Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
Ubuntu Build and Test / ubuntu-make (push) Successful in 5m35s
Ubuntu Build and Test / ubuntu-make-btaddon (push) Successful in 5m11s
Ubuntu Build and Test / ubuntu-cmake (push) Failing after 4m33s
Windows Build and Test / proxspace (push) Has been cancelled
Windows Build and Test / wsl (push) Has been cancelled
MacOS Build and Test / macos-make (push) Has been cancelled
MacOS Build and Test / macos-make-btaddon (push) Has been cancelled
MacOS Build and Test / macos-cmake (push) Has been cancelled
CodeQL / Analyze (python) (push) Failing after 2m7s
CodeQL / Analyze (cpp) (push) Failing after 9m27s
Some static RAMFUNC got inlined which means they weren't relocated in RAM.
By forcing noinline on RAMFUNC, the following functions move to RAM:
F .data 00000034 optimizedSniff
F .data 00000148 skipSniff
F .data 000002c8 ManchesterDecoding_Thinfilm
But ManchesterDecoding_Thinfilm worked fine without being in RAM,
so we remove its RAMFUNC attribute and it works as previously,
and avoid eating some RAM bytes.
In summary, impacted command is only:
hf sniff
Implemented an iclass sim function that prevents simulated card responses after updating block 3.
Block 3 gets updated with the XOR key as if it was in personalization mode.
