ADD: "HF 14A READ", got ULTRALIGHT C / EV1 annotation

[proxmark3-svn] / armsrc / iclass.c
diff --git a/armsrc/iclass.c b/armsrc/iclass.c

index 9971b670c93778bb48086e4dfe6a386467e676b8..4d2f924c5f41e65e8e25f1971a41013e186e297e 100644 (file)
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@ -36,7 +36,7 @@
  //
  //-----------------------------------------------------------------------------
  
  //
  //-----------------------------------------------------------------------------
  
-#include "proxmark3.h"
+#include "../include/proxmark3.h"
  #include "apps.h"
  #include "util.h"
  #include "string.h"
  #include "apps.h"
  #include "util.h"
  #include "string.h"
@@ -45,22 +45,14 @@
  // Needed for CRC in emulation mode;
  // same construction as in ISO 14443;
  // different initial value (CRC_ICLASS)
  // Needed for CRC in emulation mode;
  // same construction as in ISO 14443;
  // different initial value (CRC_ICLASS)
-#include "iso14443crc.h"
-#include "iso15693tools.h"
+#include "../common/iso14443crc.h"
+#include "../common/iso15693tools.h"
+//#include "iso15693tools.h"
+#include "protocols.h"
+#include "optimized_cipher.h"
  
  static int timeout = 4096;
  
  
  static int timeout = 4096;
  
-// CARD TO READER
-// Sequence D: 11110000 modulation with subcarrier during first half
-// Sequence E: 00001111 modulation with subcarrier during second half
-// Sequence F: 00000000 no modulation with subcarrier
-// READER TO CARD
-// Sequence X: 00001100 drop after half a period
-// Sequence Y: 00000000 no drop
-// Sequence Z: 11000000 drop at start
-#define        SEC_X 0x0c
-#define        SEC_Y 0x00
-#define        SEC_Z 0xc0
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
  
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
  
@@ -82,14 +74,13 @@ static struct {
      int     nOutOfCnt;
      int     OutOfCnt;
      int     syncBit;
      int     nOutOfCnt;
      int     OutOfCnt;
      int     syncBit;
-    int     parityBits;
      int     samples;
      int     highCnt;
      int     swapper;
      int     counter;
      int     bitBuffer;
      int     dropPosition;
      int     samples;
      int     highCnt;
      int     swapper;
      int     counter;
      int     bitBuffer;
      int     dropPosition;
-    uint8_t   *output;
+    uint8_t *output;
  } Uart;
  
  static RAMFUNC int OutOfNDecoding(int bit)
  } Uart;
  
  static RAMFUNC int OutOfNDecoding(int bit)
@@ -148,11 +139,8 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                         if(Uart.byteCnt == 0) {
                                                 // Its not straightforward to show single EOFs
                                                 // So just leave it and do not return TRUE
                                         if(Uart.byteCnt == 0) {
                                                 // Its not straightforward to show single EOFs
                                                 // So just leave it and do not return TRUE
-                                               Uart.output[Uart.byteCnt] = 0xf0;
+                                               Uart.output[0] = 0xf0;
                                                 Uart.byteCnt++;
                                                 Uart.byteCnt++;
-
-                                               // Calculate the parity bit for the client...
-                                               Uart.parityBits = 1;
                                         }
                                         else {
                                                 return TRUE;
                                         }
                                         else {
                                                 return TRUE;
@@ -234,11 +222,6 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                                 if(Uart.bitCnt == 8) {
                                                         Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
                                                         Uart.byteCnt++;
                                                 if(Uart.bitCnt == 8) {
                                                         Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
                                                         Uart.byteCnt++;
-
-                                                       // Calculate the parity bit for the client...
-                                                       Uart.parityBits <<= 1;
-                                                       Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
-
                                                         Uart.bitCnt = 0;
                                                         Uart.shiftReg = 0;
                                                 }
                                                         Uart.bitCnt = 0;
                                                         Uart.shiftReg = 0;
                                                 }
@@ -257,11 +240,6 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                         Uart.dropPosition--;
                                         Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
                                         Uart.byteCnt++;
                                         Uart.dropPosition--;
                                         Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
                                         Uart.byteCnt++;
-
-                                       // Calculate the parity bit for the client...
-                                       Uart.parityBits <<= 1;
-                                       Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
-
                                         Uart.bitCnt = 0;
                                         Uart.shiftReg = 0;
                                         Uart.nOutOfCnt = 0;
                                         Uart.bitCnt = 0;
                                         Uart.shiftReg = 0;
                                         Uart.nOutOfCnt = 0;
@@ -322,7 +300,6 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                 Uart.state = STATE_START_OF_COMMUNICATION;
                                 Uart.bitCnt = 0;
                                 Uart.byteCnt = 0;
                                 Uart.state = STATE_START_OF_COMMUNICATION;
                                 Uart.bitCnt = 0;
                                 Uart.byteCnt = 0;
-                               Uart.parityBits = 0;
                                 Uart.nOutOfCnt = 0;
                                 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
                                 Uart.dropPosition = 0;
                                 Uart.nOutOfCnt = 0;
                                 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
                                 Uart.dropPosition = 0;
@@ -364,7 +341,6 @@ static struct {
      int     bitCount;
      int     posCount;
         int     syncBit;
      int     bitCount;
      int     posCount;
         int     syncBit;
-       int     parityBits;
      uint16_t    shiftReg;
         int     buffer;
         int     buffer2;
      uint16_t    shiftReg;
         int     buffer;
         int     buffer2;
@@ -431,7 +407,6 @@ static RAMFUNC int ManchesterDecoding(int v)
                         Demod.sub = SUB_FIRST_HALF;
                         Demod.bitCount = 0;
                         Demod.shiftReg = 0;
                         Demod.sub = SUB_FIRST_HALF;
                         Demod.bitCount = 0;
                         Demod.shiftReg = 0;
-                       Demod.parityBits = 0;
                         Demod.samples = 0;
                         if(Demod.posCount) {
                                 //if(trigger) LED_A_OFF();  // Not useful in this case...
                         Demod.samples = 0;
                         if(Demod.posCount) {
                                 //if(trigger) LED_A_OFF();  // Not useful in this case...
@@ -461,7 +436,6 @@ static RAMFUNC int ManchesterDecoding(int v)
         else {
                 modulation = bit & Demod.syncBit;
                 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
         else {
                 modulation = bit & Demod.syncBit;
                 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
-               //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
  
                 Demod.samples += 4;
  
  
                 Demod.samples += 4;
  
@@ -496,8 +470,6 @@ static RAMFUNC int ManchesterDecoding(int v)
                                 if(Demod.state == DEMOD_SOF_COMPLETE) {
                                         Demod.output[Demod.len] = 0x0f;
                                         Demod.len++;
                                 if(Demod.state == DEMOD_SOF_COMPLETE) {
                                         Demod.output[Demod.len] = 0x0f;
                                         Demod.len++;
-                                       Demod.parityBits <<= 1;
-                                       Demod.parityBits ^= OddByteParity[0x0f];
                                         Demod.state = DEMOD_UNSYNCD;
  //                                     error = 0x0f;
                                         return TRUE;
                                         Demod.state = DEMOD_UNSYNCD;
  //                                     error = 0x0f;
                                         return TRUE;
@@ -578,11 +550,9 @@ static RAMFUNC int ManchesterDecoding(int v)
                                         // Tag response does not need to be a complete byte!
                                         if(Demod.len > 0 || Demod.bitCount > 0) {
                                                 if(Demod.bitCount > 1) {  // was > 0, do not interpret last closing bit, is part of EOF
                                         // Tag response does not need to be a complete byte!
                                         if(Demod.len > 0 || Demod.bitCount > 0) {
                                                 if(Demod.bitCount > 1) {  // was > 0, do not interpret last closing bit, is part of EOF
-                                                       Demod.shiftReg >>= (9 - Demod.bitCount);
+                                                       Demod.shiftReg >>= (9 - Demod.bitCount);        // right align data
                                                         Demod.output[Demod.len] = Demod.shiftReg & 0xff;
                                                         Demod.len++;
                                                         Demod.output[Demod.len] = Demod.shiftReg & 0xff;
                                                         Demod.len++;
-                                                       // No parity bit, so just shift a 0
-                                                       Demod.parityBits <<= 1;
                                                 }
  
