There was an issue inside of the GET Data response where if the response was longer than 255 bytes (such as the FF41 tag on NVX's Zero Key format), it would fail to parse. I've added some extra wrapping to clean this up, but longer term we would need to refactor how we parse SM responses anyway.
Signed-off-by: Adam Jon Foster <me@evildaemond.com>
Add inline comments throughout wiegand_formatutils and callers to explain
sentinel-bit stripping, HID transport framing, and the normalization contract
between input modes and downstream consumers.
Replace sim-only LF HID online tests with T55xx clone+readback flows and add
a full encode/decode roundtrip harness for hf mf encodehid, including sector
restore/cleanup and an optional --manual flag for external reader verification.
Extract the reusable Wiegand normalization and packing flow into
wiegand_formatutils and move existing callers onto that shared path.
This rebuilds the feat-wiegand branch as one focused commit against
upstream/master instead of trying to preserve the original commit chain.
Key changes:
- add shared helpers for plain binary, raw HID, new PACS, and formatted
Wiegand input
- centralize binary rendering used by cmdwiegand and PACS decode output
- update lf hid sim/clone to resolve one input mode through the shared
Wiegand layer and enforce the LF packed transport limit explicitly
- update hf mf encodehid to accept bin/raw/new/formatted Wiegand input
through the same normalization path
- preserve legacy raw HID transport behavior while clarifying the
packed-HID vs LF transport limits in error reporting
- add offline regression coverage for the new PACS decode output and add
interactive online targets for LF HID Wiegand and MIFARE encodehid
Validation performed:
- make client
- bash -n tools/pm3_tests.sh
- bash -n tools/pm3_online_tests.sh
- ./tools/pm3_online_tests.sh -h
- ./client/proxmark3 -c 'wiegand encode -w H10301 --fc 31 --cn 337'
- ./client/proxmark3 -c 'wiegand encode -w H10301 --fc 31 --cn 337 --new'
- ./client/proxmark3 -c 'wiegand decode --new 068F80A8C0'
Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
kormax