]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/mifarecmd.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
added testing timeout 40 sec to avoid hang VM
[proxmark3-svn] / armsrc / mifarecmd.c
diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index e7850b3f2c316bd07d4380cd6152518da935467c..edafe0a34129d922397e7deb40fc7bc4f09d4e9e 100644 (file)
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -2,6 +2,9 @@
 // Merlok - June 2011, 2012\r
 // Gerhard de Koning Gans - May 2008\r
 // Hagen Fritsch - June 2010\r
 // Merlok - June 2011, 2012\r
 // Gerhard de Koning Gans - May 2008\r
 // Hagen Fritsch - June 2010\r
+// Midnitesnake - Dec 2013\r
+// Andy Davies  - Apr 2014\r
+// Iceman - May 2014\r
 //\r
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
 // at your option, any later version. See the LICENSE.txt file for the text of\r
 //\r
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
 // at your option, any later version. See the LICENSE.txt file for the text of\r
@@ -11,10 +14,19 @@
 //-----------------------------------------------------------------------------\r
 \r
 #include "mifarecmd.h"\r
 //-----------------------------------------------------------------------------\r
 \r
 #include "mifarecmd.h"\r
+\r
 #include "apps.h"\r
 #include "apps.h"\r
+#include "util.h"\r
+#include "parity.h"\r
+#include "crc.h"\r
+\r
+// the block number for the ISO14443-4 PCB\r
+static uint8_t pcb_blocknum = 0;\r
+// Deselect card by sending a s-block. the crc is precalced for speed\r
+static  uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};\r
 \r
 //-----------------------------------------------------------------------------\r
 \r
 //-----------------------------------------------------------------------------\r
-// Select, Authenticaate, Read an MIFARE tag. \r
+// Select, Authenticate, Read a MIFARE tag.\r
 // read block\r
 //-----------------------------------------------------------------------------\r
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
 // read block\r
 //-----------------------------------------------------------------------------\r
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
@@ -24,79 +36,156 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        uint8_t keyType = arg1;\r
        uint64_t ui64Key = 0;\r
        ui64Key = bytes_to_num(datain, 6);\r
        uint8_t keyType = arg1;\r
        uint64_t ui64Key = 0;\r
        ui64Key = bytes_to_num(datain, 6);\r
-       \r
+\r
        // variables\r
        byte_t isOK = 0;\r
        byte_t dataoutbuf[16];\r
        // variables\r
        byte_t isOK = 0;\r
        byte_t dataoutbuf[16];\r
-       uint8_t uid[8];\r
+       uint8_t uid[10];\r
        uint32_t cuid;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
        uint32_t cuid;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
-       // clear trace\r
-       iso14a_clear_trace();\r
-//     iso14a_set_tracing(false);\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
 \r
-       iso14443a_setup();\r
+       clear_trace();\r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
 \r
        while (true) {\r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
 \r
        while (true) {\r
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
+               if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
                        break;\r
                };\r
 \r
                if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {\r
                        break;\r
                };\r
 \r
                if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Auth error");\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("Auth error");\r
                        break;\r
                };\r
                        break;\r
                };\r
-               \r
+\r
                if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {\r
                if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block error");\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("Read block error");\r
                        break;\r
                };\r
 \r
                if(mifare_classic_halt(pcs, cuid)) {\r
                        break;\r
                };\r
 \r
                if(mifare_classic_halt(pcs, cuid)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
                        break;\r
                };\r
                        break;\r
                };\r
-               \r
+\r
                isOK = 1;\r
                break;\r
        }\r
                isOK = 1;\r
                break;\r
        }\r
-       \r
+\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
-       \r
-       if (MF_DBGLEVEL >= 2)   DbpString("READ BLOCK FINISHED");\r
 \r
 \r
-       // add trace trailer\r
-       memset(uid, 0x44, 4);\r
-       LogTrace(uid, 4, 0, 0, TRUE);\r
+       if (MF_DBGLEVEL >= 2)   DbpString("READ BLOCK FINISHED");\r
 \r
 \r
-//     UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};\r
-//     memcpy(ack.d.asBytes, dataoutbuf, 16);\r
-       \r
        LED_B_ON();\r
        LED_B_ON();\r
-  cmd_send(CMD_ACK,isOK,0,0,0,0);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+       cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);\r
        LED_B_OFF();\r
 \r
        LED_B_OFF();\r
 \r
-\r
-  // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
-//  iso14a_set_tracing(TRUE);\r
+}\r
+\r
+void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){\r
+\r
+       bool turnOffField = (arg0 == 1);\r
+\r
+       LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
+\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       clear_trace();\r
+\r
+       if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       if(!mifare_ultra_auth(keybytes)){\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");\r
+               OnError(1);\r
+               return;\r
+       }\r
+\r
+       if (turnOffField) {\r
+               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+               LEDsoff();\r
+       }\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
+}\r
+\r
+// Arg0 = BlockNo,\r
+// Arg1 = UsePwd bool\r
+// datain = PWD bytes,\r
+void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)\r
+{\r
+       uint8_t blockNo = arg0;\r
+       byte_t dataout[16] = {0x00};\r
+       bool useKey = (arg1 == 1); //UL_C\r
+       bool usePwd = (arg1 == 2); //UL_EV1/NTAG\r
+\r
+       LEDsoff();\r
+       LED_A_ON();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       clear_trace();\r
+\r
+       int len = iso14443a_select_card(NULL, NULL, NULL, true, 0, true);\r
+       if(!len) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);\r
+               OnError(1);\r
+               return;\r
+       }\r
+\r
+       // UL-C authentication\r
+       if ( useKey ) {\r
+               uint8_t key[16] = {0x00};\r
+               memcpy(key, datain, sizeof(key) );\r
+\r
+               if ( !mifare_ultra_auth(key) ) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
 \r
 \r
+       // UL-EV1 / NTAG authentication\r
+       if ( usePwd ) {\r
+               uint8_t pwd[4] = {0x00};\r
+               memcpy(pwd, datain, 4);\r
+               uint8_t pack[4] = {0,0,0,0};\r
+               if (!mifare_ul_ev1_auth(pwd, pack)) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
+\r
+       if( mifare_ultra_readblock(blockNo, dataout) ) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");\r
+               OnError(2);\r
+               return;\r
+       }\r
+\r
+       if( mifare_ultra_halt() ) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");\r
+               OnError(3);\r
+               return;\r
+       }\r
+\r
+       cmd_send(CMD_ACK,1,0,0,dataout,16);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
-// Select, Authenticaate, Read an MIFARE tag. \r
-// read sector (data = 4 x 16 bytes = 64 bytes)\r
+// Select, Authenticate, Read a MIFARE tag.\r
+// read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)\r
 //-----------------------------------------------------------------------------\r
 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
 {\r
 //-----------------------------------------------------------------------------\r
 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
 {\r
@@ -105,94 +194,161 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        uint8_t keyType = arg1;\r
        uint64_t ui64Key = 0;\r
        ui64Key = bytes_to_num(datain, 6);\r
        uint8_t keyType = arg1;\r
        uint64_t ui64Key = 0;\r
        ui64Key = bytes_to_num(datain, 6);\r
-       \r
+\r
        // variables\r
        byte_t isOK = 0;\r
        // variables\r
        byte_t isOK = 0;\r
-       byte_t dataoutbuf[16 * 4];\r
-       uint8_t uid[8];\r
+       byte_t dataoutbuf[16 * 16];\r
+       uint8_t uid[10];\r
        uint32_t cuid;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
        uint32_t cuid;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
-       // clear trace\r
-       iso14a_clear_trace();\r
-//     iso14a_set_tracing(false);\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
 \r
-       iso14443a_setup();\r
+       clear_trace();\r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
 \r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
 \r
-       while (true) {\r
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
+       isOK = 1;\r
+       if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
+               isOK = 0;\r
                if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
                if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
-                       break;\r
-               };\r
+       }\r
+\r
 \r
 \r
-               if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {\r
+       if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {\r
+               isOK = 0;\r
                if (MF_DBGLEVEL >= 1)   Dbprintf("Auth error");\r
                if (MF_DBGLEVEL >= 1)   Dbprintf("Auth error");\r
+       }\r
+\r
+       for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
+               if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {\r
+                       isOK = 0;\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);\r
                        break;\r
                        break;\r
-               };\r
-               \r
-               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 0 error");\r
-                       break;\r
-               };\r
-               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 1 error");\r
-                       break;\r
-               };\r
-               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 2 error");\r