                                                 Demod.state = DEMOD_UNSYNCD;
                                                 }
  
                                                 Demod.state = DEMOD_UNSYNCD;
@@ -619,11 +589,6 @@ static RAMFUNC int ManchesterDecoding(int v)
                                 Demod.shiftReg >>= 1;
                                 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
                                 Demod.len++;
                                 Demod.shiftReg >>= 1;
                                 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
                                 Demod.len++;
-
-                               // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
-                               Demod.parityBits <<= 1;
-                               Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
-
                                 Demod.bitCount = 0;
                                 Demod.shiftReg = 0;
                         }
                                 Demod.bitCount = 0;
                                 Demod.shiftReg = 0;
                         }
@@ -668,12 +633,7 @@ static RAMFUNC int ManchesterDecoding(int v)
  //-----------------------------------------------------------------------------
  void RAMFUNC SnoopIClass(void)
  {
  //-----------------------------------------------------------------------------
  void RAMFUNC SnoopIClass(void)
  {
-// DEFINED ABOVE
-// #define RECV_CMD_OFFSET   3032
-// #define RECV_RES_OFFSET   3096
-// #define DMA_BUFFER_OFFSET 3160
-// #define DMA_BUFFER_SIZE   4096
-// #define TRACE_SIZE        3000
+
  
      // We won't start recording the frames that we acquire until we trigger;
      // a good trigger condition to get started is probably when we see a
  
      // We won't start recording the frames that we acquire until we trigger;
      // a good trigger condition to get started is probably when we see a
@@ -683,23 +643,24 @@ void RAMFUNC SnoopIClass(void)
      // The command (reader -> tag) that we're receiving.
         // The length of a received command will in most cases be no more than 18 bytes.
         // So 32 should be enough!
      // The command (reader -> tag) that we're receiving.
         // The length of a received command will in most cases be no more than 18 bytes.
         // So 32 should be enough!
-    uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
+       #define ICLASS_BUFFER_SIZE 32
+       uint8_t readerToTagCmd[ICLASS_BUFFER_SIZE];
      // The response (tag -> reader) that we're receiving.
      // The response (tag -> reader) that we're receiving.
-    uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
-
-    // As we receive stuff, we copy it from receivedCmd or receivedResponse
-    // into trace, along with its length and other annotations.
-    //uint8_t *trace = (uint8_t *)BigBuf;
-    
-    // reset traceLen to 0
-    iso14a_set_tracing(TRUE);
-    iso14a_clear_trace();
+       uint8_t tagToReaderResponse[ICLASS_BUFFER_SIZE];
+       
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ 
+       // free all BigBuf memory
+       BigBuf_free();
+    // The DMA buffer, used to stream samples from the FPGA
+    uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
+ 
+       set_tracing(TRUE);
+       clear_trace();
      iso14a_set_trigger(FALSE);
  
      iso14a_set_trigger(FALSE);
  
-    // The DMA buffer, used to stream samples from the FPGA
-    int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
      int lastRxCounter;
      int lastRxCounter;
-    int8_t *upTo;
+    uint8_t *upTo;
      int smpl;
      int maxBehindBy = 0;
  
      int smpl;
      int maxBehindBy = 0;
  
@@ -708,10 +669,8 @@ void RAMFUNC SnoopIClass(void)
      int samples = 0;
      rsamples = 0;
  
      int samples = 0;
      rsamples = 0;
  
-    memset(trace, 0x44, RECV_CMD_OFFSET);
-
      // Set up the demodulator for tag -> reader responses.
      // Set up the demodulator for tag -> reader responses.
-    Demod.output = receivedResponse;
+       Demod.output = tagToReaderResponse;
      Demod.len = 0;
      Demod.state = DEMOD_UNSYNCD;
  
      Demod.len = 0;
      Demod.state = DEMOD_UNSYNCD;
  
@@ -723,7 +682,7 @@ void RAMFUNC SnoopIClass(void)
  
      // And the reader -> tag commands
      memset(&Uart, 0, sizeof(Uart));
  
      // And the reader -> tag commands
      memset(&Uart, 0, sizeof(Uart));
-    Uart.output = receivedCmd;
+       Uart.output = readerToTagCmd;
      Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
      Uart.state = STATE_UNSYNCD;
  
      Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
      Uart.state = STATE_UNSYNCD;
  
@@ -733,6 +692,10 @@ void RAMFUNC SnoopIClass(void)
      FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
      SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
  
      FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
      SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
  
+       uint32_t time_0 = GetCountSspClk();
+       uint32_t time_start = 0;
+       uint32_t time_stop  = 0;
+
      int div = 0;
      //int div2 = 0;
      int decbyte = 0;
      int div = 0;
      //int div2 = 0;
      int decbyte = 0;
@@ -746,7 +709,7 @@ void RAMFUNC SnoopIClass(void)
                                  (DMA_BUFFER_SIZE-1);
          if(behindBy > maxBehindBy) {
              maxBehindBy = behindBy;
                                  (DMA_BUFFER_SIZE-1);
          if(behindBy > maxBehindBy) {
              maxBehindBy = behindBy;
-            if(behindBy > 400) {
+            if(behindBy > (9 * DMA_BUFFER_SIZE / 10)) {
                  Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
                  goto done;
              }
                  Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
                  goto done;
              }
@@ -766,20 +729,13 @@ void RAMFUNC SnoopIClass(void)
  
          //samples += 4;
         samples += 1;
  
          //samples += 4;
         samples += 1;
-       //div2++;       
  
  
-       //if(div2 > 3) {
-               //div2 = 0;
-       //decbyte ^= ((smpl & 0x01) << (3 - div));
-       //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already...
-       //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better...
         if(smpl & 0xF) {
                 decbyte ^= (1 << (3 - div));
         }
         if(smpl & 0xF) {
                 decbyte ^= (1 << (3 - div));
         }
-       //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div));
         
         // FOR READER SIDE COMMUMICATION...
         
         // FOR READER SIDE COMMUMICATION...
-       //decbyte ^=  ((smpl & 0x10) << (3 - div));
+
         decbyter <<= 2;
         decbyter ^= (smpl & 0x30);
  
         decbyter <<= 2;
         decbyter ^= (smpl & 0x30);
  
@@ -789,28 +745,27 @@ void RAMFUNC SnoopIClass(void)
                 smpl = decbyter;        
                 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
                     rsamples = samples - Uart.samples;
                 smpl = decbyter;        
                 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
                     rsamples = samples - Uart.samples;
+                       time_stop = (GetCountSspClk()-time_0) << 4;
                     LED_C_ON();
                     LED_C_ON();
-                   //if(triggered) {
-                       trace[traceLen++] = ((rsamples >>  0) & 0xff);
-                       trace[traceLen++] = ((rsamples >>  8) & 0xff);
-                       trace[traceLen++] = ((rsamples >> 16) & 0xff);
-                       trace[traceLen++] = ((rsamples >> 24) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >>  0) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >>  8) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
-                       trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
-                       trace[traceLen++] = Uart.byteCnt;
-                       memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
-                       traceLen += Uart.byteCnt;
-                       if(traceLen > TRACE_SIZE) break;
-                   //}
-                   /* And ready to receive another command. */
+
+                       //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
+                       //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
+                       if(tracing)     {
+                               uint8_t parity[MAX_PARITY_SIZE];
+                               GetParity(Uart.output, Uart.byteCnt, parity);
+                               LogTrace(Uart.output,Uart.byteCnt, time_start, time_stop, parity, TRUE);
+                       }
+
+
+                       /* And ready to receive another command. */
                     Uart.state = STATE_UNSYNCD;
                     /* And also reset the demod code, which might have been */
                     /* false-triggered by the commands from the reader. */
                     Demod.state = DEMOD_UNSYNCD;
                     LED_B_OFF();
                     Uart.byteCnt = 0;
                     Uart.state = STATE_UNSYNCD;
                     /* And also reset the demod code, which might have been */
                     /* false-triggered by the commands from the reader. */
                     Demod.state = DEMOD_UNSYNCD;
                     LED_B_OFF();
                     Uart.byteCnt = 0;
+               }else{
+                       time_start = (GetCountSspClk()-time_0) << 4;
                 }
                 decbyter = 0;
         }
                 }
                 decbyter = 0;
         }
@@ -818,31 +773,24 @@ void RAMFUNC SnoopIClass(void)
         if(div > 3) {
                 smpl = decbyte;
                 if(ManchesterDecoding(smpl & 0x0F)) {
         if(div > 3) {
                 smpl = decbyte;
                 if(ManchesterDecoding(smpl & 0x0F)) {
+                       time_stop = (GetCountSspClk()-time_0) << 4;
+
                     rsamples = samples - Demod.samples;
                     LED_B_ON();
  
                     rsamples = samples - Demod.samples;
                     LED_B_ON();
  
