Added new standalone mode HF_ST25_TEAROFF to store/restore ST25TB tags with tearoff for counters (@seclabz)

2025-07-06 04:51:36 -07:00 · 2025-04-16 14:05:10 +02:00 · 2025-04-16 14:05:10 +02:00 · 19789381df
commit 19789381df
parent cf3cb6e03a
7 changed files with 1186 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 ## [unreleased][unreleased]
 - Fixed `hf mf fchk --mem` to actually use flash dict (@doegox)
 - Fixed `make install` on OSX thanks DaveItsLong (@doegox)
+- Added new standalone mode `HF_ST25_TEAROFF` to store/restore ST25TB tags with tearoff for counters (@seclabz)

 ## [Blue Ice.4.20142][2025-03-25]
 - Added `des_talk.py` script for easier MIFARE DESFire handling (@trigat)
--- a/armsrc/Standalone/Makefile.hal
+++ b/armsrc/Standalone/Makefile.hal
@ -119,6 +119,9 @@ define KNOWN_STANDALONE_DEFINITIONS
 | HF_REBLAY       | 14A Relay over BT                      |
 | (RDV4 only)     |  - Salvador Mendoza                    |
 +----------------------------------------------------------+
+| HF_ST25_TEAROFF | Store/restore ST25TB tags with         |
+|                 | tear-off for counters - SecLabz        |
+----------------------------------------------------------+
 | HF_TCPRST       | IKEA Rothult read/sim/dump/emul        |
 |                 | - Nick Draffen                         |
 +----------------------------------------------------------+
@ -139,7 +142,7 @@ endef

 STANDALONE_MODES := LF_SKELETON
 STANDALONE_MODES += LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_MULTIHID LF_NEDAP_SIM LF_NEXID LF_PROXBRUTE LF_PROX2BRUTE LF_SAMYRUN LF_THAREXDE
-STANDALONE_MODES += HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_15SIM HF_AVEFUL HF_BOG HF_CARDHOPPER HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_REBLAY HF_TCPRST HF_TMUDFORD HF_UNISNIFF HF_YOUNG
+STANDALONE_MODES += HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_15SIM HF_AVEFUL HF_BOG HF_CARDHOPPER HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_REBLAY HF_ST25_TEAROFF HF_TCPRST HF_TMUDFORD HF_UNISNIFF HF_YOUNG
 STANDALONE_MODES += DANKARMULTI
 STANDALONE_MODES_REQ_BT := HF_CARDHOPPER HF_REBLAY
 STANDALONE_MODES_REQ_SMARTCARD :=
--- a/armsrc/Standalone/Makefile.inc
+++ b/armsrc/Standalone/Makefile.inc
@ -157,6 +157,10 @@ endif
 ifneq (,$(findstring WITH_STANDALONE_HF_YOUNG,$(APP_CFLAGS)))
    SRC_STANDALONE = hf_young.c
 endif
+# WITH_STANDALONE_HF_ST25_TEAROFF
+ifneq (,$(findstring WITH_STANDALONE_HF_ST25_TEAROFF,$(APP_CFLAGS)))
+    SRC_STANDALONE = hf_st25_tearoff.c
+endif

 ifneq (,$(findstring WITH_STANDALONE_DANKARMULTI,$(APP_CFLAGS)))
    SRC_STANDALONE = dankarmulti.c
--- a/armsrc/Standalone/hf_st25_tearoff.c
+++ b/armsrc/Standalone/hf_st25_tearoff.c
--- a/armsrc/iso14443b.c
+++ b/armsrc/iso14443b.c
@ -1585,7 +1585,7 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len, bool framing) {
 /*
 *  Convenience function to encode, transmit and trace iso 14443b comms
 */
-static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing) {
+void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing) {
    const tosend_t *ts = get_tosend();
    CodeIso14443bAsReader(cmd, len, framing);
    TransmitFor14443b_AsReader(start_time);
@ -1800,7 +1800,7 @@ static int iso14443b_select_cts_card(iso14b_cts_card_select_t *card) {
 /**
 * SRx Initialise.
 */
-static int iso14443b_select_srx_card(iso14b_card_select_t *card) {
+int iso14443b_select_srx_card(iso14b_card_select_t *card) {
    // INITIATE command: wake up the tag using the INITIATE
    static const uint8_t init_srx[] = { ISO14443B_INITIATE, 0x00, 0x97, 0x5b };
    uint8_t r_init[3] = { 0x00 };
@ -2307,7 +2307,7 @@ void iso14443b_setup(void) {
 //
 // I tried to be systematic and check every answer of the tag, every CRC, etc...
 //-----------------------------------------------------------------------------
-static int read_14b_srx_block(uint8_t blocknr, uint8_t *block) {
+int read_14b_srx_block(uint8_t blocknr, uint8_t *block) {

    uint8_t cmd[] = {ISO14443B_READ_BLK, blocknr, 0x00, 0x00};
    AddCrc14B(cmd, 2);
--- a/armsrc/iso14443b.h
+++ b/armsrc/iso14443b.h
@ -45,8 +45,11 @@ int iso14443b_select_card(iso14b_card_select_t *card);

 void SimulateIso14443bTag(const uint8_t *pupi);
 void read_14b_st_block(uint8_t blocknr);
+int read_14b_srx_block(uint8_t blocknr, uint8_t *block);
+int iso14443b_select_srx_card(iso14b_card_select_t *card);
 void SniffIso14443b(void);
 void SendRawCommand14443B(iso14b_raw_cmd_t *p);
+void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing);

 // States for 14B SIM command
 #define SIM_POWER_OFF   0
--- a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
+++ b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
@ -140,6 +140,7 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo
 | HF_MFCSIM       | Simulate Mifare Classic 1k card storing in flashmem - Ray Lee
 | HF_MSDSAL       | EMV Read and emulation - Salvador Mendoza
 | HF_REBLAY       | 14A relay over BT  - Salvador Mendoza
+| HF_ST25_TEAROFF | Store/restore ST25TB tags with tear-off for counters - SecLabz 
 | HF_TCPRST       | IKEA Rothult ST25TA, Standalone Master Key Dump/Emulation - Nick Draffen
 | HF_TMUDFORD     | Read and emulate ISO15693 card UID - Tim Mudford
 | HF_UNISNIFF     | Combined 14a/14b/15 sniffer with runtime selection & extra save options