]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'master' of https://github.com/iceman1001/proxmark3
[proxmark3-svn] / armsrc / iso14443a.c
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index dfd167f071bbba2ad5b4f662fdb284174214fbf3..4bd55fb3b75d77681120a6d4c4b3150731aa63c6 100644 (file)
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -9,18 +9,7 @@
 //-----------------------------------------------------------------------------
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Routines to support ISO 14443 type A.
 //-----------------------------------------------------------------------------
-
-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
-#include "string.h"
-#include "cmd.h"
-#include "iso14443crc.h"
 #include "iso14443a.h"
 #include "iso14443a.h"
-#include "crapto1.h"
-#include "mifareutil.h"
-#include "BigBuf.h"
-#include "parity.h"
 
 static uint32_t iso14a_timeout;
 int rsamples = 0;
 
 static uint32_t iso14a_timeout;
 int rsamples = 0;
@@ -28,6 +17,8 @@ uint8_t trigger = 0;
 // the block number for the ISO14443-4 PCB
 static uint8_t iso14_pcb_blocknum = 0;
 
 // the block number for the ISO14443-4 PCB
 static uint8_t iso14_pcb_blocknum = 0;
 
+static uint8_t* free_buffer_pointer;
+
 //
 // ISO14443 timing:
 //
 //
 // ISO14443 timing:
 //
@@ -131,7 +122,6 @@ void iso14a_set_timeout(uint32_t timeout) {
 }
 
 void iso14a_set_ATS_timeout(uint8_t *ats) {
 }
 
 void iso14a_set_ATS_timeout(uint8_t *ats) {
-
        uint8_t tb1;
        uint8_t fwi; 
        uint32_t fwt;
        uint8_t tb1;
        uint8_t fwi; 
        uint32_t fwt;
@@ -145,11 +135,11 @@ void iso14a_set_ATS_timeout(uint8_t *ats) {
                                tb1 = ats[2];
 
                        fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
                                tb1 = ats[2];
 
                        fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
-                       //fwt = 256 * 16 * (1 << fwi);          // frame waiting time (FWT) in 1/fc
-                       fwt = 4096 * (1 << fwi);
+                       fwt = 256 * 16 * (1 << fwi);            // frame waiting time (FWT) in 1/fc
+                       //fwt = 4096 * (1 << fwi);
                        
                        
-                       //iso14a_set_timeout(fwt/(8*16));
-                       iso14a_set_timeout(fwt/128);
+                       iso14a_set_timeout(fwt/(8*16));
+                       //iso14a_set_timeout(fwt/128);
                }
        }
 }
                }
        }
 }
@@ -158,8 +148,7 @@ void iso14a_set_ATS_timeout(uint8_t *ats) {
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
-void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
-{
+void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par) {
        uint16_t paritybit_cnt = 0;
        uint16_t paritybyte_cnt = 0;
        uint8_t parityBits = 0;
        uint16_t paritybit_cnt = 0;
        uint16_t paritybyte_cnt = 0;
        uint8_t parityBits = 0;
@@ -178,21 +167,13 @@ void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
        }
 
        // save remaining parity bits
        }
 
        // save remaining parity bits
-       par[paritybyte_cnt] = parityBits;
-       
+       par[paritybyte_cnt] = parityBits;       
 }
 
 }
 
-void AppendCrc14443a(uint8_t* data, int len)
-{
+void AppendCrc14443a(uint8_t* data, int len) {
        ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
 }
 
        ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
 }
 
-void AppendCrc14443b(uint8_t* data, int len)
-{
-       ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
-}
-
-
 //=============================================================================
 // ISO 14443 Type A - Miller decoder
 //=============================================================================
 //=============================================================================
 // ISO 14443 Type A - Miller decoder
 //=============================================================================
@@ -224,8 +205,7 @@ const bool Mod_Miller_LUT[] = {
 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
 
 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
 
-void UartReset()
-{
+void UartReset() {
        Uart.state = STATE_UNSYNCD;
        Uart.bitCount = 0;
        Uart.len = 0;                                           // number of decoded data bytes
        Uart.state = STATE_UNSYNCD;
        Uart.bitCount = 0;
        Uart.len = 0;                                           // number of decoded data bytes
@@ -240,8 +220,7 @@ void UartReset()
        Uart.syncBit = 9999;
 }
 
        Uart.syncBit = 9999;
 }
 
-void UartInit(uint8_t *data, uint8_t *parity)
-{
+void UartInit(uint8_t *data, uint8_t *parity) {
        Uart.output = data;
        Uart.parity = parity;
        Uart.fourBits = 0x00000000;                     // clear the buffer for 4 Bits
        Uart.output = data;
        Uart.parity = parity;
        Uart.fourBits = 0x00000000;                     // clear the buffer for 4 Bits
@@ -249,14 +228,11 @@ void UartInit(uint8_t *data, uint8_t *parity)
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
-static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
-{
-
+static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
        Uart.fourBits = (Uart.fourBits << 8) | bit;
        
        if (Uart.state == STATE_UNSYNCD) {                                                                                      // not yet synced
        Uart.fourBits = (Uart.fourBits << 8) | bit;
        
        if (Uart.state == STATE_UNSYNCD) {                                                                                      // not yet synced
-       
-               Uart.syncBit = 9999;                                                                                                    // not set
+                       Uart.syncBit = 9999;                                                                                            // not set
                
                // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated           Sequence Z (a "0" or "start of communication")
                // 11111111 8 ticks unmodulation                                                                        Sequence Y (a "0" or "end of communication" or "no information")
                
                // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated           Sequence Z (a "0" or "start of communication")
                // 11111111 8 ticks unmodulation                                                                        Sequence Y (a "0" or "end of communication" or "no information")
@@ -280,12 +256,11 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
                else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
 
                if (Uart.syncBit != 9999) {                                                                                             // found a sync bit
                else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
 
                if (Uart.syncBit != 9999) {                                                                                             // found a sync bit
-                               Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
-                               Uart.startTime -= Uart.syncBit;
-                               Uart.endTime = Uart.startTime;
-                               Uart.state = STATE_START_OF_COMMUNICATION;
-                       }
-
+                       Uart.startTime = non_real_time ? non_real_time : (GetCountSspClk() & 0xfffffff8);
+                       Uart.startTime -= Uart.syncBit;
+                       Uart.endTime = Uart.startTime;
+                       Uart.state = STATE_START_OF_COMMUNICATION;
+               }
        } else {
 
                if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {                 
        } else {
 
                if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {                 
@@ -371,14 +346,10 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
                                }
                        }
                }
                                }
                        }
                }
-                       
        } 
        } 
-
     return FALSE;      // not finished yet, need more data
 }
 
     return FALSE;      // not finished yet, need more data
 }
 
-
-
 //=============================================================================
 // ISO 14443 Type A - Manchester decoder
 //=============================================================================
 //=============================================================================
 // ISO 14443 Type A - Manchester decoder
 //=============================================================================
@@ -406,9 +377,7 @@ const bool Mod_Manchester_LUT[] = {
 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
 
 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
 
-
-void DemodReset()
-{
+void DemodReset() {
        Demod.state = DEMOD_UNSYNCD;
        Demod.len = 0;                                          // number of decoded data bytes
        Demod.parityLen = 0;
        Demod.state = DEMOD_UNSYNCD;
        Demod.len = 0;                                          // number of decoded data bytes
        Demod.parityLen = 0;
@@ -418,25 +387,20 @@ void DemodReset()
        Demod.twoBits = 0xffff;                         // buffer for 2 Bits
        Demod.highCnt = 0;
        Demod.startTime = 0;
        Demod.twoBits = 0xffff;                         // buffer for 2 Bits
        Demod.highCnt = 0;
        Demod.startTime = 0;
-       Demod.endTime = 0;
-       
-       //
+       Demod.endTime = 0;      
        Demod.bitCount = 0;
        Demod.syncBit = 0xFFFF;
        Demod.samples = 0;
 }
 
        Demod.bitCount = 0;
        Demod.syncBit = 0xFFFF;
        Demod.samples = 0;
 }
 
-void DemodInit(uint8_t *data, uint8_t *parity)
-{
+void DemodInit(uint8_t *data, uint8_t *parity) {
        Demod.output = data;
        Demod.parity = parity;
        DemodReset();
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
        Demod.output = data;
        Demod.parity = parity;
        DemodReset();
 }
 
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
-static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
-{
-
+static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) {
        Demod.twoBits = (Demod.twoBits << 8) | bit;
        
        if (Demod.state == DEMOD_UNSYNCD) {
        Demod.twoBits = (Demod.twoBits << 8) | bit;
        
        if (Demod.state == DEMOD_UNSYNCD) {
@@ -464,7 +428,6 @@ static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non
                                Demod.state = DEMOD_MANCHESTER_DATA;
                        }
                }
                                Demod.state = DEMOD_MANCHESTER_DATA;
                        }
                }
-
        } else {
 
                if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) {            // modulation in first half
        } else {
 
                if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) {            // modulation in first half
@@ -535,6 +498,7 @@ static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non
 // Record the sequence of commands sent by the reader to the tag, with
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
 // Record the sequence of commands sent by the reader to the tag, with
 // triggering so that we start recording at the point that the tag is moved
 // near the reader.
+// "hf 14a sniff"
 //-----------------------------------------------------------------------------
 void RAMFUNC SniffIso14443a(uint8_t param) {
        // param:
 //-----------------------------------------------------------------------------
 void RAMFUNC SniffIso14443a(uint8_t param) {
        // param:
@@ -546,9 +510,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
        
        // Allocate memory from BigBuf for some buffers
        // free all previous allocations first
        
        // Allocate memory from BigBuf for some buffers
        // free all previous allocations first
-       BigBuf_free();
-       
-       // init trace buffer
+       BigBuf_free(); BigBuf_Clear_ext(false);
        clear_trace();
        set_tracing(TRUE);
        
        clear_trace();
        set_tracing(TRUE);
        
@@ -577,7 +539,10 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
        UartInit(receivedCmd, receivedCmdPar);
        
        // Setup and start DMA.
        UartInit(receivedCmd, receivedCmdPar);
        
        // Setup and start DMA.
-       FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+       if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+               if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+               return;
+       }
        
        // We won't start recording the frames that we acquire until we trigger;
        // a good trigger condition to get started is probably when we see a
        
        // We won't start recording the frames that we acquire until we trigger;
        // a good trigger condition to get started is probably when we see a
@@ -673,7 +638,6 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
                                        DemodReset();
                                        // And reset the Miller decoder including itS (now outdated) input buffer
                                        UartInit(receivedCmd, receivedCmdPar);
                                        DemodReset();
                                        // And reset the Miller decoder including itS (now outdated) input buffer
                                        UartInit(receivedCmd, receivedCmdPar);
-
                                        LED_C_OFF();
                                } 
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
                                        LED_C_OFF();
                                } 
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
@@ -688,20 +652,20 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
                }
        } // main cycle
 
                }
        } // main cycle
 
+       if (MF_DBGLEVEL >= 1) {
+               Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
+               Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
+       }
        FpgaDisableSscDma();
        FpgaDisableSscDma();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        LEDsoff();
-
-       Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
-       Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
-       
        set_tracing(FALSE);     
 }
 
 //-----------------------------------------------------------------------------
 // Prepare tag messages
 //-----------------------------------------------------------------------------
        set_tracing(FALSE);     
 }
 
 //-----------------------------------------------------------------------------
 // Prepare tag messages
 //-----------------------------------------------------------------------------
-static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
-{
+static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity) {
        ToSendReset();
 
        // Correction bit, might be removed when not needed
        ToSendReset();
 
        // Correction bit, might be removed when not needed
@@ -745,21 +709,17 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *par
        ToSend[++ToSendMax] = SEC_F;
 
        // Convert from last byte pos to length
        ToSend[++ToSendMax] = SEC_F;
 
        // Convert from last byte pos to length
-       ToSendMax++;
+       ++ToSendMax;
 }
 
 }
 
-static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len)
-{
+static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len) {
        uint8_t par[MAX_PARITY_SIZE] = {0};
        uint8_t par[MAX_PARITY_SIZE] = {0};
-       
        GetParity(cmd, len, par);
        CodeIso14443aAsTagPar(cmd, len, par);
 }
 
        GetParity(cmd, len, par);
        CodeIso14443aAsTagPar(cmd, len, par);
 }
 
-
-static void Code4bitAnswerAsTag(uint8_t cmd)
-{
-       int i;
+static void Code4bitAnswerAsTag(uint8_t cmd) {
+       uint8_t b = cmd;
 
        ToSendReset();
 
 
        ToSendReset();
 
@@ -776,8 +736,7 @@ static void Code4bitAnswerAsTag(uint8_t cmd)
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
 
        // Send startbit
        ToSend[++ToSendMax] = SEC_D;
 
-       uint8_t b = cmd;
-       for(i = 0; i < 4; i++) {
+       for(uint8_t i = 0; i < 4; i++) {
                if(b & 1) {
                        ToSend[++ToSendMax] = SEC_D;
                        LastProxToAirDuration = 8 * ToSendMax - 4;
                if(b & 1) {
                        ToSend[++ToSendMax] = SEC_D;
                        LastProxToAirDuration = 8 * ToSendMax - 4;
@@ -800,15 +759,14 @@ static void Code4bitAnswerAsTag(uint8_t cmd)
 // Stop when button is pressed
 // Or return TRUE when command is captured
 //-----------------------------------------------------------------------------
 // Stop when button is pressed
 // Or return TRUE when command is captured
 //-----------------------------------------------------------------------------
-static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
-{
+static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) {
     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
     // only, since we are receiving, not transmitting).
     // Signal field is off with the appropriate LED
     LED_D_OFF();
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
     // only, since we are receiving, not transmitting).
     // Signal field is off with the appropriate LED
     LED_D_OFF();
     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
-    // Now run a `software UART' on the stream of incoming samples.
+    // Now run a `software UART` on the stream of incoming samples.
        UartInit(received, parity);
 
        // clear RXRDY:
        UartInit(received, parity);
 
        // clear RXRDY:
@@ -829,26 +787,6 @@ static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int
     }
 }
 
