Add inline comments throughout wiegand_formatutils and callers to explain
sentinel-bit stripping, HID transport framing, and the normalization contract
between input modes and downstream consumers.

Replace sim-only LF HID online tests with T55xx clone+readback flows and add
a full encode/decode roundtrip harness for hf mf encodehid, including sector
restore/cleanup and an optional --manual flag for external reader verification.

Extract the reusable Wiegand normalization and packing flow into
wiegand_formatutils and move existing callers onto that shared path.
This rebuilds the feat-wiegand branch as one focused commit against
upstream/master instead of trying to preserve the original commit chain.

Key changes:
- add shared helpers for plain binary, raw HID, new PACS, and formatted
  Wiegand input
- centralize binary rendering used by cmdwiegand and PACS decode output
- update lf hid sim/clone to resolve one input mode through the shared
  Wiegand layer and enforce the LF packed transport limit explicitly
- update hf mf encodehid to accept bin/raw/new/formatted Wiegand input
  through the same normalization path
- preserve legacy raw HID transport behavior while clarifying the
  packed-HID vs LF transport limits in error reporting
- add offline regression coverage for the new PACS decode output and add
  interactive online targets for LF HID Wiegand and MIFARE encodehid

Validation performed:
- make client
- bash -n tools/pm3_tests.sh
- bash -n tools/pm3_online_tests.sh
- ./tools/pm3_online_tests.sh -h
- ./client/proxmark3 -c 'wiegand encode -w H10301 --fc 31 --cn 337'
- ./client/proxmark3 -c 'wiegand encode -w H10301 --fc 31 --cn 337 --new'
- ./client/proxmark3 -c 'wiegand decode --new 068F80A8C0'
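
The validation commands above encode H10301 with `--fc 31 --cn 337` and decode `068F80A8C0` with `--new`. As an added example (not code from this commit or from the Proxmark3 tree), the C below packs the 26-bit H10301 word with its two parity bits and wraps it in a pad-count framing; that framing (first byte is the number of zero pad bits, payload left-aligned) is an assumption inferred from the sample value, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example; all names are hypothetical, not Proxmark3 functions. */
static int ones(uint32_t v, int n) {            /* set bits in the low n bits */
    int c = 0;
    for (int i = 0; i < n; i++) c += (v >> i) & 1;
    return c;
}

/* H10301: even parity | 8-bit FC | 16-bit CN | odd parity (26 bits). */
uint32_t h10301_pack(uint8_t fc, uint16_t cn) {
    uint32_t data = ((uint32_t)fc << 16) | cn;
    uint32_t even = ones(data >> 12, 12) & 1;    /* leading 13 bits sum even */
    uint32_t odd = !(ones(data, 12) & 1);        /* trailing 13 bits sum odd */
    return (even << 25) | (data << 1) | odd;
}

/* Returns 0 and fills fc/cn, or -1 on overlength input or bad parity. */
int h10301_unpack(uint32_t w, uint8_t *fc, uint16_t *cn) {
    uint32_t data = (w >> 1) & 0xFFFFFF;
    if ((w >> 26) || h10301_pack((uint8_t)(data >> 16), (uint16_t)data) != w)
        return -1;
    *fc = (uint8_t)(data >> 16);
    *cn = (uint16_t)data;
    return 0;
}

/* Assumed framing: out[0] = pad-bit count, then the bits left-aligned. */
size_t pacs_new_encode(uint32_t w, int nbits, uint8_t *out) {
    int nbytes = (nbits + 7) / 8, pad = nbytes * 8 - nbits;
    uint64_t v = (uint64_t)w << pad;
    out[0] = (uint8_t)pad;
    for (int i = 0; i < nbytes; i++)
        out[1 + i] = (uint8_t)(v >> (8 * (nbytes - 1 - i)));
    return (size_t)nbytes + 1;
}

/* Rejects bad lengths, pad counts above 7, and non-zero pad bits. */
int pacs_new_decode(const uint8_t *in, size_t len, uint32_t *w, int *nbits) {
    uint32_t v = 0;
    if (len < 2 || len > 5 || in[0] > 7) return -1;
    for (size_t i = 1; i < len; i++) v = (v << 8) | in[i];
    if (v & ((1u << in[0]) - 1)) return -1;
    *nbits = (int)(len - 1) * 8 - in[0];
    *w = v >> in[0];
    return 0;
}
```

Under these assumptions, packing FC 31 / CN 337 and framing the 26-bit result yields the bytes `06 8F 80 A8 C0`, the same value passed to `wiegand decode --new` in the validation list.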

- Reinitialize BigBuf memory before FpgaSetupSsc to reset PDC internal buffer pointers
- With properly reset DMA pointers, the field stabilization time can be safely reduced from 5.0ms down to 0.25ms (which matches the timing originally intended by the near-field-chaos patch)
- Further reduced the ST25TB charge capacitor drain wait time from 10ms to an aggressive 0.5ms (the tRST minimum specified in ST25TB datasheet)

Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.

The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.

Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
  lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
  bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state

Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]