int i, j, ind, ind2, n;
-	int num_blocks = 0;
-	int max_blocks = 8;
-	int ident = 0;
-	int error = 0;
-	int tries = 0;
+	int found_blocks = 0; // successfully read blocks
+	int max_blocks = 8; // readable blocks
+	uint8_t memory_blocks[8][17]; // PCF content

-	memset(Blocks, 0, 8*17*sizeof(uint8_t));
+	uint8_t single_blocks[8][17]; // PFC blocks with unknown position
+	int single_blocks_cnt = 0;
+
+	size_t n = 0; // transmitted blocks
+	uint8_t tmp_blocks[4][16]; // temporary read buffer
+
+	uint8_t found_0_1 = 0; // flag: blocks 0 and 1 were found
+	int errors = 0; // error counter
+	int tries = 0; // tries counter
+
+	memset(memory_blocks, 0, 8*17*sizeof(uint8_t));
+	memset(single_blocks, 0, 8*17*sizeof(uint8_t));
+
+	int i = 0, j = 0;

 	do {
-		memset(tmpBlocks, 0, 4*16*sizeof(uint8_t));
-		n = DemodPCF7931((uint8_t**)tmpBlocks);
+		i = 0;
+
+		memset(tmp_blocks, 0, 4*16*sizeof(uint8_t));
+		n = DemodPCF7931((uint8_t**)tmp_blocks);
 		if(!n)
-			error++;
-		if(error==10 && num_blocks == 0) {
+			++errors;
+
+		// exit if no block is received
+		if (errors >= 10 && found_blocks == 0 && single_blocks_cnt == 0) {
 			Dbprintf("Error, no tag or bad tag");
 			return;
 		}
-		else if (tries==20 || error==10) {
+
+		// exit if too many errors during reading
+		if (tries > 50 && (2*errors > tries)) {
 			Dbprintf("Error reading the tag");
 			Dbprintf("Here is the partial content");
 			goto end;
 		}

-		for(i=0; i<n; i++)
-			Dbprintf("(dbg) %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
-					 tmpBlocks[i][0], tmpBlocks[i][1], tmpBlocks[i][2], tmpBlocks[i][3], tmpBlocks[i][4], tmpBlocks[i][5], tmpBlocks[i][6], tmpBlocks[i][7],
-					tmpBlocks[i][8], tmpBlocks[i][9], tmpBlocks[i][10], tmpBlocks[i][11], tmpBlocks[i][12], tmpBlocks[i][13], tmpBlocks[i][14], tmpBlocks[i][15]);
-		if(!ident) {
-			for(i=0; i<n; i++) {
-				if(IsBlock0PCF7931(tmpBlocks[i])) {
-					// Found block 0 ?
-					if(i < n-1 && IsBlock1PCF7931(tmpBlocks[i+1])) {
-						// Found block 1!
-						// \o/
-						ident = 1;
-						memcpy(Blocks[0], tmpBlocks[i], 16);
-						Blocks[0][ALLOC] = 1;
-						memcpy(Blocks[1], tmpBlocks[i+1], 16);
-						Blocks[1][ALLOC] = 1;
-						max_blocks = MAX((Blocks[1][14] & 0x7f), Blocks[1][15]) + 1;
-						// Debug print
-						Dbprintf("(dbg) Max blocks: %d", max_blocks);
-						num_blocks = 2;
-						// Handle following blocks
-						for(j=i+2, ind2=2; j!=i; j++, ind2++, num_blocks++) {
-							if(j==n) j=0;
-							if(j==i) break;
-							memcpy(Blocks[ind2], tmpBlocks[j], 16);
-							Blocks[ind2][ALLOC] = 1;
-						}
+		// our logic breaks if we don't get at least two blocks
+		if (n < 2) {
+			// skip if all 0s block or no blocks
+			if (n == 0 || !memcmp(tmp_blocks[0], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16))
+				continue;
+
+			// add block to single blocks list
+			if (single_blocks_cnt < max_blocks) {
+				for (i = 0; i < single_blocks_cnt; ++i) {
+					if (!memcmp(single_blocks[i], tmp_blocks[0], 16)) {
+						j = 1;
 						break;
 					}
 				}
+				if (j != 1) {
+					memcpy(single_blocks[single_blocks_cnt], tmp_blocks[0], 16);
+					print_result("got single block", single_blocks[single_blocks_cnt], 16);
+					single_blocks_cnt++;
+				}
+				j = 0;
 			}
+			++tries;
+			continue;
 		}
-		else {
-			for(i=0; i<n; i++) { // Look for identical block in known blocks
-				if(memcmp(tmpBlocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) { // Block is not full of 00
-					for(j=0; j<max_blocks; j++) {
-						if(Blocks[j][ALLOC] == 1 && !memcmp(tmpBlocks[i], Blocks[j], 16)) {
-							// Found an identical block
-							for(ind=i-1,ind2=j-1; ind >= 0; ind--,ind2--) {
-								if(ind2 < 0)
-									ind2 = max_blocks;
-								if(!Blocks[ind2][ALLOC]) { // Block ind2 not already found
-									// Dbprintf("Tmp %d -> Block %d", ind, ind2);
-									memcpy(Blocks[ind2], tmpBlocks[ind], 16);
-									Blocks[ind2][ALLOC] = 1;
-									num_blocks++;
-									if(num_blocks == max_blocks) goto end;
-								}
-							}
-							for(ind=i+1,ind2=j+1; ind < n; ind++,ind2++) {
-								if(ind2 > max_blocks)
-									ind2 = 0;
-								if(!Blocks[ind2][ALLOC]) { // Block ind2 not already found
-									// Dbprintf("Tmp %d -> Block %d", ind, ind2);
-									memcpy(Blocks[ind2], tmpBlocks[ind], 16);
-									Blocks[ind2][ALLOC] = 1;
-									num_blocks++;
-									if(num_blocks == max_blocks) goto end;
-								}
-							}
+
+		Dbprintf("(dbg) got %d blocks (%d/%d found) (%d tries, %d errors)", n, found_blocks, (max_blocks == 0 ? found_blocks : max_blocks), tries, errors);
+		for (i = 0; i < n; ++i)
+		{
+			print_result("got consecutive blocks", tmp_blocks[i], 16);
+		}
+
+		i = 0;
+		if(!found_0_1) {
+			while (i < n - 1) {
+				if (IsBlock0PCF7931(tmp_blocks[i]) && IsBlock1PCF7931(tmp_blocks[i+1])) {
+					found_0_1 = 1;
+					memcpy(memory_blocks[0], tmp_blocks[i], 16);
+					memcpy(memory_blocks[1], tmp_blocks[i+1], 16);
+					memory_blocks[0][ALLOC] = memory_blocks[1][ALLOC] = 1;
+					// block 1 tells how many blocks are going to be sent
+					max_blocks = MAX((memory_blocks[1][14] & 0x7f), memory_blocks[1][15]) + 1;
+					found_blocks = 2;
+
+					Dbprintf("Found blocks 0 and 1. PCF is transmitting %d blocks.", max_blocks);
+
+					// handle the following blocks
+					for (j = i + 2; j < n; ++j) {
+						memcpy(memory_blocks[found_blocks], tmp_blocks[j], 16);
+						memory_blocks[found_blocks][ALLOC] = 1;
+						++found_blocks;
+					}
+					break;
+				}
+				++i;
+			}
+		} else {
+			// Trying to re-order blocks
+			// Look for identical block in memory blocks
+			while (i < n-1) {
+				// skip all zeroes blocks
+				if (memcmp(tmp_blocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
+					for (j = 1; j < max_blocks - 1; ++j) {
+						if (!memcmp(tmp_blocks[i], memory_blocks[j], 16) && !memory_blocks[j+1][ALLOC]) {
+							memcpy(memory_blocks[j+1], tmp_blocks[i+1], 16);
+							memory_blocks[j+1][ALLOC] = 1;
+							if (++found_blocks >= max_blocks) goto end;
 						}
 					}
 				}
+				if (memcmp(tmp_blocks[i+1], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
+					for (j = 0; j < max_blocks; ++j) {
+						if (!memcmp(tmp_blocks[i+1], memory_blocks[j], 16) && !memory_blocks[(j == 0 ? max_blocks : j) -1][ALLOC]) {
+							if (j == 0) {
+								memcpy(memory_blocks[max_blocks - 1], tmp_blocks[i], 16);
+								memory_blocks[max_blocks - 1][ALLOC] = 1;
+							} else {
+								memcpy(memory_blocks[j-1], tmp_blocks[i], 16);
+								memory_blocks[j-1][ALLOC] = 1;
+							}
+							if (++found_blocks >= max_blocks) goto end;
+						}
+					}
+				}
+				++i;
 			}
 		}
-		tries++;
-		if (BUTTON_PRESS()) return;
-	} while (num_blocks != max_blocks);
+		++tries;
+		if (BUTTON_PRESS()) {
+			Dbprintf("Button pressed, stopping.");
+			goto end;
+		}
+	}
+	while (found_blocks < max_blocks);
+
 end:
 	Dbprintf("-----------------------------------------");
 	Dbprintf("Memory content:");
 	Dbprintf("-----------------------------------------");
-	for(i=0; i<max_blocks; i++) {
-		if(Blocks[i][ALLOC]==1)
-			Dbprintf("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
-					 Blocks[i][0], Blocks[i][1], Blocks[i][2], Blocks[i][3], Blocks[i][4], Blocks[i][5], Blocks[i][6], Blocks[i][7],
-					Blocks[i][8], Blocks[i][9], Blocks[i][10], Blocks[i][11], Blocks[i][12], Blocks[i][13], Blocks[i][14], Blocks[i][15]);
+	for (i = 0; i < max_blocks; ++i) {
+		if (memory_blocks[i][ALLOC])
+			print_result("Block", memory_blocks[i], 16);
 		else
 			Dbprintf("<missing block %d>", i);
 	}
 	Dbprintf("-----------------------------------------");

+	if (found_blocks < max_blocks) {
+		Dbprintf("-----------------------------------------");
+		Dbprintf("Blocks with unknown position:");
+		Dbprintf("-----------------------------------------");
+		for (i = 0; i < single_blocks_cnt; ++i)
+			print_result("Block", single_blocks[i], 16);
+
+		Dbprintf("-----------------------------------------");
+	}
 	cmd_send(CMD_ACK,0,0,0,0,0);
 }

-
-/* Write on a byte of a PCF7931 tag
- * @param address : address of the block to write
-   @param byte : address of the byte to write
-    @param data : data to write
- */
-void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data)
-{
-
+static void RealWritePCF7931(uint8_t *pass, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
 	uint32_t tab[1024]={0}; // data times frame
 	uint32_t u = 0;
 	uint8_t parity = 0;
 	bool comp = 0;

 	//BUILD OF THE DATA FRAME
-
 	//alimentation of the tag (time for initializing)
 	AddPatternPCF7931(init_delay, 0, 8192/2*T0_PCF, tab);
-
-	//PMC
-	Dbprintf("Initialization delay : %d us", init_delay);
 	AddPatternPCF7931(8192/2*T0_PCF + 319*T0_PCF+70, 3*T0_PCF, 29*T0_PCF, tab);
-
-	Dbprintf("Offsets : %d us on the low pulses width, %d us on the low pulses positions", l, p);
-
 	//password indication bit
 	AddBitPCF7931(1, tab, l, p);
-
-
-	//password (on 56 bits)
-	Dbprintf("Password (LSB first on each byte) : %02x %02x %02x %02x %02x %02x %02x", pass1,pass2,pass3,pass4,pass5,pass6,pass7);
-	AddBytePCF7931(pass1, tab, l, p);
-	AddBytePCF7931(pass2, tab, l, p);
-	AddBytePCF7931(pass3, tab, l, p);
-	AddBytePCF7931(pass4, tab, l, p);
-	AddBytePCF7931(pass5, tab, l, p);
-	AddBytePCF7931(pass6, tab, l, p);
-	AddBytePCF7931(pass7, tab, l, p);
-
+	// password (on 56 bits)
+	AddBytePCF7931(pass[0], tab, l, p);
+	AddBytePCF7931(pass[1], tab, l, p);
+	AddBytePCF7931(pass[2], tab, l, p);
+	AddBytePCF7931(pass[3], tab, l, p);
+	AddBytePCF7931(pass[4], tab, l, p);
+	AddBytePCF7931(pass[5], tab, l, p);
+	AddBytePCF7931(pass[6], tab, l, p);
 	//programming mode (0 or 1)
 	AddBitPCF7931(0, tab, l, p);

 	//block adress on 6 bits
-	Dbprintf("Block address : %02x", address);
-	for (u=0; u<6; u++)
-	{
-		if (address&(1<<u)) {	// bit 1
-			 parity++;
+	for (u = 0; u < 6; ++u) {
+		if (address & (1 << u)) {   // bit 1
+			 ++parity;
 			 AddBitPCF7931(1, tab, l, p);
-		} else{					// bit 0
+		} else {                    // bit 0
 			 AddBitPCF7931(0, tab, l, p);
 		}
 	}

 	//byte address on 4 bits
-	Dbprintf("Byte address : %02x", byte);
-	for (u=0; u<4; u++)
+	for (u = 0; u < 4; ++u)
 	{
-		if (byte&(1<<u)) {	// bit 1
+		if (byte & (1 << u)) {  // bit 1
 			 parity++;
 			 AddBitPCF7931(1, tab, l, p);
-		} else{				// bit 0
-			 AddBitPCF7931(0, tab, l, p);
 		}
+		else                // bit 0
+			 AddBitPCF7931(0, tab, l, p);
 	}

 	//data on 8 bits
-	Dbprintf("Data : %02x", data);
 	for (u=0; u<8; u++)
 	{
-		if (data&(1<<u)) {	// bit 1
+		if (data&(1<<u)) {  // bit 1
 			 parity++;
 			 AddBitPCF7931(1, tab, l, p);
-		} else{				//bit 0
-			 AddBitPCF7931(0, tab, l, p);
 		}
+		else                //bit 0
+			 AddBitPCF7931(0, tab, l, p);
 	}

-
 	//parity bit
-	if((parity%2)==0){
-	 	AddBitPCF7931(0, tab, l, p); //even parity
-	}else{
+	if ((parity % 2) == 0)
+		AddBitPCF7931(0, tab, l, p); //even parity
+	else
 		AddBitPCF7931(1, tab, l, p);//odd parity
-	}

 	//time access memory
 	AddPatternPCF7931(5120+2680, 0, 0, tab);

 	//conversion of the scale time
-	for(u=0;u<500;u++){
-		tab[u]=(tab[u] * 3)/2;
-	}
-
+	for (u = 0; u < 500; ++u)
+		tab[u] = (tab[u] * 3) / 2;

 	//compennsation of the counter reload
-	while (!comp){
+	while (!comp) {
 		comp = 1;
-		for(u=0;tab[u]!=0;u++){
-			if(tab[u] > 0xFFFF){
+		for (u = 0; tab[u] != 0; ++u)
+			if(tab[u] > 0xFFFF) {
 			  tab[u] -= 0xFFFF;
 			  comp = 0;
 			}
-		}
 	}

 	SendCmdPCF7931(tab);
 }

+void BruteForcePCF7931(uint64_t password, uint8_t tries, uint16_t init_delay, int32_t l, int32_t p) {
+	uint8_t i = 0;
+	uint8_t pass_array[7];
+
+	while (password < 0x00FFFFFFFFFFFFFF) {
+		if (BUTTON_PRESS()) {
+			Dbprintf("Button pressed, stopping bruteforce ...");
+			return;
+		}
+
+		num_to_bytes(password, 7, pass_array);
+
+		Dbprintf("Trying: %02x %02x %02x %02x %02x %02x %02x ...",
+			pass_array[0],
+			pass_array[1],
+			pass_array[2],
+			pass_array[3],
+			pass_array[4],
+			pass_array[5],
+			pass_array[6]);
+
+		for (i = 0; i < tries; ++i)
+			RealWritePCF7931
+			(
+				pass_array,
+				init_delay,
+				l,
+				p,
+				0,
+				7,
+				0x01
+			);
+
+		++password;
+	}
+}
+
+/* Write on a byte of a PCF7931 tag
+ * @param address : address of the block to write
+   @param byte : address of the byte to write
+	@param data : data to write
+ */
+void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
+	Dbprintf("Initialization delay : %d us", init_delay);
+	Dbprintf("Offsets : %d us on the low pulses width, %d us on the low pulses positions", l, p);
+	Dbprintf("Password (LSB first on each byte): %02x %02x %02x %02x %02x %02x %02x", pass1, pass2, pass3, pass4, pass5, pass6, pass7);
+	Dbprintf("Block address : %02x", address);
+	Dbprintf("Byte address : %02x", byte);
+	Dbprintf("Data : %02x", data);
+
+	uint8_t password[7] = {pass1, pass2, pass3, pass4, pass5, pass6, pass7};
+
+	RealWritePCF7931 (password, init_delay, l, p, address, byte, data);
+}
+


 /* Send a trame to a PCF7931 tags
 * @param tab : array of the data frame
 */

-void SendCmdPCF7931(uint32_t * tab){
+void SendCmdPCF7931(uint32_t * tab) {
 	uint16_t u=0;
 	uint16_t tempo=0;

-	Dbprintf("SENDING DATA FRAME...");
+	Dbprintf("Sending data frame ...");

 	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
-
 	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU );

 	LED_A_ON();
@ -412,41 +491,30 @@ void SendCmdPCF7931(uint32_t * tab){
 	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;
 	AT91C_BASE_TCB->TCB_BCR = 1;

-
 	tempo = AT91C_BASE_TC0->TC_CV;
-	for(u=0;tab[u]!= 0;u+=3){
-
-
+	for (u = 0; tab[u] !=  0; u += 3) {
 		// modulate antenna
 		HIGH(GPIO_SSC_DOUT);
-		while(tempo !=  tab[u]){
+		while(tempo !=  tab[u])
 			tempo = AT91C_BASE_TC0->TC_CV;
-		}

 		// stop modulating antenna
 		LOW(GPIO_SSC_DOUT);
-		while(tempo !=  tab[u+1]){
+		while(tempo !=  tab[u+1])
 			tempo = AT91C_BASE_TC0->TC_CV;
-		}
-

 		// modulate antenna
 		HIGH(GPIO_SSC_DOUT);
-		while(tempo !=  tab[u+2]){
+		while(tempo !=  tab[u+2])
 			tempo = AT91C_BASE_TC0->TC_CV;
-		}
-
-
 	}

 	LED_A_OFF();
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	SpinDelay(200);

-
 	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
-	DbpString("FINISH !");
-	DbpString("(Could be usefull to send the same trame many times)");
+	DbpString("Data frame sent (multiple sends may be needed)");
 	LED(0xFFFF, 1000);
 }

@ -457,15 +525,12 @@ void SendCmdPCF7931(uint32_t * tab){
 * @param l : offset on low pulse width
 * @param p : offset on low pulse positioning
 */
-
-bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p){
-
+bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p) {
 	uint32_t u;
-	for (u=0; u<8; u++)
-	{
-		if (byte&(1<<u)) {	//bit à 1
+	for (u = 0; u < 8; ++u) {
+		if (byte & (1 << u)) {  //bit is 1
 			if(AddBitPCF7931(1, tab, l, p)==1)return 1;
-		} else { //bit à 0
+		} else { //bit is 0
 			if(AddBitPCF7931(0, tab, l, p)==1)return 1;
 		}
 	}
@ -479,30 +544,28 @@ bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p){
 * @param l : offset on low pulse width
 * @param p : offset on low pulse positioning
 */
-bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p){
+bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p) {
 	uint8_t u = 0;

-	for(u=0;tab[u]!=0;u+=3){} //we put the cursor at the last value of the array
+	for (u = 0; tab[u] != 0; u += 3){} //we put the cursor at the last value of the array

+	if (b == 1) {   //add a bit 1
+		if (u == 0) tab[u] = 34 * T0_PCF + p;
+		else        tab[u] = 34 * T0_PCF + tab[u-1] + p;

-	if(b==1){	//add a bit 1
-		if(u==0) tab[u] = 34*T0_PCF+p;
-		else 	 tab[u] = 34*T0_PCF+tab[u-1]+p;
-
-		tab[u+1] = 6*T0_PCF+tab[u]+l;
-		tab[u+2] = 88*T0_PCF+tab[u+1]-l-p;
+		tab[u+1] = 6 * T0_PCF+tab[u] + l;
+		tab[u+2] = 88 * T0_PCF+tab[u + 1] - l - p;
 		return 0;
-	}else{ 		//add a bit 0
+	} else {        //add a bit 0

-		if(u==0) tab[u] = 98*T0_PCF+p;
-		else  	 tab[u] = 98*T0_PCF+tab[u-1]+p;
+		if (u == 0) tab[u] = 98 * T0_PCF + p;
+		else        tab[u] = 98 * T0_PCF + tab[u-1] + p;

-		tab[u+1] = 6*T0_PCF+tab[u]+l;
-		tab[u+2] = 24*T0_PCF+tab[u+1]-l-p;
+		tab[u + 1] = 6 * T0_PCF + tab[u] + l;
+		tab[u + 2] = 24 * T0_PCF + tab[u + 1] - l - p;
 		return 0;
 	}

-	
 	return 1;
 }

@ -512,15 +575,15 @@ bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p){
 * @param c : delay of the last high pulse
 * @param tab : array of the data frame
 */
-bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab){
+bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab) {
 	uint32_t u = 0;
-	for(u=0;tab[u]!=0;u+=3){} //we put the cursor at the last value of the array
+	for(u = 0; tab[u] != 0; u += 3){} //we put the cursor at the last value of the array

-	if(u==0) tab[u] = a;
-	else tab[u] = a + tab[u-1];
+	if (u == 0) tab[u] = a;
+	else        tab[u] = a + tab[u - 1];

-	tab[u+1] = b+tab[u];
-	tab[u+2] = c+tab[u+1];
+	tab[u + 1] = b + tab[u];
+	tab[u + 2] = c + tab[u + 1];

 	return 0;
 }
--- a/armsrc/pcf7931.h
+++ b/armsrc/pcf7931.h
@ -1,14 +1,15 @@
 #ifndef __PCF7931_H
 #define __PCF7931_H

-int DemodPCF7931(uint8_t **outBlocks);
-int IsBlock0PCF7931(uint8_t *Block);
-int IsBlock1PCF7931(uint8_t *Block);
+size_t DemodPCF7931(uint8_t **outBlocks);
+bool IsBlock0PCF7931(uint8_t *Block);
+bool IsBlock1PCF7931(uint8_t *Block);
 void ReadPCF7931();
 void SendCmdPCF7931(uint32_t * tab);
 bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p);
 bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p);
 bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab);
 void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data);
+void BruteForcePCF7931(uint64_t start_password, uint8_t tries, uint16_t init_delay, int32_t l, int32_t p);

 #endif
--- a/armsrc/string.c
+++ b/armsrc/string.c
@ -11,8 +11,7 @@
 #include "string.h"
 #include <stdint.h>

-void *memcpy(void *dest, const void *src, int len)
-{
+void *memcpy(void *dest, const void *src, size_t len) {
 	uint8_t *d = dest;
 	const uint8_t *s = src;
 	while((len--) > 0) {
@ -23,8 +22,8 @@ void *memcpy(void *dest, const void *src, int len)
 	return dest;
 }

-void *memset(void *dest, int c, int len)
-{
+
+void *memset(void *dest, int c, size_t len) {
 	uint8_t *d = dest;
 	while((len--) > 0) {
 		*d = c;
@ -33,8 +32,30 @@ void *memset(void *dest, int c, int len)
 	return dest;
 }

-int memcmp(const void *av, const void *bv, int len)
-{
+
+void *memmove(void *dest, const void *src, size_t len) {
+	uint8_t *d = dest;
+	const uint8_t *s = src;
+	if (dest <= src) {
+		while((len--) > 0) {
+			*d = *s;
+			d++;
+			s++;
+		} 
+	} else {
+		d = d + len - 1;
+		s = s + len - 1;
+		while((len--) > 0) {
+			*d = *s;
+			d--;
+			s--;
+		}
+	}
+	return dest;
+}
+
+
+int memcmp(const void *av, const void *bv, size_t len) {
 	const uint8_t *a = av;
 	const uint8_t *b = bv;

@ -48,13 +69,8 @@ int memcmp(const void *av, const void *bv, int len)
 	return 0;
 }

-void memxor(uint8_t * dest, uint8_t * src, size_t len) {
-   for( ; len > 0; len--,dest++,src++)
-       *dest ^= *src;
-}

-int strlen(const char *str)
-{
+size_t strlen(const char *str) {
 	int l = 0;
 	while(*str) {
 		l++;
@ -63,8 +79,8 @@ int strlen(const char *str)
 	return l;
 }

-char* strncat(char *dest, const char *src, unsigned int n)
-{
+
+char* strncat(char *dest, const char *src, size_t n) {
 	unsigned int dest_len = strlen(dest);
 	unsigned int i;

@ -75,8 +91,8 @@ char* strncat(char *dest, const char *src, unsigned int n)
 	return dest;
 }

-char* strcat(char *dest, const char *src)
-{
+
+char* strcat(char *dest, const char *src) {
 	unsigned int dest_len = strlen(dest);
 	unsigned int i;

@ -86,35 +102,3 @@ char* strcat(char *dest, const char *src)

 	return dest;
 }
-////////////////////////////////////////// code to do 'itoa'
-
-/* reverse:  reverse string s in place */
-void strreverse(char s[])
-{
-    int c, i, j;
-
-    for (i = 0, j = strlen(s)-1; i<j; i++, j--) {
-        c = s[i];
-        s[i] = s[j];
-        s[j] = c;
-    }
-}
-
-/* itoa:  convert n to characters in s */
-void itoa(int n, char s[])
-{
-    int i, sign;
-
-    if ((sign = n) < 0)  /* record sign */
-        n = -n;          /* make n positive */
-    i = 0;
-    do {       /* generate digits in reverse order */
-        s[i++] = n % 10 + '0';   /* get next digit */
-    } while ((n /= 10) > 0);     /* delete it */
-    if (sign < 0)
-        s[i++] = '-';
-    s[i] = '\0';
-    strreverse(s);
-}
-
-//////////////////////////////////////// END 'itoa' CODE
--- a/armsrc/string.h
+++ b/armsrc/string.h
@ -12,18 +12,14 @@
 #ifndef __STRING_H
 #define __STRING_H

-#include <stdint.h>
-#include "util.h"
+#include <stddef.h>

-int strlen(const char *str);
-RAMFUNC void *memcpy(void *dest, const void *src, int len);
-void *memset(void *dest, int c, int len);
-RAMFUNC int memcmp(const void *av, const void *bv, int len);
-void memxor(uint8_t * dest, uint8_t * src, size_t len);
-char *strncat(char *dest, const char *src, unsigned int n);
+void *memcpy(void *dest, const void *src, size_t len);
+void *memset(void *dest, int c, size_t len);
+void *memmove(void *dest, const void *src, size_t len);
+int memcmp(const void *av, const void *bv, size_t len);
+size_t strlen(const char *str);
+char *strncat(char *dest, const char *src, size_t n);
 char *strcat(char *dest, const char *src);
-void strreverse(char s[]);
-void itoa(int n, char s[]);
-

 #endif /* __STRING_H */
--- a/armsrc/util.c
+++ b/armsrc/util.c
@ -21,7 +21,7 @@ void print_result(char *name, uint8_t *buf, size_t len) {

   if ( len % 16 == 0 ) {
 	   for(; p-buf < len; p += 16)
-       Dbprintf("[%s:%d/%d] %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+	   Dbprintf("[%s:%d/%d] %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
 				name,
 				p-buf,
 				len,
@ -30,7 +30,7 @@ void print_result(char *name, uint8_t *buf, size_t len) {
   }
   else {
   for(; p-buf < len; p += 8)
-       Dbprintf("[%s:%d/%d] %02x %02x %02x %02x %02x %02x %02x %02x", name, p-buf, len, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
+	   Dbprintf("[%s:%d/%d] %02x %02x %02x %02x %02x %02x %02x %02x", name, p-buf, len, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
   }
 }

@ -68,17 +68,17 @@ uint64_t bytes_to_num(uint8_t* src, size_t len)

 // RotateLeft - Ultralight, Desfire
 void rol(uint8_t *data, const size_t len){
-    uint8_t first = data[0];
-    for (size_t i = 0; i < len-1; i++) {
-        data[i] = data[i+1];
-    }
-    data[len-1] = first;
+	uint8_t first = data[0];
+	for (size_t i = 0; i < len-1; i++) {
+		data[i] = data[i+1];
+	}
+	data[len-1] = first;
 }
 void lsl (uint8_t *data, size_t len) {
-    for (size_t n = 0; n < len - 1; n++) {
-        data[n] = (data[n] << 1) | (data[n+1] >> 7);
-    }
-    data[len - 1] <<= 1;
+	for (size_t n = 0; n < len - 1; n++) {
+		data[n] = (data[n] << 1) | (data[n+1] >> 7);
+	}
+	data[len - 1] <<= 1;
 }

 void LEDsoff()
@ -89,6 +89,22 @@ void LEDsoff()
 	LED_D_OFF();
 }

+void LEDson()
+{
+	LED_A_ON();
+	LED_B_ON();
+	LED_C_ON();
+	LED_D_ON();
+}
+
+void LEDsinvert()
+{
+	LED_A_INV();
+	LED_B_INV();
+	LED_C_INV();
+	LED_D_INV();
+}
+
 // LEDs: R(C) O(A) G(B) -- R(D) [1, 2, 4 and 8]
 void LED(int led, int ms)
 {
@ -121,8 +137,7 @@ void LED(int led, int ms)
 // not clicked, or held down (for ms || 1sec)
 // In general, don't use this function unless you expect a
 // double click, otherwise it will waste 500ms -- use BUTTON_HELD instead
-int BUTTON_CLICKED(int ms)
-{
+int BUTTON_CLICKED(int ms) {
 	// Up to 500ms in between clicks to mean a double click
 	int ticks = (48000 * (ms ? ms : 1000)) >> 10;

@ -184,8 +199,7 @@ int BUTTON_CLICKED(int ms)
 }

 // Determine if a button is held down
-int BUTTON_HELD(int ms)
-{
+int BUTTON_HELD(int ms) {
 	// If button is held for one second
 	int ticks = (48000 * (ms ? ms : 1000)) >> 10;

@ -202,8 +216,7 @@ int BUTTON_HELD(int ms)

 	uint16_t start = AT91C_BASE_PWMC_CH0->PWMC_CCNTR;

-	for(;;)
-	{
+	for(;;) {
 		uint16_t now = AT91C_BASE_PWMC_CH0->PWMC_CCNTR;

 		// As soon as our button let go, we didn't hold long enough
@ -211,8 +224,7 @@ int BUTTON_HELD(int ms)
 			return BUTTON_SINGLE_CLICK;

 		// Have we waited the full second?
-		else
-			if (now == (uint16_t)(start + ticks))
+		else if (now == (uint16_t)(start + ticks))
 				return BUTTON_HOLD;

 		WDT_HIT();
@ -224,8 +236,7 @@ int BUTTON_HELD(int ms)

 // attempt at high resolution microsecond timer
 // beware: timer counts in 21.3uS increments (1024/48Mhz)
-void SpinDelayUs(int us)
-{
+void SpinDelayUs(int us) {
 	int ticks = (48*us) >> 10;

 	// Borrow a PWM unit for my real-time clock
@ -246,8 +257,7 @@ void SpinDelayUs(int us)
 	}
 }

-void SpinDelay(int ms)
-{
+void SpinDelay(int ms) {
  // convert to uS and call microsecond delay function
 	SpinDelayUs(ms*1000);
 }
@ -293,16 +303,15 @@ void FormatVersionInformation(char *dst, int len, const char *prefix, void *vers
 //  -------------------------------------------------------------------------
 //  test procedure:
 //
-//	ti = GetTickCount();
-//	SpinDelay(1000);
-//	ti = GetTickCount() - ti;
-//	Dbprintf("timer(1s): %d t=%d", ti, GetTickCount());
+//  ti = GetTickCount();
+//  SpinDelay(1000);
+//  ti = GetTickCount() - ti;
+//  Dbprintf("timer(1s): %d t=%d", ti, GetTickCount());

-void StartTickCount()
-{
+void StartTickCount() {
 	// This timer is based on the slow clock. The slow clock frequency is between 22kHz and 40kHz.
 	// We can determine the actual slow clock frequency by looking at the Main Clock Frequency Register.
-    uint16_t mainf = AT91C_BASE_PMC->PMC_MCFR & 0xffff;		// = 16 * main clock frequency (16MHz) / slow clock frequency
+	uint16_t mainf = AT91C_BASE_PMC->PMC_MCFR & 0xffff;     // = 16 * main clock frequency (16MHz) / slow clock frequency
 	// set RealTimeCounter divider to count at 1kHz:
 	AT91C_BASE_RTTC->RTTC_RTMR = AT91C_RTTC_RTTRST | ((256000 + (mainf/2)) / mainf);
 	// note: worst case precision is approx 2.5%
@ -312,7 +321,7 @@ void StartTickCount()
 /*
 * Get the current count.
 */
-uint32_t RAMFUNC GetTickCount(){
+uint32_t RAMFUNC GetTickCount(void) {
 	return AT91C_BASE_RTTC->RTTC_RTVR;// was * 2;
 }

@ -320,10 +329,9 @@ uint32_t RAMFUNC GetTickCount(){
 //  -------------------------------------------------------------------------
 //  microseconds timer
 //  -------------------------------------------------------------------------
-void StartCountUS()
-{
+void StartCountUS(void) {
 	AT91C_BASE_PMC->PMC_PCER |= (0x1 << 12) | (0x1 << 13) | (0x1 << 14);
-//	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC1XC1S_TIOA0;
+//  AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC1XC1S_TIOA0;
 	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;

 	// fast clock
@ -343,14 +351,14 @@ void StartCountUS()
 	}


-uint32_t RAMFUNC GetCountUS(){
+uint32_t RAMFUNC GetCountUS(void) {
 	return (AT91C_BASE_TC1->TC_CV * 0x8000) + ((AT91C_BASE_TC0->TC_CV * 2) / 3); //was  /15) * 10);
 }


 static uint32_t GlobalUsCounter = 0;

-uint32_t RAMFUNC GetDeltaCountUS(){
+uint32_t RAMFUNC GetDeltaCountUS(void) {
 	uint32_t g_cnt = GetCountUS();
 	uint32_t g_res = g_cnt - GlobalUsCounter;
 	GlobalUsCounter = g_cnt;
@ -361,59 +369,69 @@ uint32_t RAMFUNC GetDeltaCountUS(){
 //  -------------------------------------------------------------------------
 //  Timer for iso14443 commands. Uses ssp_clk from FPGA
 //  -------------------------------------------------------------------------
-void StartCountSspClk()
-{
+void StartCountSspClk(void) {
 	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1) | (1 << AT91C_ID_TC2);  // Enable Clock to all timers
-	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_TIOA1 		// XC0 Clock = TIOA1
-							| AT91C_TCB_TC1XC1S_NONE 		// XC1 Clock = none
-							| AT91C_TCB_TC2XC2S_TIOA0;		// XC2 Clock = TIOA0
+	AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_TIOA1       // XC0 Clock = TIOA1
+							| AT91C_TCB_TC1XC1S_NONE        // XC1 Clock = none
+							| AT91C_TCB_TC2XC2S_TIOA0;      // XC2 Clock = TIOA0

 	// configure TC1 to create a short pulse on TIOA1 when a rising edge on TIOB1 (= ssp_clk from FPGA) occurs:
-	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; 				// disable TC1
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;               // disable TC1
 	AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK // TC1 Clock = MCK(48MHz)/2 = 24MHz
-							| AT91C_TC_CPCSTOP				// Stop clock on RC compare
-							| AT91C_TC_EEVTEDG_RISING		// Trigger on rising edge of Event
-							| AT91C_TC_EEVT_TIOB			// Event-Source: TIOB1 (= ssp_clk from FPGA = 13,56MHz/16)
-							| AT91C_TC_ENETRG				// Enable external trigger event
-							| AT91C_TC_WAVESEL_UP	 		// Upmode without automatic trigger on RC compare
-							| AT91C_TC_WAVE 				// Waveform Mode
-							| AT91C_TC_AEEVT_SET 			// Set TIOA1 on external event
-							| AT91C_TC_ACPC_CLEAR; 			// Clear TIOA1 on RC Compare
-	AT91C_BASE_TC1->TC_RC = 0x04; 							// RC Compare value = 0x04
+							| AT91C_TC_CPCSTOP              // Stop clock on RC compare
+							| AT91C_TC_EEVTEDG_RISING       // Trigger on rising edge of Event
+							| AT91C_TC_EEVT_TIOB            // Event-Source: TIOB1 (= ssp_clk from FPGA = 13,56MHz/16 ... 13,56MHz/4)
+							| AT91C_TC_ENETRG               // Enable external trigger event
+							| AT91C_TC_WAVESEL_UP           // Upmode without automatic trigger on RC compare
+							| AT91C_TC_WAVE                 // Waveform Mode
+							| AT91C_TC_AEEVT_SET            // Set TIOA1 on external event
+							| AT91C_TC_ACPC_CLEAR;          // Clear TIOA1 on RC Compare
+	AT91C_BASE_TC1->TC_RC = 1;                              // RC Compare value = 1; pulse width to TC0

 	// use TC0 to count TIOA1 pulses
-	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;				// disable TC0
-	AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_XC0	 			// TC0 clock = XC0 clock = TIOA1
-							| AT91C_TC_WAVE 				// Waveform Mode
-							| AT91C_TC_WAVESEL_UP	 		// just count
-							| AT91C_TC_ACPA_CLEAR 			// Clear TIOA0 on RA Compare
-							| AT91C_TC_ACPC_SET; 			// Set TIOA0 on RC Compare
-	AT91C_BASE_TC0->TC_RA = 1;								// RA Compare value = 1; pulse width to TC2
-	AT91C_BASE_TC0->TC_RC = 0; 								// RC Compare value = 0; increment TC2 on overflow
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;               // disable TC0
+	AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_XC0              // TC0 clock = XC0 clock = TIOA1
+							| AT91C_TC_WAVE                 // Waveform Mode
+							| AT91C_TC_WAVESEL_UP           // just count
+							| AT91C_TC_ACPA_CLEAR           // Clear TIOA0 on RA Compare
+							| AT91C_TC_ACPC_SET;            // Set TIOA0 on RC Compare
+	AT91C_BASE_TC0->TC_RA = 1;                              // RA Compare value = 1; pulse width to TC2
+	AT91C_BASE_TC0->TC_RC = 0;                              // RC Compare value = 0; increment TC2 on overflow

 	// use TC2 to count TIOA0 pulses (giving us a 32bit counter (TC0/TC2) clocked by ssp_clk)
-	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKDIS; 				// disable TC2  
-	AT91C_BASE_TC2->TC_CMR = AT91C_TC_CLKS_XC2	 			// TC2 clock = XC2 clock = TIOA0
-							| AT91C_TC_WAVE 				// Waveform Mode
-							| AT91C_TC_WAVESEL_UP;	 		// just count
+	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKDIS;               // disable TC2
+	AT91C_BASE_TC2->TC_CMR = AT91C_TC_CLKS_XC2              // TC2 clock = XC2 clock = TIOA0
+							| AT91C_TC_WAVE                 // Waveform Mode
+							| AT91C_TC_WAVESEL_UP;          // just count

-	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;				// enable TC0
-	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN;				// enable TC1
-	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN;				// enable TC2
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;                // enable TC0
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN;                // enable TC1
+	AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN;                // enable TC2

 	//
-	// synchronize the counter with the ssp_frame signal. Note: FPGA must be in any iso14443 mode, otherwise SSC_FRAME and SSC_CLK signals would not be present 
+	// synchronize the counter with the ssp_frame signal. Note: FPGA must be in a FPGA mode with SSC transfer, otherwise SSC_FRAME and SSC_CLK signals would not be present
 	//
-	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME)); 	// wait for ssp_frame to go high (start of frame)
-	while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME); 		// wait for ssp_frame to be low
-	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); 	// wait for ssp_clk to go high
-	// note: up to now two ssp_clk rising edges have passed since the rising edge of ssp_frame
+	while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME);      // wait for ssp_frame to be low
+	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME));   // wait for ssp_frame to go high (start of frame)
+	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));     // wait for ssp_clk to go high; 1st ssp_clk after start of frame
+	while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);        // wait for ssp_clk to go low;
+	while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));     // wait for ssp_clk to go high; 2nd ssp_clk after start of frame
+	if ((AT91C_BASE_SSC->SSC_RFMR & SSC_FRAME_MODE_BITS_IN_WORD(32)) == SSC_FRAME_MODE_BITS_IN_WORD(16)) { // 16bit frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 3rd ssp_clk after start of frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 4th ssp_clk after start of frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 5th ssp_clk after start of frame
+		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK);    // wait for ssp_clk to go low;
+		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 6th ssp_clk after start of frame
+	}
 	// it is now safe to assert a sync signal. This sets all timers to 0 on next active clock edge
-	AT91C_BASE_TCB->TCB_BCR = 1;							// assert Sync (set all timers to 0 on next active clock edge)
-	// at the next (3rd) ssp_clk rising edge, TC1 will be reset (and not generate a clock signal to TC0)
-	// at the next (4th) ssp_clk rising edge, TC0 (the low word of our counter) will be reset. From now on,
-	// whenever the last three bits of our counter go 0, we can be sure to be in the middle of a frame transfer.
-	// (just started with the transfer of the 4th Bit).
+	AT91C_BASE_TCB->TCB_BCR = 1;                            // assert Sync (set all timers to 0 on next active clock edge)
+	// at the next (3rd/7th) ssp_clk rising edge, TC1 will be reset (and not generate a clock signal to TC0)
+	// at the next (4th/8th) ssp_clk rising edge, TC0 (the low word of our counter) will be reset. From now on,
+	// whenever the last three/four bits of our counter go 0, we can be sure to be in the middle of a frame transfer.
+
 	// The high word of the counter (TC2) will not reset until the low word (TC0) overflows. Therefore need to wait quite some time before
 	// we can use the counter.
 	while (AT91C_BASE_TC0->TC_CV < 0xFFFF);
@ -429,19 +447,17 @@ void ResetSspClk(void) {
 	while (AT91C_BASE_TC2->TC_CV > 0);
 }

+uint32_t GetCountSspClk(){
+	uint32_t hi, lo;

-uint32_t RAMFUNC GetCountSspClk(){
-	uint32_t tmp_count;
-	tmp_count = (AT91C_BASE_TC2->TC_CV << 16) | AT91C_BASE_TC0->TC_CV;
-	if ((tmp_count & 0x0000ffff) == 0) { //small chance that we may have missed an increment in TC2
-		return (AT91C_BASE_TC2->TC_CV << 16);
-	} 
-	else {
-		return tmp_count;
-	}
+	do { 
+		hi = AT91C_BASE_TC2->TC_CV;
+		lo = AT91C_BASE_TC0->TC_CV;
+	} while (hi != AT91C_BASE_TC2->TC_CV);
+	
+	return (hi << 16) | lo;
 }

-
 //  -------------------------------------------------------------------------
 //  Timer for bitbanging, or LF stuff when you need a very precis timer
 //  1us = 1.5ticks
@ -461,10 +477,10 @@ void StartTicks(void){

 	// second configure TC0 (lower, 0x0000FFFF) 16 bit counter
 	AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK | // MCK(48MHz) / 32
-	                         AT91C_TC_WAVE | AT91C_TC_WAVESEL_UP_AUTO |
-	                         AT91C_TC_ACPA_CLEAR | // RA comperator clears TIOA (carry bit)
-	                         AT91C_TC_ACPC_SET |   // RC comperator sets TIOA (carry bit)
-	                         AT91C_TC_ASWTRG_SET;  // SWTriger sets TIOA (carry bit)
+							 AT91C_TC_WAVE | AT91C_TC_WAVESEL_UP_AUTO |
+							 AT91C_TC_ACPA_CLEAR | // RA comperator clears TIOA (carry bit)
+							 AT91C_TC_ACPC_SET |   // RC comperator sets TIOA (carry bit)
+							 AT91C_TC_ASWTRG_SET;  // SWTriger sets TIOA (carry bit)
 	AT91C_BASE_TC0->TC_RC  = 0; // set TIOA (carry bit) on overflow, return to zero
 	AT91C_BASE_TC0->TC_RA  = 1; // clear carry bit on next clock cycle
 	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; // reset and re-enable timer
--- a/armsrc/util.h
+++ b/armsrc/util.h
@ -8,57 +8,66 @@
 // Utility functions used in many places, not specific to any piece of code.
 //-----------------------------------------------------------------------------

-#ifndef __UTIL_H
-#define __UTIL_H
+#ifndef UTIL_H__
+#define UTIL_H__

 #include <stddef.h>
 #include <stdint.h>
 #include "common.h"
+#include "at91sam7s512.h"

 #define BYTEx(x, n) (((x) >> (n * 8)) & 0xff )

-#define LED_RED 1
+#define LED_RED    1
 #define LED_ORANGE 2
-#define LED_GREEN 4
-#define LED_RED2 8
-#define BUTTON_HOLD 1
-#define BUTTON_NO_CLICK 0
-#define BUTTON_SINGLE_CLICK -1
-#define BUTTON_DOUBLE_CLICK -2
-#define BUTTON_ERROR -99
+#define LED_GREEN  4
+#define LED_RED2   8

-void print_result(char *name, uint8_t *buf, size_t len);
-size_t nbytes(size_t nbits);
-uint32_t SwapBits(uint32_t value, int nrbits);
-void num_to_bytes(uint64_t n, size_t len, uint8_t* dest);
-uint64_t bytes_to_num(uint8_t* src, size_t len);
-void rol(uint8_t *data, const size_t len);
-void lsl (uint8_t *data, size_t len);
+#define BUTTON_HOLD           1
+#define BUTTON_NO_CLICK       0
+#define BUTTON_SINGLE_CLICK  -1
+#define BUTTON_DOUBLE_CLICK  -2
+#define BUTTON_ERROR        -99

-void LED(int led, int ms);
-void LEDsoff();
-int BUTTON_CLICKED(int ms);
-int BUTTON_HELD(int ms);
-void FormatVersionInformation(char *dst, int len, const char *prefix, void *version_information);
+#define REV8(x)  ((((x)>>7)&1)|((((x)>>6)&1)<<1)|((((x)>>5)&1)<<2)|((((x)>>4)&1)<<3)|((((x)>>3)&1)<<4)|((((x)>>2)&1)<<5)|((((x)>>1)&1)<<6)|(((x)&1)<<7))
+#define REV16(x) (REV8(x)  | (REV8 (x >> 8) << 8))
+#define REV32(x) (REV16(x) | (REV16(x >> 16) << 16))
+#define REV64(x) (REV32(x) | (REV32(x >> 32) << 32))
+
+extern void print_result(char *name, uint8_t *buf, size_t len);
+extern size_t nbytes(size_t nbits);
+extern uint32_t SwapBits(uint32_t value, int nrbits);
+extern void num_to_bytes(uint64_t n, size_t len, uint8_t* dest);
+extern uint64_t bytes_to_num(uint8_t* src, size_t len);
+extern void rol(uint8_t *data, const size_t len);
+extern void lsl (uint8_t *data, size_t len);
+
+extern void LED(int led, int ms);
+extern void LEDsoff();
+extern void LEDson();
+extern void LEDsinvert();
+extern int BUTTON_CLICKED(int ms);
+extern int BUTTON_HELD(int ms);
+extern void FormatVersionInformation(char *dst, int len, const char *prefix, void *version_information);

 //iceman's ticks.h
 #ifndef GET_TICKS
 # define GET_TICKS GetTicks()
 #endif

-void SpinDelay(int ms);
-void SpinDelayUs(int us);
+extern void SpinDelay(int ms);
+extern void SpinDelayUs(int us);

-void StartTickCount();
-uint32_t RAMFUNC GetTickCount();
+extern void StartTickCount();
+extern uint32_t RAMFUNC GetTickCount();

-void StartCountUS();
-uint32_t RAMFUNC GetCountUS();
-uint32_t RAMFUNC GetDeltaCountUS();
+extern void StartCountUS();
+extern uint32_t RAMFUNC GetCountUS();
+extern uint32_t RAMFUNC GetDeltaCountUS();

-void StartCountSspClk();
-void ResetSspClk(void);
-uint32_t RAMFUNC GetCountSspClk();
+extern void StartCountSspClk();
+extern void ResetSspClk(void);
+extern uint32_t GetCountSspClk();

 extern void StartTicks(void);
 extern uint32_t GetTicks(void);
@ -70,6 +79,6 @@ extern void ResetTimer(AT91PS_TC timer);
 extern void StopTicks(void);
 // end iceman's ticks.h

-uint32_t prand();
+extern uint32_t prand();

 #endif
--- a/bootrom/Makefile
+++ b/bootrom/Makefile
@ -7,8 +7,8 @@
 #-----------------------------------------------------------------------------

 # DO NOT use thumb mode in the phase 1 bootloader since that generates a section with glue code
-ARMSRC = 
-THUMBSRC = cmd.c usb_cdc.c bootrom.c
+ARMSRC = string.c
+THUMBSRC = usb_cdc.c bootrom.c
 ASMSRC = ram-reset.s flash-reset.s
 VERSIONSRC = version.c

@ -19,7 +19,6 @@ VERSIONSRC = version.c
 # ARMSRC := $(ARMSRC) $(THUMBSRC)
 # THUMBSRC := 

-# stdint.h provided locally until GCC 4.5 becomes C99 compliant
 APP_CFLAGS = -I.