     }
 }
 
-static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
-int EmSend4bitEx(uint8_t resp, bool correctionNeeded);
-int EmSend4bit(uint8_t resp);
-int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par);
-int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
-int EmSendCmd(uint8_t *resp, uint16_t respLen);
-int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
-bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
-                                uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
-
-static uint8_t* free_buffer_pointer;
-
-typedef struct {
-  uint8_t* response;
-  size_t   response_n;
-  uint8_t* modulation;
-  size_t   modulation_n;
-  uint32_t ProxToAirDuration;
-} tag_response_info_t;
-
 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
        // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
        // This will need the following byte array for a modulation sequence
 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
        // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
        // This will need the following byte array for a modulation sequence
@@ -860,28 +798,24 @@ bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffe
        // ----------- +
        //    166 bytes, since every bit that needs to be send costs us a byte
        //
        // ----------- +
        //    166 bytes, since every bit that needs to be send costs us a byte
        //
-  // Prepare the tag modulation bits from the message
-  CodeIso14443aAsTag(response_info->response,response_info->response_n);
-  
-  // Make sure we do not exceed the free buffer space
-  if (ToSendMax > max_buffer_size) {
-    Dbprintf("Out of memory, when modulating bits for tag answer:");
-    Dbhexdump(response_info->response_n,response_info->response,false);
-    return false;
-  }
-  
-  // Copy the byte array, used for this modulation to the buffer position
-  memcpy(response_info->modulation,ToSend,ToSendMax);
-  
-  // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
-  response_info->modulation_n = ToSendMax;
-  response_info->ProxToAirDuration = LastProxToAirDuration;
-  
-  return true;
-}
+       // Prepare the tag modulation bits from the message
+       CodeIso14443aAsTag(response_info->response,response_info->response_n);
 
 
+       // Make sure we do not exceed the free buffer space
+       if (ToSendMax > max_buffer_size) {
+               Dbprintf("Out of memory, when modulating bits for tag answer:");
+               Dbhexdump(response_info->response_n,response_info->response,false);
+               return FALSE;
+       }
+
+       // Copy the byte array, used for this modulation to the buffer position
+       memcpy(response_info->modulation,ToSend,ToSendMax);
+
+       // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
+       response_info->modulation_n = ToSendMax;
+       response_info->ProxToAirDuration = LastProxToAirDuration;
+       return TRUE;
+}
 
 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
 
 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
@@ -892,84 +826,88 @@ bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffe
 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453 
 
 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453 
 
 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
-  // Retrieve and store the current buffer index
-  response_info->modulation = free_buffer_pointer;
-  
-  // Determine the maximum size we can use from our buffer
-  size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
-  
-  // Forward the prepare tag modulation function to the inner function
-  if (prepare_tag_modulation(response_info, max_buffer_size)) {
-    // Update the free buffer offset
-    free_buffer_pointer += ToSendMax;
-    return true;
-  } else {
-    return false;
-  }
+       // Retrieve and store the current buffer index
+       response_info->modulation = free_buffer_pointer;
+
+       // Determine the maximum size we can use from our buffer
+       size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
+
+       // Forward the prepare tag modulation function to the inner function
+       if (prepare_tag_modulation(response_info, max_buffer_size)) {
+               // Update the free buffer offset
+               free_buffer_pointer += ToSendMax;
+               return true;
+       } else {
+               return false;
+       }
 }
 
 //-----------------------------------------------------------------------------
 // Main loop of simulated tag: receive commands from reader, decide what
 // response to send, and send it.
 }
 
 //-----------------------------------------------------------------------------
 // Main loop of simulated tag: receive commands from reader, decide what
 // response to send, and send it.
+// 'hf 14a sim'
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
-{
-       uint32_t counters[] = {0,0,0};
-       //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
-       // This can be used in a reader-only attack.
-       // (it can also be retrieved via 'hf 14a list', but hey...
-       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
-       uint8_t ar_nr_collected = 0;
+void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
+
+       uint8_t sak = 0;
+       uint32_t cuid = 0;                      
+       uint32_t nonce = 0;
        
        
-       uint8_t sak;
-                                       
        // PACK response to PWD AUTH for EV1/NTAG
        // PACK response to PWD AUTH for EV1/NTAG
-       uint8_t response8[4] =  {0,0,0,0};
+       uint8_t response8[4] = {0,0,0,0};
+       // Counter for EV1/NTAG
+       uint32_t counters[] = {0,0,0};
        
        // The first response contains the ATQA (note: bytes are transmitted in reverse order).
        
        // The first response contains the ATQA (note: bytes are transmitted in reverse order).
-       uint8_t response1[2] =  {0,0};
+       uint8_t response1[] = {0,0};
+
+       // Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, CUID, block2, keytyp2, NT2, NR2, AR2
+       // it should also collect block, keytype.
+       uint8_t cardAUTHSC = 0;
+       uint8_t cardAUTHKEY = 0xff;  // no authentication
+       // allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
+       #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius)
+       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
+
+       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
+       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+       uint8_t nonce1_count = 0;
+       uint8_t nonce2_count = 0;
+       uint8_t moebius_n_count = 0;
+       bool gettingMoebius = false;
+       uint8_t mM = 0; // moebius_modifier for collection storage
+
        
        switch (tagType) {
        
        switch (tagType) {
-               case 1: { // MIFARE Classic
-                       // Says: I am Mifare 1k - original line
+               case 1: { // MIFARE Classic 1k 
                        response1[0] = 0x04;
                        response1[0] = 0x04;
-                       response1[1] = 0x00;
                        sak = 0x08;
                } break;
                case 2: { // MIFARE Ultralight
                        sak = 0x08;
                } break;
                case 2: { // MIFARE Ultralight
-                       // Says: I am a stupid memory tag, no crypto
                        response1[0] = 0x44;
                        response1[0] = 0x44;
-                       response1[1] = 0x00;
                        sak = 0x00;
                } break;
                case 3: { // MIFARE DESFire
                        sak = 0x00;
                } break;
                case 3: { // MIFARE DESFire
-                       // Says: I am a DESFire tag, ph33r me
                        response1[0] = 0x04;
                        response1[1] = 0x03;
                        sak = 0x20;
                } break;
                        response1[0] = 0x04;
                        response1[1] = 0x03;
                        sak = 0x20;
                } break;
-               case 4: { // ISO/IEC 14443-4
-                       // Says: I am a javacard (JCOP)
+               case 4: { // ISO/IEC 14443-4 - javacard (JCOP)
                        response1[0] = 0x04;
                        response1[0] = 0x04;
-                       response1[1] = 0x00;
                        sak = 0x28;
                } break;
                case 5: { // MIFARE TNP3XXX
                        sak = 0x28;
                } break;
                case 5: { // MIFARE TNP3XXX
-                       // Says: I am a toy
                        response1[0] = 0x01;
                        response1[1] = 0x0f;
                        sak = 0x01;
                } break;
                        response1[0] = 0x01;
                        response1[1] = 0x0f;
                        sak = 0x01;
                } break;
-               case 6: { // MIFARE Mini
-                       // Says: I am a Mifare Mini, 320b
+               case 6: { // MIFARE Mini 320b
                        response1[0] = 0x44;
                        response1[0] = 0x44;
-                       response1[1] = 0x00;
                        sak = 0x09;
                } break;
                        sak = 0x09;
                } break;
-               case 7: { // NTAG?
-                       // Says: I am a NTAG, 
+               case 7: { // NTAG
                        response1[0] = 0x44;
                        response1[0] = 0x44;
-                       response1[1] = 0x00;
                        sak = 0x00;
                        // PACK
                        response8[0] = 0x80;
                        sak = 0x00;
                        // PACK
                        response8[0] = 0x80;
@@ -980,8 +918,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                                uint16_t start = 4 * (0+12);  
                                uint8_t emdata[8];
                                emlGetMemBt( emdata, start, sizeof(emdata));
                                uint16_t start = 4 * (0+12);  
                                uint8_t emdata[8];
                                emlGetMemBt( emdata, start, sizeof(emdata));
-                               memcpy(data, emdata, 3); //uid bytes 0-2
-                               memcpy(data+3, emdata+4, 4); //uid bytes 3-7
+                               memcpy(data, emdata, 3); // uid bytes 0-2
+                               memcpy(data+3, emdata+4, 4); // uid bytes 3-7
                                flags |= FLAG_7B_UID_IN_DATA;
                        }
                } break;                
                                flags |= FLAG_7B_UID_IN_DATA;
                        }
                } break;                
@@ -994,11 +932,11 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        // The second response contains the (mandatory) first 24 bits of the UID
        uint8_t response2[5] = {0x00};
 
        // The second response contains the (mandatory) first 24 bits of the UID
        uint8_t response2[5] = {0x00};
 
-       // Check if the uid uses the (optional) part
+       // For UID size 7, 
        uint8_t response2a[5] = {0x00};
        
        uint8_t response2a[5] = {0x00};
        
-       if (flags & FLAG_7B_UID_IN_DATA) {
-               response2[0] = 0x88;
+       if ( (flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA ) {
+               response2[0] = 0x88;  // Cascade Tag marker
                response2[1] = data[0];
                response2[2] = data[1];
                response2[3] = data[2];
                response2[1] = data[0];
                response2[2] = data[1];
                response2[3] = data[2];
@@ -1012,20 +950,21 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                // Configure the ATQA and SAK accordingly
                response1[0] |= 0x40;
                sak |= 0x04;
                // Configure the ATQA and SAK accordingly
                response1[0] |= 0x40;
                sak |= 0x04;
+               
+               cuid = bytes_to_num(data+3, 4);
        } else {
                memcpy(response2, data, 4);
        } else {
                memcpy(response2, data, 4);
-               //num_to_bytes(uid_1st,4,response2);
                // Configure the ATQA and SAK accordingly
                response1[0] &= 0xBF;
                sak &= 0xFB;
                // Configure the ATQA and SAK accordingly
                response1[0] &= 0xBF;
                sak &= 0xFB;
+               cuid = bytes_to_num(data, 4);
        }
 
        // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
        response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
 
        // Prepare the mandatory SAK (for 4 and 7 byte UID)
        }
 
        // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
        response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
 
        // Prepare the mandatory SAK (for 4 and 7 byte UID)
-       uint8_t response3[3]  = {0x00};
-       response3[0] = sak;
+       uint8_t response3[3]  = {sak, 0x00, 0x00};
        ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
 
        // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
        ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
 
        // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
@@ -1033,20 +972,22 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        response3a[0] = sak & 0xFB;
        ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
        response3a[0] = sak & 0xFB;
        ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
-       uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
-       uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: 
+       uint8_t response5[] = { 0x01, 0x01, 0x01, 0x01 };                               // Very random tag nonce
+       uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 };   // dummy ATS (pseudo-ATR), answer to RATS: 
        // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
        // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
        // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
        // TC(1) = 0x02: CID supported, NAD not supported
        ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
 
        // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
        // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
        // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
        // TC(1) = 0x02: CID supported, NAD not supported
        ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
 
-       // Prepare GET_VERSION (different for UL EV-1 / NTAG)
-       //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7};  //EV1 48bytes VERSION.
-       //uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
+       // the randon nonce
+       nonce = bytes_to_num(response5, 4);     
        
        
+       // Prepare GET_VERSION (different for UL EV-1 / NTAG)
+       // uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7};  //EV1 48bytes VERSION.
+       // uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215  
        // Prepare CHK_TEARING
        // Prepare CHK_TEARING
-       //uint8_t response9[] =  {0xBD,0x90,0x3f};
+       // uint8_t response9[] =  {0xBD,0x90,0x3f};
        
        #define TAG_RESPONSE_COUNT 10
        tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
        
        #define TAG_RESPONSE_COUNT 10
        tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
@@ -1060,8 +1001,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 
                { .response = response8,   .response_n = sizeof(response8) }  // EV1/NTAG PACK response
        };      
 
                { .response = response8,   .response_n = sizeof(response8) }  // EV1/NTAG PACK response
        };      
-               //{ .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
-               //{ .response = response9,      .response_n = sizeof(response9)     }  // EV1/NTAG CHK_TEAR response
+               // { .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
+               // { .response = response9,      .response_n = sizeof(response9)     }  // EV1/NTAG CHK_TEAR response
        
 
        // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
        
 
        // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
@@ -1081,16 +1022,14 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        BigBuf_free_keep_EM();
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        BigBuf_free_keep_EM();
+       clear_trace();
+       set_tracing(TRUE);
 
        // allocate buffers:
        uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
        uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
        free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
 
 
        // allocate buffers:
        uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
        uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
        free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
 
-       // clear trace
-       clear_trace();
-       set_tracing(TRUE);
-
        // Prepare the responses of the anticollision phase
        // there will be not enough time to do this at the moment the reader sends it REQA
        for (size_t i=0; i<TAG_RESPONSE_COUNT; i++)
        // Prepare the responses of the anticollision phase
        // there will be not enough time to do this at the moment the reader sends it REQA
        for (size_t i=0; i<TAG_RESPONSE_COUNT; i++)
@@ -1106,13 +1045,10 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        int happened = 0;
        int happened2 = 0;
        int cmdsRecvd = 0;
        int happened = 0;
        int happened2 = 0;
        int cmdsRecvd = 0;
-
-       cmdsRecvd = 0;
        tag_response_info_t* p_response;
 
        LED_A_ON();
        tag_response_info_t* p_response;
 
        LED_A_ON();
-       for(;;) {
-               
+       for(;;) {       
                WDT_HIT();
                
                // Clean receive command buffer
                WDT_HIT();
                
                // Clean receive command buffer
@@ -1120,61 +1056,67 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                        DbpString("Button press");
                        break;
                }
                        DbpString("Button press");
                        break;
                }
-
+               
+               // incease nonce at every command recieved
+               nonce++;
+               num_to_bytes(nonce, 4, response5);
+               
                p_response = NULL;
                
                // Okay, look at the command now.
                lastorder = order;
                p_response = NULL;
                
