]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
FIX: since the correctionNeeded logic changed, with PR #87 (https://github.com...
[proxmark3-svn] / armsrc / iso14443a.c
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 74e269da11c92f60e62e82046c3e4ec16ca275fd..f86b816fe049a0efc81a1334fe322aabba758e96 100644 (file)
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -1,5 +1,5 @@
-//-----------------------------------------------------------------------------
-// Merlok - June 2011
+  //-----------------------------------------------------------------------------
+// Merlok - June 2011, 2012
 // Gerhard de Koning Gans - May 2008
 // Hagen Fritsch - June 2010
 //
 // Gerhard de Koning Gans - May 2008
 // Hagen Fritsch - June 2010
 //
@@ -9,22 +9,93 @@
 //-----------------------------------------------------------------------------
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------
-
-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
-#include "string.h"
-
-#include "iso14443crc.h"
 #include "iso14443a.h"
 #include "iso14443a.h"
-#include "crapto1.h"
-#include "mifareutil.h"
 
 
-static uint8_t *trace = (uint8_t *) BigBuf;
-static int traceLen = 0;
-static int rsamples = 0;
-static int tracing = TRUE;
 static uint32_t iso14a_timeout;
 static uint32_t iso14a_timeout;
+int rsamples = 0;
+uint8_t trigger = 0;
+// the block number for the ISO14443-4 PCB
+static uint8_t iso14_pcb_blocknum = 0;
+
+static uint8_t* free_buffer_pointer;
+
+//
+// ISO14443 timing:
+//
+// minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
+#define REQUEST_GUARD_TIME (7000/16 + 1)
+// minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles 
+#define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1) 
+// bool LastCommandWasRequest = FALSE;
+
+//
+// Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
+//
+// When the PM acts as reader and is receiving tag data, it takes
+// 3 ticks delay in the AD converter
+// 16 ticks until the modulation detector completes and sets curbit
+// 8 ticks until bit_to_arm is assigned from curbit
+// 8*16 ticks for the transfer from FPGA to ARM
+// 4*16 ticks until we measure the time
+// - 8*16 ticks because we measure the time of the previous transfer 
+#define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16) 
+
+// When the PM acts as a reader and is sending, it takes
+// 4*16 ticks until we can write data to the sending hold register
+// 8*16 ticks until the SHR is transferred to the Sending Shift Register
+// 8 ticks until the first transfer starts
+// 8 ticks later the FPGA samples the data
+// 1 tick to assign mod_sig_coil
+#define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
+
+// When the PM acts as tag and is receiving it takes
+// 2 ticks delay in the RF part (for the first falling edge),
+// 3 ticks for the A/D conversion,
+// 8 ticks on average until the start of the SSC transfer,
+// 8 ticks until the SSC samples the first data
+// 7*16 ticks to complete the transfer from FPGA to ARM
+// 8 ticks until the next ssp_clk rising edge
+// 4*16 ticks until we measure the time 
+// - 8*16 ticks because we measure the time of the previous transfer 
+#define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
+// The FPGA will report its internal sending delay in
+uint16_t FpgaSendQueueDelay;
+// the 5 first bits are the number of bits buffered in mod_sig_buf
+// the last three bits are the remaining ticks/2 after the mod_sig_buf shift
+#define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
+
+// When the PM acts as tag and is sending, it takes
+// 4*16 ticks until we can write data to the sending hold register
+// 8*16 ticks until the SHR is transferred to the Sending Shift Register
+// 8 ticks until the first transfer starts
+// 8 ticks later the FPGA samples the data
+// + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
+// + 1 tick to assign mod_sig_coil
+#define DELAY_ARM2AIR_AS_TAG (4*16 + 8*16 + 8 + 8 + DELAY_FPGA_QUEUE + 1)
+
+// When the PM acts as sniffer and is receiving tag data, it takes
+// 3 ticks A/D conversion
+// 14 ticks to complete the modulation detection
+// 8 ticks (on average) until the result is stored in to_arm
+// + the delays in transferring data - which is the same for
+// sniffing reader and tag data and therefore not relevant
+#define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8) 
+// When the PM acts as sniffer and is receiving reader data, it takes
+// 2 ticks delay in analogue RF receiver (for the falling edge of the 
+// start bit, which marks the start of the communication)
+// 3 ticks A/D conversion
+// 8 ticks on average until the data is stored in to_arm.
+// + the delays in transferring data - which is the same for
+// sniffing reader and tag data and therefore not relevant
+#define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8) 
+
+//variables used for timing purposes:
+//these are in ssp_clk cycles:
+static uint32_t NextTransferTime;
+static uint32_t LastTimeProxToAirStart;
+static uint32_t LastProxToAirDuration;
 
 // CARD TO READER - manchester
 // Sequence D: 11110000 modulation with subcarrier during first half
 
 // CARD TO READER - manchester
 // Sequence D: 11110000 modulation with subcarrier during first half
@@ -41,569 +112,381 @@ static uint32_t iso14a_timeout;
 #define        SEC_Y 0x00
 #define        SEC_Z 0xc0
 
 #define        SEC_Y 0x00
 #define        SEC_Z 0xc0
 
-static const uint8_t OddByteParity[256] = {
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
-};
-
-uint8_t trigger = 0;
-void iso14a_set_trigger(int enable) {
+void iso14a_set_trigger(bool enable) {
        trigger = enable;
 }
 
        trigger = enable;
 }
 
-void iso14a_clear_tracelen(void) {
-       traceLen = 0;
+void iso14a_set_timeout(uint32_t timeout) {
+       iso14a_timeout = timeout;
+       if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
 }
 }
-void iso14a_set_tracing(int enable) {
-       tracing = enable;
+
+void iso14a_set_ATS_timeout(uint8_t *ats) {
+       uint8_t tb1;
+       uint8_t fwi; 
+       uint32_t fwt;
+       
+       if (ats[0] > 1) {                                                       // there is a format byte T0
+               if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
+
+                       if ((ats[1] & 0x10) == 0x10)            // there is an interface byte TA(1) preceding TB(1)
+                               tb1 = ats[3];
+                       else
+                               tb1 = ats[2];
+
+                       fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
+                       fwt = 256 * 16 * (1 << fwi);            // frame waiting time (FWT) in 1/fc
+                       //fwt = 4096 * (1 << fwi);
+                       
+                       iso14a_set_timeout(fwt/(8*16));
+                       //iso14a_set_timeout(fwt/128);
+               }
+       }
 }
 
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
 }
 
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
-byte_t oddparity (const byte_t bt)
-{
-  return OddByteParity[bt];
-}
-
-uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
-{
-  int i;
-  uint32_t dwPar = 0;
-
-  // Generate the encrypted data
-  for (i = 0; i < iLen; i++) {
-    // Save the encrypted parity bit
-    dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
-  }
-  return dwPar;
-}
+void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par) {
+       uint16_t paritybit_cnt = 0;
+       uint16_t paritybyte_cnt = 0;
+       uint8_t parityBits = 0;
+
+       for (uint16_t i = 0; i < iLen; i++) {
+               // Generate the parity bits
+               parityBits |= ((oddparity8(pbtCmd[i])) << (7-paritybit_cnt));
+               if (paritybit_cnt == 7) {
+                       par[paritybyte_cnt] = parityBits;       // save 8 Bits parity
+                       parityBits = 0;                                         // and advance to next Parity Byte
+                       paritybyte_cnt++;
+                       paritybit_cnt = 0;
+               } else {
+                       paritybit_cnt++;
+               }
+       }
 
 
-void AppendCrc14443a(uint8_t* data, int len)
-{
-  ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
+       // save remaining parity bits
+       par[paritybyte_cnt] = parityBits;       
 }
 
 }
 
-int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
-{
-  // Return when trace is full
-  if (traceLen >= TRACE_LENGTH) return FALSE;
-
-  // Trace the random, i'm curious
-  rsamples += iSamples;
-  trace[traceLen++] = ((rsamples >> 0) & 0xff);
-  trace[traceLen++] = ((rsamples >> 8) & 0xff);
-  trace[traceLen++] = ((rsamples >> 16) & 0xff);
-  trace[traceLen++] = ((rsamples >> 24) & 0xff);
-  if (!bReader) {
-    trace[traceLen - 1] |= 0x80;
-  }
-  trace[traceLen++] = ((dwParity >> 0) & 0xff);
-  trace[traceLen++] = ((dwParity >> 8) & 0xff);
-  trace[traceLen++] = ((dwParity >> 16) & 0xff);
-  trace[traceLen++] = ((dwParity >> 24) & 0xff);
-  trace[traceLen++] = iLen;
-  memcpy(trace + traceLen, btBytes, iLen);
-  traceLen += iLen;
-  return TRUE;
+void AppendCrc14443a(uint8_t* data, int len) {
+       ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
 }
 
 }
 
+//=============================================================================
+// ISO 14443 Type A - Miller decoder
+//=============================================================================
+// Basics:
+// This decoder is used when the PM3 acts as a tag.
+// The reader will generate "pauses" by temporarily switching of the field. 
+// At the PM3 antenna we will therefore measure a modulated antenna voltage. 
+// The FPGA does a comparison with a threshold and would deliver e.g.:
+// ........  1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1  .......
+// The Miller decoder needs to identify the following sequences:
+// 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated:        pause at beginning - Sequence Z ("start of communication" or a "0")
+// 8 ticks without a modulation:                                                                       no pause - Sequence Y (a "0" or "end of communication" or "no information")
+// 4 ticks unmodulated followed by 2 (or 3) ticks pause:                       pause in second half - Sequence X (a "1")
+// Note 1: the bitstream may start at any time. We therefore need to sync.
+// Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-// The software UART that receives commands from the reader, and its state
-// variables.
-//-----------------------------------------------------------------------------
-static struct {
-    enum {
-        STATE_UNSYNCD,
-        STATE_START_OF_COMMUNICATION,
-               STATE_MILLER_X,
-               STATE_MILLER_Y,
-               STATE_MILLER_Z,
-        STATE_ERROR_WAIT
-    }       state;
-    uint16_t    shiftReg;
-    int     bitCnt;
-    int     byteCnt;
-    int     byteCntMax;
-    int     posCnt;
-    int     syncBit;
-       int     parityBits;
-       int     samples;
-    int     highCnt;
-    int     bitBuffer;
-       enum {
-               DROP_NONE,
-               DROP_FIRST_HALF,
-               DROP_SECOND_HALF
-       }               drop;
-    uint8_t   *output;
-} Uart;
-
-static RAMFUNC int MillerDecoding(int bit)
-{
-       int error = 0;
-       int bitright;
-
-       if(!Uart.bitBuffer) {
-               Uart.bitBuffer = bit ^ 0xFF0;
-               return FALSE;
-       }
-       else {
-               Uart.bitBuffer <<= 4;
-               Uart.bitBuffer ^= bit;
-       }
-
-       int EOC = FALSE;
+static tUart Uart;
+
+// Lookup-Table to decide if 4 raw bits are a modulation.
+// We accept the following:
+// 0001  -   a 3 tick wide pause
+// 0011  -   a 2 tick wide pause, or a three tick wide pause shifted left
+// 0111  -   a 2 tick wide pause shifted left
+// 1001  -   a 2 tick wide pause shifted right
+const bool Mod_Miller_LUT[] = {
+       FALSE,  TRUE, FALSE, TRUE,  FALSE, FALSE, FALSE, TRUE,
+       FALSE,  TRUE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE
+};
+#define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
+#define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
 
 
-       if(Uart.state != STATE_UNSYNCD) {
-               Uart.posCnt++;
+void UartReset() {
+       Uart.state = STATE_UNSYNCD;
+       Uart.bitCount = 0;
+       Uart.len = 0;                                           // number of decoded data bytes
+       Uart.parityLen = 0;                                     // number of decoded parity bytes
+       Uart.shiftReg = 0;                                      // shiftreg to hold decoded data bits
+       Uart.parityBits = 0;                            // holds 8 parity bits
+       Uart.startTime = 0;
+       Uart.endTime = 0;
+       
+       Uart.byteCntMax = 0;
+       Uart.posCnt = 0;
+       Uart.syncBit = 9999;
+}
 
 
-               if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
-                       bit = 0x00;
-               }
-               else {
-                       bit = 0x01;
-               }
-               if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
-                       bitright = 0x00;
-               }
-               else {
-                       bitright = 0x01;
-               }
-               if(bit != bitright) { bit = bitright; }
+void UartInit(uint8_t *data, uint8_t *parity) {
+       Uart.output = data;
+       Uart.parity = parity;
+       Uart.fourBits = 0x00000000;                     // clear the buffer for 4 Bits
+       UartReset();
+}
 
 
-               if(Uart.posCnt == 1) {
-                       // measurement first half bitperiod
-                       if(!bit) {
-                               Uart.drop = DROP_FIRST_HALF;
-                       }
+// use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
+static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
+       Uart.fourBits = (Uart.fourBits << 8) | bit;
+       
+       if (Uart.state == STATE_UNSYNCD) {                                                                                      // not yet synced
+                       Uart.syncBit = 9999;                                                                                            // not set
+               
+               // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated           Sequence Z (a "0" or "start of communication")
+               // 11111111 8 ticks unmodulation                                                                        Sequence Y (a "0" or "end of communication" or "no information")
+               // 111100x1 4 ticks unmodulated followed by 2|3 ticks pause                     Sequence X (a "1")
+
+               // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
+               // Sequence X followed by Sequence Y followed by Sequence Z     (111100x1 11111111 00x11111)
+               // we therefore look for a ...xx1111 11111111 00x11111xxxxxx... pattern 
+               // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
+               //
+#define ISO14443A_STARTBIT_MASK                0x07FFEF80              // mask is    00001111 11111111 1110 1111 10000000
+#define ISO14443A_STARTBIT_PATTERN     0x07FF8F80              // pattern is 00001111 11111111 1000 1111 10000000
+
+               if              ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 0)) == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 1)) == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 2)) == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 3)) == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 4)) == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 5)) == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 6)) == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
+               else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
+
+               if (Uart.syncBit != 9999) {                                                                                             // found a sync bit
+                       Uart.startTime = non_real_time ? non_real_time : (GetCountSspClk() & 0xfffffff8);
+                       Uart.startTime -= Uart.syncBit;
+                       Uart.endTime = Uart.startTime;
+                       Uart.state = STATE_START_OF_COMMUNICATION;
                }
                }
-               else {
-                       // measurement second half bitperiod
-                       if(!bit & (Uart.drop == DROP_NONE)) {
-                               Uart.drop = DROP_SECOND_HALF;
-                       }
-                       else if(!bit) {
-                               // measured a drop in first and second half
-                               // which should not be possible
-                               Uart.state = STATE_ERROR_WAIT;
-                               error = 0x01;
+       } else {
+
+               if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {                 
+                       if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) {         // Modulation in both halves - error
+                               UartReset();
+                       } else {                                                                                                                        // Modulation in first half = Sequence Z = logic "0"
+                               if (Uart.state == STATE_MILLER_X) {                                                             // error - must not follow after X
+                                       UartReset();
+                               } else {
+                                       Uart.bitCount++;
+                                       Uart.shiftReg = (Uart.shiftReg >> 1);                                           // add a 0 to the shiftreg
+                                       Uart.state = STATE_MILLER_Z;
+                                       Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 6;
+                                       if(Uart.bitCount >= 9) {                                                                        // if we decoded a full byte (including parity)
+                                               Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
+                                               Uart.parityBits <<= 1;                                                                  // make room for the parity bit
+                                               Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01);               // store parity bit
+                                               Uart.bitCount = 0;
+                                               Uart.shiftReg = 0;
+                                               if((Uart.len&0x0007) == 0) {                                                    // every 8 data bytes
+                                                       Uart.parity[Uart.parityLen++] = Uart.parityBits;        // store 8 parity bits
+                                                       Uart.parityBits = 0;
+                                               }
+                                       }
+                               }
                        }
                        }
-
-                       Uart.posCnt = 0;
-
-                       switch(Uart.state) {
-                               case STATE_START_OF_COMMUNICATION:
+               } else {
+                       if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) {         // Modulation second half = Sequence X = logic "1"
+                               Uart.bitCount++;
+                               Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100;                                   // add a 1 to the shiftreg
+                               Uart.state = STATE_MILLER_X;
+                               Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 2;
+                               if(Uart.bitCount >= 9) {                                                                                // if we decoded a full byte (including parity)
+                                       Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
+                                       Uart.parityBits <<= 1;                                                                          // make room for the new parity bit
+                                       Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01);                       // store parity bit
+                                       Uart.bitCount = 0;
                                        Uart.shiftReg = 0;
                                        Uart.shiftReg = 0;
-                                       if(Uart.drop == DROP_SECOND_HALF) {
-                                               // error, should not happen in SOC
-                                               Uart.state = STATE_ERROR_WAIT;
-                                               error = 0x02;
-                                       }
-                                       else {
-                                               // correct SOC
-                                               Uart.state = STATE_MILLER_Z;
-                                       }
-                                       break;
-
-                               case STATE_MILLER_Z:
-                                       Uart.bitCnt++;
-                                       Uart.shiftReg >>= 1;
-                                       if(Uart.drop == DROP_NONE) {
-                                               // logic '0' followed by sequence Y
-                                               // end of communication
-                                               Uart.state = STATE_UNSYNCD;
-                                               EOC = TRUE;
-                                       }
-                                       // if(Uart.drop == DROP_FIRST_HALF) {
-                                       //      Uart.state = STATE_MILLER_Z; stay the same
-                                       //      we see a logic '0' }
-                                       if(Uart.drop == DROP_SECOND_HALF) {
-                                               // we see a logic '1'
-                                               Uart.shiftReg |= 0x100;
-                                               Uart.state = STATE_MILLER_X;
-                                       }
-                                       break;
-
-                               case STATE_MILLER_X:
-                                       Uart.shiftReg >>= 1;
-                                       if(Uart.drop == DROP_NONE) {
-                                               // sequence Y, we see a '0'
-                                               Uart.state = STATE_MILLER_Y;
-                                               Uart.bitCnt++;
-                                       }
-                                       if(Uart.drop == DROP_FIRST_HALF) {
-                                               // Would be STATE_MILLER_Z
-                                               // but Z does not follow X, so error
-                                               Uart.state = STATE_ERROR_WAIT;
-                                               error = 0x03;
-                                       }
-                                       if(Uart.drop == DROP_SECOND_HALF) {
-                                               // We see a '1' and stay in state X
-                                               Uart.shiftReg |= 0x100;
-                                               Uart.bitCnt++;
+                                       if ((Uart.len&0x0007) == 0) {                                                           // every 8 data bytes
+                                               Uart.parity[Uart.parityLen++] = Uart.parityBits;                // store 8 parity bits
+                                               Uart.parityBits = 0;
                                        }
                                        }
-                                       break;
-
-                               case STATE_MILLER_Y:
-                                       Uart.bitCnt++;
-                                       Uart.shiftReg >>= 1;
-                                       if(Uart.drop == DROP_NONE) {
-                                               // logic '0' followed by sequence Y
-                                               // end of communication
-                                               Uart.state = STATE_UNSYNCD;
-                                               EOC = TRUE;
-                                       }
-                                       if(Uart.drop == DROP_FIRST_HALF) {
-                                               // we see a '0'
-                                               Uart.state = STATE_MILLER_Z;
-                                       }
-                                       if(Uart.drop == DROP_SECOND_HALF) {
-                                               // We see a '1' and go to state X
-                                               Uart.shiftReg |= 0x100;
-                                               Uart.state = STATE_MILLER_X;
+                               }
+                       } else {                                                                                                                        // no modulation in both halves - Sequence Y
+                               if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) {     // Y after logic "0" - End of Communication
+                                       Uart.state = STATE_UNSYNCD;
+                                       Uart.bitCount--;                                                                                        // last "0" was part of EOC sequence
+                                       Uart.shiftReg <<= 1;                                                                            // drop it
+                                       if(Uart.bitCount > 0) {                                                                         // if we decoded some bits
+                                               Uart.shiftReg >>= (9 - Uart.bitCount);                                  // right align them
+                                               Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);               // add last byte to the output
+                                               Uart.parityBits <<= 1;                                                                  // add a (void) parity bit
+                                               Uart.parityBits <<= (8 - (Uart.len&0x0007));                    // left align parity bits
+                                               Uart.parity[Uart.parityLen++] = Uart.parityBits;                // and store it
+                                               return TRUE;
+                                       } else if (Uart.len & 0x0007) {                                                         // there are some parity bits to store
+                                               Uart.parityBits <<= (8 - (Uart.len&0x0007));                    // left align remaining parity bits
+                                               Uart.parity[Uart.parityLen++] = Uart.parityBits;                // and store them
                                        }
                                        }
-                                       break;
-
-                               case STATE_ERROR_WAIT:
-                                       // That went wrong. Now wait for at least two bit periods
-                                       // and try to sync again
-                                       if(Uart.drop == DROP_NONE) {
-                                               Uart.highCnt = 6;
-                                               Uart.state = STATE_UNSYNCD;
+                                       if (Uart.len) {
+                                               return TRUE;                                                                                    // we are finished with decoding the raw data sequence
+                                       } else {
+                                               UartReset();                                                                                    // Nothing received - start over
                                        }
                                        }
-                                       break;
-
-                               default:
-                                       Uart.state = STATE_UNSYNCD;
-                                       Uart.highCnt = 0;
-                                       break;
-                       }
-
-                       Uart.drop = DROP_NONE;
-
-                       // should have received at least one whole byte...
-                       if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
-                               return TRUE;
-                       }
-
-                       if(Uart.bitCnt == 9) {
-                               Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
-                               Uart.byteCnt++;
-
-                               Uart.parityBits <<= 1;
-                               Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
-
-                               if(EOC) {
-                                       // when End of Communication received and
-                                       // all data bits processed..
-                                       return TRUE;
                                }
                                }
-                               Uart.bitCnt = 0;
-                       }
-
-                       /*if(error) {
-                               Uart.output[Uart.byteCnt] = 0xAA;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = error & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = 0xAA;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = 0xAA;
-                               Uart.byteCnt++;
-                               return TRUE;
-                       }*/
-               }
-
-       }
-       else {
-               bit = Uart.bitBuffer & 0xf0;
-               bit >>= 4;
-               bit ^= 0x0F;
-               if(bit) {
-                       // should have been high or at least (4 * 128) / fc
-                       // according to ISO this should be at least (9 * 128 + 20) / fc
-                       if(Uart.highCnt == 8) {
-                               // we went low, so this could be start of communication
-                               // it turns out to be safer to choose a less significant
-                               // syncbit... so we check whether the neighbour also represents the drop
-                               Uart.posCnt = 1;   // apparently we are busy with our first half bit period
-                               Uart.syncBit = bit & 8;
-                               Uart.samples = 3;
-                               if(!Uart.syncBit)       { Uart.syncBit = bit & 4; Uart.samples = 2; }
-                               else if(bit & 4)        { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
-                               if(!Uart.syncBit)       { Uart.syncBit = bit & 2; Uart.samples = 1; }
-                               else if(bit & 2)        { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
-                               if(!Uart.syncBit)       { Uart.syncBit = bit & 1; Uart.samples = 0;
-                                       if(Uart.syncBit && (Uart.bitBuffer & 8)) {
-                                               Uart.syncBit = 8;
-
-                                               // the first half bit period is expected in next sample
-                                               Uart.posCnt = 0;
-                                               Uart.samples = 3;
+                               if (Uart.state == STATE_START_OF_COMMUNICATION) {                               // error - must not follow directly after SOC
+                                       UartReset();
+                               } else {                                                                                                                // a logic "0"
+                                       Uart.bitCount++;
+                                       Uart.shiftReg = (Uart.shiftReg >> 1);                                           // add a 0 to the shiftreg
+                                       Uart.state = STATE_MILLER_Y;
+                                       if(Uart.bitCount >= 9) {                                                                        // if we decoded a full byte (including parity)
+                                               Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
+                                               Uart.parityBits <<= 1;                                                                  // make room for the parity bit
+                                               Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01);               // store parity bit
+                                               Uart.bitCount = 0;
+                                               Uart.shiftReg = 0;
+                                               if ((Uart.len&0x0007) == 0) {                                                   // every 8 data bytes
+                                                       Uart.parity[Uart.parityLen++] = Uart.parityBits;        // store 8 parity bits
+                                                       Uart.parityBits = 0;
+                                               }
                                        }
                                }
                                        }
                                }
-                               else if(bit & 1)        { Uart.syncBit = bit & 1; Uart.samples = 0; }
-
-                               Uart.syncBit <<= 4;
-                               Uart.state = STATE_START_OF_COMMUNICATION;
-                               Uart.drop = DROP_FIRST_HALF;
-                               Uart.bitCnt = 0;
-                               Uart.byteCnt = 0;
-                               Uart.parityBits = 0;
-                               error = 0;
-                       }
-                       else {
-                               Uart.highCnt = 0;
-                       }
-               }
-               else {
-                       if(Uart.highCnt < 8) {
-                               Uart.highCnt++;
                        }
                }
                        }
                }
-       }
-
-    return FALSE;
+       } 
+    return FALSE;      // not finished yet, need more data
 }
 