-                   // timestamp, as a count of samples
-                   trace[traceLen++] = ((rsamples >>  0) & 0xff);
-                   trace[traceLen++] = ((rsamples >>  8) & 0xff);
-                   trace[traceLen++] = ((rsamples >> 16) & 0xff);
-                   trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
-                   trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
-                   // length
-                   trace[traceLen++] = Demod.len;
-                   memcpy(trace+traceLen, receivedResponse, Demod.len);
-                   traceLen += Demod.len;
-                   if(traceLen > TRACE_SIZE) break;
-
-                   //triggered = TRUE;
+                       if(tracing)     {
+                               uint8_t parity[MAX_PARITY_SIZE];
+                               GetParity(Demod.output, Demod.len, parity);
+                               LogTrace(Demod.output, Demod.len, time_start, time_stop, parity, FALSE);
+                       }
  
                     // And ready to receive another response.
                     memset(&Demod, 0, sizeof(Demod));
  
                     // And ready to receive another response.
                     memset(&Demod, 0, sizeof(Demod));
-                   Demod.output = receivedResponse;
+                       Demod.output = tagToReaderResponse;
                     Demod.state = DEMOD_UNSYNCD;
                     LED_C_OFF();
                     Demod.state = DEMOD_UNSYNCD;
                     LED_C_OFF();
+               }else{
+                       time_start = (GetCountSspClk()-time_0) << 4;
                 }
                 
                 div = 0;
                 }
                 
                 div = 0;
@@ -859,12 +807,12 @@ void RAMFUNC SnoopIClass(void)
      DbpString("COMMAND FINISHED");
  
      Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
      DbpString("COMMAND FINISHED");
  
      Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
-    Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
+       Dbprintf("%x %x %x", Uart.byteCntMax, BigBuf_get_traceLen(), (int)Uart.output[0]);
  
  done:
      AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
      Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
  
  done:
      AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
      Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
-    Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
+       Dbprintf("%x %x %x", Uart.byteCntMax, BigBuf_get_traceLen(), (int)Uart.output[0]);
      LED_A_OFF();
      LED_B_OFF();
      LED_C_OFF();
      LED_A_OFF();
      LED_B_OFF();
      LED_C_OFF();
@@ -906,10 +854,7 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
          }
          if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
              uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
          }
          if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
              uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
-                               *len = Uart.byteCnt;
-                               return TRUE;
-                       }*/
+
                         if(OutOfNDecoding(b & 0x0f)) {
                                 *len = Uart.byteCnt;
                                 return TRUE;
                         if(OutOfNDecoding(b & 0x0f)) {
                                 *len = Uart.byteCnt;
                                 return TRUE;
@@ -918,53 +863,93 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
      }
  }
  
      }
  }
  
+static uint8_t encode4Bits(const uint8_t b)
+{
+       uint8_t c = b & 0xF;
+       // OTA, the least significant bits first
+       //         The columns are
+       //               1 - Bit value to send
+       //               2 - Reversed (big-endian)
+       //               3 - Encoded
+       //               4 - Hex values
+
+       switch(c){
+       //                          1       2         3         4
+         case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55
+         case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95
+         case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65
+         case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5
+         case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59
+         case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99
+         case 9:  return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69
+         case 8:  return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9
+         case 7:  return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56
+         case 6:  return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96
+         case 5:  return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66
+         case 4:  return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6
+         case 3:  return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a
+         case 2:  return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a
+         case 1:  return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a
+         default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa
+
+       }
+}
  
  //-----------------------------------------------------------------------------
  // Prepare tag messages
  //-----------------------------------------------------------------------------
  static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
  {
  
  //-----------------------------------------------------------------------------
  // Prepare tag messages
  //-----------------------------------------------------------------------------
  static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
  {
+
+       /*
+        * SOF comprises 3 parts;
+        * * An unmodulated time of 56.64 us
+        * * 24 pulses of 423.75 KHz (fc/32)
+        * * A logic 1, which starts with an unmodulated time of 18.88us
+        *   followed by 8 pulses of 423.75kHz (fc/32)
+        *
+        *
+        * EOF comprises 3 parts:
+        * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated
+        *   time of 18.88us.
+        * - 24 pulses of fc/32
+        * - An unmodulated time of 56.64 us
+        *
+        *
+        * A logic 0 starts with 8 pulses of fc/32
+        * followed by an unmodulated time of 256/fc (~18,88us).
+        *
+        * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by
+        * 8 pulses of fc/32 (also 18.88us)
+        *
+        * The mode FPGA_HF_SIMULATOR_MODULATE_424K_8BIT which we use to simulate tag,
+        * works like this.
+        * - A 1-bit input to the FPGA becomes 8 pulses on 423.5kHz (fc/32) (18.88us).
+        * - A 0-bit inptu to the FPGA becomes an unmodulated time of 18.88us
+        *
+        * In this mode the SOF can be written as 00011101 = 0x1D
+        * The EOF can be written as 10111000 = 0xb8
+        * A logic 1 is 01
+        * A logic 0 is 10
+        *
+        * */
+
         int i;
  
         ToSendReset();
  
         // Send SOF
         int i;
  
         ToSendReset();
  
         // Send SOF
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0xff;
+       ToSend[++ToSendMax] = 0x1D;
  
         for(i = 0; i < len; i++) {
  
         for(i = 0; i < len; i++) {
-               int j;
                 uint8_t b = cmd[i];
                 uint8_t b = cmd[i];
-
-               // Data bits
-               for(j = 0; j < 8; j++) {
-                       if(b & 1) {
-                               ToSend[++ToSendMax] = 0x00;
-                               ToSend[++ToSendMax] = 0xff;
-                       } else {
-                               ToSend[++ToSendMax] = 0xff;
-                               ToSend[++ToSendMax] = 0x00;
+               ToSend[++ToSendMax] = encode4Bits(b & 0xF); //Least significant half
+               ToSend[++ToSendMax] = encode4Bits((b >>4) & 0xF);//Most significant half
                         }
                         }
-                       b >>= 1;
-               }
-       }
  
         // Send EOF
  
         // Send EOF
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0x00;
-
+       ToSend[++ToSendMax] = 0xB8;
+       //lastProxToAirDuration  = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
         // Convert from last byte pos to length
         ToSendMax++;
  }
         // Convert from last byte pos to length
         ToSendMax++;
  }
@@ -972,55 +957,142 @@ static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
  // Only SOF 
  static void CodeIClassTagSOF()
  {
  // Only SOF 
  static void CodeIClassTagSOF()
  {
-       ToSendReset();
+       //So far a dummy implementation, not used
+       //int lastProxToAirDuration =0;
  
  
+       ToSendReset();
         // Send SOF
         // Send SOF
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0xff;
-       ToSend[++ToSendMax] = 0x00;
-       ToSend[++ToSendMax] = 0xff;
-       
+       ToSend[++ToSendMax] = 0x1D;
+//     lastProxToAirDuration  = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
+
         // Convert from last byte pos to length
         ToSendMax++;
  }
         // Convert from last byte pos to length
         ToSendMax++;
  }
-
-//-----------------------------------------------------------------------------
-// Simulate iClass Card
-// Only CSN (Card Serial Number)
-// 
-//-----------------------------------------------------------------------------
-void SimulateIClass(uint8_t arg0, uint8_t *datain)
+#define MODE_SIM_CSN        0
+#define MODE_EXIT_AFTER_MAC 1
+#define MODE_FULLSIM        2
+
+int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf);
+/**
+ * @brief SimulateIClass simulates an iClass card.
+ * @param arg0 type of simulation
+ *                     - 0 uses the first 8 bytes in usb data as CSN
+ *                     - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
+ *                     in the usb data. This mode collects MAC from the reader, in order to do an offline
+ *                     attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
+ *                     - Other : Uses the default CSN (031fec8af7ff12e0)
+ * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
+ * @param arg2
+ * @param datain
+ */
+void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
  {
  {
-       uint8_t simType = arg0;
+       uint32_t simType = arg0;
+       uint32_t numberOfCSNS = arg1;
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
  