 # version.c should be remade on every compilation
--- a/bootrom/bootrom.c
+++ b/bootrom/bootrom.c
@ -6,17 +6,15 @@
 // Main code for the bootloader
 //-----------------------------------------------------------------------------

-#include <proxmark3.h>
+#include "proxmark3.h"
 #include "usb_cdc.h"
-#include "cmd.h"
-//#include "usb_hid.h"

 void DbpString(char *str) {
-  byte_t len = 0;
+  uint8_t len = 0;
  while (str[len] != 0x00) {
    len++;
  }
-  cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
+  cmd_send_old(CMD_DEBUG_PRINT_STRING,len,0,0,(uint8_t*)str,len);
 }

 struct common_area common_area __attribute__((section(".commonarea")));
@ -89,26 +87,22 @@ static void Fatal(void)
  for(;;);
 }

-void UsbPacketReceived(uint8_t *packet, int len) {
+void UsbPacketReceived(UsbCommand *c) {
  int i, dont_ack=0;
-  UsbCommand* c = (UsbCommand *)packet;
  volatile uint32_t *p;
  
-  if(len != sizeof(UsbCommand)) {
-    Fatal();
-  }
-  
  uint32_t arg0 = (uint32_t)c->arg[0];
  
  switch(c->cmd) {
    case CMD_DEVICE_INFO: {
      dont_ack = 1;
-      arg0 = DEVICE_INFO_FLAG_BOOTROM_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM |
-      DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH;
+      arg0 = DEVICE_INFO_FLAG_BOOTROM_PRESENT 
+		| DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM
+		| DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH;
      if(common_area.flags.osimage_present) {
        arg0 |= DEVICE_INFO_FLAG_OSIMAGE_PRESENT;
      }
-      cmd_send(CMD_DEVICE_INFO,arg0,1,2,0,0);
+      cmd_send_old(CMD_DEVICE_INFO,arg0,1,2,0,0);
    } break;
      
    case CMD_SETUP_WRITE: {
@ -134,7 +128,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
        if( ((flash_address+AT91C_IFLASH_PAGE_SIZE-1) >= end_addr) || (flash_address < start_addr) ) {
          /* Disallow write */
          dont_ack = 1;
-          cmd_send(CMD_NACK,0,0,0,0,0);
+          cmd_send_old(CMD_NACK,0,0,0,0,0);
        } else {
          uint32_t page_n = (flash_address - ((uint32_t)flash_mem)) / AT91C_IFLASH_PAGE_SIZE;
          /* Translate address to flash page and do flash, update here for the 512k part */
@ -148,7 +142,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
        while(!((sr = AT91C_BASE_EFC0->EFC_FSR) & AT91C_MC_FRDY));
        if(sr & (AT91C_MC_LOCKE | AT91C_MC_PROGE)) {
          dont_ack = 1;
-          cmd_send(CMD_NACK,0,0,0,0,0);
+          cmd_send_old(CMD_NACK,0,0,0,0,0);
        }
      }
    } break;
@ -179,7 +173,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
        } else {
          start_addr = end_addr = 0;
          dont_ack = 1;
-          cmd_send(CMD_NACK,0,0,0,0,0);
+          cmd_send_old(CMD_NACK,0,0,0,0,0);
        }
      }
    } break;
@ -190,7 +184,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
  }
  
  if(!dont_ack) {
-    cmd_send(CMD_ACK,arg0,0,0,0,0);
+    cmd_send_old(CMD_ACK,arg0,0,0,0,0);
  }
 }

@ -199,21 +193,17 @@ static void flash_mode(int externally_entered)
 	start_addr = 0;
 	end_addr = 0;
 	bootrom_unlocked = 0;
-  byte_t rx[sizeof(UsbCommand)];
-	size_t rx_len;
+    UsbCommand rx;

-  usb_enable();
-  for (volatile size_t i=0; i<0x100000; i++) {};
+	usb_enable();
+	for (volatile size_t i=0; i<0x100000; i++) {};

 	for(;;) {
 		WDT_HIT();

-    if (usb_poll()) {
-      rx_len = usb_read(rx,sizeof(UsbCommand));
-      if (rx_len) {
-        UsbPacketReceived(rx,rx_len);
-      }
-    }
+		if (cmd_receive(&rx)) {
+			UsbPacketReceived(&rx);
+		}

 		if(!externally_entered && !BUTTON_PRESS()) {
 			/* Perform a reset to leave flash mode */
--- a/bootrom/string.c
+++ b/bootrom/string.c
@ -0,0 +1,104 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, Sept 2005
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Common string.h functions
+//-----------------------------------------------------------------------------
+
+#include "string.h"
+#include <stdint.h>
+
+void *memcpy(void *dest, const void *src, size_t len) {
+	uint8_t *d = dest;
+	const uint8_t *s = src;
+	while((len--) > 0) {
+		*d = *s;
+		d++;
+		s++;
+	}
+	return dest;
+}
+
+
+void *memset(void *dest, int c, size_t len) {
+	uint8_t *d = dest;
+	while((len--) > 0) {
+		*d = c;
+		d++;
+	}
+	return dest;
+}
+
+
+void *memmove(void *dest, const void *src, size_t len) {
+	uint8_t *d = dest;
+	const uint8_t *s = src;
+	if (dest <= src) {
+		while((len--) > 0) {
+			*d = *s;
+			d++;
+			s++;
+		} 
+	} else {
+		d = d + len - 1;
+		s = s + len - 1;
+		while((len--) > 0) {
+			*d = *s;
+			d--;
+			s--;
+		}
+	}
+	return dest;
+}
+
+
+int memcmp(const void *av, const void *bv, size_t len) {
+	const uint8_t *a = av;
+	const uint8_t *b = bv;
+
+	while((len--) > 0) {
+		if(*a != *b) {
+			return *a - *b;
+		}
+		a++;
+		b++;
+	}
+	return 0;
+}
+
+
+size_t strlen(const char *str) {
+	int l = 0;
+	while(*str) {
+		l++;
+		str++;
+	}
+	return l;
+}
+
+
+char* strncat(char *dest, const char *src, size_t n) {
+	unsigned int dest_len = strlen(dest);
+	unsigned int i;
+
+	for (i = 0 ; i < n && src[i] != '\0' ; i++)
+		dest[dest_len + i] = src[i];
+	dest[dest_len + i] = '\0';
+
+	return dest;
+}
+
+
+char* strcat(char *dest, const char *src) {
+	unsigned int dest_len = strlen(dest);
+	unsigned int i;
+
+	for (i = 0 ; src[i] != '\0' ; i++)
+		dest[dest_len + i] = src[i];
+	dest[dest_len + i] = '\0';
+
+	return dest;
+}
--- a/bootrom/string.h
+++ b/bootrom/string.h
@ -0,0 +1,25 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, Aug 2005
+// Copyright (C) 2010 Hector Martin "marcan" <marcan@marcansoft.com>
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Common string.h functions
+//-----------------------------------------------------------------------------
+
+#ifndef __STRING_H
+#define __STRING_H
+
+#include <stddef.h>
+
+void *memcpy(void *dest, const void *src, size_t len);
+void *memset(void *dest, int c, size_t len);
+void *memmove(void *dest, const void *src, size_t len);
+int memcmp(const void *av, const void *bv, size_t len);
+size_t strlen(const char *str);
+char *strncat(char *dest, const char *src, size_t n);
+char *strcat(char *dest, const char *src);
+
+#endif /* __STRING_H */
--- a/client/Makefile
+++ b/client/Makefile
@ -21,21 +21,41 @@ LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread -lm
 LUALIB = ../liblua/liblua.a
 JANSSONLIBPATH = ./jansson
 JANSSONLIB = $(JANSSONLIBPATH)/libjansson.a
+MBEDTLSLIBPATH = ../common/mbedtls
+MBEDTLSLIB = $(MBEDTLSLIBPATH)/libmbedtls.a
+CBORLIBPATH = ./tinycbor
+CBORLIB = $(CBORLIBPATH)/tinycbor.a
+LIBINCLUDES = -I../zlib -I../uart -I../liblua -I$(MBEDTLSLIBPATH) -I$(JANSSONLIBPATH) -I$(CBORLIBPATH)
+INCLUDES_CLIENT = -I. -I../include -I../common -I/opt/local/include $(LIBINCLUDES)
 LDFLAGS = $(ENV_LDFLAGS)
-CFLAGS = $(ENV_CFLAGS) -std=c99 -D_ISOC99_SOURCE -I. -I../include -I../common -I../common/polarssl -I../zlib -I../uart -I/opt/local/include -I../liblua -I$(JANSSONLIBPATH) -Wall -g -O3
+CFLAGS = $(ENV_CFLAGS) -std=c99 -D_ISOC99_SOURCE $(INCLUDES_CLIENT) -Wall -g -O3
 CXXFLAGS = -I../include -Wall -O3

 APP_CFLAGS =
 include ../common/Makefile_Enabled_Options.common
 CFLAGS += $(APP_CFLAGS)
 ifneq (,$(findstring WITH_SMARTCARD,$(APP_CFLAGS)))
-	SRC_SMARTCARD = cmdsmartcard.c
+	SRC_SMARTCARD = cmdsmartcard.c pcsc.c
 else
 	SRC_SMARTCARD = 
 endif

-LUAPLATFORM = generic
 platform = $(shell uname)
+
+ifneq (,$(findstring MINGW,$(platform)))
+	PCSC_INCLUDES :=
+	PCSC_LIBS = -lwinscard
+else
+	ifeq ($(platform),Darwin)
+		PCSC_INCLUDES = 
+		PCSC_LIBS = -framework PCSC
+	else
+		PCSC_INCLUDES := $(shell pkg-config --cflags libpcsclite)
+		PCSC_LIBS := $(shell pkg-config --libs libpcsclite)
+	endif
+endif
+
+LUAPLATFORM = generic
 ifneq (,$(findstring MINGW,$(platform)))
 		LUAPLATFORM = mingw
 else
@ -105,21 +125,26 @@ CORESRCS = 	uart_posix.c \
 CMDSRCS = 	$(SRC_SMARTCARD) \
 			crapto1/crapto1.c\
 			crapto1/crypto1.c\
-			polarssl/des.c \
-			polarssl/aes.c\
-			polarssl/bignum.c\
-			polarssl/rsa.c\
-			polarssl/sha1.c\
+			crypto/libpcrypto.c\
+			crypto/asn1utils.c\
+			crypto/asn1dump.c\
 			cliparser/argtable3.c\
 			cliparser/cliparser.c\
-			mfkey.c\
+			fido/additional_ca.c \
+			fido/cose.c \
+			fido/cbortools.c \
+			fido/fidocore.c \
+			mifare/mfkey.c \
 			loclass/cipher.c \
 			loclass/cipherutils.c \
 			loclass/ikeys.c \
 			loclass/elite_crack.c\
 			loclass/fileutils.c\
 			whereami.c\
-			mifarehost.c\
+			mifare/mifarehost.c\
+			mifare/mifare4.c\
+			mifare/mad.c \
+			mifare/ndef.c \
 			parity.c\
 			crc.c \
 			crc16.c \
@ -140,12 +165,14 @@ CMDSRCS = 	$(SRC_SMARTCARD) \
 			emv/tlv.c\
 			emv/emv_tags.c\
 			emv/dol.c\
+			emv/emvjson.c\
 			emv/emvcore.c\
 			emv/test/crypto_test.c\
 			emv/test/sda_test.c\
 			emv/test/dda_test.c\
 			emv/test/cda_test.c\
 			emv/cmdemv.c\
+			emv/emv_roca.c \
 			cmdhf.c \
 			cmdhflist.c \
 			cmdhf14a.c \
@ -155,10 +182,12 @@ CMDSRCS = 	$(SRC_SMARTCARD) \
 			cmdhflegic.c \
 			cmdhficlass.c \
 			cmdhfmf.c \
+			cmdhfmfp.c \
 			cmdhfmfu.c \
 			cmdhfmfhard.c \
 			hardnested/hardnested_bruteforce.c \
 			cmdhftopaz.c \
+			cmdhffido.c \
 			cmdhw.c \
 			cmdlf.c \
 			cmdlfawid.c \
@ -191,7 +220,8 @@ CMDSRCS = 	$(SRC_SMARTCARD) \
 			cmdscript.c\
 			pm3_binlib.c\
 			pm3_bitlib.c\
-			protocols.c
+			protocols.c\
+			taginfo.c

 cpu_arch = $(shell uname -m)
 ifneq ($(findstring 86, $(cpu_arch)), )
@ -238,15 +268,15 @@ endif
 			
 BINS = proxmark3 flasher fpga_compress
 WINBINS = $(patsubst %, %.exe, $(BINS))
-CLEAN = $(BINS) $(WINBINS) $(COREOBJS) $(CMDOBJS) $(OBJCOBJS) $(ZLIBOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(OBJDIR)/*.o *.moc.cpp ui/ui_overlays.h
+CLEAN = $(BINS) $(WINBINS) $(COREOBJS) $(CMDOBJS) $(OBJCOBJS) $(ZLIBOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(OBJDIR)/*.o *.moc.cpp ui/ui_overlays.h lualibs/usb_cmd.lua

 # need to assign dependancies to build these first...
-all: lua_build jansson_build $(BINS)
+all: lua_build jansson_build mbedtls_build cbor_build $(BINS)

 all-static: LDLIBS:=-static $(LDLIBS)
 all-static: proxmark3 flasher fpga_compress

-proxmark3: LDLIBS+=$(LUALIB) $(JANSSONLIB) $(QTLDLIBS)
+proxmark3: LDLIBS+=$(LUALIB) $(JANSSONLIB) $(MBEDTLSLIB) $(CBORLIB) $(QTLDLIBS) $(PCSC_LIBS)
 proxmark3: $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(OBJCOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(ZLIBOBJS) lualibs/usb_cmd.lua
 	$(LD) $(LDFLAGS) $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(OBJCOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(ZLIBOBJS) $(LDLIBS) -o $@

@ -270,7 +300,9 @@ lualibs/usb_cmd.lua: ../include/usb_cmd.h
 clean:
 	$(RM) $(CLEAN)
 	cd ../liblua && make clean
-	cd ./jansson && make clean
+	cd $(JANSSONLIBPATH) && make clean
+	cd $(MBEDTLSLIBPATH) && make clean
+	cd $(CBORLIBPATH) && make clean

 tarbin: $(BINS)
 	$(TAR) $(TARFLAGS) ../proxmark3-$(platform)-bin.tar $(BINS:%=client/%) $(WINBINS:%=client/%)
@ -281,7 +313,15 @@ lua_build:
 	
 jansson_build:
 	@echo Compiling jansson
-	cd ./jansson && make all
+	cd $(JANSSONLIBPATH) && make all
+	
+mbedtls_build:
+	@echo Compiling mbedtls
+	cd $(MBEDTLSLIBPATH) && make all
+	
+cbor_build:
+	@echo Compiling tinycbor
+	cd $(CBORLIBPATH) && make all
 	
 .PHONY: all clean

@ -305,7 +345,7 @@ $(OBJDIR)/%_AVX512.o : %.c $(OBJDIR)/%.d

 %.o: %.c
 $(OBJDIR)/%.o : %.c $(OBJDIR)/%.d
-	$(CC) $(DEPFLAGS) $(CFLAGS) $(ZLIBFLAGS) -c -o $@ $<
+	$(CC) $(DEPFLAGS) $(CFLAGS) $(ZLIBFLAGS) $(PCSC_INCLUDES) -c -o $@ $<
 	$(POSTCOMPILE)

 %.o: %.cpp
--- a/client/cliparser/argtable3.c
+++ b/client/cliparser/argtable3.c
--- a/client/cliparser/argtable3.h
+++ b/client/cliparser/argtable3.h
@ -1,4 +1,6 @@
 /*******************************************************************************
+ * argtable3: Declares the main interfaces of the library
+ *
 * This file is part of the argtable3 library.
 *
 * Copyright (C) 1998-2001,2003-2011,2013 Stewart Heitmann
@ -31,273 +33,239 @@
 #ifndef ARGTABLE3
 #define ARGTABLE3

-#include <stdio.h>      /* FILE */
-#include <time.h>       /* struct tm */
+#include <stdio.h> /* FILE */
+#include <time.h>  /* struct tm */

 #ifdef __cplusplus
 extern "C" {
 #endif

 #define ARG_REX_ICASE 1
+#define ARG_DSTR_SIZE 200
+#define ARG_CMD_NAME_LEN 100
+#define ARG_CMD_DESCRIPTION_LEN 256
+
+#ifndef ARG_REPLACE_GETOPT
+#define ARG_REPLACE_GETOPT 1 /* use the embedded getopt as the system getopt(3) */
+#endif /* ARG_REPLACE_GETOPT */

 /* bit masks for arg_hdr.flag */
-enum
-{
-    ARG_TERMINATOR=0x1,
-    ARG_HASVALUE=0x2,
-    ARG_HASOPTVALUE=0x4
-};
+enum { ARG_TERMINATOR = 0x1, ARG_HASVALUE = 0x2, ARG_HASOPTVALUE = 0x4 };

-typedef void (arg_resetfn)(void *parent);
-typedef int  (arg_scanfn)(void *parent, const char *argval);
-typedef int  (arg_checkfn)(void *parent);
-typedef void (arg_errorfn)(void *parent, FILE *fp, int error, const char *argval, const char *progname);
+#if defined(_WIN32)
+  #if defined(argtable3_EXPORTS)
+    #define ARG_EXTERN __declspec(dllexport)
+  #elif defined(argtable3_IMPORTS)
+    #define ARG_EXTERN __declspec(dllimport)
+  #else
+    #define ARG_EXTERN
+  #endif
+#else
+  #define ARG_EXTERN
+#endif

+typedef struct _internal_arg_dstr* arg_dstr_t;
+typedef void* arg_cmd_itr_t;
+
+typedef void(arg_resetfn)(void* parent);
+typedef int(arg_scanfn)(void* parent, const char* argval);
+typedef int(arg_checkfn)(void* parent);
+typedef void(arg_errorfn)(void* parent, arg_dstr_t ds, int error, const char* argval, const char* progname);
+typedef void(arg_dstr_freefn)(char* buf);
+typedef int(arg_cmdfn)(int argc, char* argv[], arg_dstr_t res);
+typedef int(arg_comparefn)(const void* k1, const void* k2);

 /*
-* The arg_hdr struct defines properties that are common to all arg_xxx structs.
-* The argtable library requires each arg_xxx struct to have an arg_hdr
-* struct as its first data member.
-* The argtable library functions then use this data to identify the
-* properties of the command line option, such as its option tags,
-* datatype string, and glossary strings, and so on.
-* Moreover, the arg_hdr struct contains pointers to custom functions that
-* are provided by each arg_xxx struct which perform the tasks of parsing
-* that particular arg_xxx arguments, performing post-parse checks, and
-* reporting errors.
-* These functions are private to the individual arg_xxx source code
-* and are the pointer to them are initiliased by that arg_xxx struct's
-* constructor function. The user could alter them after construction
-* if desired, but the original intention is for them to be set by the
-* constructor and left unaltered.
-*/
-struct arg_hdr
-{
-    char         flag;        /* Modifier flags: ARG_TERMINATOR, ARG_HASVALUE. */
-    const char  *shortopts;   /* String defining the short options */
-    const char  *longopts;    /* String defiing the long options */
-    const char  *datatype;    /* Description of the argument data type */
-    const char  *glossary;    /* Description of the option as shown by arg_print_glossary function */
-    int          mincount;    /* Minimum number of occurences of this option accepted */
-    int          maxcount;    /* Maximum number of occurences if this option accepted */
-    void        *parent;      /* Pointer to parent arg_xxx struct */
-    arg_resetfn *resetfn;     /* Pointer to parent arg_xxx reset function */
-    arg_scanfn  *scanfn;      /* Pointer to parent arg_xxx scan function */
-    arg_checkfn *checkfn;     /* Pointer to parent arg_xxx check function */
-    arg_errorfn *errorfn;     /* Pointer to parent arg_xxx error function */
-    void        *priv;        /* Pointer to private header data for use by arg_xxx functions */
-};
+ * The arg_hdr struct defines properties that are common to all arg_xxx structs.
+ * The argtable library requires each arg_xxx struct to have an arg_hdr
+ * struct as its first data member.
+ * The argtable library functions then use this data to identify the
+ * properties of the command line option, such as its option tags,
+ * datatype string, and glossary strings, and so on.
+ * Moreover, the arg_hdr struct contains pointers to custom functions that
+ * are provided by each arg_xxx struct which perform the tasks of parsing
+ * that particular arg_xxx arguments, performing post-parse checks, and
+ * reporting errors.
+ * These functions are private to the individual arg_xxx source code
+ * and are the pointer to them are initiliased by that arg_xxx struct's
+ * constructor function. The user could alter them after construction
+ * if desired, but the original intention is for them to be set by the
+ * constructor and left unaltered.
+ */
+typedef struct arg_hdr {
+    char flag;             /* Modifier flags: ARG_TERMINATOR, ARG_HASVALUE. */
+    const char* shortopts; /* String defining the short options */
+    const char* longopts;  /* String defiing the long options */
+    const char* datatype;  /* Description of the argument data type */
+    const char* glossary;  /* Description of the option as shown by arg_print_glossary function */
+    int mincount;          /* Minimum number of occurences of this option accepted */
+    int maxcount;          /* Maximum number of occurences if this option accepted */
+    void* parent;          /* Pointer to parent arg_xxx struct */
+    arg_resetfn* resetfn;  /* Pointer to parent arg_xxx reset function */
+    arg_scanfn* scanfn;    /* Pointer to parent arg_xxx scan function */
+    arg_checkfn* checkfn;  /* Pointer to parent arg_xxx check function */
+    arg_errorfn* errorfn;  /* Pointer to parent arg_xxx error function */
+    void* priv;            /* Pointer to private header data for use by arg_xxx functions */
+} arg_hdr_t;

-struct arg_rem
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-};
+typedef struct arg_rem {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+} arg_rem_t;

-struct arg_lit
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    int count;               /* Number of matching command line args */
-};
+typedef struct arg_lit {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+} arg_lit_t;

-struct arg_int
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    int count;               /* Number of matching command line args */
-    int *ival;               /* Array of parsed argument values */
-};
+typedef struct arg_int {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    int* ival;          /* Array of parsed argument values */
+} arg_int_t;

-struct arg_dbl
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    int count;               /* Number of matching command line args */
-    double *dval;            /* Array of parsed argument values */
-};
+typedef struct arg_dbl {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    double* dval;       /* Array of parsed argument values */
+} arg_dbl_t;

-struct arg_str
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    int count;               /* Number of matching command line args */
-    const char **sval;       /* Array of parsed argument values */
-};
+typedef struct arg_str {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    const char** sval;  /* Array of parsed argument values */
+} arg_str_t;

-struct arg_rex
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    int count;               /* Number of matching command line args */
-    const char **sval;       /* Array of parsed argument values */
-};
+typedef struct arg_rex {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    int count;          /* Number of matching command line args */
+    const char** sval;  /* Array of parsed argument values */
+} arg_rex_t;

-struct arg_file
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    int count;               /* Number of matching command line args*/
-    const char **filename;   /* Array of parsed filenames  (eg: /home/foo.bar) */
-    const char **basename;   /* Array of parsed basenames  (eg: foo.bar) */
-    const char **extension;  /* Array of parsed extensions (eg: .bar) */
-};
+typedef struct arg_file {
+    struct arg_hdr hdr;     /* The mandatory argtable header struct */
+    int count;              /* Number of matching command line args*/
+    const char** filename;  /* Array of parsed filenames  (eg: /home/foo.bar) */
+    const char** basename;  /* Array of parsed basenames  (eg: foo.bar) */
+    const char** extension; /* Array of parsed extensions (eg: .bar) */
+} arg_file_t;

-struct arg_date
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    const char *format;      /* strptime format string used to parse the date */
-    int count;               /* Number of matching command line args */
-    struct tm *tmval;        /* Array of parsed time values */
-};
+typedef struct arg_date {
+    struct arg_hdr hdr; /* The mandatory argtable header struct */
+    const char* format; /* strptime format string used to parse the date */
+    int count;          /* Number of matching command line args */
+    struct tm* tmval;   /* Array of parsed time values */
+} arg_date_t;

-enum {ARG_ELIMIT=1, ARG_EMALLOC, ARG_ENOMATCH, ARG_ELONGOPT, ARG_EMISSARG};
-struct arg_end
-{
-    struct arg_hdr hdr;      /* The mandatory argtable header struct */
-    int count;               /* Number of errors encountered */
-    int *error;              /* Array of error codes */
-    void **parent;           /* Array of pointers to offending arg_xxx struct */
-    const char **argval;     /* Array of pointers to offending argv[] string */
-};
+enum { ARG_ELIMIT = 1, ARG_EMALLOC, ARG_ENOMATCH, ARG_ELONGOPT, ARG_EMISSARG };
+typedef struct arg_end {
+    struct arg_hdr hdr;  /* The mandatory argtable header struct */
+    int count;           /* Number of errors encountered */
+    int* error;          /* Array of error codes */
+    void** parent;       /* Array of pointers to offending arg_xxx struct */
+    const char** argval; /* Array of pointers to offending argv[] string */
+} arg_end_t;

+typedef struct arg_cmd_info {
+    char name[ARG_CMD_NAME_LEN];
+    char description[ARG_CMD_DESCRIPTION_LEN];
+    arg_cmdfn* proc;
+} arg_cmd_info_t;

 /**** arg_xxx constructor functions *********************************/

-struct arg_rem* arg_rem(const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_rem* arg_rem(const char* datatype, const char* glossary);

-struct arg_lit* arg_lit0(const char* shortopts,
-    const char* longopts,
-    const char* glossary);
-struct arg_lit* arg_lit1(const char* shortopts,
-    const char* longopts,
-    const char *glossary);
-struct arg_lit* arg_litn(const char* shortopts,
-    const char* longopts,
-    int mincount,
-    int maxcount,
-    const char *glossary);
+ARG_EXTERN struct arg_lit* arg_lit0(const char* shortopts, const char* longopts, const char* glossary);
+ARG_EXTERN struct arg_lit* arg_lit1(const char* shortopts, const char* longopts, const char* glossary);
+ARG_EXTERN struct arg_lit* arg_litn(const char* shortopts, const char* longopts, int mincount, int maxcount, const char* glossary);

-struct arg_key* arg_key0(const char* keyword,
-    int flags,
-    const char* glossary);
-struct arg_key* arg_key1(const char* keyword,
-    int flags,
-    const char* glossary);
-struct arg_key* arg_keyn(const char* keyword,
-    int flags,
-    int mincount,
-    int maxcount,
-    const char* glossary);
+ARG_EXTERN struct arg_int* arg_int0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_int* arg_int1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_int* arg_intn(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);

-struct arg_int* arg_int0(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    const char* glossary);
-struct arg_int* arg_int1(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    const char *glossary);
-struct arg_int* arg_intn(const char* shortopts,
-    const char* longopts,
-    const char *datatype,
-    int mincount,
-    int maxcount,
-    const char *glossary);
+ARG_EXTERN struct arg_dbl* arg_dbl0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_dbl* arg_dbl1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_dbl* arg_dbln(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);

-struct arg_dbl* arg_dbl0(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    const char* glossary);
-struct arg_dbl* arg_dbl1(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    const char *glossary);
-struct arg_dbl* arg_dbln(const char* shortopts,
-    const char* longopts,
-    const char *datatype,
-    int mincount,
-    int maxcount,
-    const char *glossary);
+ARG_EXTERN struct arg_str* arg_str0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_str* arg_str1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_str* arg_strn(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);

-struct arg_str* arg_str0(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    const char* glossary);
-struct arg_str* arg_str1(const char* shortopts,
-    const char* longopts,                    
-    const char* datatype,
-    const char *glossary);
-struct arg_str* arg_strn(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    int mincount,
-    int maxcount,
-    const char *glossary);
+ARG_EXTERN struct arg_rex* arg_rex0(const char* shortopts, const char* longopts, const char* pattern, const char* datatype, int flags, const char* glossary);
+ARG_EXTERN struct arg_rex* arg_rex1(const char* shortopts, const char* longopts, const char* pattern, const char* datatype, int flags, const char* glossary);
+ARG_EXTERN struct arg_rex* arg_rexn(const char* shortopts,
+                         const char* longopts,
+                         const char* pattern,
+                         const char* datatype,
+                         int mincount,
+                         int maxcount,
+                         int flags,
+                         const char* glossary);

-struct arg_rex* arg_rex0(const char* shortopts,
-    const char* longopts,
-    const char* pattern,
-    const char* datatype,
-    int flags,
-    const char* glossary);
-struct arg_rex* arg_rex1(const char* shortopts,
-    const char* longopts,
-    const char* pattern,
-    const char* datatype,
-    int flags,
-    const char *glossary);
-struct arg_rex* arg_rexn(const char* shortopts,
-    const char* longopts,
-    const char* pattern,
-    const char* datatype,
-    int mincount,
-    int maxcount,
-    int flags,
-    const char *glossary);
+ARG_EXTERN struct arg_file* arg_file0(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_file* arg_file1(const char* shortopts, const char* longopts, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_file* arg_filen(const char* shortopts, const char* longopts, const char* datatype, int mincount, int maxcount, const char* glossary);

-struct arg_file* arg_file0(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    const char* glossary);
-struct arg_file* arg_file1(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    const char *glossary);
-struct arg_file* arg_filen(const char* shortopts,
-    const char* longopts,
-    const char* datatype,
-    int mincount,
-    int maxcount,
-    const char *glossary);
+ARG_EXTERN struct arg_date* arg_date0(const char* shortopts, const char* longopts, const char* format, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_date* arg_date1(const char* shortopts, const char* longopts, const char* format, const char* datatype, const char* glossary);
+ARG_EXTERN struct arg_date* arg_daten(const char* shortopts, const char* longopts, const char* format, const char* datatype, int mincount, int maxcount, const char* glossary);

-struct arg_date* arg_date0(const char* shortopts,
-    const char* longopts,
-    const char* format,
-    const char* datatype,
-    const char* glossary);
-struct arg_date* arg_date1(const char* shortopts,
-    const char* longopts,
-    const char* format,
-    const char* datatype,
-    const char *glossary);
-struct arg_date* arg_daten(const char* shortopts,
-    const char* longopts,
-    const char* format,
-    const char* datatype,
-    int mincount,
-    int maxcount,
-    const char *glossary);
-
-struct arg_end* arg_end(int maxerrors);
+ARG_EXTERN struct arg_end* arg_end(int maxerrors);

+#define ARG_DSTR_STATIC ((arg_dstr_freefn*)0)
+#define ARG_DSTR_VOLATILE ((arg_dstr_freefn*)1)
+#define ARG_DSTR_DYNAMIC ((arg_dstr_freefn*)3)

 /**** other functions *******************************************/
-int arg_nullcheck(void **argtable);
-int arg_parse(int argc, char **argv, void **argtable);
-void arg_print_option(FILE *fp, const char *shortopts, const char *longopts, const char *datatype, const char *suffix);
-void arg_print_syntax(FILE *fp, void **argtable, const char *suffix);
-void arg_print_syntaxv(FILE *fp, void **argtable, const char *suffix);
-void arg_print_glossary(FILE *fp, void **argtable, const char *format);
-void arg_print_glossary_gnu(FILE *fp, void **argtable);
-void arg_print_errors(FILE* fp, struct arg_end* end, const char* progname);
-void arg_freetable(void **argtable, size_t n);
+ARG_EXTERN int arg_nullcheck(void** argtable);
+ARG_EXTERN int arg_parse(int argc, char** argv, void** argtable);
+ARG_EXTERN void arg_print_option(FILE* fp, const char* shortopts, const char* longopts, const char* datatype, const char* suffix);
+ARG_EXTERN void arg_print_syntax(FILE* fp, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_syntaxv(FILE* fp, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_glossary(FILE* fp, void** argtable, const char* format);
+ARG_EXTERN void arg_print_glossary_gnu(FILE* fp, void** argtable);
+ARG_EXTERN void arg_print_errors(FILE* fp, struct arg_end* end, const char* progname);
+ARG_EXTERN void arg_print_option_ds(arg_dstr_t ds, const char* shortopts, const char* longopts, const char* datatype, const char* suffix);
+ARG_EXTERN void arg_print_syntax_ds(arg_dstr_t ds, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_syntaxv_ds(arg_dstr_t ds, void** argtable, const char* suffix);
+ARG_EXTERN void arg_print_glossary_ds(arg_dstr_t ds, void** argtable, const char* format);
+ARG_EXTERN void arg_print_glossary_gnu_ds(arg_dstr_t ds, void** argtable);
+ARG_EXTERN void arg_print_errors_ds(arg_dstr_t ds, struct arg_end* end, const char* progname);
+ARG_EXTERN void arg_freetable(void** argtable, size_t n);
+
+ARG_EXTERN arg_dstr_t arg_dstr_create(void);
+ARG_EXTERN void arg_dstr_destroy(arg_dstr_t ds);
+ARG_EXTERN void arg_dstr_reset(arg_dstr_t ds);
+ARG_EXTERN void arg_dstr_free(arg_dstr_t ds);
+ARG_EXTERN void arg_dstr_set(arg_dstr_t ds, char* str, arg_dstr_freefn* free_proc);
+ARG_EXTERN void arg_dstr_cat(arg_dstr_t ds, const char* str);
+ARG_EXTERN void arg_dstr_catc(arg_dstr_t ds, char c);
+ARG_EXTERN void arg_dstr_catf(arg_dstr_t ds, const char* fmt, ...);
+ARG_EXTERN char* arg_dstr_cstr(arg_dstr_t ds);
+
+ARG_EXTERN void arg_cmd_init(void);
+ARG_EXTERN void arg_cmd_uninit(void);
+ARG_EXTERN void arg_cmd_register(const char* name, arg_cmdfn* proc, const char* description);
+ARG_EXTERN void arg_cmd_unregister(const char* name);
+ARG_EXTERN int arg_cmd_dispatch(const char* name, int argc, char* argv[], arg_dstr_t res);
+ARG_EXTERN unsigned int arg_cmd_count(void);
+ARG_EXTERN arg_cmd_info_t* arg_cmd_info(const char* name);
+ARG_EXTERN arg_cmd_itr_t arg_cmd_itr_create(void);
+ARG_EXTERN void arg_cmd_itr_destroy(arg_cmd_itr_t itr);
+ARG_EXTERN int arg_cmd_itr_advance(arg_cmd_itr_t itr);
+ARG_EXTERN char* arg_cmd_itr_key(arg_cmd_itr_t itr);
+ARG_EXTERN arg_cmd_info_t* arg_cmd_itr_value(arg_cmd_itr_t itr);
+ARG_EXTERN int arg_cmd_itr_search(arg_cmd_itr_t itr, void* k);
+ARG_EXTERN void arg_mgsort(void* data, int size, int esize, int i, int k, arg_comparefn* comparefn);
+ARG_EXTERN void arg_make_get_help_msg(arg_dstr_t res);
+ARG_EXTERN void arg_make_help_msg(arg_dstr_t ds, char* cmd_name, void** argtable);
+ARG_EXTERN void arg_make_syntax_err_msg(arg_dstr_t ds, void** argtable, struct arg_end* end);
+ARG_EXTERN int arg_make_syntax_err_help_msg(arg_dstr_t ds, char* name, int help, int nerrors, void** argtable, struct arg_end* end, int* exitcode);
+ARG_EXTERN void arg_set_module_name(const char* name);
+ARG_EXTERN void arg_set_module_version(int major, int minor, int patch, const char* tag);

 /**** deprecated functions, for back-compatibility only ********/
-void arg_free(void **argtable);
+ARG_EXTERN void arg_free(void** argtable);

 #ifdef __cplusplus
 }
--- a/client/cliparser/cliparser.c
+++ b/client/cliparser/cliparser.c
@ -153,23 +153,14 @@ void CLIParserFree() {
 // convertors
 int CLIParamHexToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen) {
 	*datalen = 0;
-	if (!argstr->count)
-		return 0;
 	
-	char buf[256] = {0};
 	int ibuf = 0;
+	uint8_t buf[256] = {0};
+	int res = CLIParamStrToBuf(argstr, buf, maxdatalen * 2, &ibuf); // *2 because here HEX
+	if (res || !ibuf)
+		return res;
 	
-	for (int i = 0; i < argstr->count; i++) {
-		int len = strlen(argstr->sval[i]);
-		memcpy(&buf[ibuf], argstr->sval[i], len);
-		ibuf += len;
-	}
-	buf[ibuf] = 0;
-  
-	if (!ibuf)
-		return 0;
-	
-	switch(param_gethex_to_eol(buf, 0, data, maxdatalen, datalen)) {
+	switch(param_gethex_to_eol((char *)buf, 0, data, maxdatalen, datalen)) {
 	case 1:
 		printf("Parameter error: Invalid HEX value.\n");
 		return 1;
@ -184,5 +175,31 @@ int CLIParamHexToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int
 	return 0;
 }

+int CLIParamStrToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen) {
+	*datalen = 0;
+	if (!argstr->count)
+		return 0;
+	
+	uint8_t buf[256] = {0};
+	int ibuf = 0;
+	
+	for (int i = 0; i < argstr->count; i++) {
+		int len = strlen(argstr->sval[i]);
+		memcpy(&buf[ibuf], argstr->sval[i], len);
+		ibuf += len;
+	}
+	buf[ibuf] = 0;
+  
+	if (!ibuf)
+		return 0;
+
+	if (ibuf > maxdatalen)
+		return 2;
+	
+	memcpy(data, buf, ibuf);
+	*datalen = ibuf;
+	
+	return 0;
+}


--- a/client/cliparser/cliparser.h
+++ b/client/cliparser/cliparser.h
@ -17,7 +17,9 @@

 #define arg_getsize(a) (sizeof(a) / sizeof(a[0]))
 #define arg_get_lit(n)(((struct arg_lit*)argtable[n])->count)
+#define arg_get_int_count(n)(((struct arg_int*)argtable[n])->count)
 #define arg_get_int(n)(((struct arg_int*)argtable[n])->ival[0])
+#define arg_get_int_def(n,def)(arg_get_int_count(n)?(arg_get_int(n)):(def))
 #define arg_get_str(n)((struct arg_str*)argtable[n])
 #define arg_get_str_len(n)(strlen(((struct arg_str*)argtable[n])->sval[0]))

@ -25,8 +27,9 @@
 #define arg_strx0(shortopts, longopts, datatype, glossary) (arg_strn((shortopts), (longopts), (datatype), 0, 250, (glossary)))

