proxmark3/doc/commands.md
2020-11-29 00:28:56 +01:00

47 KiB

Proxmark3 command dump

Some commands are available only if a Proxmark3 is actually connected.

Check column "offline" for their availability.

command offline description
auto N Automated detection process for unknown tags
clear Y Clear screen
help Y This help. Use '<command> help' for details of a particular command.
hints Y Turn hints on / off
msleep Y Add a pause in milliseconds
pref Y Edit preferences
rem Y Add a text line in log file
quit Y ``
exit Y Exit program

analyse

{ Analyse utils... }

command offline description
analyse help Y This help
analyse lcr Y Generate final byte for XOR LRC
analyse crc Y Stub method for CRC evaluations
analyse chksum Y Checksum with adding, masking and one's complement
analyse dates Y Look for datestamps in a given array of bytes
analyse tea Y Crypto TEA test
analyse lfsr Y LFSR tests
analyse a Y num bits test
analyse nuid Y create NUID from 7byte UID
analyse demodbuff Y Load binary string to demodbuffer
analyse freq Y Calc wave lengths

data

{ Plot window / data buffer manipulation... }

command offline description
data help Y This help
data biphaserawdecode Y Biphase decode bin stream in DemodBuffer
data detectclock Y Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer
data fsktonrz Y Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)
data manrawdecode Y Manchester decode binary stream in DemodBuffer
data modulation Y Identify LF signal for clock and modulation
data rawdemod Y Demodulate the data in the GraphBuffer and output binary
data askedgedetect Y [threshold] Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)
data autocorr Y Autocorrelation over window
data dirthreshold Y <thres up> <thres down> -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.
data decimate Y Decimate samples
data undecimate Y Un-decimate samples
data hide Y Hide graph window
data hpf Y Remove DC offset from trace
data iir Y apply IIR buttersworth filter on plotdata
data grid Y <x> <y> -- overlay grid on graph window, use zero value to turn off either
data ltrim Y <samples> -- Trim samples from left of trace
data mtrim Y <start> <stop> -- Trim out samples from the specified start to the specified stop
data norm Y Normalize max/min to +/-128
data plot Y Show graph window (hit 'h' in window for keystroke help)
data rtrim Y <location to end trace> -- Trim samples from right of trace
data setgraphmarkers Y [orange_marker] [blue_marker] (in graph window)
data shiftgraphzero Y <shift> -- Shift 0 for Graphed wave + or - shift value
data timescale Y `Set a timescale to get a differential reading between the yellow and purple markers as time duration
`
data zerocrossings Y Count time between zero-crossings
data convertbitstream Y Convert GraphBuffer's 0/1 values to 127 / -127
data getbitstream Y Convert GraphBuffer's >=1 values to 1 and <1 to 0
data bin2hex Y Converts binary to hexadecimal
data bitsamples N Get raw samples as bitstring
data clear Y Clears bigbuf on deviceside and graph window
data hexsamples N <bytes> [<offset>] -- Dump big buffer as hex bytes
data hex2bin Y Converts hexadecimal to binary
data load Y Load contents of file into graph window
data ndef Y Decode NDEF records
data print Y print the data in the DemodBuffer
data samples N [512 - 40000] -- Get raw samples for graph window (GraphBuffer)
data save Y Save signal trace data (from graph window)
data setdebugmode Y `<0
data tune N Measure tuning of device antenna. Results shown in graph window

emv

{ EMV ISO-14443 / ISO-7816... }

command offline description
emv help Y This help
emv exec N Executes EMV contactless transaction.
emv pse N Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.
emv search N Try to select all applets from applets list and print installed applets.
emv select N Select applet.
emv gpo N Execute GetProcessingOptions.
emv readrec N Read files from card.
emv genac N Generate ApplicationCryptogram.
emv challenge N Generate challenge.
emv intauth N Internal authentication.
emv scan N Scan EMV card and save it contents to json file for emulator.
emv test Y Crypto logic test.
emv list Y List ISO7816 history
emv roca N Extract public keys and run ROCA test