-                       break;\r
-               };\r
-               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 3 error");\r
-                       break;\r
-               };\r
-               \r
-               if(mifare_classic_halt(pcs, cuid)) {\r
-               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                       break;\r
-               };\r
+               }\r
+       }\r
 \r
 \r
-               isOK = 1;\r
-               break;\r
+       if(mifare_classic_halt(pcs, cuid)) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
        }\r
        }\r
-       \r
+\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
-       \r
-       if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");\r
 \r
 \r
-       // add trace trailer\r
-       memset(uid, 0x44, 4);\r
-       LogTrace(uid, 4, 0, 0, TRUE);\r
+       if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");\r
 \r
 \r
-//     UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};\r
-//     memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);\r
-       \r
        LED_B_ON();\r
        LED_B_ON();\r
-  cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,32);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
-//     SpinDelay(100);\r
-       \r
-//     memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
-  cmd_send(CMD_ACK,isOK,0,0,dataoutbuf+32, 32);\r
+       cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));\r
        LED_B_OFF();\r
 \r
        // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
        LED_B_OFF();\r
 \r
        // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
-//  iso14a_set_tracing(TRUE);\r
+}\r
+\r
+// arg0 = blockNo (start)\r
+// arg1 = Pages (number of blocks)\r
+// arg2 = useKey\r
+// datain = KEY bytes\r
+void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)\r
+{\r
+       LEDsoff();\r
+       LED_A_ON();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       // free eventually allocated BigBuf memory\r
+       BigBuf_free();\r
+       clear_trace();\r
+\r
+       // params\r
+       uint8_t blockNo = arg0;\r
+       uint16_t blocks = arg1;\r
+       bool useKey = (arg2 == 1); //UL_C\r
+       bool usePwd = (arg2 == 2); //UL_EV1/NTAG\r
+       uint32_t countblocks = 0;\r
+       uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);\r
+       if (dataout == NULL){\r
+               Dbprintf("out of memory");\r
+               OnError(1);\r
+               return;\r
+       }\r
+\r
+       int len = iso14443a_select_card(NULL, NULL, NULL, true, 0, true);\r
+       if (!len) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);\r
+               OnError(1);\r
+               return;\r
+       }\r
+\r
+       // UL-C authentication\r
+       if ( useKey ) {\r
+               uint8_t key[16] = {0x00};\r
+               memcpy(key, datain, sizeof(key) );\r
+\r
+               if ( !mifare_ultra_auth(key) ) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
+\r
+       // UL-EV1 / NTAG authentication\r
+       if (usePwd) {\r
+               uint8_t pwd[4] = {0x00};\r
+               memcpy(pwd, datain, sizeof(pwd));\r
+               uint8_t pack[4] = {0,0,0,0};\r
+\r
+               if (!mifare_ul_ev1_auth(pwd, pack)){\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
+\r
+       for (int i = 0; i < blocks; i++){\r
+               if ((i*4) + 4 >= CARD_MEMORY_SIZE) {\r
+                       Dbprintf("Data exceeds buffer!!");\r
+                       break;\r
+               }\r
+\r
+               len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);\r
+\r
+               if (len) {\r
+                       if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);\r
+                       // if no blocks read - error out\r
+                       if (i==0){\r
+                               OnError(2);\r
+                               return;\r
+                       } else {\r
+                               //stop at last successful read block and return what we got\r
+                               break;\r
+                       }\r
+               } else {\r
+                       countblocks++;\r
+               }\r
+       }\r
+\r
+       len = mifare_ultra_halt();\r
+       if (len) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");\r
+               OnError(3);\r
+               return;\r
+       }\r
+\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);\r
 \r
 \r
+       countblocks *= 4;\r
+\r
+       cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+       BigBuf_free();\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
-// Select, Authenticaate, Read an MIFARE tag. \r
+// Select, Authenticate, Write a MIFARE tag.\r
 // read block\r
 //-----------------------------------------------------------------------------\r
 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
 // read block\r
 //-----------------------------------------------------------------------------\r
 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
@@ -205,27 +361,25 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 \r
        ui64Key = bytes_to_num(datain, 6);\r
        memcpy(blockdata, datain + 10, 16);\r
 \r
        ui64Key = bytes_to_num(datain, 6);\r
        memcpy(blockdata, datain + 10, 16);\r
-       \r
+\r
        // variables\r
        byte_t isOK = 0;\r
        // variables\r
        byte_t isOK = 0;\r
-       uint8_t uid[8];\r
+       uint8_t uid[10];\r
        uint32_t cuid;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
        uint32_t cuid;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
-       // clear trace\r
-       iso14a_clear_trace();\r
-//  iso14a_set_tracing(false);\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
 \r
-       iso14443a_setup();\r
+       clear_trace();\r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
 \r
        while (true) {\r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
 \r
        while (true) {\r
-                       if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
+                       if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
                        break;\r
                };\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
                        break;\r
                };\r
@@ -234,7 +388,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Auth error");\r
                        break;\r
                };\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Auth error");\r
                        break;\r
                };\r
-               \r
+\r
                if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
                        break;\r
                if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
                        break;\r
@@ -244,364 +398,624 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
                        break;\r
                };\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
                        break;\r
                };\r
-               \r
+\r
                isOK = 1;\r
                break;\r
        }\r
                isOK = 1;\r
                break;\r
        }\r
-       \r
+\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
-       \r
-       if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
 \r
 \r
-       // add trace trailer\r
-       memset(uid, 0x44, 4);\r
-       LogTrace(uid, 4, 0, 0, TRUE);\r
+       if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
 \r
 \r
-//     UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};\r
-       \r
        LED_B_ON();\r
        LED_B_ON();\r
-  cmd_send(CMD_ACK,isOK,0,0,0,0);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+       cmd_send(CMD_ACK,isOK,0,0,0,0);\r
        LED_B_OFF();\r
 \r
 \r
        // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
        LED_B_OFF();\r
 \r
 \r
        // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
-//  iso14a_set_tracing(TRUE);\r
-\r
-}\r
-\r
-// Return 1 if the nonce is invalid else return 0\r
-int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {\r
-       return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \\r
-       (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \\r
-       (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;\r
 }\r
 \r
 }\r
 \r
-//-----------------------------------------------------------------------------\r
-// MIFARE nested authentication. \r
-// \r
-//-----------------------------------------------------------------------------\r
-void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)\r
+/* // Command not needed but left for future testing\r
+void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)\r
 {\r
 {\r
-       // params\r
        uint8_t blockNo = arg0;\r
        uint8_t blockNo = arg0;\r
-       uint8_t keyType = arg1;\r
-       uint8_t targetBlockNo = arg2 & 0xff;\r
-       uint8_t targetKeyType = (arg2 >> 8) & 0xff;\r
-       uint64_t ui64Key = 0;\r
-\r
-       ui64Key = bytes_to_num(datain, 6);\r
-       \r
-       // variables\r
-       int rtr, i, j, m, len;\r
-       int davg, dmin, dmax;\r
-       uint8_t uid[8];\r
-       uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;\r
-       uint8_t par_array[4];\r
-       nestedVector nvector[NES_MAX_INFO + 1][11];\r
-       int nvectorcount[NES_MAX_INFO + 1];\r
-       int ncount = 0;\r
-       struct Crypto1State mpcs = {0, 0};\r
-       struct Crypto1State *pcs;\r
-       pcs = &mpcs;\r
-       uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+       byte_t blockdata[16] = {0x00};\r
 \r
 \r
-       //init\r
-       for (i = 0; i < NES_MAX_INFO + 1; i++) nvectorcount[i] = 11;  //  11 - empty block;\r
-       \r
-       // clear trace\r
-       iso14a_clear_trace();\r
-  iso14a_set_tracing(false);\r
-       \r
-       iso14443a_setup();\r
+       memcpy(blockdata, datain, 16);\r
 \r
 \r
-       LED_A_ON();\r
-       LED_B_ON();\r
-       LED_C_OFF();\r
+       uint8_t uid[10] = {0x00};\r
 \r
 \r
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-  SpinDelay(200);\r
-       \r
-       davg = dmax = 0;\r
-       dmin = 2000;\r
+       LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
 \r
 \r
-       // test nonce distance\r
-       for (rtr = 0; rtr < 10; rtr++) {\r
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-    SpinDelay(100);\r
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
+       clear_trace();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
 \r
-    // Test if the action was cancelled\r
-    if(BUTTON_PRESS()) {\r
-      break;\r
-    }\r
+       if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
