RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-11-11 18:33:18 +08:00
Code Issues Projects Releases Packages Wiki Activity
proxmark3/doc/commands.md
Philippe Teuwen 59667e5d1b make style (linux)
2020-11-29 00:28:56 +01:00

1026 lines
47 KiB
Markdown
Raw Blame History

# Proxmark3 command dump
Some commands are available only if a Proxmark3 is actually connected.
Check column "offline" for their availability.
|command |offline |description
|------- |------- |-----------
|`auto `|N |`Automated detection process for unknown tags`
|`clear `|Y |`Clear screen`
|`help `|Y |`This help. Use '<command> help' for details of a particular command.`
|`hints `|Y |`Turn hints on / off`
|`msleep `|Y |`Add a pause in milliseconds`
|`pref `|Y |`Edit preferences`
|`rem `|Y |`Add a text line in log file`
|`quit `|Y |``
|`exit `|Y |`Exit program`
### analyse
{ Analyse utils... }
|command |offline |description
|------- |------- |-----------
|`analyse help `|Y |`This help`
|`analyse lcr `|Y |`Generate final byte for XOR LRC`
|`analyse crc `|Y |`Stub method for CRC evaluations`
|`analyse chksum `|Y |`Checksum with adding, masking and one's complement`
|`analyse dates `|Y |`Look for datestamps in a given array of bytes`
|`analyse tea `|Y |`Crypto TEA test`
|`analyse lfsr `|Y |`LFSR tests`
|`analyse a `|Y |`num bits test`
|`analyse nuid `|Y |`create NUID from 7byte UID`
|`analyse demodbuff `|Y |`Load binary string to demodbuffer`
|`analyse freq `|Y |`Calc wave lengths`
### data
{ Plot window / data buffer manipulation... }
|command |offline |description
|------- |------- |-----------
|`data help `|Y |`This help`
|`data biphaserawdecode `|Y |`Biphase decode bin stream in DemodBuffer`
|`data detectclock `|Y |`Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer`
|`data fsktonrz `|Y |`Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)`
|`data manrawdecode `|Y |`Manchester decode binary stream in DemodBuffer`
|`data modulation `|Y |`Identify LF signal for clock and modulation`
|`data rawdemod `|Y |`Demodulate the data in the GraphBuffer and output binary`
|`data askedgedetect `|Y |`[threshold] Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)`
|`data autocorr `|Y |`Autocorrelation over window`
|`data dirthreshold `|Y |`<thres up> <thres down> -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.`
|`data decimate `|Y |`Decimate samples`
|`data undecimate `|Y |`Un-decimate samples`
|`data hide `|Y |`Hide graph window`
|`data hpf `|Y |`Remove DC offset from trace`
|`data iir `|Y |`apply IIR buttersworth filter on plotdata`
|`data grid `|Y |`<x> <y> -- overlay grid on graph window, use zero value to turn off either`
|`data ltrim `|Y |`<samples> -- Trim samples from left of trace`
|`data mtrim `|Y |`<start> <stop> -- Trim out samples from the specified start to the specified stop`
|`data norm `|Y |`Normalize max/min to +/-128`
|`data plot `|Y |`Show graph window (hit 'h' in window for keystroke help)`
|`data rtrim `|Y |`<location to end trace> -- Trim samples from right of trace`
|`data setgraphmarkers `|Y |`[orange_marker] [blue_marker] (in graph window)`
|`data shiftgraphzero `|Y |`<shift> -- Shift 0 for Graphed wave + or - shift value`
|`data timescale `|Y |`Set a timescale to get a differential reading between the yellow and purple markers as time duration
`
|`data zerocrossings `|Y |`Count time between zero-crossings`
|`data convertbitstream `|Y |`Convert GraphBuffer's 0/1 values to 127 / -127`
|`data getbitstream `|Y |`Convert GraphBuffer's >=1 values to 1 and <1 to 0`
|`data bin2hex `|Y |`Converts binary to hexadecimal`
|`data bitsamples `|N |`Get raw samples as bitstring`
|`data clear `|Y |`Clears bigbuf on deviceside and graph window`
|`data hexsamples `|N |`<bytes> [<offset>] -- Dump big buffer as hex bytes`
|`data hex2bin `|Y |`Converts hexadecimal to binary`
|`data load `|Y |`Load contents of file into graph window`
|`data ndef `|Y |`Decode NDEF records`
|`data print `|Y |`print the data in the DemodBuffer`
|`data samples `|N |`[512 - 40000] -- Get raw samples for graph window (GraphBuffer)`
|`data save `|Y |`Save signal trace data (from graph window)`
|`data setdebugmode `|Y |`<0|1|2> -- Set Debugging Level on client side`
|`data tune `|N |`Measure tuning of device antenna. Results shown in graph window`
### emv
{ EMV ISO-14443 / ISO-7816... }
|command |offline |description
|------- |------- |-----------
|`emv help `|Y |`This help`
|`emv exec `|N |`Executes EMV contactless transaction.`
|`emv pse `|N |`Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.`
