4 "command": "analyse a",
5 "description": "Iceman's personal garbage test command",
7 "analyse a -d 137AF00A0A0D"
11 "-h, --help This help",
12 "-d, --data <hex> bytes to manipulate"
14 "usage": "analyse a [-h] -d <hex>"
17 "command": "analyse chksum",
18 "description": "The bytes will be added with eachother and than limited with the applied mask Finally compute ones' complement of the least significant bytes.",
20 "analyse chksum -d 137AF00A0A0D -> expected output: 0x61",
21 "analyse chksum -d 137AF00A0A0D -m FF"
25 "-h, --help This help",
26 "-d, --data <hex> bytes to calc checksum",
27 "-m, --mask <hex> bit mask to limit the output (4 hex bytes max)",
28 "-v, --verbose verbose output"
30 "usage": "analyse chksum [-hv] -d <hex> [-m <hex>]"
33 "command": "analyse crc",
34 "description": "A stub method to test different crc implementations inside the PM3 sourcecode. Just because you figured out the poly, doesn't mean you get the desired output",
36 "analyse crc -d 137AF00A0A0D"
40 "-h, --help This help",
41 "-d, --data <hex> bytes to calc crc"
43 "usage": "analyse crc [-h] -d <hex>"
46 "command": "analyse dates",
47 "description": "Tool to look for date/time stamps in a given array of bytes",
53 "-h, --help This help"
55 "usage": "analyse dates [-h]"
57 "analyse demodbuff": {
58 "command": "analyse demodbuff",
59 "description": "loads a binary string into DemodBuffer",
61 "analyse demodbuff -d 0011101001001011"
65 "-h, --help This help",
66 "-d, --data <bin> binary string to load"
68 "usage": "analyse demodbuff [-h] -d <bin>"
71 "command": "analyse foo",
72 "description": "experiments of cliparse",
74 "analyse foo -r a0000000a0002021"
78 "-h, --help This help",
79 "-r, --raw <hex> raw bytes"
81 "usage": "analyse foo [-h] -r <hex>"
84 "command": "analyse freq",
85 "description": "calc wave lengths",
91 "-h, --help This help",
92 "-F, --freq <int> resonating frequency F in hertz (Hz)",
93 "-L, --cap <int> capacitance C in micro farads (F)",
94 "-C, --ind <int> inductance in micro henries (H)"
96 "usage": "analyse freq [-h] [-F <int>] [-L <int>] [-C <int>]"
99 "command": "analyse help",
100 "description": "help This help lcr Generate final byte for XOR LRC crc Stub method for CRC evaluations chksum Checksum with adding, masking and one's complement dates Look for datestamps in a given array of bytes lfsr LFSR tests a num bits test nuid create NUID from 7byte UID demodbuff Load binary string to DemodBuffer freq Calc wave lengths foo muxer units convert ETU <> US <> SSP_CLK (3.39MHz) --------------------------------------------------------------------------------------- analyse lcr available offline: yes Specifying the bytes of a UID with a known LRC will find the last byte value needed to generate that LRC with a rolling XOR. All bytes should be specified in HEX.",
102 "analyse lcr -d 04008064BA -> Target (BA) requires final LRC XOR byte value: 5A"
106 "-h, --help This help",
107 "-d, --data <hex> bytes to calc missing XOR in a LCR"
109 "usage": "analyse lcr [-h] -d <hex>"
112 "command": "analyse lfsr",
113 "description": "looks at LEGIC Prime's lfsr, iterates the first 48 values",
115 "analyse lfsr --iv 55"
119 "-h, --help This help",
120 "--iv <hex> init vector data (1 hex byte)",
121 "--find <hex> lfsr data to find (1 hex byte)"
123 "usage": "analyse lfsr [-h] --iv <hex> [--find <hex>]"
126 "command": "analyse nuid",
127 "description": "Generate 4byte NUID from 7byte UID",
129 "analyse nuid -d 11223344556677"
133 "-h, --help This help",
134 "-d, --data <hex> bytes to send",
135 "-t, --test self test"
137 "usage": "analyse nuid [-ht] [-d <hex>]"
140 "command": "analyse units",
141 "description": "experiments of unit conversions found in HF. ETU (1/13.56mhz), US or SSP_CLK (1/3.39MHz)",
143 "analyse uints --etu 10",
144 "analyse uints --us 100"
148 "-h, --help This help",
149 "--etu <dec> number in ETU",
150 "--us <dec> number in micro seconds (us)",
151 "-t, --selftest self tests"
153 "usage": "analyse units [-ht] [--etu <dec>] [--us <dec>]"
157 "description": "Clear the Proxmark3 client terminal screen",
159 "clear -> clear the terminal screen",
160 "clear -b -> clear the terminal screen and the scrollback buffer"
164 "-h, --help This help",
165 "-b, --back also clear the scrollback buffer"
167 "usage": "clear [-hb]"
169 "data askedgedetect": {
170 "command": "data askedgedetect",
171 "description": "Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave",
173 "data askedgedetect -t 20"
177 "-h, --help This help",
178 "-t, --thres <dec> threshold, use 20 - 45 (def 25)"
180 "usage": "data askedgedetect [-h] [-t <dec>]"
183 "command": "data asn1",
184 "description": "Decode ASN1 bytearray",
186 "data asn1 -d 303381050186922305a5020500a6088101010403030008a7188516eeee4facacf4fbde5e5c49d95e55bfbca74267b02407a9020500"
190 "-h, --help This help",
191 "-d <hex> ASN1 encoded byte array",
192 "-t, --test perform self test"
194 "usage": "data asn1 [-ht] [-d <hex>]"
197 "command": "data atr",
198 "description": "look up ATR record from bytearray",
200 "data atr -d 3B6B00000031C064BE1B0100079000"
204 "-h, --help This help",
205 "-d <hex> ASN1 encoded byte array"
207 "usage": "data atr [-h] [-d <hex>]"
210 "command": "data autocorr",
211 "description": "Autocorrelate over window is used to detect repeating sequences. We use it as detection of how long in bits a message inside the signal is",
213 "data autocorr -w 4000",
214 "data autocorr -w 4000 -g"
218 "-h, --help This help",
219 "-g save back to GraphBuffer (overwrite)",
220 "-w, --win <dec> window length for correlation. def 4000"
222 "usage": "data autocorr [-hg] [-w <dec>]"
224 "data biphaserawdecode": {
225 "command": "data biphaserawdecode",
226 "description": "Biphase decode binary stream in DemodBuffer Converts 10 or 01 -> 1 and 11 or 00 -> 0 - must have binary sequence in DemodBuffer (run `data rawdemod --ar` before) - invert for Conditional Dephase Encoding (CDP) AKA Differential Manchester",
228 "data biphaserawdecode -> decode biphase bitstream from the DemodBuffer",
229 "data biphaserawdecode -oi -> decode biphase bitstream from the DemodBuffer, adjust offset, and invert output"
233 "-h, --help This help",
234 "-o, --offset set to adjust decode start position",
235 "-i, --inv invert output",
236 "--err <dec> set max errors tolerated (def 20)"
238 "usage": "data biphaserawdecode [-hoi] [--err <dec>]"
241 "command": "data bitsamples",
242 "description": "Get raw samples from device as bitstring",
248 "-h, --help This help"
250 "usage": "data bitsamples [-h]"
253 "command": "data bmap",
254 "description": "Breaks down a hex value to binary according a template data bmap -d 16 -m 4,4 This will give two rows each with four bits",
257 "data bmap -d 3B -m 2,5,1"
261 "-h, --help This help",
262 "-d <hex> hex string",
263 "-m <str> binary template"
265 "usage": "data bmap [-h] [-d <hex>] [-m <str>]"
267 "data convertbitstream": {
268 "command": "data convertbitstream",
269 "description": "Convert GraphBuffer's 0|1 values to 127|-127",
271 "data convertbitstream"
275 "-h, --help This help"
277 "usage": "data convertbitstream [-h]"
280 "command": "data crypto",
281 "description": "Encrypt data, right here, right now. Or decrypt.",
283 "Supply data, key, IV (needed for des MAC or aes), and cryptography action.",
284 "To calculate a MAC for FMCOS, supply challenge as IV, data as data, and session/line protection key as key.",
285 "To calculate a MAC for FeliCa, supply first RC as IV, BLE+data as data and session key as key.",
286 "data crypto -d 04D6850E06AABB80 -k FFFFFFFFFFFFFFFF --iv 9EA0401A00000000 --des -> Calculate a MAC for FMCOS chip. The result should be ED3A0133"
290 "-h, --help This help",
291 "-d, --data <hex> Data to process",
292 "-k, --key <hex> Key to use",
293 "-r, --rev Decrypt, not encrypt",
294 "--des Cipher with DES, not AES",
295 "--mac Calculate AES CMAC/FeliCa Lite MAC",
296 "--iv <hex> IV value if needed"
298 "usage": "data crypto [-hr] -d <hex> -k <hex> [--des] [--mac] [--iv <hex>]"
301 "command": "data cthreshold",
302 "description": "Inverse of dirty threshold command, all values between up and down will be average out",
304 "data cthreshold -u 10 -d -10"
308 "-h, --help This help",
309 "-d, --down <dec> threshold down",
310 "-u, --up <dec> threshold up"
312 "usage": "data cthreshold [-h] -d <dec> -u <dec>"
315 "command": "data decimate",
316 "description": "Performs decimation, by reducing samples N times in the grapbuf. Good for PSK",
323 "-h, --help This help",
324 "-n <dec> factor to reduce sample set (default 2)"
326 "usage": "data decimate [-h] [-n <dec>]"
328 "data detectclock": {
329 "command": "data detectclock",
330 "description": "Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer",
332 "data detectclock --ask",
333 "data detectclock --nzr -> detect clock of an nrz/direct wave in GraphBuffer"
337 "-h, --help This help",
338 "--ask specify ASK modulation clock detection",
339 "--fsk specify FSK modulation clock detection",
340 "--nzr specify NZR/DIRECT modulation clock detection",
341 "--psk specify PSK modulation clock detection"
343 "usage": "data detectclock [-h] [--ask] [--fsk] [--nzr] [--psk]"
346 "command": "data diff",
347 "description": "Diff takes a multitude of input data and makes a binary compare. It accepts filenames (filesystem or RDV4 flashmem SPIFFS), emulator memory, magic gen1",
349 "data diff -w 4 -a hf-mfu-01020304.bin -b hf-mfu-04030201.bin",
350 "data diff -a fileA -b fileB",
351 "data diff -a fileA --eb",
352 "data diff --fa fileA -b fileB",
353 "data diff --fa fileA --fb fileB"
357 "-h, --help This help",
358 "-a <fn> input file name A",
359 "-b <fn> input file name B",
360 "--eb emulator memory <hf mf esave>",
361 "--fa <fn> input spiffs file A",
362 "--fb <fn> input spiffs file B",
363 "-w <4|8|16> Width of data output"
365 "usage": "data diff [-h] [-a <fn>] [-b <fn>] [--eb] [--fa <fn>] [--fb <fn>] [-w <4|8|16>]"
367 "data dirthreshold": {
368 "command": "data dirthreshold",
369 "description": "Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.",
371 "data dirthreshold -u 10 -d -10"
375 "-h, --help This help",
376 "-d, --down <dec> threshold down",
377 "-u, --up <dec> threshold up"
379 "usage": "data dirthreshold [-h] -d <dec> -u <dec>"
382 "command": "data envelope",
383 "description": "Create an square envelop of the samples",
389 "-h, --help This help"
391 "usage": "data envelop [-h]"
394 "command": "data fsktonrz",
395 "description": "Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk) Omitted values are autodetect instead",
398 "data fsktonrz -c 32 --low 8 --hi 10"
402 "-h, --help This help",
403 "-c, --clk <dec> clock",
404 "--low <dec> low field clock",
405 "--hi <dec> high field clock"
407 "usage": "data fsktonrz [-h] [-c <dec>] [--low <dec>] [--hi <dec>]"
409 "data getbitstream": {
410 "command": "data getbitstream",
411 "description": "Convert GraphBuffer's value accordingly - larger or equal to ONE becomes ONE - less than ONE becomes ZERO",
417 "-h, --help This help"
419 "usage": "data getbitstream [-h]"
422 "command": "data grid",
423 "description": "This function overlay grid on graph plot window. use zero value to turn off either",
425 "data grid -> turn off",
426 "data grid -x 64 -y 50"
430 "-h, --help This help",
431 "-x <dec> plot grid X coord",
432 "-y <dec> plot grid Y coord"
434 "usage": "data grid [-h] [-x <dec>] [-y <dec>]"
437 "command": "data help",
438 "description": "help This help ----------- ------------------------- General------------------------- clear Clears various buffers used by the graph window hide Hide the graph window load Load contents of file into graph window num Converts dec/hex/bin plot Show the graph window print Print the data in the DemodBuffer save Save signal trace data setdebugmode Set Debugging Level on client side xor Xor a input string ----------- ------------------------- Modulation------------------------- biphaserawdecode Biphase decode bin stream in DemodBuffer detectclock Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer fsktonrz Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk) manrawdecode Manchester decode binary stream in DemodBuffer modulation Identify LF signal for clock and modulation rawdemod Demodulate the data in the GraphBuffer and output binary ----------- ------------------------- Graph------------------------- askedgedetect Adjust Graph for manual ASK demod autocorr Autocorrelation over window convertbitstream Convert GraphBuffer's 0/1 values to 127 / -127 cthreshold Average out all values between dirthreshold Max rising higher up-thres/ Min falling lower down-thres decimate Decimate samples envelope Generate square envelope of samples grid overlay grid on graph window getbitstream Convert GraphBuffer's >=1 values to 1 and <1 to 0 hpf Remove DC offset from trace iir Apply IIR buttersworth filter on plot data ltrim Trim samples from left of trace mtrim Trim out samples from the specified start to the specified stop norm Normalize max/min to +/-128 rtrim Trim samples from right of trace setgraphmarkers Set the markers in the graph window shiftgraphzero Shift 0 for Graphed wave + or - shift value timescale Set cursor display timescale undecimate Un-decimate samples zerocrossings Count time between zero-crossings ----------- ------------------------- Operations------------------------- asn1 ASN1 decoder atr ATR lookup bmap Convert hex value according a binary template crypto Encrypt and decrypt data diff Diff of input files --------------------------------------------------------------------------------------- data clear available offline: yes This function clears the BigBuf on device side and graph window ( graphbuffer )",
444 "-h, --help This help"
446 "usage": "data clear [-h]"
449 "command": "data hexsamples",
450 "description": "Dump big buffer as hex bytes",
452 "data hexsamples -n 128 -> dumps 128 bytes from offset 0"
456 "-h, --help This help",
457 "-b, --breaks <dec> row break, def 16",
458 "-n <dec> num of bytes to download",
459 "-o, --offset <hex> offset in big buffer"
461 "usage": "data hexsamples [-h] [-b <dec>] [-n <dec>] [-o <hex>]"
464 "command": "data hide",
465 "description": "Show graph window",
471 "-h, --help This help"
473 "usage": "data hide [-h]"
476 "command": "data hpf",
477 "description": "Remove DC offset from trace. It should centralize around 0",
483 "-h, --help This help"
485 "usage": "data hpf [-h]"
488 "command": "data iir",
489 "description": "Apply IIR buttersworth filter on plot data",
495 "-h, --help This help",
498 "usage": "data iir [-h] -n <dec>"
501 "command": "data load",
502 "description": "This command loads the contents of a pm3 file into graph window",
504 "data load -f myfilename"
508 "-h, --help This help",
509 "-f, --file <fn> file to load",
510 "-b, --bin binary file",
511 "-n, --no-fix Load data from file without any transformations"
513 "usage": "data load [-hbn] -f <fn>"
516 "command": "data ltrim",
517 "description": "Trim samples from left of trace",
519 "data ltrim -i 300 -> remove from start 0 to index 300"
523 "-h, --help This help",
524 "-i, --idx <dec> index in graph buffer"
526 "usage": "data ltrim [-h] -i <dec>"
528 "data manrawdecode": {
529 "command": "data manrawdecode",
530 "description": "Manchester decode binary stream in DemodBuffer Converts 10 and 01 and converts to 0 and 1 respectively - must have binary sequence in DemodBuffer (run `data rawdemod --ar` before)",
536 "-h, --help This help",
537 "-i, --inv invert output",
538 "--err <dec> set max errors tolerated (def 20)"
540 "usage": "data manrawdecode [-hi] [--err <dec>]"
543 "command": "data modulation",
544 "description": "search LF signal after clock and modulation",
550 "-h, --help This help"
552 "usage": "data modulation [-h]"
555 "command": "data mtrim",
556 "description": "Trim out samples from start 0 to `-s index` AND from `-e index` to end of graph buffer",
558 "data mtrim -s 1000 -e 2000 -> keep all between index 1000 and 2000"
562 "-h, --help This help",
563 "-s, --start <dec> start point",
564 "-e, --end <dec> end point"
566 "usage": "data mtrim [-h] -s <dec> -e <dec>"
569 "command": "data norm",
570 "description": "Normalize max/min to +/-128",
576 "-h, --help This help"
578 "usage": "data norm [-h]"
581 "command": "data num",
582 "description": "Function takes a decimal or hexdecimal number and print it in decimal/hex/binary Will print message if number is a prime number",
584 "data num --dec 2023",
585 "data num --hex 0x1000"
589 "-h, --help This help",
590 "--dec <dec> decimal value",
591 "--hex <hex> hexadecimal value",
592 "--bin <bin> binary value",
593 "-i print inverted value",
594 "-r print reversed value"
596 "usage": "data num [-hir] [--dec <dec>] [--hex <hex>] [--bin <bin>]"
599 "command": "data plot",
600 "description": "Show graph window hit 'h' in window for detail keystroke help available",
606 "-h, --help This help"
608 "usage": "data plot [-h]"
611 "command": "data print",
612 "description": "Print the data in the DemodBuffer as hex or binary. Defaults to binary output",
618 "-h, --help This help",
619 "-i, --inv invert DemodBuffer before printing",
620 "-o, --offset <dec> offset in # of bits",
621 "-s, --strip strip leading zeroes, i.e. set offset to first bit equal to one",
622 "-x, --hex output in hex (omit for binary output)"
624 "usage": "data print [-hisx] [-o <dec>]"
627 "command": "data rawdemod",
628 "description": "Demodulate the data in the GraphBuffer and output binary",
630 "data rawdemod --fs -> demod FSK - autodetect",
631 "data rawdemod --ab -> demod ASK/BIPHASE - autodetect",
632 "data rawdemod --am -> demod ASK/MANCHESTER - autodetect",
633 "data rawdemod --ar -> demod ASK/RAW - autodetect",
634 "data rawdemod --nr -> demod NRZ/DIRECT - autodetect",
635 "data rawdemod --p1 -> demod PSK1 - autodetect",
636 "data rawdemod --p2 -> demod PSK2 - autodetect"
640 "-h, --help This help",
641 "--ab ASK/Biphase demodulation",
642 "--am ASK/Manchester demodulation",
643 "--ar ASK/Raw demodulation",
644 "--fs FSK demodulation",
645 "--nr NRZ/Direct demodulation",
646 "--p1 PSK 1 demodulation",
647 "--p2 PSK 2 demodulation",
648 "<params> params for sub command"
650 "usage": "data rawdemod [-h] [--ab] [--am] [--ar] [--fs] [--nr] [--p1] [--p2] [<params>]..."
