replace msleep() by thread signalling in comms.c

[proxmark3-svn] / armsrc / iclass.c

diff --git a/armsrc/iclass.c b/armsrc/iclass.c
index 260e6a6033f7f736173c0558ee8c034366f05434..afe1a607e9e1e823372bfdc285761409327915b4 100644 (file)
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@ -3,6 +3,7 @@
 // Hagen Fritsch - June 2010
 // Gerhard de Koning Gans - May 2011
 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
 // Hagen Fritsch - June 2010
 // Gerhard de Koning Gans - May 2011
 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation

+// piwi - 2019

 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of


@@ -10,38 +11,22 @@
 //-----------------------------------------------------------------------------
 // Routines to support iClass.
 //-----------------------------------------------------------------------------
 //-----------------------------------------------------------------------------
 // Routines to support iClass.
 //-----------------------------------------------------------------------------

-// Based on ISO14443a implementation. Still in experimental phase.

 // Contribution made during a security research at Radboud University Nijmegen
 // Contribution made during a security research at Radboud University Nijmegen

-// 
-// Please feel free to contribute and extend iClass support!!
-//-----------------------------------------------------------------------------
-//
-// FIX:
-// ====
-// We still have sometimes a demodulation error when snooping iClass communication.
-// The resulting trace of a read-block-03 command may look something like this:
-//
-//  +  22279:    :     0c  03  e8  01    
-//
-//    ...with an incorrect answer...
-//
-//  +     85:   0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb  33  bb  00  01! 0e! 04! bb     !crc
-//
-// We still left the error signalling bytes in the traces like 0xbb
-//
-// A correct trace should look like this:
-//
-// +  21112:    :     0c  03  e8  01    
-// +     85:   0: TAG ff  ff  ff  ff  ff  ff  ff  ff  ea  f5    

 //
 //

+// Please feel free to contribute and extend iClass support!!

 //-----------------------------------------------------------------------------
 
 //-----------------------------------------------------------------------------
 

+#include "iclass.h"
+

 #include "proxmark3.h"
 #include "apps.h"
 #include "util.h"
 #include "string.h"
 #include "proxmark3.h"
 #include "apps.h"
 #include "util.h"
 #include "string.h"

+#include "printf.h"

 #include "common.h"
 #include "common.h"

-#include "cmd.h"
+#include "usb_cdc.h"
+#include "iso14443a.h"
+#include "iso15693.h"

 // Needed for CRC in emulation mode;
 // same construction as in ISO 14443;
 // different initial value (CRC_ICLASS)
 // Needed for CRC in emulation mode;
 // same construction as in ISO 14443;
 // different initial value (CRC_ICLASS)


@@ -49,1951 +34,904 @@
 #include "iso15693tools.h"
 #include "protocols.h"
 #include "optimized_cipher.h"
 #include "iso15693tools.h"
 #include "protocols.h"
 #include "optimized_cipher.h"

+#include "fpgaloader.h"

 
 

-static int timeout = 4096;
+// iCLASS has a slightly different timing compared to ISO15693. According to the picopass data sheet the tag response is expected 330us after
+// the reader command. This is measured from end of reader EOF to first modulation of the tag's SOF which starts with a 56,64us unmodulated period.
+// 330us = 140 ssp_clk cycles @ 423,75kHz when simulating.
+// 56,64us = 24 ssp_clk_cycles
+#define DELAY_ICLASS_VCD_TO_VICC_SIM     (140 - 24)
+// times in ssp_clk_cycles @ 3,3625MHz when acting as reader
+#define DELAY_ICLASS_VICC_TO_VCD_READER  DELAY_ISO15693_VICC_TO_VCD_READER
+// times in samples @ 212kHz when acting as reader
+#define ICLASS_READER_TIMEOUT_ACTALL     330 // 1558us, nominal 330us + 7slots*160us = 1450us
+#define ICLASS_READER_TIMEOUT_UPDATE    3390 // 16000us, nominal 4-15ms
+#define ICLASS_READER_TIMEOUT_OTHERS      80 // 380us, nominal 330us

 
 

+#define ICLASS_BUFFER_SIZE 34                // we expect max 34 bytes as tag answer (response to READ4)

 
 

-static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);

 
 

-//-----------------------------------------------------------------------------
-// The software UART that receives commands from the reader, and its state
-// variables.
-//-----------------------------------------------------------------------------
-static struct {
-    enum {
-        STATE_UNSYNCD,
-        STATE_START_OF_COMMUNICATION,
-       STATE_RECEIVING
-    }       state;
-    uint16_t    shiftReg;
-    int     bitCnt;
-    int     byteCnt;
-    int     byteCntMax;
-    int     posCnt;
-    int     nOutOfCnt;
-    int     OutOfCnt;
-    int     syncBit;
-    int     samples;
-    int     highCnt;
-    int     swapper;
-    int     counter;
-    int     bitBuffer;
-    int     dropPosition;
-    uint8_t *output;
-} Uart;
-
-static RAMFUNC int OutOfNDecoding(int bit)
-{
-       //int error = 0;
-       int bitright;
-
-       if(!Uart.bitBuffer) {
-               Uart.bitBuffer = bit ^ 0xFF0;
-               return FALSE;
-       }
-       else {
-               Uart.bitBuffer <<= 4;
-               Uart.bitBuffer ^= bit;
-       }
-       
-       /*if(Uart.swapper) {
-               Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
-               Uart.byteCnt++;
-               Uart.swapper = 0;
-               if(Uart.byteCnt > 15) { return TRUE; }
+//=============================================================================
+// A `sniffer' for iClass communication
+// Both sides of communication!
+//=============================================================================
+void SnoopIClass(uint8_t jam_search_len, uint8_t *jam_search_string) {
+       SnoopIso15693(jam_search_len, jam_search_string);
+}
+
+
+void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
+       int i;
+       for (i = 0; i < 8; i++) {
+               rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);

        }
        }

-       else {
-               Uart.swapper = 1;
-       }*/
+}

 
 

-       if(Uart.state != STATE_UNSYNCD) {
-               Uart.posCnt++;

 
 

-               if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
-                       bit = 0x00;
-               }
-               else {
-                       bit = 0x01;
-               }
-               if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
-                       bitright = 0x00;
-               }
-               else {
-                       bitright = 0x01;
-               }
-               if(bit != bitright) { bit = bitright; }
-
-               
-               // So, now we only have to deal with *bit*, lets see...
-               if(Uart.posCnt == 1) {
-                       // measurement first half bitperiod
-                       if(!bit) {
-                               // Drop in first half means that we are either seeing
-                               // an SOF or an EOF.
-
-                               if(Uart.nOutOfCnt == 1) {
-                                       // End of Communication
-                                       Uart.state = STATE_UNSYNCD;
-                                       Uart.highCnt = 0;
-                                       if(Uart.byteCnt == 0) {
-                                               // Its not straightforward to show single EOFs
-                                               // So just leave it and do not return TRUE
-                                               Uart.output[0] = 0xf0;
-                                               Uart.byteCnt++;
-                                       }
-                                       else {
-                                               return TRUE;
-                                       }
-                               }
-                               else if(Uart.state != STATE_START_OF_COMMUNICATION) {
-                                       // When not part of SOF or EOF, it is an error
-                                       Uart.state = STATE_UNSYNCD;
-                                       Uart.highCnt = 0;
-                                       //error = 4;
-                               }
-                       }
-               }
-               else {
-                       // measurement second half bitperiod
-                       // Count the bitslot we are in... (ISO 15693)
-                       Uart.nOutOfCnt++;
-                       
-                       if(!bit) {
-                               if(Uart.dropPosition) {
-                                       if(Uart.state == STATE_START_OF_COMMUNICATION) {
-                                               //error = 1;
-                                       }
-                                       else {
-                                               //error = 7;
-                                       }
-                                       // It is an error if we already have seen a drop in current frame
-                                       Uart.state = STATE_UNSYNCD;
-                                       Uart.highCnt = 0;
-                               }
-                               else {
-                                       Uart.dropPosition = Uart.nOutOfCnt;
-                               }
-                       }
+// Encode SOF only
+static void CodeIClassTagSOF() {
+       ToSendReset();
+       ToSend[++ToSendMax] = 0x1D;
+       ToSendMax++;
+}

 
 

-                       Uart.posCnt = 0;

 
 

-                       
-                       if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
-                               Uart.nOutOfCnt = 0;
-                               
-                               if(Uart.state == STATE_START_OF_COMMUNICATION) {
-                                       if(Uart.dropPosition == 4) {
-                                               Uart.state = STATE_RECEIVING;
-                                               Uart.OutOfCnt = 256;
-                                       }
-                                       else if(Uart.dropPosition == 3) {
-                                               Uart.state = STATE_RECEIVING;
-                                               Uart.OutOfCnt = 4;
-                                               //Uart.output[Uart.byteCnt] = 0xdd;
-                                               //Uart.byteCnt++;
-                                       }
-                                       else {
-                                               Uart.state = STATE_UNSYNCD;
-                                               Uart.highCnt = 0;
-                                       }
-                                       Uart.dropPosition = 0;
-                               }
-                               else {
-                                       // RECEIVING DATA
-                                       // 1 out of 4
-                                       if(!Uart.dropPosition) {
-                                               Uart.state = STATE_UNSYNCD;
-                                               Uart.highCnt = 0;
-                                               //error = 9;
-                                       }
-                                       else {
-                                               Uart.shiftReg >>= 2;
-                                               
-                                               // Swap bit order
-                                               Uart.dropPosition--;
-                                               //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
-                                               //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
-                                               
-                                               Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
-                                               Uart.bitCnt += 2;
-                                               Uart.dropPosition = 0;
-
-                                               if(Uart.bitCnt == 8) {
-                                                       Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
-                                                       Uart.byteCnt++;
-                                                       Uart.bitCnt = 0;
-                                                       Uart.shiftReg = 0;
-                                               }
-                                       }
-                               }
-                       }
-                       else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
-                               // RECEIVING DATA
-                               // 1 out of 256
-                               if(!Uart.dropPosition) {
-                                       Uart.state = STATE_UNSYNCD;
-                                       Uart.highCnt = 0;
-                                       //error = 3;
-                               }
-                               else {
-                                       Uart.dropPosition--;
-                                       Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
-                                       Uart.byteCnt++;
-                                       Uart.bitCnt = 0;
-                                       Uart.shiftReg = 0;
-                                       Uart.nOutOfCnt = 0;
-                                       Uart.dropPosition = 0;
-                               }
-                       }
+static void AppendCrc(uint8_t *data, int len) {
+       ComputeCrc14443(CRC_ICLASS, data, len, data+len, data+len+1);
+}

 
 

-                       /*if(error) {
-                               Uart.output[Uart.byteCnt] = 0xAA;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = error & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = 0xAA;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
-                               Uart.byteCnt++;
-                               Uart.output[Uart.byteCnt] = 0xAA;
-                               Uart.byteCnt++;
-                               return TRUE;
-                       }*/
-               }

 
 

-       }
-       else {
-               bit = Uart.bitBuffer & 0xf0;
-               bit >>= 4;
-               bit ^= 0x0F; // drops become 1s ;-)
-               if(bit) {
-                       // should have been high or at least (4 * 128) / fc
-                       // according to ISO this should be at least (9 * 128 + 20) / fc
-                       if(Uart.highCnt == 8) {
-                               // we went low, so this could be start of communication
-                               // it turns out to be safer to choose a less significant
-                               // syncbit... so we check whether the neighbour also represents the drop
-                               Uart.posCnt = 1;   // apparently we are busy with our first half bit period
-                               Uart.syncBit = bit & 8;
-                               Uart.samples = 3;
-                               if(!Uart.syncBit)       { Uart.syncBit = bit & 4; Uart.samples = 2; }
-                               else if(bit & 4)        { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
-                               if(!Uart.syncBit)       { Uart.syncBit = bit & 2; Uart.samples = 1; }
-                               else if(bit & 2)        { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
-                               if(!Uart.syncBit)       { Uart.syncBit = bit & 1; Uart.samples = 0;
-                                       if(Uart.syncBit && (Uart.bitBuffer & 8)) {
-                                               Uart.syncBit = 8;
-
-                                               // the first half bit period is expected in next sample
-                                               Uart.posCnt = 0;
-                                               Uart.samples = 3;
-                                       }
-                               }
-                               else if(bit & 1)        { Uart.syncBit = bit & 1; Uart.samples = 0; }
-
-                               Uart.syncBit <<= 4;
-                               Uart.state = STATE_START_OF_COMMUNICATION;
-                               Uart.bitCnt = 0;
-                               Uart.byteCnt = 0;
-                               Uart.nOutOfCnt = 0;
-                               Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
-                               Uart.dropPosition = 0;
-                               Uart.shiftReg = 0;
-                               //error = 0;
-                       }
-                       else {
-                               Uart.highCnt = 0;
-                       }
-               }
-               else {
-                       if(Uart.highCnt < 8) {
-                               Uart.highCnt++;
-                       }
-               }
-       }
+/**
+ * @brief Does the actual simulation
+ */
+int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) {

