X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/bd20f8f47847787e1f3e933043933272908c5beb..da9d456e9fabb82fcaefdddcaac50d38b35cf3d9:/armsrc/hitag2.c

diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c
index 15daa25e..1a0e9b56 100644
--- a/armsrc/hitag2.c
+++ b/armsrc/hitag2.c
@@ -1,14 +1,19 @@
 //-----------------------------------------------------------------------------
-// (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
-//
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
 // the license.
 //-----------------------------------------------------------------------------
-// Hitag2 emulation
+// Hitag2 emulation (preliminary test version)
+//
+// (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
+//-----------------------------------------------------------------------------
+// Hitag2 complete rewrite of the code
+// - Fixed modulation/encoding issues
+// - Rewrote code for transponder emulation
+// - Added snooping of transponder communication
+// - Added reader functionality
 //
-// Contains state and functions for an emulated Hitag2 tag. Offers an entry
-// point to handle commands, needs a callback to send response.
+// (c) 2012 Roel Verdult
 //-----------------------------------------------------------------------------
 
 #include "proxmark3.h"
@@ -17,166 +22,84 @@
 #include "hitag2.h"
 #include "string.h"
 
-struct hitag2_cipher_state {
-	uint64_t state;
-};
+static bool bQuiet;
+
+bool bCrypto;
+bool bAuthenticating;
+bool bPwd;
+bool bSuccessful;
+
+int LogTraceHitag(const uint8_t * btBytes, int iBits, int iSamples, uint32_t dwParity, int bReader)
+{
+  // Return when trace is full
+  if (traceLen >= TRACE_SIZE) return FALSE;
+  
+  // Trace the random, i'm curious
+  rsamples += iSamples;
+  trace[traceLen++] = ((rsamples >> 0) & 0xff);
+  trace[traceLen++] = ((rsamples >> 8) & 0xff);
+  trace[traceLen++] = ((rsamples >> 16) & 0xff);
+  trace[traceLen++] = ((rsamples >> 24) & 0xff);
+  if (!bReader) {
+    trace[traceLen - 1] |= 0x80;
+  }
+  trace[traceLen++] = ((dwParity >> 0) & 0xff);
+  trace[traceLen++] = ((dwParity >> 8) & 0xff);
+  trace[traceLen++] = ((dwParity >> 16) & 0xff);
+  trace[traceLen++] = ((dwParity >> 24) & 0xff);
+  trace[traceLen++] = iBits;
+  memcpy(trace + traceLen, btBytes, nbytes(iBits));
+  traceLen += nbytes(iBits);
+  return TRUE;
+}
 
 struct hitag2_tag {
 	uint32_t uid;
 	enum {
-		TAG_STATE_RESET,          // Just powered up, awaiting GetSnr
-		TAG_STATE_ACTIVATING,     // In activation phase (password mode), sent UID, awaiting reader password
-		TAG_STATE_AUTHENTICATING, // In activation phase (crypto mode), awaiting reader authentication
-		TAG_STATE_ACTIVATED,      // Activation complete, awaiting read/write commands
-		TAG_STATE_WRITING,        // In write command, awaiting sector contents to be written
+		TAG_STATE_RESET      = 0x01,       // Just powered up, awaiting GetSnr
+		TAG_STATE_ACTIVATING = 0x02 ,      // In activation phase (password mode), sent UID, awaiting reader password
+		TAG_STATE_ACTIVATED  = 0x03,       // Activation complete, awaiting read/write commands
+		TAG_STATE_WRITING    = 0x04,       // In write command, awaiting sector contents to be written
 	} state;
 	unsigned int active_sector;
-	char crypto_active;
-	struct hitag2_cipher_state cs;
-	char sectors[8][4];
+	byte_t crypto_active;
+	uint64_t cs;
+	byte_t sectors[12][4];
 };
 
-static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *challenge);
-static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator);
-static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits);
-
-static struct hitag2_tag tag;
-static const struct hitag2_tag resetdata = {
-		.state = TAG_STATE_RESET,
-		.sectors = {                                     // Password mode:               | Crypto mode:
-				[0] = { 0x35, 0x33, 0x70, 0x11}, // UID                          | UID
-				[1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD                 | 32 bit LSB key
-				[2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved                     | 16 bit MSB key, 16 bit reserved
-				[3] = { 0x0e, 0xaa, 'H', 'T'},   // Configuration, password TAG  | Configuration, password TAG
-		},
+static struct hitag2_tag tag = {
+    .state = TAG_STATE_RESET,
+    .sectors = {                         // Password mode:               | Crypto mode:
+        [0]  = { 0x02, 0x4e, 0x02, 0x20}, // UID                          | UID
+        [1]  = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD                 | 32 bit LSB key
+        [2]  = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved                     | 16 bit MSB key, 16 bit reserved
+        [3]  = { 0x0e, 0xaa, 0x48, 0x54}, // Configuration, password TAG  | Configuration, password TAG
+        [4]  = { 0x46, 0x5f, 0x4f, 0x4b}, // Data: F_OK
+        [5]  = { 0x55, 0x55, 0x55, 0x55}, // Data: UUUU
+        [6]  = { 0xaa, 0xaa, 0xaa, 0xaa}, // Data: ....