 #define CLIExecWithReturn(cmd, atbl, ifempty) if (CLIParserParseString(cmd, atbl, arg_getsize(atbl), ifempty)){CLIParserFree();return 0;}
-#define CLIGetStrBLessWithReturn(paramnum, data, datalen, delta) if (CLIParamHexToBuf(arg_get_str(paramnum), data, sizeof(data) - (delta), datalen)) {CLIParserFree();return 1;}
-#define CLIGetStrWithReturn(paramnum, data, datalen) if (CLIParamHexToBuf(arg_get_str(paramnum), data, sizeof(data), datalen)) {CLIParserFree();return 1;}
+#define CLIGetHexBLessWithReturn(paramnum, data, datalen, delta) if (CLIParamHexToBuf(arg_get_str(paramnum), data, sizeof(data) - (delta), datalen)) {CLIParserFree();return 1;}
+#define CLIGetHexWithReturn(paramnum, data, datalen) if (CLIParamHexToBuf(arg_get_str(paramnum), data, sizeof(data), datalen)) {CLIParserFree();return 1;}
+#define CLIGetStrWithReturn(paramnum, data, datalen) if (CLIParamStrToBuf(arg_get_str(paramnum), data, sizeof(data), datalen)) {CLIParserFree();return 1;}

 extern int CLIParserInit(char *vprogramName, char *vprogramHint, char *vprogramHelp);
 extern int CLIParserParseString(const char* str, void* argtable[], size_t vargtableLen, bool allowEmptyExec);
@ -35,3 +38,4 @@ extern int CLIParserParseArg(int argc, char **argv, void* argtable[], size_t var
 extern void CLIParserFree();

 extern int CLIParamHexToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen);
+extern int CLIParamStrToBuf(struct arg_str *argstr, uint8_t *data, int maxdatalen, int *datalen);
--- a/client/cmddata.c
+++ b/client/cmddata.c
@ -367,18 +367,20 @@ int Cmdmandecoderaw(const char *Cmd)
 	return 1;
 }

-//by marshmellow
-//biphase decode
-//take 01 or 10 = 0 and 11 or 00 = 1
-//takes 2 arguments "offset" default = 0 if 1 it will shift the decode by one bit
-// and "invert" default = 0 if 1 it will invert output
-//  the argument offset allows us to manually shift if the output is incorrect - [EDIT: now auto detects]
+/**
+ * @author marshmellow
+ * biphase decode
+ * decdoes  01 or 10 to 0 and 11 or 00 to 1
+ * param offset adjust start position
+ * param invert invert output
+ * param maxErr maximum tolerated errors
+ */
 int CmdBiphaseDecodeRaw(const char *Cmd)
 {
 	size_t size=0;
 	int offset=0, invert=0, maxErr=20, errCnt=0;
 	char cmdp = param_getchar(Cmd, 0);
-	if (strlen(Cmd) > 3 || cmdp == 'h' || cmdp == 'H') {
+	if (strlen(Cmd) > 7 || cmdp == 'h' || cmdp == 'H') {
 		PrintAndLog("Usage:  data biphaserawdecode [offset] [invert] [maxErr]");
 		PrintAndLog("     Converts 10 or 01 to 1 and 11 or 00 to 0");
 		PrintAndLog("     --must have binary sequence in demodbuffer (run data askrawdemod first)");
@ -427,7 +429,7 @@ int CmdBiphaseDecodeRaw(const char *Cmd)
 int ASKbiphaseDemod(const char *Cmd, bool verbose)
 {
 	//ask raw demod GraphBuffer first
-	int offset=0, clk=0, invert=0, maxErr=0;
+	int offset=0, clk=0, invert=0, maxErr=100;
 	sscanf(Cmd, "%i %i %i %i", &offset, &clk, &invert, &maxErr);

 	uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
@ -813,7 +815,7 @@ int FSKrawDemod(const char *Cmd, bool verbose)
 		setDemodBuf(BitStream,size,0);
 		setClockGrid(rfLen, startIdx);

-    // Now output the bitstream to the scrollback by line of 16 bits
+	// Now output the bitstream to the scrollback by line of 16 bits
 		if (verbose || g_debugMode) {
 			PrintAndLog("\nUsing Clock:%u, invert:%u, fchigh:%u, fclow:%u", (unsigned int)rfLen, (unsigned int)invert, (unsigned int)fchigh, (unsigned int)fclow);
 			PrintAndLog("%s decoded bitstream:",GetFSKType(fchigh,fclow,invert));
@ -1204,13 +1206,16 @@ int getSamples(int n, bool silent)
 	uint8_t bits_per_sample = 8;

 	//Old devices without this feature would send 0 at arg[0]
-	if(response.arg[0] > 0)
-	{
+	if(response.arg[0] > 0) {
+		#pragma GCC diagnostic push
+		#pragma GCC diagnostic ignored "-Waddress-of-packed-member"
 		sample_config *sc = (sample_config *) response.d.asBytes;
+		#pragma GCC diagnostic pop
 		if (!silent) PrintAndLog("Samples @ %d bits/smpl, decimation 1:%d ", sc->bits_per_sample
 		    , sc->decimation);
 		bits_per_sample = sc->bits_per_sample;
 	}
+
 	if(bits_per_sample < 8)
 	{
 		if (!silent) PrintAndLog("Unpacking...");
--- a/client/cmdhf.c
+++ b/client/cmdhf.c
@ -11,16 +11,12 @@

 #include "cmdhf.h"

-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
+#include <math.h>
+#include "usb_cmd.h"
 #include "comms.h"
-#include "util.h"
 #include "ui.h"
-#include "iso14443crc.h"
-#include "parity.h"
-#include "cmdmain.h"
 #include "cmdparser.h"
+#include "cliparser/cliparser.h"
 #include "cmdhf14a.h"
 #include "cmdhf14b.h"
 #include "cmdhf15.h"
@ -28,11 +24,14 @@
 #include "cmdhflegic.h"
 #include "cmdhficlass.h"
 #include "cmdhfmf.h"
+#include "cmdhfmfp.h"
 #include "cmdhfmfu.h"
 #include "cmdhftopaz.h"
-#include "protocols.h"
-#include "emv/cmdemv.h"
 #include "cmdhflist.h"
+#include "cmdhffido.h"
+#include "cmddata.h"
+#include "graph.h"
+#include "fpga.h"

 static int CmdHelp(const char *Cmd);

@ -43,510 +42,6 @@ int CmdHFTune(const char *Cmd)
  return 0;
 }

-/**
- * @brief iso14443B_CRC_check Checks CRC in command or response
- * @param isResponse
- * @param data
- * @param len
- * @return  0 : CRC-command, CRC not ok
- *          1 : CRC-command, CRC ok
- *          2 : Not crc-command
- */
-
-uint8_t iso14443B_CRC_check(bool isResponse, uint8_t* data, uint8_t len)
-{
-	uint8_t b1,b2;
-
-	if(len <= 2) return 2;
-
-	ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2);
-	if(b1 != data[len-2] || b2 != data[len-1]) {
-		return 0;
-	} else {
-		return 1;
-	}
-}
-
-/**
- * @brief iclass_CRC_Ok Checks CRC in command or response
- * @param isResponse
- * @param data
- * @param len
- * @return  0 : CRC-command, CRC not ok
- *	        1 : CRC-command, CRC ok
- *          2 : Not crc-command
- */
-uint8_t iclass_CRC_check(bool isResponse, uint8_t* data, uint8_t len)
-{
-	if(len < 4) return 2;//CRC commands (and responses) are all at least 4 bytes
-
-	uint8_t b1, b2;
-
-	if(!isResponse)//Commands to tag
-	{
-		/**
-		  These commands should have CRC. Total length leftmost
-		  4	READ
-		  4 READ4
-		  12 UPDATE - unsecured, ends with CRC16
-		  14 UPDATE - secured, ends with signature instead
-		  4 PAGESEL
-		  **/
-		if(len == 4 || len == 12)//Covers three of them
-		{
-			//Don't include the command byte
-			ComputeCrc14443(CRC_ICLASS, (data+1), len-3, &b1, &b2);
-			return b1 == data[len -2] && b2 == data[len-1];
-		}
-		return 2;
-	}else{
-		/**
-		These tag responses should have CRC. Total length leftmost
-
-		10  READ		data[8] crc[2]
-		34  READ4		data[32]crc[2]
-		10  UPDATE	data[8] crc[2]
-		10 SELECT	csn[8] crc[2]
-		10  IDENTIFY  asnb[8] crc[2]
-		10  PAGESEL   block1[8] crc[2]
-		10  DETECT    csn[8] crc[2]
-
-		These should not
-
-		4  CHECK		chip_response[4]
-		8  READCHECK data[8]
-		1  ACTALL    sof[1]
-		1  ACT	     sof[1]
-
-		In conclusion, without looking at the command; any response
-		of length 10 or 34 should have CRC
-		  **/
-		if(len != 10 && len != 34) return true;
-
-		ComputeCrc14443(CRC_ICLASS, data, len-2, &b1, &b2);
-		return b1 == data[len -2] && b2 == data[len-1];
-	}
-}
-
-
-bool is_last_record(uint16_t tracepos, uint8_t *trace, uint16_t traceLen)
-{
-	return(tracepos + sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) >= traceLen);
-}
-
-
-bool next_record_is_response(uint16_t tracepos, uint8_t *trace)
-{
-	uint16_t next_records_datalen = *((uint16_t *)(trace + tracepos + sizeof(uint32_t) + sizeof(uint16_t)));
-	
-	return(next_records_datalen & 0x8000);
-}
-
-
-bool merge_topaz_reader_frames(uint32_t timestamp, uint32_t *duration, uint16_t *tracepos, uint16_t traceLen, uint8_t *trace, uint8_t *frame, uint8_t *topaz_reader_command, uint16_t *data_len)
-{
-
-#define MAX_TOPAZ_READER_CMD_LEN	16
-
-	uint32_t last_timestamp = timestamp + *duration;
-
-	if ((*data_len != 1) || (frame[0] == TOPAZ_WUPA) || (frame[0] == TOPAZ_REQA)) return false;
-
-	memcpy(topaz_reader_command, frame, *data_len);
-
-	while (!is_last_record(*tracepos, trace, traceLen) && !next_record_is_response(*tracepos, trace)) {
-		uint32_t next_timestamp = *((uint32_t *)(trace + *tracepos));
-		*tracepos += sizeof(uint32_t);
-		uint16_t next_duration = *((uint16_t *)(trace + *tracepos));
-		*tracepos += sizeof(uint16_t);
-		uint16_t next_data_len = *((uint16_t *)(trace + *tracepos)) & 0x7FFF;
-		*tracepos += sizeof(uint16_t);
-		uint8_t *next_frame = (trace + *tracepos);
-		*tracepos += next_data_len;
-		if ((next_data_len == 1) && (*data_len + next_data_len <= MAX_TOPAZ_READER_CMD_LEN)) {
-			memcpy(topaz_reader_command + *data_len, next_frame, next_data_len);
-			*data_len += next_data_len;
-			last_timestamp = next_timestamp + next_duration;
-		} else {
-			// rewind and exit
-			*tracepos = *tracepos - next_data_len - sizeof(uint16_t) - sizeof(uint16_t) - sizeof(uint32_t);
-			break;
-		}
-		uint16_t next_parity_len = (next_data_len-1)/8 + 1;
-		*tracepos += next_parity_len;
-	}
-
-	*duration = last_timestamp - timestamp;
-	
-	return true;
-}
-
-
-uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *trace, uint8_t protocol, bool showWaitCycles, bool markCRCBytes)
-{
-	bool isResponse;
-	uint16_t data_len, parity_len;
-	uint32_t duration;
-	uint8_t topaz_reader_command[9];
-	uint32_t timestamp, first_timestamp, EndOfTransmissionTimestamp;
-	char explanation[30] = {0};
-	uint8_t mfData[32] = {0};
-	size_t mfDataLen = 0;
-
-	if (tracepos + sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) > traceLen) return traceLen;
-	
-	first_timestamp = *((uint32_t *)(trace));
-	timestamp = *((uint32_t *)(trace + tracepos));
-
-	tracepos += 4;
-	duration = *((uint16_t *)(trace + tracepos));
-	tracepos += 2;
-	data_len = *((uint16_t *)(trace + tracepos));
-	tracepos += 2;
-
-	if (data_len & 0x8000) {
-	  data_len &= 0x7fff;
-	  isResponse = true;
-	} else {
-	  isResponse = false;
-	}
-	parity_len = (data_len-1)/8 + 1;
-
-	if (tracepos + data_len + parity_len > traceLen) {
-		return traceLen;
-	}
-	uint8_t *frame = trace + tracepos;
-	tracepos += data_len;
-	uint8_t *parityBytes = trace + tracepos;
-	tracepos += parity_len;
-
-	if (protocol == TOPAZ && !isResponse) {
-		// topaz reader commands come in 1 or 9 separate frames with 7 or 8 Bits each.
-		// merge them:
-		if (merge_topaz_reader_frames(timestamp, &duration, &tracepos, traceLen, trace, frame, topaz_reader_command, &data_len)) {
-			frame = topaz_reader_command;
-		}
-	}
-	
-	//Check the CRC status
-	uint8_t crcStatus = 2;
-
-	if (data_len > 2) {
-		switch (protocol) {
-			case ICLASS:
-				crcStatus = iclass_CRC_check(isResponse, frame, data_len);
-				break;
-			case ISO_14443B:
-			case TOPAZ:
-				crcStatus = iso14443B_CRC_check(isResponse, frame, data_len); 
-				break;
-			case PROTO_MIFARE:
-				crcStatus = mifare_CRC_check(isResponse, frame, data_len);
-				break;
-			case ISO_14443A:
-				crcStatus = iso14443A_CRC_check(isResponse, frame, data_len);
-				break;
-			default: 
-				break;
-		}
-	}
-	//0 CRC-command, CRC not ok
-	//1 CRC-command, CRC ok
-	//2 Not crc-command
-
-	//--- Draw the data column
-	//char line[16][110];
-	char line[16][110];
-
-	for (int j = 0; j < data_len && j/16 < 16; j++) {
-
-		uint8_t parityBits = parityBytes[j>>3];
-		if (protocol != ISO_14443B && (isResponse || protocol == ISO_14443A) && (oddparity8(frame[j]) != ((parityBits >> (7-(j&0x0007))) & 0x01))) {
-			snprintf(line[j/16]+(( j % 16) * 4),110, "%02x! ", frame[j]);
-		} else {
-			snprintf(line[j/16]+(( j % 16) * 4), 110, " %02x ", frame[j]);
-		}
-
-	}
-
-	if (markCRCBytes) {
-		if(crcStatus == 0 || crcStatus == 1)
-		{//CRC-command
-			char *pos1 = line[(data_len-2)/16]+(((data_len-2) % 16) * 4);
-			(*pos1) = '[';
-			char *pos2 = line[(data_len)/16]+(((data_len) % 16) * 4);
-			sprintf(pos2, "%c", ']');
-		}
-	}
-
-	if(data_len == 0)
-	{
-		if(data_len == 0){
-			sprintf(line[0],"<empty trace - possible error>");
-		}
-	}
-	//--- Draw the CRC column
-
-	char *crc = (crcStatus == 0 ? "!crc" : (crcStatus == 1 ? " ok " : "    "));
-
-	EndOfTransmissionTimestamp = timestamp + duration;
-
-	if (protocol == PROTO_MIFARE)
-		annotateMifare(explanation, sizeof(explanation), frame, data_len, parityBytes, parity_len, isResponse);
-	
-	if(!isResponse)
-	{
-		switch(protocol) {
-			case ICLASS:		annotateIclass(explanation,sizeof(explanation),frame,data_len); break;
-			case ISO_14443A:	annotateIso14443a(explanation,sizeof(explanation),frame,data_len); break;
-			case ISO_14443B:	annotateIso14443b(explanation,sizeof(explanation),frame,data_len); break;
-			case TOPAZ:			annotateTopaz(explanation,sizeof(explanation),frame,data_len); break;
-			default:			break;
-		}
-	}
-
-	int num_lines = MIN((data_len - 1)/16 + 1, 16);
-	for (int j = 0; j < num_lines ; j++) {
-		if (j == 0) {
-			PrintAndLog(" %10d | %10d | %s |%-64s | %s| %s",
-				(timestamp - first_timestamp),
-				(EndOfTransmissionTimestamp - first_timestamp),
-				(isResponse ? "Tag" : "Rdr"),
-				line[j],
-				(j == num_lines-1) ? crc : "    ",
-				(j == num_lines-1) ? explanation : "");
-		} else {
-			PrintAndLog("            |            |     |%-64s | %s| %s",
-				line[j],
-				(j == num_lines-1) ? crc : "    ",
-				(j == num_lines-1) ? explanation : "");
-		}
-	}
-	
-	if (DecodeMifareData(frame, data_len, parityBytes, isResponse, mfData, &mfDataLen)) {
-		memset(explanation, 0x00, sizeof(explanation));
-		if (!isResponse) {
-			explanation[0] = '>';
-			annotateIso14443a(&explanation[1], sizeof(explanation) - 1, mfData, mfDataLen);
-		}
-		uint8_t crcc = iso14443A_CRC_check(isResponse, mfData, mfDataLen);
-		PrintAndLog("            |          * | dec |%-64s | %-4s| %s",
-			sprint_hex(mfData, mfDataLen),
-			(crcc == 0 ? "!crc" : (crcc == 1 ? " ok " : "    ")),
-			(true) ? explanation : "");
-	};
-
-	if (is_last_record(tracepos, trace, traceLen)) return traceLen;
-	
-	if (showWaitCycles && !isResponse && next_record_is_response(tracepos, trace)) {
-		uint32_t next_timestamp = *((uint32_t *)(trace + tracepos));
-		PrintAndLog(" %10d | %10d | %s | fdt (Frame Delay Time): %d",
-			(EndOfTransmissionTimestamp - first_timestamp),
-			(next_timestamp - first_timestamp),
-			"   ",
-			(next_timestamp - EndOfTransmissionTimestamp));
-	}
-
-	return tracepos;
-}
-
-
-int CmdHFList(const char *Cmd)
-{
-	#ifdef WITH_SMARTCARD
-		PrintAndLog("TEST_WITH_SMARTCARD");
-	#endif
-	#ifdef WITH_TEST
-		PrintAndLog("TEST_WITH_TEST");
-	#endif
-	bool showWaitCycles = false;
-	bool markCRCBytes = false;
-	bool loadFromFile = false;
-	bool saveToFile = false;
-	char param1 = '\0';
-	char param2 = '\0';
-	char param3 = '\0';
-	char type[40] = {0};
-	char filename[FILE_PATH_SIZE] = {0};
-	uint8_t protocol = 0;
-	
-	// parse command line
-	int tlen = param_getstr(Cmd, 0, type, sizeof(type));
-	if (param_getlength(Cmd, 1) == 1) {
-		param1 = param_getchar(Cmd, 1);
-	} else {
-		param_getstr(Cmd, 1, filename, sizeof(filename));
-	}
-	if (param_getlength(Cmd, 2) == 1) {
-		param2 = param_getchar(Cmd, 2);
-	} else if (strlen(filename) == 0) {
-		param_getstr(Cmd, 2, filename, sizeof(filename));
-	}
-	if (param_getlength(Cmd, 3) == 1) {
-		param3 = param_getchar(Cmd, 3);
-	} else if (strlen(filename) == 0) {
-		param_getstr(Cmd, 3, filename, sizeof(filename));
-	}
-
-	// Validate param1
-	bool errors = false;
-
-	if(tlen == 0) {
-		errors = true;
-	}
-
-	if(param1 == 'h'
-			|| (param1 != 0 && param1 != 'f' && param1 != 'c' && param1 != 'l')
-			|| (param2 != 0 && param2 != 'f' && param2 != 'c' && param2 != 'l')
-			|| (param3 != 0 && param3 != 'f' && param3 != 'c' && param3 != 'l')) {
-		errors = true;
-	}
-
-	if(!errors) {
-		if(strcmp(type, "iclass") == 0)	{
-			protocol = ICLASS;
-		} else if(strcmp(type, "mf") == 0) {
-			protocol = PROTO_MIFARE;
-		} else if(strcmp(type, "14a") == 0) {
-			protocol = ISO_14443A;
-		} else if(strcmp(type, "14b") == 0)	{
-			protocol = ISO_14443B;
-		} else if(strcmp(type,"topaz") == 0) {
-			protocol = TOPAZ;
-		} else if(strcmp(type,"raw") == 0) {
-			protocol = -1; //No crc, no annotations
-		} else if (strcmp(type, "save") == 0) {
-			saveToFile = true;
-		} else {
-			errors = true;
-		}
-	}
-	
-	if (param1 == 'f' || param2 == 'f' || param3 == 'f') {
-		showWaitCycles = true;
-	}
-
-	if (param1 == 'c' || param2 == 'c' || param3 == 'c') {
-		markCRCBytes = true;
-	}
-
-	if (param1 == 'l' || param2 == 'l' || param3 == 'l') {
-		loadFromFile = true;
-	}
-
-	if ((loadFromFile || saveToFile) && strlen(filename) == 0) {
-		errors = true;
-	}
-
-	if (loadFromFile && saveToFile) {
-		errors = true;
-	}
-	
-	if (errors) {
-		PrintAndLog("List or save protocol data.");
-		PrintAndLog("Usage:  hf list <protocol> [f] [c] [l <filename>]");
-		PrintAndLog("        hf list save <filename>");
-		PrintAndLog("    f      - show frame delay times as well");
-		PrintAndLog("    c      - mark CRC bytes");
-		PrintAndLog("    l      - load data from file instead of trace buffer");
-		PrintAndLog("    save   - save data to file");
-		PrintAndLog("Supported <protocol> values:");
-		PrintAndLog("    raw    - just show raw data without annotations");
-		PrintAndLog("    14a    - interpret data as iso14443a communications");
-		PrintAndLog("    mf     - interpret data as iso14443a communications and decrypt crypto1 stream");
-		PrintAndLog("    14b    - interpret data as iso14443b communications");
-		PrintAndLog("    iclass - interpret data as iclass communications");
-		PrintAndLog("    topaz  - interpret data as topaz communications");
-		PrintAndLog("");
-		PrintAndLog("example: hf list 14a f");
-		PrintAndLog("example: hf list iclass");
-		PrintAndLog("example: hf list save myCardTrace.trc");
-		PrintAndLog("example: hf list 14a l myCardTrace.trc");
-		return 0;
-	}
-
-
-	uint8_t *trace;
-	uint32_t tracepos = 0;
-	uint32_t traceLen = 0;
-	
-	if (loadFromFile) {
-		#define TRACE_CHUNK_SIZE (1<<16)		// 64K to start with. Will be enough for BigBuf and some room for future extensions
-		FILE *tracefile = NULL;
-		size_t bytes_read;
-		trace = malloc(TRACE_CHUNK_SIZE);
-		if (trace == NULL) {
-			PrintAndLog("Cannot allocate memory for trace");
-			return 2;
-		}
-		if ((tracefile = fopen(filename,"rb")) == NULL) { 
-			PrintAndLog("Could not open file %s", filename);
-			free(trace);
-			return 0;
-		}
-		while (!feof(tracefile)) {
-			bytes_read = fread(trace+traceLen, 1, TRACE_CHUNK_SIZE, tracefile);
-			traceLen += bytes_read;
-			if (!feof(tracefile)) {
-				uint8_t *p = realloc(trace, traceLen + TRACE_CHUNK_SIZE);
-				if (p == NULL) {
-					PrintAndLog("Cannot allocate memory for trace");
-					free(trace);
-					fclose(tracefile);
-					return 2;
-				}
-				trace = p;
-			}
-		}
-		fclose(tracefile);
-	} else {
-		trace = malloc(USB_CMD_DATA_SIZE);
-		// Query for the size of the trace
-		UsbCommand response;
-		GetFromBigBuf(trace, USB_CMD_DATA_SIZE, 0, &response, -1, false);
-		traceLen = response.arg[2];
-		if (traceLen > USB_CMD_DATA_SIZE) {
-			uint8_t *p = realloc(trace, traceLen);
-			if (p == NULL) {
-				PrintAndLog("Cannot allocate memory for trace");
-				free(trace);
-				return 2;
-			}
-			trace = p;
-			GetFromBigBuf(trace, traceLen, 0, NULL, -1, false);
-		}
-	}
-
-	if (saveToFile) {
-		FILE *tracefile = NULL;
-		if ((tracefile = fopen(filename,"wb")) == NULL) { 
-			PrintAndLog("Could not create file %s", filename);
-			return 1;
-		}
-		fwrite(trace, 1, traceLen, tracefile);
-		PrintAndLog("Recorded Activity (TraceLen = %d bytes) written to file %s", traceLen, filename);
-		fclose(tracefile);
-	} else {
-		PrintAndLog("Recorded Activity (TraceLen = %d bytes)", traceLen);
-		PrintAndLog("");
-		PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
-		PrintAndLog("iso14443a - All times are in carrier periods (1/13.56Mhz)");
-		PrintAndLog("iClass    - Timings are not as accurate");
-		PrintAndLog("");
-		PrintAndLog("      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |");
-		PrintAndLog("------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|");
-
-		ClearAuthData();
-		while(tracepos < traceLen)
-		{
-			tracepos = printTraceLine(tracepos, traceLen, trace, protocol, showWaitCycles, markCRCBytes);
-		}
-	}
-
-	free(trace);
-	return 0;
-}
-
 int CmdHFSearch(const char *Cmd){
 	int ans = 0;
 	PrintAndLog("");
@ -555,7 +50,7 @@ int CmdHFSearch(const char *Cmd){
 		PrintAndLog("\nValid ISO14443A Tag Found - Quiting Search\n");
 		return ans;
 	}
-	ans = HFiClassReader("", false, false);
+	ans = HFiClassReader(false, false);
 	if (ans) {
 		PrintAndLog("\nValid iClass Tag (or PicoPass Tag) Found - Quiting Search\n");
 		return ans;
@ -566,11 +61,16 @@ int CmdHFSearch(const char *Cmd){
 		return ans;
 	}
 	//14b is longest test currently (and rarest chip type) ... put last
-	ans = HF14BInfo(false);
+	ans = infoHF14B(false);
 	if (ans) {
 		PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n");
 		return ans;
 	}
+	ans = CmdLegicRFRead("");
+	if (ans == 0) {
+		PrintAndLog("\nValid Legic Tag Found - Quiting Search\n");
+		return ans;
+	}
 	PrintAndLog("\nno known/supported 13.56 MHz tags found\n");
 	return 0;
 }
@ -583,24 +83,77 @@ int CmdHFSnoop(const char *Cmd)
 	return 0;
 }

+
+// static void InterpolateShannon(int *source, size_t source_len, int *dest, size_t dest_len)
+// {
+	// int *buf = (int*)malloc(source_len * sizeof(int));
+	// memcpy(buf, source, source_len * sizeof(int));
+	// for (int i = 0; i < source_len; i++) {
+		// buf[i] += 128;
+	// }
+	// for (int i = 0; i < dest_len; i++) {
+		// float value = 0.0;
+		// for (int j = 0; j < source_len; j++) {
+			// if (i * source_len == j * dest_len) { // sin(0) / 0 = 1
+				// value += (float)buf[j];
+			// } else {
+				// value += (float)buf[j] * sin(((float)i*source_len/dest_len-j)*3.1415) / (((float)i*source_len/dest_len-j)*3.1415);
+			// }
+		// }
+		// dest[i] = value - 128;
+	// }
+	// free(buf);
+// }
+
+
+static int CmdHFPlot(const char *Cmd)
+{
+	CLIParserInit("hf plot",
+		"Plots HF signal after RF signal path and A/D conversion.",
+		"This can be used after any hf command and will show the last few milliseconds of the HF signal.\n"
+		"Note: If the last hf command terminated because of a timeout you will most probably see nothing.\n");
+	void* argtable[] = {
+		arg_param_begin,
+		arg_param_end
+	};
+	CLIExecWithReturn(Cmd, argtable, true);
+
+	uint8_t buf[FPGA_TRACE_SIZE];
+
+	if (GetFromFpgaRAM(buf, FPGA_TRACE_SIZE)) {
+		for (size_t i = 0; i < FPGA_TRACE_SIZE; i++) {
+			GraphBuffer[i] = (int)buf[i] - 128;
+		}
+		GraphTraceLen = FPGA_TRACE_SIZE;
+		// InterpolateShannon(GraphBuffer, FPGA_TRACE_SIZE, GraphBuffer, FPGA_TRACE_SIZE*8/7);
+		// GraphTraceLen = FPGA_TRACE_SIZE*8/7;
+		ShowGraphWindow();
+		RepaintGraphWindow();
+	}
+	return 0;
+}
+
+
 static command_t CommandTable[] =
 {
-	{"help",	CmdHelp,		1, "This help"},
-	{"14a",		CmdHF14A,		1, "{ ISO14443A RFIDs... }"},
-	{"14b",		CmdHF14B,		1, "{ ISO14443B RFIDs... }"},
-	{"15",		CmdHF15,		1, "{ ISO15693 RFIDs... }"},
-	{"epa",		CmdHFEPA,		1, "{ German Identification Card... }"},
-	{"emv",		CmdHFEMV,		1, "{ EMV cards... }"},
-	{"legic",	CmdHFLegic,		0, "{ LEGIC RFIDs... }"},
-	{"iclass",	CmdHFiClass,	1, "{ ICLASS RFIDs... }"},
-	{"mf",		CmdHFMF,		1, "{ MIFARE RFIDs... }"},
-	{"mfu",		CmdHFMFUltra,	1, "{ MIFARE Ultralight RFIDs... }"},
-	{"topaz",	CmdHFTopaz,		1, "{ TOPAZ (NFC Type 1) RFIDs... }"},
-	{"tune",	CmdHFTune,		0, "Continuously measure HF antenna tuning"},
-	{"list",	CmdHFList,		1, "List protocol data in trace buffer"},
-	{"search",	CmdHFSearch,	1, "Search for known HF tags [preliminary]"},
+	{"help",    CmdHelp,        1, "This help"},
+	{"14a",     CmdHF14A,       0, "{ ISO14443A RFIDs... }"},
+	{"14b",     CmdHF14B,       0, "{ ISO14443B RFIDs... }"},
+	{"15",      CmdHF15,        1, "{ ISO15693 RFIDs... }"},
+	{"epa",     CmdHFEPA,       0, "{ German Identification Card... }"},
+	{"legic",   CmdHFLegic,     0, "{ LEGIC RFIDs... }"},
+	{"iclass",  CmdHFiClass,    1, "{ ICLASS RFIDs... }"},
+	{"mf",      CmdHFMF,        1, "{ MIFARE RFIDs... }"},
+	{"mfu",     CmdHFMFUltra,   1, "{ MIFARE Ultralight RFIDs... }"},
+	{"mfp",     CmdHFMFP,       0, "{ MIFARE Plus RFIDs... }"},
+	{"topaz",   CmdHFTopaz,     0, "{ TOPAZ (NFC Type 1) RFIDs... }"},
+	{"fido",    CmdHFFido,      0, "{ FIDO and FIDO2 authenticators... }"},
+	{"tune",    CmdHFTune,      0, "Continuously measure HF antenna tuning"},
+	{"list",    CmdHFList,      1, "List protocol data in trace buffer"},
+	{"plot",    CmdHFPlot,      0, "Plot signal"},
+	{"search",  CmdHFSearch,    0, "Search for known HF tags [preliminary]"},
 	{"snoop",   CmdHFSnoop,     0, "<samples to skip (10000)> <triggers to skip (1)> Generic HF Snoop"},
-	{NULL,		NULL,			0, NULL}
+	{NULL,      NULL,           0, NULL}
 };

 int CmdHF(const char *Cmd)
--- a/client/cmdhf.h
+++ b/client/cmdhf.h
@ -13,5 +13,5 @@

 int CmdHF(const char *Cmd);
 int CmdHFTune(const char *Cmd);
-int CmdHFList(const char *Cmd);
+
 #endif
--- a/client/cmdhf14a.c
+++ b/client/cmdhf14a.c
@ -1,6 +1,6 @@
 //-----------------------------------------------------------------------------
-// 2011, 2017 Merlok
 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
+// 2011, 2017 - 2019 Merlok
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@ -27,108 +27,18 @@
 #include "cmdmain.h"
 #include "mifare.h"
 #include "cmdhfmfu.h"
-#include "mifarehost.h"
+#include "mifare/mifarehost.h"
 #include "cliparser/cliparser.h"
 #include "emv/apduinfo.h"
 #include "emv/emvcore.h"
+#include "taginfo.h"

 static int CmdHelp(const char *Cmd);
 static int waitCmd(uint8_t iLen);

-// structure and database for uid -> tagtype lookups 
-typedef struct { 
-	uint8_t uid;
-	char* desc;
-} manufactureName; 
-
-static const manufactureName manufactureMapping[] = {
-	// ID,  "Vendor Country"
-	{ 0x01, "Motorola UK" },
-	{ 0x02, "ST Microelectronics SA France" },
-	{ 0x03, "Hitachi, Ltd Japan" }, 
-	{ 0x04, "NXP Semiconductors Germany" }, 
-	{ 0x05, "Infineon Technologies AG Germany" }, 
-	{ 0x06, "Cylink USA" }, 
-	{ 0x07, "Texas Instrument France" },
-	{ 0x08, "Fujitsu Limited Japan" }, 
-	{ 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" }, 
-	{ 0x0A, "NEC Japan" }, 
-	{ 0x0B, "Oki Electric Industry Co. Ltd Japan" },
-	{ 0x0C, "Toshiba Corp. Japan" },
-	{ 0x0D, "Mitsubishi Electric Corp. Japan" },
-	{ 0x0E, "Samsung Electronics Co. Ltd Korea" },
-	{ 0x0F, "Hynix / Hyundai, Korea" },
-	{ 0x10, "LG-Semiconductors Co. Ltd Korea" },
-	{ 0x11, "Emosyn-EM Microelectronics USA" },
-	{ 0x12, "INSIDE Technology France" },
-	{ 0x13, "ORGA Kartensysteme GmbH Germany" },
-	{ 0x14, "SHARP Corporation Japan" },
-	{ 0x15, "ATMEL France" },
-	{ 0x16, "EM Microelectronic-Marin SA Switzerland" },
-	{ 0x17, "KSW Microtec GmbH Germany" },
-	{ 0x18, "ZMD AG Germany" },
-	{ 0x19, "XICOR, Inc. USA" },
-	{ 0x1A, "Sony Corporation Japan Identifier Company Country" },
-	{ 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
-	{ 0x1C, "Emosyn USA" },
-	{ 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
-	{ 0x1E, "Magellan Technology Pty Limited Australia" },
-	{ 0x1F, "Melexis NV BO Switzerland" },
-	{ 0x20, "Renesas Technology Corp. Japan" },
-	{ 0x21, "TAGSYS France" },
-	{ 0x22, "Transcore USA" },
-	{ 0x23, "Shanghai belling corp., ltd. China" },
-	{ 0x24, "Masktech Germany Gmbh Germany" },
-	{ 0x25, "Innovision Research and Technology Plc UK" },
-	{ 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
-	{ 0x27, "Cypak AB Sweden" },
-	{ 0x28, "Ricoh Japan" },
-	{ 0x29, "ASK France" },
-	{ 0x2A, "Unicore Microsystems, LLC Russian Federation" },
-	{ 0x2B, "Dallas Semiconductor/Maxim USA" },
-	{ 0x2C, "Impinj, Inc. USA" },
-	{ 0x2D, "RightPlug Alliance USA" },
-	{ 0x2E, "Broadcom Corporation USA" },
-	{ 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
-	{ 0x30, "BeeDar Technology Inc. USA" },
-	{ 0x31, "RFIDsec Denmark" },
-	{ 0x32, "Schweizer Electronic AG Germany" },
-	{ 0x33, "AMIC Technology Corp Taiwan" }, 
-	{ 0x34, "Mikron JSC Russia" },
-	{ 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
-	{ 0x36, "IDS Microchip AG Switzerland" },
-	{ 0x37, "Kovio USA" },
-	{ 0x38, "HMT Microelectronic Ltd Switzerland Identifier Company Country" },
-	{ 0x39, "Silicon Craft Technology Thailand" },
-	{ 0x3A, "Advanced Film Device Inc. Japan" },
-	{ 0x3B, "Nitecrest Ltd UK" },
-	{ 0x3C, "Verayo Inc. USA" },
-	{ 0x3D, "HID Global USA" },
-	{ 0x3E, "Productivity Engineering Gmbh Germany" },
-	{ 0x3F, "Austriamicrosystems AG (reserved) Austria" }, 
-	{ 0x40, "Gemalto SA France" },
-	{ 0x41, "Renesas Electronics Corporation Japan" },
-	{ 0x42, "3Alogics Inc Korea" },
-	{ 0x43, "Top TroniQ Asia Limited Hong Kong" },
-	{ 0x44, "Gentag Inc (USA) USA" },
-	{ 0x00, "no tag-info available" } // must be the last entry
-};
-
-// get a product description based on the UID
-//		uid[8] 	tag uid
-// returns description of the best match	
-char* getTagInfo(uint8_t uid) {
-
-	int i;
-	int len = sizeof(manufactureMapping) / sizeof(manufactureName);
-	
-	for ( i = 0; i < len; ++i ) 
-		if ( uid == manufactureMapping[i].uid) 
-			return manufactureMapping[i].desc;
-
-	//No match, return default
-	return manufactureMapping[len-1].desc; 
-}
+// iso14a apdu input frame length
+static uint16_t frameLength = 0;
+uint16_t atsFSC[] = {16, 24, 32, 40, 48, 64, 96, 128, 256};

 int CmdHF14AList(const char *Cmd)
 {
@ -136,6 +46,45 @@ int CmdHF14AList(const char *Cmd)
 	return 0;
 }

+int Hf14443_4aGetCardData(iso14a_card_select_t *card) {
+	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
+	SendCommand(&c);
+
+	UsbCommand resp;
+	WaitForResponse(CMD_NACK, &resp);
+
+	memcpy(card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
+
+	uint64_t select_status = resp.arg[0];       // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+
+	if (select_status == 0) {
+		PrintAndLog("E->iso14443a card select failed");
+		return 1;
+	}
+
+	if (select_status == 2) {
+		PrintAndLog("E->Card doesn't support iso14443-4 mode");
+		return 1;
+	}
+
+	if (select_status == 3) {
+		PrintAndLog("E->Card doesn't support standard iso14443-3 anticollision");
+		PrintAndLog("\tATQA : %02x %02x", card->atqa[1], card->atqa[0]);
+		return 1;
+	}
+
+	PrintAndLog(" UID: %s", sprint_hex(card->uid, card->uidlen));
+	PrintAndLog("ATQA: %02x %02x", card->atqa[1], card->atqa[0]);
+	PrintAndLog(" SAK: %02x [%" PRIu64 "]", card->sak, resp.arg[0]);
+	if(card->ats_len < 3) {         // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
+		PrintAndLog("E-> Error ATS length(%d) : %s", card->ats_len, sprint_hex(card->ats, card->ats_len));
+		return 1;
+	}
+	PrintAndLog(" ATS: %s", sprint_hex(card->ats, card->ats_len));
+
+	return 0;
+}
+
 int CmdHF14AReader(const char *Cmd) {
 	uint32_t cm = ISO14A_CONNECT;
 	bool leaveSignalON = false;
@ -176,7 +125,7 @@ int CmdHF14AReader(const char *Cmd) {
 		iso14a_card_select_t card;
 		memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));

-		uint64_t select_status = resp.arg[0];		// 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+		uint64_t select_status = resp.arg[0];       // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision

 		if(select_status == 0) {
 			PrintAndLog("iso14443a card select failed");
@ -192,7 +141,7 @@ int CmdHF14AReader(const char *Cmd) {
 		PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
 		PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
 		PrintAndLog(" SAK : %02x [%" PRIu64 "]", card.sak, resp.arg[0]);
-		if(card.ats_len >= 3) {			// a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
+		if(card.ats_len >= 3) {         // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
 			PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
 		}
 		if (leaveSignalON) {
@ -207,20 +156,24 @@ int CmdHF14AReader(const char *Cmd) {
 	return 0;
 }

-int CmdHF14AInfo(const char *Cmd)
-{
+
+int CmdHF14AInfo(const char *Cmd) {
+
 	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
 	SendCommand(&c);

 	UsbCommand resp;
-	WaitForResponse(CMD_ACK,&resp);
+	if (!WaitForResponseTimeout(CMD_NACK, &resp, 500)) {
+		if (Cmd[0] != 's') PrintAndLog("Error: No response from Proxmark.\n");
+		return 0;
+	}
 	
 	iso14a_card_select_t card;
 	memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));

-	uint64_t select_status = resp.arg[0];		// 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+	uint64_t select_status = resp.arg[0];       // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision

-	if(select_status == 0) {
+	if (select_status == 0) {
 		if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
 		// disconnect
 		c.arg[0] = 0;
@ -268,13 +221,13 @@ int CmdHF14AInfo(const char *Cmd)
 			SendCommand(&c);

 			UsbCommand resp;
-			WaitForResponse(CMD_ACK,&resp);
+			WaitForResponse(CMD_NACK,&resp);

 			memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));

-			select_status = resp.arg[0];		// 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
+			select_status = resp.arg[0];        // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS

-			if(select_status == 0) {
+			if (select_status == 0) {
 				//PrintAndLog("iso14443a card select failed");
 				// disconnect
 				c.arg[0] = 0;
@ -323,8 +276,8 @@ int CmdHF14AInfo(const char *Cmd)

 	// Double & triple sized UID, can be mapped to a manufacturer.
 	// HACK: does this apply for Ultralight cards?
-	if ( card.uidlen > 4 ) {
-		PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
+	if (card.uidlen > 4) {
+		PrintAndLog("MANUFACTURER : %s", getManufacturerName(card.uid[0]));
 	}

 	// try to request ATS even if tag claims not to support it
@ -337,11 +290,11 @@ int CmdHF14AInfo(const char *Cmd)
 		SendCommand(&c);
 		WaitForResponse(CMD_ACK,&resp);

-	    memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
-		card.ats_len = resp.arg[0];				// note: ats_len includes CRC Bytes
+		memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
+		card.ats_len = resp.arg[0];             // note: ats_len includes CRC Bytes
 	}

-	if(card.ats_len >= 3) {			// a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
+	if(card.ats_len >= 3) {         // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
 		bool ta1 = 0, tb1 = 0, tc1 = 0;
 		int pos;

@ -354,7 +307,7 @@ int CmdHF14AInfo(const char *Cmd)
 			PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
 		}

-		if (card.ats[0] > 1) {		// there is a format byte (T0)
+		if (card.ats[0] > 1) {      // there is a format byte (T0)
 			ta1 = (card.ats[1] & 0x10) == 0x10;
 			tb1 = (card.ats[1] & 0x20) == 0x20;
 			tc1 = (card.ats[1] & 0x40) == 0x40;
@ -363,10 +316,7 @@ int CmdHF14AInfo(const char *Cmd)
 					"TC1 is%s present, FSCI is %d (FSC = %ld)",
 				(ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
 				fsci,
-				fsci < 5 ? (fsci - 2) * 8 : 
-					fsci < 8 ? (fsci - 3) * 32 :
-					fsci == 8 ? 256 :
-					-1
+				fsci < sizeof(atsFSC) ? atsFSC[fsci] : -1
 				);
 		}
 		pos = 2;
@ -484,7 +434,7 @@ int CmdHF14AInfo(const char *Cmd)
 	(void)mfCIdentify();

 	if (isMifareClassic) {
-		switch(DetectClassicPrng()) {
+		switch (DetectClassicPrng()) {
 		case 0:
 			PrintAndLog("Prng detection: HARDENED (hardnested)");
 			break;
@ -516,7 +466,7 @@ int CmdHF14ACUIDs(const char *Cmd)
 		SendCommand(&c);

 		UsbCommand resp;
-		WaitForResponse(CMD_ACK,&resp);
+		WaitForResponse(CMD_NACK,&resp);

 		iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;

@ -608,16 +558,17 @@ int CmdHF14ASim(const char *Cmd)
  unsigned int hi = 0, lo = 0;
  int n = 0, i = 0;
  while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
-    hi= (hi << 4) | (lo >> 28);
-    lo= (lo << 4) | (n & 0xf);
+	hi= (hi << 4) | (lo >> 28);
+	lo= (lo << 4) | (n & 0xf);
  }
 */
-//	UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16)};
+//  UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16)};
 //  PrintAndLog("Emulating ISO/IEC 14443 type A tag with UID %01d %08x %08x",c.arg[0],c.arg[1],c.arg[2]);
  SendCommand(&c);
  return 0;
 }

