Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
When no --keys or --mfc-keys arguments are given, automatically
look for hf-mfp-<UID>-key.json and hf-mf-<UID>-key.bin files,
matching the output of hf mfp chk --dump and hf mf chk --dump.
Fail with helpful message if no keys are available, matching
the behaviour of hf mf dump.
Restructure dump into 4 phases:
1. Classify sectors via single MFC probe (SL3 vs SL1)
2. AES dictionary only on SL3 sectors
3. MFC dictionary only on SL1 sectors
4. Read with found keys
Suppress firmware debug output during key probing to prevent
auth error message flood, matching MifareChkKeys behavior.
Replace mf_check_keys (which hangs in firmware infinite retry loop)
with mf_read_sector for SL1 key probing. Defer MFC key probing to
the read phase so it only runs per-sector when SL3 auth fails.
Also fix mfcProbeKeys memory leak on early exit paths.
D:/a/proxmark3/proxmark3/client/deps/mqtt/win32_sockets.h: In function 'open_nb_socket':
D:/a/proxmark3/proxmark3/client/deps/mqtt/win32_sockets.h:35:25: error: format '%s' expects argument of type 'char *', but argument 3 has type 'WCHAR *' {aka 'short unsigned int *'} [-Werror=format=]
35 | fprintf(stderr, "error: getaddrinfo: %s", gai_strerror(rv));
| ^~~~~~~~~~~~~~~~~~~~~~~~
Iceman