|`emv search `|N |`Try to select all applets from applets list and print installed applets.`
|`emv select `|N |`Select applet.`
|`emv gpo `|N |`Execute GetProcessingOptions.`
|`emv readrec `|N |`Read files from card.`
|`emv genac `|N |`Generate ApplicationCryptogram.`
|`emv challenge `|N |`Generate challenge.`
|`emv intauth `|N |`Internal authentication.`
|`emv scan `|N |`Scan EMV card and save it contents to json file for emulator.`
|`emv test `|Y |`Crypto logic test.`
|`emv list `|Y |`List ISO7816 history`
|`emv roca `|N |`Extract public keys and run ROCA test`
### hf
{ High frequency commands... }
|command |offline |description
|------- |------- |-----------
|`hf help `|Y |`This help`
|`hf list `|Y |`List protocol data in trace buffer`
|`hf plot `|N |`Plot signal`
|`hf tune `|N |`Continuously measure HF antenna tuning`
|`hf search `|Y |`Search for known HF tags`
|`hf sniff `|N |`<samples to skip (10000)> <triggers to skip (1)> Generic HF Sniff`
### hf 14a
{ ISO14443A RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf 14a help `|Y |`This help`
|`hf 14a list `|Y |`List ISO 14443-a history`
|`hf 14a info `|N |`Tag information`
|`hf 14a reader `|N |`Act like an ISO14443-a reader`
|`hf 14a cuids `|N |`<n> Collect n>0 ISO14443-a UIDs in one go`
|`hf 14a sim `|N |`<UID> -- Simulate ISO 14443-a tag`
|`hf 14a sniff `|N |`sniff ISO 14443-a traffic`
|`hf 14a apdu `|N |`Send ISO 14443-4 APDU to tag`
|`hf 14a chaining `|N |`Control ISO 14443-4 input chaining`
|`hf 14a raw `|N |`Send raw hex data to tag`
|`hf 14a antifuzz `|N |`Fuzzing the anticollision phase. Warning! Readers may react strange`
|`hf 14a config `|N |`Configure 14a settings (use with caution)`
### hf 14b
{ ISO14443B RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf 14b help `|Y |`This help`
|`hf 14b apdu `|N |`Send ISO 14443-4 APDU to tag`
|`hf 14b dump `|N |`Read all memory pages of an ISO14443-B tag, save to file`
|`hf 14b info `|N |`Tag information`
|`hf 14b list `|Y |`List ISO 14443B history`
|`hf 14b ndef `|N |`Read NDEF file on tag`
|`hf 14b raw `|N |`Send raw hex data to tag`
|`hf 14b reader `|N |`Act as a 14443B reader to identify a tag`
|`hf 14b sim `|N |`Fake ISO 14443B tag`
|`hf 14b sniff `|N |`Eavesdrop ISO 14443B`
|`hf 14b rdbl `|N |`Read SRI512/SRIX4x block`
|`hf 14b sriwrite `|N |`Write data to a SRI512 | SRIX4K tag`
### hf 15
{ ISO15693 RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf 15 help `|Y |`This help`
|`hf 15 list `|Y |`List ISO15693 history`
|`hf 15 demod `|Y |`Demodulate ISO15693 from tag`
|`hf 15 dump `|N |`Read all memory pages of an ISO15693 tag, save to file`
|`hf 15 info `|N |`Tag information`
|`hf 15 sniff `|N |`Sniff ISO15693 traffic`
|`hf 15 raw `|N |`Send raw hex data to tag`
|`hf 15 rdbl `|N |`Read a block`
|`hf 15 reader `|N |`Act like an ISO15693 reader`
|`hf 15 readmulti `|N |`Reads multiple Blocks`
|`hf 15 restore `|N |`Restore from file to all memory pages of an ISO15693 tag`
|`hf 15 samples `|N |`Acquire Samples as Reader (enables carrier, sends inquiry)`
|`hf 15 sim `|N |`Fake an ISO15693 tag`
|`hf 15 wrbl `|N |`Write a block`
|`hf 15 findafi `|N |`Brute force AFI of an ISO15693 tag`
|`hf 15 writeafi `|N |`Writes the AFI on an ISO15693 tag`
|`hf 15 writedsfid `|N |`Writes the DSFID on an ISO15693 tag`
|`hf 15 csetuid `|N |`Set UID for magic Chinese card`
### hf epa
{ German Identification Card... }
|command |offline |description
|------- |------- |-----------
|`hf epa help `|Y |`This help`
|`hf epa cnonces `|N |`<m> <n> <d> Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses`
|`hf epa preplay `|N |`<mse> <get> <map> <pka> <ma> Perform PACE protocol by replaying given APDUs`
### hf felica
{ ISO18092 / FeliCa RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf felica help `|Y |`This help`
|`hf felica list `|Y |`List ISO 18092/FeliCa history`
|`hf felica reader `|N |`Act like an ISO18092/FeliCa reader`
|`hf felica sniff `|N |`Sniff ISO 18092/FeliCa traffic`
|`hf felica raw `|N |`Send raw hex data to tag`
|`hf felica rdunencrypted`|N |`read Block Data from authentication-not-required Service.`
|`hf felica wrunencrypted`|N |`write Block Data to an authentication-not-required Service.`
|`hf felica rqservice `|N |`verify the existence of Area and Service, and to acquire Key Version.`
|`hf felica rqresponse `|N |`verify the existence of a card and its Mode.`
|`hf felica scsvcode `|N |`acquire Area Code and Service Code.`
|`hf felica rqsyscode `|N |`acquire System Code registered to the card.`