+               OnError(0);\r
+               return;\r
+       };\r
 \r
 \r
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
-                       break;\r
-               };\r
-               \r
-               if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Auth1 error");\r
-                       break;\r
-               };\r
+       if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
+               OnError(0);\r
+               return; };\r
 \r
 \r
-               if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Auth2 error");\r
-                       break;\r
-               };\r
-               \r
-               nttmp = prng_successor(nt1, 500);\r
-               for (i = 501; i < 2000; i++) {\r
-                       nttmp = prng_successor(nttmp, 1);\r
-                       if (nttmp == nt2) break;\r
-               }\r
-               \r
-               if (i != 2000) {\r
-                       davg += i;\r
-                       if (dmin > i) dmin = i;\r
-                       if (dmax < i) dmax = i;\r
-                       if (MF_DBGLEVEL >= 4)   Dbprintf("r=%d nt1=%08x nt2=%08x distance=%d", rtr, nt1, nt2, i);\r
-               }\r
-       }\r
-       \r
-       if (rtr == 0)   return;\r
+       if(mifare_ultra_halt()) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
+               OnError(0);\r
+               return;\r
+       };\r
 \r
 \r
-       davg = davg / rtr;\r
-       if (MF_DBGLEVEL >= 3)   Dbprintf("distance: min=%d max=%d avg=%d", dmin, dmax, davg);\r
+       if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
 \r
 \r
-       LED_B_OFF();\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
+*/\r
+\r
+// Arg0   : Block to write to.\r
+// Arg1   : 0 = use no authentication.\r
+//          1 = use 0x1A authentication.\r
+//          2 = use 0x1B authentication.\r
+// datain : 4 first bytes is data to be written.\r
+//        : 4/16 next bytes is authentication key.\r
+void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)\r
+{\r
+       uint8_t blockNo = arg0;\r
+       bool useKey = (arg1 == 1); //UL_C\r
+       bool usePwd = (arg1 == 2); //UL_EV1/NTAG\r
+       byte_t blockdata[4] = {0x00};\r
 \r
 \r
-//  -------------------------------------------------------------------------------------------------  \r
-       \r
-       LED_C_ON();\r
+       memcpy(blockdata, datain,4);\r
 \r
 \r
-       //  get crypted nonces for target sector\r
-       for (rtr = 0; rtr < NS_RETRIES_GETNONCE; rtr++) {\r
-       if (MF_DBGLEVEL >= 4)                   Dbprintf("------------------------------");\r
+       LEDsoff();\r
+       LED_A_ON();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
 \r
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-    SpinDelay(100);\r
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
+       clear_trace();\r
 \r
 \r
-    // Test if the action was cancelled\r
-    if(BUTTON_PRESS()) {\r
-      break;\r
-    }\r
+       if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");\r
+               OnError(0);\r
+               return;\r
+       };\r
 \r
 \r
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
-                       break;\r
-               };\r
-               \r
-               if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Auth1 error");\r
-                       break;\r
-               };\r
+       // UL-C authentication\r
+       if ( useKey ) {\r
+               uint8_t key[16] = {0x00};\r
+               memcpy(key, datain+4, sizeof(key) );\r
 \r
 \r
-               // nested authentication\r
-               len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par);\r
-               if (len != 4) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Auth2 error len=%d", len);\r
-                       break;\r
-               };\r
-       \r
-               nt2 = bytes_to_num(receivedAnswer, 4);          \r
-               if (MF_DBGLEVEL >= 4)   Dbprintf("r=%d nt1=%08x nt2enc=%08x nt2par=%08x", rtr, nt1, nt2, par);\r
-               \r
-               // Parity validity check\r
-               for (i = 0; i < 4; i++) {\r
-                       par_array[i] = (oddparity(receivedAnswer[i]) != ((par & 0x08) >> 3));\r
-                       par = par << 1;\r
+               if ( !mifare_ultra_auth(key) ) {\r
+                       OnError(1);\r
+                       return;\r
                }\r
                }\r
-               \r
-               ncount = 0;\r
-               nttest = prng_successor(nt1, dmin - NS_TOLERANCE);\r
-               for (m = dmin - NS_TOLERANCE + 1; m < dmax + NS_TOLERANCE; m++) {\r
-                       nttest = prng_successor(nttest, 1);\r
-                       ks1 = nt2 ^ nttest;\r
-\r
-                       if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)){\r
-                               \r
-                               nvector[NES_MAX_INFO][ncount].nt = nttest;\r
-                               nvector[NES_MAX_INFO][ncount].ks1 = ks1;\r
-                               ncount++;\r
-                               nvectorcount[NES_MAX_INFO] = ncount;\r
-                               if (MF_DBGLEVEL >= 4)   Dbprintf("valid m=%d ks1=%08x nttest=%08x", m, ks1, nttest);\r
-                       }\r
+       }\r
 \r
 \r
-               }\r
-               \r
-               // select vector with length less than got\r
-               if (nvectorcount[NES_MAX_INFO] != 0) {\r
-                       m = NES_MAX_INFO;\r
-                       \r
-                       for (i = 0; i < NES_MAX_INFO; i++)\r
-                               if (nvectorcount[i] > 10) {\r
-                                       m = i;\r
-                                       break;\r
-                               }\r
-                               \r
-                       if (m == NES_MAX_INFO)\r
-                               for (i = 0; i < NES_MAX_INFO; i++)\r
-                                       if (nvectorcount[NES_MAX_INFO] < nvectorcount[i]) {\r
-                                               m = i;\r
-                                               break;\r
-                                       }\r
-                                       \r
-                       if (m != NES_MAX_INFO) {\r
-                               for (i = 0; i < nvectorcount[m]; i++) {\r
-                                       nvector[m][i] = nvector[NES_MAX_INFO][i];\r
-                               }\r
-                               nvectorcount[m] = nvectorcount[NES_MAX_INFO];\r
-                       }\r
+       // UL-EV1 / NTAG authentication\r
+       if (usePwd) {\r
+               uint8_t pwd[4] = {0x00};\r
+               memcpy(pwd, datain+4, 4);\r
+               uint8_t pack[4] = {0,0,0,0};\r
+               if (!mifare_ul_ev1_auth(pwd, pack)) {\r
+                       OnError(1);\r
+                       return;\r
                }\r
        }\r
 \r
                }\r
        }\r
 \r
-       LED_C_OFF();\r
-       \r
-       //  ----------------------------- crypto1 destroy\r
-       crypto1_destroy(pcs);\r
-       \r
-       // add trace trailer\r
-       memset(uid, 0x44, 4);\r
-       LogTrace(uid, 4, 0, 0, TRUE);\r
-\r
-//  UsbCommand ack = {CMD_ACK, {0, 0, 0}};\r
+       if(mifare_ultra_writeblock(blockNo, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(0);\r
+               return;\r
+       };\r
 \r
 \r
-       for (i = 0; i < NES_MAX_INFO; i++) {\r
-               if (nvectorcount[i] > 10) continue;\r
-               \r
-               for (j = 0; j < nvectorcount[i]; j += 5) {\r
-                       ncount = nvectorcount[i] - j;\r
-                       if (ncount > 5) ncount = 5; \r
-\r
-//                     ack.arg[0] = 0; // isEOF = 0\r
-//                     ack.arg[1] = ncount;\r
-//                     ack.arg[2] = targetBlockNo + (targetKeyType * 0x100);\r
-//                     memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));\r
-                       \r
-      byte_t buf[48];\r
-      memset(buf, 0x00, sizeof(buf));\r
-                       memcpy(buf, &cuid, 4);\r
-                       for (m = 0; m < ncount; m++) {\r
-                               memcpy(buf + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4);\r
-                               memcpy(buf + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4);\r
-                       }\r
-       \r
-                       LED_B_ON();\r
-//                     SpinDelay(100);\r
-      cmd_send(CMD_ACK,0,ncount,targetBlockNo + (targetKeyType * 0x100),buf,48);\r
-//                     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
-                       LED_B_OFF();\r
-               }\r
-       }\r
+       if(mifare_ultra_halt()) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");\r
+               OnError(0);\r
+               return;\r
+       };\r
 \r
 \r
-       // finalize list\r
-//     ack.arg[0] = 1; // isEOF = 1\r
-//     ack.arg[1] = 0;\r
-//     ack.arg[2] = 0;\r
-//     memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));\r
-       \r
-       LED_B_ON();\r
-//     SpinDelay(300);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
-  cmd_send(CMD_ACK,1,0,0,0,0);\r
-       LED_B_OFF();\r
+       if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");\r
 \r
 \r
-       if (MF_DBGLEVEL >= 4)   DbpString("NESTED FINISHED");\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
 \r
 \r
-       // Thats it...\r
+void MifareUSetPwd(uint8_t arg0, uint8_t *datain){\r
+\r
+       uint8_t pwd[16] = {0x00};\r
+       byte_t blockdata[4] = {0x00};\r
+\r
+       memcpy(pwd, datain, 16);\r
+\r
+       LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       clear_trace();\r
+\r
+       if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       blockdata[0] = pwd[7];\r
+       blockdata[1] = pwd[6];\r
+       blockdata[2] = pwd[5];\r
+       blockdata[3] = pwd[4];\r
+       if(mifare_ultra_writeblock( 44, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(44);\r
+               return;\r
+       };\r
+\r
+       blockdata[0] = pwd[3];\r
+       blockdata[1] = pwd[2];\r
+       blockdata[2] = pwd[1];\r
+       blockdata[3] = pwd[0];\r
+       if(mifare_ultra_writeblock( 45, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(45);\r
+               return;\r
+       };\r
+\r
+       blockdata[0] = pwd[15];\r
+       blockdata[1] = pwd[14];\r
+       blockdata[2] = pwd[13];\r
+       blockdata[3] = pwd[12];\r
+       if(mifare_ultra_writeblock( 46, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(46);\r
+               return;\r
+       };\r
+\r
