proxmark3/doc/cheatsheet.md

770 lines
23 KiB
Markdown
Raw Normal View History

2019-08-18 17:53:20 +08:00
<a id="Top"></a>
2020-05-19 16:17:46 +08:00
# Command Cheat Sheet
2019-08-18 17:53:20 +08:00
2020-10-23 07:24:54 +08:00
|Generic|Low Frequency 125 kHz|High Frequency 13.56 MHz|
2019-08-16 17:20:06 +08:00
|---|---|---|
2020-07-23 17:47:16 +08:00
|[Generic](#Generic)|[T55XX](#T55XX)|[MIFARE](#MIFARE)|
|[Data](#Data)|[HID Prox](#HID-Prox)|[iCLASS](#iCLASS)|
2019-08-16 17:22:47 +08:00
|[Memory](#Memory)|[Indala](#Indala)||
|[Sim Module](#Sim-Module)|[Hitag](#Hitag)||
|[Lua Scripts](#Lua-Scripts)|||
|[Smart Card](#Smart-Card)|||
2019-09-20 19:19:19 +08:00
|[Wiegand convertion](#Wiegand-manipulation)|||
2019-08-13 04:24:33 +08:00
## Generic
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 04:24:33 +08:00
Identify High Frequency cards
```
pm3 --> hf search
```
Identify Low Frequency cards
```
pm3 --> lf search
```
Measure antenna characteristics, LF/HF voltage should be around 20-45+ V
```
pm3 --> hw tune
```
Check versioning
```
pm3 --> hw version
```
Check overall status
```
pm3 --> hw status
```
2020-07-23 17:47:16 +08:00
## iCLASS
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 04:24:33 +08:00
2020-07-23 17:47:16 +08:00
Reverse permute iCLASS master key
2019-08-13 04:24:33 +08:00
```
Options
---
2020-10-06 21:03:24 +08:00
-r --reverse : reverse permuted key
--key <bytes> : input key
2019-08-13 04:24:33 +08:00
2020-10-06 21:03:24 +08:00
pm3 --> hf iclass permute --reverse --key 3F90EBF0910F7B6F
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
iCLASS Reader
2019-08-13 04:24:33 +08:00
```
pm3 --> hf iclass reader
```
2020-07-23 17:47:16 +08:00
Dump iCLASS card contents
2019-08-13 04:24:33 +08:00
```
Options
---
2020-11-26 03:02:52 +08:00
-f, --file <filename> filename to save dump to
-k, --key <hex> debit key as 16 hex symbols OR NR/MAC for replay
--ki <dec> debit key index to select key from memory 'hf iclass managekeys'
--credit <hex> credit key as 16 hex symbols
--ci <dec> credit key index to select key from memory 'hf iclass managekeys'
2020-11-26 03:02:52 +08:00
--elite elite computations applied to key
--raw raw, the key is interpreted as raw block 3/4
--nr replay of NR/MAC
2019-08-13 04:24:33 +08:00
2020-11-26 03:02:52 +08:00
pm3 --> hf iclass dump --ki 0
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Read iCLASS Block
2019-08-13 04:24:33 +08:00
```
Options
---
-k, --key <hex> Access key as 16 hex symbols
-b, --block <dec> The block number to read as an integer
--ki <dec> Key index to select key from memory 'hf iclass managekeys'
2020-11-26 10:16:08 +08:00
--credit key is assumed to be the credit key
--elite elite computations applied to key
--raw no computations applied to key (raw)
--nr replay of NR/MAC
2019-08-13 04:24:33 +08:00
2020-11-26 10:16:08 +08:00
pm3 --> hf iclass rdbl -b 7 --ki 0
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Write to iCLASS Block
2019-08-13 04:24:33 +08:00
```
Options
---
-k, --key <hex> Access key as 16 hex symbols