  
-  // Enable and clear the trace
-       tracing = TRUE;
-       traceLen = 0;
-  memset(trace, 0x44, TRACE_SIZE);
-
-       // CSN followed by two CRC bytes
-       uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t response3[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
-
-       // e-Purse
-       uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       // Enable and clear the trace
+       set_tracing(TRUE);
+       clear_trace();
+       //Use the emulator memory for SIM
+       uint8_t *emulator = BigBuf_get_EM_addr();
  
         if(simType == 0) {
                 // Use the CSN from commandline
  
         if(simType == 0) {
                 // Use the CSN from commandline
-               memcpy(response3, datain, 8);
+               memcpy(emulator, datain, 8);
+               doIClassSimulation(MODE_SIM_CSN,NULL);
+       }else if(simType == 1)
+       {
+               //Default CSN
+               uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
+               // Use the CSN from commandline
+               memcpy(emulator, csn_crc, 8);
+               doIClassSimulation(MODE_SIM_CSN,NULL);
         }
         }
+       else if(simType == 2)
+       {
+
+               uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
+               Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
+               // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
+               // in order to collect MAC's from the reader. This can later be used in an offlne-attack
+               // in order to obtain the keys, as in the "dismantling iclass"-paper.
+               int i = 0;
+               for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
+               {
+                       // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
+
+                       memcpy(emulator, datain+(i*8), 8);
+                       if(doIClassSimulation(MODE_EXIT_AFTER_MAC,mac_responses+i*8))
+                       {
+                               cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
+                               return; // Button pressed
+                       }
+               }
+               cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
+
+       }else if(simType == 3){
+               //This is 'full sim' mode, where we use the emulator storage for data.
+               doIClassSimulation(MODE_FULLSIM, NULL);
+       }
+       else{
+               // We may want a mode here where we hardcode the csns to use (from proxclone).
+               // That will speed things up a little, but not required just yet.
+               Dbprintf("The mode is not implemented, reserved for future use");
+       }
+       Dbprintf("Done...");
+
+}
+void AppendCrc(uint8_t* data, int len)
+{
+       ComputeCrc14443(CRC_ICLASS,data,len,data+len,data+len+1);
+}
+
+/**
+ * @brief Does the actual simulation
+ * @param csn - csn to use
+ * @param breakAfterMacReceived if true, returns after reader MAC has been received.
+ */
+int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf)
+{
+       // free eventually allocated BigBuf memory
+       BigBuf_free_keep_EM();
+
+       State cipher_state;
+//     State cipher_state_reserve;
+       uint8_t *csn = BigBuf_get_EM_addr();
+       uint8_t *emulator = csn;
+       uint8_t sof_data[] = { 0x0F} ;
+       // CSN followed by two CRC bytes
+       uint8_t anticoll_data[10] = { 0 };
+       uint8_t csn_data[10] = { 0 };
+       memcpy(csn_data,csn,sizeof(csn_data));
+       Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
  
         // Construct anticollision-CSN
  
         // Construct anticollision-CSN
-       rotateCSN(response3,response2);
+       rotateCSN(csn_data,anticoll_data);
  
         // Compute CRC on both CSNs
  
         // Compute CRC on both CSNs
-       ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
-       ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
+       ComputeCrc14443(CRC_ICLASS, anticoll_data, 8, &anticoll_data[8], &anticoll_data[9]);
+       ComputeCrc14443(CRC_ICLASS, csn_data, 8, &csn_data[8], &csn_data[9]);
  
  
+       uint8_t diversified_key[8] = { 0 };
+       // e-Purse
+       uint8_t card_challenge_data[8] = { 0x00 };
+       if(simulationMode == MODE_FULLSIM)
+       {
+               //The diversified key should be stored on block 3
+               //Get the diversified key from emulator memory
+               memcpy(diversified_key, emulator+(8*3),8);
+
+               //Card challenge, a.k.a e-purse is on block 2
+               memcpy(card_challenge_data,emulator + (8 * 2) , 8);
+               //Precalculate the cipher state, feeding it the CC
+               cipher_state = opt_doTagMAC_1(card_challenge_data,diversified_key);
+
+       }
+
+       int exitLoop = 0;
         // Reader 0a
         // Tag    0f
         // Reader 0c
         // Reader 0a
         // Tag    0f
         // Reader 0c
@@ -1028,34 +1100,33 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
         // Reader 81 anticoll. CSN
         // Tag    CSN
  
         // Reader 81 anticoll. CSN
         // Tag    CSN
  
-       uint8_t *resp;
-       int respLen;
-       uint8_t* respdata = NULL;
-       int respsize = 0;
-       uint8_t sof = 0x0f;
+       uint8_t *modulated_response;
+       int modulated_response_size = 0;
+       uint8_t* trace_data = NULL;
+       int trace_data_size = 0;
+
  
  
-       // Respond SOF -- takes 8 bytes
-       uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
-       int resp1Len;
+       // Respond SOF -- takes 1 bytes
+       uint8_t *resp_sof = BigBuf_malloc(2);
+       int resp_sof_Len;
  
         // Anticollision CSN (rotated CSN)
  
         // Anticollision CSN (rotated CSN)
-       // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
-       uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
-       int resp2Len;
+       // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+       uint8_t *resp_anticoll = BigBuf_malloc(28);
+       int resp_anticoll_len;
  
         // CSN
  
         // CSN
-       // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
-       uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
-       int resp3Len;
+       // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+       uint8_t *resp_csn = BigBuf_malloc(30);
+       int resp_csn_len;
  
         // e-Purse
  
         // e-Purse
-       // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
-       uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
-       int resp4Len;
+       // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
+       uint8_t *resp_cc = BigBuf_malloc(20);
+       int resp_cc_len;
  
  
-       // + 1720..
-  uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
-       memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+       memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
         int len;
  
         // Prepare card messages
         int len;
  
         // Prepare card messages
@@ -1063,88 +1134,167 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
  
         // First card answer: SOF
         CodeIClassTagSOF();
  
         // First card answer: SOF
         CodeIClassTagSOF();
-       memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
+       memcpy(resp_sof, ToSend, ToSendMax); resp_sof_Len = ToSendMax;
  
         // Anticollision CSN
  
         // Anticollision CSN
-       CodeIClassTagAnswer(response2, sizeof(response2));
-       memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
+       CodeIClassTagAnswer(anticoll_data, sizeof(anticoll_data));
+       memcpy(resp_anticoll, ToSend, ToSendMax); resp_anticoll_len = ToSendMax;
  
         // CSN
  
         // CSN
-       CodeIClassTagAnswer(response3, sizeof(response3));
-       memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
+       CodeIClassTagAnswer(csn_data, sizeof(csn_data));
+       memcpy(resp_csn, ToSend, ToSendMax); resp_csn_len = ToSendMax;
  
         // e-Purse
  
         // e-Purse
-       CodeIClassTagAnswer(response4, sizeof(response4));
-       memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
+       CodeIClassTagAnswer(card_challenge_data, sizeof(card_challenge_data));
+       memcpy(resp_cc, ToSend, ToSendMax); resp_cc_len = ToSendMax;
  
  
+       //This is used for responding to READ-block commands or other data which is dynamically generated
+       //First the 'trace'-data, not encoded for FPGA
+       uint8_t *data_generic_trace = BigBuf_malloc(8 + 2);//8 bytes data + 2byte CRC is max tag answer
+       //Then storage for the modulated data
+       //Each bit is doubled when modulated for FPGA, and we also have SOF and EOF (2 bytes)
+       uint8_t *data_response = BigBuf_malloc( (8+2) * 2 + 2);
+
+       // Start from off (no field generated)
+       //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       //SpinDelay(200);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+       SpinDelay(100);
+       StartCountSspClk();
         // We need to listen to the high-frequency, peak-detected path.
         SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
         FpgaSetupSsc();
  
         // To control where we are in the protocol
         int cmdsRecvd = 0;
         // We need to listen to the high-frequency, peak-detected path.
         SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
         FpgaSetupSsc();
  
         // To control where we are in the protocol
         int cmdsRecvd = 0;
+       uint32_t time_0 = GetCountSspClk();
+       uint32_t t2r_time =0;
+       uint32_t r2t_time =0;
  
         LED_A_ON();
  
         LED_A_ON();
-       for(;;) {
+       bool buttonPressed = false;
+       uint8_t response_delay = 1;
+       while(!exitLoop) {
+               response_delay = 1;
                 LED_B_OFF();
                 LED_B_OFF();
+               //Signal tracer
+               // Can be used to get a trigger for an oscilloscope..
+               LED_C_OFF();
+
                 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
                 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
-                       DbpString("button press");
+                       buttonPressed = true;
                         break;
                 }
                         break;
                 }
+               r2t_time = GetCountSspClk();
+               //Signal tracer
+               LED_C_ON();
  
                 // Okay, look at the command now.
  