+        [7]  = { 0x55, 0x55, 0x55, 0x55}, // Data: UUUU
+        [8]  = { 0x00, 0x00, 0x00, 0x00}, // RSK Low
+        [9]  = { 0x00, 0x00, 0x00, 0x00}, // RSK High
+        [10] = { 0x00, 0x00, 0x00, 0x00}, // RCF
+        [11] = { 0x00, 0x00, 0x00, 0x00}, // SYNC
+    },
 };
 
-int hitag2_reset(void)
-{
-	tag.state = TAG_STATE_RESET;
-	tag.crypto_active = 0;
-	return 0;
-}
-
-int hitag2_init(void)
-{
-	memcpy(&tag, &resetdata, sizeof(tag));
-	hitag2_reset();
-	return 0;
-}
-
-int hitag2_handle_command(const char* data, const int length, hitag2_response_callback_t cb, void *cb_cookie)
-{
-	(void)data; (void)length; (void)cb; (void)cb_cookie;
-	int retry = 0, done = 0, result=0;
-	char temp[10];
-
-	if(tag.crypto_active && length < sizeof(temp)*8) {
-		/* Decrypt command */
-		memcpy(temp, data, (length+7)/8);
-		hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8);
-		data = temp;
-	}
-
-
-handle_command_retry:
-	switch(tag.state) {
-	case TAG_STATE_RESET:
-		if(length == 5 && data[0] == 0xC0) {
-			/* Received 11000 from the reader, request for UID, send UID */
-			result=cb(tag.sectors[0], sizeof(tag.sectors[0])*8, 208, cb_cookie);
-			done=1;
-			if(tag.sectors[3][0] & 0x08) {
-				tag.state=TAG_STATE_AUTHENTICATING;
-			} else {
-				tag.state=TAG_STATE_ACTIVATING;
-			}
-		}
-		break;
-	case TAG_STATE_ACTIVATING:
-		if(length == 0x20) {
-			/* Received RWD password, respond with configuration and our password */
-			result=cb(tag.sectors[3], sizeof(tag.sectors[3])*8, 208, cb_cookie);
-			done=1;
-			tag.state=TAG_STATE_ACTIVATED;
-		}
-		break;
-	case TAG_STATE_AUTHENTICATING:
-		if(length == 0x40) {
-			/* Received initialisation vector || authentication token, fire up cipher, send our password */
-			hitag2_cipher_reset(&tag, data);
-			if(hitag2_cipher_authenticate(&(tag.cs), data+4)) {
-				char response_enc[4];
-				memcpy(response_enc, tag.sectors[3], 4);
-				hitag2_cipher_transcrypt(&(tag.cs), response_enc, 4, 0);
-				result=cb(response_enc, 4*8, 208, cb_cookie);
-				done=1;
-				tag.crypto_active = 1;
-				tag.state = TAG_STATE_ACTIVATED;
-			} else {
-				/* The reader failed to authenticate, do nothing */
-				DbpString("Reader authentication failed");
-			}
-		}
-		break;
-	case TAG_STATE_ACTIVATED:
-		if(length == 10) {
-			if( ((data[0] & 0xC0) == 0xC0) && ((data[0] & 0x06) == 0) ) {
-				/* Read command: 11xx x00y  yy with yyy == ~xxx, xxx is sector number */
-				unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07);
-				if(sector == ( (data[0]>>3)&0x07 ) ) {
-					memcpy(temp, tag.sectors[sector], 4);
-					if(tag.crypto_active) {
-						hitag2_cipher_transcrypt(&(tag.cs), temp, 4, 0);
-					}
-					/* Respond with contents of sector sector */
-					result = cb(temp, 4*8, 208, cb_cookie);
-					done=1;
-				} else {
-					/* transmission error */
-					DbpString("Transmission error (read) in activated state");
-				}
-			} else if( ((data[0] & 0xC0) == 0x80) && ((data[0] & 0x06) == 2) ) {
-				/* Write command: 10xx x01y  yy with yyy == ~xxx, xxx is sector number */
-				unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07);
-				if(sector == ( (data[0]>>3)&0x07 ) ) {
-					/* Prepare write, acknowledge by repeating command */
-					if(tag.crypto_active) {
-						hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8);
-					}
-					result = cb(data, length, 208, cb_cookie);
-					done=1;
-					tag.active_sector = sector;
-					tag.state=TAG_STATE_WRITING;
-				} else {
-					/* transmission error */
-					DbpString("Transmission error (write) in activated state");
-				}
-			}
-
-		}
-	case TAG_STATE_WRITING:
-		if(length == 32) {
-			/* These are the sector contents to be written. We don't have to do anything else. */
-			memcpy(tag.sectors[tag.active_sector], data, length/8);
-			tag.state=TAG_STATE_ACTIVATED;
-			done=1;
-		}
-	}
+//#define TRACE_LENGTH 3000
+//uint8_t *trace = (uint8_t *) BigBuf;
+//int traceLen = 0;
+//int rsamples = 0;
 
-	if(!done && !retry) {
-		/* We didn't respond, maybe our state is faulty. Reset and try again. */
-		retry=1;
-		if(tag.crypto_active) {
-			/* Restore undeciphered data */
-			memcpy(temp, data, (length+7)/8);
-		}
-		hitag2_reset();
-		goto handle_command_retry;
-	}
+#define AUTH_TABLE_OFFSET FREE_BUFFER_OFFSET
+#define AUTH_TABLE_LENGTH FREE_BUFFER_SIZE
+byte_t* auth_table = (byte_t *)BigBuf+AUTH_TABLE_OFFSET;
+size_t auth_table_pos = 0;
+size_t auth_table_len = AUTH_TABLE_LENGTH;
 
-	return result;
-}
+byte_t password[4];
+byte_t NrAr[8];
+byte_t key[8];
+uint64_t cipher_state;
 
 /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */
 // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007.
@@ -254,42 +177,1218 @@ static u32 _hitag2_byte (u64 * x)
 	return c;
 }
 
+int hitag2_reset(void)
+{
+	tag.state = TAG_STATE_RESET;
+	tag.crypto_active = 0;
+	return 0;
+}
 
-/* Cipher/tag glue code: */
+int hitag2_init(void)
+{
+//	memcpy(&tag, &resetdata, sizeof(tag));
+	hitag2_reset();
+	return 0;
+}
 
-static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *iv)
+static void hitag2_cipher_reset(struct hitag2_tag *tag, const byte_t *iv)
 {
-	uint64_t key = ((uint64_t)tag->sectors[2][2]) |
-			((uint64_t)tag->sectors[2][3] << 8) |
-			((uint64_t)tag->sectors[1][0] << 16) |
-			((uint64_t)tag->sectors[1][1] << 24) |
-			((uint64_t)tag->sectors[1][2] << 32) |
-			((uint64_t)tag->sectors[1][3] << 40);
-	uint32_t uid = ((uint32_t)tag->sectors[0][0]) |
-			((uint32_t)tag->sectors[0][1] << 8) |
-			((uint32_t)tag->sectors[0][2] << 16) |
-			((uint32_t)tag->sectors[0][3] << 24);
+	uint64_t key =  ((uint64_t)tag->sectors[2][2]) |
+                  ((uint64_t)tag->sectors[2][3] << 8) |
+                  ((uint64_t)tag->sectors[1][0] << 16) |
+                  ((uint64_t)tag->sectors[1][1] << 24) |
+                  ((uint64_t)tag->sectors[1][2] << 32) |
+                  ((uint64_t)tag->sectors[1][3] << 40);
+	uint32_t uid =  ((uint32_t)tag->sectors[0][0]) |
+                  ((uint32_t)tag->sectors[0][1] << 8) |