hf

{ High frequency commands... }

command offline description
hf help Y This help
hf list Y List protocol data in trace buffer
hf plot N Plot signal
hf tune N Continuously measure HF antenna tuning
hf search Y Search for known HF tags
hf sniff N <samples to skip (10000)> <triggers to skip (1)> Generic HF Sniff

hf 14a

{ ISO14443A RFIDs... }

command offline description
hf 14a help Y This help
hf 14a list Y List ISO 14443-a history
hf 14a info N Tag information
hf 14a reader N Act like an ISO14443-a reader
hf 14a cuids N <n> Collect n>0 ISO14443-a UIDs in one go
hf 14a sim N <UID> -- Simulate ISO 14443-a tag
hf 14a sniff N sniff ISO 14443-a traffic
hf 14a apdu N Send ISO 14443-4 APDU to tag
hf 14a chaining N Control ISO 14443-4 input chaining
hf 14a raw N Send raw hex data to tag
hf 14a antifuzz N Fuzzing the anticollision phase. Warning! Readers may react strange
hf 14a config N Configure 14a settings (use with caution)

hf 14b

{ ISO14443B RFIDs... }

command offline description
hf 14b help Y This help
hf 14b apdu N Send ISO 14443-4 APDU to tag
hf 14b dump N Read all memory pages of an ISO14443-B tag, save to file
hf 14b info N Tag information
hf 14b list Y List ISO 14443B history
hf 14b ndef N Read NDEF file on tag
hf 14b raw N Send raw hex data to tag
hf 14b reader N Act as a 14443B reader to identify a tag
hf 14b sim N Fake ISO 14443B tag
hf 14b sniff N Eavesdrop ISO 14443B
hf 14b rdbl N Read SRI512/SRIX4x block
hf 14b sriwrite N `Write data to a SRI512

hf 15

{ ISO15693 RFIDs... }

command offline description
hf 15 help Y This help
hf 15 list Y List ISO15693 history
hf 15 demod Y Demodulate ISO15693 from tag
hf 15 dump N Read all memory pages of an ISO15693 tag, save to file
hf 15 info N Tag information
hf 15 sniff N Sniff ISO15693 traffic
hf 15 raw N Send raw hex data to tag
hf 15 rdbl N Read a block
hf 15 reader N Act like an ISO15693 reader
hf 15 readmulti N Reads multiple Blocks
hf 15 restore N Restore from file to all memory pages of an ISO15693 tag
hf 15 samples N Acquire Samples as Reader (enables carrier, sends inquiry)
hf 15 sim N Fake an ISO15693 tag
hf 15 wrbl N Write a block
hf 15 findafi N Brute force AFI of an ISO15693 tag
hf 15 writeafi N Writes the AFI on an ISO15693 tag
hf 15 writedsfid N Writes the DSFID on an ISO15693 tag
hf 15 csetuid N Set UID for magic Chinese card

hf epa

{ German Identification Card... }

command offline description
hf epa help Y This help
hf epa cnonces N <m> <n> <d> Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses
hf epa preplay N <mse> <get> <map> <pka> <ma> Perform PACE protocol by replaying given APDUs

hf felica

{ ISO18092 / FeliCa RFIDs... }

command offline description
hf felica help Y This help
hf felica list Y List ISO 18092/FeliCa history
hf felica reader N Act like an ISO18092/FeliCa reader
hf felica sniff N Sniff ISO 18092/FeliCa traffic
hf felica raw N Send raw hex data to tag
hf felica rdunencrypted N read Block Data from authentication-not-required Service.
hf felica wrunencrypted N write Block Data to an authentication-not-required Service.
hf felica rqservice N verify the existence of Area and Service, and to acquire Key Version.
hf felica rqresponse N verify the existence of a card and its Mode.
hf felica scsvcode N acquire Area Code and Service Code.
hf felica rqsyscode N acquire System Code registered to the card.
hf felica auth1 N authenticate a card. Start mutual authentication with Auth1
hf felica auth2 N allow a card to authenticate a Reader/Writer. Complete mutual authentication
hf felica rqspecver N acquire the version of card OS.
hf felica resetmode N reset Mode to Mode 0.
hf felica litesim N <NDEF2> - only reply to poll request
hf felica litedump N Wait for and try dumping FelicaLite

hf fido

{ FIDO and FIDO2 authenticators... }

command offline description
hf fido help Y This help.
hf fido list N List ISO 14443A history
hf fido info N Info about FIDO tag.
hf fido reg N FIDO U2F Registration Message.
hf fido auth N FIDO U2F Authentication Message.
hf fido make N FIDO2 MakeCredential command.
hf fido assert N FIDO2 GetAssertion command.