                // Okay, look at the command now.
                lastorder = order;
-               if(receivedCmd[0] == 0x26) { // Received a REQUEST
+               if(receivedCmd[0] == ISO14443A_CMD_REQA) { // Received a REQUEST
                        p_response = &responses[0]; order = 1;
                        p_response = &responses[0]; order = 1;
-               } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
+               } else if(receivedCmd[0] == ISO14443A_CMD_WUPA) { // Received a WAKEUP
                        p_response = &responses[0]; order = 6;
                        p_response = &responses[0]; order = 6;
-               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) {   // Received request for UID (cascade 1)
+               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {       // Received request for UID (cascade 1)
                        p_response = &responses[1]; order = 2;
                        p_response = &responses[1]; order = 2;
-               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) {   // Received request for UID (cascade 2)
+               } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) {     // Received request for UID (cascade 2)
                        p_response = &responses[2]; order = 20;
                        p_response = &responses[2]; order = 20;
-               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) {   // Received a SELECT (cascade 1)
+               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {       // Received a SELECT (cascade 1)
                        p_response = &responses[3]; order = 3;
                        p_response = &responses[3]; order = 3;
-               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) {   // Received a SELECT (cascade 2)
-                       p_response = &responses[4]; order = 30;
-               } else if(receivedCmd[0] == 0x30) {     // Received a (plain) READ
+               } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) {     // Received a SELECT (cascade 2)
+                       p_response = &responses[4]; order = 30;         
+               } else if(receivedCmd[0] == ISO14443A_CMD_READBLOCK) {  // Received a (plain) READ
                        uint8_t block = receivedCmd[1];
                        // if Ultralight or NTAG (4 byte blocks)
                        if ( tagType == 7 || tagType == 2 ) {
                        uint8_t block = receivedCmd[1];
                        // if Ultralight or NTAG (4 byte blocks)
                        if ( tagType == 7 || tagType == 2 ) {
-                               //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                               // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
                                uint16_t start = 4 * (block+12);  
                                uint16_t start = 4 * (block+12);  
-                                       uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
-                                       emlGetMemBt( emdata, start, 16);
-                                       AppendCrc14443a(emdata, 16);
-                                       EmSendCmdEx(emdata, sizeof(emdata), false);                             
+                               uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+                               emlGetMemBt( emdata, start, 16);
+                               AppendCrc14443a(emdata, 16);
+                               EmSendCmdEx(emdata, sizeof(emdata), false);
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        } else { // all other tags (16 byte block tags)
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        } else { // all other tags (16 byte block tags)
-                               EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
+                               uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+                               emlGetMemBt( emdata, block, 16);
+                               AppendCrc14443a(emdata, 16);
+                               EmSendCmdEx(emdata, sizeof(emdata), false);
+                               // EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
                                // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        }
                                // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
                                // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
                                p_response = NULL;
                        }
-               } else if(receivedCmd[0] == 0x3A) {     // Received a FAST READ (ranged read)
-                               
-                               uint8_t emdata[MAX_FRAME_SIZE];
-                               //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
-                               int start =  (receivedCmd[1]+12) * 4; 
-                               int len   = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
-                               emlGetMemBt( emdata, start, len);
-                               AppendCrc14443a(emdata, len);
-                               EmSendCmdEx(emdata, len+2, false);                              
-                               p_response = NULL;
-                               
-               } else if(receivedCmd[0] == 0x3C && tagType == 7) {     // Received a READ SIGNATURE -- 
-                               //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
-                               uint16_t start = 4 * 4;
-                               uint8_t emdata[34];
-                               emlGetMemBt( emdata, start, 32);
-                               AppendCrc14443a(emdata, 32);
-                               EmSendCmdEx(emdata, sizeof(emdata), false);
-                               p_response = NULL;                                      
-               } else if (receivedCmd[0] == 0x39 && tagType == 7) {    // Received a READ COUNTER -- 
+               } else if(receivedCmd[0] == MIFARE_ULEV1_FASTREAD) {    // Received a FAST READ (ranged read)                           
+                       uint8_t emdata[MAX_FRAME_SIZE];
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       int start =  (receivedCmd[1]+12) * 4; 
+                       int len   = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
+                       emlGetMemBt( emdata, start, len);
+                       AppendCrc14443a(emdata, len);
+                       EmSendCmdEx(emdata, len+2, false);                              
+                       p_response = NULL;              
+               } else if(receivedCmd[0] == MIFARE_ULEV1_READSIG && tagType == 7) {     // Received a READ SIGNATURE -- 
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       uint16_t start = 4 * 4;
+                       uint8_t emdata[34];
+                       emlGetMemBt( emdata, start, 32);
+                       AppendCrc14443a(emdata, 32);
+                       EmSendCmdEx(emdata, sizeof(emdata), false);
+                       p_response = NULL;                                      
+               } else if (receivedCmd[0] == MIFARE_ULEV1_READ_CNT && tagType == 7) {   // Received a READ COUNTER -- 
                        uint8_t index = receivedCmd[1];
                        uint8_t data[] =  {0x00,0x00,0x00,0x14,0xa5};
                        if ( counters[index] > 0) {
                        uint8_t index = receivedCmd[1];
                        uint8_t data[] =  {0x00,0x00,0x00,0x14,0xa5};
                        if ( counters[index] > 0) {
@@ -1183,7 +1125,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                        }
                        EmSendCmdEx(data,sizeof(data),false);                           
                        p_response = NULL;
                        }
                        EmSendCmdEx(data,sizeof(data),false);                           
                        p_response = NULL;
-               } else if (receivedCmd[0] == 0xA5 && tagType == 7) {    // Received a INC COUNTER -- 
+               } else if (receivedCmd[0] == MIFARE_ULEV1_INCR_CNT && tagType == 7) {   // Received a INC COUNTER -- 
                        // number of counter
                        uint8_t counter = receivedCmd[1];
                        uint32_t val = bytes_to_num(receivedCmd+2,4);
                        // number of counter
                        uint8_t counter = receivedCmd[1];
                        uint32_t val = bytes_to_num(receivedCmd+2,4);
@@ -1192,10 +1134,9 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                        // send ACK
                        uint8_t ack[] = {0x0a};
                        EmSendCmdEx(ack,sizeof(ack),false);
                        // send ACK
                        uint8_t ack[] = {0x0a};
                        EmSendCmdEx(ack,sizeof(ack),false);
-                       p_response = NULL;
-                       
-               } else if(receivedCmd[0] == 0x3E && tagType == 7) {     // Received a CHECK_TEARING_EVENT -- 
-                       //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+                       p_response = NULL;                      
+               } else if(receivedCmd[0] == MIFARE_ULEV1_CHECKTEAR && tagType == 7) {   // Received a CHECK_TEARING_EVENT -- 
+                       // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
                        uint8_t emdata[3];
                        uint8_t counter=0;
                        if (receivedCmd[1]<3) counter = receivedCmd[1];
                        uint8_t emdata[3];
                        uint8_t counter=0;
                        if (receivedCmd[1]<3) counter = receivedCmd[1];
@@ -1203,21 +1144,22 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                        AppendCrc14443a(emdata, sizeof(emdata)-2);
                        EmSendCmdEx(emdata, sizeof(emdata), false);     
                        p_response = NULL;              
                        AppendCrc14443a(emdata, sizeof(emdata)-2);
                        EmSendCmdEx(emdata, sizeof(emdata), false);     
                        p_response = NULL;              
-               } else if(receivedCmd[0] == 0x50) {     // Received a HALT
+               } else if(receivedCmd[0] == ISO14443A_CMD_HALT) {       // Received a HALT
                        LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        p_response = NULL;
                        LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        p_response = NULL;
-               } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) {   // Received an authentication request
-                                       
+               } else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) {   // Received an authentication request                           
                        if ( tagType == 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request.
                                uint8_t emdata[10];
                                emlGetMemBt( emdata, 0, 8 );
                                AppendCrc14443a(emdata, sizeof(emdata)-2);
                        if ( tagType == 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request.
                                uint8_t emdata[10];
                                emlGetMemBt( emdata, 0, 8 );
                                AppendCrc14443a(emdata, sizeof(emdata)-2);
-                               EmSendCmdEx(emdata, sizeof(emdata), false);     
+                               EmSendCmdEx(emdata, sizeof(emdata), false);
                                p_response = NULL;
                        } else {
                                p_response = NULL;
                        } else {
+                               cardAUTHSC = receivedCmd[1] / 4; // received block num
+                               cardAUTHKEY = receivedCmd[0] - 0x60;
                                p_response = &responses[5]; order = 7;
                        }
                                p_response = &responses[5]; order = 7;
                        }
-               } else if(receivedCmd[0] == 0xE0) {     // Received a RATS request
+               } else if(receivedCmd[0] == ISO14443A_CMD_RATS) {       // Received a RATS request
                        if (tagType == 1 || tagType == 2) {     // RATS not supported
                                EmSend4bit(CARD_NACK_NA);
                                p_response = NULL;
                        if (tagType == 1 || tagType == 2) {     // RATS not supported
                                EmSend4bit(CARD_NACK_NA);
                                p_response = NULL;
@@ -1226,63 +1168,76 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                        }
                } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
                        LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        }
                } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
                        LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                       uint32_t nonce = bytes_to_num(response5,4);
                        uint32_t nr = bytes_to_num(receivedCmd,4);
                        uint32_t ar = bytes_to_num(receivedCmd+4,4);
                        uint32_t nr = bytes_to_num(receivedCmd,4);
                        uint32_t ar = bytes_to_num(receivedCmd+4,4);
-                       //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar);
-
-                       if(flags & FLAG_NR_AR_ATTACK )
-                       {
-                               if(ar_nr_collected < 2){
-                                       // Avoid duplicates... probably not necessary, nr should vary. 
-                                       //if(ar_nr_responses[3] != nr){                                         
-                                               ar_nr_responses[ar_nr_collected*5]   = 0;
-                                               ar_nr_responses[ar_nr_collected*5+1] = 0;
-                                               ar_nr_responses[ar_nr_collected*5+2] = nonce;
-                                               ar_nr_responses[ar_nr_collected*5+3] = nr;
-                                               ar_nr_responses[ar_nr_collected*5+4] = ar;
-                                               ar_nr_collected++;
-                                       //}
-                               }                       
 
 
-                               if(ar_nr_collected > 1 ) {
-                               
-                                       if (MF_DBGLEVEL >= 2) {
-                                                       Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
-                                                       Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
-                                                               ar_nr_responses[0], // UID1
-                                                               ar_nr_responses[1], // UID2
-                                                               ar_nr_responses[2], // NT
-                                                               ar_nr_responses[3], // AR1
-                                                               ar_nr_responses[4], // NR1
-                                                               ar_nr_responses[8], // AR2
-                                                               ar_nr_responses[9]  // NR2
-                                                       );
-                                                       Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
-                                                               ar_nr_responses[0], // UID1
-                                                               ar_nr_responses[1], // UID2
-                                                               ar_nr_responses[2], // NT1
-                                                               ar_nr_responses[3], // AR1
-                                                               ar_nr_responses[4], // NR1
-                                                               ar_nr_responses[7], // NT2
-                                                               ar_nr_responses[8], // AR2
-                                                               ar_nr_responses[9]  // NR2
-                                                               );
+                       // Collect AR/NR per keytype & sector
+                       if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
+                                       for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                               if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
+                                                       // if first auth for sector, or matches sector and keytype of previous auth
+                                                       if (ar_nr_collected[i+mM] < 2) {
+                                                               // if we haven't already collected 2 nonces for this sector
+                                                               if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+                                                                       // Avoid duplicates... probably not necessary, ar should vary. 
+                                                                       if (ar_nr_collected[i+mM]==0) {
+                                                                               // first nonce collect
+                                                                               ar_nr_resp[i+mM].cuid = cuid;
+                                                                               ar_nr_resp[i+mM].sector = cardAUTHSC;
+                                                                               ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+                                                                               ar_nr_resp[i+mM].nonce = nonce;
+                                                                               ar_nr_resp[i+mM].nr = nr;
+                                                                               ar_nr_resp[i+mM].ar = ar;
+                                                                               nonce1_count++;
+                                                                               // add this nonce to first moebius nonce
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+                                                                               ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+                                                                               ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+                                                                       } else { // second nonce collect (std and moebius)
+                                                                               ar_nr_resp[i+mM].nonce2 = nonce;
+                                                                               ar_nr_resp[i+mM].nr2 = nr;
+                                                                               ar_nr_resp[i+mM].ar2 = ar;
+                                                                               if (!gettingMoebius) {
+                                                                                       nonce2_count++;
+                                                                                       // check if this was the last second nonce we need for std attack
+                                                                                       if ( nonce2_count == nonce1_count ) {
+                                                                                               // done collecting std test switch to moebius
+                                                                                               // first finish incrementing last sample
+                                                                                               ar_nr_collected[i+mM]++; 
+                                                                                               // switch to moebius collection
+                                                                                               gettingMoebius = true;
+                                                                                               mM = ATTACK_KEY_COUNT;
+                                                                                               break;
+                                                                                       }
+                                                                               } else {
+                                                                                       moebius_n_count++;
+                                                                                       // if we've collected all the nonces we need - finish.
+                                                                                       if (nonce1_count == moebius_n_count) {
+                                                                                               cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
+                                                                                               nonce1_count = 0;
+                                                                                               nonce2_count = 0;
+                                                                                               moebius_n_count = 0;
+                                                                                               gettingMoebius = false;
+                                                                                       }
+                                                                               }
+                                                                       }
+                                                                       ar_nr_collected[i+mM]++;
+                                                               }
+                                                       }
+                                                       // we found right spot for this nonce stop looking
+                                                       break;
+                                               }
                                        }
                                        }
-                                       uint8_t len = ar_nr_collected*5*4;
-                                       cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
-                                       ar_nr_collected = 0;
-                                       memset(ar_nr_responses, 0x00, len);
                                }
                                }
-                       }
-               } else if (receivedCmd[0] == 0x1a ) // ULC authentication
-               {
                        
                        
-               }
-               else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication
-               {
+               } else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
+               } else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
                        if ( tagType == 7 ) {
                        if ( tagType == 7 ) {
-                               uint16_t start = 13; //first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
+                               uint16_t start = 13; // first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
                                uint8_t emdata[4];
                                emlGetMemBt( emdata, start, 2);
                                AppendCrc14443a(emdata, 2);
                                uint8_t emdata[4];
                                emlGetMemBt( emdata, start, 2);
                                AppendCrc14443a(emdata, 2);
@@ -1290,7 +1245,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                                p_response = NULL;
                                uint32_t pwd = bytes_to_num(receivedCmd+1,4);
                                
                                p_response = NULL;
                                uint32_t pwd = bytes_to_num(receivedCmd+1,4);
                                
-                               if ( MF_DBGLEVEL >= 3)  Dbprintf("Auth attempt: %08x", pwd);    
+                               if ( MF_DBGLEVEL >= 3) Dbprintf("Auth attempt: %08x", pwd);     
                        }
                } else {
                        // Check for ISO 14443A-4 compliant commands, look at left nibble
                        }
                } else {
                        // Check for ISO 14443A-4 compliant commands, look at left nibble
@@ -1369,6 +1324,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                // Count number of other messages after a halt
                if(order != 6 && lastorder == 5) { happened2++; }
 
                // Count number of other messages after a halt
                if(order != 6 && lastorder == 5) { happened2++; }
 