+       blockdata[0] = pwd[11];\r
+       blockdata[1] = pwd[10];\r
+       blockdata[2] = pwd[9];\r
+       blockdata[3] = pwd[8];\r
+       if(mifare_ultra_writeblock( 47, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(47);\r
+               return;\r
+       };\r
+\r
+       if(mifare_ultra_halt()) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
-       \r
-  iso14a_set_tracing(TRUE);\r
 }\r
 \r
 }\r
 \r
+// Return 1 if the nonce is invalid else return 0\r
+int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {\r
+       return ((oddparity8((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity8((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \\r
+       (oddparity8((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity8((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \\r
+       (oddparity8((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity8((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;\r
+}\r
+\r
+\r
 //-----------------------------------------------------------------------------\r
 //-----------------------------------------------------------------------------\r
-// MIFARE check keys. key count up to 8. \r
-// \r
+// acquire encrypted nonces in order to perform the attack described in\r
+// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened\r
+// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on\r
+// Computer and Communications Security, 2015\r
 //-----------------------------------------------------------------------------\r
 //-----------------------------------------------------------------------------\r
-void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
+void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)\r
 {\r
 {\r
-  // params\r
-       uint8_t blockNo = arg0;\r
-       uint8_t keyType = arg1;\r
-       uint8_t keyCount = arg2;\r
        uint64_t ui64Key = 0;\r
        uint64_t ui64Key = 0;\r
-       \r
-       // variables\r
-       int i;\r
-       byte_t isOK = 0;\r
-       uint8_t uid[8];\r
+       uint8_t uid[10];\r
        uint32_t cuid;\r
        uint32_t cuid;\r
+       uint8_t cascade_levels = 0;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
        struct Crypto1State mpcs = {0, 0};\r
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
-       \r
-       // clear debug level\r
-       int OLD_MF_DBGLEVEL = MF_DBGLEVEL;      \r
-       MF_DBGLEVEL = MF_DBG_NONE;\r
-       \r
-       // clear trace\r
-       iso14a_clear_trace();\r
-  iso14a_set_tracing(TRUE);\r
-\r
-       iso14443a_setup();\r
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+       int16_t isOK = 0;\r
+       uint8_t par_enc[1];\r
+       uint8_t nt_par_enc = 0;\r
+       uint8_t buf[USB_CMD_DATA_SIZE];\r
+       uint32_t timeout;\r
+\r
+       uint8_t blockNo = arg0 & 0xff;\r
+       uint8_t keyType = (arg0 >> 8) & 0xff;\r
+       uint8_t targetBlockNo = arg1 & 0xff;\r
+       uint8_t targetKeyType = (arg1 >> 8) & 0xff;\r
+       ui64Key = bytes_to_num(datain, 6);\r
+       bool initialize = flags & 0x0001;\r
+       bool slow = flags & 0x0002;\r
+       bool field_off = flags & 0x0004;\r
 \r
        LED_A_ON();\r
 \r
        LED_A_ON();\r
-       LED_B_OFF();\r
        LED_C_OFF();\r
 \r
        LED_C_OFF();\r
 \r
-       SpinDelay(300);\r
-       for (i = 0; i < keyCount; i++) {\r
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-    SpinDelay(100);\r
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
+       if (initialize) {\r
+               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+               clear_trace();\r
+               set_tracing(true);\r
+       }\r
+\r
+       LED_C_ON();\r
+\r
+       uint16_t num_nonces = 0;\r
+       bool have_uid = false;\r
+       for (uint16_t i = 0; i <= USB_CMD_DATA_SIZE - 9; ) {\r
 \r
 \r
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-                       if (OLD_MF_DBGLEVEL >= 1)       Dbprintf("Can't select card");\r
+               // Test if the action was cancelled\r
+               if(BUTTON_PRESS()) {\r
+                       isOK = 2;\r
+                       field_off = true;\r
                        break;\r
                        break;\r
-               };\r
+               }\r
 \r
 \r
-               ui64Key = bytes_to_num(datain + i * 6, 6);\r
-               if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {\r
+               if (!have_uid) { // need a full select cycle to get the uid first\r
+                       iso14a_card_select_t card_info;\r
+                       if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0, true)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("AcquireNonces: Can't select card (ALL)");\r
+                               continue;\r
+                       }\r
+                       switch (card_info.uidlen) {\r
+                               case 4 : cascade_levels = 1; break;\r
+                               case 7 : cascade_levels = 2; break;\r
+                               case 10: cascade_levels = 3; break;\r
+                               default: break;\r
+                       }\r
+                       have_uid = true;\r
+               } else { // no need for anticollision. We can directly select the card\r
+                       if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels, true)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("AcquireNonces: Can't select card (UID)");\r
+                               continue;\r
+                       }\r
+               }\r
+\r
+               if (slow) {\r
+                       timeout = GetCountSspClk() + PRE_AUTHENTICATION_LEADTIME;\r
+                       while(GetCountSspClk() < timeout);\r
+               }\r
+\r
+               uint32_t nt1;\r
+               if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, NULL)) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("AcquireNonces: Auth1 error");\r
                        continue;\r
                        continue;\r
-               };\r
-               \r
-               isOK = 1;\r
-               break;\r
+               }\r
+\r
+               // nested authentication\r
+               uint16_t len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par_enc, NULL);\r
+               if (len != 4) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("AcquireNonces: Auth2 error len=%d", len);\r
+                       continue;\r
+               }\r
+\r
+               // send a dummy byte as reader response in order to trigger the cards authentication timeout\r
+               uint8_t dummy_answer = 0;\r
+               ReaderTransmit(&dummy_answer, 1, NULL);\r
+               timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;\r
+\r
+               num_nonces++;\r
+               if (num_nonces % 2) {\r
+                       memcpy(buf+i, receivedAnswer, 4);\r
+                       nt_par_enc = par_enc[0] & 0xf0;\r
+               } else {\r
+                       nt_par_enc |= par_enc[0] >> 4;\r
+                       memcpy(buf+i+4, receivedAnswer, 4);\r
+                       memcpy(buf+i+8, &nt_par_enc, 1);\r
+                       i += 9;\r
+               }\r
+\r
+               // wait for the card to become ready again\r
+               while(GetCountSspClk() < timeout);\r
+\r
        }\r
        }\r
-       \r
+\r
+       LED_C_OFF();\r
+\r
+       crypto1_destroy(pcs);\r
+\r
+       LED_B_ON();\r
+       cmd_send(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));\r
+       LED_B_OFF();\r
+\r
+       if (MF_DBGLEVEL >= 3)   DbpString("AcquireEncryptedNonces finished");\r
+\r
+       if (field_off) {\r
+               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+               LEDsoff();\r
+       }\r
+}\r
+\r
+\r
+//-----------------------------------------------------------------------------\r
+// MIFARE nested authentication.\r
+//\r
+//-----------------------------------------------------------------------------\r
+void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)\r
+{\r
+       // params\r
+       uint8_t blockNo = arg0 & 0xff;\r
+       uint8_t keyType = (arg0 >> 8) & 0xff;\r
+       uint8_t targetBlockNo = arg1 & 0xff;\r
+       uint8_t targetKeyType = (arg1 >> 8) & 0xff;\r
+       uint64_t ui64Key = 0;\r
+\r
+       ui64Key = bytes_to_num(datain, 6);\r
+\r
+       // variables\r
+       uint16_t rtr, i, j, len;\r
+       uint16_t davg;\r
+       static uint16_t dmin, dmax;\r
+       uint8_t uid[10];\r
+       uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;\r
+       uint8_t par[1];\r
+       uint32_t target_nt[2], target_ks[2];\r
+\r
+       uint8_t par_array[4];\r
+       uint16_t ncount = 0;\r
+       struct Crypto1State mpcs = {0, 0};\r
+       struct Crypto1State *pcs;\r
+       pcs = &mpcs;\r
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+\r
+       uint32_t auth1_time, auth2_time;\r
+       static uint16_t delta_time;\r
+\r
+       LED_A_ON();\r
+       LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       // free eventually allocated BigBuf memory\r
+       BigBuf_free();\r
+\r
+       if (calibrate) clear_trace();\r
+       set_tracing(true);\r
+\r
+       // statistics on nonce distance\r
+       int16_t isOK = 0;\r
+       #define NESTED_MAX_TRIES 12\r
+       uint16_t unsuccessfull_tries = 0;\r
+       if (calibrate) {        // for first call only. Otherwise reuse previous calibration\r
+               LED_B_ON();\r
+               WDT_HIT();\r
+\r
+               davg = dmax = 0;\r
+               dmin = 2000;\r
+               delta_time = 0;\r
+\r
+               for (rtr = 0; rtr < 17; rtr++) {\r
+\r
+                       // Test if the action was cancelled\r
+                       if(BUTTON_PRESS()) {\r
+                               isOK = -2;\r
+                               break;\r
+                       }\r
+\r
+                       // prepare next select. No need to power down the card.\r
+                       if(mifare_classic_halt(pcs, cuid)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Halt error");\r
+                               rtr--;\r
+                               continue;\r
+                       }\r
+\r
+                       if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Can't select card");\r
+                               rtr--;\r
+                               continue;\r
+                       };\r
+\r
+                       auth1_time = 0;\r
+                       if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Auth1 error");\r
+                               rtr--;\r
+                               continue;\r
+                       };\r
+\r