653 "command": "data rtrim",
654 "description": "Trim samples from right of trace",
656 "data rtrim -i 4000 -> remove from index 4000 to end of graph buffer"
660 "-h, --help This help",
661 "-i, --idx <dec> index in graph buffer"
663 "usage": "data rtrim [-h] -i <dec>"
666 "command": "data samples",
667 "description": "Get raw samples for graph window (GraphBuffer) from device. If 0, then get whole big buffer from device.",
670 "data samples -n 10000"
674 "-h, --help This help",
675 "-n <dec> num of samples (512 - 40000)",
676 "-v, --verbose verbose output"
678 "usage": "data samples [-hv] [-n <dec>]"
681 "command": "data save",
682 "description": "Save signal trace from graph window , i.e. the GraphBuffer This is a text file with number -127 to 127. With the option `w` you can save it as wave file Filename should be without file extension",
684 "data save -f myfilename -> save graph buffer to file",
685 "data save --wave -f myfilename -> save graph buffer to wave file"
689 "-h, --help This help",
690 "-w, --wave save as wave format (.wav)",
691 "-f, --file <fn w/o ext> save file name"
693 "usage": "data save [-hw] -f <fn w/o ext>"
695 "data setdebugmode": {
696 "command": "data setdebugmode",
697 "description": "Set debugging level on client side",
703 "-h, --help This help",
704 "-0 no debug messages",
706 "-2 verbose debugging"
708 "usage": "data setdebugmode [-h012]"
710 "data setgraphmarkers": {
711 "command": "data setgraphmarkers",
712 "description": "Set the locations of the markers in the graph window",
714 "data setgraphmarkers -> reset the markers",
715 "data setgraphmarkers -a 64 -> set A, reset the rest",
716 "data setgraphmarkers -d --keep -> set D, keep the rest"
720 "-h, --help This help",
721 "--keep keep the current values of the markers",
722 "-a <dec> yellow marker",
723 "-b <dec> purple marker",
724 "-c <dec> orange marker",
725 "-d <dec> blue marker"
727 "usage": "data setgraphmarkers [-h] [--keep] [-a <dec>] [-b <dec>] [-c <dec>] [-d <dec>]"
729 "data shiftgraphzero": {
730 "command": "data shiftgraphzero",
731 "description": "Shift 0 for Graphed wave + or - shift value",
733 "data shiftgraphzero -n 10 -> shift 10 points",
734 "data shiftgraphzero -n -22 -> shift negative 22 points"
738 "-h, --help This help",
739 "-n <dec> shift + or -"
741 "usage": "data shiftgraphzero [-h] -n <dec>"
744 "command": "data test_ss32",
745 "description": "Tests the implementation of Buffer Save States (32-bit buffer)",
751 "-h, --help This help"
753 "usage": "data test_ss32 [-h]"
756 "command": "data test_ss32s",
757 "description": "Tests the implementation of Buffer Save States (32-bit signed buffer)",
763 "-h, --help This help"
765 "usage": "data test_ss32s [-h]"
768 "command": "data test_ss8",
769 "description": "Tests the implementation of Buffer Save States (8-bit buffer)",
775 "-h, --help This help"
777 "usage": "data test_ss8 [-h]"
780 "command": "data timescale",
781 "description": "Set cursor display timescale. Setting the timescale makes the differential `dt` reading between the yellow and purple markers meaningful. once the timescale is set, the differential reading between brackets can become a time duration.",
783 "data timescale --sr 125 -u ms -> for LF sampled at 125 kHz. Reading will be in milliseconds",
784 "data timescale --sr 1.695 -u us -> for HF sampled at 16 * fc/128. Reading will be in microseconds",
785 "data timescale --sr 16 -u ETU -> for HF with 16 samples per ETU (fc/128). Reading will be in ETUs"
789 "-h, --help This help",
790 "--sr <float> sets timescale factor according to sampling rate",
791 "-u, --unit <string> time unit to display (max 10 chars)"
793 "usage": "data timescale [-h] --sr <float> [-u <string>]"
796 "command": "data undecimate",
797 "description": "Performs un-decimation, by repeating each sample N times in the graphbuf",
800 "data undecimate -n 4"
804 "-h, --help This help",
805 "-n <dec> factor to repeat each sample (default 2)"
807 "usage": "data undecimate [-h] [-n <dec>]"
810 "command": "data xor",
811 "description": "takes input string and xor string. Perform xor on it. If no xor string, try the most reoccuring value to xor against",
813 "data xor -d 99aabbcc8888888888",
814 "data xor -d 99aabbcc --xor 88888888"
818 "-h, --help This help",
819 "-d, --data <hex> input hex string",
820 "-x, --xor <str> input xor string"
822 "usage": "data xor [-h] -d <hex> [-x <str>]"
824 "data zerocrossings": {
825 "command": "data zerocrossings",
826 "description": "Count time between zero-crossings",
832 "-h, --help This help"
834 "usage": "data zerocrossings [-h]"
837 "command": "emv challenge",
838 "description": "Executes Generate Challenge command. It returns 4 or 8-byte random number from card. Needs a EMV applet to be selected and GPO to be executed.",
840 "emv challenge -> get challenge",
841 "emv challenge -k -> get challenge, keep filled ON"
845 "-h, --help This help",
846 "-k, --keep Keep field ON for next command",
847 "-a, --apdu Show APDU requests and responses",
848 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)"
850 "usage": "emv challenge [-hkaw]"
853 "command": "emv exec",
854 "description": "Executes EMV contactless transaction",
856 "emv exec -sat -> select card, execute MSD transaction, show APDU and TLV",
857 "emv exec -satc -> select card, execute CDA transaction, show APDU and TLV"
861 "-h, --help This help",
862 "-s, --select Activate field and select card",
863 "-a, --apdu Show APDU requests and responses",
864 "-t, --tlv TLV decode results",
865 "-j, --jload Load transaction parameters from `emv_defparams.json` file",
866 "--force Force search AID. Search AID instead of execute PPSE",
867 "By default: Transaction type - MSD",
868 "-v, --qvsdc Transaction type - qVSDC or M/Chip",
869 "-c, --qvsdccda Transaction type - qVSDC or M/Chip plus CDA (SDAD generation)",
870 "-x, --vsdc Transaction type - VSDC. For test only. Not a standard behavior",
871 "-g, --acgpo VISA. generate AC from GPO",
872 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)"
874 "usage": "emv exec [-hsatjvcxgw] [--force] By default:"
877 "command": "emv genac",
878 "description": "Generate Application Cryptogram command. It returns data in TLV format. Needs a EMV applet to be selected and GPO to be executed.",
880 "emv genac -k 0102 -> generate AC with 2-byte CDOLdata and keep field ON after command",
881 "emv genac -t 01020304 -> generate AC with 4-byte CDOL data, show result in TLV",
882 "emv genac -Daac 01020304 -> generate AC with 4-byte CDOL data and terminal decision 'declined'",
883 "emv genac -pmt 9F 37 04 -> load params from file, make CDOL data from CDOL, generate AC with CDOL, show result in TLV"
887 "-h, --help This help",
888 "-k, --keep Keep field ON for next command",
889 "-c, --cda Executes CDA transaction. Needs to get SDAD in results.",
890 "-d, --decision <aac|tc|arqc> Terminal decision. aac - declined, tc - approved, arqc - online authorisation requested",
891 "-p, --params Load parameters from `emv_defparams.json` file for CDOLdata making from CDOL and parameters",
892 "-m, --make Make CDOLdata from CDOL (tag 8C and 8D) and parameters (def: use default parameters)",
893 "-a, --apdu Show APDU requests and responses",
894 "-t, --tlv TLV decode results of selected applets",
895 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
896 "<hex> CDOLdata/CDOL"
898 "usage": "emv genac [-hkcpmatw] [-d <aac|tc|arqc>] <hex> [<hex>]..."
901 "command": "emv gpo",
902 "description": "Executes Get Processing Options command. It returns data in TLV format (0x77 - format2) or plain format (0x80 - format1). Needs a EMV applet to be selected.",
904 "emv gpo -k -> execute GPO",
905 "emv gpo -t 01020304 -> execute GPO with 4-byte PDOL data, show result in TLV",
906 "emv gpo -pmt 9F 37 04 -> load params from file, make PDOL data from PDOL, execute GPO with PDOL, show result in TLV"
910 "-h, --help This help",
911 "-k, --keep Keep field ON for next command",
912 "-p, --params Load parameters from `emv_defparams.json` file for PDOLdata making from PDOL and parameters",
913 "-m, --make Make PDOLdata from PDOL (tag 9F38) and parameters (def: uses default parameters)",
914 "-a, --apdu Show APDU requests and responses",
915 "-t, --tlv TLV decode results of selected applets",
916 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
917 "<hex> PDOLdata/PDOL"
919 "usage": "emv gpo [-hkpmatw] [<hex>]..."
922 "command": "emv help",
923 "description": "----------- ----------------------- General ----------------------- help This help list List ISO7816 history test Crypto logic selftest --------------------------------------------------------------------------------------- emv list available offline: yes Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
925 "emv list --frame -> show frame delay times",
926 "emv list -1 -> use trace buffer"
930 "-h, --help This help",
931 "-1, --buffer use data from trace buffer",
932 "--frame show frame delay times",
934 "-r show relative times (gap and duration)",
935 "-u display times in microseconds instead of clock cycles",
936 "-x show hexdump to convert to pcap(ng)",
937 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
938 "-f, --file <fn> filename of dictionary"
940 "usage": "emv list [-h1crux] [--frame] [-f <fn>]"
943 "command": "emv intauth",
944 "description": "Generate Internal Authenticate command. Usually needs 4-byte random number. It returns data in TLV format . Needs a EMV applet to be selected and GPO to be executed.",
946 "emv intauth -k 01020304 -> execute Internal Authenticate with 4-byte DDOLdata and keep field ON after command",
947 "emv intauth -t 01020304 -> execute Internal Authenticate with 4-byte DDOL data, show result in TLV",
948 "emv intauth -pmt 9F 37 04 -> load params from file, make DDOL data from DDOL, Internal Authenticate with DDOL, show result in TLV"
952 "-h, --help This help",
953 "-k, --keep Keep field ON for next command",
954 "-p, --params Load parameters from `emv_defparams.json` file for DDOLdata making from DDOL and parameters",
955 "-m, --make Make DDOLdata from DDOL (tag 9F49) and parameters (def: use default parameters)",
956 "-a, --apdu Show APDU requests and responses",
957 "-t, --tlv TLV decode results of selected applets",
958 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
959 "<hex> DDOLdata/DDOL"
961 "usage": "emv intauth [-hkpmatw] <hex> [<hex>]..."
964 "command": "emv pse",
965 "description": "Executes PSE/PPSE select command. It returns list of applet on the card:",
967 "emv pse -s1 -> select, get pse",
968 "emv pse -st2 -> select, get ppse, show result in TLV"
972 "-h, --help This help",
973 "-s, --select Activate field and select card",
974 "-k, --keep Keep field ON for next command",
975 "-1, --pse PSE (1PAY.SYS.DDF01) mode",
976 "-2, --ppse PPSE (2PAY.SYS.DDF01) mode (def)",
977 "-a, --apdu Show APDU requests and responses",
978 "-t, --tlv TLV decode results of selected applets",
979 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)"
981 "usage": "emv pse [-hsk12atw]"
984 "command": "emv reader",
985 "description": "Act as a EMV reader to identify tag. Look for EMV tags until Enter or the pm3 button is pressed In `verbose` mode it will also try to extract and decode the transaction logs stored on card in either channel.",
989 "emv reader -@ -> Continuous mode"
993 "-h, --help This help",
994 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
995 "-v, --verbose Verbose output",
996 "-@ continuous reader mode"
998 "usage": "emv reader [-hwv@]"
1001 "command": "emv readrec",
1002 "description": "Executes Read Record command. It returns data in TLV format. Needs a bank applet to be selected and sometimes needs GPO to be executed.",
1004 "emv readrec -k 0101 -> read file SFI=01, SFIrec=01",
1005 "emv readrec -kt 0201 -> read file 0201 and show result in TLV"
1009 "-h, --help This help",
1010 "-k, --keep Keep field ON for next command",
1011 "-a, --apdu Show APDU requests and responses",
1012 "-t, --tlv TLV decode results of selected applets",
1013 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
1014 "<hex> <SFI 1 byte><SFIrecord 1 byte"
1016 "usage": "emv readrec [-hkatw] <hex> [<hex>]..."