-b, --block <dec> The block number to read as an integer
-d, --data <hex> data to write as 16 hex symbols
--ki <dec> Key index to select key from memory 'hf iclass managekeys'
--credit key is assumed to be the credit key
--elite elite computations applied to key
--raw no computations applied to key (raw)
--nr replay of NR/MAC
2019-08-13 04:24:33 +08:00
2020-11-26 13:11:54 +08:00
pm3 --> hf iclass wrbl -b 7 -d 6ce099fe7e614fd0 --ki 0
2019-08-13 04:24:33 +08:00
```
Print keystore
```
Options
---
-p, --print Print keys loaded into memory
2019-08-13 04:24:33 +08:00
pm3 --> hf iclass managekeys -p
2019-08-13 04:24:33 +08:00
```
Add key to keystore [0-7]
```
Options
---
-f, --file <filename> Specify a filename to use with load or save operations
--ki <dec> Specify key index to set key in memory
2019-08-13 04:24:33 +08:00
pm3 --> hf iclass managekeys --ki 3 -k AFA785A7DAB33378
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Encrypt iCLASS Block
```
Options
---
-d, --data <hex> data to encrypt
-k, --key <hex> 3DES transport key
2020-11-24 04:42:32 +08:00
-v, --verbose verbose output
2020-07-23 17:47:16 +08:00
2020-11-24 04:42:32 +08:00
pm3 --> hf iclass encrypt -d 0000000f2aa3dba8
2020-07-23 17:47:16 +08:00
```
Decrypt iCLASS Block / file
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Options
---
2020-11-24 03:46:07 +08:00
-f, --file <filename> filename of dumpfile
-d, --data <hex> 3DES encrypted data
-k, --key <hex> 3DES transport key
2020-11-24 03:46:07 +08:00
-v, --verbose verbose output
2020-07-23 17:47:16 +08:00
2020-11-24 03:46:07 +08:00
pm3 --> hf iclass decrypt -d 2AD4C8211F996871
pm3 --> hf iclass decrypt -f hf-iclass-db883702f8ff12e0.bin
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Load iCLASS dump into memory for simulation
2019-08-13 04:24:33 +08:00
```
Options
---
2021-01-05 05:22:32 +08:00
-f, --file <filename> filename of dump
--json load JSON type dump
--eml load EML type dump
2019-08-13 04:24:33 +08:00
2020-11-02 09:10:13 +08:00
pm3 --> hf iclass eload -f hf-iclass-db883702f8ff12e0.bin
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Clone iCLASS Legacy Sequence
```
2020-11-26 10:16:08 +08:00
pm3 --> hf iclass rdbl -b 7 --ki 0
2020-11-26 13:11:54 +08:00
pm3 --> hf iclass wrbl -b 7 -d 6ce099fe7e614fd0 --ki 0
2020-07-23 17:47:16 +08:00
```
Simulate iCLASS
2019-08-13 04:24:33 +08:00
```
Options
---
2020-11-28 10:22:23 +08:00
-t, --type <int> Simulation type to use
--csn <hex> Specify CSN as 8 bytes (16 hex symbols) to use with sim type 0
Types:
2021-04-11 16:43:10 +08:00
0 simulate the given CSN
1 simulate default CSN
2 runs online part of LOCLASS attack
3 full simulation using emulator memory (see 'hf iclass eload')
4 runs online part of LOCLASS attack against reader in keyroll mode
2019-08-13 04:24:33 +08:00
2020-11-28 10:22:23 +08:00
pm3 --> hf iclass sim -t 3
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Simulate iCLASS Sequence
2019-08-13 04:24:33 +08:00
```
2020-11-26 03:02:52 +08:00
pm3 --> hf iclass dump --ki 0
2020-11-02 09:10:13 +08:00
pm3 --> hf iclass eload -f hf-iclass-db883702f8ff12e0.bin