 
 

-    return FALSE;
-}
+       // free eventually allocated BigBuf memory
+       BigBuf_free_keep_EM();

 
 

-//=============================================================================
-// Manchester
-//=============================================================================
+       uint16_t page_size = 32 * 8;
+       uint8_t current_page = 0;

 
 

-static struct {
-    enum {
-        DEMOD_UNSYNCD,
-               DEMOD_START_OF_COMMUNICATION,
-               DEMOD_START_OF_COMMUNICATION2,
-               DEMOD_START_OF_COMMUNICATION3,
-               DEMOD_SOF_COMPLETE,
-               DEMOD_MANCHESTER_D,
-               DEMOD_MANCHESTER_E,
-               DEMOD_END_OF_COMMUNICATION,
-               DEMOD_END_OF_COMMUNICATION2,
-               DEMOD_MANCHESTER_F,
-        DEMOD_ERROR_WAIT
-    }       state;
-    int     bitCount;
-    int     posCount;
-       int     syncBit;
-    uint16_t    shiftReg;
-       int     buffer;
-       int     buffer2;
-       int     buffer3;
-       int     buff;
-       int     samples;
-    int     len;
-       enum {
-               SUB_NONE,
-               SUB_FIRST_HALF,
-               SUB_SECOND_HALF,
-               SUB_BOTH
-       }               sub;
-    uint8_t *output;
-} Demod;
-
-static RAMFUNC int ManchesterDecoding(int v)
-{
-       int bit;
-       int modulation;
-       int error = 0;
-
-       bit = Demod.buffer;
-       Demod.buffer = Demod.buffer2;
-       Demod.buffer2 = Demod.buffer3;
-       Demod.buffer3 = v;
-
-       if(Demod.buff < 3) {
-               Demod.buff++;
-               return FALSE;
-       }
+       // maintain cipher states for both credit and debit key for each page
+       State cipher_state_KC[8];
+       State cipher_state_KD[8];
+       State *cipher_state = &cipher_state_KD[0];

 
 

-       if(Demod.state==DEMOD_UNSYNCD) {
-               Demod.output[Demod.len] = 0xfa;
-               Demod.syncBit = 0;
-               //Demod.samples = 0;
-               Demod.posCount = 1;             // This is the first half bit period, so after syncing handle the second part
+       uint8_t *emulator = BigBuf_get_EM_addr();
+       uint8_t *csn = emulator;

 
 

-               if(bit & 0x08) {
-                       Demod.syncBit = 0x08;
-               }
+       // CSN followed by two CRC bytes
+       uint8_t anticoll_data[10];
+       uint8_t csn_data[10];
+       memcpy(csn_data, csn, sizeof(csn_data));
+       Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]);

 
 

-               if(bit & 0x04) {
-                       if(Demod.syncBit) {
-                               bit <<= 4;
-                       }
-                       Demod.syncBit = 0x04;
-               }
+       // Construct anticollision-CSN
+       rotateCSN(csn_data, anticoll_data);

 
 

-               if(bit & 0x02) {
-                       if(Demod.syncBit) {
-                               bit <<= 2;
-                       }
-                       Demod.syncBit = 0x02;
-               }
+       // Compute CRC on both CSNs
+       AppendCrc(anticoll_data, 8);
+       AppendCrc(csn_data, 8);

 
 

-               if(bit & 0x01 && Demod.syncBit) {
-                       Demod.syncBit = 0x01;
-               }
-               
-               if(Demod.syncBit) {
-                       Demod.len = 0;
-                       Demod.state = DEMOD_START_OF_COMMUNICATION;
-                       Demod.sub = SUB_FIRST_HALF;
-                       Demod.bitCount = 0;
-                       Demod.shiftReg = 0;
-                       Demod.samples = 0;
-                       if(Demod.posCount) {
-                               //if(trigger) LED_A_OFF();  // Not useful in this case...
-                               switch(Demod.syncBit) {
-                                       case 0x08: Demod.samples = 3; break;
-                                       case 0x04: Demod.samples = 2; break;
-                                       case 0x02: Demod.samples = 1; break;
-                                       case 0x01: Demod.samples = 0; break;
-                               }
-                               // SOF must be long burst... otherwise stay unsynced!!!
-                               if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
-                                       Demod.state = DEMOD_UNSYNCD;
-                               }
-                       }
-                       else {
-                               // SOF must be long burst... otherwise stay unsynced!!!
-                               if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
-                                       Demod.state = DEMOD_UNSYNCD;
-                                       error = 0x88;
-                               }
+       uint8_t diversified_key_d[8] = { 0x00 };
+       uint8_t diversified_key_c[8] = { 0x00 };
+       uint8_t *diversified_key = diversified_key_d;

 
 

-                       }
-                       error = 0;
+       // configuration block
+       uint8_t conf_block[10] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C, 0x00, 0x00};

 
 

-               }
+       // e-Purse
+       uint8_t card_challenge_data[8] = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+
+       if (simulationMode == ICLASS_SIM_MODE_FULL) {
+               // initialize from page 0
+               memcpy(conf_block, emulator + 8 * 1, 8);
+               memcpy(card_challenge_data, emulator + 8 * 2, 8); // e-purse
+               memcpy(diversified_key_d, emulator + 8 * 3, 8);   // Kd
+               memcpy(diversified_key_c, emulator + 8 * 4, 8);   // Kc

        }
        }

-       else {
-               modulation = bit & Demod.syncBit;
-               modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;

 
 

-               Demod.samples += 4;
+       AppendCrc(conf_block, 8);

 
 

-               if(Demod.posCount==0) {
-                       Demod.posCount = 1;
-                       if(modulation) {
-                               Demod.sub = SUB_FIRST_HALF;
-                       }
-                       else {
-                               Demod.sub = SUB_NONE;
-                       }
+       // save card challenge for sim2,4 attack
+       if (reader_mac_buf != NULL) {
+               memcpy(reader_mac_buf, card_challenge_data, 8);
+       }
+
+       if (conf_block[5] & 0x80) {
+               page_size = 256 * 8;
+       }
+
+       // From PicoPass DS:
+       // When the page is in personalization mode this bit is equal to 1.
+       // Once the application issuer has personalized and coded its dedicated areas, this bit must be set to 0:
+       // the page is then "in application mode".
+       bool personalization_mode = conf_block[7] & 0x80;
+
+       // chip memory may be divided in 8 pages
+       uint8_t max_page = conf_block[4] & 0x10 ? 0 : 7;
+
+       // Precalculate the cipher states, feeding it the CC
+       cipher_state_KD[0] = opt_doTagMAC_1(card_challenge_data, diversified_key_d);
+       cipher_state_KC[0] = opt_doTagMAC_1(card_challenge_data, diversified_key_c);
+       if (simulationMode == ICLASS_SIM_MODE_FULL) {
+               for (int i = 1; i < max_page; i++) {
+                       uint8_t *epurse = emulator + i*page_size + 8*2;
+                       uint8_t *Kd = emulator + i*page_size + 8*3;
+                       uint8_t *Kc = emulator + i*page_size + 8*4;
+                       cipher_state_KD[i] = opt_doTagMAC_1(epurse, Kd);
+                       cipher_state_KC[i] = opt_doTagMAC_1(epurse, Kc);

                }
                }

-               else {
-                       Demod.posCount = 0;
-                       /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
-                               if(Demod.state!=DEMOD_ERROR_WAIT) {
-                                       Demod.state = DEMOD_ERROR_WAIT;
-                                       Demod.output[Demod.len] = 0xaa;
-                                       error = 0x01;
-                               }
-                       }*/
-                       //else if(modulation) {
-                       if(modulation) {
-                               if(Demod.sub == SUB_FIRST_HALF) {
-                                       Demod.sub = SUB_BOTH;
-                               }
-                               else {
-                                       Demod.sub = SUB_SECOND_HALF;
-                               }
-                       }
-                       else if(Demod.sub == SUB_NONE) {
-                               if(Demod.state == DEMOD_SOF_COMPLETE) {
-                                       Demod.output[Demod.len] = 0x0f;
-                                       Demod.len++;
-                                       Demod.state = DEMOD_UNSYNCD;
-//                                     error = 0x0f;
-                                       return TRUE;
-                               }
-                               else {
-                                       Demod.state = DEMOD_ERROR_WAIT;
-                                       error = 0x33;
-                               }
-                               /*if(Demod.state!=DEMOD_ERROR_WAIT) {
-                                       Demod.state = DEMOD_ERROR_WAIT;
-                                       Demod.output[Demod.len] = 0xaa;
-                                       error = 0x01;
-                               }*/
-                       }
+       }

 
 

-                       switch(Demod.state) {
-                               case DEMOD_START_OF_COMMUNICATION:
-                                       if(Demod.sub == SUB_BOTH) {
-                                               //Demod.state = DEMOD_MANCHESTER_D;
-                                               Demod.state = DEMOD_START_OF_COMMUNICATION2;
-                                               Demod.posCount = 1;
-                                               Demod.sub = SUB_NONE;
-                                       }
-                                       else {
-                                               Demod.output[Demod.len] = 0xab;
-                                               Demod.state = DEMOD_ERROR_WAIT;
-                                               error = 0xd2;
-                                       }
-                                       break;
-                               case DEMOD_START_OF_COMMUNICATION2:
-                                       if(Demod.sub == SUB_SECOND_HALF) {
-                                               Demod.state = DEMOD_START_OF_COMMUNICATION3;
-                                       }
-                                       else {
-                                               Demod.output[Demod.len] = 0xab;
-                                               Demod.state = DEMOD_ERROR_WAIT;
-                                               error = 0xd3;
-                                       }
-                                       break;
-                               case DEMOD_START_OF_COMMUNICATION3:
-                                       if(Demod.sub == SUB_SECOND_HALF) {
-//                                             Demod.state = DEMOD_MANCHESTER_D;
-                                               Demod.state = DEMOD_SOF_COMPLETE;
-                                               //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
-                                               //Demod.len++;
-                                       }
-                                       else {
-                                               Demod.output[Demod.len] = 0xab;
-                                               Demod.state = DEMOD_ERROR_WAIT;
-                                               error = 0xd4;
-                                       }
-                                       break;
-                               case DEMOD_SOF_COMPLETE:
-                               case DEMOD_MANCHESTER_D:
-                               case DEMOD_MANCHESTER_E:
-                                       // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
-                                       //                          00001111 = 1 (0 in 14443)
-                                       if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
-                                               Demod.bitCount++;
-                                               Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
-                                               Demod.state = DEMOD_MANCHESTER_D;
-                                       }
-                                       else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
-                                               Demod.bitCount++;
-                                               Demod.shiftReg >>= 1;
-                                               Demod.state = DEMOD_MANCHESTER_E;
-                                       }
-                                       else if(Demod.sub == SUB_BOTH) {
-                                               Demod.state = DEMOD_MANCHESTER_F;
-                                       }
-                                       else {
-                                               Demod.state = DEMOD_ERROR_WAIT;
-                                               error = 0x55;
-                                       }
-                                       break;
-
-                               case DEMOD_MANCHESTER_F:
-                                       // Tag response does not need to be a complete byte!
-                                       if(Demod.len > 0 || Demod.bitCount > 0) {
-                                               if(Demod.bitCount > 1) {  // was > 0, do not interpret last closing bit, is part of EOF
-                                                       Demod.shiftReg >>= (9 - Demod.bitCount);        // right align data
-                                                       Demod.output[Demod.len] = Demod.shiftReg & 0xff;
-                                                       Demod.len++;
-                                               }
+       int exitLoop = 0;
+       // Reader 0a
+       // Tag    0f
+       // Reader 0c
+       // Tag    anticoll. CSN
+       // Reader 81 anticoll. CSN
+       // Tag    CSN

 
 

