When autopwn detects a HardNested vulnerable card (nt_level=2) with some known keys,
it now automatically attempts to recover remaining keys using the hardnested attack,
instead of only printing an advisory message. The implementation:
- Iterates over each missing key slot, picking a known key before each attempt
(allows newly recovered keys to be reused for subsequent targets)
- Invokes hardnested.recover_key() with standard parameters (200 max runs, 3 max attempts)
- After each found key, checks if it is reusable for other sectors
- Falls back to senested attack if hardnested does not recover all keys
This matches the existing behavior for nested and static-encrypted-nested attacks.
Split the single --id argument into --cn (8 ASCII chars) and --raw
(32 hex char T55XX bitstream, directly compatible with PM3 raw output).
Add Python-side PAC bitstream encoder/decoder for raw format support.
Output now shows CN and Raw labels matching PM3's format.
Add NRF_LOG module registration to pac.c for debug logging,
consistent with other protocol implementations.
Reassign PAC command IDs (3014/3015) to avoid collision with ioProx
(3010/3011) after rebase onto upstream/main.
- Remove lf pac debug command (development-only)
- Accept both 16-hex and 8-ASCII card ID formats with 7-bit validation
- Add T55xx write command under lf pac write
- Handle unknown TagSpecificType values in slot list without crashing
- Auto-initialize slot data when setting tag type
- Simplify pac_write_to_t55xx by removing unused key parameters
Add pac_t55xx_writer() for encoding PAC card data into T55XX blocks,
along with the T5577_PAC_CONFIG (NRZ/Direct, RF/32, password-protected,
4 data blocks). Wire DATA_CMD_PAC_WRITE_TO_T55XX (3011) through the
command processor, dispatch table, and Python client.
Implements NRZ/Direct modulation decoder for PAC/Stanley 125kHz cards
using SAADC ADC sampling with spike-aware threshold calibration.
The LC antenna produces brief high-amplitude transients at NRZ transitions
which are clipped before the moving-average filter to isolate the actual
data levels.
Real NTAG 215 chips never reveal the stored password over NFC, so
Flipper .nfc dumps always have zeros for pages 133-134 (PWD/PACK).
This causes readers to reject the emulated tag when they attempt
PWD_AUTH as part of their amiibo validation flow.
The --amiibo flag derives the correct PWD from the UID using the
well-known XOR algorithm and sets PACK to the standard 0x8080,
enabling proper authentication with Nintendo devices.
Usage: hf mfu nfcimport -f Kirby.nfc -s 6 --amiibo
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add `hf mfu nfcimport` command to import Flipper Zero .nfc files
directly into ChameleonUltra emulator slots. Supports NTAG 210/212/
213/215/216, Mifare Ultralight, Ultralight C, and Ultralight EV1.
The importer parses the Flipper .nfc format and configures the slot
with the correct tag type, anti-collision data (UID/ATQA/SAK),
GET_VERSION response, READ_SIG signature, counter values, and full
page data.
Handles NTAG counter index mapping (Flipper's NFC counter index 2
maps to firmware internal index 0) and gracefully skips unsupported
counters with a warning.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fauzan Mirza