diff --git a/README.md b/README.md
index a5c6e25b9..7ace5a53e 100644
--- a/README.md
+++ b/README.md
@@ -40,11 +40,11 @@ File management:
 Internal TX improvements:
 - [ ] Attempt downstream modulation techniques in addition to upstream, like the LF RFID worker does when writing.
 - [ ] Implement using the timer system, rather than direct-writing to pins
-- [ ] Use the NFC (HF RFID) coil instead of or in addition to the LF coil (likely unfruitful from initial tests; we can enable/disable the oscillating field, but even with transparent mode to the ST25R3916, it seems we don't get low-enough-level control to pull it high/low correctly)
+- [X] Use the NFC (HF RFID) coil instead of or in addition to the LF coil (likely unfruitful from initial tests; we can enable/disable the oscillating field, but even with transparent mode to the ST25R3916, it seems we don't get low-enough-level control to pull it high/low correctly)
 - [ ] Add "subcarriers" to each half-bit transmitted (wiggle the pin high and low rapidly)
 - [ ] Piezo subcarrier tests
 - [ ] LF subcarrier tests
- - [ ] Retry NFC oscillating field?
+ - [X] Retry NFC oscillating field?
 External RX options:
 1. [TTL / PS/2 mag reader connected to UART](https://www.alibaba.com/product-detail/Mini-portable-12-3-tracks-usb_60679900708.html) (bulky, harder to source, but likely easiest to read over GPIO, and means one can read all tracks)
diff --git a/application.fam b/application.fam
index 47bc1446e..3b2551c2f 100644
--- a/application.fam
+++ b/application.fam
@@ -16,7 +16,7 @@ App(
 fap_icon="icons/mag_10px.png",
 fap_category="Tools",
 fap_icon_assets="icons",
- fap_version=(0, 4), # major, minor
+ fap_version=(0, 5), # major, minor
 fap_description="WIP MagSpoof port using the RFID subsystem",
 fap_author="Zachary Weiss",
 fap_weburl="https://github.com/zacharyweiss/magspoof_flipper",
diff --git a/helpers/mag_helpers.c b/helpers/mag_helpers.c
index 7e386d6fe..c95d13e7a 100644
--- a/helpers/mag_helpers.c
+++ b/helpers/mag_helpers.c
@@ -22,6 +22,10 @@ void play_halfbit(bool value, MagSetting* setting) {
 switch(setting->tx) {
 case MagTxStateRFID:
 furi_hal_gpio_write(RFID_PIN_OUT, value);
+ /*furi_hal_gpio_write(RFID_PIN_OUT, !value);
+ furi_hal_gpio_write(RFID_PIN_OUT, value);
+ furi_hal_gpio_write(RFID_PIN_OUT, !value);
+ furi_hal_gpio_write(RFID_PIN_OUT, value);*/
 break;
 case MagTxStateGPIO:
 furi_hal_gpio_write(GPIO_PIN_A, value);
@@ -29,10 +33,44 @@ void play_halfbit(bool value, MagSetting* setting) {
 break;
 case MagTxStatePiezo:
 furi_hal_gpio_write(&gpio_speaker, value);
+ /*furi_hal_gpio_write(&gpio_speaker, !value);
+ furi_hal_gpio_write(&gpio_speaker, value);
+ furi_hal_gpio_write(&gpio_speaker, !value);
+ furi_hal_gpio_write(&gpio_speaker, value);*/
+ break;
 case MagTxStateLF_P:
 furi_hal_gpio_write(RFID_PIN_OUT, value);
 furi_hal_gpio_write(&gpio_speaker, value);
+
+ /* // Weaker but cleaner signal
+ if(value) {
+ furi_hal_gpio_write(RFID_PIN_OUT, value);
+ furi_hal_gpio_write(&gpio_speaker, value);
+ furi_delay_us(10);
+ furi_hal_gpio_write(RFID_PIN_OUT, !value);
+ furi_hal_gpio_write(&gpio_speaker, !value);
+ } else {
+ furi_delay_us(10);
+ }*/
+
+ /*furi_hal_gpio_write(RFID_PIN_OUT, value);
+ furi_hal_gpio_write(&gpio_speaker, value);
+ furi_hal_gpio_write(RFID_PIN_OUT, !value);
+ furi_hal_gpio_write(&gpio_speaker, !value);
+ furi_hal_gpio_write(RFID_PIN_OUT, value);
+ furi_hal_gpio_write(&gpio_speaker, value);*/
+ break;
+ case MagTxStateNFC:
+ // turn on for duration of half-bit? or "blip" the field on / off?
+ // getting nothing from the mag reader either way
+ //(value) ? furi_hal_nfc_ll_txrx_on() : furi_hal_nfc_ll_txrx_off();
+
+ if(last_value == 2 || value != (bool)last_value) {
+ furi_hal_nfc_ll_txrx_on();
+ //furi_delay_us(64);
+ furi_hal_nfc_ll_txrx_off();
+ }
 break;
 case MagTxCC1101_434:
 case MagTxCC1101_868:
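Review bot: The -22 hunk adds four commented-out `furi_hal_gpio_write` calls to the RFID arm, and the -29 hunk adds three more such blocks to the Piezo and LF_P arms; commented-out code inside a switch that mag_spoof calls once per half-bit under FURI_CRITICAL_ENTER() makes the live path hard to follow, and nothing records why each variant was set aside. Replace each block with a single line stating what was tried, e.g. `// Tried: double-toggle "subcarrier" on RFID_PIN_OUT within one half-bit; see README TX checklist`, and keep the experiment history in the README checklist that this commit already updates. play_halfbit's body starts before the hunk.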
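Review bot: In the new MagTxStateNFC arm, `last_value` is read but never assigned anywhere in the hunk, so unless it is updated after the switch (play_halfbit continues past the hunk) the `== 2` sentinel makes the field pulse on every half-bit instead of only on level changes; a comment at the condition, `// pulse on the first half-bit (last_value == 2: no previous level) and on every level change`, would make the intended contract checkable. The literal `2` should be a named constant next to wherever `last_value` is declared, e.g. `#define LAST_VALUE_NONE 2`, and used in both places. The pulse width is also implicit: `furi_hal_nfc_ll_txrx_on()` is followed immediately by `furi_hal_nfc_ll_txrx_off()` with `furi_delay_us(64)` commented out, so the field is on only for however long the two HAL calls take; if that is deliberate, say so in a comment in place of the commented-out delay.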
@@ -167,6 +205,9 @@ bool tx_init(MagSetting* setting) {
 tx_init_piezo();
 tx_init_rfid();
 break;
+ case MagTxStateNFC:
+ furi_hal_nfc_exit_sleep();
+ break;
 case MagTxCC1101_434:
 tx_init_rf(434000000);
 break;
@@ -202,6 +243,10 @@ bool tx_deinit(MagSetting* setting) {
 tx_deinit_piezo();
 tx_deinit_rfid();
 break;
+ case MagTxStateNFC:
+ furi_hal_nfc_ll_txrx_off();
+ furi_hal_nfc_start_sleep();
+ break;
 case MagTxCC1101_434:
 case MagTxCC1101_868:
 furi_hal_gpio_write(&gpio_cc1101_g0, false);
@@ -251,7 +296,11 @@ void mag_spoof(Mag* mag) {
 data3, (uint8_t*)bits_t3_manchester, (uint8_t*)bits_t3_raw, bitlen[2], sublen[2]);
 if(furi_log_get_level() >= FuriLogLevelDebug) {
- printf("Manchester bitcount: T1: %d, T2: %d\r\n", bits_t1_count, bits_t2_count);
+ printf(
+ "Manchester bitcount: T1: %d, T2: %d, T3: %d\r\n",
+ bits_t1_count,
+ bits_t2_count,
+ bits_t3_count);
 printf("T1 raw: ");
 for(int i = 0; i < bits_t1_count / 16; i++) printf("%02x ", bits_t1_raw[i]);
 printf("\r\nT1 manchester: ");
@@ -275,7 +324,7 @@ void mag_spoof(Mag* mag) {
 FURI_CRITICAL_ENTER();
 for(uint16_t i = 0; i < (ZERO_PREFIX * 2); i++) { // is this right?
- bit ^= 0xFF;
+ if(!!(i % 2)) bit ^= 1;
 play_halfbit(bit, setting);
 furi_delay_us(setting->us_clock);
 }
@@ -285,7 +334,7 @@ void mag_spoof(Mag* mag) {
 if((setting->track == MagTrackStateOneAndTwo))
 for(uint16_t i = 0; i < (ZERO_BETWEEN * 2); i++) {
- bit ^= 0xFF;
+ if(!!(i % 2)) bit ^= 1;
 play_halfbit(bit, setting);
 furi_delay_us(setting->us_clock);
 }
@@ -301,7 +350,7 @@ void mag_spoof(Mag* mag) {
 play_track((uint8_t*)bits_t3_manchester, bits_t3_count, setting, false);
 for(uint16_t i = 0; i < (ZERO_SUFFIX * 2); i++) {
- bit ^= 0xFF;
+ if(!!(i % 2)) bit ^= 1;
 play_halfbit(bit, setting);
 furi_delay_us(setting->us_clock);
 }
diff --git a/helpers/mag_types.h b/helpers/mag_types.h
index 286d6d882..196b73016 100644
--- a/helpers/mag_types.h
+++ b/helpers/mag_types.h
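Review bot: The NFC arm added to tx_init only calls `furi_hal_nfc_exit_sleep()` and does not re-arm the state that play_halfbit's `last_value == 2` first-pulse check depends on, so a second emulation run in the same session may skip the pulse on its first half-bit unless that variable is reset elsewhere (tx_init's body starts and ends outside the hunk, so this may already happen there). If `last_value` is the file-scope variable it appears to be, reset it beside the wake-up call, `last_value = 2; // re-arm play_halfbit's first-pulse sentinel`, and give the -202 tx_deinit arm a one-line comment on why `furi_hal_nfc_ll_txrx_off()` must precede `furi_hal_nfc_start_sleep()` so the ordering is not "simplified" later.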
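Review bot: The replacement line `if(!!(i % 2)) bit ^= 1;` is repeated verbatim in the -275, -285 and -301 loops; the `!!` is redundant inside an if condition, and `^= 1` on a value that is then passed as the `bool` argument of play_halfbit reads as an integer trick rather than a toggle. Suggest `if(i % 2) bit = !bit; // toggle once per bit period so the padding plays zeros (loop runs over half-bits)` in each loop, or, better, one `static` helper that plays a given number of zero bits so the padding cadence lives in a single place. The `// is this right?` comment on the -275 loop should be resolved or removed now that the cadence has been changed. mag_spoof's body starts and ends outside these hunks.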
@@ -1,6 +1,6 @@
 #pragma once
-#define MAG_VERSION_APP "0.04"
+#define MAG_VERSION_APP "0.05"
 #define MAG_DEVELOPER "Zachary Weiss"
 #define MAG_GITHUB "github.com/zacharyweiss/magspoof_flipper"
@@ -32,6 +32,7 @@ typedef enum {
 MagTxStateGPIO,
 MagTxStatePiezo,
 MagTxStateLF_P, // combo of RFID and Piezo
+ MagTxStateNFC,
 MagTxCC1101_434,
 MagTxCC1101_868,
 } MagTxState;
diff --git a/scenes/mag_scene_emulate_config.c b/scenes/mag_scene_emulate_config.c
index 87b3fb72b..437f536a7 100644
--- a/scenes/mag_scene_emulate_config.c
+++ b/scenes/mag_scene_emulate_config.c
@@ -10,12 +10,13 @@ enum MagSettingIndex {
 MagSettingIndexInterpacket,
 };
-#define TX_COUNT 6
+#define TX_COUNT 7
 const char* const tx_text[TX_COUNT] = {
 "RFID",
 "GPIO",
 "Piezo",
 "LF + P",
+ "NFC",
 "434MHz",
 "868MHz",
 };
@@ -24,6 +25,7 @@ const uint32_t tx_value[TX_COUNT] = {
 MagTxStateGPIO,
 MagTxStatePiezo,
 MagTxStateLF_P,
+ MagTxStateNFC,
 MagTxCC1101_434,
 MagTxCC1101_868,
 };
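Review bot: Inserting `MagTxStateNFC` before `MagTxCC1101_434` in the -32 hunk renumbers both CC1101 enumerators, so if `setting->tx` is persisted anywhere as a raw integer (a saved settings or card file), values written by 0.04 would now select a different TX mode. If nothing persists it, record that on the enum, `// enumerator values are not stable across versions; never store them raw`; otherwise append new modes at the end or give each enumerator an explicit value. The enum's first entries are outside the hunk.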
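Review bot: `TX_COUNT` is bumped by hand while `tx_text` and `tx_value` are both sized by it, so forgetting an entry in either table (this hunk and the -24 hunk) compiles cleanly and leaves a NULL label or a zero-valued mode in the last slot. Sizing the tables with `[]` and keeping `#define TX_COUNT 7` for the UI lets the compiler check the count: `_Static_assert(sizeof(tx_text) / sizeof(tx_text[0]) == TX_COUNT, "tx_text out of sync with TX_COUNT");` and the same line for `tx_value`. Since the two tables are parallel, a comment above `tx_text`, `// index must match tx_value[] below`, is also worth adding.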