LupusE requested in the PR #407 review (2026-05-13) to move IDTECK
command IDs since PR #404 (Jablotron) also uses 3017 / 5010 / 5011.
Both PRs are open with the feature-freeze label; Jablotron retains
the original slots and IDTECK shifts up:
DATA_CMD_IDTECK_WRITE_TO_T55XX: 3017 -> 3018
DATA_CMD_IDTECK_SET_EMU_ID: 5010 -> 5012
DATA_CMD_IDTECK_GET_EMU_ID: 5011 -> 5013
Files changed:
- firmware/application/src/data_cmd.h
- software/script/chameleon_enum.py
app_cmd.c references the constants by name only, no edit needed there.
Adds host-side CLI support for IDTECK:
- lf idteck econfig -s <slot> [--id <hex>]: set or read the emulated frame
- lf idteck write --id <hex>: clone to a T55xx tag in reader mode
- lf clone -t idteck --id <hex>: same via the unified clone command
- hw slot list now renders Frame and Card ID for IDTECK slots
Input accepts 16 hex characters for the full 64-bit frame, or 8 hex
for the 32-bit payload (the fixed preamble 4944544B is auto-prepended).
A non-blocking informational note is emitted when the payload checksum
does not match the value computed from the card number, since some
readers validate this field and some do not.
Private helpers in chameleon_cli_unit.py (_idteck_compute_checksum,
_idteck_compose_frame, _idteck_frame_info) parse and compose IDTECK
frames and expose card-number-driven composition for a future
`lf idteck compose` command.
Adds hf des chk and hf des info commands for MIFARE DESFire EV1/EV2/EV3 key checking and card info enumeration.
Tested against: DESFire EV1 (SAK 0x20, 2KB storage) via Chameleon Ultra v2.1 USB
The firmware limits mf1_read_emu_block_data to at most 32 blocks per
request, but eview's chunk_count only honored data_max_length (256).
Added the same 32-block cap already used by esave.
When autopwn detects a HardNested vulnerable card (nt_level=2) with some known keys,
it now automatically attempts to recover remaining keys using the hardnested attack,
instead of only printing an advisory message. The implementation:
- Iterates over each missing key slot, picking a known key before each attempt
  (allows newly recovered keys to be reused for subsequent targets)
- Invokes hardnested.recover_key() with standard parameters (200 max runs, 3 max attempts)
- After each found key, checks if it is reusable for other sectors
- Falls back to senested attack if hardnested does not recover all keys
This matches the existing behavior for nested and static-encrypted-nested attacks.
Split the single --id argument into --cn (8 ASCII chars) and --raw
(32 hex char T55XX bitstream, directly compatible with PM3 raw output).
Add Python-side PAC bitstream encoder/decoder for raw format support.
Output now shows CN and Raw labels matching PM3's format.
Add NRF_LOG module registration to pac.c for debug logging,
consistent with other protocol implementations.
Reassign PAC command IDs (3014/3015) to avoid collision with ioProx
(3010/3011) after rebase onto upstream/main.
- Remove lf pac debug command (development-only)
- Accept both 16-hex and 8-ASCII card ID formats with 7-bit validation
- Add T55xx write command under lf pac write
- Handle unknown TagSpecificType values in slot list without crashing
- Auto-initialize slot data when setting tag type
- Simplify pac_write_to_t55xx by removing unused key parameters
Add pac_t55xx_writer() for encoding PAC card data into T55XX blocks,
along with the T5577_PAC_CONFIG (NRZ/Direct, RF/32, password-protected,
4 data blocks). Wire DATA_CMD_PAC_WRITE_TO_T55XX (3011) through the
command processor, dispatch table, and Python client.
Implements NRZ/Direct modulation decoder for PAC/Stanley 125kHz cards
using SAADC ADC sampling with spike-aware threshold calibration.
The LC antenna produces brief high-amplitude transients at NRZ transitions
which are clipped before the moving-average filter to isolate the actual
data levels.
Real NTAG 215 chips never reveal the stored password over NFC, so
Flipper .nfc dumps always have zeros for pages 133-134 (PWD/PACK).
This causes readers to reject the emulated tag when they attempt
PWD_AUTH as part of their amiibo validation flow.
The --amiibo flag derives the correct PWD from the UID using the
well-known XOR algorithm and sets PACK to the standard 0x8080,
enabling proper authentication with Nintendo devices.
Usage: hf mfu nfcimport -f Kirby.nfc -s 6 --amiibo
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add `hf mfu nfcimport` command to import Flipper Zero .nfc files
directly into ChameleonUltra emulator slots. Supports NTAG 210/212/
213/215/216, Mifare Ultralight, Ultralight C, and Ultralight EV1.
The importer parses the Flipper .nfc format and configures the slot
with the correct tag type, anti-collision data (UID/ATQA/SAK),
GET_VERSION response, READ_SIG signature, counter values, and full
page data.
Handles NTAG counter index mapping (Flipper's NFC counter index 2
maps to firmware internal index 0) and gracefully skips unsupported
counters with a warning.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
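
Added example, not the project's importer: a minimal parser for the Flipper .nfc "key: value" layout that applies the NTAG counter mapping described above and reports whether pages 133-134 (PWD/PACK) are zero, as the `--amiibo` message says Flipper dumps always are. The field names, the sample dump and both function names are assumptions made for illustration.

```python
import re

# Constructed sample in the Flipper .nfc "key: value" layout. Field names are
# assumed; every value is made up and only three of the 135 pages are listed.
SAMPLE_NFC = """\
Filetype: Flipper NFC device
UID: 04 11 22 33 44 55 66
ATQA: 00 44
SAK: 00
NTAG/Ultralight type: NTAG215
Counter 0: 3
Counter 2: 7
Pages total: 135
Page 0: 04 11 22 BF
Page 133: 00 00 00 00
Page 134: 00 00 00 00
"""

def parse_flipper_nfc(text):
    """Return slot-ready fields; raise ValueError on malformed input."""
    fields, pages, counters, warnings = {}, {}, {}, []
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not key or key.startswith("#"):
            continue
        if not sep:
            raise ValueError(f"line {n}: expected 'key: value'")
        m = re.fullmatch(r"(Page|Counter) (\d+)", key)
        if m is None:
            fields[key] = value
        elif m.group(1) == "Page":
            pages[int(m.group(2))] = bytes.fromhex(value)
            if len(pages[int(m.group(2))]) != 4:
                raise ValueError(f"line {n}: a page is 4 bytes")
        elif m.group(2) == "2":
            counters[0] = int(value)  # NTAG: Flipper index 2 -> firmware index 0
        else:
            warnings.append(f"counter {m.group(2)} unsupported, skipped")
    for required in ("UID", "ATQA", "SAK", "Pages total"):
        if required not in fields:
            raise ValueError(f"missing field: {required}")
    if any(p >= int(fields["Pages total"]) for p in pages):
        raise ValueError("page index beyond 'Pages total'")
    anticoll = {k.lower(): bytes.fromhex(fields[k]) for k in ("UID", "ATQA", "SAK")}
    return {**anticoll, "pages": pages, "counters": counters, "warnings": warnings}

def pwd_pack_blank(dump, pwd_page=133, pack_page=134):
    """True when the dump holds zeros where NTAG215 keeps PWD and PACK."""
    return not any(dump["pages"].get(pwd_page, b"") + dump["pages"].get(pack_page, b""))
```
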
The pthreads4w dependency uses MSVC-specific architecture detection
(_M_X64, _M_IX86 macros) which fails under MinGW/MSYS2/ProxSpace
with "unknown not supported in version.rc".
MinGW-w64 ships with winpthreads, so only MSVC builds need pthreads4w.
Fixes #378