From d99911a03d2bc7ce2acc849943fefa227bf2b29b Mon Sep 17 00:00:00 2001 From: Alex Dib Date: Fri, 16 Aug 2019 09:20:57 +1000 Subject: [PATCH] Cheatsheet update - Added commands & fixed typos --- doc/cheatsheet.md | 156 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 133 insertions(+), 23 deletions(-) diff --git a/doc/cheatsheet.md b/doc/cheatsheet.md index 8770b7551..06af60d56 100644 --- a/doc/cheatsheet.md +++ b/doc/cheatsheet.md @@ -1,5 +1,18 @@ # Cheatsheet +- [Generic](#Generic) +- [iClass](#iClass) +- [Mifare](#Mifare) +- [HID Prox](#HID-Prox) +- [Indala](#Indala) +- [Hitag](#Hitag) +- [T55XX](#T55XX) +- [Data](#Data) +- [Lua Scripts](#Lua-Scripts) +- [Memory](#Memory) +- [Sim Module](#Sim-Module) +- [Smart Card](#Smart-Card) + ## Generic Identify High Frequency cards @@ -22,6 +35,11 @@ Check versioning pm3 --> hw version ``` +Check overall status +``` +pm3 --> hw status +``` + ## iClass Reverse permute iClass master key 
@@ -158,20 +176,30 @@ Check for default keys Options --- <*card memory> [t|d|s|ss] -* - all sectors -card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K -d - write keys to binary file +* : all sectors +card memory : 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K +d : write keys to binary file pm3 --> hf mf chk *1 ? d default_keys.dic ``` +Check for default keys from local memory +``` +Options +--- +card memory : 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K +m : use dictionary from flashmemory + +pm3 --> hf mf fchk 1 m +``` + Dump Mifare card contents ``` Options --- -: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K -k : key filename, if no given, UID will be used as filename" -f : data filename, if no given, UID will be used as filename + : 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K +k : key filename, if no given, UID will be used as filename" +f : data filename, if no given, UID will be used as filename pm3 --> hf mf dump 1 pm3 --> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin @@ -181,7 +209,7 @@ Convert .bin to .eml ``` Options --- -i ????????????? +i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used pm3 --> script run dumptoemul -i dumpdata.bin ``` @@ -278,11 +306,11 @@ Brute force HID reader ``` Options --- -a : 26|33|34|35|37|40|44|84"); -f : 8-bit value HID facility code"); -c : (optional) cardnumber to start with, max 65535"); -d : delay betweens attempts in ms. Default 1000ms"); -v : verbose logging, show all tries"); +a : 26|33|34|35|37|40|44|84 +f : 8-bit value HID facility code +c : (optional) cardnumber to start with, max 65535 +d : delay betweens attempts in ms. Default 1000ms +v : verbose logging, show all tries pm3 --> lf hid brute a 26 f 224 pm3 --> lf hid brute v a 26 f 21 c 200 d 2000 
@@ -334,7 +362,7 @@ HitagS: 02 : Read all pages, crypto mode. Set key=0 for no auth Hitag2: -21 : Read all pages, password mode. Default: 4D494B52 (\"MIKR\") +21 : Read all pages, password mode. Default: 4D494B52 ("MIKR") 22 : Read all pages, challenge mode 23 : Read all pages, crypto mode. Key format: ISK high + ISK low. Default: 4F4E4D494B52 ("ONMIKR") 25 : Test recorded authentications @@ -383,11 +411,11 @@ Detect T55XX card pm3 --> lf t55xx detect ``` -Configure demodulation +Configure modulation ``` Options --- - : Set demodulation + : Set modulation EM is ASK HID Prox is FSK Indala is PSK @@ -395,6 +423,16 @@ Indala is PSK pm3 --> lf t55xx config FSK ``` +Set timings to default +``` +Options +--- +p : persist to flashmemory +z : Set default t55x7 timings (use p to save if required) + +pm3 --> lf t55xx deviceconfig z p +``` + Write to T55xx block ``` b : block number to write. Between 0-7 @@ -405,24 +443,24 @@ pm3 --> lf t55xx wr b 0 d 00081040 Wipe a T55xx tag and set defaults ``` -lf t55xx wipe +pm3 --> lf t55xx wipe ``` ## Data Get raw samples [512-40000] ``` -data samples +pm3 --> data samples ``` Save samples to file ``` -data save +pm3 --> data save ``` Load samples from file ``` -data load +pm3 --> data load ``` ## Lua Scripts @@ -430,16 +468,16 @@ data load List Lua Scripts ``` -script list +pm3 --> script list ``` Convert .bin to .eml ``` Options --- -i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used +i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used -script run dumptoemul -i xxxxxxxxxxxxxx.bin +pm3 --> script run dumptoemul -i xxxxxxxxxxxxxx.bin ``` Format Mifare card 
@@ -451,5 +489,77 @@ n : the new key that will be written to the card a : the new access bytes that will be written to the card x : execute the commands aswell. -script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x +pm3 --> script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x +``` + +## Memory + +Load default keys into memory +``` +Options +--- +o : offset in memory +f : file name +m : upload 6 bytes keys (mifare key dictionary) +i : upload 8 bytes keys (iClass key dictionary) +t : upload 4 bytes keys (pwd dictionary) + +pm3 --> mem load f default_keys m +pm3 --> mem load f default_pwd t +pm3 --> mem load f default_iclass_keys i +``` + +## Sim Module + +Upgrade Sim Module firmware +``` +pm3 --> sc upgrade f ../tools/simmodule/SIM011.BIN +``` + +## Smart Card + +Get Smart Card Information +``` +pm3 --> sc info +``` + +Act like an IS07816 reader +``` +pm3 --> sc reader +``` + +Set clock speed +``` +Options +--- +c : clockspeed (0 = 16MHz, 1=8MHz, 2=4MHz) + +pm3 --> sc setclock c 2 +``` + +Send raw hex data +``` +Options +--- +r : do not read response +a : active smartcard without select (reset sc module) +s : active smartcard with select (get ATR) +t : executes TLV decoder if it possible +0 : use protocol T=0 +d : bytes to send + +pm3 --> sc raw s 0 d 00a404000e315041592e5359532e4444463031 : 1PAY.SYS.DDF01 PPSE directory with get ATR +pm3 --> sc raw 0 d 00a404000e325041592e5359532e4444463031 : 2PAY.SYS.DDF01 PPSE directory +pm3 --> sc raw 0 t d 00a4040007a0000000041010 : Mastercard +pm3 --> sc raw 0 t d 00a4040007a0000000031010 : Visa +```` + +Bruteforce SPI +``` +Options +--- +t : executes TLV decoder if it possible + +pm3 --> sc brute +pm3 --> sc brute t ```
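Review bot: the table-of-contents anchors in the first hunk (`@@ -1,5 +1,18 @@`) are mixed case (`#Generic`, `#HID-Prox`, `#Lua-Scripts`, `#Sim-Module`, `#Smart-Card`), while Markdown renderers generate lowercase heading ids; prefer `#generic`, `#hid-prox`, `#lua-scripts`, `#sim-module`, `#smart-card` so the links also resolve in renderers that match anchors case-sensitively.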
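Review bot: in the `hf mf dump` options of hunk `@@ -158,20 +176,30 @@`, the stray trailing `"` on the `k :` line (a leftover from the C help string) is carried over unchanged into the `+` line, and both the `k :` and `f :` lines read "if no given"; suggest `k : key filename, if not given, UID will be used as filename` and the same wording for `f :`.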
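Review bot: in the `lf hid brute` hunk (`@@ -278,11 +306,11 @@`) the `d :` option line still reads "delay betweens attempts" after the `");` remnants were removed; suggest `d : delay between attempts in ms. Default 1000ms`.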
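Review bot: the "Convert .bin to .eml" entry in the Lua Scripts hunk (`@@ -430,16 +468,16 @@`) duplicates the one already under Mifare (`@@ -181,7 +209,7 @@`), with the same `i :` option text and only the placeholder filename differing (`xxxxxxxxxxxxxx.bin` vs `dumpdata.bin`); keep one of them, or have the Mifare entry point to the Lua Scripts section.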
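Review bot: the closing fence after the `sc raw` block in the last hunk (`@@ -451,5 +489,77 @@`) is four backticks (`````) instead of three, so the block never closes and the following "Bruteforce SPI" entry is swallowed into it; change it to ```` ``` ````. A few wording fixes in the same hunk: "Act like an IS07816 reader" should read "ISO7816"; `a :` and `s :` say "active smartcard" where "activate smartcard" is meant; "executes TLV decoder if it possible" (twice) should be "if possible"; "execute the commands aswell" should be "as well". The heading "Bruteforce SPI" also looks like it should be SFI (short file identifier, the ISO7816 concept `sc brute` walks through) rather than SPI; worth confirming against the command's help text before merging.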