Add inline comments throughout wiegand_formatutils and callers to explain
sentinel-bit stripping, HID transport framing, and the normalization contract
between input modes and downstream consumers.
Replace sim-only LF HID online tests with T55xx clone+readback flows and add
a full encode/decode roundtrip harness for hf mf encodehid, including sector
restore/cleanup and an optional --manual flag for external reader verification.
Extract the reusable Wiegand normalization and packing flow into
wiegand_formatutils and move existing callers onto that shared path.
This rebuilds the feat-wiegand branch as one focused commit against
upstream/master instead of trying to preserve the original commit chain.
Key changes:
- add shared helpers for plain binary, raw HID, new PACS, and formatted
Wiegand input
- centralize binary rendering used by cmdwiegand and PACS decode output
- update lf hid sim/clone to resolve one input mode through the shared
Wiegand layer and enforce the LF packed transport limit explicitly
- update hf mf encodehid to accept bin/raw/new/formatted Wiegand input
through the same normalization path
- preserve legacy raw HID transport behavior while clarifying the
packed-HID vs LF transport limits in error reporting
- add offline regression coverage for the new PACS decode output and add
interactive online targets for LF HID Wiegand and MIFARE encodehid
Validation performed:
- make client
- bash -n tools/pm3_tests.sh
- bash -n tools/pm3_online_tests.sh
- ./tools/pm3_online_tests.sh -h
- ./client/proxmark3 -c 'wiegand encode -w H10301 --fc 31 --cn 337'
- ./client/proxmark3 -c 'wiegand encode -w H10301 --fc 31 --cn 337 --new'
- ./client/proxmark3 -c 'wiegand decode --new 068F80A8C0'
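The following is an added worked example, not code from the Proxmark3 project or from this commit. It shows the three things the Wiegand normalization layer above has to get right: packing and unpacking H10301 (26-bit) with both parity bits verified, adding and stripping the LF HID sentinel bit that sits directly above the MSB of the format, and converting to and from the --new PACS byte layout. The PACS layout used here (one leading byte holding the zero-pad count, then the Wiegand bits left-aligned MSB-first in ceil(len/8) bytes) is an assumption inferred from the validation commands above, where H10301 FC 31 CN 337 corresponds to 068F80A8C0; it is not taken from an HID specification. All function names are illustrative, and the FC/CN values are the ones from the validation list.

```c
/* Added example, not Proxmark3 code: H10301 pack/unpack with parity checks,
 * LF HID sentinel-bit handling, and the "new" PACS byte layout. The PACS
 * layout is an ASSUMPTION inferred from the page's sample 068F80A8C0. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define H10301_BITS 26

/* Number of set bits among the low n bits of v. */
static unsigned popcount_bits(uint64_t v, unsigned n) {
    unsigned c = 0;
    for (unsigned i = 0; i < n; i++) c += (unsigned)((v >> i) & 1);
    return c;
}

/* H10301 layout, MSB first: [even parity][8-bit FC][16-bit CN][odd parity].
 * Even parity covers the first 12 data bits, odd parity the last 12. */
uint32_t h10301_pack(uint8_t fc, uint16_t cn) {
    uint32_t data = ((uint32_t)fc << 16) | cn;               /* 24 data bits */
    uint32_t pe = popcount_bits(data >> 12, 12) & 1;         /* even parity */
    uint32_t po = (popcount_bits(data & 0xFFF, 12) & 1) ^ 1; /* odd parity */
    return (pe << 25) | (data << 1) | po;
}

/* Returns 0 and fills fc/cn if both parity bits verify, -1 otherwise. */
int h10301_unpack(uint32_t bits, uint8_t *fc, uint16_t *cn) {
    if (bits >> H10301_BITS) return -1;                      /* wider than 26 bits */
    uint32_t data = (bits >> 1) & 0xFFFFFF;
    if ((popcount_bits(data >> 12, 12) & 1) != ((bits >> 25) & 1)) return -1;
    if ((popcount_bits(data & 0xFFF, 12) & 1) == (bits & 1)) return -1;
    *fc = (uint8_t)(data >> 16);
    *cn = (uint16_t)(data & 0xFFFF);
    return 0;
}

/* LF HID transport: a single '1' sentinel sits directly above the MSB of the
 * format, so the bit length is recoverable from the raw value alone. */
uint64_t lf_hid_add_sentinel(uint64_t bits, unsigned len) {
    return bits | (1ULL << len);
}

/* Strips the sentinel. Returns the format length, or 0 if raw is empty. */
unsigned lf_hid_strip_sentinel(uint64_t raw, uint64_t *bits) {
    if (raw == 0) return 0;
    unsigned len = 63;
    while (!((raw >> len) & 1)) len--;
    *bits = raw & ((1ULL << len) - 1);
    return len;
}

/* Assumed "new" PACS layout: byte 0 = count of zero pad bits, then the Wiegand
 * bits left-aligned, MSB first, in ceil(len/8) bytes. Returns bytes written
 * (out must hold at least 9 bytes for len <= 64). */
size_t pacs_encode(uint64_t bits, unsigned len, uint8_t *out) {
    unsigned nbytes = (len + 7) / 8, pad = nbytes * 8 - len;
    uint64_t shifted = bits << pad;
    out[0] = (uint8_t)pad;
    for (unsigned i = 0; i < nbytes; i++)
        out[1 + i] = (uint8_t)(shifted >> (8 * (nbytes - 1 - i)));
    return 1 + nbytes;
}

/* Inverse of pacs_encode. Rejects a pad count of 8 or more and non-zero pad
 * bits. Returns the Wiegand bit length, or 0 on malformed input. */
unsigned pacs_decode(const uint8_t *in, size_t n, uint64_t *bits) {
    if (n < 2 || n > 9 || in[0] >= 8) return 0;
    uint64_t v = 0;
    for (size_t i = 1; i < n; i++) v = (v << 8) | in[i];
    if (v & ((1ULL << in[0]) - 1)) return 0;                 /* pad bits must be 0 */
    *bits = v >> in[0];
    return (unsigned)((n - 1) * 8 - in[0]);
}

/* Round trip on the page's values (FC 31, CN 337). Returns 0 on success,
 * otherwise the number of the first failing step. */
int wiegand_selftest(void) {
    uint8_t fc = 0, buf[9];
    uint16_t cn = 0;
    uint64_t bits = 0;
    uint32_t w = h10301_pack(31, 337);
    if (h10301_unpack(w, &fc, &cn) != 0 || fc != 31 || cn != 337) return 1;
    if (h10301_unpack(w ^ 1, &fc, &cn) == 0) return 2;       /* flipped odd parity */
    if (lf_hid_strip_sentinel(lf_hid_add_sentinel(w, 26), &bits) != 26 || bits != w) return 3;
    size_t n = pacs_encode(w, 26, buf);
    if (pacs_decode(buf, n, &bits) != 26 || bits != w) return 4;
    buf[4] |= 0x01;                                          /* corrupt a pad bit */
    if (pacs_decode(buf, n, &bits) != 0) return 5;
    return 0;
}

int main(void) {
    uint8_t buf[9];
    uint32_t w = h10301_pack(31, 337);
    size_t n = pacs_encode(w, 26, buf);
    printf("wiegand 0x%07" PRIX32 "  lf raw 0x%" PRIX64 "  new ", w, lf_hid_add_sentinel(w, 26));
    for (size_t i = 0; i < n; i++) printf("%02X", buf[i]);
    printf("  selftest %d\n", wiegand_selftest());
    return 0;
}
```

Two points worth noting for anyone wiring a decoder onto a shared path like this: the LF raw value carries its own length via the sentinel, while the PACS form carries it via the pad count, so the normalization contract needs the bit length as explicit state rather than re-deriving it from the integer value; and pacs_decode refuses non-zero pad bits, which is the cheapest way to catch a caller that passed a right-aligned value where a left-aligned one was expected.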
Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
When no --keys or --mfc-keys arguments are given, automatically
look for hf-mfp-<UID>-key.json and hf-mf-<UID>-key.bin files,
matching the output of hf mfp chk --dump and hf mf chk --dump.
Fail with a helpful message if no keys are available, matching
the behaviour of hf mf dump.
Restructure dump into 4 phases:
1. Classify sectors via single MFC probe (SL3 vs SL1)
2. AES dictionary only on SL3 sectors
3. MFC dictionary only on SL1 sectors
4. Read with found keys
Suppress firmware debug output during key probing to prevent
auth error message flood, matching MifareChkKeys behavior.
Replace mf_check_keys (which hangs in firmware infinite retry loop)
with mf_read_sector for SL1 key probing. Defer MFC key probing to
the read phase so it only runs per-sector when SL3 auth fails.
Also fix mfcProbeKeys memory leak on early exit paths.