From 84a49bf03b1c62a2f70719e7ddc3e38d2de5a819 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 23 Jul 2020 11:47:16 +0200 Subject: [PATCH] textual --- doc/cheatsheet.md | 135 +++++++++++++++++++++++++++++----------------- 1 file changed, 86 insertions(+), 49 deletions(-) diff --git a/doc/cheatsheet.md b/doc/cheatsheet.md index 47d3cd702..a032d620d 100644 --- a/doc/cheatsheet.md +++ b/doc/cheatsheet.md @@ -3,8 +3,8 @@ |Generic|Low Frequence 125 kHz|High Frequence 13.56 MHz| |---|---|---| -|[Generic](#Generic)|[T55XX](#T55XX)|[Mifare](#Mifare)| -|[Data](#Data)|[HID Prox](#HID-Prox)|[iClass](#iClass)| +|[Generic](#Generic)|[T55XX](#T55XX)|[MIFARE](#MIFARE)| +|[Data](#Data)|[HID Prox](#HID-Prox)|[iCLASS](#iCLASS)| |[Memory](#Memory)|[Indala](#Indala)|| |[Sim Module](#Sim-Module)|[Hitag](#Hitag)|| |[Lua Scripts](#Lua-Scripts)||| @@ -39,10 +39,10 @@ Check overall status pm3 --> hw status ``` -## iClass +## iCLASS ^[Top](#top) -Reverse permute iClass master key +Reverse permute iCLASS master key ``` Options --- @@ -51,12 +51,13 @@ r reverse permuted key pm3 --> hf iclass permute r 3F90EBF0910F7B6F ``` -iClass Reader +iCLASS Reader + ``` pm3 --> hf iclass reader ``` -Dump iClass card contents +Dump iCLASS card contents ``` Options --- @@ -65,7 +66,7 @@ k : *Access Key as 16 hex symbols or 1 hex to select key from memory m3 --> hf iclass dump k 0 ``` -Read iClass Block +Read iCLASS Block ``` Options --- @@ -75,7 +76,7 @@ k : Access Key as 16 hex symbols or 1 hex to select key from memory pm3 --> hf iclass rdbl b 7 k 0 ``` -Write to iClass Block +Write to iCLASS Block ``` Options --- 
@@ -105,21 +106,44 @@ k : set a key in memory pm3 --> hf iclass managekeys n 3 k AFA785A7DAB33378 ``` -Encrypt iClass Block -``` -pm3 --> hf iclass encrypt 0000000f2aa3dba8 -``` - -Load iClass dump into memory for simulation +Encrypt iCLASS Block ``` Options --- -f : load iclass tag-dump filename +d : 16 bytes hex +k : 16 bytes hex + +pm3 --> hf iclass encrypt d 0000000f2aa3dba8 +``` + +Decrypt iCLASS Block / file +``` +Options +--- +d : 16 bytes hex +f : filename of dump +k : 16 bytes hex + +pm3 --> hf iclass decrypt d 2AD4C8211F996871 +pm3 --> hf iclass decrypt f hf-iclass-db883702f8ff12e0.bin +``` + +Load iCLASS dump into memory for simulation +``` +Options +--- +f : load iCLASS tag-dump filename pm3 --> hf iclass eload f hf-iclass-db883702f8ff12e0.bin ``` -Simulate iClass +Clone iCLASS Legacy Sequence +``` +pm3 --> hf iclass rdbl b 7 k 0 +pm3 --> hf iclass wrbl b 7 d 6ce099fe7e614fd0 k 0 +``` + +Simulate iCLASS ``` Options --- @@ -132,20 +156,14 @@ Options pm3 --> hf iclass sim 3 ``` -Clone iClass Legacy Sequence -``` -pm3 --> hf iclass rdbl b 7 k 0 -pm3 --> hf iclass wrbl b 7 d 6ce099fe7e614fd0 k 0 -``` - -Simulate iClass Sequence +Simulate iCLASS Sequence ``` pm3 --> hf iclass dump k 0 pm3 --> hf iclass eload f hf-iclass-db883702f8ff12e0.bin pm3 --> hf iclass sim 3 ``` -Extract custom iClass key (loclass attack) +Extract custom iCLASS key (loclass attack) ``` Options --- @@ -155,14 +173,15 @@ e : If 'e' is specified, elite computations applied to key pm3 --> hf iclass sim 2 pm3 --> hf iclass loclass f iclass_mac_attack.bin -pm3 --> hf iclass dump k e +pm3 --> hf iclass managekeys n 7 k +pm3 --> hf iclass dump k 7 e ``` -Verify custom iClass key +Verify custom iCLASS key ``` Options --- -f : Dictionary file with default iclass keys +f : Dictionary file with default iCLASS keys u : CSN p : EPURSE m : macs 
@@ -171,7 +190,7 @@ e : elite pm3 --> hf iclass lookup u 010a0ffff7ff12e0 p feffffffffffffff m 66348979153c41b9 f iclass_default_keys e ``` -## Mifare +## MIFARE ^[Top](#top) Check for default keys @@ -196,11 +215,11 @@ m : use dictionary from flashmemory pm3 --> hf mf fchk 1 m ``` -Dump Mifare card contents +Dump MIFARE card contents ``` Options --- - : 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K + : 0 = 320 bytes (MIFARE Mini), 1 = 1K (default), 2 = 2K, 4 = 4K k : key filename, if no given, UID will be used as filename" f : data filename, if no given, UID will be used as filename @@ -217,7 +236,7 @@ i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is us pm3 --> script run dumptoemul -i dumpdata.bin ``` -Write to Mifare block +Write to MIFARE block ``` Options --- @@ -226,7 +245,7 @@ Options pm3 --> hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016 ``` -Run autopwn +Run autopwn, to backup a MIFARE tag ``` Options --- @@ -234,7 +253,7 @@ Options pm3 --> hf mf autopwn ``` -Run Hardnested attack +Run hardnested attack ``` Options --- @@ -244,25 +263,25 @@ w : Acquire nonces and write them to binary file nonces.bin pm3 --> hf mf hardnested 0 A 8829da9daf76 0 A w ``` -Load Mifare emul dump file into memory for simulation +Load MIFARE emul dump file into memory for simulation ``` Options --- -[card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL +[card memory]: 0 = 320 bytes (MIFARE Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL pm3 --> hf mf eload hf-mf-353C2AA6 pm3 --> hf mf eload 1 hf-mf-353C2AA6 ``` -Simulate Mifare +Simulate MIFARE ``` u : (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used pm3 --> hf mf sim u 353c2aa6 ``` -Simulate Mifare Sequence +Simulate MIFARE Sequence ``` pm3 --> hf mf chk *1 ? d mfc_default_keys pm3 --> hf mf dump 1 
@@ -271,19 +290,19 @@ pm3 --> hf mf eload 353C2AA6 pm3 --> hf mf sim u 353c2aa6 ``` -Clone Mifare 1K Sequence +Clone MIFARE 1K Sequence ``` pm3 --> hf mf chk *1 ? d mfc_default_keys pm3 --> hf mf dump pm3 --> hf mf restore 1 u 4A6CE843 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-dump.bin ``` -Read Mifare Ultralight EV1 +Read MIFARE Ultralight EV1 ``` pm3 --> hf mfu info ``` -Clone Mifare Ultralight EV1 Sequence +Clone MIFARE Ultralight EV1 Sequence ``` pm3 --> hf mfu dump k FFFFFFFF pm3 --> script run dumptoemul-mfu -i hf-mfu-XXXX-dump.bin -o hf-mfu-XXXX-dump.eml @@ -291,12 +310,12 @@ pm3 --> hf mfu eload u hf-mfu-XXXX-dump.eml pm3 --> hf mfu sim t 7 u hf-mfu-XXXX-dump.eml ``` -Bruteforce Mifare Classic card numbers from 11223344 to 11223346 +Bruteforce MIFARE Classic card numbers from 11223344 to 11223346 ``` pm3 --> script run hf_bruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc ``` -Bruteforce Mifare Ultralight EV1 card numbers from 11223344556677 to 11223344556679 +Bruteforce MIFARE Ultralight EV1 card numbers from 11223344556677 to 11223344556679 ``` pm3 --> script run hf_bruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu ``` 
@@ -524,29 +543,47 @@ pm3 --> data load ## Lua Scripts ^[Top](#top) -List Lua Scripts +List lua Scripts ``` pm3 --> script list ``` +View lua helptext + +``` +pm3 --> script run -h +``` + + Convert .bin to .eml ``` Options --- -i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used +-i Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used +-o Specifies the output file. If omitted, .eml is used pm3 --> script run dumptoemul -i xxxxxxxxxxxxxx.bin ``` +Convert .eml to .bin +``` +Options +--- +-i Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used +-o Specifies the output file. If omitted, .bin is used + +pm3 --> script run emul2dump -i myfile.eml -o myfile.bin +``` + Format Mifare card ``` Options --- -k : the current six byte key with write access -n : the new key that will be written to the card -a : the new access bytes that will be written to the card -x : execute the commands aswell. +-k The current six byte key with write access +-n The new key that will be written to the card +-a The new access bytes that will be written to the card +-x Execute the commands aswell pm3 --> script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x ``` @@ -554,7 +591,7 @@ pm3 --> script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x ## Memory ^[Top](#top) -Load default keys into memory +Load default keys into flash memory (RDV4 only) ``` Options ---
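Review bot: the table header in the first hunk (@@ -3,8 +3,8 @@) still reads `Low Frequence 125 kHz` and `High Frequence 13.56 MHz`; since this commit is a textual pass over this file, the unchanged context lines could be corrected to `Low Frequency 125 kHz` and `High Frequency 13.56 MHz` in the same change.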
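Review bot: the added blank `+` line between `+iCLASS Reader` and its fence (@@ -51,12 +51,13 @@) breaks the layout every other entry in the file uses, where the title line is immediately followed by the opening fence; drop the blank line so the entries stay uniform. In the next hunk (@@ -65,7 +66,7 @@) the unchanged context line `m3 --> hf iclass dump k 0` is missing the leading `p` of the `pm3 -->` prompt and is worth fixing while the surrounding lines are being edited.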
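Review bot: the option text `d : 16 bytes hex` and `k : 16 bytes hex` in the Encrypt/Decrypt iCLASS Block hunk (@@ -105,21 +106,44 @@) does not match its own examples, where `d 0000000f2aa3dba8` and `d 2AD4C8211F996871` are 8 bytes written as 16 hex symbols, and the rest of the sheet already says "16 hex symbols" for keys. Suggest `d : block data, 8 bytes as 16 hex symbols` and `k : key, 8 bytes as 16 hex symbols` so the two descriptions agree with the `rdbl`/`wrbl` entries. The same hunk moves "Clone iCLASS Legacy Sequence" above "Simulate iCLASS" and removes it further down; that is fine, but the move and the wording changes would be easier to review as separate commits.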
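Review bot: `pm3 --> hf iclass managekeys n 7 k` in the loclass hunk (@@ -155,14 +173,15 @@) is an incomplete command: `k` takes a key value, as the earlier context line `pm3 --> hf iclass managekeys n 3 k AFA785A7DAB33378` shows. Suggest a visible placeholder such as `k <key output by loclass>` so a reader does not paste the command as-is, and a short comment that the following `hf iclass dump k 7 e` refers to the slot just filled.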
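Review bot: `Run autopwn, to backup a MIFARE tag` (@@ -226,7 +245,7 @@) has a stray comma and uses "backup" as a verb; suggest `Run autopwn to back up a MIFARE tag`. The neighbouring change from `Run Hardnested attack` to `Run hardnested attack` is consistent with the command name `hf mf hardnested` and looks right.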
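Review bot: capitalisation goes the wrong way in the Lua hunk (@@ -524,29 +543,47 @@): `List lua Scripts` and `View lua helptext` lowercase a name that the section heading `## Lua Scripts` still capitalises, while the rest of this commit is normalising names upward (iClass to iCLASS, Mifare to MIFARE). In the same hunk `Format Mifare card` keeps the old spelling and `-x Execute the commands aswell` keeps the `aswell` typo; suggest `List Lua scripts`, `View Lua help text`, `Format MIFARE card` and `as well`. The double blank line after the `script run -h` fence is also out of step with the single blank line used between entries elsewhere. The added `emul2dump` entry and the `-o` option on `dumptoemul` are useful additions and read correctly.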