2020-01-10 22:43:12 +08:00
# Proxmark3 command dump
Some commands are available only if a Proxmark3 is actually connected.
Check column "offline" for their availability.
2020-01-04 19:50:54 +08:00
|command |offline |description
|------- |------- |-----------
|`help `|Y |` This help. Use '< command > help' for details of a particular command.`
2020-01-10 22:43:12 +08:00
|`auto `|N |` Automated detection process for unknown tags`
2020-01-04 19:50:54 +08:00
|`msleep `|Y |` Add a pause in milliseconds`
|`rem `|Y |` Add a text line in log file`
|`quit `|Y |` `
|`exit `|Y |` Exit program`
### analyse
{ Analyse utils... }
|command |offline |description
|------- |------- |-----------
|`analyse help `|Y |` This help`
|`analyse lcr `|Y |` Generate final byte for XOR LRC`
|`analyse crc `|Y |` Stub method for CRC evaluations`
|`analyse chksum `|Y |` Checksum with adding, masking and one's complement`
|`analyse dates `|Y |` Look for datestamps in a given array of bytes`
|`analyse tea `|Y |` Crypto TEA test`
|`analyse lfsr `|Y |` LFSR tests`
|`analyse a `|Y |` num bits test`
|`analyse nuid `|Y |` create NUID from 7byte UID`
|`analyse demodbuff `|Y |` Load binary string to demodbuffer`
### data
{ Plot window / data buffer manipulation... }
|command |offline |description
|------- |------- |-----------
|`data help `|Y |` This help`
|`data askedgedetect `|Y |` [threshold] Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)`
|`data autocorr `|Y |` [window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)`
|`data biphaserawdecode `|Y |` [offset] [invert< 0 | 1 > ] [maxErr] -- Biphase decode bin stream in DemodBuffer (offset = 0|1 bits to shift the decode start)`
|`data bin2hex `|Y |` < digits > -- Converts binary to hexadecimal`
2020-01-10 22:43:12 +08:00
|`data bitsamples `|N |` Get raw samples as bitstring`
2020-01-04 19:50:54 +08:00
|`data buffclear `|Y |` Clears bigbuff on deviceside and graph window`
|`data convertbitstream `|Y |` Convert GraphBuffer's 0/1 values to 127 / -127`
|`data dec `|Y |` Decimate samples`
|`data detectclock `|Y |` [< a | f | n | p > ] Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer`
|`data fsktonrz `|Y |` Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)`
|`data getbitstream `|Y |` Convert GraphBuffer's >=1 values to 1 and < 1 to 0 `
|`data grid `|Y |` < x > < y > -- overlay grid on graph window, use zero value to turn off either`
2020-01-10 22:43:12 +08:00
|`data hexsamples `|N |` < bytes > [< offset > ] -- Dump big buffer as hex bytes`
2020-01-04 19:50:54 +08:00
|`data hex2bin `|Y |` < hexadecimal > -- Converts hexadecimal to binary`
|`data hide `|Y |` Hide graph window`
|`data hpf `|Y |` Remove DC offset from trace`
|`data load `|Y |` < filename > -- Load trace (to graph window`
|`data ltrim `|Y |` < samples > -- Trim samples from left of trace`
|`data rtrim `|Y |` < location to end trace > -- Trim samples from right of trace`
|`data mtrim `|Y |` < start > < stop > -- Trim out samples from the specified start to the specified stop`
|`data manrawdecode `|Y |` [invert] [maxErr] -- Manchester decode binary stream in DemodBuffer`
|`data norm `|Y |` Normalize max/min to +/-128`
|`data plot `|Y |` Show graph window (hit 'h' in window for keystroke help)`
|`data printdemodbuffer `|Y |` [x] [o] < offset > [l] < length > -- print the data in the DemodBuffer - 'x' for hex output`
|`data rawdemod `|Y |` [modulation] ... < options > -see help (h option) -- Demodulate the data in the GraphBuffer and output binary`
2020-01-10 22:43:12 +08:00
|`data samples `|N |` [512 - 40000] -- Get raw samples for graph window (GraphBuffer)`
2020-01-04 19:50:54 +08:00
|`data save `|Y |` Save trace (from graph window)`
|`data setgraphmarkers `|Y |` [orange_marker] [blue_marker] (in graph window)`
|`data scale `|Y |` < int > -- Set cursor display scale in carrier frequency expressed in kHz`
|`data setdebugmode `|Y |` < 0 | 1 | 2 > -- Set Debugging Level on client side`
|`data shiftgraphzero `|Y |` < shift > -- Shift 0 for Graphed wave + or - shift value`
|`data dirthreshold `|Y |` < thres up > < thres down > -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.`
2020-01-10 22:43:12 +08:00
|`data tune `|N |` Get hw tune samples for graph window`
2020-01-04 19:50:54 +08:00
|`data undec `|Y |` Un-decimate samples by 2`
|`data zerocrossings `|Y |` Count time between zero-crossings`
|`data iir `|Y |` apply IIR buttersworth filter on plotdata`
### emv
{ EMV ISO-14443 / ISO-7816... }
|command |offline |description
|------- |------- |-----------