-                                               Demod.state = DEMOD_UNSYNCD;
-                                               return TRUE;
-                                       }
-                                       else {
-                                               Demod.output[Demod.len] = 0xad;
-                                               Demod.state = DEMOD_ERROR_WAIT;
-                                               error = 0x03;
-                                       }
-                                       break;
+       uint8_t *modulated_response;
+       int modulated_response_size = 0;
+       uint8_t *trace_data = NULL;
+       int trace_data_size = 0;

 
 

-                               case DEMOD_ERROR_WAIT:
-                                       Demod.state = DEMOD_UNSYNCD;
-                                       break;
+       // Respond SOF -- takes 1 bytes
+       uint8_t *resp_sof = BigBuf_malloc(1);
+       int resp_sof_Len;

 
 

-                               default:
-                                       Demod.output[Demod.len] = 0xdd;
-                                       Demod.state = DEMOD_UNSYNCD;
-                                       break;
-                       }
+       // Anticollision CSN (rotated CSN)
+       // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+       uint8_t *resp_anticoll = BigBuf_malloc(22);
+       int resp_anticoll_len;

 
 

-                       /*if(Demod.bitCount>=9) {
-                               Demod.output[Demod.len] = Demod.shiftReg & 0xff;
-                               Demod.len++;
-
-                               Demod.parityBits <<= 1;
-                               Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
-
-                               Demod.bitCount = 0;
-                               Demod.shiftReg = 0;
-                       }*/
-                       if(Demod.bitCount>=8) {
-                               Demod.shiftReg >>= 1;
-                               Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
-                               Demod.len++;
-                               Demod.bitCount = 0;
-                               Demod.shiftReg = 0;
-                       }
+       // CSN (block 0)
+       // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+       uint8_t *resp_csn = BigBuf_malloc(22);
+       int resp_csn_len;

 
 

-                       if(error) {
-                               Demod.output[Demod.len] = 0xBB;
-                               Demod.len++;
-                               Demod.output[Demod.len] = error & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = 0xBB;
-                               Demod.len++;
-                               Demod.output[Demod.len] = bit & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = Demod.buffer & 0xFF;
-                               Demod.len++;
-                               // Look harder ;-)
-                               Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = Demod.syncBit & 0xFF;
-                               Demod.len++;
-                               Demod.output[Demod.len] = 0xBB;
-                               Demod.len++;
-                               return TRUE;
-                       }
+       // configuration (block 1) picopass 2ks
+       uint8_t *resp_conf = BigBuf_malloc(22);
+       int resp_conf_len;

 
 

-               }
+       // e-Purse (block 2)
+       // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
+       uint8_t *resp_cc = BigBuf_malloc(18);
+       int resp_cc_len;

 
 

-       } // end (state != UNSYNCED)
+       // Kd, Kc (blocks 3 and 4). Cannot be read. Always respond with 0xff bytes only
+       uint8_t *resp_ff = BigBuf_malloc(22);
+       int resp_ff_len;
+       uint8_t ff_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
+       AppendCrc(ff_data, 8);

 
 

-    return FALSE;
-}
+       // Application Issuer Area (block 5)
+       uint8_t *resp_aia = BigBuf_malloc(22);
+       int resp_aia_len;
+       uint8_t aia_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
+       AppendCrc(aia_data, 8);

 
 

-//=============================================================================
-// Finally, a `sniffer' for iClass communication
-// Both sides of communication!
-//=============================================================================
+       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+       int len;

 
 

-//-----------------------------------------------------------------------------
-// Record the sequence of commands sent by the reader to the tag, with
-// triggering so that we start recording at the point that the tag is moved
-// near the reader.
-//-----------------------------------------------------------------------------
-void RAMFUNC SnoopIClass(void)
-{
-
-
-    // We won't start recording the frames that we acquire until we trigger;
-    // a good trigger condition to get started is probably when we see a
-    // response from the tag.
-    //int triggered = FALSE; // FALSE to wait first for card
-
-    // The command (reader -> tag) that we're receiving.
-       // The length of a received command will in most cases be no more than 18 bytes.
-       // So 32 should be enough!
-       #define ICLASS_BUFFER_SIZE 32
-       uint8_t readerToTagCmd[ICLASS_BUFFER_SIZE];
-    // The response (tag -> reader) that we're receiving.
-       uint8_t tagToReaderResponse[ICLASS_BUFFER_SIZE];
-       
-    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
- 
-       // free all BigBuf memory
-       BigBuf_free();
-    // The DMA buffer, used to stream samples from the FPGA
-    uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
- 
-       set_tracing(TRUE);
-       clear_trace();
-    iso14a_set_trigger(FALSE);
-
-       int lastRxCounter;
-    uint8_t *upTo;
-    int smpl;
-    int maxBehindBy = 0;
-
-    // Count of samples received so far, so that we can include timing
-    // information in the trace buffer.
-    int samples = 0;
-    rsamples = 0;
-
-    // Set up the demodulator for tag -> reader responses.
-       Demod.output = tagToReaderResponse;
-    Demod.len = 0;
-    Demod.state = DEMOD_UNSYNCD;
-
-    // Setup for the DMA.
-    FpgaSetupSsc();
-    upTo = dmaBuf;
-    lastRxCounter = DMA_BUFFER_SIZE;
-    FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
-
-    // And the reader -> tag commands
-    memset(&Uart, 0, sizeof(Uart));
-       Uart.output = readerToTagCmd;
-    Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
-    Uart.state = STATE_UNSYNCD;
-
-    // And put the FPGA in the appropriate mode
-    // Signal field is off with the appropriate LED
-    LED_D_OFF();
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
-    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
-       uint32_t time_0 = GetCountSspClk();
-       uint32_t time_start = 0;
-       uint32_t time_stop  = 0;
-
-    int div = 0;
-    //int div2 = 0;
-    int decbyte = 0;
-    int decbyter = 0;
-
-    // And now we loop, receiving samples.
-    for(;;) {
-        LED_A_ON();
-        WDT_HIT();
-        int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
-                                (DMA_BUFFER_SIZE-1);
-        if(behindBy > maxBehindBy) {
-            maxBehindBy = behindBy;
-            if(behindBy > (9 * DMA_BUFFER_SIZE / 10)) {
-                Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
-                goto done;
-            }
-        }
-        if(behindBy < 1) continue;
+       // Prepare card messages

 
 

-       LED_A_OFF();
-        smpl = upTo[0];
-        upTo++;
-        lastRxCounter -= 1;
-        if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
-            upTo -= DMA_BUFFER_SIZE;
-            lastRxCounter += DMA_BUFFER_SIZE;
-            AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
-            AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
-        }
-
-        //samples += 4;
-       samples += 1;
-
-       if(smpl & 0xF) {
-               decbyte ^= (1 << (3 - div));
-       }
-       
-       // FOR READER SIDE COMMUMICATION...
+       // First card answer: SOF only
+       CodeIClassTagSOF();
+       memcpy(resp_sof, ToSend, ToSendMax);
+       resp_sof_Len = ToSendMax;

 
 

-       decbyter <<= 2;
-       decbyter ^= (smpl & 0x30);
+       // Anticollision CSN
+       CodeIso15693AsTag(anticoll_data, sizeof(anticoll_data));
+       memcpy(resp_anticoll, ToSend, ToSendMax);
+       resp_anticoll_len = ToSendMax;
+
+       // CSN (block 0)
+       CodeIso15693AsTag(csn_data, sizeof(csn_data));
+       memcpy(resp_csn, ToSend, ToSendMax);
+       resp_csn_len = ToSendMax;
+
+       // Configuration (block 1)
+       CodeIso15693AsTag(conf_block, sizeof(conf_block));
+       memcpy(resp_conf, ToSend, ToSendMax);
+       resp_conf_len = ToSendMax;
+
+       // e-Purse (block 2)
+       CodeIso15693AsTag(card_challenge_data, sizeof(card_challenge_data));
+       memcpy(resp_cc, ToSend, ToSendMax);
+       resp_cc_len = ToSendMax;
+
+       // Kd, Kc (blocks 3 and 4)
+       CodeIso15693AsTag(ff_data, sizeof(ff_data));
+       memcpy(resp_ff, ToSend, ToSendMax);
+       resp_ff_len = ToSendMax;
+
+       // Application Issuer Area (block 5)
+       CodeIso15693AsTag(aia_data, sizeof(aia_data));
+       memcpy(resp_aia, ToSend, ToSendMax);
+       resp_aia_len = ToSendMax;

 
 

-       div++;
-       
-       if((div + 1) % 2 == 0) {
-               smpl = decbyter;        
-               if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
-                   rsamples = samples - Uart.samples;
-                       time_stop = (GetCountSspClk()-time_0) << 4;
-                   LED_C_ON();
-
-                       //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
-                       //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
-                       if(tracing)     {
-                               uint8_t parity[MAX_PARITY_SIZE];
-                               GetParity(Uart.output, Uart.byteCnt, parity);
-                               LogTrace(Uart.output,Uart.byteCnt, time_start, time_stop, parity, TRUE);
-                       }
+       //This is used for responding to READ-block commands or other data which is dynamically generated
+       uint8_t *data_generic_trace = BigBuf_malloc(32 + 2); // 32 bytes data + 2byte CRC is max tag answer
+       uint8_t *data_response = BigBuf_malloc( (32 + 2) * 2 + 2);

 
 

+       bool buttonPressed = false;
+       enum { IDLE, ACTIVATED, SELECTED, HALTED } chip_state = IDLE;

 
 

-                       /* And ready to receive another command. */
-                   Uart.state = STATE_UNSYNCD;
-                   /* And also reset the demod code, which might have been */
-                   /* false-triggered by the commands from the reader. */
-                   Demod.state = DEMOD_UNSYNCD;
-                   LED_B_OFF();
-                   Uart.byteCnt = 0;
-               }else{
-                       time_start = (GetCountSspClk()-time_0) << 4;
-               }
-               decbyter = 0;
-       }
+       while (!exitLoop) {
+               WDT_HIT();

 
 

-       if(div > 3) {
-               smpl = decbyte;
-               if(ManchesterDecoding(smpl & 0x0F)) {
-                       time_stop = (GetCountSspClk()-time_0) << 4;
+               uint32_t reader_eof_time = 0;
+               len = GetIso15693CommandFromReader(receivedCmd, MAX_FRAME_SIZE, &reader_eof_time);
+               if (len < 0) {
+                       buttonPressed = true;
+                       break;
+               }

 
 

-                       rsamples = samples - Demod.samples;
-                   LED_B_ON();
+               // Now look at the reader command and provide appropriate responses
+               // default is no response:
+               modulated_response = NULL;
+               modulated_response_size = 0;
+               trace_data = NULL;
+               trace_data_size = 0;

 
 

-                       if(tracing)     {
-                               uint8_t parity[MAX_PARITY_SIZE];
-                               GetParity(Demod.output, Demod.len, parity);
-                               LogTrace(Demod.output, Demod.len, time_start, time_stop, parity, FALSE);
+               if (receivedCmd[0] == ICLASS_CMD_ACTALL && len == 1) {
+                       // Reader in anticollision phase
+                       if (chip_state != HALTED) {
+                               modulated_response = resp_sof;
+                               modulated_response_size = resp_sof_Len;
+                               chip_state = ACTIVATED;

                        }
 
                        }
 

-                   // And ready to receive another response.
-                   memset(&Demod, 0, sizeof(Demod));
-                       Demod.output = tagToReaderResponse;
-                   Demod.state = DEMOD_UNSYNCD;
-                   LED_C_OFF();
-               }else{
-                       time_start = (GetCountSspClk()-time_0) << 4;
-               }
-               
-               div = 0;
-               decbyte = 0x00;
-       }
-       //}
-
-        if(BUTTON_PRESS()) {
-            DbpString("cancelled_a");
-            goto done;
-        }
-    }
-
-    DbpString("COMMAND FINISHED");
-
-    Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
-       Dbprintf("%x %x %x", Uart.byteCntMax, BigBuf_get_traceLen(), (int)Uart.output[0]);
-
-done:
-    AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
-    Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
-       Dbprintf("%x %x %x", Uart.byteCntMax, BigBuf_get_traceLen(), (int)Uart.output[0]);
-    LED_A_OFF();
-    LED_B_OFF();
-    LED_C_OFF();
-    LED_D_OFF();
-}
+               } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) { // identify
+                       // Reader asks for anticollision CSN
+                       if (chip_state == SELECTED || chip_state == ACTIVATED) {
+                               modulated_response = resp_anticoll;
+                               modulated_response_size = resp_anticoll_len;
+                               trace_data = anticoll_data;
+                               trace_data_size = sizeof(anticoll_data);
+                       }

 
 