1019 "command": "emv roca",
1020 "description": "Tries to extract public keys and run the ROCA test against them.",
1022 "emv roca -w -> select --CONTACT-- card and run test",
1023 "emv roca -> select --CONTACTLESS-- card and run test"
1027 "-h, --help This help",
1028 "-t, --selftest Self test",
1029 "-a, --apdu Show APDU requests and responses",
1030 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)"
1032 "usage": "emv roca [-htaw]"
1035 "command": "emv scan",
1036 "description": "Scan EMV card and save it contents to a file. It executes EMV contactless transaction and saves result to a file which can be used for emulation",
1038 "emv scan -at -> scan MSD transaction mode and show APDU and TLV",
1039 "emv scan -c -> scan CDA transaction mode"
1043 "-h, --help This help",
1044 "-a, --apdu Show APDU requests and responses",
1045 "-t, --tlv TLV decode results",
1046 "-e, --extract Extract TLV elements and fill Application Data",
1047 "-j, --jload Load transaction parameters from `emv_defparams.json` file",
1048 "By default: Transaction type - MSD",
1049 "-v, --qvsdc Transaction type - qVSDC or M/Chip",
1050 "-c, --qvsdccda Transaction type - qVSDC or M/Chip plus CDA (SDAD generation)",
1051 "-x, --vsdc Transaction type - VSDC. For test only. Not a standard behavior",
1052 "-g, --acgpo VISA. generate AC from GPO",
1053 "-m, --merge Merge output file with card's data. (warning: the file may be corrupted!)",
1054 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
1055 "<fn> JSON output file name"
1057 "usage": "emv scan [-hatejvcxgmw] By default: <fn>"
1060 "command": "emv search",
1061 "description": "Tries to select all applets from applet list",
1063 "emv search -s -> select card and search",
1064 "emv search -st -> select card, search and show result in TLV"
1068 "-h, --help This help",
1069 "-s, --select Activate field and select card",
1070 "-k, --keep Keep field ON for next command",
1071 "-a, --apdu Show APDU requests and responses",
1072 "-t, --tlv TLV decode results of selected applets",
1073 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)"
1075 "usage": "emv search [-hskatw]"
1078 "command": "emv select",
1079 "description": "Executes select applet command",
1081 "emv select -s a00000000101 -> select card, select applet",
1082 "emv select -st a00000000101 -> select card, select applet, show result in TLV"
1086 "-h, --help This help",
1087 "-s, --select Activate field and select card",
1088 "-k, --keep Keep field for next command",
1089 "-a, --apdu Show APDU requests and responses",
1090 "-t, --tlv TLV decode results",
1091 "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
1094 "usage": "emv select [-hskatw] <hex>"
1097 "command": "emv test",
1098 "description": "Executes tests",
1105 "-h, --help This help",
1106 "-i, --ignore Ignore timing tests for VM",
1107 "-l, --long Run long tests too"
1109 "usage": "emv test [-hil]"
1113 "description": "Quit the Proxmark3 client terminal",
1119 "-h, --help This help"
1121 "usage": "quit [-h]"
1125 "description": "help Use `<command> help` for details of a command prefs { Edit client/device preferences... } -------- ----------------------- Technology ----------------------- analyse { Analyse utils... } data { Plot window / data buffer manipulation... } emv { EMV ISO-14443 / ISO-7816... } hf { High frequency commands... } hw { Hardware commands... } lf { Low frequency commands... } nfc { NFC commands... } piv { PIV commands... } reveng { CRC calculations from RevEng software... } smart { Smart card ISO-7816 commands... } script { Scripting commands... } trace { Trace manipulation... } wiegand { Wiegand format manipulation... } -------- ----------------------- General ----------------------- clear Clear screen hints Turn hints on / off msleep Add a pause in milliseconds rem Add a text line in log file quit exit Exit program --------------------------------------------------------------------------------------- auto available offline: no Run LF SEARCH / HF SEARCH / DATA PLOT / DATA SAVE",
1131 "-h, --help This help",
1132 "-c Continue searching even after a first hit"
1134 "usage": "auto [-hc]"
1136 "hf 14a antifuzz": {
1137 "command": "hf 14a antifuzz",
1138 "description": "Tries to fuzz the ISO14443a anticollision phase",
1140 "hf 14a antifuzz -4"
1144 "-h, --help This help",
1149 "usage": "hf 14a antifuzz [-h47] [--10]"
1152 "command": "hf 14a apdu",
1153 "description": "Sends an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol (T=CL). Works with all APDU types from ISO 7816-4:2013 note: `-m` and `-d` goes hand in hand -m <CLA INS P1 P2> -d 325041592E5359532E4444463031 OR use `-d` with complete APDU data -d 00A404000E325041592E5359532E444446303100",
1155 "hf 14a apdu -st -d 00A404000E325041592E5359532E444446303100",
1156 "hf 14a apdu -sd -d 00A404000E325041592E5359532E444446303100 -> decode apdu",
1157 "hf 14a apdu -sm 00A40400 -d 325041592E5359532E4444463031 -l 256 -> encode standard apdu",
1158 "hf 14a apdu -sm 00A40400 -d 325041592E5359532E4444463031 -el 65536 -> encode extended apdu"
1162 "-h, --help This help",
1163 "-s, --select activate field and select card",
1164 "-k, --keep keep signal field ON after receive",
1165 "-t, --tlv decode TLV",
1166 "--decode decode APDU request",
1167 "-m, --make <hex> APDU header, 4 bytes <CLA INS P1 P2>",
1168 "-e, --extended make extended length apdu if `m` parameter included",
1169 "-l, --le <dec> Le APDU parameter if `m` parameter included",
1170 "-d, --data <hex> full APDU package or data if `m` parameter included"
1172 "usage": "hf 14a apdu [-hskte] [--decode] [-m <hex>] [-l <dec>] -d <hex> [-d <hex>]..."
1174 "hf 14a apdufind": {
1175 "command": "hf 14a apdufind",
1176 "description": "Enumerate APDU's of ISO7816 protocol to find valid CLS/INS/P1/P2 commands. It loops all 256 possible values for each byte. The loop oder is INS -> P1/P2 (alternating) -> CLA. Tag must be on antenna before running.",
1179 "hf 14a apdufind --cla 80",
1180 "hf 14a apdufind --cla 80 --error-limit 20 --skip-ins a4 --skip-ins b0 --with-le"
1184 "-h, --help This help",
1185 "-c, --cla <hex> Start value of CLASS (1 hex byte)",
1186 "-i, --ins <hex> Start value of INSTRUCTION (1 hex byte)",
1187 "--p1 <hex> Start value of P1 (1 hex byte)",
1188 "--p2 <hex> Start value of P2 (1 hex byte)",
1189 "-r, --reset <number> Minimum secondes before resetting the tag (to prevent timeout issues). Default is 5 minutes",
1190 "-e, --error-limit <number> Maximum times an status word other than 0x9000 or 0x6D00 is shown. Default is 512.",
1191 "-s, --skip-ins <hex> Do not test an instruction (can be specified multiple times)",
1192 "-l, --with-le Search for APDUs with Le=0 (case 2S) as well",
1193 "-v, --verbose Verbose output"
1195 "usage": "hf 14a apdufind [-hlv] [-c <hex>] [-i <hex>] [--p1 <hex>] [--p2 <hex>] [-r <number>] [-e <number>] [-s <hex>]..."
1197 "hf 14a chaining": {
1198 "command": "hf 14a chaining",
1199 "description": "Enable/Disable ISO14443a input chaining. Maximum input length goes from ATS.",
1201 "hf 14a chaining -> show chaining enable/disable state",
1202 "hf 14a chaining --off -> disable chaining"
1206 "-h, --help This help",
1207 "-1, --on enabled chaining",
1208 "-0, --off disable chaining"
1210 "usage": "hf 14a chaining [-h10]"
1213 "command": "hf 14a cuids",
1214 "description": "Collect n>0 ISO14443-a UIDs in one go",
1216 "hf 14a cuids -n 5 -> Collect 5 UIDs"
1220 "-h, --help This help",
1221 "-n, --num <dec> Number of UIDs to collect"
1223 "usage": "hf 14a cuids [-h] [-n <dec>]"
1226 "command": "hf 14a help",
1227 "description": "----------- ----------------------- General ----------------------- help This help list List ISO 14443-a history --------------------------------------------------------------------------------------- hf 14a list available offline: yes Alias of `trace list -t 14a -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
1229 "hf 14a list --frame -> show frame delay times",
1230 "hf 14a list -1 -> use trace buffer"
1234 "-h, --help This help",
1235 "-1, --buffer use data from trace buffer",
1236 "--frame show frame delay times",
1237 "-c mark CRC bytes",
1238 "-r show relative times (gap and duration)",
1239 "-u display times in microseconds instead of clock cycles",
1240 "-x show hexdump to convert to pcap(ng)",
1241 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
1242 "-f, --file <fn> filename of dictionary"
1244 "usage": "hf 14a list [-h1crux] [--frame] [-f <fn>]"
1247 "command": "hf 14a info",
1248 "description": "This command makes more extensive tests against a ISO14443a tag in order to collect information",
1250 "hf 14a info -nsv -> shows full information about the card"
1254 "-h, --help This help",
1255 "-v, --verbose verbose output",
1256 "-n, --nacktest test for nack bug",
1257 "-s, --aidsearch checks if AIDs from aidlist.json is present on the card and prints information about found AIDs"
1259 "usage": "hf 14a info [-hvns]"
1261 "hf 14a ndefformat": {
1262 "command": "hf 14a ndefformat",
1263 "description": "Format ISO14443-a Tag as a NFC tag with Data Exchange Format (NDEF)",
1269 "-h, --help This help",
1270 "-v, --verbose verbose output"
1272 "usage": "hf 14a ndefformat [-hv]"
1274 "hf 14a ndefread": {
1275 "command": "hf 14a ndefread",
1276 "description": "Read NFC Data Exchange Format (NDEF) file on Type 4 NDEF tag",
1279 "hf 14a ndefread -f myfilename -> save raw NDEF to file"
1283 "-h, --help This help",
1284 "-f, --file <fn> save raw NDEF to file",
1285 "-v, --verbose verbose output"
1287 "usage": "hf 14a ndefread [-hv] [-f <fn>]"
1289 "hf 14a ndefwrite": {
1290 "command": "hf 14a ndefwrite",
1291 "description": "Write raw NDEF hex bytes to tag. This commands assumes tag already been NFC/NDEF formatted.",
1293 "hf 14a ndefwrite -d 0300FE -> write empty record to tag",
1294 "hf 14a ndefwrite -f myfilename",
1295 "hf 14a ndefwrite -d 003fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031"
1299 "-h, --help This help",
1300 "-d <hex> raw NDEF hex bytes",
1301 "-f, --file <fn> write raw NDEF file to tag",
1302 "-p fix NDEF record headers / terminator block if missing",
1303 "-v, --verbose verbose output"
1305 "usage": "hf 14a ndefwrite [-hpv] [-d <hex>] [-f <fn>]"
1308 "command": "hf 14a raw",
1309 "description": "Sends raw bytes over ISO14443a. With option to use TOPAZ 14a mode.",
1311 "hf 14a raw -sc 3000 -> select, crc, where 3000 == 'read block 00'",
1312 "hf 14a raw -ak -b 7 40 -> send 7 bit byte 0x40",
1313 "hf 14a raw --ecp -s -> send ECP before select"
1317 "-h, --help This help",
1318 "-a Active signal field ON without select",
1319 "-c Calculate and append CRC",
1320 "-k Keep signal field ON after receive",
1321 "-3 ISO14443-3 select only (skip RATS)",
1322 "-r Do not read response",
1323 "-s Active signal field ON with select",
1324 "-t, --timeout <ms> Timeout in milliseconds",
1325 "-b <dec> Number of bits to send. Useful for send partial byte",
1326 "-v, --verbose Verbose output",
1327 "--ecp Use enhanced contactless polling",
1328 "--mag Use Apple magsafe polling",
1329 "--topaz Use Topaz protocol to send command",
1330 "<hex> Raw bytes to send"
1332 "usage": "hf 14a raw [-hack3rsv] [-t <ms>] [-b <dec>] [--ecp] [--mag] [--topaz] <hex> [<hex>]..."
1335 "command": "hf 14a reader",
1336 "description": "Act as a ISO-14443a reader to identify tag. Look for ISO-14443a tags until Enter or the pm3 button is pressed",
1339 "hf 14a reader -@ -> Continuous mode",
1340 "hf 14a reader --ecp -> trigger apple enhanced contactless polling",
1341 "hf 14a reader --mag -> trigger apple magsafe polling"
1345 "-h, --help This help",
1346 "-k, --keep keep the field active after command executed",
1347 "-s, --silent silent (no messages)",
1348 "--drop just drop the signal field",
1349 "--skip ISO14443-3 select only (skip RATS)",
1350 "--ecp Use enhanced contactless polling",
1351 "--mag Use Apple magsafe polling",
1352 "-@ continuous reader mode"
1354 "usage": "hf 14a reader [-hks@] [--drop] [--skip] [--ecp] [--mag]"
1357 "command": "hf 14a sim",
1358 "description": "Simulate ISO/IEC 14443 type A tag with 4,7 or 10 byte UID Use type 7 for Mifare Ultralight EV1, Amiibo (NTAG215 pack 0x8080)",
1360 "hf 14a sim -t 1 --uid 11223344 -> MIFARE Classic 1k",
1361 "hf 14a sim -t 2 -> MIFARE Ultralight",
1362 "hf 14a sim -t 3 -> MIFARE Desfire",
1363 "hf 14a sim -t 4 -> ISO/IEC 14443-4",
1364 "hf 14a sim -t 5 -> MIFARE Tnp3xxx",
1365 "hf 14a sim -t 6 -> MIFARE Mini",
1366 "hf 14a sim -t 7 -> MFU EV1 / NTAG 215 Amiibo",
1367 "hf 14a sim -t 8 -> MIFARE Classic 4k",
1368 "hf 14a sim -t 9 -> FM11RF005SH Shanghai Metro",
1369 "hf 14a sim -t 10 -> ST25TA IKEA Rothult",
1370 "hf 14a sim -t 11 -> Javacard (JCOP)",
1371 "hf 14a sim -t 12 -> 4K Seos card"
1375 "-h, --help This help",
1376 "-t, --type <1-12> Simulation type to use",
1377 "-u, --uid <hex> <4|7|10> hex bytes UID",
1378 "-n, --num <dec> Exit simulation after <numreads> blocks have been read by reader. 0 = infinite",
1379 "-x Performs the 'reader attack', nr/ar attack against a reader",
1380 "--sk Fill simulator keys from found keys",
1381 "-v, --verbose verbose output"
1383 "usage": "hf 14a sim [-hxv] -t <1-12> [-u <hex>] [-n <dec>] [--sk]"
1386 "command": "hf 14a sniff",
1387 "description": "Sniff the communication between Hitag reader and tag. Use `hf 14a list` to view collected data.",
1389 "hf 14a sniff -c -r"
1393 "-h, --help This help",
1394 "-c, --card triggered by first data from card",
1395 "-r, --reader triggered by first 7-bit request from reader (REQ, WUP)",
1396 "-i, --interactive Console will not be returned until sniff finishes or is aborted"
1398 "usage": "hf 14a sniff [-hcri]"
1401 "command": "hf 14b apdu",
1402 "description": "Sends an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol (T=CL). works with all apdu types from ISO 7816-4:2013",
1404 "hf 14b apdu -s -d 94a40800043f000002",
1405 "hf 14b apdu -s --decode -d 00A404000E325041592E5359532E444446303100 -> decode apdu",
1406 "hf 14b apdu -sm 00A40400 -l 256 -d 325041592E5359532E4444463031 -> encode standard apdu",
1407 "hf 14b apdu -sm 00A40400 -el 65536 -d 325041592E5359532E4444463031 -> encode extended apdu"
1411 "-h, --help This help",
1412 "-s, --select activate field and select card",
1413 "-k, --keep leave the signal field ON after receive response",
1414 "-t, --tlv executes TLV decoder if it possible",
1415 "--decode decode apdu request if it possible",
1416 "-m, --make <hex> make apdu with head from this field and data from data field.",
1417 "must be 4 bytes: <CLA INS P1 P2>",
1418 "-e, --extended make extended length apdu if `m` parameter included",
1419 "-l, --le <int> Le apdu parameter if `m` parameter included",
1420 "-d, --data <hex> <APDU | data> if `m` parameter included",
1421 "--timeout <dec> timeout in ms"
1423 "usage": "hf 14b apdu [-hskte] [--decode] [-m <hex>] [-l <int>] -d <hex> [--timeout <dec>]"
1426 "command": "hf 14b calypso",
1427 "description": "Reads out the contents of a ISO14443B Calypso card",
1433 "-h, --help This help"
1435 "usage": "hf 14b calypso [-h]"
1438 "command": "hf 14b dump",
1439 "description": "This command dumps the contents of a ISO-14443-B tag and save it to file Tries to autodetect cardtype, memory size defaults to SRI4K",
1442 "hf 14b dump -f myfilename"
1446 "-h, --help This help",
1447 "-f, --file <fn> (optional) filename, if no <name> UID will be used as filename",
1448 "--ns no save to file",
1449 "-z, --dense dense dump output style"
1451 "usage": "hf 14b dump [-hz] [-f <fn>] [--ns]"
1454 "command": "hf 14b help",
