CHG: extern methods.

[proxmark3-svn] / armsrc / legicrf.c
diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c

index 26863d71a32cfdf69374c60bbb34701241d8d3a2..f58cb44267f82cda314c7194628af02173eeabf9 100644 (file)
--- a/armsrc/legicrf.c
+++ b/armsrc/legicrf.c
@@ -1,5 +1,6 @@
  //-----------------------------------------------------------------------------
  // (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
  //-----------------------------------------------------------------------------
  // (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
+//     2016 Iceman
  //
  // This code is licensed to you under the terms of the GNU GPL, version 2 or,
  // at your option, any later version. See the LICENSE.txt file for the text of
  //
  // This code is licensed to you under the terms of the GNU GPL, version 2 or,
  // at your option, any later version. See the LICENSE.txt file for the text of
@@ -7,18 +8,10 @@
  //-----------------------------------------------------------------------------
  // LEGIC RF simulation code
  //-----------------------------------------------------------------------------
  //-----------------------------------------------------------------------------
  // LEGIC RF simulation code
  //-----------------------------------------------------------------------------
-
-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
-#include "string.h"
-
  #include "legicrf.h"
  #include "legicrf.h"
-#include "legic_prng.h"
-#include "crc.h"
  
  static struct legic_frame {
  
  static struct legic_frame {
-       int bits;
+       uint8_t bits;
         uint32_t data;
  } current_frame;
  
         uint32_t data;
  } current_frame;
  
@@ -40,21 +33,21 @@ static int      legic_reqresp_drift;
  AT91PS_TC timer;
  AT91PS_TC prng_timer;
  
  AT91PS_TC timer;
  AT91PS_TC prng_timer;
  
-static void setup_timer(void)
-{
-       /* Set up Timer 1 to use for measuring time between pulses. Since we're bit-banging
-        * this it won't be terribly accurate but should be good enough.
-        */
+/*
+static void setup_timer(void) {
+       // Set up Timer 1 to use for measuring time between pulses. Since we're bit-banging
+       // this it won't be terribly accurate but should be good enough.
+       //
         AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
         timer = AT91C_BASE_TC1;
         timer->TC_CCR = AT91C_TC_CLKDIS;
         timer->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;
         timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
  
         AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
         timer = AT91C_BASE_TC1;
         timer->TC_CCR = AT91C_TC_CLKDIS;
         timer->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;
         timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
  
-       /* 
-     * Set up Timer 2 to use for measuring time between frames in 
-     * tag simulation mode. Runs 4x faster as Timer 1
-        */
+       // 
+    // Set up Timer 2 to use for measuring time between frames in 
+    // tag simulation mode. Runs 4x faster as Timer 1
+       //
      AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC2);
      prng_timer = AT91C_BASE_TC2;
      prng_timer->TC_CCR = AT91C_TC_CLKDIS;
      AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC2);
      prng_timer = AT91C_BASE_TC2;
      prng_timer->TC_CCR = AT91C_TC_CLKDIS;
@@ -62,146 +55,174 @@ static void setup_timer(void)
      prng_timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
  }
  
      prng_timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
  }
  
-/* At TIMER_CLOCK3 (MCK/32) */
-#define        RWD_TIME_1 150     /* RWD_TIME_PAUSE off, 80us on = 100us */
-#define RWD_TIME_0 90      /* RWD_TIME_PAUSE off, 40us on = 60us */
-#define RWD_TIME_PAUSE 30  /* 20us */
-#define RWD_TIME_FUZZ 20   /* rather generous 13us, since the peak detector + hysteresis fuzz quite a bit */
-#define TAG_TIME_BIT 150   /* 100us for every bit */
-#define TAG_TIME_WAIT 490  /* time from RWD frame end to tag frame start, experimentally determined */
+       AT91C_BASE_PMC->PMC_PCER |= (0x1 << 12) | (0x1 << 13) | (0x1 << 14);
+       AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
+
+       // fast clock
+       AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
+       AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK | // MCK(48MHz)/32 -- tick=1.5mks
+                                                               AT91C_TC_WAVE | AT91C_TC_WAVESEL_UP_AUTO | AT91C_TC_ACPA_CLEAR |
+                                                               AT91C_TC_ACPC_SET | AT91C_TC_ASWTRG_SET;
+       AT91C_BASE_TC0->TC_RA = 1;
+       AT91C_BASE_TC0->TC_RC = 0xBFFF + 1; // 0xC000
+       
+*/
+
+// At TIMER_CLOCK3 (MCK/32)
+// testing calculating in ticks. 1.5ticks = 1us 
+#define        RWD_TIME_1 120          // READER_TIME_PAUSE 20us off, 80us on = 100us  80 * 1.5 == 120ticks
+#define RWD_TIME_0 60          // READER_TIME_PAUSE 20us off, 40us on = 60us   40 * 1.5 == 60ticks 
+#define RWD_TIME_PAUSE 30      // 20us == 20 * 1.5 == 30ticks */
+#define TAG_BIT_PERIOD 142     // 100us == 100 * 1.5 == 150ticks
+#define TAG_FRAME_WAIT 495  // 330us from READER frame end to TAG frame start. 330 * 1.5 == 495
+
+#define RWD_TIME_FUZZ 20   // rather generous 13us, since the peak detector + hysteresis fuzz quite a bit
  
  #define SIM_DIVISOR  586   /* prng_time/SIM_DIVISOR count prng needs to be forwared */
  #define SIM_SHIFT    900   /* prng_time+SIM_SHIFT shift of delayed start */
  
  
  #define SIM_DIVISOR  586   /* prng_time/SIM_DIVISOR count prng needs to be forwared */
  #define SIM_SHIFT    900   /* prng_time+SIM_SHIFT shift of delayed start */
  
-#define SESSION_IV 0x55
  #define OFFSET_LOG 1024
  
  #define FUZZ_EQUAL(value, target, fuzz) ((value) > ((target)-(fuzz)) && (value) < ((target)+(fuzz)))
  
  #define OFFSET_LOG 1024
  
  #define FUZZ_EQUAL(value, target, fuzz) ((value) > ((target)-(fuzz)) && (value) < ((target)+(fuzz)))
  
+#ifndef SHORT_COIL
+# define SHORT_COIL     LOW(GPIO_SSC_DOUT);
+#endif
+#ifndef OPEN_COIL
+# define OPEN_COIL     HIGH(GPIO_SSC_DOUT);
+#endif
+#ifndef LINE_IN
+# define LINE_IN  AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
+#endif
+// Pause pulse,  off in 20us / 30ticks,
+// ONE / ZERO bit pulse,  
+//    one == 80us / 120ticks
+//    zero == 40us / 60ticks
+#ifndef COIL_PULSE
+# define COIL_PULSE(x) \
+       do { \
+               SHORT_COIL; \
+               WaitTicks( (RWD_TIME_PAUSE) ); \
+               OPEN_COIL; \
+               WaitTicks((x)); \
+       } while (0); 
+#endif
+
+// ToDo: define a meaningful maximum size for auth_table. The bigger this is, the lower will be the available memory for traces. 
+// Historically it used to be FREE_BUFFER_SIZE, which was 2744.
+#define LEGIC_CARD_MEMSIZE 1024
+static uint8_t* cardmem;
+
+static void frame_append_bit(struct legic_frame * const f, uint8_t bit) {
+       // Overflow, won't happen
+   if (f->bits >= 31) return;
+  
+   f->data |= (bit << f->bits);
+   f->bits++;
+}
+
+static void frame_clean(struct legic_frame * const f) {
+       f->data = 0;
+       f->bits = 0;
+}
+
+// Prng works when waiting in 99.1us cycles.
+// and while sending/receiving in bit frames (100, 60)
+/*static void CalibratePrng( uint32_t time){
+       // Calculate Cycles based on timer 100us
+       uint32_t i =  (time - sendFrameStop) / 100 ;
+
+       // substract cycles of finished frames
+       int k =  i - legic_prng_count()+1; 
+
+       // substract current frame length, rewind to beginning
+       if ( k > 0 )
+               legic_prng_forward(k);
+}
+*/
+
  /* Generate Keystream */
  /* Generate Keystream */
-static uint32_t get_key_stream(int skip, int count)
-{
-       uint32_t key=0; int i;
+uint32_t get_key_stream(int skip, int count) {
+
+       int i;
  
  
-       /* Use int to enlarge timer tc to 32bit */
+       // Use int to enlarge timer tc to 32bit
         legic_prng_bc += prng_timer->TC_CV;
         legic_prng_bc += prng_timer->TC_CV;
-       prng_timer->TC_CCR = AT91C_TC_SWTRG;
+
+       // reset the prng timer.
  