                 // Okay, look at the command now.
-               if(receivedCmd[0] == 0x0a) {
+               if(receivedCmd[0] == ICLASS_CMD_ACTALL ) {
                         // Reader in anticollission phase
                         // Reader in anticollission phase
-                       resp = resp1; respLen = resp1Len; //order = 1;
-                       respdata = &sof;
-                       respsize = sizeof(sof);
-                       //resp = resp2; respLen = resp2Len; order = 2;
-                       //DbpString("Hello request from reader:");
-               } else if(receivedCmd[0] == 0x0c) {
+                       modulated_response = resp_sof; modulated_response_size = resp_sof_Len; //order = 1;
+                       trace_data = sof_data;
+                       trace_data_size = sizeof(sof_data);
+               } else if(receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) {
                         // Reader asks for anticollission CSN
                         // Reader asks for anticollission CSN
-                       resp = resp2; respLen = resp2Len; //order = 2;
-                       respdata = response2;
-                       respsize = sizeof(response2);
+                       modulated_response = resp_anticoll; modulated_response_size = resp_anticoll_len; //order = 2;
+                       trace_data = anticoll_data;
+                       trace_data_size = sizeof(anticoll_data);
                         //DbpString("Reader requests anticollission CSN:");
                         //DbpString("Reader requests anticollission CSN:");
-               } else if(receivedCmd[0] == 0x81) {
+               } else if(receivedCmd[0] == ICLASS_CMD_SELECT) {
                         // Reader selects anticollission CSN.
                         // Tag sends the corresponding real CSN
                         // Reader selects anticollission CSN.
                         // Tag sends the corresponding real CSN
-                       resp = resp3; respLen = resp3Len; //order = 3;
-                       respdata = response3;
-                       respsize = sizeof(response3);
+                       modulated_response = resp_csn; modulated_response_size = resp_csn_len; //order = 3;
+                       trace_data = csn_data;
+                       trace_data_size = sizeof(csn_data);
                         //DbpString("Reader selects anticollission CSN:");
                         //DbpString("Reader selects anticollission CSN:");
-               } else if(receivedCmd[0] == 0x88) {
+               } else if(receivedCmd[0] == ICLASS_CMD_READCHECK_KD) {
                         // Read e-purse (88 02)
                         // Read e-purse (88 02)
-                       resp = resp4; respLen = resp4Len; //order = 4;
-                       respdata = response4;
-                       respsize = sizeof(response4);
+                       modulated_response = resp_cc; modulated_response_size = resp_cc_len; //order = 4;
+                       trace_data = card_challenge_data;
+                       trace_data_size = sizeof(card_challenge_data);
                         LED_B_ON();
                         LED_B_ON();
-               } else if(receivedCmd[0] == 0x05) {
+               } else if(receivedCmd[0] == ICLASS_CMD_CHECK) {
                         // Reader random and reader MAC!!!
                         // Reader random and reader MAC!!!
-                       // Lets store this ;-)
-/*
-                       Dbprintf("                CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
-                       response3[0], response3[1], response3[2],
-                       response3[3], response3[4], response3[5],
-                       response3[6], response3[7]);
-*/                     
-                       Dbprintf("READER AUTH (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",
-                       len,
-                       receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
-                       receivedCmd[6], receivedCmd[7], receivedCmd[8]);
+                       if(simulationMode == MODE_FULLSIM)
+                       {
+                               //NR, from reader, is in receivedCmd +1
+                               opt_doTagMAC_2(cipher_state,receivedCmd+1,data_generic_trace,diversified_key);
+
+                               trace_data = data_generic_trace;
+                               trace_data_size = 4;
+                               CodeIClassTagAnswer(trace_data , trace_data_size);
+                               memcpy(data_response, ToSend, ToSendMax);
+                               modulated_response = data_response;
+                               modulated_response_size = ToSendMax;
+                               response_delay = 0;//We need to hurry here...
+                               //exitLoop = true;
+                       }else
+                       {       //Not fullsim, we don't respond
+            // We do not know what to answer, so lets keep quiet
+                               modulated_response = resp_sof; modulated_response_size = 0;
+                       trace_data = NULL;
+                       trace_data_size = 0;
+                               if (simulationMode == MODE_EXIT_AFTER_MAC){
+                               // dbprintf:ing ...
+                               Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
+                                                  ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
+                               Dbprintf("RDR:  (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
+                                               receivedCmd[0], receivedCmd[1], receivedCmd[2],
+                                               receivedCmd[3], receivedCmd[4], receivedCmd[5],
+                                               receivedCmd[6], receivedCmd[7], receivedCmd[8]);
+                               if (reader_mac_buf != NULL)
+                               {
+                                       memcpy(reader_mac_buf,receivedCmd+1,8);
+                               }
+                               exitLoop = true;
+                       }
+                       }
  
  
-                       // Do not respond
-                       // We do not know what to answer, so lets keep quit
-                       resp = resp1; respLen = 0; //order = 5;
-                       respdata = NULL;
-                       respsize = 0;
-               } else if(receivedCmd[0] == 0x00 && len == 1) {
+               } else if(receivedCmd[0] == ICLASS_CMD_HALT && len == 1) {
                         // Reader ends the session
                         // Reader ends the session
-                       resp = resp1; respLen = 0; //order = 0;
-                       respdata = NULL;
-                       respsize = 0;
-               } else {
+                       modulated_response = resp_sof; modulated_response_size = 0; //order = 0;
+                       trace_data = NULL;
+                       trace_data_size = 0;
+               } else if(simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
+                       //Read block
+                       uint16_t blk = receivedCmd[1];
+                       //Take the data...
+                       memcpy(data_generic_trace, emulator+(blk << 3),8);
+                       //Add crc
+                       AppendCrc(data_generic_trace, 8);
+                       trace_data = data_generic_trace;
+                       trace_data_size = 10;
+                       CodeIClassTagAnswer(trace_data , trace_data_size);
+                       memcpy(data_response, ToSend, ToSendMax);
+                       modulated_response = data_response;
+                       modulated_response_size = ToSendMax;
+               }else if(receivedCmd[0] == ICLASS_CMD_UPDATE && simulationMode == MODE_FULLSIM)
+               {//Probably the reader wants to update the nonce. Let's just ignore that for now.
+                       // OBS! If this is implemented, don't forget to regenerate the cipher_state
+                       //We're expected to respond with the data+crc, exactly what's already in the receivedcmd
+                       //receivedcmd is now UPDATE 1b | ADDRESS 1b| DATA 8b| Signature 4b or CRC 2b|
+
+                       //Take the data...
+                       memcpy(data_generic_trace, receivedCmd+2,8);
+                       //Add crc
+                       AppendCrc(data_generic_trace, 8);
+                       trace_data = data_generic_trace;
+                       trace_data_size = 10;
+                       CodeIClassTagAnswer(trace_data , trace_data_size);
+                       memcpy(data_response, ToSend, ToSendMax);
+                       modulated_response = data_response;
+                       modulated_response_size = ToSendMax;
+               }
+               else if(receivedCmd[0] == ICLASS_CMD_PAGESEL)
+               {//Pagesel
+                       //Pagesel enables to select a page in the selected chip memory and return its configuration block
+                       //Chips with a single page will not answer to this command
+                       // It appears we're fine ignoring this.
+                       //Otherwise, we should answer 8bytes (block) + 2bytes CRC
+               }
+               else {
+                       //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
                         // Never seen this command before
                         Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
                         len,
                         // Never seen this command before
                         Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
                         len,
@@ -1152,79 +1302,88 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
                         receivedCmd[3], receivedCmd[4], receivedCmd[5],
                         receivedCmd[6], receivedCmd[7], receivedCmd[8]);
                         // Do not respond
                         receivedCmd[3], receivedCmd[4], receivedCmd[5],
                         receivedCmd[6], receivedCmd[7], receivedCmd[8]);
                         // Do not respond
-                       resp = resp1; respLen = 0; //order = 0;
-                       respdata = NULL;
-                       respsize = 0;
+                       modulated_response = resp_sof; modulated_response_size = 0; //order = 0;
+                       trace_data = NULL;
+                       trace_data_size = 0;
                 }
  
                 }
  
-               if(cmdsRecvd > 999) {
-                       DbpString("1000 commands later...");
-                       break;
+               if(cmdsRecvd >  100) {
+                       //DbpString("100 commands later...");
+                       //break;
                 }
                 else {
                         cmdsRecvd++;
                 }
                 }
                 else {
                         cmdsRecvd++;
                 }
-
-               if(respLen > 0) {
-                       SendIClassAnswer(resp, respLen, 21);
+               /**
+               A legit tag has about 380us delay between reader EOT and tag SOF.
+               **/
+               if(modulated_response_size > 0) {
+                       SendIClassAnswer(modulated_response, modulated_response_size, response_delay);
+                       t2r_time = GetCountSspClk();
                 }
                 }
-               
+
                 if (tracing) {
                 if (tracing) {
-                       LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE);
-                       if (respdata != NULL) {
-                               LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
+                       uint8_t parity[MAX_PARITY_SIZE];
+                       GetParity(receivedCmd, len, parity);
+                       LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE);
+
+                       if (trace_data != NULL) {
+                               GetParity(trace_data, trace_data_size, parity);
+                               LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
                         }
                         }
-                       if(traceLen > TRACE_SIZE) {
+                       if(!tracing) {
                                 DbpString("Trace full");
                                 DbpString("Trace full");
-                               break;
+                               //break;
                         }
                         }
-               }
  