hf iclass

{ ICLASS RFIDs... }

command offline description
hf iclass help Y This help
hf iclass dump N [options..] Dump Picopass / iCLASS tag to file
hf iclass info Y Tag information
hf iclass list Y List iclass history
hf iclass rdbl N [options..] Read Picopass / iCLASS block
hf iclass reader N Act like an Picopass / iCLASS reader
hf iclass restore N [options..] Restore a dump file onto a Picopass / iCLASS tag
hf iclass sniff N Eavesdrop Picopass / iCLASS communication
hf iclass wrbl N [options..] Write Picopass / iCLASS block
hf iclass chk N [options..] Check keys
hf iclass loclass Y [options..] Use loclass to perform bruteforce reader attack
hf iclass lookup Y [options..] Uses authentication trace to check for key in dictionary file
hf iclass sim N [options..] Simulate iCLASS tag
hf iclass eload N [f <fn> ] Load Picopass / iCLASS dump file into emulator memory
hf iclass esave N [f <fn> ] Save emulator memory to file
hf iclass eview N [options..] View emulator memory
hf iclass calcnewkey Y [options..] Calc diversified keys (blocks 3 & 4) to write new keys
hf iclass encrypt Y [options..] Encrypt given block data
hf iclass decrypt Y [options..] Decrypt given block data or tag dump file
hf iclass managekeys Y [options..] Manage keys to use with iclass commands
hf iclass permute N Permute function from 'heart of darkness' paper
hf iclass view Y [options..] Display content from tag dump file

hf legic

{ LEGIC RFIDs... }

command offline description
hf legic help Y This help
hf legic list Y List LEGIC history
hf legic reader N LEGIC Prime Reader UID and tag info
hf legic info N Display deobfuscated and decoded LEGIC Prime tag data
hf legic dump N Dump LEGIC Prime tag to binary file
hf legic restore N Restore a dump file onto a LEGIC Prime tag
hf legic rdbl N Read bytes from a LEGIC Prime tag
hf legic sim N Start tag simulator
hf legic wrbl N Write data to a LEGIC Prime tag
hf legic crc Y Calculate Legic CRC over given bytes
hf legic eload Y Load binary dump to emulator memory
hf legic esave Y Save emulator memory to binary file
hf legic wipe N Wipe a LEGIC Prime tag

hf lto

{ LTO Cartridge Memory RFIDs... }

command offline description
hf lto help Y This help
hf lto dump N Dump LTO-CM tag to file
hf lto restore N Restore dump file to LTO-CM tag
hf lto info N Tag information
hf lto rdbl N Read block
hf lto wrbl N Write block
hf lto list Y List LTO-CM history