+
 int CmdHF14ASnoop(const char *Cmd) {
 	int param = 0;

@ -643,60 +594,236 @@ int CmdHF14ASnoop(const char *Cmd) {
 	return 0;
 }

+
 void DropField() {
 	UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
 	SendCommand(&c);
 }

-int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
+
+int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
+	static bool responseNum = false;
 	uint16_t cmdc = 0;
+	*dataoutlen = 0;

 	if (activateField) {
-		cmdc |= ISO14A_CONNECT | ISO14A_CLEAR_TRACE;
+		responseNum = false;
+		UsbCommand resp;
+
+		// Anticollision + SELECT card
+		UsbCommand ca = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT | ISO14A_CLEAR_TRACE, 0, 0}};
+		SendCommand(&ca);
+		if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
+			PrintAndLog("14aRAW ERROR: Proxmark connection timeout.");
+			return 1;
+		}
+
+		// check result
+		if (resp.arg[0] == 0) {
+			PrintAndLog("14aRAW ERROR: No card in field.");
+			return 1;
+		}
+
+		if (resp.arg[0] != 1 && resp.arg[0] != 2) {
+			PrintAndLog("14aRAW ERROR: card not in iso14443-4. res=%d.", resp.arg[0]);
+			return 1;
+		}
+
+		if (resp.arg[0] == 2) {     // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+			// get ATS
+			UsbCommand cr = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0}};
+			uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
+			memcpy(cr.d.asBytes, rats, 2);
+			SendCommand(&cr);
+			if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
+				PrintAndLog("14aRAW ERROR: Proxmark connection timeout.");
+				return 1;
+			}
+
+			if (resp.arg[0] <= 0) { // ats_len
+				PrintAndLog("14aRAW ERROR: Can't get ATS.");
+				return 1;
+			}
+		}
 	}
+
 	if (leaveSignalON)
 		cmdc |= ISO14A_NO_DISCONNECT;

-	// "Command APDU" length should be 5+255+1, but javacard's APDU buffer might be smaller - 133 bytes
-	// https://stackoverflow.com/questions/32994936/safe-max-java-card-apdu-data-command-and-respond-size
-	// here length USB_CMD_DATA_SIZE=512
-	// timeout must be authomatically set by "get ATS"
-	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_APDU | cmdc, (datainlen & 0xFFFF), 0}}; 
-	memcpy(c.d.asBytes, datain, datainlen);
+	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_APPEND_CRC | cmdc, (datainlen & 0xFFFF) + 2, 0}};
+	uint8_t header[] = {0x0a | responseNum, 0x00};
+	responseNum ^= 1;
+	memcpy(c.d.asBytes, header, 2);
+	memcpy(&c.d.asBytes[2], datain, datainlen);
 	SendCommand(&c);

-    uint8_t *recv;
-    UsbCommand resp;
+	uint8_t *recv;
+	UsbCommand resp;

-	if (activateField) {
-		if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
-			PrintAndLog("APDU ERROR: Proxmark connection timeout.");
+	if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
+		recv = resp.d.asBytes;
+		int iLen = resp.arg[0];
+
+		if(!iLen) {
+			PrintAndLog("14aRAW ERROR: No card response.");
 			return 1;
 		}
-		if (resp.arg[0] != 1) {
-			PrintAndLog("APDU ERROR: Proxmark error %d.", resp.arg[0]);
-			return 1;
-		}
-	}
-
-    if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
-        recv = resp.d.asBytes;
-        int iLen = resp.arg[0];

 		*dataoutlen = iLen - 2;
 		if (*dataoutlen < 0)
 			*dataoutlen = 0;

+		if (maxdataoutlen && *dataoutlen > maxdataoutlen) {
+			PrintAndLog("14aRAW ERROR: Buffer too small(%d). Needs %d bytes", *dataoutlen, maxdataoutlen);
+			return 2;
+		}
+
+		if (recv[0] != header[0]) {
+			PrintAndLog("14aRAW ERROR: iso14443-4 framing error. Card send %2x must be %2x", dataout[0], header[0]);
+			return 2;
+		}
+
+		memcpy(dataout, &recv[2], *dataoutlen);
+
+		// CRC Check
+		if (iLen == -1) {
+			PrintAndLog("14aRAW ERROR: ISO 14443A CRC error.");
+			return 3;
+		}
+
+
+	} else {
+		PrintAndLog("14aRAW ERROR: Reply timeout.");
+		return 4;
+	}
+
+	return 0;
+}
+
+
+static int SelectCard14443_4(bool disconnect, iso14a_card_select_t *card) {
+	UsbCommand resp;
+
+	frameLength = 0;
+
+	if (card)
+		memset(card, 0, sizeof(iso14a_card_select_t));
+
+	DropField();
+
+	// Anticollision + SELECT card
+	UsbCommand ca = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
+	SendCommand(&ca);
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
+		PrintAndLogEx(ERR, "Proxmark connection timeout.");
+		return 1;
+	}
+
+	// check result
+	if (resp.arg[0] == 0) {
+		PrintAndLogEx(ERR, "No card in field.");
+		return 1;
+	}
+
+	if (resp.arg[0] != 1 && resp.arg[0] != 2) {
+		PrintAndLogEx(ERR, "Card not in iso14443-4. res=%d.", resp.arg[0]);
+		return 1;
+	}
+
+	if (resp.arg[0] == 2) {     // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+		// try to get ATS although SAK indicated that it is not ISO14443-4 compliant
+		UsbCommand cr = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0}};
+		uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
+		memcpy(cr.d.asBytes, rats, 2);
+		SendCommand(&cr);
+		if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
+			PrintAndLogEx(ERR, "Proxmark connection timeout.");
+			return 1;
+		}
+
+		if (resp.arg[0] <= 0) { // ats_len
+			PrintAndLogEx(ERR, "Can't get ATS.");
+			return 1;
+		}
+	}
+
+	// get frame length from ATS
+	iso14a_card_select_t *vcard = (iso14a_card_select_t *) resp.d.asBytes;
+	if (vcard->ats_len > 1) {
+		uint8_t fsci = vcard->ats[1] & 0x0f;
+		if (fsci < sizeof(atsFSC))
+			frameLength = atsFSC[fsci];
+	}
+
+	if (card) {
+		memcpy(card, vcard, sizeof(iso14a_card_select_t));
+	}
+
+	if (disconnect) {
+		DropField();
+	}
+
+	return 0;
+}
+
+
+static int ExchangeAPDU(bool chainingin, uint8_t *datain, int datainlen, bool activateField, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, bool *chainingout)
+{
+	*chainingout = false;
+
+	if (activateField) {
+		// select with no disconnect and set frameLength
+		int selres = SelectCard14443_4(false, NULL);
+		if (selres)
+			return selres;
+	}
+
+	uint16_t cmdc = 0;
+	if (chainingin)
+		cmdc = ISO14A_SEND_CHAINING;
+
+	// "Command APDU" length should be 5+255+1, but javacard's APDU buffer might be smaller - 133 bytes
+	// https://stackoverflow.com/questions/32994936/safe-max-java-card-apdu-data-command-and-respond-size
+	// here length USB_CMD_DATA_SIZE=512
+	// timeout must be authomatically set by "get ATS"
+	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_APDU | ISO14A_NO_DISCONNECT | cmdc, (datainlen & 0xFFFF), 0}};
+	memcpy(c.d.asBytes, datain, datainlen);
+	SendCommand(&c);
+
+	uint8_t *recv;
+	UsbCommand resp;
+
+	if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
+		recv = resp.d.asBytes;
+		int iLen = resp.arg[0];
+		uint8_t res = resp.arg[1];
+
+		int dlen = iLen - 2;
+		if (dlen < 0)
+			dlen = 0;
+		*dataoutlen += dlen;
+
 		if (maxdataoutlen && *dataoutlen > maxdataoutlen) {
 			PrintAndLog("APDU ERROR: Buffer too small(%d). Needs %d bytes", *dataoutlen, maxdataoutlen);
 			return 2;
 		}

-		memcpy(dataout, recv, *dataoutlen);
+		// I-block ACK
+		if ((res & 0xf2) == 0xa2) {
+			*dataoutlen = 0;
+			*chainingout = true;
+			return 0;
+		}

-        if(!iLen) {
+		if(!iLen) {
 			PrintAndLog("APDU ERROR: No APDU response.");
-            return 1;
+			return 1;
+		}
+
+		// check apdu length
+		if (iLen < 2 && iLen >= 0) {
+			PrintAndLog("APDU ERROR: Small APDU response. Len=%d", iLen);
+			return 2;
 		}

 		// check block TODO
@ -705,22 +832,91 @@ int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool lea
 			return 2;
 		}

+		memcpy(dataout, recv, dlen);
+
+		// chaining
+		if ((res & 0x10) != 0) {
+			*chainingout = true;
+		}
+
 		// CRC Check
 		if (iLen == -1) {
 			PrintAndLog("APDU ERROR: ISO 14443A CRC error.");
 			return 3;
 		}
-
-		// check apdu length
-		if (iLen < 4) {
-			PrintAndLog("APDU ERROR: Small APDU response. Len=%d", iLen);
-			return 2;
-		}
-		
-    } else {
-        PrintAndLog("APDU ERROR: Reply timeout.");
+	} else {
+		PrintAndLog("APDU ERROR: Reply timeout.");
 		return 4;
-    }
+	}
+
+	return 0;
+}
+
+
+int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
+	*dataoutlen = 0;
+	bool chaining = false;
+	int res;
+
+	// 3 byte here - 1b framing header, 2b crc16
+	if ( (frameLength && (datainlen > frameLength - 3)) || (datainlen > USB_CMD_DATA_SIZE - 3) ) {
+		int clen = 0;
+
+		bool vActivateField = activateField;
+
+		do {
+			int vlen = MIN(frameLength - 3, datainlen - clen);
+			bool chainBlockNotLast = ((clen + vlen) < datainlen);
+
+			*dataoutlen = 0;
+			res = ExchangeAPDU(chainBlockNotLast, &datain[clen], vlen, vActivateField, dataout, maxdataoutlen, dataoutlen, &chaining);
+			if (res) {
+				if (!leaveSignalON)
+					DropField();
+
+				return 200;
+			}
+
+			// check R-block ACK
+			if ((*dataoutlen == 0) && (*dataoutlen != 0 || chaining != chainBlockNotLast)) {
+				if (!leaveSignalON)
+					DropField();
+
+				return 201;
+			}
+
+			clen += vlen;
+			vActivateField = false;
+			if (*dataoutlen) {
+				if (clen != datainlen)
+					PrintAndLogEx(WARNING, "APDU: I-block/R-block sequence error. Data len=%d, Sent=%d, Last packet len=%d", datainlen, clen, *dataoutlen);
+				break;
+			}
+		} while (clen < datainlen);
+	} else {
+		res = ExchangeAPDU(false, datain, datainlen, activateField, dataout, maxdataoutlen, dataoutlen, &chaining);
+		if (res) {
+			if (!leaveSignalON)
+				DropField();
+
+			return res;
+		}
+	}
+
+	while (chaining) {
+		// I-block with chaining
+		res = ExchangeAPDU(false, NULL, 0, false, &dataout[*dataoutlen], maxdataoutlen, dataoutlen, &chaining);
+
+		if (res) {
+			if (!leaveSignalON)
+				DropField();
+
+			return 100;
+		}
+	}
+
+	if (!leaveSignalON)
+		DropField();

 	return 0;
 }
@ -729,20 +925,34 @@ int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool lea
 int CmdHF14AAPDU(const char *cmd) {
 	uint8_t data[USB_CMD_DATA_SIZE];
 	int datalen = 0;
+	uint8_t header[5];
+	int headerlen = 0;
 	bool activateField = false;
 	bool leaveSignalON = false;
 	bool decodeTLV = false;
+	bool decodeAPDU = false;
+	bool makeAPDU = false;
+	bool extendedAPDU = false;
+	int le = 0;
+	int res = 0;

 	CLIParserInit("hf 14a apdu",
-		"Sends an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol (T=CL)", 
-		"Sample:\n\thf 14a apdu -st 00A404000E325041592E5359532E444446303100\n");
+				  "Sends an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol (T=CL). Works with all APDU types from ISO 7816-4:2013",
+				  "Examples:\n\thf 14a apdu -st 00A404000E325041592E5359532E444446303100\n"
+				  "\thf 14a apdu -sd 00A404000E325041592E5359532E444446303100 - decode APDU\n"
+				  "\thf 14a apdu -sm 00A40400 325041592E5359532E4444463031 -l 256 - encode standard APDU\n"
+				  "\thf 14a apdu -sm 00A40400 325041592E5359532E4444463031 -el 65536 - encode extended APDU\n");

 	void* argtable[] = {
 		arg_param_begin,
-		arg_lit0("sS",  "select",  "activate field and select card"),
-		arg_lit0("kK",  "keep",    "leave the signal field ON after receive response"),
-		arg_lit0("tT",  "tlv",     "executes TLV decoder if it possible"),
-		arg_strx1(NULL, NULL,      "<APDU (hex)>", NULL),
+		arg_lit0("sS",  "select",   "activate field and select card"),
+		arg_lit0("kK",  "keep",     "leave the signal field ON after receive response"),
+		arg_lit0("tT",  "tlv",      "executes TLV decoder if it possible"),
+		arg_lit0("dD",  "decapdu",  "decode APDU request if it possible"),
+		arg_str0("mM",  "make",     "<head (CLA INS P1 P2) hex>", "make APDU with head from this field and data from data field. Must be 4 bytes length: <CLA INS P1 P2>"),
+		arg_lit0("eE",  "extended", "make extended length APDU (requires `-m`)"),
+		arg_int0("lL",  "le",       "<Le (int)>", "Le APDU parameter (requires `-m`)"),
+		arg_strx1(NULL, NULL,       "<APDU (hex) | data (hex)>", "APDU (without `-m`), or data (with `-m`)"),
 		arg_param_end
 	};
 	CLIExecWithReturn(cmd, argtable, false);
@ -750,15 +960,71 @@ int CmdHF14AAPDU(const char *cmd) {
 	activateField = arg_get_lit(1);
 	leaveSignalON = arg_get_lit(2);
 	decodeTLV = arg_get_lit(3);
-	// len = data + PCB(1b) + CRC(2b)
-	CLIGetStrBLessWithReturn(4, data, &datalen, 1 + 2);
+	decodeAPDU = arg_get_lit(4);

+	res = CLIParamHexToBuf(arg_get_str(5), header, sizeof(header), &headerlen);
+	makeAPDU = headerlen > 0;
+	if (res || (makeAPDU && headerlen != 4)) {
+		PrintAndLogEx(ERR, "header length must be exactly 4 bytes");
+		CLIParserFree();
+		return 1;
+	}
+	extendedAPDU = arg_get_lit(6);
+	le = arg_get_int_def(7, 0);
+
+	if (makeAPDU) {
+		uint8_t apdudata[USB_CMD_DATA_SIZE] = {0};
+		int apdudatalen = 0;
+
+		CLIGetHexBLessWithReturn(8, apdudata, &apdudatalen, 1 + 2);
+
+		APDUStruct apdu;
+		apdu.cla = header[0];
+		apdu.ins = header[1];
+		apdu.p1 = header[2];
+		apdu.p2 = header[3];
+
+		apdu.lc = apdudatalen;
+		apdu.data = apdudata;
+
+		apdu.extended_apdu = extendedAPDU;
+		apdu.le = le;
+
+		if (APDUEncode(&apdu, data, &datalen)) {
+			PrintAndLogEx(ERR, "can't make apdu with provided parameters.");
+			CLIParserFree();
+			return 2;
+		}
+	} else {
+		if (extendedAPDU) {
+			PrintAndLogEx(ERR, "`-e` without `-m`.");
+			CLIParserFree();
+			return 3;
+		}
+		if (le > 0) {
+			PrintAndLogEx(ERR, "`-l` without `-m`.");
+			CLIParserFree();
+			return 3;
+		}
+
+		// len = data + PCB(1b) + CRC(2b)
+		CLIGetHexBLessWithReturn(8, data, &datalen, 1 + 2);
+	}

 	CLIParserFree();
-//	PrintAndLog("---str [%d] %s", arg_get_str(4)->count, arg_get_str(4)->sval[0]);
-	PrintAndLog(">>>>[%s%s%s] %s", activateField ? "sel ": "", leaveSignalON ? "keep ": "", decodeTLV ? "TLV": "", sprint_hex(data, datalen));
+//  PrintAndLog("---str [%d] %s", arg_get_str(4)->count, arg_get_str(4)->sval[0]);
+	PrintAndLogEx(NORMAL, ">>>>[%s%s%s] %s", activateField ? "sel ": "", leaveSignalON ? "keep ": "", decodeTLV ? "TLV": "", sprint_hex(data, datalen));

-	int res = ExchangeAPDU14a(data, datalen, activateField, leaveSignalON, data, USB_CMD_DATA_SIZE, &datalen);
+	if (decodeAPDU) {
+		APDUStruct apdu;
+
+		if (APDUDecode(data, datalen, &apdu) == 0)
+			APDUPrint(apdu);
+		else
+			PrintAndLogEx(WARNING, "can't decode APDU.");
+	}
+
+	res = ExchangeAPDU14a(data, datalen, activateField, leaveSignalON, data, USB_CMD_DATA_SIZE, &datalen);

 	if (res)
 		return res;
@ -858,7 +1124,7 @@ int CmdHF14ACmdRaw(const char *cmd) {
 	}

 	if(bTimeout){
-		#define MAX_TIMEOUT 40542464 	// = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
+		#define MAX_TIMEOUT 40542464    // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
 		c.arg[0] |= ISO14A_SET_TIMEOUT;
 		if(timeout > MAX_TIMEOUT) {
 			timeout = MAX_TIMEOUT;
@ -901,13 +1167,13 @@ int CmdHF14ACmdRaw(const char *cmd) {


 static int waitCmd(uint8_t iSelect) {
-    uint8_t *recv;
-    UsbCommand resp;
-    char *hexout;
+	uint8_t *recv;
+	UsbCommand resp;
+	char *hexout;

-    if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
-        recv = resp.d.asBytes;
-        uint8_t iLen = resp.arg[0];
+	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+		recv = resp.d.asBytes;
+		uint8_t iLen = resp.arg[0];
 		if (iSelect){
 			iLen = resp.arg[1];
 			if (iLen){
@ -918,38 +1184,38 @@ static int waitCmd(uint8_t iSelect) {
 		} else {
 			PrintAndLog("received %i bytes:", iLen);
 		}
-        if(!iLen)
-            return 1;
-        hexout = (char *)malloc(iLen * 3 + 1);
-        if (hexout != NULL) {
-            for (int i = 0; i < iLen; i++) { // data in hex
-                sprintf(&hexout[i * 3], "%02X ", recv[i]);
-            }
-            PrintAndLog("%s", hexout);
-            free(hexout);
-        } else {
-            PrintAndLog("malloc failed your client has low memory?");
+		if(!iLen)
+			return 1;
+		hexout = (char *)malloc(iLen * 3 + 1);
+		if (hexout != NULL) {
+			for (int i = 0; i < iLen; i++) { // data in hex
+				sprintf(&hexout[i * 3], "%02X ", recv[i]);
+			}
+			PrintAndLog("%s", hexout);
+			free(hexout);
+		} else {
+			PrintAndLog("malloc failed your client has low memory?");
 			return 2;
-        }
-    } else {
-        PrintAndLog("timeout while waiting for reply.");
+		}
+	} else {
+		PrintAndLog("timeout while waiting for reply.");
 		return 3;
-    }
+	}
 	return 0;
 }

 static command_t CommandTable[] =
 {
-  {"help",   CmdHelp,              1, "This help"},
-  {"list",   CmdHF14AList,         0, "[Deprecated] List ISO 14443a history"},
-  {"reader", CmdHF14AReader,       0, "Start acting like an ISO14443 Type A reader"},
-  {"info",   CmdHF14AInfo,         0, "Reads card and shows information about it"},
-  {"cuids",  CmdHF14ACUIDs,        0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
-  {"sim",    CmdHF14ASim,          0, "<UID> -- Simulate ISO 14443a tag"},
-  {"snoop",  CmdHF14ASnoop,        0, "Eavesdrop ISO 14443 Type A"},
-  {"apdu",   CmdHF14AAPDU,         0, "Send an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol"},
-  {"raw",    CmdHF14ACmdRaw,       0, "Send raw hex data to tag"},
-  {NULL, NULL, 0, NULL}
+	{"help",     CmdHelp,              1, "This help"},
+	{"list",     CmdHF14AList,         0, "[Deprecated] List ISO 14443a history"},
+	{"reader",   CmdHF14AReader,       0, "Start acting like an ISO14443 Type A reader"},
+	{"info",     CmdHF14AInfo,         0, "Reads card and shows information about it"},
+	{"cuids",    CmdHF14ACUIDs,        0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
+	{"sim",      CmdHF14ASim,          0, "<UID> -- Simulate ISO 14443a tag"},
+	{"snoop",    CmdHF14ASnoop,        0, "Eavesdrop ISO 14443 Type A"},
+	{"apdu",     CmdHF14AAPDU,         0, "Send an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol"},
+	{"raw",      CmdHF14ACmdRaw,       0, "Send raw hex data to tag"},
+	{NULL,       NULL,                 0, NULL}
 };

 int CmdHF14A(const char *Cmd) {
--- a/client/cmdhf14a.h
+++ b/client/cmdhf14a.h
@ -14,17 +14,21 @@

 #include <stdint.h>
 #include <stdbool.h>
+#include "mifare.h"

-int CmdHF14A(const char *Cmd);
-int CmdHF14AList(const char *Cmd);
-int CmdHF14AMifare(const char *Cmd);
-int CmdHF14AReader(const char *Cmd);
+extern int CmdHF14A(const char *Cmd);
+extern int CmdHF14AMfDbg(const char* cmd);
+extern int CmdHF14AList(const char *Cmd);
+extern int CmdHF14AMifare(const char *Cmd);
+extern int CmdHF14AReader(const char *Cmd);
 extern int CmdHF14AInfo(const char *Cmd);
-int CmdHF14ASim(const char *Cmd);
-int CmdHF14ASnoop(const char *Cmd);
-char* getTagInfo(uint8_t uid);
+extern int CmdHF14ASim(const char *Cmd);
+extern int CmdHF14ASnoop(const char *Cmd);

 extern void DropField();
+
+extern int Hf14443_4aGetCardData(iso14a_card_select_t * card);
+extern int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
 extern int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);

 #endif
--- a/client/cmdhf14b.c
+++ b/client/cmdhf14b.c
@ -15,6 +15,7 @@
 #include <stdbool.h>
 #include <string.h>
 #include <stdint.h>
+#include <ctype.h>
 #include "iso14443crc.h"
 #include "comms.h"
 #include "graph.h"
@ -22,73 +23,71 @@
 #include "ui.h"
 #include "cmdparser.h"
 #include "cmdmain.h"
-#include "cmdhf14a.h"
+#include "taginfo.h"

-static int CmdHelp(const char *Cmd);

-int CmdHF14BList(const char *Cmd)
-{
+int CmdHF14BList(const char *Cmd) {
 	PrintAndLog("Deprecated command, use 'hf list 14b' instead");
-
 	return 0;
 }

-int CmdHF14BSim(const char *Cmd)
-{
+
+int CmdHF14BSim(const char *Cmd) {
  UsbCommand c={CMD_SIMULATE_TAG_ISO_14443B};
  clearCommandBuffer();
  SendCommand(&c);
  return 0;
 }

-int CmdHF14BSnoop(const char *Cmd)
-{
+
+int CmdHF14BSnoop(const char *Cmd) {
  UsbCommand c = {CMD_SNOOP_ISO_14443B};
  clearCommandBuffer();
  SendCommand(&c);
  return 0;
 }

+
 /* New command to read the contents of a SRI512 tag
 * SRI512 tags are ISO14443-B modulated memory tags,
 * this command just dumps the contents of the memory
 */
-int CmdSri512Read(const char *Cmd)
-{
+int CmdSri512Read(const char *Cmd) {
  UsbCommand c = {CMD_READ_SRI512_TAG, {strtol(Cmd, NULL, 0), 0, 0}};
  clearCommandBuffer();
  SendCommand(&c);
  return 0;
 }

+
 /* New command to read the contents of a SRIX4K tag
 * SRIX4K tags are ISO14443-B modulated memory tags,
 * this command just dumps the contents of the memory/
 */
-int CmdSrix4kRead(const char *Cmd)
-{
+int CmdSrix4kRead(const char *Cmd) {
  UsbCommand c = {CMD_READ_SRIX4K_TAG, {strtol(Cmd, NULL, 0), 0, 0}};
  clearCommandBuffer();
  SendCommand(&c);
  return 0;
 }

-int rawClose(void){
+
+static bool switch_off_field_14b(void) {
 	UsbCommand resp;
 	UsbCommand c = {CMD_ISO_14443B_COMMAND, {0, 0, 0}};
 	clearCommandBuffer();
 	SendCommand(&c);
-	if (!WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
-		return 0;
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
+		return false;
 	}
-	return 0;
+	return false;
 }

-int HF14BCmdRaw(bool reply, bool *crc, bool power, uint8_t *data, uint8_t *datalen, bool verbose){
+
+int HF14BCmdRaw(bool reply, bool *crc, bool power, uint8_t *data, uint8_t *datalen, bool verbose) {
 	UsbCommand resp;
 	UsbCommand c = {CMD_ISO_14443B_COMMAND, {0, 0, 0}}; // len,recv,power
-	if(*crc)
-	{
+	if (*crc) {
 		uint8_t first, second;
 		ComputeCrc14443(CRC_14443_B, data, *datalen, &first, &second);
 		data[*datalen] = first;
@ -99,26 +98,38 @@ int HF14BCmdRaw(bool reply, bool *crc, bool power, uint8_t *data, uint8_t *datal
 	c.arg[0] = *datalen;
 	c.arg[1] = reply;
 	c.arg[2] = power;
-	memcpy(c.d.asBytes,data,*datalen);
+	memcpy(c.d.asBytes,data, *datalen);
 	clearCommandBuffer();
 	SendCommand(&c);

 	if (!reply) return 1;

-	if (!WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
 		if (verbose) PrintAndLog("timeout while waiting for reply.");
 		return 0;
 	}
-	*datalen = resp.arg[0];
-	if (verbose) PrintAndLog("received %u octets", *datalen);
-	if(*datalen<2) return 0;
+
+	int ret = resp.arg[0];
+	if (verbose) {
+		if (ret < 0) {
+			PrintAndLog("tag didn't respond");
+		} else if (ret == 0) {
+			PrintAndLog("received SOF only (maybe iCLASS/Picopass)");
+		} else {
+			PrintAndLog("received %u octets", ret);
+		}
+	}
+
+	*datalen = ret;
+
+	if (ret < 2) return 0;

 	memcpy(data, resp.d.asBytes, *datalen);
 	if (verbose) PrintAndLog("%s", sprint_hex(data, *datalen));

 	uint8_t first, second;
 	ComputeCrc14443(CRC_14443_B, data, *datalen-2, &first, &second);
-	if(data[*datalen-2] == first && data[*datalen-1] == second) {
+	if (data[*datalen-2] == first && data[*datalen-1] == second) {
 		if (verbose) PrintAndLog("CRC OK");
 		*crc = true;
 	} else {
@ -128,7 +139,8 @@ int HF14BCmdRaw(bool reply, bool *crc, bool power, uint8_t *data, uint8_t *datal
 	return 1;
 }

-int CmdHF14BCmdRaw (const char *Cmd) {
+
+static int CmdHF14BCmdRaw (const char *Cmd) {
 	bool reply = true;
 	bool crc = false;
 	bool power = false;
@ -139,7 +151,7 @@ int CmdHF14BCmdRaw (const char *Cmd) {
 	uint8_t datalen = 0;
 	unsigned int temp;
 	int i = 0;
-	if (strlen(Cmd)<3) {
+	if (strlen(Cmd) < 2) {
 			PrintAndLog("Usage: hf 14b raw [-r] [-c] [-p] [-s || -ss] <0A 0B 0C ... hex>");
 			PrintAndLog("       -r    do not read response");
 			PrintAndLog("       -c    calculate and append CRC");
@ -150,11 +162,11 @@ int CmdHF14BCmdRaw (const char *Cmd) {
 	}

 	// strip
-	while (*Cmd==' ' || *Cmd=='\t') Cmd++;
+	while (*Cmd == ' ' || *Cmd == '\t') Cmd++;

-	while (Cmd[i]!='\0') {
-		if (Cmd[i]==' ' || Cmd[i]=='\t') { i++; continue; }
-		if (Cmd[i]=='-') {
+	while (Cmd[i] != '\0') {
+		if (Cmd[i] == ' ' || Cmd[i] == '\t') { i++; continue; }
+		if (Cmd[i] == '-') {
 			switch (Cmd[i+1]) {
 				case 'r':
 				case 'R':
@ -171,7 +183,7 @@ int CmdHF14BCmdRaw (const char *Cmd) {
 				case 's':
 				case 'S':
 					select = true;
-					if (Cmd[i+2]=='s' || Cmd[i+2]=='S') {
+					if (Cmd[i+2] == 's' || Cmd[i+2] == 'S') {
 						SRx = true;
 						i++;
 					}
@ -180,34 +192,33 @@ int CmdHF14BCmdRaw (const char *Cmd) {
 					PrintAndLog("Invalid option");
 					return 0;
 			}
-			i+=2;
+			i += 2;
 			continue;
 		}
-		if ((Cmd[i]>='0' && Cmd[i]<='9') ||
-		    (Cmd[i]>='a' && Cmd[i]<='f') ||
-		    (Cmd[i]>='A' && Cmd[i]<='F') ) {
-			buf[strlen(buf)+1]=0;
-			buf[strlen(buf)]=Cmd[i];
+		if ((Cmd[i] >= '0' && Cmd[i] <= '9') ||
+			(Cmd[i] >= 'a' && Cmd[i] <= 'f') ||
+			(Cmd[i] >= 'A' && Cmd[i] <= 'F') ) {
+			buf[strlen(buf)+1] = 0;
+			buf[strlen(buf)] = Cmd[i];
 			i++;

-			if (strlen(buf)>=2) {
-				sscanf(buf,"%x",&temp);
-				data[datalen++]=(uint8_t)(temp & 0xff);
-				*buf=0;
+			if (strlen(buf) >= 2) {
+				sscanf(buf, "%x", &temp);
+				data[datalen++] = (uint8_t)(temp & 0xff);
+				*buf = 0;
 			}
 			continue;
 		}
 		PrintAndLog("Invalid char on input");
 		return 0;
 	}
-	if (datalen == 0)
-	{
+	if (datalen == 0) {
 		PrintAndLog("Missing data input");
 		return 0;
 	}

-	if (select){ //auto select 14b tag
-		uint8_t	cmd2[16];
+	if (select) { //auto select 14b tag
+		uint8_t cmd2[16];
 		bool crc2 = true;
 		uint8_t cmdLen;

@ -224,10 +235,13 @@ int CmdHF14BCmdRaw (const char *Cmd) {
 			cmd2[2] = 0x08;
 		}

-		if (HF14BCmdRaw(true, &crc2, true, cmd2, &cmdLen, false)==0) return rawClose();
+		if (HF14BCmdRaw(true, &crc2, true, cmd2, &cmdLen, false) == 0) return switch_off_field_14b();

-		if ( SRx && (cmdLen != 3 || !crc2) ) return rawClose();
-		else if (cmd2[0] != 0x50 || cmdLen != 14 || !crc2) return rawClose();
+		if (SRx) {
+			if (cmdLen != 3 || !crc2) return switch_off_field_14b();
+		} else {
+			if (cmd2[0] != 0x50 || cmdLen != 14 || !crc2) return switch_off_field_14b();
+		}

 		uint8_t chipID = 0;
 		if (SRx) {
@ -247,19 +261,22 @@ int CmdHF14BCmdRaw (const char *Cmd) {
 			cmdLen = 9;
 		}

-		if (HF14BCmdRaw(true, &crc2, true, cmd2, &cmdLen, false)==0) return rawClose();
+		if (HF14BCmdRaw(true, &crc2, true, cmd2, &cmdLen, false) == 0) return switch_off_field_14b();

-		if (cmdLen != 3 || !crc2) return rawClose();
-		if (SRx && cmd2[0] != chipID) return rawClose();
+		if (cmdLen != 3 || !crc2) return switch_off_field_14b();
+		if (SRx && cmd2[0] != chipID) return switch_off_field_14b();
 	}
+
 	return HF14BCmdRaw(reply, &crc, power, data, &datalen, true);
+
 }

+
 // print full atqb info
-static void print_atqb_resp(uint8_t *data){
+static void print_atqb_resp(uint8_t *data) {
 	//PrintAndLog ("           UID: %s", sprint_hex(data+1,4));
-	PrintAndLog ("      App Data: %s", sprint_hex(data+5,4));
-	PrintAndLog ("      Protocol: %s", sprint_hex(data+9,3));
+	PrintAndLog("      App Data: %s", sprint_hex(data+5,4));
+	PrintAndLog("      Protocol: %s", sprint_hex(data+9,3));
 	uint8_t BitRate = data[9];
 	if (!BitRate)
 		PrintAndLog ("      Bit Rate: 106 kbit/s only PICC <-> PCD");
@ -278,7 +295,7 @@ static void print_atqb_resp(uint8_t *data){
 	if (BitRate & 0x80)
 		PrintAndLog ("                Same bit rate <-> required");

-	uint16_t maxFrame = data[10]>>4;
+	uint16_t maxFrame = data[10] >> 4;
 	if (maxFrame < 5)
 		maxFrame = 8*maxFrame + 16;
 	else if (maxFrame == 5)
@ -292,7 +309,7 @@ static void print_atqb_resp(uint8_t *data){
 	else
 		maxFrame = 257;

-	PrintAndLog ("Max Frame Size: %u%s",maxFrame, (maxFrame == 257) ? "+ RFU" : "");
+	PrintAndLog ("Max Frame Size: %u%s", maxFrame, (maxFrame == 257) ? "+ RFU" : "");

 	uint8_t protocolT = data[10] & 0xF;
 	PrintAndLog (" Protocol Type: Protocol is %scompliant with ISO/IEC 14443-4",(protocolT) ? "" : "not " );
@ -305,36 +322,18 @@ static void print_atqb_resp(uint8_t *data){
 	return;
 }

-// get SRx chip model (from UID) // from ST Microelectronics
-char *get_ST_Chip_Model(uint8_t data){
-	static char model[20];
-	char *retStr = model;
-	memset(model,0, sizeof(model));

-	switch (data) {
-		case 0x0: sprintf(retStr, "SRIX4K (Special)"); break;
-		case 0x2: sprintf(retStr, "SR176"); break;
-		case 0x3: sprintf(retStr, "SRIX4K"); break;
-		case 0x4: sprintf(retStr, "SRIX512"); break;
-		case 0x6: sprintf(retStr, "SRI512"); break;
-		case 0x7: sprintf(retStr, "SRI4K"); break;
-		case 0xC: sprintf(retStr, "SRT512"); break;
-		default : sprintf(retStr, "Unknown"); break;
-	}
-	return retStr;
-}
-
-int print_ST_Lock_info(uint8_t model){
+int print_ST_Lock_info(uint8_t model) {
 	//assume connection open and tag selected...
 	uint8_t data[16] = {0x00};
 	uint8_t datalen = 2;
 	bool crc = true;
 	uint8_t resplen;
-	uint8_t	blk1;
+	uint8_t blk1;
 	data[0] = 0x08;

-	if (model == 0x2) { //SR176 has special command:
-		data[1] = 0xf;
+	if (model == 0x02) { //SR176 has special command:
+		data[1] = 0x0f;
 		resplen = 4;
 	} else {
 		data[1] = 0xff;
@ -342,9 +341,9 @@ int print_ST_Lock_info(uint8_t model){
 	}

 	//std read cmd
-	if (HF14BCmdRaw(true, &crc, true, data, &datalen, false)==0) return rawClose();
+	if (HF14BCmdRaw(true, &crc, true, data, &datalen, false) == 0) return switch_off_field_14b();

-	if (datalen != resplen || !crc) return rawClose();
+	if (datalen != resplen || !crc) return switch_off_field_14b();

 	PrintAndLog("Chip Write Protection Bits:");
 	// now interpret the data
@ -356,7 +355,7 @@ int print_ST_Lock_info(uint8_t model){
 			blk1 = 9;
 			PrintAndLog("   raw: %s",printBits(1,data+3));
 			PrintAndLog(" 07/08:%slocked", (data[3] & 1) ? " not " : " " );
-			for (uint8_t i = 1; i<8; i++){
+			for (uint8_t i = 1; i < 8; i++){
 				PrintAndLog("    %02u:%slocked", blk1, (data[3] & (1 << i)) ? " not " : " " );
 				blk1++;
 			}
@ -366,9 +365,9 @@ int print_ST_Lock_info(uint8_t model){
 		case 0xC: //             (SRT512)
 			//need data[2] and data[3]
 			blk1 = 0;
-			PrintAndLog("   raw: %s",printBits(2,data+2));
-			for (uint8_t b=2; b<4; b++){
-				for (uint8_t i=0; i<8; i++){
+			PrintAndLog("   raw: %s", printBits(2,data+2));
+			for (uint8_t b = 2; b < 4; b++) {
+				for (uint8_t i = 0; i < 8; i++) {
 					PrintAndLog("    %02u:%slocked", blk1, (data[b] & (1 << i)) ? " not " : " " );
 					blk1++;
 				}
@ -377,29 +376,31 @@ int print_ST_Lock_info(uint8_t model){
 		case 0x2: //             (SR176)
 			//need data[2]
 			blk1 = 0;
-			PrintAndLog("   raw: %s",printBits(1,data+2));
-			for (uint8_t i = 0; i<8; i++){
+			PrintAndLog("   raw: %s",printBits(1, data+2));
+			for (uint8_t i = 0; i < 8; i++){
 				PrintAndLog(" %02u/%02u:%slocked", blk1, blk1+1, (data[2] & (1 << i)) ? " " : " not " );
-				blk1+=2;
+				blk1 += 2;
 			}
 			break;
 		default:
-			return rawClose();
+			return switch_off_field_14b();
 	}
 	return 1;
 }

+
 // print UID info from SRx chips (ST Microelectronics)
-static void print_st_general_info(uint8_t *data){
+static void print_st_general_info(uint8_t *data) {
 	//uid = first 8 bytes in data
-	PrintAndLog("   UID: %s", sprint_hex(SwapEndian64(data,8,8),8));
-	PrintAndLog("   MFG: %02X, %s", data[6], getTagInfo(data[6]));
-	PrintAndLog("  Chip: %02X, %s", data[5]>>2, get_ST_Chip_Model(data[5]>>2));
+	PrintAndLog("   UID: %s", sprint_hex(SwapEndian64(data, 8, 8), 8));
+	PrintAndLog("   MFG: %02X, %s", data[6], getManufacturerName(data[6]));
+	PrintAndLog("  Chip: %02X, %s", data[5], getChipInfo(data[6], data[5]));
 	return;
 }

+
 // 14b get and print UID only (general info)
-int HF14BStdReader(uint8_t *data, uint8_t *datalen){
+int HF14BStdReader(uint8_t *data, uint8_t *datalen) {
 	//05 00 00 = find one tag in field
 	//1d xx xx xx xx 00 08 01 00 = attrib xx=UID (resp 10 [f9 e0])
 	//a3 = ?  (resp 03 [e2 c2])
@ -424,14 +425,14 @@ int HF14BStdReader(uint8_t *data, uint8_t *datalen){
 	data[1] = 0x00;
 	data[2] = 0x08;

-	if (HF14BCmdRaw(true, &crc, true, data, datalen, false)==0) return rawClose();
+	if (HF14BCmdRaw(true, &crc, true, data, datalen, false) == 0) return switch_off_field_14b();

-	if (data[0] != 0x50 || *datalen != 14 || !crc) return rawClose();
+	if (data[0] != 0x50 || *datalen != 14 || !crc) return switch_off_field_14b();

 	PrintAndLog ("\n14443-3b tag found:");
-	PrintAndLog ("           UID: %s", sprint_hex(data+1,4));
+	PrintAndLog ("           UID: %s", sprint_hex(data+1, 4));

-	uint8_t	cmd2[16];
+	uint8_t cmd2[16];
 	uint8_t cmdLen = 3;
 	bool crc2 = true;

@ -448,28 +449,29 @@ int HF14BStdReader(uint8_t *data, uint8_t *datalen){
 	cmdLen = 9;

 	// attrib
-	if (HF14BCmdRaw(true, &crc2, true, cmd2, &cmdLen, false)==0) return rawClose();
+	if (HF14BCmdRaw(true, &crc2, true, cmd2, &cmdLen, false) == 0) return switch_off_field_14b();

-	if (cmdLen != 3 || !crc2) return rawClose();
+	if (cmdLen != 3 || !crc2) return switch_off_field_14b();
 	// add attrib responce to data
 	data[14] = cmd2[0];
-	rawClose();
+	switch_off_field_14b();
 	return 1;
 }

+
 // 14b get and print Full Info (as much as we know)
-int HF14BStdInfo(uint8_t *data, uint8_t *datalen){
-	if (!HF14BStdReader(data,datalen)) return 0;
+static bool HF14B_Std_Info(uint8_t *data, uint8_t *datalen) {
+	if (!HF14BStdReader(data, datalen)) return false;

 	//add more info here
 	print_atqb_resp(data);

-
-	return 1;
+	return true;
 }

+
 // SRx get and print general info about SRx chip from UID
-int HF14B_ST_Reader(uint8_t *data, uint8_t *datalen, bool closeCon){
+static bool HF14B_ST_Reader(uint8_t *data, uint8_t *datalen, bool closeCon){
 	bool crc = true;
 	*datalen = 2;
 	//wake cmd
@ -478,9 +480,9 @@ int HF14B_ST_Reader(uint8_t *data, uint8_t *datalen, bool closeCon){

 	//leave power on
 	// verbose on for now for testing - turn off when functional
-	if (HF14BCmdRaw(true, &crc, true, data, datalen, false)==0) return rawClose();
+	if (HF14BCmdRaw(true, &crc, true, data, datalen, false) == 0) return switch_off_field_14b();

-	if (*datalen != 3 || !crc) return rawClose();
+	if (*datalen != 3 || !crc) return switch_off_field_14b();

 	uint8_t chipID = data[0];
 	// select
@ -489,115 +491,139 @@ int HF14B_ST_Reader(uint8_t *data, uint8_t *datalen, bool closeCon){
 	*datalen = 2;

 	//leave power on
-	if (HF14BCmdRaw(true, &crc, true, data, datalen, false)==0) return rawClose();
+	if (HF14BCmdRaw(true, &crc, true, data, datalen, false) == 0) return switch_off_field_14b();

-	if (*datalen != 3 || !crc || data[0] != chipID) return rawClose();
+	if (*datalen != 3 || !crc || data[0] != chipID) return switch_off_field_14b();

 	// get uid
 	data[0] = 0x0B;
 	*datalen = 1;

 	//leave power on
-	if (HF14BCmdRaw(true, &crc, true, data, datalen, false)==0) return rawClose();
+	if (HF14BCmdRaw(true, &crc, true, data, datalen, false) == 0) return switch_off_field_14b();

-	if (*datalen != 10 || !crc) return rawClose();
+	if (*datalen != 10 || !crc) return switch_off_field_14b();

 	//power off ?
-	if (closeCon) rawClose();
+	if (closeCon) switch_off_field_14b();

 	PrintAndLog("\n14443-3b ST tag found:");
 	print_st_general_info(data);
 	return 1;
 }

+
 // SRx get and print full info (needs more info...)
-int HF14B_ST_Info(uint8_t *data, uint8_t *datalen){
-	if (!HF14B_ST_Reader(data, datalen, false)) return 0;
+static bool HF14B_ST_Info(bool verbose) {
+	uint8_t data[100];
+	uint8_t datalen;
+
+	if (!HF14B_ST_Reader(data, &datalen, false)) return false;

 	//add locking bit information here.
-	if (print_ST_Lock_info(data[5]>>2)) 
-		rawClose();
+	if (print_ST_Lock_info(data[5] >> 2))
+		switch_off_field_14b();