         /* If skip == -1, forward prng time based */
         if(skip == -1) {
  
         /* If skip == -1, forward prng time based */
         if(skip == -1) {
-               i  = (legic_prng_bc+SIM_SHIFT)/SIM_DIVISOR; /* Calculate Cycles based on timer */
+               i  = (legic_prng_bc + SIM_SHIFT)/SIM_DIVISOR; /* Calculate Cycles based on timer */
                 i -= legic_prng_count(); /* substract cycles of finished frames */
                 i -= legic_prng_count(); /* substract cycles of finished frames */
-               i -= count; /* substract current frame length, rewidn to bedinning */
+               i -= count; /* substract current frame length, rewind to beginning */
                 legic_prng_forward(i);
         } else {
                 legic_prng_forward(skip);
         }
  
                 legic_prng_forward(i);
         } else {
                 legic_prng_forward(skip);
         }
  
-       /* Write Time Data into LOG */
-       uint8_t *BigBuf = BigBuf_get_addr();
         i = (count == 6) ? -1 : legic_read_count;
  
         i = (count == 6) ? -1 : legic_read_count;
  
-       BigBuf[OFFSET_LOG+128+i] = legic_prng_count();
-       BigBuf[OFFSET_LOG+256+i*4]   = (legic_prng_bc >> 0) & 0xff;
-       BigBuf[OFFSET_LOG+256+i*4+1] = (legic_prng_bc >> 8) & 0xff;
-       BigBuf[OFFSET_LOG+256+i*4+2] = (legic_prng_bc >>16) & 0xff;
-       BigBuf[OFFSET_LOG+256+i*4+3] = (legic_prng_bc >>24) & 0xff;
-       BigBuf[OFFSET_LOG+384+i] = count;
-
         /* Generate KeyStream */
         /* Generate KeyStream */
-       for(i=0; i<count; i++) {
-               key |= legic_prng_get_bit() << i;
-               legic_prng_forward(1);
-       }
-       return key;
+       return legic_prng_get_bits(count);
  }
  
  /* Send a frame in tag mode, the FPGA must have been set up by
   * LegicRfSimulate
   */
  }
  
  /* Send a frame in tag mode, the FPGA must have been set up by
   * LegicRfSimulate
   */
-static void frame_send_tag(uint16_t response, int bits, int crypt)
-{
-   /* Bitbang the response */
-   AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
-   AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
-   AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
-        
-   /* Use time to crypt frame */
-   if(crypt) {
-      legic_prng_forward(2); /* TAG_TIME_WAIT -> shift by 2 */
-      int i; int key = 0;
-      for(i=0; i<bits; i++) {
-         key |= legic_prng_get_bit() << i;
-         legic_prng_forward(1);
-      }
-      //Dbprintf("key = 0x%x", key);
-      response = response ^ key;
-   }
+void frame_send_tag(uint16_t response, uint8_t bits) {
  
  
-   /* Wait for the frame start */
-   while(timer->TC_CV < (TAG_TIME_WAIT - 30)) ;
-       
-   int i;
-   for(i=0; i<bits; i++) {
-      int nextbit = timer->TC_CV + TAG_TIME_BIT;
-      int bit = response & 1;
-      response = response >> 1;
-      if(bit)
-         AT91C_BASE_PIOA->PIO_SODR = GPIO_SSC_DOUT;
-      else
-         AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
-      
-      while(timer->TC_CV < nextbit) ;
+       uint16_t mask = 1;
+       
+       /* Bitbang the response */
+       SHORT_COIL;
+       AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+       AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+
+        /* TAG_FRAME_WAIT -> shift by 2 */
+       legic_prng_forward(3);
+       response ^= legic_prng_get_bits(bits);
+
+       /* Wait for the frame start */
+       WaitTicks( TAG_FRAME_WAIT );
+
+       for (; mask < BITMASK(bits); mask <<= 1) {      
+               if (response & mask)
+                       OPEN_COIL
+               else
+                       SHORT_COIL
+               WaitTicks(TAG_BIT_PERIOD);
     }
     }
-   AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
+   SHORT_COIL;
  }
  
  /* Send a frame in reader mode, the FPGA must have been set up by
   * LegicRfReader
   */
  }
  
  /* Send a frame in reader mode, the FPGA must have been set up by
   * LegicRfReader
   */
-static void frame_send_rwd(uint32_t data, int bits)
-{
-       /* Start clock */
-       timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
-       while(timer->TC_CV > 1) ; /* Wait till the clock has reset */
+void frame_sendAsReader(uint32_t data, uint8_t bits){
  
  
-       int i;
-       for(i=0; i<bits; i++) {
-               int starttime = timer->TC_CV;
-               int pause_end = starttime + RWD_TIME_PAUSE, bit_end;
-               int bit = data & 1;
-               data = data >> 1;
-
-               if(bit ^ legic_prng_get_bit())
-                       bit_end = starttime + RWD_TIME_1;
+       uint32_t starttime = GET_TICKS, send = 0, mask = 1;
+       
+       // xor lsfr onto data.
+       send = data ^ legic_prng_get_bits(bits);
+                               
+       for (; mask < BITMASK(bits); mask <<= 1) {      
+               if (send & mask)
+                       COIL_PULSE(RWD_TIME_1)
                 else
                 else
-                       bit_end = starttime + RWD_TIME_0;
-               
-
-               /* RWD_TIME_PAUSE time off, then some time on, so that the complete bit time is
-                * RWD_TIME_x, where x is the bit to be transmitted */
-               AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
-               while(timer->TC_CV < pause_end) ;
-               AT91C_BASE_PIOA->PIO_SODR = GPIO_SSC_DOUT;
-               legic_prng_forward(1); /* bit duration is longest. use this time to forward the lfsr */
-
-               while(timer->TC_CV < bit_end);
+                       COIL_PULSE(RWD_TIME_0)
         }
  
         }
  
-       /* One final pause to mark the end of the frame */
-       int pause_end = timer->TC_CV + RWD_TIME_PAUSE;
-       AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
-       while(timer->TC_CV < pause_end) ;
-       AT91C_BASE_PIOA->PIO_SODR = GPIO_SSC_DOUT;
-
-
-       /* Reset the timer, to measure time until the start of the tag frame */
-       timer->TC_CCR = AT91C_TC_SWTRG;
-       while(timer->TC_CV > 1) ; /* Wait till the clock has reset */
+       // Final pause to mark the end of the frame
+       COIL_PULSE(0);
+       
+       // log
+       uint8_t cmdbytes[] = {bits, BYTEx(data,0), BYTEx(data,1), BYTEx(data,2), BYTEx(send,0), BYTEx(send,1), BYTEx(send,2)};
+       LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, TRUE);
  }
  
  /* Receive a frame from the card in reader emulation mode, the FPGA and
  }
  
  /* Receive a frame from the card in reader emulation mode, the FPGA and
- * timer must have been set up by LegicRfReader and frame_send_rwd.
+ * timer must have been set up by LegicRfReader and frame_sendAsReader.
   *
   * The LEGIC RF protocol from card to reader does not include explicit
   * frame start/stop information or length information. The reader must
   *
   * The LEGIC RF protocol from card to reader does not include explicit
   * frame start/stop information or length information. The reader must
@@ -214,520 +235,469 @@ static void frame_send_rwd(uint32_t data, int bits)
   * for edges. Count the edges in each bit interval. If they are approximately
   * 0 this was a 0-bit, if they are approximately equal to the number of edges
   * expected for a 212kHz subcarrier, this was a 1-bit. For timing we use the
   * for edges. Count the edges in each bit interval. If they are approximately
   * 0 this was a 0-bit, if they are approximately equal to the number of edges
   * expected for a 212kHz subcarrier, this was a 1-bit. For timing we use the
- * timer that's still running from frame_send_rwd in order to get a synchronization
+ * timer that's still running from frame_sendAsReader in order to get a synchronization
   * with the frame that we just sent.
   *
   * FIXME: Because we're relying on the hysteresis to just do the right thing
   * the range is severely reduced (and you'll probably also need a good antenna).
   * So this should be fixed some time in the future for a proper receiver.
   */
   * with the frame that we just sent.
   *
   * FIXME: Because we're relying on the hysteresis to just do the right thing
   * the range is severely reduced (and you'll probably also need a good antenna).
   * So this should be fixed some time in the future for a proper receiver.
   */
-static void frame_receive_rwd(struct legic_frame * const f, int bits, int crypt)
-{
-       uint32_t the_bit = 1;  /* Use a bitmask to save on shifts */
-       uint32_t data=0;
-       int i, old_level=0, edges=0;
-       int next_bit_at = TAG_TIME_WAIT;
-       
-       if(bits > 32) {
-               bits = 32;
-    }
-
-       AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
-       AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
+static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) {
  
  
-       /* we have some time now, precompute the cipher
-     * since we cannot compute it on the fly while reading */
+       if ( bits > 32 ) return;
+       
+       uint8_t i = bits, edges = 0;    
+       uint32_t the_bit = 1, next_bit_at = 0, data = 0;
+       uint32_t old_level = 0;
+       volatile uint32_t level = 0;
+       
+       frame_clean(f);
+       
+       // calibrate the prng.
         legic_prng_forward(2);
         legic_prng_forward(2);
+       data = legic_prng_get_bits(bits);
+       
+       //FIXED time between sending frame and now listening frame. 330us
+       uint32_t starttime = GET_TICKS;
+       // its about 9+9 ticks delay from end-send to here.
+       WaitTicks( 477 );
  
  
-       if(crypt) {
-               for(i=0; i<bits; i++) {
-                       data |= legic_prng_get_bit() << i;
-                       legic_prng_forward(1);
-               }
-       }
-
-       while(timer->TC_CV < next_bit_at) ;
-
-       next_bit_at += TAG_TIME_BIT;
+       next_bit_at = GET_TICKS + TAG_BIT_PERIOD;
  