hf mf

{ MIFARE RFIDs... }

command offline description
hf mf help Y This help
hf mf list Y List MIFARE history
hf mf darkside N Darkside attack
hf mf nested N Nested attack
hf mf hardnested Y Nested attack for hardened MIFARE Classic cards
hf mf staticnested N Nested attack against static nonce MIFARE Classic cards
hf mf autopwn N Automatic key recovery tool for MIFARE Classic
hf mf nack N Test for MIFARE NACK bug
hf mf chk N Check keys
hf mf fchk N Check keys fast, targets all keys on card
hf mf decrypt Y [nt] [ar_enc] [at_enc] [data] - to decrypt sniff or trace
hf mf supercard N Extract info from a super card``
hf mf auth4 N ISO14443-4 AES authentication
hf mf dump N Dump MIFARE Classic tag to binary file
hf mf mad N Checks and prints MAD
hf mf ndef N Prints NDEF records from card
hf mf personalize N Personalize UID (MIFARE Classic EV1 only)
hf mf rdbl N Read MIFARE Classic block
hf mf rdsc N Read MIFARE Classic sector
hf mf restore N Restore MIFARE Classic binary file to BLANK tag
hf mf setmod N Set MIFARE Classic EV1 load modulation strength
hf mf wrbl N Write MIFARE Classic block
hf mf sim N Simulate MIFARE card
hf mf ecfill N Fill simulator memory with help of keys from simulator
hf mf eclr N Clear simulator memory
hf mf egetblk N Get simulator memory block
hf mf egetsc N Get simulator memory sector
hf mf ekeyprn N Print keys from simulator memory
hf mf eload N Load from file emul dump
hf mf esave N Save to file emul dump
hf mf eset N Set simulator memory block
hf mf eview N View emul memory
hf mf cgetblk N Read block
hf mf cgetsc N Read sector
hf mf cload N Load dump
hf mf csave N Save dump from card into file or emulator
hf mf csetblk N Write block
hf mf csetuid N Set UID
hf mf cview N view card
hf mf cwipe N Wipe card to default UID/Sectors/Keys
hf mf gen3uid N Set UID without manufacturer block
hf mf gen3blk N Overwrite full manufacturer block
hf mf gen3freeze N Perma lock further UID changes
hf mf ice N collect MIFARE Classic nonces to file

hf mfp

{ MIFARE Plus RFIDs... }

command offline description
hf mfp help Y This help
hf mfp info N Info about Mifare Plus tag
hf mfp wrp N Write Perso command
hf mfp initp N Fills all the card's keys
hf mfp commitp N Move card to SL1 or SL3 mode
hf mfp auth N Authentication
hf mfp rdbl N Read blocks
hf mfp rdsc N Read sectors
hf mfp wrbl N Write blocks
hf mfp chk N Check keys
hf mfp mad N Checks and prints MAD
hf mfp ndef N Prints NDEF records from card

hf mfu

{ MIFARE Ultralight RFIDs... }

command offline description
hf mfu help Y This help
hf mfu info N Tag information
hf mfu dump N Dump Ultralight / Ultralight-C / NTAG tag to binary file
hf mfu restore N Restore a dump onto a MFU MAGIC tag
hf mfu eload N load Ultralight .eml dump file into emulator memory
hf mfu rdbl N Read block
hf mfu wrbl N Write block
hf mfu cauth N Authentication - Ultralight C
hf mfu setpwd N Set 3des password - Ultralight-C
hf mfu setuid N Set UID - MAGIC tags only
hf mfu sim N Simulate Ultralight from emulator memory
hf mfu gen Y Generate 3des mifare diversified keys
hf mfu pwdgen Y Generate pwd from known algos
hf mfu otptear N Tear-off test on OTP bits
hf mfu ndef N Prints NDEF records from card

hf mfdes

{ MIFARE Desfire RFIDs... }

command offline description
hf mfdes help Y This help
hf mfdes auth N Tries a MIFARE DesFire Authentication
hf mfdes changekey N Change Key
hf mfdes chk N Check keys
hf mfdes enum N Tries enumerate all applications
hf mfdes formatpicc N Format PICC
hf mfdes getuid N Get random uid
hf mfdes info N Tag information
hf mfdes list Y List DESFire (ISO 14443A) history
hf mfdes createaid N Create Application ID
hf mfdes deleteaid N Delete Application ID
hf mfdes selectaid N Select Application ID
hf mfdes changevalue N Write value of a value file (credit/debit/clear)
hf mfdes clearfile N Clear record File
hf mfdes createfile N Create Standard/Backup File
hf mfdes createvaluefile N Create Value File
hf mfdes createrecordfile N Create Linear/Cyclic Record File
hf mfdes deletefile N Create Delete File
hf mfdes dump N Dump all files
hf mfdes getvalue N Get value of file
hf mfdes readdata N Read data from standard/backup/record file
hf mfdes writedata N Write data to standard/backup/record file

hf st

{ ST Rothult RFIDs... }

command offline description
hf st help Y This help
hf st info N Tag information
hf st list Y List ISO 14443A/7816 history
hf st ndef Y read NDEF file on tag
hf st protect N change protection on tag
hf st pwd N change password on tag
hf st sim N Fake ISO 14443A/ST tag