|`emv help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`emv exec `|N |` Executes EMV contactless transaction.`
|`emv pse `|N |` Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.`
|`emv search `|N |` Try to select all applets from applets list and print installed applets.`
|`emv select `|N |` Select applet.`
|`emv gpo `|N |` Execute GetProcessingOptions.`
|`emv readrec `|N |` Read files from card.`
|`emv genac `|N |` Generate ApplicationCryptogram.`
|`emv challenge `|N |` Generate challenge.`
|`emv intauth `|N |` Internal authentication.`
|`emv scan `|N |` Scan EMV card and save it contents to json file for emulator.`
2020-01-04 19:50:54 +08:00
|`emv test `|Y |` Crypto logic test.`
|`emv list `|Y |` List ISO7816 history`
2020-01-10 22:43:12 +08:00
|`emv roca `|N |` Extract public keys and run ROCA test`
2020-01-04 19:50:54 +08:00
### hf
{ High frequency commands... }
|command |offline |description
|------- |------- |-----------
|`hf help `|Y |` This help`
|`hf list `|Y |` List protocol data in trace buffer`
2020-01-10 22:43:12 +08:00
|`hf tune `|N |` Continuously measure HF antenna tuning`
2020-01-04 19:50:54 +08:00
|`hf search `|Y |` Search for known HF tags`
2020-01-10 22:43:12 +08:00
|`hf sniff `|N |` < samples to skip ( 10000 ) > < triggers to skip ( 1 ) > Generic HF Sniff`
2020-01-04 19:50:54 +08:00
### hf 14a
{ ISO14443A RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf 14a help `|Y |` This help`
|`hf 14a list `|Y |` List ISO 14443-a history`
2020-01-10 22:43:12 +08:00
|`hf 14a info `|N |` Tag information`
|`hf 14a reader `|N |` Act like an ISO14443-a reader`
|`hf 14a cuids `|N |` < n > Collect n>0 ISO14443-a UIDs in one go`
|`hf 14a sim `|N |` < UID > -- Simulate ISO 14443-a tag`
|`hf 14a sniff `|N |` sniff ISO 14443-a traffic`
|`hf 14a apdu `|N |` Send ISO 14443-4 APDU to tag`
|`hf 14a chaining `|N |` Control ISO 14443-4 input chaining`
|`hf 14a raw `|N |` Send raw hex data to tag`
|`hf 14a antifuzz `|N |` Fuzzing the anticollision phase. Warning! Readers may react strange`
2020-01-04 19:50:54 +08:00
### hf 14b
{ ISO14443B RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf 14b help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf 14b dump `|N |` Read all memory pages of an ISO14443-B tag, save to file`
|`hf 14b info `|N |` Tag information`
2020-01-04 19:50:54 +08:00
|`hf 14b list `|Y |` List ISO 14443B history`
2020-01-10 22:43:12 +08:00
|`hf 14b raw `|N |` Send raw hex data to tag`
|`hf 14b reader `|N |` Act as a 14443B reader to identify a tag`
|`hf 14b sim `|N |` Fake ISO 14443B tag`
|`hf 14b sniff `|N |` Eavesdrop ISO 14443B`
|`hf 14b sriread `|N |` Read contents of a SRI512 | SRIX4K tag`
|`hf 14b sriwrite `|N |` Write data to a SRI512 | SRIX4K tag`
2020-01-04 19:50:54 +08:00
### hf 15
{ ISO15693 RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf 15 help `|Y |` This help`
|`hf 15 demod `|Y |` Demodulate ISO15693 from tag`
2020-01-10 22:43:12 +08:00
|`hf 15 dump `|N |` Read all memory pages of an ISO15693 tag, save to file`
|`hf 15 findafi `|N |` Brute force AFI of an ISO15693 tag`
|`hf 15 writeafi `|N |` Writes the AFI on an ISO15693 tag`
|`hf 15 writedsfid `|N |` Writes the DSFID on an ISO15693 tag`
|`hf 15 info `|N |` Tag information`
2020-01-04 19:50:54 +08:00
|`hf 15 list `|Y |` List ISO15693 history`
2020-01-10 22:43:12 +08:00
|`hf 15 raw `|N |` Send raw hex data to tag`
|`hf 15 reader `|N |` Act like an ISO15693 reader`
|`hf 15 record `|N |` Record Samples (ISO15693)`
|`hf 15 restore `|N |` Restore from file to all memory pages of an ISO15693 tag`
|`hf 15 sim `|N |` Fake an ISO15693 tag`
|`hf 15 samples `|N |` Acquire Samples as Reader (enables carrier, sends inquiry)`
|`hf 15 read `|N |` Read a block`
|`hf 15 write `|N |` Write a block`
|`hf 15 readmulti `|N |` Reads multiple Blocks`
|`hf 15 csetuid `|N |` Set UID for magic Chinese card`
2020-01-04 19:50:54 +08:00
### hf epa
{ German Identification Card... }
|command |offline |description
|------- |------- |-----------
|`hf epa help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf epa cnonces `|N |` < m > < n > < d > Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses`
|`hf epa preplay `|N |` < mse > < get > < map > < pka > < ma > Perform PACE protocol by replaying given APDUs`
2020-01-04 19:50:54 +08:00
### hf felica
{ ISO18092 / Felica RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf felica help `|Y |` This help`
|`hf felica list `|Y |` List ISO 18092/FeliCa history`
2020-01-10 22:43:12 +08:00
|`hf felica reader `|N |` Act like an ISO18092/FeliCa reader`
|`hf felica sniff `|N |` Sniff ISO 18092/FeliCa traffic`