2020-11-28 10:22:23 +08:00
pm3 --> hf iclass sim -t 3
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Extract custom iCLASS key (loclass attack)
2019-08-13 04:24:33 +08:00
```
Options
---
2021-01-05 05:14:58 +08:00
-f <filename> specify a filename to clone from
-k <key> Access Key as 16 hex symbols or 1 hex to select key from memory
--elite Elite computations applied to key
2019-08-13 04:24:33 +08:00
2020-11-28 10:22:23 +08:00
pm3 --> hf iclass sim -t 2
2020-11-02 10:02:51 +08:00
pm3 --> hf iclass loclass -f iclass_mac_attack.bin
2020-11-28 10:22:23 +08:00
pm3 --> hf iclass managekeys --ki 7 -k <Kcus>
2020-11-26 03:02:52 +08:00
pm3 --> hf iclass dump --ki 7 --elite
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Verify custom iCLASS key
2019-08-13 16:48:56 +08:00
```
2021-04-16 01:16:15 +08:00
options
2019-08-13 16:48:56 +08:00
---
-f, --file <filename> Dictionary file with default iclass keys
--csn <hex> Specify CSN as 8 bytes (16 hex symbols)
--epurse <hex> Specify ePurse as 8 bytes (16 hex symbols)
--macs <hex> MACs
--raw no computations applied to key (raw)
--elite Elite computations applied to key
2019-08-13 16:48:56 +08:00
pm3 --> hf iclass lookup --csn 010a0ffff7ff12e0 --epurse feffffffffffffff --macs 66348979153c41b9 -f iclass_default_keys --elite
2019-08-13 16:48:56 +08:00
```
2020-07-23 17:47:16 +08:00
## MIFARE
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 04:24:33 +08:00
Check for default keys
```
2021-04-16 01:16:15 +08:00
options
2019-08-13 04:24:33 +08:00
---
2021-04-11 16:43:10 +08:00
-k, --key <hex> Key specified as 12 hex symbols
--blk <dec> Input block number
-a Target Key A, if found also check Key B for duplicate
-b Target Key B
-*, --all Target both key A & B (default)
--mini MIFARE Classic Mini / S20
--1k MIFARE Classic 1k / S50 (default)
--2k MIFARE Classic/Plus 2k
--4k MIFARE Classic 4k / S70
--emu Fill simulator keys from found keys
--dump Dump found keys to binary file
-f, --file <filename> filename of dictionary
2021-02-14 03:37:47 +08:00
pm3 --> hf mf chk --1k -f mfc_default_keys
2019-08-13 04:24:33 +08:00
```
Check for default keys from local memory
```
Options
---
2021-04-11 16:43:10 +08:00
-k, --key <hex> Key specified as 12 hex symbols
--mini MIFARE Classic Mini / S20
--1k MIFARE Classic 1k / S50 (default)
--2k MIFARE Classic/Plus 2k
--4k MIFARE Classic 4k / S70
--emu Fill simulator keys from found keys
--dump Dump found keys to binary file
--mem Use dictionary from flashmemory
-f, --file <filename> filename of dictionary
pm3 --> hf mf fchk --1k --mem
```
2021-04-16 01:16:15 +08:00
Dump MIFARE Classic card contents
2019-08-13 04:24:33 +08:00
```
2021-04-16 01:16:15 +08:00
Options:
---
2021-04-11 16:43:10 +08:00
-f, --file <filename> filename of dump
-k, --keys <filename> filename of keys
--mini MIFARE Classic Mini / S20
--1k MIFARE Classic 1k / S50 (default)
--2k MIFARE Classic/Plus 2k
--4k MIFARE Classic 4k / S70
2021-02-08 04:06:10 +08:00
pm3 --> hf mf dump
pm3 --> hf mf dump --1k -k hf-mf-A29558E4-key.bin -f hf-mf-A29558E4-dump.bin