  
-       for(i=0; i<bits; i++) {
+       while ( i-- ){
                 edges = 0;
                 edges = 0;
-               while(timer->TC_CV < next_bit_at) {
-                       int level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
-                       if(level != old_level)
-                               edges++;
+               while  ( GET_TICKS < next_bit_at) {
+
+                       level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
+                       
+                       if (level != old_level)
+                               ++edges;
+                       
                         old_level = level;
                         old_level = level;
-               }
-               next_bit_at += TAG_TIME_BIT;
+               }               
+
+               next_bit_at += TAG_BIT_PERIOD;
                 
                 
-               if(edges > 20 && edges < 60) { /* expected are 42 edges */
+               // We expect 42 edges (ONE)
+               if ( edges > 20 )
                         data ^= the_bit;
                         data ^= the_bit;
-               }
-               the_bit <<= 1;
+
+               the_bit <<= 1;  
         }
  
         }
  
+       // output
         f->data = data;
         f->bits = bits;
         f->data = data;
         f->bits = bits;
-
-       /* Reset the timer, to synchronize the next frame */
-       timer->TC_CCR = AT91C_TC_SWTRG;
-       while(timer->TC_CV > 1) ; /* Wait till the clock has reset */
-}
-
-static void frame_append_bit(struct legic_frame * const f, int bit)
-{
-   if (f->bits >= 31)
-       return; /* Overflow, won't happen */
-  
-   f->data |= (bit << f->bits);
-   f->bits++;
-}
-
-static void frame_clean(struct legic_frame * const f)
-{
-       f->data = 0;
-       f->bits = 0;
+       
+       // log
+       uint8_t cmdbytes[] = {bits,     BYTEx(data, 0), BYTEx(data, 1)};
+       LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, FALSE);
  }
  
  }
  
-static uint32_t perform_setup_phase_rwd(int iv)
-{
-
-       /* Switch on carrier and let the tag charge for 1ms */
-       AT91C_BASE_PIOA->PIO_SODR = GPIO_SSC_DOUT;
-       SpinDelay(1);
+// Setup pm3 as a Legic Reader
+static uint32_t setup_phase_reader(uint8_t iv) {
+       
+       // Switch on carrier and let the tag charge for 5ms
+       HIGH(GPIO_SSC_DOUT);
+       WaitUS(5000);
+       
+       ResetTicks();
+       
+       legic_prng_init(0);
+       
+       // send IV handshake
+       frame_sendAsReader(iv, 7);
  
  
-       legic_prng_init(0); /* no keystream yet */
-       frame_send_rwd(iv, 7);
+       // tag and reader has same IV.
         legic_prng_init(iv);
  
         legic_prng_init(iv);
  
-       frame_clean(&current_frame);
-       frame_receive_rwd(&current_frame, 6, 1);
-       legic_prng_forward(3); /* we wait anyways */
-       while(timer->TC_CV < 387) ; /* ~ 258us */
-       frame_send_rwd(0x39, 6);
+       frame_receiveAsReader(&current_frame, 6);
+
+       // 292us (438t) - fixed delay before sending ack.
+       // minus log and stuff 100tick?
+       WaitTicks(338);
+       legic_prng_forward(3); 
+       
+       // Send obsfuscated acknowledgment frame.
+       // 0x19 = 0x18 MIM22, 0x01 LSB READCMD 
+       // 0x39 = 0x38 MIM256, MIM1024 0x01 LSB READCMD 
+       switch ( current_frame.data  ) {
+               case 0x0D: frame_sendAsReader(0x19, 6); break;
+               case 0x1D: 
+               case 0x3D: frame_sendAsReader(0x39, 6); break;
+               default: break;
+       }
  
  
+       legic_prng_forward(2);
         return current_frame.data;
  }
  
         return current_frame.data;
  }
  
-static void LegicCommonInit(void) {
+void LegicCommonInit(bool clear_mem) {
+
         FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
         FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-       FpgaSetupSsc();
         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX);
         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX);
+       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
  
         /* Bitbang the transmitter */
  
         /* Bitbang the transmitter */
-       AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
+       SHORT_COIL;
         AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
         AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
         AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
         AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+       AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
+       
+       // reserve a cardmem,  meaning we can use the tracelog function in bigbuff easier.
+       cardmem = BigBuf_get_EM_addr();
+       if ( clear_mem )
+               memset(cardmem, 0x00, LEGIC_CARD_MEMSIZE);
  
  
-       setup_timer();
-
+       clear_trace();
+       set_tracing(TRUE);
         crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
         crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
+       
+       StartTicks();
  }
  
  }
  
-/* Switch off carrier, make sure tag is reset */
-static void switch_off_tag_rwd(void)
-{
-       AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
-       SpinDelay(10);
+// Switch off carrier, make sure tag is reset
+static void switch_off_tag_rwd(void) {
+       SHORT_COIL;
+       WaitUS(20);
         WDT_HIT();
  }
         WDT_HIT();
  }
-/* calculate crc for a legic command */
-static int LegicCRC(int byte_index, int value, int cmd_sz) {
-       crc_clear(&legic_crc);
-       crc_update(&legic_crc, 1, 1); /* CMD_READ */
-       crc_update(&legic_crc, byte_index, cmd_sz-1);
-       crc_update(&legic_crc, value, 8);
+
+// calculate crc4 for a legic READ command 
+static uint32_t legic4Crc(uint8_t cmd, uint16_t byte_index, uint8_t value, uint8_t cmd_sz) {
+       crc_clear(&legic_crc);  
+       uint32_t temp =  (value << cmd_sz) | (byte_index << 1) | cmd;
+       crc_update(&legic_crc, temp, cmd_sz + 8 );
         return crc_finish(&legic_crc);
  }
  
         return crc_finish(&legic_crc);
  }
  
-int legic_read_byte(int byte_index, int cmd_sz) {
-       int byte;
-
-       while(timer->TC_CV < 387) ; /* ~ 258us + 100us*delay */
-
-       frame_send_rwd(1 | (byte_index << 1), cmd_sz);
-       frame_clean(&current_frame);
+int legic_read_byte( uint16_t index, uint8_t cmd_sz) {
  
  
-       frame_receive_rwd(&current_frame, 12, 1);
+       uint8_t byte, crc, calcCrc = 0;
+       uint32_t cmd = (index << 1) | LEGIC_READ;
+       
+       // 90ticks = 60us (should be 100us but crc calc takes time.)
+       //WaitTicks(330); // 330ticks prng(4) - works
+       WaitTicks(240); // 240ticks prng(3) - works
+       
+       frame_sendAsReader(cmd, cmd_sz);
+       frame_receiveAsReader(&current_frame, 12);
  
  
-       byte = current_frame.data & 0xff;
+       // CRC check. 
+       byte = BYTEx(current_frame.data, 0);
+       crc = BYTEx(current_frame.data, 1);
+       calcCrc = legic4Crc(LEGIC_READ, index, byte, cmd_sz);
  
  
-       if( LegicCRC(byte_index, byte, cmd_sz) != (current_frame.data >> 8) ) {
-               Dbprintf("!!! crc mismatch: expected %x but got %x !!!", 
-                       LegicCRC(byte_index, current_frame.data & 0xff, cmd_sz),
-                       current_frame.data >> 8);
+       if( calcCrc != crc ) {
+               Dbprintf("!!! crc mismatch: %x != %x !!!",  calcCrc, crc);
                 return -1;
         }
  
                 return -1;
         }
  
-       legic_prng_forward(4); /* we wait anyways */
+       legic_prng_forward(3);
         return byte;
  }
  
         return byte;
  }
  
-/* legic_write_byte() is not included, however it's trivial to implement
- * and here are some hints on what remains to be done:
- *
- *  * assemble a write_cmd_frame with crc and send it
- *  * wait until the tag sends back an ACK ('1' bit unencrypted)
- *  * forward the prng based on the timing
+/* 
+ * - assemble a write_cmd_frame with crc and send it
+ * - wait until the tag sends back an ACK ('1' bit unencrypted)
+ * - forward the prng based on the timing
   */
   */
-//int legic_write_byte(int byte, int addr, int addr_sz, int PrngCorrection) {
-int legic_write_byte(int byte, int addr, int addr_sz) {
-    //do not write UID, CRC
-       if(addr <= 0x04) { 
-               return 0;
-               }
-       //== send write command ==============================
-       crc_clear(&legic_crc);
-       crc_update(&legic_crc, 0, 1); /* CMD_WRITE */
-       crc_update(&legic_crc, addr, addr_sz);
-       crc_update(&legic_crc, byte, 8);
-
-       uint32_t crc = crc_finish(&legic_crc);
-       uint32_t cmd = ((crc     <<(addr_sz+1+8)) //CRC
-                   |(byte    <<(addr_sz+1))   //Data
-                   |(addr    <<1)             //Address
-                   |(0x00    <<0));           //CMD = W
-    uint32_t cmd_sz = addr_sz+1+8+4;          //crc+data+cmd
-
-    legic_prng_forward(2); /* we wait anyways */
-    while(timer->TC_CV < 387) ; /* ~ 258us */
-       frame_send_rwd(cmd, cmd_sz);
+bool legic_write_byte(uint16_t index, uint8_t byte, uint8_t addr_sz) {
  