-void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
-       int i; 
-       for(i = 0; i < 8; i++) {
-               rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);
-       }
-}
+               } else if (receivedCmd[0] == ICLASS_CMD_SELECT && len == 9) {
+                       // Reader selects anticollision CSN.
+                       // Tag sends the corresponding real CSN
+                       if (chip_state == ACTIVATED || chip_state == SELECTED) {
+                               if (!memcmp(receivedCmd+1, anticoll_data, 8)) {
+                                       modulated_response = resp_csn;
+                                       modulated_response_size = resp_csn_len;
+                                       trace_data = csn_data;
+                                       trace_data_size = sizeof(csn_data);
+                                       chip_state = SELECTED;
+                               } else {
+                                       chip_state = IDLE;
+                               }
+                       } else if (chip_state == HALTED) {
+                               // RESELECT with CSN
+                               if (!memcmp(receivedCmd+1, csn_data, 8)) {
+                                       modulated_response = resp_csn;
+                                       modulated_response_size = resp_csn_len;
+                                       trace_data = csn_data;
+                                       trace_data_size = sizeof(csn_data);
+                                       chip_state = SELECTED;
+                               }
+                       }

 
 

-//-----------------------------------------------------------------------------
-// Wait for commands from reader
-// Stop when button is pressed
-// Or return TRUE when command is captured
-//-----------------------------------------------------------------------------
-static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
-{
-    // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
-    // only, since we are receiving, not transmitting).
-    // Signal field is off with the appropriate LED
-    LED_D_OFF();
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-
-    // Now run a `software UART' on the stream of incoming samples.
-    Uart.output = received;
-    Uart.byteCntMax = maxLen;
-    Uart.state = STATE_UNSYNCD;
-
-    for(;;) {
-        WDT_HIT();
-
-        if(BUTTON_PRESS()) return FALSE;
-
-        if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-            AT91C_BASE_SSC->SSC_THR = 0x00;
-        }
-        if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-            uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-
-                       if(OutOfNDecoding(b & 0x0f)) {
-                               *len = Uart.byteCnt;
-                               return TRUE;
+               } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) { // read block
+                       uint16_t blockNo = receivedCmd[1];
+                       if (chip_state == SELECTED) {
+                               if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) {
+                                       // provide defaults for blocks 0 ... 5
+                                       switch (blockNo) {
+                                               case 0: // csn (block 00)
+                                                       modulated_response = resp_csn;
+                                                       modulated_response_size = resp_csn_len;
+                                                       trace_data = csn_data;
+                                                       trace_data_size = sizeof(csn_data);
+                                                       break;
+                                               case 1: // configuration (block 01)
+                                                       modulated_response = resp_conf;
+                                                       modulated_response_size = resp_conf_len;
+                                                       trace_data = conf_block;
+                                                       trace_data_size = sizeof(conf_block);
+                                                       break;
+                                               case 2: // e-purse (block 02)
+                                                       modulated_response = resp_cc;
+                                                       modulated_response_size = resp_cc_len;
+                                                       trace_data = card_challenge_data;
+                                                       trace_data_size = sizeof(card_challenge_data);
+                                                       // set epurse of sim2,4 attack
+                                                       if (reader_mac_buf != NULL) {
+                                                               memcpy(reader_mac_buf, card_challenge_data, 8);
+                                                       }
+                                                       break;
+                                               case 3:
+                                               case 4: // Kd, Kc, always respond with 0xff bytes
+                                                       modulated_response = resp_ff;
+                                                       modulated_response_size = resp_ff_len;
+                                                       trace_data = ff_data;
+                                                       trace_data_size = sizeof(ff_data);
+                                                       break;
+                                               case 5: // Application Issuer Area (block 05)
+                                                       modulated_response = resp_aia;
+                                                       modulated_response_size = resp_aia_len;
+                                                       trace_data = aia_data;
+                                                       trace_data_size = sizeof(aia_data);
+                                                       break;
+                                               // default: don't respond
+                                       }
+                               } else if (simulationMode == ICLASS_SIM_MODE_FULL) {
+                                       if (blockNo == 3 || blockNo == 4) { // Kd, Kc, always respond with 0xff bytes
+                                               modulated_response = resp_ff;
+                                               modulated_response_size = resp_ff_len;
+                                               trace_data = ff_data;
+                                               trace_data_size = sizeof(ff_data);
+                                       } else { // use data from emulator memory
+                                               memcpy(data_generic_trace, emulator + current_page*page_size + 8*blockNo, 8);
+                                               AppendCrc(data_generic_trace, 8);
+                                               trace_data = data_generic_trace;
+                                               trace_data_size = 10;
+                                               CodeIso15693AsTag(trace_data, trace_data_size);
+                                               memcpy(data_response, ToSend, ToSendMax);
+                                               modulated_response = data_response;
+                                               modulated_response_size = ToSendMax;
+                                       }
+                               }

                        }
                        }

-        }
-    }
-}

 
 

-static uint8_t encode4Bits(const uint8_t b)
-{
-       uint8_t c = b & 0xF;
-       // OTA, the least significant bits first
-       //         The columns are
-       //               1 - Bit value to send
-       //               2 - Reversed (big-endian)
-       //               3 - Encoded
-       //               4 - Hex values
-
-       switch(c){
-       //                          1       2         3         4
-         case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55
-         case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95
-         case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65
-         case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5
-         case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59
-         case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99
-         case 9:  return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69
-         case 8:  return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9
-         case 7:  return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56
-         case 6:  return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96
-         case 5:  return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66
-         case 4:  return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6
-         case 3:  return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a
-         case 2:  return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a
-         case 1:  return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a
-         default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa
+               } else if ((receivedCmd[0] == ICLASS_CMD_READCHECK_KD
+                                       || receivedCmd[0] == ICLASS_CMD_READCHECK_KC) && receivedCmd[1] == 0x02 && len == 2) {
+                       // Read e-purse (88 02 || 18 02)
+                       if (chip_state == SELECTED) {
+                               if(receivedCmd[0] == ICLASS_CMD_READCHECK_KD){
+                                       cipher_state = &cipher_state_KD[current_page];
+                                       diversified_key = diversified_key_d;
+                               } else {
+                                       cipher_state = &cipher_state_KC[current_page];
+                                       diversified_key = diversified_key_c;
+                               }
+                               modulated_response = resp_cc;
+                               modulated_response_size = resp_cc_len;
+                               trace_data = card_challenge_data;
+                               trace_data_size = sizeof(card_challenge_data);
+                       }

 
 

-       }
-}
+               } else if ((receivedCmd[0] == ICLASS_CMD_CHECK_KC
+                                       || receivedCmd[0] == ICLASS_CMD_CHECK_KD) && len == 9) {
+                       // Reader random and reader MAC!!!
+                       if (chip_state == SELECTED) {
+                               if (simulationMode == ICLASS_SIM_MODE_FULL) {
+                                       //NR, from reader, is in receivedCmd+1
+                                       opt_doTagMAC_2(*cipher_state, receivedCmd+1, data_generic_trace, diversified_key);
+                                       trace_data = data_generic_trace;
+                                       trace_data_size = 4;
+                                       CodeIso15693AsTag(trace_data, trace_data_size);
+                                       memcpy(data_response, ToSend, ToSendMax);
+                                       modulated_response = data_response;
+                                       modulated_response_size = ToSendMax;
+                                       //exitLoop = true;
+                               } else { // Not fullsim, we don't respond
+                                       // We do not know what to answer, so lets keep quiet
+                                       if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) {
+                                               if (reader_mac_buf != NULL) {
+                                                       // save NR and MAC for sim 2,4
+                                                       memcpy(reader_mac_buf + 8, receivedCmd + 1, 8);
+                                               }
+                                               exitLoop = true;
+                                       }
+                               }
+                       }

 
 

-//-----------------------------------------------------------------------------
-// Prepare tag messages
-//-----------------------------------------------------------------------------
-static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
-{
-
-       /*
-        * SOF comprises 3 parts;
-        * * An unmodulated time of 56.64 us
-        * * 24 pulses of 423.75 KHz (fc/32)
-        * * A logic 1, which starts with an unmodulated time of 18.88us
-        *   followed by 8 pulses of 423.75kHz (fc/32)
-        *
-        *
-        * EOF comprises 3 parts:
-        * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated
-        *   time of 18.88us.
-        * - 24 pulses of fc/32
-        * - An unmodulated time of 56.64 us
-        *
-        *
-        * A logic 0 starts with 8 pulses of fc/32
-        * followed by an unmodulated time of 256/fc (~18,88us).
-        *
-        * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by
-        * 8 pulses of fc/32 (also 18.88us)
-        *
-        * The mode FPGA_HF_SIMULATOR_MODULATE_424K_8BIT which we use to simulate tag,
-        * works like this.
-        * - A 1-bit input to the FPGA becomes 8 pulses on 423.5kHz (fc/32) (18.88us).
-        * - A 0-bit inptu to the FPGA becomes an unmodulated time of 18.88us
-        *
-        * In this mode the SOF can be written as 00011101 = 0x1D
-        * The EOF can be written as 10111000 = 0xb8
-        * A logic 1 is 01
-        * A logic 0 is 10
-        *
-        * */
+               } else if (receivedCmd[0] == ICLASS_CMD_HALT && len == 1) {
+                       if (chip_state == SELECTED) {
+                               // Reader ends the session
+                               modulated_response = resp_sof;
+                               modulated_response_size = resp_sof_Len;
+                               chip_state = HALTED;
+                       }

 
 

-       int i;
+               } else if (simulationMode == ICLASS_SIM_MODE_FULL && receivedCmd[0] == ICLASS_CMD_READ4 && len == 4) {  // 0x06
+                       //Read 4 blocks
+                       if (chip_state == SELECTED) {
+                               uint8_t blockNo = receivedCmd[1];
+                               memcpy(data_generic_trace, emulator + current_page*page_size + blockNo*8, 8 * 4);
+                               AppendCrc(data_generic_trace, 8 * 4);
+                               trace_data = data_generic_trace;
+                               trace_data_size = 8 * 4 + 2;
+                               CodeIso15693AsTag(trace_data, trace_data_size);
+                               memcpy(data_response, ToSend, ToSendMax);
+                               modulated_response = data_response;
+                               modulated_response_size = ToSendMax;
+                       }

 
 

-       ToSendReset();
+               } else if (receivedCmd[0] == ICLASS_CMD_UPDATE && (len == 12 || len == 14)) {
+                       // We're expected to respond with the data+crc, exactly what's already in the receivedCmd
+                       // receivedCmd is now UPDATE 1b | ADDRESS 1b | DATA 8b | Signature 4b or CRC 2b
+                       if (chip_state == SELECTED) {
+                               uint8_t blockNo = receivedCmd[1];
+                               if (blockNo == 2) { // update e-purse
+                                       memcpy(card_challenge_data, receivedCmd+2, 8);
+                                       CodeIso15693AsTag(card_challenge_data, sizeof(card_challenge_data));
+                                       memcpy(resp_cc, ToSend, ToSendMax);
+                                       resp_cc_len = ToSendMax;
+                                       cipher_state_KD[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_d);
+                                       cipher_state_KC[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_c);
+                                       if (simulationMode == ICLASS_SIM_MODE_FULL) {
+                                               memcpy(emulator + current_page*page_size + 8*2, card_challenge_data, 8);
+                                       }
+                               } else if (blockNo == 3) { // update Kd
+                                       for (int i = 0; i < 8; i++) {
+                                               if (personalization_mode) {
+                                                       diversified_key_d[i] = receivedCmd[2 + i];
+                                               } else {
+                                                       diversified_key_d[i] ^= receivedCmd[2 + i];
+                                               }
+                                       }
+                                       cipher_state_KD[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_d);
+                                       if (simulationMode == ICLASS_SIM_MODE_FULL) {
+                                               memcpy(emulator + current_page*page_size + 8*3, diversified_key_d, 8);
+                                       }
+                               } else if (blockNo == 4) { // update Kc
+                                       for (int i = 0; i < 8; i++) {
+                                               if (personalization_mode) {
+                                                       diversified_key_c[i] = receivedCmd[2 + i];
+                                               } else {
+                                                       diversified_key_c[i] ^= receivedCmd[2 + i];
+                                               }
+                                       }
+                                       cipher_state_KC[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_c);
+                                       if (simulationMode == ICLASS_SIM_MODE_FULL) {
+                                               memcpy(emulator + current_page*page_size + 8*4, diversified_key_c, 8);
+                                       }
+                               } else if (simulationMode == ICLASS_SIM_MODE_FULL) { // update any other data block
+                                               memcpy(emulator + current_page*page_size + 8*blockNo, receivedCmd+2, 8);
+                               }
+                               memcpy(data_generic_trace, receivedCmd + 2, 8);
+                               AppendCrc(data_generic_trace, 8);
+                               trace_data = data_generic_trace;
+                               trace_data_size = 10;
+                               CodeIso15693AsTag(trace_data, trace_data_size);
+                               memcpy(data_response, ToSend, ToSendMax);
+                               modulated_response = data_response;
+                               modulated_response_size = ToSendMax;
+                       }

