Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
- Removed 'Known Issues in the Iceman Repo' table as requested
- Maintained manual pipeline steps and troubleshooting sections
- See PR #3090 discussion for context
Step-by-step guide for recovering all sector keys from Fudan FM11RF08S
MIFARE Classic 1K cards when the automated fm11rf08s_recovery.py script
fails due to missing _pm3 SWIG bindings, hardcoded tool paths, or
backdoor auth errors.
Documents a manual pipeline using hf mf isen for nonce collection,
staticnested_1nt for offline candidate generation, and hf mf fchk for
brute force verification. Includes troubleshooting for known issues
(#2553, #2565, #2689, #2766, #2838) and timing expectations.
Tested on RDV4 with Iceman firmware v4.20728 on macOS (aarch64).
Added a small section with instructions for fixing USB device access in WSL2, due to the user not having access to dialout.
Signed-off-by: Justin Widen <jdogwiden5@gmail.com>
kormax