xNovyz
286df8f4eb
feat(14b): add interactive hf 14b tearoff command
Add an interactive command for performing tear-off attacks on ST25TB/SRx
monotonic counter blocks. This exploits EEPROM tearing to increment
counters that normally can only be decremented, based on the
near-field-chaos project by SecLabz.
The command sweeps tear-off timing from --start downward in --adj
microsecond steps, automatically consolidates partial writes, verifies
stability across multiple reads, and reports progress in real-time with
color-coded output.
Performance optimizations:
- One-time full iso14443b_setup() at start; subsequent field cycles use
lightweight tearoff_field_on()/tearoff_field_off() that skip FPGA
bitstream reload and buffer reallocation
- Periodic CMD_WTX keepalives to prevent USB timeouts during long attacks
- Calls FpgaResetBitstream() on exit to ensure clean FPGA state
Usage: hf 14b tearoff -b <block> -d <target> [--start <us>] [--adj <us>]
2026-03-11 21:43:37 +01:00
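The sweep this commit message describes (tear timing walked downward from --start in --adj steps, partial writes consolidated, the result checked across several reads) is easier to follow with the control loop written out against a toy tag. The C below is an added illustration, not code from the Proxmark3 repository or from the near-field-chaos project it credits: the tag model (sim_tag_t, sim_write, sim_read), the decrement-only write rule, the erase-to-1 then program-MSB-first write order, the flickering half-programmed bit and the timing constants T_ERASE_US and T_FULL_US are all assumptions chosen so the simulation is deterministic, not measured ST25TB/SRx behaviour. Only the loop structure mirrors the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed EEPROM timing for the simulation (not measured ST25TB values). */
#define T_ERASE_US   120u   /* tear before this: erase not finished, cell unchanged */
#define T_FULL_US    400u   /* tear at/after this: the write completes normally     */
#define STABLE_READS 4      /* reads used to judge whether the block is stable     */

typedef struct {
    uint32_t cell;     /* bits currently stored in the counter block */
    int      weak_bit; /* -1, or index of a half-programmed bit that flickers on read */
    unsigned reads;    /* read counter driving the flicker */
} sim_tag_t;

/* Write 'value' to the counter block, cutting the field after tear_us.
 * Model (assumption): the block only accepts non-increasing values; a write
 * first erases every bit to 1 and then programs the 0-bits MSB first, so an
 * interrupted write leaves the low bits at 1, i.e. a larger value than before. */
static bool sim_write(sim_tag_t *t, uint32_t value, unsigned tear_us) {
    if (value > t->cell) return false;        /* decrement-only counter */
    if (tear_us < T_ERASE_US) return true;    /* field dropped too early: no change */
    unsigned k = (tear_us >= T_FULL_US) ? 32u
               : (tear_us - T_ERASE_US) * 32u / (T_FULL_US - T_ERASE_US);
    uint32_t done = (k == 32u) ? 0xFFFFFFFFu : ~(0xFFFFFFFFu >> k); /* programmed bits */
    t->cell = (value & done) | ~done;
    t->weak_bit = -1;
    /* the bit being cleared at the moment of the tear is left half-programmed */
    if (k < 32u && !((value >> (31u - k)) & 1u)) t->weak_bit = (int)(31u - k);
    return true;
}

/* Read the block; a half-programmed bit reads back differently on alternate reads. */
static uint32_t sim_read(sim_tag_t *t) {
    uint32_t v = t->cell;
    if (t->weak_bit >= 0 && (t->reads & 1u)) v ^= 1u << t->weak_bit;
    t->reads++;
    return v;
}

typedef struct {
    bool     ok;        /* a stable value above the original was obtained */
    unsigned tear_us;   /* tear timing that produced it */
    uint32_t before;    /* counter value before the sweep */
    uint32_t after;     /* final value read back */
    int      attempts;  /* number of tear-off writes issued */
} tear_result_t;

/* Sweep tear timing from start_us downward in adj_us steps, writing 'target'
 * each time, consolidating unstable results and verifying across reads. */
static tear_result_t tearoff_sweep(sim_tag_t *tag, uint32_t target,
                                   unsigned start_us, unsigned adj_us) {
    tear_result_t r = { .ok = false, .tear_us = 0, .before = sim_read(tag),
                        .after = 0, .attempts = 0 };
    if (adj_us == 0) return r;
    for (unsigned t_us = start_us; t_us > 0; t_us = (t_us > adj_us) ? t_us - adj_us : 0) {
        r.attempts++;
        if (!sim_write(tag, target, t_us)) break;   /* tag refuses: target not lower */
        uint32_t hi = 0, lo = UINT32_MAX;
        for (int i = 0; i < STABLE_READS; i++) {
            uint32_t v = sim_read(tag);
            if (v > hi) hi = v;
            if (v < lo) lo = v;
        }
        bool unstable = (hi != lo);
        if (unstable) {
            /* Consolidate: a full-length write of the largest value seen settles
             * the weak bit without giving up the 1-bits gained by the tear. */
            sim_write(tag, hi, T_FULL_US);
            hi = sim_read(tag);
        }
        printf("tear %4u us: read 0x%08x%s\n", t_us, (unsigned)hi,
               unstable ? " (consolidated)" : "");
        if (hi > r.before) { r.ok = true; r.tear_us = t_us; r.after = hi; return r; }
    }
    r.after = sim_read(tag);
    return r;
}

/* Demo: counter block at 10, target 9, sweep from 500 us down in 50 us steps. */
tear_result_t tearoff_demo(void) {
    sim_tag_t tag = { .cell = 10, .weak_bit = -1, .reads = 0 };
    return tearoff_sweep(&tag, 9, 500, 50);
}

int main(void) {
    tear_result_t r = tearoff_demo();
    printf("%s: 0x%08x -> 0x%08x at %u us after %d attempts\n",
           r.ok ? "counter increased" : "no increase",
           (unsigned)r.before, (unsigned)r.after, r.tear_us, r.attempts);
    return r.ok ? 0 : 1;
}
```

In the demo the first three writes (500, 450, 400 us) complete normally and simply store the target; the write torn at 350 us is caught after 26 of 32 bits, leaves the low six bits at 1 and one flickering bit, the four-read check flags it as unstable, and the consolidating write turns it into a stable 63, well above the original 10. The point to take from the model is the order of operations: verify stability first, consolidate only what was actually observed, and compare against the value read before the sweep, not against the previous attempt.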
Philippe Teuwen
b8a5e7b656
hf mf cauth/aesauth/cchk/aeschk: make fast READ0 optional
2026-02-24 16:46:00 +01:00
Philippe Teuwen
118652bd90
CMD_HF_DECAY: factor with structs, remove cast align warning
2026-02-21 23:54:51 +01:00
Philippe Teuwen
b62658f5ac
make style
2026-02-21 12:43:25 +01:00
michael
3eb594ce29
Cleaned up verbiage in user feedback
2026-02-18 20:44:08 -08:00
michael
fe878be492
Added a new command (hw decay [which monitors the decay rate of the hf antenna cap]) and updated hw tune to detect booster boards and whether the pm3 easy is on a metal surface
2026-02-18 15:51:08 -08:00
Philippe Teuwen
9f70011fee
hf mfu setkey: supports ulc/ulaes auth and ulaes schann
2026-02-09 01:08:23 +01:00
Aaron Tulino
d62e3cff15
Promote MFUL readblock bytelen
Resolves #3087
2026-02-07 00:51:18 +01:00
Philippe Teuwen
c00e4801b7
make style
2026-02-06 13:43:41 +01:00
Philippe Teuwen
a26892a891
Add hf mfu cchk/aeschk and options to hf mf cauth/aesauth
2026-01-19 21:47:49 +01:00
Aaron Tulino (Aaronjamt)
c0e82539f2
[hf seos] Simulate support
2025-12-21 04:26:44 -07:00
kormax
34f18a0002
Add polling loop annotation support for iso14443b
2025-12-19 09:29:31 +02:00
iceman1001
a0efcb2686
fix data crypt - output error. We have 8 bytes.
2025-10-17 08:53:54 +02:00
Philippe Teuwen
11fe8f783a
Add --skip to hw tearoff, to cope with more complex commands. Example provided for hf mfu wrbl
2025-10-09 22:26:52 +02:00
Philippe Teuwen
4aac77aaa2
support for Ultralight AES auth in hf mfu info/rdbl/wrbl/dump/ndefread/wipe/setkey
2025-10-04 02:00:23 +02:00
iceman1001
b097e10aa3
This commit refactors the signature checks. First we introduce a common pm3 generic private/public key pair in order to allow users to self-sign their own modded device. The verification checks now look at both hard-coded public keys. If a vendor wants to add their own public key, thus allowing a simple way for us to identify their devices, they can now do so. The downside is that the firmware mismatch detection becomes a bit dodgy. mem info; mem info -v; mem info -s -p <filename.pem>; mem info -s -p <filename.pem> -w contain the changes. OBS! When using -w, be careful not to overwrite your genuine RDV4 signature. As always, with great power comes great responsibility
2025-09-25 19:44:36 +02:00
Oleg Moiseenko
944a80d217
make style
2025-09-21 16:41:30 +03:00
iceman1001
c3e29789a9
added a --override MAD crc check parameter to NDEF read commands
2025-08-29 13:55:00 +02:00
Philippe Teuwen
48724e44b4
hf mf sim: add --allowover option, needed for RF08S originality check
2025-07-25 20:54:18 +02:00
iceman1001
5de4dd68e5
text
2025-06-22 20:34:54 +02:00
iceman1001
65607fc727
added Ultralight-C simulation. hf mfu sim -t 13. Use eload first. Also added support to upload UL-C dictionaries and UL-AES to spiffs memory. A lot of textual rework across the client. Unify texts and a bit more color ;)
2025-06-19 17:26:20 +02:00
iceman1001
804acfbefa
The device side of iclass tear off is implemented. The base was done by @antiklesys. This version differs by the concept of trying to stabilize weak bits by performing a write operation in conjunction with the detected tear. It's untested but I can replicate most of the tears we performed client side. You will need to call the proxmark3 client with -f, ./pm3 -f, to force flushing out text, which is needed for the in-place printing. I thought this was done automatically but it wasn't. hf iclass tear --arm + all the normal params to run on device side
2025-05-30 01:37:13 +02:00
iceman1001
cb4a0e2333
rename struct to follow code style
2025-04-30 13:27:41 +02:00
kormax
3550f11726
Remove mag argument from commands; Add support for magsafe polling via 14a config
2025-04-20 17:55:55 +03:00
kormax
56336d9d82
Add support for polling loop annotations
2025-04-09 12:31:21 +03:00
iceman1001
87c2e82e2f
style
2025-03-19 12:53:24 +01:00
douniwan5788
4bde83b89d
Added lf hitag htu support for Hitag µ/8265
2025-03-19 18:56:23 +08:00
iceman1001
2137284a93
style
Some improvements to trace list -t seos annotations.
2025-03-12 16:41:06 +01:00
leecher1337
0e2a02bdf0
Implement new command hf 15 slixprotectpage to do ISO15693_PROTECT_PAGE on slix tags
2025-03-09 11:54:51 +01:00
iceman1001
cef07dedf6
Code style, code clean-up of redundant functions, comments; it's many minor fixes across the platform. Sorry for not making 20 commits
2025-02-21 15:38:33 +01:00
Philippe Teuwen
1acc030fd4
rework simaid & rename few vars
2025-02-12 08:44:42 +01:00
n-hutton
4a23fb05f0
Cherry pick POC of emv simulation
2024-11-21 19:23:03 +00:00
ANTodorov
48ec109a1e
use all spi flash v0.1
* introduced a new communication command CMD_FLASHMEM_PAGES64K to get the number of 64k pages
* "the last page" is a special, holding the dicts and some other stuff, relocated to there
* raised timeout when wiping a mem page (W25Q16 looks a bit slower than W25X20BV)
* loop all pages in Flash_WipeMemory()
2024-11-17 19:03:15 +02:00
Philippe Teuwen
46813e0e50
hf mf isen: rewrite counters, add specific NONCE_SUPERSTATIC case (when first nt == nested nt)
2024-11-05 17:07:54 +01:00
Philippe Teuwen
838e0adfa7
rework Mifare simulation flags
2024-10-19 20:34:40 +02:00
Philippe Teuwen
079689628b
hf mf sim: add nested reader attack (needs data & rf08s nonces)
2024-10-16 19:54:03 +02:00
Philippe Teuwen
5b7ba3bf50
MFsim: RATS_IN_DATA was not a proper bit flag
2024-10-16 15:24:01 +02:00
Philippe Teuwen
a11ba61b01
hf mf ecfill: add support for quick dump via backdoor auth
2024-10-13 22:55:41 +02:00
iceman1001
c002ae9f77
style
2024-10-06 10:08:17 +02:00
douniwan5788
9a50e608e0
add PM3_REASON_UNKNOWN
2024-10-04 23:25:15 +08:00
douniwan5788
96d462acee
add: split PacketResponseNG status to status and reason
2024-09-24 03:10:53 +08:00
Adam Jon Foster
03fcc1d8d6
Update pm3_cmd.h
Signed-off-by: Adam Jon Foster <me@evildaemond.com>
2024-09-23 15:31:46 +08:00
Adam Jon Foster
d48d69b3e2
Update pm3_cmd.h
Added Header File
Signed-off-by: Adam Jon Foster <me@evildaemond.com>
2024-09-23 14:42:22 +08:00
Adam Jon Foster
92767a685f
Update pm3_cmd.h
Added RATS_IN_DATA as a definition
Signed-off-by: Adam Jon Foster <me@evildaemond.com>
2024-09-23 14:33:30 +08:00
iceman1001
db1b28f327
rename hts read/write commands to rdbl/wrbl to match the rest of the client. added a lf hitag hts reader command, modified the lf search to identify hitag2/s/82xx in the chipset detection
2024-09-14 21:00:42 +02:00
douniwan5788
9b879b0dc0
fix: exit status
2024-09-05 19:31:37 +08:00
douniwan5788
970c2d0999
refactor: remove positive error codes
2024-09-04 22:50:26 +08:00
Philippe Teuwen
c73e2ea623
Added support for collecting all fm11rf08s nT/{nT}/par_err at once
2024-09-02 23:11:36 +02:00
douniwan5788
8928883f2d
refactor: move FPGA_BITSTREAM_* to fpga.h
2024-08-26 20:55:58 +08:00
douniwan5788
d15537bbf1
Unified hitag naming style
2024-08-22 02:01:43 +08:00