 //=============================================================================
 }
 
 //=============================================================================
-// ISO 14443 Type A - Manchester
+// ISO 14443 Type A - Manchester decoder
 //=============================================================================
 //=============================================================================
+// Basics:
+// This decoder is used when the PM3 acts as a reader.
+// The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
+// at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
+// ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
+// The Manchester decoder needs to identify the following sequences:
+// 4 ticks modulated followed by 4 ticks unmodulated:  Sequence D = 1 (also used as "start of communication")
+// 4 ticks unmodulated followed by 4 ticks modulated:  Sequence E = 0
+// 8 ticks unmodulated:                                                                        Sequence F = end of communication
+// 8 ticks modulated:                                                                  A collision. Save the collision position and treat as Sequence D
+// Note 1: the bitstream may start at any time. We therefore need to sync.
+// Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
+static tDemod Demod;
+
+// Lookup-Table to decide if 4 raw bits are a modulation.
+// We accept three or four "1" in any position
+const bool Mod_Manchester_LUT[] = {
+       FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE,
+       FALSE, FALSE, FALSE, TRUE,  FALSE, TRUE,  TRUE,  TRUE
+};
 
 
-static struct {
-    enum {
-        DEMOD_UNSYNCD,
-               DEMOD_START_OF_COMMUNICATION,
-               DEMOD_MANCHESTER_D,
-               DEMOD_MANCHESTER_E,
-               DEMOD_MANCHESTER_F,
-        DEMOD_ERROR_WAIT
-    }       state;
-    int     bitCount;
-    int     posCount;
-       int     syncBit;
-       int     parityBits;
-    uint16_t    shiftReg;
-       int     buffer;
-       int     buff;
-       int     samples;
-    int     len;
-       enum {
-               SUB_NONE,
-               SUB_FIRST_HALF,
-               SUB_SECOND_HALF
-       }               sub;
-    uint8_t   *output;
-} Demod;
-
-static RAMFUNC int ManchesterDecoding(int v)
-{
-       int bit;
-       int modulation;
-       int error = 0;
+#define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
+#define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
 
 
-       if(!Demod.buff) {
-               Demod.buff = 1;
-               Demod.buffer = v;
-               return FALSE;
-       }
-       else {
-               bit = Demod.buffer;
-               Demod.buffer = v;
-       }
+void DemodReset() {
+       Demod.state = DEMOD_UNSYNCD;
+       Demod.len = 0;                                          // number of decoded data bytes
+       Demod.parityLen = 0;
+       Demod.shiftReg = 0;                                     // shiftreg to hold decoded data bits
+       Demod.parityBits = 0;                           // 
+       Demod.collisionPos = 0;                         // Position of collision bit
+       Demod.twoBits = 0xffff;                         // buffer for 2 Bits
+       Demod.highCnt = 0;
+       Demod.startTime = 0;
+       Demod.endTime = 0;      
+       Demod.bitCount = 0;
+       Demod.syncBit = 0xFFFF;
+       Demod.samples = 0;
+}
 
 
-       if(Demod.state==DEMOD_UNSYNCD) {
-               Demod.output[Demod.len] = 0xfa;
-               Demod.syncBit = 0;
-               //Demod.samples = 0;
-               Demod.posCount = 1;             // This is the first half bit period, so after syncing handle the second part
+void DemodInit(uint8_t *data, uint8_t *parity) {
+       Demod.output = data;
+       Demod.parity = parity;
+       DemodReset();
+}
 
 
-               if(bit & 0x08) {
-                       Demod.syncBit = 0x08;
-               }
+// use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
+static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) {
+       Demod.twoBits = (Demod.twoBits << 8) | bit;
+       
+       if (Demod.state == DEMOD_UNSYNCD) {
 
 
-               if(bit & 0x04) {
-                       if(Demod.syncBit) {
-                               bit <<= 4;
+               if (Demod.highCnt < 2) {                                                                                        // wait for a stable unmodulated signal
+                       if (Demod.twoBits == 0x0000) {
+                               Demod.highCnt++;
+                       } else {
+                               Demod.highCnt = 0;
                        }
                        }
-                       Demod.syncBit = 0x04;
-               }
-
-               if(bit & 0x02) {
-                       if(Demod.syncBit) {
-                               bit <<= 2;
+               } else {
+                       Demod.syncBit = 0xFFFF;                 // not set
+                       if              ((Demod.twoBits & 0x7700) == 0x7000) Demod.syncBit = 7; 
+                       else if ((Demod.twoBits & 0x3B80) == 0x3800) Demod.syncBit = 6;
+                       else if ((Demod.twoBits & 0x1DC0) == 0x1C00) Demod.syncBit = 5;
+                       else if ((Demod.twoBits & 0x0EE0) == 0x0E00) Demod.syncBit = 4;
+                       else if ((Demod.twoBits & 0x0770) == 0x0700) Demod.syncBit = 3;
+                       else if ((Demod.twoBits & 0x03B8) == 0x0380) Demod.syncBit = 2;
+                       else if ((Demod.twoBits & 0x01DC) == 0x01C0) Demod.syncBit = 1;
+                       else if ((Demod.twoBits & 0x00EE) == 0x00E0) Demod.syncBit = 0;
+                       if (Demod.syncBit != 0xFFFF) {
+                               Demod.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
+                               Demod.startTime -= Demod.syncBit;
+                               Demod.bitCount = offset;                        // number of decoded data bits
+                               Demod.state = DEMOD_MANCHESTER_DATA;
                        }
                        }
-                       Demod.syncBit = 0x02;
                }
                }
+       } else {
 
 
-               if(bit & 0x01 && Demod.syncBit) {
-                       Demod.syncBit = 0x01;
-               }
-               
-               if(Demod.syncBit) {
-                       Demod.len = 0;
-                       Demod.state = DEMOD_START_OF_COMMUNICATION;
-                       Demod.sub = SUB_FIRST_HALF;
-                       Demod.bitCount = 0;
-                       Demod.shiftReg = 0;
-                       Demod.parityBits = 0;
-                       Demod.samples = 0;
-                       if(Demod.posCount) {
-                               if(trigger) LED_A_OFF();
-                               switch(Demod.syncBit) {
-                                       case 0x08: Demod.samples = 3; break;
-                                       case 0x04: Demod.samples = 2; break;
-                                       case 0x02: Demod.samples = 1; break;
-                                       case 0x01: Demod.samples = 0; break;
+               if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) {            // modulation in first half
+                       if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) {    // ... and in second half = collision
+                               if (!Demod.collisionPos) {
+                                       Demod.collisionPos = (Demod.len << 3) + Demod.bitCount;
                                }
                                }
-                       }
-                       error = 0;
-               }
-       }
-       else {
-               //modulation = bit & Demod.syncBit;
-               modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
-
-               Demod.samples += 4;
-
-               if(Demod.posCount==0) {
-                       Demod.posCount = 1;
-                       if(modulation) {
-                               Demod.sub = SUB_FIRST_HALF;
-                       }
-                       else {
-                               Demod.sub = SUB_NONE;
-                       }
-               }
-               else {
-                       Demod.posCount = 0;
-                       if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
-                               if(Demod.state!=DEMOD_ERROR_WAIT) {
-                                       Demod.state = DEMOD_ERROR_WAIT;
-                                       Demod.output[Demod.len] = 0xaa;
-                                       error = 0x01;
+                       }                                                                                                                       // modulation in first half only - Sequence D = 1
+                       Demod.bitCount++;
+                       Demod.shiftReg = (Demod.shiftReg >> 1) | 0x100;                         // in both cases, add a 1 to the shiftreg
+                       if(Demod.bitCount == 9) {                                                                       // if we decoded a full byte (including parity)
+                               Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
+                               Demod.parityBits <<= 1;                                                                 // make room for the parity bit
+                               Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01);     // store parity bit
+                               Demod.bitCount = 0;
+                               Demod.shiftReg = 0;
+                               if((Demod.len&0x0007) == 0) {                                                   // every 8 data bytes
+                                       Demod.parity[Demod.parityLen++] = Demod.parityBits;     // store 8 parity bits
+                                       Demod.parityBits = 0;
                                }
                        }
                                }
                        }
-                       else if(modulation) {
-                               Demod.sub = SUB_SECOND_HALF;
-                       }
-
-                       switch(Demod.state) {
-                               case DEMOD_START_OF_COMMUNICATION:
-                                       if(Demod.sub == SUB_FIRST_HALF) {
-                                               Demod.state = DEMOD_MANCHESTER_D;
-                                       }
-                                       else {
-                                               Demod.output[Demod.len] = 0xab;
-                                               Demod.state = DEMOD_ERROR_WAIT;
-                                               error = 0x02;
-                                       }
-                                       break;
-
-                               case DEMOD_MANCHESTER_D:
-                               case DEMOD_MANCHESTER_E:
-                                       if(Demod.sub == SUB_FIRST_HALF) {
-                                               Demod.bitCount++;
-                                               Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
-                                               Demod.state = DEMOD_MANCHESTER_D;
-                                       }
-                                       else if(Demod.sub == SUB_SECOND_HALF) {
-                                               Demod.bitCount++;
-                                               Demod.shiftReg >>= 1;
-                                               Demod.state = DEMOD_MANCHESTER_E;
-                                       }
-                                       else {
-                                               Demod.state = DEMOD_MANCHESTER_F;
-                                       }
-                                       break;
-
-                               case DEMOD_MANCHESTER_F:
-                                       // Tag response does not need to be a complete byte!
-                                       if(Demod.len > 0 || Demod.bitCount > 0) {
-                                               if(Demod.bitCount > 0) {
-                                                       Demod.shiftReg >>= (9 - Demod.bitCount);
-                                                       Demod.output[Demod.len] = Demod.shiftReg & 0xff;
-                                                       Demod.len++;
-                                                       // No parity bit, so just shift a 0
-                                                       Demod.parityBits <<= 1;
-                                               }
-
-                                               Demod.state = DEMOD_UNSYNCD;
-                                               return TRUE;
-                                       }
-                                       else {
-                                               Demod.output[Demod.len] = 0xad;
-                                               Demod.state = DEMOD_ERROR_WAIT;
-                                               error = 0x03;
+                       Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
+               } else {                                                                                                                // no modulation in first half
+                       if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) {    // and modulation in second half = Sequence E = 0
+                               Demod.bitCount++;
+                               Demod.shiftReg = (Demod.shiftReg >> 1);                                 // add a 0 to the shiftreg
+                               if(Demod.bitCount >= 9) {                                                               // if we decoded a full byte (including parity)
+                                       Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
+                                       Demod.parityBits <<= 1;                                                         // make room for the new parity bit
+                                       Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
+                                       Demod.bitCount = 0;
+                                       Demod.shiftReg = 0;
+                                       if ((Demod.len&0x0007) == 0) {                                          // every 8 data bytes
+                                               Demod.parity[Demod.parityLen++] = Demod.parityBits;     // store 8 parity bits1
+                                               Demod.parityBits = 0;
                                        }
                                        }
-                                       break;
-
-                               case DEMOD_ERROR_WAIT:
-                                       Demod.state = DEMOD_UNSYNCD;
-                                       break;
-
-                               default:
-                                       Demod.output[Demod.len] = 0xdd;
-                                       Demod.state = DEMOD_UNSYNCD;
-                                       break;
-                       }
-
-                       if(Demod.bitCount>=9) {
-                               Demod.output[Demod.len] = Demod.shiftReg & 0xff;
-                               Demod.len++;
-
-                               Demod.parityBits <<= 1;
-                               Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
-
-                               Demod.bitCount = 0;
-                               Demod.shiftReg = 0;
+                               }
+                               Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
+                       } else {                                                                                                        // no modulation in both halves - End of communication
+                               if(Demod.bitCount > 0) {                                                                // there are some remaining data bits
+                                       Demod.shiftReg >>= (9 - Demod.bitCount);                        // right align the decoded bits
+                                       Demod.output[Demod.len++] = Demod.shiftReg & 0xff;      // and add them to the output
+                                       Demod.parityBits <<= 1;                                                         // add a (void) parity bit
+                                       Demod.parityBits <<= (8 - (Demod.len&0x0007));          // left align remaining parity bits
+                                       Demod.parity[Demod.parityLen++] = Demod.parityBits;     // and store them
+                                       return TRUE;
+                               } else if (Demod.len & 0x0007) {                                                // there are some parity bits to store
+                                       Demod.parityBits <<= (8 - (Demod.len&0x0007));          // left align remaining parity bits
+                                       Demod.parity[Demod.parityLen++] = Demod.parityBits;     // and store them
+                               }
+                               if (Demod.len) {
+                                       return TRUE;                                                                            // we are finished with decoding the raw data sequence
+                               } else {                                                                                                // nothing received. Start over
+                                       DemodReset();
+                               }
                        }
                        }
-
-                       /*if(error) {
-                               Demod.output[Demod.len] = 0xBB;
-                               Demod.len++;
-                               Demod.output[Demod.len] = error & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = 0xBB;
-                               Demod.len++;
-                               Demod.output[Demod.len] = bit & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = Demod.buffer & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = Demod.syncBit & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = 0xBB;
-                               Demod.len++;
-                               return TRUE;
-                       }*/
-
                }
                }
-
-       } // end (state != UNSYNCED)
-
-    return FALSE;
+       } 
+    return FALSE;      // not finished yet, need more data
 }
 
 //=============================================================================
 }
 
 //=============================================================================
@@ -615,180 +498,174 @@ static RAMFUNC int ManchesterDecoding(int v)
 // Record the sequence of commands sent by the reader to the tag, with
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
 // Record the sequence of commands sent by the reader to the tag, with
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
+// "hf 14a sniff"
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void RAMFUNC SnoopIso14443a(void)
-{
-//     #define RECV_CMD_OFFSET         2032    // original (working as of 21/2/09) values
-//     #define RECV_RES_OFFSET         2096    // original (working as of 21/2/09) values
-//     #define DMA_BUFFER_OFFSET       2160    // original (working as of 21/2/09) values
-//     #define DMA_BUFFER_SIZE         4096    // original (working as of 21/2/09) values
-//     #define TRACE_LENGTH            2000    // original (working as of 21/2/09) values
-
-    // We won't start recording the frames that we acquire until we trigger;
-    // a good trigger condition to get started is probably when we see a
-    // response from the tag.
-    int triggered = FALSE; // FALSE to wait first for card
-
-    // The command (reader -> tag) that we're receiving.
-       // The length of a received command will in most cases be no more than 18 bytes.
-       // So 32 should be enough!
-    uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
-    // The response (tag -> reader) that we're receiving.
-    uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
-
-    // As we receive stuff, we copy it from receivedCmd or receivedResponse
-    // into trace, along with its length and other annotations.
-    //uint8_t *trace = (uint8_t *)BigBuf;
-    
-    traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
-
-    // The DMA buffer, used to stream samples from the FPGA
-    int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
-    int lastRxCounter;
-    int8_t *upTo;
-    int smpl;
-    int maxBehindBy = 0;
-
-    // Count of samples received so far, so that we can include timing
-    // information in the trace buffer.
-    int samples = 0;
-    int rsamples = 0;
-
-    memset(trace, 0x44, RECV_CMD_OFFSET);
-
-    // Set up the demodulator for tag -> reader responses.
-    Demod.output = receivedResponse;
-    Demod.len = 0;
-    Demod.state = DEMOD_UNSYNCD;
-
-    // Setup for the DMA.
-    FpgaSetupSsc();
-    upTo = dmaBuf;
-    lastRxCounter = DMA_BUFFER_SIZE;
-    FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
-
-    // And the reader -> tag commands
-    memset(&Uart, 0, sizeof(Uart));
-    Uart.output = receivedCmd;
-    Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
-    Uart.state = STATE_UNSYNCD;
-
-    // And put the FPGA in the appropriate mode
-    // Signal field is off with the appropriate LED
-    LED_D_OFF();
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
-    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+void RAMFUNC SniffIso14443a(uint8_t param) {
+       // param:
+       // bit 0 - trigger from first card answer
+       // bit 1 - trigger from first reader 7-bit request
+       LEDsoff();
 
 
+       iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
+       
+       // Allocate memory from BigBuf for some buffers
+       // free all previous allocations first
+       BigBuf_free(); BigBuf_Clear_ext(false);
+       clear_trace();
+       set_tracing(TRUE);
+       
+       // The command (reader -> tag) that we're receiving.
+       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+       uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
+       
+       // The response (tag -> reader) that we're receiving.
+       uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
+       uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
+       
+       // The DMA buffer, used to stream samples from the FPGA
+       uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
+
+       uint8_t *data = dmaBuf;
+       uint8_t previous_data = 0;
+       int maxDataLen = 0;
+       int dataLen = 0;
+       bool TagIsActive = FALSE;
+       bool ReaderIsActive = FALSE;
+       
+       // Set up the demodulator for tag -> reader responses.
+       DemodInit(receivedResponse, receivedResponsePar);
+       
+       // Set up the demodulator for the reader -> tag commands
+       UartInit(receivedCmd, receivedCmdPar);
+       
+       // Setup and start DMA.
+       if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+               if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+               return;
+       }
+       
+       // We won't start recording the frames that we acquire until we trigger;
+       // a good trigger condition to get started is probably when we see a
+       // response from the tag.
+       // triggered == FALSE -- to wait first for card
+       bool triggered = !(param & 0x03); 
+       
+       // And now we loop, receiving samples.
+       for(uint32_t rsamples = 0; TRUE; ) {
 