-	return 1;
+	return true;
 }

+
 // test for other 14b type tags (mimic another reader - don't have tags to identify)
-int HF14B_Other_Reader(uint8_t *data, uint8_t *datalen){
+static bool HF14B_Other_Reader(uint8_t *data, bool verbose) {
+	uint8_t datalen;
 	bool crc = true;
-	*datalen = 4;
+
 	//std read cmd
 	data[0] = 0x00;
 	data[1] = 0x0b;
 	data[2] = 0x3f;
 	data[3] = 0x80;
+	datalen = 4;

-	if (HF14BCmdRaw(true, &crc, true, data, datalen, false)!=0) {
-		if (*datalen > 2 || !crc) {
+	if (HF14BCmdRaw(true, &crc, true, data, &datalen, false) != 0) {
+		if (datalen > 2 || !crc) {
 			PrintAndLog ("\n14443-3b tag found:");
-			PrintAndLog ("Unknown tag type answered to a 0x000b3f80 command ans:");
-			PrintAndLog ("%s",sprint_hex(data,*datalen));
-			rawClose();
-			return 1;
+			PrintAndLog ("Unknown tag type answered to a 0x000b3f80 command:");
+			PrintAndLog ("%s", sprint_hex(data, datalen));
+			switch_off_field_14b();
+			return true;
 		}
 	}

 	crc = false;
-	*datalen = 1;
+	datalen = 1;
 	data[0] = 0x0a;

-	if (HF14BCmdRaw(true, &crc, true, data, datalen, false)!=0) {
-		if (*datalen > 0) {
+	if (HF14BCmdRaw(true, &crc, true, data, &datalen, false) != 0) {
+		if (datalen > 0) {
 			PrintAndLog ("\n14443-3b tag found:");
-			PrintAndLog ("Unknown tag type answered to a 0x0A command ans:");
-			PrintAndLog ("%s",sprint_hex(data,*datalen));
-			rawClose();
-			return 1;
+			PrintAndLog ("Unknown tag type answered to a 0x0A command:");
+			PrintAndLog ("%s", sprint_hex(data, datalen));
+			switch_off_field_14b();
+			return true;
 		}
 	}

 	crc = false;
-	*datalen = 1;
+	datalen = 1;
 	data[0] = 0x0c;

-	if (HF14BCmdRaw(true, &crc, true, data, datalen, false)!=0) {
-		if (*datalen > 0) {
+	if (HF14BCmdRaw(true, &crc, true, data, &datalen, false) != 0) {
+		if (datalen > 0) {
 			PrintAndLog ("\n14443-3b tag found:");
-			PrintAndLog ("Unknown tag type answered to a 0x0C command ans:");
-			PrintAndLog ("%s",sprint_hex(data,*datalen));
-			rawClose();
-			return 1;
+			PrintAndLog ("Unknown tag type answered to a 0x0C command:");
+			PrintAndLog ("%s", sprint_hex(data, datalen));
+			switch_off_field_14b();
+			return true;
 		}
 	}
-	rawClose();
+	switch_off_field_14b();
+	return false;
+}
+
+
+// get and print all info known about any known 14b tag
+static int usage_hf_14b_info(void) {
+	PrintAndLogEx(NORMAL, "Usage: hf 14b info [h] [s]");
+	PrintAndLogEx(NORMAL, "Options:");
+	PrintAndLogEx(NORMAL, "       h    this help");
+	PrintAndLogEx(NORMAL, "       s    silently");
+	PrintAndLogEx(NORMAL, "Example:");
+	PrintAndLogEx(NORMAL, "       hf 14b info");
 	return 0;
 }

-// get and print all info known about any known 14b tag
-int HF14BInfo(bool verbose){
+int infoHF14B(bool verbose) {
 	uint8_t data[100];
-	uint8_t datalen = 5;
+	uint8_t datalen;

 	// try std 14b (atqb)
-	if (HF14BStdInfo(data, &datalen)) return 1;
+	if (HF14B_Std_Info(data, &datalen)) return 1;

 	// try st 14b
-	if (HF14B_ST_Info(data, &datalen)) return 1;
+	if (HF14B_ST_Info(verbose)) return 1;

 	// try unknown 14b read commands (to be identified later)
 	//   could be read of calypso, CEPAS, moneo, or pico pass.
-	if (HF14B_Other_Reader(data, &datalen)) return 1;
+	if (HF14B_Other_Reader(data, verbose)) return 1;

 	if (verbose) PrintAndLog("no 14443B tag found");
 	return 0;
 }

+
 // menu command to get and print all info known about any known 14b tag
-int CmdHF14Binfo(const char *Cmd){
-	return HF14BInfo(true);
+static int CmdHF14Binfo(const char *Cmd){
+	char cmdp = tolower(param_getchar(Cmd, 0));
+	if (cmdp == 'h') return usage_hf_14b_info();
+
+	bool verbose = !(cmdp == 's');
+	return infoHF14B(verbose);
 }

+
 // get and print general info about all known 14b chips
-int HF14BReader(bool verbose){
+int readHF14B(bool verbose){
 	uint8_t data[100];
 	uint8_t datalen = 5;

@ -609,18 +635,35 @@ int HF14BReader(bool verbose){

 	// try unknown 14b read commands (to be identified later)
 	//   could be read of calypso, CEPAS, moneo, or pico pass.
-	if (HF14B_Other_Reader(data, &datalen)) return 1;
+	if (HF14B_Other_Reader(data, verbose)) return 1;

 	if (verbose) PrintAndLog("no 14443B tag found");
 	return 0;
 }

+
 // menu command to get and print general info about all known 14b chips
-int CmdHF14BReader(const char *Cmd){
-	return HF14BReader(true);
+static int usage_hf_14b_reader(void) {
+	PrintAndLogEx(NORMAL, "Usage: hf 14b reader [h] [s]");
+	PrintAndLogEx(NORMAL, "Options:");
+	PrintAndLogEx(NORMAL, "       h    this help");
+	PrintAndLogEx(NORMAL, "       s    silently");
+	PrintAndLogEx(NORMAL, "Example:");
+	PrintAndLogEx(NORMAL, "       hf 14b reader");
+	return 0;
 }

-int CmdSriWrite( const char *Cmd){
+
+static int CmdHF14BReader(const char *Cmd) {
+	char cmdp = tolower(param_getchar(Cmd, 0));
+	if (cmdp == 'h') return usage_hf_14b_reader();
+
+	bool verbose = !(cmdp == 's');
+	return readHF14B(verbose);
+}
+
+
+int CmdSriWrite(const char *Cmd) {
 /*
 * For SRIX4K  blocks 00 - 7F
 * hf 14b raw -c -p 09 $srix4kwblock $srix4kwdata
@ -631,11 +674,10 @@ int CmdSriWrite( const char *Cmd){
 * Special block FF =  otp_lock_reg block.
 * Data len 4 bytes-
 */
- 	char cmdp = param_getchar(Cmd, 0);
+	char cmdp = param_getchar(Cmd, 0);
 	uint8_t blockno = -1;
 	uint8_t data[4] = {0x00};
 	bool isSrix4k = true;
-	char str[20];	

 	if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') {
 		PrintAndLog("Usage:  hf 14b write <1|2> <BLOCK> <DATA>");
@ -654,18 +696,18 @@ int CmdSriWrite( const char *Cmd){

 	//blockno = param_get8(Cmd, 1);

-	if ( param_gethex(Cmd,1, &blockno, 2) ) {
+	if (param_gethex(Cmd,1, &blockno, 2) ) {
 		PrintAndLog("Block number must include 2 HEX symbols");
 		return 0;
 	}

-	if ( isSrix4k ){
-		if ( blockno > 0x7f && blockno != 0xff ){
+	if (isSrix4k) {
+		if (blockno > 0x7f && blockno != 0xff){
 			PrintAndLog("Block number out of range");
 			return 0;
 		}
 	} else {
-		if ( blockno > 0x0f && blockno != 0xff ){
+		if (blockno > 0x0f && blockno != 0xff){
 			PrintAndLog("Block number out of range");
 			return 0;
 		}
@ -676,17 +718,21 @@ int CmdSriWrite( const char *Cmd){
 		return 0;
 	}

-	if ( blockno == 0xff)
-		PrintAndLog("[%s] Write special block %02X [ %s ]", (isSrix4k)?"SRIX4K":"SRI512" , blockno,  sprint_hex(data,4) );
+	if (blockno == 0xff)
+		PrintAndLog("[%s] Write special block %02X [ %s ]", (isSrix4k)?"SRIX4K":"SRI512", blockno, sprint_hex(data, 4));
 	else
-		PrintAndLog("[%s] Write block %02X [ %s ]", (isSrix4k)?"SRIX4K":"SRI512", blockno,  sprint_hex(data,4) );
+		PrintAndLog("[%s] Write block %02X [ %s ]", (isSrix4k)?"SRIX4K":"SRI512", blockno, sprint_hex(data, 4));

-	sprintf(str, "-c 09 %02x %02x%02x%02x%02x", blockno, data[0], data[1], data[2], data[3]);
+	char str[22];
+	sprintf(str, "-ss -c 09 %02x %02x%02x%02x%02x", blockno, data[0], data[1], data[2], data[3]);

 	CmdHF14BCmdRaw(str);
 	return 0;
 }

+
+static int CmdHelp(const char *Cmd);
+
 static command_t CommandTable[] =
 {
  {"help",        CmdHelp,        1, "This help"},
--- a/client/cmdhf14b.h
+++ b/client/cmdhf14b.h
@ -21,6 +21,6 @@ int CmdHF14BSnoop(const char *Cmd);
 int CmdSri512Read(const char *Cmd);
 int CmdSrix4kRead(const char *Cmd);
 int CmdHF14BWrite( const char *cmd);
-int HF14BInfo(bool verbose);
+int infoHF14B(bool verbose);

 #endif
--- a/client/cmdhf15.c
+++ b/client/cmdhf15.c
--- a/client/cmdhf15.h
+++ b/client/cmdhf15.h
@ -13,16 +13,7 @@

 #include <stdbool.h>

-int CmdHF15(const char *Cmd);
-
-int CmdHF15Demod(const char *Cmd);
-int CmdHF15Read(const char *Cmd);
-int HF15Reader(const char *Cmd, bool verbose);
-int CmdHF15Reader(const char *Cmd);
-int CmdHF15Sim(const char *Cmd);
-int CmdHF15Record(const char *Cmd);
-int CmdHF15Cmd(const char*Cmd);
-int CmdHF15CmdHelp(const char*Cmd);
-int CmdHF15Help(const char*Cmd);
+extern int CmdHF15(const char *Cmd);
+extern int HF15Reader(const char *Cmd, bool verbose);

 #endif
--- a/client/cmdhffido.c
+++ b/client/cmdhffido.c
@ -0,0 +1,926 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency MIFARE  Plus commands
+//-----------------------------------------------------------------------------
+//
+//  Documentation here:
+//
+// FIDO Alliance specifications
+// https://fidoalliance.org/download/
+// FIDO NFC Protocol Specification v1.0
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-nfc-protocol-v1.2-ps-20170411.html
+// FIDO U2F Raw Message Formats
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html
+//-----------------------------------------------------------------------------
+
+
+#include "cmdhffido.h"
+
+#include <inttypes.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <jansson.h>
+#include <mbedtls/x509_crt.h>
+#include <mbedtls/x509.h>
+#include <mbedtls/pk.h>
+#include "comms.h"
+#include "cmdmain.h"
+#include "util.h"
+#include "ui.h"
+#include "proxmark3.h"
+#include "mifare.h"
+#include "emv/emvcore.h"
+#include "emv/emvjson.h"
+#include "emv/dump.h"
+#include "emv/apduinfo.h"
+#include "cliparser/cliparser.h"
+#include "crypto/asn1utils.h"
+#include "crypto/libpcrypto.h"
+#include "fido/cbortools.h"
+#include "fido/fidocore.h"
+#include "fido/cose.h"
+
+static int CmdHelp(const char *Cmd);
+
+int CmdHFFidoInfo(const char *cmd) {
+	
+	if (cmd && strlen(cmd) > 0)
+		PrintAndLog("WARNING: command don't have any parameters.\n");
+	
+	// info about 14a part
+	CmdHF14AInfo("");
+
+	// FIDO info
+	PrintAndLog("--------------------------------------------"); 
+	SetAPDULogging(false);
+	
+	uint8_t buf[APDU_RESPONSE_LEN] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+	int res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		if (sw)
+			PrintAndLog("Not a FIDO card! APDU response: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		else
+			PrintAndLog("APDU exchange error. Card returns 0x0000."); 
+		
+		DropField();
+		return 0;
+	}
+	
+	if (!strncmp((char *)buf, "U2F_V2", 7)) {
+		if (!strncmp((char *)buf, "FIDO_2_0", 8)) {
+			PrintAndLog("FIDO2 authenricator detected. Version: %.*s", len, buf); 
+		} else {
+			PrintAndLog("FIDO authenricator detected (not standard U2F)."); 
+			PrintAndLog("Non U2F authenticator version:"); 
+			dump_buffer((const unsigned char *)buf, len, NULL, 0);
+		}
+	} else {
+		PrintAndLog("FIDO U2F authenricator detected. Version: %.*s", len, buf); 
+	}
+
+	res = FIDO2GetInfo(buf, sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		return res;
+	}
+	if (sw != 0x9000) {
+		PrintAndLog("FIDO2 version not exists (%04x - %s).", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		
+		return 0;
+	}
+	
+	if(buf[0]) {
+		PrintAndLog("FIDO2 ger version error: %d - %s", buf[0], fido2GetCmdErrorDescription(buf[0])); 
+		return 0;
+	}
+
+	if (len > 1) {
+//		if (false) {
+//			PrintAndLog("FIDO2 version: (len=%d)", len); 
+//			dump_buffer((const unsigned char *)buf, len, NULL, 0);
+//		}
+
+		PrintAndLog("FIDO2 version CBOR decoded:"); 
+		TinyCborPrintFIDOPackage(fido2CmdGetInfo, true, &buf[1], len - 1);
+	} else {
+		PrintAndLog("FIDO2 version length error"); 
+	}
+	
+	return 0;
+}
+
+json_t *OpenJson(int paramnum, char *fname, void* argtable[], bool *err) {	
+	json_t *root = NULL;
+	json_error_t error;
+	*err = false;
+
+	uint8_t jsonname[250] ={0};
+	char *cjsonname = (char *)jsonname;
+	int jsonnamelen = 0;
+	
+	// CLIGetStrWithReturn(paramnum, jsonname, &jsonnamelen);
+	if (CLIParamStrToBuf(arg_get_str(paramnum), jsonname, sizeof(jsonname), &jsonnamelen))  {
+		CLIParserFree();
+		return NULL;
+	}
+	
+	// current path + file name
+	if (!strstr(cjsonname, ".json"))
+		strcat(cjsonname, ".json");
+	
+	if (jsonnamelen) {
+		strcpy(fname, get_my_executable_directory());
+		strcat(fname, cjsonname);
+		if (access(fname, F_OK) != -1) {
+			root = json_load_file(fname, 0, &error);
+			if (!root) {
+				PrintAndLog("ERROR: json error on line %d: %s", error.line, error.text);
+				*err = true;
+				return NULL; 
+			}
+			
+			if (!json_is_object(root)) {
+				PrintAndLog("ERROR: Invalid json format. root must be an object.");
+				json_decref(root);
+				*err = true;
+				return NULL; 
+			}
+			
+		} else {
+			root = json_object();
+		}
+	}
+	return root;
+}
+
+int CmdHFFidoRegister(const char *cmd) {
+	uint8_t data[64] = {0};
+	int chlen = 0;
+	uint8_t cdata[250] = {0};
+	int applen = 0;
+	uint8_t adata[250] = {0};
+	json_t *root = NULL;
+	
+	CLIParserInit("hf fido reg", 
+		"Initiate a U2F token registration. Needs two 32-byte hash number. \nchallenge parameter (32b) and application parameter (32b).", 
+		"Usage:\n\thf fido reg -> execute command with 2 parameters, filled 0x00\n"
+			"\thf fido reg 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with parameters"
+			"\thf fido reg -p s0 s1 -> execute command with plain parameters");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_litn("vV",  "verbose",  0, 2, "show technical data. vv - show full certificates data"),
+		arg_lit0("pP",  "plain",    "send plain ASCII to challenge and application parameters instead of HEX"),
+		arg_lit0("tT",  "tlv",      "Show DER certificate contents in TLV representation"),
+		arg_str0("jJ",  "json",		"fido.json", "JSON input / output file name for parameters."),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII challenge parameter (32b HEX/1..16 chars)>", NULL),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII application parameter (32b HEX/1..16 chars)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool verbose2 = arg_get_lit(2) > 1;
+	bool paramsPlain = arg_get_lit(3);
+	bool showDERTLV = arg_get_lit(4);
+
+	char fname[250] = {0};
+	bool err;
+	root = OpenJson(5, fname, argtable, &err);
+	if(err)
+		return 1;
+	if (root) {	
+		size_t jlen;
+		JsonLoadBufAsHex(root, "$.ChallengeParam", data, 32, &jlen);
+		JsonLoadBufAsHex(root, "$.ApplicationParam", &data[32], 32, &jlen);
+	}
+	
+	if (paramsPlain) {
+		memset(cdata, 0x00, 32);
+		CLIGetStrWithReturn(6, cdata, &chlen);
+		if (chlen && chlen > 16) {
+			PrintAndLog("ERROR: challenge parameter length in ASCII mode must be less than 16 chars instead of: %d", chlen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(6, cdata, &chlen);
+		if (chlen && chlen != 32) {
+			PrintAndLog("ERROR: challenge parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (chlen)
+		memmove(data, cdata, 32);
+	
+	
+	if (paramsPlain) {
+		memset(adata, 0x00, 32);
+		CLIGetStrWithReturn(7, adata, &applen);
+		if (applen && applen > 16) {
+			PrintAndLog("ERROR: application parameter length in ASCII mode must be less than 16 chars instead of: %d", applen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(7, adata, &applen);
+		if (applen && applen != 32) {
+			PrintAndLog("ERROR: application parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (applen)
+		memmove(&data[32], adata, 32);
+	
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	// challenge parameter [32 bytes] - The challenge parameter is the SHA-256 hash of the Client Data, a stringified JSON data structure that the FIDO Client prepares
+	// application parameter [32 bytes] - The application parameter is the SHA-256 hash of the UTF-8 encoding of the application identity
+	
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	int res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDORegister(data, buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute register command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute register command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	PrintAndLog("");
+	if (APDULogging)
+		PrintAndLog("---------------------------------------------------------------");
+	PrintAndLog("data len: %d", len);
+	if (verbose2) {
+		PrintAndLog("--------------data----------------------");
+		dump_buffer((const unsigned char *)buf, len, NULL, 0);
+		PrintAndLog("--------------data----------------------");
+	}
+
+	if (buf[0] != 0x05) {
+		PrintAndLog("ERROR: First byte must be 0x05, but it %2x", buf[0]);
+		return 5;
+	}
+	PrintAndLog("User public key: %s", sprint_hex(&buf[1], 65));
+	
+	uint8_t keyHandleLen = buf[66];
+	PrintAndLog("Key handle[%d]: %s", keyHandleLen, sprint_hex(&buf[67], keyHandleLen));
+	
+	int derp = 67 + keyHandleLen;
+	int derLen = (buf[derp + 2] << 8) + buf[derp + 3] + 4;
+	if (verbose2) {
+		PrintAndLog("DER certificate[%d]:\n------------------DER-------------------", derLen);
+		dump_buffer_simple((const unsigned char *)&buf[derp], derLen, NULL);
+		PrintAndLog("\n----------------DER---------------------");
+	} else {
+		if (verbose)
+			PrintAndLog("------------------DER-------------------");
+		PrintAndLog("DER certificate[%d]: %s...", derLen, sprint_hex(&buf[derp], 20));
+	}
+	
+	// check and print DER certificate
+	uint8_t public_key[65] = {0};
+	
+	// print DER certificate in TLV view
+	if (showDERTLV) {
+		PrintAndLog("----------------DER TLV-----------------");
+		asn1_print(&buf[derp], derLen, "  ");
+		PrintAndLog("----------------DER TLV-----------------");
+	}
+	
+    FIDOCheckDERAndGetKey(&buf[derp], derLen, verbose, public_key, sizeof(public_key));
+	
+	// get hash
+	int hashp = 1 + 65 + 1 + keyHandleLen + derLen;
+	PrintAndLog("Hash[%d]: %s", len - hashp, sprint_hex(&buf[hashp], len - hashp));
+
+	// check ANSI X9.62 format ECDSA signature (on P-256)
+	uint8_t rval[300] = {0}; 
+	uint8_t sval[300] = {0}; 
+	res = ecdsa_asn1_get_signature(&buf[hashp], len - hashp, rval, sval);
+	if (!res) {
+		if (verbose) {
+			PrintAndLog("  r: %s", sprint_hex(rval, 32));
+			PrintAndLog("  s: %s", sprint_hex(sval, 32));
+		}
+
+		uint8_t xbuf[4096] = {0};
+		size_t xbuflen = 0;
+		res = FillBuffer(xbuf, sizeof(xbuf), &xbuflen,
+			"\x00", 1,
+			&data[32], 32,           // application parameter  
+			&data[0], 32,            // challenge parameter
+			&buf[67], keyHandleLen,  // keyHandle
+			&buf[1], 65,             // user public key
+			NULL, 0);
+		//PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen));
+		res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[hashp], len - hashp, true);
+		if (res) {
+			if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) {
+				PrintAndLog("Signature is NOT VALID.");
+			} else {
+				PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res));
+			}
+		} else {
+			PrintAndLog("Signature is OK.");
+		}
+		
+	} else {
+		PrintAndLog("Invalid signature. res=%d.", res);
+	}
+	
+	PrintAndLog("\nauth command: ");
+	printf("hf fido auth %s%s", paramsPlain?"-p ":"", sprint_hex_inrow(&buf[67], keyHandleLen));
+	if(chlen || applen)
+		printf(" %s", paramsPlain?(char *)cdata:sprint_hex_inrow(cdata, 32));
+	if(applen)
+		printf(" %s", paramsPlain?(char *)adata:sprint_hex_inrow(adata, 32));
+	printf("\n");
+	
+	if (root) {
+		JsonSaveBufAsHex(root, "ChallengeParam", data, 32);
+		JsonSaveBufAsHex(root, "ApplicationParam", &data[32], 32);
+		JsonSaveBufAsHexCompact(root, "PublicKey", &buf[1], 65);
+		JsonSaveInt(root, "KeyHandleLen", keyHandleLen);
+		JsonSaveBufAsHexCompact(root, "KeyHandle", &buf[67], keyHandleLen);
+		JsonSaveBufAsHexCompact(root, "DER", &buf[67 + keyHandleLen], derLen);
+	
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+		
+		// free json object
+		json_decref(root);
+	}
+	
+	return 0;
+};
+
+int CmdHFFidoAuthenticate(const char *cmd) {
+	uint8_t data[512] = {0};
+	uint8_t hdata[250] = {0};
+	bool public_key_loaded = false;
+	uint8_t public_key[65] = {0}; 
+	int hdatalen = 0;
+	uint8_t keyHandleLen = 0;
+	json_t *root = NULL;
+	
+	CLIParserInit("hf fido auth", 
+		"Initiate a U2F token authentication. Needs key handle and two 32-byte hash number. \nkey handle(var 0..255), challenge parameter (32b) and application parameter (32b).", 
+		"Usage:\n\thf fido auth 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with 2 parameters, filled 0x00 and key handle\n"
+			"\thf fido auth 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f "
+				"000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with parameters");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_lit0("vV",  "verbose",  "show technical data"),
+		arg_lit0("pP",  "plain",    "send plain ASCII to challenge and application parameters instead of HEX"),
+		arg_rem("default mode:",    "dont-enforce-user-presence-and-sign"),
+		arg_lit0("uU",  "user",     "mode: enforce-user-presence-and-sign"),
+		arg_lit0("cC",  "check",    "mode: check-only"),
+		arg_str0("jJ",  "json",		"fido.json", "JSON input / output file name for parameters."),
+		arg_str0("kK",  "key",		"public key to verify signature", NULL),
+		arg_str0(NULL,  NULL,       "<HEX key handle (var 0..255b)>", NULL),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII challenge parameter (32b HEX/1..16 chars)>", NULL),
+		arg_str0(NULL,  NULL,       "<HEX/ASCII application parameter (32b HEX/1..16 chars)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool paramsPlain = arg_get_lit(3);
+	uint8_t controlByte = 0x08;
+	if (arg_get_lit(5))
+		controlByte = 0x03;
+	if (arg_get_lit(6))
+		controlByte = 0x07;
+
+	char fname[250] = {0};
+	bool err;
+	root = OpenJson(7, fname, argtable, &err);
+	if(err)
+		return 1;
+	if (root) {	
+		size_t jlen;
+		JsonLoadBufAsHex(root, "$.ChallengeParam", data, 32, &jlen);
+		JsonLoadBufAsHex(root, "$.ApplicationParam", &data[32], 32, &jlen);
+		JsonLoadBufAsHex(root, "$.KeyHandle", &data[65], 512 - 67, &jlen);
+		keyHandleLen = jlen & 0xff;
+		data[64] = keyHandleLen;
+		JsonLoadBufAsHex(root, "$.PublicKey", public_key, 65, &jlen);
+		public_key_loaded = (jlen > 0);
+	} 
+
+	// public key
+	CLIGetHexWithReturn(8, hdata, &hdatalen);
+	if (hdatalen && hdatalen != 65) {
+		PrintAndLog("ERROR: public key length must be 65 bytes only.");
+		return 1;
+	}
+	if (hdatalen) {
+		memmove(public_key, hdata, hdatalen);
+		public_key_loaded = true;
+	}	
+	
+	CLIGetHexWithReturn(9, hdata, &hdatalen);
+	if (hdatalen > 255) {
+		PrintAndLog("ERROR: application parameter length must be less than 255.");
+		return 1;
+	}
+	if (hdatalen) {
+		keyHandleLen = hdatalen;
+		data[64] = keyHandleLen;
+		memmove(&data[65], hdata, keyHandleLen);
+	}
+
+	if (paramsPlain) {
+		memset(hdata, 0x00, 32);
+		CLIGetStrWithReturn(9, hdata, &hdatalen);
+		if (hdatalen && hdatalen > 16) {
+			PrintAndLog("ERROR: challenge parameter length in ASCII mode must be less than 16 chars instead of: %d", hdatalen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(10, hdata, &hdatalen);
+		if (hdatalen && hdatalen != 32) {
+			PrintAndLog("ERROR: challenge parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (hdatalen)
+		memmove(data, hdata, 32);
+
+	if (paramsPlain) {
+		memset(hdata, 0x00, 32);
+		CLIGetStrWithReturn(11, hdata, &hdatalen);
+		if (hdatalen && hdatalen > 16) {
+			PrintAndLog("ERROR: application parameter length in ASCII mode must be less than 16 chars instead of: %d", hdatalen);
+			return 1;
+		}
+	} else {
+		CLIGetHexWithReturn(10, hdata, &hdatalen);
+		if (hdatalen && hdatalen != 32) {
+			PrintAndLog("ERROR: application parameter length must be 32 bytes only.");
+			return 1;
+		}
+	}
+	if (hdatalen)
+		memmove(&data[32], hdata, 32);
+
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	// (in parameter) conrtol byte 0x07 - check only, 0x03 - user presense + cign. 0x08 - sign only
+ 	// challenge parameter [32 bytes]
+	// application parameter [32 bytes]
+	// key handle length [1b] = N
+	// key handle [N]
+
+	uint8_t datalen = 32 + 32 + 1 + keyHandleLen;
+	
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	int res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDOAuthentication(data, datalen, controlByte,  buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute authentication command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute authentication command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	PrintAndLog("---------------------------------------------------------------");
+	PrintAndLog("User presence: %s", (buf[0]?"verified":"not verified"));
+	uint32_t cntr =  (uint32_t)bytes_to_num(&buf[1], 4);
+	PrintAndLog("Counter: %d", cntr);
+	PrintAndLog("Hash[%d]: %s", len - 5, sprint_hex(&buf[5], len - 5));
+
+	// check ANSI X9.62 format ECDSA signature (on P-256)
+	uint8_t rval[300] = {0}; 
+	uint8_t sval[300] = {0}; 
+	res = ecdsa_asn1_get_signature(&buf[5], len - 5, rval, sval);
+	if (!res) {
+		if (verbose) {
+			PrintAndLog("  r: %s", sprint_hex(rval, 32));
+			PrintAndLog("  s: %s", sprint_hex(sval, 32));
+		}
+		if (public_key_loaded) {
+			uint8_t xbuf[4096] = {0};
+			size_t xbuflen = 0;
+			res = FillBuffer(xbuf, sizeof(xbuf), &xbuflen,
+				&data[32], 32, // application parameter
+				&buf[0], 1,    // user presence
+				&buf[1], 4,    // counter
+				data, 32,      // challenge parameter
+				NULL, 0);
+			//PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen));
+			res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[5], len - 5, true);
+			if (res) {
+				if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) {
+					PrintAndLog("Signature is NOT VALID.");
+				} else {
+					PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res));
+				}
+			} else {
+				PrintAndLog("Signature is OK.");
+			}
+		} else {		
+			PrintAndLog("No public key provided. can't check signature.");
+		}
+	} else {
+		PrintAndLog("Invalid signature. res=%d.", res);
+	}
+	
+	if (root) {
+		JsonSaveBufAsHex(root, "ChallengeParam", data, 32);
+		JsonSaveBufAsHex(root, "ApplicationParam", &data[32], 32);
+		JsonSaveInt(root, "KeyHandleLen", keyHandleLen);
+		JsonSaveBufAsHexCompact(root, "KeyHandle", &data[65], keyHandleLen);
+		JsonSaveInt(root, "Counter", cntr);
+	
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+		
+		// free json object
+		json_decref(root);
+	}
+	return 0;
+};
+
+void CheckSlash(char *fileName) {
+	if ((fileName[strlen(fileName) - 1] != '/') && 
+		(fileName[strlen(fileName) - 1] != '\\'))
+		strcat(fileName, "/");
+}
+
+int GetExistsFileNameJson(char *prefixDir, char *reqestedFileName, char *fileName) {
+	fileName[0] = 0x00;
+	strcpy(fileName, get_my_executable_directory());
+	CheckSlash(fileName);
+	
+	strcat(fileName, prefixDir);
+	CheckSlash(fileName);
+	
+	strcat(fileName, reqestedFileName);
+	if (!strstr(fileName, ".json"))
+		strcat(fileName, ".json");
+	
+	if (access(fileName, F_OK) < 0) {
+		strcpy(fileName, get_my_executable_directory());
+		CheckSlash(fileName);
+		
+		strcat(fileName, reqestedFileName);
+		if (!strstr(fileName, ".json"))
+			strcat(fileName, ".json");
+		
+		if (access(fileName, F_OK) < 0) {
+			return 1; // file not found
+		}
+	}
+	return 0;
+}
+
+int CmdHFFido2MakeCredential(const char *cmd) {
+	json_error_t error;
+	json_t *root = NULL;
+	char fname[300] = {0};
+	
+	CLIParserInit("hf fido make", 
+		"Execute a FIDO2 Make Credentional command. Needs json file with parameters. Sample file `fido2.json`. File can be placed in proxmark directory or in `proxmark/fido` directory.", 
+		"Usage:\n\thf fido make -> execute command default parameters file `fido2.json`\n"
+			"\thf fido make test.json -> execute command with parameters file `text.json`");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_litn("vV",  "verbose",  0, 2, "show technical data. vv - show full certificates data"),
+		arg_lit0("tT",  "tlv",      "Show DER certificate contents in TLV representation"),
+		arg_lit0("cC",  "cbor",     "show CBOR decoded data"),
+		arg_str0(NULL,  NULL,		"<json file name>", "JSON input / output file name for parameters. Default `fido2.json`"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool verbose2 = arg_get_lit(2) > 1;
+	bool showDERTLV = arg_get_lit(3);
+	bool showCBOR = arg_get_lit(4);
+
+	uint8_t jsonname[250] ={0};
+	char *cjsonname = (char *)jsonname;
+	int jsonnamelen = 0;
+	CLIGetStrWithReturn(5, jsonname, &jsonnamelen);
+
+	if (!jsonnamelen) {
+		strcat(cjsonname, "fido2");
+		jsonnamelen = strlen(cjsonname);
+	}
+
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	int res = GetExistsFileNameJson("fido", cjsonname, fname);
+	if(res) {
+		PrintAndLog("ERROR: Can't found the json file.");
+		return res;
+	}
+	PrintAndLog("fname: %s\n", fname);
+	root = json_load_file(fname, 0, &error);	
+	if (!root) {
+		PrintAndLog("ERROR: json error on line %d: %s", error.line, error.text);
+		return 1;
+	}
+	
+	uint8_t data[2048] = {0};
+	size_t datalen = 0;
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDO2CreateMakeCredentionalReq(root, data, sizeof(data), &datalen);
+	if (res)
+		return res;
+	
+	if (showCBOR) {
+		PrintAndLog("CBOR make credentional request:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdMakeCredential, false, data, datalen);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+	
+	res = FIDO2MakeCredential(data, datalen, buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute make credential command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute make credential command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	if(buf[0]) {
+		PrintAndLog("FIDO2 make credential error: %d - %s", buf[0], fido2GetCmdErrorDescription(buf[0])); 
+		return 0;
+	}
+
+	PrintAndLog("MakeCredential result (%d b) OK.", len);
+	if (showCBOR) {
+		PrintAndLog("CBOR make credentional response:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdMakeCredential, true, &buf[1], len - 1);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+
+	// parse returned cbor
+	FIDO2MakeCredentionalParseRes(root, &buf[1], len - 1, verbose, verbose2, showCBOR, showDERTLV);
+	
+	if (root) {
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+	}
+	
+	json_decref(root);
+
+	return 0;
+};
+
+int CmdHFFido2GetAssertion(const char *cmd) {
+	json_error_t error;
+	json_t *root = NULL;
+	char fname[300] = {0};
+	
+	CLIParserInit("hf fido assert", 
+		"Execute a FIDO2 Get Assertion command. Needs json file with parameters. Sample file `fido2.json`. File can be placed in proxmark directory or in `proxmark/fido` directory.", 
+		"Usage:\n\thf fido assert -> execute command default parameters file `fido2.json`\n"
+			"\thf fido assert test.json -l -> execute command with parameters file `text.json` and add to request CredentialId");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("aA",  "apdu",     "show APDU reqests and responses"),
+		arg_litn("vV",  "verbose",  0, 2, "show technical data. vv - show full certificates data"),
+		arg_lit0("cC",  "cbor",     "show CBOR decoded data"),
+		arg_lit0("lL",  "list",     "add CredentialId from json to allowList. Needs if `rk` option is `false` (authenticator don't store credential to its memory)"),
+		arg_str0(NULL,  NULL,		"<json file name>", "JSON input / output file name for parameters. Default `fido2.json`"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool APDULogging = arg_get_lit(1);
+	bool verbose = arg_get_lit(2);
+	bool verbose2 = arg_get_lit(2) > 1;
+	bool showCBOR = arg_get_lit(3);
+	bool createAllowList = arg_get_lit(4);
+
+	uint8_t jsonname[250] ={0};
+	char *cjsonname = (char *)jsonname;
+	int jsonnamelen = 0;
+	CLIGetStrWithReturn(5, jsonname, &jsonnamelen);
+
+	if (!jsonnamelen) {
+		strcat(cjsonname, "fido2");
+		jsonnamelen = strlen(cjsonname);
+	}
+
+	CLIParserFree();	
+	
+	SetAPDULogging(APDULogging);
+
+	int res = GetExistsFileNameJson("fido", "fido2", fname);
+	if(res) {
+		PrintAndLog("ERROR: Can't found the json file.");
+		return res;
+	}
+	PrintAndLog("fname: %s\n", fname);
+	root = json_load_file(fname, 0, &error);	
+	if (!root) {
+		PrintAndLog("ERROR: json error on line %d: %s", error.line, error.text);
+		return 1;
+	}
+	
+	uint8_t data[2048] = {0};
+	size_t datalen = 0;
+	uint8_t buf[2048] = {0};
+	size_t len = 0;
+	uint16_t sw = 0;
+
+	DropField();
+	res = FIDOSelect(true, true, buf, sizeof(buf), &len, &sw);
+
+	if (res) {
+		PrintAndLog("Can't select authenticator. res=%x. Exit...", res);
+		DropField();
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("Can't select FIDO application. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		DropField();
+		return 2;
+	}
+
+	res = FIDO2CreateGetAssertionReq(root, data, sizeof(data), &datalen, createAllowList);
+	if (res)
+		return res;
+	
+	if (showCBOR) {
+		PrintAndLog("CBOR get assertion request:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdGetAssertion, false, data, datalen);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+	
+	res = FIDO2GetAssertion(data, datalen, buf,  sizeof(buf), &len, &sw);
+	DropField();
+	if (res) {
+		PrintAndLog("Can't execute get assertion command. res=%x. Exit...", res);
+		return res;
+	}
+	
+	if (sw != 0x9000) {
+		PrintAndLog("ERROR execute get assertion command. APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff)); 
+		return 3;
+	}
+	
+	if(buf[0]) {
+		PrintAndLog("FIDO2 get assertion error: %d - %s", buf[0], fido2GetCmdErrorDescription(buf[0])); 
+		return 0;
+	}
+
+	PrintAndLog("GetAssertion result (%d b) OK.", len);
+	if (showCBOR) {
+		PrintAndLog("CBOR get assertion response:");
+		PrintAndLog("---------------- CBOR ------------------");
+		TinyCborPrintFIDOPackage(fido2CmdGetAssertion, true, &buf[1], len - 1);
+		PrintAndLog("---------------- CBOR ------------------");
+	}
+
+	// parse returned cbor
+	FIDO2GetAssertionParseRes(root, &buf[1], len - 1, verbose, verbose2, showCBOR);
+	
+	if (root) {
+		res = json_dump_file(root, fname, JSON_INDENT(2));
+		if (res) {
+			PrintAndLog("ERROR: can't save the file: %s", fname);
+			return 200;
+		}
+		PrintAndLog("File `%s` saved.", fname);
+	}
+
+	json_decref(root);
+	
+	return 0;
+};
+
+static command_t CommandTable[] =
+{
+  {"help",             CmdHelp,					1, "This help."},
+  {"info",  	       CmdHFFidoInfo,			0, "Info about FIDO tag."},
+  {"reg",  	  	 	   CmdHFFidoRegister,		0, "FIDO U2F Registration Message."},
+  {"auth",  	       CmdHFFidoAuthenticate,	0, "FIDO U2F Authentication Message."},
+  {"make",  	       CmdHFFido2MakeCredential,	0, "FIDO2 MakeCredential command."},
+  {"assert",  	       CmdHFFido2GetAssertion,		0, "FIDO2 GetAssertion command."},
+  {NULL,               NULL,					0, NULL}
+};
+
+int CmdHFFido(const char *Cmd) {
+	(void)WaitForResponseTimeout(CMD_ACK,NULL,100);
+	CmdsParse(CommandTable, Cmd);
+	return 0;
+}
+
+int CmdHelp(const char *Cmd) {
+  CmdsHelp(CommandTable);
+  return 0;
+}
--- a/client/cmdhffido.h
+++ b/client/cmdhffido.h
@ -0,0 +1,27 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency FIDO U2F and FIDO2 contactless authenticators
+//-----------------------------------------------------------------------------
+//
+//  Documentation here:
+//
+// FIDO Alliance specifications
+// https://fidoalliance.org/download/
+// FIDO NFC Protocol Specification v1.0
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-nfc-protocol-v1.2-ps-20170411.html
+// FIDO U2F Raw Message Formats
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html
+//-----------------------------------------------------------------------------
+
+#ifndef CMDHFFIDO_H__
+#define CMDHFFIDO_H__
+
+extern int CmdHFFido(const char *Cmd);
+
+
+#endif
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
--- a/client/cmdhficlass.h
+++ b/client/cmdhficlass.h
@ -13,28 +13,6 @@
 #define CMDHFICLASS_H__

 int CmdHFiClass(const char *Cmd);
+int HFiClassReader(bool loop, bool verbose);

-int CmdHFiClassCalcNewKey(const char *Cmd);
-int CmdHFiClassCloneTag(const char *Cmd);
-int CmdHFiClassDecrypt(const char *Cmd);
-int CmdHFiClassEncryptBlk(const char *Cmd);
-int CmdHFiClassELoad(const char *Cmd);
-int CmdHFiClassList(const char *Cmd);
-int HFiClassReader(const char *Cmd, bool loop, bool verbose);
-int CmdHFiClassReader(const char *Cmd);
-int CmdHFiClassReader_Dump(const char *Cmd);
-int CmdHFiClassReader_Replay(const char *Cmd);
-int CmdHFiClassReadKeyFile(const char *filename);
-int CmdHFiClassReadTagFile(const char *Cmd);
-int CmdHFiClass_ReadBlock(const char *Cmd);
-int CmdHFiClass_TestMac(const char *Cmd);
-int CmdHFiClassManageKeys(const char *Cmd);
-int CmdHFiClass_loclass(const char *Cmd);
-int CmdHFiClassSnoop(const char *Cmd);
-int CmdHFiClassSim(const char *Cmd);
-int CmdHFiClassWriteKeyFile(const char *Cmd);
-int CmdHFiClass_WriteBlock(const char *Cmd);
-int CmdHFiClassCheckKeys(const char *Cmd);
-void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize);
-void HFiClassCalcDivKey(uint8_t	*CSN, uint8_t	*KEY, uint8_t *div_key, bool elite);
 #endif
--- a/client/cmdhflegic.c
+++ b/client/cmdhflegic.c
@ -18,32 +18,33 @@
 #include "cmdparser.h"
 #include "cmdmain.h"
 #include "util.h"
+#include "../include/legic.h"

 static int CmdHelp(const char *Cmd);

 static command_t CommandTable[] =
 {
-  {"help",        CmdHelp,        1, "This help"},
-  {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
-  {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
-  {"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
-  {"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
-  {"sim",         CmdLegicRfSim,  0, "[tagtype, 0:MIM22, 1:MIM256, 2:MIM1024] Start tag simulator (use after load or read)"},
-  {"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
-  {"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
-  {NULL, NULL, 0, NULL}
+	{"help",        CmdHelp,        1, "This help"},
+	{"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
+	{"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
+	{"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
+	{"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
+	{"sim",         CmdLegicRfSim,  0, "[tagtype, 0:MIM22, 1:MIM256, 2:MIM1024] Start tag simulator (use after load or read)"},
+	{"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
+	{"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
+	{NULL,          NULL,           0, NULL}
 };

 int CmdHFLegic(const char *Cmd)
 {
-  CmdsParse(CommandTable, Cmd);
-  return 0;
+	CmdsParse(CommandTable, Cmd);
+	return 0;
 }

 int CmdHelp(const char *Cmd)
 {
-  CmdsHelp(CommandTable);
-  return 0;
+	CmdsHelp(CommandTable);
+	return 0;
 }

 /*
@ -53,168 +54,184 @@ int CmdHelp(const char *Cmd)
 */
 int CmdLegicDecode(const char *Cmd)
 {
-  int i, j, k, n;
-  int segment_len = 0;
-  int segment_flag = 0;
-  int stamp_len = 0;
-  int crc = 0;
-  int wrp = 0;
-  int wrc = 0;
-  uint8_t data_buf[1053]; // receiver buffer
-  char out_string[3076]; // just use big buffer - bad practice
-  char token_type[4];
+	int i, j, k, n;
+	int segment_len = 0;
+	int segment_flag = 0;
+	int stamp_len = 0;
+	int crc = 0;
+	int wrp = 0;
+	int wrc = 0;
+	uint8_t data_buf[1053]; // receiver buffer
+	char out_string[3076]; // just use big buffer - bad practice
+	char token_type[4];

-  // copy data from proxmark into buffer
-   GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);
+	// copy data from proxmark into buffer
+	GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);

-  // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
+	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)

-  PrintAndLog("\nCDF: System Area");
+	PrintAndLog("\nCDF: System Area");

-  PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
-    data_buf[0],
-    data_buf[1],
-    data_buf[2],
-    data_buf[3],
-    data_buf[4]
-  );
+	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
+		data_buf[0],
+		data_buf[1],
+		data_buf[2],
+		data_buf[3],
+		data_buf[4]
+	);

