diff --git a/firmware/test/card_emu_tests.c b/firmware/test/card_emu_tests.c
index bad315c3..0a690e9b 100644
--- a/firmware/test/card_emu_tests.c
+++ b/firmware/test/card_emu_tests.c
@@ -112,7 +112,7 @@ static void io_start_card(struct card_handle *ch)
 	verify_atr(ch);
 }
 
-static void send_bytes(struct card_handle *ch, const uint8_t *bytes, unsigned int len)
+static void reader_send_bytes(struct card_handle *ch, const uint8_t *bytes, unsigned int len)
 {
 	unsigned int i;
 	for (i = 0; i < len; i++) {
@@ -145,16 +145,16 @@ static void dump_rctx(struct req_ctx *rctx)
 }
 
 /* emulate a TPDU header being sent by the reader/phone */
-static void send_tpdu_hdr(struct card_handle *ch, const uint8_t *tpdu_hdr)
+static void rdr_send_tpdu_hdr(struct card_handle *ch, const uint8_t *tpdu_hdr)
 {
 	struct req_ctx *rctx;
 
 	/* we don't want a receive context to become available during
 	 * the first four bytes */
-	send_bytes(ch, tpdu_hdr, 4);
+	reader_send_bytes(ch, tpdu_hdr, 4);
 	assert(!req_ctx_find_get(0, RCTX_S_USB_TX_PENDING, RCTX_S_USB_TX_BUSY));
 
-	send_bytes(ch, tpdu_hdr+4, 1);
+	reader_send_bytes(ch, tpdu_hdr+4, 1);
 	/* but then after the final byte of the TPDU header, we want a
 	 * receive context to be available for USB transmission */
 	rctx = req_ctx_find_get(0, RCTX_S_USB_TX_PENDING, RCTX_S_USB_TX_BUSY);
@@ -166,7 +166,7 @@ static void send_tpdu_hdr(struct card_handle *ch, const uint8_t *tpdu_hdr)
 }
 
 /* emulate a CEMU_USB_MSGT_DT_TX_DATA received from USB */
-static void host_to_device_data(const uint8_t *data, uint16_t len, int continue_rx)
+static void host_to_device_data(const uint8_t *data, uint16_t len, unsigned int flags)
 {
 	struct req_ctx *rctx;
 	struct cardemu_usb_msg_tx_data *rd;
@@ -177,13 +177,9 @@ static void host_to_device_data(const uint8_t *data, uint16_t len, int continue_
 
 	/* initialize the header */
 	rd = (struct cardemu_usb_msg_rx_data *) rctx->data;
-	rctx->tot_len = sizeof(*rd);
+	rctx->tot_len = sizeof(*rd) + len;
 	cardemu_hdr_set(&rd->hdr, CEMU_USB_MSGT_DT_TX_DATA);
-	rd->flags = CEMU_DATA_F_FINAL;
-	if (continue_rx)
-		rd->flags |= CEMU_DATA_F_PB_AND_RX;
-	else
-		rd->flags |= CEMU_DATA_F_PB_AND_TX;
+	rd->flags = flags;
 	/* copy data and set length */
 	rd->hdr.data_len = len;
 	memcpy(rd->data, data, len);
@@ -192,7 +188,8 @@ static void host_to_device_data(const uint8_t *data, uint16_t len, int continue_
 	req_ctx_set_state(rctx, RCTX_S_UART_TX_PENDING);
 }
 
-static int print_tx_chars(struct card_handle *ch)
+/* card-transmit any pending characters */
+static int card_tx_print_chars(struct card_handle *ch)
 {
 	uint8_t byte;
 	int count = 0;
@@ -206,8 +203,13 @@ static int print_tx_chars(struct card_handle *ch)
 const uint8_t tpdu_hdr_sel_mf[] = { 0xA0, 0xA4, 0x00, 0x00, 0x00 };
 const uint8_t tpdu_pb_sw[] = { 0x90, 0x00 };
 
-const uint8_t tpdu_hdr_upd_bin[] = { 0xA0, 0xB2, 0x00, 0x00, 0x0A };
-const uint8_t tpdu_body_upd_bin[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 };
+/* READ RECORD (offset 0, 10 bytes) */
+const uint8_t tpdu_hdr_read_rec[] = { 0xA0, 0xB2, 0x00, 0x00, 0x0A };
+const uint8_t tpdu_body_read_rec[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 };
+
+/* WRITE RECORD */
+const uint8_t tpdu_hdr_write_rec[] = { 0xA0, 0xD2, 0x00, 0x00, 0x07 };
+const uint8_t tpdu_body_write_rec[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
 
 int main(int argc, char **argv)
 {
@@ -222,17 +224,19 @@ int main(int argc, char **argv)
 