2019-08-13 04:24:33 +08:00
```
2021-04-16 01:16:15 +08:00
Write to MIFARE Classic block
2019-08-13 04:24:33 +08:00
```
2021-04-16 01:16:15 +08:00
Options:
2019-08-13 04:24:33 +08:00
---
2021-04-16 01:16:15 +08:00
--blk <dec> block number
-a input key type is key A (def)
-b input key type is key B
-k, --key <hex> key, 6 hex bytes
-d, --data <hex> bytes to write, 16 hex bytes
2019-08-13 04:24:33 +08:00
2021-04-16 01:16:15 +08:00
pm3 --> hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d d3a2859f6b880400c801002000000016
2019-08-13 04:24:33 +08:00
```
2021-04-16 01:16:15 +08:00
Run autopwn, to extract all keys and backup a MIFARE Classic tag
2019-08-13 04:24:33 +08:00
```
2021-04-16 01:16:15 +08:00
Options:
---
-k, --key <hex> Known key, 12 hex bytes
-s, --sector <dec> Input sector number
-a Input key A (def)
-b Input key B
-f, --file <fn> filename of dictionary
-s, --slow Slower acquisition (required by some non standard cards)
-l, --legacy legacy mode (use the slow `hf mf chk`)
-v, --verbose verbose output (statistics)
--mini MIFARE Classic Mini / S20
--1k MIFARE Classic 1k / S50 (default)
--2k MIFARE Classic/Plus 2k
--4k MIFARE Classic 4k / S70
2019-08-13 04:24:33 +08:00
2021-04-16 01:16:15 +08:00
pm3 --> hf mf autopwn
2019-08-13 04:24:33 +08:00
2021-04-16 01:16:15 +08:00
// target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'
pm3 --> hf mf autopwn -s 0 -a -k FFFFFFFFFFFF
2019-09-20 19:19:19 +08:00
2021-04-16 01:16:15 +08:00
// target MFC 1K card, default dictionary
pm3 --> hf mf autopwn --1k -f mfc_default_keys
2019-09-20 19:19:19 +08:00
```
2020-07-23 17:47:16 +08:00
Run hardnested attack
2019-08-13 04:24:33 +08:00
```
Options
---
2021-04-16 01:16:15 +08:00
-k, --key <hex> Key, 12 hex bytes
--blk <dec> Input block number
-a Input key A (def)
-b Input key B
--tblk <dec> Target block number
--ta Target key A
--tb Target key B
--tk <hex> Target key, 12 hex bytes
-f, --file <fn> R/W <name> instead of default name
-s, --slow Slower acquisition (required by some non standard cards)
-w, --wr Acquire nonces and UID, and write them to file `hf-mf-<UID>-nonces.bin`
2019-08-13 04:24:33 +08:00
2021-04-16 01:16:15 +08:00
pm3 --> hf mf hardnested --blk 0 -a -k 8829da9daf76 --tblk 4 --ta -w
2019-08-13 04:24:33 +08:00
```
2021-04-11 16:43:10 +08:00
Load MIFARE Classic dump file into emulator memory for simulation
Accepts (BIN/EML/JSON)
2019-08-13 04:24:33 +08:00
```
Options
---
2021-04-11 16:43:10 +08:00
-f, --file <fn> filename of dump
--mini MIFARE Classic Mini / S20
--1k MIFARE Classic 1k / S50 (def)
--2k MIFARE Classic/Plus 2k
--4k MIFARE Classic 4k / S70
--ul MIFARE Ultralight family
-q, --qty <dec> manually set number of blocks (overrides)
2019-08-13 04:24:33 +08:00
2021-04-11 16:43:10 +08:00
pm3 --> hf mf eload -f hf-mf-353C2AA6-dump.bin
pm3 --> hf mf eload --1k -f hf-mf-353C2AA6-dump.bin
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Simulate MIFARE
2019-08-13 04:24:33 +08:00
```
u : (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used
2021-02-08 05:15:22 +08:00
pm3 --> hf mf sim -u 353c2aa6