|`hf felica raw `|N |` Send raw hex data to tag`
|`hf felica rqservice `|N |` verify the existence of Area and Service, and to acquire Key Version.`
|`hf felica rqresponse `|N |` verify the existence of a card and its Mode.`
|`hf felica rdunencrypted`|N |`read Block Data from authentication-not-required Service.`
|`hf felica wrunencrypted`|N |`write Block Data to an authentication-not-required Service.`
|`hf felica scsvcode `|N |` acquire Area Code and Service Code.`
|`hf felica rqsyscode `|N |` acquire System Code registered to the card.`
|`hf felica auth1 `|N |` authenticate a card. Start mutual authentication with Auth1`
|`hf felica auth2 `|N |` allow a card to authenticate a Reader/Writer. Complete mutual authentication`
|`hf felica read `|N |` read Block Data from authentication-required Service.`
|`hf felica rqspecver `|N |` acquire the version of card OS.`
|`hf felica resetmode `|N |` reset Mode to Mode 0.`
|`hf felica litesim `|N |` < NDEF2 > - only reply to poll request`
|`hf felica litedump `|N |` Wait for and try dumping FelicaLite`
2020-01-04 19:50:54 +08:00
### hf legic
{ LEGIC RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf legic help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf legic reader `|N |` LEGIC Prime Reader UID and tag info`
|`hf legic info `|N |` Display deobfuscated and decoded LEGIC Prime tag data`
|`hf legic dump `|N |` Dump LEGIC Prime tag to binary file`
|`hf legic restore `|N |` Restore a dump file onto a LEGIC Prime tag`
|`hf legic rdmem `|N |` Read bytes from a LEGIC Prime tag`
|`hf legic sim `|N |` Start tag simulator`
|`hf legic write `|N |` Write data to a LEGIC Prime tag`
2020-01-04 19:50:54 +08:00
|`hf legic crc `|Y |` Calculate Legic CRC over given bytes`
2020-01-10 22:43:12 +08:00
|`hf legic eload `|N |` Load binary dump to emulator memory`
|`hf legic esave `|N |` Save emulator memory to binary file`
2020-01-04 19:50:54 +08:00
|`hf legic list `|Y |` List LEGIC history`
2020-01-10 22:43:12 +08:00
|`hf legic wipe `|N |` Wipe a LEGIC Prime tag`
2020-01-04 19:50:54 +08:00
### hf iclass
{ ICLASS RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf iclass help `|Y |` This help`
|`hf iclass calcnewkey `|Y |` [options..] Calc diversified keys (blocks 3 & 4) to write new keys`
|`hf iclass chk `|Y |` [options..] Check keys`
2020-01-10 22:43:12 +08:00
|`hf iclass clone `|N |` [options..] Restore a dump file onto a iClass tag`
2020-01-04 19:50:54 +08:00
|`hf iclass decrypt `|Y |` [options..] Decrypt given block data or tag dump file`
2020-01-10 22:43:12 +08:00
|`hf iclass dump `|N |` [options..] Dump iClass tag to file`
|`hf iclass eload `|N |` [f < fname > ] Load iClass dump file into emulator memory`
2020-01-04 19:50:54 +08:00
|`hf iclass encrypt `|Y |` [options..] Encrypt given block data`
|`hf iclass info `|Y |` Tag information`
|`hf iclass list `|Y |` List iClass history`
|`hf iclass loclass `|Y |` [options..] Use loclass to perform bruteforce reader attack`
|`hf iclass lookup `|Y |` [options..] Uses authentication trace to check for key in dictionary file`
|`hf iclass managekeys `|Y |` [options..] Manage keys to use with iClass`
2020-01-10 22:43:12 +08:00
|`hf iclass permutekey `|N |` Permute function from 'heart of darkness' paper`
|`hf iclass rdbl `|N |` [options..] Read iClass block`
|`hf iclass reader `|N |` Act like an iClass reader`
2020-01-04 19:50:54 +08:00
|`hf iclass readtagfile `|Y |` [options..] Display content from tag dump file`
2020-01-10 22:43:12 +08:00
|`hf iclass replay `|N |` < mac > Read iClass tag via replay attack`
|`hf iclass sim `|N |` [options..] Simulate iClass tag`
|`hf iclass sniff `|N |` Eavesdrop iClass communication`
|`hf iclass wrbl `|N |` [options..] Write iClass block`
2020-01-04 19:50:54 +08:00
### hf mf
{ MIFARE RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mf help `|Y |` This help`
|`hf mf list `|Y |` List MIFARE history`
2020-01-10 22:43:12 +08:00
|`hf mf darkside `|N |` Darkside attack`
|`hf mf nested `|N |` Nested attack`
2020-01-04 19:50:54 +08:00
|`hf mf hardnested `|Y |` Nested attack for hardened MIFARE Classic cards`
2020-01-10 22:43:12 +08:00
|`hf mf autopwn `|N |` Automatic key recovery tool for MIFARE Classic`
|`hf mf nack `|N |` Test for MIFARE NACK bug`
|`hf mf chk `|N |` Check keys`
|`hf mf fchk `|N |` Check keys fast, targets all keys on card`
2020-01-04 19:50:54 +08:00
|`hf mf decrypt `|Y |` [nt] [ar_enc] [at_enc] [data] - to decrypt sniff or trace`
2020-01-10 22:43:12 +08:00
|`hf mf rdbl `|N |` Read MIFARE classic block`
|`hf mf rdsc `|N |` Read MIFARE classic sector`