+               // comment this limit if you want to simulation longer          
+               if (!tracing) {
+                       Dbprintf("Trace Full. Simulation stopped.");
+                       break;
+               }
+               // comment this limit if you want to simulation longer
                if(cmdsRecvd > 999) {
                        DbpString("1000 commands later...");
                        break;
                if(cmdsRecvd > 999) {
                        DbpString("1000 commands later...");
                        break;
@@ -1392,11 +1353,6 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
                                                (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
                                                par);
                }
                                                (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
                                                par);
                }
-               
-               if (!tracing) {
-                       Dbprintf("Trace Full. Simulation stopped.");
-                       break;
-               }
        }
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        }
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -1404,6 +1360,36 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        BigBuf_free_keep_EM();
        LED_A_OFF();
        
        BigBuf_free_keep_EM();
        LED_A_OFF();
        
+               if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
+               for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
+                                               );
+                       }
+               }       
+               for ( uint8_t   i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nonce2,//NT2
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
+                                               );
+                       }
+               }
+       }
+       
        if (MF_DBGLEVEL >= 4){
                Dbprintf("-[ Wake ups after halt [%d]", happened);
                Dbprintf("-[ Messages after halt [%d]", happened2);
        if (MF_DBGLEVEL >= 4){
                Dbprintf("-[ Wake ups after halt [%d]", happened);
                Dbprintf("-[ Messages after halt [%d]", happened2);
@@ -1411,11 +1397,9 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
        }
 }
 
        }
 }
 
-
 // prepare a delayed transfer. This simply shifts ToSend[] by a number
 // of bits specified in the delay parameter.
 // prepare a delayed transfer. This simply shifts ToSend[] by a number
 // of bits specified in the delay parameter.
-void PrepareDelayedTransfer(uint16_t delay)
-{
+void PrepareDelayedTransfer(uint16_t delay) {
        delay &= 0x07;
        if (!delay) return;
 
        delay &= 0x07;
        if (!delay) return;
 
@@ -1427,7 +1411,7 @@ void PrepareDelayedTransfer(uint16_t delay)
        for (i = 0; i < delay; ++i)
                bitmask |= (0x01 << i);
 
        for (i = 0; i < delay; ++i)
                bitmask |= (0x01 << i);
 
-               ToSend[++ToSendMax] = 0x00;
+       ToSend[++ToSendMax] = 0x00;
 
        for (i = 0; i < ToSendMax; ++i) {
                        bits_to_shift = ToSend[i] & bitmask;
 
        for (i = 0; i < ToSendMax; ++i) {
                        bits_to_shift = ToSend[i] & bitmask;
@@ -1446,28 +1430,19 @@ void PrepareDelayedTransfer(uint16_t delay)
 // if == 0:    transfer immediately and return time of transfer
 // if != 0: delay transfer until time specified
 //-------------------------------------------------------------------------------------
 // if == 0:    transfer immediately and return time of transfer
 // if != 0: delay transfer until time specified
 //-------------------------------------------------------------------------------------
-static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
-{
+static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing) {
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
 
        uint32_t ThisTransferTime = 0;
 
        if (timing) {
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
 
        uint32_t ThisTransferTime = 0;
 
        if (timing) {
-
-               if (*timing != 0)
-                       // Delay transfer (fine tuning - up to 7 MF clock ticks)
-                       PrepareDelayedTransfer(*timing & 0x00000007);   
-               else
-                       // Measure time
+               if(*timing == 0) {                                                                              // Measure time
                        *timing = (GetCountSspClk() + 8) & 0xfffffff8;
                        *timing = (GetCountSspClk() + 8) & 0xfffffff8;
-
-               
-               if (MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) 
-                       Dbprintf("TransmitFor14443a: Missed timing");
-               
-               // Delay transfer (multiple of 8 MF clock ticks)
-               while (GetCountSspClk() < (*timing & 0xfffffff8));      
-
+               } else {
+                       PrepareDelayedTransfer(*timing & 0x00000007);           // Delay transfer (fine tuning - up to 7 MF clock ticks)
+               }
+               if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
+               while(GetCountSspClk() < (*timing & 0xfffffff8));               // Delay transfer (multiple of 8 MF clock ticks)
                LastTimeProxToAirStart = *timing;
        } else {
                ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
                LastTimeProxToAirStart = *timing;
        } else {
                ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
@@ -1493,12 +1468,10 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
        NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
 }
 
        NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
 }
 
-
 //-----------------------------------------------------------------------------
 // Prepare reader command (in bits, support short frames) to send to FPGA
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Prepare reader command (in bits, support short frames) to send to FPGA
 //-----------------------------------------------------------------------------
-void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
-{
+void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity) {
        int i, j;
        int last = 0;
        uint8_t b;
        int i, j;
        int last = 0;
        uint8_t b;
@@ -1577,20 +1550,16 @@ void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8
 //-----------------------------------------------------------------------------
 // Prepare reader command to send to FPGA
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Prepare reader command to send to FPGA
 //-----------------------------------------------------------------------------
-void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity)
-{
-  //CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
-  CodeIso14443aBitsAsReaderPar(cmd, len<<3, parity);
+void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity) {
+  CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
 }
 
 }
 
-
 //-----------------------------------------------------------------------------
 // Wait for commands from reader
 // Stop when button is pressed (return 1) or field was gone (return 2)
 // Or return 0 when command is captured
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Wait for commands from reader
 // Stop when button is pressed (return 1) or field was gone (return 2)
 // Or return 0 when command is captured
 //-----------------------------------------------------------------------------
-static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
-{
+static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) {
        *len = 0;
 
        uint32_t timer = 0, vtime = 0;
        *len = 0;
 
        uint32_t timer = 0, vtime = 0;
@@ -1650,13 +1619,10 @@ static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
                                return 0;
                        }
         }
                                return 0;
                        }
         }
-
        }
 }
 
        }
 }
 
-
-static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded)
-{
+int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded) {
        uint8_t b;
        uint16_t i = 0;
        uint32_t ThisTransferTime;
        uint8_t b;
        uint16_t i = 0;
        uint32_t ThisTransferTime;
@@ -1668,12 +1634,8 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
        if (Uart.parityBits & 0x01) {
                correctionNeeded = TRUE;
        }
        if (Uart.parityBits & 0x01) {
                correctionNeeded = TRUE;
        }
-       if(correctionNeeded) {
-               // 1236, so correction bit needed
-               i = 0;
-       } else {
-               i = 1;
-       }
+       // 1236, so correction bit needed
+       i = (correctionNeeded) ? 0 : 1;
 
        // clear receiving shift register and holding register
        while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
 
        // clear receiving shift register and holding register
        while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
@@ -1682,7 +1644,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
        b = AT91C_BASE_SSC->SSC_RHR; (void) b;
        
        // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
        b = AT91C_BASE_SSC->SSC_RHR; (void) b;
        
        // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
-       for (uint16_t j = 0; j < 5; j++) {      // allow timeout - better late than never
+       for (uint8_t j = 0; j < 5; j++) {       // allow timeout - better late than never
                while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
                if (AT91C_BASE_SSC->SSC_RHR) break;
        }
                while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
                if (AT91C_BASE_SSC->SSC_RHR) break;
        }
@@ -1711,9 +1673,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
                        i++;
                }
        }
                        i++;
                }
        }
-
        LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
        LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
-
        return 0;
 }
 
        return 0;
 }
 
@@ -1797,8 +1757,7 @@ bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_Start
 //  If a response is captured return TRUE
 //  If it takes too long return FALSE
 //-----------------------------------------------------------------------------
 //  If a response is captured return TRUE
 //  If it takes too long return FALSE
 //-----------------------------------------------------------------------------
-static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
-{
+static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset) {
        uint32_t c = 0x00;
        
        // Set FPGA mode to "reader listen mode", no modulation (listen
        uint32_t c = 0x00;
        
        // Set FPGA mode to "reader listen mode", no modulation (listen
@@ -1828,61 +1787,45 @@ static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receive
        }
 }
 
        }
 }
 
-void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
-{
+void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing) {
+
        CodeIso14443aBitsAsReaderPar(frame, bits, par);
        CodeIso14443aBitsAsReaderPar(frame, bits, par);
-  
        // Send command to tag
        TransmitFor14443a(ToSend, ToSendMax, timing);
        // Send command to tag
        TransmitFor14443a(ToSend, ToSendMax, timing);
-       if(trigger)
-               LED_A_ON();
+       if(trigger) LED_A_ON();
   
   
-       // Log reader command in trace buffer
-       //LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
        LogTrace(frame, nbytes(bits), (LastTimeProxToAirStart<<4) + DELAY_ARM2AIR_AS_READER, ((LastTimeProxToAirStart + LastProxToAirDuration)<<4) + DELAY_ARM2AIR_AS_READER, par, TRUE);
 }
 
        LogTrace(frame, nbytes(bits), (LastTimeProxToAirStart<<4) + DELAY_ARM2AIR_AS_READER, ((LastTimeProxToAirStart + LastProxToAirDuration)<<4) + DELAY_ARM2AIR_AS_READER, par, TRUE);
 }
 
-void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
-{
-  //ReaderTransmitBitsPar(frame, len*8, par, timing);
-  ReaderTransmitBitsPar(frame, len<<3, par, timing);
+void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing) {
+  ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
 }
 
-void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
-{
-  // Generate parity and redirect
-  uint8_t par[MAX_PARITY_SIZE] = {0x00};
-  //GetParity(frame, len/8, par);
-  GetParity(frame, len >> 3, par);
-  ReaderTransmitBitsPar(frame, len, par, timing);
+void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing) {
+       // Generate parity and redirect
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(frame, len/8, par);  
+       ReaderTransmitBitsPar(frame, len, par, timing);
 }
 
 }
 
-void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
-{
-  // Generate parity and redirect
-  uint8_t par[MAX_PARITY_SIZE] = {0x00};
-  GetParity(frame, len, par);
-  //ReaderTransmitBitsPar(frame, len*8, par, timing);
-  ReaderTransmitBitsPar(frame, len<<3, par, timing);
+void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing) {
+       // Generate parity and redirect
+       uint8_t par[MAX_PARITY_SIZE] = {0x00};
+       GetParity(frame, len, par);
+       ReaderTransmitBitsPar(frame, len*8, par, timing);
 }
 
 }
 
-int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
-{
-       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) 
+int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity) {
+       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset))
                return FALSE;
                return FALSE;
-
-       //LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
-       LogTrace(receivedAnswer, Demod.len, (Demod.startTime<<4) - DELAY_AIR2ARM_AS_READER, (Demod.endTime<<4) - DELAY_AIR2ARM_AS_READER, parity, FALSE);
+       LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
        return Demod.len;
 }
 
        return Demod.len;
 }
 
-int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
-{
-       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) 
+int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) {
+       if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0))
                return FALSE;
                return FALSE;
-
-       //LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
-       LogTrace(receivedAnswer, Demod.len, (Demod.startTime<<4) - DELAY_AIR2ARM_AS_READER, (Demod.endTime<<4) - DELAY_AIR2ARM_AS_READER, parity, FALSE);
+       LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
        return Demod.len;
 }
 
        return Demod.len;
 }
 
@@ -1892,10 +1835,10 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
 // if anticollision is false, then the UID must be provided in uid_ptr[] 
 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
 // if anticollision is false, then the UID must be provided in uid_ptr[] 
 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
-       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
-       uint8_t sel_all[]    = { 0x93,0x20 };
-       uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
+       uint8_t wupa[]       = { ISO14443A_CMD_WUPA };  // 0x26 - ISO14443A_CMD_REQA  0x52 - ISO14443A_CMD_WUPA
+       uint8_t sel_all[]    = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x20 };
+       uint8_t sel_uid[]    = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t rats[]       = { ISO14443A_CMD_RATS,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
        uint8_t resp[MAX_FRAME_SIZE] = {0}; // theoretically. A usual RATS will be much smaller
        uint8_t resp_par[MAX_PARITY_SIZE] = {0};
        byte_t uid_resp[4] = {0};
        uint8_t resp[MAX_FRAME_SIZE] = {0}; // theoretically. A usual RATS will be much smaller
        uint8_t resp_par[MAX_PARITY_SIZE] = {0};
        byte_t uid_resp[4] = {0};
@@ -2044,28 +1987,31 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 }
 
 void iso14443a_setup(uint8_t fpga_minor_mode) {
 }
 
 void iso14443a_setup(uint8_t fpga_minor_mode) {
+
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
        // Set up the synchronous serial port
        FpgaSetupSsc();
        // connect Demodulated Signal to ADC:
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
        // Set up the synchronous serial port
        FpgaSetupSsc();
        // connect Demodulated Signal to ADC:
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
+       LED_D_OFF();
        // Signal field is on with the appropriate LED
        // Signal field is on with the appropriate LED
-       if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
-               || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
+       if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD ||
+               fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN)
                LED_D_ON();
                LED_D_ON();
-       } else {
-               LED_D_OFF();
-       }
+
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
 
+       SpinDelay(20);
+       
        // Start the timer
        StartCountSspClk();
        
        // Start the timer
        StartCountSspClk();
        
+       // Prepare the demodulation functions
        DemodReset();
        UartReset();
        DemodReset();
        UartReset();
-       NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
-       iso14a_set_timeout(10*106); // 10ms default
+       NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER;
+       iso14a_set_timeout(10*106); // 20ms default     
 }
 
 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
 }
 
 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
@@ -2080,12 +2026,14 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
  
        ReaderTransmit(real_cmd, cmd_len+4, NULL);
        size_t len = ReaderReceive(data, parity);
  