+                  ((uint32_t)tag->sectors[0][2] << 16) |
+                  ((uint32_t)tag->sectors[0][3] << 24);
 	uint32_t iv_ = (((uint32_t)(iv[0]))) |
 			(((uint32_t)(iv[1])) << 8) |
 			(((uint32_t)(iv[2])) << 16) |
 			(((uint32_t)(iv[3])) << 24);
-	tag->cs.state = _hitag2_init(rev64(key), rev32(uid), rev32(iv_));
+	tag->cs = _hitag2_init(rev64(key), rev32(uid), rev32(iv_));
 }
 
-static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator_is)
+static int hitag2_cipher_authenticate(uint64_t* cs, const byte_t *authenticator_is)
 {
-	char authenticator_should[4];
-	authenticator_should[0] = ~_hitag2_byte(&(cs->state));
-	authenticator_should[1] = ~_hitag2_byte(&(cs->state));
-	authenticator_should[2] = ~_hitag2_byte(&(cs->state));
-	authenticator_should[3] = ~_hitag2_byte(&(cs->state));
-	return memcmp(authenticator_should, authenticator_is, 4) == 0;
+	byte_t authenticator_should[4];
+	authenticator_should[0] = ~_hitag2_byte(cs);
+	authenticator_should[1] = ~_hitag2_byte(cs);
+	authenticator_should[2] = ~_hitag2_byte(cs);
+	authenticator_should[3] = ~_hitag2_byte(cs);
+	return (memcmp(authenticator_should, authenticator_is, 4) == 0);
 }
 
-static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits)
+static int hitag2_cipher_transcrypt(uint64_t* cs, byte_t *data, unsigned int bytes, unsigned int bits)
 {
 	int i;
-	for(i=0; i<bytes; i++) data[i] ^= _hitag2_byte(&(cs->state));
-	for(i=0; i<bits; i++) data[bytes] ^= _hitag2_round(&(cs->state)) << (7-i);
+	for(i=0; i<bytes; i++) data[i] ^= _hitag2_byte(cs);
+	for(i=0; i<bits; i++) data[bytes] ^= _hitag2_round(cs) << (7-i);
 	return 0;
 }
+
+// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
+// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
+// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
+// T0 = TIMER_CLOCK1 / 125000 = 192
+#define T0 192
+
+#define SHORT_COIL()	LOW(GPIO_SSC_DOUT)
+#define OPEN_COIL()		HIGH(GPIO_SSC_DOUT)
+
+#define HITAG_FRAME_LEN 20
+#define HITAG_T_STOP  36 /* T_EOF should be > 36 */
+#define HITAG_T_LOW		8  /* T_LOW should be 4..10 */
+#define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
+#define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
+//#define HITAG_T_EOF   40 /* T_EOF should be > 36 */
+#define HITAG_T_EOF   80	 /* T_EOF should be > 36 */
+#define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
+#define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
+#define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
+
+#define HITAG_T_TAG_ONE_HALF_PERIOD			10
+#define HITAG_T_TAG_TWO_HALF_PERIOD			25
+#define HITAG_T_TAG_THREE_HALF_PERIOD		41 
+#define HITAG_T_TAG_FOUR_HALF_PERIOD    57 
+
+#define HITAG_T_TAG_HALF_PERIOD					16
+#define HITAG_T_TAG_FULL_PERIOD					32
+
+#define HITAG_T_TAG_CAPTURE_ONE_HALF		13
+#define HITAG_T_TAG_CAPTURE_TWO_HALF		25
+#define HITAG_T_TAG_CAPTURE_THREE_HALF	41 
+#define HITAG_T_TAG_CAPTURE_FOUR_HALF   57 
+
+
+static void hitag_send_bit(int bit) {
+	LED_A_ON();
+	// Reset clock for the next bit 
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+	
+	// Fixed modulation, earlier proxmark version used inverted signal
+	if(bit == 0) {
+		// Manchester: Unloaded, then loaded |__--|
+		LOW(GPIO_SSC_DOUT);
+		while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_HALF_PERIOD);
+		HIGH(GPIO_SSC_DOUT);
+		while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_FULL_PERIOD);
+	} else {
+		// Manchester: Loaded, then unloaded |--__|
+		HIGH(GPIO_SSC_DOUT);
+		while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_HALF_PERIOD);
+		LOW(GPIO_SSC_DOUT);
+		while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_FULL_PERIOD);
+	}
+	LED_A_OFF();
+}
+
+static void hitag_send_frame(const byte_t* frame, size_t frame_len)
+{
+	// Send start of frame
+	for(size_t i=0; i<5; i++) {
+		hitag_send_bit(1);
+	}
+
+	// Send the content of the frame
+	for(size_t i=0; i<frame_len; i++) {
+		hitag_send_bit((frame[i/8] >> (7-(i%8)))&1);
+	}
+
+	// Drop the modulation
+	LOW(GPIO_SSC_DOUT);
+}
+
+void hitag2_handle_reader_command(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen)
+{
+	byte_t rx_air[HITAG_FRAME_LEN];
+	
+	// Copy the (original) received frame how it is send over the air
+	memcpy(rx_air,rx,nbytes(rxlen));
+
+	if(tag.crypto_active) {
+		hitag2_cipher_transcrypt(&(tag.cs),rx,rxlen/8,rxlen%8);
+	}
+	
+	// Reset the transmission frame length 
+	*txlen = 0;
+	
+	// Try to find out which command was send by selecting on length (in bits)
+	switch (rxlen) {
+		// Received 11000 from the reader, request for UID, send UID 
+		case 05: {
+			// Always send over the air in the clear plaintext mode
+			if(rx_air[0] != 0xC0) {
+				// Unknown frame ?
+				return;
+			}
+			*txlen = 32;
+			memcpy(tx,tag.sectors[0],4);
+			tag.crypto_active = 0;
+		}
+		break;
+
+		// Read/Write command: ..xx x..y  yy with yyy == ~xxx, xxx is sector number 
+		case 10: {
+			unsigned int sector = (~( ((rx[0]<<2)&0x04) | ((rx[1]>>6)&0x03) ) & 0x07);
+			// Verify complement of sector index
+			if(sector != ((rx[0]>>3)&0x07)) {
+				//DbpString("Transmission error (read/write)");
+				return;
+			}
+
+			switch (rx[0] & 0xC6) {
+				// Read command: 11xx x00y
+				case 0xC0:
+					memcpy(tx,tag.sectors[sector],4);
+					*txlen = 32;
+				break;
+					
+				 // Inverted Read command: 01xx x10y
+				case 0x44:
+					for (size_t i=0; i<4; i++) {
+						tx[i] = tag.sectors[sector][i] ^ 0xff;
+					}
+					*txlen = 32;
+				break;
+
+				// Write command: 10xx x01y
+				case 0x82:
+					// Prepare write, acknowledge by repeating command
+					memcpy(tx,rx,nbytes(rxlen));
+					*txlen = rxlen;
+					tag.active_sector = sector;
+					tag.state=TAG_STATE_WRITING;
+				break;
+				
+				// Unknown command
+				default:
+					Dbprintf("Uknown command: %02x %02x",rx[0],rx[1]);
+					return;
+				break;
+			}
+		}
+		break;
+
+		// Writing data or Reader password
+		case 32: {
+			if(tag.state == TAG_STATE_WRITING) {
+				// These are the sector contents to be written. We don't have to do anything else.