 
-    // And now we loop, receiving samples.
-    for(;;) {
-        LED_A_ON();
-        WDT_HIT();
-        int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
-                                (DMA_BUFFER_SIZE-1);
-        if(behindBy > maxBehindBy) {
-            maxBehindBy = behindBy;
-            if(behindBy > 400) {
-                Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
-                goto done;
-            }
-        }
-        if(behindBy < 1) continue;
+               if(BUTTON_PRESS()) {
+                       DbpString("cancelled by button");
+                       break;
+               }
 
 
-       LED_A_OFF();
-        smpl = upTo[0];
-        upTo++;
-        lastRxCounter -= 1;
-        if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
-            upTo -= DMA_BUFFER_SIZE;
-            lastRxCounter += DMA_BUFFER_SIZE;
-            AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
-            AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
-        }
+               LED_A_ON();
+               WDT_HIT();
 
 
-        samples += 4;
-        if(MillerDecoding((smpl & 0xF0) >> 4)) {
-            rsamples = samples - Uart.samples;
-            LED_C_ON();
-            if(triggered) {
-                trace[traceLen++] = ((rsamples >>  0) & 0xff);
-                trace[traceLen++] = ((rsamples >>  8) & 0xff);
-                trace[traceLen++] = ((rsamples >> 16) & 0xff);
-                trace[traceLen++] = ((rsamples >> 24) & 0xff);
-                trace[traceLen++] = ((Uart.parityBits >>  0) & 0xff);
-                trace[traceLen++] = ((Uart.parityBits >>  8) & 0xff);
-                trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
-                trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
-                trace[traceLen++] = Uart.byteCnt;
-                memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
-                traceLen += Uart.byteCnt;
-                if(traceLen > TRACE_LENGTH) break;
-            }
-            /* And ready to receive another command. */
-            Uart.state = STATE_UNSYNCD;
-            /* And also reset the demod code, which might have been */
-            /* false-triggered by the commands from the reader. */
-            Demod.state = DEMOD_UNSYNCD;
-            LED_B_OFF();
-        }
+               int register readBufDataP = data - dmaBuf;
+               int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
+               if (readBufDataP <= dmaBufDataP){
+                       dataLen = dmaBufDataP - readBufDataP;
+               } else {
+                       dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
+               }
+               // test for length of buffer
+               if(dataLen > maxDataLen) {
+                       maxDataLen = dataLen;
+                       if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
+                               Dbprintf("blew circular buffer! dataLen=%d", dataLen);
+                               break;
+                       }
+               }
+               if(dataLen < 1) continue;
 
 
-        if(ManchesterDecoding(smpl & 0x0F)) {
-            rsamples = samples - Demod.samples;
-            LED_B_ON();
-
-            // timestamp, as a count of samples
-            trace[traceLen++] = ((rsamples >>  0) & 0xff);
-            trace[traceLen++] = ((rsamples >>  8) & 0xff);
-            trace[traceLen++] = ((rsamples >> 16) & 0xff);
-            trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
-            trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);
-            trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);
-            trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
-            trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
-            // length
-            trace[traceLen++] = Demod.len;
-            memcpy(trace+traceLen, receivedResponse, Demod.len);
-            traceLen += Demod.len;
-            if(traceLen > TRACE_LENGTH) break;
-
-            triggered = TRUE;
-
-            // And ready to receive another response.
-            memset(&Demod, 0, sizeof(Demod));
-            Demod.output = receivedResponse;
-            Demod.state = DEMOD_UNSYNCD;
-            LED_C_OFF();
-        }
+               // primary buffer was stopped( <-- we lost data!
+               if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
+                       AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
+                       AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
+                       Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
+               }
+               // secondary buffer sets as primary, secondary buffer was stopped
+               if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
+                       AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
+                       AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
+               }
 
 
-        if(BUTTON_PRESS()) {
-            DbpString("cancelled_a");
-            goto done;
-        }
-    }
+               LED_A_OFF();
+               
+               if (rsamples & 0x01) {                          // Need two samples to feed Miller and Manchester-Decoder
+
+                       if(!TagIsActive) {              // no need to try decoding reader data if the tag is sending
+                               uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
+                               if (MillerDecoding(readerdata, (rsamples-1)*4)) {
+                                       LED_C_ON();
+
+                                       // check - if there is a short 7bit request from reader
+                                       if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = TRUE;
+
+                                       if(triggered) {
+                                               if (!LogTrace(receivedCmd, 
+                                                                               Uart.len, 
+                                                                               Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
+                                                                               Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
+                                                                               Uart.parity, 
+                                                                               TRUE)) break;
+                                       }
+                                       /* And ready to receive another command. */
+                                       UartReset();
+                                       /* And also reset the demod code, which might have been */
+                                       /* false-triggered by the commands from the reader. */
+                                       DemodReset();
+                                       LED_B_OFF();
+                               }
+                               ReaderIsActive = (Uart.state != STATE_UNSYNCD);
+                       }
 
 
-    DbpString("COMMAND FINISHED");
+                       if(!ReaderIsActive) {           // no need to try decoding tag data if the reader is sending - and we cannot afford the time
+                               uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
+                               if(ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
+                                       LED_B_ON();
 
 
-    Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
-    Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
+                                       if (!LogTrace(receivedResponse, 
+                                                                       Demod.len, 
+                                                                       Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, 
+                                                                       Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
+                                                                       Demod.parity,
+                                                                       FALSE)) break;
 
 
-done:
-    AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
-    Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
-    Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
-    LED_A_OFF();
-    LED_B_OFF();
-       LED_C_OFF();
-       LED_D_OFF();
+                                       if ((!triggered) && (param & 0x01)) triggered = TRUE;
+
+                                       // And ready to receive another response.
+                                       DemodReset();
+                                       // And reset the Miller decoder including itS (now outdated) input buffer
+                                       UartInit(receivedCmd, receivedCmdPar);
+                                       LED_C_OFF();
+                               } 
+                               TagIsActive = (Demod.state != DEMOD_UNSYNCD);
+                       }
+               }
+
+               previous_data = *data;
+               rsamples++;
+               data++;
+               if(data == dmaBuf + DMA_BUFFER_SIZE) {
+                       data = dmaBuf;
+               }
+       } // main cycle
+
+       if (MF_DBGLEVEL >= 1) {
+               Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
+               Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
+       }
+       FpgaDisableSscDma();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+       set_tracing(FALSE);     
 }
 
 //-----------------------------------------------------------------------------
 // Prepare tag messages
 //-----------------------------------------------------------------------------
 }
 
 //-----------------------------------------------------------------------------
 // Prepare tag messages
 //-----------------------------------------------------------------------------
-static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
-{
-       int i;
-//     int oddparity;
-
+static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity) {
        ToSendReset();
 
        // Correction bit, might be removed when not needed
        ToSendReset();
 
        // Correction bit, might be removed when not needed
@@ -803,15 +680,13 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity
        
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
        
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
+       LastProxToAirDuration = 8 * ToSendMax - 4;
 
 
-       for(i = 0; i < len; i++) {
-               int j;
+       for(uint16_t i = 0; i < len; i++) {
                uint8_t b = cmd[i];
 
                // Data bits
                uint8_t b = cmd[i];
 
                // Data bits
-//             oddparity = 0x01;
-               for(j = 0; j < 8; j++) {
-//                     oddparity ^= (b & 1);
+               for(uint16_t j = 0; j < 8; j++) {
                        if(b & 1) {
                                ToSend[++ToSendMax] = SEC_D;
                        } else {
                        if(b & 1) {
                                ToSend[++ToSendMax] = SEC_D;
                        } else {
@@ -820,52 +695,33 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity
                        b >>= 1;
                }
 
                        b >>= 1;
                }
 
-       // Get the parity bit
-               if ((dwParity >> i) & 0x01) {
+               // Get the parity bit
+               if (parity[i>>3] & (0x80>>(i&0x0007))) {
                        ToSend[++ToSendMax] = SEC_D;
                        ToSend[++ToSendMax] = SEC_D;
+                       LastProxToAirDuration = 8 * ToSendMax - 4;
                } else {
                        ToSend[++ToSendMax] = SEC_E;
                } else {
                        ToSend[++ToSendMax] = SEC_E;
+                       LastProxToAirDuration = 8 * ToSendMax;
                }
                }
-               
-                       // Parity bit
-//                     if(oddparity) {
-//                             ToSend[++ToSendMax] = SEC_D;
-//                     } else {
-//                             ToSend[++ToSendMax] = SEC_E;
-//                     }
-
-//             if (oddparity != ((dwParity >> i) & 0x01))
-//               Dbprintf("par error. i=%d", i);
        }
 
        // Send stopbit
        ToSend[++ToSendMax] = SEC_F;
 
        }
 
        // Send stopbit
        ToSend[++ToSendMax] = SEC_F;
 
-       // Flush the buffer in FPGA!!
-       for(i = 0; i < 5; i++) {
-//             ToSend[++ToSendMax] = SEC_F;
-       }
-
        // Convert from last byte pos to length
        // Convert from last byte pos to length
-       ToSendMax++;
-
-    // Add a few more for slop
-//    ToSend[ToSendMax++] = 0x00;
-//     ToSend[ToSendMax++] = 0x00;
+       ++ToSendMax;
 }
 
 }
 
-static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
-       CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
+static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len) {
+       uint8_t par[MAX_PARITY_SIZE] = {0};
+       GetParity(cmd, len, par);
+       CodeIso14443aAsTagPar(cmd, len, par);
 }
 
 }
 
-//-----------------------------------------------------------------------------
-// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
-//-----------------------------------------------------------------------------
-static void CodeStrangeAnswerAsTag()
-{
-       int i;
+static void Code4bitAnswerAsTag(uint8_t cmd) {
+       uint8_t b = cmd;
 
 
-    ToSendReset();
+       ToSendReset();
 
        // Correction bit, might be removed when not needed
        ToSendStuffBit(0);
 
        // Correction bit, might be removed when not needed
        ToSendStuffBit(0);
@@ -880,66 +736,22 @@ static void CodeStrangeAnswerAsTag()
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
 
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
 
-       // 0
-       ToSend[++ToSendMax] = SEC_E;
-
-       // 0
-       ToSend[++ToSendMax] = SEC_E;
-
-       // 1
-       ToSend[++ToSendMax] = SEC_D;
+       for(uint8_t i = 0; i < 4; i++) {
+               if(b & 1) {
+                       ToSend[++ToSendMax] = SEC_D;
+                       LastProxToAirDuration = 8 * ToSendMax - 4;
+               } else {
+                       ToSend[++ToSendMax] = SEC_E;
+                       LastProxToAirDuration = 8 * ToSendMax;
+               }
+               b >>= 1;
+       }
 
 
-    // Send stopbit
+       // Send stopbit
        ToSend[++ToSendMax] = SEC_F;
 
        ToSend[++ToSendMax] = SEC_F;
 
-       // Flush the buffer in FPGA!!
-       for(i = 0; i < 5; i++) {
-               ToSend[++ToSendMax] = SEC_F;
-       }
-
-    // Convert from last byte pos to length
-    ToSendMax++;
-}
-
-static void Code4bitAnswerAsTag(uint8_t cmd)
-{
-       int i;
-
-    ToSendReset();
-
-       // Correction bit, might be removed when not needed
-       ToSendStuffBit(0);
-       ToSendStuffBit(0);
-       ToSendStuffBit(0);
-       ToSendStuffBit(0);
-       ToSendStuffBit(1);  // 1
-       ToSendStuffBit(0);
-       ToSendStuffBit(0);
-       ToSendStuffBit(0);
-
-       // Send startbit
-       ToSend[++ToSendMax] = SEC_D;
-
-       uint8_t b = cmd;
-       for(i = 0; i < 4; i++) {
-               if(b & 1) {
-                       ToSend[++ToSendMax] = SEC_D;
-               } else {
-                       ToSend[++ToSendMax] = SEC_E;
-               }
-               b >>= 1;
-       }
-
-       // Send stopbit
-       ToSend[++ToSendMax] = SEC_F;
-
-       // Flush the buffer in FPGA!!
-       for(i = 0; i < 5; i++) {
-               ToSend[++ToSendMax] = SEC_F;
-       }
-
-    // Convert from last byte pos to length
-    ToSendMax++;
+       // Convert from last byte pos to length
+       ToSendMax++;
 }
 
 //-----------------------------------------------------------------------------
 }
 
 //-----------------------------------------------------------------------------
@@ -947,265 +759,565 @@ static void Code4bitAnswerAsTag(uint8_t cmd)
 // Stop when button is pressed
 // Or return TRUE when command is captured
 //-----------------------------------------------------------------------------
 // Stop when button is pressed
 // Or return TRUE when command is captured
 //-----------------------------------------------------------------------------
-static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
-{
+int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) {
     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
     // only, since we are receiving, not transmitting).
     // Signal field is off with the appropriate LED
     LED_D_OFF();
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
     // only, since we are receiving, not transmitting).
     // Signal field is off with the appropriate LED
     LED_D_OFF();
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
-    // Now run a `software UART' on the stream of incoming samples.
-    Uart.output = received;
-    Uart.byteCntMax = maxLen;
-    Uart.state = STATE_UNSYNCD;
+    // Now run a `software UART` on the stream of incoming samples.
+       UartInit(received, parity);
+
+       // clear RXRDY:
+    uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 
     for(;;) {
         WDT_HIT();
 
         if(BUTTON_PRESS()) return FALSE;
 
     for(;;) {
         WDT_HIT();
 
         if(BUTTON_PRESS()) return FALSE;
-
-        if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-            AT91C_BASE_SSC->SSC_THR = 0x00;
-        }
+               
         if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
         if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-            uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       if(MillerDecoding((b & 0xf0) >> 4)) {
-                               *len = Uart.byteCnt;
+            b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+                       if(MillerDecoding(b, 0)) {
+                               *len = Uart.len;
                                return TRUE;
                        }
                                return TRUE;
                        }
-                       if(MillerDecoding(b & 0x0f)) {
-                               *len = Uart.byteCnt;
-                               return TRUE;
-                       }
-        }
+               }
     }
 }
     }
 }
-static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
-
-//-----------------------------------------------------------------------------
-// Main loop of simulated tag: receive commands from reader, decide what
-// response to send, and send it.
-//-----------------------------------------------------------------------------
-void SimulateIso14443aTag(int tagType, int TagUid)
-{
-       // This function contains the tag emulation
-
-       // Prepare protocol messages
-    // static const uint8_t cmd1[] = { 0x26 };
-//     static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
-//
-       static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
-//     static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
-
-       // UID response
-    // static const uint8_t cmd2[] = { 0x93, 0x20 };
-    //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
 
 
-// my desfire
-    static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
-
-
-// When reader selects us during cascade1 it will send cmd3
-//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
-uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
-ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
-
-// send cascade2 2nd half of UID
-static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; //  uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
-// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
-
-// When reader selects us during cascade2 it will send cmd3a
-//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
-uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
-ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
-
-    static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
-
-    uint8_t *resp;
-    int respLen;
-
-    // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
-       // This will need
+bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
+       // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
+       // This will need the following byte array for a modulation sequence
        //    144        data bits (18 * 8)
        //     18        parity bits
        //      2        Start and stop
        //      1        Correction bit (Answer in 1172 or 1236 periods, see FPGA)
        //      1        just for the case
        // ----------- +
        //    144        data bits (18 * 8)
        //     18        parity bits
        //      2        Start and stop
        //      1        Correction bit (Answer in 1172 or 1236 periods, see FPGA)
        //      1        just for the case
        // ----------- +
-       //    166
-       //
-       // 166 bytes, since every bit that needs to be send costs us a byte
+       //    166 bytes, since every bit that needs to be send costs us a byte
        //
        //
+       // Prepare the tag modulation bits from the message
+       CodeIso14443aAsTag(response_info->response,response_info->response_n);
 
 
-    // Respond with card type
-    uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
-    int resp1Len;
-
-    // Anticollision cascade1 - respond with uid
-    uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
-    int resp2Len;
-
-    // Anticollision cascade2 - respond with 2nd half of uid if asked
-    // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
-    uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
-    int resp2aLen;
-
-    // Acknowledge select - cascade 1
-    uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
-    int resp3Len;
-
-    // Acknowledge select - cascade 2
-    uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
-    int resp3aLen;
+       // Make sure we do not exceed the free buffer space
+       if (ToSendMax > max_buffer_size) {
+               Dbprintf("Out of memory, when modulating bits for tag answer:");
+               Dbhexdump(response_info->response_n,response_info->response,false);
+               return FALSE;
+       }
 
 
-    // Response to a read request - not implemented atm
-    uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
-    int resp4Len;
+       // Copy the byte array, used for this modulation to the buffer position
+       memcpy(response_info->modulation,ToSend,ToSendMax);
 
 
-    // Authenticate response - nonce
-    uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
-    int resp5Len;
+       // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
+       response_info->modulation_n = ToSendMax;
+       response_info->ProxToAirDuration = LastProxToAirDuration;
+       return TRUE;
+}
 
 
-    uint8_t *receivedCmd = (uint8_t *)BigBuf;
-    int len;
+// "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
+// Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
+// 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits
+// -> need 273 bytes buffer
+// 44 * 8 data bits, 44 * 1 parity bits, 9 start bits, 9 stop bits, 9 correction bits --370
+// 47 * 8 data bits, 47 * 1 parity bits, 10 start bits, 10 stop bits, 10 correction bits 
+#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453 
+
+bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
+       // Retrieve and store the current buffer index
+       response_info->modulation = free_buffer_pointer;
+
+       // Determine the maximum size we can use from our buffer
+       size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
+
+       // Forward the prepare tag modulation function to the inner function
+       if (prepare_tag_modulation(response_info, max_buffer_size)) {
+               // Update the free buffer offset
+               free_buffer_pointer += ToSendMax;
+               return true;
+       } else {
+               return false;
+       }
+}
 
 
-    int i;
-       int u;
-       uint8_t b;
+//-----------------------------------------------------------------------------
+// Main loop of simulated tag: receive commands from reader, decide what
+// response to send, and send it.
+// 'hf 14a sim'
+//-----------------------------------------------------------------------------
+void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 
 
-       // To control where we are in the protocol
-       int order = 0;
-       int lastorder;
+       #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+       // init pseudorand
+       fast_prand();
+       
+       uint8_t sak = 0;
+       uint32_t cuid = 0;                      
+       uint32_t nonce = 0;
+       
+       // PACK response to PWD AUTH for EV1/NTAG
+       uint8_t response8[4] = {0,0,0,0};
+       // Counter for EV1/NTAG
+       uint32_t counters[] = {0,0,0};
+       
+       // The first response contains the ATQA (note: bytes are transmitted in reverse order).
+       uint8_t response1[] = {0,0};
 
 
-       // Just to allow some checks
-       int happened = 0;
-       int happened2 = 0;
+       // Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, CUID, block2, keytyp2, NT2, NR2, AR2
+       // it should also collect block, keytype.
+       uint8_t cardAUTHSC = 0;
+       uint8_t cardAUTHKEY = 0xff;  // no authentication
+       // allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
 
 
-    int cmdsRecvd = 0;
+       nonces_t ar_nr_nonces[ATTACK_KEY_COUNT]; // for attack types moebius
+       memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
+       uint8_t moebius_count = 0;
+       
+       switch (tagType) {
+               case 1: { // MIFARE Classic 1k 
+                       response1[0] = 0x04;
+                       sak = 0x08;
+               } break;
+               case 2: { // MIFARE Ultralight
+                       response1[0] = 0x44;
+                       sak = 0x00;
+               } break;
+               case 3: { // MIFARE DESFire
+                       response1[0] = 0x04;
+                       response1[1] = 0x03;
+                       sak = 0x20;
+               } break;
+               case 4: { // ISO/IEC 14443-4 - javacard (JCOP)
+                       response1[0] = 0x04;
+                       sak = 0x28;
+               } break;
+               case 5: { // MIFARE TNP3XXX
+                       response1[0] = 0x01;
+                       response1[1] = 0x0f;
+                       sak = 0x01;
+               } break;
+               case 6: { // MIFARE Mini 320b
+                       response1[0] = 0x44;
+                       sak = 0x09;
+               } break;
+               case 7: { // NTAG
+                       response1[0] = 0x44;
+                       sak = 0x00;
+                       // PACK
+                       response8[0] = 0x80;
+                       response8[1] = 0x80;
+                       ComputeCrc14443(CRC_14443_A, response8, 2, &response8[2], &response8[3]);
+                       // uid not supplied then get from emulator memory
+                       if (data[0]==0) {
+                               uint16_t start = 4 * (0+12);  
+                               uint8_t emdata[8];
+                               emlGetMemBt( emdata, start, sizeof(emdata));
+                               memcpy(data, emdata, 3); // uid bytes 0-2
+                               memcpy(data+3, emdata+4, 4); // uid bytes 3-7
+                               flags |= FLAG_7B_UID_IN_DATA;
+                       }
+               } break;        
+               case 8: { // MIFARE Classic 4k
+                       response1[0] = 0x02;
+                       sak = 0x18;
+               } break;
+               default: {
+                       Dbprintf("Error: unkown tagtype (%d)",tagType);
+                       return;
+               } break;
+       }
+       
+       // The second response contains the (mandatory) first 24 bits of the UID
+       uint8_t response2[5] = {0x00};
 