  
-       AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
-       AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
+       bool isOK = false;
+       int8_t i = 40;
+       uint8_t edges = 0;
+       uint8_t cmd_sz = addr_sz+1+8+4; //crc+data+cmd;
+       uint32_t steps = 0, next_bit_at, start, crc, old_level = 0;
+
+       crc = legic4Crc(LEGIC_WRITE, index, byte, addr_sz+1);
+
+       // send write command
+       uint32_t cmd = LEGIC_WRITE;
+       cmd |= index << 1;                        // index
+       cmd |= byte  << (addr_sz+1);  // Data   
+       cmd     |= (crc & 0xF ) << (addr_sz+1+8);       // CRC
+       
+       WaitTicks(240);
+       
+       frame_sendAsReader(cmd, cmd_sz);
+       
+       LINE_IN;
  
  
-       //== wait for ack ====================================
-    int t, old_level=0, edges=0;
-    int next_bit_at =0;
-       while(timer->TC_CV < 387) ; /* ~ 258us */
-    for(t=0; t<80; t++) {
+       start = GET_TICKS;
+
+       // ACK,  - one single "1" bit after 3.6ms
+       // 3.6ms = 3600us * 1.5 = 5400ticks.
+       WaitTicks(5400);
+       
+       next_bit_at = GET_TICKS + TAG_BIT_PERIOD;
+       
+    while ( i-- ) {
+               WDT_HIT();
          edges = 0;
          edges = 0;
-               next_bit_at += TAG_TIME_BIT;
-        while(timer->TC_CV < next_bit_at) {
-            int level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
-            if(level != old_level) {
-                edges++;
-                       }
+        while ( GET_TICKS < next_bit_at) {
+                       
+            volatile uint32_t level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
+            
+                       if (level != old_level)
+                ++edges;
+
              old_level = level;
          }
              old_level = level;
          }
-        if(edges > 20 && edges < 60) { /* expected are 42 edges */
-                       int t = timer->TC_CV;
-                       int c = t/TAG_TIME_BIT;
-                       timer->TC_CCR = AT91C_TC_SWTRG;
-                       while(timer->TC_CV > 1) ; /* Wait till the clock has reset */
-                       legic_prng_forward(c);
-               return 0;
+               
+               next_bit_at += TAG_BIT_PERIOD;
+               
+               // We expect 42 edges (ONE)
+        if(edges > 20 ) {
+                       steps = ( (GET_TICKS - start) / TAG_BIT_PERIOD);                        
+                       legic_prng_forward(steps);
+               isOK = true;
+                       goto OUT;
          }
      }
          }
      }
-    timer->TC_CCR = AT91C_TC_SWTRG;
-    while(timer->TC_CV > 1) ; /* Wait till the clock has reset */
-       return -1;
+               
+OUT: ;
+       legic_prng_forward(1);
+       
+       uint8_t cmdbytes[] = {1, isOK, BYTEx(steps, 0), BYTEx(steps, 1) };
+       LogTrace(cmdbytes, sizeof(cmdbytes), start, GET_TICKS, NULL, FALSE);
+       return isOK;
  }
  
  }
  
-int LegicRfReader(int offset, int bytes, int iv) {
+int LegicRfReader(uint16_t offset, uint16_t len, uint8_t iv) {
         
         
-       // ice_legic_setup();
-       // ice_legic_select_card();
-       // return 0;
+       uint16_t i = 0;
+       uint8_t isOK = 1;
+       legic_card_select_t card;
         
         
-       int byte_index=0, cmd_sz=0, card_sz=0;
-
-       iv = (iv <= 0 ) ? SESSION_IV : iv;                                                                                                         
-
-       LegicCommonInit();
-
-       uint8_t *BigBuf = BigBuf_get_addr();
-       memset(BigBuf, 0, 1024);
-
-       DbpString("setting up legic card");
-       uint32_t tag_type = perform_setup_phase_rwd(iv);
-       switch_off_tag_rwd(); //we lose to mutch time with dprintf
-       switch(tag_type) {
-               case 0x0d:
-                       DbpString("MIM22 card found, reading card ...");
-            cmd_sz = 6;
-                       card_sz = 22;
-                       break;
-               case 0x1d:
-                       DbpString("MIM256 card found, reading card ...");
-            cmd_sz = 9;
-                       card_sz = 256;
-                       break;
-               case 0x3d:
-                       DbpString("MIM1024 card found, reading card ...");
-            cmd_sz = 11;
-                       card_sz = 1024;
-                       break;
-               default:
-                       Dbprintf("Unknown card format: %x",tag_type);
-                       return -1;
+       LegicCommonInit(TRUE);
+       
+       if ( legic_select_card_iv(&card, iv) ) {
+               isOK = 0;
+               goto OUT;
         }
         }
-       if(bytes == -1)
-               bytes = card_sz;
-
-       if(bytes+offset >= card_sz)
-               bytes = card_sz-offset;
  
  
-       perform_setup_phase_rwd(iv);
-
-       legic_prng_forward(2);
+       if (len + offset > card.cardsize)
+               len = card.cardsize - offset;
  
         LED_B_ON();
  
         LED_B_ON();
-       while(byte_index < bytes) {
-               int r = legic_read_byte(byte_index+offset, cmd_sz);
-               if(r == -1 ||BUTTON_PRESS()) {
-               DbpString("operation aborted");
-                       switch_off_tag_rwd();
-               LED_B_OFF();
-                       LED_C_OFF();
-               return -1;
+       while (i < len) {
+               int r = legic_read_byte(offset + i, card.cmdsize);
+               
+               if (r == -1 || BUTTON_PRESS()) {                        
+               if ( MF_DBGLEVEL >= 2) DbpString("operation aborted");
+                       isOK = 0;
+                       goto OUT;
                 }
                 }
-               BigBuf[byte_index] = r;
+               cardmem[i++] = r;
          WDT_HIT();
          WDT_HIT();
-               byte_index++;
-               if (byte_index & 0x10) LED_C_ON(); else LED_C_OFF();
         }
         }
-       LED_B_OFF();
-    LED_C_OFF();
+
+OUT:   
+       WDT_HIT();
         switch_off_tag_rwd();
         switch_off_tag_rwd();
-       Dbprintf("Card read, use 'hf legic decode' or");
-    Dbprintf("'data hexsamples %d' to view results", (bytes+7) & ~7);
+       LEDsoff();
+       cmd_send(CMD_ACK, isOK, len, 0, cardmem, len);
      return 0;
  }
  
      return 0;
  }
  
-/*int _LegicRfWriter(int offset, int bytes, int addr_sz, uint8_t *BigBuf, int RoundBruteforceValue) {
-       int byte_index=0;
-
-    LED_B_ON();
-       perform_setup_phase_rwd(SESSION_IV);
-    //legic_prng_forward(2);
-       while(byte_index < bytes) {
-               int r;
-
-               //check if the DCF should be changed
-               if ( (offset == 0x05) && (bytes == 0x02) ) {
-                       //write DCF in reverse order (addr 0x06 before 0x05)
-                       r = legic_write_byte(BigBuf[(0x06-byte_index)], (0x06-byte_index), addr_sz, RoundBruteforceValue);
-                       //legic_prng_forward(1);
-                       if(r == 0) {
-                               byte_index++;
-                               r = legic_write_byte(BigBuf[(0x06-byte_index)], (0x06-byte_index), addr_sz, RoundBruteforceValue);
-                       }
-                       //legic_prng_forward(1);
-               }
-               else {
-                       r = legic_write_byte(BigBuf[byte_index+offset], byte_index+offset, addr_sz, RoundBruteforceValue);
-               }
-               if((r != 0) || BUTTON_PRESS()) {
-                       Dbprintf("operation aborted @ 0x%03.3x", byte_index);
-       switch_off_tag_rwd();
-                       LED_B_OFF();
-                       LED_C_OFF();
-                       return -1;
-               }
+void LegicRfWriter(uint16_t offset, uint16_t len, uint8_t iv, uint8_t *data) {
  
  
-        WDT_HIT();
-               byte_index++;
-        if(byte_index & 0x10) LED_C_ON(); else LED_C_OFF();
+       #define LOWERLIMIT 4
+       uint8_t isOK = 1, msg = 0;
+       legic_card_select_t card;
+       
+       // uid NOT is writeable.
+       if ( offset <= LOWERLIMIT ) {
+               isOK = 0;
+               goto OUT;
         }
         }
-    LED_B_OFF();
-    LED_C_OFF();
-    DbpString("write successful");
-    return 0;
-}*/
-
-void LegicRfWriter(int offset, int bytes, int iv) {
+       
+       LegicCommonInit(TRUE);
+       
+       if ( legic_select_card_iv(&card, iv) ) {
+               isOK = 0;
+               msg = 1;
+               goto OUT;
+       }
+       
+       if ( len + offset > card.cardsize)
+               len = card.cardsize - offset;
+
+    LED_B_ON();        
+       while( len > 0 ) {
+               --len;          
+               if ( !legic_write_byte( len + offset, data[len], card.addrsize) ) {
+                       Dbprintf("operation failed | %02X | %02X | %02X", len + offset, len, data[len] );
+                       isOK = 0;
+                       goto OUT;
+               }
+               WDT_HIT();
+       }
+OUT:
+       cmd_send(CMD_ACK, isOK, msg,0,0,0);
+       switch_off_tag_rwd();
+       LEDsoff();      
+}
  