+                       if (delta_time) {\r
+                               auth2_time = auth1_time + delta_time;\r
+                       } else {\r
+                               auth2_time = 0;\r
+                       }\r
+                       if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Auth2 error");\r
+                               rtr--;\r
+                               continue;\r
+                       };\r
+\r
+                       nttmp = prng_successor(nt1, 100);                               //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160\r
+                       for (i = 101; i < 1200; i++) {\r
+                               nttmp = prng_successor(nttmp, 1);\r
+                               if (nttmp == nt2) break;\r
+                       }\r
+\r
+                       if (i != 1200) {\r
+                               if (rtr != 0) {\r
+                                       davg += i;\r
+                                       dmin = MIN(dmin, i);\r
+                                       dmax = MAX(dmax, i);\r
+                               }\r
+                               else {\r
+                                       delta_time = auth2_time - auth1_time + 32;  // allow some slack for proper timing\r
+                               }\r
+                               if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);\r
+                       } else {\r
+                               unsuccessfull_tries++;\r
+                               if (unsuccessfull_tries > NESTED_MAX_TRIES) {   // card isn't vulnerable to nested attack (random numbers are not predictable)\r
+                                       isOK = -3;\r
+                               }\r
+                       }\r
+               }\r
+\r
+               davg = (davg + (rtr - 1)/2) / (rtr - 1);\r
+\r
+               if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);\r
+\r
+               dmin = davg - 2;\r
+               dmax = davg + 2;\r
+\r
+               LED_B_OFF();\r
+\r
+       }\r
+       //  -------------------------------------------------------------------------------------------------\r
+\r
+       LED_C_ON();\r
+\r
+       //  get crypted nonces for target sector\r
+       for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces\r
+\r
+               target_nt[i] = 0;\r
+               while(target_nt[i] == 0) { // continue until we have an unambiguous nonce\r
+\r
+                       // prepare next select. No need to power down the card.\r
+                       if(mifare_classic_halt(pcs, cuid)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Halt error");\r
+                               continue;\r
+                       }\r
+\r
+                       if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Can't select card");\r
+                               continue;\r
+                       };\r
+\r
+                       auth1_time = 0;\r
+                       if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Auth1 error");\r
+                               continue;\r
+                       };\r
+\r
+                       // nested authentication\r
+                       auth2_time = auth1_time + delta_time;\r
+                       len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);\r
+                       if (len != 4) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Auth2 error len=%d", len);\r
+                               continue;\r
+                       };\r
+\r
+                       nt2 = bytes_to_num(receivedAnswer, 4);\r
+                       if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);\r
+\r
+                       // Parity validity check\r
+                       for (j = 0; j < 4; j++) {\r
+                               par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));\r
+                       }\r
+\r
+                       ncount = 0;\r
+                       nttest = prng_successor(nt1, dmin - 1);\r
+                       for (j = dmin; j < dmax + 1; j++) {\r
+                               nttest = prng_successor(nttest, 1);\r
+                               ks1 = nt2 ^ nttest;\r
+\r
+                               if (valid_nonce(nttest, nt2, ks1, par_array)){\r
+                                       if (ncount > 0) {               // we are only interested in disambiguous nonces, try again\r
+                                               if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);\r
+                                               target_nt[i] = 0;\r
+                                               break;\r
+                                       }\r
+                                       target_nt[i] = nttest;\r
+                                       target_ks[i] = ks1;\r
+                                       ncount++;\r
+                                       if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces\r
+                                               target_nt[i] = 0;\r
+                                               if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);\r
+                                               break;\r
+                                       }\r
+                                       if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);\r
+                               }\r
+                       }\r
+                       if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);\r
+               }\r
+       }\r
+\r
+       LED_C_OFF();\r
+\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
-       \r
-       // add trace trailer\r
-       memset(uid, 0x44, 4);\r
-       LogTrace(uid, 4, 0, 0, TRUE);\r
 \r
 \r
-//     UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};\r
-//     if (isOK) memcpy(ack.d.asBytes, datain + i * 6, 6);\r
-       \r
+       byte_t buf[4 + 4 * 4];\r
+       memcpy(buf, &cuid, 4);\r
+       memcpy(buf+4, &target_nt[0], 4);\r
+       memcpy(buf+8, &target_ks[0], 4);\r
+       memcpy(buf+12, &target_nt[1], 4);\r
+       memcpy(buf+16, &target_ks[1], 4);\r
+\r
        LED_B_ON();\r
        LED_B_ON();\r
-    cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+       cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));\r
+       LED_B_OFF();\r
+\r
+       if (MF_DBGLEVEL >= 3)   DbpString("NESTED FINISHED");\r
+\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
+\r
+//-----------------------------------------------------------------------------\r
+// MIFARE check keys. key count up to 85.\r
+//\r
+//-----------------------------------------------------------------------------\r
+void MifareChkKeys(uint16_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)\r
+{\r
+       uint8_t blockNo = arg0 & 0xff;\r
+       uint8_t keyType = (arg0 >> 8) & 0xff;\r
+       bool clearTrace = arg1 & 0x01;\r
+       bool multisectorCheck = arg1 & 0x02;\r
+       uint8_t set14aTimeout = (arg1 >> 8) & 0xff;\r
+       uint8_t keyCount = arg2;\r
+\r
+       // clear debug level\r
+       int OLD_MF_DBGLEVEL = MF_DBGLEVEL;\r
+       MF_DBGLEVEL = MF_DBG_NONE;\r
+\r
+       LED_A_ON();\r
        LED_B_OFF();\r
        LED_B_OFF();\r
+       LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       if (clearTrace) clear_trace();\r
+       set_tracing(true);\r
+\r
+       if (set14aTimeout){\r
+               iso14a_set_timeout(set14aTimeout * 10); // timeout: ms = x/106  35-minimum, 50-OK 106-recommended 500-safe\r
+       }\r
+       \r
+       if (multisectorCheck) {\r
+               TKeyIndex keyIndex = {{0}};\r
+               uint8_t sectorCnt = blockNo;\r
+               int res = MifareMultisectorChk(datain, keyCount, sectorCnt, keyType, OLD_MF_DBGLEVEL, &keyIndex);\r
+\r
+               LED_B_ON();\r
+               if (res >= 0) {\r
+                       cmd_send(CMD_ACK, 1, 0, 0, keyIndex, 80);\r
+               } else {\r
+                       cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);\r
+               }\r
+               LED_B_OFF();\r
+       } else {        \r
+               int res = MifareChkBlockKeys(datain, keyCount, blockNo, keyType, OLD_MF_DBGLEVEL);\r
+               \r
+               LED_B_ON();\r
+               if (res > 0) {\r
+                       cmd_send(CMD_ACK, 1, 0, 0, datain + (res - 1) * 6, 6);\r
+               } else {\r
+                       cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);\r
+               }\r
+               LED_B_OFF();\r
+       }\r
 \r
 \r
-  // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
 \r
        // restore debug level\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
 \r
        // restore debug level\r
-       MF_DBGLEVEL = OLD_MF_DBGLEVEL;  \r
+       MF_DBGLEVEL = OLD_MF_DBGLEVEL;\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
 // MIFARE commands set debug level\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
 // MIFARE commands set debug level\r
-// \r
+//\r
 //-----------------------------------------------------------------------------\r
 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
        MF_DBGLEVEL = arg0;\r
 //-----------------------------------------------------------------------------\r
 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
        MF_DBGLEVEL = arg0;\r
@@ -610,35 +1024,38 @@ void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 \r
 //-----------------------------------------------------------------------------\r
 // Work with emulator memory\r
 \r
 //-----------------------------------------------------------------------------\r
 // Work with emulator memory\r
-// \r
+//\r
+// Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not\r
+// involved in dealing with emulator memory. But if it is called later, it might\r
+// destroy the Emulator Memory.\r
 //-----------------------------------------------------------------------------\r
 //-----------------------------------------------------------------------------\r
+\r
 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
        emlClearMem();\r
 }\r
 \r
 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
        emlClearMem();\r
 }\r
 \r
 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
        emlSetMem(datain, arg0, arg1); // data, block num, blocks count\r
 }\r
 \r
 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
        emlSetMem(datain, arg0, arg1); // data, block num, blocks count\r
 }\r
 \r
 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
-//     UsbCommand ack = {CMD_ACK, {arg0, arg1, 0}};\r
-\r
-  byte_t buf[48];\r
-       emlGetMem(buf, arg0, arg1); // data, block num, blocks count\r