 
-       int fdt_indicator;
+       // For UID size 7, 
+       uint8_t response2a[5] = {0x00};
+       
+       if ( (flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA ) {
+               response2[0] = 0x88;  // Cascade Tag marker
+               response2[1] = data[0];
+               response2[2] = data[1];
+               response2[3] = data[2];
+
+               response2a[0] = data[3];
+               response2a[1] = data[4];
+               response2a[2] = data[5];
+               response2a[3] = data[6]; //??
+               response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
+
+               // Configure the ATQA and SAK accordingly
+               response1[0] |= 0x40;
+               sak |= 0x04;
+               
+               cuid = bytes_to_num(data+3, 4);
+       } else {
+               memcpy(response2, data, 4);
+               // Configure the ATQA and SAK accordingly
+               response1[0] &= 0xBF;
+               sak &= 0xFB;
+               cuid = bytes_to_num(data, 4);
+       }
 
 
-    memset(receivedCmd, 0x44, 400);
+       // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
+       response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
 
 
-       // Prepare the responses of the anticollision phase
-       // there will be not enough time to do this at the moment the reader sends it REQA
+       // Prepare the mandatory SAK (for 4 and 7 byte UID)
+       uint8_t response3[3]  = {sak, 0x00, 0x00};
+       ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
 
 
-       // Answer to request
-       CodeIso14443aAsTag(response1, sizeof(response1));
-    memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
+       // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
+       uint8_t response3a[3]  = {0x00};
+       response3a[0] = sak & 0xFB;
+       ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
 
-       // Send our UID (cascade 1)
-       CodeIso14443aAsTag(response2, sizeof(response2));
-    memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
+       // Tag NONCE.
+       uint8_t response5[4]; 
+       
+       uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 };   // dummy ATS (pseudo-ATR), answer to RATS: 
+       // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
+       // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
+       // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
+       // TC(1) = 0x02: CID supported, NAD not supported
+       ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
+       
+       // Prepare GET_VERSION (different for UL EV-1 / NTAG)
+       // uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7};  //EV1 48bytes VERSION.
+       // uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215  
+       // Prepare CHK_TEARING
+       // uint8_t response9[] =  {0xBD,0x90,0x3f};
+       
+       #define TAG_RESPONSE_COUNT 10
+       tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
+               { .response = response1,  .response_n = sizeof(response1)  },  // Answer to request - respond with card type
+               { .response = response2,  .response_n = sizeof(response2)  },  // Anticollision cascade1 - respond with uid
+               { .response = response2a, .response_n = sizeof(response2a) },  // Anticollision cascade2 - respond with 2nd half of uid if asked
+               { .response = response3,  .response_n = sizeof(response3)  },  // Acknowledge select - cascade 1
+               { .response = response3a, .response_n = sizeof(response3a) },  // Acknowledge select - cascade 2
+               { .response = response5,  .response_n = sizeof(response5)  },  // Authentication answer (random nonce)
+               { .response = response6,  .response_n = sizeof(response6)  },  // dummy ATS (pseudo-ATR), answer to RATS
+
+               { .response = response8,   .response_n = sizeof(response8) }  // EV1/NTAG PACK response
+       };      
+               // { .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
+               // { .response = response9,      .response_n = sizeof(response9)     }  // EV1/NTAG CHK_TEAR response
+       
 
 
-       // Answer to select (cascade1)
-       CodeIso14443aAsTag(response3, sizeof(response3));
-    memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
+       // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
+       // Such a response is less time critical, so we can prepare them on the fly
+       #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
+       #define DYNAMIC_MODULATION_BUFFER_SIZE 512
+       uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
+       uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
+       tag_response_info_t dynamic_response_info = {
+               .response = dynamic_response_buffer,
+               .response_n = 0,
+               .modulation = dynamic_modulation_buffer,
+               .modulation_n = 0
+       };
+  
+       // We need to listen to the high-frequency, peak-detected path.
+       iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
 
-       // Send the cascade 2 2nd part of the uid
-       CodeIso14443aAsTag(response2a, sizeof(response2a));
-    memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
+       BigBuf_free_keep_EM();
+       clear_trace();
+       set_tracing(TRUE);
 
 
-       // Answer to select (cascade 2)
-       CodeIso14443aAsTag(response3a, sizeof(response3a));
-    memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
+       // allocate buffers:
+       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+       uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
+       free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
 
 
-       // Strange answer is an example of rare message size (3 bits)
-       CodeStrangeAnswerAsTag();
-       memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
+       // Prepare the responses of the anticollision phase
+       // there will be not enough time to do this at the moment the reader sends it REQA
+       for (size_t i=0; i<TAG_RESPONSE_COUNT; i++)
+               prepare_allocated_tag_modulation(&responses[i]);
 
 
-       // Authentication answer (random nonce)
-       CodeIso14443aAsTag(response5, sizeof(response5));
-    memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
+       int len = 0;
 
 
-    // We need to listen to the high-frequency, peak-detected path.
-    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-    FpgaSetupSsc();
+       // To control where we are in the protocol
+       int order = 0;
+       int lastorder;
 
 
-    cmdsRecvd = 0;
+       // Just to allow some checks
+       int happened = 0;
+       int happened2 = 0;
+       int cmdsRecvd = 0;
+       tag_response_info_t* p_response;
 
 
-    LED_A_ON();
-       for(;;) {
+       LED_A_ON();
+       for(;;) {       
+               WDT_HIT();
+               
+               // Clean receive command buffer
+               if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
+                       Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
+                       break;
+               }       
+               p_response = NULL;
+               
+               // Okay, look at the command now.
+               lastorder = order;
+               if(receivedCmd[0] == ISO14443A_CMD_REQA) { // Received a REQUEST
+                       p_response = &responses[0]; order = 1;
+               } else if(receivedCmd[0] == ISO14443A_CMD_WUPA) { // Received a WAKEUP
+                       p_response = &responses[0]; order = 6;
+               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {       // Received request for UID (cascade 1)
+                       p_response = &responses[1]; order = 2;
+               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) {     // Received request for UID (cascade 2)
+                       p_response = &responses[2]; order = 20;
+               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {       // Received a SELECT (cascade 1)
+                       p_response = &responses[3]; order = 3;
+               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) {     // Received a SELECT (cascade 2)
+                       p_response = &responses[4]; order = 30;         
+               } else if(receivedCmd[0] == ISO14443A_CMD_READBLOCK) {  // Received a (plain) READ
+                       uint8_t block = receivedCmd[1];
+                       // if Ultralight or NTAG (4 byte blocks)
+                       if ( tagType == 7 || tagType == 2 ) {
+                               // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                               uint16_t start = 4 * (block+12);  
+                               uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+                               emlGetMemBt( emdata, start, 16);
+                               AppendCrc14443a(emdata, 16);
+                               EmSendCmdEx(emdata, sizeof(emdata));
+                               // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
+                               p_response = NULL;
+                       } else { // all other tags (16 byte block tags)
+                               uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+                               emlGetMemBt( emdata, block, 16);
+                               AppendCrc14443a(emdata, 16);
+                               EmSendCmdEx(emdata, sizeof(emdata));
+                               // EmSendCmdEx(data+(4*receivedCmd[1]),16);
+                               // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
+                               // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
+                               p_response = NULL;
+                       }
+               } else if(receivedCmd[0] == MIFARE_ULEV1_FASTREAD) {    // Received a FAST READ (ranged read)                           
+                       uint8_t emdata[MAX_FRAME_SIZE];
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       int start =  (receivedCmd[1]+12) * 4; 
+                       int len   = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
+                       emlGetMemBt( emdata, start, len);
+                       AppendCrc14443a(emdata, len);
+                       EmSendCmdEx(emdata, len+2);                             
+                       p_response = NULL;              
+               } else if(receivedCmd[0] == MIFARE_ULEV1_READSIG && tagType == 7) {     // Received a READ SIGNATURE -- 
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       uint16_t start = 4 * 4;
+                       uint8_t emdata[34];
+                       emlGetMemBt( emdata, start, 32);
+                       AppendCrc14443a(emdata, 32);
+                       EmSendCmdEx(emdata, sizeof(emdata));
+                       p_response = NULL;                                      
+               } else if (receivedCmd[0] == MIFARE_ULEV1_READ_CNT && tagType == 7) {   // Received a READ COUNTER -- 
+                       uint8_t index = receivedCmd[1];
+                       uint8_t cmd[] =  {0x00,0x00,0x00,0x14,0xa5};
+                       if ( counters[index] > 0) {
+                               num_to_bytes(counters[index], 3, cmd);
+                               AppendCrc14443a(cmd, sizeof(cmd)-2);
+                       }
+                       EmSendCmdEx(cmd,sizeof(cmd));                           
+                       p_response = NULL;
+               } else if (receivedCmd[0] == MIFARE_ULEV1_INCR_CNT && tagType == 7) {   // Received a INC COUNTER -- 
+                       // number of counter
+                       uint8_t counter = receivedCmd[1];
+                       uint32_t val = bytes_to_num(receivedCmd+2,4);
+                       counters[counter] = val;
+               
+                       // send ACK
+                       uint8_t ack[] = {0x0a};
+                       EmSendCmdEx(ack,sizeof(ack));
+                       p_response = NULL;                      
+               } else if(receivedCmd[0] == MIFARE_ULEV1_CHECKTEAR && tagType == 7) {   // Received a CHECK_TEARING_EVENT -- 
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       uint8_t emdata[3];
+                       uint8_t counter=0;
+                       if (receivedCmd[1]<3) counter = receivedCmd[1];
+                       emlGetMemBt( emdata, 10+counter, 1);
+                       AppendCrc14443a(emdata, sizeof(emdata)-2);
+                       EmSendCmdEx(emdata, sizeof(emdata));    
+                       p_response = NULL;              
+               } else if(receivedCmd[0] == ISO14443A_CMD_HALT) {       // Received a HALT
+                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                       p_response = NULL;
+               } else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) {   // Received an authentication request                           
+                       if ( tagType == 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request.
+                               uint8_t emdata[10];
+                               emlGetMemBt( emdata, 0, 8 );
+                               AppendCrc14443a(emdata, sizeof(emdata)-2);
+                               EmSendCmdEx(emdata, sizeof(emdata));
+                               p_response = NULL;
+                       } else {
+                                                               
+                               cardAUTHKEY = receivedCmd[0] - 0x60;
+                               cardAUTHSC = receivedCmd[1] / 4; // received block num
+                               
+                               // incease nonce at AUTH requests. this is time consuming.
+                               nonce = prand();
+                               //num_to_bytes(nonce, 4, response5);
+                               num_to_bytes(nonce, 4, dynamic_response_info.response);                         
+                               dynamic_response_info.response_n = 4;
+
+                               //prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
+                               prepare_tag_modulation(&dynamic_response_info, DYNAMIC_MODULATION_BUFFER_SIZE);
+                               p_response = &dynamic_response_info;
+                               //p_response = &responses[5]; 
+                               order = 7;
+                       }
+               } else if(receivedCmd[0] == ISO14443A_CMD_RATS) {       // Received a RATS request
+                       if (tagType == 1 || tagType == 2) {     // RATS not supported
+                               EmSend4bit(CARD_NACK_NA);
+                               p_response = NULL;
+                       } else {
+                               p_response = &responses[6]; order = 70;
+                       }
+               } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
+                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                       uint32_t nr = bytes_to_num(receivedCmd,4);
+                       uint32_t ar = bytes_to_num(receivedCmd+4,4);
+                
+                       // Collect AR/NR per keytype & sector
+                       if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
+                               
+                               int8_t index = -1;
+                               int8_t empty = -1;
+                               for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                       // find which index to use
+                                       if ( (cardAUTHSC == ar_nr_nonces[i].sector) &&  (cardAUTHKEY == ar_nr_nonces[i].keytype)) 
+                                               index = i;
+
+                                       // keep track of empty slots.
+                                       if ( ar_nr_nonces[i].state == EMPTY)
+                                               empty = i;
+                               }
+                               // if no empty slots.  Choose first and overwrite.
+                               if ( index == -1 ) {
+                                       if ( empty == -1 ) {
+                                               index = 0;
+                                               ar_nr_nonces[index].state = EMPTY;
+                                       } else {
+                                               index = empty;
+                                       }
+                               }
 
 
-               if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
-            DbpString("button press");
-            break;
-        }
-       // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
-        // Okay, look at the command now.
-        lastorder = order;
-               i = 1; // first byte transmitted
-        if(receivedCmd[0] == 0x26) {
-                       // Received a REQUEST
-                       resp = resp1; respLen = resp1Len; order = 1;
-                       //DbpString("Hello request from reader:");
-               } else if(receivedCmd[0] == 0x52) {
-                       // Received a WAKEUP
-                       resp = resp1; respLen = resp1Len; order = 6;
-//                     //DbpString("Wakeup request from reader:");
-
-               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) {   // greg - cascade 1 anti-collision
-                       // Received request for UID (cascade 1)
-                       resp = resp2; respLen = resp2Len; order = 2;
-//                     DbpString("UID (cascade 1) request from reader:");
-//                     DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
-               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) {    // greg - cascade 2 anti-collision
-                       // Received request for UID (cascade 2)
-                       resp = resp2a; respLen = resp2aLen; order = 20;
-//                     DbpString("UID (cascade 2) request from reader:");
-//                     DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
-               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) {    // greg - cascade 1 select
-                       // Received a SELECT
-                       resp = resp3; respLen = resp3Len; order = 3;
-//                     DbpString("Select (cascade 1) request from reader:");
-//                     DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
-               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) {    // greg - cascade 2 select
-                       // Received a SELECT
-                       resp = resp3a; respLen = resp3aLen; order = 30;
-//                     DbpString("Select (cascade 2) request from reader:");
-//                     DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
-               } else if(receivedCmd[0] == 0x30) {
-                       // Received a READ
-                       resp = resp4; respLen = resp4Len; order = 4; // Do nothing
-                       Dbprintf("Read request from reader: %x %x %x",
-                               receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
-               } else if(receivedCmd[0] == 0x50) {
-                       // Received a HALT
-                       resp = resp1; respLen = 0; order = 5; // Do nothing
-                       DbpString("Reader requested we HALT!:");
-
-               } else if(receivedCmd[0] == 0x60) {
-                       // Received an authentication request
-                       resp = resp5; respLen = resp5Len; order = 7;
-                       Dbprintf("Authenticate request from reader: %x %x %x",
-                               receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-               } else if(receivedCmd[0] == 0xE0) {
-                       // Received a RATS request
-                       resp = resp1; respLen = 0;order = 70;
-                       Dbprintf("RATS request from reader: %x %x %x",
-                               receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-        } else {
-            // Never seen this command before
-               Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
-                       len,
-                       receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
-                       receivedCmd[6], receivedCmd[7], receivedCmd[8]);
-                       // Do not respond
-                       resp = resp1; respLen = 0; order = 0;
-        }
+                               switch(ar_nr_nonces[index].state) {
+                                       case EMPTY: {
+                                               // first nonce collect
+                                               ar_nr_nonces[index].cuid = cuid;
+                                               ar_nr_nonces[index].sector = cardAUTHSC;
+                                               ar_nr_nonces[index].keytype = cardAUTHKEY;
+                                               ar_nr_nonces[index].nonce = nonce;
+                                               ar_nr_nonces[index].nr = nr;
+                                               ar_nr_nonces[index].ar = ar;
+                                               ar_nr_nonces[index].state = FIRST;
+                                               break;
+                                       } 
+                                       case FIRST : { 
+                                               // second nonce collect
+                                               ar_nr_nonces[index].nonce2 = nonce;
+                                               ar_nr_nonces[index].nr2 = nr;
+                                               ar_nr_nonces[index].ar2 = ar;
+                                               ar_nr_nonces[index].state = SECOND;
+
+                                               // send to client
+                                               cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
+                                               
+                                               ar_nr_nonces[index].state = EMPTY;
+                                               ar_nr_nonces[index].sector = 0;
+                                               ar_nr_nonces[index].keytype = 0;
+                                               
+                                               moebius_count++;
+                                               break;
+                                       }
+                                       default: break;
+                               }
+                       }
+                       p_response = NULL;
+                       
+               } else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
+               } else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
+                       if ( tagType == 7 ) {
+                               uint16_t start = 13; // first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
+                               uint8_t emdata[4];
+                               emlGetMemBt( emdata, start, 2);
+                               AppendCrc14443a(emdata, 2);
+                               EmSendCmdEx(emdata, sizeof(emdata));
+                               p_response = NULL;
+                               uint32_t pwd = bytes_to_num(receivedCmd+1,4);
+                               
+                               if ( MF_DBGLEVEL >= 3) Dbprintf("Auth attempt: %08x", pwd);     
+                       }
+               } else {
+                       // Check for ISO 14443A-4 compliant commands, look at left nibble
+                       switch (receivedCmd[0]) {
+                               case 0x02:
+                               case 0x03: {  // IBlock (command no CID)
+                                       dynamic_response_info.response[0] = receivedCmd[0];
+                                       dynamic_response_info.response[1] = 0x90;
+                                       dynamic_response_info.response[2] = 0x00;
+                                       dynamic_response_info.response_n = 3;
+                               } break;
+                               case 0x0B:
+                               case 0x0A: { // IBlock (command CID)
+                                 dynamic_response_info.response[0] = receivedCmd[0];
+                                 dynamic_response_info.response[1] = 0x00;
+                                 dynamic_response_info.response[2] = 0x90;
+                                 dynamic_response_info.response[3] = 0x00;
+                                 dynamic_response_info.response_n = 4;
+                               } break;
+
+                               case 0x1A:
+                               case 0x1B: { // Chaining command
+                                 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
+                                 dynamic_response_info.response_n = 2;
+                               } break;
+
+                               case 0xAA:
+                               case 0xBB: {
+                                 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
+                                 dynamic_response_info.response_n = 2;
+                               } break;
+                                 
+                               case 0xBA: { // ping / pong
+                                       dynamic_response_info.response[0] = 0xAB;
+                                       dynamic_response_info.response[1] = 0x00;
+                                       dynamic_response_info.response_n = 2;
+                               } break;
+
+                               case 0xCA:
+                               case 0xC2: { // Readers sends deselect command
+                                       dynamic_response_info.response[0] = 0xCA;
+                                       dynamic_response_info.response[1] = 0x00;
+                                       dynamic_response_info.response_n = 2;
+                               } break;
+
+                               default: {
+                                       // Never seen this command before
+                                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       Dbprintf("Received unknown command (len=%d):",len);
+                                       Dbhexdump(len,receivedCmd,false);
+                                       // Do not respond
+                                       dynamic_response_info.response_n = 0;
+                               } break;
+                       }
+      
+                       if (dynamic_response_info.response_n > 0) {
+                               // Copy the CID from the reader query
+                               dynamic_response_info.response[1] = receivedCmd[1];
+
+                               // Add CRC bytes, always used in ISO 14443A-4 compliant cards
+                               AppendCrc14443a(dynamic_response_info.response, dynamic_response_info.response_n);
+                               dynamic_response_info.response_n += 2;
+        
+                               if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
+                                       DbpString("Error preparing tag response");
+                                       LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }
+                               p_response = &dynamic_response_info;
+                       }
+               }
 
                // Count number of wakeups received after a halt
                if(order == 6 && lastorder == 5) { happened++; }
 
                // Count number of wakeups received after a halt
                if(order == 6 && lastorder == 5) { happened++; }
@@ -1213,244 +1325,207 @@ ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
                // Count number of other messages after a halt
                if(order != 6 && lastorder == 5) { happened2++; }
 
                // Count number of other messages after a halt
                if(order != 6 && lastorder == 5) { happened2++; }
 
-               // Look at last parity bit to determine timing of answer
-               if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
-                       // 1236, so correction bit needed
-                       i = 0;
+               // comment this limit if you want to simulation longer          
+               if (!tracing) {
+                       DbpString("Trace Full. Simulation stopped.");
+                       break;
                }
                }
-
-        memset(receivedCmd, 0x44, 32);
-
+               // comment this limit if you want to simulation longer
                if(cmdsRecvd > 999) {
                        DbpString("1000 commands later...");
                if(cmdsRecvd > 999) {
                        DbpString("1000 commands later...");
-            break;
-        }
-               else {
-                       cmdsRecvd++;
+                       break;
                }
                }
+               cmdsRecvd++;
 