  
-       int byte_index=0, addr_sz=0;
-       uint8_t *BigBuf = BigBuf_get_addr();
-       iv = (iv <=0 ) ? SESSION_IV : iv;                                                                                 
+int legic_select_card_iv(legic_card_select_t *p_card, uint8_t iv){
  
  
-       LegicCommonInit();
+       if ( p_card == NULL ) return 1;
         
         
-       DbpString("setting up legic card");
-       uint32_t tag_type = perform_setup_phase_rwd(iv);
-       switch_off_tag_rwd();
-       switch(tag_type) {
+       p_card->tagtype = setup_phase_reader(iv);
+       
+       switch(p_card->tagtype) {
                 case 0x0d:
                 case 0x0d:
-                       if(offset+bytes > 22) {
-                               Dbprintf("Error: can not write to 0x%03.3x on MIM22", offset+bytes);
-                               return;
-                       }
-                       addr_sz = 5;
-                       Dbprintf("MIM22 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset+bytes);
+            p_card->cmdsize = 6;
+                       p_card->addrsize = 5;
+                       p_card->cardsize = 22;
                         break;
                 case 0x1d:
                         break;
                 case 0x1d:
-                       if(offset+bytes > 0x100) {
-                               Dbprintf("Error: can not write to 0x%03.3x on MIM256", offset+bytes);
-                               return;
-                       }
-                       addr_sz = 8;
-                       Dbprintf("MIM256 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset+bytes);
+                       p_card->cmdsize = 9;
+                       p_card->addrsize = 8;
+                       p_card->cardsize = 256;
                         break;
                 case 0x3d:
                         break;
                 case 0x3d:
-                       if(offset+bytes > 0x400) {
-                       Dbprintf("Error: can not write to 0x%03.3x on MIM1024", offset+bytes);
-                       return;
-               }
-                       addr_sz = 10;
-                       Dbprintf("MIM1024 card found, writing 0x%03.3x - 0x%03.3x ...", offset, offset+bytes);
+            p_card->cmdsize = 11;
+                       p_card->addrsize = 10;
+                       p_card->cardsize = 1024;
                         break;
                         break;
-               default:
-                       Dbprintf("No or unknown card found, aborting");
-            return;
-       }
-
-#if 1
-    LED_B_ON();
-       perform_setup_phase_rwd(iv);
-       while(byte_index < bytes) {
-               int r;
-
-               //check if the DCF should be changed
-               if ( ((byte_index+offset) == 0x05) && (bytes >= 0x02) ) {
-                       //write DCF in reverse order (addr 0x06 before 0x05)
-                       r = legic_write_byte(BigBuf[(0x06-byte_index)], (0x06-byte_index), addr_sz);
-
-                       // write second byte on success...
-                       if(r == 0) {
-                               byte_index++;
-                               r = legic_write_byte(BigBuf[(0x06-byte_index)], (0x06-byte_index), addr_sz);
-                       }
-               }
-               else {
-                       r = legic_write_byte(BigBuf[byte_index+offset], byte_index+offset, addr_sz);
-               }
-               if((r != 0) || BUTTON_PRESS()) {
-                       Dbprintf("operation aborted @ 0x%03.3x", byte_index);
-                       switch_off_tag_rwd();
-                       LED_B_OFF();
-                       LED_C_OFF();
-                       return;
-               }
-
-        WDT_HIT();
-               byte_index++;
-        if(byte_index & 0x10) LED_C_ON(); else LED_C_OFF();
+               default: 
+                   p_card->cmdsize = 0;
+                       p_card->addrsize = 0;
+                       p_card->cardsize = 0;
+                       return 2;
         }
         }
-    LED_B_OFF();
-    LED_C_OFF();
-    DbpString("write successful");
-#else
-       for(byte_index = -2; byte_index < 200; byte_index++)
-       {
-               Dbprintf("+ Try RndValue %d...", byte_index);
-               if(_LegicRfWriter(bytes, offset, addr_sz, BigBuf, byte_index) == 0)
-                       break;
-       }
-#endif
+       return 0;
+}
+int legic_select_card(legic_card_select_t *p_card){
+       return legic_select_card_iv(p_card, 0x01);
+}
  
  
+//-----------------------------------------------------------------------------
+// Work with emulator memory
+// 
+// Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
+// involved in dealing with emulator memory. But if it is called later, it might
+// destroy the Emulator Memory.
+//-----------------------------------------------------------------------------
+// arg0 = offset
+// arg1 = num of bytes
+void LegicEMemSet(uint32_t arg0, uint32_t arg1, uint8_t *data) {
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+       legic_emlset_mem(data, arg0, arg1);
+}
+// arg0 = offset
+// arg1 = num of bytes
+void LegicEMemGet(uint32_t arg0, uint32_t arg1) {
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+       uint8_t buf[USB_CMD_DATA_SIZE] = {0x00};
+       legic_emlget_mem(buf, arg0, arg1);
+       LED_B_ON();
+       cmd_send(CMD_ACK, arg0, arg1, 0, buf, USB_CMD_DATA_SIZE);
+       LED_B_OFF();
  }
  }
+void legic_emlset_mem(uint8_t *data, int offset, int numofbytes) {
+       cardmem = BigBuf_get_EM_addr();
+       memcpy(cardmem + offset, data, numofbytes);
+}
+void legic_emlget_mem(uint8_t *data, int offset, int numofbytes) {
+       cardmem = BigBuf_get_EM_addr();
+       memcpy(data, cardmem + offset, numofbytes);
+}
+
+void LegicRfInfo(void){
  
  
-void LegicRfRawWriter(int address, int byte, int iv) {
-       int byte_index=0, addr_sz=0;
-                                                                                                 
-       iv = (iv <= 0) ? SESSION_IV : iv;
+       int r;
         
         
-       LegicCommonInit();
+       uint8_t buf[sizeof(legic_card_select_t)] = {0x00};
+       legic_card_select_t *card = (legic_card_select_t*) buf;
         
         
-       DbpString("setting up legic card");
-       uint32_t tag_type = perform_setup_phase_rwd(iv);
-       switch_off_tag_rwd();
-       switch(tag_type) {
-               case 0x0d:
-                       if(address > 22) {
-                               Dbprintf("Error: can not write to 0x%03.3x on MIM22", address);
-                               return;
-                       }
-                       addr_sz = 5;
-                       Dbprintf("MIM22 card found, writing at addr 0x%02.2x - value 0x%02.2x ...", address, byte);
-                       break;
-               case 0x1d:
-                       if(address > 0x100) {
-                               Dbprintf("Error: can not write to 0x%03.3x on MIM256", address);
-                               return;
-                       }
-                       addr_sz = 8;
-                       Dbprintf("MIM256 card found, writing at addr 0x%02.2x - value 0x%02.2x ...", address, byte);
-                       break;
-               case 0x3d:
-                       if(address > 0x400) {
-                       Dbprintf("Error: can not write to 0x%03.3x on MIM1024", address);
-                       return;
-               }
-                       addr_sz = 10;
-                       Dbprintf("MIM1024 card found, writing at addr 0x%03.3x - value 0x%03.3x ...", address, byte);
-                       break;
-               default:
-                       Dbprintf("No or unknown card found, aborting");
-            return;
+       LegicCommonInit(FALSE);
+
+       if ( legic_select_card(card) ) {
+               cmd_send(CMD_ACK,0,0,0,0,0);
+               goto OUT;
         }
         }
-       Dbprintf("integer value: %d address: %d  addr_sz: %d", byte, address, addr_sz);
-    LED_B_ON();
-       perform_setup_phase_rwd(iv);
-    //legic_prng_forward(2);
-               
-       int r = legic_write_byte(byte, address, addr_sz);
-               
-       if((r != 0) || BUTTON_PRESS()) {
-               Dbprintf("operation aborted @ 0x%03.3x (%1d)", byte_index, r);
-               switch_off_tag_rwd();
-               LED_B_OFF();
-               LED_C_OFF();
-               return;
+
+       // read UID bytes
+       for ( uint8_t i = 0; i < sizeof(card->uid); ++i) {
+               r = legic_read_byte(i, card->cmdsize);
+               if ( r == -1 ) {
+                       cmd_send(CMD_ACK,0,0,0,0,0);
+                       goto OUT;
+               }
+               card->uid[i] = r & 0xFF;
+       }
+
+       // MCC byte.
+       r = legic_read_byte(4, card->cmdsize);
+       uint32_t calc_mcc =  CRC8Legic(card->uid, 4);;
+       if ( r != calc_mcc) {
+               cmd_send(CMD_ACK,0,0,0,0,0);
+               goto OUT;
         }
         
         }
         
-    LED_B_OFF();
-    LED_C_OFF();
-    DbpString("write successful");
-}
+       // OK
+       cmd_send(CMD_ACK, 1, 0, 0, buf, sizeof(legic_card_select_t));
  