        ReaderTransmit(real_cmd, cmd_len+4, NULL);
        size_t len = ReaderReceive(data, parity);
+        //DATA LINK ERROR
+       if (!len) return 0;
+       
        uint8_t *data_bytes = (uint8_t *) data;
        uint8_t *data_bytes = (uint8_t *) data;
-       if (!len)
-               return 0; //DATA LINK ERROR
+
        // if we received an I- or R(ACK)-Block with a block number equal to the
        // current block number, toggle the current block number
        // if we received an I- or R(ACK)-Block with a block number equal to the
        // current block number, toggle the current block number
-       else if (len >= 4 // PCB+CID+CRC = 4 bytes
+       if (len >= 4 // PCB+CID+CRC = 4 bytes
                 && ((data_bytes[0] & 0xC0) == 0 // I-Block
                     || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
                 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
                 && ((data_bytes[0] & 0xC0) == 0 // I-Block
                     || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
                 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
@@ -2096,17 +2044,16 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
        return len;
 }
 
        return len;
 }
 
+
 //-----------------------------------------------------------------------------
 // Read an ISO 14443a tag. Send out commands and store answers.
 //-----------------------------------------------------------------------------
 // Read an ISO 14443a tag. Send out commands and store answers.
-//
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
-void ReaderIso14443a(UsbCommand *c)
-{
+void ReaderIso14443a(UsbCommand *c) {
        iso14a_command_t param = c->arg[0];
        iso14a_command_t param = c->arg[0];
-       uint8_t *cmd = c->d.asBytes;
        size_t len = c->arg[1] & 0xffff;
        size_t lenbits = c->arg[1] >> 16;
        uint32_t timeout = c->arg[2];
        size_t len = c->arg[1] & 0xffff;
        size_t lenbits = c->arg[1] >> 16;
        uint32_t timeout = c->arg[2];
+       uint8_t *cmd = c->d.asBytes;
        uint32_t arg0 = 0;
        byte_t buf[USB_CMD_DATA_SIZE] = {0x00};
        uint8_t par[MAX_PARITY_SIZE] = {0x00};
        uint32_t arg0 = 0;
        byte_t buf[USB_CMD_DATA_SIZE] = {0x00};
        uint8_t par[MAX_PARITY_SIZE] = {0x00};
@@ -2119,13 +2066,14 @@ void ReaderIso14443a(UsbCommand *c)
        if (param & ISO14A_REQUEST_TRIGGER)
                iso14a_set_trigger(TRUE);
 
        if (param & ISO14A_REQUEST_TRIGGER)
                iso14a_set_trigger(TRUE);
 
-
        if (param & ISO14A_CONNECT) {
                iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
                if(!(param & ISO14A_NO_SELECT)) {
                        iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
                        arg0 = iso14443a_select_card(NULL,card,NULL, true, 0);
        if (param & ISO14A_CONNECT) {
                iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
                if(!(param & ISO14A_NO_SELECT)) {
                        iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
                        arg0 = iso14443a_select_card(NULL,card,NULL, true, 0);
-                       cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
+                       cmd_send(CMD_ACK, arg0, card->uidlen, 0, buf, sizeof(iso14a_card_select_t));
+                       // if it fails,  the cmdhf14a.c client quites.. however this one still executes.
+                       if ( arg0 == 0 ) return;
                }
        }
 
                }
        }
 
@@ -2179,7 +2127,6 @@ void ReaderIso14443a(UsbCommand *c)
        if (param & ISO14A_REQUEST_TRIGGER)
                iso14a_set_trigger(FALSE);
 
        if (param & ISO14A_REQUEST_TRIGGER)
                iso14a_set_trigger(FALSE);
 
-
        if (param & ISO14A_NO_DISCONNECT)
                return;
 
        if (param & ISO14A_NO_DISCONNECT)
                return;
 
@@ -2188,82 +2135,50 @@ void ReaderIso14443a(UsbCommand *c)
        LEDsoff();
 }
 
        LEDsoff();
 }
 
-
 // Determine the distance between two nonces.
 // Assume that the difference is small, but we don't know which is first.
 // Therefore try in alternating directions.
 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 
        if (nt1 == nt2) return 0;
 // Determine the distance between two nonces.
 // Assume that the difference is small, but we don't know which is first.
 // Therefore try in alternating directions.
 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 
        if (nt1 == nt2) return 0;
-
-       uint16_t i;
+       
        uint32_t nttmp1 = nt1;
        uint32_t nttmp2 = nt2;
        uint32_t nttmp1 = nt1;
        uint32_t nttmp2 = nt2;
-       
-       for (i = 1; i < 0xFFFF; i += 8) {
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i;
-
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+1;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-1;
-
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+2;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-2;
-
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+3;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-3;
 
 
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+4;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-4;
-
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+5;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-5;
-
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+6;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-6;
-
-               nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+7;
-               nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-7;
-/*
-               if ( prng_successor(nttmp1, i) == nt2) return i;
-               if ( prng_successor(nttmp2, i) == nt1) return -i;
-
-               if ( prng_successor(nttmp1, i+2) == nt2) return i+2;
-               if ( prng_successor(nttmp2, i+2) == nt1) return -(i+2);
-
-               if ( prng_successor(nttmp1, i+3) == nt2) return i+3;
-               if ( prng_successor(nttmp2, i+3) == nt1) return -(i+3);
-
-               if ( prng_successor(nttmp1, i+4) == nt2) return i+4;
-               if ( prng_successor(nttmp2, i+4) == nt1) return -(i+4);
-
-               if ( prng_successor(nttmp1, i+5) == nt2) return i+5;
-               if ( prng_successor(nttmp2, i+5) == nt1) return -(i+5);
-
-               if ( prng_successor(nttmp1, i+6) == nt2) return i+6;
-               if ( prng_successor(nttmp2, i+6) == nt1) return -(i+6);
-
-               if ( prng_successor(nttmp1, i+7) == nt2) return i+7;
-               if ( prng_successor(nttmp2, i+7) == nt1) return -(i+7);
-*/
+       // 0xFFFF -- Half up and half down to find distance between nonces
+       for (uint16_t i = 1; i < 32768/8; i += 8) {
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+1;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+2;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+3;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+4;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+5;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+6;
+               nttmp1 = prng_successor(nttmp1, 1);     if (nttmp1 == nt2) return i+7;
+               
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -i;
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+1);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+2);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+3);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+4);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+5);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+6);
+               nttmp2 = prng_successor(nttmp2, 1);     if (nttmp2 == nt1) return -(i+7);               
        }
        }
-       
-       return(-99999); // either nt1 or nt2 are invalid nonces
+       // either nt1 or nt2 are invalid nonces 
+       return(-99999); 
 }
 
 }
 
-
 //-----------------------------------------------------------------------------
 // Recover several bits of the cypher stream. This implements (first stages of)
 // the algorithm described in "The Dark Side of Security by Obscurity and
 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
 // (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Recover several bits of the cypher stream. This implements (first stages of)
 // the algorithm described in "The Dark Side of Security by Obscurity and
 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
 // (article by Nicolas T. Courtois, 2009)
 //-----------------------------------------------------------------------------
-void ReaderMifare(bool first_try, uint8_t block )
-{
-       // Mifare AUTH
-       //uint8_t mf_auth[]    = { 0x60,0x00,0xf5,0x7b };
-       //uint8_t mf_auth[]    = { 0x60,0x05, 0x58, 0x2c };
-       uint8_t mf_auth[]       = { 0x60,0x00, 0x00, 0x00 };
+
+void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) {
+       
+       uint8_t mf_auth[]       = { keytype, block, 0x00, 0x00 };
        uint8_t mf_nr_ar[]      = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
        uint8_t uid[10]         = {0,0,0,0,0,0,0,0,0,0};
        uint8_t par_list[8]     = {0,0,0,0,0,0,0,0};
        uint8_t mf_nr_ar[]      = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
        uint8_t uid[10]         = {0,0,0,0,0,0,0,0,0,0};
        uint8_t par_list[8]     = {0,0,0,0,0,0,0,0};
@@ -2271,55 +2186,48 @@ void ReaderMifare(bool first_try, uint8_t block )
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
-       
-       mf_auth[1] = block;
-       AppendCrc14443a(mf_auth, 2);
-
        byte_t nt_diff = 0;
        byte_t nt_diff = 0;
-
        uint32_t nt = 0;
        uint32_t previous_nt = 0;       
        uint32_t nt = 0;
        uint32_t previous_nt = 0;       
-       uint32_t halt_time = 0;
        uint32_t cuid = 0;
        
        uint32_t cuid = 0;
        
-       int catch_up_cycles = 0;
-       int last_catch_up = 0;
-       int isOK = 0;
+       int32_t catch_up_cycles = 0;
+       int32_t last_catch_up = 0;
+       int32_t isOK = 0;
+       int32_t nt_distance = 0;
        
        uint16_t elapsed_prng_sequences = 1;
        uint16_t consecutive_resyncs = 0;
        uint16_t unexpected_random = 0;
        uint16_t sync_tries = 0;
        
        uint16_t elapsed_prng_sequences = 1;
        uint16_t consecutive_resyncs = 0;
        uint16_t unexpected_random = 0;
        uint16_t sync_tries = 0;
-       uint16_t strategy = 0;
 
 
+       // static variables here, is re-used in the next call
        static uint32_t nt_attacked = 0;
        static uint32_t sync_time = 0;
        static uint32_t nt_attacked = 0;
        static uint32_t sync_time = 0;
-       static int32_t sync_cycles = 0;
+       static uint32_t sync_cycles = 0;
        static uint8_t par_low = 0;
        static uint8_t mf_nr_ar3 = 0;
        static uint8_t par_low = 0;
        static uint8_t mf_nr_ar3 = 0;
-
+       
        #define PRNG_SEQUENCE_LENGTH    (1 << 16)
        #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
        #define MAX_SYNC_TRIES          32
        #define PRNG_SEQUENCE_LENGTH    (1 << 16)
        #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
        #define MAX_SYNC_TRIES          32
-       #define MAX_STRATEGY            3
-
-       clear_trace();
-       set_tracing(TRUE);
-       
-       LED_A_ON();
        
        
-       if (first_try)
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+       AppendCrc14443a(mf_auth, 2);
        
        
-       // free eventually allocated BigBuf memory. We want all for tracing.
-       BigBuf_free();
-
-       if (first_try) { 
-               sync_time = GetCountSspClk() & 0xfffffff8;
-               sync_cycles = PRNG_SEQUENCE_LENGTH + 1100; //65536;     //0x10000                       // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
-               mf_nr_ar3 = 0;                  
-               nt_attacked = 0;
+       BigBuf_free(); BigBuf_Clear_ext(false); 
+       clear_trace();
+       set_tracing(TRUE);      
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
 
 
+       sync_time = GetCountSspClk() & 0xfffffff8;
+       sync_cycles = PRNG_SEQUENCE_LENGTH; // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).              
+       nt_attacked = 0;
+       
+   if (MF_DBGLEVEL >= 4)       Dbprintf("Mifare::Sync %08x", sync_time);
+                               
+       if (first_try) {
+               mf_nr_ar3 = 0;
+               par_low = 0;
        } else {
                // we were unsuccessful on a previous call. 
                // Try another READER nonce (first 3 parity bits remain the same)
        } else {
                // we were unsuccessful on a previous call. 
                // Try another READER nonce (first 3 parity bits remain the same)
@@ -2327,10 +2235,13 @@ void ReaderMifare(bool first_try, uint8_t block )
                mf_nr_ar[3] = mf_nr_ar3;
                par[0] = par_low;
        }
                mf_nr_ar[3] = mf_nr_ar3;
                par[0] = par_low;
        }
-               
-               LED_A_ON();
+
+       bool have_uid = FALSE;
+       uint8_t cascade_levels = 0;
+
        LED_C_ON(); 
        LED_C_ON(); 
-       for(uint16_t i = 0; TRUE; ++i) {
+       uint16_t i;
+       for(i = 0; TRUE; ++i) {
 
                WDT_HIT();
 
 
                WDT_HIT();
 
@@ -2340,98 +2251,98 @@ void ReaderMifare(bool first_try, uint8_t block )
                        break;
                }
                
                        break;
                }
                
-               if (strategy == 2) {
-                       // test with additional halt command
-                       halt_time = 0;
-                       int len = mifare_sendcmd_short(NULL, false, 0x50, 0x00, receivedAnswer, receivedAnswerPar, &halt_time);
-
-                       if (len && MF_DBGLEVEL >= 3)
-                               Dbprintf("Unexpected response of %d bytes to halt command.", len);
-               }
-
-               if (strategy == 3) {
-                       // test with FPGA power off/on
-                       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-                       SpinDelay(200);
-                       iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-                       SpinDelay(100);
-                       sync_time = GetCountSspClk() & 0xfffffff8;
-                       WDT_HIT();
-               }
-               
-               if (!iso14443a_select_card(uid, NULL,  &cuid, true, 0)) {
-                       if (MF_DBGLEVEL >= 2) Dbprintf("Mifare: Can't select card\n");
-                       continue;
+               // this part is from Piwi's faster nonce collecting part in Hardnested.
+               if (!have_uid) { // need a full select cycle to get the uid first
+                       iso14a_card_select_t card_info;         
+                       if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {
+                               if (MF_DBGLEVEL >= 4)   Dbprintf("Mifare: Can't select card (ALL)");
+                               break;
+                       }
+                       switch (card_info.uidlen) {
+                               case 4 : cascade_levels = 1; break;
+                               case 7 : cascade_levels = 2; break;
+                               case 10: cascade_levels = 3; break;
+                               default: break;
+                       }
+                       have_uid = TRUE;        
+               } else { // no need for anticollision. We can directly select the card
+                       if(!iso14443a_select_card(uid, NULL, &cuid, false, cascade_levels)) {
+                               if (MF_DBGLEVEL >= 4)   Dbprintf("Mifare: Can't select card (UID)");
+                               continue;
+                       }
                }
                }
-
-               // Sending timeslot of ISO14443a frame
                
                
-               sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
+               // Sending timeslot of ISO14443a frame          
+               sync_time = (sync_time & 0xfffffff8 ) + sync_cycles + catch_up_cycles;
                catch_up_cycles = 0;
                catch_up_cycles = 0;
-               
-               //catch_up_cycles = 0;
                                                                
                // if we missed the sync time already, advance to the next nonce repeat
                                                                
                // if we missed the sync time already, advance to the next nonce repeat
-               while(GetCountSspClk() > sync_time) {
+               while( GetCountSspClk() > sync_time) {
                        ++elapsed_prng_sequences;
                        ++elapsed_prng_sequences;
-                       sync_time = (sync_time & 0xfffffff8) + sync_cycles;
-               }
-               // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked) 
-               ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);                   
+                       sync_time = (sync_time & 0xfffffff8 ) + sync_cycles;
+               }               
 
 
-               // Receive the (4 Byte) "random" nonce
+               // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
+               ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
+
+               // Receive the (4 Byte) "random" nonce from TAG
                if (!ReaderReceive(receivedAnswer, receivedAnswerPar))
                        continue;
 
                if (!ReaderReceive(receivedAnswer, receivedAnswerPar))
                        continue;
 
-               // Transmit reader nonce with fake par
-               ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
-
                previous_nt = nt;
                nt = bytes_to_num(receivedAnswer, 4);
                
                previous_nt = nt;
                nt = bytes_to_num(receivedAnswer, 4);
                