 
-        if(respLen <= 0) continue;
-               //----------------------------
-               u = 0;
-               b = 0x00;
-               fdt_indicator = FALSE;
-
-               EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
-/*        // Modulate Manchester
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
-        AT91C_BASE_SSC->SSC_THR = 0x00;
-        FpgaSetupSsc();
-
-               // ### Transmit the response ###
-               u = 0;
-               b = 0x00;
-               fdt_indicator = FALSE;
-        for(;;) {
-            if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                               volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                (void)b;
-            }
-            if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                               if(i > respLen) {
-                                       b = 0x00;
-                                       u++;
-                               } else {
-                                       b = resp[i];
-                                       i++;
-                               }
-                               AT91C_BASE_SSC->SSC_THR = b;
-
-                if(u > 4) {
-                    break;
-                }
-            }
-                       if(BUTTON_PRESS()) {
-                           break;
-                       }
-        }
-*/
-    }
+               if (p_response != NULL) {
+                       EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n);
+                       // do the tracing for the previous reader request and this tag answer:
+                       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+                       GetParity(p_response->response, p_response->response_n, par);
+       
+                       EmLogTrace(Uart.output, 
+                                               Uart.len, 
+                                               Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, 
+                                               Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 
+                                               Uart.parity,
+                                               p_response->response, 
+                                               p_response->response_n,
+                                               LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
+                                               (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
+                                               par);
+               }
+       }
 
 
-       Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       set_tracing(FALSE);
+       BigBuf_free_keep_EM();
        LED_A_OFF();
        LED_A_OFF();
+
+       if (MF_DBGLEVEL >= 4){
+               Dbprintf("-[ Wake ups after halt  [%d]", happened);
+               Dbprintf("-[ Messages after halt  [%d]", happened2);
+               Dbprintf("-[ Num of received cmd  [%d]", cmdsRecvd);
+               Dbprintf("-[ Num of moebius tries [%d]", moebius_count);
+       }
+       
+       cmd_send(CMD_ACK,1,0,0,0,0);
 }
 
 }
 
-//-----------------------------------------------------------------------------
+// prepare a delayed transfer. This simply shifts ToSend[] by a number
+// of bits specified in the delay parameter.
+void PrepareDelayedTransfer(uint16_t delay) {
+       delay &= 0x07;
+       if (!delay) return;
+
+       uint8_t bitmask = 0;
+       uint8_t bits_to_shift = 0;
+       uint8_t bits_shifted = 0;
+       uint16_t i = 0;
+
+       for (i = 0; i < delay; ++i)
+               bitmask |= (0x01 << i);
+
+       ToSend[++ToSendMax] = 0x00;
+
+       for (i = 0; i < ToSendMax; ++i) {
+                       bits_to_shift = ToSend[i] & bitmask;
+                       ToSend[i] = ToSend[i] >> delay;
+                       ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
+                       bits_shifted = bits_to_shift;
+               }
+       }
+
+
+//-------------------------------------------------------------------------------------
 // Transmit the command (to the tag) that was placed in ToSend[].
 // Transmit the command (to the tag) that was placed in ToSend[].
-//-----------------------------------------------------------------------------
-static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
-{
-  int c;
+// Parameter timing:
+// if NULL: transfer at next possible time, taking into account
+//                     request guard time and frame delay time
+// if == 0:    transfer immediately and return time of transfer
+// if != 0: delay transfer until time specified
+//-------------------------------------------------------------------------------------
+static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing) {
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
 
 
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
+       uint32_t ThisTransferTime = 0;
 
 
-       if (wait)
-    if(*wait < 10)
-      *wait = 10;
+       if (timing) {
+               if(*timing == 0) {                                                                              // Measure time
+                       *timing = (GetCountSspClk() + 8) & 0xfffffff8;
+               } else {
+                       PrepareDelayedTransfer(*timing & 0x00000007);           // Delay transfer (fine tuning - up to 7 MF clock ticks)
+               }
+               if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
+               while(GetCountSspClk() < (*timing & 0xfffffff8));               // Delay transfer (multiple of 8 MF clock ticks)
+               LastTimeProxToAirStart = *timing;
+       } else {
+               ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
 
 
-  for(c = 0; c < *wait;) {
-    if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-      AT91C_BASE_SSC->SSC_THR = 0x00;          // For exact timing!
-      c++;
-    }
-    if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-      volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-      (void)r;
-    }
-    WDT_HIT();
-  }
-
-  c = 0;
-  for(;;) {
-    if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-      AT91C_BASE_SSC->SSC_THR = cmd[c];
-      c++;
-      if(c >= len) {
-        break;
-      }
-    }
-    if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-      volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-      (void)r;
-    }
-    WDT_HIT();
-  }
-       if (samples) *samples = (c + *wait) << 3;
+               while(GetCountSspClk() < ThisTransferTime);
+
+               LastTimeProxToAirStart = ThisTransferTime;
+       }
+       
+       // clear TXRDY
+       AT91C_BASE_SSC->SSC_THR = SEC_Y;
+
+       uint16_t c = 0;
+       for(;;) {
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+                       AT91C_BASE_SSC->SSC_THR = cmd[c];
+                       ++c;
+                       if(c >= len)
+                               break;
+               }
+       }
+       
+       NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
 }
 
 //-----------------------------------------------------------------------------
 }
 
 //-----------------------------------------------------------------------------
-// Code a 7-bit command without parity bit
-// This is especially for 0x26 and 0x52 (REQA and WUPA)
+// Prepare reader command (in bits, support short frames) to send to FPGA
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void ShortFrameFromReader(const uint8_t bt)
-{
-       int j;
-       int last;
-  uint8_t b;
+void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity) {
+       int i, j;
+       int last = 0;
+       uint8_t b;
 
        ToSendReset();
 
        // Start of Communication (Seq. Z)
        ToSend[++ToSendMax] = SEC_Z;
 
        ToSendReset();
 
        // Start of Communication (Seq. Z)
        ToSend[++ToSendMax] = SEC_Z;
-       last = 0;
-
-       b = bt;
-       for(j = 0; j < 7; j++) {
-               if(b & 1) {
-                       // Sequence X
-                       ToSend[++ToSendMax] = SEC_X;
-                       last = 1;
-               } else {
-                       if(last == 0) {
+       LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
+
+       size_t bytecount = nbytes(bits);
+       // Generate send structure for the data bits
+       for (i = 0; i < bytecount; i++) {
+               // Get the current byte to send
+               b = cmd[i];
+               size_t bitsleft = MIN((bits-(i*8)),8);
+
+               for (j = 0; j < bitsleft; j++) {
+                       if (b & 1) {
+                               // Sequence X
+                               ToSend[++ToSendMax] = SEC_X;
+                               LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
+                               last = 1;
+                       } else {
+                               if (last == 0) {
                                // Sequence Z
                                ToSend[++ToSendMax] = SEC_Z;
                                // Sequence Z
                                ToSend[++ToSendMax] = SEC_Z;
+                               LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
+                               } else {
+                                       // Sequence Y
+                                       ToSend[++ToSendMax] = SEC_Y;
+                                       last = 0;
+                               }
                        }
                        }
-                       else {
-                               // Sequence Y
-                               ToSend[++ToSendMax] = SEC_Y;
-                               last = 0;
+                       b >>= 1;
+               }
+
+               // Only transmit parity bit if we transmitted a complete byte
+               if (j == 8 && parity != NULL) {
+                       // Get the parity bit
+                       if (parity[i>>3] & (0x80 >> (i&0x0007))) {
+                               // Sequence X
+                               ToSend[++ToSendMax] = SEC_X;
+                               LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
+                               last = 1;
+                       } else {
+                               if (last == 0) {
+                                       // Sequence Z
+                                       ToSend[++ToSendMax] = SEC_Z;
+                                       LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
+                               } else {
+                                       // Sequence Y
+                                       ToSend[++ToSendMax] = SEC_Y;
+                                       last = 0;
+                               }
                        }
                }
                        }
                }
-               b >>= 1;
        }
 
        }
 
-       // End of Communication
-       if(last == 0) {
+       // End of Communication: Logic 0 followed by Sequence Y
+       if (last == 0) {
                // Sequence Z
                ToSend[++ToSendMax] = SEC_Z;
                // Sequence Z
                ToSend[++ToSendMax] = SEC_Z;
-       }
-       else {
+               LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
+       else {
                // Sequence Y
                ToSend[++ToSendMax] = SEC_Y;
                last = 0;
        }
                // Sequence Y
                ToSend[++ToSendMax] = SEC_Y;
                last = 0;
        }
-       // Sequence Y
        ToSend[++ToSendMax] = SEC_Y;
 
        ToSend[++ToSendMax] = SEC_Y;
 
-       // Just to be sure!
-       ToSend[++ToSendMax] = SEC_Y;
-       ToSend[++ToSendMax] = SEC_Y;
-       ToSend[++ToSendMax] = SEC_Y;
-
-    // Convert from last character reference to length
-    ToSendMax++;
+       // Convert to length of command:
+       ++ToSendMax;
 }
 
 //-----------------------------------------------------------------------------
 // Prepare reader command to send to FPGA
 }
 
 //-----------------------------------------------------------------------------
 // Prepare reader command to send to FPGA
-//
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
-{
-  int i, j;
-  int last;
-  uint8_t b;
-
-  ToSendReset();
-
-  // Start of Communication (Seq. Z)
-  ToSend[++ToSendMax] = SEC_Z;
-  last = 0;
-
-  // Generate send structure for the data bits
-  for (i = 0; i < len; i++) {
-    // Get the current byte to send
-    b = cmd[i];
-
-    for (j = 0; j < 8; j++) {
-      if (b & 1) {
-        // Sequence X
-         ToSend[++ToSendMax] = SEC_X;
-        last = 1;
-      } else {
-        if (last == 0) {
-          // Sequence Z
-               ToSend[++ToSendMax] = SEC_Z;
-        } else {
-          // Sequence Y
-               ToSend[++ToSendMax] = SEC_Y;
-          last = 0;
-        }
-      }
-      b >>= 1;
-    }
-
-    // Get the parity bit
-    if ((dwParity >> i) & 0x01) {
-      // Sequence X
-       ToSend[++ToSendMax] = SEC_X;
-      last = 1;
-    } else {
-      if (last == 0) {
-        // Sequence Z
-         ToSend[++ToSendMax] = SEC_Z;
-      } else {
-        // Sequence Y
-         ToSend[++ToSendMax] = SEC_Y;
-        last = 0;
-      }
-    }
-  }
-
-  // End of Communication
-  if (last == 0) {
-    // Sequence Z
-         ToSend[++ToSendMax] = SEC_Z;
-  } else {
-    // Sequence Y
-         ToSend[++ToSendMax] = SEC_Y;
-    last = 0;
-  }
-  // Sequence Y
-  ToSend[++ToSendMax] = SEC_Y;
-
-  // Just to be sure!
-  ToSend[++ToSendMax] = SEC_Y;
-  ToSend[++ToSendMax] = SEC_Y;
-  ToSend[++ToSendMax] = SEC_Y;
-
-  // Convert from last character reference to length
-  ToSendMax++;
+void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity) {
+  CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
 }
 
 //-----------------------------------------------------------------------------
 }
 
 //-----------------------------------------------------------------------------
@@ -1458,8 +1533,7 @@ void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
 // Stop when button is pressed (return 1) or field was gone (return 2)
 // Or return 0 when command is captured
 //-----------------------------------------------------------------------------
 // Stop when button is pressed (return 1) or field was gone (return 2)
 // Or return 0 when command is captured
 //-----------------------------------------------------------------------------
-static int EmGetCmd(uint8_t *received, int *len, int maxLen)
-{
+int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) {
        *len = 0;
 
        uint32_t timer = 0, vtime = 0;
        *len = 0;
 
        uint32_t timer = 0, vtime = 0;
@@ -1475,18 +1549,19 @@ static int EmGetCmd(uint8_t *received, int *len, int maxLen)
        // Set ADC to read field strength
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
        AT91C_BASE_ADC->ADC_MR =
        // Set ADC to read field strength
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
        AT91C_BASE_ADC->ADC_MR =
-                               ADC_MODE_PRESCALE(32) |
-                               ADC_MODE_STARTUP_TIME(16) |
-                               ADC_MODE_SAMPLE_HOLD_TIME(8);
+                               ADC_MODE_PRESCALE(63) |
+                               ADC_MODE_STARTUP_TIME(1) |
+                               ADC_MODE_SAMPLE_HOLD_TIME(15);
        AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
        // start ADC
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
        
        // Now run a 'software UART' on the stream of incoming samples.
        AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
        // start ADC
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
        
        // Now run a 'software UART' on the stream of incoming samples.
-       Uart.output = received;
-       Uart.byteCntMax = maxLen;
-       Uart.state = STATE_UNSYNCD;
+       UartInit(received, parity);
 
 
+       // Clear RXRDY:
+    uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+       
        for(;;) {
                WDT_HIT();
 
        for(;;) {
                WDT_HIT();
 
@@ -1498,7 +1573,7 @@ static int EmGetCmd(uint8_t *received, int *len, int maxLen)
                        analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
                        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
                        if (analogCnt >= 32) {
                        analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
                        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
                        if (analogCnt >= 32) {
-                               if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
+                               if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
                                        vtime = GetTickCount();
                                        if (!timer) timer = vtime;
                                        // 50ms no field --> card to idle state
                                        vtime = GetTickCount();
                                        if (!timer) timer = vtime;
                                        // 50ms no field --> card to idle state
@@ -1509,451 +1584,776 @@ static int EmGetCmd(uint8_t *received, int *len, int maxLen)
                                analogAVG = 0;
                        }
                }
                                analogAVG = 0;
                        }
                }
-               // transmit none
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = 0x00;
-               }
+
                // receive and test the miller decoding
                // receive and test the miller decoding
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       if(MillerDecoding((b & 0xf0) >> 4)) {
-                               *len = Uart.byteCnt;
-                               if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
-                               return 0;
-                       }
-                       if(MillerDecoding(b & 0x0f)) {
-                               *len = Uart.byteCnt;
-                               if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
+        if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+            b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+                       if(MillerDecoding(b, 0)) {
+                               *len = Uart.len;
                                return 0;
                        }
                                return 0;
                        }
-               }
+        }
        }
 }
 
        }
 }
 
-static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
-{
-       int i, u = 0;
-       uint8_t b = 0;
-
+int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen) {
+       uint8_t b;
+       uint16_t i = 0;
+       uint32_t ThisTransferTime;
+       bool correctionNeeded;
+       
        // Modulate Manchester
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
        // Modulate Manchester
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
-       AT91C_BASE_SSC->SSC_THR = 0x00;
-       FpgaSetupSsc();
-       
-       // include correction bit
-       i = 1;
-       if((Uart.parityBits & 0x01) || correctionNeeded) {
-               // 1236, so correction bit needed
-               i = 0;
+
+       // Include correction bit if necessary
+       if (Uart.bitCount == 7)
+       {
+               // Short tags (7 bits) don't have parity, determine the correct value from MSB
+               correctionNeeded = Uart.output[0] & 0x40;
+       }
+       else
+       {
+               // The parity bits are left-aligned
+               correctionNeeded = Uart.parity[(Uart.len-1)/8] & (0x80 >> ((Uart.len-1) & 7));
        }
        }
+       // 1236, so correction bit needed
+       i = (correctionNeeded) ? 0 : 1;
+
+       // clear receiving shift register and holding register
+       while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
+       b = AT91C_BASE_SSC->SSC_RHR; (void) b;
+       while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
+       b = AT91C_BASE_SSC->SSC_RHR; (void) b;
        
        
+       // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
+       for (uint8_t j = 0; j < 5; j++) {       // allow timeout - better late than never
+               while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
+               if (AT91C_BASE_SSC->SSC_RHR) break;
+       }
+
+       while ((ThisTransferTime = GetCountSspClk()) & 0x00000007);
+
+       // Clear TXRDY:
+       AT91C_BASE_SSC->SSC_THR = SEC_F;
+
        // send cycle
        // send cycle
-       for(;;) {
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       (void)b;
-               }
+       for(; i < respLen; ) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       if(i > respLen) {
-                               b = 0xff; // was 0x00
-                               u++;
-                       } else {
-                               b = resp[i];
-                               i++;
-                       }
-                       AT91C_BASE_SSC->SSC_THR = b;
-
-                       if(u > 4) break;
-               }
-               if(BUTTON_PRESS()) {
-                       break;
+                       AT91C_BASE_SSC->SSC_THR = resp[i++];
+                       FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                }
                }
+       
+               if(BUTTON_PRESS()) break;
        }
 
        }
 
+       // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
+       uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;  // twich /8 ??   >>3, 
+       for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+                       AT91C_BASE_SSC->SSC_THR = SEC_F;
+                       FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+                       i++;
+               }
+       }
+       LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded ? 8 : 0);
        return 0;
 }
 
        return 0;
 }
 
-int EmSend4bitEx(uint8_t resp, int correctionNeeded){
-  Code4bitAnswerAsTag(resp);
-       int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
-  if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
+int EmSend4bit(uint8_t resp){
+       Code4bitAnswerAsTag(resp);
+       int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
+       // do the tracing for the previous reader request and this tag answer:
+       uint8_t par[1] = {0x00};
+       GetParity(&resp, 1, par);
+       EmLogTrace(Uart.output, 
+                               Uart.len, 
+                               Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, 
+                               Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 
+                               Uart.parity,
+                               &resp, 
+                               1, 
+                               LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
+                               (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
+                               par);
        return res;
 }
 
        return res;
 }
 
-int EmSend4bit(uint8_t resp){
-       return EmSend4bitEx(resp, 0);
+int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
+       CodeIso14443aAsTagPar(resp, respLen, par);
+       int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
+       // do the tracing for the previous reader request and this tag answer:
+       EmLogTrace(Uart.output, 
+                               Uart.len, 
+                               Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, 
+                               Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 
+                               Uart.parity,
+                               resp, 
+                               respLen, 
+                               LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
+                               (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
+                               par);
+       return res;
 }
 
 }
 
-int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
-  CodeIso14443aAsTagPar(resp, respLen, par);
-       int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
-  if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
-       return res;
+int EmSendCmdEx(uint8_t *resp, uint16_t respLen){
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(resp, respLen, par);
+       return EmSendCmdExPar(resp, respLen, par);
 }
 
 }
 
-int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
-       return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
+int EmSendCmd(uint8_t *resp, uint16_t respLen){
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(resp, respLen, par);
+       return EmSendCmdExPar(resp, respLen, par);
 }
 
 }
 
-int EmSendCmd(uint8_t *resp, int respLen){
-       return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
+int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
+       return EmSendCmdExPar(resp, respLen, par);
 }
 
 }
 
-int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
-       return EmSendCmdExPar(resp, respLen, 0, par);
+bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
+                                uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity)
+{
+       // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
+       // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
+       // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
+       uint16_t reader_modlen = reader_EndTime - reader_StartTime;
+       uint16_t approx_fdt = tag_StartTime - reader_EndTime;
+       uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
+       reader_EndTime = tag_StartTime - exact_fdt;
+       reader_StartTime = reader_EndTime - reader_modlen;
+               
+       if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE))
+               return FALSE;
+       else 
+               return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE));
+
 }
 
 //-----------------------------------------------------------------------------
 // Wait a certain time for tag response
 //  If a response is captured return TRUE
 }
 
 //-----------------------------------------------------------------------------
 // Wait a certain time for tag response
 //  If a response is captured return TRUE
-//  If it takes to long return FALSE
+//  If it takes too long return FALSE
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
-{
-       // buffer needs to be 512 bytes
-       int c;
-
+static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset) {
+       uint32_t c = 0x00;
+       
        // Set FPGA mode to "reader listen mode", no modulation (listen
        // only, since we are receiving, not transmitting).
        // Signal field is on with the appropriate LED
        LED_D_ON();
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
        // Set FPGA mode to "reader listen mode", no modulation (listen
        // only, since we are receiving, not transmitting).
        // Signal field is on with the appropriate LED
        LED_D_ON();
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
-
+       
        // Now get the answer from the card
        // Now get the answer from the card
-       Demod.output = receivedResponse;
-       Demod.len = 0;
-       Demod.state = DEMOD_UNSYNCD;
+       DemodInit(receivedResponse, receivedResponsePar);
 
 
-       uint8_t b;
-       if (elapsed) *elapsed = 0;
+       // clear RXRDY:
+    uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 
 
-       c = 0;
        for(;;) {
                WDT_HIT();
 
        for(;;) {
                WDT_HIT();
 
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = 0x00;  // To make use of exact timing of next command from reader!!
-                       if (elapsed) (*elapsed)++;
-               }
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       if(c < iso14a_timeout) { c++; } else { return FALSE; }
                        b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                        b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       if(ManchesterDecoding((b>>4) & 0xf)) {
-                               *samples = ((c - 1) << 3) + 4;
-                               return TRUE;
-                       }
-                       if(ManchesterDecoding(b & 0x0f)) {
-                               *samples = c << 3;
+                       if(ManchesterDecoding(b, offset, 0)) {
+                               NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
                                return TRUE;
                                return TRUE;
+                       } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
+                               return FALSE; 
                        }
                }
        }
 }
 
                        }
                }
        }
 }
 
-void ReaderTransmitShort(const uint8_t* bt)
-{
-  int wait = 0;
-  int samples = 0;
-
-  ShortFrameFromReader(*bt);
+void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing) {
 