1455 "description": "--------- ----------------------- General ----------------------- help This help list List ISO-14443-B history --------- ----------------------- Operations ----------------------- view Display content from tag dump file valid SRIX4 checksum test --------- ------------------ Calypso / Mobib ------------------ --------------------------------------------------------------------------------------- hf 14b list available offline: yes Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
1457 "hf 14b list --frame -> show frame delay times",
1458 "hf 14b list -1 -> use trace buffer"
1462 "-h, --help This help",
1463 "-1, --buffer use data from trace buffer",
1464 "--frame show frame delay times",
1465 "-c mark CRC bytes",
1466 "-r show relative times (gap and duration)",
1467 "-u display times in microseconds instead of clock cycles",
1468 "-x show hexdump to convert to pcap(ng)",
1469 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
1470 "-f, --file <fn> filename of dictionary"
1472 "usage": "hf 14b list [-h1crux] [--frame] [-f <fn>]"
1475 "command": "hf 14b info",
1476 "description": "Tag information for ISO/IEC 14443 type B based tags",
1482 "-h, --help This help",
1483 "-s, --aidsearch checks if AIDs from aidlist.json is present on the card and prints information about found AIDs",
1484 "-v, --verbose verbose output"
1486 "usage": "hf 14b info [-hsv]"
1489 "command": "hf 14b mobib",
1490 "description": "Reads out the contents of a ISO14443B Mobib card",
1496 "-h, --help This help"
1498 "usage": "hf 14b mobib [-h]"
1500 "hf 14b ndefread": {
1501 "command": "hf 14b ndefread",
1502 "description": "Print NFC Data Exchange Format (NDEF)",
1505 "hf 14b ndefread -f myfilename -> save raw NDEF to file"
1509 "-h, --help This help",
1510 "-f, --file <fn> Save raw NDEF to file",
1511 "-v, --verbose Verbose output"
1513 "usage": "hf 14b ndefread [-hv] [-f <fn>]"
1516 "command": "hf 14b raw",
1517 "description": "Sends raw bytes to card. Activates field by default",
1519 "hf 14b raw -cks --data 0200a40400 -> standard select, apdu 0200a4000 (7816)",
1520 "hf 14b raw -ck --sr --data 0200a40400 -> SRx select",
1521 "hf 14b raw -ck --cts --data 0200a40400 -> C-ticket select"
1525 "-h, --help This help",
1526 "-a active signal field ON without select",
1527 "-c, --crc calculate and append CRC",
1528 "-k, --keep leave the signal field ON after receive response",
1529 "-d, --data <hex> data, bytes to send",
1530 "-r do not read response from card",
1531 "-t, --timeout <dec> timeout in ms",
1532 "-s, --std use ISO14B select",
1533 "--sr use SRx ST select",
1534 "--cts use ASK C-ticket select",
1535 "--xrx use Fuji/Xerox select",
1536 "--pico use Picopass select",
1537 "-v, --verbose verbose output"
1539 "usage": "hf 14b raw [-hackrsv] [-d <hex>] [-t <dec>] [--sr] [--cts] [--xrx] [--pico]"
1542 "command": "hf 14b rdbl",
1543 "description": "Read SRI512 | SRIX4K block",
1549 "-h, --help This help",
1550 "-b, --block <dec> block number"
1552 "usage": "hf 14b rdbl [-h] [-b <dec>]"
1555 "command": "hf 14b reader",
1556 "description": "Act as a 14443B reader to identify a tag",
1559 "hf 14b reader -@ -> continuous reader mode"
1563 "-h, --help This help",
1564 "--plot show anticollision signal trace in plot window",
1565 "-v, --verbose verbose output",
1566 "-@ optional - continuous reader mode"
1568 "usage": "hf 14b reader [-hv@] [--plot]"
1571 "command": "hf 14b restore",
1572 "description": "Restore data from (bin/eml/json) dump file to tag If the dump file includes the special block at the end it will be ignored",
1574 "hf 14b restore --4k -f myfilename",
1575 "hf 14b restore --512 -f myfilename"
1579 "-h, --help This help",
1580 "-f, --file <fn> (optional) filename, if no <name> UID will be used as filename",
1581 "--512 target SRI 512 tag",
1582 "--4k target SRIX 4k tag (def)"
1584 "usage": "hf 14b restore [-h] [-f <fn>] [--512] [--4k]"
1587 "command": "hf 14b sim",
1588 "description": "Simulate a ISO/IEC 14443 type B tag with 4 byte UID / PUPI",
1590 "hf 14b sim -u 11AA33BB"
1594 "-h, --help This help",
1595 "-u, --uid hex 4byte UID/PUPI"
1597 "usage": "hf 14b sim [-h] -u hex"
1600 "command": "hf 14b sniff",
1601 "description": "Sniff the communication between reader and tag. Use `hf 14b list` to view collected data.",
1607 "-h, --help This help"
1609 "usage": "hf 14b sniff [-h]"
1612 "command": "hf 14b valid",
1613 "description": "SRIX checksum test",
1619 "-h, --help This help"
1621 "usage": "hf 14b valid [-h]"
1624 "command": "hf 14b view",
1625 "description": "Print a ISO14443-B dump file (bin/eml/json) note: - command expects the filename to contain a UID which is needed to determine card memory type",
1627 "hf 14b view -f hf-14b-01020304-dump.bin"
1631 "-h, --help This help",
1632 "-f, --file <fn> Specify a filename for dump file",
1633 "-v, --verbose verbose output",
1634 "-z, --dense dense dump output style"
1636 "usage": "hf 14b view [-hvz] -f <fn>"
1639 "command": "hf 14b wrbl",
1640 "description": "Write data to a SRI512 or SRIX4K block If writing to a block out-of-range, use `--force` to override checks Special block at end denots OTP and lock bits among others",
1642 "hf 14b wrbl --4k -b 100 -d 11223344",
1643 "hf 14b wrbl --4k --sb -d 11223344 -> special block write",
1644 "hf 14b wrbl --512 -b 15 -d 11223344",
1645 "hf 14b wrbl --512 --sb -d 11223344 -> special block write"
1649 "-h, --help This help",
1650 "-b, --block <dec> block number",
1651 "-d, --data <hex> 4 hex bytes",
1652 "--512 target SRI 512 tag",
1653 "--4k target SRIX 4k tag (def)",
1654 "--sb special block write at end of memory (0xFF)",
1655 "--force overrides block range checks"
1657 "usage": "hf 14b wrbl [-h] [-b <dec>] -d <hex> [--512] [--4k] [--sb] [--force]"
1660 "command": "hf 15 csetuid",
1661 "description": "Set UID for magic Chinese card (only works with such cards)",
1663 "hf 15 csetuid -u E011223344556677 -> use gen1 command",
1664 "hf 15 csetuid -u E011223344556677 --v2 -> use gen2 command"
1668 "-h, --help This help",
1669 "-u, --uid <hex> UID, 8 hex bytes",
1670 "-2, --v2 Use gen2 magic command"
1672 "usage": "hf 15 csetuid [-h2] -u <hex>"
1675 "command": "hf 15 demod",
1676 "description": "Tries to demodulate / decode ISO-15693, from downloaded samples. Gather samples with 'hf 15 samples' / 'hf 15 sniff'",
1682 "-h, --help This help"
1684 "usage": "hf 15 demod [-h]"
1687 "command": "hf 15 dump",
1688 "description": "This command dumps the contents of a ISO-15693 tag and save to file (bin/json)",
1692 "hf 15 dump -u E011223344556677 -f hf-15-my-dump.bin"
1696 "-h, --help This help",
1697 "-u, --uid <hex> full UID (8 hex bytes)",
1698 "--ua unaddressed mode",
1700 "-2 use slower '1 out of 256' mode",
1701 "-o, --opt set OPTION Flag (needed for TI)",
1702 "-f, --file <fn> Specify a filename for dump file",
1703 "--bs <dec> block size (def 4)",
1704 "--ns no save to file",
1705 "-v, --verbose verbose output",
1706 "-z, --dense dense dump output style"
1708 "usage": "hf 15 dump [-h*2ovz] [-u <hex>] [--ua] [-f <fn>] [--bs <dec>] [--ns]"
1711 "command": "hf 15 eload",
1712 "description": "Load memory dump from file to be used with 'hf 15 sim'",
1714 "hf 15 eload -f hf-15-01020304.bin"
1718 "-h, --help This help",
1719 "-f, --file <fn> filename of dump"
1721 "usage": "hf 15 eload [-h] -f <fn>"
1724 "command": "hf 15 esave",
1725 "description": "Save emulator memory into two files (bin/json)",
1727 "hf 15 esave -f hf-15-01020304"
1731 "-h, --help This help",
1732 "-f, --file <fn> Specify a filename for dump file"
1734 "usage": "hf 15 esave [-h] -f <fn>"
1737 "command": "hf 15 eview",
1738 "description": "It displays emulator memory",
1745 "-h, --help This help",
1746 "-z, --dense dense dump output style"
1748 "usage": "hf 15 eview [-hz]"
1751 "command": "hf 15 findafi",
1752 "description": "This command attempts to brute force AFI of an ISO-15693 tag Estimated execution time is around 2 minutes",
1758 "-h, --help This help",
1759 "-2 use slower '1 out of 256' mode"
1761 "usage": "hf 15 findafi [-h2]"
1764 "command": "hf 15 help",
1765 "description": "----------- ----------------------- General ----------------------- help This help list List ISO-15693 history ----------- ----------------------- Operations ----------------------- demod Demodulate ISO-15693 from tag view Display content from tag dump file --------------------------------------------------------------------------------------- hf 15 list available offline: yes Alias of `trace list -t 15 -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
1767 "hf 15 list --frame -> show frame delay times",
1768 "hf 15 list -1 -> use trace buffer"
1772 "-h, --help This help",
1773 "-1, --buffer use data from trace buffer",
1774 "--frame show frame delay times",
1775 "-c mark CRC bytes",
1776 "-r show relative times (gap and duration)",
1777 "-u display times in microseconds instead of clock cycles",
1778 "-x show hexdump to convert to pcap(ng)",
1779 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
1780 "-f, --file <fn> filename of dictionary"
1782 "usage": "hf 15 list [-h1crux] [--frame] [-f <fn>]"
1785 "command": "hf 15 info",
1786 "description": "Uses the optional command `get_systeminfo` 0x2B to try and extract information",
1790 "hf 15 info -u E011223344556677"
1794 "-h, --help This help",
1795 "-u, --uid <hex> full UID (8 hex bytes)",
1796 "--ua unaddressed mode",
1798 "-2 use slower '1 out of 256' mode",
1799 "-o, --opt set OPTION Flag (needed for TI)"
1801 "usage": "hf 15 info [-h*2o] [-u <hex>] [--ua]"
1803 "hf 15 passprotectafi": {
1804 "command": "hf 15 passprotectafi",
1805 "description": "This command enables the password protect of AFI. *** OBS! This action can not be undone! ***",
1807 "hf 15 passprotectafi -p 00000000 --force"
1811 "-h, --help This help",
1812 "-p, --pwd <hex> EAS/AFI password, 4 hex bytes",
1813 "--force Force execution of command (irreversible)"
1815 "usage": "hf 15 passprotectafi [-h] -p <hex> [--force]"
1817 "hf 15 passprotecteas": {
1818 "command": "hf 15 passprotecteas",
1819 "description": "This command enables the password protect of EAS. *** OBS! This action can not be undone! ***",
1821 "hf 15 passprotecteas -p 00000000 --force"
1825 "-h, --help This help",
1826 "-p, --pwd <hex> EAS/AFI password, 4 hex bytes",
1827 "--force Force execution of command (irreversible)"
1829 "usage": "hf 15 passprotecteas [-h] -p <hex> [--force]"
1832 "command": "hf 15 raw",
1833 "description": "Sends raw bytes over ISO-15693 to card",
1835 "hf 15 raw -ac -d 260100 -> activate, add crc",
1836 "hf 15 raw -akrc -d 260100 -> activate, add crc, keep field on, skip response"
1840 "-h, --help This help",
1841 "-a activate field",
1842 "-c, --crc calculate and append CRC",
1843 "-k keep signal field ON after receive",
1844 "-2 use slower '1 out of 256' mode",
1845 "-r do not read response",
1846 "-d, --data <hex> raw bytes to send",
1847 "-w, --wait wait longer for response. For writes etc."
1849 "usage": "hf 15 raw [-hack2rw] -d <hex>"
1852 "command": "hf 15 rdbl",
1853 "description": "Read page on ISO-15693 tag",
1855 "hf 15 rdbl -* -b 12",
1856 "hf 15 rdbl -u E011223344556677 -b 12"
1860 "-h, --help This help",
1861 "-u, --uid <hex> full UID (8 hex bytes)",
1862 "--ua unaddressed mode",
1864 "-2 use slower '1 out of 256' mode",
1865 "-o, --opt set OPTION Flag (needed for TI)",
1866 "-b, --blk <dec> page number (0-255)",
1867 "--bs <dec> block size (def 4)",
1868 "-v, --verbose verbose output"
1870 "usage": "hf 15 rdbl [-h*2ov] [-u <hex>] [--ua] -b <dec> [--bs <dec>]"
1873 "command": "hf 15 rdmulti",
1874 "description": "Read multiple pages on a ISO-15693 tag",
1876 "hf 15 rdmulti -* -b 1 --cnt 6 -> read 6 blocks",
1877 "hf 15 rdmulti -u E011223344556677 -b 12 --cnt 3 -> read three blocks"
1881 "-h, --help This help",
1882 "-u, --uid <hex> full UID (8 hex bytes)",
1883 "--ua unaddressed mode",
1885 "-2 use slower '1 out of 256' mode",
1886 "-o, --opt set OPTION Flag (needed for TI)",
1887 "-b <dec> first page number (0-255)",
1888 "--cnt <dec> number of pages (1-6)",
1889 "--bs <dec> block size (def 4)",
1890 "-v, --verbose verbose output"
1892 "usage": "hf 15 rdmulti [-h*2ov] [-u <hex>] [--ua] -b <dec> --cnt <dec> [--bs <dec>]"
1895 "command": "hf 15 reader",
1896 "description": "Act as a ISO-15693 reader. Look for ISO-15693 tags until Enter or the pm3 button is pressed",
1899 "hf 15 reader -@ -> Continuous mode"
1903 "-h, --help This help",
1904 "-@ continuous reader mode"
1906 "usage": "hf 15 reader [-h@]"
1909 "command": "hf 15 restore",
1910 "description": "This command restore the contents of a dump file (bin/eml/json) onto a ISO-15693 tag",
1914 "hf 15 restore -u E011223344556677 -f hf-15-my-dump.bin"
1918 "-h, --help This help",
1919 "-u, --uid <hex> full UID (8 hex bytes)",
1920 "--ua unaddressed mode",
1922 "-2 use slower '1 out of 256' mode",
1923 "-o, --opt set OPTION Flag (needed for TI)",
1924 "-f, --file <fn> Specify a filename for dump file",
1925 "-r, --retry <dec> number of retries (def 3)",
1926 "-v, --verbose verbose output"
1928 "usage": "hf 15 restore [-h*2ov] [-u <hex>] [--ua] [-f <fn>] [-r <dec>]"
1931 "command": "hf 15 samples",
1932 "description": "Acquire samples as Reader (enables carrier, send inquiry and download it to graphbuffer. Try 'hf 15 demod' to try to demodulate/decode signal",
1938 "-h, --help This help"
1940 "usage": "hf 15 samples [-h]"
1943 "command": "hf 15 sim",
1944 "description": "Simulate a ISO-15693 tag",
1947 "hf 15 sim -u E011223344556677"
1951 "-h, --help This help",
1952 "-u, --uid <hex> UID, 8 hex bytes",
1953 "-b, --blocksize <dec> block size (def 4)"
1955 "usage": "hf 15 sim [-h] [-u <hex>] [-b <dec>]"
1957 "hf 15 slixeasdisable": {
1958 "command": "hf 15 slixeasdisable",
1959 "description": "Disable EAS mode on SLIX ISO-15693 tag",
1961 "hf 15 slixeasdisable -p 0F0F0F0F"
1965 "-h, --help This help",
1966 "-p, --pwd <hex> optional password, 4 hex bytes"
1968 "usage": "hf 15 slixeasdisable [-h] [-p <hex>]"
1970 "hf 15 slixeasenable": {
1971 "command": "hf 15 slixeasenable",
1972 "description": "Enable EAS mode on SLIX ISO-15693 tag",
1974 "hf 15 slixeasenable -p 0F0F0F0F"
1978 "-h, --help This help",
1979 "-p, --pwd <hex> optional password, 4 hex bytes"
1981 "usage": "hf 15 slixeasenable [-h] [-p <hex>]"
1983 "hf 15 slixprivacydisable": {
1984 "command": "hf 15 slixprivacydisable",
1985 "description": "Disable privacy mode on SLIX ISO-15693 tag",
1987 "hf 15 slixprivacydisable -p 0F0F0F0F"
1991 "-h, --help This help",
1992 "-p, --pwd <hex> password, 4 hex bytes"
1994 "usage": "hf 15 slixprivacydisable [-h] -p <hex>"
1996 "hf 15 slixprivacyenable": {
1997 "command": "hf 15 slixprivacyenable",
1998 "description": "Enable privacy mode on SLIX ISO-15693 tag",
2000 "hf 15 slixprivacyenable -p 0F0F0F0F"
2004 "-h, --help This help",
2005 "-p, --pwd <hex> password, 4 hex bytes"
2007 "usage": "hf 15 slixprivacyenable [-h] -p <hex>"
2009 "hf 15 slixwritepwd": {
2010 "command": "hf 15 slixwritepwd",
2011 "description": "Write a password on a SLIX family ISO-15693 tag.nSome tags do not support all different password types.",
2013 "hf 15 slixwritepwd -t READ -o 00000000 -n 12131415"
2017 "-h, --help This help",
2018 "-t, --type <read|write|privacy|destroy|easafi> which password field to write to",
2019 "-o, --old <hex> old password (if present), 4 hex bytes",
2020 "-n, --new <hex> new password, 4 hex bytes"
2022 "usage": "hf 15 slixwritepwd [-h] -t <read|write|privacy|destroy|easafi> [-o <hex>] -n <hex>"
2025 "command": "hf 15 sniff",
2026 "description": "Sniff activity without enabling carrier",
2032 "-h, --help This help"