hf thinfilm

{ Thinfilm RFIDs... }

command offline description
hf thinfilm help Y This help
hf thinfilm info N Tag information
hf thinfilm list Y List NFC Barcode / Thinfilm history - not correct
hf thinfilm sim N Fake Thinfilm tag

hf topaz

{ TOPAZ (NFC Type 1) RFIDs... }

command offline description
hf topaz help Y This help
hf topaz list Y List Topaz history
hf topaz info N Tag information
hf topaz reader N Act like a Topaz reader
hf topaz sim N <UID> -- Simulate Topaz tag
hf topaz sniff N Sniff Topaz reader-tag communication
hf topaz raw N Send raw hex data to tag

hf waveshare

{ Waveshare NFC ePaper... }

command offline description
hf waveshare help Y This help
hf waveshare loadbmp N Load BMP file to Waveshare NFC ePaper

hw

{ Hardware commands... }

command offline description
hw help Y This help
hw connect Y connect Proxmark3 to serial port
hw dbg N Set Proxmark3 debug level
hw detectreader N `['l'
hw fpgaoff N Set FPGA off
hw lcd N <HEX command> <count> -- Send command/data to LCD
hw lcdreset N Hardware reset LCD
hw ping N Test if the Proxmark3 is responsive
hw readmem N [address] -- Read memory at decimal address from flash
hw reset N Reset the Proxmark3
hw setlfdivisor N <19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)
hw setmux N Set the ADC mux to a specific value
hw standalone N Jump to the standalone mode
hw status N Show runtime status information about the connected Proxmark3
hw tearoff N Program a tearoff hook for the next command supporting tearoff
hw tia N Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider
hw tune N Measure antenna tuning
hw version N Show version information about the connected Proxmark3

lf

{ Low frequency commands... }

command offline description
lf help Y This help
lf config N Get/Set config for LF sampling, bit/sample, decimation, frequency
lf cmdread N Modulate LF reader field to send command before read (all periods in microseconds)
lf read N Read LF tag
lf search Y Read and Search for valid known tag (in offline mode it you can load first then search)
lf sim N Simulate LF tag from buffer with optional GAP (in microseconds)
lf simask N Simulate LF ASK tag from demodbuffer or input
lf simfsk N Simulate LF FSK tag from demodbuffer or input
lf simpsk N Simulate LF PSK tag from demodbuffer or input
lf simbidir N Simulate LF tag (with bidirectional data transmission between reader and tag)
lf sniff N Sniff LF traffic between reader and tag
lf tune N Continuously measure LF antenna tuning

lf awid

{ AWID RFIDs... }

command offline description
lf awid help Y this help
lf awid demod Y demodulate an AWID FSK tag from the GraphBuffer
lf awid read N attempt to read and extract tag data
lf awid clone N clone AWID tag to T55x7 or Q5/T5555
lf awid sim N simulate AWID tag
lf awid brute N Bruteforce card number against reader
lf awid watch N continuously watch for cards. Reader mode

lf cotag

{ COTAG CHIPs... }

command offline description
lf cotag help Y This help
lf cotag demod Y Tries to decode a COTAG signal
lf cotag read N Attempt to read and extract tag data

lf destron

{ FDX-A Destron RFIDs... }

command offline description
lf destron help Y This help
lf destron demod Y Demodulate an Destron tag from the GraphBuffer
lf destron read N Attempt to read and extract tag data from the antenna
lf destron clone N Clone Destron tag to T55x7
lf destron sim N Simulate Destron tag