|`hf mf dump `|N |` Dump MIFARE classic tag to binary file`
|`hf mf restore `|N |` Restore MIFARE classic binary file to BLANK tag`
|`hf mf wrbl `|N |` Write MIFARE classic block`
|`hf mf setmod `|N |` Set MIFARE Classic EV1 load modulation strength`
|`hf mf auth4 `|N |` ISO14443-4 AES authentication`
|`hf mf sim `|N |` Simulate MIFARE card`
|`hf mf eclr `|N |` Clear simulator memory`
|`hf mf eget `|N |` Get simulator memory block`
|`hf mf eset `|N |` Set simulator memory block`
|`hf mf eload `|N |` Load from file emul dump`
|`hf mf esave `|N |` Save to file emul dump`
|`hf mf ecfill `|N |` Fill simulator memory with help of keys from simulator`
|`hf mf ekeyprn `|N |` Print keys from simulator memory`
|`hf mf csetuid `|N |` Set UID (magic chinese card)`
|`hf mf cwipe `|N |` Wipe card to default UID/Sectors/Keys`
|`hf mf csetblk `|N |` Write block (magic chinese card)`
|`hf mf cgetblk `|N |` Read block (magic chinese card)`
|`hf mf cgetsc `|N |` Read sector (magic chinese card)`
|`hf mf cload `|N |` Load dump (magic chinese card)`
|`hf mf csave `|N |` Save dump from magic chinese card into file or emulator`
|`hf mf mad `|N |` Checks and prints MAD`
|`hf mf ndef `|N |` Prints NDEF records from card`
|`hf mf ice `|N |` collect MIFARE Classic nonces to file`
2020-01-04 19:50:54 +08:00
### hf mfp
{ MIFARE Plus RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mfp help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf mfp info `|N |` Info about Mifare Plus tag`
|`hf mfp wrp `|N |` Write Perso command`
|`hf mfp initp `|N |` Fills all the card's keys`
|`hf mfp commitp `|N |` Move card to SL1 or SL3 mode`
|`hf mfp auth `|N |` Authentication`
|`hf mfp rdbl `|N |` Read blocks`
|`hf mfp rdsc `|N |` Read sectors`
|`hf mfp wrbl `|N |` Write blocks`
|`hf mfp chk `|N |` Check keys`
|`hf mfp mad `|N |` Checks and prints MAD`
|`hf mfp ndef `|N |` Prints NDEF records from card`
2020-01-04 19:50:54 +08:00
### hf mfu
{ MIFARE Ultralight RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mfu help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf mfu info `|N |` Tag information`
|`hf mfu dump `|N |` Dump Ultralight / Ultralight-C / NTAG tag to binary file`
|`hf mfu restore `|N |` Restore a dump onto a MFU MAGIC tag`
|`hf mfu eload `|N |` load Ultralight .eml dump file into emulator memory`
|`hf mfu rdbl `|N |` Read block`
|`hf mfu wrbl `|N |` Write block`
|`hf mfu cauth `|N |` Authentication - Ultralight C`
|`hf mfu setpwd `|N |` Set 3des password - Ultralight-C`
|`hf mfu setuid `|N |` Set UID - MAGIC tags only`
|`hf mfu sim `|N |` Simulate Ultralight from emulator memory`
2020-01-04 19:50:54 +08:00
|`hf mfu gen `|Y |` Generate 3des mifare diversified keys`
|`hf mfu pwdgen `|Y |` Generate pwd from known algos`
2020-01-10 22:43:12 +08:00
|`hf mfu otptear `|N |` Tear-off test on OTP bits`
2020-01-04 19:50:54 +08:00
### hf mfdes
{ MIFARE Desfire RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mfdes help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf mfdes info `|N |` Tag information`
|`hf mfdes enum `|N |` Tries enumerate all applications`
|`hf mfdes auth `|N |` Tries a MIFARE DesFire Authentication`
2020-01-04 19:50:54 +08:00
### hf topaz
{ TOPAZ (NFC Type 1) RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf topaz help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf topaz reader `|N |` Act like a Topaz reader`
|`hf topaz sim `|N |` < UID > -- Simulate Topaz tag`
|`hf topaz sniff `|N |` Sniff Topaz reader-tag communication`
|`hf topaz raw `|N |` Send raw hex data to tag`
2020-01-04 19:50:54 +08:00
|`hf topaz list `|Y |` List Topaz history`
### hf fido
{ FIDO and FIDO2 authenticators... }
|command |offline |description
|------- |------- |-----------
|`hf fido help `|Y |` This help.`
2020-01-10 22:43:12 +08:00
|`hf fido info `|N |` Info about FIDO tag.`
|`hf fido reg `|N |` FIDO U2F Registration Message.`
|`hf fido auth `|N |` FIDO U2F Authentication Message.`
|`hf fido make `|N |` FIDO2 MakeCredential command.`
|`hf fido assert `|N |` FIDO2 GetAssertion command.`
2020-01-04 19:50:54 +08:00
### hf thinfilm
{ Thinfilm RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf thinfilm help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`hf thinfilm info `|N |` Tag information`
2020-01-04 19:50:54 +08:00
|`hf thinfilm list `|Y |` List NFC Barcode / Thinfilm history - not correct`
2020-01-10 22:43:12 +08:00
|`hf thinfilm sim `|N |` Fake Thinfilm tag`
2020-01-04 19:50:54 +08:00
### hw
{ Hardware commands... }
|command |offline |description
|------- |------- |-----------