+				memcpy(tag.sectors[tag.active_sector],rx,nbytes(rxlen));
+				tag.state=TAG_STATE_RESET;
+				return;
+			} else {
+				// Received RWD password, respond with configuration and our password
+				if(memcmp(rx,tag.sectors[1],4) != 0) {
+					DbpString("Reader password is wrong");
+					return;
+				}
+				*txlen = 32;
+				memcpy(tx,tag.sectors[3],4);
+			}
+		}
+		break;
+
+		// Received RWD authentication challenge and respnse
+		case 64: {
+			// Store the authentication attempt
+			if (auth_table_len < (AUTH_TABLE_LENGTH-8)) {
+				memcpy(auth_table+auth_table_len,rx,8);
+				auth_table_len += 8;
+			}
+
+			// Reset the cipher state
+			hitag2_cipher_reset(&tag,rx);
+			// Check if the authentication was correct
+			if(!hitag2_cipher_authenticate(&(tag.cs),rx+4)) {
+				// The reader failed to authenticate, do nothing
+				Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x Failed!",rx[0],rx[1],rx[2],rx[3],rx[4],rx[5],rx[6],rx[7]);
+				return;
+			}
+			// Succesful, but commented out reporting back to the Host, this may delay to much.
+			// Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x OK!",rx[0],rx[1],rx[2],rx[3],rx[4],rx[5],rx[6],rx[7]);
+
+			// Activate encryption algorithm for all further communication
+			tag.crypto_active = 1;
+
+			// Use the tag password as response
+			memcpy(tx,tag.sectors[3],4);
+			*txlen = 32;
+		}
+		break;
+	}
+
+//	LogTraceHitag(rx,rxlen,0,0,false);
+//	LogTraceHitag(tx,*txlen,0,0,true);
+	
+	if(tag.crypto_active) {
+		hitag2_cipher_transcrypt(&(tag.cs), tx, *txlen/8, *txlen%8);
+	}
+}
+
+static void hitag_reader_send_bit(int bit) {
+	LED_A_ON();
+	// Reset clock for the next bit 
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+	
+	// Binary puls length modulation (BPLM) is used to encode the data stream
+	// This means that a transmission of a one takes longer than that of a zero
+	
+	// Enable modulation, which means, drop the the field
+	HIGH(GPIO_SSC_DOUT);
+	
+	// Wait for 4-10 times the carrier period
+	while(AT91C_BASE_TC0->TC_CV < T0*6);
+	//	SpinDelayUs(8*8);
+	
+	// Disable modulation, just activates the field again
+	LOW(GPIO_SSC_DOUT);
+	
+	if(bit == 0) {
+		// Zero bit: |_-|
+		while(AT91C_BASE_TC0->TC_CV < T0*22);
+		//		SpinDelayUs(16*8);
+	} else {
+		// One bit: |_--|
+		while(AT91C_BASE_TC0->TC_CV < T0*28);
+		//		SpinDelayUs(22*8);
+	}
+	LED_A_OFF();
+}
+
+static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len)
+{
+	// Send the content of the frame
+	for(size_t i=0; i<frame_len; i++) {
+		hitag_reader_send_bit((frame[i/8] >> (7-(i%8)))&1);
+	}
+	// Send EOF 
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+	// Enable modulation, which means, drop the the field
+	HIGH(GPIO_SSC_DOUT);
+	// Wait for 4-10 times the carrier period
+	while(AT91C_BASE_TC0->TC_CV < T0*6);
+	// Disable modulation, just activates the field again
+	LOW(GPIO_SSC_DOUT);
+}
+
+size_t blocknr;
+
+bool hitag2_password(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
+	// Reset the transmission frame length
+	*txlen = 0;
+	
+	// Try to find out which command was send by selecting on length (in bits)
+	switch (rxlen) {
+		// No answer, try to resurrect
+		case 0: {
+			// Stop if there is no answer (after sending password)
+			if (bPwd) {
+				DbpString("Password failed!");
+				return false;
+			}
+			*txlen = 5;
+			memcpy(tx,"\xc0",nbytes(*txlen));
+		} break;
+			
+		// Received UID, tag password
+		case 32: {
+			if (!bPwd) {
+				*txlen = 32;
+				memcpy(tx,password,4);
+				bPwd = true;
+        memcpy(tag.sectors[blocknr],rx,4);
+        blocknr++;
+			} else {
+				
+			if(blocknr == 1){
+				//store password in block1, the TAG answers with Block3, but we need the password in memory
+				memcpy(tag.sectors[blocknr],tx,4);
+			}else{
+				memcpy(tag.sectors[blocknr],rx,4);
+			}
+			
+			blocknr++;
+			if (blocknr > 7) {
+			  DbpString("Read succesful!");
+        bSuccessful = true;
+			  return false;
+			}
+			*txlen = 10;
+			tx[0] = 0xc0 | (blocknr << 3) | ((blocknr^7) >> 2);
+			tx[1] = ((blocknr^7) << 6);
+			}
+		} break;
+			
+		// Unexpected response
+    default: {
+			Dbprintf("Uknown frame length: %d",rxlen);
+			return false;
+		} break;
+	}
+	return true;
+}
+
+bool hitag2_crypto(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
+	// Reset the transmission frame length
+	*txlen = 0;
+	
+  if(bCrypto) {
+		hitag2_cipher_transcrypt(&cipher_state,rx,rxlen/8,rxlen%8);
+	}
+
+	// Try to find out which command was send by selecting on length (in bits)
+	switch (rxlen) {
+      // No answer, try to resurrect
+		case 0: {
+			// Stop if there is no answer while we are in crypto mode (after sending NrAr)
+			if (bCrypto) {
+        // Failed during authentication
+        if (bAuthenticating) {
+          DbpString("Authentication failed!");
+          return false;
+        } else {
+          // Failed reading a block, could be (read/write) locked, skip block and re-authenticate
+          if (blocknr == 1) {
+            // Write the low part of the key in memory
+            memcpy(tag.sectors[1],key+2,4);
+          } else if (blocknr == 2) {
+            // Write the high part of the key in memory
+            tag.sectors[2][0] = 0x00;
+            tag.sectors[2][1] = 0x00;
+            tag.sectors[2][2] = key[0];
+            tag.sectors[2][3] = key[1];
+          } else {
+            // Just put zero's in the memory (of the unreadable block)
+            memset(tag.sectors[blocknr],0x00,4);
+          }
+          blocknr++;
+          bCrypto = false;
+        }
+			} else {
+        *txlen = 5;
+        memcpy(tx,"\xc0",nbytes(*txlen));