  
-int timestamp;
+OUT:
+       switch_off_tag_rwd();
+       LEDsoff();
+}
  
  
-/* Handle (whether to respond) a frame in tag mode */
+/* Handle (whether to respond) a frame in tag mode
+ * Only called when simulating a tag.
+ */
  static void frame_handle_tag(struct legic_frame const * const f)
  {
  static void frame_handle_tag(struct legic_frame const * const f)
  {
-       uint8_t *BigBuf = BigBuf_get_addr();
-
-   /* First Part of Handshake (IV) */
-   if(f->bits == 7) {
-//     if(f->data == SESSION_IV) {
-        LED_C_ON();
-        prng_timer->TC_CCR = AT91C_TC_SWTRG;
-        legic_prng_init(f->data);
-        frame_send_tag(0x3d, 6, 1); /* 0x3d^0x26 = 0x1b */
-        legic_state = STATE_IV;
-        legic_read_count = 0;
-        legic_prng_bc = 0;
-        legic_prng_iv = f->data;
- 
-        /* TIMEOUT */
-        timer->TC_CCR = AT91C_TC_SWTRG;
-        while(timer->TC_CV > 1);
-        while(timer->TC_CV < 280);
-        return;
-//      } else if((prng_timer->TC_CV % 50) > 40) {
-//        legic_prng_init(f->data);
-//        frame_send_tag(0x3d, 6, 1);
-//        SpinDelay(20);
-//        return;
-//     }
-   }
+       // log
+       //uint8_t cmdbytes[] = {bits,   BYTEx(data, 0), BYTEx(data, 1)};
+       //LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, FALSE);
+       //Dbprintf("ICE: enter frame_handle_tag: %02x ", f->bits);
+               
+       /* First Part of Handshake (IV) */
+       if(f->bits == 7) {
+
+               LED_C_ON();
+
+               // Reset prng timer
+               //ResetTimer(prng_timer);
+               ResetTicks();
+
+               // IV from reader.
+               legic_prng_init(f->data);
+               
+               Dbprintf("ICE: IV: %02x ", f->data);
+               
+               // We should have three tagtypes with three different answers.
+               legic_prng_forward(2);
+               //frame_send_tag(0x3d, 6); /* MIM1024 0x3d^0x26 = 0x1B */
+               frame_send_tag(0x1d, 6); // MIM256
+               
+               legic_state = STATE_IV;
+               legic_read_count = 0;
+               legic_prng_bc = 0;
+               legic_prng_iv = f->data;
+
+               //ResetTimer(timer);
+               //WaitUS(280);
+               WaitTicks(388);
+               return;
+       }
  
     /* 0x19==??? */
     if(legic_state == STATE_IV) {
  
     /* 0x19==??? */
     if(legic_state == STATE_IV) {
-      int local_key = get_key_stream(3, 6);
+      uint32_t local_key = get_key_stream(3, 6);
        int xored = 0x39 ^ local_key;
        if((f->bits == 6) && (f->data == xored)) {
           legic_state = STATE_CON;
  
        int xored = 0x39 ^ local_key;
        if((f->bits == 6) && (f->data == xored)) {
           legic_state = STATE_CON;
  
-         /* TIMEOUT */
-         timer->TC_CCR = AT91C_TC_SWTRG;
-         while(timer->TC_CV > 1);
-         while(timer->TC_CV < 200);
+                ResetTimer(timer);
+                WaitTicks(300);
           return;
           return;
-      } else {
+
+        } else {
           legic_state = STATE_DISCON;
           LED_C_OFF();
           Dbprintf("iv: %02x frame: %02x key: %02x xored: %02x", legic_prng_iv, f->data, local_key, xored);
           legic_state = STATE_DISCON;
           LED_C_OFF();
           Dbprintf("iv: %02x frame: %02x key: %02x xored: %02x", legic_prng_iv, f->data, local_key, xored);
@@ -738,86 +708,77 @@ static void frame_handle_tag(struct legic_frame const * const f)
     /* Read */
     if(f->bits == 11) {
        if(legic_state == STATE_CON) {
     /* Read */
     if(f->bits == 11) {
        if(legic_state == STATE_CON) {
-         int key   = get_key_stream(2, 11); //legic_phase_drift, 11);
-         int addr  = f->data ^ key; addr = addr >> 1;
-         int data = BigBuf[addr];
-         int hash = LegicCRC(addr, data, 11) << 8;
-         BigBuf[OFFSET_LOG+legic_read_count] = (uint8_t)addr;
-         legic_read_count++;
-
-         //Dbprintf("Data:%03.3x, key:%03.3x, addr: %03.3x, read_c:%u", f->data, key, addr, read_c);
-         legic_prng_forward(legic_reqresp_drift);
-
-         frame_send_tag(hash | data, 12, 1);
-
-         /* SHORT TIMEOUT */
-         timer->TC_CCR = AT91C_TC_SWTRG;
-         while(timer->TC_CV > 1);
+         uint32_t key = get_key_stream(2, 11); //legic_phase_drift, 11);
+         uint16_t addr = f->data ^ key; 
+                addr >>= 1;
+         uint8_t data = cardmem[addr];
+                
+         uint32_t crc = legic4Crc(LEGIC_READ, addr, data, 11) << 8;
+
+         //legic_read_count++;
+         //legic_prng_forward(legic_reqresp_drift);
+
+         frame_send_tag(crc | data, 12);
+                //ResetTimer(timer);
           legic_prng_forward(2);
           legic_prng_forward(2);
-         while(timer->TC_CV < 180);
+                WaitTicks(330);
           return;
        }
     }
  
     /* Write */
           return;
        }
     }
  
     /* Write */
-   if(f->bits == 23) {
-      int key   = get_key_stream(-1, 23); //legic_frame_drift, 23);
-      int addr  = f->data ^ key; addr = addr >> 1; addr = addr & 0x3ff;
-      int data  = f->data ^ key; data = data >> 11; data = data & 0xff;
-
+   if (f->bits == 23 || f->bits == 21 ) {
+      uint32_t key  = get_key_stream(-1, 23); //legic_frame_drift, 23);
+      uint16_t addr = f->data ^ key; 
+         addr >>= 1; 
+         addr &= 0x3ff;
+      uint32_t data = f->data ^ key; 
+         data >>= 11; 
+         data &= 0xff;
+
+         cardmem[addr] = data;
        /* write command */
        legic_state = STATE_DISCON;
        LED_C_OFF();
        Dbprintf("write - addr: %x, data: %x", addr, data);
        /* write command */
        legic_state = STATE_DISCON;
        LED_C_OFF();
        Dbprintf("write - addr: %x, data: %x", addr, data);
+         // should send a ACK after 3.6ms 
        return;
     }
  
     if(legic_state != STATE_DISCON) {
        Dbprintf("Unexpected: sz:%u, Data:%03.3x, State:%u, Count:%u", f->bits, f->data, legic_state, legic_read_count);
        return;
     }
  
     if(legic_state != STATE_DISCON) {
        Dbprintf("Unexpected: sz:%u, Data:%03.3x, State:%u, Count:%u", f->bits, f->data, legic_state, legic_read_count);
-      int i;
        Dbprintf("IV: %03.3x", legic_prng_iv);
        Dbprintf("IV: %03.3x", legic_prng_iv);
-      for(i = 0; i<legic_read_count; i++) {
-         Dbprintf("Read Nb: %u, Addr: %u", i, BigBuf[OFFSET_LOG+i]);
-      }
-
-      for(i = -1; i<legic_read_count; i++) {
-         uint32_t t;
-         t  = BigBuf[OFFSET_LOG+256+i*4];
-         t |= BigBuf[OFFSET_LOG+256+i*4+1] << 8;
-         t |= BigBuf[OFFSET_LOG+256+i*4+2] <<16;
-         t |= BigBuf[OFFSET_LOG+256+i*4+3] <<24;
-
-         Dbprintf("Cycles: %u, Frame Length: %u, Time: %u", 
-            BigBuf[OFFSET_LOG+128+i],
-            BigBuf[OFFSET_LOG+384+i],
-            t);
-      }
     }
     }
-   legic_state = STATE_DISCON; 
-   legic_read_count = 0;
-   SpinDelay(10);
-   LED_C_OFF();
-   return; 
+
+       legic_state = STATE_DISCON; 
+       legic_read_count = 0;
+       WaitMS(10);
+       LED_C_OFF();
+       return; 
  }
  
  /* Read bit by bit untill full frame is received
   * Call to process frame end answer
   */
  }
  