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
+       byte_t buf[USB_CMD_DATA_SIZE];\r
+       emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)\r
 \r
        LED_B_ON();\r
 \r
        LED_B_ON();\r
-  cmd_send(CMD_ACK,arg0,arg1,0,buf,48);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+       cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);\r
        LED_B_OFF();\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
 // Load a card into the emulator memory\r
        LED_B_OFF();\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
 // Load a card into the emulator memory\r
-// \r
+//\r
 //-----------------------------------------------------------------------------\r
 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
 //-----------------------------------------------------------------------------\r
 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
-       int i;\r
-       uint8_t sectorNo = 0;\r
+       uint8_t numSectors = arg0;\r
        uint8_t keyType = arg1;\r
        uint64_t ui64Key = 0;\r
        uint32_t cuid;\r
        uint8_t keyType = arg1;\r
        uint64_t ui64Key = 0;\r
        uint32_t cuid;\r
@@ -649,101 +1066,216 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
        // variables\r
        byte_t dataoutbuf[16];\r
        byte_t dataoutbuf2[16];\r
        // variables\r
        byte_t dataoutbuf[16];\r
        byte_t dataoutbuf2[16];\r
-       uint8_t uid[8];\r
-\r
-       // clear trace\r
-       iso14a_clear_trace();\r
-       iso14a_set_tracing(false);\r
-       \r
-       iso14443a_setup();\r
+       uint8_t uid[10];\r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
 \r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
-       \r
-       while (true) {\r
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
-                       break;\r
-               };\r
-               \r
-               for (i = 0; i < 16; i++) {\r
-                       sectorNo = i;\r
-                       ui64Key = emlGetKey(sectorNo, keyType);\r
-       \r
-                       if (!i){\r
-                               if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {\r
-                                       if (MF_DBGLEVEL >= 1)   Dbprintf("Sector[%d]. Auth error", i);\r
-                                       break;\r
-                               }\r
-                       } else {\r
-                               if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_NESTED)) {\r
-                                       if (MF_DBGLEVEL >= 1)   Dbprintf("Sector[%d]. Auth nested error", i);\r
-                                       break;\r
-                               }\r
-                       }\r
-               \r
-                       if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 0 error");\r
-                               break;\r
-                       };\r
-                       emlSetMem(dataoutbuf, sectorNo * 4 + 0, 1);\r
-                       \r
-                       if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 1 error");\r
-                               break;\r
-                       };\r
-                       emlSetMem(dataoutbuf, sectorNo * 4 + 1, 1);\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       clear_trace();\r
+       set_tracing(false);\r
 \r
 \r
-                       if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 2 error");\r
+       bool isOK = true;\r
+\r
+       if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
+               isOK = false;\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
+       }\r
+\r
+       for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
+               ui64Key = emlGetKey(sectorNo, keyType);\r
+               if (sectorNo == 0){\r
+                       if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {\r
+                               isOK = false;\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Sector[%2d]. Auth error", sectorNo);\r
                                break;\r
                                break;\r
-                       };\r
-                       emlSetMem(dataoutbuf, sectorNo * 4 + 2, 1);\r
+                       }\r
+               } else {\r
+                       if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {\r
+                               isOK = false;\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Sector[%2d]. Auth nested error", sectorNo);\r
+                               break;\r
+                       }\r
+               }\r
 \r
 \r
-                       // get block 3 bytes 6-9\r
-                       if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Read block 3 error");\r
+               for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
+                       if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {\r
+                               isOK = false;\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);\r
                                break;\r
                        };\r
                                break;\r
                        };\r
-                       emlGetMem(dataoutbuf2, sectorNo * 4 + 3, 1);\r
-                       memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);\r
-                       emlSetMem(dataoutbuf2,  sectorNo * 4 + 3, 1);\r
+                       if (isOK) {\r
+                               if (blockNo < NumBlocksPerSector(sectorNo) - 1) {\r
+                                       emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);\r
+                               } else {        // sector trailer, keep the keys, set only the AC\r
+                                       emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);\r
+                                       memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);\r
+                                       emlSetMem(dataoutbuf2,  FirstBlockOfSector(sectorNo) + blockNo, 1);\r
+                               }\r
+                       }\r
                }\r
 \r
                }\r
 \r
-               if(mifare_classic_halt(pcs, cuid)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                       break;\r
-               };\r
-               \r
-               break;\r
-       }       \r
+       }\r
+\r
+       if(mifare_classic_halt(pcs, cuid)) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
+       };\r
 \r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
 \r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
 \r
        //  ----------------------------- crypto1 destroy\r
        crypto1_destroy(pcs);\r
 \r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
-       \r
+\r
        if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");\r
 \r
        if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");\r
 \r
-       // add trace trailer\r
-       memset(uid, 0x44, 4);\r
-       LogTrace(uid, 4, 0, 0, TRUE);\r
 }\r
 \r
 }\r
 \r
-//-----------------------------------------------------------------------------\r
-// MIFARE 1k emulator\r
-// \r
-//-----------------------------------------------------------------------------\r
-\r
 \r
 //-----------------------------------------------------------------------------\r
 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)\r
 \r
 //-----------------------------------------------------------------------------\r
 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)\r
-// \r
+//\r
 //-----------------------------------------------------------------------------\r
 //-----------------------------------------------------------------------------\r
+\r
+static bool isBlockTrailer(int blockN) {\r
+       if (blockN >= 0 && blockN < 128) {\r
+               return ((blockN & 0x03) == 0x03);\r
+       }\r
+       if (blockN >= 128 && blockN <= 256) {\r
+               return ((blockN & 0x0F) == 0x0F);\r
+       }\r
+       return FALSE;\r
+}\r
+\r
+void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+       // var\r
+       byte_t isOK = 0;\r
+       uint32_t numBlocks = arg0;\r
+       // cmdParams:\r
+       // bit 0 - wipe gen1a\r
+       // bit 1 - fill card with default data\r
+       // bit 2 - gen1a = 0, gen1b = 1\r
+       uint8_t cmdParams = arg1;\r
+       bool needWipe = cmdParams & 0x01;\r
+       bool needFill = cmdParams & 0x02;\r
+       bool gen1b = cmdParams & 0x04;\r
+       \r
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
+       \r
+       uint8_t block0[16] = {0x01, 0x02, 0x03, 0x04, 0x04, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBE, 0xAF};\r
+       uint8_t block1[16] = {0x00};\r
+       uint8_t blockK[16] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x08, 0x77, 0x8F, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
+       uint8_t d_block[18] = {0x00};\r
+       \r
+       // card commands\r
+       uint8_t wupC1[]       = { 0x40 };\r
+       uint8_t wupC2[]       = { 0x43 };\r
+       uint8_t wipeC[]       = { 0x41 };\r
+       \r
+       // iso14443 setup\r
+       LED_A_ON();\r
+       LED_B_OFF();\r
+       LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       // tracing\r
+       clear_trace();\r
+       set_tracing(true);\r
+               \r
+       while (true){\r
+               // wipe\r
+               if (needWipe){\r
+                       ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+                       if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
+                               break;\r
+                       };\r
+\r
+                       ReaderTransmit(wipeC, sizeof(wipeC), NULL);\r
+                       if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("wipeC error");\r
+                               break;\r
+                       };\r
+\r
+                       if(mifare_classic_halt(NULL, 0)) {\r
+                               if (MF_DBGLEVEL > 2)    Dbprintf("Halt error");\r
+                       };\r
+               };\r
+       \r
+               // put default data\r
+               if (needFill){\r
+                       // select commands\r
+                       ReaderTransmitBitsPar(wupC1, 7, 0, NULL);\r
+\r
+                       // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)\r
+                       if (!gen1b) { \r
+\r
+                               if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
+                                       if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
+                                       break;\r
+                               };\r
+\r
+                               ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