 
-  // Select the card
-  TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
-
-  // Store reader command in buffer
-  if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
+       CodeIso14443aBitsAsReaderPar(frame, bits, par);
+       // Send command to tag
+       TransmitFor14443a(ToSend, ToSendMax, timing);
+       if(trigger) LED_A_ON();
+  
+       LogTrace(frame, nbytes(bits), (LastTimeProxToAirStart<<4) + DELAY_ARM2AIR_AS_READER, ((LastTimeProxToAirStart + LastProxToAirDuration)<<4) + DELAY_ARM2AIR_AS_READER, par, TRUE);
 }
 
 }
 
-void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
-{
-  int wait = 0;
-  int samples = 0;
-
-  // This is tied to other size changes
-  //   uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
-  CodeIso14443aAsReaderPar(frame,len,par);
-
-  // Select the card
-  TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
-  if(trigger)
-       LED_A_ON();
-
-  // Store reader command in buffer
-  if (tracing) LogTrace(frame,len,0,par,TRUE);
+void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing) {
+  ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
 }
 
-
-void ReaderTransmit(uint8_t* frame, int len)
-{
-  // Generate parity and redirect
-  ReaderTransmitPar(frame,len,GetParity(frame,len));
+void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing) {
+       // Generate parity and redirect
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(frame, len/8, par);  
+       ReaderTransmitBitsPar(frame, len, par, timing);
 }
 
 }
 
-int ReaderReceive(uint8_t* receivedAnswer)
-{
-  int samples = 0;
-  if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
-  if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
-  if(samples == 0) return FALSE;
-  return Demod.len;
+void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing) {
+       // Generate parity and redirect
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(frame, len, par);
+       ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
 }
 
-int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
-{
-  int samples = 0;
-  if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
-  if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
-       *parptr = Demod.parityBits;
-  if(samples == 0) return FALSE;
-  return Demod.len;
+int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity) {
+       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset))
+               return FALSE;
+       LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
+       return Demod.len;
 }
 
 }
 
-/* performs iso14443a anticolision procedure
- * fills the uid pointer unless NULL
- * fills resp_data unless NULL */
-int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
-       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
-       uint8_t sel_all[]    = { 0x93,0x20 };
-       uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
-       uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
+int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) {
+       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0))
+               return FALSE;
+       LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
+       return Demod.len;
+}
 
 
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
+// performs iso14443a anticollision (optional) and card select procedure
+// fills the uid and cuid pointer unless NULL
+// fills the card info record unless NULL
+// if anticollision is false, then the UID must be provided in uid_ptr[] 
+// and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
+int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
+       uint8_t wupa[]       = { ISO14443A_CMD_WUPA };  // 0x26 - ISO14443A_CMD_REQA  0x52 - ISO14443A_CMD_WUPA
+       uint8_t sel_all[]    = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x20 };
+       uint8_t sel_uid[]    = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t rats[]       = { ISO14443A_CMD_RATS,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
+       uint8_t resp[MAX_FRAME_SIZE] = {0}; // theoretically. A usual RATS will be much smaller
+       uint8_t resp_par[MAX_PARITY_SIZE] = {0};
+       byte_t uid_resp[4] = {0};
+       size_t uid_resp_len = 0;
 
        uint8_t sak = 0x04; // cascade uid
        int cascade_level = 0;
 
        uint8_t sak = 0x04; // cascade uid
        int cascade_level = 0;
-
        int len;
        int len;
-       
-       // clear uid
-       memset(uid_ptr, 0, 8);
 
        // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
 
        // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
-       ReaderTransmitShort(wupa);
+    ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
+       
        // Receive the ATQA
        // Receive the ATQA
-       if(!ReaderReceive(resp)) return 0;
+       if(!ReaderReceive(resp, resp_par)) return 0;
+
+       if(p_hi14a_card) {
+               memcpy(p_hi14a_card->atqa, resp, 2);
+               p_hi14a_card->uidlen = 0;
+               memset(p_hi14a_card->uid,0,10);
+       }
 
 
-       if(resp_data)
-               memcpy(resp_data->atqa, resp, 2);
+       if (anticollision) {
+               // clear uid
+               if (uid_ptr)
+                       memset(uid_ptr,0,10);
+       }
+
+       // reset the PCB block number
+       iso14_pcb_blocknum = 0;
+       
+       // check for proprietary anticollision:
+       if ((resp[0] & 0x1F) == 0) return 3;
        
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
        // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
        
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
        // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
-       for(; sak & 0x04; cascade_level++)
-       {
+       for(; sak & 0x04; cascade_level++) {
                // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
                sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
 
                // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
                sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
 
+               if (anticollision) {
                // SELECT_ALL
                // SELECT_ALL
-               ReaderTransmit(sel_all,sizeof(sel_all));
-               if (!ReaderReceive(resp)) return 0;
-               if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
-               
-               // calculate crypto UID
-               if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
+                       ReaderTransmit(sel_all, sizeof(sel_all), NULL);
+                       if (!ReaderReceive(resp, resp_par)) return 0;
+
+                       if (Demod.collisionPos) {                       // we had a collision and need to construct the UID bit by bit
+                               memset(uid_resp, 0, 4);
+                               uint16_t uid_resp_bits = 0;
+                               uint16_t collision_answer_offset = 0;
+                               // anti-collision-loop:
+                               while (Demod.collisionPos) {
+                                       Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
+                                       for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) {      // add valid UID bits before collision point
+                                               uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
+                                               uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
+                                       }
+                                       uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8);                                  // next time select the card(s) with a 1 in the collision position
+                                       uid_resp_bits++;
+                                       // construct anticollosion command:
+                                       sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07);     // length of data in bytes and bits
+                                       for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
+                                               sel_uid[2+i] = uid_resp[i];
+                                       }
+                                       collision_answer_offset = uid_resp_bits%8;
+                                       ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
+                                       if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
+                               }
+                               // finally, add the last bits and BCC of the UID
+                               for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
+                                       uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
+                                       uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
+                               }
+
+                       } else {                // no collision, use the response to SELECT_ALL as current uid
+                               memcpy(uid_resp, resp, 4);
+                       }
+                       
+               } else {
+                       if (cascade_level < num_cascades - 1) {
+                               uid_resp[0] = 0x88;
+                               memcpy(uid_resp+1, uid_ptr+cascade_level*3, 3);
+                       } else {
+                               memcpy(uid_resp, uid_ptr+cascade_level*3, 4);
+                       }
+               }
+               uid_resp_len = 4;
+
+               // calculate crypto UID. Always use last 4 Bytes.
+               if(cuid_ptr)
+                       *cuid_ptr = bytes_to_num(uid_resp, 4);
 
                // Construct SELECT UID command
 
                // Construct SELECT UID command
-               memcpy(sel_uid+2,resp,5);
-               AppendCrc14443a(sel_uid,7);
-               ReaderTransmit(sel_uid,sizeof(sel_uid));
+               sel_uid[1] = 0x70;                                                                                                      // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
+               memcpy(sel_uid+2, uid_resp, 4);                                                                         // the UID received during anticollision, or the provided UID
+               sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5];         // calculate and add BCC
+               AppendCrc14443a(sel_uid, 7);                                                                            // calculate and add CRC
+               ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
 
                // Receive the SAK
 
                // Receive the SAK
-               if (!ReaderReceive(resp)) return 0;
+               if (!ReaderReceive(resp, resp_par)) return 0;
+               
                sak = resp[0];
                sak = resp[0];
+
+               // Test if more parts of the uid are coming
+               if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
+                       // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
+                       // http://www.nxp.com/documents/application_note/AN10927.pdf
+                       uid_resp[0] = uid_resp[1];
+                       uid_resp[1] = uid_resp[2];
+                       uid_resp[2] = uid_resp[3]; 
+                       uid_resp_len = 3;
+               }
+
+               if(uid_ptr && anticollision)
+                       memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
+
+               if(p_hi14a_card) {
+                       memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
+                       p_hi14a_card->uidlen += uid_resp_len;
+               }
        }
        }
-       if(resp_data) {
-               resp_data->sak = sak;
-               resp_data->ats_len = 0;
-       }
-       //--  this byte not UID, it CT.  http://www.nxp.com/documents/application_note/AN10927.pdf  page 3
-       if (uid_ptr[0] == 0x88) {  
-               memcpy(uid_ptr, uid_ptr + 1, 7);
-               uid_ptr[7] = 0;
+
+       if(p_hi14a_card) {
+               p_hi14a_card->sak = sak;
+               p_hi14a_card->ats_len = 0;
        }
 
        }
 
-       if( (sak & 0x20) == 0)
-               return 2; // non iso14443a compliant tag
+       // non iso14443a compliant tag
+       if( (sak & 0x20) == 0) return 2; 
 
        // Request for answer to select
 
        // Request for answer to select
-       if(resp_data) {  // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
-               AppendCrc14443a(rats, 2);
-               ReaderTransmit(rats, sizeof(rats));
-               
-               if (!(len = ReaderReceive(resp))) return 0;
-               
-               memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
-               resp_data->ats_len = len;
-       }
+       AppendCrc14443a(rats, 2);
+       ReaderTransmit(rats, sizeof(rats), NULL);
+
+       if (!(len = ReaderReceive(resp, resp_par))) return 0;
        
        
-       return 1;
+       if(p_hi14a_card) {
+               memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
+               p_hi14a_card->ats_len = len;
+       }
+
+       // set default timeout based on ATS
+       iso14a_set_ATS_timeout(resp);
+       return 1;       
 }
 
 }
 
-void iso14443a_setup() {
-       // Setup SSC
-       FpgaSetupSsc();
-       // Start from off (no field generated)
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
+void iso14443a_setup(uint8_t fpga_minor_mode) {
 
 
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+       // Set up the synchronous serial port
+       FpgaSetupSsc();
+       // connect Demodulated Signal to ADC:
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
-       // Now give it time to spin up.
+       LED_D_OFF();
        // Signal field is on with the appropriate LED
        // Signal field is on with the appropriate LED
-       LED_D_ON();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-       SpinDelay(200);
+       if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD ||
+               fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN)
+               LED_D_ON();
+
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
 
 
-       iso14a_timeout = 2048; //default
+       SpinDelay(20);
+       
+       // Start the timer
+       StartCountSspClk();
+       
+       // Prepare the demodulation functions
+       DemodReset();
+       UartReset();
+       NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER;
+       iso14a_set_timeout(10*106); // 20ms default     
 }
 
 }
 
-int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
+int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
+       uint8_t parity[MAX_PARITY_SIZE] = {0x00};
        uint8_t real_cmd[cmd_len+4];
        real_cmd[0] = 0x0a; //I-Block
        uint8_t real_cmd[cmd_len+4];
        real_cmd[0] = 0x0a; //I-Block
+       // put block number into the PCB
+       real_cmd[0] |= iso14_pcb_blocknum;
        real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
        memcpy(real_cmd+2, cmd, cmd_len);
        AppendCrc14443a(real_cmd,cmd_len+2);
  
        real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
        memcpy(real_cmd+2, cmd, cmd_len);
        AppendCrc14443a(real_cmd,cmd_len+2);
  
-       ReaderTransmit(real_cmd, cmd_len+4);
-       size_t len = ReaderReceive(data);
-       if(!len)
-               return -1; //DATA LINK ERROR
+       ReaderTransmit(real_cmd, cmd_len+4, NULL);
+       size_t len = ReaderReceive(data, parity);
+        //DATA LINK ERROR
+       if (!len) return 0;
        
        
+       uint8_t *data_bytes = (uint8_t *) data;
+
+       // if we received an I- or R(ACK)-Block with a block number equal to the
+       // current block number, toggle the current block number
+       if (len >= 4 // PCB+CID+CRC = 4 bytes
+                && ((data_bytes[0] & 0xC0) == 0 // I-Block
+                    || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
+                && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
+       {
+               iso14_pcb_blocknum ^= 1;
+       }
        return len;
 }
 
 
 //-----------------------------------------------------------------------------
 // Read an ISO 14443a tag. Send out commands and store answers.
        return len;
 }
 
 
 //-----------------------------------------------------------------------------
 // Read an ISO 14443a tag. Send out commands and store answers.
-//
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
-{
+void ReaderIso14443a(UsbCommand *c) {
        iso14a_command_t param = c->arg[0];
        iso14a_command_t param = c->arg[0];
-       uint8_t * cmd = c->d.asBytes;
-       size_t len = c->arg[1];
-
-       if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
-
-       if(param & ISO14A_CONNECT) {
-               iso14443a_setup();
-               ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
-               UsbSendPacket((void *)ack, sizeof(UsbCommand));
+       size_t len = c->arg[1] & 0xffff;
+       size_t lenbits = c->arg[1] >> 16;
+       uint32_t timeout = c->arg[2];
+       uint8_t *cmd = c->d.asBytes;
+       uint32_t arg0 = 0;
+       byte_t buf[USB_CMD_DATA_SIZE] = {0x00};
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+  
+       if (param & ISO14A_CONNECT)
+               clear_trace();
+
+       set_tracing(TRUE);
+
+       if (param & ISO14A_REQUEST_TRIGGER)
+               iso14a_set_trigger(TRUE);
+
+       if (param & ISO14A_CONNECT) {
+               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+               if(!(param & ISO14A_NO_SELECT)) {
+                       iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
+                       arg0 = iso14443a_select_card(NULL,card,NULL, true, 0);
+                       cmd_send(CMD_ACK, arg0, card->uidlen, 0, buf, sizeof(iso14a_card_select_t));
+                       // if it fails,  the cmdhf14a.c client quites.. however this one still executes.
+                       if ( arg0 == 0 ) return;
+               }
        }
 
        }
 
-       if(param & ISO14A_SET_TIMEOUT) {
-               iso14a_timeout = c->arg[2];
-       }
+       if (param & ISO14A_SET_TIMEOUT)
+               iso14a_set_timeout(timeout);
 
 
-       if(param & ISO14A_SET_TIMEOUT) {
-               iso14a_timeout = c->arg[2];
+       if (param & ISO14A_APDU) {
+               arg0 = iso14_apdu(cmd, len, buf);
+               cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
        }
 
        }
 
-       if(param & ISO14A_APDU) {
-               ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
-               UsbSendPacket((void *)ack, sizeof(UsbCommand));
-       }
-
-       if(param & ISO14A_RAW) {
-               if(param & ISO14A_APPEND_CRC) {
-                       AppendCrc14443a(cmd,len);
+       if (param & ISO14A_RAW) {
+               if (param & ISO14A_APPEND_CRC) {
+                       if (param & ISO14A_TOPAZMODE)
+                               AppendCrc14443b(cmd,len);
+                       else
+                               AppendCrc14443a(cmd,len);
+                       
                        len += 2;
                        len += 2;
+                       if (lenbits) lenbits += 16;
+               }
+               if (lenbits>0) {                                // want to send a specific number of bits (e.g. short commands)
+                       if (param & ISO14A_TOPAZMODE) {
+                               int bits_to_send = lenbits;
+                               uint16_t i = 0;
+                               ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL);             // first byte is always short (7bits) and no parity
+                               bits_to_send -= 7;
+                               while (bits_to_send > 0) {
+                                       ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 8), NULL, NULL);     // following bytes are 8 bit and no parity
+                                       bits_to_send -= 8;
+                               }
+                       } else {
+                       GetParity(cmd, lenbits/8, par);
+                               ReaderTransmitBitsPar(cmd, lenbits, par, NULL);                                                 // bytes are 8 bit with odd parity
+                       }
+               } else {                                        // want to send complete bytes only
+                       if (param & ISO14A_TOPAZMODE) {
+                               uint16_t i = 0;
+                               ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL);                                                // first byte: 7 bits, no paritiy
+                               while (i < len) {
+                                       ReaderTransmitBitsPar(&cmd[i++], 8, NULL, NULL);                                        // following bytes: 8 bits, no paritiy
+                               }
+               } else {
+                               ReaderTransmit(cmd,len, NULL);                                                                                  // 8 bits, odd parity
+                       }
                }
                }
-               ReaderTransmit(cmd,len);
-               ack->arg[0] = ReaderReceive(ack->d.asBytes);
-               UsbSendPacket((void *)ack, sizeof(UsbCommand));
+               arg0 = ReaderReceive(buf, par);
+               cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
        }
 
        }
 
-       if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
+       if (param & ISO14A_REQUEST_TRIGGER)
+               iso14a_set_trigger(FALSE);
 
 
-       if(param & ISO14A_NO_DISCONNECT)
+       if (param & ISO14A_NO_DISCONNECT)
                return;
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
                return;
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       set_tracing(FALSE);
        LEDsoff();
 }
        LEDsoff();
 }
+
+// Determine the distance between two nonces.
+// Assume that the difference is small, but we don't know which is first.
+// Therefore try in alternating directions.
+int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
+
+       if (nt1 == nt2) return 0;
+       
+       uint32_t nttmp1 = nt1;
+       uint32_t nttmp2 = nt2;
+
+       // 0xFFFF -- Half up and half down to find distance between nonces
+       for (uint16_t i = 1; i < 32768/8; i += 8) {
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+1;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+2;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+3;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+4;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+5;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+6;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+7;
+               
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -i;
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+1);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+2);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+3);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+4);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+5);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+6);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+7);               
+       }
+       // either nt1 or nt2 are invalid nonces 
+       return(-99999); 
+}
+
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-// Read an ISO 14443a tag. Send out commands and store answers.
-//
+// Recover several bits of the cypher stream. This implements (first stages of)
+// the algorithm described in "The Dark Side of Security by Obscurity and
+// Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
+// (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void ReaderMifare(uint32_t parameter)
-{
-       // Mifare AUTH
-       uint8_t mf_auth[]    = { 0x60,0x00,0xf5,0x7b };
-       uint8_t mf_nr_ar[]   = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
 
 
-       uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
-       traceLen = 0;
-       tracing = false;
+void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) {
+       
+       uint8_t mf_auth[]       = { keytype, block, 0x00, 0x00 };
+       uint8_t mf_nr_ar[]      = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
+       uint8_t uid[10]         = {0,0,0,0,0,0,0,0,0,0};
+       uint8_t par_list[8]     = {0,0,0,0,0,0,0,0};
+       uint8_t ks_list[8]      = {0,0,0,0,0,0,0,0};
+       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
+       uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
+       byte_t nt_diff = 0;
+       uint32_t nt = 0;
+       uint32_t previous_nt = 0;       
+       uint32_t cuid = 0;
+       
+       int32_t catch_up_cycles = 0;
+       int32_t last_catch_up = 0;
+       int32_t isOK = 0;
+       int32_t nt_distance = 0;
+       
+       uint16_t elapsed_prng_sequences = 1;
+       uint16_t consecutive_resyncs = 0;
+       uint16_t unexpected_random = 0;
+       uint16_t sync_tries = 0;
+
+       // static variables here, is re-used in the next call
+       static uint32_t nt_attacked = 0;
+       static uint32_t sync_time = 0;
+       static uint32_t sync_cycles = 0;
+       static uint8_t par_low = 0;
+       static uint8_t mf_nr_ar3 = 0;
+       
+       #define PRNG_SEQUENCE_LENGTH    (1 << 16)
+       #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
+       #define MAX_SYNC_TRIES          32
+       
+       AppendCrc14443a(mf_auth, 2);
+       
+       BigBuf_free(); BigBuf_Clear_ext(false); 
+       clear_trace();
+       set_tracing(FALSE);     
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+
+       sync_time = GetCountSspClk() & 0xfffffff8;
+       sync_cycles = PRNG_SEQUENCE_LENGTH; // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).              
+       nt_attacked = 0;
+       
+   if (MF_DBGLEVEL >= 4)       Dbprintf("Mifare::Sync %u", sync_time);
+                               
+       if (first_try) {
+               mf_nr_ar3 = 0;
+               par_low = 0;
+       } else {
+               // we were unsuccessful on a previous call. 
+               // Try another READER nonce (first 3 parity bits remain the same)
+               ++mf_nr_ar3;
+               mf_nr_ar[3] = mf_nr_ar3;
+               par[0] = par_low;
+       }
 
 
-       iso14443a_setup();
+       bool have_uid = FALSE;
+       uint8_t cascade_levels = 0;
 
 
-       LED_A_ON();
-       LED_B_OFF();
-       LED_C_OFF();
+       LED_C_ON(); 
+       uint16_t i;
+       for(i = 0; TRUE; ++i) {
 
 
-       byte_t nt_diff = 0;
-       LED_A_OFF();
-       byte_t par = 0;
-       byte_t par_mask = 0xff;
-       byte_t par_low = 0;
-       int led_on = TRUE;
-       uint8_t uid[8];
-       uint32_t cuid;
-
-       tracing = FALSE;
-       byte_t nt[4] = {0,0,0,0};
-       byte_t nt_attacked[4], nt_noattack[4];
-       byte_t par_list[8] = {0,0,0,0,0,0,0,0};
-       byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
-       num_to_bytes(parameter, 4, nt_noattack);
-       int isOK = 0, isNULL = 0;
-
-       while(TRUE)
-       {
-               LED_C_ON();
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-               SpinDelay(200);
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-               LED_C_OFF();
+               WDT_HIT();
 