|`hf felica auth1 `|N |`authenticate a card. Start mutual authentication with Auth1`
|`hf felica auth2 `|N |`allow a card to authenticate a Reader/Writer. Complete mutual authentication`
|`hf felica rqspecver `|N |`acquire the version of card OS.`
|`hf felica resetmode `|N |`reset Mode to Mode 0.`
|`hf felica litesim `|N |`<NDEF2> - only reply to poll request`
|`hf felica litedump `|N |`Wait for and try dumping FelicaLite`
### hf fido
{ FIDO and FIDO2 authenticators... }
|command |offline |description
|------- |------- |-----------
|`hf fido help `|Y |`This help.`
|`hf fido list `|N |`List ISO 14443A history`
|`hf fido info `|N |`Info about FIDO tag.`
|`hf fido reg `|N |`FIDO U2F Registration Message.`
|`hf fido auth `|N |`FIDO U2F Authentication Message.`
|`hf fido make `|N |`FIDO2 MakeCredential command.`
|`hf fido assert `|N |`FIDO2 GetAssertion command.`
### hf iclass
{ ICLASS RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf iclass help `|Y |`This help`
|`hf iclass dump `|N |`[options..] Dump Picopass / iCLASS tag to file`
|`hf iclass info `|Y |` Tag information`
|`hf iclass list `|Y |` List iclass history`
|`hf iclass rdbl `|N |`[options..] Read Picopass / iCLASS block`
|`hf iclass reader `|N |` Act like an Picopass / iCLASS reader`
|`hf iclass restore `|N |`[options..] Restore a dump file onto a Picopass / iCLASS tag`
|`hf iclass sniff `|N |` Eavesdrop Picopass / iCLASS communication`
|`hf iclass wrbl `|N |`[options..] Write Picopass / iCLASS block`
|`hf iclass chk `|N |`[options..] Check keys`
|`hf iclass loclass `|Y |`[options..] Use loclass to perform bruteforce reader attack`
|`hf iclass lookup `|Y |`[options..] Uses authentication trace to check for key in dictionary file`
|`hf iclass sim `|N |`[options..] Simulate iCLASS tag`
|`hf iclass eload `|N |`[f <fn> ] Load Picopass / iCLASS dump file into emulator memory`
|`hf iclass esave `|N |`[f <fn> ] Save emulator memory to file`
|`hf iclass eview `|N |`[options..] View emulator memory`
|`hf iclass calcnewkey `|Y |`[options..] Calc diversified keys (blocks 3 & 4) to write new keys`
|`hf iclass encrypt `|Y |`[options..] Encrypt given block data`
|`hf iclass decrypt `|Y |`[options..] Decrypt given block data or tag dump file`
|`hf iclass managekeys `|Y |`[options..] Manage keys to use with iclass commands`
|`hf iclass permute `|N |` Permute function from 'heart of darkness' paper`
|`hf iclass view `|Y |`[options..] Display content from tag dump file`
### hf legic
{ LEGIC RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf legic help `|Y |`This help`
|`hf legic list `|Y |`List LEGIC history`
|`hf legic reader `|N |`LEGIC Prime Reader UID and tag info`
|`hf legic info `|N |`Display deobfuscated and decoded LEGIC Prime tag data`
|`hf legic dump `|N |`Dump LEGIC Prime tag to binary file`
|`hf legic restore `|N |`Restore a dump file onto a LEGIC Prime tag`
|`hf legic rdbl `|N |`Read bytes from a LEGIC Prime tag`
|`hf legic sim `|N |`Start tag simulator`
|`hf legic wrbl `|N |`Write data to a LEGIC Prime tag`
|`hf legic crc `|Y |`Calculate Legic CRC over given bytes`
|`hf legic eload `|Y |`Load binary dump to emulator memory`
|`hf legic esave `|Y |`Save emulator memory to binary file`
|`hf legic wipe `|N |`Wipe a LEGIC Prime tag`
### hf lto
{ LTO Cartridge Memory RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf lto help `|Y |`This help`
|`hf lto dump `|N |`Dump LTO-CM tag to file`
|`hf lto restore `|N |`Restore dump file to LTO-CM tag`
|`hf lto info `|N |`Tag information`
|`hf lto rdbl `|N |`Read block`
|`hf lto wrbl `|N |`Write block`
|`hf lto list `|Y |`List LTO-CM history`
### hf mf
{ MIFARE RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mf help `|Y |`This help`
|`hf mf list `|Y |`List MIFARE history`
|`hf mf darkside `|N |`Darkside attack`
|`hf mf nested `|N |`Nested attack`
|`hf mf hardnested `|Y |`Nested attack for hardened MIFARE Classic cards`
|`hf mf staticnested `|N |`Nested attack against static nonce MIFARE Classic cards`
|`hf mf autopwn `|N |`Automatic key recovery tool for MIFARE Classic`
|`hf mf nack `|N |`Test for MIFARE NACK bug`
|`hf mf chk `|N |`Check keys`
|`hf mf fchk `|N |`Check keys fast, targets all keys on card`
|`hf mf decrypt `|Y |`[nt] [ar_enc] [at_enc] [data] - to decrypt sniff or trace`
|`hf mf supercard `|N |`Extract info from a `super card``
|`hf mf auth4 `|N |`ISO14443-4 AES authentication`
|`hf mf dump `|N |`Dump MIFARE Classic tag to binary file`
|`hf mf mad `|N |`Checks and prints MAD`
|`hf mf ndef `|N |`Prints NDEF records from card`