+                               if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
+                                       if (MF_DBGLEVEL >= 1)   Dbprintf("wupC2 error");\r
+                                       break;\r
+                               };\r
+                       }\r
+\r
+                       // send blocks command\r
+                       for (int blockNo = 0; blockNo < numBlocks; blockNo++) {\r
+                               if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+                                       if (MF_DBGLEVEL >= 1)   Dbprintf("write block send command error");\r
+                                       break;\r
+                               };\r
+                               \r
+                               // check type of block and add crc\r
+                               if (!isBlockTrailer(blockNo)){\r
+                                       memcpy(d_block, block1, 16);\r
+                               } else {\r
+                                       memcpy(d_block, blockK, 16);\r
+                               }\r
+                               if (blockNo == 0) {\r
+                                       memcpy(d_block, block0, 16);\r
+                               }\r
+                               AppendCrc14443a(d_block, 16);\r
+\r
+                               // send write command\r
+                               ReaderTransmit(d_block, sizeof(d_block), NULL);\r
+                               if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+                                       if (MF_DBGLEVEL >= 1)   Dbprintf("write block send data error");\r
+                                       break;\r
+                               };\r
+                       }\r
+                       \r
+                       // halt\r
+                       // do no issue halt command for gen1b \r
+                       if (!gen1b) {\r
+                               if (mifare_classic_halt(NULL, 0)) {\r
+                                       if (MF_DBGLEVEL > 2)    Dbprintf("Halt error");\r
+                                               break;\r
+                               }\r
+                       }\r
+               }\r
+               break;\r
+       }       \r
+\r
+       // send USB response\r
+       LED_B_ON();\r
+       cmd_send(CMD_ACK,isOK,0,0,NULL,0);\r
+       LED_B_OFF();\r
+       \r
+       // reset fpga\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+               \r
+       return;\r
+}\r
+\r
 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
-  \r
+\r
   // params\r
        uint8_t needWipe = arg0;\r
        // bit 0 - need get UID\r
   // params\r
        uint8_t needWipe = arg0;\r
        // bit 0 - need get UID\r
@@ -751,221 +1283,315 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
        // bit 2 - need HALT after sequence\r
        // bit 3 - need init FPGA and field before sequence\r
        // bit 4 - need reset FPGA and LED\r
        // bit 2 - need HALT after sequence\r
        // bit 3 - need init FPGA and field before sequence\r
        // bit 4 - need reset FPGA and LED\r
+       // bit 6 - gen1b backdoor type\r
        uint8_t workFlags = arg1;\r
        uint8_t blockNo = arg2;\r
        uint8_t workFlags = arg1;\r
        uint8_t blockNo = arg2;\r
-       \r
+\r
        // card commands\r
        // card commands\r
-       uint8_t wupC1[]       = { 0x40 }; \r
-       uint8_t wupC2[]       = { 0x43 }; \r
-       uint8_t wipeC[]       = { 0x41 }; \r
-       \r
+       uint8_t wupC1[]       = { 0x40 };\r
+       uint8_t wupC2[]       = { 0x43 };\r
+       uint8_t wipeC[]       = { 0x41 };\r
+\r
        // variables\r
        byte_t isOK = 0;\r
        // variables\r
        byte_t isOK = 0;\r
-       uint8_t uid[8];\r
-       uint8_t d_block[18];\r
+       uint8_t uid[10] = {0x00};\r
+       uint8_t d_block[18] = {0x00};\r
        uint32_t cuid;\r
        uint32_t cuid;\r
-       \r
-       memset(uid, 0x00, 8);\r
-       uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
-       \r
-       if (workFlags & 0x08) {\r
-               // clear trace\r
-               iso14a_clear_trace();\r
-               iso14a_set_tracing(TRUE);\r
 \r
 \r
-               iso14443a_setup();\r
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
 \r
 \r
+       // reset FPGA and LED\r
+       if (workFlags & 0x08) {\r
                LED_A_ON();\r
                LED_B_OFF();\r
                LED_C_OFF();\r
                LED_A_ON();\r
                LED_B_OFF();\r
                LED_C_OFF();\r
-       \r
-               SpinDelay(300);\r
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-               SpinDelay(100);\r
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
+               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+               clear_trace();\r
+               set_tracing(true);\r
        }\r
 \r
        while (true) {\r
        }\r
 \r
        while (true) {\r
+\r
                // get UID from chip\r
                if (workFlags & 0x01) {\r
                // get UID from chip\r
                if (workFlags & 0x01) {\r
-                       if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
+                       if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
-                               break;\r
-                       };\r
-\r
-                       if(mifare_classic_halt(NULL, cuid)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                               break;\r
-                       };\r
+                               // Continue, if we set wrong UID or wrong UID checksum or some ATQA or SAK we will can't select card. But we need to write block 0 to make card work.\r
+                               //break;\r
+                               };\r
+\r
+                               if(mifare_classic_halt(NULL, cuid)) {\r
+                                       if (MF_DBGLEVEL > 2)    Dbprintf("Halt error");\r
+                                       // Continue, some magic tags misbehavies and send an answer to it.\r
+                                       // break;\r
+                               };\r
                };\r
                };\r
-       \r
+\r
                // reset chip\r
                // reset chip\r
-               if (needWipe){\r
-                       ReaderTransmitShort(wupC1);\r
-                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+               // Wipe command don't work with gen1b\r
+               if (needWipe && !(workFlags & 0x40)){\r
+                       ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+                       if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
                                break;\r
                        };\r
 \r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
                                break;\r
                        };\r
 \r
-                       ReaderTransmit(wipeC, sizeof(wipeC));\r
-                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+                       ReaderTransmit(wipeC, sizeof(wipeC), NULL);\r
+                       if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wipeC error");\r
                                break;\r
                        };\r
 \r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wipeC error");\r
                                break;\r
                        };\r
 \r
-                       if(mifare_classic_halt(NULL, cuid)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                               break;\r
+                       if(mifare_classic_halt(NULL, 0)) {\r
+                               if (MF_DBGLEVEL > 2)    Dbprintf("Halt error");\r
+                               // Continue, some magic tags misbehavies and send an answer to it.\r
+                               // break;\r
                        };\r
                        };\r
-               };      \r
+               };\r
 \r
                // write block\r
                if (workFlags & 0x02) {\r
 \r
                // write block\r
                if (workFlags & 0x02) {\r
-                       ReaderTransmitShort(wupC1);\r
-                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
-                               break;\r
-                       };\r
+                       ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
 \r
 \r
-                       ReaderTransmit(wupC2, sizeof(wupC2));\r
-                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("wupC2 error");\r
-                               break;\r
-                       };\r
+                       // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)\r
+                       if (!(workFlags & 0x40)) {\r
+\r
+                               if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
+                                       if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
+                                       break;\r
+                               };\r
+\r
+                               ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
+                               if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
+                                       if (MF_DBGLEVEL >= 1)   Dbprintf("wupC2 error");\r
+                                       break;\r
+                               };\r
+                       }\r
                }\r
 \r
                }\r
 \r
-               if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+               if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("write block send command error");\r
                        break;\r
                };\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("write block send command error");\r
                        break;\r
                };\r
-       \r
+\r
                memcpy(d_block, datain, 16);\r
                AppendCrc14443a(d_block, 16);\r
                memcpy(d_block, datain, 16);\r
                AppendCrc14443a(d_block, 16);\r
-       \r
-               ReaderTransmit(d_block, sizeof(d_block));\r
-               if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+\r
+               ReaderTransmit(d_block, sizeof(d_block), NULL);\r
+               if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("write block send data error");\r
                        break;\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("write block send data error");\r
                        break;\r
-               };      \r
-       \r
+               };\r
+\r
                if (workFlags & 0x04) {\r
