From 3fa7992940015bf8b61fa0ba76c2774c60052226 Mon Sep 17 00:00:00 2001 From: Alex Dib Date: Tue, 13 Aug 2019 18:48:56 +1000 Subject: [PATCH] Updated Cheatsheet --- doc/cheatsheet.md | 228 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 228 insertions(+) diff --git a/doc/cheatsheet.md b/doc/cheatsheet.md index 30dfa5b6b..8770b7551 100644 --- a/doc/cheatsheet.md +++ b/doc/cheatsheet.md @@ -138,6 +138,19 @@ pm3 --> hf iclass loclass f iclass_mac_attack.bin pm3 --> hf iclass dump k e ``` +Verify custom iClass key +``` +Options +--- +f : Dictionary file with default iclass keys +u : CSN +p : EPURSE +m : macs +e : elite + +pm3 --> hf iclass lookup u 010a0ffff7ff12e0 p feffffffffffffff m 66348979153c41b9 f default_iclass_keys.dic e +``` + ## Mifare Check for default keys 
@@ -225,3 +238,218 @@ pm3 --> hf mf chk *1 ? d default_keys.dic pm3 --> hf mf dump pm3 --> hf mf restore 1 u 4A6CE843 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin ``` + +## HID Prox + +Read HID Prox card +``` +pm3 --> lf hid read +``` + +Demodulate HID Prox card +``` +pm3 --> lf hid demod +``` + +Convert Site & Facility code to Wiegand +``` +Options +--- + +OEM : OEM number / site code +FC : facility code +CN : card number + +pm3 --> lf hid wiegand 0 56 150 +``` + +Simulate Prox card +``` + +pm3 --> lf hid sim 200670012d +``` + +Clone Prox to T5577 card +``` +pm3 --> lf hid clone 200670012d +``` + +Brute force HID reader +``` +Options +--- +a : 26|33|34|35|37|40|44|84"); +f : 8-bit value HID facility code"); +c : (optional) cardnumber to start with, max 65535"); +d : delay betweens attempts in ms. Default 1000ms"); +v : verbose logging, show all tries"); + +pm3 --> lf hid brute a 26 f 224 +pm3 --> lf hid brute v a 26 f 21 c 200 d 2000 +``` + +## Indala + +Read Indala card +``` +pm3 --> lf indala read +``` + +Demodulate Indala card +``` +pm3 --> lf indala demod +``` + +Simulate Indala card +``` +Options +--- + : 64/224 UID + +pm3 --> lf indala sim a0000000c2c436c1 +``` + +Clone to T55x7 card +``` +Options +--- + : 64/224 UID + +pm3 --> lf indala clone a0000000c2c436c1 +``` + +## Hitag + +Read Hitag information +``` +pm3 --> lf hitag info +``` + +Act as Hitag reader +``` +Options +--- +HitagS: +01 : Read all pages, challenge mode +02 : Read all pages, crypto mode. Set key=0 for no auth + +Hitag2: +21 : Read all pages, password mode. Default: 4D494B52 (\"MIKR\") +22 : Read all pages, challenge mode +23 : Read all pages, crypto mode. Key format: ISK high + ISK low. 
Default: 4F4E4D494B52 ("ONMIKR") +25 : Test recorded authentications +26 : Just read UID + +pm3 --> lf hitag 26 +pm3 --> lf hitag 21 4D494B52 +``` + +Sniff Hitag traffic +``` +pm3 --> lf hitag sniff +pm3 --> lf hitag list +``` + +Simulate Hitag +``` +pm3 --> lf hitag sim c378181c_a8f7.ht2 +``` + +Write to Hitag block +``` +Options +--- +HitagS: +03 : Write page, challenge mode +04 : Write page, crypto mode. Set key=0 for no auth + +Hitag2: +24 : Write page, crypto mode. Key format: ISK high + ISK low. +27 : Write page, password mode. Default: 4D494B52 ("MIKR") + +pm3 --> lf hitag writer 24 499602D2 1 00000000 +``` + +Simulate Hitag2 sequence +``` +pm3 --> lf hitag reader 21 56713368 +pm3 --> lf hitag sim c378181c_a8f7.ht2 +``` + +## T55XX + +Detect T55XX card +``` +pm3 --> lf t55xx detect +``` + +Configure demodulation +``` +Options +--- + : Set demodulation +EM is ASK +HID Prox is FSK +Indala is PSK + +pm3 --> lf t55xx config FSK +``` + +Write to T55xx block +``` +b : block number to write. Between 0-7 +d : 4 bytes of data to write (8 hex characters) + +pm3 --> lf t55xx wr b 0 d 00081040 +``` + +Wipe a T55xx tag and set defaults +``` +lf t55xx wipe +``` + +## Data + +Get raw samples [512-40000] +``` +data samples +``` + +Save samples to file +``` +data save +``` + +Load samples from file +``` +data load +``` + +## Lua Scripts + +List Lua Scripts + +``` +script list +``` + +Convert .bin to .eml +``` +Options +--- +i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used + +script run dumptoemul -i xxxxxxxxxxxxxx.bin +``` + +Format Mifare card +``` +Options +--- +k : the current six byte key with write access +n : the new key that will be written to the card +a : the new access bytes that will be written to the card +x : execute the commands aswell. + +script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x +```
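Review bot: In the iClass hunk (@@ -138,6 +138,19 @@), the "Verify custom iClass key" options list leaves `u : CSN`, `p : EPURSE` and `m : macs` with no indication of where those values come from, and `e : elite` is a label rather than a description. Add one sentence above the options saying that the CSN, ePurse and MAC are the values captured from a reader authentication against the card, and expand `e` to say it switches the lookup to elite-key mode, consistent with the `e` already used on the `hf iclass dump k e` context line. The heading is also slightly off: given `f : Dictionary file with default iclass keys` and a MAC as input, `lookup` searches the dictionary for a key that reproduces the MAC rather than verifying a known custom key, so something like "Look up iClass key from captured CSN/ePurse/MAC" describes the command better.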
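Review bot: In the second hunk (@@ -225,3 +238,218 @@), the five option lines under "Brute force HID reader" each end in `");` (for example `a : 26|33|34|35|37|40|44|84");` and `d : delay betweens attempts in ms. Default 1000ms");`), which is C source pasted along with the help strings; strip the `");` from each line and fix "betweens". Same hunk, "Act as Hitag reader": the examples `pm3 --> lf hitag 26` and `pm3 --> lf hitag 21 4D494B52` omit the `reader` subcommand that the later "Simulate Hitag2 sequence" block uses (`pm3 --> lf hitag reader 21 56713368`); the two should agree. In "Write to Hitag block", mode 24 is documented as taking a key in "ISK high + ISK low" format, i.e. six bytes like the 4F4E4D494B52 default quoted under mode 23, but the example `lf hitag writer 24 499602D2 1 00000000` passes a four-byte value, so either the description or the example needs correcting. Minor consistency points in the same hunk: the "Wipe a T55xx tag", "Data" and "Lua Scripts" examples drop the `pm3 -->` prompt used everywhere else in the file, "Write to T55xx block" is missing the `Options` / `---` header the other option lists carry, and "aswell" should be "as well".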