lf em

{ EM4X CHIPs & RFIDs... }

command offline description
lf em help Y This help
lf em 410x_demod Y demodulate a EM410x tag from the GraphBuffer
lf em 410x_read N attempt to read and extract tag data
lf em 410x_sim N simulate EM410x tag
lf em 410x_brute N reader bruteforce attack by simulating EM410x tags
lf em 410x_watch N watches for EM410x 125/134 kHz tags (option 'h' for 134)
lf em 410x_spoof N watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)
lf em 410x_clone N write EM410x UID to T55x7 or Q5/T5555 tag
lf em 4x05_chk N Check passwords from dictionary
lf em 4x05_demod Y demodulate a EM4x05/EM4x69 tag from the GraphBuffer
lf em 4x05_dump N dump EM4x05/EM4x69 tag
lf em 4x05_wipe N wipe EM4x05/EM4x69 tag
lf em 4x05_info N tag information EM4x05/EM4x69
lf em 4x05_read N read word data from EM4x05/EM4x69
lf em 4x05_write N write word data to EM4x05/EM4x69
lf em 4x05_unlock N execute tear off against EM4x05/EM4x69
lf em 4x05_sniff Y Attempt to recover em4x05 commands from sample buffer
lf em 4x05_brute N Bruteforce password
lf em 4x50_dump N dump EM4x50 tag
lf em 4x50_info N tag information EM4x50
lf em 4x50_write N write word data to EM4x50
lf em 4x50_write_password N change password of EM4x50 tag
lf em 4x50_read N read word data from EM4x50
lf em 4x50_wipe N wipe data from EM4x50

lf fdxb

{ FDX-B RFIDs... }

command offline description
lf fdxb help Y this help
lf fdxb demod Y demodulate a FDX-B ISO11784/85 tag from the GraphBuffer
lf fdxb read N attempt to read at 134kHz and extract tag data
lf fdxb clone N clone animal ID tag to T55x7 or Q5/T5555
lf fdxb sim N simulate Animal ID tag

lf gallagher

{ GALLAGHER RFIDs... }

command offline description
lf gallagher help Y This help
lf gallagher demod Y Demodulate an GALLAGHER tag from the GraphBuffer
lf gallagher read N Attempt to read and extract tag data from the antenna
lf gallagher clone N clone GALLAGHER tag to T55x7
lf gallagher sim N simulate GALLAGHER tag

lf gproxii

{ Guardall Prox II RFIDs... }

command offline description
lf gproxii help Y this help
lf gproxii demod Y demodulate a G Prox II tag from the GraphBuffer
lf gproxii read N attempt to read and extract tag data from the antenna
lf gproxii clone N clone Guardall tag to T55x7 or Q5/T5555
lf gproxii sim N simulate Guardall tag

lf hid

{ HID Prox RFIDs... }

command offline description
lf hid help Y this help
lf hid demod Y demodulate HID Prox tag from the GraphBuffer
lf hid read N attempt to read and extract tag data
lf hid clone N clone HID tag to T55x7
lf hid sim N simulate HID tag
lf hid brute N bruteforce card number against reader
lf hid watch N continuously watch for cards. Reader mode

lf hitag

{ Hitag CHIPs... }

command offline description
lf hitag help Y This help
lf hitag list N List Hitag trace history
lf hitag info N Tag information
lf hitag reader N Act like a Hitag Reader
lf hitag sim N Simulate Hitag transponder
lf hitag sniff N Eavesdrop Hitag communication
lf hitag writer N Act like a Hitag Writer
lf hitag dump N Dump Hitag2 tag
lf hitag cc N Test all challenges

lf idteck

{ Idteck RFIDs... }

command offline description
lf idteck help Y This help
lf idteck demod Y Demodulate an Idteck tag from the GraphBuffer
lf idteck read N Attempt to read and Extract tag data from the antenna

lf indala

{ Indala RFIDs... }

command offline description
lf indala help Y this help
lf indala demod Y demodulate an indala tag (PSK1) from GraphBuffer
lf indala altdemod Y alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)
lf indala read N read an Indala Prox tag from the antenna
lf indala clone N clone Indala tag to T55x7 or Q5/T5555
lf indala sim N simulate Indala tag

lf io

{ ioProx RFIDs... }

command offline description
lf io help Y this help
lf io demod Y demodulate an IOProx tag from the GraphBuffer
lf io read N attempt to read and extract tag data
lf io clone N clone IOProx tag to T55x7 or Q5/T5555
lf io sim N simulate IOProx tag
lf io watch N continuously watch for cards. Reader mode

lf jablotron

{ Jablotron RFIDs... }

command offline description
lf jablotron help Y This help
lf jablotron demod Y Demodulate an Jablotron tag from the GraphBuffer
lf jablotron read N Attempt to read and extract tag data from the antenna
lf jablotron clone N clone jablotron tag to T55x7 or Q5/T5555
lf jablotron sim N simulate jablotron tag