-  crc = data_buf[4];
+	crc = data_buf[4];

-  switch (data_buf[5]&0x7f) {
-    case 0x00 ... 0x2f:
-      strncpy(token_type, "IAM",sizeof(token_type));
-      break;
-    case 0x30 ... 0x6f:
-      strcpy(token_type, "SAM");
-      break;
-    case 0x70 ... 0x7f:
-      strcpy(token_type, "GAM");
-      break;
-    default:
-      strcpy(token_type, "???");
-      break;
-  }
+	switch (data_buf[5]&0x7f) {
+	case 0x00 ... 0x2f:
+		strncpy(token_type, "IAM",sizeof(token_type));
+		break;
+	case 0x30 ... 0x6f:
+		strcpy(token_type, "SAM");
+		break;
+	case 0x70 ... 0x7f:
+		strcpy(token_type, "GAM");
+		break;
+	default:
+		strcpy(token_type, "???");
+		break;
+	}

-  stamp_len = 0xfc - data_buf[6];
+	stamp_len = 0xfc - data_buf[6];

-  PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
-    data_buf[5],
-    data_buf[6],
-    token_type,
-    (data_buf[5]&0x80)>>7,
-    stamp_len
-  );
+	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
+		data_buf[5],
+		data_buf[6],
+		token_type,
+		(data_buf[5]&0x80)>>7,
+		stamp_len
+	);

-  PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
-    data_buf[7]&0x0f,
-    (data_buf[7]&0x70)>>4,
-    (data_buf[7]&0x80)>>7,
-    data_buf[7],
-    data_buf[8]
-  );
+	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
+		data_buf[7]&0x0f,
+		(data_buf[7]&0x70)>>4,
+		(data_buf[7]&0x80)>>7,
+		data_buf[7],
+		data_buf[8]
+	);

-  PrintAndLog("Remaining Header Area");
+	PrintAndLog("Remaining Header Area");

-  PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
-      data_buf[9],
-    data_buf[10],
-    data_buf[11],
-    data_buf[12],
-    data_buf[13],
-    data_buf[14],
-    data_buf[15],
-    data_buf[16],
-    data_buf[17],
-    data_buf[18],
-    data_buf[19],
-    data_buf[20],
-    data_buf[21]
-  );
+	PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+		data_buf[9],
+		data_buf[10],
+		data_buf[11],
+		data_buf[12],
+		data_buf[13],
+		data_buf[14],
+		data_buf[15],
+		data_buf[16],
+		data_buf[17],
+		data_buf[18],
+		data_buf[19],
+		data_buf[20],
+		data_buf[21]
+	);

-  PrintAndLog("\nADF: User Area");
+	PrintAndLog("\nADF: User Area");

-  i = 22;  
-  for (n=0; n<64; n++) {
-    segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
-    segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
+	i = 22;
+	for (n=0; n<64; n++) {
+		segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
+		segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;

-    wrp = (data_buf[i+2]^crc);
-    wrc = ((data_buf[i+3]^crc)&0x70)>>4;
+		wrp = (data_buf[i+2]^crc);
+		wrc = ((data_buf[i+3]^crc)&0x70)>>4;

-     PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
-      n,
-      data_buf[i]^crc,
-      data_buf[i+1]^crc,
-      data_buf[i+2]^crc,
-      data_buf[i+3]^crc,
-      segment_flag,
-      (segment_flag&0x4)>>2,
-      (segment_flag&0x8)>>3,
-      segment_len,
-      wrp,
-      wrc,
-      ((data_buf[i+3]^crc)&0x80)>>7,
-      (data_buf[i+4]^crc)
-    );
+		PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
+			n,
+			data_buf[i]^crc,
+			data_buf[i+1]^crc,
+			data_buf[i+2]^crc,
+			data_buf[i+3]^crc,
+			segment_flag,
+			(segment_flag&0x4)>>2,
+			(segment_flag&0x8)>>3,
+			segment_len,
+			wrp,
+			wrc,
+			((data_buf[i+3]^crc)&0x80)>>7,
+			(data_buf[i+4]^crc)
+		);

-    i+=5;
+		i+=5;

-    if (wrc>0) {
-      PrintAndLog("WRC protected area:");
-      for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
-        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
-        out_string[j+2] = ' ';
-      };
+		if (wrc>0) {
+			PrintAndLog("WRC protected area:");
+			for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
+				sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
+				out_string[j+2] = ' ';
+			};

-      out_string[j] = '\0';
+			out_string[j] = '\0';

-      PrintAndLog("%s", out_string);
-    }
+			PrintAndLog("%s", out_string);
+		}

-    if (wrp>wrc) {
-      PrintAndLog("Remaining write protected area:");
+		if (wrp>wrc) {
+			PrintAndLog("Remaining write protected area:");

-      for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
-        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
-        out_string[j+2] = ' ';
-      };
+			for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
+				sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
+				out_string[j+2] = ' ';
+			};

-      out_string[j] = '\0';
+			out_string[j] = '\0';

-      PrintAndLog("%s", out_string);
-      if((wrp-wrc) == 8) {
-        sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
-        PrintAndLog("%s", out_string);
-      }
-    }
+			PrintAndLog("%s", out_string);
+			if((wrp-wrc) == 8) {
+				sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
+				PrintAndLog("%s", out_string);
+			}
+		}

-    PrintAndLog("Remaining segment payload:");
-    for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
-      sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
-      out_string[j+2] = ' ';
-    };
+		PrintAndLog("Remaining segment payload:");
+		for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
+			sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
+			out_string[j+2] = ' ';
+		};

-    out_string[j] = '\0';
+		out_string[j] = '\0';

-    PrintAndLog("%s", out_string);
+		PrintAndLog("%s", out_string);

-    // end with last segment
-    if (segment_flag & 0x8)
-      return 0;
-  };
-  return 0;
+		// end with last segment
+		if (segment_flag & 0x8)
+			return 0;
+	};
+	return 0;
 }

 int CmdLegicRFRead(const char *Cmd)
 {
-  int byte_count=0,offset=0;
-  sscanf(Cmd, "%i %i", &offset, &byte_count);
-  if(byte_count == 0) byte_count = -1;
-  if(byte_count + offset > 1024) byte_count = 1024 - offset;
-  UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
-  SendCommand(&c);
-  return 0;
+	int byte_count=0,offset=0;
+	sscanf(Cmd, "%i %i", &offset, &byte_count);
+	if(byte_count == 0) byte_count = -1;
+	if(byte_count + offset > 1024) byte_count = 1024 - offset;
+	UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
+	SendCommand(&c);
+	UsbCommand resp;
+	WaitForResponse(CMD_ACK,&resp);
+	switch (resp.arg[0]) {
+		legic_card_select_t card;
+		case 0:
+			memcpy(&card, resp.d.asBytes, sizeof(card));
+			PrintAndLog("Card (MIM %i) read, use 'hf legic decode' or", card.cardsize);
+			PrintAndLog("'data hexsamples %d' to view results", (resp.arg[1] + 7) & ~7);
+			break;
+		case 1:
+			PrintAndLog("No or unknown card found, aborting");
+			break;
+		case 2:
+			PrintAndLog("operation failed @ 0x%03.3x", resp.arg[1]);
+			break;
+		}
+	return resp.arg[0];
 }

 int CmdLegicLoad(const char *Cmd)
@ -236,85 +253,85 @@ int CmdLegicLoad(const char *Cmd)
 	}
 	memcpy(filename, Cmd, len);

-    FILE *f = fopen(filename, "r");
-    if(!f) {
-        PrintAndLog("couldn't open '%s'", Cmd);
-        return -1;
-    }
-    char line[80]; int offset = 0; unsigned int data[8];
-    while(fgets(line, sizeof(line), f)) {
-        int res = sscanf(line, "%x %x %x %x %x %x %x %x", 
-            &data[0], &data[1], &data[2], &data[3],
-            &data[4], &data[5], &data[6], &data[7]);
-        if(res != 8) {
-          PrintAndLog("Error: could not read samples");
-          fclose(f);
-          return -1;
-        }
-        UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
-        int j; for(j = 0; j < 8; j++) {
-            c.d.asBytes[j] = data[j];
-        }
-        SendCommand(&c);
-        WaitForResponse(CMD_ACK, NULL);
-        offset += 8;
-    }
-    fclose(f);
-    PrintAndLog("loaded %u samples", offset);
-    return 0;
+	FILE *f = fopen(filename, "r");
+	if (!f) {
+		PrintAndLog("couldn't open '%s'", Cmd);
+		return -1;
+	}
+	char line[80]; int offset = 0; unsigned int data[8];
+	while (fgets(line, sizeof(line), f)) {
+		int res = sscanf(line, "%x %x %x %x %x %x %x %x",
+			&data[0], &data[1], &data[2], &data[3],
+			&data[4], &data[5], &data[6], &data[7]);
+		if (res != 8) {
+			PrintAndLog("Error: could not read samples");
+			fclose(f);
+			return -1;
+		}
+		UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
+		int j; for(j = 0; j < 8; j++) {
+			c.d.asBytes[j] = data[j];
+		}
+		SendCommand(&c);
+		WaitForResponse(CMD_ACK, NULL);
+		offset += 8;
+	}
+	fclose(f);
+	PrintAndLog("loaded %u samples", offset);
+	return 0;
 }

 int CmdLegicSave(const char *Cmd)
 {
-  int requested = 1024;
-  int offset = 0;
-  int delivered = 0;
-  char filename[FILE_PATH_SIZE];
-  uint8_t got[1024];
+	int requested = 1024;
+	int offset = 0;
+	int delivered = 0;
+	char filename[FILE_PATH_SIZE];
+	uint8_t got[1024];

-  sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
+	sscanf(Cmd, " %s %i %i", filename, &requested, &offset);

-  /* If no length given save entire legic read buffer */
-  /* round up to nearest 8 bytes so the saved data can be used with legicload */
-  if (requested == 0) {
-    requested = 1024;
-  }
-  if (requested % 8 != 0) {
-    int remainder = requested % 8;
-    requested = requested + 8 - remainder;
-  }
-  if (offset + requested > sizeof(got)) {
-    PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
-    return 0;
-  }
+	/* If no length given save entire legic read buffer */
+	/* round up to nearest 8 bytes so the saved data can be used with legicload */
+	if (requested == 0) {
+		requested = 1024;
+	}
+	if (requested % 8 != 0) {
+		int remainder = requested % 8;
+		requested = requested + 8 - remainder;
+	}
+	if (offset + requested > sizeof(got)) {
+		PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
+		return 0;
+	}

-  FILE *f = fopen(filename, "w");
-  if(!f) {
-    PrintAndLog("couldn't open '%s'", Cmd+1);
-    return -1;
-  }
+	FILE *f = fopen(filename, "w");
+	if (!f) {
+		PrintAndLog("couldn't open '%s'", Cmd+1);
+		return -1;
+	}

-  GetFromBigBuf(got, requested, offset, NULL, -1, false);
+	GetFromBigBuf(got, requested, offset, NULL, -1, false);

-  for (int j = 0; j < requested; j += 8) {
-    fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
-      got[j+0],
-      got[j+1],
-      got[j+2],
-      got[j+3],
-      got[j+4],
-      got[j+5],
-      got[j+6],
-      got[j+7]
-    );
-    delivered += 8;
-    if (delivered >= requested)
-      break;
-  }
+	for (int j = 0; j < requested; j += 8) {
+		fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
+			got[j+0],
+			got[j+1],
+			got[j+2],
+			got[j+3],
+			got[j+4],
+			got[j+5],
+			got[j+6],
+			got[j+7]
+		);
+		delivered += 8;
+		if (delivered >= requested)
+			break;
+	}

-  fclose(f);
-  PrintAndLog("saved %u samples", delivered);
-  return 0;
+	fclose(f);
+	PrintAndLog("saved %u samples", delivered);
+	return 0;
 }

 int CmdLegicRfSim(const char *Cmd)
@ -328,36 +345,36 @@ int CmdLegicRfSim(const char *Cmd)

 int CmdLegicRfWrite(const char *Cmd)
 {
-    UsbCommand c={CMD_WRITER_LEGIC_RF};
-    int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
-	if(res != 2) {
+	UsbCommand c={CMD_WRITER_LEGIC_RF};
+	int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
+	if (res != 2) {
 		PrintAndLog("Please specify the offset and length as two hex strings");
-        return -1;
-    }
-    SendCommand(&c);
-    return 0;
+		return -1;
+	}
+	SendCommand(&c);
+	return 0;
 }

 int CmdLegicRfFill(const char *Cmd)
 {
-    UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
-    int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
-    if(res != 3) {
-        PrintAndLog("Please specify the offset, length and value as two hex strings");
-        return -1;
-    }
+	UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
+	int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
+	if (res != 3) {
+		PrintAndLog("Please specify the offset, length and value as two hex strings");
+		return -1;
+	}

-    int i;
-    UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
-    for(i = 0; i < 48; i++) {
-      c.d.asBytes[i] = cmd.arg[2];
-    }
-    for(i = 0; i < 22; i++) {
-      c.arg[0] = i*48;
-      SendCommand(&c);
-      WaitForResponse(CMD_ACK,NULL);
-    }
-    SendCommand(&cmd);
-    return 0;
+	int i;
+	UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
+	for (i = 0; i < 48; i++) {
+		c.d.asBytes[i] = cmd.arg[2];
+	}
+	for (i = 0; i < 22; i++) {
+		c.arg[0] = i*48;
+		SendCommand(&c);
+		WaitForResponse(CMD_ACK,NULL);
+	}
+	SendCommand(&cmd);
+	return 0;
 }

--- a/client/cmdhflist.c
+++ b/client/cmdhflist.c
--- a/client/cmdhflist.h
+++ b/client/cmdhflist.h
@ -1,4 +1,5 @@
 //-----------------------------------------------------------------------------
+// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
 // Copyright (C) Merlok - 2017
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
@ -10,38 +11,6 @@
 #ifndef CMDHFLIST_H
 #define CMDHFLIST_H

-#include <stdlib.h>
-#include <stdint.h>
-#include <stdbool.h>
+extern int CmdHFList(const char *Cmd);

-typedef struct {
-	uint32_t uid;       // UID
-	uint32_t nt;        // tag challenge
-	uint32_t nt_enc;    // encrypted tag challenge
-	uint8_t nt_enc_par; // encrypted tag challenge parity
-	uint32_t nr_enc;    // encrypted reader challenge
-	uint32_t ar_enc;    // encrypted reader response
-	uint8_t ar_enc_par; // encrypted reader response parity
-	uint32_t at_enc;    // encrypted tag response
-	uint8_t at_enc_par; // encrypted tag response parity
-	bool first_auth;    // is first authentication
-	uint32_t ks2;		// ar ^ ar_enc
-	uint32_t ks3;       // at ^ at_enc
-} TAuthData;
-extern void ClearAuthData();
-
-extern uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len);
-extern uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len);
-extern void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize);
-extern void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize);
-extern void annotateTopaz(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize);
-extern void annotateIso14443b(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize);
-extern void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize);
-extern void annotateMifare(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize, uint8_t* parity, uint8_t paritysize, bool isResponse);
-extern bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen);
-extern bool NTParityChk(TAuthData *ad, uint32_t ntx);
-extern bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity);
-extern bool CheckCrypto1Parity(uint8_t *cmd_enc, uint8_t cmdsize, uint8_t *cmd, uint8_t *parity_enc);
-extern uint64_t GetCrypto1ProbableKey(TAuthData *ad);
-
-#endif // CMDHFLIST
+#endif // CMDHFLIST_H
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
--- a/client/cmdhfmf.h
+++ b/client/cmdhfmf.h
@ -11,37 +11,6 @@
 #ifndef CMDHFMF_H__
 #define CMDHFMF_H__

-#include "mifaredefault.h"
-
 extern int CmdHFMF(const char *Cmd);

-extern int CmdHF14AMfDbg(const char* cmd);
-extern int CmdHF14AMfRdBl(const char* cmd);
-extern int CmdHF14AMfURdBl(const char* cmd);
-extern int CmdHF14AMfRdSc(const char* cmd);
-extern int CmdHF14SMfURdCard(const char* cmd);
-extern int CmdHF14AMfDump(const char* cmd);
-extern int CmdHF14AMfRestore(const char* cmd);
-extern int CmdHF14AMfWrBl(const char* cmd);
-extern int CmdHF14AMfUWrBl(const char* cmd);
-extern int CmdHF14AMfChk(const char* cmd);
-extern int CmdHF14AMifare(const char* cmd);
-extern int CmdHF14AMfNested(const char* cmd);
-extern int CmdHF14AMfSniff(const char* cmd);
-extern int CmdHF14AMf1kSim(const char* cmd);
-extern int CmdHF14AMfEClear(const char* cmd);
-extern int CmdHF14AMfEGet(const char* cmd);
-extern int CmdHF14AMfESet(const char* cmd);
-extern int CmdHF14AMfELoad(const char* cmd);
-extern int CmdHF14AMfESave(const char* cmd);
-extern int CmdHF14AMfECFill(const char* cmd);
-extern int CmdHF14AMfEKeyPrn(const char* cmd);
-extern int CmdHF14AMfCWipe(const char* cmd);
-extern int CmdHF14AMfCSetUID(const char* cmd);
-extern int CmdHF14AMfCSetBlk(const char* cmd);
-extern int CmdHF14AMfCGetBlk(const char* cmd);
-extern int CmdHF14AMfCGetSc(const char* cmd);
-extern int CmdHF14AMfCLoad(const char* cmd);
-extern int CmdHF14AMfCSave(const char* cmd);
-
 #endif
--- a/client/cmdhfmfp.c
+++ b/client/cmdhfmfp.c
@ -0,0 +1,867 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+// Copyright (C) 2018 drHatson
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency MIFARE  Plus commands
+//-----------------------------------------------------------------------------
+
+#include "cmdhfmfp.h"
+
+#include <inttypes.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include "comms.h"
+#include "cmdmain.h"
+#include "util.h"
+#include "ui.h"
+#include "cmdhf14a.h"
+#include "mifare.h"
+#include "mifare/mifare4.h"
+#include "mifare/mad.h"
+#include "mifare/ndef.h"
+#include "cliparser/cliparser.h"
+#include "crypto/libpcrypto.h"
+#include "emv/dump.h"
+
+static const uint8_t DefaultKey[16] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+
+static int CmdHelp(const char *Cmd);
+
+int CmdHFMFPInfo(const char *cmd) {
+	
+	if (cmd && strlen(cmd) > 0)
+		PrintAndLog("WARNING: command don't have any parameters.\n");
+	
+	// info about 14a part
+	CmdHF14AInfo("");
+
+	// Mifare Plus info
+	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
+	SendCommand(&c);
+
+	UsbCommand resp;
+	WaitForResponse(CMD_ACK,&resp);
+	
+	iso14a_card_select_t card;
+	memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
+
+	uint64_t select_status = resp.arg[0];		// 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+	
+	if (select_status == 1 || select_status == 2) {
+		PrintAndLog("----------------------------------------------");
+		PrintAndLog("Mifare Plus info:");
+		
+		// MIFARE Type Identification Procedure
+		// https://www.nxp.com/docs/en/application-note/AN10833.pdf
+		uint16_t ATQA = card.atqa[0] + (card.atqa[1] << 8);
+		if (ATQA == 0x0004) PrintAndLog("ATQA: Mifare Plus 2k 4bUID");
+		if (ATQA == 0x0002) PrintAndLog("ATQA: Mifare Plus 4k 4bUID");
+		if (ATQA == 0x0044) PrintAndLog("ATQA: Mifare Plus 2k 7bUID");
+		if (ATQA == 0x0042) PrintAndLog("ATQA: Mifare Plus 4k 7bUID");
+		
+		uint8_t SLmode = 0xff;
+		if (card.sak == 0x08) {
+			PrintAndLog("SAK: Mifare Plus 2k 7bUID");
+			if (select_status == 2) SLmode = 1;
+		}
+		if (card.sak == 0x18) {
+			PrintAndLog("SAK: Mifare Plus 4k 7bUID");
+			if (select_status == 2) SLmode = 1;
+		}
+		if (card.sak == 0x10) {
+			PrintAndLog("SAK: Mifare Plus 2k");
+			if (select_status == 2) SLmode = 2;
+		}
+		if (card.sak == 0x11) {
+			PrintAndLog("SAK: Mifare Plus 4k");
+			if (select_status == 2) SLmode = 2;
+		}
+		if (card.sak == 0x20) {
+			PrintAndLog("SAK: Mifare Plus SL0/SL3 or Mifare desfire");
+			if (card.ats_len > 0) {
+				SLmode = 3;
+
+				// check SL0
+				uint8_t data[250] = {0};
+				int datalen = 0;
+				// https://github.com/Proxmark/proxmark3/blob/master/client/scripts/mifarePlus.lua#L161
+				uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00};
+				int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen);
+				if (!res && datalen > 1 && data[0] == 0x09) {
+					SLmode = 0;
+				}
+			}
+		}
+		
+		if (SLmode != 0xff)
+			PrintAndLog("Mifare Plus SL mode: SL%d", SLmode);
+		else
+			PrintAndLog("Mifare Plus SL mode: unknown(");
+	} else {
+		PrintAndLog("Mifare Plus info not available.");
+	}
+	
+	DropField();
+	
+	return 0;
+}
+
+int CmdHFMFPWritePerso(const char *cmd) {
+	uint8_t keyNum[64] = {0};
+	int keyNumLen = 0;
+	uint8_t key[64] = {0};
+	int keyLen = 0;
+
+	CLIParserInit("hf mfp wrp", 
+		"Executes Write Perso command. Can be used in SL0 mode only.", 
+		"Usage:\n\thf mfp wrp 4000 000102030405060708090a0b0c0d0e0f -> write key (00..0f) to key number 4000 \n"
+			"\thf mfp wrp 4000 -> write default key(0xff..0xff) to key number 4000");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_str1(NULL,  NULL,      "<HEX key number (2b)>", NULL),
+		arg_strx0(NULL,  NULL,     "<HEX key (16b)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	CLIGetHexWithReturn(2, keyNum, &keyNumLen);
+	CLIGetHexWithReturn(3, key, &keyLen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+	
+	if (!keyLen) {
+		memmove(key, DefaultKey, 16);
+		keyLen = 16;
+	}
+	
+	if (keyNumLen != 2) {
+		PrintAndLog("Key number length must be 2 bytes instead of: %d", keyNumLen);
+		return 1;
+	}
+	if (keyLen != 16) {
+		PrintAndLog("Key length must be 16 bytes instead of: %d", keyLen);
+		return 1;
+	}
+
+	uint8_t data[250] = {0};
+	int datalen = 0;
+
+	int res = MFPWritePerso(keyNum, key, true, false, data, sizeof(data), &datalen);
+	if (res) {
+		PrintAndLog("Exchange error: %d", res);
+		return res;
+	}
+	
+	if (datalen != 3) {
+		PrintAndLog("Command must return 3 bytes instead of: %d", datalen);
+		return 1;
+	}
+
+	if (data[0] != 0x90) {
+		PrintAndLog("Command error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		return 1;
+	}
+	PrintAndLog("Write OK.");
+	
+	return 0;
+}
+
+uint16_t CardAddresses[] = {0x9000, 0x9001, 0x9002, 0x9003, 0x9004, 0xA000, 0xA001, 0xA080, 0xA081, 0xC000, 0xC001};
+
+int CmdHFMFPInitPerso(const char *cmd) {
+	int res;
+	uint8_t key[256] = {0};
+	int keyLen = 0;
+	uint8_t keyNum[2] = {0};
+	uint8_t data[250] = {0};
+	int datalen = 0;
+
+	CLIParserInit("hf mfp initp", 
+		"Executes Write Perso command for all card's keys. Can be used in SL0 mode only.", 
+		"Usage:\n\thf mfp initp 000102030405060708090a0b0c0d0e0f -> fill all the keys with key (00..0f)\n"
+			"\thf mfp initp -vv -> fill all the keys with default key(0xff..0xff) and show all the data exchange");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_litn("vV",  "verbose", 0, 2, "show internal data."),
+		arg_strx0(NULL,  NULL,      "<HEX key (16b)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	bool verbose2 = arg_get_lit(1) > 1;
+	CLIGetHexWithReturn(2, key, &keyLen);
+	CLIParserFree();
+
+	if (keyLen && keyLen != 16) {
+		PrintAndLog("Key length must be 16 bytes instead of: %d", keyLen);
+		return 1;
+	}
+	
+	if (!keyLen)
+		memmove(key, DefaultKey, 16);
+
+	mfpSetVerboseMode(verbose2);
+	for (uint16_t sn = 0x4000; sn < 0x4050; sn++) {
+		keyNum[0] = sn >> 8;
+		keyNum[1] = sn & 0xff;
+		res = MFPWritePerso(keyNum, key, (sn == 0x4000), true, data, sizeof(data), &datalen);
+		if (!res && (datalen == 3) && data[0] == 0x09) {
+			PrintAndLog("2k card detected.");
+			break;
+		}
+		if (res || (datalen != 3) || data[0] != 0x90) {
+			PrintAndLog("Write error on address %04x", sn);
+			break;
+		}
+	}
+	
+	mfpSetVerboseMode(verbose);
+	for (int i = 0; i < sizeof(CardAddresses) / 2; i++) {
+		keyNum[0] = CardAddresses[i] >> 8;
+		keyNum[1] = CardAddresses[i] & 0xff;
+		res = MFPWritePerso(keyNum, key, false, true, data, sizeof(data), &datalen);
+		if (!res && (datalen == 3) && data[0] == 0x09) {
+			PrintAndLog("Skipped[%04x]...", CardAddresses[i]);
+		} else {
+			if (res || (datalen != 3) || data[0] != 0x90) {
+				PrintAndLog("Write error on address %04x", CardAddresses[i]);
+				break;
+			}
+		}
+	}
+	
+	DropField();
+	
+	if (res)
+		return res;
+	
+	PrintAndLog("Done.");
+	
+	return 0;
+}
+
+int CmdHFMFPCommitPerso(const char *cmd) {
+	CLIParserInit("hf mfp commitp", 
+		"Executes Commit Perso command. Can be used in SL0 mode only.", 
+		"Usage:\n\thf mfp commitp ->  \n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_int0(NULL,  NULL,      "SL mode", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+	
+	uint8_t data[250] = {0};
+	int datalen = 0;
+
+	int res = MFPCommitPerso(true, false, data, sizeof(data), &datalen);
+	if (res) {
+		PrintAndLog("Exchange error: %d", res);
+		return res;
+	}
+	
+	if (datalen != 3) {
+		PrintAndLog("Command must return 3 bytes instead of: %d", datalen);
+		return 1;
+	}
+
+	if (data[0] != 0x90) {
+		PrintAndLog("Command error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		return 1;
+	}
+	PrintAndLog("Switch level OK.");
+
+	return 0;
+}
+
+int CmdHFMFPAuth(const char *cmd) {
+	uint8_t keyn[250] = {0};
+	int keynlen = 0;
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	
+	CLIParserInit("hf mfp auth", 
+		"Executes AES authentication command for Mifare Plus card", 
+		"Usage:\n\thf mfp auth 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"
+			"\thf mfp auth 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -v -> executes authentication and shows all the system data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_str1(NULL,  NULL,     "<Key Num (HEX 2 bytes)>", NULL),
+		arg_str1(NULL,  NULL,     "<Key Value (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+	
+	bool verbose = arg_get_lit(1);
+	CLIGetHexWithReturn(2, keyn, &keynlen);
+	CLIGetHexWithReturn(3, key, &keylen);
+	CLIParserFree();
+	
+	if (keynlen != 2) {
+		PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+
+	return MifareAuth4(NULL, keyn, key, true, false, verbose);
+}
+
+int CmdHFMFPRdbl(const char *cmd) {
+	uint8_t keyn[2] = {0};
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	
+	CLIParserInit("hf mfp rdbl", 
+		"Reads several blocks from Mifare Plus card.", 
+		"Usage:\n\thf mfp rdbl 0 000102030405060708090a0b0c0d0e0f -> executes authentication and read block 0 data\n"
+			"\thf mfp rdbl 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF and some additional data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_int0("nN",  "count",   "blocks count (by default 1).", NULL),
+		arg_lit0("bB",  "keyb",    "use key B (by default keyA)."),
+		arg_lit0("pP",  "plain",   "plain communication mode between reader and card."),
+		arg_int1(NULL,  NULL,      "<Block Num (0..255)>", NULL),
+		arg_str0(NULL,  NULL,      "<Key Value (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, false);
+	
+	bool verbose = arg_get_lit(1);
+	int blocksCount = arg_get_int_def(2, 1);
+	bool keyB = arg_get_lit(3);
+	int plain = arg_get_lit(4);
+	uint32_t blockn = arg_get_int(5);
+	CLIGetHexWithReturn(6, key, &keylen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+
+	if (!keylen) {
+		memmove(key, DefaultKey, 16);
+		keylen = 16;
+	}
+	
+	if (blockn > 255) {
+		PrintAndLog("ERROR: <Block Num> must be in range [0..255] instead of: %d", blockn);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+
+	// 3 blocks - wo iso14443-4 chaining
+	if (blocksCount > 3) {
+		PrintAndLog("ERROR: blocks count must be less than 3 instead of: %d", blocksCount);
+		return 1;
+	}
+	
+	if (blocksCount > 1 && mfIsSectorTrailer(blockn)) {
+		PrintAndLog("WARNING: trailer!");
+	}
+	
+	uint8_t sectorNum = mfSectorNum(blockn & 0xff);
+	uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0);
+	keyn[0] = uKeyNum >> 8;
+	keyn[1] = uKeyNum & 0xff;
+	if (verbose)
+		PrintAndLog("--block:%d sector[%d]:%02x key:%04x", blockn, mfNumBlocksPerSector(sectorNum), sectorNum, uKeyNum);
+	
+	mf4Session session;
+	int res = MifareAuth4(&session, keyn, key, true, true, verbose);
+	if (res) {
+		PrintAndLog("Authentication error: %d", res);
+		return res;
+	}
+	
+	uint8_t data[250] = {0};
+	int datalen = 0;
+	uint8_t mac[8] = {0};
+	res = MFPReadBlock(&session, plain, blockn & 0xff, blocksCount, false, false, data, sizeof(data), &datalen, mac);
+	if (res) {
+		PrintAndLog("Read error: %d", res);
+		return res;
+	}
+	
+	if (datalen && data[0] != 0x90) {
+		PrintAndLog("Card read error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		return 6;
+	}
+	
+	if (datalen != 1 + blocksCount * 16 + 8 + 2) {
+		PrintAndLog("Error return length:%d", datalen);
+		return 5;
+	}
+
+	int indx = blockn;
+	for(int i = 0; i < blocksCount; i++)  {
+		PrintAndLog("data[%03d]: %s", indx, sprint_hex(&data[1 + i * 16], 16));
+		indx++;
+		if (mfIsSectorTrailer(indx) && i != blocksCount - 1){
+			PrintAndLog("data[%03d]: ------------------- trailer -------------------", indx);
+			indx++;
+		}
+	}
+
+	if (memcmp(&data[blocksCount * 16 + 1], mac, 8)) {
+		PrintAndLog("WARNING: mac not equal...");
+		PrintAndLog("MAC   card: %s", sprint_hex(&data[blocksCount * 16 + 1], 8));
+		PrintAndLog("MAC reader: %s", sprint_hex(mac, 8));
+	} else {	
+		if(verbose)
+			PrintAndLog("MAC: %s", sprint_hex(&data[blocksCount * 16 + 1], 8));
+	}
+	
+	return 0;
+}
+
+int CmdHFMFPRdsc(const char *cmd) {
+	uint8_t keyn[2] = {0};
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	
+	CLIParserInit("hf mfp rdsc", 
+		"Reads one sector from Mifare Plus card.", 
+		"Usage:\n\thf mfp rdsc 0 000102030405060708090a0b0c0d0e0f -> executes authentication and read sector 0 data\n"
+			"\thf mfp rdsc 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF and some additional data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_lit0("bB",  "keyb",    "use key B (by default keyA)."),
+		arg_lit0("pP",  "plain",   "plain communication mode between reader and card."),
+		arg_int1(NULL,  NULL,      "<Sector Num (0..255)>", NULL),
+		arg_str0(NULL,  NULL,      "<Key Value (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, false);
+	
+	bool verbose = arg_get_lit(1);
+	bool keyB = arg_get_lit(2);
+	bool plain = arg_get_lit(3);
+	uint32_t sectorNum = arg_get_int(4);
+	CLIGetHexWithReturn(5, key, &keylen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+
+	if (!keylen) {
+		memmove(key, DefaultKey, 16);
+		keylen = 16;
+	}
+	
+	if (sectorNum > 39) {
+		PrintAndLog("ERROR: <Sector Num> must be in range [0..39] instead of: %d", sectorNum);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+	
+	uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0);
+	keyn[0] = uKeyNum >> 8;
+	keyn[1] = uKeyNum & 0xff;
+	if (verbose)
+		PrintAndLog("--sector[%d]:%02x key:%04x", mfNumBlocksPerSector(sectorNum), sectorNum, uKeyNum);
+	
+	mf4Session session;
+	int res = MifareAuth4(&session, keyn, key, true, true, verbose);
+	if (res) {
+		PrintAndLog("Authentication error: %d", res);
+		return res;
+	}
+	
+	uint8_t data[250] = {0};
+	int datalen = 0;
+	uint8_t mac[8] = {0};
+	for(int n = mfFirstBlockOfSector(sectorNum); n < mfFirstBlockOfSector(sectorNum) + mfNumBlocksPerSector(sectorNum); n++) {
+		res = MFPReadBlock(&session, plain, n & 0xff, 1, false, true, data, sizeof(data), &datalen, mac);
+		if (res) {
+			PrintAndLog("Read error: %d", res);
+			DropField();
+			return res;
+		}
+		
+		if (datalen && data[0] != 0x90) {
+			PrintAndLog("Card read error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+			DropField();
+			return 6;
+		}
+		if (datalen != 1 + 16 + 8 + 2) {
+			PrintAndLog("Error return length:%d", datalen);
+			DropField();
+			return 5;
+		}
+
+		PrintAndLog("data[%03d]: %s", n, sprint_hex(&data[1], 16));
+			
+		if (memcmp(&data[1 + 16], mac, 8)) {
+			PrintAndLog("WARNING: mac on block %d not equal...", n);
+			PrintAndLog("MAC   card: %s", sprint_hex(&data[1 + 16], 8));
+			PrintAndLog("MAC reader: %s", sprint_hex(mac, 8));
+		} else {	
+			if(verbose)
+				PrintAndLog("MAC: %s", sprint_hex(&data[1 + 16], 8));
+		}
+	}
+	DropField();
+	
+	return 0;
+}
+
+int CmdHFMFPWrbl(const char *cmd) {
+	uint8_t keyn[2] = {0};
+	uint8_t key[250] = {0};
+	int keylen = 0;
+	uint8_t datain[250] = {0};
+	int datainlen = 0;
+	
+	CLIParserInit("hf mfp wrbl", 
+		"Writes one block to Mifare Plus card.", 
+		"Usage:\n\thf mfp wrbl 1 ff0000000000000000000000000000ff 000102030405060708090a0b0c0d0e0f -> writes block 1 data\n"
+			"\thf mfp wrbl 2 ff0000000000000000000000000000ff -v -> writes block 2 data with default key 0xFF..0xFF and some additional data\n");
+
+	void* argtable[] = {
+		arg_param_begin,
+		arg_lit0("vV",  "verbose", "show internal data."),
+		arg_lit0("bB",  "keyb",    "use key B (by default keyA)."),
+		arg_int1(NULL,  NULL,      "<Block Num (0..255)>", NULL),
+		arg_str1(NULL,  NULL,      "<Data (HEX 16 bytes)>", NULL),
+		arg_str0(NULL,  NULL,      "<Key (HEX 16 bytes)>", NULL),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, false);
+	
+	bool verbose = arg_get_lit(1);
+	bool keyB = arg_get_lit(2);
+	uint32_t blockNum = arg_get_int(3);
+	CLIGetHexWithReturn(4, datain, &datainlen);
+	CLIGetHexWithReturn(5, key, &keylen);
+	CLIParserFree();
+	
+	mfpSetVerboseMode(verbose);
+
+	if (!keylen) {
+		memmove(key, DefaultKey, 16);
+		keylen = 16;
+	}
+	
+	if (blockNum > 39) {
+		PrintAndLog("ERROR: <Block Num> must be in range [0..255] instead of: %d", blockNum);
+		return 1;
+	}
+	
+	if (keylen != 16) {
+		PrintAndLog("ERROR: <Key> must be 16 bytes long instead of: %d", keylen);
+		return 1;
+	}
+
+	if (datainlen != 16) {
+		PrintAndLog("ERROR: <Data> must be 16 bytes long instead of: %d", datainlen);
+		return 1;
+	}
+	
+	uint8_t sectorNum = mfSectorNum(blockNum & 0xff);
+	uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0);
+	keyn[0] = uKeyNum >> 8;
+	keyn[1] = uKeyNum & 0xff;
+	if (verbose)
+		PrintAndLog("--block:%d sector[%d]:%02x key:%04x", blockNum & 0xff, mfNumBlocksPerSector(sectorNum), sectorNum, uKeyNum);
+	
+	mf4Session session;
+	int res = MifareAuth4(&session, keyn, key, true, true, verbose);
+	if (res) {
+		PrintAndLog("Authentication error: %d", res);
+		return res;
+	}
+
+	uint8_t data[250] = {0};
+	int datalen = 0;
+	uint8_t mac[8] = {0};
+	res = MFPWriteBlock(&session, blockNum & 0xff, datain, false, false, data, sizeof(data), &datalen, mac);
+	if (res) {
+		PrintAndLog("Write error: %d", res);
+		DropField();
+		return res;
+	}
+	
+	if (datalen != 3 && (datalen != 3 + 8)) {
+		PrintAndLog("Error return length:%d", datalen);
+		DropField();
+		return 5;
+	}
+	
+	if (datalen && data[0] != 0x90) {
+		PrintAndLog("Card write error: %02x %s", data[0], mfpGetErrorDescription(data[0]));
+		DropField();
+		return 6;
+	}
+	
+	if (memcmp(&data[1], mac, 8)) {
+		PrintAndLog("WARNING: mac not equal...");
+		PrintAndLog("MAC   card: %s", sprint_hex(&data[1], 8));
+		PrintAndLog("MAC reader: %s", sprint_hex(mac, 8));
+	} else {	
+		if(verbose)
+			PrintAndLog("MAC: %s", sprint_hex(&data[1], 8));
+	}
+	
+	DropField();
+	PrintAndLog("Write OK.");	
+	return 0;
+}
+
+int CmdHFMFPMAD(const char *cmd) {
+
+    CLIParserInit("hf mfp mad",
+                  "Checks and prints Mifare Application Directory (MAD)",
+                  "Usage:\n\thf mfp mad -> shows MAD if exists\n"
+                  "\thf mfp mad -a 03e1 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data if exists\n");
+
+    void *argtable[] = {
+        arg_param_begin,
+        arg_lit0("vV",  "verbose",  "show technical data"),
+        arg_str0("aA",  "aid",      "print all sectors with aid", NULL),
+        arg_str0("kK",  "key",      "key for printing sectors", NULL),
+        arg_lit0("bB",  "keyb",     "use key B for access printing sectors (by default: key A)"),
+        arg_param_end
+    };
+    CLIExecWithReturn(cmd, argtable, true);
+
+    bool verbose = arg_get_lit(1);
+    uint8_t aid[2] = {0};
+    int aidlen;
+    CLIGetHexWithReturn(2, aid, &aidlen);
+    uint8_t key[16] = {0};
+    int keylen;
+    CLIGetHexWithReturn(3, key, &keylen);
+    bool keyB = arg_get_lit(4);
+
+    CLIParserFree();
+
+    if (aidlen != 2 && keylen > 0) {
+        PrintAndLogEx(WARNING, "do not need a key without aid.");
+    }
+
+    uint8_t sector0[16 * 4] = {0};
+    uint8_t sector10[16 * 4] = {0};
+
+    if (mfpReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector0, verbose)) {
+        PrintAndLogEx(NORMAL, "");
+        PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");
+        return 2;
+    }
+
+    if (verbose) {
+        for (int i = 0; i < 4; i ++)
+            PrintAndLogEx(NORMAL, "[%d] %s", i, sprint_hex(&sector0[i * 16], 16));
+    }
+
+    bool haveMAD2 = false;
+    MAD1DecodeAndPrint(sector0, verbose, &haveMAD2);
+
+    if (haveMAD2) {
+        if (mfpReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector10, verbose)) {
+            PrintAndLogEx(NORMAL, "");
+            PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");
+            return 2;
+        }
+
+        MAD2DecodeAndPrint(sector10, verbose);
+    }
+
+    if (aidlen == 2) {
+        uint16_t aaid = (aid[0] << 8) + aid[1];
+        PrintAndLogEx(NORMAL, "\n-------------- AID 0x%04x ---------------", aaid);
+
+        uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
+        size_t madlen = 0;
+        if (MADDecode(sector0, sector10, mad, &madlen)) {
+            PrintAndLogEx(ERR, "can't decode mad.");
+            return 10;
+        }
+
+        uint8_t akey[16] = {0};
+        memcpy(akey, g_mifarep_ndef_key, 16);
+        if (keylen == 16) {
+            memcpy(akey, key, 16);
+        }
+
+        for (int i = 0; i < madlen; i++) {
+            if (aaid == mad[i]) {
+                uint8_t vsector[16 * 4] = {0};
+                if (mfpReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, akey, vsector, false)) {
+                    PrintAndLogEx(NORMAL, "");
+                    PrintAndLogEx(ERR, "read sector %d error.", i + 1);
+                    return 2;
+                }
+
+                for (int j = 0; j < (verbose ? 4 : 3); j ++)
+                    PrintAndLogEx(NORMAL, " [%03d] %s", (i + 1) * 4 + j, sprint_hex(&vsector[j * 16], 16));
+            }
+        }
+    }
+
+    return 0;
+}
+
+int CmdHFMFPNDEF(const char *cmd) {
+
+    CLIParserInit("hf mfp ndef",
+                  "Prints NFC Data Exchange Format (NDEF)",
+                  "Usage:\n\thf mfp ndef -> shows NDEF data\n"
+                  "\thf mfp ndef -a 03e1 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data with custom AID and key\n");
+
+    void *argtable[] = {
+        arg_param_begin,
+        arg_litn("vV",  "verbose",  0, 2, "show technical data"),
+        arg_str0("aA",  "aid",      "replace default aid for NDEF", NULL),
+        arg_str0("kK",  "key",      "replace default key for NDEF", NULL),
+        arg_lit0("bB",  "keyb",     "use key B for access sectors (by default: key A)"),
+        arg_param_end
+    };
+    CLIExecWithReturn(cmd, argtable, true);
+
+    bool verbose = arg_get_lit(1);
+    bool verbose2 = arg_get_lit(1) > 1;
+    uint8_t aid[2] = {0};
+    int aidlen;
+    CLIGetHexWithReturn(2, aid, &aidlen);
+    uint8_t key[16] = {0};
+    int keylen;
+    CLIGetHexWithReturn(3, key, &keylen);
+    bool keyB = arg_get_lit(4);
+
+    CLIParserFree();
+
+    uint16_t ndefAID = 0x03e1;
+    if (aidlen == 2)
+        ndefAID = (aid[0] << 8) + aid[1];
+
+    uint8_t ndefkey[16] = {0};
+    memcpy(ndefkey, g_mifarep_ndef_key, 16);
+    if (keylen == 16) {
+        memcpy(ndefkey, key, 16);
+    }
+
+    uint8_t sector0[16 * 4] = {0};
+    uint8_t sector10[16 * 4] = {0};
+    uint8_t data[4096] = {0};
+    int datalen = 0;
+
+    PrintAndLogEx(NORMAL, "");
+
+    if (mfpReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector0, verbose)) {
+        PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");
+        return 2;
+    }
+
+    bool haveMAD2 = false;
+    int res = MADCheck(sector0, NULL, verbose, &haveMAD2);
+    if (res) {
+        PrintAndLogEx(ERR, "MAD error %d.", res);
+        return res;
+    }
+
+    if (haveMAD2) {
+        if (mfpReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifarep_mad_key, sector10, verbose)) {
+            PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");
+            return 2;
+        }
+    }
+
+    uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
+    size_t madlen = 0;
+    if (MADDecode(sector0, (haveMAD2 ? sector10 : NULL), mad, &madlen)) {
+        PrintAndLogEx(ERR, "can't decode mad.");
+        return 10;
+    }
+
+    printf("data reading:");
+    for (int i = 0; i < madlen; i++) {
+        if (ndefAID == mad[i]) {
+            uint8_t vsector[16 * 4] = {0};
+            if (mfpReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, ndefkey, vsector, false)) {
+                PrintAndLogEx(ERR, "read sector %d error.", i + 1);
+                return 2;
+            }
+
+            memcpy(&data[datalen], vsector, 16 * 3);
+            datalen += 16 * 3;
+
+            printf(".");
+        }
+    }
+    printf(" OK\n");
+
+    if (!datalen) {
+        PrintAndLogEx(ERR, "no NDEF data.");
+        return 11;
+    }
+
+    if (verbose2) {
+        PrintAndLogEx(NORMAL, "NDEF data:");
+        dump_buffer(data, datalen, stdout, 1);
+    }
+
+    NDEFDecodeAndPrint(data, datalen, verbose);
+
+    return 0;
+}
+
+static command_t CommandTable[] =
+{
+  {"help",             CmdHelp,					1, "This help"},
+  {"info",  	       CmdHFMFPInfo,			0, "Info about Mifare Plus tag"},
+  {"wrp",	  	       CmdHFMFPWritePerso,		0, "Write Perso command"},
+  {"initp",  	       CmdHFMFPInitPerso,		0, "Fills all the card's keys"},
+  {"commitp",  	       CmdHFMFPCommitPerso,		0, "Move card to SL1 or SL3 mode"},
+  {"auth",  	       CmdHFMFPAuth,			0, "Authentication"},
+  {"rdbl",  	       CmdHFMFPRdbl,			0, "Read blocks"},
+  {"rdsc",  	       CmdHFMFPRdsc,			0, "Read sectors"},
+  {"wrbl",  	       CmdHFMFPWrbl,			0, "Write blocks"},
+  {"mad",              CmdHFMFPMAD,             0, "Checks and prints MAD"},
+  {"ndef",             CmdHFMFPNDEF,            0, "Prints NDEF records from card"},
+  {NULL,               NULL,					0, NULL}
+};
+
+int CmdHFMFP(const char *Cmd) {
+	(void)WaitForResponseTimeout(CMD_ACK,NULL,100);
+	CmdsParse(CommandTable, Cmd);
+	return 0;
+}
+
+int CmdHelp(const char *Cmd) {
+  CmdsHelp(CommandTable);
+  return 0;
+}
--- a/client/cmdhfmfp.h
+++ b/client/cmdhfmfp.h
@ -0,0 +1,18 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2018 Merlok
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency MIFARE  Plus commands
+//-----------------------------------------------------------------------------
+#ifndef CMDHFMFP_H__
+#define CMDHFMFP_H__
+
+#include "mifare/mifaredefault.h"
+
+extern int CmdHFMFP(const char *Cmd);
+
+
+#endif
--- a/client/cmdhfmfu.c
+++ b/client/cmdhfmfu.c
--- a/client/cmdhfmfu.h
+++ b/client/cmdhfmfu.h
@ -1,54 +1,10 @@
-#include "cmdhfmf.h"
-#include "cmdhf14a.h"
-
 #ifndef CMDHFMFU_H__
 #define CMDHFMFU_H__