|`hf mf personalize `|N |`Personalize UID (MIFARE Classic EV1 only)`
|`hf mf rdbl `|N |`Read MIFARE Classic block`
|`hf mf rdsc `|N |`Read MIFARE Classic sector`
|`hf mf restore `|N |`Restore MIFARE Classic binary file to BLANK tag`
|`hf mf setmod `|N |`Set MIFARE Classic EV1 load modulation strength`
|`hf mf wrbl `|N |`Write MIFARE Classic block`
|`hf mf sim `|N |`Simulate MIFARE card`
|`hf mf ecfill `|N |`Fill simulator memory with help of keys from simulator`
|`hf mf eclr `|N |`Clear simulator memory`
|`hf mf egetblk `|N |`Get simulator memory block`
|`hf mf egetsc `|N |`Get simulator memory sector`
|`hf mf ekeyprn `|N |`Print keys from simulator memory`
|`hf mf eload `|N |`Load from file emul dump`
|`hf mf esave `|N |`Save to file emul dump`
|`hf mf eset `|N |`Set simulator memory block`
|`hf mf eview `|N |`View emul memory`
|`hf mf cgetblk `|N |`Read block`
|`hf mf cgetsc `|N |`Read sector`
|`hf mf cload `|N |`Load dump`
|`hf mf csave `|N |`Save dump from card into file or emulator`
|`hf mf csetblk `|N |`Write block`
|`hf mf csetuid `|N |`Set UID`
|`hf mf cview `|N |`view card`
|`hf mf cwipe `|N |`Wipe card to default UID/Sectors/Keys`
|`hf mf gen3uid `|N |`Set UID without manufacturer block`
|`hf mf gen3blk `|N |`Overwrite full manufacturer block`
|`hf mf gen3freeze `|N |`Perma lock further UID changes`
|`hf mf ice `|N |`collect MIFARE Classic nonces to file`
### hf mfp
{ MIFARE Plus RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mfp help `|Y |`This help`
|`hf mfp info `|N |`Info about Mifare Plus tag`
|`hf mfp wrp `|N |`Write Perso command`
|`hf mfp initp `|N |`Fills all the card's keys`
|`hf mfp commitp `|N |`Move card to SL1 or SL3 mode`
|`hf mfp auth `|N |`Authentication`
|`hf mfp rdbl `|N |`Read blocks`
|`hf mfp rdsc `|N |`Read sectors`
|`hf mfp wrbl `|N |`Write blocks`
|`hf mfp chk `|N |`Check keys`
|`hf mfp mad `|N |`Checks and prints MAD`
|`hf mfp ndef `|N |`Prints NDEF records from card`
### hf mfu
{ MIFARE Ultralight RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mfu help `|Y |`This help`
|`hf mfu info `|N |`Tag information`
|`hf mfu dump `|N |`Dump Ultralight / Ultralight-C / NTAG tag to binary file`
|`hf mfu restore `|N |`Restore a dump onto a MFU MAGIC tag`
|`hf mfu eload `|N |`load Ultralight .eml dump file into emulator memory`
|`hf mfu rdbl `|N |`Read block`
|`hf mfu wrbl `|N |`Write block`
|`hf mfu cauth `|N |`Authentication - Ultralight C`
|`hf mfu setpwd `|N |`Set 3des password - Ultralight-C`
|`hf mfu setuid `|N |`Set UID - MAGIC tags only`
|`hf mfu sim `|N |`Simulate Ultralight from emulator memory`
|`hf mfu gen `|Y |`Generate 3des mifare diversified keys`
|`hf mfu pwdgen `|Y |`Generate pwd from known algos`
|`hf mfu otptear `|N |`Tear-off test on OTP bits`
|`hf mfu ndef `|N |`Prints NDEF records from card`
### hf mfdes
{ MIFARE Desfire RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf mfdes help `|Y |`This help`
|`hf mfdes auth `|N |`Tries a MIFARE DesFire Authentication`
|`hf mfdes changekey `|N |`Change Key`
|`hf mfdes chk `|N |`Check keys`
|`hf mfdes enum `|N |`Tries enumerate all applications`
|`hf mfdes formatpicc `|N |`Format PICC`
|`hf mfdes getuid `|N |`Get random uid`
|`hf mfdes info `|N |`Tag information`
|`hf mfdes list `|Y |`List DESFire (ISO 14443A) history`
|`hf mfdes createaid `|N |`Create Application ID`
|`hf mfdes deleteaid `|N |`Delete Application ID`
|`hf mfdes selectaid `|N |`Select Application ID`
|`hf mfdes changevalue `|N |`Write value of a value file (credit/debit/clear)`
|`hf mfdes clearfile `|N |`Clear record File`
|`hf mfdes createfile `|N |`Create Standard/Backup File`
|`hf mfdes createvaluefile`|N |`Create Value File`
|`hf mfdes createrecordfile`|N |`Create Linear/Cyclic Record File`
|`hf mfdes deletefile `|N |`Create Delete File`
|`hf mfdes dump `|N |`Dump all files`
|`hf mfdes getvalue `|N |`Get value of file`
|`hf mfdes readdata `|N |`Read data from standard/backup/record file`
|`hf mfdes writedata `|N |`Write data to standard/backup/record file`
### hf st
{ ST Rothult RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf st help `|Y |`This help`
|`hf st info `|N |`Tag information`
|`hf st list `|Y |`List ISO 14443A/7816 history`
|`hf st ndef `|Y |`read NDEF file on tag`
|`hf st protect `|N |`change protection on tag`
|`hf st pwd `|N |`change password on tag`
|`hf st sim `|N |`Fake ISO 14443A/ST tag`
### hf thinfilm
{ Thinfilm RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf thinfilm help `|Y |`This help`
|`hf thinfilm info `|N |`Tag information`