 
 

-       // Send SOF
-       ToSend[++ToSendMax] = 0x1D;
+               } else if (receivedCmd[0] == ICLASS_CMD_PAGESEL && len == 4) {
+                       // Pagesel
+                       // Chips with a single page will not answer to this command
+                       // Otherwise, we should answer 8bytes (conf block 1) + 2bytes CRC
+                       if (chip_state == SELECTED) {
+                               if (simulationMode == ICLASS_SIM_MODE_FULL && max_page > 0) {
+                                       current_page = receivedCmd[1];
+                                       memcpy(data_generic_trace, emulator + current_page*page_size + 8*1, 8);
+                                       memcpy(diversified_key_d, emulator + current_page*page_size + 8*3, 8);
+                                       memcpy(diversified_key_c, emulator + current_page*page_size + 8*4, 8);
+                                       cipher_state = &cipher_state_KD[current_page];
+                                       personalization_mode = data_generic_trace[7] & 0x80;
+                                       AppendCrc(data_generic_trace, 8);
+                                       trace_data = data_generic_trace;
+                                       trace_data_size = 10;
+                                       CodeIso15693AsTag(trace_data, trace_data_size);
+                                       memcpy(data_response, ToSend, ToSendMax);
+                                       modulated_response = data_response;
+                                       modulated_response_size = ToSendMax;
+                               }
+                       }

 
 

-       for(i = 0; i < len; i++) {
-               uint8_t b = cmd[i];
-               ToSend[++ToSendMax] = encode4Bits(b & 0xF); //Least significant half
-               ToSend[++ToSendMax] = encode4Bits((b >>4) & 0xF);//Most significant half
-       }
+               } else if (receivedCmd[0] == 0x26 && len == 5) {
+                       // standard ISO15693 INVENTORY command. Ignore.

 
 

-       // Send EOF
-       ToSend[++ToSendMax] = 0xB8;
-       //lastProxToAirDuration  = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
-       // Convert from last byte pos to length
-       ToSendMax++;
-}
+               } else {
+                       // don't know how to handle this command
+                       char debug_message[250]; // should be enough
+                       sprintf(debug_message, "Unhandled command (len = %d) received from reader:", len);
+                       for (int i = 0; i < len && strlen(debug_message) < sizeof(debug_message) - 3 - 1; i++) {
+                               sprintf(debug_message + strlen(debug_message), " %02x", receivedCmd[i]);
+                       }
+                       Dbprintf("%s", debug_message);
+                       // Do not respond
+               }

 
 

-// Only SOF 
-static void CodeIClassTagSOF()
-{
-       //So far a dummy implementation, not used
-       //int lastProxToAirDuration =0;
+               /**
+               A legit tag has about 273,4us delay between reader EOT and tag SOF.
+               **/
+               if (modulated_response_size > 0) {
+                       uint32_t response_time = reader_eof_time + DELAY_ICLASS_VCD_TO_VICC_SIM;
+                       TransmitTo15693Reader(modulated_response, modulated_response_size, &response_time, 0, false);
+                       LogTrace_ISO15693(trace_data, trace_data_size, response_time*32, response_time*32 + modulated_response_size/2, NULL, false);
+               }

 
 

-       ToSendReset();
-       // Send SOF
-       ToSend[++ToSendMax] = 0x1D;
-//     lastProxToAirDuration  = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
+       }

 
 

-       // Convert from last byte pos to length
-       ToSendMax++;
+       if (buttonPressed)
+       {
+               DbpString("Button pressed");
+       }
+       return buttonPressed;

 }
 }

-#define MODE_SIM_CSN        0
-#define MODE_EXIT_AFTER_MAC 1
-#define MODE_FULLSIM        2

 
 

-int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf);

 /**
  * @brief SimulateIClass simulates an iClass card.
  * @param arg0 type of simulation
 /**
  * @brief SimulateIClass simulates an iClass card.
  * @param arg0 type of simulation

- *                     - 0 uses the first 8 bytes in usb data as CSN
- *                     - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
- *                     in the usb data. This mode collects MAC from the reader, in order to do an offline
- *                     attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
- *                     - Other : Uses the default CSN (031fec8af7ff12e0)
+ *          - 0 uses the first 8 bytes in usb data as CSN
+ *          - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
+ *          in the usb data. This mode collects MAC from the reader, in order to do an offline
+ *          attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
+ *          - Other : Uses the default CSN (031fec8af7ff12e0)

  * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
  * @param arg2
  * @param datain
  */
  * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
  * @param arg2
  * @param datain
  */

-void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
-{
+void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) {
+
+       LED_A_ON();
+

        uint32_t simType = arg0;
        uint32_t numberOfCSNS = arg1;
        uint32_t simType = arg0;
        uint32_t numberOfCSNS = arg1;

+
+       // setup hardware for simulation:

        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);

+       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
+       LED_D_OFF();
+       FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
+       StartCountSspClk();

 
        // Enable and clear the trace
 
        // Enable and clear the trace

-       set_tracing(TRUE);
+       set_tracing(true);

        clear_trace();
        //Use the emulator memory for SIM
        uint8_t *emulator = BigBuf_get_EM_addr();
 
        clear_trace();
        //Use the emulator memory for SIM
        uint8_t *emulator = BigBuf_get_EM_addr();
 

-       if(simType == 0) {
+       if (simType == ICLASS_SIM_MODE_CSN) {

                // Use the CSN from commandline
                memcpy(emulator, datain, 8);
                // Use the CSN from commandline
                memcpy(emulator, datain, 8);

-               doIClassSimulation(MODE_SIM_CSN,NULL);
-       }else if(simType == 1)
-       {
+               doIClassSimulation(ICLASS_SIM_MODE_CSN, NULL);
+       } else if (simType == ICLASS_SIM_MODE_CSN_DEFAULT) {

                //Default CSN
                uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
                // Use the CSN from commandline
                memcpy(emulator, csn_crc, 8);
                //Default CSN
                uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
                // Use the CSN from commandline
                memcpy(emulator, csn_crc, 8);

-               doIClassSimulation(MODE_SIM_CSN,NULL);
-       }
-       else if(simType == 2)
-       {
-
+               doIClassSimulation(ICLASS_SIM_MODE_CSN, NULL);
+       } else if (simType == ICLASS_SIM_MODE_READER_ATTACK) {

                uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
                Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
                // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
                uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
                Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
                // In this mode, a number of csns are within datain. We'll simulate each one, one at a time

-               // in order to collect MAC's from the reader. This can later be used in an offlne-attack
+               // in order to collect MAC's from the reader. This can later be used in an offline-attack

                // in order to obtain the keys, as in the "dismantling iclass"-paper.
                // in order to obtain the keys, as in the "dismantling iclass"-paper.

-               int i = 0;
-               for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
-               {
-                       // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
-
+               int i;
+               for (i = 0; i < numberOfCSNS && i*16+16 <= USB_CMD_DATA_SIZE; i++) {
+                       // The usb data is 512 bytes, fitting 32 responses (8 byte CC + 4 Byte NR + 4 Byte MAC = 16 Byte response).

                        memcpy(emulator, datain+(i*8), 8);
                        memcpy(emulator, datain+(i*8), 8);

-                       if(doIClassSimulation(MODE_EXIT_AFTER_MAC,mac_responses+i*8))
-                       {
-                               cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
-                               return; // Button pressed
-                       }
-               }
-               cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
-
-       }else if(simType == 3){
+                       if (doIClassSimulation(ICLASS_SIM_MODE_EXIT_AFTER_MAC, mac_responses+i*16)) {
+                                // Button pressed
+                                break;
+                       }
+                       Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       datain[i*8+0], datain[i*8+1], datain[i*8+2], datain[i*8+3],
+                                       datain[i*8+4], datain[i*8+5], datain[i*8+6], datain[i*8+7]);
+                       Dbprintf("NR,MAC: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       mac_responses[i*16+ 8], mac_responses[i*16+ 9], mac_responses[i*16+10], mac_responses[i*16+11],
+                                       mac_responses[i*16+12], mac_responses[i*16+13], mac_responses[i*16+14], mac_responses[i*16+15]);
+                       SpinDelay(100); // give the reader some time to prepare for next CSN
+               }
+               cmd_send(CMD_ACK, CMD_SIMULATE_TAG_ICLASS, i, 0, mac_responses, i*16);
+       } else if (simType == ICLASS_SIM_MODE_FULL) {

                //This is 'full sim' mode, where we use the emulator storage for data.
                //This is 'full sim' mode, where we use the emulator storage for data.

-               doIClassSimulation(MODE_FULLSIM, NULL);
-       }
-       else{
+               doIClassSimulation(ICLASS_SIM_MODE_FULL, NULL);
+       } else {

                // We may want a mode here where we hardcode the csns to use (from proxclone).
                // That will speed things up a little, but not required just yet.
                Dbprintf("The mode is not implemented, reserved for future use");
        }
                // We may want a mode here where we hardcode the csns to use (from proxclone).
                // That will speed things up a little, but not required just yet.
                Dbprintf("The mode is not implemented, reserved for future use");
        }

+

        Dbprintf("Done...");
 
        Dbprintf("Done...");
 

-}
-void AppendCrc(uint8_t* data, int len)
-{
-       ComputeCrc14443(CRC_ICLASS,data,len,data+len,data+len+1);
+       LED_A_OFF();

 }
 
 }
 

-/**
- * @brief Does the actual simulation
- * @param csn - csn to use
- * @param breakAfterMacReceived if true, returns after reader MAC has been received.
- */
-int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf)
-{
-       // free eventually allocated BigBuf memory
-       BigBuf_free_keep_EM();
-
-       State cipher_state;
-//     State cipher_state_reserve;
-       uint8_t *csn = BigBuf_get_EM_addr();
-       uint8_t *emulator = csn;
-       uint8_t sof_data[] = { 0x0F} ;
-       // CSN followed by two CRC bytes
-       uint8_t anticoll_data[10] = { 0 };
-       uint8_t csn_data[10] = { 0 };
-       memcpy(csn_data,csn,sizeof(csn_data));
-       Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);

 
 

-       // Construct anticollision-CSN
-       rotateCSN(csn_data,anticoll_data);
-
-       // Compute CRC on both CSNs
-       ComputeCrc14443(CRC_ICLASS, anticoll_data, 8, &anticoll_data[8], &anticoll_data[9]);
-       ComputeCrc14443(CRC_ICLASS, csn_data, 8, &csn_data[8], &csn_data[9]);
-
-       uint8_t diversified_key[8] = { 0 };
-       // e-Purse
-       uint8_t card_challenge_data[8] = { 0x00 };
-       if(simulationMode == MODE_FULLSIM)
-       {
-               //The diversified key should be stored on block 3
-               //Get the diversified key from emulator memory
-               memcpy(diversified_key, emulator+(8*3),8);
+/// THE READER CODE

 
 

-               //Card challenge, a.k.a e-purse is on block 2
-               memcpy(card_challenge_data,emulator + (8 * 2) , 8);
-               //Precalculate the cipher state, feeding it the CC
-               cipher_state = opt_doTagMAC_1(card_challenge_data,diversified_key);
+static void ReaderTransmitIClass(uint8_t *frame, int len, uint32_t *start_time) {

 
 

-       }
+       CodeIso15693AsReader(frame, len);

 
 

-       int exitLoop = 0;
-       // Reader 0a
-       // Tag    0f
-       // Reader 0c
-       // Tag    anticoll. CSN
-       // Reader 81 anticoll. CSN
-       // Tag    CSN
+       TransmitTo15693Tag(ToSend, ToSendMax, start_time);

 
 

-       uint8_t *modulated_response;
-       int modulated_response_size = 0;
-       uint8_t* trace_data = NULL;
-       int trace_data_size = 0;
+       uint32_t end_time = *start_time + 32*(8*ToSendMax-4); // substract the 4 padding bits after EOF
+       LogTrace_ISO15693(frame, len, *start_time*4, end_time*4, NULL, true);
+}