|`hw help `|Y |` This help`
|`hw connect `|Y |` connect Proxmark3 to serial port`
2020-01-10 22:43:12 +08:00
|`hw dbg `|N |` Set Proxmark3 debug level`
|`hw detectreader `|N |` ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)`
|`hw fpgaoff `|N |` Set FPGA off`
2020-01-04 19:50:54 +08:00
|`hw lcd `|N |` < HEX command > < count > -- Send command/data to LCD`
|`hw lcdreset `|N |` Hardware reset LCD`
2020-01-10 22:43:12 +08:00
|`hw ping `|N |` Test if the Proxmark3 is responsive`
|`hw readmem `|N |` [address] -- Read memory at decimal address from flash`
|`hw reset `|N |` Reset the Proxmark3`
|`hw setlfdivisor `|N |` < 19 - 255 > -- Drive LF antenna at 12MHz/(divisor+1)`
|`hw setmux `|N |` Set the ADC mux to a specific value`
|`hw standalone `|N |` Jump to the standalone mode`
|`hw status `|N |` Show runtime status information about the connected Proxmark3`
|`hw tia `|N |` Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider`
|`hw tune `|N |` Measure antenna tuning`
|`hw version `|N |` Show version information about the connected Proxmark3`
2020-01-04 19:50:54 +08:00
### lf
{ Low frequency commands... }
|command |offline |description
|------- |------- |-----------
|`lf help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`lf config `|N |` Get/Set config for LF sampling, bit/sample, decimation, frequency`
|`lf cmdread `|N |` Modulate LF reader field to send command before read (all periods in microseconds)`
|`lf read `|N |` Read LF tag`
|`lf search `|Y |` Read and Search for valid known tag (in offline mode it you can load first then search)`
|`lf sim `|N |` Simulate LF tag from buffer with optional GAP (in microseconds)`
|`lf simask `|N |` Simulate LF ASK tag from demodbuffer or input`
|`lf simfsk `|N |` Simulate LF FSK tag from demodbuffer or input`
|`lf simpsk `|N |` Simulate LF PSK tag from demodbuffer or input`
|`lf simbidir `|N |` Simulate LF tag (with bidirectional data transmission between reader and tag)`
|`lf sniff `|N |` Sniff LF traffic between reader and tag`
|`lf tune `|N |` Continuously measure LF antenna tuning`
2020-01-04 19:50:54 +08:00
### lf awid
{ AWID RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf awid help `|Y |` this help`
|`lf awid demod `|Y |` demodulate an AWID FSK tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf awid read `|N |` attempt to read and extract tag data`
|`lf awid clone `|N |` clone AWID tag to T55x7 (or to q5/T5555)`
|`lf awid sim `|N |` simulate AWID tag`
|`lf awid brute `|N |` Bruteforce card number against reader`
|`lf awid watch `|N |` continuously watch for cards. Reader mode`
2020-01-04 19:50:54 +08:00
### lf cotag
{ COTAG CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf cotag help `|Y |` This help`
|`lf cotag demod `|Y |` Tries to decode a COTAG signal`
2020-01-10 22:43:12 +08:00
|`lf cotag read `|N |` Attempt to read and extract tag data`
2020-01-04 19:50:54 +08:00
### lf em
{ EM4X CHIPs & RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf em help `|Y |` This help`
|`lf em 410x_demod `|Y |` demodulate a EM410x tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf em 410x_read `|N |` attempt to read and extract tag data`
|`lf em 410x_sim `|N |` simulate EM410x tag`
|`lf em 410x_brute `|N |` reader bruteforce attack by simulating EM410x tags`
|`lf em 410x_watch `|N |` watches for EM410x 125/134 kHz tags (option 'h' for 134)`
|`lf em 410x_spoof `|N |` watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)`
|`lf em 410x_write `|N |` write EM410x UID to T5555(Q5) or T55x7 tag`
2020-01-04 19:50:54 +08:00
|`lf em 4x05_demod `|Y |` demodulate a EM4x05/EM4x69 tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf em 4x05_dump `|N |` dump EM4x05/EM4x69 tag`
|`lf em 4x05_wipe `|N |` wipe EM4x05/EM4x69 tag`
|`lf em 4x05_info `|N |` tag information EM4x05/EM4x69`
|`lf em 4x05_read `|N |` read word data from EM4x05/EM4x69`
|`lf em 4x05_write `|N |` write word data to EM4x05/EM4x69`
2020-01-04 19:50:54 +08:00
|`lf em 4x50_demod `|Y |` demodulate a EM4x50 tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf em 4x50_dump `|N |` dump EM4x50 tag`
|`lf em 4x50_read `|N |` read word data from EM4x50`
|`lf em 4x50_write `|N |` write word data to EM4x50`
2020-01-04 19:50:54 +08:00
### lf fdx
{ FDX-B RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf fdx help `|Y |` this help`
|`lf fdx demod `|Y |` demodulate a FDX-B ISO11784/85 tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf fdx read `|N |` attempt to read and extract tag data`
|`lf fdx clone `|N |` clone animal ID tag to T55x7 (or to q5/T5555)`