|`hf thinfilm list `|Y |`List NFC Barcode / Thinfilm history - not correct`
|`hf thinfilm sim `|N |`Fake Thinfilm tag`
### hf topaz
{ TOPAZ (NFC Type 1) RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf topaz help `|Y |`This help`
|`hf topaz list `|Y |`List Topaz history`
|`hf topaz info `|N |`Tag information`
|`hf topaz reader `|N |`Act like a Topaz reader`
|`hf topaz sim `|N |`<UID> -- Simulate Topaz tag`
|`hf topaz sniff `|N |`Sniff Topaz reader-tag communication`
|`hf topaz raw `|N |`Send raw hex data to tag`
### hf waveshare
{ Waveshare NFC ePaper... }
|command |offline |description
|------- |------- |-----------
|`hf waveshare help `|Y |`This help`
|`hf waveshare loadbmp `|N |`Load BMP file to Waveshare NFC ePaper`
### hw
{ Hardware commands... }
|command |offline |description
|------- |------- |-----------
|`hw help `|Y |`This help`
|`hw connect `|Y |`connect Proxmark3 to serial port`
|`hw dbg `|N |`Set Proxmark3 debug level`
|`hw detectreader `|N |`['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)`
|`hw fpgaoff `|N |`Set FPGA off`
|`hw lcd `|N |`<HEX command> <count> -- Send command/data to LCD`
|`hw lcdreset `|N |`Hardware reset LCD`
|`hw ping `|N |`Test if the Proxmark3 is responsive`
|`hw readmem `|N |`[address] -- Read memory at decimal address from flash`
|`hw reset `|N |`Reset the Proxmark3`
|`hw setlfdivisor `|N |`<19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)`
|`hw setmux `|N |`Set the ADC mux to a specific value`
|`hw standalone `|N |`Jump to the standalone mode`
|`hw status `|N |`Show runtime status information about the connected Proxmark3`
|`hw tearoff `|N |`Program a tearoff hook for the next command supporting tearoff`
|`hw tia `|N |`Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider`
|`hw tune `|N |`Measure antenna tuning`
|`hw version `|N |`Show version information about the connected Proxmark3`
### lf
{ Low frequency commands... }
|command |offline |description
|------- |------- |-----------
|`lf help `|Y |`This help`
|`lf config `|N |`Get/Set config for LF sampling, bit/sample, decimation, frequency`
|`lf cmdread `|N |`Modulate LF reader field to send command before read (all periods in microseconds)`
|`lf read `|N |`Read LF tag`
|`lf search `|Y |`Read and Search for valid known tag (in offline mode it you can load first then search)`
|`lf sim `|N |`Simulate LF tag from buffer with optional GAP (in microseconds)`
|`lf simask `|N |`Simulate LF ASK tag from demodbuffer or input`
|`lf simfsk `|N |`Simulate LF FSK tag from demodbuffer or input`
|`lf simpsk `|N |`Simulate LF PSK tag from demodbuffer or input`
|`lf simbidir `|N |`Simulate LF tag (with bidirectional data transmission between reader and tag)`
|`lf sniff `|N |`Sniff LF traffic between reader and tag`
|`lf tune `|N |`Continuously measure LF antenna tuning`
### lf awid
{ AWID RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf awid help `|Y |`this help`
|`lf awid demod `|Y |`demodulate an AWID FSK tag from the GraphBuffer`
|`lf awid read `|N |`attempt to read and extract tag data`
|`lf awid clone `|N |`clone AWID tag to T55x7 or Q5/T5555`
|`lf awid sim `|N |`simulate AWID tag`
|`lf awid brute `|N |`Bruteforce card number against reader`
|`lf awid watch `|N |`continuously watch for cards. Reader mode`
### lf cotag
{ COTAG CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf cotag help `|Y |`This help`
|`lf cotag demod `|Y |`Tries to decode a COTAG signal`
|`lf cotag read `|N |`Attempt to read and extract tag data`
### lf destron
{ FDX-A Destron RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf destron help `|Y |`This help`
|`lf destron demod `|Y |`Demodulate an Destron tag from the GraphBuffer`
|`lf destron read `|N |`Attempt to read and extract tag data from the antenna`
|`lf destron clone `|N |`Clone Destron tag to T55x7`
|`lf destron sim `|N |`Simulate Destron tag`
### lf em
{ EM4X CHIPs & RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf em help `|Y |`This help`
|`lf em 410x_demod `|Y |`demodulate a EM410x tag from the GraphBuffer`
|`lf em 410x_read `|N |`attempt to read and extract tag data`
|`lf em 410x_sim `|N |`simulate EM410x tag`
|`lf em 410x_brute `|N |`reader bruteforce attack by simulating EM410x tags`
|`lf em 410x_watch `|N |`watches for EM410x 125/134 kHz tags (option 'h' for 134)`
|`lf em 410x_spoof `|N |`watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)`
|`lf em 410x_clone `|N |`write EM410x UID to T55x7 or Q5/T5555 tag`
|`lf em 4x05_chk `|N |`Check passwords from dictionary`