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Simulate MIFARE Sequence
2019-08-13 04:24:33 +08:00
```
2021-04-16 04:31:46 +08:00
pm3 --> hf mf fchk --1k -f mfc_default_keys.dic
2021-04-11 16:43:10 +08:00
pm3 --> hf mf dump
pm3 --> hf mf eload -f hf-mf-<UID>-dump.bin
2021-02-08 05:15:22 +08:00
pm3 --> hf mf sim -u 353c2aa6
2019-08-13 04:24:33 +08:00
```
2020-07-23 17:47:16 +08:00
Clone MIFARE 1K Sequence
2019-08-13 04:24:33 +08:00
```
2021-04-11 16:43:10 +08:00
pm3 --> hf mf fchk --1k -f mfc_default_keys.dic
2019-08-13 04:24:33 +08:00
pm3 --> hf mf dump
2021-04-16 04:31:46 +08:00
pm3 --> hf mf restore --1k --uid 4A6CE843 -k hf-mf-A29558E4-key.bin -f hf-mf-A29558E4-dump.bin
2019-08-13 04:24:33 +08:00
```
2019-08-13 16:48:56 +08:00
2020-07-23 17:47:16 +08:00
Read MIFARE Ultralight EV1
```
pm3 --> hf mfu info
```
2020-07-23 17:47:16 +08:00
Clone MIFARE Ultralight EV1 Sequence
```
2021-01-05 05:14:58 +08:00
pm3 --> hf mfu dump -k FFFFFFFF
2022-02-13 19:19:06 +08:00
pm3 --> hf mfu eload -f hf-mfu-XXXX-dump.bin
2021-02-12 16:10:55 +08:00
pm3 --> hf mfu sim -t 7
```
2020-07-23 17:47:16 +08:00
Bruteforce MIFARE Classic card numbers from 11223344 to 11223346
```
pm3 --> script run hf_mf_uidbruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc
```
2020-07-23 17:47:16 +08:00
Bruteforce MIFARE Ultralight EV1 card numbers from 11223344556677 to 11223344556679
```
pm3 --> script run hf_mf_uidbruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu
```
2019-09-20 19:19:19 +08:00
## Wiegand manipulation
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 16:48:56 +08:00
2020-10-23 07:24:54 +08:00
List all available wiegand formats in client
2019-08-13 16:48:56 +08:00
```
2019-09-20 19:19:19 +08:00
pm3 --> wiegand list
2019-08-13 16:48:56 +08:00
```
2019-09-20 19:19:19 +08:00
Convert Site & Facility code to Wiegand raw hex
2019-08-13 16:48:56 +08:00
```
2019-09-20 19:19:19 +08:00
Options
---
2021-04-11 16:43:10 +08:00
--fc <dec> facility number
--cn <dec> card number
--issue <dec> issue level
--oem <dec> OEM code
-w, --wiegand <format> see `wiegand list` for available formats
--pre add HID ProxII preamble to wiegand output
2020-10-04 17:07:26 +08:00
2021-04-11 16:43:10 +08:00
pm3 --> wiegand encode -w H10301 --oem 0 --fc 101 --cn 1337
pm3 --> wiegand encode --fc 101 --cn 1337
2019-08-13 16:48:56 +08:00
```
2019-09-20 19:19:19 +08:00
Convert Site & Facility code from Wiegand raw hex to numbers
2019-08-13 16:48:56 +08:00
```
Options
---
2021-04-11 16:43:10 +08:00
-p, --parity ignore invalid parity
-r, --raw <hex> raw hex to be decoded
-b, --bin <bin> binary string to be decoded
2019-09-20 19:19:19 +08:00
2020-10-04 17:07:26 +08:00
pm3 --> wiegand decode --raw 2006f623ae
2019-09-20 19:19:19 +08:00
```
## HID Prox
^[Top](#top)
Read HID Prox card
```
pm3 --> lf hid read
```
2019-08-13 16:48:56 +08:00
2019-09-20 19:19:19 +08:00
Demodulate HID Prox card
```
pm3 --> lf hid demod
2019-08-13 16:48:56 +08:00
```
Simulate Prox card
```
pm3 --> lf hid sim -r 200670012d
pm3 --> lf hid sim -w H10301 --fc 10 --cn 1337
