+
+ LED_B_ON();
+ cmd_send(CMD_ACK,isOK,0,0,buf,48);
+ LED_B_OFF();
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+ tracing = TRUE;
+
+ if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
+}
+
+void ReaderMifareBegin(uint32_t offset_time, uint32_t powerdown_time);
+
+/**
+ * @brief New implementation of ReaderMifare, the classic mifare attack.
+ * This implementation is backwards-compatible, but has some added parameters.
+ * @param c the usbcommand in complete
+ * c->arg[0] - nt_noattack (deprecated)
+ * c->arg[1] - offset_time us (0 => random)
+ * c->arg[2] - powerdown_time ms (0=> tuning)
+ *
+ */
+void ReaderMifare(UsbCommand *c)
+{
+ /*
+ * The 'no-attack' is not used anymore, with the introduction of
+ * state tables. Instead, we use an offset which is random. This means that we
+ * should not get stuck on a 'bad' nonce, so no-attack is not needed.
+ * Anyway, arg[0] is reserved for backwards compatibility
+ uint32_t nt_noattack_uint = c->arg[0];
+ byte_t nt_noattack[4];
+ num_to_bytes(parameter, 4, nt_noattack_uint);
+
+ */
+ /*
+ *IF, for some reason, you want to attack a specific nonce or whatever,
+ *you can specify the offset time yourself, in which case it won't be random.
+ *
+ * The offset time is microseconds, MICROSECONDS, not ms.
+ */
+ uint32_t offset_time = c->arg[1];
+ if(offset_time == 0)
+ {
+ //[Martin:]I would like to have used rand(), but linking problems prevented it
+ //offset_time = rand() % 4000;
+ //So instead, I found this nifty thingy, which seems to fit the bill
+ offset_time = GetTickCount() % 2000;
+ }
+ /*
+ * There is an implementation of tuning. Tuning will try to determine
+ * a good power-down time, which is different for different cards.
+ * If a value is specified from the packet, we won't do any tuning.
+ * A value of zero will initialize a tuning.
+ * The power-down time is milliseconds, that MILLI-seconds .
+ */
+ uint32_t powerdown_time = c->arg[2];
+ if(powerdown_time == 0)
+ {
+ //Tuning required
+ int entropy = 100;
+ int time = 25;
+ entropy = TuneMifare(time);
+
+ while(entropy > 50 && time < 2000){
+ //Increase timeout, but never more than 500ms at a time
+ time = MIN(time*2, time+500);
+ entropy = TuneMifare(time);
+ }
+ if(entropy > 50){
+ Dbprintf("OBS! This card has high entropy (%d) and slow power-down. This may take a while", entropy);
+ }
+ powerdown_time = time;
+ }
+ //The actual attack
+ ReaderMifareBegin(offset_time, powerdown_time);
+}
+void ReaderMifareBegin(uint32_t offset_time, uint32_t powerdown_time)
+{
+ Dbprintf("Using power-down-time of %d ms, offset time %d us", powerdown_time, offset_time);
+
+ /**
+ *Allocate our state-table and initialize with zeroes
+ **/
+
+ AttackState states[STATE_SIZE] ;
+ //Dbprintf("Memory allocated ok! (%d bytes)",STATE_SIZE*sizeof(AttackState) );
+ memset(states, 0, STATE_SIZE*sizeof(AttackState));
+
+ // Mifare AUTH
+ uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
+ uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); // was 3560 - tied to other size changes
+
+ traceLen = 0;
+ tracing = false;
+
+ iso14443a_setup();
+ LED_A_ON();
+ LED_B_OFF();
+ LED_C_OFF();
+
+ LED_A_OFF();
+ uint8_t uid[8];
+ uint32_t cuid;
+
+ byte_t nt[4];
+ int nts_attacked= 0;
+ //Keeps track of progress (max value of nt_diff for our states)
+ int progress = 0;
+ int high_entropy_warning_issued = 0;
+ while(!BUTTON_PRESS())
+ {
+ LED_C_OFF();
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ SpinDelay(powerdown_time);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
+ LED_C_ON();
+ SpinDelayUs(offset_time);
+
+ if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
+
+ // Transmit MIFARE_CLASSIC_AUTH
+ ReaderTransmit(mf_auth, sizeof(mf_auth));
+
+ // Receive the (16 bit) "random" nonce
+ if (!ReaderReceive(receivedAnswer)) continue;
+ memcpy(nt, receivedAnswer, 4);
+
+ //Now we have the NT. Check if this NT is already under attack
+ AttackState* pState = NULL;
+ int i = 0;
+ for(i = 0 ; i < nts_attacked && pState == NULL; i++)
+ {
+ if( memcmp(nt, states[i].nt, 4) == 0)
+ {
+ //we have it
+ pState = &states[i];
+ //Dbprintf("Existing state found (%d)", i);
+ }
+ }
+
+ if(pState == NULL){
+ if(nts_attacked < STATE_SIZE )
+ {
+ //Initialize a new state
+ pState = &states[nts_attacked++];
+ //Clear it before use
+ memset(pState, 0, sizeof(AttackState));
+ memcpy(pState->nt, nt, 4);
+ i = nts_attacked;
+ //Dbprintf("New state created, nt=");
+ }else if(!high_entropy_warning_issued){
+ /**
+ *If we wound up here, it means that the state table was eaten up by potential nonces. This could be fixed by
+ *increasing the size of the state buffer, however, it points to some other problem. Ideally, we should get the same nonce
+ *every time. Realistically we should get a few different nonces, but if we get more than 50, there is probably somehting
+ *else that is wrong. An attack using too high nonce entropy will take **LONG** time to finish.