-int CmdHF14AMfUWrBl(const char *Cmd);
-int CmdHF14AMfURdBl(const char *Cmd);
+#include <stdint.h>

-//Crypto Cards
-int CmdHF14AMfucAuth(const char *Cmd);
-
-//general stuff
-int CmdHF14AMfUDump(const char *Cmd);
-int CmdHF14AMfUInfo(const char *Cmd);
-
-uint32_t GetHF14AMfU_Type(void);
-int ul_print_type(uint32_t tagtype, uint8_t spacer);
-
-int usage_hf_mfu_dump(void);
-int usage_hf_mfu_info(void);
-int usage_hf_mfu_rdbl(void);
-int usage_hf_mfu_wrbl(void);
-
-int CmdHFMFUltra(const char *Cmd);
-
-typedef enum TAGTYPE_UL {
-	UNKNOWN       = 0x000000,
-	UL            = 0x000001,
-	UL_C          = 0x000002,
-	UL_EV1_48     = 0x000004,
-	UL_EV1_128    = 0x000008,
-	NTAG          = 0x000010,
-	NTAG_203      = 0x000020,
-	NTAG_210      = 0x000040,
-	NTAG_212      = 0x000080,
-	NTAG_213      = 0x000100,
-	NTAG_215      = 0x000200,
-	NTAG_216      = 0x000400,
-	MY_D          = 0x000800,
-	MY_D_NFC      = 0x001000,
-	MY_D_MOVE     = 0x002000,
-	MY_D_MOVE_NFC = 0x004000,
-	MY_D_MOVE_LEAN= 0x008000,
-	NTAG_I2C_1K   = 0x010000,
-	NTAG_I2C_2K   = 0x020000,
-	FUDAN_UL      = 0x040000,
-	MAGIC         = 0x080000,
-	UL_MAGIC      = UL | MAGIC,
-	UL_C_MAGIC    = UL_C | MAGIC,
-	UL_ERROR      = 0xFFFFFF,
-} TagTypeUL_t;
+extern int CmdHFMFUltra(const char *Cmd);
+extern uint32_t GetHF14AMfU_Type(void);
+extern int ul_print_type(uint32_t tagtype, uint8_t spacer);

 #endif
--- a/client/cmdhftopaz.c
+++ b/client/cmdhftopaz.c
@ -22,6 +22,7 @@
 #include "comms.h"
 #include "iso14443crc.h"
 #include "protocols.h"
+#include "taginfo.h"

 #define TOPAZ_STATIC_MEMORY	(0x0f * 8)		// 15 blocks with 8 Bytes each

@ -477,7 +478,7 @@ int CmdHFTopazReader(const char *Cmd)
 			topaz_tag.uid[0]);
 	PrintAndLog("       UID[6] (Manufacturer Byte) = %02x, Manufacturer: %s", 
 			topaz_tag.uid[6], 
-			getTagInfo(topaz_tag.uid[6]));
+			getManufacturerName(topaz_tag.uid[6]));

 	memcpy(topaz_tag.data_blocks, rall_response+2, 0x0f*8);
 	PrintAndLog("");
--- a/client/cmdhw.c
+++ b/client/cmdhw.c
@ -20,7 +20,8 @@
 #include "cmdmain.h"
 #include "cmddata.h"

-/* low-level hardware control */
+
+static uint32_t hw_capabilities = 0;

 static int CmdHelp(const char *Cmd);

@ -334,10 +335,10 @@ int CmdFPGAOff(const char *Cmd)

 int CmdLCD(const char *Cmd)
 {
-  int i, j;
+  unsigned int i, j;

  UsbCommand c={CMD_LCD};
-  sscanf(Cmd, "%x %d", &i, &j);
+  sscanf(Cmd, "%x %u", &i, &j);
  while (j--) {
    c.arg[0] = i & 0x1ff;
    SendCommand(&c);
@ -403,6 +404,10 @@ int CmdTune(const char *Cmd)
    return CmdTuneSamples(Cmd);
 }

+bool PM3hasSmartcardSlot(void) {
+	return (hw_capabilities & HAS_SMARTCARD_SLOT);
+}
+
 int CmdVersion(const char *Cmd)
 {

@ -411,10 +416,11 @@ int CmdVersion(const char *Cmd)
 	UsbCommand resp = {0, {0, 0, 0}};

 	SendCommand(&c);
-	if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
+	if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
 		PrintAndLog("Prox/RFID mark3 RFID instrument");
 		PrintAndLog((char*)resp.d.asBytes);
 		lookupChipID(resp.arg[0], resp.arg[1]);
+		hw_capabilities = resp.arg[2];
 	}
 	return 0;
 }
--- a/client/cmdhw.h
+++ b/client/cmdhw.h
@ -11,6 +11,8 @@
 #ifndef CMDHW_H__
 #define CMDHW_H__

+#include <stdbool.h>
+
 int CmdHW(const char *Cmd);

 int CmdDetectReader(const char *Cmd);
@ -23,5 +25,6 @@ int CmdSetDivisor(const char *Cmd);
 int CmdSetMux(const char *Cmd);
 int CmdTune(const char *Cmd);
 int CmdVersion(const char *Cmd);
+bool PM3hasSmartcardSlot(void);

 #endif
--- a/client/cmdlf.c
+++ b/client/cmdlf.c
@ -224,24 +224,25 @@ int usage_lf_config(void)
 {
 	PrintAndLog("Usage: lf config [H|<divisor>] [b <bps>] [d <decim>] [a 0|1]");
 	PrintAndLog("Options:        ");
-	PrintAndLog("       h             This help");
-	PrintAndLog("       L             Low frequency (125 KHz)");
-	PrintAndLog("       H             High frequency (134 KHz)");
-	PrintAndLog("       q <divisor>   Manually set divisor. 88-> 134KHz, 95-> 125 Hz");
-	PrintAndLog("       b <bps>       Sets resolution of bits per sample. Default (max): 8");
-	PrintAndLog("       d <decim>     Sets decimation. A value of N saves only 1 in N samples. Default: 1");
-	PrintAndLog("       a [0|1]       Averaging - if set, will average the stored sample value when decimating. Default: 1");
-	PrintAndLog("       t <threshold> Sets trigger threshold. 0 means no threshold (range: 0-128)");
+	PrintAndLog("       h               This help");
+	PrintAndLog("       L               Low frequency (125 KHz)");
+	PrintAndLog("       H               High frequency (134 KHz)");
+	PrintAndLog("       q <divisor>     Manually set divisor. 88-> 134 KHz, 95-> 125 KHz");
+	PrintAndLog("       b <bps>         Sets resolution of bits per sample. Default (max): 8");
+	PrintAndLog("       d <decim>       Sets decimation. A value of N saves only 1 in N samples. Default: 1");
+	PrintAndLog("       a [0|1]         Averaging - if set, will average the stored sample value when decimating. Default: 1");
+	PrintAndLog("       t <threshold>   Sets trigger threshold. 0 means no threshold (range: 0-128)");
+	PrintAndLog("       s <smplstoskip> Sets a number of samples to skip before capture. Default: 0");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf config b 8 L");
-	PrintAndLog("                    Samples at 125KHz, 8bps.");
+	PrintAndLog("                       Samples at 125KHz, 8bps.");
 	PrintAndLog("      lf config H b 4 d 3");
-	PrintAndLog("                    Samples at 134KHz, averages three samples into one, stored with ");
-	PrintAndLog("                    a resolution of 4 bits per sample.");
+	PrintAndLog("                       Samples at 134KHz, averages three samples into one, stored with ");
+	PrintAndLog("                       a resolution of 4 bits per sample.");
 	PrintAndLog("      lf read");
-	PrintAndLog("                    Performs a read (active field)");
+	PrintAndLog("                       Performs a read (active field)");
 	PrintAndLog("      lf snoop");
-	PrintAndLog("                    Performs a snoop (no active field)");
+	PrintAndLog("                       Performs a snoop (no active field)");
 	return 0;
 }

@ -255,6 +256,7 @@ int CmdLFSetConfig(const char *Cmd)
 	bool errors = false;
 	int trigger_threshold =-1;//Means no change
 	uint8_t unsigned_trigg = 0;
+	int samples_to_skip = -1;

 	uint8_t cmdp =0;
 	while(param_getchar(Cmd, cmdp) != 0x00)
@ -295,6 +297,10 @@ int CmdLFSetConfig(const char *Cmd)
 			averaging = param_getchar(Cmd,cmdp+1) == '1';
 			cmdp+=2;
 			break;
+		case 's':
+			samples_to_skip = param_get32ex(Cmd,cmdp+1,0,10);
+			cmdp+=2;
+			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = 1;
@ -316,7 +322,7 @@ int CmdLFSetConfig(const char *Cmd)
 	if(bps >> 4) bps = 8;

 	sample_config config = {
-		decimation,bps,averaging,divisor,trigger_threshold
+		decimation,bps,averaging,divisor,trigger_threshold,samples_to_skip
 	};
 	//Averaging is a flag on high-bit of arg[1]
 	UsbCommand c = {CMD_SET_LF_SAMPLING_CONFIG};
@ -937,12 +943,12 @@ int CmdLFfind(const char *Cmd)
 				PrintAndLog("\nValid EM4x05/EM4x69 Chip Found\nUse lf em 4x05readword/dump commands to read\n");
 				return 1;
 			}
-			ans=CmdLFHitagReader("26"); // 26 = RHT2F_UID_ONLY
-			if (ans==0) {
+            if (getHitagUid(NULL, true)) {
+				PrintAndLog("\nValid Hitag2 tag Found!");
 				return 1;
-			}
-			ans=CmdCOTAGRead("");
-			if (ans>0) {
+            }
+ 			ans = CmdCOTAGRead("");
+			if (ans > 0) {
 				PrintAndLog("\nValid COTAG ID Found!");
 				return 1;
 			}
--- a/client/cmdlfem4x.c
+++ b/client/cmdlfem4x.c
@ -1161,6 +1161,119 @@ int CmdEM4x05WriteWord(const char *Cmd) {
 	return EM4x05WriteWord(addr, data, pwd, usePwd, swap, invert);
 }

+int usage_lf_em_protect(void) {
+	PrintAndLog("Protect EM4x05.  Tag must be on antenna. ");
+	PrintAndLog("");
+	PrintAndLog("Usage:  lf em 4x05protect [h] d <data> p <pwd> [s] [i]");
+	PrintAndLog("Options:");
+	PrintAndLog("       h           - this help");
+	PrintAndLog("       d <data>    - data to write (hex)");
+	PrintAndLog("       p <pwd>     - password (hex) (optional)");
+	PrintAndLog("       s           - swap the data bit order before write");
+	PrintAndLog("       i           - invert the data bits before write");
+	PrintAndLog("samples:");
+	PrintAndLog("      lf em 4x05protect d 11223344");
+	PrintAndLog("      lf em 4x05protect p deadc0de d 11223344 s i");
+	return 0;
+}
+
+int EM4x05Protect(uint32_t data, uint32_t pwd, bool usePwd, bool swap, bool invert) {
+	if (swap) data = SwapBits(data, 32);
+
+	if (invert) data ^= 0xFFFFFFFF;
+
+	if ( !usePwd ) {
+		PrintAndLog("Writing Protect data %08X", data);
+	} else {
+		PrintAndLog("Writing Protect data %08X using password %08X", data, pwd);
+	}
+
+	uint16_t flag = usePwd;
+
+	UsbCommand c = {CMD_EM4X_PROTECT, {flag, data, pwd}};
+	clearCommandBuffer();
+	SendCommand(&c);
+	UsbCommand resp;
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)){
+		PrintAndLog("Error occurred, device did not respond during protect operation.");
+		return -1;
+	}
+	if ( !downloadSamplesEM() ) {
+		return -1;
+	}
+	//check response for 00001010 for write confirmation!
+	//attempt demod:
+	uint32_t dummy = 0;
+	int result = demodEM4x05resp(&dummy,false);
+	if (result == 1) {
+		PrintAndLog("Protect Verified");
+	} else {
+		PrintAndLog("Protect could not be verified");
+	}
+	return result;
+}
+
+int CmdEM4x05ProtectWrite(const char *Cmd) {
+	bool errors = false;
+	bool usePwd = false;
+	uint32_t data = 0xFFFFFFFF;
+	uint32_t pwd = 0xFFFFFFFF;
+	bool swap = false;
+	bool invert = false;
+	bool gotData = false;
+	char cmdp = 0;
+	while(param_getchar(Cmd, cmdp) != 0x00)
+	{
+		switch(param_getchar(Cmd, cmdp))
+		{
+		case 'h':
+		case 'H':
+			return usage_lf_em_write();
+		case 'd':
+		case 'D':
+			data = param_get32ex(Cmd, cmdp+1, 0, 16);
+			gotData = true;
+			cmdp += 2;
+			break;
+		case 'i':
+		case 'I':
+			invert = true;
+			cmdp++;
+			break;
+		case 'p':
+		case 'P':
+			pwd = param_get32ex(Cmd, cmdp+1, 1, 16);
+			if (pwd == 1) {
+				PrintAndLog("invalid pwd");
+				errors = true;
+			}
+			usePwd = true;
+			cmdp += 2;
+			break;
+		case 's':
+		case 'S':
+			swap = true;
+			cmdp++;
+			break;
+		default:
+			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+			errors = true;
+			break;
+		}
+		if(errors) break;
+	}
+	//Validations
+	if(errors) return usage_lf_em_protect();
+
+	if ( strlen(Cmd) == 0 ) return usage_lf_em_protect();
+
+	if (!gotData) {
+		PrintAndLog("You must enter the data you want to write");
+		return usage_lf_em_protect();
+	}
+	return EM4x05Protect(data, pwd, usePwd, swap, invert);
+}
+
 void printEM4x05config(uint32_t wordData) {
 	uint16_t datarate = EM4x05_GET_BITRATE(wordData);
 	uint8_t encoder = ((wordData >> 6) & 0xF);
@ -1345,6 +1458,7 @@ static command_t CommandTable[] =
 	{"4x05info",  CmdEM4x05info, 0, "(pwd) -- Get info from EM4x05/EM4x69 tag"},
 	{"4x05readword",  CmdEM4x05ReadWord, 0, "<Word> (pwd) -- Read EM4x05/EM4x69 word data"},
 	{"4x05writeword", CmdEM4x05WriteWord, 0, "<Word> <data> (pwd) -- Write EM4x05/EM4x69 word data"},
+	{"4x05protect",   CmdEM4x05ProtectWrite, 0, "<data> (pwd) -- Write Protection to EM4x05"},
 	{"4x50read",  CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"},
 	{NULL, NULL, 0, NULL}
 };
--- a/client/cmdlffdx.c
+++ b/client/cmdlffdx.c
@ -137,7 +137,7 @@ int CmdFdxDemod(const char *Cmd){

 	//Differential Biphase / di-phase (inverted biphase)
 	//get binary from ask wave
-	if (!ASKbiphaseDemod("0 32 1 0", false)) {
+	if (!ASKbiphaseDemod("0 32 1 100", false)) {
 		if (g_debugMode) PrintAndLog("DEBUG: Error - FDX-B ASKbiphaseDemod failed");
 		return 0;
 	}
@ -206,7 +206,7 @@ int CmdFdxDemod(const char *Cmd){
 }

 int CmdFdxRead(const char *Cmd) {
-	lf_read(true, 10000);
+	lf_read(true, 39999);
 	return CmdFdxDemod(Cmd);
 }

--- a/client/cmdlfhid.c
+++ b/client/cmdlfhid.c
@ -39,7 +39,7 @@
 *
 * Returns the number of nibbles (4 bits) entered.
 */
-int hexstring_to_int96(/* out */ uint32_t* hi2,/* out */ uint32_t* hi, /* out */ uint32_t* lo, const char* str) {
+int hid_hexstring_to_int96(/* out */ uint32_t* hi2,/* out */ uint32_t* hi, /* out */ uint32_t* lo, const char* str) {
  // TODO: Replace this with param_gethex when it supports arbitrary length
  // inputs.
  int n = 0, i = 0;
@ -201,7 +201,7 @@ int CmdHIDReadFSK(const char *Cmd)
 int CmdHIDSim(const char *Cmd)
 {
  uint32_t hi2 = 0, hi = 0, lo = 0;
-  hexstring_to_int96(&hi2, &hi, &lo, Cmd);
+  hid_hexstring_to_int96(&hi2, &hi, &lo, Cmd);
  if (hi2 != 0) {
    PrintAndLog("Emulating tag with ID %x%08x%08x", hi2, hi, lo);
  } else {
@ -218,7 +218,7 @@ int CmdHIDSim(const char *Cmd)
 int CmdHIDClone(const char *Cmd)
 {
  unsigned int top = 0, mid = 0, bot = 0;
-  hexstring_to_int96(&top, &mid, &bot, Cmd);
+  hid_hexstring_to_int96(&top, &mid, &bot, Cmd);
  hidproxmessage_t packed = initialize_proxmessage_object(top, mid, bot);
  Write(&packed);
  return 0;
@ -234,7 +234,7 @@ int CmdHIDDecode(const char *Cmd){

  uint32_t top = 0, mid = 0, bot = 0;
  bool ignoreParity = false;
-  hexstring_to_int96(&top, &mid, &bot, Cmd);
+  hid_hexstring_to_int96(&top, &mid, &bot, Cmd);
  hidproxmessage_t packed = initialize_proxmessage_object(top, mid, bot);

  char opt = param_getchar(Cmd, 1);
--- a/client/cmdlfhid.h
+++ b/client/cmdlfhid.h
@ -22,4 +22,6 @@ int CmdHIDClone(const char *Cmd);
 int CmdHIDDecode(const char *Cmd);
 int CmdHIDEncode(const char *Cmd);
 int CmdHIDWrite(const char *Cmd);
+// This is used by the Paradox code
+int hid_hexstring_to_int96(/* out */ uint32_t* hi2,/* out */ uint32_t* hi, /* out */ uint32_t* lo, const char* str);
 #endif
--- a/client/cmdlfhitag.c
+++ b/client/cmdlfhitag.c
@ -19,20 +19,16 @@
 #include "common.h"
 #include "util.h"
 #include "parity.h"
-#include "hitag2.h"
-#include "hitagS.h"
+#include "hitag.h"
 #include "cmdmain.h"

-static int CmdHelp(const char *Cmd);
-
-size_t nbytes(size_t nbits) {
-	return (nbits/8)+((nbits%8)>0);
+static size_t nbytes(size_t nbits) {
+	return (nbits/8) + ((nbits%8)>0);
 }

-int CmdLFHitagList(const char *Cmd)
-{
- 	uint8_t *got = malloc(USB_CMD_DATA_SIZE);

+static int CmdLFHitagList(const char *Cmd) {
+	uint8_t *got = malloc(USB_CMD_DATA_SIZE);
 	// Query for the actual size of the trace
 	UsbCommand response;
 	GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
@ -52,6 +48,7 @@ int CmdLFHitagList(const char *Cmd)
 	PrintAndLog(" ETU     :nbits: who bytes");
 	PrintAndLog("---------+-----+----+-----------");

+	int j;
 	int i = 0;
 	int prev = -1;
 	int len = strlen(Cmd);
@ -73,7 +70,7 @@ int CmdLFHitagList(const char *Cmd)

 	for (;;) {

-		if(i > traceLen) { break; }
+		if(i >= traceLen) { break; }

 		bool isResponse;
 		int timestamp = *((uint32_t *)(got+i));
@ -93,29 +90,53 @@ int CmdLFHitagList(const char *Cmd)
 		// or each half bit period in 256 levels.

 		int bits = got[i+8];
-		int len = nbytes(got[i+8]);
+		int len = nbytes(bits);

 		if (len > 100) {
-		  break;
+			break;
 		}
 		if (i + len > traceLen) { break;}

 		uint8_t *frame = (got+i+9);
+/*
+		int fillupBits = 8 - (bits % 8);
+		byte_t framefilled[bits+fillupBits];
+		byte_t* ff = framefilled;
+
+		int response_bit[200] = {0};
+		int z = 0;
+		for (int y = 0; y < len; y++) {
+			for (j = 0; j < 8; j++) {
+				response_bit[z] = 0;
+				if ((frame[y] & ((mask << 7) >> j)) != 0)
+					response_bit[z] = 1;
+				z++;
+			}
+		}
+		z = 0;
+		for (int y = 0; y < len; y++) {
+			ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6)
+					| (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4)
+					| (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2)
+					| (response_bit[z + 6] << 1) | response_bit[z + 7];
+			z += 8;
+		}
+*/
+
+
+

 		// Break and stick with current result if buffer was not completely full
 		if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }

 		char line[1000] = "";
-		int j;
 		for (j = 0; j < len; j++) {
-
-		  //if((parityBits >> (len - j - 1)) & 0x01) {
-		  if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
-			sprintf(line+(j*4), "%02x!  ", frame[j]);
-		  }
-		  else {
-			sprintf(line+(j*4), "%02x   ", frame[j]);
-		  }
+			//if((parityBits >> (len - j - 1)) & 0x01) {
+			if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
+				sprintf(line+(j*4), "%02x!  ", frame[j]);
+			} else {
+				sprintf(line+(j*4), "%02x   ", frame[j]);
+			}
 		}

 		PrintAndLog(" +%7d:  %3d: %s %s",
@ -145,15 +166,17 @@ int CmdLFHitagList(const char *Cmd)
 	return 0;
 }

-int CmdLFHitagSnoop(const char *Cmd) {
-  UsbCommand c = {CMD_SNOOP_HITAG};
-  SendCommand(&c);
-  return 0;
+
+static int CmdLFHitagSnoop(const char *Cmd) {
+	UsbCommand c = {CMD_SNOOP_HITAG};
+	SendCommand(&c);
+	return 0;
 }

-int CmdLFHitagSim(const char *Cmd) {

-  UsbCommand c = {CMD_SIMULATE_HITAG};
+static int CmdLFHitagSim(const char *Cmd) {
+
+	UsbCommand c = {CMD_SIMULATE_HITAG};
 	char filename[FILE_PATH_SIZE] = { 0x00 };
 	FILE* pf;
 	bool tag_mem_supplied;
@ -180,35 +203,97 @@ int CmdLFHitagSim(const char *Cmd) {
 	// Does the tag comes with memory
 	c.arg[0] = (uint32_t)tag_mem_supplied;

-  SendCommand(&c);
-  return 0;
+	SendCommand(&c);
+	return 0;
 }

+
+bool getHitagUid(uint32_t *uid, bool quiet) {
+	// ToDo: this is for Hitag2 only (??)
+	
+	UsbCommand c = {CMD_READER_HITAG, {RHT2F_UID_ONLY}};
+
+	SendCommand(&c);
+
+	UsbCommand resp;
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
+		if (!quiet) PrintAndLogEx(WARNING, "timeout while waiting for reply.");
+		return false;
+	}
+
+	if (resp.arg[0] == false) {
+		if (!quiet) PrintAndLogEx(DEBUG, "DEBUG: Error - failed getting UID");
+		return false;
+	}
+
+	if (uid)
+		*uid = bytes_to_num(resp.d.asBytes, 4);
+
+	return true;
+}
+
+
+static int CmdLFHitagInfo(const char *Cmd) {
+	char ctmp = param_getchar(Cmd, 0);
+	if (ctmp != '\0') {
+		PrintAndLog("Usage:   lf hitag info [h]");
+		PrintAndLog("Options:");
+		PrintAndLog("       h          This help");
+		PrintAndLog("Examples:");
+		PrintAndLog("         lf hitag info");
+		return 0;
+	}
+
+	// read UID
+	uint32_t uid = 0;
+	if (getHitagUid(&uid, false) == false)
+		return 1;
+
+	PrintAndLogEx(SUCCESS, "UID: %08X", uid);
+
+	// how to detemine Hitag types?
+	// read block3,  get configuration byte.
+	// PrintAndLogEx(FAILED, _RED_("TODO: This is a hardcoded example!"));
+
+	// common configurations.
+	// printHitagConfiguration(0x06);
+	//printHitagConfiguration( 0x0E );
+	//printHitagConfiguration( 0x02 );
+	//printHitagConfiguration( 0x00 );
+	//printHitagConfiguration( 0x04 );
+	return 0;
+}
+
+
 int CmdLFHitagReader(const char *Cmd) {
-	UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
+	UsbCommand c = {CMD_READER_HITAG};
 	hitag_data* htd = (hitag_data*)c.d.asBytes;
-	hitag_function htf = param_get32ex(Cmd,0,0,10);
+	hitag_function htf = param_get32ex(Cmd, 0, 0, 10);

 	switch (htf) {
-		case 01: { //RHTSF_CHALLENGE
+		case RHTSF_CHALLENGE: {
 			c = (UsbCommand){ CMD_READ_HITAG_S };
-			num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
-			num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
+			num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
+			num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
+			c.arg[1] = param_get64ex(Cmd, 3, 0, 0); //firstpage
+			c.arg[2] = param_get64ex(Cmd, 4, 0, 0); //tag mode
 		} break;
-		case 02: { //RHTSF_KEY
+		case RHTSF_KEY: {
 			c = (UsbCommand){ CMD_READ_HITAG_S };
-			num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
+			num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
+			c.arg[1] = param_get64ex(Cmd, 2, 0, 0); //firstpage
+			c.arg[2] = param_get64ex(Cmd, 3, 0, 0); //tag mode
 		} break;
 		case RHT2F_PASSWORD: {
-			num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password);
+			num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
 		} break;
 		case RHT2F_AUTHENTICATE: {
-			num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
-			num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
+			num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
+			num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
 		} break;
 		case RHT2F_CRYPTO: {
-			num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
-			//			num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
+			num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
+			//          num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
 		} break;
 		case RHT2F_TEST_AUTH_ATTEMPTS: {
 			// No additional parameters needed
@ -221,16 +306,18 @@ int CmdLFHitagReader(const char *Cmd) {
 			PrintAndLog("");
 			PrintAndLog("Usage: hitag reader <Reader Function #>");
 			PrintAndLog("Reader Functions:");
-			PrintAndLog(" HitagS (0*)");
-			PrintAndLog("  01 <nr> <ar> (Challenge) read all pages from a Hitag S tag");
-			PrintAndLog("  02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag");
-			PrintAndLog(" Hitag1 (1*)");
-			PrintAndLog(" Hitag2 (2*)");
-			PrintAndLog("  21 <password> (password mode)");
-			PrintAndLog("  22 <nr> <ar> (authentication)");
-			PrintAndLog("  23 <key> (authentication) key is in format: ISK high + ISK low");
-			PrintAndLog("  25 (test recorded authentications)");
-			PrintAndLog("  26 just read UID");
+			PrintAndLog("  HitagS (0*):");
+			PrintAndLog("    01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
+			PrintAndLog("    02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
+			PrintAndLog("    Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
+			PrintAndLog("  Hitag1 (1*):");
+			PrintAndLog("    (not yet implemented)");
+			PrintAndLog("  Hitag2 (2*):");
+			PrintAndLog("    21 <password> (password mode)");
+			PrintAndLog("    22 <nr> <ar> (authentication)");
+			PrintAndLog("    23 <key> (authentication) key is in format: ISK high + ISK low");
+			PrintAndLog("    25 (test recorded authentications)");
+			PrintAndLog("    26 just read UID");
 			return 1;
 		} break;
 	}
@ -243,16 +330,22 @@ int CmdLFHitagReader(const char *Cmd) {
 	SendCommand(&c);

 	UsbCommand resp;
-	WaitForResponse(CMD_ACK,&resp);
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
+		PrintAndLogEx(WARNING, "timeout while waiting for reply.");
+		return 1;
+	}

 	// Check the return status, stored in the first argument
-	if (resp.arg[0] == false) return 1;
+	if (resp.arg[0] == false)  {
+		PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
+		return 1;
+	}

-	uint32_t id = bytes_to_num(resp.d.asBytes,4);
+	uint32_t id = bytes_to_num(resp.d.asBytes, 4);

-	if (htf == RHT2F_UID_ONLY){
-		PrintAndLog("Valid Hitag2 tag found - UID: %08x",id);
-	} else {
+	PrintAndLog("Valid Hitag2 tag found - UID: %08x", id);
+	if (htf != RHT2F_UID_ONLY) {
+        PrintAndLogEx(SUCCESS, "Dumping tag memory...");
 		char filename[256];
 		FILE* pf = NULL;

@ -269,12 +362,11 @@ int CmdLFHitagReader(const char *Cmd) {
 		PrintAndLog("Succesfully saved tag memory to [%s]",filename);
 	}

-
 	return 0;
 }


-int CmdLFHitagSimS(const char *Cmd) {
+static int CmdLFHitagSimS(const char *Cmd) {
 	UsbCommand c = { CMD_SIMULATE_HITAG_S };
 	char filename[FILE_PATH_SIZE] = { 0x00 };
 	FILE* pf;
@ -307,7 +399,8 @@ int CmdLFHitagSimS(const char *Cmd) {
 	return 0;
 }

-int CmdLFHitagCheckChallenges(const char *Cmd) {
+
+static int CmdLFHitagCheckChallenges(const char *Cmd) {
 	UsbCommand c = { CMD_TEST_HITAGS_TRACES };
 	char filename[FILE_PATH_SIZE] = { 0x00 };
 	FILE* pf;
@ -326,7 +419,7 @@ int CmdLFHitagCheckChallenges(const char *Cmd) {
 			PrintAndLog("Error: File reading error");
 			fclose(pf);
 			return 1;
-        }
+		}
 		fclose(pf);
 	} else {
 		file_given = false;
@ -334,78 +427,93 @@ int CmdLFHitagCheckChallenges(const char *Cmd) {

 	//file with all the challenges to try
 	c.arg[0] = (uint32_t)file_given;
+	c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode

-  SendCommand(&c);
-  return 0;
+	SendCommand(&c);
+	return 0;
 }


-int CmdLFHitagWP(const char *Cmd) {
+static int CmdLFHitagWriter(const char *Cmd) {
 	UsbCommand c = { CMD_WR_HITAG_S };
 	hitag_data* htd = (hitag_data*)c.d.asBytes;
 	hitag_function htf = param_get32ex(Cmd,0,0,10);
 	switch (htf) {
-		case 03: { //WHTSF_CHALLENGE
+		case WHTSF_CHALLENGE: {
 			num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
 			c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
 			num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
 		} break;
-		case 04:
-		case 24:
-		{ //WHTSF_KEY
+		case WHTSF_KEY:
+		case WHT2F_CRYPTO: {
 			num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
 			c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
 			num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
-
+		} break;
+		case WHT2F_PASSWORD: {
+			num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
+			c.arg[2] = param_get32ex(Cmd, 2, 0, 10);
+			num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, htd->crypto.data);
 		} break;
 		default: {
 			PrintAndLog("Error: unkown writer function %d",htf);
 			PrintAndLog("Hitag writer functions");
-			PrintAndLog(" HitagS (0*)");
-			PrintAndLog("  03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
-			PrintAndLog("  04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
-			PrintAndLog(" Hitag1 (1*)");
-			PrintAndLog(" Hitag2 (2*)");
-			PrintAndLog("  24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
+			PrintAndLog("  HitagS (0*):");
+			PrintAndLog("    03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
+			PrintAndLog("    04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
+			PrintAndLog("  Hitag1 (1*)");
+			PrintAndLog("    (not yet implemented)");
+			PrintAndLog("  Hitag2 (2*):");
+			PrintAndLog("    24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
+			PrintAndLog("    27 <password> <page> <byte0...byte3> write page on a Hitag2 tag");
 			return 1;
 		} break;
 	}
 	// Copy the hitag function into the first argument
 	c.arg[0] = htf;

-  // Send the command to the proxmark
-  SendCommand(&c);
+	// Send the command to the proxmark
+	SendCommand(&c);

-  UsbCommand resp;
-  WaitForResponse(CMD_ACK,&resp);
+	UsbCommand resp;
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
+		PrintAndLogEx(WARNING, "timeout while waiting for reply.");
+		return 1;
+	}

-  // Check the return status, stored in the first argument
-  if (resp.arg[0] == false) return 1;
-  return 0;
+	// Check the return status, stored in the first argument
+	if (resp.arg[0] == false) {
+		PrintAndLogEx(DEBUG, "DEBUG: Error - hitag write failed");
+		return 1;
+	}
+	return 0;
 }


+static int CmdHelp(const char *Cmd);
+
 static command_t CommandTable[] =
 {
-  {"help",    		CmdHelp,           1, "This help"},
-  {"list",    		CmdLFHitagList,    1, "<outfile> List Hitag trace history"},
-  {"reader",  		CmdLFHitagReader,  1, "Act like a Hitag Reader"},
-  {"sim",     		CmdLFHitagSim,     1, "<infile> Simulate Hitag transponder"},
-  {"snoop",   		CmdLFHitagSnoop,   1, "Eavesdrop Hitag communication"},
-  {"writer",   		CmdLFHitagWP,      1, "Act like a Hitag Writer" },
-  {"simS",   		CmdLFHitagSimS,    1, "<hitagS.hts> Simulate HitagS transponder" }, 
-  {"checkChallenges",	CmdLFHitagCheckChallenges,   1, "<challenges.cc> test all challenges" }, {
-				NULL,NULL, 0, NULL }
+	{"help",             CmdHelp,                   1, "This help"},
+	{"list",             CmdLFHitagList,            0, "<outfile> List Hitag trace history"},
+	{"info",             CmdLFHitagInfo,            0, "Tag information" },
+	{"reader",           CmdLFHitagReader,          0, "Act like a Hitag Reader"},
+	{"sim",              CmdLFHitagSim,             0, "Simulate Hitag transponder"},
+	{"snoop",            CmdLFHitagSnoop,           0, "Eavesdrop Hitag communication"},
+	{"writer",           CmdLFHitagWriter,          0, "Act like a Hitag Writer" },
+	{"simS",             CmdLFHitagSimS,            0, "Simulate HitagS transponder" },
+	{"checkChallenges",  CmdLFHitagCheckChallenges, 0, "Test challenges from a file" },
+	{ NULL,              NULL,                      0, NULL }
 };

-int CmdLFHitag(const char *Cmd)
-{
-  CmdsParse(CommandTable, Cmd);
-  return 0;
+
+static int CmdHelp(const char *Cmd) {
+	CmdsHelp(CommandTable);
+	return 0;
 }

-int CmdHelp(const char *Cmd)
-{
-  CmdsHelp(CommandTable);
-  return 0;
+
+int CmdLFHitag(const char *Cmd) {
+	CmdsParse(CommandTable, Cmd);
+	return 0;
 }
--- a/client/cmdlfhitag.h
+++ b/client/cmdlfhitag.h
@ -11,11 +11,11 @@
 #ifndef CMDLFHITAG_H__
 #define CMDLFHITAG_H__

-int CmdLFHitag(const char *Cmd);
+#include <stdint.h>
+#include <stdbool.h>

-int CmdLFHitagList(const char *Cmd);
-int CmdLFHitagSnoop(const char *Cmd);
-int CmdLFHitagSim(const char *Cmd);
-int CmdLFHitagReader(const char *Cmd);
+extern int CmdLFHitag(const char *Cmd);
+extern int CmdLFHitagReader(const char *Cmd);
+extern bool getHitagUid(uint32_t *uid, bool quiet);

 #endif
--- a/client/cmdlfparadox.c
+++ b/client/cmdlfparadox.c
@ -19,7 +19,14 @@
 #include "cmddata.h"
 #include "cmdlf.h"
 #include "lfdemod.h"
+#include "comms.h"
+// This card type is similar to HID, so we include the utils from there
+#include "cmdlfhid.h"
+#include "hidcardformats.h"
+#include "hidcardformatutils.h"
+
 static int CmdHelp(const char *Cmd);
+void ParadoxWrite(hidproxmessage_t *packed);

 //by marshmellow
 //Paradox Prox demod - FSK RF/50 with preamble of 00001111 (then manchester encoded)
@ -55,14 +62,24 @@ int CmdFSKdemodParadox(const char *Cmd)
 		if (g_debugMode) PrintAndLog("DEBUG: Error - no value found");
 		return 0;
 	}
+
 	uint32_t fc = ((hi & 0x3)<<6) | (lo>>26);
 	uint32_t cardnum = (lo>>10)&0xFFFF;
 	uint32_t rawLo = bytebits_to_byte(BitStream+idx+64,32);
 	uint32_t rawHi = bytebits_to_byte(BitStream+idx+32,32);
 	uint32_t rawHi2 = bytebits_to_byte(BitStream+idx,32);

-	PrintAndLog("Paradox TAG ID: %x%08x - FC: %d - Card: %d - Checksum: %02x - RAW: %08x%08x%08x",
-		hi>>10, (hi & 0x3)<<26 | (lo>>10), fc, cardnum, (lo>>2) & 0xFF, rawHi2, rawHi, rawLo);
+	// Steal the HID parsing to output a "full" ID we can send to the HID cloning function
+	hidproxmessage_t packed = initialize_proxmessage_object(hi2, hi, lo);
+
+	if (packed.top != 0) {
+		PrintAndLog("Paradox TAG ID: %x%08x (Full ID: %x%08x%08x) - FC: %d - Card: %d - Checksum: %02x - RAW: %08x%08x%08x",
+			hi>>10, (hi & 0x3)<<26 | (lo>>10), (uint32_t)packed.top, (uint32_t)packed.mid, (uint32_t)packed.bot, fc, cardnum, (lo>>2) & 0xFF, rawHi2, rawHi, rawLo);
+	} else {
+		PrintAndLog("Paradox TAG ID: %x%08x (Full ID: %x%08x) - FC: %d - Card: %d - Checksum: %02x - RAW: %08x%08x%08x",
+			hi>>10, (hi & 0x3)<<26 | (lo>>10), (uint32_t)packed.mid, (uint32_t)packed.bot, fc, cardnum, (lo>>2) & 0xFF, rawHi2, rawHi, rawLo);
+
+	}
 	setDemodBuf(BitStream,BitLen,idx);
 	setClockGrid(50, waveIdx + (idx*50));
 	if (g_debugMode){ 
@ -80,10 +97,31 @@ int CmdParadoxRead(const char *Cmd) {
 	return CmdFSKdemodParadox(Cmd);
 }

+int CmdParadoxClone(const char *Cmd)
+{
+	unsigned int top = 0, mid = 0, bot = 0;
+	hid_hexstring_to_int96(&top, &mid, &bot, Cmd);
+	hidproxmessage_t packed = initialize_proxmessage_object(top, mid, bot);
+	ParadoxWrite(&packed);
+	return 0;
+}
+
+void ParadoxWrite(hidproxmessage_t *packed){
+	UsbCommand c;
+	c.d.asBytes[0] = (packed->top != 0 && ((packed->mid & 0xFFFFFFC0) != 0))
+	? 1 : 0; // Writing long format?
+	c.cmd = CMD_PARADOX_CLONE_TAG;
+	c.arg[0] = (packed->top & 0x000FFFFF);
+	c.arg[1] = packed->mid;
+	c.arg[2] = packed->bot;
+	SendCommand(&c);
+}
+
 static command_t CommandTable[] = {
 	{"help",  CmdHelp,            1, "This help"},
 	{"demod", CmdFSKdemodParadox, 1, "Demodulate a Paradox FSK tag from the GraphBuffer"},
 	{"read",  CmdParadoxRead,     0, "Attempt to read and Extract tag data from the antenna"},
+	{"clone", CmdParadoxClone,    0, "<ID> -- Clone Paradox to T55x7 (tag must be in antenna)"},
 	{NULL, NULL, 0, NULL}
 };

--- a/client/cmdlfpcf7931.c
+++ b/client/cmdlfpcf7931.c
@ -1,6 +1,7 @@
 //-----------------------------------------------------------------------------
 // Copyright (C) 2012 Chalk <chalk.secu at gmail.com>
 //               2015 Dake <thomas.cayrou at gmail.com>
+//               2018 sguerrini97 <sguerrini97 at gmail.com>

 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@ -76,6 +77,21 @@ int usage_pcf7931_write(){
 	return 0;
 }

+int usage_pcf7931_bruteforce()
+{
+	PrintAndLog("Usage: lf pcf7931 bruteforce [h] <start password> <tries>");
+	PrintAndLog("This command tries to disable PAC of a PCF7931 transponder by bruteforcing the password.");
+	PrintAndLog("!! THIS IS NOT INTENDED TO RECOVER THE FULL PASSWORD !!");
+	PrintAndLog("!! DO NOT USE UNLESS THE FIRST 5 BYTES OF THE PASSWORD ARE KNOWN !!");
+	PrintAndLog("Options:");
+	PrintAndLog("       h                This help");
+	PrintAndLog("       start password   hex password to start from");
+	PrintAndLog("       tries            How many times to send the same data frame");
+	PrintAndLog("Examples:");
+	PrintAndLog("      lf pcf7931 bruteforce 00000000123456 3");
+	return 0;
+}
+
 int usage_pcf7931_config(){
 	PrintAndLog("Usage: lf pcf7931 config [h] [r] <pwd> <delay> <offset width> <offset position>");
 	PrintAndLog("This command tries to set the configuration used with PCF7931 commands");
@ -159,12 +175,47 @@ int CmdLFPCF7931Write(const char *Cmd){
 	return 0;
 }