2034 "usage": "hf 15 sniff [-h]"
2037 "command": "hf 15 view",
2038 "description": "Print a ISO-15693 tag dump file (bin/eml/json)",
2040 "hf 15 view -f hf-iclass-AA162D30F8FF12F1-dump.bin"
2044 "-h, --help This help",
2045 "-f, --file <fn> Specify a filename for dump file",
2046 "-z, --dense dense dump output style"
2048 "usage": "hf 15 view [-hz] -f <fn>"
2051 "command": "hf 15 wipe",
2052 "description": "Wipe a ISO-15693 tag by filled memory with zeros",
2058 "-h, --help This help",
2059 "-u, --uid <hex> full UID (8 hex bytes)",
2060 "--ua unaddressed mode",
2062 "-2 use slower '1 out of 256' mode",
2063 "-o, --opt set OPTION Flag (needed for TI)",
2064 "--bs <dec> block size (def 4)",
2065 "-v, --verbose verbose output"
2067 "usage": "hf 15 wipe [-h*2ov] [-u <hex>] [--ua] [--bs <dec>]"
2070 "command": "hf 15 wrbl",
2071 "description": "Write block on ISO-15693 tag",
2073 "hf 15 wrbl -* -b 12 -d AABBCCDD",
2074 "hf 15 wrbl -u E011223344556677 -b 12 -d AABBCCDD"
2078 "-h, --help This help",
2079 "-u, --uid <hex> full UID (8 hex bytes)",
2080 "--ua unaddressed mode",
2082 "-2 use slower '1 out of 256' mode",
2083 "-o, --opt set OPTION Flag (needed for TI)",
2084 "-b, --blk <dec> page number (0-255)",
2085 "-d, --data <hex> data, 4 bytes",
2086 "-v, --verbose verbose output"
2088 "usage": "hf 15 wrbl [-h*2ov] [-u <hex>] [--ua] -b <dec> -d <hex>"
2091 "command": "hf 15 writeafi",
2092 "description": "Write AFI on card",
2094 "hf 15 writeafi -* --afi 12",
2095 "hf 15 writeafi -u E011223344556677 --afi 12 -p 0F0F0F0F"
2099 "-h, --help This help",
2100 "-u, --uid <hex> full UID, 8 hex bytes",
2101 "--afi <dec> AFI number (0-255)",
2102 "-p, --pwd <hex> optional AFI/EAS password"
2104 "usage": "hf 15 writeafi [-h] [-u <hex>] --afi <dec> [-p <hex>]"
2106 "hf 15 writedsfid": {
2107 "command": "hf 15 writedsfid",
2108 "description": "Write DSFID on card",
2110 "hf 15 writedsfid -* --dsfid 12",
2111 "hf 15 writedsfid -u E011223344556677 --dsfid 12"
2115 "-h, --help This help",
2116 "-u, --uid <hex> full UID (8 hex bytes)",
2117 "--ua unaddressed mode",
2119 "-2 use slower '1 out of 256' mode",
2120 "-o, --opt set OPTION Flag (needed for TI)",
2121 "--dsfid <dec> DSFID number (0-255)",
2122 "-v, --verbose verbose output"
2124 "usage": "hf 15 writedsfid [-h*2ov] [-u <hex>] [--ua] --dsfid <dec>"
2126 "hf cipurse aread": {
2127 "command": "hf cipurse aread",
2128 "description": "Read file attributes by file ID with key ID and key. If no key is supplied, default key of 737373...7373 will be used",
2130 "hf cipurse aread --fid 2ff7 -> Select MF, Authenticate with keyID 1, read file attributes with id 2ff7",
2131 "hf cipurse aread --mfd -> read file attributes for master file (MF)",
2132 "hf cipurse aread --chfid 0102 -> read file 0102 attributes in the default application",
2133 "hf cipurse aread --aid 4144204632 --chfid 0102 -> read file 0102 attributes in the 4144204632 application",
2134 "hf cipurse aread -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2, read file attributes"
2138 "-h, --help This help",
2139 "-a, --apdu Show APDU requests and responses",
2140 "-v, --verbose Verbose mode",
2142 "-k, --key <hex> Auth key",
2143 "--mfd Show info about master file",
2144 "--aid <hex> Select application ID (AID) ( 1..16 bytes )",
2145 "--fid <hex> File ID",
2146 "--chfid <hex> Child file ID (EF under application/master file) ( 2 bytes )",
2147 "--noauth Read file attributes without authentication",
2148 "--sreq <plain|mac|encode> Communication reader-PICC security level (def: mac)",
2149 "--sresp <plain|mac|encode> Communication PICC-reader security level (def: mac)"
2151 "usage": "hf cipurse aread [-hav] [-n <dec>] [-k <hex>] [--mfd] [--aid <hex>] [--fid <hex>] [--chfid <hex>] [--noauth] [--sreq <plain|mac|encode>] [--sresp <plain|mac|encode>]"
2153 "hf cipurse auth": {
2154 "command": "hf cipurse auth",
2155 "description": "Authenticate with key ID and key. If no key is supplied, default key of 737373...7373 will be used",
2157 "hf cipurse auth -> Authenticate with keyID 1, default key",
2158 "hf cipurse auth -n 2 -k 65656565656565656565656565656565 -> Authenticate keyID 2 with key"
2162 "-h, --help This help",
2163 "-a, --apdu Show APDU requests and responses",
2164 "-v, --verbose Verbose mode",
2165 "--aid <hex> Application ID (AID) ( 1..16 bytes )",
2166 "--fid <hex> Top file/application ID (FID) ( 2 bytes )",
2167 "--mfd Select masterfile by empty id",
2169 "-k, --key <hex> Auth key"
2171 "usage": "hf cipurse auth [-hav] [--aid <hex>] [--fid <hex>] [--mfd] [-n <dec>] [-k <hex>]"
2173 "hf cipurse awrite": {
2174 "command": "hf cipurse awrite",
2175 "description": "Write file attributes by file ID with key ID and key. If no key is supplied, default key of 737373...7373 will be used",
2177 "hf cipurse awrite --fid 2ff7 -d 080000C1C1C1C1C1C1C1C1C1 -> write default file attributes with id 2ff7",
2178 "hf cipurse awrite --mfd -d 080000FFFFFFFFFFFFFFFFFF86023232 --commit -> write file attributes for master file (MF)",
2179 "hf cipurse awrite --chfid 0102 -d 020000ffffff -> write file 0102 attributes in the default application to full access",
2180 "hf cipurse awrite --chfid 0102 -d 02000040ffff -> write file 0102 attributes in the default application to full access with keys 1 and 2"
2184 "-h, --help This help",
2185 "-a, --apdu Show APDU requests and responses",
2186 "-v, --verbose Verbose mode",
2188 "-k, --key <hex> Auth key",
2189 "--mfd Show info about master file",
2190 "--aid <hex> Select application ID (AID) ( 1..16 bytes )",
2191 "--fid <hex> File ID",
2192 "--chfid <hex> Child file ID (EF under application/master file) ( 2 bytes )",
2193 "--noauth Read file attributes without authentication",
2194 "--sreq <plain|mac|encode> Communication reader-PICC security level (def: mac)",
2195 "--sresp <plain|mac|encode> Communication PICC-reader security level (def: mac)",
2196 "-d, --data <hex> File attributes",
2197 "--commit Commit after write"
2199 "usage": "hf cipurse awrite [-hav] [-n <dec>] [-k <hex>] [--mfd] [--aid <hex>] [--fid <hex>] [--chfid <hex>] [--noauth] [--sreq <plain|mac|encode>] [--sresp <plain|mac|encode>] [-d <hex>] [--commit]"
2201 "hf cipurse create": {
2202 "command": "hf cipurse create",
2203 "description": "Create application/file/key by provide appropriate DGI. If no key is supplied, default key of 737373...7373 will be used",
2205 "hf cipurse create -d 9200123F00200008000062098407A0000005070100 -> create PTSE file with FID 0x2000 and space for 8 AIDs",
2206 "hf cipurse create -d 92002438613F010A050200004040FF021009021009621084054144204631D407A0000005070100A00F2873737373737373737373737373737373015FD67B000102030405060708090A0B0C0D0E0F01C6A13B -> create default file with FID 3F01 and 2 keys",
2207 "hf cipurse create --aid 4144204631 -d 92010C010001020030020000FFFFFF -> create 0x0102 binary data EF under application 4144204631"
2211 "-h, --help This help",
2212 "-a, --apdu Show APDU requests and responses",
2213 "-v, --verbose Verbose mode",
2215 "-k, --key <hex> Auth key",
2216 "--aid <hex> Application ID (AID) ( 1..16 bytes )",
2217 "--fid <hex> File ID (FID) ( 2 bytes )",
2218 "--mfd Select masterfile by empty id",
2219 "-d, --data <hex> Data with DGI for create",
2220 "--sreq <plain|mac|encode> Communication reader-PICC security level (def: mac)",
2221 "--sresp <plain|mac|encode> Communication PICC-reader security level (def: mac)",
2222 "--no-auth Execute without authentication",
2223 "--commit Commit after create"
2225 "usage": "hf cipurse create [-hav] [-n <dec>] [-k <hex>] [--aid <hex>] [--fid <hex>] [--mfd] [-d <hex>] [--sreq <plain|mac|encode>] [--sresp <plain|mac|encode>] [--no-auth] [--commit]"
2227 "hf cipurse default": {
2228 "command": "hf cipurse default",
2229 "description": "Set default parameters for access to cipurse card",
2231 "hf cipurse default --reset -> reset parameters to default",
2232 "hf cipurse default -n 1 -k 65656565656565656565656565656565 --fid 2ff7 -> Set key, key id and file id",
2233 "hf cipurse default --aid 4144204632 -> set default application id"
2237 "-h, --help This help",
2238 "--clear Resets to defaults",
2240 "-k, --key <hex> Authentication key",
2241 "--aid <hex> Application ID (AID) ( 1..16 bytes )",
2242 "--fid <hex> File ID ( 2 bytes )"
2244 "usage": "hf cipurse default [-h] [--clear] [-n <dec>] [-k <hex>] [--aid <hex>] [--fid <hex>]"
2246 "hf cipurse delete": {
2247 "command": "hf cipurse delete",
2248 "description": "Delete file by file ID with key ID and key. If no key is supplied, default key of 737373...7373 will be used",
2250 "hf cipurse delete --fid 2ff7 -> Authenticate with keyID 1, delete file with id 2ff7 at top level",
2251 "hf cipurse delete -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2 and delete file",
2252 "hf cipurse delete --aid A0000005070100 --no-auth -> delete PTSE file with AID A0000005070100 without authentication",
2253 "hf cipurse delete --aid 4144204631 --chfid 0102 -> delete EF with FID 0x0102 under default application"
2257 "-h, --help This help",
2258 "-a, --apdu Show APDU requests and responses",
2259 "-v, --verbose Verbose mode",
2261 "-k, --key <hex> Auth key",
2262 "--fid <hex> File/application ID under MF for delete",
2263 "--aid <hex> Application ID (AID) for delete ( 1..16 bytes )",
2264 "--chfid <hex> Child file ID (EF under application/master file) ( 2 bytes )",
2265 "--sreq <plain|mac|encode> Communication reader-PICC security level (def: mac)",
2266 "--sresp <plain|mac|encode> Communication PICC-reader security level (def: mac)",
2267 "--no-auth Execute without authentication",
2268 "--commit commit after delete"
2270 "usage": "hf cipurse delete [-hav] [-n <dec>] [-k <hex>] [--fid <hex>] [--aid <hex>] [--chfid <hex>] [--sreq <plain|mac|encode>] [--sresp <plain|mac|encode>] [--no-auth] [--commit]"
2272 "hf cipurse formatall": {
2273 "command": "hf cipurse formatall",
2274 "description": "Format card. Erases all the data at the card level!",
2276 "hf cipurse formatall -> Format card with default key",
2277 "hf cipurse formatall -n 2 -k 65656565656565656565656565656565 -> Format card with keyID 2",
2278 "hf cipurse formatall --no-auth -> Format card without authentication. Works for card in perso state"
2282 "-h, --help This help",
2283 "-a, --apdu Show APDU requests and responses",
2284 "-v, --verbose Verbose mode",
2286 "-k, --key <hex> Auth key",
2287 "--sreq <plain|mac|encode> Communication reader-PICC security level (def: mac)",
2288 "--sresp <plain|mac|encode> Communication PICC-reader security level (def: mac)",
2289 "--no-auth Execute without authentication"
2291 "usage": "hf cipurse formatall [-hav] [-n <dec>] [-k <hex>] [--sreq <plain|mac|encode>] [--sresp <plain|mac|encode>] [--no-auth]"
2293 "hf cipurse help": {
2294 "command": "hf cipurse help",
2295 "description": "help This help. test Regression tests --------------------------------------------------------------------------------------- hf cipurse info available offline: no Get info from CIPURSE tags",
2301 "-h, --help This help"
2303 "usage": "hf cipurse info [-h]"
2305 "hf cipurse read": {
2306 "command": "hf cipurse read",
2307 "description": "Read file in the application by file ID with key ID and key. If no key is supplied, default key of 737373...7373 will be used",
2309 "hf cipurse read --fid 2ff7 -> Authenticate with keyID 1, read file with id 2ff7",
2310 "hf cipurse read -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2 and read file",
2311 "hf cipurse read --aid 4144204631 --fid 0102 -> read file with id 0102 from application 4144204631"
2315 "-h, --help This help",
2316 "-a, --apdu Show APDU requests and responses",
2317 "-v, --verbose Verbose mode",
2319 "-k, --key <hex> Auth key",
2320 "--aid <hex> Application ID (AID) ( 1..16 bytes )",
2321 "--fid <hex> File ID",
2322 "-o, --offset <dec> Offset for reading data from file",
2323 "--noauth Read file without authentication",
2324 "--sreq <plain|mac|encode> Communication reader-PICC security level (def: mac)",
2325 "--sresp <plain|mac|encode> Communication PICC-reader security level (def: mac)"
2327 "usage": "hf cipurse read [-hav] [-n <dec>] [-k <hex>] [--aid <hex>] [--fid <hex>] [-o <dec>] [--noauth] [--sreq <plain|mac|encode>] [--sresp <plain|mac|encode>]"
2329 "hf cipurse select": {
2330 "command": "hf cipurse select",
2331 "description": "Select application or file",
2333 "hf cipurse select --aid A0000005070100 -> Select PTSE application by AID",
2334 "hf cipurse select --fid 3f00 -> Select master file by FID 3f00",
2335 "hf cipurse select --fid 2ff7 -> Select attribute file by FID 2ff7",
2336 "hf cipurse select --mfd -vt -> Select default file by empty FID and show response data in plain and TLV decoded format"
2340 "-h, --help This help",
2341 "-a, --apdu Show APDU requests and responses",
2342 "-v, --verbose Verbose mode",
2343 "-t, --tlv TLV decode returned data",
2344 "--aid <hex> Application ID (AID) 1..16 bytes",
2345 "--fid <hex> Top level file (or application) ID (FID) 2 bytes",
2346 "--mfd Select masterfile by empty id",
2347 "--chfid <hex> Child file ID (EF under application/master file) 2 bytes"
2349 "usage": "hf cipurse select [-havt] [--aid <hex>] [--fid <hex>] [--mfd] [--chfid <hex>]"
2351 "hf cipurse test": {
2352 "command": "hf cipurse test",
2353 "description": "Regression tests",
2359 "-h, --help This help"
2361 "usage": "hf cipurse test [-h]"
2363 "hf cipurse updakey": {
2364 "command": "hf cipurse updakey",
2365 "description": "Update key attributes. Factory default - 0x02. b0 - Update right - 1 self b1 - Change key and rights - 0 frozen b2 - Use as key encryption key - 1 blocked b8 - Key validity - 0 valid",
2367 "hf cipurse updakey --trgkeyn 2 --attr 80 -> block key 2 for lifetime (WARNING!)",
2368 "hf cipurse updakey --trgkeyn 1 --attr 02 --commit -> for key 1"
2372 "-h, --help This help",
2373 "-a, --apdu Show APDU requests and responses",
2374 "-v, --verbose Show technical data",
2375 "-n <dec> Key ID for authentication",
2376 "-k, --key <hex> Auth key",
2377 "--aid <hex 1..16 bytes> Application ID (AID)",
2378 "--fid <hex 2 bytes> File ID (FID)",
2379 "--mfd Select masterfile by empty id",
2380 "--trgkeyn <dec> Target key ID",
2381 "--attr <hex 1 byte> Key attributes 1 byte",
2382 "--sreq <plain|mac(default)|encode> Communication reader-PICC security level",
2383 "--sresp <plain|mac(default)|encode> Communication PICC-reader security level",
2384 "--no-auth Execute without authentication",
2387 "usage": "hf cipurse updakey [-hav] [-n <dec>] [-k <hex>] [--aid <hex 1..16 bytes>] [--fid <hex 2 bytes>] [--mfd] [--trgkeyn <dec>] [--attr <hex 1 byte>] [--sreq <plain|mac(default)|encode>] [--sresp <plain|mac(default)|encode>] [--no-auth] [--commit]"
2389 "hf cipurse updkey": {
2390 "command": "hf cipurse updkey",
2391 "description": "Update key",
2393 "hf cipurse updkey --aid 4144204631 --newkeyn 2 --newkeya 00 --newkey 73737373737373737373737373737373 -> update default application key 2 with default value 73..73",
2394 "hf cipurse updkey --newkeyn 1 --newkeya 00 --newkey 0102030405060708090a0b0c0d0e0f10 --commit -> for key 1"
2398 "-h, --help This help",
2399 "-a, --apdu Show APDU requests and responses",
2400 "-v, --verbose Show technical data",
2401 "-n <dec> Key ID for authentication",
2402 "-k, --key <hex> Auth key",
2403 "--aid <hex 1..16 bytes> Application ID (AID)",
2404 "--fid <hex 2 bytes> File ID (FID)",
2405 "--mfd Select masterfile by empty id",
2406 "--newkeyn <dec> Target key ID",
2407 "--newkey <hex 16 byte> New key",
2408 "--newkeya <hex 1 byte> New key additional info (def: 0x00)",