-               if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
-                       int nt_distance = dist_nt(previous_nt, nt);
+               // Transmit reader nonce with fake par
+               ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
+       
+               // we didn't calibrate our clock yet,
+               // iceman: has to be calibrated every time.
+               if (previous_nt && !nt_attacked) { 
+
+                       nt_distance = dist_nt(previous_nt, nt);
+                       
+                       // if no distance between,  then we are in sync.
                        if (nt_distance == 0) {
                                nt_attacked = nt;
                        } else {
                                if (nt_distance == -99999) { // invalid nonce received
                        if (nt_distance == 0) {
                                nt_attacked = nt;
                        } else {
                                if (nt_distance == -99999) { // invalid nonce received
-                                       unexpected_random++;
+                                       ++unexpected_random;
                                        if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
                                                isOK = -3;              // Card has an unpredictable PRNG. Give up      
                                                break;
                                        if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
                                                isOK = -3;              // Card has an unpredictable PRNG. Give up      
                                                break;
-                                       } else {
+                                       } else {                                                
+                                               if (sync_cycles <= 0) sync_cycles += PRNG_SEQUENCE_LENGTH;
+                                               LED_B_OFF();
                                                continue;               // continue trying...
                                        }
                                }
                                
                                if (++sync_tries > MAX_SYNC_TRIES) {
                                                continue;               // continue trying...
                                        }
                                }
                                
                                if (++sync_tries > MAX_SYNC_TRIES) {
-                                       if (strategy > MAX_STRATEGY || MF_DBGLEVEL < 3) {
-                                               isOK = -4;                      // Card's PRNG runs at an unexpected frequency or resets unexpectedly
-                                               break;
-                                       } else {
-                                               continue;
-                               }
+                                       isOK = -4;                      // Card's PRNG runs at an unexpected frequency or resets unexpectedly
+                                       break;
                                }
                                
                                sync_cycles = (sync_cycles - nt_distance)/elapsed_prng_sequences;
                                }
                                
                                sync_cycles = (sync_cycles - nt_distance)/elapsed_prng_sequences;
+                               
                                if (sync_cycles <= 0)
                                        sync_cycles += PRNG_SEQUENCE_LENGTH;
                                
                                if (sync_cycles <= 0)
                                        sync_cycles += PRNG_SEQUENCE_LENGTH;
                                
-                               if (MF_DBGLEVEL >= 3)
+                               if (MF_DBGLEVEL >= 4)
                                        Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
 
                                        Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
 
+                               LED_B_OFF();
                                continue;
                        }
                }
                                continue;
                        }
                }
+               LED_B_OFF();
 
 
-               if ((nt != nt_attacked) && nt_attacked) {       // we somehow lost sync. Try to catch up again...
+               if ( (nt != nt_attacked) && nt_attacked) {      // we somehow lost sync. Try to catch up again...
                        
                        
-                       catch_up_cycles = -dist_nt(nt_attacked, nt);
+                       catch_up_cycles = ABS(dist_nt(nt_attacked, nt));
                        if (catch_up_cycles == 99999) {                 // invalid nonce received. Don't resync on that one.
                                catch_up_cycles = 0;
                                continue;
                        if (catch_up_cycles == 99999) {                 // invalid nonce received. Don't resync on that one.
                                catch_up_cycles = 0;
                                continue;
-                       }
-                       
+                       }               
                        // average? 
                        catch_up_cycles /= elapsed_prng_sequences;
                
                        // average? 
                        catch_up_cycles /= elapsed_prng_sequences;
                
@@ -2443,13 +2354,13 @@ void ReaderMifare(bool first_try, uint8_t block )
                        }               
                        
                        if (consecutive_resyncs < 3) {
                        }               
                        
                        if (consecutive_resyncs < 3) {
-                               if (MF_DBGLEVEL >= 3)
-                                       Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
+                               if (MF_DBGLEVEL >= 4)
+                                       Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, catch_up_cycles, consecutive_resyncs);
                        } else {        
                                sync_cycles += catch_up_cycles;
                                
                        } else {        
                                sync_cycles += catch_up_cycles;
                                
-                               if (MF_DBGLEVEL >= 3
-                                       Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
+                               if (MF_DBGLEVEL >= 4
+                                       Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, catch_up_cycles, sync_cycles);
 
                                last_catch_up = 0;
                                catch_up_cycles = 0;
 
                                last_catch_up = 0;
                                catch_up_cycles = 0;
@@ -2466,7 +2377,7 @@ void ReaderMifare(bool first_try, uint8_t block )
                                par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
 
                        par_list[nt_diff] = SwapBits(par[0], 8);
                                par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
 
                        par_list[nt_diff] = SwapBits(par[0], 8);
-                       ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
+                       ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;  // xor with NACK value to get keystream
 
                        // Test if the information is complete
                        if (nt_diff == 0x07) {
 
                        // Test if the information is complete
                        if (nt_diff == 0x07) {
@@ -2492,158 +2403,199 @@ void ReaderMifare(bool first_try, uint8_t block )
                        }
                }
                
                        }
                }
                
+               // reset the resyncs since we got a complete transaction on right time.
                consecutive_resyncs = 0;
                consecutive_resyncs = 0;
-       }
+       } // end for loop
 
        mf_nr_ar[3] &= 0x1F;
 
 
        mf_nr_ar[3] &= 0x1F;
 
-       WDT_HIT();
-       
-       // reset sync_time.
-       if ( isOK == 1) {
-               sync_time =     0;
-               sync_cycles = 0;
-               mf_nr_ar3 = 0;          
-               nt_attacked = 0;
-               par[0] = 0;
-       }
+       if (MF_DBGLEVEL >= 4) Dbprintf("Number of sent auth requestes: %u", i);
        
        uint8_t buf[28] = {0x00};
        
        uint8_t buf[28] = {0x00};
+       memset(buf, 0x00, sizeof(buf));
        num_to_bytes(cuid, 4, buf);
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
        memcpy(buf + 16, ks_list, 8);
        memcpy(buf + 24, mf_nr_ar, 4);
                
        num_to_bytes(cuid, 4, buf);
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
        memcpy(buf + 16, ks_list, 8);
        memcpy(buf + 24, mf_nr_ar, 4);
                
-       cmd_send(CMD_ACK,isOK,0,0,buf,28);
+       cmd_send(CMD_ACK, isOK, 0, 0, buf, sizeof(buf) );
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        set_tracing(FALSE);
 }
 
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        set_tracing(FALSE);
 }
 
+
 /**
   *MIFARE 1K simulate.
   *
   *@param flags :
 /**
   *MIFARE 1K simulate.
   *
   *@param flags :
-  *    FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
-  * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
-  * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
-  *    FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later
+  *    FLAG_INTERACTIVE                - In interactive mode, we are expected to finish the operation with an ACK
+  * FLAG_4B_UID_IN_DATA                - use 4-byte UID in the data-section
+  * FLAG_7B_UID_IN_DATA                - use 7-byte UID in the data-section
+  * FLAG_10B_UID_IN_DATA       - use 10-byte UID in the data-section
+  * FLAG_UID_IN_EMUL           - use 4-byte UID from emulator memory
+  *    FLAG_NR_AR_ATTACK               - collect NR_AR responses for bruteforcing later
   *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
   */
   *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
   */
-void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
-{
+void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) {
        int cardSTATE = MFEMUL_NOFIELD;
        int cardSTATE = MFEMUL_NOFIELD;
-       int _7BUID = 0;
+       int _UID_LEN = 0;  // 4, 7, 10
        int vHf = 0;    // in mV
        int vHf = 0;    // in mV
-       int res;
+       int res = 0;
        uint32_t selTimer = 0;
        uint32_t authTimer = 0;
        uint16_t len = 0;
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
        uint32_t selTimer = 0;
        uint32_t authTimer = 0;
        uint16_t len = 0;
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
-//     uint32_t cardRr = 0;
        uint32_t cuid = 0;
        uint32_t cuid = 0;
-       //uint32_t rn_enc = 0;
        uint32_t ans = 0;
        uint32_t cardINTREG = 0;
        uint8_t cardINTBLOCK = 0;
        struct Crypto1State mpcs = {0, 0};
        struct Crypto1State *pcs;
        pcs = &mpcs;
        uint32_t ans = 0;
        uint32_t cardINTREG = 0;
        uint8_t cardINTBLOCK = 0;
        struct Crypto1State mpcs = {0, 0};
        struct Crypto1State *pcs;
        pcs = &mpcs;
-       uint32_t numReads = 0;//Counts numer of times reader read a block
+       uint32_t numReads = 0;  // Counts numer of times reader read a block
        uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
        uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
        uint8_t response[MAX_MIFARE_FRAME_SIZE] = {0x00};
        uint8_t response_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
        
        uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
        uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
        uint8_t response[MAX_MIFARE_FRAME_SIZE] = {0x00};
        uint8_t response_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
        
-       uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
-       uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
-       uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
-       uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
-       //uint8_t rSAK[] = {0x09, 0x3f, 0xcc };  // Mifare Mini 
-       uint8_t rSAK1[] = {0x04, 0xda, 0x17};
+       uint8_t atqa[]   = {0x04, 0x00}; // Mifare classic 1k
+       uint8_t sak_4[]  = {0x0C, 0x00, 0x00}; // CL1 - 4b uid
+       uint8_t sak_7[]  = {0x0C, 0x00, 0x00}; // CL2 - 7b uid
+       uint8_t sak_10[] = {0x0C, 0x00, 0x00}; // CL3 - 10b uid
+       // uint8_t sak[] = {0x09, 0x3f, 0xcc };  // Mifare Mini 
+       
+       uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
+       uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
+       uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
 
 
-       //uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};
-       uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};
+       uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};  // very random nonce
+       // uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this?
        uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
                
        uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
                
-       //Here, we collect UID1,UID2,NT,AR,NR,0,0,NT2,AR2,NR2
+       // Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2
        // This can be used in a reader-only attack.
        // This can be used in a reader-only attack.
-       // (it can also be retrieved via 'hf 14a list', but hey...
-       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
-       uint8_t ar_nr_collected = 0;
+       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius)
+       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
+
+       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
+       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+       uint8_t nonce1_count = 0;
+       uint8_t nonce2_count = 0;
+       uint8_t moebius_n_count = 0;
+       bool gettingMoebius = false;
+       uint8_t mM = 0; // moebius_modifier for collection storage
+       bool doBufResetNext = false;
 
        // Authenticate response - nonce
        uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
        
 
        // Authenticate response - nonce
        uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
        
-       //-- Determine the UID
-       // Can be set from emulator memory, incoming data
-       // and can be 7 or 4 bytes long
-       if (flags & FLAG_4B_UID_IN_DATA)
-       {
-               // 4B uid comes from data-portion of packet
-               memcpy(rUIDBCC1,datain,4);
-               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-
-       } else if (flags & FLAG_7B_UID_IN_DATA) {
-               // 7B uid comes from data-portion of packet
-               memcpy(&rUIDBCC1[1],datain,3);
-               memcpy(rUIDBCC2, datain+3, 4);
-               _7BUID = true;
-       } else {
-               // get UID from emul memory
-               emlGetMemBt(receivedCmd, 7, 1);
-               _7BUID = !(receivedCmd[0] == 0x00);
-               if (!_7BUID) {                     // ---------- 4BUID
-                       emlGetMemBt(rUIDBCC1, 0, 4);
-               } else {                           // ---------- 7BUID
-                       emlGetMemBt(&rUIDBCC1[1], 0, 3);
-                       emlGetMemBt(rUIDBCC2, 3, 4);
-               }
-       }
-
-       // save uid.
-       ar_nr_responses[0*5]   = bytes_to_num(rUIDBCC1+1, 3);
-       if ( _7BUID )
-               ar_nr_responses[0*5+1] = bytes_to_num(rUIDBCC2, 4);
-
-       /*
-        * Regardless of what method was used to set the UID, set fifth byte and modify
-        * the ATQA for 4 or 7-byte UID
-        */
-       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-       if (_7BUID) {
-               rATQA[0] = 0x44;
-               rUIDBCC1[0] = 0x88;
-               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-               rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+       // -- Determine the UID
+       // Can be set from emulator memory or incoming data
+       // Length: 4,7,or 10 bytes
+       if ( (flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL)
+               emlGetMemBt(datain, 0, 10);  // load 10bytes from EMUL to the datain pointer. to be used below.
+       
+       if ( (flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) {
+               memcpy(rUIDBCC1, datain, 4);
+               _UID_LEN = 4;
+       } else if ( (flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA) {
+               memcpy(&rUIDBCC1[1], datain,   3);
+               memcpy( rUIDBCC2,    datain+3, 4);
+               _UID_LEN = 7;
+       } else if ( (flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) {
+               memcpy(&rUIDBCC1[1], datain,   3);
+               memcpy(&rUIDBCC2[1], datain+3, 3);
+               memcpy( rUIDBCC3,    datain+6, 4);
+               _UID_LEN = 10;
        }
 
        }
 
-       if (MF_DBGLEVEL >= 1)   {
-               if (!_7BUID) {
-                       Dbprintf("4B UID: %02x%02x%02x%02x", 
-                               rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
-               } else {
-                       Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
-                               rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
-                               rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
-               }
+       switch (_UID_LEN) {
+               case 4:
+                       sak_4[0] &= 0xFB;               
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC1, 4);
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("4B UID: %02x%02x%02x%02x", 
+                                       rUIDBCC1[0],
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3]
+                               );
+                       }
+                       break;
+               case 7:
+                       atqa[0] |= 0x40;
+                       sak_7[0] &= 0xFB;                                               
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC2, 4);                       
+                        // CascadeTag, CT
+                       rUIDBCC1[0] = 0x88;
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; 
+                       rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; 
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3],
+                                       rUIDBCC2[0],
+                                       rUIDBCC2[1],
+                                       rUIDBCC2[2],
+                                       rUIDBCC2[3]
+                               );
+                       }
+                       break;
+               case 10:
+                       atqa[0] |= 0x80;
+                       sak_10[0] &= 0xFB;                                      
+                       // save CUID
+                       cuid = bytes_to_num(rUIDBCC3, 4);
+                        // CascadeTag, CT
+                       rUIDBCC1[0] = 0x88;
+                       rUIDBCC2[0] = 0x88;
+                       // BCC
+                       rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+                       rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+                       rUIDBCC3[4] = rUIDBCC3[0] ^ rUIDBCC3[1] ^ rUIDBCC3[2] ^ rUIDBCC3[3];
+
+                       if (MF_DBGLEVEL >= 2)   {
+                               Dbprintf("10B UID: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       rUIDBCC1[1],
+                                       rUIDBCC1[2],
+                                       rUIDBCC1[3],
+                                       rUIDBCC2[1],
+                                       rUIDBCC2[2],
+                                       rUIDBCC2[3],
+                                       rUIDBCC3[0],
+                                       rUIDBCC3[1],
+                                       rUIDBCC3[2],
+                                       rUIDBCC3[3]
+                               );
+                       }
+                       break;
+               default: 
+                       break;
        }
        }
-
+       // calc some crcs
+       ComputeCrc14443(CRC_14443_A, sak_4, 1, &sak_4[1], &sak_4[2]);
+       ComputeCrc14443(CRC_14443_A, sak_7, 1, &sak_7[1], &sak_7[2]);
+       ComputeCrc14443(CRC_14443_A, sak_10, 1, &sak_10[1], &sak_10[2]);
+       
        // We need to listen to the high-frequency, peak-detected path.
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        // free eventually allocated BigBuf memory but keep Emulator Memory
        BigBuf_free_keep_EM();
        // We need to listen to the high-frequency, peak-detected path.
        iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 
        // free eventually allocated BigBuf memory but keep Emulator Memory
        BigBuf_free_keep_EM();
-
-       // clear trace
        clear_trace();
        set_tracing(TRUE);
 
        clear_trace();
        set_tracing(TRUE);
 
