CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES needs 6 bytes of data.

used as SendCommandMIX(CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, 4, NULL, 0);
sent to MifareAcquireEncryptedNonces(packet->oldarg[0], packet->oldarg[1], packet->oldarg[2], packet->data.asBytes);
void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain) {
  [...]
  uint64_t ui64Key = bytes_to_num(datain, 6);

=> we should always send 6 bytes for "bytes_to_num"

client/cmdhfmfhard.c

@@ -1385,15 +1385,16 @@ static int acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_
         flags |= field_off ? 0x0004 : 0;
 
         clearCommandBuffer();
-        SendCommandOLD(CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, flags, key, 6);
+        SendCommandMIX(CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, flags, key, 6);
 
         if (field_off) break;
 
         if (initialize) {
             if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
+                uint8_t nullkey[6] = {0};
                 //strange second call (iceman)
                 clearCommandBuffer();
-                SendCommandMIX(CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, 4, NULL, 0);
+                SendCommandMIX(CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, 4, nullkey, sizeof(nullkey));
                 return 1;
             }
             if (resp.oldarg[0]) return resp.oldarg[0];  // error during nested_hard