  /* Read bit by bit untill full frame is received
   * Call to process frame end answer
   */
-static void emit(int bit)
-{
-  if(bit == -1) {
-     if(current_frame.bits <= 4) {
-        frame_clean(&current_frame);
-     } else {
-        frame_handle_tag(&current_frame);
-        frame_clean(&current_frame);
-     }
-     WDT_HIT();
-  } else if(bit == 0) {
-    frame_append_bit(&current_frame, 0);
-  } else if(bit == 1) {
-    frame_append_bit(&current_frame, 1);
-  }
+static void emit(int bit) {
+
+       switch (bit) {
+               case 1:
+                       frame_append_bit(&current_frame, 1);
+                       break;                  
+               case 0:
+                       frame_append_bit(&current_frame, 0);
+                       break;
+               default: 
+                       if(current_frame.bits <= 4) {
+                               frame_clean(&current_frame);
+                       } else {
+                               frame_handle_tag(&current_frame);
+                               frame_clean(&current_frame);
+                       }
+                       WDT_HIT();
+                       break;
+       } 
  }
  
  void LegicRfSimulate(int phase, int frame, int reqresp)
  }
  
  void LegicRfSimulate(int phase, int frame, int reqresp)
@@ -830,89 +791,147 @@ void LegicRfSimulate(int phase, int frame, int reqresp)
     * measure the time between two rising edges on DIN, and no encoding on the
     * subcarrier from card to reader, so we'll just shift out our verbatim data
     * on DOUT, 1 bit is 100us. The time from reader to card frame is still unclear,
     * measure the time between two rising edges on DIN, and no encoding on the
     * subcarrier from card to reader, so we'll just shift out our verbatim data
     * on DOUT, 1 bit is 100us. The time from reader to card frame is still unclear,
-   * seems to be 300us-ish.
+   * seems to be 330us.
     */
     */
+               
+       int old_level = 0, active = 0;
+       volatile int32_t level = 0;
+       
+       legic_state = STATE_DISCON;
+       legic_phase_drift = phase;
+       legic_frame_drift = frame;
+       legic_reqresp_drift = reqresp;
  
  
-//   if(phase < 0) {
-//      int i;
-//      for(i=0; i<=reqresp; i++) {
-//         legic_prng_init(SESSION_IV);
-//         Dbprintf("i=%u, key 0x%3.3x", i, get_key_stream(i, frame));
-//      }
-//      return;
-//   }
-
-   legic_phase_drift = phase;
-   legic_frame_drift = frame;
-   legic_reqresp_drift = reqresp;
-
-   FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-   SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-   FpgaSetupSsc();
-   FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_212K);
-   
-   /* Bitbang the receiver */
-   AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
-   AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
-   
-   setup_timer();
-   crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
-   
-   int old_level = 0;
-   int active = 0;
-   legic_state = STATE_DISCON;
-
-   LED_B_ON();
-   DbpString("Starting Legic emulator, press button to end");
-   while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
-      int level = !!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
-      int time = timer->TC_CV;
-                
-      if(level != old_level) {
-         if(level == 1) {
-            timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
-            if(FUZZ_EQUAL(time, RWD_TIME_1, RWD_TIME_FUZZ)) {
-               /* 1 bit */
-               emit(1);
-               active = 1;
-               LED_A_ON();
-            } else if(FUZZ_EQUAL(time, RWD_TIME_0, RWD_TIME_FUZZ)) {
-               /* 0 bit */
-               emit(0);
-               active = 1;
-               LED_A_ON();
-            } else if(active) {
-               /* invalid */
-               emit(-1);
-               active = 0;
-               LED_A_OFF();
-            }
-         }
-      }
  
  
-      if(time >= (RWD_TIME_1+RWD_TIME_FUZZ) && active) {
-         /* Frame end */
-         emit(-1);
-         active = 0;
-         LED_A_OFF();
-      }
-                
-      if(time >= (20*RWD_TIME_1) && (timer->TC_SR & AT91C_TC_CLKSTA)) {
-         timer->TC_CCR = AT91C_TC_CLKDIS;
-      }
-                
-      old_level = level;
-      WDT_HIT();
-   }
-   DbpString("Stopped");
-   LED_B_OFF();
-   LED_A_OFF();
-   LED_C_OFF();
-}
+       /* to get the stream of bits from FPGA in sim mode.*/
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+       // Set up the synchronous serial port
+       //FpgaSetupSsc();
+       // connect Demodulated Signal to ADC:
+       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_212K);
+       //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
  
  
+       #define LEGIC_DMA_BUFFER 256
+       // The DMA buffer, used to stream samples from the FPGA
+       //uint8_t *dmaBuf = BigBuf_malloc(LEGIC_DMA_BUFFER);
+       //uint8_t *data = dmaBuf;
+       // Setup and start DMA.
+       // if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, LEGIC_DMA_BUFFER) ){
+               // if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+               // return;
+       // }
  
  
-//-----------------------------------------------------------------------------
-//-----------------------------------------------------------------------------
+       //StartCountSspClk();
+       /* Bitbang the receiver */
+       AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
+       AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
+
+       // need a way to determine which tagtype we are simulating
+       
+       // hook up emulator memory  
+       cardmem = BigBuf_get_EM_addr();
+       
+       clear_trace();
+       set_tracing(TRUE);
+
+       crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
+
+       StartTicks();
+
+       LED_B_ON();
+       DbpString("Starting Legic emulator, press button to end");
+       
+       /*
+        * The mode FPGA_HF_SIMULATOR_MODULATE_212K works like this.
+        * - A 1-bit input to the FPGA becomes 8 pulses on 212kHz (fc/64) (18.88us).
+        * - A 0-bit input to the FPGA becomes an unmodulated time of 18.88us
+        *
+        * In this mode the SOF can be written as 00011101 = 0x1D
+        * The EOF can be written as 10111000 = 0xb8
+        * A logic 1 is 01
+        * A logic 0 is 10
+       volatile uint8_t b;
+       uint8_t i = 0;
+       while( !BUTTON_PRESS() ) {
+               WDT_HIT();
+
+               // not sending anything.
+        if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+            AT91C_BASE_SSC->SSC_THR = 0x00;
+        }
+
+               // receive
+               if ( AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY ) {
+                       b = (uint8_t) AT91C_BASE_SSC->SSC_RHR;
+                       bd[i] = b;
+                       ++i;
+       //              if(OutOfNDecoding(b & 0x0f))
+       //                              *len = Uart.byteCnt;
+                       }
+               
+       }
+        */
+
+       while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
+               
+               level = !!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
+
+               uint32_t time = GET_TICKS;
+
+               if (level != old_level) {
+                       if (level == 1) {
+
+                               //Dbprintf("start, %u ", time);
+                               StartTicks();
+                               // did we get a signal 
+                               if (FUZZ_EQUAL(time, RWD_TIME_1, RWD_TIME_FUZZ)) {
+                                       // 1 bit 
+                                       emit(1);
+                                       active = 1;
+                                       LED_A_ON();
+                               } else if (FUZZ_EQUAL(time, RWD_TIME_0, RWD_TIME_FUZZ)) {
+                                       // 0 bit 
+                                       emit(0);
+                                       active = 1;
+                                       LED_A_ON();
+                               } else if (active) {
+                                       // invalid 
+                                       emit(-1);
+                                       active = 0;
+                                       LED_A_OFF();
+                               }
+                       }
+               }
+
+       
+               /* Frame end */
+               if(time >= (RWD_TIME_1 + RWD_TIME_FUZZ) && active) {
+                       emit(-1);
+                       active = 0;
+                       LED_A_OFF();
+               }
+
+               /*
+               * Disable the counter, Then wait for the clock to acknowledge the
+               * shutdown in its status register. Reading the SR has the
+               * side-effect of clearing any pending state in there.
+               */
+               //if(time >= (20*RWD_TIME_1) && (timer->TC_SR & AT91C_TC_CLKSTA))
+               if(time >= (20 * RWD_TIME_1) )
+                       StopTicks();
+
+               old_level = level;
+               WDT_HIT();
+}
+
+       WDT_HIT();
+       DbpString("LEGIC Prime emulator stopped");
+       switch_off_tag_rwd();
+       FpgaDisableSscDma();
+       LEDsoff();
+       cmd_send(CMD_ACK, 1, 0, 0, 0, 0);
+}
  
  
  //-----------------------------------------------------------------------------
  
  
  //-----------------------------------------------------------------------------
@@ -1006,6 +1025,7 @@ void LegicRfSimulate(int phase, int frame, int reqresp)
  // The software UART that receives commands from the reader, and its state
  // variables.
  //-----------------------------------------------------------------------------
  // The software UART that receives commands from the reader, and its state
  // variables.
  //-----------------------------------------------------------------------------
+/*
  static struct {
         enum {
                 STATE_UNSYNCD,
  static struct {
         enum {
                 STATE_UNSYNCD,
@@ -1020,7 +1040,7 @@ static struct {
         int     posCnt;
         uint8_t *output;
  } Uart;
         int     posCnt;
         uint8_t *output;
  } Uart;
-
+*/
  /* Receive & handle a bit coming from the reader.
   *
   * This function is called 4 times per bit (every 2 subcarrier cycles).
  /* Receive & handle a bit coming from the reader.
   *
   * This function is called 4 times per bit (every 2 subcarrier cycles).
@@ -1145,20 +1165,18 @@ static struct {
  