+      }
+		} break;
+			
+      // Received UID, crypto tag answer
+		case 32: {
+			if (!bCrypto) {
+        uint64_t ui64key = key[0] | ((uint64_t)key[1]) << 8 | ((uint64_t)key[2]) << 16 | ((uint64_t)key[3]) << 24 | ((uint64_t)key[4]) << 32 | ((uint64_t)key[5]) << 40;
+        uint32_t ui32uid = rx[0] | ((uint32_t)rx[1]) << 8 | ((uint32_t)rx[2]) << 16 | ((uint32_t)rx[3]) << 24;
+        cipher_state = _hitag2_init(rev64(ui64key), rev32(ui32uid), 0);
+        memset(tx,0x00,4);
+        memset(tx+4,0xff,4);
+        hitag2_cipher_transcrypt(&cipher_state,tx+4,4,0);
+				*txlen = 64;
+				bCrypto = true;
+        bAuthenticating = true;
+			} else {
+        // Check if we received answer tag (at)
+        if (bAuthenticating) {
+          bAuthenticating = false;
+        } else {
+          // Store the received block
+          memcpy(tag.sectors[blocknr],rx,4);
+          blocknr++;
+        }
+        if (blocknr > 7) {
+          DbpString("Read succesful!");
+          bSuccessful = true;
+          return false;
+        }
+        *txlen = 10;
+        tx[0] = 0xc0 | (blocknr << 3) | ((blocknr^7) >> 2);
+        tx[1] = ((blocknr^7) << 6);
+			}
+		} break;
+			
+      // Unexpected response
+		default: {
+			Dbprintf("Uknown frame length: %d",rxlen);
+			return false;
+		} break;
+	}
+	
+  
+  if(bCrypto) {
+    // We have to return now to avoid double encryption
+    if (!bAuthenticating) {
+      hitag2_cipher_transcrypt(&cipher_state,tx,*txlen/8,*txlen%8);
+    }
+	}
+
+	return true;
+}
+
+
+bool hitag2_authenticate(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
+	// Reset the transmission frame length 
+	*txlen = 0;
+	
+	// Try to find out which command was send by selecting on length (in bits)
+	switch (rxlen) {
+		// No answer, try to resurrect
+		case 0: {
+			// Stop if there is no answer while we are in crypto mode (after sending NrAr)
+			if (bCrypto) {
+				DbpString("Authentication failed!");
+				return false;
+			}
+			*txlen = 5;
+			memcpy(tx,"\xc0",nbytes(*txlen));
+		} break;
+			
+		// Received UID, crypto tag answer
+		case 32: {
+			if (!bCrypto) {
+				*txlen = 64;
+				memcpy(tx,NrAr,8);
+				bCrypto = true;
+			} else {
+				DbpString("Authentication succesful!");
+				// We are done... for now
+				return false;
+			}
+		} break;
+			
+		// Unexpected response
+		default: {
+			Dbprintf("Uknown frame length: %d",rxlen);
+			return false;
+		} break;
+	}
+	
+	return true;
+}
+
+bool hitag2_test_auth_attempts(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
+	// Reset the transmission frame length 
+	*txlen = 0;
+	
+	// Try to find out which command was send by selecting on length (in bits)
+	switch (rxlen) {
+			// No answer, try to resurrect
+		case 0: {
+			// Stop if there is no answer while we are in crypto mode (after sending NrAr)
+			if (bCrypto) {
+				Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x Failed, removed entry!",NrAr[0],NrAr[1],NrAr[2],NrAr[3],NrAr[4],NrAr[5],NrAr[6],NrAr[7]);
+
+        // Removing failed entry from authentiations table
+        memcpy(auth_table+auth_table_pos,auth_table+auth_table_pos+8,8);
+        auth_table_len -= 8;
+
+        // Return if we reached the end of the authentiactions table
+				bCrypto = false;
+				if (auth_table_pos == auth_table_len) {
+					return false;
+				}
+        
+        // Copy the next authentication attempt in row (at the same position, b/c we removed last failed entry)
+				memcpy(NrAr,auth_table+auth_table_pos,8);
+			}
+			*txlen = 5;
+			memcpy(tx,"\xc0",nbytes(*txlen));
+		}	break;
+			
+			// Received UID, crypto tag answer, or read block response
+		case 32: {
+			if (!bCrypto) {
+				*txlen = 64;
+				memcpy(tx,NrAr,8);
+				bCrypto = true;
+			} else {
+				Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x OK",NrAr[0],NrAr[1],NrAr[2],NrAr[3],NrAr[4],NrAr[5],NrAr[6],NrAr[7]);
+				bCrypto = false;
+				if ((auth_table_pos+8) == auth_table_len) {
+					return false;
+				}
+				auth_table_pos += 8;
+				memcpy(NrAr,auth_table+auth_table_pos,8);
+			}
+		} break;
+			
+		default: {
+			Dbprintf("Uknown frame length: %d",rxlen);
+			return false;
+		} break;
+	}
+	
+	return true;
+}
+
+void SnoopHitag(uint32_t type) {
+	int frame_count;
+	int response;
+	int overflow;
+	bool rising_edge;
+	bool reader_frame;
+	int lastbit;
+	bool bSkip;
+	int tag_sof;
+	byte_t rx[HITAG_FRAME_LEN];
+	size_t rxlen=0;
+	
+	// Clean up trace and prepare it for storing frames
+	iso14a_set_tracing(TRUE);
+	iso14a_clear_trace();
+
+	auth_table_len = 0;
+	auth_table_pos = 0;
+	memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
+	
+	DbpString("Starting Hitag2 snoop");
+	LED_D_ON();
+	
+	// Set up eavesdropping mode, frequency divisor which will drive the FPGA
+	// and analog mux selection.
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
+	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+	RELAY_OFF();
+	
+	// Configure output pin that is connected to the FPGA (for modulating)
+	AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+	AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+
+	// Disable modulation, we are going to eavesdrop, not modulate ;)
+	LOW(GPIO_SSC_DOUT);
+	
+	// Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
+	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
+	AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
+	
+  // Disable timer during configuration	
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+	
+	// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
+	// external trigger rising edge, load RA on rising edge of TIOA.