-
        bool finished = FALSE;
        while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) {
                WDT_HIT();
        bool finished = FALSE;
        while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) {
                WDT_HIT();
@@ -2656,29 +2608,28 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                LED_A_ON();
                        }
                } 
                                LED_A_ON();
                        }
                } 
-               if(cardSTATE == MFEMUL_NOFIELD) continue;
+               if (cardSTATE == MFEMUL_NOFIELD) continue;
 
 
-               //Now, get data
+               // Now, get data
                res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
                if (res == 2) { //Field is off!
                        cardSTATE = MFEMUL_NOFIELD;
                        LEDsoff();
                        continue;
                } else if (res == 1) {
                res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
                if (res == 2) { //Field is off!
                        cardSTATE = MFEMUL_NOFIELD;
                        LEDsoff();
                        continue;
                } else if (res == 1) {
-                       break;  //return value 1 means button press
+                       break;  // return value 1 means button press
                }
                        
                // REQ or WUP request in ANY state and WUP in HALTED state
                }
                        
                // REQ or WUP request in ANY state and WUP in HALTED state
-               if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
+               // this if-statement doesn't match the specification above. (iceman)
+               if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
                        selTimer = GetTickCount();
                        selTimer = GetTickCount();
-                       EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
+                       EmSendCmdEx(atqa, sizeof(atqa), (receivedCmd[0] == ISO14443A_CMD_WUPA));
                        cardSTATE = MFEMUL_SELECT1;
                        cardSTATE = MFEMUL_SELECT1;
-
-                       // init crypto block
-                       LED_B_OFF();
-                       LED_C_OFF();
                        crypto1_destroy(pcs);
                        cardAUTHKEY = 0xff;
                        crypto1_destroy(pcs);
                        cardAUTHKEY = 0xff;
+                       LEDsoff();
+                       nonce++; 
                        continue;
                }
                
                        continue;
                }
                
@@ -2690,160 +2641,258 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                break;
                        }
                        case MFEMUL_SELECT1:{
                                break;
                        }
                        case MFEMUL_SELECT1:{
-                               // select all
-                               if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("SELECT ALL received");
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
                                        break;
                                }
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("SELECT ALL received");
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
                                        break;
                                }
-
-                               if (MF_DBGLEVEL >= 4 && len == 9 && receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 )
-                               {
-                                       Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
-                               }
                                // select card
                                if (len == 9 && 
                                // select card
                                if (len == 9 && 
-                                               (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
-                                       EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK));
-                                       cuid = bytes_to_num(rUIDBCC1, 4);
-                                       if (!_7BUID) {
-                                               cardSTATE = MFEMUL_WORK;
-                                               LED_B_ON();
-                                               if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
-                                               break;
-                                       } else {
-                                               cardSTATE = MFEMUL_SELECT2;
+                                               ( receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT &&
+                                                 receivedCmd[1] == 0x70 && 
+                                                 memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
+                                       
+                                       // SAK 4b 
+                                       EmSendCmd(sak_4, sizeof(sak_4));
+                                       switch(_UID_LEN){
+                                               case 4:
+                                                       cardSTATE = MFEMUL_WORK;
+                                                       LED_B_ON();
+                                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
+                                                       continue;
+                                               case 7:
+                                               case 10:
+                                                       cardSTATE = MFEMUL_SELECT2;
+                                                       continue;
+                                               default:break;
                                        }
                                        }
+                               } else {
+                                       cardSTATE_TO_IDLE();
                                }
                                break;
                        }
                                }
                                break;
                        }
-                       case MFEMUL_AUTH1:{
-                               if( len != 8) {
-                                       cardSTATE_TO_IDLE();
+                       case MFEMUL_SELECT2:{
+                               if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
-
-                               uint32_t ar = bytes_to_num(receivedCmd, 4);
-                               uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
-
-                               //Collect AR/NR
-                               //if(ar_nr_collected < 2 && cardAUTHSC == 2){
-                               if(ar_nr_collected < 2) {
-                                       if(ar_nr_responses[2] != ar) {
-                                               // Avoid duplicates... probably not necessary, ar should vary. 
-                                               //ar_nr_responses[ar_nr_collected*5]   = 0;
-                                               //ar_nr_responses[ar_nr_collected*5+1] = 0;
-                                               ar_nr_responses[ar_nr_collected*5+2] = nonce;
-                                               ar_nr_responses[ar_nr_collected*5+3] = nr;
-                                               ar_nr_responses[ar_nr_collected*5+4] = ar;
-                                               ar_nr_collected++;
-                                       }                                               
-                                       // Interactive mode flag, means we need to send ACK
-                                       if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
-                                               finished = true;
-                               }
-
-                               // --- crypto
-                               //crypto1_word(pcs, ar , 1);
-                               //cardRr = nr ^ crypto1_word(pcs, 0, 0);
-
-                               //test if auth OK
-                               //if (cardRr != prng_successor(nonce, 64)){
-                                       
-                                       //if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
-                                       //      cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
-                                       //              cardRr, prng_successor(nonce, 64));
-                                       // Shouldn't we respond anything here?
-                                       // Right now, we don't nack or anything, which causes the
-                                       // reader to do a WUPA after a while. /Martin
-                                       // -- which is the correct response. /piwi
-                                       //cardSTATE_TO_IDLE();
-                                       //LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                                       //break;
-                               //}
-
-                               ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
-
-                               num_to_bytes(ans, 4, rAUTH_AT);
-                               // --- crypto
-                               EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
-                               LED_C_ON();
-                               cardSTATE = MFEMUL_WORK;
-                               if (MF_DBGLEVEL >= 4) {
-                                       Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", 
-                                               cardAUTHSC, 
-                                               cardAUTHKEY == 0 ? 'A' : 'B',
-                                               GetTickCount() - authTimer
-                                       );
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
+                                       EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
+                                       break;
                                }
                                }
+                               if (len == 9 && 
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 &&
+                                                receivedCmd[1] == 0x70 && 
+                                                memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0) ) {
+                                                        
+                                       EmSendCmd(sak_7, sizeof(sak_7));
+                                       switch(_UID_LEN){
+                                               case 7:
+                                                       cardSTATE = MFEMUL_WORK;
+                                                       LED_B_ON();
+                                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+                                                       continue;
+                                               case 10:
+                                                       cardSTATE = MFEMUL_SELECT3;
+                                                       continue;
+                                               default:break;
+                                       }
+                               } 
+                               cardSTATE_TO_IDLE();
                                break;
                        }
                                break;
                        }
-                       case MFEMUL_SELECT2:{
+                       case MFEMUL_SELECT3:{
                                if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
-                               if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
-                                       EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && receivedCmd[1] == 0x20)) {
+                                       EmSendCmd(rUIDBCC3, sizeof(rUIDBCC3));
                                        break;
                                }
                                        break;
                                }
-
-                               // select 2 card
                                if (len == 9 && 
                                if (len == 9 && 
-                                               (receivedCmd[0] == 0x95 &&
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 &&
                                                 receivedCmd[1] == 0x70 && 
                                                 receivedCmd[1] == 0x70 && 
-                                                memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0) ) {
-                                       EmSendCmd(rSAK, sizeof(rSAK));
-                                       cuid = bytes_to_num(rUIDBCC2, 4);
+                                                memcmp(&receivedCmd[2], rUIDBCC3, 4) == 0) ) {
+
+                                       EmSendCmd(sak_10, sizeof(sak_10));
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
-                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+                                       if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol3 time: %d", GetTickCount() - selTimer);
                                        break;
                                }
                                        break;
                                }
+                               cardSTATE_TO_IDLE();
+                               break;
+                       }
+                       case MFEMUL_AUTH1:{
+                               if( len != 8) {
+                                       cardSTATE_TO_IDLE();
+                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       break;
+                               }
+
+                               uint32_t nr = bytes_to_num(receivedCmd, 4);
+                               uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
+
+                               if (doBufResetNext) {
+                                       // Reset, lets try again!
+                                       Dbprintf("Re-read after previous NR_AR_ATTACK, resetting buffer");
+                                       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
+                                       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+                                       mM = 0;
+                                       doBufResetNext = false;
+                               }
+
+                               for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                       if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
+
+                                               // if first auth for sector, or matches sector and keytype of previous auth
+                                               if (ar_nr_collected[i+mM] < 2) {
+                                                       // if we haven't already collected 2 nonces for this sector
+                                                       if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+                                                               // Avoid duplicates... probably not necessary, ar should vary.
+                                                               if (ar_nr_collected[i+mM]==0) {
+                                                                       // first nonce collect
+                                                                       ar_nr_resp[i+mM].cuid = cuid;
+                                                                       ar_nr_resp[i+mM].sector = cardAUTHSC;
+                                                                       ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+                                                                       ar_nr_resp[i+mM].nonce = nonce;
+                                                                       ar_nr_resp[i+mM].nr = nr;
+                                                                       ar_nr_resp[i+mM].ar = ar;
+                                                                       nonce1_count++;
+                                                                       // add this nonce to first moebius nonce
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+                                                                       ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+                                                               } else { // second nonce collect (std and moebius)
+                                                                       ar_nr_resp[i+mM].nonce2 = nonce;
+                                                                       ar_nr_resp[i+mM].nr2 = nr;
+                                                                       ar_nr_resp[i+mM].ar2 = ar;
+                                                                       if (!gettingMoebius) {
+                                                                               nonce2_count++;
+                                                                               // check if this was the last second nonce we need for std attack
+                                                                               if ( nonce2_count == nonce1_count ) {
+                                                                                       // done collecting std test switch to moebius
+                                                                                       // first finish incrementing last sample
+                                                                                       ar_nr_collected[i+mM]++; 
+                                                                                       // switch to moebius collection
+                                                                                       gettingMoebius = true;
+                                                                                       mM = ATTACK_KEY_COUNT;
+                                                                                       break;
+                                                                               }
+                                                                       } else {
+                                                                               moebius_n_count++;
+                                                                               // if we've collected all the nonces we need - finish.
+
+                                                                               if (nonce1_count == moebius_n_count) {
+                                                                                       cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
+                                                                                       nonce1_count = 0;
+                                                                                       nonce2_count = 0;
+                                                                                       moebius_n_count = 0;
+                                                                                       gettingMoebius = false;
+                                                                                       doBufResetNext = true;
+                                                                                       finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE));
+                                                                               }
+                                                                       }
+                                                               }
+                                                               ar_nr_collected[i+mM]++;
+                                                       }
+                                               }
+                                               // we found right spot for this nonce stop looking
+                                               break;
+                                       }
+                               }
+
+
+                               /*
+                               // Collect AR/NR
+                               // if(ar_nr_collected < 2 && cardAUTHSC == 2){
+                               if(ar_nr_collected < 2) {                                       
+                                       // if(ar_nr_responses[2] != nr) {
+                                               ar_nr_responses[ar_nr_collected*4]   = cuid;
+                                               ar_nr_responses[ar_nr_collected*4+1] = nonce;
+                                               ar_nr_responses[ar_nr_collected*4+2] = nr;
+                                               ar_nr_responses[ar_nr_collected*4+3] = ar;
+                                               ar_nr_collected++;
+                                       // }                                    
+               
+                                       // Interactive mode flag, means we need to send ACK
+                                       finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)&& ar_nr_collected == 2);
+                               }
+                               
+                               crypto1_word(pcs, ar , 1);
+                               cardRr = nr ^ crypto1_word(pcs, 0, 0);
                                
                                
-                               // i guess there is a command). go into the work state.
-                               if (len != 4) {
+                               test if auth OK
+                               if (cardRr != prng_successor(nonce, 64)){
+                                       
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
+                                               cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
+                                                       cardRr, prng_successor(nonce, 64));
+                                       Shouldn't we respond anything here?
+                                       Right now, we don't nack or anything, which causes the
+                                       reader to do a WUPA after a while. /Martin
+                                       -- which is the correct response. /piwi
+                                       cardSTATE_TO_IDLE();
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
+                               */
+                               
+                               ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
+                               num_to_bytes(ans, 4, rAUTH_AT);
+                               EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
+                               LED_C_ON();
+                               
+                               if (MF_DBGLEVEL >= 4) {
+                                       Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", 
+                                               cardAUTHSC, 
+                                               cardAUTHKEY == 0 ? 'A' : 'B',
+                                               GetTickCount() - authTimer
+                                       );
+                               }
                                cardSTATE = MFEMUL_WORK;
                                cardSTATE = MFEMUL_WORK;
-                               //goto lbWORK;
-                               //intentional fall-through to the next case-stmt
+                               break;
                        }
                        }
-
                        case MFEMUL_WORK:{
                                if (len == 0) {
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                        case MFEMUL_WORK:{
                                if (len == 0) {
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
-                               }
-                               
+                               }               
                                bool encrypted_data = (cardAUTHKEY != 0xFF) ;
 
                                bool encrypted_data = (cardAUTHKEY != 0xFF) ;
 
-                               // decrypt seqence
                                if(encrypted_data)
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
                                
                                if(encrypted_data)
                                        mf_crypto1_decrypt(pcs, receivedCmd, len);
                                