lf keri

{ KERI RFIDs... }

command offline description
lf keri help Y This help
lf keri demod Y Demodulate an KERI tag from the GraphBuffer
lf keri read N Attempt to read and extract tag data from the antenna
lf keri clone N clone KERI tag to T55x7 or Q5/T5555
lf keri sim N simulate KERI tag

lf motorola

{ Motorola RFIDs... }

command offline description
lf motorola help Y This help
lf motorola demod Y Demodulate an MOTOROLA tag from the GraphBuffer
lf motorola read N Attempt to read and extract tag data from the antenna
lf motorola clone N clone MOTOROLA tag to T55x7
lf motorola sim N simulate MOTOROLA tag

lf nedap

{ Nedap RFIDs... }

command offline description
lf nedap help Y This help
lf nedap demod Y Demodulate Nedap tag from the GraphBuffer
lf nedap generate Y Generate Nedap bitstream in DemodBuffer
lf nedap read N Attempt to read and extract tag data from the antenna
lf nedap clone N Clone Nedap tag to T55x7 or Q5/T5555
lf nedap sim N Simulate Nedap tag

lf nexwatch

{ NexWatch RFIDs... }

command offline description
lf nexwatch help Y This help
lf nexwatch demod Y Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer
lf nexwatch read N Attempt to Read and Extract tag data from the antenna
lf nexwatch clone N clone NexWatch tag to T55x7
lf nexwatch sim N simulate NexWatch tag

lf noralsy

{ Noralsy RFIDs... }

command offline description
lf noralsy help Y This help
lf noralsy demod Y Demodulate an Noralsy tag from the GraphBuffer
lf noralsy read N Attempt to read and extract tag data from the antenna
lf noralsy clone N clone Noralsy tag to T55x7 or Q5/T5555
lf noralsy sim N simulate Noralsy tag

lf pac

{ PAC/Stanley RFIDs... }

command offline description
lf pac help Y This help
lf pac demod Y Demodulate a PAC tag from the GraphBuffer
lf pac read N Attempt to read and extract tag data from the antenna
lf pac clone N clone PAC tag to T55x7
lf pac sim N simulate PAC tag

lf paradox

{ Paradox RFIDs... }

command offline description
lf paradox help Y This help
lf paradox demod Y Demodulate a Paradox FSK tag from the GraphBuffer
lf paradox reader N Attempt to read and Extract tag data from the antenna
lf paradox clone N clone paradox tag
lf paradox sim N simulate paradox tag

lf pcf7931

{ PCF7931 CHIPs... }

command offline description
lf pcf7931 help Y This help
lf pcf7931 read N Read content of a PCF7931 transponder
lf pcf7931 write N Write data on a PCF7931 transponder.
lf pcf7931 config Y Configure the password, the tags initialization delay and time offsets (optional)

lf presco

{ Presco RFIDs... }

command offline description
lf presco help Y This help
lf presco demod Y demodulate Presco tag from the GraphBuffer
lf presco reader N Attempt to read and Extract tag data
lf presco clone N clone presco tag to T55x7 or Q5/T5555
lf presco sim N simulate presco tag

lf pyramid

{ Farpointe/Pyramid RFIDs... }

command offline description
lf pyramid help Y this help
lf pyramid demod Y demodulate a Pyramid FSK tag from the GraphBuffer
lf pyramid reader N attempt to read and extract tag data
lf pyramid clone N clone pyramid tag to T55x7 or Q5/T5555
lf pyramid sim N simulate pyramid tag

lf securakey

{ Securakey RFIDs... }

command offline description
lf securakey help Y This help
lf securakey demod Y Demodulate an Securakey tag from the GraphBuffer
lf securakey reader N Attempt to read and extract tag data from the antenna
lf securakey clone N clone Securakey tag to T55x7
lf securakey sim N simulate Securakey tag

lf ti

{ TI CHIPs... }

command offline description
lf ti help Y This help
lf ti demod Y Demodulate raw bits for TI-type LF tag from the GraphBuffer
lf ti reader N Read and decode a TI 134 kHz tag
lf ti write N Write new data to a r/w TI 134 kHz tag