2019-08-13 16:48:56 +08:00
```
Clone Prox to T5577 card
```
pm3 --> lf hid clone -r 200670012d
pm3 --> lf hid clone -w H10301 --fc 10 --cn 1337
2019-08-13 16:48:56 +08:00
```
Brute force HID reader
```
Options
---
2021-01-05 05:14:58 +08:00
-v, --verbose verbose logging, show all tries
-w, --wiegand format see `wiegand list` for available formats
-f, --fn dec facility code
-c, --cn dec card number to start with
-i dec issue level
-o, --oem dec OEM code
-d, --delay dec delay betweens attempts in ms. Default 1000ms
--up direction to increment card number. (default is both directions)
--down direction to decrement card number. (default is both directions)
pm3 --> lf hid brute -w H10301 -f 224
pm3 --> lf hid brute -v -w H10301 -f 21 -c 200 -d 2000
2019-08-13 16:48:56 +08:00
```
## Indala
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 16:48:56 +08:00
Read Indala card
```
pm3 --> lf indala read
```
Demodulate Indala card
```
pm3 --> lf indala demod
```
Simulate Indala card
```
Options
---
2021-01-05 05:14:58 +08:00
-r, --raw <hex> raw bytes
--heden <decimal> Cardnumber for Heden 2L format
2019-08-13 16:48:56 +08:00
2021-01-05 05:14:58 +08:00
pm3 --> lf indala sim -r a0000000c2c436c1
2019-08-13 16:48:56 +08:00
```
Clone to T55x7 card
```
Options
---
2021-01-05 05:14:58 +08:00
-r, --raw <hex> raw bytes
--heden <decimal> Cardnumber for Heden 2L format
--fc <decimal> Facility Code (26 bit H10301 format)
--cn <decimal> Cardnumber (26 bit H10301 format)
--q5 specify writing to Q5/T5555 tag
--em specify writing to EM4305/4469 tag
2019-08-13 16:48:56 +08:00
2021-01-05 05:14:58 +08:00
pm3 --> lf indala clone -r a0000000c2c436c1
2019-08-13 16:48:56 +08:00
```
## Hitag
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 16:48:56 +08:00
Read Hitag information
```
pm3 --> lf hitag info
```
Act as Hitag reader
```
Options
---
2021-04-16 01:16:15 +08:00
--01 HitagS, read all pages, challenge mode
--02 HitagS, read all pages, crypto mode. Set key=0 for no auth
2019-08-13 16:48:56 +08:00
2021-04-16 01:16:15 +08:00
--21 Hitag2, read all pages, password mode. def 4D494B52 (MIKR)
--22 Hitag2, read all pages, challenge mode
--23 Hitag2, read all pages, crypto mode. Key ISK high + ISK low. def 4F4E4D494B52 (ONMIKR)
--25 Hitag2, test recorded authentications (replay?)
--26 Hitag2, read UID
-k, --key <hex> key, 4 or 6 hex bytes
--nrar <hex> nonce / answer reader, 8 hex bytes
pm3 --> lf hitag --26
pm3 --> lf hitag --21 -k 4D494B52
pm3 --> lf hitag reader --23 -k 4F4E4D494B52
2019-08-13 16:48:56 +08:00
```
Sniff Hitag traffic
2019-08-13 16:48:56 +08:00
```
pm3 --> lf hitag sniff
pm3 --> lf hitag list
```
2021-04-16 01:16:15 +08:00
Simulate Hitag2
2019-08-13 16:48:56 +08:00
```
2021-04-16 01:16:15 +08:00
pm3 --> lf hitag sim -2
2019-08-13 16:48:56 +08:00
```
Write to Hitag block
```
Options
---
2021-04-16 01:16:15 +08:00
--03 HitagS, write page, challenge mode
--04 HitagS, write page, crypto mode. Set key=0 for no auth
2019-08-13 16:48:56 +08:00
2021-04-16 01:16:15 +08:00
--24 Hitag2, write page, crypto mode.