|`lf em 4x05_demod `|Y |`demodulate a EM4x05/EM4x69 tag from the GraphBuffer`
|`lf em 4x05_dump `|N |`dump EM4x05/EM4x69 tag`
|`lf em 4x05_wipe `|N |`wipe EM4x05/EM4x69 tag`
|`lf em 4x05_info `|N |`tag information EM4x05/EM4x69`
|`lf em 4x05_read `|N |`read word data from EM4x05/EM4x69`
|`lf em 4x05_write `|N |`write word data to EM4x05/EM4x69`
|`lf em 4x05_unlock `|N |`execute tear off against EM4x05/EM4x69`
|`lf em 4x05_sniff `|Y |`Attempt to recover em4x05 commands from sample buffer`
|`lf em 4x05_brute `|N |`Bruteforce password`
|`lf em 4x50_dump `|N |`dump EM4x50 tag`
|`lf em 4x50_info `|N |`tag information EM4x50`
|`lf em 4x50_write `|N |`write word data to EM4x50`
|`lf em 4x50_write_password`|N |`change password of EM4x50 tag`
|`lf em 4x50_read `|N |`read word data from EM4x50`
|`lf em 4x50_wipe `|N |`wipe data from EM4x50`
### lf fdxb
{ FDX-B RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf fdxb help `|Y |`this help`
|`lf fdxb demod `|Y |`demodulate a FDX-B ISO11784/85 tag from the GraphBuffer`
|`lf fdxb read `|N |`attempt to read at 134kHz and extract tag data`
|`lf fdxb clone `|N |`clone animal ID tag to T55x7 or Q5/T5555`
|`lf fdxb sim `|N |`simulate Animal ID tag`
### lf gallagher
{ GALLAGHER RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf gallagher help `|Y |`This help`
|`lf gallagher demod `|Y |`Demodulate an GALLAGHER tag from the GraphBuffer`
|`lf gallagher read `|N |`Attempt to read and extract tag data from the antenna`
|`lf gallagher clone `|N |`clone GALLAGHER tag to T55x7`
|`lf gallagher sim `|N |`simulate GALLAGHER tag`
### lf gproxii
{ Guardall Prox II RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf gproxii help `|Y |`this help`
|`lf gproxii demod `|Y |`demodulate a G Prox II tag from the GraphBuffer`
|`lf gproxii read `|N |`attempt to read and extract tag data from the antenna`
|`lf gproxii clone `|N |`clone Guardall tag to T55x7 or Q5/T5555`
|`lf gproxii sim `|N |`simulate Guardall tag`
### lf hid
{ HID Prox RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf hid help `|Y |`this help`
|`lf hid demod `|Y |`demodulate HID Prox tag from the GraphBuffer`
|`lf hid read `|N |`attempt to read and extract tag data`
|`lf hid clone `|N |`clone HID tag to T55x7`
|`lf hid sim `|N |`simulate HID tag`
|`lf hid brute `|N |`bruteforce card number against reader`
|`lf hid watch `|N |`continuously watch for cards. Reader mode`
### lf hitag
{ Hitag CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf hitag help `|Y |`This help`
|`lf hitag list `|N |`List Hitag trace history`
|`lf hitag info `|N |`Tag information`
|`lf hitag reader `|N |`Act like a Hitag Reader`
|`lf hitag sim `|N |`Simulate Hitag transponder`
|`lf hitag sniff `|N |`Eavesdrop Hitag communication`
|`lf hitag writer `|N |`Act like a Hitag Writer`
|`lf hitag dump `|N |`Dump Hitag2 tag`
|`lf hitag cc `|N |`Test all challenges`
### lf idteck
{ Idteck RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf idteck help `|Y |`This help`
|`lf idteck demod `|Y |`Demodulate an Idteck tag from the GraphBuffer`
|`lf idteck read `|N |`Attempt to read and Extract tag data from the antenna`
### lf indala
{ Indala RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf indala help `|Y |`this help`
|`lf indala demod `|Y |`demodulate an indala tag (PSK1) from GraphBuffer`
|`lf indala altdemod `|Y |`alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)`
|`lf indala read `|N |`read an Indala Prox tag from the antenna`
|`lf indala clone `|N |`clone Indala tag to T55x7 or Q5/T5555`
|`lf indala sim `|N |`simulate Indala tag`
### lf io
{ ioProx RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf io help `|Y |`this help`
|`lf io demod `|Y |`demodulate an IOProx tag from the GraphBuffer`
|`lf io read `|N |`attempt to read and extract tag data`
|`lf io clone `|N |`clone IOProx tag to T55x7 or Q5/T5555`
|`lf io sim `|N |`simulate IOProx tag`
|`lf io watch `|N |`continuously watch for cards. Reader mode`
### lf jablotron
{ Jablotron RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf jablotron help `|Y |`This help`
|`lf jablotron demod `|Y |`Demodulate an Jablotron tag from the GraphBuffer`
|`lf jablotron read `|N |`Attempt to read and extract tag data from the antenna`
|`lf jablotron clone `|N |`clone jablotron tag to T55x7 or Q5/T5555`
|`lf jablotron sim `|N |`simulate jablotron tag`
### lf keri
{ KERI RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf keri help `|Y |`This help`
|`lf keri demod `|Y |`Demodulate an KERI tag from the GraphBuffer`