lf t55xx

{ T55xx CHIPs... }

command offline description
lf t55xx help Y This help
lf t55xx clonehelp N Shows the available clone commands
lf t55xx config Y Set/Get T55XX configuration (modulation, inverted, offset, rate)
lf t55xx dangerraw N Sends raw bitstream. Dangerous, do not use!! b <bitstream> t <timing>
lf t55xx detect Y [1] Try detecting the tag modulation from reading the configuration block.
lf t55xx deviceconfig N Set/Get T55XX device configuration (startgap, writegap, write0, write1, readgap
lf t55xx dump N [password] [o] Dump T55xx card Page 0 block 0-7. Optional [password], [override]
lf t55xx info Y [1] Show T55x7 configuration data (page 0/ blk 0)
lf t55xx p1detect N [1] Try detecting if this is a t55xx tag by reading page 1
lf t55xx read N b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]
lf t55xx resetread N Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)
lf t55xx restore N f <filename> [p <password>] Restore T55xx card Page 0 / Page 1 blocks
lf t55xx trace Y [1] Show T55x7 traceability data (page 1/ blk 0-1)
lf t55xx wakeup N Send AOR wakeup command
lf t55xx write N b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]
lf t55xx bruteforce N <start password> <end password> Simple bruteforce attack to find password
lf t55xx chk N Check passwords from dictionary/flash
lf t55xx protect N Password protect tag
lf t55xx recoverpw N [password] Try to recover from bad password write from a cloner. Only use on PW protected chips!
lf t55xx sniff Y Attempt to recover T55xx commands from sample buffer
lf t55xx special N Show block changes with 64 different offsets
lf t55xx wipe N [q] Wipe a T55xx tag and set defaults (will destroy any data on tag)

lf viking

{ Viking RFIDs... }

command offline description
lf viking help Y This help
lf viking demod Y Demodulate a Viking tag from the GraphBuffer
lf viking reader N Attempt to read and Extract tag data from the antenna
lf viking clone N clone Viking tag to T55x7 or Q5/T5555
lf viking sim N simulate Viking tag

lf visa2000

{ Visa2000 RFIDs... }

command offline description
lf visa2000 help Y This help
lf visa2000 demod Y demodulate an VISA2000 tag from the GraphBuffer
lf visa2000 reader N attempt to read and extract tag data from the antenna
lf visa2000 clone N clone Visa2000 tag to T55x7 or Q5/T5555
lf visa2000 sim N simulate Visa2000 tag

mem

{ Flash memory manipulation... }

command offline description
mem help Y This help
mem baudrate N Set Flash memory Spi baudrate
mem spiffs N High level SPI FileSystem Flash manipulation
mem info N Flash memory information
mem load N Load data into flash memory
mem dump N Dump data from flash memory
mem wipe N Wipe data from flash memory

reveng

{ CRC calculations from RevEng software... }

[=] reveng: no mode switch specified. Use reveng -h for help.

smart

{ Smart card ISO-7816 commands... }

command offline description
smart help Y This help
smart list N List ISO 7816 history
smart info N Tag information
smart reader N Act like an IS07816 reader
smart raw N Send raw hex data to tag
smart upgrade Y Upgrade sim module firmware
smart setclock N Set clock speed
smart brute N Bruteforce SFI

script

{ Scripting commands... }

command offline description
script help Y Usage info
script list Y List available scripts
script run Y <name> -- execute a script

trace

{ Trace manipulation... }

command offline description
trace help Y This help
trace list Y List protocol data in trace buffer
trace load Y Load trace from file
trace save Y Save trace buffer to file

usart

{ USART commands... }

command offline description
usart help Y This help
usart btpin N Change BT add-on PIN
usart btfactory N Reset BT add-on to factory settings
usart tx N Send string over USART
usart rx N Receive string over USART
usart txrx N Send string over USART and wait for response
usart txhex N Send bytes over USART
usart rxhex N Receive bytes over USART
usart config N Configure USART

wiegand

{ Wiegand format manipulation... }

command offline description
wiegand help Y This help
wiegand list Y List available wiegand formats
wiegand encode Y Encode to wiegand raw hex
wiegand decode Y Convert raw hex to decoded wiegand format