iceman1001 2021-04-15 19:16:15 +02:00
parent 46bf529763
commit 9eccb07106

@ -205,7 +205,7 @@ pm3 --> hf iclass dump --ki 7 --elite
Verify custom iCLASS key Verify custom iCLASS key
``` ```
Options options
--- ---
-f, --file <filename> Dictionary file with default iclass keys -f, --file <filename> Dictionary file with default iclass keys
--csn <hex> Specify CSN as 8 bytes (16 hex symbols) --csn <hex> Specify CSN as 8 bytes (16 hex symbols)
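Review bot: the header of the "Verify custom iCLASS key" block is lowercased from `Options` to `options` here, while the MIFARE dump hunk later in this same commit goes the other way and changes `options:` to `Options:`; pick one spelling for the header (the surrounding blocks use `Options` over a `---` rule) and apply it throughout the cheatsheet rather than flipping it in opposite directions within one change.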
@ -222,7 +222,7 @@ pm3 --> hf iclass lookup --csn 010a0ffff7ff12e0 --epurse feffffffffffffff --macs
Check for default keys Check for default keys
``` ```
Options options
--- ---
-k, --key <hex> Key specified as 12 hex symbols -k, --key <hex> Key specified as 12 hex symbols
--blk <dec> Input block number --blk <dec> Input block number
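Review bot: same header inconsistency as in the iCLASS verify block: `Options` becomes `options` for "Check for default keys" while the rest of the file keeps the capitalised form; revert this line so the header matches the other sections.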
@ -257,9 +257,10 @@ Options
pm3 --> hf mf fchk --1k --mem pm3 --> hf mf fchk --1k --mem
``` ```
Dump MIFARE card contents Dump MIFARE Classic card contents
``` ```
options: Options:
---
-f, --file <filename> filename of dump -f, --file <filename> filename of dump
-k, --keys <filename> filename of keys -k, --keys <filename> filename of keys
--mini MIFARE Classic Mini / S20 --mini MIFARE Classic Mini / S20
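Review bot: the new `Options:` header carries a trailing colon, whereas every other block in the sheet uses a bare `Options` above the `---` rule; drop the colon so the blocks render uniformly. The retitle to "Dump MIFARE Classic card contents" is a good clarification, since the listed size switches (`--mini`, `--2k`, `--4k`) only apply to Classic cards.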
@ -267,52 +268,66 @@ options:
--2k MIFARE Classic/Plus 2k --2k MIFARE Classic/Plus 2k
--4k MIFARE Classic 4k / S70 --4k MIFARE Classic 4k / S70
examples/notes:
hf mf dump --mini -> MIFARE Mini
hf mf dump --1k -> MIFARE Classic 1k
hf mf dump --2k -> MIFARE 2k
hf mf dump --4k -> MIFARE 4k
hf mf dump -f hf-mf-066C8B78-key-5.bin -> MIFARE 1k with keys from specified file
pm3 --> hf mf dump pm3 --> hf mf dump
pm3 --> hf mf dump --1k -k hf-mf-A29558E4-key.bin -f hf-mf-A29558E4-dump.bin pm3 --> hf mf dump --1k -k hf-mf-A29558E4-key.bin -f hf-mf-A29558E4-dump.bin
``` ```
Convert .bin to .eml Write to MIFARE Classic block
``` ```
Options Options:
--- ---
-i <file> dump-file (input). If omitted, 'dumpdata.bin' is used --blk <dec> block number
-o <filename> output file, if omitted, <uid>.eml is use -a input key type is key A (def)
-b input key type is key B
-k, --key <hex> key, 6 hex bytes
-d, --data <hex> bytes to write, 16 hex bytes
pm3 --> script run data_mf_bin2eml -i dumpdata.bin -o hf-mf-myfile.bin pm3 --> hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d d3a2859f6b880400c801002000000016
``` ```
Write to MIFARE block Run autopwn, to extract all keys and backup a MIFARE Classic tag
``` ```
Options Options:
--- ---
<block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)> -k, --key <hex> Known key, 12 hex bytes
-s, --sector <dec> Input sector number
pm3 --> hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016 -a Input key A (def)
``` -b Input key B
-f, --file <fn> filename of dictionary
Run autopwn, to backup a MIFARE tag -s, --slow Slower acquisition (required by some non standard cards)
``` -l, --legacy legacy mode (use the slow `hf mf chk`)
Options -v, --verbose verbose output (statistics)
--- --mini MIFARE Classic Mini / S20
--1k MIFARE Classic 1k / S50 (default)
--2k MIFARE Classic/Plus 2k
--4k MIFARE Classic 4k / S70
pm3 --> hf mf autopwn pm3 --> hf mf autopwn
// target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'
pm3 --> hf mf autopwn -s 0 -a -k FFFFFFFFFFFF
// target MFC 1K card, default dictionary
pm3 --> hf mf autopwn --1k -f mfc_default_keys
``` ```
Run hardnested attack Run hardnested attack
``` ```
Options Options
--- ---
<block number> <key A|B> <key (12 hex symbols)> <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s] -k, --key <hex> Key, 12 hex bytes
w : Acquire nonces and write them to binary file nonces.bin --blk <dec> Input block number
-a Input key A (def)
-b Input key B
--tblk <dec> Target block number
--ta Target key A
--tb Target key B
--tk <hex> Target key, 12 hex bytes
-f, --file <fn> R/W <name> instead of default name
-s, --slow Slower acquisition (required by some non standard cards)
-w, --wr Acquire nonces and UID, and write them to file `hf-mf-<UID>-nonces.bin`
pm3 --> hf mf hardnested 0 A 8829da9daf76 0 A w pm3 --> hf mf hardnested --blk 0 -a -k 8829da9daf76 --tblk 4 --ta -w
``` ```
Load MIFARE Classic dump file into emulator memory for simulation Load MIFARE Classic dump file into emulator memory for simulation
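Review bot: the new `hf mf autopwn` option list assigns the short flag `-s` twice, once to `--sector <dec>` and once to `--slow`; one of the two needs a different short form (or none), otherwise the documentation cannot match what the parser accepts. Also, the dump example `hf mf dump -f hf-mf-066C8B78-key-5.bin -> MIFARE 1k with keys from specified file` passes a key file via `-f`, but the option table above it defines `-f, --file` as the dump filename and `-k, --keys` as the key file; if the intent is to load keys, the example should read `hf mf dump -k hf-mf-066C8B78-key-5.bin`. Minor: the wrbl and autopwn blocks use `Options:` with a colon while the hardnested block in the same hunk uses `Options`.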
@ -503,19 +518,20 @@ Act as Hitag reader
``` ```
Options Options
--- ---
HitagS: --01 HitagS, read all pages, challenge mode
01 <nr> <ar> : Read all pages, challenge mode --02 HitagS, read all pages, crypto mode. Set key=0 for no auth
02 <key> : Read all pages, crypto mode. Set key=0 for no auth
Hitag2: --21 Hitag2, read all pages, password mode. def 4D494B52 (MIKR)
21 <password> : Read all pages, password mode. Default: 4D494B52 ("MIKR") --22 Hitag2, read all pages, challenge mode
22 <nr> <ar> : Read all pages, challenge mode --23 Hitag2, read all pages, crypto mode. Key ISK high + ISK low. def 4F4E4D494B52 (ONMIKR)
23 <key> : Read all pages, crypto mode. Key format: ISK high + ISK low. Default: 4F4E4D494B52 ("ONMIKR") --25 Hitag2, test recorded authentications (replay?)
25 : Test recorded authentications --26 Hitag2, read UID
26 : Just read UID -k, --key <hex> key, 4 or 6 hex bytes
--nrar <hex> nonce / answer reader, 8 hex bytes
pm3 --> lf hitag 26
pm3 --> lf hitag 21 4D494B52 pm3 --> lf hitag --26
pm3 --> lf hitag --21 -k 4D494B52
pm3 --> lf hitag reader --23 -k 4F4E4D494B52
``` ```
Sniff Hitag traffic Sniff Hitag traffic
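Review bot: the three reader examples disagree on the subcommand: `lf hitag --26` and `lf hitag --21 -k 4D494B52` are given without `reader`, while the third is `lf hitag reader --23 -k 4F4E4D494B52`; under a heading "Act as Hitag reader", and with the writer section using `lf hitag writer`, all three should spell out `lf hitag reader`. The `--25` help text `test recorded authentications (replay?)` leaves an open question mark in user-facing text; either state what that mode does or drop the parenthetical.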
@ -524,30 +540,32 @@ pm3 --> lf hitag sniff
pm3 --> lf hitag list pm3 --> lf hitag list
``` ```
Simulate Hitag Simulate Hitag2
``` ```
pm3 --> lf hitag sim c378181c_a8f7.ht2 pm3 --> lf hitag sim -2
``` ```
Write to Hitag block Write to Hitag block
``` ```
Options Options
--- ---
HitagS: --03 HitagS, write page, challenge mode
03 <nr,ar> <page> <byte0...byte3> : Write page, challenge mode --04 HitagS, write page, crypto mode. Set key=0 for no auth
04 <key> <page> <byte0...byte3> : Write page, crypto mode. Set key=0 for no auth
Hitag2: --24 Hitag2, write page, crypto mode.
24 <key> <page> <byte0...byte3> : Write page, crypto mode. Key format: ISK high + ISK low. --27 Hitag2, write page, password mode
27 <password> <page> <byte0...byte3> : Write page, password mode. Default: 4D494B52 ("MIKR") -p, --page <dec> page address to write to
-d, --data <hex> data, 4 hex bytes
-k, --key <hex> key, 4 or 6 hex bytes
--nrar <hex> nonce / answer writer, 8 hex bytes
pm3 --> lf hitag writer 24 499602D2 1 00000000 pm3 --> lf hitag writer --24 -k 499602D2 -p 1 -d 00000000
``` ```
Simulate Hitag2 sequence Simulate Hitag2 sequence
``` ```
pm3 --> lf hitag reader 21 56713368 pm3 --> lf hitag reader --21 -k 56713368
pm3 --> lf hitag sim c378181c_a8f7.ht2 pm3 --> lf hitag sim -2
``` ```
## T55XX ## T55XX
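Review bot: `lf hitag sim -2` replaces an example that loaded tag data from `c378181c_a8f7.ht2`, but the new line shows no data source at all, so a reader cannot tell where the simulated Hitag2 contents come from; if the command now expects emulator memory to be filled beforehand, show that step (or the file option) next to `-2`, in both the "Simulate Hitag2" and "Simulate Hitag2 sequence" blocks. In the writer block, the `--27` line drops the default password (`4D494B52`) that the old text and the reader-side `--21` entry still mention, and `--24` ends with a stray period the other entries lack.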
@ -562,7 +580,19 @@ Configure modulation
``` ```
Options Options
--- ---
<FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> : Set modulation --FSK set demodulation FSK
--FSK1 set demodulation FSK 1
--FSK1A set demodulation FSK 1a (inv)
--FSK2 set demodulation FSK 2
--FSK2A set demodulation FSK 2a (inv)
--ASK set demodulation ASK
--PSK1 set demodulation PSK 1
--PSK2 set demodulation PSK 2
--PSK3 set demodulation PSK 3
--NRZ set demodulation NRZ
--BI set demodulation Biphase
--BIA set demodulation Diphase (inverted biphase)
EM is ASK EM is ASK
HID Prox is FSK HID Prox is FSK
Indala is PSK Indala is PSK
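Review bot: the modulation switches are written as all-caps long options (`--FSK1A`, `--FSK2A`, `--BIA`) where the old syntax used `FSK1a`, `FSK2a`, `BIa`; please confirm this is the exact case the parser accepts, because a cheatsheet entry that differs only in case from the real option name will not work for users who copy it. `--PSK3` is new relative to the old `<FSK|...|BIa>` list and should be confirmed as supported by the command before being advertised here.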
@ -574,18 +604,19 @@ Set timings to default
``` ```
Options Options
--- ---
-p : persist to flash memory (RDV4)
-z : Set default t55x7 timings (use `-p` to save if required)
pm3 --> lf t55xx deviceconfig -z -p -p, --persist persist to flash memory (RDV4)
-z Set default t55x7 timings (use `-p` to save if required)
pm3 --> lf t55xx deviceconfig -zp
``` ```
Write to T55xx block Write to T55xx block
``` ```
b <block> : block number to write. Between 0-7 -b, --blk <0-7> block number to write
d <data> : 4 bytes of data to write (8 hex characters) -d, --data <hex> data to write (4 hex bytes)
-p, --pwd <hex> password (4 hex bytes)
pm3 --> lf t55xx wr -b 0 -d 00081040 pm3 --> lf t55xx write -b 0 -d 00081040
``` ```
Wipe a T55xx tag and set defaults Wipe a T55xx tag and set defaults
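Review bot: the example `lf t55xx deviceconfig -zp` bundles two short flags, whereas the old example used `-z -p`; unless the client's option parser is known to support combined short flags, keep them separate so the example is guaranteed to run and stays consistent with the "use `-p` to save" hint in the `-z` description. In the "Write to T55xx block" section the command is renamed from `lf t55xx wr` to `lf t55xx write`, but the block still lacks the `Options` / `---` header every other section carries; worth adding while touching it.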
@ -631,8 +662,8 @@ Convert .bin to .eml
``` ```
Options Options
--- ---
-i <file> Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used -i <file> Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used
-o <filename> Specifies the output file. If omitted, <uid>.eml is used -o <filename> Specifies the output file. If omitted, <uid>.eml is used
pm3 --> script run data_mf_bin2eml -i xxxxxxxxxxxxxx.bin pm3 --> script run data_mf_bin2eml -i xxxxxxxxxxxxxx.bin
``` ```
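Review bot: no textual change is visible in this hunk (old and new lines read identically), so it is presumably a whitespace-only edit; the same holds for the eml2bin and hf_mf_format hunks that follow. Whitespace normalisation is easier to review in its own commit, separate from the content changes above.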
@ -641,8 +672,8 @@ Convert .eml to .bin
``` ```
Options Options
--- ---
-i <filename> Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used -i <filename> Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used
-o <filename> Specifies the output file. If omitted, <currdate>.bin is used -o <filename> Specifies the output file. If omitted, <currdate>.bin is used
pm3 --> script run data_mf_eml2bin -i myfile.eml -o myfile.bin pm3 --> script run data_mf_eml2bin -i myfile.eml -o myfile.bin
``` ```
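Review bot: the input placeholder is `-i <filename>` here but `-i <file>` in the bin2eml block directly above; unify the placeholder in both script blocks while they are being touched.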
@ -651,10 +682,10 @@ Format Mifare card
``` ```
Options Options
--- ---
-k <key> The current six byte key with write access -k <key> The current six byte key with write access
-n <key> The new key that will be written to the card -n <key> The new key that will be written to the card
-a <access> The new access bytes that will be written to the card -a <access> The new access bytes that will be written to the card
-x Execute the commands as well -x Execute the commands as well
pm3 --> script run hf_mf_format -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x pm3 --> script run hf_mf_format -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
``` ```