--27 Hitag2, write page, password mode
-p, --page <dec> page address to write to
-d, --data <hex> data, 4 hex bytes
-k, --key <hex> key, 4 or 6 hex bytes
--nrar <hex> nonce / answer writer, 8 hex bytes
2019-08-13 16:48:56 +08:00
2021-04-16 01:16:15 +08:00
pm3 --> lf hitag writer --24 -k 499602D2 -p 1 -d 00000000
2019-08-13 16:48:56 +08:00
```
Simulate Hitag2 sequence
```
2021-04-16 01:16:15 +08:00
pm3 --> lf hitag reader --21 -k 56713368
pm3 --> lf hitag sim -2
2019-08-13 16:48:56 +08:00
```
## T55XX
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 16:48:56 +08:00
Detect T55XX card
```
pm3 --> lf t55xx detect
```
Configure modulation
2019-08-13 16:48:56 +08:00
```
Options
---
2021-04-16 01:16:15 +08:00
--FSK set demodulation FSK
--FSK1 set demodulation FSK 1
--FSK1A set demodulation FSK 1a (inv)
--FSK2 set demodulation FSK 2
--FSK2A set demodulation FSK 2a (inv)
--ASK set demodulation ASK
--PSK1 set demodulation PSK 1
--PSK2 set demodulation PSK 2
--PSK3 set demodulation PSK 3
--NRZ set demodulation NRZ
--BI set demodulation Biphase
--BIA set demodulation Diphase (inverted biphase)
2019-08-13 16:48:56 +08:00
EM is ASK
HID Prox is FSK
Indala is PSK
2021-03-08 18:31:40 +08:00
pm3 --> lf t55xx config --FSK
2019-08-13 16:48:56 +08:00
```
Set timings to default
```
Options
---
2021-04-16 01:16:15 +08:00
-p, --persist persist to flash memory (RDV4)
-z Set default t55x7 timings (use `-p` to save if required)
pm3 --> lf t55xx deviceconfig -zp
```
2019-08-13 16:48:56 +08:00
Write to T55xx block
```
2021-04-16 01:16:15 +08:00
-b, --blk <0-7> block number to write
-d, --data <hex> data to write (4 hex bytes)
-p, --pwd <hex> password (4 hex bytes)
2019-08-13 16:48:56 +08:00
2021-04-16 01:16:15 +08:00
pm3 --> lf t55xx write -b 0 -d 00081040
2019-08-13 16:48:56 +08:00
```
Wipe a T55xx tag and set defaults
```
pm3 --> lf t55xx wipe
2019-08-13 16:48:56 +08:00
```
## Data
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 16:48:56 +08:00
Get raw samples [512-40000]
```
2021-03-23 01:21:35 +08:00
pm3 --> data samples -n <size>
2019-08-13 16:48:56 +08:00
```
Save samples to file
```
2020-10-10 04:25:33 +08:00
pm3 --> data save -f <filename>
2019-08-13 16:48:56 +08:00
```
Load samples from file
```
2020-10-10 04:25:33 +08:00
pm3 --> data load -f <filename>
2019-08-13 16:48:56 +08:00
```
## Lua Scripts
2019-08-18 17:53:20 +08:00
^[Top](#top)
2019-08-13 16:48:56 +08:00
2020-07-23 17:47:16 +08:00
List lua Scripts
2019-08-13 16:48:56 +08:00
```
pm3 --> script list
2019-08-13 16:48:56 +08:00
```
2020-07-23 17:47:16 +08:00
View lua helptext
```
2020-10-04 17:07:26 +08:00
pm3 --> script run <nameofscript> -h
2020-07-23 17:47:16 +08:00
```
2019-08-13 16:48:56 +08:00
Convert .bin to .eml
```
Options
---
2021-04-16 01:16:15 +08:00
-i <file> Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used