2409 "--enckeyn <dec> Encrypt key ID (must be equal to the key on the card)",
2410 "--enckey <hex 16 byte> Encrypt key (must be equal to the key on the card)",
2411 "--sreq <plain|mac(default)|encode> Communication reader-PICC security level",
2412 "--sresp <plain|mac(default)|encode> Communication PICC-reader security level",
2413 "--no-auth Execute without authentication",
2416 "usage": "hf cipurse updkey [-hav] [-n <dec>] [-k <hex>] [--aid <hex 1..16 bytes>] [--fid <hex 2 bytes>] [--mfd] [--newkeyn <dec>] [--newkey <hex 16 byte>] [--newkeya <hex 1 byte>] [--enckeyn <dec>] [--enckey <hex 16 byte>] [--sreq <plain|mac(default)|encode>] [--sresp <plain|mac(default)|encode>] [--no-auth] [--commit]"
2418 "hf cipurse write": {
2419 "command": "hf cipurse write",
2420 "description": "Write file in the application by file ID with key ID and key. If no key is supplied, default key of 737373...7373 will be used",
2422 "hf cipurse write --fid 2ff7 -d aabb -> Authenticate with keyID 1, write file with id 2ff7",
2423 "hf cipurse write -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -d aabb -> Authenticate keyID 2 and write file",
2424 "hf cipurse write --aid 4144204631 --fid 0102 -d aabb -> write file with id 0102 in the 4144204631 application",
2425 "hf cipurse write --fid 0102 -d aabb --commit -> write file with id 0102 and perform commit after write"
2429 "-h, --help This help",
2430 "-a, --apdu Show APDU requests and responses",
2431 "-v, --verbose Verbose mode",
2433 "-k, --key <hex> Auth key",
2434 "--aid <hex> Application ID (AID) ( 1..16 bytes )",
2435 "--fid <hex> File ID",
2436 "-o, --offset <dec> Offset for reading data from file",
2437 "--noauth Read file without authentication",
2438 "--sreq <plain|mac|encode> Communication reader-PICC security level (def: mac)",
2439 "--sresp <plain|mac|encode> Communication PICC-reader security level (def: mac)",
2440 "-d, --data <hex> Data to write to new file",
2441 "--commit Commit after write"
2443 "usage": "hf cipurse write [-hav] [-n <dec>] [-k <hex>] [--aid <hex>] [--fid <hex>] [-o <dec>] [--noauth] [--sreq <plain|mac|encode>] [--sresp <plain|mac|encode>] [-d <hex>] [--commit]"
2446 "command": "hf emrtd help",
2447 "description": "help This help info Display info about an eMRTD list List ISO 14443A/7816 history --------------------------------------------------------------------------------------- hf emrtd dump available offline: no Dump all files on an eMRTD",
2450 "hf emrtd dump --dir ../dump",
2451 "hf emrtd dump -n 123456789 -d 890101 -e 250401"
2455 "-h, --help This help",
2456 "-n, --doc <alphanum> document number, up to 9 chars",
2457 "-d, --date <YYMMDD> date of birth in YYMMDD format",
2458 "-e, --expiry <YYMMDD> expiry in YYMMDD format",
2459 "-m, --mrz <[0-9A-Z<]> 2nd line of MRZ, 44 chars",
2460 "--dir <str> save dump to the given dirpath"
2462 "usage": "hf emrtd dump [-h] [-n <alphanum>] [-d <YYMMDD>] [-e <YYMMDD>] [-m <[0-9A-Z<]>] [--dir <str>]"
2465 "command": "hf emrtd info",
2466 "description": "Display info about an eMRTD",
2469 "hf emrtd info --dir ../dumps",
2470 "hf emrtd info -n 123456789 -d 890101 -e 250401",
2471 "hf emrtd info -n 123456789 -d 890101 -e 250401 -i"
2475 "-h, --help This help",
2476 "-n, --doc <alphanum> document number, up to 9 chars",
2477 "-d, --date <YYMMDD> date of birth in YYMMDD format",
2478 "-e, --expiry <YYMMDD> expiry in YYMMDD format",
2479 "-m, --mrz <[0-9A-Z<]> 2nd line of MRZ, 44 chars (passports only)",
2480 "--dir <str> display info from offline dump stored in dirpath",
2481 "-i, --images show images"
2483 "usage": "hf emrtd info [-hi] [-n <alphanum>] [-d <YYMMDD>] [-e <YYMMDD>] [-m <[0-9A-Z<]>] [--dir <str>]"
2486 "command": "hf emrtd list",
2487 "description": "Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
2489 "hf emrtd list --frame -> show frame delay times",
2490 "hf emrtd list -1 -> use trace buffer"
2494 "-h, --help This help",
2495 "-1, --buffer use data from trace buffer",
2496 "--frame show frame delay times",
2497 "-c mark CRC bytes",
2498 "-r show relative times (gap and duration)",
2499 "-u display times in microseconds instead of clock cycles",
2500 "-x show hexdump to convert to pcap(ng)",
2501 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
2502 "-f, --file <fn> filename of dictionary"
2504 "usage": "hf emrtd list [-h1crux] [--frame] [-f <fn>]"
2507 "command": "hf epa help",
2508 "description": "help This help --------------------------------------------------------------------------------------- hf epa cnonces available offline: no Tries to collect nonces when doing part of PACE protocol.",
2510 "hf epa cnonces --size 4 --num 4 --delay 1"
2514 "-h, --help This help",
2515 "--size <dec> nonce size",
2516 "--num <dec> number of nonces to collect",
2517 "-d, --delay <dec> delay between attempts"
2519 "usage": "hf epa cnonces [-h] --size <dec> --num <dec> -d <dec>"
2522 "command": "hf epa replay",
2523 "description": "Perform PACE protocol by replaying given APDUs",
2525 "hf epa replay --mse 0022C1A4 --get 1068000000 --map 1086000002 --pka 1234ABCDEF --ma 1A2B3C4D"
2529 "-h, --help This help",
2530 "--mse <hex> msesa APDU",
2531 "--get <hex> gn APDU",
2532 "--map <hex> map APDU",
2533 "--pka <hex> pka APDU",
2534 "--ma <hex> ma APDU"
2536 "usage": "hf epa replay [-h] --mse <hex> --get <hex> --map <hex> --pka <hex> --ma <hex>"
2539 "command": "hf epa sim",
2540 "description": "Simulate PACE protocol with given password pwd of type pty. The crypto is performed on pc or proxmark",
2542 "hf epa sim --pwd 112233445566",
2543 "hf epa sim --pc --pty 1 --pwd 112233445566"
2547 "-h, --help This help",
2548 "--pc perform crypto on PC",
2549 "--pty <hex> type of password",
2550 "-p, --pwd <hex> password"
2552 "usage": "hf epa sim [-h] --pc --pty <hex> -p <hex>"
2554 "hf felica auth1": {
2555 "command": "hf felica auth1",
2556 "description": "Initiate mutual authentication. This command must always be executed before Auth2 command and mutual authentication is achieve only after Auth2 command has succeeded. INCOMPLETE / EXPERIMENTAL COMMAND!!!",
2558 "hf felica auth1 --an 01 --acl 0000 --sn 01 --scl 8B00 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB",
2559 "hf felica auth1 --an 01 --acl 0000 --sn 01 --scl 8B00 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA",
2560 "hf felica auth1 -i 11100910C11BC407 --an 01 --acl 0000 --sn 01 ..scl 8B00 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB"
2564 "-h, --help This help",
2565 "--an <hex> number of areas, 1 byte",
2566 "--acl <hex> area code list, 2 bytes",
2567 "-i <hex> set custom IDm",
2568 "--sn <hex> number of service, 1 byte",
2569 "--scl <hex> service code list, 2 bytes",
2570 "-k, --key <hex> 3des key, 16 bytes",
2571 "-v, --verbose verbose output"
2573 "usage": "hf felica auth1 [-hv] [--an <hex>] [--acl <hex>] [-i <hex>] [--sn <hex>] [--scl <hex>] [-k <hex>]"
2575 "hf felica auth2": {
2576 "command": "hf felica auth2",
2577 "description": "Complete mutual authentication. This command can only be executed subsquent to Auth1 INCOMPLETE / EXPERIMENTAL COMMAND!!! EXPERIMENTAL COMMAND - M2c/P2c will be not checked",
2579 "hf felica auth2 --cc 0102030405060708 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB",
2580 "hf felica auth2 -i 11100910C11BC407 --cc 0102030405060708 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB"
2584 "-h, --help This help",
2585 "-i <hex> set custom IDm",
2586 "-c, --cc <hex> M3c card challenge, 8 bytes",
2587 "-k, --key <hex> 3des M3c decryption key, 16 bytes",
2588 "-v, --verbose verbose output"
2590 "usage": "hf felica auth2 [-hv] [-i <hex>] [-c <hex>] [-k <hex>]"
2593 "command": "hf felica help",
2594 "description": "----------- ----------------------- General ----------------------- help This help list List ISO 18092/FeliCa history ----------- ----------------------- Operations ----------------------- ----------- ----------------------- FeliCa Standard ----------------------- ----------- ----------------------- FeliCa Light ----------------------- --------------------------------------------------------------------------------------- hf felica list available offline: yes Alias of `trace list -t felica` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
2596 "hf felica list --frame -> show frame delay times",
2597 "hf felica list -1 -> use trace buffer"
2601 "-h, --help This help",
2602 "-1, --buffer use data from trace buffer",
2603 "--frame show frame delay times",
2604 "-c mark CRC bytes",
2605 "-r show relative times (gap and duration)",
2606 "-u display times in microseconds instead of clock cycles",
2607 "-x show hexdump to convert to pcap(ng)",
2608 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
2609 "-f, --file <fn> filename of dictionary"
2611 "usage": "hf felica list [-h1crux] [--frame] [-f <fn>]"
2614 "command": "hf felica info",
2615 "description": "Reader for FeliCa based tags",
2621 "-h, --help This help"
2623 "usage": "hf felica info [-h]"
2625 "hf felica litedump": {
2626 "command": "hf felica litedump",
2627 "description": "Dump ISO/18092 FeliCa Lite tag. It will timeout after 200sec",
2629 "hf felica litedump"
2633 "-h, --help This help"
2635 "usage": "hf felica litedump [-h]"
2637 "hf felica litesim": {
2638 "command": "hf felica litesim",
2639 "description": "Emulating ISO/18092 FeliCa Lite tag",
2641 "hf felica litesim -u 1122334455667788"
2645 "-h, --help This help",
2646 "-u, --uid <hex> UID/NDEF2 8 hex bytes"
2648 "usage": "hf felica litesim [-h] -u <hex>"
2651 "command": "hf felica raw",
2652 "description": "Send raw hex data to tag",
2654 "hf felica raw -cs 20",
2655 "hf felica raw -cs 2008"
2659 "-h, --help This help",
2660 "-a active signal field ON without select",
2661 "-c calculate and append CRC",
2662 "-k keep signal field ON after receive",
2663 "-n <dec> number of bits",
2664 "-r do not read response",
2665 "-s active signal field ON with select",
2666 "<hex> raw bytes to send"
2668 "usage": "hf felica raw [-hackrs] [-n <dec>] <hex>"
2671 "command": "hf felica rdbl",
2672 "description": "Use this command to read block data from authentication-not-required Service. - Mode shall be Mode0. - Successful == block data - Unsuccessful == Status Flag1 and Flag2",
2674 "hf felica rdbl --sn 01 --scl 8B00 --bn 01 --ble 8000",
2675 "hf felica rdbl --sn 01 --scl 4B18 --bn 01 --ble 8000 -b",
2676 "hf felica rdbl -i 01100910c11bc407 --sn 01 --scl 8B00 --bn 01 --ble 8000"
2680 "-h, --help This help",
2681 "-b get all block list elements 00 -> FF",
2682 "-i <hex> set custom IDm",
2683 "-l, --long use 3 byte block list element block number",
2684 "--sn <hex> number of service",
2685 "--scl <hex> service code list",
2686 "--bn <hex> number of block",
2687 "--ble <hex> block list element (def 2|3 bytes)",
2688 "-v, --verbose verbose output"
2690 "usage": "hf felica rdbl [-hblv] [-i <hex>] [--sn <hex>] [--scl <hex>] [--bn <hex>] [--ble <hex>]"
2692 "hf felica reader": {
2693 "command": "hf felica reader",
2694 "description": "Act as a ISO 18092 / FeliCa reader. Look for FeliCa tags until Enter or the pm3 button is pressed",
2696 "hf felica reader -@ -> Continuous mode"
2700 "-h, --help This help",
2701 "-s, --silent silent (no messages)",
2702 "-@ optional - continuous reader mode"
2704 "usage": "hf felica reader [-hs@]"
2706 "hf felica resetmode": {
2707 "command": "hf felica resetmode",
2708 "description": "Use this command to reset Mode to Mode 0.",
2710 "hf felica resetmode",
2711 "hf felica resetmode -r 0001",
2712 "hf felica resetmode -i 11100910C11BC407"
2716 "-h, --help This help",
2717 "-i <hex> set custom IDm",
2718 "-r <hex> set custom reserve",
2719 "-v, --verbose verbose output"
2721 "usage": "hf felica resetmode [-hv] [-i <hex>] [-r <hex>]"
2723 "hf felica rqresponse": {
2724 "command": "hf felica rqresponse",
2725 "description": "Use this command to verify the existence of a card and its Mode. - current mode of the card is returned",
2727 "hf felica rqresponse -i 11100910C11BC407"
2731 "-h, --help This help",
2732 "-i <hex> set custom IDm"
2734 "usage": "hf felica rqresponse [-h] [-i <hex>]"
2736 "hf felica rqservice": {
2737 "command": "hf felica rqservice",
2738 "description": "Use this command to verify the existence of Area and Service, and to acquire Key Version: - When the specified Area or Service exists, the card returns Key Version. - When the specified Area or Service does not exist, the card returns FFFFh as Key Version. For Node Code List of a command packet, Area Code or Service Code of the target of acquisition of Key Version shall be enumerated in Little Endian format. If Key Version of System is the target of acquisition, FFFFh shall be specified in the command packet.",
2740 "hf felcia rqservice --node 01 --code FFFF",
2741 "hf felcia rqservice -a --code FFFF",
2742 "hf felica rqservice -i 011204126417E405 --node 01 --code FFFF"
2746 "-h, --help This help",
2747 "-a, --all auto node number mode, iterates through all nodes 1 < n < 32",
2748 "-n, --node <hex> Number of Node",
2749 "-c, --code <hex> Node Code List (little endian)",
2750 "-i, --idm <hex> use custom IDm"
2752 "usage": "hf felica rqservice [-ha] [-n <hex>] [-c <hex>] [-i <hex>]"
2754 "hf felica rqspecver": {
2755 "command": "hf felica rqspecver",
2756 "description": "Use this command to acquire the version of card OS. Response: - Format version: Fixed value 00h. Provided only if Status Flag1 = 00h - Basic version: Each value of version is expressed in BCD notation. Provided only if Status Flag1 = 00h - Number of Option: value = 0: AES card, value = 1: AES/DES card. Provided only if Status Flag1 = 00h - Option version list: Provided only if Status Flag1 = 00h - AES card: not added - AES/DES card: DES option version is added - BCD notation",
2758 "hf felica rqspecver",
2759 "hf felica rqspecver -r 0001",
2760 "hf felica rqspecver -i 11100910C11BC407"
2764 "-h, --help This help",
2765 "-i <hex> set custom IDm",
2766 "-r <hex> set custom reserve",
2767 "-v, --verbose verbose output"
2769 "usage": "hf felica rqspecver [-hv] [-i <hex>] [-r <hex>]"
2771 "hf felica rqsyscode": {
2772 "command": "hf felica rqsyscode",
2773 "description": "Use this command to acquire System Code registered to the card. - if a card is divided into more than one System, this command acquires System Code of each System existing in the card.",
2775 "hf felica rqsyscode",
2776 "hf felica rqsyscode -i 11100910C11BC407"
2780 "-h, --help This help",
2781 "-i <hex> set custom IDm"
2783 "usage": "hf felica rqsyscode [-h] [-i <hex>]"
2785 "hf felica scsvcode": {
2786 "command": "hf felica scsvcode",
2787 "description": "Feature not implemented yet. Feel free to contribute!",
2789 "hf felica scsvcode"
2793 "-h, --help This help"
2795 "usage": "hf felica scsvcode [-h]"
2797 "hf felica sniff": {
2798 "command": "hf felica sniff",
2799 "description": "Collect data from the field and save into command buffer. Buffer accessible from `hf felica list`",
2802 "hf felica sniff -s 10 -t 19"
2806 "-h, --help This help",
2807 "-s, --samples <dec> samples to skip",
2808 "-t, --trig <dec> triggers to skip"
2810 "usage": "hf felica sniff [-h] [-s <dec>] [-t <dec>]"
2813 "command": "hf felica wrbl",
2814 "description": "Use this command to write block data to authentication-not-required Service. - Mode shall be Mode0. - Un-/Ssuccessful == Status Flag1 and Flag2",
2816 "hf felica wrbl --sn 01 --scl CB10 --bn 01 --ble 8001 -d 0102030405060708090A0B0C0D0E0F10",
2817 "hf felica wrbl -i 01100910c11bc407 --sn 01 --scl CB10 --bn 01 --ble 8001 -d 0102030405060708090A0B0C0D0E0F10"