         // return FALSE;
  // }
  
         // return FALSE;
  // }
+/*
  
  
-
-static void UartReset()
-{
-       Uart.byteCntMax = MAX_FRAME_SIZE;
+static void UartReset() {
+       Uart.byteCntMax = 3;
         Uart.state = STATE_UNSYNCD;
         Uart.byteCnt = 0;
         Uart.bitCnt = 0;
         Uart.posCnt = 0;
         Uart.state = STATE_UNSYNCD;
         Uart.byteCnt = 0;
         Uart.bitCnt = 0;
         Uart.posCnt = 0;
-       memset(Uart.output, 0x00, MAX_FRAME_SIZE);
+       memset(Uart.output, 0x00, 3);
  }
  }
-
-// static void UartInit(uint8_t *data)
-// {
+*/
+// static void UartInit(uint8_t *data) {
         // Uart.output = data;
         // UartReset();
  // }
         // Uart.output = data;
         // UartReset();
  // }
@@ -1169,7 +1187,7 @@ static void UartReset()
  // tag's response, which we leave in the buffer to be demodulated on the
  // PC side.
  //=============================================================================
  // tag's response, which we leave in the buffer to be demodulated on the
  // PC side.
  //=============================================================================
-
+/*
  static struct {
         enum {
                 DEMOD_UNSYNCD,
  static struct {
         enum {
                 DEMOD_UNSYNCD,
@@ -1188,7 +1206,7 @@ static struct {
         int     sumI;
         int     sumQ;
  } Demod;
         int     sumI;
         int     sumQ;
  } Demod;
-
+*/
  /*
   * Handles reception of a bit from the tag
   *
  /*
   * Handles reception of a bit from the tag
   *
@@ -1203,32 +1221,8 @@ static struct {
   *          false if we are still waiting for some more
   *
   */
   *          false if we are still waiting for some more
   *
   */
-
- #ifndef SUBCARRIER_DETECT_THRESHOLD
- # define SUBCARRIER_DETECT_THRESHOLD  8
- #endif
   
   
- // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
-#ifndef CHECK_FOR_SUBCARRIER
-# define CHECK_FOR_SUBCARRIER() { v = MAX(ai, aq) + MIN(halfci, halfcq); }
-#endif
-
-// The soft decision on the bit uses an estimate of just the
-// quadrant of the reference angle, not the exact angle.
-// Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
-#define MAKE_SOFT_DECISION() { \
-               if(Demod.sumI > 0) \
-                       v = ci; \
-               else \
-                       v = -ci; \
-               \
-               if(Demod.sumQ > 0) \
-                       v += cq; \
-               else \
-                       v -= cq; \
-               \
-       }
-
+/*
  static RAMFUNC int HandleLegicSamplesDemod(int ci, int cq)
  {
         int v = 0;
  static RAMFUNC int HandleLegicSamplesDemod(int ci, int cq)
  {
         int v = 0;
@@ -1383,7 +1377,8 @@ static RAMFUNC int HandleLegicSamplesDemod(int ci, int cq)
         }
         return FALSE;
  }
         }
         return FALSE;
  }
-
+*/
+/*
  // Clear out the state of the "UART" that receives from the tag.
  static void DemodReset() {
         Demod.len = 0;
  // Clear out the state of the "UART" that receives from the tag.
  static void DemodReset() {
         Demod.len = 0;
@@ -1394,20 +1389,24 @@ static void DemodReset() {
         Demod.bitCount = 0;
         Demod.thisBit = 0;
         Demod.shiftReg = 0;
         Demod.bitCount = 0;
         Demod.thisBit = 0;
         Demod.shiftReg = 0;
-       memset(Demod.output, 0x00, MAX_FRAME_SIZE);
+       memset(Demod.output, 0x00, 3);
  }
  
  static void DemodInit(uint8_t *data) {
         Demod.output = data;
         DemodReset();
  }
  }
  
  static void DemodInit(uint8_t *data) {
         Demod.output = data;
         DemodReset();
  }
+*/
  
  /*
   *  Demodulate the samples we received from the tag, also log to tracebuffer
   *  quiet: set to 'TRUE' to disable debug output
   */
  
  /*
   *  Demodulate the samples we received from the tag, also log to tracebuffer
   *  quiet: set to 'TRUE' to disable debug output
   */
+ 
+ /*
   #define LEGIC_DMA_BUFFER_SIZE 256
   #define LEGIC_DMA_BUFFER_SIZE 256
-static void GetSamplesForLegicDemod(int n, bool quiet)
+
+ static void GetSamplesForLegicDemod(int n, bool quiet)
  {
         int max = 0;
         bool gotFrame = FALSE;
  {
         int max = 0;
         bool gotFrame = FALSE;
@@ -1482,9 +1481,13 @@ static void GetSamplesForLegicDemod(int n, bool quiet)
                 LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
         }
  }
                 LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
         }
  }
+
+*/
+
  //-----------------------------------------------------------------------------
  // Transmit the command (to the tag) that was placed in ToSend[].
  //-----------------------------------------------------------------------------
  //-----------------------------------------------------------------------------
  // Transmit the command (to the tag) that was placed in ToSend[].
  //-----------------------------------------------------------------------------
+/*
  static void TransmitForLegic(void)
  {
         int c;
  static void TransmitForLegic(void)
  {
         int c;
@@ -1531,12 +1534,13 @@ static void TransmitForLegic(void)
         }
         LED_B_OFF();
  }
         }
         LED_B_OFF();
  }
-
+*/
  
  //-----------------------------------------------------------------------------
  // Code a layer 2 command (string of octets, including CRC) into ToSend[],
  // so that it is ready to transmit to the tag using TransmitForLegic().
  //-----------------------------------------------------------------------------
  
  //-----------------------------------------------------------------------------
  // Code a layer 2 command (string of octets, including CRC) into ToSend[],
  // so that it is ready to transmit to the tag using TransmitForLegic().
  //-----------------------------------------------------------------------------
+/*
  static void CodeLegicBitsAsReader(const uint8_t *cmd, uint8_t cmdlen, int bits)
  {
         int i, j;
  static void CodeLegicBitsAsReader(const uint8_t *cmd, uint8_t cmdlen, int bits)
  {
         int i, j;
@@ -1568,11 +1572,12 @@ static void CodeLegicBitsAsReader(const uint8_t *cmd, uint8_t cmdlen, int bits)
         // Convert from last character reference to length
         ++ToSendMax;
  }
         // Convert from last character reference to length
         ++ToSendMax;
  }
-
+*/
  /**
    Convenience function to encode, transmit and trace Legic comms
    **/
  /**
    Convenience function to encode, transmit and trace Legic comms
    **/
-static void CodeAndTransmitLegicAsReader(const uint8_t *cmd, uint8_t cmdlen, int bits)
+/*
+  static void CodeAndTransmitLegicAsReader(const uint8_t *cmd, uint8_t cmdlen, int bits)
  {
         CodeLegicBitsAsReader(cmd, cmdlen, bits);
         TransmitForLegic();
  {
         CodeLegicBitsAsReader(cmd, cmdlen, bits);
         TransmitForLegic();
@@ -1582,59 +1587,9 @@ static void CodeAndTransmitLegicAsReader(const uint8_t *cmd, uint8_t cmdlen, int
         }
  }
  
         }
  }
  
-int ice_legic_select_card()
-{
-       //int cmd_size=0, card_size=0;
-       uint8_t wakeup[] = { 0x7F };
-       uint8_t getid[] = {0x19};
-
-       legic_prng_init(SESSION_IV);
-
-       // first, wake up the tag, 7bits
-       CodeAndTransmitLegicAsReader(wakeup, sizeof(wakeup), 7);
-
-       GetSamplesForLegicDemod(1000, TRUE);
-
-       // frame_clean(&current_frame);
-       //frame_receive_rwd(&current_frame, 6, 1);
-
-       legic_prng_forward(1); /* we wait anyways */
-       
-       //while(timer->TC_CV < 387) ; /* ~ 258us */
-       //frame_send_rwd(0x19, 6);
-       CodeAndTransmitLegicAsReader(getid, sizeof(getid), 8);
-       GetSamplesForLegicDemod(1000, TRUE);
-
-       //if (Demod.len < 14) return 2; 
-       Dbprintf("CARD TYPE: %02x  LEN: %d", Demod.output[0], Demod.len);
-
-       switch(Demod.output[0]) {
-               case 0x1d:
-                       DbpString("MIM 256 card found");
-            // cmd_size = 9;
-                       // card_size = 256;
-                       break;
-               case 0x3d:
-                       DbpString("MIM 1024 card found");
-            // cmd_size = 11;
-                       // card_size = 1024;
-                       break;
-               default:
-                       return -1;
-       }
-       
-       // if(bytes == -1)
-               // bytes = card_size;
-
-       // if(bytes + offset >= card_size)
-               // bytes = card_size - offset;  
-       
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       set_tracing(FALSE);
-       return 1;
-}
-
+*/
  // Set up LEGIC communication
  // Set up LEGIC communication
+/*
  void ice_legic_setup() {
  
         // standard things.
  void ice_legic_setup() {
  
         // standard things.
@@ -1654,7 +1609,7 @@ void ice_legic_setup() {
         // Signal field is on with the appropriate LED
      LED_D_ON();
         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
         // Signal field is on with the appropriate LED
      LED_D_ON();
         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
-       SpinDelay(200);
+       SpinDelay(20);
         // Start the timer
         //StartCountSspClk();
         
         // Start the timer
         //StartCountSspClk();
         
@@ -1663,4 +1618,5 @@ void ice_legic_setup() {
  
         // initalize prng
         legic_prng_init(0);
  
         // initalize prng
         legic_prng_init(0);
-}
-\ No newline at end of file
+}
+*/
+\ No newline at end of file