 
 
 
 

-       // Respond SOF -- takes 1 bytes
-       uint8_t *resp_sof = BigBuf_malloc(2);
-       int resp_sof_Len;
+static bool sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, size_t max_resp_size,
+                                                                                 uint8_t expected_size, uint8_t tries, uint32_t start_time, uint32_t timeout, uint32_t *eof_time) {
+       while (tries-- > 0) {
+               ReaderTransmitIClass(command, cmdsize, &start_time);
+               if (expected_size == GetIso15693AnswerFromTag(resp, max_resp_size, timeout, eof_time)) {
+                       return true;
+               }
+       }
+       return false;//Error
+}

 
 

-       // Anticollision CSN (rotated CSN)
-       // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
-       uint8_t *resp_anticoll = BigBuf_malloc(28);
-       int resp_anticoll_len;

 
 

-       // CSN
-       // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
-       uint8_t *resp_csn = BigBuf_malloc(30);
-       int resp_csn_len;
+/**
+ * @brief Selects an iclass tag
+ * @param card_data where the CSN is stored for return
+ * @return false = fail
+ *         true = success
+ */
+static bool selectIclassTag(uint8_t *card_data, uint32_t *eof_time) {
+       uint8_t act_all[]      = { 0x0a };
+       uint8_t identify[]     = { 0x0c };
+       uint8_t select[]       = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

 
 

-       // e-Purse
-       // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
-       uint8_t *resp_cc = BigBuf_malloc(20);
-       int resp_cc_len;
+       uint8_t resp[ICLASS_BUFFER_SIZE];

 
 

-       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
-       memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
-       int len;
+       uint32_t start_time = GetCountSspClk();

 
 

-       // Prepare card messages
-       ToSendMax = 0;
+       // Send act_all
+       ReaderTransmitIClass(act_all, 1, &start_time);
+       // Card present?
+       if (GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_ACTALL, eof_time) < 0) return false; //Fail

 
 

-       // First card answer: SOF
-       CodeIClassTagSOF();
-       memcpy(resp_sof, ToSend, ToSendMax); resp_sof_Len = ToSendMax;
+       //Send Identify
+       start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
+       ReaderTransmitIClass(identify, 1, &start_time);
+       //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
+       uint8_t len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
+       if (len != 10) return false; //Fail

 
 

-       // Anticollision CSN
-       CodeIClassTagAnswer(anticoll_data, sizeof(anticoll_data));
-       memcpy(resp_anticoll, ToSend, ToSendMax); resp_anticoll_len = ToSendMax;
+       //Copy the Anti-collision CSN to our select-packet
+       memcpy(&select[1], resp, 8);
+       //Select the card
+       start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
+       ReaderTransmitIClass(select, sizeof(select), &start_time);
+       //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
+       len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
+       if (len != 10) return false; //Fail

 
 

-       // CSN
-       CodeIClassTagAnswer(csn_data, sizeof(csn_data));
-       memcpy(resp_csn, ToSend, ToSendMax); resp_csn_len = ToSendMax;
+       //Success - we got CSN
+       //Save CSN in response data
+       memcpy(card_data, resp, 8);

 
 

-       // e-Purse
-       CodeIClassTagAnswer(card_challenge_data, sizeof(card_challenge_data));
-       memcpy(resp_cc, ToSend, ToSendMax); resp_cc_len = ToSendMax;
+       return true;
+}

 
 

-       //This is used for responding to READ-block commands or other data which is dynamically generated
-       //First the 'trace'-data, not encoded for FPGA
-       uint8_t *data_generic_trace = BigBuf_malloc(8 + 2);//8 bytes data + 2byte CRC is max tag answer
-       //Then storage for the modulated data
-       //Each bit is doubled when modulated for FPGA, and we also have SOF and EOF (2 bytes)
-       uint8_t *data_response = BigBuf_malloc( (8+2) * 2 + 2);
-
-       // Start from off (no field generated)
-       //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       //SpinDelay(200);
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-       SpinDelay(100);
-       StartCountSspClk();
-       // We need to listen to the high-frequency, peak-detected path.
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-       FpgaSetupSsc();

 
 

-       // To control where we are in the protocol
-       int cmdsRecvd = 0;
-       uint32_t time_0 = GetCountSspClk();
-       uint32_t t2r_time =0;
-       uint32_t r2t_time =0;
+// Select an iClass tag and read all blocks which are always readable without authentication
+void ReaderIClass(uint8_t flags) {

 
        LED_A_ON();
 
        LED_A_ON();

-       bool buttonPressed = false;
-       uint8_t response_delay = 1;
-       while(!exitLoop) {
-               response_delay = 1;
-               LED_B_OFF();
-               //Signal tracer
-               // Can be used to get a trigger for an oscilloscope..
-               LED_C_OFF();
-
-               if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
-                       buttonPressed = true;
-                       break;
-               }
-               r2t_time = GetCountSspClk();
-               //Signal tracer
-               LED_C_ON();
-
-               // Okay, look at the command now.
-               if(receivedCmd[0] == ICLASS_CMD_ACTALL ) {
-                       // Reader in anticollission phase
-                       modulated_response = resp_sof; modulated_response_size = resp_sof_Len; //order = 1;
-                       trace_data = sof_data;
-                       trace_data_size = sizeof(sof_data);
-               } else if(receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) {
-                       // Reader asks for anticollission CSN
-                       modulated_response = resp_anticoll; modulated_response_size = resp_anticoll_len; //order = 2;
-                       trace_data = anticoll_data;
-                       trace_data_size = sizeof(anticoll_data);
-                       //DbpString("Reader requests anticollission CSN:");
-               } else if(receivedCmd[0] == ICLASS_CMD_SELECT) {
-                       // Reader selects anticollission CSN.
-                       // Tag sends the corresponding real CSN
-                       modulated_response = resp_csn; modulated_response_size = resp_csn_len; //order = 3;
-                       trace_data = csn_data;
-                       trace_data_size = sizeof(csn_data);
-                       //DbpString("Reader selects anticollission CSN:");
-               } else if(receivedCmd[0] == ICLASS_CMD_READCHECK_KD) {
-                       // Read e-purse (88 02)
-                       modulated_response = resp_cc; modulated_response_size = resp_cc_len; //order = 4;
-                       trace_data = card_challenge_data;
-                       trace_data_size = sizeof(card_challenge_data);
-                       LED_B_ON();
-               } else if(receivedCmd[0] == ICLASS_CMD_CHECK) {
-                       // Reader random and reader MAC!!!
-                       if(simulationMode == MODE_FULLSIM)
-                       {
-                               //NR, from reader, is in receivedCmd +1
-                               opt_doTagMAC_2(cipher_state,receivedCmd+1,data_generic_trace,diversified_key);

 
 

-                               trace_data = data_generic_trace;
-                               trace_data_size = 4;
-                               CodeIClassTagAnswer(trace_data , trace_data_size);
-                               memcpy(data_response, ToSend, ToSendMax);
-                               modulated_response = data_response;
-                               modulated_response_size = ToSendMax;
-                               response_delay = 0;//We need to hurry here...
-                               //exitLoop = true;
-                       }else
-                       {       //Not fullsim, we don't respond
-                               // We do not know what to answer, so lets keep quiet
-                               modulated_response = resp_sof; modulated_response_size = 0;
-                               trace_data = NULL;
-                               trace_data_size = 0;
-                               if (simulationMode == MODE_EXIT_AFTER_MAC){
-                                       // dbprintf:ing ...
-                                       Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
-                                                          ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
-                                       Dbprintf("RDR:  (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
-                                                       receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                                                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
-                                                       receivedCmd[6], receivedCmd[7], receivedCmd[8]);
-                                       if (reader_mac_buf != NULL)
-                                       {
-                                               memcpy(reader_mac_buf,receivedCmd+1,8);
-                                       }
-                                       exitLoop = true;
-                               }
-                       }
-
-               } else if(receivedCmd[0] == ICLASS_CMD_HALT && len == 1) {
-                       // Reader ends the session
-                       modulated_response = resp_sof; modulated_response_size = 0; //order = 0;
-                       trace_data = NULL;
-                       trace_data_size = 0;
-               } else if(simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
-                       //Read block
-                       uint16_t blk = receivedCmd[1];
-                       //Take the data...
-                       memcpy(data_generic_trace, emulator+(blk << 3),8);
-                       //Add crc
-                       AppendCrc(data_generic_trace, 8);
-                       trace_data = data_generic_trace;
-                       trace_data_size = 10;
-                       CodeIClassTagAnswer(trace_data , trace_data_size);
-                       memcpy(data_response, ToSend, ToSendMax);
-                       modulated_response = data_response;
-                       modulated_response_size = ToSendMax;
-               }else if(receivedCmd[0] == ICLASS_CMD_UPDATE && simulationMode == MODE_FULLSIM)
-               {//Probably the reader wants to update the nonce. Let's just ignore that for now.
-                       // OBS! If this is implemented, don't forget to regenerate the cipher_state
-                       //We're expected to respond with the data+crc, exactly what's already in the receivedcmd
-                       //receivedcmd is now UPDATE 1b | ADDRESS 1b| DATA 8b| Signature 4b or CRC 2b|
-
-                       //Take the data...
-                       memcpy(data_generic_trace, receivedCmd+2,8);
-                       //Add crc
-                       AppendCrc(data_generic_trace, 8);
-                       trace_data = data_generic_trace;
-                       trace_data_size = 10;
-                       CodeIClassTagAnswer(trace_data , trace_data_size);
-                       memcpy(data_response, ToSend, ToSendMax);
-                       modulated_response = data_response;
-                       modulated_response_size = ToSendMax;
-               }
-               else if(receivedCmd[0] == ICLASS_CMD_PAGESEL)
-               {//Pagesel
-                       //Pagesel enables to select a page in the selected chip memory and return its configuration block
-                       //Chips with a single page will not answer to this command
-                       // It appears we're fine ignoring this.
-                       //Otherwise, we should answer 8bytes (block) + 2bytes CRC
-               }
-               else {
-                       //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
-                       // Never seen this command before
-                       Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
-                       len,
-                       receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
-                       receivedCmd[6], receivedCmd[7], receivedCmd[8]);
-                       // Do not respond
-                       modulated_response = resp_sof; modulated_response_size = 0; //order = 0;
-                       trace_data = NULL;
-                       trace_data_size = 0;
-               }
-
-               if(cmdsRecvd >  100) {
-                       //DbpString("100 commands later...");
-                       //break;
-               }
-               else {
-                       cmdsRecvd++;
-               }
-               /**
-               A legit tag has about 380us delay between reader EOT and tag SOF.
-               **/
-               if(modulated_response_size > 0) {
-                       SendIClassAnswer(modulated_response, modulated_response_size, response_delay);
-                       t2r_time = GetCountSspClk();
-               }
-
-               if (tracing) {
-                       uint8_t parity[MAX_PARITY_SIZE];
-                       GetParity(receivedCmd, len, parity);
-                       LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE);
+       uint8_t card_data[6 * 8] = {0};
+       memset(card_data, 0xFF, sizeof(card_data));
+       uint8_t resp[ICLASS_BUFFER_SIZE];
+       //Read conf block CRC(0x01) => 0xfa 0x22
+       uint8_t readConf[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22};
+       //Read e-purse block CRC(0x02) => 0x61 0x10
+       uint8_t readEpurse[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x02, 0x61, 0x10};
+       //Read App Issuer Area block CRC(0x05) => 0xde  0x64
+       uint8_t readAA[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};

 
 

-                       if (trace_data != NULL) {
-                               GetParity(trace_data, trace_data_size, parity);
-                               LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
-                       }
-                       if(!tracing) {
-                               DbpString("Trace full");
-                               //break;
-                       }
+       uint8_t result_status = 0;

 
 

-               }
-               memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
+       if (flags & FLAG_ICLASS_READER_INIT) {
+               Iso15693InitReader();

        }
 
        }
 

-       //Dbprintf("%x", cmdsRecvd);
-       LED_A_OFF();
-       LED_B_OFF();
-       LED_C_OFF();
-
-       if(buttonPressed)
-       {
-               DbpString("Button pressed");
+       if (flags & FLAG_ICLASS_READER_CLEARTRACE) {
+               set_tracing(true);
+               clear_trace();
+               StartCountSspClk();

        }
        }

-       return buttonPressed;
-}

 
 

-static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
-{
-       int i = 0, d=0;//, u = 0, d = 0;
-       uint8_t b = 0;
+       uint32_t start_time = 0;
+       uint32_t eof_time = 0;