+	uint32_t t1_channel_mode = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_BOTH | AT91C_TC_ABETRG | AT91C_TC_LDRA_BOTH;
+	AT91C_BASE_TC1->TC_CMR = t1_channel_mode;
+	
+	// Enable and reset counter
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	
+	// Reset the received frame, frame count and timing info
+	memset(rx,0x00,sizeof(rx));
+	frame_count = 0;
+	response = 0;
+	overflow = 0;
+	reader_frame = false;
+	lastbit = 1;
+	bSkip = true;
+	tag_sof = 4;
+	
+	while(!BUTTON_PRESS()) {
+		// Watchdog hit
+		WDT_HIT();
+		
+		// Receive frame, watch for at most T0*EOF periods
+		while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_EOF) {
+			// Check if rising edge in modulation is detected
+			if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
+				// Retrieve the new timing values 
+				int ra = (AT91C_BASE_TC1->TC_RA/T0);
+				
+				// Find out if we are dealing with a rising or falling edge
+				rising_edge = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME) > 0;
+
+				// Shorter periods will only happen with reader frames
+				if (!reader_frame && rising_edge && ra < HITAG_T_TAG_CAPTURE_ONE_HALF) {
+					// Switch from tag to reader capture
+					LED_C_OFF();
+					reader_frame = true;
+					memset(rx,0x00,sizeof(rx));
+					rxlen = 0;
+				}
+				
+				// Only handle if reader frame and rising edge, or tag frame and falling edge
+				if (reader_frame != rising_edge) {
+				  overflow += ra;
+					continue;
+				}
+				
+				// Add the buffered timing values of earlier captured edges which were skipped
+				ra += overflow;
+				overflow = 0;
+				
+				if (reader_frame) {
+					LED_B_ON();
+					// Capture reader frame
+					if(ra >= HITAG_T_STOP) {
+						if (rxlen != 0) {
+							//DbpString("wierd0?");
+						}
+						// Capture the T0 periods that have passed since last communication or field drop (reset)
+						response = (ra - HITAG_T_LOW);
+					} else if(ra >= HITAG_T_1_MIN ) {
+						// '1' bit 
+						rx[rxlen / 8] |= 1 << (7-(rxlen%8));
+						rxlen++;
+					} else if(ra >= HITAG_T_0_MIN) {
+						// '0' bit 
+						rx[rxlen / 8] |= 0 << (7-(rxlen%8));
+						rxlen++;
+					} else {
+						// Ignore wierd value, is to small to mean anything
+					}
+				} else {
+					LED_C_ON();
+					// Capture tag frame (manchester decoding using only falling edges)
+					if(ra >= HITAG_T_EOF) {
+						if (rxlen != 0) {
+							//DbpString("wierd1?");
+						}
+						// Capture the T0 periods that have passed since last communication or field drop (reset)
+						// We always recieve a 'one' first, which has the falling edge after a half period |-_|
+						response = ra-HITAG_T_TAG_HALF_PERIOD;
+					} else if(ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
+						// Manchester coding example |-_|_-|-_| (101)
+						rx[rxlen / 8] |= 0 << (7-(rxlen%8));
+						rxlen++;
+						rx[rxlen / 8] |= 1 << (7-(rxlen%8));
+						rxlen++;
+					} else if(ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
+						// Manchester coding example |_-|...|_-|-_| (0...01)
+						rx[rxlen / 8] |= 0 << (7-(rxlen%8));
+						rxlen++;
+						// We have to skip this half period at start and add the 'one' the second time 
+						if (!bSkip) {
+							rx[rxlen / 8] |= 1 << (7-(rxlen%8));
+							rxlen++;
+						}
+						lastbit = !lastbit;
+						bSkip = !bSkip;
+					} else if(ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
+						// Manchester coding example |_-|_-| (00) or |-_|-_| (11)
+						if (tag_sof) {
+							// Ignore bits that are transmitted during SOF
+							tag_sof--;
+						} else {
+							// bit is same as last bit
+							rx[rxlen / 8] |= lastbit << (7-(rxlen%8));
+							rxlen++;
+						}
+					} else {
+						// Ignore wierd value, is to small to mean anything
+					}
+				}
+			}
+		}
+		
+		// Check if frame was captured
+		if(rxlen > 0) {
+			frame_count++;
+			if (!LogTraceHitag(rx,rxlen,response,0,reader_frame)) {
+				DbpString("Trace full");
+				break;
+			}
+
+			// Check if we recognize a valid authentication attempt
+			if (nbytes(rxlen) == 8) {
+				// Store the authentication attempt
+				if (auth_table_len < (AUTH_TABLE_LENGTH-8)) {
+					memcpy(auth_table+auth_table_len,rx,8);
+					auth_table_len += 8;
+				}
+			}
+			
+			// Reset the received frame and response timing info
+			memset(rx,0x00,sizeof(rx));
+			response = 0;
+			reader_frame = false;
+			lastbit = 1;
+			bSkip = true;
+			tag_sof = 4;
+			overflow = 0;
+			
+			LED_B_OFF();
+			LED_C_OFF();
+		} else {
+			// Save the timer overflow, will be 0 when frame was received
+			overflow += (AT91C_BASE_TC1->TC_CV/T0);
+		}
+		// Reset the frame length
+		rxlen = 0;
+		// Reset the timer to restart while-loop that receives frames
+		AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
+	}
+    LED_A_ON();
+	LED_B_OFF();
+	LED_C_OFF();
+	LED_D_OFF();
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+    AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+    LED_A_OFF();
+	
+//	Dbprintf("frame received: %d",frame_count);
+//	Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
+//	DbpString("All done");
+}
+
+void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
+	int frame_count;
+	int response;
+	int overflow;
+	byte_t rx[HITAG_FRAME_LEN];
+	size_t rxlen=0;
+	byte_t tx[HITAG_FRAME_LEN];
+	size_t txlen=0;
+	bool bQuitTraceFull = false;
+	bQuiet = false;
+	
+	// Clean up trace and prepare it for storing frames
+  iso14a_set_tracing(TRUE);
+  iso14a_clear_trace();
+	auth_table_len = 0;
+	auth_table_pos = 0;
+	memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
+
+	DbpString("Starting Hitag2 simulation");
+	LED_D_ON();
+	hitag2_init();
+	
+	if (tag_mem_supplied) {
+		DbpString("Loading hitag2 memory...");
+		memcpy((byte_t*)tag.sectors,data,48);
+	}
+
+	uint32_t block = 0;
+	for (size_t i=0; i<12; i++) {
+		for (size_t j=0; j<4; j++) {
+			block <<= 8;
+			block |= tag.sectors[i][j];
+		}
+		Dbprintf("| %d | %08x |",i,block);
+	}
+	
+	// Set up simulator mode, frequency divisor which will drive the FPGA
+	// and analog mux selection.