+ */
+ DbpString("WARNING: Nonce entropy is suspiciously high, something is wrong. Check timeouts (and perhaps increase STATE_SIZE)");
+ high_entropy_warning_issued = 1;
+ }
+ }
+ if(pState == NULL) continue;
+
+ int result = continueAttack(pState, receivedAnswer);
+
+ if(result == 1){
+ //One state progressed another step
+ if(pState->nt_diff > progress)
+ {
+ progress = pState->nt_diff;
+ //Alert the user
+ Dbprintf("Recovery progress: %d/8, NTs attacked: %d ", progress,nts_attacked );
+ }
+ //Dbprintf("State increased to %d in state %d", pState->nt_diff, i);
+ }
+ else if(result == 2){
+ //Dbprintf("Continue attack no answer, par is now %d", pState->par);
+ }
+ else if(result == 0){
+ reportResults(uid,pState,1);
+ return;
+ }
+ }
+ reportResults(uid,NULL,0);
+}
+//-----------------------------------------------------------------------------
+// MIFARE 1K simulate.
+//
+//-----------------------------------------------------------------------------
+void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+ int cardSTATE = MFEMUL_NOFIELD;
+ int _7BUID = 0;
+ int vHf = 0; // in mV
+ //int nextCycleTimeout = 0;
+ int res;
+// uint32_t timer = 0;
+ uint32_t selTimer = 0;
+ uint32_t authTimer = 0;
+ uint32_t par = 0;
+ int len = 0;
+ uint8_t cardWRBL = 0;
+ uint8_t cardAUTHSC = 0;
+ uint8_t cardAUTHKEY = 0xff; // no authentication
+ //uint32_t cardRn = 0;
+ uint32_t cardRr = 0;
+ uint32_t cuid = 0;
+ //uint32_t rn_enc = 0;
+ uint32_t ans = 0;
+ uint32_t cardINTREG = 0;
+ uint8_t cardINTBLOCK = 0;
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
+ uint8_t *response = eml_get_bigbufptr_sendbuf();
+
+ static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
+
+ static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
+ static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
+
+ static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
+ static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
+
+ static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
+// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
+ static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
+
+ // clear trace
+ traceLen = 0;
+ tracing = true;
+
+ // Authenticate response - nonce
+ uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
+
+ // get UID from emul memory
+ emlGetMemBt(receivedCmd, 7, 1);
+ _7BUID = !(receivedCmd[0] == 0x00);
+ if (!_7BUID) { // ---------- 4BUID
+ rATQA[0] = 0x04;
+
+ emlGetMemBt(rUIDBCC1, 0, 4);
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ } else { // ---------- 7BUID
+ rATQA[0] = 0x44;
+
+ rUIDBCC1[0] = 0x88;
+ emlGetMemBt(&rUIDBCC1[1], 0, 3);
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ emlGetMemBt(rUIDBCC2, 3, 4);
+ rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+ }
+
+// -------------------------------------- test area
+
+// -------------------------------------- END test area
+ // start mkseconds counter
+ StartCountUS();
+
+ // We need to listen to the high-frequency, peak-detected path.
+ SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+ FpgaSetupSsc();
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+ SpinDelay(200);
+
+ if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
+ // calibrate mkseconds counter
+ GetDeltaCountUS();
+ while (true) {
+ WDT_HIT();
+
+ if(BUTTON_PRESS()) {
+ break;
+ }
+
+ // find reader field
+ // Vref = 3300mV, and an 10:1 voltage divider on the input
+ // can measure voltages up to 33000 mV
+ if (cardSTATE == MFEMUL_NOFIELD) {
+ vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
+ if (vHf > MF_MINFIELDV) {
+ cardSTATE_TO_IDLE();
+ LED_A_ON();
+ }
+ }
+
+ if (cardSTATE != MFEMUL_NOFIELD) {
+ res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
+ if (res == 2) {
+ cardSTATE = MFEMUL_NOFIELD;
+ LEDsoff();
+ continue;
+ }
+ if(res) break;
+ }
+
+ //nextCycleTimeout = 0;
+
+// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
+
+ if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
+ // REQ or WUP request in ANY state and WUP in HALTED state
+ if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
+ selTimer = GetTickCount();
+ EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
+ cardSTATE = MFEMUL_SELECT1;
+
+ // init crypto block
+ LED_B_OFF();
+ LED_C_OFF();
+ crypto1_destroy(pcs);
+ cardAUTHKEY = 0xff;
+ }
+ }
+
+ switch (cardSTATE) {
+ case MFEMUL_NOFIELD:{
+ break;
+ }
+ case MFEMUL_HALTED:{
+ break;
+ }
+ case MFEMUL_IDLE:{
+ break;
+ }
+ case MFEMUL_SELECT1:{
+ // select all
+ if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
+ EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
+ break;
+ }
+
+ // select card
+ if (len == 9 &&
+ (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
+ if (!_7BUID)
+ EmSendCmd(rSAK, sizeof(rSAK));
+ else
+ EmSendCmd(rSAK1, sizeof(rSAK1));
+
+ cuid = bytes_to_num(rUIDBCC1, 4);
+ if (!_7BUID) {
+ cardSTATE = MFEMUL_WORK;
+ LED_B_ON();
+ if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
+ break;
+ } else {
+ cardSTATE = MFEMUL_SELECT2;
+ break;
+ }
+ }
+
+ break;
+ }
+ case MFEMUL_SELECT2:{
+ if (!len) break;
+
+ if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
+ EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
+ break;
+ }
+
+ // select 2 card
+ if (len == 9 &&
+ (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
+ EmSendCmd(rSAK, sizeof(rSAK));
+
+ cuid = bytes_to_num(rUIDBCC2, 4);
+ cardSTATE = MFEMUL_WORK;
+ LED_B_ON();
+ if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+ break;
+ }
+
+ // i guess there is a command). go into the work state.
+ if (len != 4) break;
+ cardSTATE = MFEMUL_WORK;
+ goto lbWORK;
+ }
+ case MFEMUL_AUTH1:{
+ if (len == 8) {
+ // --- crypto
+ //rn_enc = bytes_to_num(receivedCmd, 4);
+ //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
+ cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
+ // test if auth OK
+ if (cardRr != prng_successor(nonce, 64)){
+ if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
+ cardSTATE_TO_IDLE();
+ break;
+ }
+ ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
+ num_to_bytes(ans, 4, rAUTH_AT);
+ // --- crypto
+ EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
+ cardSTATE = MFEMUL_AUTH2;
+ } else {
+ cardSTATE_TO_IDLE();
+ }
+ if (cardSTATE != MFEMUL_AUTH2) break;
+ }
+ case MFEMUL_AUTH2:{
+ LED_C_ON();
+ cardSTATE = MFEMUL_WORK;
+ if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
+ break;
+ }
+ case MFEMUL_WORK:{
+lbWORK: if (len == 0) break;
+
+ if (cardAUTHKEY == 0xff) {
+ // first authentication
+ if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
+ authTimer = GetTickCount();
+
+ cardAUTHSC = receivedCmd[1] / 4; // received block num
+ cardAUTHKEY = receivedCmd[0] - 0x60;
+
+ // --- crypto
+ crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
+ ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
+ num_to_bytes(nonce, 4, rAUTH_AT);
+ EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
+ // --- crypto
+
+// last working revision