                if (workFlags & 0x04) {\r
-                       if (mifare_classic_halt(NULL, cuid)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                               break;\r
-                       };\r
+                       // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1)\r
+                       if (!(workFlags & 0x40)) {\r
+                               if (mifare_classic_halt(NULL, 0)) {\r
+                                       if (MF_DBGLEVEL > 2)    Dbprintf("Halt error");\r
+                                       // Continue, some magic tags misbehavies and send an answer to it.\r
+                                       // break;\r
+                               }\r
+                       }\r
                }\r
                }\r
-               \r
+\r
                isOK = 1;\r
                break;\r
        }\r
                isOK = 1;\r
                break;\r
        }\r
-       \r
-//     UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};\r
-//     if (isOK) memcpy(ack.d.asBytes, uid, 4);\r
-       \r
-       // add trace trailer\r
-       memset(uid, 0x44, 4);\r
-       LogTrace(uid, 4, 0, 0, TRUE);\r
 \r
        LED_B_ON();\r
 \r
        LED_B_ON();\r
-  cmd_send(CMD_ACK,isOK,0,0,uid,4);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+       cmd_send(CMD_ACK,isOK,0,0,uid,4);\r
        LED_B_OFF();\r
 \r
        if ((workFlags & 0x10) || (!isOK)) {\r
        LED_B_OFF();\r
 \r
        if ((workFlags & 0x10) || (!isOK)) {\r
-               // Thats it...\r
                FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
                LEDsoff();\r
        }\r
 }\r
 \r
                FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
                LEDsoff();\r
        }\r
 }\r
 \r
+\r
 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
-  \r
-  // params\r
+\r
+       // params\r
        // bit 1 - need wupC\r
        // bit 2 - need HALT after sequence\r
        // bit 3 - need init FPGA and field before sequence\r
        // bit 4 - need reset FPGA and LED\r
        // bit 1 - need wupC\r
        // bit 2 - need HALT after sequence\r
        // bit 3 - need init FPGA and field before sequence\r
        // bit 4 - need reset FPGA and LED\r
+       // bit 5 - need to set datain instead of issuing USB reply (called via ARM for StandAloneMode14a)\r
+       // bit 6 - gen1b backdoor type\r
        uint8_t workFlags = arg0;\r
        uint8_t blockNo = arg2;\r
        uint8_t workFlags = arg0;\r
        uint8_t blockNo = arg2;\r
-       \r
+\r
        // card commands\r
        // card commands\r
-       uint8_t wupC1[]       = { 0x40 }; \r
-       uint8_t wupC2[]       = { 0x43 }; \r
-       \r
+       uint8_t wupC1[]       = { 0x40 };\r
+       uint8_t wupC2[]       = { 0x43 };\r
+\r
        // variables\r
        byte_t isOK = 0;\r
        // variables\r
        byte_t isOK = 0;\r
-       uint8_t data[18];\r
+       uint8_t data[18] = {0x00};\r
        uint32_t cuid = 0;\r
        uint32_t cuid = 0;\r
-       \r
-       memset(data, 0x00, 18);\r
-       uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
-       \r
-       if (workFlags & 0x08) {\r
-               // clear trace\r
-               iso14a_clear_trace();\r
-               iso14a_set_tracing(TRUE);\r
 \r
 \r
-               iso14443a_setup();\r
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
 \r
 \r
+       if (workFlags & 0x08) {\r
                LED_A_ON();\r
                LED_B_OFF();\r
                LED_C_OFF();\r
                LED_A_ON();\r
                LED_B_OFF();\r
                LED_C_OFF();\r
-       \r
-               SpinDelay(300);\r
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-               SpinDelay(100);\r
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
+               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+               clear_trace();\r
+               set_tracing(true);\r
        }\r
 \r
        while (true) {\r
                if (workFlags & 0x02) {\r
        }\r
 \r
        while (true) {\r
                if (workFlags & 0x02) {\r
-                       ReaderTransmitShort(wupC1);\r
-                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+                       ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+                       if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
                                break;\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
                                break;\r
-                       };\r
-\r
-                       ReaderTransmit(wupC2, sizeof(wupC2));\r
-                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+               };\r
+               // do no issue for gen1b magic tag\r
+               if (!(workFlags & 0x40)) {\r
+                       ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
+                       if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wupC2 error");\r
                                break;\r
                        };\r
                }\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("wupC2 error");\r
                                break;\r
                        };\r
                }\r
+       }\r
 \r
                // read block\r
 \r
                // read block\r
-               if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer) != 18)) {\r
+               if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("read block send command error");\r
                        break;\r
                };\r
                memcpy(data, receivedAnswer, 18);\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("read block send command error");\r
                        break;\r
                };\r
                memcpy(data, receivedAnswer, 18);\r
-               \r
+\r
                if (workFlags & 0x04) {\r
                if (workFlags & 0x04) {\r
-                       if (mifare_classic_halt(NULL, cuid)) {\r
-                               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                               break;\r
-                       };\r
+                       // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1)\r
+                       if (!(workFlags & 0x40)) {\r
+                               if (mifare_classic_halt(NULL, cuid)) {\r
+                                       if (MF_DBGLEVEL > 1)    Dbprintf("Halt error");\r
+                                       // Continue, some magic tags misbehavies and send an answer to it.\r
+                                       //              break;\r
+                               }\r
+                       }\r
                }\r
                }\r
-               \r
+\r
                isOK = 1;\r
                break;\r
        }\r
                isOK = 1;\r
                break;\r
        }\r
-       \r
-//     UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};\r
-//     if (isOK) memcpy(ack.d.asBytes, data, 18);\r
-       \r
-       // add trace trailer\r
-       memset(data, 0x44, 4);\r
-       LogTrace(data, 4, 0, 0, TRUE);\r
 \r
        LED_B_ON();\r
 \r
        LED_B_ON();\r
-  cmd_send(CMD_ACK,isOK,0,0,data,18);\r
-//     UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+       if (workFlags & 0x20) {\r
+               if (isOK)\r
+                       memcpy(datain, data, 18);\r
+       }\r
+       else\r
+               cmd_send(CMD_ACK,isOK,0,0,data,18);\r
        LED_B_OFF();\r
 \r
        if ((workFlags & 0x10) || (!isOK)) {\r
        LED_B_OFF();\r
 \r
        if ((workFlags & 0x10) || (!isOK)) {\r
-               // Thats it...\r
                FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
                LEDsoff();\r
        }\r
 }\r
 \r
                FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
                LEDsoff();\r
        }\r
 }\r
 \r
+void MifareCIdent(){\r
+\r
+       // card commands\r
+       uint8_t wupC1[]       = { 0x40 };\r
+       uint8_t wupC2[]       = { 0x43 };\r
+\r
+       // variables\r
+       byte_t isOK = 0;\r
+\r
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
+\r
+       ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+       if(ReaderReceive(receivedAnswer, receivedAnswerPar) && (receivedAnswer[0] == 0x0a)) {\r
+               isOK = 2;\r
+\r
+               ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
+               if(ReaderReceive(receivedAnswer, receivedAnswerPar) && (receivedAnswer[0] == 0x0a)) {\r
+                       isOK = 1;\r
+               };\r
+       };\r
+\r
+       // From iceman1001: removed the if,  since some magic tags misbehavies and send an answer to it.\r
+       mifare_classic_halt(NULL, 0);\r
+\r
+       cmd_send(CMD_ACK,isOK,0,0,0,0);\r
+}\r
+\r
+//\r
+// DESFIRE\r
+//\r
+\r
+void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){\r
+\r
+       byte_t dataout[11] = {0x00};\r
+       uint8_t uid[10] = {0x00};\r
+       uint32_t cuid;\r
+\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+       clear_trace();\r
+\r
+       int len = iso14443a_select_card(uid, NULL, &cuid, true, 0, true);\r
+       if(!len) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");\r
+               OnError(1);\r
+               return;\r
+       };\r
+\r
+       if(mifare_desfire_des_auth1(cuid, dataout)){\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");\r
+               OnError(4);\r
+               return;\r
+       }\r
+\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");\r
+    cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));\r
+}\r
+\r
+void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){\r
+\r
+       uint32_t cuid = arg0;\r
+       uint8_t key[16] = {0x00};\r
+       byte_t isOK = 0;\r
+       byte_t dataout[12] = {0x00};\r
+\r
+       memcpy(key, datain, 16);\r
+\r
+       isOK = mifare_desfire_des_auth2(cuid, key, dataout);\r
+\r
+       if( isOK) {\r
+               if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");\r
+               OnError(4);\r
+               return;\r
+       }\r
+\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");\r
+\r
+       cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
+\r
+void OnSuccess(){\r
+       pcb_blocknum = 0;\r
+       ReaderTransmit(deselect_cmd, 3 , NULL);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
+\r
+void OnError(uint8_t reason){\r
+       pcb_blocknum = 0;\r
+       ReaderTransmit(deselect_cmd, 3 , NULL);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       cmd_send(CMD_ACK,0,reason,0,0,0);\r
+       LEDsoff();\r
+}\r
Proxmark3 GIT tracking
Impressum, Datenschutz