 
 

-       //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K_8BIT);
+       if (selectIclassTag(resp, &eof_time)) {
+               result_status = FLAG_ICLASS_READER_CSN;
+               memcpy(card_data, resp, 8);

 
 

-       AT91C_BASE_SSC->SSC_THR = 0x00;
-       FpgaSetupSsc();
-       while(!BUTTON_PRESS()) {
-               if((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
-                       b = AT91C_BASE_SSC->SSC_RHR; (void) b;
-               }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
-                       b = 0x00;
-                       if(d < delay) {
-                               d++;
+               start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
+
+               //Read block 1, config
+               if (flags & FLAG_ICLASS_READER_CONF) {
+                       if (sendCmdGetResponseWithRetries(readConf, sizeof(readConf), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
+                               result_status |= FLAG_ICLASS_READER_CONF;
+                               memcpy(card_data+8, resp, 8);
+                       } else {
+                               Dbprintf("Failed to read config block");

                        }
                        }

-                       else {
-                               if( i < respLen){
-                                       b = resp[i];
-                                       //Hack
-                                       //b = 0xAC;
-                               }
-                               i++;
+                       start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
+               }
+
+               //Read block 2, e-purse
+               if (flags & FLAG_ICLASS_READER_CC) {
+                       if (sendCmdGetResponseWithRetries(readEpurse, sizeof(readEpurse), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
+                               result_status |= FLAG_ICLASS_READER_CC;
+                               memcpy(card_data + (8*2), resp, 8);
+                       } else {
+                               Dbprintf("Failed to read e-purse");

                        }
                        }

-                       AT91C_BASE_SSC->SSC_THR = b;
+                       start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;

                }
 
                }
 

-//             if (i > respLen +4) break;
-               if (i > respLen +1) break;
+               //Read block 5, AA
+               if (flags & FLAG_ICLASS_READER_AA) {
+                       if (sendCmdGetResponseWithRetries(readAA, sizeof(readAA), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
+                               result_status |= FLAG_ICLASS_READER_AA;
+                               memcpy(card_data + (8*5), resp, 8);
+                       } else {
+                               Dbprintf("Failed to read AA block");
+                       }
+               }

        }
        }

+       
+       cmd_send(CMD_ACK, result_status, 0, 0, card_data, sizeof(card_data));

 
 

-       return 0;
-}
-
-/// THE READER CODE
-
-//-----------------------------------------------------------------------------
-// Transmit the command (to the tag) that was placed in ToSend[].
-//-----------------------------------------------------------------------------
-static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
-{
-  int c;
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-  AT91C_BASE_SSC->SSC_THR = 0x00;
-  FpgaSetupSsc();
-
-   if (wait)
-   {
-     if(*wait < 10) *wait = 10;
-     
-     for(c = 0; c < *wait;) {
-       if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-         AT91C_BASE_SSC->SSC_THR = 0x00;               // For exact timing!
-         c++;
-       }
-       if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-         volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-         (void)r;
-       }
-       WDT_HIT();
-     }
-
-   }
-
-
-  uint8_t sendbyte;
-  bool firstpart = TRUE;
-  c = 0;
-  for(;;) {
-    if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-
-      // DOUBLE THE SAMPLES!
-      if(firstpart) {
-       sendbyte = (cmd[c] & 0xf0) | (cmd[c] >> 4); 
-      }
-      else {
-       sendbyte = (cmd[c] & 0x0f) | (cmd[c] << 4);
-        c++;
-      }
-      if(sendbyte == 0xff) {
-       sendbyte = 0xfe;
-      }
-      AT91C_BASE_SSC->SSC_THR = sendbyte;
-      firstpart = !firstpart;
-
-      if(c >= len) {
-        break;
-      }
-    }
-    if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-      volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-      (void)r;
-    }
-    WDT_HIT();
-  }
-  if (samples) *samples = (c + *wait) << 3;
+       LED_A_OFF();

 }
 
 
 }
 
 

-//-----------------------------------------------------------------------------
-// Prepare iClass reader command to send to FPGA
-//-----------------------------------------------------------------------------
-void CodeIClassCommand(const uint8_t * cmd, int len)
-{
-  int i, j, k;
-  uint8_t b;
-
-  ToSendReset();
-
-  // Start of Communication: 1 out of 4
-  ToSend[++ToSendMax] = 0xf0;
-  ToSend[++ToSendMax] = 0x00;
-  ToSend[++ToSendMax] = 0x0f;
-  ToSend[++ToSendMax] = 0x00;
-
-  // Modulate the bytes 
-  for (i = 0; i < len; i++) {
-    b = cmd[i];
-    for(j = 0; j < 4; j++) {
-      for(k = 0; k < 4; k++) {
-                       if(k == (b & 3)) {
-                               ToSend[++ToSendMax] = 0x0f;
-                       }
-                       else {
-                               ToSend[++ToSendMax] = 0x00;
-                       }
-      }
-      b >>= 2;
-    }
-  }
-
-  // End of Communication
-  ToSend[++ToSendMax] = 0x00;
-  ToSend[++ToSendMax] = 0x00;
-  ToSend[++ToSendMax] = 0xf0;
-  ToSend[++ToSendMax] = 0x00;
-
-  // Convert from last character reference to length
-  ToSendMax++;
+void iClass_Check(uint8_t *NRMAC) {
+       uint8_t check[9] = {ICLASS_CMD_CHECK_KD, 0x00};
+       uint8_t resp[4];
+       memcpy(check+1, NRMAC, 8);
+       uint32_t eof_time;
+       bool isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 3, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
+       cmd_send(CMD_ACK, isOK, 0, 0, resp, sizeof(resp));

 }
 
 }
 

-void ReaderTransmitIClass(uint8_t* frame, int len)
-{
-       int wait = 0;
-       int samples = 0;

 
 

-       // This is tied to other size changes
-       CodeIClassCommand(frame,len);
-
-       // Select the card
-       TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait);
-       if(trigger)
-               LED_A_ON();
-
-       // Store reader command in buffer
-       if (tracing) {
-               uint8_t par[MAX_PARITY_SIZE];
-               GetParity(frame, len, par);
-               LogTrace(frame, len, rsamples, rsamples, par, TRUE);
+void iClass_Readcheck(uint8_t block, bool use_credit_key) {
+       uint8_t readcheck[2] = {ICLASS_CMD_READCHECK_KD, block};
+       if (use_credit_key) {
+               readcheck[0] = ICLASS_CMD_READCHECK_KC;

        }
        }

+       uint8_t resp[8];
+       uint32_t eof_time;
+       bool isOK = sendCmdGetResponseWithRetries(readcheck, sizeof(readcheck), resp, sizeof(resp), 8, 3, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
+       cmd_send(CMD_ACK, isOK, 0, 0, resp, sizeof(resp));

 }
 
 }
 

-//-----------------------------------------------------------------------------
-// Wait a certain time for tag response
-//  If a response is captured return TRUE
-//  If it takes too long return FALSE
-//-----------------------------------------------------------------------------
-static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
-{
-       // buffer needs to be 512 bytes
-       int c;

 
 

-       // Set FPGA mode to "reader listen mode", no modulation (listen
-       // only, since we are receiving, not transmitting).
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
+static bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) {
+       uint8_t readcmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockNo, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
+       uint8_t bl = blockNo;
+       uint16_t rdCrc = iclass_crc16(&bl, 1);
+       readcmd[2] = rdCrc >> 8;
+       readcmd[3] = rdCrc & 0xff;
+       uint8_t resp[10];
+       uint32_t eof_time;

 
 

-       // Now get the answer from the card
-       Demod.output = receivedResponse;
-       Demod.len = 0;
-       Demod.state = DEMOD_UNSYNCD;
+       bool isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd), resp, sizeof(resp), 10, 10, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
+       memcpy(readdata, resp, sizeof(resp));

 
 

-       uint8_t b;
-       if (elapsed) *elapsed = 0;
+       return isOK;
+}

 
 

-       bool skip = FALSE;

 
 

-       c = 0;
-       for(;;) {
-               WDT_HIT();
+void iClass_ReadBlk(uint8_t blockno) {

 
 

-               if(BUTTON_PRESS()) return FALSE;
+       LED_A_ON();

 
 

-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = 0x00;  // To make use of exact timing of next command from reader!!
-                       if (elapsed) (*elapsed)++;
-               }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       if(c < timeout) { c++; } else { return FALSE; }
-                       b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       skip = !skip;
-                       if(skip) continue;
-               
-                       if(ManchesterDecoding(b & 0x0f)) {
-                               *samples = c << 3;
-                               return  TRUE;
-                       }
-               }
-       }
-}
+       uint8_t readblockdata[10];
+       bool isOK = iClass_ReadBlock(blockno, readblockdata);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LED_D_OFF();
+       cmd_send(CMD_ACK, isOK, 0, 0, readblockdata, 8);

 
 

-int ReaderReceiveIClass(uint8_t* receivedAnswer)
-{
-  int samples = 0;
-  if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
-  rsamples += samples;
-  if (tracing) {
-       uint8_t parity[MAX_PARITY_SIZE];
-       GetParity(receivedAnswer, Demod.len, parity);
-       LogTrace(receivedAnswer,Demod.len,rsamples,rsamples,parity,FALSE);
-  }
-  if(samples == 0) return FALSE;
-  return Demod.len;
+       LED_A_OFF();

 }
 
 }
 

-void setupIclassReader()
-{
-    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-    // Reset trace buffer
-       set_tracing(TRUE);
-       clear_trace();

 
 

-    // Setup SSC
-    FpgaSetupSsc();
-    // Start from off (no field generated)
-    // Signal field is off with the appropriate LED
-    LED_D_OFF();
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-    SpinDelay(200);
+void iClass_Dump(uint8_t startblock, uint8_t numblks) {

 
 

-    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+       LED_A_ON();

 
 

-    // Now give it time to spin up.
-    // Signal field is on with the appropriate LED
-    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-    SpinDelay(200);
-    LED_A_ON();
+       uint8_t readblockdata[USB_CMD_DATA_SIZE+2] = {0};
+       bool isOK = false;
+       uint16_t blkCnt = 0;

 
 

-}
+       if (numblks > USB_CMD_DATA_SIZE / 8) {
+               numblks = USB_CMD_DATA_SIZE / 8;
+       }

 
 

-size_t sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, uint8_t expected_size, uint8_t retries)
-{
-       while(retries-- > 0)
-       {
-               ReaderTransmitIClass(command, cmdsize);
-               if(expected_size == ReaderReceiveIClass(resp)){
-                       return 0;
+       for (blkCnt = 0; blkCnt < numblks; blkCnt++) {
+               isOK = iClass_ReadBlock(startblock+blkCnt, readblockdata+8*blkCnt);
+               if (!isOK) {
+                       Dbprintf("Block %02X failed to read", startblock+blkCnt);
+                       break;

                }
        }
                }
        }

-       return 1;//Error
-}
-
-/**
- * @brief Talks to an iclass tag, sends the commands to get CSN and CC.
- * @param card_data where the CSN and CC are stored for return
- * @return 0 = fail
- *         1 = Got CSN
- *         2 = Got CSN and CC
- */
-uint8_t handshakeIclassTag(uint8_t *card_data)
-{
-       static uint8_t act_all[]     = { 0x0a };
-       static uint8_t identify[]    = { 0x0c };
-       static uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       static uint8_t readcheck_cc[]= { 0x88, 0x02 };
-       uint8_t resp[ICLASS_BUFFER_SIZE];

 
 

-       uint8_t read_status = 0;
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LED_D_OFF();

 
 

-       // Send act_all
-       ReaderTransmitIClass(act_all, 1);
-       // Card present?
-       if(!ReaderReceiveIClass(resp)) return read_status;//Fail
-       //Send Identify
-       ReaderTransmitIClass(identify, 1);
-       //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
-       uint8_t len  = ReaderReceiveIClass(resp);
-       if(len != 10) return read_status;//Fail
+       cmd_send(CMD_ACK, isOK, blkCnt, 0, readblockdata, blkCnt*8);

 
 

-       //Copy the Anti-collision CSN to our select-packet
-       memcpy(&select[1],resp,8);
-       //Select the card
-       ReaderTransmitIClass(select, sizeof(select));
-       //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
-       len  = ReaderReceiveIClass(resp);
-       if(len != 10) return read_status;//Fail
+       LED_A_OFF();
+}

 
 

-       //Success - level 1, we got CSN
-       //Save CSN in response data
-       memcpy(card_data,resp,8);