|`lf keri read `|N |`Attempt to read and extract tag data from the antenna`
|`lf keri clone `|N |`clone KERI tag to T55x7 or Q5/T5555`
|`lf keri sim `|N |`simulate KERI tag`
### lf motorola
{ Motorola RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf motorola help `|Y |`This help`
|`lf motorola demod `|Y |`Demodulate an MOTOROLA tag from the GraphBuffer`
|`lf motorola read `|N |`Attempt to read and extract tag data from the antenna`
|`lf motorola clone `|N |`clone MOTOROLA tag to T55x7`
|`lf motorola sim `|N |`simulate MOTOROLA tag`
### lf nedap
{ Nedap RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf nedap help `|Y |`This help`
|`lf nedap demod `|Y |`Demodulate Nedap tag from the GraphBuffer`
|`lf nedap generate `|Y |`Generate Nedap bitstream in DemodBuffer`
|`lf nedap read `|N |`Attempt to read and extract tag data from the antenna`
|`lf nedap clone `|N |`Clone Nedap tag to T55x7 or Q5/T5555`
|`lf nedap sim `|N |`Simulate Nedap tag`
### lf nexwatch
{ NexWatch RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf nexwatch help `|Y |`This help`
|`lf nexwatch demod `|Y |`Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer`
|`lf nexwatch read `|N |`Attempt to Read and Extract tag data from the antenna`
|`lf nexwatch clone `|N |`clone NexWatch tag to T55x7`
|`lf nexwatch sim `|N |`simulate NexWatch tag`
### lf noralsy
{ Noralsy RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf noralsy help `|Y |`This help`
|`lf noralsy demod `|Y |`Demodulate an Noralsy tag from the GraphBuffer`
|`lf noralsy read `|N |`Attempt to read and extract tag data from the antenna`
|`lf noralsy clone `|N |`clone Noralsy tag to T55x7 or Q5/T5555`
|`lf noralsy sim `|N |`simulate Noralsy tag`
### lf pac
{ PAC/Stanley RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf pac help `|Y |`This help`
|`lf pac demod `|Y |`Demodulate a PAC tag from the GraphBuffer`
|`lf pac read `|N |`Attempt to read and extract tag data from the antenna`
|`lf pac clone `|N |`clone PAC tag to T55x7`
|`lf pac sim `|N |`simulate PAC tag`
### lf paradox
{ Paradox RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf paradox help `|Y |`This help`
|`lf paradox demod `|Y |`Demodulate a Paradox FSK tag from the GraphBuffer`
|`lf paradox reader `|N |`Attempt to read and Extract tag data from the antenna`
|`lf paradox clone `|N |`clone paradox tag`
|`lf paradox sim `|N |`simulate paradox tag`
### lf pcf7931
{ PCF7931 CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf pcf7931 help `|Y |`This help`
|`lf pcf7931 read `|N |`Read content of a PCF7931 transponder`
|`lf pcf7931 write `|N |`Write data on a PCF7931 transponder.`
|`lf pcf7931 config `|Y |`Configure the password, the tags initialization delay and time offsets (optional)`
### lf presco
{ Presco RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf presco help `|Y |`This help`
|`lf presco demod `|Y |`demodulate Presco tag from the GraphBuffer`
|`lf presco reader `|N |`Attempt to read and Extract tag data`
|`lf presco clone `|N |`clone presco tag to T55x7 or Q5/T5555`
|`lf presco sim `|N |`simulate presco tag`
### lf pyramid
{ Farpointe/Pyramid RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf pyramid help `|Y |`this help`
|`lf pyramid demod `|Y |`demodulate a Pyramid FSK tag from the GraphBuffer`
|`lf pyramid reader `|N |`attempt to read and extract tag data`
|`lf pyramid clone `|N |`clone pyramid tag to T55x7 or Q5/T5555`
|`lf pyramid sim `|N |`simulate pyramid tag`
### lf securakey
{ Securakey RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf securakey help `|Y |`This help`
|`lf securakey demod `|Y |`Demodulate an Securakey tag from the GraphBuffer`
|`lf securakey reader `|N |`Attempt to read and extract tag data from the antenna`
|`lf securakey clone `|N |`clone Securakey tag to T55x7`
|`lf securakey sim `|N |`simulate Securakey tag`
### lf ti
{ TI CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf ti help `|Y |`This help`
|`lf ti demod `|Y |`Demodulate raw bits for TI-type LF tag from the GraphBuffer`
|`lf ti reader `|N |`Read and decode a TI 134 kHz tag`
|`lf ti write `|N |`Write new data to a r/w TI 134 kHz tag`
### lf t55xx
{ T55xx CHIPs... }
|command |offline |description
|------- |------- |-----------
|`lf t55xx help `|Y |`This help`
|`lf t55xx clonehelp `|N |`Shows the available clone commands`
|`lf t55xx config `|Y |`Set/Get T55XX configuration (modulation, inverted, offset, rate)`
|`lf t55xx dangerraw `|N |`Sends raw bitstream. Dangerous, do not use!! b <bitstream> t <timing>`
