Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
Ubuntu Build and Test / ubuntu-make (push) Successful in 5m35s
Ubuntu Build and Test / ubuntu-make-btaddon (push) Successful in 5m11s
Ubuntu Build and Test / ubuntu-cmake (push) Failing after 4m33s
Windows Build and Test / proxspace (push) Has been cancelled
Windows Build and Test / wsl (push) Has been cancelled
MacOS Build and Test / macos-make (push) Has been cancelled
MacOS Build and Test / macos-make-btaddon (push) Has been cancelled
MacOS Build and Test / macos-cmake (push) Has been cancelled
CodeQL / Analyze (python) (push) Failing after 2m7s
CodeQL / Analyze (cpp) (push) Failing after 9m27s
Some static RAMFUNC got inlined which means they weren't relocated in RAM.
By forcing noinline on RAMFUNC, the following functions move to RAM:
F .data 00000034 optimizedSniff
F .data 00000148 skipSniff
F .data 000002c8 ManchesterDecoding_Thinfilm
But ManchesterDecoding_Thinfilm worked fine without being in RAM,
so we remove its RAMFUNC attribute and it works as previously,
and avoid eating some RAM bytes.
In summary, impacted command is only:
hf sniff
Implemented an iclass sim function that prevents simulated card responses after updating block 3.
Block 3 gets updated with the XOR key as if it was in personalization mode.
Added an option for hf iclass legrec to further increase speeds by using a shorter delay of 1500 vs the default of 3390.
This seems to be stable on new silicon especially now that we're keeping the field always on.
It may be more risky for the --fast operation.
1- Added a --fast option for hf iclass legrec that further increases the speed from 4.6 key updates/second to 7.4 key updates/second. This is achieved by skipping some safety checks and is a very fast but more risky operation.
2- Automated AA2 block selection based on the values in the config block
3- Other minor code cleanups