-o <filename> Specifies the output file. If omitted, <uid>.eml is used
2019-08-13 16:48:56 +08:00
2020-09-23 07:00:05 +08:00
pm3 --> script run data_mf_bin2eml -i xxxxxxxxxxxxxx.bin
2019-08-13 16:48:56 +08:00
```
2020-07-23 17:47:16 +08:00
Convert .eml to .bin
```
Options
---
2021-04-16 01:16:15 +08:00
-i <filename> Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used
-o <filename> Specifies the output file. If omitted, <currdate>.bin is used
2020-07-23 17:47:16 +08:00
2020-09-23 07:00:05 +08:00
pm3 --> script run data_mf_eml2bin -i myfile.eml -o myfile.bin
2020-07-23 17:47:16 +08:00
```
2019-08-13 16:48:56 +08:00
Format Mifare card
```
Options
---
2021-04-16 01:16:15 +08:00
-k <key> The current six byte key with write access
-n <key> The new key that will be written to the card
-a <access> The new access bytes that will be written to the card
-x Execute the commands as well
2019-08-13 16:48:56 +08:00
2020-09-23 06:11:11 +08:00
pm3 --> script run hf_mf_format -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
```
## Memory
2019-08-18 17:53:20 +08:00
^[Top](#top)
2020-07-23 17:47:16 +08:00
Load default keys into flash memory (RDV4 only)
```
Options
---
2021-01-05 05:14:58 +08:00
-o <offset> offset in memory
-f <filename> file name
--mfc upload 6 bytes keys (mifare key dictionary)
--iclass upload 8 bytes keys (iClass key dictionary)
--t55xx upload 4 bytes keys (pwd dictionary)
2020-10-04 17:07:26 +08:00
pm3 --> mem load -f mfc_default_keys --mfc
pm3 --> mem load -f t55xx_default_pwds --t5xx
pm3 --> mem load -f iclass_default_keys --iclass
```
## Sim Module
2019-08-18 17:53:20 +08:00
^[Top](#top)
Upgrade Sim Module firmware
```
pm3 --> smart upgrade -f sim013.bin
```
## Smart Card
2019-08-18 17:53:20 +08:00
^[Top](#top)
Get Smart Card Information
```
pm3 --> smart info
```
Act like an IS07816 reader
```
pm3 --> smart reader
```
2021-01-07 20:04:52 +08:00
Set clock speed for smart card interface
```
Options
---
2021-01-07 20:04:52 +08:00
--16mhz 16 MHz clock speed
--8mhz 8 MHz clock speed
--4mhz 4 MHz clock speed
2021-01-07 20:04:52 +08:00
pm3 --> smart setclock --8mhz
```
Send raw hex data
```
Options
---
2021-01-07 20:04:52 +08:00
-r do not read response
-a active smartcard without select (reset sc module)
-s active smartcard with select (get ATR)
-t, --tlv executes TLV decoder if it possible
-0 use protocol T=0
-d, --data <hex> bytes to send
2021-01-07 20:04:52 +08:00
pm3 --> smart raw -s -0 -d 00a404000e315041592e5359532e4444463031
pm3 --> smart raw -0 -d 00a404000e325041592e5359532e4444463031
pm3 --> smart raw -0 -t -d 00a4040007a0000000041010
pm3 --> smart raw -0 -t -d 00a4040007a0000000031010
````
Bruteforce SPI
```
Options
---
2021-01-07 20:04:52 +08:00
-t, --tlv executes TLV decoder if it possible
pm3 --> smart brute
2021-01-07 20:04:52 +08:00
pm3 --> smart brute --tlv
2019-08-13 16:48:56 +08:00
```