Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
After aggressive field cycling (e.g. tear-off attacks), the FPGA's
internal SSC/DMA state can become corrupted even though the bitstream
is technically loaded. FpgaDownloadAndGo() caches downloaded_bitstream
and skips re-download if it matches, so subsequent commands fail
silently or hang.
Add FpgaResetBitstream() which sets downloaded_bitstream to
FPGA_BITSTREAM_UNKNOWN, forcing the next FpgaDownloadAndGo() to
perform a complete reload.
In Get14443bAnswerFromTag(), the behindBy == 0 idle loop (waiting for
FPGA DMA samples) had no watchdog kick, no button check, and no
timeout. If the FPGA stops providing the SSC clock, this loop spins
infinitely until the hardware watchdog triggers a reboot.
Add WDT_HIT(), BUTTON_PRESS() check, and a 200ms failsafe timeout
using GetTickCountDelta() to prevent infinite spins.
- Implements mfc_algo_vanderbilt_one() and mfc_algo_vanderbilt_all()
- Generates keys using 'Acces' + block ID pattern (416363657300-4163636573FF)
- Supports all 40 sectors for 4K cards
- Eliminates need for 256+ keys in dictionary file
- Keys generated dynamically on-demand
PLATFORM_DEFS is built with += on an initially empty variable, which
produces a leading space in GNU make. The cached value written to
.Makefile.options.cache has no leading space, so the ifneq comparison
always evaluates to true, causing PLATFORM_CHANGED=true on every
invocation and triggering a clean of bootrom/armsrc/recovery after
every build.
When no --keys or --mfc-keys arguments are given, automatically
look for hf-mfp-<UID>-key.json and hf-mf-<UID>-key.bin files,
matching the output of hf mfp chk --dump and hf mf chk --dump.
Fail with helpful message if no keys are available, matching
the behaviour of hf mf dump.
Restructure dump into 4 phases:
1. Classify sectors via single MFC probe (SL3 vs SL1)
2. AES dictionary only on SL3 sectors
3. MFC dictionary only on SL1 sectors
4. Read with found keys
Suppress firmware debug output during key probing to prevent
auth error message flood, matching MifareChkKeys behavior.
Replace mf_check_keys (which hangs in firmware infinite retry loop)
with mf_read_sector for SL1 key probing. Defer MFC key probing to
the read phase so it only runs per-sector when SL3 auth fails.
Also fix mfcProbeKeys memory leak on early exit paths.
Iceman