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
+	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+	RELAY_OFF();
+
+	// Configure output pin that is connected to the FPGA (for modulating)
+	AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+	AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+
+	// Disable modulation at default, which means release resistance
+	LOW(GPIO_SSC_DOUT);
+	
+	// Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
+	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
+	
+	// Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
+	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
+	AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
+	
+  // Disable timer during configuration	
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+
+	// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
+	// external trigger rising edge, load RA on rising edge of TIOA.
+	AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
+	
+	// Enable and reset counter
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+	// Reset the received frame, frame count and timing info
+	memset(rx,0x00,sizeof(rx));
+	frame_count = 0;
+	response = 0;
+	overflow = 0;
+	
+	while(!BUTTON_PRESS()) {
+		// Watchdog hit
+		WDT_HIT();
+		
+		// Receive frame, watch for at most T0*EOF periods
+		while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_EOF) {
+			// Check if rising edge in modulation is detected
+			if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
+				// Retrieve the new timing values 
+				int ra = (AT91C_BASE_TC1->TC_RA/T0) + overflow;
+				overflow = 0;
+
+				// Reset timer every frame, we have to capture the last edge for timing
+				AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+				
+				LED_B_ON();
+				
+				// Capture reader frame
+				if(ra >= HITAG_T_STOP) {
+					if (rxlen != 0) {
+						//DbpString("wierd0?");
+					}
+					// Capture the T0 periods that have passed since last communication or field drop (reset)
+					response = (ra - HITAG_T_LOW);
+				} else if(ra >= HITAG_T_1_MIN ) {
+					// '1' bit 
+					rx[rxlen / 8] |= 1 << (7-(rxlen%8));
+					rxlen++;
+				} else if(ra >= HITAG_T_0_MIN) {
+					// '0' bit 
+					rx[rxlen / 8] |= 0 << (7-(rxlen%8));
+					rxlen++;
+				} else {
+					// Ignore wierd value, is to small to mean anything
+				}
+			}
+		}
+		
+		// Check if frame was captured
+		if(rxlen > 4) {
+			frame_count++;
+			if (!bQuiet) {
+				if (!LogTraceHitag(rx,rxlen,response,0,true)) {
+					DbpString("Trace full");
+					if (bQuitTraceFull) {
+						break;
+					} else {
+						bQuiet = true;
+					}
+				}
+			}
+			
+			// Disable timer 1 with external trigger to avoid triggers during our own modulation
+			AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+
+			// Process the incoming frame (rx) and prepare the outgoing frame (tx)
+			hitag2_handle_reader_command(rx,rxlen,tx,&txlen);
+			
+			// Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
+			// not that since the clock counts since the rising edge, but T_Wait1 is
+			// with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
+			// periods. The gap time T_Low varies (4..10). All timer values are in 
+			// terms of T0 units
+			while(AT91C_BASE_TC0->TC_CV < T0*(HITAG_T_WAIT_1-HITAG_T_LOW));
+
+			// Send and store the tag answer (if there is any)
+			if (txlen) {
+				// Transmit the tag frame
+				hitag_send_frame(tx,txlen);
+				// Store the frame in the trace
+				if (!bQuiet) {
+					if (!LogTraceHitag(tx,txlen,0,0,false)) {
+						DbpString("Trace full");
+						if (bQuitTraceFull) {
+							break;
+						} else {
+							bQuiet = true;
+						}
+					}
+				}
+			}
+			
+			// Reset the received frame and response timing info
+			memset(rx,0x00,sizeof(rx));
+			response = 0;
+			
+			// Enable and reset external trigger in timer for capturing future frames
+			AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+			LED_B_OFF();
+		}
+		// Reset the frame length
+		rxlen = 0;
+		// Save the timer overflow, will be 0 when frame was received
+		overflow += (AT91C_BASE_TC1->TC_CV/T0);
+		// Reset the timer to restart while-loop that receives frames
+		AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
+	}
+	LED_B_OFF();
+	LED_D_OFF();
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+//	Dbprintf("frame received: %d",frame_count);
+//	Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
+//	DbpString("All done");
+}
+
+void ReaderHitag(hitag_function htf, hitag_data* htd) {
+	int frame_count;
+	int response;
+	byte_t rx[HITAG_FRAME_LEN];
+	size_t rxlen=0;
+	byte_t txbuf[HITAG_FRAME_LEN];
+	byte_t* tx = txbuf;
+	size_t txlen=0;
+	int lastbit;
+	bool bSkip;
+	int reset_sof; 
+	int tag_sof;
+	int t_wait = HITAG_T_WAIT_MAX;
+	bool bStop;
+	bool bQuitTraceFull = false;
+  
+  // Reset the return status
+  bSuccessful = false;
+  
+	// Clean up trace and prepare it for storing frames
+  iso14a_set_tracing(TRUE);
+  iso14a_clear_trace();
+	DbpString("Starting Hitag reader family");
+
+	// Check configuration
+	switch(htf) {
+		case RHT2F_PASSWORD: {
+      Dbprintf("List identifier in password mode");
+			memcpy(password,htd->pwd.password,4);
+      blocknr = 0;
+			bQuitTraceFull = false;
+			bQuiet = false;
+			bPwd = false;
+		} break;
+      
+		case RHT2F_AUTHENTICATE: {
+			DbpString("Authenticating using nr,ar pair:");
+			memcpy(NrAr,htd->auth.NrAr,8);
+			Dbhexdump(8,NrAr,false);
+			bQuiet = false;
+			bCrypto = false;
+      bAuthenticating = false;
+			bQuitTraceFull = true;
+		} break;
+      
+		case RHT2F_CRYPTO: {
+			DbpString("Authenticating using key:");
+			memcpy(key,htd->crypto.key,6);
+			Dbhexdump(6,key,false);
+      blocknr = 0;
+			bQuiet = false;
+			bCrypto = false;
+      bAuthenticating = false;
+			bQuitTraceFull = true;
+		} break;
+
+		case RHT2F_TEST_AUTH_ATTEMPTS: {
+			Dbprintf("Testing %d authentication attempts",(auth_table_len/8));
+			auth_table_pos = 0;
+			memcpy(NrAr,auth_table,8);
+			bQuitTraceFull = false;
+			bQuiet = false;
+			bCrypto = false;
+		} break;
+			
+		default: {
+			Dbprintf("Error, unknown function: %d",htf);
+			return;
+		} break;
+	}
+	
+	LED_D_ON();
+	hitag2_init();
+	
+	// Configure output and enable pin that is connected to the FPGA (for modulating)
+	AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+	AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+	
+	// Set fpga in edge detect with reader field, we can modulate as reader now
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
+
+	// Set Frequency divisor which will drive the FPGA and analog mux selection
+	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+	RELAY_OFF();
+
+	// Disable modulation at default, which means enable the field
+	LOW(GPIO_SSC_DOUT);
+
+	// Give it a bit of time for the resonant antenna to settle.