|`lf fdx sim `|N |` simulate Animal ID tag`
2020-01-04 19:50:54 +08:00
### lf gallagher
{ GALLAGHER RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf gallagher help `|Y |` This help`
|`lf gallagher demod `|Y |` Demodulate an GALLAGHER tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf gallagher read `|N |` Attempt to read and extract tag data from the antenna`
|`lf gallagher clone `|N |` clone GALLAGHER tag to T55x7`
|`lf gallagher sim `|N |` simulate GALLAGHER tag`
2020-01-04 19:50:54 +08:00
### lf gproxii
{ Guardall Prox II RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf gproxii help `|Y |` this help`
|`lf gproxii demod `|Y |` demodulate a G Prox II tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf gproxii read `|N |` attempt to read and extract tag data from the antenna`
|`lf gproxii clone `|N |` clone Guardall tag to T55x7`
|`lf gproxii sim `|N |` simulate Guardall tag`
2020-01-04 19:50:54 +08:00
### lf hid
{ HID RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf hid help `|Y |` this help`
|`lf hid demod `|Y |` demodulate HID Prox tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf hid read `|N |` attempt to read and extract tag data`
|`lf hid clone `|N |` clone HID tag to T55x7`
|`lf hid sim `|N |` simulate HID tag`
|`lf hid brute `|N |` bruteforce card number against reader`
|`lf hid watch `|N |` continuously watch for cards. Reader mode`
2020-01-04 19:50:54 +08:00
### lf hitag
{ Hitag CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf hitag help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`lf hitag list `|N |` List Hitag trace history`
|`lf hitag info `|N |` Tag information`
|`lf hitag reader `|N |` Act like a Hitag Reader`
|`lf hitag sim `|N |` Simulate Hitag transponder`
|`lf hitag sniff `|N |` Eavesdrop Hitag communication`
|`lf hitag writer `|N |` Act like a Hitag Writer`
|`lf hitag cc `|N |` Test all challenges`
2020-01-04 19:50:54 +08:00
### lf indala
{ Indala RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf indala help `|Y |` this help`
|`lf indala demod `|Y |` demodulate an indala tag (PSK1) from GraphBuffer`
|`lf indala altdemod `|Y |` alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)`
2020-01-10 22:43:12 +08:00
|`lf indala read `|N |` read an Indala Prox tag from the antenna`
|`lf indala clone `|N |` clone Indala tag to T55x7`
|`lf indala sim `|N |` simulate Indala tag`
2020-01-04 19:50:54 +08:00
### lf io
{ ioProx RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf io help `|Y |` this help`
|`lf io demod `|Y |` demodulate an IOProx tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf io read `|N |` attempt to read and extract tag data`
|`lf io clone `|N |` clone IOProx tag to T55x7 (or to q5/T5555)`
|`lf io sim `|N |` simulate IOProx tag`
|`lf io watch `|N |` continuously watch for cards. Reader mode`
2020-01-04 19:50:54 +08:00
### lf jablotron
{ Jablotron RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf jablotron help `|Y |` This help`
|`lf jablotron demod `|Y |` Demodulate an Jablotron tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf jablotron read `|N |` Attempt to read and extract tag data from the antenna`
|`lf jablotron clone `|N |` clone jablotron tag to T55x7 (or to q5/T5555)`
|`lf jablotron sim `|N |` simulate jablotron tag`
2020-01-04 19:50:54 +08:00
### lf keri
{ KERI RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf keri help `|Y |` This help`
|`lf keri demod `|Y |` Demodulate an KERI tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf keri read `|N |` Attempt to read and extract tag data from the antenna`
|`lf keri clone `|N |` clone KERI tag to T55x7 (or to q5/T5555)`
|`lf keri sim `|N |` simulate KERI tag`
2020-01-04 19:50:54 +08:00
### lf nedap
{ Nedap RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf nedap help `|Y |` This help`
|`lf nedap demod `|Y |` Demodulate Nedap tag from the GraphBuffer`
|`lf nedap generate `|Y |` Generate Nedap bitstream in DemodBuffer`
2020-01-10 22:43:12 +08:00
|`lf nedap read `|N |` Attempt to read and extract tag data from the antenna`
|`lf nedap clone `|N |` Clone Nedap tag to T55x7`
|`lf nedap sim `|N |` Simulate Nedap tag`
2020-01-04 19:50:54 +08:00
### lf nexwatch
{ NexWatch RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf nexwatch help `|Y |` This help`
|`lf nexwatch demod `|Y |` Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf nexwatch read `|N |` Attempt to Read and Extract tag data from the antenna`
|`lf nexwatch clone `|N |` clone NexWatch tag to T55x7`
|`lf nexwatch sim `|N |` simulate NexWatch tag`
