- Reinitialize BigBuf memory before FpgaSetupSsc to reset PDC internal buffer pointers
- With properly reset DMA pointers, the field stabilization time can be safely reduced from 5.0ms down to 0.25ms (which matches the timing originally intended by the near-field-chaos patch)
- Further reduced the ST25TB charge capacitor drain wait time from 10ms to an aggressive 0.5ms (the tRST minimum specified in ST25TB datasheet)
Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
After aggressive field cycling (e.g. tear-off attacks), the FPGA's
internal SSC/DMA state can become corrupted even though the bitstream
is technically loaded. FpgaDownloadAndGo() caches downloaded_bitstream
and skips re-download if it matches, so subsequent commands fail
silently or hang.
Add FpgaResetBitstream() which sets downloaded_bitstream to
FPGA_BITSTREAM_UNKNOWN, forcing the next FpgaDownloadAndGo() to
perform a complete reload.
In Get14443bAnswerFromTag(), the behindBy == 0 idle loop (waiting for
FPGA DMA samples) had no watchdog kick, no button check, and no
timeout. If the FPGA stops providing the SSC clock, this loop spins
infinitely until the hardware watchdog triggers a reboot.
Add WDT_HIT(), BUTTON_PRESS() check, and a 200ms failsafe timeout
using GetTickCountDelta() to prevent infinite spins.
- Implements mfc_algo_vanderbilt_one() and mfc_algo_vanderbilt_all()
- Generates keys using 'Acces' + block ID pattern (416363657300-4163636573FF)
- Supports all 40 sectors for 4K cards
- Eliminates need for 256+ keys in dictionary file
- Keys generated dynamically on-demand
PLATFORM_DEFS is built with += on an initially empty variable, which
produces a leading space in GNU make. The cached value written to
.Makefile.options.cache has no leading space, so the ifneq comparison
always evaluates to true, causing PLATFORM_CHANGED=true on every
invocation and triggering a clean of bootrom/armsrc/recovery after
every build.
kormax