  
-               memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+               }
+               memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
         }
  
         }
  
-       Dbprintf("%x", cmdsRecvd);
+       //Dbprintf("%x", cmdsRecvd);
         LED_A_OFF();
         LED_B_OFF();
         LED_A_OFF();
         LED_B_OFF();
+       LED_C_OFF();
+
+       if(buttonPressed)
+       {
+               DbpString("Button pressed");
+       }
+       return buttonPressed;
  }
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
  {
  }
  
  static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
  {
-       int i = 0, u = 0, d = 0;
+       int i = 0, d=0;//, u = 0, d = 0;
         uint8_t b = 0;
         uint8_t b = 0;
-       // return 0;
-       // Modulate Manchester
-       // FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD424);
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
+
+       //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K_8BIT);
+
         AT91C_BASE_SSC->SSC_THR = 0x00;
         FpgaSetupSsc();
         AT91C_BASE_SSC->SSC_THR = 0x00;
         FpgaSetupSsc();
-       
-       // send cycle
-       for(;;) {
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       (void)b;
+       while(!BUTTON_PRESS()) {
+               if((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
+                       b = AT91C_BASE_SSC->SSC_RHR; (void) b;
                 }
                 }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
+                       b = 0x00;
                         if(d < delay) {
                         if(d < delay) {
-                               b = 0x00;
                                 d++;
                         }
                                 d++;
                         }
-                       else if(i >= respLen) {
-                               b = 0x00;
-                               u++;
-                       } else {
-                               b = resp[i];
-                               u++;
-                               if(u > 1) { i++; u = 0; }
+                       else {
+                               if( i < respLen){
+                                       b = resp[i];
+                                       //Hack
+                                       //b = 0xAC;
+                               }
+                               i++;
                         }
                         AT91C_BASE_SSC->SSC_THR = b;
                         }
                         AT91C_BASE_SSC->SSC_THR = b;
-
-                       if(u > 4) break;
-               }
-               if(BUTTON_PRESS()) {
-                       break;
                 }
                 }
+
+//             if (i > respLen +4) break;
+               if (i > respLen +1) break;
         }
  
         return 0;
         }
  
         return 0;
@@ -1238,15 +1397,14 @@ static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
  static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
  {
    int c;
  static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
  {
    int c;
-
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
    AT91C_BASE_SSC->SSC_THR = 0x00;
    FpgaSetupSsc();
  
     if (wait)
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
    AT91C_BASE_SSC->SSC_THR = 0x00;
    FpgaSetupSsc();
  
     if (wait)
-    if(*wait < 10)
-      *wait = 10;
-
+   {
+     if(*wait < 10) *wait = 10;
+     
    for(c = 0; c < *wait;) {
      if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
        AT91C_BASE_SSC->SSC_THR = 0x00;          // For exact timing!
    for(c = 0; c < *wait;) {
      if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
        AT91C_BASE_SSC->SSC_THR = 0x00;          // For exact timing!
@@ -1259,6 +1417,9 @@ static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int
      WDT_HIT();
    }
  
      WDT_HIT();
    }
  
+   }
+
+
    uint8_t sendbyte;
    bool firstpart = TRUE;
    c = 0;
    uint8_t sendbyte;
    bool firstpart = TRUE;
    c = 0;
@@ -1314,12 +1475,12 @@ void CodeIClassCommand(const uint8_t * cmd, int len)
      b = cmd[i];
      for(j = 0; j < 4; j++) {
        for(k = 0; k < 4; k++) {
      b = cmd[i];
      for(j = 0; j < 4; j++) {
        for(k = 0; k < 4; k++) {
-       if(k == (b & 3)) {
-           ToSend[++ToSendMax] = 0x0f;
-       }
-       else {
-           ToSend[++ToSendMax] = 0x00;
-       }
+                       if(k == (b & 3)) {
+                               ToSend[++ToSendMax] = 0x0f;
+                       }
+                       else {
+                               ToSend[++ToSendMax] = 0x00;
+                       }
        }
        b >>= 2;
      }
        }
        b >>= 2;
      }
@@ -1339,10 +1500,8 @@ void ReaderTransmitIClass(uint8_t* frame, int len)
  {
    int wait = 0;
    int samples = 0;
  {
    int wait = 0;
    int samples = 0;
-  int par = 0;
  
    // This is tied to other size changes
  
    // This is tied to other size changes
-  //   uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
    CodeIClassCommand(frame,len);
  
    // Select the card
    CodeIClassCommand(frame,len);
  
    // Select the card
@@ -1351,7 +1510,11 @@ void ReaderTransmitIClass(uint8_t* frame, int len)
         LED_A_ON();
  
    // Store reader command in buffer
         LED_A_ON();
  
    // Store reader command in buffer
-  if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
+       if (tracing) {
+               uint8_t par[MAX_PARITY_SIZE];
+               GetParity(frame, len, par);
+               LogTrace(frame, len, rsamples, rsamples, par, TRUE);
+       }
  }
  
  //-----------------------------------------------------------------------------
  }
  
  //-----------------------------------------------------------------------------
@@ -1382,7 +1545,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples,
         for(;;) {
                 WDT_HIT();
  
         for(;;) {
                 WDT_HIT();
  
-               if(BUTTON_PRESS()) return FALSE;
+           if(BUTTON_PRESS()) return FALSE;
  
                 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                         AT91C_BASE_SSC->SSC_THR = 0x00;  // To make use of exact timing of next command from reader!!
  
                 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                         AT91C_BASE_SSC->SSC_THR = 0x00;  // To make use of exact timing of next command from reader!!
@@ -1393,10 +1556,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples,
                         b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                         skip = !skip;
                         if(skip) continue;
                         b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                         skip = !skip;
                         if(skip) continue;
-                       /*if(ManchesterDecoding((b>>4) & 0xf)) {
-                               *samples = ((c - 1) << 3) + 4;
-                               return TRUE;
-                       }*/
+               
                         if(ManchesterDecoding(b & 0x0f)) {
                                 *samples = c << 3;
                                 return  TRUE;
                         if(ManchesterDecoding(b & 0x0f)) {
                                 *samples = c << 3;
                                 return  TRUE;
@@ -1410,85 +1570,221 @@ int ReaderReceiveIClass(uint8_t* receivedAnswer)
    int samples = 0;
    if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
    rsamples += samples;
    int samples = 0;
    if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
    rsamples += samples;
-  if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
+  if (tracing) {
+       uint8_t parity[MAX_PARITY_SIZE];
+       GetParity(receivedAnswer, Demod.len, parity);
+       LogTrace(receivedAnswer,Demod.len,rsamples,rsamples,parity,FALSE);
+  }
    if(samples == 0) return FALSE;
    return Demod.len;
  }
  
    if(samples == 0) return FALSE;
    return Demod.len;
  }
  
-// Reader iClass Anticollission
-void ReaderIClass(uint8_t arg0) {
-       uint8_t act_all[]     = { 0x0a };
-       uint8_t identify[]    = { 0x0c };
-       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+void setupIclassReader()
+{
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+    // Reset trace buffer
+       set_tracing(TRUE);
+       clear_trace();
  
  
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
+    // Setup SSC
+    FpgaSetupSsc();
+    // Start from off (no field generated)
+    // Signal field is off with the appropriate LED
+    LED_D_OFF();
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+    SpinDelay(200);
  
  
-       // Reset trace buffer
-       memset(trace, 0x44, RECV_CMD_OFFSET);
-       traceLen = 0;
+    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
  
  
-       // Setup SSC
-       FpgaSetupSsc();
-       // Start from off (no field generated)
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
+    // Now give it time to spin up.
+    // Signal field is on with the appropriate LED
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
+    SpinDelay(200);
+    LED_A_ON();
  
  
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+}
  
  
-       // Now give it time to spin up.
-       // Signal field is on with the appropriate LED
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-       SpinDelay(200);
+size_t sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, uint8_t expected_size, uint8_t retries)
+{
+       while(retries-- > 0)
+       {
+               ReaderTransmitIClass(command, cmdsize);
+               if(expected_size == ReaderReceiveIClass(resp)){
+                       return 0;
+               }
+       }
+       return 1;//Error
+}
  