2020-01-04 19:50:54 +08:00
### lf noralsy
{ Noralsy RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf noralsy help `|Y |` This help`
|`lf noralsy demod `|Y |` Demodulate an Noralsy tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf noralsy read `|N |` Attempt to read and extract tag data from the antenna`
|`lf noralsy clone `|N |` clone Noralsy tag to T55x7 (or to q5/T5555)`
|`lf noralsy sim `|N |` simulate Noralsy tag`
2020-01-04 19:50:54 +08:00
### lf motorola
{ Motorola RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf motorola help `|Y |` This help`
|`lf motorola demod `|Y |` Demodulate an MOTOROLA tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf motorola read `|N |` Attempt to read and extract tag data from the antenna`
|`lf motorola clone `|N |` clone MOTOROLA tag to T55x7`
|`lf motorola sim `|N |` simulate MOTOROLA tag`
2020-01-04 19:50:54 +08:00
### lf pac
{ PAC/Stanley RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf pac help `|Y |` This help`
|`lf pac demod `|Y |` Demodulate a PAC tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf pac read `|N |` Attempt to read and extract tag data from the antenna`
|`lf pac clone `|N |` clone PAC tag to T55x7`
|`lf pac sim `|N |` simulate PAC tag`
2020-01-04 19:50:54 +08:00
### lf paradox
{ Paradox RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf paradox help `|Y |` This help`
|`lf paradox demod `|Y |` Demodulate a Paradox FSK tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf paradox read `|N |` Attempt to read and Extract tag data from the antenna`
|`lf paradox clone `|N |` clone paradox tag to T55x7`
|`lf paradox sim `|N |` simulate paradox tag`
2020-01-04 19:50:54 +08:00
### lf pcf7931
{ PCF7931 CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf pcf7931 help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`lf pcf7931 read `|N |` Read content of a PCF7931 transponder`
|`lf pcf7931 write `|N |` Write data on a PCF7931 transponder.`
2020-01-04 19:50:54 +08:00
|`lf pcf7931 config `|Y |` Configure the password, the tags initialization delay and time offsets (optional)`
### lf presco
{ Presco RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf presco help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`lf presco read `|N |` Attempt to read and Extract tag data`
|`lf presco clone `|N |` clone presco tag to T55x7 (or to q5/T5555)`
|`lf presco sim `|N |` simulate presco tag`
2020-01-04 19:50:54 +08:00
### lf pyramid
{ Farpointe/Pyramid RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf pyramid help `|Y |` this help`
|`lf pyramid demod `|Y |` demodulate a Pyramid FSK tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf pyramid read `|N |` attempt to read and extract tag data`
|`lf pyramid clone `|N |` clone pyramid tag to T55x7 (or to q5/T5555)`
|`lf pyramid sim `|N |` simulate pyramid tag`
2020-01-04 19:50:54 +08:00
### lf securakey
{ Securakey RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf securakey help `|Y |` This help`
|`lf securakey demod `|Y |` Demodulate an Securakey tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf securakey read `|N |` Attempt to read and extract tag data from the antenna`
|`lf securakey clone `|N |` clone Securakey tag to T55x7`
|`lf securakey sim `|N |` simulate Securakey tag`
2020-01-04 19:50:54 +08:00
### lf ti
{ TI CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf ti help `|Y |` This help`
|`lf ti demod `|Y |` Demodulate raw bits for TI-type LF tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf ti read `|N |` Read and decode a TI 134 kHz tag`
|`lf ti write `|N |` Write new data to a r/w TI 134 kHz tag`
2020-01-04 19:50:54 +08:00
### lf t55xx
{ T55xx CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf t55xx help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`lf t55xx bruteforce `|N |` < start password > < end password > Simple bruteforce attack to find password`
2020-01-04 19:50:54 +08:00
|`lf t55xx config `|Y |` Set/Get T55XX configuration (modulation, inverted, offset, rate)`
2020-01-10 22:43:12 +08:00
|`lf t55xx chk `|N |` Check passwords from dictionary/flash`
|`lf t55xx clonehelp `|N |` Shows the available clone commands`
|`lf t55xx dangerraw `|N |` Sends raw bitstream. Dangerous, do not use!! b < bitstream > t < timing > `
2020-01-04 19:50:54 +08:00
|`lf t55xx detect `|Y |` [1] Try detecting the tag modulation from reading the configuration block.`
2020-01-10 22:43:12 +08:00
|`lf t55xx deviceconfig `|N |` Set/Get T55XX device configuration (startgap, writegap, write0, write1, readgap`