+	SpinDelay(30);
+	
+	// Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
+	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
+
+	// Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
+	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
+	AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
+	
+    // Disable timer during configuration	
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+	
+	// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
+	// external trigger rising edge, load RA on falling edge of TIOA.
+	AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
+	
+	// Enable and reset counters
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+	// Reset the received frame, frame count and timing info
+	frame_count = 0;
+	response = 0;
+	lastbit = 1;
+	bStop = false;
+
+  // Tag specific configuration settings (sof, timings, etc.)
+  if (htf < 10){
+    // hitagS settings
+    reset_sof = 1;
+    t_wait = 200;
+    DbpString("Configured for hitagS reader");
+  } else if (htf < 20) {
+    // hitag1 settings
+    reset_sof = 1;
+    t_wait = 200;
+    DbpString("Configured for hitag1 reader");
+  } else if (htf < 30) {
+    // hitag2 settings
+    reset_sof = 4;
+    t_wait = HITAG_T_WAIT_2;
+    DbpString("Configured for hitag2 reader");
+	} else {
+    Dbprintf("Error, unknown hitag reader type: %d",htf);
+    return;
+  }
+		
+	while(!bStop && !BUTTON_PRESS()) {
+		// Watchdog hit
+		WDT_HIT();
+		
+		// Check if frame was captured and store it
+		if(rxlen > 0) {
+			frame_count++;
+			if (!bQuiet) {
+				if (!LogTraceHitag(rx,rxlen,response,0,false)) {
+					DbpString("Trace full");
+					if (bQuitTraceFull) {
+						break;
+					} else {
+						bQuiet = true;
+					}
+				}
+			}
+		}
+		
+		// By default reset the transmission buffer
+		tx = txbuf;
+		switch(htf) {
+			case RHT2F_PASSWORD: {
+				bStop = !hitag2_password(rx,rxlen,tx,&txlen);
+			} break;
+			case RHT2F_AUTHENTICATE: {
+				bStop = !hitag2_authenticate(rx,rxlen,tx,&txlen);
+			} break;
+			case RHT2F_CRYPTO: {
+				bStop = !hitag2_crypto(rx,rxlen,tx,&txlen);
+			} break;
+			case RHT2F_TEST_AUTH_ATTEMPTS: {
+				bStop = !hitag2_test_auth_attempts(rx,rxlen,tx,&txlen);
+			} break;
+			default: {
+				Dbprintf("Error, unknown function: %d",htf);
+				return;
+			} break;
+		}
+		
+		// Send and store the reader command
+		// Disable timer 1 with external trigger to avoid triggers during our own modulation
+		AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+			
+		// Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
+		// Since the clock counts since the last falling edge, a 'one' means that the
+		// falling edge occured halfway the period. with respect to this falling edge,
+		// we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
+		// All timer values are in terms of T0 units
+		while(AT91C_BASE_TC0->TC_CV < T0*(t_wait+(HITAG_T_TAG_HALF_PERIOD*lastbit)));
+		
+		// Transmit the reader frame
+		hitag_reader_send_frame(tx,txlen);
+
+		// Enable and reset external trigger in timer for capturing future frames
+		AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+		// Add transmitted frame to total count
+		if(txlen > 0) {
+			frame_count++;
+			if (!bQuiet) {
+				// Store the frame in the trace
+				if (!LogTraceHitag(tx,txlen,HITAG_T_WAIT_2,0,true)) {
+					if (bQuitTraceFull) {
+						break;
+					} else {
+						bQuiet = true;
+					}
+				}
+			}
+		}
+				
+		// Reset values for receiving frames
+		memset(rx,0x00,sizeof(rx));
+		rxlen = 0;
+		lastbit = 1;
+		bSkip = true;
+		tag_sof = reset_sof;
+		response = 0;
+		
+		// Receive frame, watch for at most T0*EOF periods
+		while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_WAIT_MAX) {
+			// Check if falling edge in tag modulation is detected
+			if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
+				// Retrieve the new timing values 
+				int ra = (AT91C_BASE_TC1->TC_RA/T0);
+				
+				// Reset timer every frame, we have to capture the last edge for timing
+				AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+				
+				LED_B_ON();
+				
+				// Capture tag frame (manchester decoding using only falling edges)
+				if(ra >= HITAG_T_EOF) {
+					if (rxlen != 0) {
+						//DbpString("wierd1?");
+					}
+					// Capture the T0 periods that have passed since last communication or field drop (reset)
+					// We always recieve a 'one' first, which has the falling edge after a half period |-_|
+					response = ra-HITAG_T_TAG_HALF_PERIOD;
+				} else if(ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
+					// Manchester coding example |-_|_-|-_| (101)
+					rx[rxlen / 8] |= 0 << (7-(rxlen%8));
+					rxlen++;
+					rx[rxlen / 8] |= 1 << (7-(rxlen%8));
+					rxlen++;
+				} else if(ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
+					// Manchester coding example |_-|...|_-|-_| (0...01)
+					rx[rxlen / 8] |= 0 << (7-(rxlen%8));
+					rxlen++;
+					// We have to skip this half period at start and add the 'one' the second time 
+					if (!bSkip) {
+						rx[rxlen / 8] |= 1 << (7-(rxlen%8));
+						rxlen++;
+					}
+					lastbit = !lastbit;
+					bSkip = !bSkip;
+				} else if(ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
+					// Manchester coding example |_-|_-| (00) or |-_|-_| (11)
+					if (tag_sof) {
+						// Ignore bits that are transmitted during SOF
+						tag_sof--;
+					} else {
+						// bit is same as last bit
+						rx[rxlen / 8] |= lastbit << (7-(rxlen%8));
+						rxlen++;
+					}
+				} else {
+					// Ignore wierd value, is to small to mean anything
+				}
+			}
+
+			// We can break this loop if we received the last bit from a frame
+			if (AT91C_BASE_TC1->TC_CV > T0*HITAG_T_EOF) {
+				if (rxlen>0) break;
+			}
+		}
+	}
+	LED_B_OFF();
+	LED_D_OFF();
+	AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+	AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+	Dbprintf("frame received: %d",frame_count);
+  DbpString("All done");
+  cmd_send(CMD_ACK,bSuccessful,0,0,(byte_t*)tag.sectors,48);
+}