-                               if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
+                               if (len == 4 && (receivedCmd[0] == MIFARE_AUTH_KEYA || 
+                                                receivedCmd[0] == MIFARE_AUTH_KEYB)  ) {
+
                                        authTimer = GetTickCount();
                                        cardAUTHSC = receivedCmd[1] / 4;  // received block num
                                        authTimer = GetTickCount();
                                        cardAUTHSC = receivedCmd[1] / 4;  // received block num
-                                       cardAUTHKEY = receivedCmd[0] - 0x60;
-                                       crypto1_destroy(pcs);//Added by martin
+                                       cardAUTHKEY = receivedCmd[0] - 0x60; // & 1
+                                       crypto1_destroy(pcs);
                                        crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
 
                                        crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
 
-                                       if (!encrypted_data) { // first authentication
+                                       if (!encrypted_data) { 
+                                               // first authentication
+                                               crypto1_word(pcs, cuid ^ nonce, 0);// Update crypto state
+                                               num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
+                                               
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY  );
 
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY  );
 
-                                               crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
-                                               num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
-                                       } else { // nested authentication
-                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
+                                       } else {
+                                               // nested authentication
                                                ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
                                                num_to_bytes(ans, 4, rAUTH_AT);
                                                ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); 
                                                num_to_bytes(ans, 4, rAUTH_AT);
+
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
                                        }
 
                                        EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
                                        }
 
                                        EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
-                                       //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
                                        cardSTATE = MFEMUL_AUTH1;
                                        break;
                                }
                                        cardSTATE = MFEMUL_AUTH1;
                                        break;
                                }
@@ -2866,12 +2915,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
 
                                        break;
                                }
 
-                               if(receivedCmd[0] == 0x30 // read block
-                                               || receivedCmd[0] == 0xA0 // write block
-                                               || receivedCmd[0] == 0xC0 // inc
-                                               || receivedCmd[0] == 0xC1 // dec
-                                               || receivedCmd[0] == 0xC2 // restore
-                                               || receivedCmd[0] == 0xB0) { // transfer
+                               if ( receivedCmd[0] == ISO14443A_CMD_READBLOCK ||
+                                        receivedCmd[0] == ISO14443A_CMD_WRITEBLOCK ||
+                                        receivedCmd[0] == MIFARE_CMD_INC ||
+                                        receivedCmd[0] == MIFARE_CMD_DEC ||
+                                        receivedCmd[0] == MIFARE_CMD_RESTORE ||
+                                        receivedCmd[0] == MIFARE_CMD_TRANSFER ) {
+                                               
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
@@ -2885,8 +2935,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        }
                                }
                                // read block
                                        }
                                }
                                // read block
-                               if (receivedCmd[0] == 0x30) {
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]);
+                               if (receivedCmd[0] == ISO14443A_CMD_READBLOCK) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("Reader reading block %d (0x%02x)", receivedCmd[1], receivedCmd[1]);
 
                                        emlGetMem(response, receivedCmd[1], 1);
                                        AppendCrc14443a(response, 16);
 
                                        emlGetMem(response, receivedCmd[1], 1);
                                        AppendCrc14443a(response, 16);
@@ -2900,34 +2950,35 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
                                // write block
                                        break;
                                }
                                // write block
-                               if (receivedCmd[0] == 0xA0) {
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd[1],receivedCmd[1]);
+                               if (receivedCmd[0] == ISO14443A_CMD_WRITEBLOCK) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)", receivedCmd[1], receivedCmd[1]);
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        cardSTATE = MFEMUL_WRITEBL2;
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // increment, decrement, restore
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        cardSTATE = MFEMUL_WRITEBL2;
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // increment, decrement, restore
-                               if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+                               if ( receivedCmd[0] == MIFARE_CMD_INC || 
+                                    receivedCmd[0] == MIFARE_CMD_DEC || 
+                                        receivedCmd[0] == MIFARE_CMD_RESTORE) {
+
+                                        if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0], receivedCmd[1], receivedCmd[1]);
+
                                        if (emlCheckValBl(receivedCmd[1])) {
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
                                        if (emlCheckValBl(receivedCmd[1])) {
                                                if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
-                                       if (receivedCmd[0] == 0xC1)
-                                               cardSTATE = MFEMUL_INTREG_INC;
-                                       if (receivedCmd[0] == 0xC0)
-                                               cardSTATE = MFEMUL_INTREG_DEC;
-                                       if (receivedCmd[0] == 0xC2)
-                                               cardSTATE = MFEMUL_INTREG_REST;
+                                       if (receivedCmd[0] == MIFARE_CMD_INC)           cardSTATE = MFEMUL_INTREG_INC;
+                                       if (receivedCmd[0] == MIFARE_CMD_DEC)           cardSTATE = MFEMUL_INTREG_DEC;
+                                       if (receivedCmd[0] == MIFARE_CMD_RESTORE)       cardSTATE = MFEMUL_INTREG_REST;
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // transfer
                                        cardWRBL = receivedCmd[1];
                                        break;
                                }
                                // transfer
-                               if (receivedCmd[0] == 0xB0) {
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+                               if (receivedCmd[0] == MIFARE_CMD_TRANSFER) {
+                                       if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)", receivedCmd[0], receivedCmd[1], receivedCmd[1]);
                                        if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        else
                                        if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        else
@@ -2935,7 +2986,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
                                // halt
                                        break;
                                }
                                // halt
-                               if (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00) {
+                               if (receivedCmd[0] == ISO14443A_CMD_HALT && receivedCmd[1] == 0x00) {
                                        LED_B_OFF();
                                        LED_C_OFF();
                                        cardSTATE = MFEMUL_HALTED;
                                        LED_B_OFF();
                                        LED_C_OFF();
                                        cardSTATE = MFEMUL_HALTED;
@@ -2944,7 +2995,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        break;
                                }
                                // RATS
                                        break;
                                }
                                // RATS
-                               if (receivedCmd[0] == 0xe0) {//RATS
+                               if (receivedCmd[0] == ISO14443A_CMD_RATS) {
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        break;
                                }
                                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                        break;
                                }
@@ -2965,7 +3016,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                }
                                break;
                        }
                                }
                                break;
                        }
-                       
                        case MFEMUL_INTREG_INC:{
                                mf_crypto1_decrypt(pcs, receivedCmd, len);
                                memcpy(&ans, receivedCmd, 4);
                        case MFEMUL_INTREG_INC:{
                                mf_crypto1_decrypt(pcs, receivedCmd, len);
                                memcpy(&ans, receivedCmd, 4);
@@ -3007,53 +3057,50 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                }
        }
 
                }
        }
 
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       LEDsoff();
-
        // Interactive mode flag, means we need to send ACK
        // Interactive mode flag, means we need to send ACK
-       if(flags & FLAG_INTERACTIVE) {
-               //May just aswell send the collected ar_nr in the response aswell
-               uint8_t len = ar_nr_collected*5*4;
+       /*
+       if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE) {
+               // May just aswell send the collected ar_nr in the response aswell
+               uint8_t len = ar_nr_collected * 4 * 4;
                cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
        }
                cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
        }
-
-       if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 ) {
-               if(ar_nr_collected > 1 ) {
-                       Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
-                       Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x",
-                                       ar_nr_responses[0], // UID1
-                                       ar_nr_responses[1], // UID2
-                                       ar_nr_responses[2], // NT
-                                       ar_nr_responses[3], // AR1
-                                       ar_nr_responses[4], // NR1
-                                       ar_nr_responses[8], // AR2
-                                       ar_nr_responses[9]  // NR2
-                                       );
-                       Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
-                                       ar_nr_responses[0], // UID1
-                                       ar_nr_responses[1], // UID2
-                                       ar_nr_responses[2], // NT1
-                                       ar_nr_responses[3], // AR1
-                                       ar_nr_responses[4], // NR1
-                                       ar_nr_responses[7], // NT2
-                                       ar_nr_responses[8], // AR2
-                                       ar_nr_responses[9]  // NR2
-                                       );
-               } else {
-                       Dbprintf("Failed to obtain two AR/NR pairs!");
-                       if(ar_nr_collected > 0 ) {
-                               Dbprintf("Only got these: UID=%06x%08x, nonce=%08x, AR1=%08x, NR1=%08x",
-                                               ar_nr_responses[0], // UID1
-                                               ar_nr_responses[1], // UID2
-                                               ar_nr_responses[2], // NT
-                                               ar_nr_responses[3], // AR1
-                                               ar_nr_responses[4]  // NR1
+       
+   */
+       if( ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) && MF_DBGLEVEL >= 1 ) {
+               for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
+                                               );
+                       }
+               }       
+               for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
+                       if (ar_nr_collected[i] == 2) {
+                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+                               Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
+                                               ar_nr_resp[i].cuid,  //UID
+                                               ar_nr_resp[i].nonce, //NT
+                                               ar_nr_resp[i].nr,    //NR1
+                                               ar_nr_resp[i].ar,    //AR1
+                                               ar_nr_resp[i].nonce2,//NT2
+                                               ar_nr_resp[i].nr2,   //NR2
+                                               ar_nr_resp[i].ar2    //AR2
                                                );
                        }
                }
        }
                                                );
                        }
                }
        }
-       if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
        
        
+       
+       if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
+       
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
        set_tracing(FALSE);
 }
 
        set_tracing(FALSE);
 }
 
@@ -3061,20 +3108,19 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
+// if no activity for 2sec, it sends the collected data to the client.
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
+// "hf mf sniff"
 void RAMFUNC SniffMifare(uint8_t param) {
 void RAMFUNC SniffMifare(uint8_t param) {
-       // param:
-       // bit 0 - trigger from first card answer
-       // bit 1 - trigger from first reader 7-bit request
+
        LEDsoff();
 
        LEDsoff();
 
-       // init trace buffer
+       // free eventually allocated BigBuf memory
+       BigBuf_free(); BigBuf_Clear_ext(false);
        clear_trace();
        set_tracing(TRUE);
 
        // The command (reader -> tag) that we're receiving.
        clear_trace();
        set_tracing(TRUE);
 
        // The command (reader -> tag) that we're receiving.
-       // The length of a received command will in most cases be no more than 18 bytes.
-       // So 32 should be enough!
        uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};    
        uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 
        uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};    
        uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 
@@ -3084,10 +3130,8 @@ void RAMFUNC SniffMifare(uint8_t param) {
 
        iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
 
 
        iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
 
-       // free eventually allocated BigBuf memory
-       BigBuf_free();
-       
        // allocate the DMA buffer, used to stream samples from the FPGA
        // allocate the DMA buffer, used to stream samples from the FPGA
+       // [iceman] is this sniffed data unsigned?
        uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
        uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
        uint8_t *data = dmaBuf;
        uint8_t previous_data = 0;
@@ -3102,25 +3146,28 @@ void RAMFUNC SniffMifare(uint8_t param) {
        // Set up the demodulator for the reader -> tag commands
        UartInit(receivedCmd, receivedCmdPar);
 
        // Set up the demodulator for the reader -> tag commands
        UartInit(receivedCmd, receivedCmdPar);
 
-       // Setup for the DMA.
-       FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
+       // Setup and start DMA.
+       // set transfer address and number of bytes. Start transfer.
+       if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+               if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+               return;
+       }
 
        LED_D_OFF();
 
        LED_D_OFF();
-       
-       // init sniffer
+
        MfSniffInit();
 
        // And now we loop, receiving samples.
        MfSniffInit();
 
        // And now we loop, receiving samples.
-       for(uint32_t sniffCounter = 0; TRUE; ) {
+       for(uint32_t sniffCounter = 0;; ) {
+
+               LED_A_ON();
+               WDT_HIT();
        
                if(BUTTON_PRESS()) {
                        DbpString("cancelled by button");
                        break;
                }
        
                if(BUTTON_PRESS()) {
                        DbpString("cancelled by button");
                        break;
                }
-
-               LED_A_ON();
-               WDT_HIT();
-               
+       
                if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
                        // check if a transaction is completed (timeout after 2000ms).
                        // if yes, stop the DMA transfer and send what we have so far to the client
                if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
                        // check if a transaction is completed (timeout after 2000ms).
                        // if yes, stop the DMA transfer and send what we have so far to the client
@@ -3131,7 +3178,11 @@ void RAMFUNC SniffMifare(uint8_t param) {
                                maxDataLen = 0;
                                ReaderIsActive = FALSE;
                                TagIsActive = FALSE;
                                maxDataLen = 0;
                                ReaderIsActive = FALSE;
                                TagIsActive = FALSE;
-                               FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
+                               // Setup and start DMA. set transfer address and number of bytes. Start transfer.
+                               if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+                                       if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+                                       return;
+                               }                               
                        }
                }
                
                        }
                }
                
@@ -3157,7 +3208,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
                if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
                        AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
                        AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
                if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
                        AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
                        AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
-                       Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
+                       Dbprintf("RxEmpty ERROR, data length:%d", dataLen); // temporary
                }
                // secondary buffer sets as primary, secondary buffer was stopped
                if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
                }
                // secondary buffer sets as primary, secondary buffer was stopped
                if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
@@ -3177,10 +3228,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
 
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
 
 
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
 
-                                       /* And ready to receive another command. */
                                        UartInit(receivedCmd, receivedCmdPar);
                                        UartInit(receivedCmd, receivedCmdPar);
-                                       
-                                       /* And also reset the demod code */
                                        DemodReset();
                                }
                                ReaderIsActive = (Uart.state != STATE_UNSYNCD);
                                        DemodReset();
                                }
                                ReaderIsActive = (Uart.state != STATE_UNSYNCD);
@@ -3194,10 +3242,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
 
                                        if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
 
 
                                        if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
 
-                                       // And ready to receive another response.
                                        DemodReset();
                                        DemodReset();
-                                       
-                                       // And reset the Miller decoder including its (now outdated) input buffer
                                        UartInit(receivedCmd, receivedCmdPar);
                                }
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
                                        UartInit(receivedCmd, receivedCmdPar);
                                }
                                TagIsActive = (Demod.state != DEMOD_UNSYNCD);
@@ -3212,10 +3257,12 @@ void RAMFUNC SniffMifare(uint8_t param) {
                        data = dmaBuf;
 
        } // main cycle
                        data = dmaBuf;
 
        } // main cycle
-
+       
+       if (MF_DBGLEVEL >= 1) Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
+       
        FpgaDisableSscDma();
        MfSniffEnd();
        FpgaDisableSscDma();
        MfSniffEnd();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
        LEDsoff();
-       Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
        set_tracing(FALSE);
 }
        set_tracing(FALSE);
 }
Proxmark3 GIT tracking
Impressum, Datenschutz