                // Test if the action was cancelled
                if(BUTTON_PRESS()) {
 
                // Test if the action was cancelled
                if(BUTTON_PRESS()) {
+                       isOK = -1;
                        break;
                }
                        break;
                }
+               
+               // this part is from Piwi's faster nonce collecting part in Hardnested.
+               if (!have_uid) { // need a full select cycle to get the uid first
+                       iso14a_card_select_t card_info;         
+                       if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {
+                               if (MF_DBGLEVEL >= 4)   Dbprintf("Mifare: Can't select card (ALL)");
+                               break;
+                       }
+                       switch (card_info.uidlen) {
+                               case 4 : cascade_levels = 1; break;
+                               case 7 : cascade_levels = 2; break;
+                               case 10: cascade_levels = 3; break;
+                               default: break;
+                       }
+                       have_uid = TRUE;        
+               } else { // no need for anticollision. We can directly select the card
+                       if(!iso14443a_select_card(uid, NULL, &cuid, false, cascade_levels)) {
+                               if (MF_DBGLEVEL >= 4)   Dbprintf("Mifare: Can't select card (UID)");
+                               continue;
+                       }
+               }
+               
+               // Sending timeslot of ISO14443a frame          
+               sync_time = (sync_time & 0xfffffff8 ) + sync_cycles + catch_up_cycles;
+               catch_up_cycles = 0;
+                                                               
+               // if we missed the sync time already, advance to the next nonce repeat
+               while( GetCountSspClk() > sync_time) {
+                       ++elapsed_prng_sequences;
+                       sync_time = (sync_time & 0xfffffff8 ) + sync_cycles;
+               }               
+
+               // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
+               ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
+
+               // Receive the (4 Byte) "random" nonce from TAG
+               if (!ReaderReceive(receivedAnswer, receivedAnswerPar))
+                       continue;
+
+               previous_nt = nt;
+               nt = bytes_to_num(receivedAnswer, 4);
+               
+               // Transmit reader nonce with fake par
+               ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
+       
+               // we didn't calibrate our clock yet,
+               // iceman: has to be calibrated every time.
+               if (previous_nt && !nt_attacked) { 
 
 
-               if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
-
-               // Transmit MIFARE_CLASSIC_AUTH
-               ReaderTransmit(mf_auth, sizeof(mf_auth));
-
-               // Receive the (16 bit) "random" nonce
-               if (!ReaderReceive(receivedAnswer)) continue;
-               memcpy(nt, receivedAnswer, 4);
-
-               // Transmit reader nonce and reader answer
-               ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
+                       nt_distance = dist_nt(previous_nt, nt);
+                       
+                       // if no distance between,  then we are in sync.
+                       if (nt_distance == 0) {
+                               nt_attacked = nt;
+                       } else {
+                               if (nt_distance == -99999) { // invalid nonce received
+                                       ++unexpected_random;
+                                       if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
+                                               isOK = -3;              // Card has an unpredictable PRNG. Give up      
+                                               break;
+                                       } else {                                                
+                                               if (sync_cycles <= 0) sync_cycles += PRNG_SEQUENCE_LENGTH;
+                                               LED_B_OFF();
+                                               continue;               // continue trying...
+                                       }
+                               }
+                               
+                               if (++sync_tries > MAX_SYNC_TRIES) {
+                                       isOK = -4;                      // Card's PRNG runs at an unexpected frequency or resets unexpectedly
+                                       break;
+                               }
+                               
+                               sync_cycles = (sync_cycles - nt_distance)/elapsed_prng_sequences;
+                               
+                               if (sync_cycles <= 0)
+                                       sync_cycles += PRNG_SEQUENCE_LENGTH;
+                               
+                               if (MF_DBGLEVEL >= 4)
+                                       Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
 
 
-               // Receive 4 bit answer
-               if (ReaderReceive(receivedAnswer))
-               {
-                       if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
+                               LED_B_OFF();
+                               continue;
+                       }
+               }
+               LED_B_OFF();
 
 
-                       isNULL = (nt_attacked[0] = 0) && (nt_attacked[1] = 0) && (nt_attacked[2] = 0) && (nt_attacked[3] = 0);
-                       if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
+               if ( (nt != nt_attacked) && nt_attacked) {      // we somehow lost sync. Try to catch up again...
+                       
+                       catch_up_cycles = ABS(dist_nt(nt_attacked, nt));
+                       if (catch_up_cycles == 99999) {                 // invalid nonce received. Don't resync on that one.
+                               catch_up_cycles = 0;
+                               continue;
+                       }               
+                       // average? 
+                       catch_up_cycles /= elapsed_prng_sequences;
+               
+                       if (catch_up_cycles == last_catch_up) {
+                               ++consecutive_resyncs;
+                       } else {
+                               last_catch_up = catch_up_cycles;
+                           consecutive_resyncs = 0;
+                       }               
+                       
+                       if (consecutive_resyncs < 3) {
+                               if (MF_DBGLEVEL >= 4)
+                                       Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, catch_up_cycles, consecutive_resyncs);
+                       } else {        
+                               sync_cycles += catch_up_cycles;
+                               
+                               if (MF_DBGLEVEL >= 4) 
+                                       Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, catch_up_cycles, sync_cycles);
 
 
-                       if (nt_diff == 0)
-                       {
-                               LED_A_ON();
-                               memcpy(nt_attacked, nt, 4);
-                               par_mask = 0xf8;
-                               par_low = par & 0x07;
+                               last_catch_up = 0;
+                               catch_up_cycles = 0;
+                               consecutive_resyncs = 0;
                        }
                        }
+                       continue;
+               }
+               // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
+               if (ReaderReceive(receivedAnswer, receivedAnswerPar)) {
+                       catch_up_cycles = 8;    // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
+       
+                       if (nt_diff == 0)
+                               par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
 
 
-                       led_on = !led_on;
-                       if(led_on) LED_B_ON(); else LED_B_OFF();
-                       par_list[nt_diff] = par;
-                       ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
+                       par_list[nt_diff] = SwapBits(par[0], 8);
+                       ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;  // xor with NACK value to get keystream
 
                        // Test if the information is complete
                        if (nt_diff == 0x07) {
 
                        // Test if the information is complete
                        if (nt_diff == 0x07) {
@@ -1962,301 +2362,484 @@ void ReaderMifare(uint32_t parameter)
                        }
 
                        nt_diff = (nt_diff + 1) & 0x07;
                        }
 
                        nt_diff = (nt_diff + 1) & 0x07;
-                       mf_nr_ar[3] = nt_diff << 5;
-                       par = par_low;
+                       mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
+                       par[0] = par_low;
+                       
                } else {
                } else {
-                       if (nt_diff == 0)
-                       {
-                               par++;
+                       // No NACK.     
+                       if (nt_diff == 0 && first_try) {
+                               par[0]++;
+                               if (par[0] == 0x00) {   // tried all 256 possible parities without success. Card doesn't send NACK.
+                                       isOK = -2;
+                                       break;
+                               }
                        } else {
                        } else {
-                               par = (((par >> 3) + 1) << 3) | par_low;
+                               // Why this?
+                               par[0] = ((par[0] & 0x1F) + 1) | par_low;
                        }
                }
                        }
                }
-       }
+               
+               // reset the resyncs since we got a complete transaction on right time.
+               consecutive_resyncs = 0;
+       } // end for loop
 
 
-       LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
-       LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
-       LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
+       mf_nr_ar[3] &= 0x1F;
 
 
-       UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
-       memcpy(ack.d.asBytes + 0,  uid, 4);
-       memcpy(ack.d.asBytes + 4,  nt, 4);
-       memcpy(ack.d.asBytes + 8,  par_list, 8);
-       memcpy(ack.d.asBytes + 16, ks_list, 8);
+       if (MF_DBGLEVEL >= 4) Dbprintf("Number of sent auth requestes: %u", i);
+       
+       uint8_t buf[28] = {0x00};
+       memset(buf, 0x00, sizeof(buf));
+       num_to_bytes(cuid, 4, buf);
+       num_to_bytes(nt, 4, buf + 4);
+       memcpy(buf + 8,  par_list, 8);
+       memcpy(buf + 16, ks_list, 8);
+       memcpy(buf + 24, mf_nr_ar, 4);
                
                
-       LED_B_ON();
-       UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
-       LED_B_OFF();    
+       cmd_send(CMD_ACK, isOK, 0, 0, buf, sizeof(buf) );
 
 
-       // Thats it...
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
-       tracing = TRUE;
-       
-       if (MF_DBGLEVEL >= 1)   DbpString("COMMAND mifare FINISHED");
+       set_tracing(FALSE);
 }
 
 
 }
 
 
-//-----------------------------------------------------------------------------
-// MIFARE 1K simulate. 
-// 
-//-----------------------------------------------------------------------------
-void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
-{
+/**
+  *MIFARE 1K simulate.
+  *
+  *@param flags :
+  *    FLAG_INTERACTIVE                - In interactive mode, we are expected to finish the operation with an ACK
+  * FLAG_4B_UID_IN_DATA                - use 4-byte UID in the data-section
+  * FLAG_7B_UID_IN_DATA                - use 7-byte UID in the data-section
+  * FLAG_10B_UID_IN_DATA       - use 10-byte UID in the data-section
+  * FLAG_UID_IN_EMUL           - use 4-byte UID from emulator memory
+  *    FLAG_NR_AR_ATTACK               - collect NR_AR responses for bruteforcing later
+  *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
+  */
+void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) {
+
+       // init pseudorand
+       fast_prand( GetTickCount() );
+       
        int cardSTATE = MFEMUL_NOFIELD;
        int cardSTATE = MFEMUL_NOFIELD;
-       int _7BUID = 0;
+       int _UID_LEN = 0;  // 4, 7, 10
        int vHf = 0;    // in mV
        int vHf = 0;    // in mV
-       int nextCycleTimeout = 0;
-       int res;
-       uint32_t timer = 0;
+       int res = 0;
        uint32_t selTimer = 0;
        uint32_t authTimer = 0;
        uint32_t selTimer = 0;
        uint32_t authTimer = 0;
-       uint32_t par = 0;
-       int len = 0;
+       uint16_t len = 0;
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
        uint32_t cuid = 0;
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
        uint32_t cuid = 0;
+       uint32_t ans = 0;
+       uint32_t cardINTREG = 0;
+       uint8_t cardINTBLOCK = 0;
        struct Crypto1State mpcs = {0, 0};
        struct Crypto1State *pcs;
        pcs = &mpcs;
        struct Crypto1State mpcs = {0, 0};
        struct Crypto1State *pcs;
        pcs = &mpcs;
+       uint32_t numReads = 0;  // Counts numer of times reader read a block
+       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
+       uint8_t response[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t response_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
        
        
-       uint64_t key64 = 0xffffffffffffULL;
+       uint8_t atqa[]   = {0x04, 0x00}; // Mifare classic 1k
+       uint8_t sak_4[]  = {0x0C, 0x00, 0x00}; // CL1 - 4b uid
+       uint8_t sak_7[]  = {0x0C, 0x00, 0x00}; // CL2 - 7b uid
+       uint8_t sak_10[] = {0x0C, 0x00, 0x00}; // CL3 - 10b uid
+       // uint8_t sak[] = {0x09, 0x3f, 0xcc };  // Mifare Mini 
        
        
-       uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
-       uint8_t *response = eml_get_bigbufptr_sendbuf();
+       uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
+       uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
+       uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
+
+       // TAG Nonce - Authenticate response
+       uint8_t rAUTH_NT[4];
+       uint32_t nonce = prand();
+       num_to_bytes(nonce, 4, rAUTH_NT);
        
        
-       static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
-
-       static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
-       static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
-               
-       static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
-       static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
-
-       static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
-       static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
-       
-       // clear trace
-       traceLen = 0;
-       tracing = true;
-       
-       // get UID from emul memory
-       emlGetMemBt(receivedCmd, 7, 1);
-       _7BUID = !(receivedCmd[0] == 0x00);
-       if (!_7BUID) {                     // ---------- 4BUID
-               rATQA[0] = 0x04;
-
-               emlGetMemBt(rUIDBCC1, 0, 4);
-               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-       } else {                           // ---------- 7BUID
-               rATQA[0] = 0x44;
-
-               rUIDBCC1[0] = 0x88;
-               emlGetMemBt(&rUIDBCC1[1], 0, 3);
-               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-               emlGetMemBt(rUIDBCC2, 3, 4);
-               rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+       // uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this?
+       uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
+       
+       // Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2
+       // This can be used in a reader-only attack.
+       nonces_t ar_nr_nonces[ATTACK_KEY_COUNT];
+       memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
+
+       // -- Determine the UID
+       // Can be set from emulator memory or incoming data
+       // Length: 4,7,or 10 bytes
+       if ( (flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL)
+               emlGetMemBt(datain, 0, 10);  // load 10bytes from EMUL to the datain pointer. to be used below.
+       
+       if ( (flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) {
+               memcpy(rUIDBCC1, datain, 4);
+               _UID_LEN = 4;
+       } else if ( (flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA) {
+               memcpy(&rUIDBCC1[1], datain,   3);
+               memcpy( rUIDBCC2,    datain+3, 4);
+               _UID_LEN = 7;
+       } else if ( (flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) {
+               memcpy(&rUIDBCC1[1], datain,   3);
+               memcpy(&rUIDBCC2[1], datain+3, 3);
+               memcpy( rUIDBCC3,    datain+6, 4);
+               _UID_LEN = 10;
        }
 
        }
 
-// --------------------------------------      test area
-
-   // Authenticate response - nonce
-    uint8_t *resp1 = (((uint8_t *)BigBuf) + EML_RESPONSES);
-    int resp1Len;
-//    uint8_t *resp2 = (((uint8_t *)BigBuf) + EML_RESPONSES + 200);
-//    int resp2Len;
-       CodeIso14443aAsTag(rAUTH_NT, sizeof(rAUTH_NT));
-    memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
-               
-       timer = GetTickCount();
-       uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
-       uint32_t rn_enc = 0x98d76b77; // !!!!!!!!!!!!!!!!!
-       uint32_t ans = 0;
-       cuid = bytes_to_num(rUIDBCC1, 4);
-/*     
-       crypto1_create(pcs, key64);
-  crypto1_word(pcs, cuid ^ nonce, 0);
-  crypto1_word(pcs, rn_enc , 1);
-  crypto1_word(pcs, 0, 0);
-  ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
-       num_to_bytes(ans, 4, rAUTH_AT);
-       CodeIso14443aAsTag(rAUTH_AT, sizeof(rAUTH_AT));
-  memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
-       Dbprintf("crypto auth time: %d", GetTickCount() - timer);
-*/
-// --------------------------------------      END test area
-       // start mkseconds counter
-       StartCountUS();
-
+       switch (_UID_LEN) {
+               case 4:
+                       sak_4[0] &= 0xFB;               
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC1, 4);
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("4B UID: %02x%02x%02x%02x", 
+                                       rUIDBCC1[0],
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3]
+                               );
+                       }
+                       break;
+               case 7:
+                       atqa[0] |= 0x40;
+                       sak_7[0] &= 0xFB;                                               
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC2, 4);                       
+                        // CascadeTag, CT
+                       rUIDBCC1[0] = 0x88;
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; 
+                       rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; 
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3],
+                                       rUIDBCC2[0],
+                                       rUIDBCC2[1],
+                                       rUIDBCC2[2],
+                                       rUIDBCC2[3]
+                               );
+                       }
+                       break;
+               case 10:
+                       atqa[0] |= 0x80;
+                       sak_10[0] &= 0xFB;                                      
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC3, 4);
+                        // CascadeTag, CT
+                       rUIDBCC1[0] = 0x88;
+                       rUIDBCC2[0] = 0x88;
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+                       rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+                       rUIDBCC3[4] = rUIDBCC3[0] ^ rUIDBCC3[1] ^ rUIDBCC3[2] ^ rUIDBCC3[3];
+
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("10B UID: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3],
+                                       rUIDBCC2[1],
+                                       rUIDBCC2[2],
+                                       rUIDBCC2[3],
+                                       rUIDBCC3[0],
+                                       rUIDBCC3[1],
+                                       rUIDBCC3[2],
+                                       rUIDBCC3[3]
+                               );
+                       }
+                       break;
+               default: 
+                       break;
+       }
+       // calc some crcs
+       ComputeCrc14443(CRC_14443_A, sak_4, 1, &sak_4[1], &sak_4[2]);
+       ComputeCrc14443(CRC_14443_A, sak_7, 1, &sak_7[1], &sak_7[2]);
+       ComputeCrc14443(CRC_14443_A, sak_10, 1, &sak_10[1], &sak_10[2]);
+       
        // We need to listen to the high-frequency, peak-detected path.
        // We need to listen to the high-frequency, peak-detected path.
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-       FpgaSetupSsc();
+       iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
 
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-       SpinDelay(200);
+       // free eventually allocated BigBuf memory but keep Emulator Memory
+       BigBuf_free_keep_EM();
+       clear_trace();
+       set_tracing(TRUE);
 
 
-       Dbprintf("--> start. 7buid=%d", _7BUID);
-       // calibrate mkseconds counter
-       GetDeltaCountUS();
-       while (true) {
+       bool finished = FALSE;
+       while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) {
                WDT_HIT();
 
                WDT_HIT();
 
-               if(BUTTON_PRESS()) {
-                       break;
-               }
-
                // find reader field
                // find reader field
-               // Vref = 3300mV, and an 10:1 voltage divider on the input
-               // can measure voltages up to 33000 mV
                if (cardSTATE == MFEMUL_NOFIELD) {
                if (cardSTATE == MFEMUL_NOFIELD) {
-                       vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
+                       vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
                        if (vHf > MF_MINFIELDV) {
                        if (vHf > MF_MINFIELDV) {
-                               cardSTATE = MFEMUL_IDLE;
+                               cardSTATE_TO_IDLE();
                                LED_A_ON();
                        }
                } 
                                LED_A_ON();
                        }
                } 
-
-               if (cardSTATE != MFEMUL_NOFIELD) {
-                       res = EmGetCmd(receivedCmd, &len, 100); // (+ nextCycleTimeout)
-                       if (res == 2) {
-                               cardSTATE = MFEMUL_NOFIELD;
-                               LEDsoff();
-                               continue;
-                       }
-                       if(res) break;
+               if (cardSTATE == MFEMUL_NOFIELD) continue;
+
+               // Now, get data
+               res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
+               if (res == 2) { //Field is off!
+                       cardSTATE = MFEMUL_NOFIELD;
+                       LEDsoff();
+                       continue;
+               } else if (res == 1) {
+                       break;  // return value 1 means button press
                }
                }
-               
-               nextCycleTimeout = 0;
-               
-//             if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
-
-               if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
-                       // REQ or WUP request in ANY state and WUP in HALTED state
-                       if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
-                               selTimer = GetTickCount();
-                               EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
-                               cardSTATE = MFEMUL_SELECT1;
-
-                               // init crypto block
-                               LED_B_OFF();
-                               LED_C_OFF();
-                               crypto1_destroy(pcs);
-                               cardAUTHKEY = 0xff;
-                       }
+                       
+               // REQ or WUP request in ANY state and WUP in HALTED state
+               // this if-statement doesn't match the specification above. (iceman)
+               if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
+                       selTimer = GetTickCount();
+                       EmSendCmdEx(atqa, sizeof(atqa));
+                       cardSTATE = MFEMUL_SELECT1;
+                       crypto1_destroy(pcs);
+                       cardAUTHKEY = 0xff;
+                       LEDsoff();
+                       nonce = prand(); 
+                       continue;
                }
                
                switch (cardSTATE) {
                }
                
                switch (cardSTATE) {
-                       case MFEMUL_NOFIELD:{
-                               break;
-                       }
-                       case MFEMUL_HALTED:{
-                               break;
-                       }
+                       case MFEMUL_NOFIELD:
+                       case MFEMUL_HALTED:
                        case MFEMUL_IDLE:{
                        case MFEMUL_IDLE:{
+                               LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                break;
                        }
                        case MFEMUL_SELECT1:{
                                break;
                        }
                        case MFEMUL_SELECT1:{
-                               // select all
-                               if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
+                                       if (MF_DBGLEVEL >= 4)   Dbprintf("SELECT ALL received");
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
+                                       break;
                                }
                                }
-
                                // select card
                                if (len == 9 && 
                                // select card
                                if (len == 9 && 
-                                               (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
-                                       if (!_7BUID) 
-                                               EmSendCmd(rSAK, sizeof(rSAK));
-                                       else
-                                               EmSendCmd(rSAK1, sizeof(rSAK1));
-
-                                       cuid = bytes_to_num(rUIDBCC1, 4);
-                                       if (!_7BUID) {
-                                               cardSTATE = MFEMUL_WORK;
-                                       } else {
-                                               cardSTATE = MFEMUL_SELECT2;
-                                               break;
+                                               ( receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT &&
+                                                 receivedCmd[1] == 0x70 && 
+                                                 memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
+                                       
+                                       // SAK 4b 
+                                       EmSendCmd(sak_4, sizeof(sak_4));
+                                       switch(_UID_LEN){
+                                               case 4:
+                                                       cardSTATE = MFEMUL_WORK;
+                                                       LED_B_ON();
+                                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
+                                                       continue;
+                                               case 7:
+                                               case 10:
+                                                       cardSTATE = MFEMUL_SELECT2;
+                                                       continue;
+                                               default:break;
                                        }
                                        }
-                                       LED_B_ON();
-                                       Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
+                               } else {
+                                       cardSTATE_TO_IDLE();
                                }
                                }
-                               
                                break;
                        }
                        case MFEMUL_SELECT2:{
                                break;
                        }
                        case MFEMUL_SELECT2:{
-                               if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
+                               if (!len) { 
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
                                        EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
                                        break;
                                }
                                        EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
                                        break;
                                }
-
-                               // select 2 card
                                if (len == 9 && 
                                if (len == 9 && 
-                                               (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
-                                       EmSendCmd(rSAK, sizeof(rSAK));
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 &&
+                                                receivedCmd[1] == 0x70 && 
+                                                memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0) ) {
+                                                        
+                                       EmSendCmd(sak_7, sizeof(sak_7));
+                                       switch(_UID_LEN){
+                                               case 7:
+                                                       cardSTATE = MFEMUL_WORK;
+                                                       LED_B_ON();
+                                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+                                                       continue;
+                                               case 10:
+                                                       cardSTATE = MFEMUL_SELECT3;
+                                                       continue;
+                                               default:break;
+                                       }
+                               } 
+                               cardSTATE_TO_IDLE();
+                               break;
+                       }
+                       case MFEMUL_SELECT3:{
+                               if (!len) { 
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && receivedCmd[1] == 0x20)) {
+                                       EmSendCmd(rUIDBCC3, sizeof(rUIDBCC3));
+                                       break;
+                               }
+                               if (len == 9 && 
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 &&
+                                                receivedCmd[1] == 0x70 && 
+                                                memcmp(&receivedCmd[2], rUIDBCC3, 4) == 0) ) {
 