|`lf t55xx detect `|Y |`[1] Try detecting the tag modulation from reading the configuration block.`
|`lf t55xx deviceconfig `|N |`Set/Get T55XX device configuration (startgap, writegap, write0, write1, readgap`
|`lf t55xx dump `|N |`[password] [o] Dump T55xx card Page 0 block 0-7. Optional [password], [override]`
|`lf t55xx info `|Y |`[1] Show T55x7 configuration data (page 0/ blk 0)`
|`lf t55xx p1detect `|N |`[1] Try detecting if this is a t55xx tag by reading page 1`
|`lf t55xx read `|N |`b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]`
|`lf t55xx resetread `|N |`Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)`
|`lf t55xx restore `|N |`f <filename> [p <password>] Restore T55xx card Page 0 / Page 1 blocks`
|`lf t55xx trace `|Y |`[1] Show T55x7 traceability data (page 1/ blk 0-1)`
|`lf t55xx wakeup `|N |`Send AOR wakeup command`
|`lf t55xx write `|N |`b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]`
|`lf t55xx bruteforce `|N |`<start password> <end password> Simple bruteforce attack to find password`
|`lf t55xx chk `|N |`Check passwords from dictionary/flash`
|`lf t55xx protect `|N |`Password protect tag`
|`lf t55xx recoverpw `|N |`[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!`
|`lf t55xx sniff `|Y |`Attempt to recover T55xx commands from sample buffer`
|`lf t55xx special `|N |`Show block changes with 64 different offsets`
|`lf t55xx wipe `|N |`[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)`
### lf viking
{ Viking RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf viking help `|Y |`This help`
|`lf viking demod `|Y |`Demodulate a Viking tag from the GraphBuffer`
|`lf viking reader `|N |`Attempt to read and Extract tag data from the antenna`
|`lf viking clone `|N |`clone Viking tag to T55x7 or Q5/T5555`
|`lf viking sim `|N |`simulate Viking tag`
### lf visa2000
{ Visa2000 RFIDs... }
|command |offline |description
|------- |------- |-----------
|`lf visa2000 help `|Y |`This help`
|`lf visa2000 demod `|Y |`demodulate an VISA2000 tag from the GraphBuffer`
|`lf visa2000 reader `|N |`attempt to read and extract tag data from the antenna`
|`lf visa2000 clone `|N |`clone Visa2000 tag to T55x7 or Q5/T5555`
|`lf visa2000 sim `|N |`simulate Visa2000 tag`
### mem
{ Flash memory manipulation... }
|command |offline |description
|------- |------- |-----------
|`mem help `|Y |`This help`
|`mem baudrate `|N |`Set Flash memory Spi baudrate`
|`mem spiffs `|N |`High level SPI FileSystem Flash manipulation`
|`mem info `|N |`Flash memory information`
|`mem load `|N |`Load data into flash memory`
|`mem dump `|N |`Dump data from flash memory`
|`mem wipe `|N |`Wipe data from flash memory`
### reveng
{ CRC calculations from RevEng software... }
[=] reveng: no mode switch specified. Use reveng -h for help.
### smart
{ Smart card ISO-7816 commands... }
|command |offline |description
|------- |------- |-----------
|`smart help `|Y |`This help`
|`smart list `|N |`List ISO 7816 history`
|`smart info `|N |`Tag information`
|`smart reader `|N |`Act like an IS07816 reader`
|`smart raw `|N |`Send raw hex data to tag`
|`smart upgrade `|Y |`Upgrade sim module firmware`
|`smart setclock `|N |`Set clock speed`
|`smart brute `|N |`Bruteforce SFI`
### script
{ Scripting commands... }
|command |offline |description
|------- |------- |-----------
|`script help `|Y |`Usage info`
|`script list `|Y |`List available scripts`
|`script run `|Y |`<name> -- execute a script`
### trace
{ Trace manipulation... }
|command |offline |description
|------- |------- |-----------
|`trace help `|Y |`This help`
|`trace list `|Y |`List protocol data in trace buffer`
|`trace load `|Y |`Load trace from file`
|`trace save `|Y |`Save trace buffer to file`
### usart
{ USART commands... }
|command |offline |description
|------- |------- |-----------
|`usart help `|Y |`This help`
|`usart btpin `|N |`Change BT add-on PIN`
|`usart btfactory `|N |`Reset BT add-on to factory settings`
|`usart tx `|N |`Send string over USART`
|`usart rx `|N |`Receive string over USART`
|`usart txrx `|N |`Send string over USART and wait for response`
|`usart txhex `|N |`Send bytes over USART`
|`usart rxhex `|N |`Receive bytes over USART`
|`usart config `|N |`Configure USART`
### wiegand
{ Wiegand format manipulation... }
|command |offline |description
|------- |------- |-----------
|`wiegand help `|Y |`This help`
|`wiegand list `|Y |`List available wiegand formats`
|`wiegand encode `|Y |`Encode to wiegand raw hex`
|`wiegand decode `|Y |`Convert raw hex to decoded wiegand format`
Reference in a new issue View git blame Copy permalink