 
 

-       //Flag that we got to at least stage 1, read CSN
-       read_status = 1;
+static bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) {

 
 

-       // Card selected, now read e-purse (cc)
-       ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
-       if(ReaderReceiveIClass(resp) == 8) {
-               //Save CC (e-purse) in response data
-               memcpy(card_data+8,resp,8);
+       uint8_t write[16] = {ICLASS_CMD_UPDATE, blockNo};
+       memcpy(write+2, data, 12); // data + mac
+       AppendCrc(write+1, 13);
+       uint8_t resp[10];
+       bool isOK = false;
+       uint32_t eof_time = 0;

 
 

-               //Got both
-               read_status = 2;
+       isOK = sendCmdGetResponseWithRetries(write, sizeof(write), resp, sizeof(resp), 10, 3, 0, ICLASS_READER_TIMEOUT_UPDATE, &eof_time);
+       if (!isOK) {
+               return false;

        }
        }

-
-       return read_status;
-}
-
-// Reader iClass Anticollission
-void ReaderIClass(uint8_t arg0) {
-
-    uint8_t card_data[24]={0};
-    uint8_t last_csn[8]={0};

        
        

-    int read_status= 0;
-    bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
-       bool get_cc = arg0 & FLAG_ICLASS_READER_GET_CC;
-       set_tracing(TRUE);
-    setupIclassReader();
-
-    size_t datasize = 0;
-    while(!BUTTON_PRESS())
-    {
-
-               if(!tracing) {
-                       DbpString("Trace full");
-                       break;
+       uint8_t all_ff[8] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+       if (blockNo == 2) {
+               if (memcmp(data+4, resp, 4) || memcmp(data, resp+4, 4)) { // check response. e-purse update swaps first and second half
+                       return false;

                }
                }

-               WDT_HIT();
-
-               read_status = handshakeIclassTag(card_data);
-
-               if(read_status == 0) continue;
-               if(read_status == 1) datasize = 8;
-               if(read_status == 2) datasize = 16;
-
-               //Todo, read the public blocks 1,5 aswell:
-               //
-               // 0 : CSN (we already have)
-               // 1 : Configuration
-               // 2 : e-purse (we already have)
-               // (3,4 write-only)
-               // 5 Application issuer area
-               //
-               //Then we can 'ship' back the 8 * 5 bytes of data,
-               // with 0xFF:s in block 3 and 4.
-
-               LED_B_ON();
-               //Send back to client, but don't bother if we already sent this
-               if(memcmp(last_csn, card_data, 8) != 0)
-               {
-
-                       if(!get_cc || (get_cc && read_status == 2))
-                       {
-                               cmd_send(CMD_ACK,read_status,0,0,card_data,datasize);
-                               if(abort_after_read) {
-                                       LED_A_OFF();
-                                       return;
-                               }
-                               //Save that we already sent this....
-                               memcpy(last_csn, card_data, 8);
-                       }
-                       //If 'get_cc' was specified and we didn't get a CC, we'll just keep trying...
+       } else if (blockNo == 3 || blockNo == 4) {
+               if (memcmp(all_ff, resp, 8)) { // check response. Key updates always return 0xffffffffffffffff
+                       return false;

                }
                }

-               LED_B_OFF();
-    }
-    cmd_send(CMD_ACK,0,0,0,card_data, 0);
-    LED_A_OFF();
-}
-
-void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
-
-       uint8_t card_data[USB_CMD_DATA_SIZE]={0};
-       uint16_t block_crc_LUT[255] = {0};
-
-       {//Generate a lookup table for block crc
-               for(int block = 0; block < 255; block++){
-                       char bl = block;
-                       block_crc_LUT[block] = iclass_crc16(&bl ,1);
+       } else {
+               if (memcmp(data, resp, 8)) { // check response. All other updates return unchanged data
+                       return false;

                }
        }
                }
        }

-       //Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]);

 
 

-       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
-       
-    uint16_t crc = 0;
-       uint8_t cardsize=0;
-       uint8_t mem=0;
-       
-       static struct memory_t{
-         int k16;
-         int book;
-         int k2;
-         int lockauth;
-         int keyaccess;
-       } memory;
-       
-       uint8_t resp[ICLASS_BUFFER_SIZE];
-       
-    setupIclassReader();
-       set_tracing(TRUE);
+       return true;
+}

 
 

-       while(!BUTTON_PRESS()) {
-       
-               WDT_HIT();

 
 

-               if(!tracing) {
-                       DbpString("Trace full");
-                       break;
-               }
-               
-               uint8_t read_status = handshakeIclassTag(card_data);
-               if(read_status < 2) continue;
+void iClass_WriteBlock(uint8_t blockNo, uint8_t *data) {

 
 

-               //for now replay captured auth (as cc not updated)
-               memcpy(check+5,MAC,4);
+       LED_A_ON();

 
 

-               if(sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5))
-               {
-                       Dbprintf("Error: Authentication Fail!");
-                       continue;
-               }
+       bool isOK = iClass_WriteBlock_ext(blockNo, data);
+       if (isOK) {
+               Dbprintf("Write block [%02x] successful", blockNo);
+       } else {
+               Dbprintf("Write block [%02x] failed", blockNo);
+       }
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LED_D_OFF();

 
 

-               //first get configuration block (block 1)
-               crc = block_crc_LUT[1];
-               read[1]=1;
-               read[2] = crc >> 8;
-               read[3] = crc & 0xff;
+       cmd_send(CMD_ACK, isOK, 0, 0, 0, 0);
+       LED_A_OFF();
+}

 
 

-               if(sendCmdGetResponseWithRetries(read, sizeof(read),resp, 10, 10))
-               {
-                       Dbprintf("Dump config (block 1) failed");
-                       continue;
-               }

 
 

-               mem=resp[5];
-               memory.k16= (mem & 0x80);
-               memory.book= (mem & 0x20);
-               memory.k2= (mem & 0x8);
-               memory.lockauth= (mem & 0x2);
-               memory.keyaccess= (mem & 0x1);
+void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) {

 
 

-               cardsize = memory.k16 ? 255 : 32;
-               WDT_HIT();
-               //Set card_data to all zeroes, we'll fill it with data
-               memset(card_data,0x0,USB_CMD_DATA_SIZE);
-               uint8_t failedRead =0;
-               uint32_t stored_data_length =0;
-               //then loop around remaining blocks
-               for(int block=0; block < cardsize; block++){
-
-                       read[1]= block;
-                       crc = block_crc_LUT[block];
-                       read[2] = crc >> 8;
-                       read[3] = crc & 0xff;
-
-                       if(!sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 10))
-                       {
-                               Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                                block, resp[0], resp[1], resp[2],
-                                               resp[3], resp[4], resp[5],
-                                               resp[6], resp[7]);
-
-                               //Fill up the buffer
-                               memcpy(card_data+stored_data_length,resp,8);
-                               stored_data_length += 8;
-                               if(stored_data_length +8 > USB_CMD_DATA_SIZE)
-                               {//Time to send this off and start afresh
-                                       cmd_send(CMD_ACK,
-                                                        stored_data_length,//data length
-                                                        failedRead,//Failed blocks?
-                                                        0,//Not used ATM
-                                                        card_data, stored_data_length);
-                                       //reset
-                                       stored_data_length = 0;
-                                       failedRead = 0;
-                               }
+       LED_A_ON();

 
 

-                       }else{
-                               failedRead = 1;
-                               stored_data_length +=8;//Otherwise, data becomes misaligned
-                               Dbprintf("Failed to dump block %d", block);
-                       }
-               }
+       int written = 0;
+       int total_blocks = (endblock - startblock) + 1;

 
 

-               //Send off any remaining data
-               if(stored_data_length > 0)
-               {
-                       cmd_send(CMD_ACK,
-                                        stored_data_length,//data length
-                                        failedRead,//Failed blocks?
-                                        0,//Not used ATM
-                                        card_data, stored_data_length);
+       for (uint8_t block = startblock; block <= endblock; block++) {
+               // block number
+               if (iClass_WriteBlock_ext(block, data + (block-startblock)*12)) {
+                       Dbprintf("Write block [%02x] successful", block);
+                       written++;
+               } else {
+                       Dbprintf("Write block [%02x] failed", block);

                }
                }

-               //If we got here, let's break
-               break;

        }
        }

-       //Signal end of transmission
-       cmd_send(CMD_ACK,
-                        0,//data length
-                        0,//Failed blocks?
-                        0,//Not used ATM
-                        card_data, 0);

 
 

-       LED_A_OFF();
-}
+       if (written == total_blocks)
+               Dbprintf("Clone complete");
+       else
+               Dbprintf("Clone incomplete");

 
 

-//2. Create Read method (cut-down from above) based off responses from 1. 
-//   Since we have the MAC could continue to use replay function.
-//3. Create Write method
-/*
-void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
-       uint8_t act_all[]     = { 0x0a };
-       uint8_t identify[]    = { 0x0c };
-       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t readcheck_cc[]= { 0x88, 0x02 };
-       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
-       uint8_t write[]       = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       
-    uint16_t crc = 0;
-       
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);
-
-       // Reset trace buffer
-    memset(trace, 0x44, RECV_CMD_OFFSET);
-       traceLen = 0;
-
-       // Setup SSC
-       FpgaSetupSsc();
-       // Start from off (no field generated)
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();

        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

-       SpinDelay(200);
-
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
-       // Now give it time to spin up.
-       // Signal field is on with the appropriate LED
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-       SpinDelay(200);
-
-       LED_A_ON();
+       LED_D_OFF();

 
 

-       for(int i=0;i<1;i++) {
-       
-               if(traceLen > TRACE_SIZE) {
-                       DbpString("Trace full");
-                       break;
-               }
-               
-               if (BUTTON_PRESS()) break;
-
-               // Send act_all
-               ReaderTransmitIClass(act_all, 1);
-               // Card present?
-               if(ReaderReceiveIClass(resp)) {
-                       ReaderTransmitIClass(identify, 1);
-                       if(ReaderReceiveIClass(resp) == 10) {
-                               // Select card          
-                               memcpy(&select[1],resp,8);
-                               ReaderTransmitIClass(select, sizeof(select));
-
-                               if(ReaderReceiveIClass(resp) == 10) {
-                                       Dbprintf("     Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }
-                               // Card selected
-                               Dbprintf("Readcheck on Sector 2");
-                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
-                               if(ReaderReceiveIClass(resp) == 8) {
-                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }else return;
-                               Dbprintf("Authenticate");
-                               //for now replay captured auth (as cc not updated)
-                               memcpy(check+5,MAC,4);
-                               Dbprintf("     AA: %02x %02x %02x %02x",
-                                       check[5], check[6], check[7],check[8]);
-                               ReaderTransmitIClass(check, sizeof(check));
-                               if(ReaderReceiveIClass(resp) == 4) {
-                                  Dbprintf("     AR: %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],resp[3]);
-                               }else {
-                                 Dbprintf("Error: Authentication Fail!");
-                                 return;
-                               }
-                               Dbprintf("Write Block");
-                               
-                               //read configuration for max block number
-                               read_success=false;
-                               read[1]=1;
-                               uint8_t *blockno=&read[1];
-                               crc = iclass_crc16((char *)blockno,1);
-                               read[2] = crc >> 8;
-                               read[3] = crc & 0xff;
-                               while(!read_success){
-                                     ReaderTransmitIClass(read, sizeof(read));
-                                     if(ReaderReceiveIClass(resp) == 10) {
-                                        read_success=true;
-                                        mem=resp[5];
-                                        memory.k16= (mem & 0x80);
-                                        memory.book= (mem & 0x20);
-                                        memory.k2= (mem & 0x8);
-                                        memory.lockauth= (mem & 0x2);
-                                        memory.keyaccess= (mem & 0x1);
-
-                                     }
-                               }
-                               if (memory.k16){
-                                 cardsize=255;
-                               }else cardsize=32;
-                               //check card_size
-                               
-                               memcpy(write+1,blockNo,1);
-                               memcpy(write+2,data,8);
-                               memcpy(write+10,mac,4);
-                               while(!send_success){
-                                 ReaderTransmitIClass(write, sizeof(write));
-                                 if(ReaderReceiveIClass(resp) == 10) {
-                                   write_success=true;
-                               }
-                       }//
-               }
-               WDT_HIT();
-       }
-       
+       cmd_send(CMD_ACK, 1, 0, 0, 0, 0);

        LED_A_OFF();
        LED_A_OFF();

-}*/
+}