 	/* start up the card (VCC/RST, ATR) */
 	io_start_card(ch);
-	assert(!print_tx_chars(ch));
+	assert(!card_tx_print_chars(ch));
 
 	for (i = 0; i < 2; i++) {
 		printf("\n==> transmitting APDU (SW 90 00 #%u)\n", i);
 		/* emulate the reader sending a TPDU header */
-		send_tpdu_hdr(ch, tpdu_hdr_sel_mf);
-		assert(!print_tx_chars(ch));
-		/* card emulator sends a response via USB */
-		host_to_device_data(tpdu_pb_sw, sizeof(tpdu_pb_sw), 0);
-		/* obtain any pending tx chars */
-		assert(print_tx_chars(ch) == sizeof(tpdu_pb_sw));
+		rdr_send_tpdu_hdr(ch, tpdu_hdr_sel_mf);
+		/* we shouldn't have any pending card-TX yet */
+		assert(!card_tx_print_chars(ch));
+		/* card emulator PC sends a response via USB */
+		host_to_device_data(tpdu_pb_sw, sizeof(tpdu_pb_sw),
+				    CEMU_DATA_F_FINAL | CEMU_DATA_F_PB_AND_TX);
+		/* card emulator transmits chars just received via PC */
+		assert(card_tx_print_chars(ch) == sizeof(tpdu_pb_sw));
 
 		/* simulate some clock stop */
 		card_emu_io_statechg(ch, CARD_IO_CLK, 0);
@@ -240,17 +244,19 @@ int main(int argc, char **argv)
 	}
 
 	for (i = 0; i < 2; i++) {
-		printf("\n==> transmitting APDU (PB + RX #%u)\n", i);
+		printf("\n==> transmitting APDU (PB + card-RX #%u)\n", i);
 		/* emulate the reader sending a TPDU header */
-		send_tpdu_hdr(ch, tpdu_hdr_upd_bin);
-		assert(!print_tx_chars(ch));
-		/* card emulator sends a response via USB */
-		host_to_device_data(tpdu_hdr_upd_bin+1, 1, 1);
-		/* obtain any pending tx chars */
-		assert(print_tx_chars(ch) == 1);
+		rdr_send_tpdu_hdr(ch, tpdu_hdr_read_rec);
+		/* we shouldn't have any pending card-TX yet */
+		assert(!card_tx_print_chars(ch));
+		/* card emulator PC sends a singly byte PB response via USB */
+		host_to_device_data(tpdu_hdr_read_rec+1, 1,
+				    CEMU_DATA_F_FINAL | CEMU_DATA_F_PB_AND_RX);
+		/* card actually sends that single PB */
+		assert(card_tx_print_chars(ch) == 1);
 
 		/* emulate more characters from reader to card */
-		send_bytes(ch, tpdu_body_upd_bin, sizeof(tpdu_body_upd_bin));
+		reader_send_bytes(ch, tpdu_body_read_rec, sizeof(tpdu_body_read_rec));
 
 		/* check if we have received them on the USB side */
 		rctx = req_ctx_find_get(0, RCTX_S_USB_TX_PENDING, RCTX_S_USB_TX_BUSY);
@@ -262,9 +268,43 @@ int main(int argc, char **argv)
 		assert(!req_ctx_find_get(0, RCTX_S_USB_TX_PENDING, RCTX_S_USB_TX_BUSY));
 
 		/* card emulator sends SW via USB */
-		host_to_device_data(tpdu_pb_sw, sizeof(tpdu_pb_sw), 0);
+		host_to_device_data(tpdu_pb_sw, sizeof(tpdu_pb_sw),
+				    CEMU_DATA_F_FINAL | CEMU_DATA_F_PB_AND_TX);
 		/* obtain any pending tx chars */
-		assert(print_tx_chars(ch) == sizeof(tpdu_pb_sw));
+		assert(card_tx_print_chars(ch) == sizeof(tpdu_pb_sw));
+
+		/* simulate some clock stop */
+		card_emu_io_statechg(ch, CARD_IO_CLK, 0);
+		card_emu_io_statechg(ch, CARD_IO_CLK, 1);
+	}
+
+	for (i = 0; i < 2; i++) {
+		printf("\n==> transmitting APDU (PB + card-TX #%u)\n", i);
+
+		/* emulate the reader sending a TPDU header */
+		rdr_send_tpdu_hdr(ch, tpdu_hdr_write_rec);
+		assert(!card_tx_print_chars(ch));
+
+		/* card emulator PC sends a response PB via USB */
+		host_to_device_data(tpdu_hdr_write_rec+1, 1,
+				    CEMU_DATA_F_PB_AND_TX);
+		/* card actually sends that PB */
+		assert(card_tx_print_chars(ch) == 1);
+
+		/* emulate more characters from card to reader */
+		host_to_device_data(tpdu_body_write_rec, sizeof(tpdu_body_write_rec),
+				    0);
+		/* obtain those bytes as they arrvive on the card */
+		assert(card_tx_print_chars(ch) == sizeof(tpdu_body_write_rec));
+
+		/* ensure there is no extra data received on usb */
+		assert(!req_ctx_find_get(0, RCTX_S_USB_TX_PENDING, RCTX_S_USB_TX_BUSY));
+
+		/* card emulator sends SW via USB */
+		host_to_device_data(tpdu_pb_sw, sizeof(tpdu_pb_sw),
+				    CEMU_DATA_F_FINAL);
+		/* obtain any pending tx chars */
+		assert(card_tx_print_chars(ch) == sizeof(tpdu_pb_sw));
 
 		/* simulate some clock stop */
 		card_emu_io_statechg(ch, CARD_IO_CLK, 0);