2821 "-h, --help This help",
2822 "-d, --data <hex> data, 16 hex bytes",
2823 "-i <hex> set custom IDm",
2824 "--sn <hex> number of service",
2825 "--scl <hex> service code list",
2826 "--bn <hex> number of block",
2827 "--ble <hex> block list element (def 2|3 bytes)",
2828 "-v, --verbose verbose output"
2830 "usage": "hf felica wrbl [-hv] [-d <hex>] [-i <hex>] [--sn <hex>] [--scl <hex>] [--bn <hex>] [--ble <hex>]"
2833 "command": "hf fido assert",
2834 "description": "Execute a FIDO2 Get Assertion command. Needs json file with parameters. Sample file `fido2_defparams.json` in `client/resources/`. - Needs if `rk` option is `false` (authenticator doesn't store credential to its memory) - for yubikey there must be only one option `\"up\": true` or false note: `-vv` shows full certificates data",
2836 "hf fido assert -> default parameters file `fido2_defparams.json`",
2837 "hf fido assert -f test.json -l -> use parameters file `text.json` and add to request CredentialId"
2841 "-h, --help This help",
2842 "-a, --apdu Show APDU requests and responses",
2843 "-v, --verbose Verbose output",
2844 "-c, --cbor Show CBOR decoded data",
2845 "-l, --list Add CredentialId from json to allowList",
2846 "-f, --file <fn> Parameter JSON file name"
2848 "usage": "hf fido assert [-havcl] [-f <fn>]"
2851 "command": "hf fido auth",
2852 "description": "Initiate a U2F token authentication. Needs key handle and two 32-byte hash numbers. key handle(var 0..255), challenge parameter (32b) and application parameter (32b) The default config filename is `fido2_defparams.json`",
2854 "hf fido auth --kh 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with 2 parameters, filled 0x00 and key handle",
2856 "--kh 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f",
2857 "--cpx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f",
2858 "--apx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with parameters"
2862 "-h, --help This help",
2863 "-a, --apdu Show APDU requests and responses",
2864 "-v, --verbose Verbose output",
2865 "default mode: dont-enforce-user-presence-and-sign",
2866 "-u, --user mode: enforce-user-presence-and-sign",
2867 "-c, --check mode: check-only",
2868 "-f, --file <fn> JSON file name for parameters",
2869 "-k, --key <hex> Public key to verify signature",
2870 "--kh <hex> Key handle (var 0..255b)",
2871 "--cp <str> Challenge parameter (1..16 chars)",
2872 "--ap <str> Application parameter (1..16 chars)",
2873 "--cpx <hex> Challenge parameter (32 bytes hex)",
2874 "--apx <hex> Application parameter (32 bytes hex)"
2876 "usage": "hf fido auth [-havuc] default mode: [-f <fn>] [-k <hex>] [--kh <hex>] [--cp <str>] [--ap <str>] [--cpx <hex>] [--apx <hex>]"
2879 "command": "hf fido help",
2880 "description": "help This help. list List ISO 14443A history --------------------------------------------------------------------------------------- hf fido list available offline: yes Alias of `trace list -t 14a` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
2882 "hf fido list --frame -> show frame delay times",
2883 "hf fido list -1 -> use trace buffer"
2887 "-h, --help This help",
2888 "-1, --buffer use data from trace buffer",
2889 "--frame show frame delay times",
2890 "-c mark CRC bytes",
2891 "-r show relative times (gap and duration)",
2892 "-u display times in microseconds instead of clock cycles",
2893 "-x show hexdump to convert to pcap(ng)",
2894 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
2895 "-f, --file <fn> filename of dictionary"
2897 "usage": "hf fido list [-h1crux] [--frame] [-f <fn>]"
2900 "command": "hf fido info",
2901 "description": "Get info from Fido tags",
2907 "-h, --help This help"
2909 "usage": "hf fido info [-h]"
2912 "command": "hf fido make",
2913 "description": "Execute a FIDO2 Make Credential command. Needs json file with parameters. Sample file `fido2_defparams.json` in `client/resources/`. - for yubikey there must be only one option `\"rk\": true` or false note: `-vv` shows full certificates data",
2915 "hf fido make -> use default parameters file `fido2_defparams.json`",
2916 "hf fido make -f test.json -> use parameters file `text.json`"
2920 "-h, --help This help",
2921 "-a, --apdu Show APDU requests and responses",
2922 "-v, --verbose Verbose output",
2923 "-t, --tlv Show DER certificate contents in TLV representation",
2924 "-c, --cbor Show CBOR decoded data",
2925 "-f, --file <fn> Parameter JSON file name"
2927 "usage": "hf fido make [-havtc] [-f <fn>]"
2930 "command": "hf fido reg",
2931 "description": "Initiate a U2F token registration. Needs two 32-byte hash numbers. challenge parameter (32b) and application parameter (32b). The default config filename is `fido2_defparams.json` note: `-vv` shows full certificates data",
2933 "hf fido reg -> execute command with 2 parameters, filled 0x00",
2934 "hf fido reg --cp s0 --ap s1 -> execute command with plain parameters",
2935 "hf fido reg --cpx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f --apx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f",
2936 "hf fido reg -f fido2-params -> execute command with custom config file"
2940 "-h, --help This help",
2941 "-a, --apdu Show APDU requests and responses",
2942 "-v, --verbose Verbose output",
2943 "-t, --tlv Show DER certificate contents in TLV representation",
2944 "-f, --file <fn> JSON input file name for parameters",
2945 "--cp <str> Challenge parameter (1..16 chars)",
2946 "--ap <str> Application parameter (1..16 chars)",
2947 "--cpx <hex> Challenge parameter (32 bytes hex)",
2948 "--apx <hex> Application parameter (32 bytes hex)"
2950 "usage": "hf fido reg [-havt] [-f <fn>] [--cp <str>] [--ap <str>] [--cpx <hex>] [--apx <hex>]"
2953 "command": "hf fudan dump",
2954 "description": "Dump FUDAN tag to file (bin/json) If no <name> given, UID will be used as filename",
2956 "hf fudan dump -f mydump -> dump using filename"
2960 "-h, --help This help",
2961 "-f, --file <fn> Specify a filename for dump file",
2962 "--ns no save to file"
2964 "usage": "hf fudan dump [-h] [-f <fn>] [--ns]"
2967 "command": "hf fudan help",
2968 "description": "help This help view Display content from tag dump file --------------------------------------------------------------------------------------- hf fudan reader available offline: no Read a fudan tag",
2971 "hf fudan reader -@ -> continuous reader mode"
2975 "-h, --help This help",
2976 "-v, --verbose verbose output",
2977 "-@ optional - continuous reader mode"
2979 "usage": "hf fudan reader [-hv@]"
2982 "command": "hf fudan rdbl",
2983 "description": "Read fudan block",
2985 "hf fudan rdbl --blk 0 -k FFFFFFFFFFFF",
2986 "hf fudan rdbl --blk 3 -v"
2990 "-h, --help This help",
2991 "--blk <dec> block number",
2992 "-k, --key <hex> key, 6 hex bytes",
2993 "-v, --verbose verbose output"
2995 "usage": "hf fudan rdbl [-hv] --blk <dec> [-k <hex>]"
2998 "command": "hf fudan view",
2999 "description": "Print a FUDAN dump file (bin/eml/json)",
3001 "hf fudan view -f hf-fudan-01020304-dump.bin"
3005 "-h, --help This help",
3006 "-f, --file <fn> Specify a filename for dump file"
3008 "usage": "hf fudan view [-h] -f <fn>"
3011 "command": "hf fudan wrbl",
3012 "description": "Write fudan block with 4 hex bytes of data",
3014 "hf fudan wrbl --blk 1 -k FFFFFFFFFFFF -d 01020304"
3018 "-h, --help This help",
3019 "--blk <dec> block number",
3020 "-k, --key <hex> key, 6 hex bytes",
3021 "-d, --data <hex> bytes to write, 4 hex bytes"
3023 "usage": "hf fudan wrbl [-h] --blk <dec> [-k <hex>] [-d <hex>]"
3025 "hf gallagher clone": {
3026 "command": "hf gallagher clone",
3027 "description": "Clone Gallagher credentials to a writable DESFire card Specify site key is required if using non-default key Key, lengths for the different crypto: DES 8 bytes 2TDEA or AES 16 bytes 3TDEA 24 bytes AID, default finds lowest available in range 0x??81F4, where ?? >= 0x20.",
3029 "hf gallagher clone --rc 1 --fc 22 --cn 3333 --il 4 --sitekey 00112233445566778899aabbccddeeff"
3033 "-h, --help This help",
3034 "-n, --keynum <dec> PICC key number [default = 0]",
3035 "-t, --algo <DES|2TDEA|3TDEA|AES> PICC crypt algo: DES, 2TDEA, 3TDEA, AES",
3036 "-k, --key <hex> Key for authentication to the PICC to create applications",
3037 "--rc <dec> Region code. 4 bits max",
3038 "--fc <dec> Facility code. 2 bytes max",
3039 "--cn <dec> Card number. 3 bytes max",
3040 "--il <dec> Issue level. 4 bits max",
3041 "--aid <hex> Application ID to write (3 bytes) [default automatically chooses]",
3042 "--sitekey <hex> Site key to compute diversified keys (16 bytes)",
3043 "--cadkey <hex> Custom AES key 0 to modify the Card Application Directory (16 bytes)",
3044 "--nocadupdate Don't modify the Card Application Directory (only creates the app)",
3045 "--noappcreate Don't create the application (only modifies the CAD)",
3046 "--apdu Show APDU requests and responses",
3047 "-v, --verbose Verbose output"
3049 "usage": "hf gallagher clone [-hv] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] --rc <dec> --fc <dec> --cn <dec> --il <dec> [--aid <hex>] [--sitekey <hex>] [--cadkey <hex>] [--nocadupdate] [--noappcreate] [--apdu]"
3051 "hf gallagher decode": {
3052 "command": "hf gallagher decode",
3053 "description": "Decode Gallagher credential block Credential block can be specified with or without the bitwise inverse.",
3055 "hf gallagher decode --data A3B4B0C151B0A31B"
3059 "-h, --help This help",
3060 "--data <hex> Credential block (8 or 16 bytes)"
3062 "usage": "hf gallagher decode [-h] --data <hex>"
3064 "hf gallagher delete": {
3065 "command": "hf gallagher delete",
3066 "description": "Delete Gallagher application from a DESFire card Specify site key is required if using non-default key",
3068 "hf gallagher delete --aid 2081f4 --sitekey 00112233445566778899aabbccddeeff"
3072 "-h, --help This help",
3073 "--aid <hex> Application ID to delete (3 bytes)",
3074 "--sitekey <hex> Site key to compute diversified keys (16 bytes)",
3075 "--cadkey <hex> Custom AES key 0 to modify the Card Application Directory (16 bytes)",
3076 "--nocadupdate Don't modify the Card Application Directory (only deletes the app)",
3077 "--noappdelete Don't delete the application (only modifies the CAD)",
3078 "--apdu Show APDU requests and responses",
3079 "-v, --verbose Verbose output"
3081 "usage": "hf gallagher delete [-hv] --aid <hex> [--sitekey <hex>] [--cadkey <hex>] [--nocadupdate] [--noappdelete] [--apdu]"
3083 "hf gallagher diversifykey": {
3084 "command": "hf gallagher diversifykey",
3085 "description": "Diversify Gallagher key Specify site key is required if using non-default key",
3087 "hf gallagher diversify --uid 11223344556677 --aid 2081f4"
3091 "-h, --help This help",
3092 "--aid <hex> Application ID for diversification (3 bytes)",
3093 "--keynum <dec> Key number [default = 0]",
3094 "--uid <hex> Card UID to delete (4 or 7 bytes)",
3095 "--sitekey <hex> Site key to compute diversified keys (16 bytes)",
3096 "--apdu Show APDU requests and responses"
3098 "usage": "hf gallagher diversify [-h] --aid <hex> [--keynum <dec>] [--uid <hex>] [--sitekey <hex>] [--apdu]"
3100 "hf gallagher help": {
3101 "command": "hf gallagher help",
3102 "description": "help This help diversifykey Diversify Gallagher key decode Decode Gallagher credential block --------------------------------------------------------------------------------------- hf gallagher reader available offline: no Read a Gallagher DESFire tag from the Card Application Directory, CAD Specify site key is required if using non-default key",
3104 "hf gallagher reader -@ -> continuous reader mode",
3105 "hf gallagher reader --aid 2081f4 --sitekey 00112233445566778899aabbccddeeff -> skip CAD"
3109 "-h, --help This help",
3110 "--aid <hex> Application ID to read (3 bytes). If specified, the CAD is not used",
3111 "--sitekey <hex> Site key to compute diversified keys (16 bytes)",
3112 "-@, --continuous Continuous reader mode",
3113 "--apdu Show APDU requests and responses",
3114 "-v, --verbose Verbose output"
3116 "usage": "hf gallagher reader [-h@v] [--aid <hex>] [--sitekey <hex>] [--apdu]"
3119 "command": "hf help",
3120 "description": "-------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... } 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } iclass { ICLASS RFIDs... } ict { ICT MFC/DESfire RFIDs... } jooki { Jooki RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } tesla { TESLA Cards... } texkom { Texkom RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } vas { Apple Value Added Service } waveshare { Waveshare NFC ePaper... } xerox { Fuji/Xerox cartridge RFIDs... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer search Search for known HF tags --------------------------------------------------------------------------------------- hf list available offline: yes Alias of `trace list -t raw` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
3122 "hf list --frame -> show frame delay times",
3123 "hf list -1 -> use trace buffer"
3127 "-h, --help This help",
3128 "-1, --buffer use data from trace buffer",
3129 "--frame show frame delay times",
3130 "-c mark CRC bytes",
3131 "-r show relative times (gap and duration)",
3132 "-u display times in microseconds instead of clock cycles",
3133 "-x show hexdump to convert to pcap(ng)",
3134 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
3135 "-f, --file <fn> filename of dictionary"
3137 "usage": "hf list [-h1crux] [--frame] [-f <fn>]"
3139 "hf iclass calcnewkey": {
3140 "command": "hf iclass calcnewkey",
3141 "description": "Calculate new keys for updating (blocks 3 & 4)",
3143 "hf iclass calcnewkey --old 1122334455667788 --new 2233445566778899 --csn deadbeafdeadbeaf --elite2 -> e key to e key given csn",
3144 "hf iclass calcnewkey --old 1122334455667788 --new 2233445566778899 --elite -> std key to e key read csn",
3145 "hf iclass calcnewkey --old 1122334455667788 --new 2233445566778899 -> std to std read csn"
3149 "-h, --help This help",
3150 "--old <hex> Specify key as 8 hex bytes",
3151 "--oki <dec> Old key index to select key from memory 'hf iclass managekeys'",
3152 "--new <hex> Specify key as 8 hex bytes",
3153 "--nki <dec> New key index to select key from memory 'hf iclass managekeys'",
3154 "--csn <hex> Specify a Card Serial Number (CSN) to diversify the key (if omitted will attempt to read a CSN)",
3155 "--elite Elite computations applied to new key",
3156 "--elite2 Elite computations applied to both old and new key",
3157 "--oldelite Elite computations applied only to old key"
3159 "usage": "hf iclass calcnewkey [-h] [--old <hex>] [--oki <dec>] [--new <hex>] [--nki <dec>] [--csn <hex>] [--elite] [--elite2] [--oldelite]"
3162 "command": "hf iclass chk",
3163 "description": "Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag",
3165 "hf iclass chk -f iclass_default_keys.dic",
3166 "hf iclass chk -f iclass_elite_keys.dic --elite"
3170 "-h, --help This help",
3171 "-f, --file <fn> Dictionary file with default iclass keys",
3172 "--credit key is assumed to be the credit key",
3173 "--elite elite computations applied to key",
3174 "--raw no computations applied to key (raw)",
3175 "--shallow use shallow (ASK) reader modulation instead of OOK"
3177 "usage": "hf iclass chk [-h] -f <fn> [--credit] [--elite] [--raw] [--shallow]"
3179 "hf iclass configcard": {
3180 "command": "hf iclass configcard",
3181 "description": "Manage reader configuration card via Cardhelper or internal database, The generated config card will be uploaded to device emulator memory. You can start simulating `hf iclass sim -t 3` or use the emul commands",