|`lf t55xx dump `|N |` [password] [o] Dump T55xx card Page 0 block 0-7. Optional [password], [override]`
|`lf t55xx restore `|N |` f < filename > [p < password > ] Restore T55xx card Page 0 / Page 1 blocks`
2020-01-04 19:50:54 +08:00
|`lf t55xx info `|Y |` [1] Show T55x7 configuration data (page 0/ blk 0)`
2020-01-10 22:43:12 +08:00
|`lf t55xx p1detect `|N |` [1] Try detecting if this is a t55xx tag by reading page 1`
|`lf t55xx protect `|N |` Password protect tag`
|`lf t55xx read `|N |` b < block > p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]`
|`lf t55xx resetread `|N |` Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)`
|`lf t55xx recoverpw `|N |` [password] Try to recover from bad password write from a cloner. Only use on PW protected chips!`
|`lf t55xx special `|N |` Show block changes with 64 different offsets`
2020-01-04 19:50:54 +08:00
|`lf t55xx trace `|Y |` [1] Show T55x7 traceability data (page 1/ blk 0-1)`
2020-01-10 22:43:12 +08:00
|`lf t55xx wakeup `|N |` Send AOR wakeup command`
|`lf t55xx wipe `|N |` [q] Wipe a T55xx tag and set defaults (will destroy any data on tag)`
|`lf t55xx write `|N |` b < block > d < data > p [password] [1] -- Write T55xx block data. Optional [p password], [page1]`
2020-01-04 19:50:54 +08:00
### lf viking
{ Viking RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf viking help `|Y |` This help`
|`lf viking demod `|Y |` Demodulate a Viking tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf viking read `|N |` Attempt to read and Extract tag data from the antenna`
|`lf viking clone `|N |` clone Viking tag to T55x7 (or to q5/T5555)`
|`lf viking sim `|N |` simulate Viking tag`
2020-01-04 19:50:54 +08:00
### lf visa2000
{ Visa2000 RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf visa2000 help `|Y |` This help`
|`lf visa2000 demod `|Y |` demodulate an VISA2000 tag from the GraphBuffer`
2020-01-10 22:43:12 +08:00
|`lf visa2000 read `|N |` attempt to read and extract tag data from the antenna`
|`lf visa2000 clone `|N |` clone Visa2000 tag to T55x7 (or to q5/T5555)`
|`lf visa2000 sim `|N |` simulate Visa2000 tag`
2020-01-04 19:50:54 +08:00
### mem
{ Flash Memory manipulation... }
|command |offline |description
|------- |------- |-----------
|`mem help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`mem spiffs `|N |` High level SPI FileSystem Flash manipulation [rdv40]`
|`mem spibaud `|N |` Set Flash memory Spi baudrate [rdv40]`
|`mem info `|N |` Flash memory information [rdv40]`
|`mem load `|N |` Load data into flash memory [rdv40]`
|`mem dump `|N |` Dump data from flash memory [rdv40]`
|`mem wipe `|N |` Wipe data from flash memory [rdv40]`
2020-01-04 19:50:54 +08:00
### reveng
{ CRC calculations from RevEng software }
### sc
{ Smart card ISO-7816 commands... }
|command |offline |description
|------- |------- |-----------
|`sc help `|Y |` This help`
2020-01-10 22:43:12 +08:00
|`sc list `|N |` List ISO 7816 history`
|`sc info `|N |` Tag information`
|`sc reader `|N |` Act like an IS07816 reader`
|`sc raw `|N |` Send raw hex data to tag`
2020-01-04 19:50:54 +08:00
|`sc upgrade `|Y |` Upgrade sim module firmware`
2020-01-10 22:43:12 +08:00
|`sc setclock `|N |` Set clock speed`
|`sc brute `|N |` Bruteforce SFI`
2020-01-04 19:50:54 +08:00
### script
{ Scripting commands }
|command |offline |description
|------- |------- |-----------
|`script help `|Y |` This help`
|`script list `|Y |` List available scripts`
|`script run `|Y |` < name > -- Execute a script`
### trace
{ Trace manipulation... }
|command |offline |description
|------- |------- |-----------
|`trace help `|Y |` This help`
|`trace list `|Y |` List protocol data in trace buffer`
|`trace load `|Y |` Load trace from file`
|`trace save `|Y |` Save trace buffer to file`
### usart
{ USART commands... }
|command |offline |description
|------- |------- |-----------
|`usart help `|Y |` This help`
|`usart btpin `|N |` Change BT add-on PIN`
|`usart btfactory `|N |` Reset BT add-on to factory settings`
|`usart tx `|N |` Send string over USART`
|`usart rx `|N |` Receive string over USART`
|`usart txrx `|N |` Send string over USART and wait for response`
|`usart txhex `|N |` Send bytes over USART`
|`usart rxhex `|N |` Receive bytes over USART`
|`usart config `|N |` Configure USART`
### wiegand
{ Wiegand format manipulation... }
|command |offline |description
|------- |------- |-----------
|`wiegand help `|Y |` This help`
|`wiegand list `|Y |` List available wiegand formats`
|`wiegand encode `|Y |` Convert `
|`wiegand decode `|Y |` Convert raw hex to wiegand format`