  
-       LED_A_ON();
+/**
+ * @brief Talks to an iclass tag, sends the commands to get CSN and CC.
+ * @param card_data where the CSN and CC are stored for return
+ * @return 0 = fail
+ *         1 = Got CSN
+ *         2 = Got CSN and CC
+ */
+uint8_t handshakeIclassTag(uint8_t *card_data)
+{
+       static uint8_t act_all[]     = { 0x0a };
+       static uint8_t identify[]    = { 0x0c };
+       static uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+
+
+       static uint8_t readcheck_cc[]= { 0x88, 0x02,};
+
+       uint8_t resp[ICLASS_BUFFER_SIZE];
+
+       uint8_t read_status = 0;
+
+       // Send act_all
+       ReaderTransmitIClass(act_all, 1);
+       // Card present?
+       if(!ReaderReceiveIClass(resp)) return read_status;//Fail
+       //Send Identify
+       ReaderTransmitIClass(identify, 1);
+       //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
+       uint8_t len  = ReaderReceiveIClass(resp);
+       if(len != 10) return read_status;//Fail
+
+       //Copy the Anti-collision CSN to our select-packet
+       memcpy(&select[1],resp,8);
+       //Select the card
+       ReaderTransmitIClass(select, sizeof(select));
+       //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
+       len  = ReaderReceiveIClass(resp);
+       if(len != 10) return read_status;//Fail
+
+       //Success - level 1, we got CSN
+       //Save CSN in response data
+       memcpy(card_data,resp,8);
+
+       //Flag that we got to at least stage 1, read CSN
+       read_status = 1;
+
+       // Card selected, now read e-purse (cc)
+       ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+       if(ReaderReceiveIClass(resp) == 8) {
+               //Save CC (e-purse) in response data
+               memcpy(card_data+8,resp,8);
+               read_status++;
+       }
  
  
-       for(;;) {
+       return read_status;
+}
+
+
+// Reader iClass Anticollission
+void ReaderIClass(uint8_t arg0) {
+
+       uint8_t card_data[6 * 8]={0};
+       memset(card_data, 0xFF, sizeof(card_data));
+    uint8_t last_csn[8]={0};
         
         
-               if(traceLen > TRACE_SIZE) {
+       //Read conf block CRC(0x01) => 0xfa 0x22
+       uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x01, 0xfa, 0x22};
+       //Read conf block CRC(0x05) => 0xde  0x64
+       uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x05, 0xde, 0x64};
+
+
+    int read_status= 0;
+       uint8_t result_status = 0;
+    bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
+
+       set_tracing(TRUE);
+    setupIclassReader();
+
+    while(!BUTTON_PRESS())
+    {
+
+               if(!tracing) {
                         DbpString("Trace full");
                         break;
                 }
                         DbpString("Trace full");
                         break;
                 }
-               
-               if (BUTTON_PRESS()) break;
+               WDT_HIT();
  
  
-               // Send act_all
-               ReaderTransmitIClass(act_all, 1);
-               // Card present?
-               if(ReaderReceiveIClass(resp)) {
-                       ReaderTransmitIClass(identify, 1);
-                       if(ReaderReceiveIClass(resp) == 10) {
-                               // Select card          
-                               memcpy(&select[1],resp,8);
-                               ReaderTransmitIClass(select, sizeof(select));
+               read_status = handshakeIclassTag(card_data);
+
+               if(read_status == 0) continue;
+               if(read_status == 1) result_status = FLAG_ICLASS_READER_CSN;
+               if(read_status == 2) result_status = FLAG_ICLASS_READER_CSN|FLAG_ICLASS_READER_CC;
+
+               // handshakeIclass returns CSN|CC, but the actual block
+               // layout is CSN|CONFIG|CC, so here we reorder the data,
+               // moving CC forward 8 bytes
+               memcpy(card_data+16,card_data+8, 8);
+               //Read block 1, config
+               if(arg0 & FLAG_ICLASS_READER_CONF)
+               {
+                       if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf),card_data+8, 10, 10))
+                       {
+                               Dbprintf("Failed to dump config block");
+                       }else
+                       {
+                               result_status |= FLAG_ICLASS_READER_CONF;
+                       }
+               }
  
  
-                               if(ReaderReceiveIClass(resp) == 10) {
-                                       Dbprintf("     Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
+               //Read block 5, AA
+               if(arg0 & FLAG_ICLASS_READER_AA){
+                       if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA),card_data+(8*4), 10, 10))
+                       {
+//                             Dbprintf("Failed to dump AA block");
+                       }else
+                       {
+                               result_status |= FLAG_ICLASS_READER_AA;
+                       }
+               }
+
+               // 0 : CSN
+               // 1 : Configuration
+               // 2 : e-purse
+               // (3,4 write-only, kc and kd)
+               // 5 Application issuer area
+               //
+               //Then we can 'ship' back the 8 * 5 bytes of data,
+               // with 0xFF:s in block 3 and 4.
+
+                    LED_B_ON();
+                    //Send back to client, but don't bother if we already sent this
+                    if(memcmp(last_csn, card_data, 8) != 0)
+               {
+                       // If caller requires that we get CC, continue until we got it
+                       if( (arg0 & read_status & FLAG_ICLASS_READER_CC) || !(arg0 & FLAG_ICLASS_READER_CC))
+                       {
+                               cmd_send(CMD_ACK,result_status,0,0,card_data,sizeof(card_data));
+                               if(abort_after_read) {
+                                       LED_A_OFF();
+                                       return;
                                 }
                                 }
-                               // Card selected, whats next... ;-)
+                    //Save that we already sent this....
+                        memcpy(last_csn, card_data, 8);
                         }
                         }
+
                 }
                 }
-               WDT_HIT();
-       }
-       
-       LED_A_OFF();
+               LED_B_OFF();
+    }
+    cmd_send(CMD_ACK,0,0,0,card_data, 0);
+    LED_A_OFF();
  }
  
  void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
  }
  
  void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
-       uint8_t act_all[]     = { 0x0a };
-       uint8_t identify[]    = { 0x0c };
-       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t readcheck_cc[]= { 0x88, 0x02 };
+
+       uint8_t card_data[USB_CMD_DATA_SIZE]={0};
+       uint16_t block_crc_LUT[255] = {0};
+
+       {//Generate a lookup table for block crc
+               for(int block = 0; block < 255; block++){
+                       char bl = block;
+                       block_crc_LUT[block] = iclass_crc16(&bl ,1);
+               }
+       }
+       //Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]);
+
         uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
         uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
         
      uint16_t crc = 0;
         uint8_t cardsize=0;
         uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
         uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
         
      uint16_t crc = 0;
         uint8_t cardsize=0;
-       bool read_success=false;
         uint8_t mem=0;
         
         static struct memory_t{
         uint8_t mem=0;
         
         static struct memory_t{
@@ -1499,88 +1795,44 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
           int keyaccess;
         } memory;
         
           int keyaccess;
         } memory;
         
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
-
-       // Reset trace buffer
-    memset(trace, 0x44, RECV_CMD_OFFSET);
-       traceLen = 0;
-
-       // Setup SSC
-       FpgaSetupSsc();
-       // Start from off (no field generated)
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
-
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
-       // Now give it time to spin up.
-       // Signal field is on with the appropriate LED
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-       SpinDelay(200);
-
-       LED_A_ON();
+       uint8_t resp[ICLASS_BUFFER_SIZE];
+       
+    setupIclassReader();
+       set_tracing(TRUE);
  
  
-       for(int i=0;i<1;i++) {
+       while(!BUTTON_PRESS()) {
         
         
-               if(traceLen > TRACE_SIZE) {
+               WDT_HIT();
+
+               if(!tracing) {
                         DbpString("Trace full");
                         break;
                 }
                 
                         DbpString("Trace full");
                         break;
                 }
                 
-               if (BUTTON_PRESS()) break;
+               uint8_t read_status = handshakeIclassTag(card_data);
+               if(read_status < 2) continue;
  