+// EmSendCmd14443aRaw(resp1, resp1Len, 0);
+// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
+
+ cardSTATE = MFEMUL_AUTH1;
+ //nextCycleTimeout = 10;
+ break;
+ }
+ } else {
+ // decrypt seqence
+ mf_crypto1_decrypt(pcs, receivedCmd, len);
+
+ // nested authentication
+ if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
+ authTimer = GetTickCount();
+
+ cardAUTHSC = receivedCmd[1] / 4; // received block num
+ cardAUTHKEY = receivedCmd[0] - 0x60;
+
+ // --- crypto
+ crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
+ ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
+ num_to_bytes(ans, 4, rAUTH_AT);
+ EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
+ // --- crypto
+
+ cardSTATE = MFEMUL_AUTH1;
+ //nextCycleTimeout = 10;
+ break;
+ }
+ }
+
+ // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
+ // BUT... ACK --> NACK
+ if (len == 1 && receivedCmd[0] == CARD_ACK) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ break;
+ }
+
+ // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
+ if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+ break;
+ }
+
+ // read block
+ if (len == 4 && receivedCmd[0] == 0x30) {
+ if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ break;
+ }
+ emlGetMem(response, receivedCmd[1], 1);
+ AppendCrc14443a(response, 16);
+ mf_crypto1_encrypt(pcs, response, 18, &par);
+ EmSendCmdPar(response, 18, par);
+ break;
+ }
+
+ // write block
+ if (len == 4 && receivedCmd[0] == 0xA0) {
+ if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ break;
+ }
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+ //nextCycleTimeout = 50;
+ cardSTATE = MFEMUL_WRITEBL2;
+ cardWRBL = receivedCmd[1];
+ break;
+ }
+
+ // works with cardINTREG
+
+ // increment, decrement, restore
+ if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
+ if (receivedCmd[1] >= 16 * 4 ||
+ receivedCmd[1] / 4 != cardAUTHSC ||
+ emlCheckValBl(receivedCmd[1])) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ break;
+ }
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+ if (receivedCmd[0] == 0xC1)
+ cardSTATE = MFEMUL_INTREG_INC;
+ if (receivedCmd[0] == 0xC0)
+ cardSTATE = MFEMUL_INTREG_DEC;
+ if (receivedCmd[0] == 0xC2)
+ cardSTATE = MFEMUL_INTREG_REST;
+ cardWRBL = receivedCmd[1];
+
+ break;
+ }
+
+
+ // transfer
+ if (len == 4 && receivedCmd[0] == 0xB0) {
+ if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ break;
+ }
+
+ if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ else
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+
+ break;
+ }
+
+ // halt
+ if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
+ LED_B_OFF();
+ LED_C_OFF();
+ cardSTATE = MFEMUL_HALTED;
+ if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
+ break;
+ }
+
+ // command not allowed
+ if (len == 4) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ break;
+ }
+
+ // case break
+ break;
+ }
+ case MFEMUL_WRITEBL2:{
+ if (len == 18){
+ mf_crypto1_decrypt(pcs, receivedCmd, len);
+ emlSetMem(receivedCmd, cardWRBL, 1);
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+ cardSTATE = MFEMUL_WORK;
+ break;
+ } else {
+ cardSTATE_TO_IDLE();
+ break;
+ }
+ break;
+ }
+
+ case MFEMUL_INTREG_INC:{
+ mf_crypto1_decrypt(pcs, receivedCmd, len);
+ memcpy(&ans, receivedCmd, 4);
+ if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ cardSTATE_TO_IDLE();
+ break;
+ }
+ cardINTREG = cardINTREG + ans;
+ cardSTATE = MFEMUL_WORK;
+ break;
+ }
+ case MFEMUL_INTREG_DEC:{
+ mf_crypto1_decrypt(pcs, receivedCmd, len);
+ memcpy(&ans, receivedCmd, 4);
+ if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ cardSTATE_TO_IDLE();
+ break;
+ }
+ cardINTREG = cardINTREG - ans;
+ cardSTATE = MFEMUL_WORK;
+ break;
+ }
+ case MFEMUL_INTREG_REST:{
+ mf_crypto1_decrypt(pcs, receivedCmd, len);
+ memcpy(&ans, receivedCmd, 4);
+ if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ cardSTATE_TO_IDLE();
+ break;
+ }
+ cardSTATE = MFEMUL_WORK;
+ break;
+ }
+ }
+ }
+