 
-                                       cuid = bytes_to_num(rUIDBCC2, 4);
+                                       EmSendCmd(sak_10, sizeof(sak_10));
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
-                                       Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol3 time: %d", GetTickCount() - selTimer);
                                        break;
                                }
                                        break;
                                }
-                               // TODO: goto work state - i guess there is a command
+                               cardSTATE_TO_IDLE();
                                break;
                        }
                        case MFEMUL_AUTH1:{
                                break;
                        }
                        case MFEMUL_AUTH1:{
-                               if (len == 8) {
-// ---------------------------------
-       rn_enc = bytes_to_num(receivedCmd, 4);
-       crypto1_create(pcs, key64);
-  crypto1_word(pcs, cuid ^ nonce, 0);
-  crypto1_word(pcs, rn_enc , 1);
-  crypto1_word(pcs, 0, 0);
-  ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
-       num_to_bytes(ans, 4, rAUTH_AT);
-// ---------------------------------
-                               EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
-                                       cardSTATE = MFEMUL_AUTH2;
-                               } else {
-                                       cardSTATE = MFEMUL_IDLE;
-                                       LED_B_OFF();
-                                       LED_C_OFF();
+                               if( len != 8) {
+                                       cardSTATE_TO_IDLE();
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }
+
+                               uint32_t nr = bytes_to_num(receivedCmd, 4);
+                               uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
+
+                               // Collect AR/NR per keytype & sector
+                               if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
+                                       
+                                       int8_t index = -1;
+                                       int8_t empty = -1;
+                                       for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                               // find which index to use
+                                               if ( (cardAUTHSC == ar_nr_nonces[i].sector) &&  (cardAUTHKEY == ar_nr_nonces[i].keytype)) 
+                                                       index = i;
+
+                                               // keep track of empty slots.
+                                               if ( ar_nr_nonces[i].state == EMPTY)
+                                                       empty = i;
+                                       }
+                                       // if no empty slots.  Choose first and overwrite.
+                                       if ( index == -1 ) {
+                                               if ( empty == -1 ) {
+                                                       index = 0;
+                                                       ar_nr_nonces[index].state = EMPTY;
+                                               } else {
+                                                       index = empty;
+                                               }
+                                       }
+
+                                       switch(ar_nr_nonces[index].state) {
+                                               case EMPTY: {
+                                                       // first nonce collect
+                                                       ar_nr_nonces[index].cuid = cuid;
+                                                       ar_nr_nonces[index].sector = cardAUTHSC;
+                                                       ar_nr_nonces[index].keytype = cardAUTHKEY;
+                                                       ar_nr_nonces[index].nonce = nonce;
+                                                       ar_nr_nonces[index].nr = nr;
+                                                       ar_nr_nonces[index].ar = ar;
+                                                       ar_nr_nonces[index].state = FIRST;
+                                                       break;
+                                               } 
+                                               case FIRST : { 
+                                                       // second nonce collect
+                                                       ar_nr_nonces[index].nonce2 = nonce;
+                                                       ar_nr_nonces[index].nr2 = nr;
+                                                       ar_nr_nonces[index].ar2 = ar;
+                                                       ar_nr_nonces[index].state = SECOND;
+
+                                                       // send to client
+                                                       cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
+                                                       
+                                                       ar_nr_nonces[index].state = EMPTY;
+                                                       ar_nr_nonces[index].sector = 0;
+                                                       ar_nr_nonces[index].keytype = 0;
+                                                       break;
+                                               }
+                                               default: break;
+                                       }
                                }
                                }
-                               if (cardSTATE != MFEMUL_AUTH2) break;
-                       }
-                       case MFEMUL_AUTH2:{
-                               // test auth info here...
 
 
+                               crypto1_word(pcs, nr , 1);
+                               uint32_t cardRr = ar ^ crypto1_word(pcs, 0, 0);
+                               
+                               //test if auth OK
+                               if (cardRr != prng_successor(nonce, 64)){
+                                       
+                                       if (MF_DBGLEVEL >= 3) {
+                                               Dbprintf("AUTH FAILED for sector %d with key %c. [nr=%08x  cardRr=%08x] [nt=%08x succ=%08x]"
+                                                       , cardAUTHSC
+                                                       , (cardAUTHKEY == 0) ? 'A' : 'B'
+                                                       , nr
+                                                       , cardRr
+                                                       , nonce // nt
+                                                       , prng_successor(nonce, 64)
+                                               );
+                                       }
+                                       // Shouldn't we respond anything here?
+                                       // Right now, we don't nack or anything, which causes the
+                                       // reader to do a WUPA after a while. /Martin
+                                       // -- which is the correct response. /piwi
+                                       cardSTATE_TO_IDLE();
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }
+                               
+                               ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
+                               num_to_bytes(ans, 4, rAUTH_AT);
+                               EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
                                LED_C_ON();
                                LED_C_ON();
+                               
+                               if (MF_DBGLEVEL >= 1) {
+                                       Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", 
+                                               cardAUTHSC, 
+                                               cardAUTHKEY == 0 ? 'A' : 'B',
+                                               GetTickCount() - authTimer
+                                       );
+                               }
                                cardSTATE = MFEMUL_WORK;
                                cardSTATE = MFEMUL_WORK;
-Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
                                break;
                        }
                        case MFEMUL_WORK:{
                                break;
                        }
                        case MFEMUL_WORK:{
-                               // auth
-                               if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
-authTimer = GetTickCount();
-//                                     EmSendCmd(rAUTH_NT, sizeof(rAUTH_NT));
-//SpinDelayUs(190);
-                                       EmSendCmd14443aRaw(resp1, resp1Len, 0);
-LogTrace(NULL, 0, GetDeltaCountUS(), 0, TRUE);
-//                                     crypto1_create(pcs, key64);
-//                                     if (cardAUTHKEY == 0xff) { // first auth
-//                                     crypto1_word(pcs, cuid ^ bytes_to_num(rAUTH_NT, 4), 0); // uid ^ nonce
-//                                     } else { // nested auth
-//                                     }
-
-                                       cardAUTHSC = receivedCmd[1] / 4;  // received block num
-                                       cardAUTHKEY = receivedCmd[0] - 0x60;
+                               if (len == 0) {
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }               
+                               bool encrypted_data = (cardAUTHKEY != 0xFF) ;
+
+                               if(encrypted_data)
+                                       mf_crypto1_decrypt(pcs, receivedCmd, len);
+                               
+                               if (len == 4 && (receivedCmd[0] == MIFARE_AUTH_KEYA || 
+                                                receivedCmd[0] == MIFARE_AUTH_KEYB)  ) {
+
+                                       authTimer = GetTickCount();
+                                       cardAUTHSC = receivedCmd[1] / 4;  // received block -> sector
+                                       cardAUTHKEY = receivedCmd[0] & 0x1;
+                                       crypto1_destroy(pcs);
+                                       
+                                       // load key into crypto
+                                       crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
+
+                                       if (!encrypted_data) {
+                                               // first authentication
+                                               // Update crypto state init  (UID ^ NONCE)
+                                               crypto1_word(pcs, cuid ^ nonce, 0);
+                                               num_to_bytes(nonce, 4, rAUTH_AT);
+                                       } else {
+                                               // nested authentication
+                                               ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
+                                               num_to_bytes(ans, 4, rAUTH_AT);
+
+                                               if (MF_DBGLEVEL >= 3) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %c", receivedCmd[1], receivedCmd[1],  cardAUTHKEY == 0 ? 'A' : 'B');
+                                       }
+
+                                       EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
                                        cardSTATE = MFEMUL_AUTH1;
                                        cardSTATE = MFEMUL_AUTH1;
-                                       nextCycleTimeout = 10;
                                        break;
                                }
                                
                                        break;
                                }
                                
-                               if (len == 0) break;
-                               
-                               // decrypt seqence
-                               if (cardAUTHKEY != 0xff) mf_crypto1_decrypt(pcs, receivedCmd, len);
-                               
                                // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
                                // BUT... ACK --> NACK
                                if (len == 1 && receivedCmd[0] == CARD_ACK) {
                                // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
                                // BUT... ACK --> NACK
                                if (len == 1 && receivedCmd[0] == CARD_ACK) {
@@ -2270,70 +2853,320 @@ LogTrace(NULL, 0, GetDeltaCountUS(), 0, TRUE);
                                        break;
                                }
                                
                                        break;
                                }
                                
-                               // read block
-                               if (len == 4 && receivedCmd[0] == 0x30) {
+                               if(len != 4) {
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }
+
+                               if ( receivedCmd[0] == ISO14443A_CMD_READBLOCK ||
+                                        receivedCmd[0] == ISO14443A_CMD_WRITEBLOCK ||
+                                        receivedCmd[0] == MIFARE_CMD_INC ||
+                                        receivedCmd[0] == MIFARE_CMD_DEC ||
+                                        receivedCmd[0] == MIFARE_CMD_RESTORE ||
+                                        receivedCmd[0] == MIFARE_CMD_TRANSFER ) {
+                                               
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                                break;
                                        }
                                                break;
                                        }
+
+                                       if (receivedCmd[1] / 4 != cardAUTHSC) {
+                                               EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
+                                               break;
+                                       }
+                               }
+                               // read block
+                               if (receivedCmd[0] == ISO14443A_CMD_READBLOCK) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("Reader reading block %d (0x%02x)", receivedCmd[1], receivedCmd[1]);
+
                                        emlGetMem(response, receivedCmd[1], 1);
                                        AppendCrc14443a(response, 16);
                                        emlGetMem(response, receivedCmd[1], 1);
                                        AppendCrc14443a(response, 16);
-                                       mf_crypto1_encrypt(pcs, response, 18, &par);
-                                       EmSendCmdPar(response, 18, par);
+                                       mf_crypto1_encrypt(pcs, response, 18, response_par);
+                                       EmSendCmdPar(response, 18, response_par);
+                                       numReads++;
+                                       if(exitAfterNReads > 0 && numReads >= exitAfterNReads) {
+                                               Dbprintf("%d reads done, exiting", numReads);
+                                               finished = true;
+                                       }
                                        break;
                                }
                                        break;
                                }
-                               
                                // write block
                                // write block
-                               if (len == 4 && receivedCmd[0] == 0xA0) {
-                                       if (receivedCmd[1] >= 16 * 4) {
+                               if (receivedCmd[0] == ISO14443A_CMD_WRITEBLOCK) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)", receivedCmd[1], receivedCmd[1]);
+                                       EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+                                       cardSTATE = MFEMUL_WRITEBL2;
+                                       cardWRBL = receivedCmd[1];
+                                       break;
+                               }
+                               // increment, decrement, restore
+                               if ( receivedCmd[0] == MIFARE_CMD_INC || 
+                                    receivedCmd[0] == MIFARE_CMD_DEC || 
+                                        receivedCmd[0] == MIFARE_CMD_RESTORE) {
+
+                                        if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0], receivedCmd[1], receivedCmd[1]);
+
+                                       if (emlCheckValBl(receivedCmd[1])) {
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
-                                       nextCycleTimeout = 50;
-                                       cardSTATE = MFEMUL_WRITEBL2;
+                                       if (receivedCmd[0] == MIFARE_CMD_INC)           cardSTATE = MFEMUL_INTREG_INC;
+                                       if (receivedCmd[0] == MIFARE_CMD_DEC)           cardSTATE = MFEMUL_INTREG_DEC;
+                                       if (receivedCmd[0] == MIFARE_CMD_RESTORE)       cardSTATE = MFEMUL_INTREG_REST;
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
-                       
+                               // transfer
+                               if (receivedCmd[0] == MIFARE_CMD_TRANSFER) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)", receivedCmd[0], receivedCmd[1], receivedCmd[1]);
+                                       if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
+                                               EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                                       else
+                                               EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
+                                       break;
+                               }
                                // halt
                                // halt
-                               if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
-                                       cardSTATE = MFEMUL_HALTED;
+                               if (receivedCmd[0] == ISO14443A_CMD_HALT && receivedCmd[1] == 0x00) {
                                        LED_B_OFF();
                                        LED_C_OFF();
                                        LED_B_OFF();
                                        LED_C_OFF();
-                                       Dbprintf("--> HALTED. Selected time: %d ms",  GetTickCount() - selTimer);
+                                       cardSTATE = MFEMUL_HALTED;
+                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> HALTED. Selected time: %d ms",  GetTickCount() - selTimer);
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        break;
                                }
-                               break;
-
-                               // command not allowed
-                               if (len == 4) {
+                               // RATS
+                               if (receivedCmd[0] == ISO14443A_CMD_RATS) {
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        break;
                                }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        break;
                                }
+                               // command not allowed
+                               if (MF_DBGLEVEL >= 4)   Dbprintf("Received command not allowed, nacking");
+                               EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                               break;
                        }
                        case MFEMUL_WRITEBL2:{
                        }
                        case MFEMUL_WRITEBL2:{
-                               if (len == 18){
+                               if (len == 18) {
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
                                        emlSetMem(receivedCmd, cardWRBL, 1);
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        cardSTATE = MFEMUL_WORK;
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
                                        emlSetMem(receivedCmd, cardWRBL, 1);
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        cardSTATE = MFEMUL_WORK;
+                               } else {
+                                       cardSTATE_TO_IDLE();
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                               }
+                               break;
+                       }
+                       case MFEMUL_INTREG_INC:{
+                               mf_crypto1_decrypt(pcs, receivedCmd, len);
+                               memcpy(&ans, receivedCmd, 4);
+                               if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+                                       EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                                       cardSTATE_TO_IDLE();
+                                       break;
+                               } 
+                               LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                               cardINTREG = cardINTREG + ans;
+                               cardSTATE = MFEMUL_WORK;
+                               break;
+                       }
+                       case MFEMUL_INTREG_DEC:{
+                               mf_crypto1_decrypt(pcs, receivedCmd, len);
+                               memcpy(&ans, receivedCmd, 4);
+                               if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+                                       EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                                       cardSTATE_TO_IDLE();
                                        break;
                                }
                                        break;
                                }
-Dbprintf("err write block: %d len:%d", cardWRBL, len);
+                               LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                               cardINTREG = cardINTREG - ans;
+                               cardSTATE = MFEMUL_WORK;
+                               break;
+                       }
+                       case MFEMUL_INTREG_REST:{
+                               mf_crypto1_decrypt(pcs, receivedCmd, len);
+                               memcpy(&ans, receivedCmd, 4);
+                               if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
+                                       EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                                       cardSTATE_TO_IDLE();
+                                       break;
+                               }
+                               LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                               cardSTATE = MFEMUL_WORK;
                                break;
                        }
                                break;
                        }
-               
                }
                }
-       
        }
 
        }
 
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       if (MF_DBGLEVEL >= 1) 
+               Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
+       
+       cmd_send(CMD_ACK,1,0,0,0,0);    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        LEDsoff();
+       set_tracing(FALSE);
+}
+
 
 
-       // add trace trailer
-       memset(rAUTH_NT, 0x44, 4);
-       LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
+//-----------------------------------------------------------------------------
+// MIFARE sniffer. 
+// 
+// if no activity for 2sec, it sends the collected data to the client.
+//-----------------------------------------------------------------------------
+// "hf mf sniff"
+void RAMFUNC SniffMifare(uint8_t param) {
 
 
-       DbpString("Emulator stopped.");
+       LEDsoff();
+
+       // free eventually allocated BigBuf memory
+       BigBuf_free(); BigBuf_Clear_ext(false);
+       clear_trace();
+       set_tracing(TRUE);
+
+       // The command (reader -> tag) that we're receiving.
+       uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};    
+       uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
+
+       // The response (tag -> reader) that we're receiving.
+       uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE] = {0x00};
+       uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE] = {0x00};
+
+       iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
+
+       // allocate the DMA buffer, used to stream samples from the FPGA
+       // [iceman] is this sniffed data unsigned?
+       uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
+       uint8_t *data = dmaBuf;
+       uint8_t previous_data = 0;
+       int maxDataLen = 0;
+       int dataLen = 0;
+       bool ReaderIsActive = FALSE;
+       bool TagIsActive = FALSE;
+
+       // Set up the demodulator for tag -> reader responses.
+       DemodInit(receivedResponse, receivedResponsePar);
+
+       // Set up the demodulator for the reader -> tag commands
+       UartInit(receivedCmd, receivedCmdPar);
+
+       // Setup and start DMA.
+       // set transfer address and number of bytes. Start transfer.
+       if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+               if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+               return;
+       }
+
+       LED_D_OFF();
+
+       MfSniffInit();
+
+       // And now we loop, receiving samples.
+       for(uint32_t sniffCounter = 0;; ) {
+
+               LED_A_ON();
+               WDT_HIT();
+       
+               if(BUTTON_PRESS()) {
+                       DbpString("cancelled by button");
+                       break;
+               }
+       
+               if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
+                       // check if a transaction is completed (timeout after 2000ms).
+                       // if yes, stop the DMA transfer and send what we have so far to the client
+                       if (MfSniffSend(2000)) {                        
+                               // Reset everything - we missed some sniffed data anyway while the DMA was stopped
+                               sniffCounter = 0;
+                               data = dmaBuf;
+                               maxDataLen = 0;
+                               ReaderIsActive = FALSE;
+                               TagIsActive = FALSE;
+                               // Setup and start DMA. set transfer address and number of bytes. Start transfer.
+                               if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+                                       if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+                                       return;
+                               }                               
+                       }
+               }
+               
+               int register readBufDataP = data - dmaBuf;      // number of bytes we have processed so far
+               int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
+
+               if (readBufDataP <= dmaBufDataP)                        // we are processing the same block of data which is currently being transferred
+                       dataLen = dmaBufDataP - readBufDataP;   // number of bytes still to be processed
+               else
+                       dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
+
+               // test for length of buffer
+               if(dataLen > maxDataLen) {                                      // we are more behind than ever...
+                       maxDataLen = dataLen;                                   
+                       if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
+                               Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
+                               break;
+                       }
+               }
+               if(dataLen < 1) continue;
+
+               // primary buffer was stopped ( <-- we lost data!
+               if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
+                       AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
+                       AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
+                       Dbprintf("RxEmpty ERROR, data length:%d", dataLen); // temporary
+               }
+               // secondary buffer sets as primary, secondary buffer was stopped
+               if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
+                       AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
+                       AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
+               }
+
+               LED_A_OFF();
+               
+               if (sniffCounter & 0x01) {
+
+                       // no need to try decoding tag data if the reader is sending
+                       if(!TagIsActive) {              
+                               uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
+                               if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
+                                       LED_C_INV();
+
+                                       if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
+
+                                       UartInit(receivedCmd, receivedCmdPar);
+                                       DemodReset();
+                               }
+                               ReaderIsActive = (Uart.state != STATE_UNSYNCD);
+                       }
+                       
+                       // no need to try decoding tag data if the reader is sending
+                       if(!ReaderIsActive) {           
+                               uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
+                               if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
+                                       LED_C_INV();
+
+                                       if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
+
+                                       DemodReset();
+                                       UartInit(receivedCmd, receivedCmdPar);
+                               }
+                               TagIsActive = (Demod.state != DEMOD_UNSYNCD);
+                       }
+               }
+
+               previous_data = *data;
+               sniffCounter++;
+               data++;
+
+               if(data == dmaBuf + DMA_BUFFER_SIZE)
+                       data = dmaBuf;
+
+       } // main cycle
+       
+       if (MF_DBGLEVEL >= 1) Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
+       
+       FpgaDisableSscDma();
+       MfSniffEnd();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+       set_tracing(FALSE);
 }
 }
Proxmark3 GIT tracking
Impressum, Datenschutz