  
-               // Send act_all
-               ReaderTransmitIClass(act_all, 1);
-               // Card present?
-               if(ReaderReceiveIClass(resp)) {
-                       ReaderTransmitIClass(identify, 1);
-                       if(ReaderReceiveIClass(resp) == 10) {
-                               // Select card          
-                               memcpy(&select[1],resp,8);
-                               ReaderTransmitIClass(select, sizeof(select));
-
-                               if(ReaderReceiveIClass(resp) == 10) {
-                                       Dbprintf("     Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }
-                               // Card selected
-                               Dbprintf("Readcheck on Sector 2");
-                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
-                               if(ReaderReceiveIClass(resp) == 8) {
-                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }else return;
-                               Dbprintf("Authenticate");
                                 //for now replay captured auth (as cc not updated)
                                 memcpy(check+5,MAC,4);
                                 //for now replay captured auth (as cc not updated)
                                 memcpy(check+5,MAC,4);
-                               Dbprintf("     AA: %02x %02x %02x %02x",
-                                       check[5], check[6], check[7],check[8]);
-                               ReaderTransmitIClass(check, sizeof(check));
-                               if(ReaderReceiveIClass(resp) == 4) {
-                                  Dbprintf("     AR: %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],resp[3]);
-                               }else {
+
+               if(sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5))
+               {
                                   Dbprintf("Error: Authentication Fail!");
                                   Dbprintf("Error: Authentication Fail!");
-                                 return;
+                       continue;
                                 }
                                 }
-                               Dbprintf("Dump Contents");
-                               //first get configuration block
-                               read_success=false;
+
+               //first get configuration block (block 1)
+               crc = block_crc_LUT[1];
                                 read[1]=1;
                                 read[1]=1;
-                               uint8_t *blockno=&read[1];
-                               crc = iclass_crc16((char *)blockno,1);
                                 read[2] = crc >> 8;
                                 read[3] = crc & 0xff;
                                 read[2] = crc >> 8;
                                 read[3] = crc & 0xff;
-                               while(!read_success){
-                                     ReaderTransmitIClass(read, sizeof(read));
-                                     if(ReaderReceiveIClass(resp) == 10) {
-                                        read_success=true;
+
+               if(sendCmdGetResponseWithRetries(read, sizeof(read),resp, 10, 10))
+               {
+                       Dbprintf("Dump config (block 1) failed");
+                       continue;
+               }
+
                                          mem=resp[5];
                                          memory.k16= (mem & 0x80);
                                          memory.book= (mem & 0x20);
                                          mem=resp[5];
                                          memory.k16= (mem & 0x80);
                                          memory.book= (mem & 0x20);
@@ -1588,134 +1840,69 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
                                          memory.lockauth= (mem & 0x2);
                                          memory.keyaccess= (mem & 0x1);
  
                                          memory.lockauth= (mem & 0x2);
                                          memory.keyaccess= (mem & 0x1);
  
-                                     }
-                               }
-                               if (memory.k16){
-                                 cardsize=255;
-                               }else cardsize=32;
+               cardsize = memory.k16 ? 255 : 32;
+               WDT_HIT();
+               //Set card_data to all zeroes, we'll fill it with data
+               memset(card_data,0x0,USB_CMD_DATA_SIZE);
+               uint8_t failedRead =0;
+               uint32_t stored_data_length =0;
                                 //then loop around remaining blocks
                                 //then loop around remaining blocks
-                               for(uint8_t j=0; j<cardsize; j++){
-                                   read_success=false;
-                                   uint8_t *blockno=&j;
-                                   //crc_data[0]=j;
-                                   read[1]=j;
-                                   crc = iclass_crc16((char *)blockno,1);
+               for(int block=0; block < cardsize; block++){
+
+                       read[1]= block;
+                       crc = block_crc_LUT[block];
                                     read[2] = crc >> 8;
                                     read[3] = crc & 0xff;
                                     read[2] = crc >> 8;
                                     read[3] = crc & 0xff;
-                                   while(!read_success){
-                                     ReaderTransmitIClass(read, sizeof(read));
-                                     if(ReaderReceiveIClass(resp) == 10) {
-                                        read_success=true;
+
+                       if(!sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 10))
+                       {
                                          Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
                                          Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                         j, resp[0], resp[1], resp[2],
+                                                block, resp[0], resp[1], resp[2],
                                           resp[3], resp[4], resp[5],
                                           resp[6], resp[7]);
                                           resp[3], resp[4], resp[5],
                                           resp[6], resp[7]);
-                                     }
-                                   }
-                               }
-                       }
-               }
-               WDT_HIT();
-       }
-       
-       LED_A_OFF();
-}
-
-//1. Create Method to Read sectors/blocks 0,1,2 and Send to client
-void IClass_iso14443A_GetPublic(uint8_t arg0) {
-       uint8_t act_all[]     = { 0x0a };
-       uint8_t identify[]    = { 0x0c };
-       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t readcheck_cc[]= { 0x88, 0x02 }; 
-       //uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };   
-       uint8_t card_data[24]={0};
-       
-       //bool read_success=false;
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
-
-       // Reset trace buffer
-    memset(trace, 0x44, RECV_CMD_OFFSET);
-       traceLen = 0;
  
  
-       // Setup SSC
-       FpgaSetupSsc();
-       // Start from off (no field generated)
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
-
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
-       // Now give it time to spin up.
-       // Signal field is on with the appropriate LED
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-       SpinDelay(200);
-
-       LED_A_ON();
+                               //Fill up the buffer
+                               memcpy(card_data+stored_data_length,resp,8);
+                               stored_data_length += 8;
+                               if(stored_data_length +8 > USB_CMD_DATA_SIZE)
+                               {//Time to send this off and start afresh
+                                       cmd_send(CMD_ACK,
+                                                        stored_data_length,//data length
+                                                        failedRead,//Failed blocks?
+                                                        0,//Not used ATM
+                                                        card_data, stored_data_length);
+                                       //reset
+                                       stored_data_length = 0;
+                                       failedRead = 0;
+                               }
  
  
-       for(int i=0;i<1;i++) {
-       
-               if(traceLen > TRACE_SIZE) {
-                       DbpString("Trace full");
-                       break;
+                       }else{
+                               failedRead = 1;
+                               stored_data_length +=8;//Otherwise, data becomes misaligned
+                               Dbprintf("Failed to dump block %d", block);
+                       }
                 }
                 }
-               
-               if (BUTTON_PRESS()) break;
  
  
-               // Send act_all
-               ReaderTransmitIClass(act_all, 1);
-               // Card present?
-               if(ReaderReceiveIClass(resp)) {
-                       ReaderTransmitIClass(identify, 1);
-                       if(ReaderReceiveIClass(resp) == 10) {
-                               // Select card          
-                               memcpy(&select[1],resp,8);
-                               ReaderTransmitIClass(select, sizeof(select));
-
-                               if(ReaderReceiveIClass(resp) == 10) {
-                                       Dbprintf("     Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }
-                               memcpy(card_data,resp,8);
-                               // Card selected
-                               Dbprintf("Readcheck on Sector 2");
-                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
-                               if(ReaderReceiveIClass(resp) == 8) {
-                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }
-                               memcpy(card_data+8,resp,8);
-                               //prep to read config block
-                               /*  read card configuration block
-                                 while(!read_success){
-                                 uint8_t sector_config=0x01;
-                                 memcpy(read+1,&sector_config,1);
-                                 ReaderTransmitIClass(read, sizeof(read));
-                                 if(ReaderReceiveIClass(resp) == 8) {
-                                   Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                                       read_success=true;
-                    memcpy(card_data+16,resp,8);
-                                 }
-                               }*/
-                       }
+               //Send off any remaining data
+               if(stored_data_length > 0)
+               {
+                       cmd_send(CMD_ACK,
+                                        stored_data_length,//data length
+                                        failedRead,//Failed blocks?
+                                        0,//Not used ATM
+                                        card_data, stored_data_length);
                 }
                 }
-               WDT_HIT();
+               //If we got here, let's break
+               break;
         }
         }
-       //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[0],card_data[1],card_data[2],card_data[3],card_data[4],card_data[5],card_data[6],card_data[7]);
-       //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[8],card_data[9],card_data[10],card_data[11],card_data[12],card_data[13],card_data[14],card_data[15]);
+       //Signal end of transmission
+       cmd_send(CMD_ACK,
+                        0,//data length
+                        0,//Failed blocks?
+                        0,//Not used ATM
+                        card_data, 0);
+
         LED_A_OFF();
         LED_A_OFF();
-       LED_B_ON();
-       //send data back to the client
-    cmd_send(CMD_ACK,0,0,0,card_data,16);
-       LED_B_OFF();
  }
  
  //2. Create Read method (cut-down from above) based off responses from 1. 
  }
  
  //2. Create Read method (cut-down from above) based off responses from 1. 
@@ -1733,10 +1920,10 @@ void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_
         
      uint16_t crc = 0;
         
         
      uint16_t crc = 0;
         
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
+       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);
  
         // Reset trace buffer
  
         // Reset trace buffer
-    memset(trace, 0x44, RECV_CMD_OFFSET);
+       memset(trace, 0x44, RECV_CMD_OFFSET);
         traceLen = 0;
  
         // Setup SSC
         traceLen = 0;
  
         // Setup SSC