+int CmdLFPCF7931BruteForce(const char *Cmd){
+
+	uint8_t ctmp = param_getchar(Cmd, 0);
+	if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_bruteforce();
+
+	uint8_t start_password[7] = {0};
+	uint8_t tries = 3;
+
+	if (param_gethex(Cmd, 0, start_password, 14)) return usage_pcf7931_bruteforce();
+	if (param_getdec(Cmd, 1, &tries)) return usage_pcf7931_bruteforce();
+
+	PrintAndLog("Bruteforcing from password: %02x %02x %02x %02x %02x %02x %02x",
+			start_password[0],
+			start_password[1],
+			start_password[2],
+			start_password[3],
+			start_password[4],
+			start_password[5],
+			start_password[6]);
+
+	PrintAndLog("Trying each password %d times", tries);
+
+	UsbCommand c = {CMD_PCF7931_BRUTEFORCE, {bytes_to_num(start_password, 7), tries} };
+
+	c.d.asDwords[7] = (configPcf.OffsetWidth + 128);
+	c.d.asDwords[8] = (configPcf.OffsetPosition + 128);
+	c.d.asDwords[9] = configPcf.InitDelay;
+
+	clearCommandBuffer();
+	SendCommand(&c);
+	//no ack?
+	return 0;
+}
+
 static command_t CommandTable[] =
 {
 	{"help",   CmdHelp,            1, "This help"},
 	{"read",   CmdLFPCF7931Read,   0, "Read content of a PCF7931 transponder"},
 	{"write",  CmdLFPCF7931Write,  0, "Write data on a PCF7931 transponder."},
 	{"config", CmdLFPCF7931Config, 1, "Configure the password, the tags initialization delay and time offsets (optional)"},
+	{"bruteforce", CmdLFPCF7931BruteForce, 0, "Bruteforce a PCF7931 transponder password."},
 	{NULL,     NULL,               0, NULL}
 };

--- a/client/cmdlfpcf7931.h
+++ b/client/cmdlfpcf7931.h
@ -1,6 +1,7 @@
 //-----------------------------------------------------------------------------
 // Copyright (C) 2012 Chalk <chalk.secu at gmail.com>
 //				 2015 Dake <thomas.cayrou at gmail.com>
+//				 2018 sguerrini97 <sguerrini97 at gmail.com>

 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@ -26,12 +27,14 @@ int pcf7931_printConfig();

 int usage_pcf7931_read();
 int usage_pcf7931_write();
+int usage_pcf7931_bruteforce();
 int usage_pcf7931_config();

 int CmdLFPCF7931(const char *Cmd);

 int CmdLFPCF7931Read(const char *Cmd);
 int CmdLFPCF7931Write(const char *Cmd);
+int CmdLFPCF7931BruteForce(const char *Cmd);
 int CmdLFPCF7931Config(const char *Cmd);

 #endif
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@ -23,8 +23,8 @@
 #include "cmdlf.h"
 #include "util.h"
 #include "lfdemod.h"
-#include "cmdhf14a.h" //for getTagInfo
 #include "protocols.h"
+#include "taginfo.h"

 #define T55x7_CONFIGURATION_BLOCK 0x00
 #define T55x7_PAGE0 0x00
@ -67,6 +67,8 @@ int usage_t55xx_read(){
 	PrintAndLog("     p <password> - OPTIONAL password (8 hex characters)");
 	PrintAndLog("     o            - OPTIONAL override safety check");
 	PrintAndLog("     1            - OPTIONAL read Page 1 instead of Page 0");
+	PrintAndLog("     r <mode>     - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");
+	PrintAndLog("                                               '2' leading zero,               '3' 1 of 4 coding reference"); 
 	PrintAndLog("     ****WARNING****");
 	PrintAndLog("     Use of read with password on a tag not configured for a pwd");
 	PrintAndLog("     can damage the tag");
@ -86,6 +88,8 @@ int usage_t55xx_write(){
 	PrintAndLog("     p <password> - OPTIONAL password 4bytes (8 hex characters)");
 	PrintAndLog("     1            - OPTIONAL write Page 1 instead of Page 0");
 	PrintAndLog("     t            - OPTIONAL test mode write - ****DANGER****");	
+	PrintAndLog("     r <mode>     - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");
+	PrintAndLog("                                               '2' leading zero,               '3' 1 of 4 coding reference"); 
 	PrintAndLog("");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf t55xx write b 3 d 11223344            - write 11223344 to block 3");
@ -132,6 +136,8 @@ int usage_t55xx_detect(){
 	PrintAndLog("Options:");
 	PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");
 	PrintAndLog("     p <password>  - OPTIONAL password (8 hex characters)");
+	PrintAndLog("     r <mode>      - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");
+	PrintAndLog("                                                '2' leading zero,               '3' 1 of 4 coding reference"); 
 	PrintAndLog("");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf t55xx detect");
@ -162,7 +168,7 @@ int usage_t55xx_wakup(){
 	PrintAndLog("     <password>  - [required] password 4bytes (8 hex symbols)");
 	PrintAndLog("");
 	PrintAndLog("Examples:");
-		PrintAndLog("      lf t55xx wakeup 11223344  - send wakeup password");
+	PrintAndLog("      lf t55xx wakeup 11223344  - send wakeup password");
 	return 0;
 }
 int usage_t55xx_bruteforce(){
@ -172,13 +178,16 @@ int usage_t55xx_bruteforce(){
 	PrintAndLog("       password must be 4 bytes (8 hex symbols)");
 	PrintAndLog("Options:");
 	PrintAndLog("     h           - this help");
+	PrintAndLog("     r <mode>    - OPTIONAL downlink encoding '0' fixed bit length (default)"); 
+	PrintAndLog("                                  '1' long leading reference,  '2' leading zero ");
+	PrintAndLog("                                  '3' 1 of 4 coding reference, '4' special - try all downlink modes");
 	PrintAndLog("     <start_pwd> - 4 byte hex value to start pwd search at");
 	PrintAndLog("     <end_pwd>   - 4 byte hex value to end pwd search at");
 	PrintAndLog("     i <*.dic>   - loads a default keys dictionary file <*.dic>");
 	PrintAndLog("");
 	PrintAndLog("Examples:");
-	PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");
-	PrintAndLog("       lf t55xx bruteforce i default_pwd.dic");
+	PrintAndLog("       lf t55xx bruteforce [r 2] aaaaaaaa bbbbbbbb");
+	PrintAndLog("       lf t55xx bruteforce [r 2] i default_pwd.dic");
 	PrintAndLog("");
 	return 0;
 }
@ -302,21 +311,21 @@ int CmdT55xxSetConfig(const char *Cmd) {
 	}

 	// No args
-	if (cmdp == 0) return printConfiguration( config );
+	if (cmdp == 0) return printConfiguration( config);

 	//Validations
 	if (errors) return usage_t55xx_config();

 	config.block0 = 0;
-	return printConfiguration ( config );
+	return printConfiguration ( config);
 }

-int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){
+int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password, uint8_t downlink_mode){
 	//Password mode
 	if ( usepwd ) {
 		// try reading the config block and verify that PWD bit is set before doing this!
 		if ( !override ) {
-			if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0;
+			if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0,downlink_mode ) ) return 0;
 			if ( !tryDetectModulation() ) {
 				PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");
 				return 0;
@ -330,7 +339,7 @@ int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32
 		}
 	}

-	if (!AquireData(page1, block, usepwd, password) )	return 0;
+	if (!AquireData(page1, block, usepwd, password,downlink_mode) )	return 0;
 	if (!DecodeT55xxBlock()) return 0;

 	char blk[10]={0};
@ -342,6 +351,8 @@ int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32
 int CmdT55xxReadBlock(const char *Cmd) {
 	uint8_t block = REGULAR_READ_MODE_BLOCK;
 	uint32_t password = 0; //default to blank Block 7
+	uint8_t downlink_mode = 0;
+	
 	bool usepwd = false;
 	bool override = false;
 	bool page1 = false;
@ -372,6 +383,12 @@ int CmdT55xxReadBlock(const char *Cmd) {
 			page1 = true;
 			cmdp++;
 			break;
+		case 'r':
+		case 'R':
+			downlink_mode = param_getchar(Cmd, cmdp+1) - '0';
+			if (downlink_mode > 3) downlink_mode = 0;
+			cmdp +=2;
+			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
@ -386,7 +403,7 @@ int CmdT55xxReadBlock(const char *Cmd) {
 	}

 	printT5xxHeader(page1);
-	return T55xxReadBlock(block, page1, usepwd, override, password);
+	return T55xxReadBlock(block, page1, usepwd, override, password, downlink_mode);
 }

 bool DecodeT55xxBlock(){
@ -459,12 +476,32 @@ bool DecodeT5555TraceBlock() {
 	return (bool) ASKDemod("64 0 1", false, false, 1);
 }

+void T55xx_Print_DownlinkMode (uint8_t downlink_mode)
+{
+	char Msg[80];
+	sprintf (Msg,"Downlink Mode used : ");
+	
+		switch (downlink_mode) {
+			case  0 :	strcat (Msg,"default/fixed bit length"); break;
+			case  1 :   strcat (Msg,"long leading reference (r 1)");   break;
+			case  2 :   strcat (Msg,"leading zero reference (r 2)");   break;
+			case  3 :   strcat (Msg,"1 of 4 coding reference (r 3)");  break;
+			default :
+					strcat (Msg,"default/fixed bit length"); break;
+
+		}
+	
+	PrintAndLog (Msg);
+	
+}
+
 int CmdT55xxDetect(const char *Cmd){
 	bool errors = false;
 	bool useGB = false;
 	bool usepwd = false;
 	uint32_t password = 0;
 	uint8_t cmdp = 0;
+	uint8_t downlink_mode = 0;

 	while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 		switch(param_getchar(Cmd, cmdp)) {
@ -482,6 +519,12 @@ int CmdT55xxDetect(const char *Cmd){
 			useGB = true;
 			cmdp++;
 			break;
+		case 'r':
+		case 'R':
+			downlink_mode = param_getchar(Cmd, cmdp+1) - '0';
+			if (downlink_mode > 3) downlink_mode = 0;
+			cmdp +=2;
+			break;			
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
@ -491,13 +534,16 @@ int CmdT55xxDetect(const char *Cmd){
 	if (errors) return usage_t55xx_detect();
 	
 	if ( !useGB) {
-		if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )
+		if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password,downlink_mode) )
 			return 0;
 	}
 	
 	if ( !tryDetectModulation() )
 		PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");
-
+	else {
+		// Add downlink mode for reference.
+		T55xx_Print_DownlinkMode (downlink_mode);
+	}
 	return 1;
 }

@ -649,7 +695,8 @@ bool tryDetectModulation(){
 		config.block0 = tests[0].block0;
 		config.Q5 = tests[0].Q5;
 		config.ST = tests[0].ST;
-		printConfiguration( config );
+		
+		printConfiguration( config);
 		return true;
 	}
 	
@ -657,7 +704,7 @@ bool tryDetectModulation(){
 		PrintAndLog("Found [%d] possible matches for modulation.",hits);
 		for(int i=0; i<hits; ++i){
 			PrintAndLog("--[%d]---------------", i+1);
-			printConfiguration( tests[i] );
+			printConfiguration( tests[i]);
 		}
 	}
 	return false;
@ -898,6 +945,8 @@ int CmdT55xxWriteBlock(const char *Cmd) {
 	uint8_t block = 0xFF; //default to invalid block
 	uint32_t data = 0; //default to blank Block 
 	uint32_t password = 0; //default to blank Block 7
+	uint32_t downlink_mode = 0;
+	
 	bool usepwd = false;
 	bool page1 = false;	
 	bool gotdata = false;
@ -935,6 +984,12 @@ int CmdT55xxWriteBlock(const char *Cmd) {
 			page1 = true;
 			cmdp++;
 			break;
+		case 'r':
+		case 'R':
+			downlink_mode = param_getchar(Cmd, cmdp+1) - '0';
+			if (downlink_mode > 3) downlink_mode = 0;
+			cmdp +=2;
+			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
@ -952,6 +1007,7 @@ int CmdT55xxWriteBlock(const char *Cmd) {
 	UsbCommand resp;
 	c.d.asBytes[0] = (page1) ? 0x2 : 0; 
 	c.d.asBytes[0] |= (testMode) ? 0x4 : 0; 
+	c.d.asBytes[0] |= (downlink_mode << 3);
 	
 	char pwdStr[16] = {0};
 	snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);
@ -963,6 +1019,7 @@ int CmdT55xxWriteBlock(const char *Cmd) {
 		c.arg[2] = password;
 		c.d.asBytes[0] |= 0x1; 
 	}
+	
 	clearCommandBuffer();
 	SendCommand(&c);
 	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
@ -980,7 +1037,7 @@ int CmdT55xxReadTrace(const char *Cmd) {
 		return usage_t55xx_trace();

 	if (strlen(Cmd)==0)
-		if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )
+		if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password,0 ) )
 			return 0;

 	if ( config.Q5 ) {
@ -1070,7 +1127,7 @@ void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){
 	PrintAndLog("-- T55x7 Trace Information ----------------------------------");
 	PrintAndLog("-------------------------------------------------------------");
 	PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", data.acl, data.acl);
-	PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc));
+	PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", data.mfc, data.mfc, getManufacturerName(data.mfc));
 	PrintAndLog(" CID                                     : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid));
 	PrintAndLog(" ICR IC Revision                         : %d", data.icr );
 	PrintAndLog(" Manufactured");
@ -1144,7 +1201,7 @@ int CmdT55xxInfo(const char *Cmd){
 		return usage_t55xx_info();
 	
 	if (strlen(Cmd)==0)
-		if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )
+		if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password,0 ) )
 			return 1;

 	if (!DecodeT55xxBlock()) return 1;
@ -1212,20 +1269,21 @@ int CmdT55xxDump(const char *Cmd){
 	
 	printT5xxHeader(0);
 	for ( uint8_t i = 0; i <8; ++i)
-		T55xxReadBlock(i, 0, usepwd, override, password);
+		T55xxReadBlock(i, 0, usepwd, override, password,0);

 	printT5xxHeader(1);
 	for ( uint8_t	i = 0; i<4; i++)
-		T55xxReadBlock(i, 1, usepwd, override, password);		
+		T55xxReadBlock(i, 1, usepwd, override, password,0);		

 	return 1;
 }

-int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint8_t downlink_mode ){
 	// arg0 bitmodes:
 	// bit0 = pwdmode
 	// bit1 = page to read from
 	uint8_t arg0 = (page<<1) | pwdmode;
+	arg0 |= (downlink_mode << 3);
 	UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};

 	clearCommandBuffer();
@ -1403,9 +1461,23 @@ int CmdT55xxBruteForce(const char *Cmd) {
 	uint32_t start_password = 0x00000000; //start password
 	uint32_t end_password   = 0xFFFFFFFF; //end   password
 	bool found = false;
+	uint8_t downlink_mode = 0;
+	bool try_all_dl_modes = false;
+	uint8_t dl_mode = 0;
+	uint8_t cmd_offset = 0;
+	int cmd_opt = 0;
 		
 	char cmdp = param_getchar(Cmd, 0);
+	
 	if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();
+	if (cmdp == 'r' || cmdp == 'R') {
+		downlink_mode = param_getchar(Cmd, 1) - '0'; // get 2nd option, as this is fixed order.
+		if (downlink_mode == 4) try_all_dl_modes = true;
+		if (downlink_mode > 3) downlink_mode = 0;
+		cmd_opt += 2;	 // To help start/end passwords for range to be found
+		cmd_offset += 4; // r <sp> x <sp> To help the string offset for filename start position in cmd
+		cmdp = param_getchar(Cmd, 2); // get 3rd option, as this is fixed order.
+	}

 	keyBlock = calloc(stKeyBlock, 6);
 	if (keyBlock == NULL) return 1;
@ -1414,7 +1486,7 @@ int CmdT55xxBruteForce(const char *Cmd) {

 		int len = strlen(Cmd+2);
 		if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
-		memcpy(filename, Cmd+2, len);
+		memcpy(filename, Cmd+2+cmd_offset, len);

 		FILE * f = fopen( filename , "r");

@ -1480,18 +1552,27 @@ int CmdT55xxBruteForce(const char *Cmd) {

 			PrintAndLog("Testing %08X", testpwd);
 			
-			if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd)) {
-				PrintAndLog("Aquireing data from device failed. Quitting");
-				free(keyBlock);
-				return 0;
-			}
+			// Try each downlink_mode if asked to 
+			// donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3
+			for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){
+				if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd, dl_mode)) {
+					PrintAndLog("Acquiring data from device failed. Quitting");
+					free(keyBlock);
+					return 0;
+				}

-			found = tryDetectModulation();
+				found = tryDetectModulation();

-			if ( found ) {
-				PrintAndLog("Found valid password: [%08X]", testpwd);
-				free(keyBlock);
-				return 0;
+				if ( found ) {
+					PrintAndLog("Found valid password: [%08X]", testpwd);
+					free(keyBlock);
+					
+					T55xx_Print_DownlinkMode (dl_mode);
+
+					return 0;
+				}
+				if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
+					dl_mode = 4;
 			}	
 		}
 		PrintAndLog("Password NOT found.");
@ -1502,8 +1583,8 @@ int CmdT55xxBruteForce(const char *Cmd) {
 	// Try to read Block 7, first :)

 	// incremental pwd range search
-	start_password = param_get32ex(Cmd, 0, 0, 16);
-	end_password = param_get32ex(Cmd, 1, 0, 16);
+	start_password = param_get32ex(Cmd, cmd_opt , 0, 16);
+	end_password = param_get32ex(Cmd, cmd_opt+1 , 0, 16);

 	if ( start_password >= end_password ) {
 		free(keyBlock);
@ -1524,29 +1605,36 @@ int CmdT55xxBruteForce(const char *Cmd) {
 			free(keyBlock);
 			return 0;
 		}
+		// Try each downlink_mode if asked to 
+		// donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3
+		for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){
+			if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,dl_mode)) {
+				PrintAndLog("Acquiring data from device failed. Quitting");
+				free(keyBlock);
+				return 0;
+			}
+			found = tryDetectModulation();

-		if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i)) {
-			PrintAndLog("Aquireing data from device failed. Quitting");
-			free(keyBlock);
-			return 0;
+			if (found) break;
+			if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
+				dl_mode = 4;			
 		}
-		found = tryDetectModulation();
-
 		if (found) break;
 		i++;
 	}

-	PrintAndLog("");
-
-	if (found)
+	if (found){
 		PrintAndLog("Found valid password: [%08x]", i);
-	else
+		T55xx_Print_DownlinkMode (downlink_mode);
+	}
+	else{
+		PrintAndLog("");
 		PrintAndLog("Password NOT found. Last tried: [%08x]", --i);
+	}

 	free(keyBlock);
 	return 0;
 }
-
 // note length of data returned is different for different chips.  
 //   some return all page 1 (64 bits) and others return just that block (32 bits) 
 //   unfortunately the 64 bits makes this more likely to get a false positive...
@ -1558,7 +1646,7 @@ bool tryDetectP1(bool getData) {
 	bool st = true;

 	if ( getData ) {
-		if ( !AquireData(T55x7_PAGE1, 1, false, 0) )
+		if ( !AquireData(T55x7_PAGE1, 1, false, 0,0) )
 			return false;
 	}

@ -1687,7 +1775,7 @@ int CmdT55xxDetectPage1(const char *Cmd){
 	if (errors) return usage_t55xx_detectP1();

 	if ( !useGB ) {
-		if ( !AquireData(T55x7_PAGE1, 1, usepwd, password) )
+		if ( !AquireData(T55x7_PAGE1, 1, usepwd, password,0) )
 			return false;
 	}
 	bool success = tryDetectP1(false);
@ -1697,7 +1785,7 @@ int CmdT55xxDetectPage1(const char *Cmd){

 static command_t CommandTable[] = {
  {"help",      CmdHelp,           1, "This help"},
-	{"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
+  {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
  {"config",    CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
  {"detect",    CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},
  {"p1detect",  CmdT55xxDetectPage1,1, "[1] Try detecting if this is a t55xx tag by reading page 1"},
--- a/client/cmdlft55xx.h
+++ b/client/cmdlft55xx.h
@ -98,7 +98,7 @@ bool tryDetectModulation(void);
 extern bool tryDetectP1(bool getData);
 bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5);
 int special(const char *Cmd);
-int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password );
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password,uint8_t downlink_mode );

 void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat );
 void printT5555Trace( t5555_tracedata_t data, uint8_t repeat );
--- a/client/cmdmain.c
+++ b/client/cmdmain.c
@ -26,6 +26,7 @@
 #include "util.h"
 #include "util_posix.h"
 #include "cmdscript.h"
+#include "emv/cmdemv.h"		// EMV				  
 #ifdef WITH_SMARTCARD 
  #include "cmdsmartcard.h"
 #endif
@ -36,18 +37,21 @@ static int CmdQuit(const char *Cmd);

 static command_t CommandTable[] = 
 {
-  {"help",  CmdHelp,  1, "This help. Use '<command> help' for details of a particular command."},
-  {"data",  CmdData,  1, "{ Plot window / data buffer manipulation... }"},
-  {"hf",    CmdHF,    1, "{ High Frequency commands... }"},
-  {"hw",    CmdHW,    1, "{ Hardware commands... }"},
-  {"lf",    CmdLF,    1, "{ Low Frequency commands... }"},
+	{"help",  CmdHelp,  1, "This help. Use '<command> help' for details of a particular command."},
+	{"data",  CmdData,  1, "{ Plot window / data buffer manipulation... }"},
+	{"hf",    CmdHF,    1, "{ High Frequency commands... }"},
+	{"hw",    CmdHW,    1, "{ Hardware commands... }"},
+	{"lf",    CmdLF,    1, "{ Low Frequency commands... }"},
 #ifdef WITH_SMARTCARD
-  {"sc",    CmdSmartcard,1,"{ Smartcard commands... }"},
+	{"emv",   CmdEMV,   1, "{ EMV iso14443 and iso7816... }"},
+	{"sc",    CmdSmartcard,1,"{ Smartcard commands... }"},
+#else
+	{"emv",   CmdEMV,   1, "{ EMV iso14443 }"},
 #endif
-  {"script",CmdScript,1, "{ Scripting commands }"},
-  {"quit",  CmdQuit,  1, "Exit program"},
-  {"exit",  CmdQuit,  1, "Exit program"},
-  {NULL, NULL, 0, NULL}
+	{"script",CmdScript,1, "{ Scripting commands }"},
+	{"quit",  CmdQuit,  1, "Exit program"},
+	{"exit",  CmdQuit,  1, "Exit program"},
+	{NULL, NULL, 0, NULL}
 };

 command_t* getTopLevelCommandTable()
--- a/client/cmdsmartcard.c
+++ b/client/cmdsmartcard.c
--- a/client/cmdsmartcard.h
+++ b/client/cmdsmartcard.h
@ -11,29 +11,12 @@
 #ifndef CMDSMARTCARD_H__
 #define CMDSMARTCARD_H__

-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include "proxmark3.h"
-#include "ui.h"
-#include "cmdparser.h"
-#include "common.h"
-#include "util.h"
-#include "loclass/fileutils.h"  // saveFile
-#include "cmdmain.h"            // getfromdevice
-#include "emv/emvcore.h"        // decodeTVL
-#include "emv/apduinfo.h"       // APDUcode description
+#include <stdint.h>
+#include <stdbool.h>
+#include "smartcard.h"

 extern int CmdSmartcard(const char *Cmd);
+extern bool smart_getATR(smart_card_atr_t *card);
+extern int ExchangeAPDUSC(uint8_t *datain, int datainlen, bool activateCard, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);

-extern int CmdSmartRaw(const char* cmd);
-extern int CmdSmartUpgrade(const char* cmd);
-extern int CmdSmartInfo(const char* cmd);
-extern int CmdSmartReader(const char *Cmd);
-
-extern int usage_sm_raw(void);
-extern int usage_sm_reader(void);
-extern int usage_sm_info(void);
-extern int usage_sm_upgrade(void);
 #endif
--- a/client/comms.c
+++ b/client/comms.c
@ -9,12 +9,18 @@
 // Code for communicating with the proxmark3 hardware.
 //-----------------------------------------------------------------------------

+#define _POSIX_C_SOURCE 199309L // need clock_gettime()
+
 #include "comms.h"

+#include <stdio.h>
+#include <stddef.h>
+#include <string.h>
 #include <pthread.h>
-#if defined(__linux__) && !defined(NO_UNLINK)
-#include <unistd.h>		// for unlink()
-#endif
+#include <inttypes.h>
+#include <time.h>
+#include <sys/time.h>
+
 #include "uart.h"
 #include "ui.h"
 #include "common.h"
@ -31,7 +37,6 @@ static bool offline;

 typedef struct {
 	bool run; // If TRUE, continue running the uart_communication thread
-	bool block_after_ACK; // if true, block after receiving an ACK package
 } communication_arg_t;

 static communication_arg_t conn;
@ -45,6 +50,9 @@ static pthread_cond_t txBufferSig = PTHREAD_COND_INITIALIZER;

 // Used by UsbReceiveCommand as a ring buffer for messages that are yet to be
 // processed by a command handler (WaitForResponse{,Timeout})
+#define CMD_BUFFER_SIZE 50
+#define CMD_BUFFER_CHECK_TIME 10 // maximum time (in ms) to wait in getCommand()
+
 static UsbCommand rxBuffer[CMD_BUFFER_SIZE];

 // Points to the next empty position to write to
@ -55,6 +63,7 @@ static int cmd_tail = 0;

 // to lock rxBuffer operations from different threads
 static pthread_mutex_t rxBufferMutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t rxBufferSig = PTHREAD_COND_INITIALIZER;

 // These wrappers are required because it is not possible to access a static
 // global variable outside of the context of a single file.
@ -69,13 +78,13 @@ bool IsOffline() {

 void SendCommand(UsbCommand *c) {
 	#ifdef COMMS_DEBUG
-	printf("Sending %04x cmd\n", c->cmd);
+	printf("Sending %04" PRIx64 " cmd\n", c->cmd);
 	#endif

 	if (offline) {
 		PrintAndLog("Sending bytes to proxmark failed - offline");
 		return;
-    }
+	}

 	pthread_mutex_lock(&txBufferMutex);
 	/**
@ -101,8 +110,7 @@ void SendCommand(UsbCommand *c) {
 *  A better method could have been to have explicit command-ACKS, so we can know which ACK goes to which
 *  operation. Right now we'll just have to live with this.
 */
-void clearCommandBuffer()
-{
+void clearCommandBuffer() {
 	//This is a very simple operation
 	pthread_mutex_lock(&rxBufferMutex);
 	cmd_tail = cmd_head;
@ -113,11 +121,9 @@ void clearCommandBuffer()
 * @brief storeCommand stores a USB command in a circular buffer
 * @param UC
 */
-static void storeCommand(UsbCommand *command)
-{
+static void storeCommand(UsbCommand *command) {
 	pthread_mutex_lock(&rxBufferMutex);
-	if( (cmd_head+1) % CMD_BUFFER_SIZE == cmd_tail)
-	{
+	if ((cmd_head + 1) % CMD_BUFFER_SIZE == cmd_tail) {
 		// If these two are equal, we're about to overwrite in the
 		// circular buffer.
 		PrintAndLog("WARNING: Command buffer about to overwrite command! This needs to be fixed!");
@ -127,7 +133,8 @@ static void storeCommand(UsbCommand *command)
 	UsbCommand* destination = &rxBuffer[cmd_head];
 	memcpy(destination, command, sizeof(UsbCommand));

-	cmd_head = (cmd_head +1) % CMD_BUFFER_SIZE; //increment head and wrap
+	cmd_head = (cmd_head + 1) % CMD_BUFFER_SIZE; //increment head and wrap
+	pthread_cond_signal(&rxBufferSig); // tell main thread that a new command can be retreived
 	pthread_mutex_unlock(&rxBufferMutex);
 }

@ -135,21 +142,32 @@ static void storeCommand(UsbCommand *command)
 /**
 * @brief getCommand gets a command from an internal circular buffer.
 * @param response location to write command
- * @return 1 if response was returned, 0 if nothing has been received
+ * @return 1 if response was returned, 0 if nothing has been received in time
 */
-static int getCommand(UsbCommand* response)
-{
+static int getCommand(UsbCommand* response, uint32_t ms_timeout) {
+
+	struct timespec end_time;
+	clock_gettime(CLOCK_REALTIME, &end_time);
+	end_time.tv_sec += ms_timeout / 1000;
+	end_time.tv_nsec += (ms_timeout % 1000) * 1000000;
+	if (end_time.tv_nsec > 1000000000) {
+		end_time.tv_nsec -= 1000000000;
+		end_time.tv_sec += 1;
+	}
 	pthread_mutex_lock(&rxBufferMutex);
-	//If head == tail, there's nothing to read, or if we just got initialized
-	if (cmd_head == cmd_tail){
+	int res = 0;
+	while (cmd_head == cmd_tail && !res) {
+		res = pthread_cond_timedwait(&rxBufferSig, &rxBufferMutex, &end_time);
+	}
+	if (res) { // timeout
 		pthread_mutex_unlock(&rxBufferMutex);
 		return 0;
 	}

-	//Pick out the next unread command
+	// Pick out the next unread command
 	UsbCommand* last_unread = &rxBuffer[cmd_tail];
 	memcpy(response, last_unread, sizeof(UsbCommand));
-	//Increment tail - this is a circular buffer, so modulo buffer size
+	// Increment tail - this is a circular buffer, so modulo buffer size
 	cmd_tail = (cmd_tail + 1) % CMD_BUFFER_SIZE;

 	pthread_mutex_unlock(&rxBufferMutex);
@ -161,15 +179,14 @@ static int getCommand(UsbCommand* response)
 // Entry point into our code: called whenever we received a packet over USB.
 // Handle debug commands directly, store all other commands in circular buffer.
 //----------------------------------------------------------------------------------
-static void UsbCommandReceived(UsbCommand *UC)
-{
-	switch(UC->cmd) {
+static void UsbCommandReceived(UsbCommand *UC) {
+	switch (UC->cmd) {
 		// First check if we are handling a debug message
 		case CMD_DEBUG_PRINT_STRING: {
 			char s[USB_CMD_DATA_SIZE+1];
 			memset(s, 0x00, sizeof(s));
-			size_t len = MIN(UC->arg[0],USB_CMD_DATA_SIZE);
-			memcpy(s,UC->d.asBytes,len);
+			size_t len = MIN(UC->arg[0], USB_CMD_DATA_SIZE);
+			memcpy(s, UC->d.asBytes,len);
 			PrintAndLog("#db# %s", s);
 			return;
 		} break;
@ -180,13 +197,31 @@ static void UsbCommandReceived(UsbCommand *UC)
 		} break;

 		default:
- 			storeCommand(UC);
+			storeCommand(UC);
 			break;
 	}

 }


+static bool receive_from_serial(serial_port sp, uint8_t *rx_buf, size_t len, size_t *received_len) {
+	size_t bytes_read = 0;
+	*received_len = 0;
+	// we eventually need to call uart_receive several times because it may timeout in the middle of a transfer
+	while (uart_receive(sp, rx_buf + *received_len, len - *received_len, &bytes_read) && bytes_read && *received_len < len) {
+		#ifdef COMMS_DEBUG
+		if (bytes_read != len - *received_len) {
+			printf("uart_receive() returned true but not enough bytes could be received. received: %zd, wanted to receive: %zd, already received before: %zd\n",
+				bytes_read, len - *received_len, *received_len);
+		}
+		#endif
+		*received_len += bytes_read;
+		bytes_read = 0;
+	}
+	return (*received_len == len);
+}
+
+
 static void
 #ifdef __has_attribute
 #if __has_attribute(force_align_arg_pointer)
@ -195,49 +230,70 @@ __attribute__((force_align_arg_pointer))
 #endif
 *uart_communication(void *targ) {
 	communication_arg_t *conn = (communication_arg_t*)targ;
-	size_t rxlen;
-	UsbCommand rx;
-	UsbCommand *prx = &rx;
+	uint8_t rx[sizeof(UsbCommand)];
+	size_t rxlen = 0;
+	uint8_t *prx = rx;
+	UsbCommand *command = (UsbCommand*)rx;
+	UsbResponse *response = (UsbResponse*)rx;

 #if defined(__MACH__) && defined(__APPLE__)
 	disableAppNap("Proxmark3 polling UART");
 #endif

 	while (conn->run) {
-		rxlen = 0;
 		bool ACK_received = false;
-		if (uart_receive(sp, (uint8_t *)prx, sizeof(UsbCommand) - (prx-&rx), &rxlen) && rxlen) {
+		prx = rx;
+		size_t bytes_to_read = offsetof(UsbResponse, d);  // the fixed part of a new style UsbResponse. Otherwise this will be cmd and arg[0] (64 bit each)
+		if (receive_from_serial(sp, prx, bytes_to_read, &rxlen)) {
 			prx += rxlen;
-			if (prx-&rx < sizeof(UsbCommand)) {
-				continue;
-			}
-			UsbCommandReceived(&rx);
-			if (rx.cmd == CMD_ACK) {
-				ACK_received = true;
-			}
-		}
-		prx = &rx;
-
-		
-		pthread_mutex_lock(&txBufferMutex);
-
-		if (conn->block_after_ACK) {
-			// if we just received an ACK, wait here until a new command is to be transmitted
-			if (ACK_received) {
-				while (!txBuffer_pending) {
-					pthread_cond_wait(&txBufferSig, &txBufferMutex);
+			if (response->cmd & CMD_VARIABLE_SIZE_FLAG) { // new style response with variable size
+#ifdef COMMS_DEBUG
+				PrintAndLog("received new style response %04" PRIx16 ", datalen = %zd, arg[0] = %08" PRIx32 ", arg[1] = %08" PRIx32 ", arg[2] = %08" PRIx32,
+					response->cmd, response->datalen, response->arg[0], response->arg[1], response->arg[2]);
+#endif
+				bytes_to_read = response->datalen;
+				if (receive_from_serial(sp, prx, bytes_to_read, &rxlen)) {
+					UsbCommand resp;
+					resp.cmd = response->cmd & ~CMD_VARIABLE_SIZE_FLAG;  // remove the flag
+					resp.arg[0] = response->arg[0];
+					resp.arg[1] = response->arg[1];
+					resp.arg[2] = response->arg[2];
+					memcpy(&resp.d.asBytes, &response->d.asBytes, response->datalen);
+					UsbCommandReceived(&resp);
+					if (resp.cmd == CMD_ACK) {
+						ACK_received = true;
+					}
+				}
+			} else { // old style response uses same data structure as commands. Fixed size.
+#ifdef COMMS_DEBUG
+				PrintAndLog("received old style response %016" PRIx64 ", arg[0] = %016" PRIx64, command->cmd, command->arg[0]);
+#endif
+				bytes_to_read = sizeof(UsbCommand) - bytes_to_read;
+				if (receive_from_serial(sp, prx, bytes_to_read, &rxlen)) {
+					UsbCommandReceived(command);
+					if (command->cmd == CMD_ACK) {
+						ACK_received = true;
+					}
 				}
 			}
 		}

-		if(txBuffer_pending) {
+		pthread_mutex_lock(&txBufferMutex);
+		// if we received an ACK the PM has done its job and waits for another command.
+		// We therefore can wait here as well until a new command is to be transmitted.
+		// The advantage is that the next command will be transmitted immediately without the need to wait for a receive timeout
+		if (ACK_received) {
+			while (!txBuffer_pending) {
+				pthread_cond_wait(&txBufferSig, &txBufferMutex);
+			}
+		}
+		if (txBuffer_pending) {
 			if (!uart_send(sp, (uint8_t*) &txBuffer, sizeof(UsbCommand))) {
 				PrintAndLog("Sending bytes to proxmark failed");
 			}
 			txBuffer_pending = false;
-			pthread_cond_signal(&txBufferSig); // tell main thread that txBuffer is empty
 		}
-
+		pthread_cond_signal(&txBufferSig); // tell main thread that txBuffer is empty
 		pthread_mutex_unlock(&txBufferMutex);
 	}

@ -262,21 +318,30 @@ __attribute__((force_align_arg_pointer))
 * @param show_warning display message after 2 seconds
 * @return true if command was returned, otherwise false
 */
-bool GetFromBigBuf(uint8_t *dest, int bytes, int start_index, UsbCommand *response, size_t ms_timeout, bool show_warning)
-{
-	UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {start_index, bytes, 0}};
-	SendCommand(&c);
+bool GetFromBigBuf(uint8_t *dest, int bytes, int start_index, UsbCommand *response, size_t ms_timeout, bool show_warning) {

 	uint64_t start_time = msclock();

+	UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {start_index, bytes, 0}};
+	SendCommand(&c);
+
 	UsbCommand resp;
-  	if (response == NULL) {
+	if (response == NULL) {
 		response = &resp;
 	}

 	int bytes_completed = 0;
-	while(true) {
-		if (getCommand(response)) {
+	while (true) {
+		if (msclock() - start_time > ms_timeout) {
+			break; // timeout
+		}
+		if (msclock() - start_time > 2000 && show_warning) {
+			// 2 seconds elapsed (but this doesn't mean the timeout was exceeded)
+			PrintAndLog("Waiting for a response from the proxmark...");
+			PrintAndLog("You can cancel this operation by pressing the pm3 button");
+			show_warning = false;
+		}
+		if (getCommand(response, CMD_BUFFER_CHECK_TIME)) {
 			if (response->cmd == CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K) {
 				int copy_bytes = MIN(bytes - bytes_completed, response->arg[1]);
 				memcpy(dest + response->arg[0], response->d.asBytes, copy_bytes);
@ -285,23 +350,45 @@ bool GetFromBigBuf(uint8_t *dest, int bytes, int start_index, UsbCommand *respon
 				return true;
 			}
 		}
+	}

-		if (msclock() - start_time > ms_timeout) {
-			break;
-		}
+	return false;
+}

+
+bool GetFromFpgaRAM(uint8_t *dest, int bytes) {
+
+	uint64_t start_time = msclock();
+
+	UsbCommand c = {CMD_HF_PLOT, {0, 0, 0}};
+	SendCommand(&c);
+
+	UsbCommand response;
+
+	int bytes_completed = 0;
+	bool show_warning = true;
+	while (true) {
 		if (msclock() - start_time > 2000 && show_warning) {
 			PrintAndLog("Waiting for a response from the proxmark...");
 			PrintAndLog("You can cancel this operation by pressing the pm3 button");
 			show_warning = false;
 		}
+		if (getCommand(&response, CMD_BUFFER_CHECK_TIME)) {
+			if (response.cmd == CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K) {
+				int copy_bytes = MIN(bytes - bytes_completed, response.arg[1]);
+				memcpy(dest + response.arg[0], response.d.asBytes, copy_bytes);
+				bytes_completed += copy_bytes;
+			} else if (response.cmd == CMD_ACK) {
+				return true;
+			}
+		}
 	}

 	return false;
 }


-bool OpenProxmark(void *port, bool wait_for_port, int timeout, bool flash_mode) {
+bool OpenProxmark(void *port, bool wait_for_port, int timeout) {
 	char *portname = (char *)port;
 	if (!wait_for_port) {
 		sp = uart_open(portname);
@ -314,7 +401,7 @@ bool OpenProxmark(void *port, bool wait_for_port, int timeout, bool flash_mode)
 			msleep(1000);
 			printf(".");
 			fflush(stdout);
-		} while(++openCount < timeout && (sp == INVALID_SERIAL_PORT || sp == CLAIMED_SERIAL_PORT));
+		} while (++openCount < timeout && (sp == INVALID_SERIAL_PORT || sp == CLAIMED_SERIAL_PORT));
 		printf("\n");
 	}

@ -333,7 +420,6 @@ bool OpenProxmark(void *port, bool wait_for_port, int timeout, bool flash_mode)
 		// start the USB communication thread
 		serial_port_name = portname;
 		conn.run = true;
-		conn.block_after_ACK = flash_mode;
 		pthread_create(&USB_communication_thread, NULL, &uart_communication, &conn);
 		return true;
 	}
@ -361,15 +447,6 @@ void CloseProxmark(void) {
 		uart_close(sp);
 	}

-#if defined(__linux__) && !defined(NO_UNLINK)
-	// Fix for linux, it seems that it is extremely slow to release the serial port file descriptor /dev/*
-	//
-	// This may be disabled at compile-time with -DNO_UNLINK (used for a JNI-based serial port on Android).
-	if (serial_port_name) {
-		unlink(serial_port_name);
-	}
-#endif
-
 	// Clean up our state
 	sp = NULL;
 	serial_port_name = NULL;
@ -397,30 +474,28 @@ bool WaitForResponseTimeoutW(uint32_t cmd, UsbCommand* response, size_t ms_timeo
 	printf("Waiting for %04x cmd\n", cmd);
 	#endif

+	uint64_t start_time = msclock();
+
 	if (response == NULL) {
 		response = &resp;
 	}

-	uint64_t start_time = msclock();
-
 	// Wait until the command is received
 	while (true) {
-		while(getCommand(response)) {
-			if (cmd == CMD_UNKNOWN || response->cmd == cmd) {
-				return true;
-			}
+		if (ms_timeout != -1 && msclock() > start_time + ms_timeout) {
+			break; // timeout
 		}
-
-		if (msclock() - start_time > ms_timeout) {
-			break;
-		}
-
 		if (msclock() - start_time > 2000 && show_warning) {
 			// 2 seconds elapsed (but this doesn't mean the timeout was exceeded)
 			PrintAndLog("Waiting for a response from the proxmark...");
 			PrintAndLog("You can cancel this operation by pressing the pm3 button");
 			show_warning = false;
 		}
+		if (getCommand(response, CMD_BUFFER_CHECK_TIME)) {
+			if (cmd == CMD_UNKNOWN || response->cmd == cmd) {
+				return true;
+			}
+		}
 	}
 	return false;
 }
--- a/client/comms.h
+++ b/client/comms.h
@ -9,31 +9,24 @@
 // Code for communicating with the proxmark3 hardware.
 //-----------------------------------------------------------------------------

-#ifndef COMMS_H_
-#define COMMS_H_
+#ifndef COMMS_H__
+#define COMMS_H__

+#include <stddef.h>
+#include <stdint.h>
 #include <stdbool.h>
-#include <pthread.h>
-
 #include "usb_cmd.h"
-#include "uart.h"

-#ifndef CMD_BUFFER_SIZE
-#define CMD_BUFFER_SIZE 50
-#endif
+extern void SetOffline(bool new_offline);
+extern bool IsOffline();
+extern bool OpenProxmark(void *port, bool wait_for_port, int timeout);
+extern void CloseProxmark(void);
+extern void SendCommand(UsbCommand *c);
+extern void clearCommandBuffer();
+extern bool WaitForResponseTimeoutW(uint32_t cmd, UsbCommand* response, size_t ms_timeout, bool show_warning);
+extern bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeout);
+extern bool WaitForResponse(uint32_t cmd, UsbCommand* response);
+extern bool GetFromBigBuf(uint8_t *dest, int bytes, int start_index, UsbCommand *response, size_t ms_timeout, bool show_warning);
+extern bool GetFromFpgaRAM(uint8_t *dest, int bytes);

-void SetOffline(bool new_offline);
-bool IsOffline();
-
-bool OpenProxmark(void *port, bool wait_for_port, int timeout, bool flash_mode);
-void CloseProxmark(void);
-
-void SendCommand(UsbCommand *c);
-
-void clearCommandBuffer();
-bool WaitForResponseTimeoutW(uint32_t cmd, UsbCommand* response, size_t ms_timeout, bool show_warning);
-bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeout);
-bool WaitForResponse(uint32_t cmd, UsbCommand* response);
-bool GetFromBigBuf(uint8_t *dest, int bytes, int start_index, UsbCommand *response, size_t ms_timeout, bool show_warning);
-
-#endif // COMMS_H_
+#endif // COMMS_H__
--- a/Show more
+++ b/Show more