3183 "hf iclass configcard -l -> download config card settings from cardhelper",
3184 "hf iclass configcard -p -> print all config cards in the database",
3185 "hf iclass configcard --ci 1 -> view config card setting in slot 1",
3186 "hf iclass configcard -g --ci 0 -> generate config file from slot 0"
3190 "-h, --help This help",
3191 "--ci <dec> use config slot at index",
3192 "--ki <dec> Key index to select key from memory 'hf iclass managekeys'",
3193 "-g generate card dump file",
3194 "-l load available cards",
3195 "-p print available cards"
3197 "usage": "hf iclass configcard [-hglp] [--ci <dec>] [--ki <dec>]"
3199 "hf iclass creditepurse": {
3200 "command": "hf iclass creditepurse",
3201 "description": "Credit the epurse on an iCLASS tag. The provided key must be the credit key. The first two bytes of the epurse are the debit value (big endian) and may be any value except FFFF. The remaining two bytes of the epurse are the credit value and must be smaller than the previous value.",
3203 "hf iclass creditepurse -d FEFFFFFF -k 001122334455667B",
3204 "hf iclass creditepurse -d FEFFFFFF --ki 0"
3208 "-h, --help This help",
3209 "-k, --key <hex> Credit key as 8 hex bytes",
3210 "--ki <dec> Key index to select key from memory 'hf iclass managekeys'",
3211 "-d, --data <hex> data to write as 8 hex bytes",
3212 "--elite elite computations applied to key",
3213 "--raw no computations applied to key",
3214 "-v, --verbose verbose output",
3215 "--shallow use shallow (ASK) reader modulation instead of OOK"
3217 "usage": "hf iclass creditepurse [-hv] [-k <hex>] [--ki <dec>] -d <hex> [--elite] [--raw] [--shallow]"
3219 "hf iclass decrypt": {
3220 "command": "hf iclass decrypt",
3221 "description": "3DES decrypt data This is a naive implementation, it tries to decrypt every block after block 6. Correct behaviour would be to decrypt only the application areas where the key is valid, which is defined by the configuration block. OBS! In order to use this function, the file `iclass_decryptionkey.bin` must reside in the resources directory. The file must be 16 bytes binary data or... make sure your cardhelper is placed in the sim module",
3223 "hf iclass decrypt -f hf-iclass-AA162D30F8FF12F1-dump.bin",
3224 "hf iclass decrypt -f hf-iclass-AA162D30F8FF12F1-dump.bin -k 000102030405060708090a0b0c0d0e0f",
3225 "hf iclass decrypt -d 1122334455667788 -k 000102030405060708090a0b0c0d0e0f"
3229 "-h, --help This help",
3230 "-f, --file <fn> Specify a filename for dump file",
3231 "-d, --data <hex> 3DES encrypted data",
3232 "-k, --key <hex> 3DES transport key",
3233 "-v, --verbose verbose output",
3234 "--d6 decode as block 6",
3235 "-z, --dense dense dump output style"
3237 "usage": "hf iclass decrypt [-hvz] [-f <fn>] [-d <hex>] [-k <hex>] [--d6]"
3240 "command": "hf iclass dump",
3241 "description": "Dump all memory from a iCLASS tag",
3243 "hf iclass dump -k 001122334455667B",
3244 "hf iclass dump -k AAAAAAAAAAAAAAAA --credit 001122334455667B",
3245 "hf iclass dump -k AAAAAAAAAAAAAAAA --elite",
3246 "hf iclass dump --ki 0",
3247 "hf iclass dump --ki 0 --ci 2"
3251 "-h, --help This help",
3252 "-f, --file <fn> save filename",
3253 "-k, --key <hex> debit key or NR/MAC for replay as 8 hex bytes",
3254 "--ki <dec> debit key index to select key from memory 'hf iclass managekeys'",
3255 "--credit <hex> credit key as 8 hex bytes",
3256 "--ci <dec> credit key index to select key from memory 'hf iclass managekeys'",
3257 "--elite elite computations applied to key",
3258 "--raw raw, the key is interpreted as raw block 3/4",
3259 "--nr replay of NR/MAC",
3260 "-z, --dense dense dump output style",
3261 "--force force unsecure card read",
3262 "--shallow use shallow (ASK) reader modulation instead of OOK",
3263 "--ns no save to file"
3265 "usage": "hf iclass dump [-hz] [-f <fn>] [-k <hex>] [--ki <dec>] [--credit <hex>] [--ci <dec>] [--elite] [--raw] [--nr] [--force] [--shallow] [--ns]"
3267 "hf iclass eload": {
3268 "command": "hf iclass eload",
3269 "description": "Load emulator memory with data from (bin/json) iCLASS dump file",
3271 "hf iclass eload -f hf-iclass-AA162D30F8FF12F1-dump.json",
3272 "hf iclass eload -f hf-iclass-AA162D30F8FF12F1-dump.bin -m"
3276 "-h, --help This help",
3277 "-f, --file <fn> Specify a filename for dump file",
3278 "-m, --mem use RDV4 spiffs",
3279 "-v, --verbose verbose output"
3281 "usage": "hf iclass eload [-hmv] -f <fn>"
3283 "hf iclass encode": {
3284 "command": "hf iclass encode",
3285 "description": "Encode binary wiegand to block 7,8,9 Use either --bin or --wiegand/--fc/--cn",
3287 "hf iclass encode --bin 10001111100000001010100011 --ki 0 -> FC 31 CN 337 (H10301)",
3288 "hf iclass encode -w H10301 --fc 31 --cn 337 --ki 0 -> FC 31 CN 337 (H10301)",
3289 "hf iclass encode --bin 10001111100000001010100011 --ki 0 --elite -> FC 31 CN 337 (H10301), writing w elite key"
3293 "-h, --help This help",
3294 "--bin <bin> Binary string i.e 0001001001",
3295 "--ki <dec> Key index to select key from memory 'hf iclass managekeys'",
3296 "--credit key is assumed to be the credit key",
3297 "--elite elite computations applied to key",
3298 "--raw no computations applied to key",
3299 "--enckey <hex> 3DES transport key, 16 hex bytes",
3300 "--fc <dec> facility code",
3301 "--cn <dec> card number",
3302 "-w, --wiegand <format> see `wiegand list` for available formats",
3303 "--shallow use shallow (ASK) reader modulation instead of OOK",
3304 "-v verbose (print encoded blocks)"
3306 "usage": "hf iclass encode [-hv] [--bin <bin>] --ki <dec> [--credit] [--elite] [--raw] [--enckey <hex>] [--fc <dec>] [--cn <dec>] [-w <format>] [--shallow]"
3308 "hf iclass encrypt": {
3309 "command": "hf iclass encrypt",
3310 "description": "3DES encrypt data OBS! In order to use this function, the file 'iclass_decryptionkey.bin' must reside in the resources directory. The file should be 16 hex bytes of binary data",
3312 "hf iclass encrypt -d 0102030405060708",
3313 "hf iclass encrypt -d 0102030405060708 -k 00112233445566778899AABBCCDDEEFF"
3317 "-h, --help This help",
3318 "-d, --data <hex> data to encrypt",
3319 "-k, --key <hex> 3DES transport key",
3320 "-v, --verbose verbose output"
3322 "usage": "hf iclass encrypt [-hv] -d <hex> [-k <hex>]"
3324 "hf iclass esave": {
3325 "command": "hf iclass esave",
3326 "description": "Save emulator memory to file (bin/json) if filename is not supplied, CSN will be used.",
3329 "hf iclass esave -f hf-iclass-dump",
3330 "hf iclass esave -s 2048 -f hf-iclass-dump"
3334 "-h, --help This help",
3335 "-f, --file <fn> Specify a filename for dump file",
3336 "-s, --size <256|2048> number of bytes to save (default 256)"
3338 "usage": "hf iclass esave [-h] [-f <fn>] [-s <256|2048>]"
3340 "hf iclass esetblk": {
3341 "command": "hf iclass esetblk",
3342 "description": "Sets an individual block in emulator memory.",
3344 "hf iclass esetblk --blk 7 -d 0000000000000000"
3348 "-h, --help This help",
3349 "--blk <dec> block number",
3350 "-d, --data <hex> bytes to write, 8 hex bytes"
3352 "usage": "hf iclass esetblk [-h] --blk <dec> [-d <hex>]"
3354 "hf iclass eview": {
3355 "command": "hf iclass eview",
3356 "description": "Display emulator memory. Number of bytes to download defaults to 256. Other value is 2048.",
3359 "hf iclass eview -s 2048",
3360 "hf iclass eview -s 2048 -v"
3364 "-h, --help This help",
3365 "-s, --size <256|2048> number of bytes to save (default 256)",
3366 "-v, --verbose verbose output",
3367 "-z, --dense dense dump output style"
3369 "usage": "hf iclass eview [-hvz] [-s <256|2048>]"
3372 "command": "hf iclass help",
3373 "description": "help This help list List iclass history view Display content from tag dump file ----------- --------------------- Recovery -------------------- loclass Use loclass to perform bruteforce reader attack lookup Uses authentication trace to check for key in dictionary file ----------- ---------------------- Utils ---------------------- calcnewkey Calc diversified keys (blocks 3 & 4) to write new keys encode Encode binary wiegand to block 7 encrypt Encrypt given block data decrypt Decrypt given block data or tag dump file managekeys Manage keys to use with iclass commands permutekey Permute function from 'heart of darkness' paper --------------------------------------------------------------------------------------- hf iclass list available offline: yes Alias of `trace list -t iclass -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
3375 "hf iclass list --frame -> show frame delay times",
3376 "hf iclass list -1 -> use trace buffer"
3380 "-h, --help This help",
3381 "-1, --buffer use data from trace buffer",
3382 "--frame show frame delay times",
3383 "-c mark CRC bytes",
3384 "-r show relative times (gap and duration)",
3385 "-u display times in microseconds instead of clock cycles",
3386 "-x show hexdump to convert to pcap(ng)",
3387 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
3388 "-f, --file <fn> filename of dictionary"
3390 "usage": "hf iclass list [-h1crux] [--frame] [-f <fn>]"
3393 "command": "hf iclass info",
3394 "description": "Act as a iCLASS reader. Reads / fingerprints a iCLASS tag.",
3400 "-h, --help This help",
3401 "--shallow use shallow (ASK) reader modulation instead of OOK"
3403 "usage": "hf iclass info [-h] [--shallow]"
3405 "hf iclass loclass": {
3406 "command": "hf iclass loclass",
3407 "description": "Execute the offline part of loclass attack An iclass dumpfile is assumed to consist of an arbitrary number of malicious CSNs, and their protocol responses The binary format of the file is expected to be as follows: <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> ... totalling N*24 bytes",
3409 "hf iclass loclass -f iclass_dump.bin",
3410 "hf iclass loclass --test"
3414 "-h, --help This help",
3415 "-f, --file <fn> filename with nr/mac data from `hf iclass sim -t 2`",
3416 "--test Perform self test",
3417 "--long Perform self test, including long ones"
3419 "usage": "hf iclass loclass [-h] [-f <fn>] [--test] [--long]"
3421 "hf iclass lookup": {
3422 "command": "hf iclass lookup",
3423 "description": "This command take sniffed trace data and try to recovery a iCLASS Standard or iCLASS Elite key.",
3425 "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic",
3426 "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic --elite"
3430 "-h, --help This help",
3431 "-f, --file <fn> Dictionary file with default iclass keys",
3432 "--csn <hex> Specify CSN as 8 hex bytes",
3433 "--epurse <hex> Specify ePurse as 8 hex bytes",
3434 "--macs <hex> MACs",
3435 "--elite Elite computations applied to key",
3436 "--raw no computations applied to key"
3438 "usage": "hf iclass lookup [-h] -f <fn> --csn <hex> --epurse <hex> --macs <hex> [--elite] [--raw]"
3440 "hf iclass managekeys": {
3441 "command": "hf iclass managekeys",
3442 "description": "Manage iCLASS Keys in client memory",
3444 "hf iclass managekeys --ki 0 -k 1122334455667788 -> set key 1122334455667788 at index 0",
3445 "hf iclass managekeys -f mykeys.bin --save -> save key file",
3446 "hf iclass managekeys -f mykeys.bin --load -> load key file",
3447 "hf iclass managekeys -p -> print keys"
3451 "-h, --help This help",
3452 "-f, --file <fn> Specify a filename for load / save operations",
3453 "-k, --key <hex> Access key as 8 hex bytes",
3454 "--ki <dec> Specify key index to set key in memory",
3455 "--save Save keys in memory to file specified by filename",
3456 "--load Load keys to memory from file specified by filename",
3457 "-p, --print Print keys loaded into memory"
3459 "usage": "hf iclass managekeys [-hp] [-f <fn>] [-k <hex>] [--ki <dec>] [--save] [--load]"
3461 "hf iclass permutekey": {
3462 "command": "hf iclass permutekey",
3463 "description": "Permute function from 'heart of darkness' paper.",
3465 "hf iclass permutekey --reverse --key 0123456789abcdef",
3466 "hf iclass permutekey --key ff55330f0055330f"
3470 "-h, --help This help",
3471 "-r, --reverse reverse permuted key",
3472 "--key <hex> input key, 8 hex bytes"
3474 "usage": "hf iclass permutekey [-hr] --key <hex>"
3477 "command": "hf iclass rdbl",
3478 "description": "Read a iCLASS block from tag",
3480 "hf iclass rdbl --blk 6 -k 0011223344556677",
3481 "hf iclass rdbl --blk 27 -k 0011223344556677 --credit",
3482 "hf iclass rdbl --blk 10 --ki 0"
3486 "-h, --help This help",
3487 "-k, --key <hex> Access key as 8 hex bytes",
3488 "--ki <dec> Key index to select key from memory 'hf iclass managekeys'",
3489 "--blk <dec> Block number",
3490 "--credit key is assumed to be the credit key",
3491 "--elite elite computations applied to key",
3492 "--raw no computations applied to key",
3493 "--nr replay of NR/MAC",
3494 "-v, --verbose verbose output",
3495 "--shallow use shallow (ASK) reader modulation instead of OOK"
3497 "usage": "hf iclass rdbl [-hv] [-k <hex>] [--ki <dec>] --blk <dec> [--credit] [--elite] [--raw] [--nr] [--shallow]"
3499 "hf iclass reader": {
3500 "command": "hf iclass reader",
3501 "description": "Act as a iCLASS reader. Look for iCLASS tags until Enter or the pm3 button is pressed",
3503 "hf iclass reader -@ -> continuous reader mode"
3507 "-h, --help This help",
3508 "-@ optional - continuous reader mode",
3509 "--shallow use shallow (ASK) reader modulation instead of OOK"
3511 "usage": "hf iclass reader [-h@] [--shallow]"
3513 "hf iclass restore": {
3514 "command": "hf iclass restore",
3515 "description": "Restore data from dumpfile (bin/eml/json) onto a iCLASS tag",
3517 "hf iclass restore -f hf-iclass-AA162D30F8FF12F1-dump.bin --first 6 --last 18 --ki 0",
3518 "hf iclass restore -f hf-iclass-AA162D30F8FF12F1-dump.bin --first 6 --last 18 --ki 0 --elite",
3519 "hf iclass restore -f hf-iclass-AA162D30F8FF12F1-dump.bin --first 6 --last 18 -k 1122334455667788 --elite"
3523 "-h, --help This help",
3524 "-f, --file <fn> specify a filename to restore",
3525 "-k, --key <hex> Access key as 8 hex bytes",
3526 "--ki <dec> Key index to select key from memory 'hf iclass managekeys'",
3527 "--first <dec> The first block number to restore",
3528 "--last <dec> The last block number to restore",
3529 "--credit key is assumed to be the credit key",
3530 "--elite elite computations applied to key",
3531 "--raw no computations applied to key",
3532 "-v, --verbose verbose output",
3533 "--shallow use shallow (ASK) reader modulation instead of OOK"
3535 "usage": "hf iclass restore [-hv] -f <fn> [-k <hex>] [--ki <dec>] --first <dec> --last <dec> [--credit] [--elite] [--raw] [--shallow]"
3538 "command": "hf iclass sam",
3539 "description": "Extract PACS via a HID SAM",
3545 "-h, --help This help",
3546 "-v, --verbose verbose output"
3548 "usage": "hf iclass sam [-hv]"
3551 "command": "hf iclass sim",
3552 "description": "Simulate a iCLASS legacy/standard tag",
3554 "hf iclass sim -t 0 --csn 031FEC8AF7FF12E0 -> simulate with specified CSN",
3555 "hf iclass sim -t 1 -> simulate with default CSN",
3556 "hf iclass sim -t 2 -> execute loclass attack online part",
3557 "hf iclass sim -t 3 -> simulate full iCLASS 2k tag",
3558 "hf iclass sim -t 4 -> Reader-attack, adapted for KeyRoll mode, gather reader responses to extract elite key"
3562 "-h, --help This help",
3563 "-t, --type <0-4> Simulation type to use",
3564 "--csn <hex> Specify CSN as 8 hex bytes to use with sim type 0"
3566 "usage": "hf iclass sim [-h] -t <0-4> [--csn <hex>]"
3568 "hf iclass sniff": {
3569 "command": "hf iclass sniff",
3570 "description": "Sniff the communication reader and tag",
3573 "hf iclass sniff -j -> jam e-purse updates"
3577 "-h, --help This help",
3578 "-j, --jam Jam (prevent) e-purse updates"
3580 "usage": "hf iclass sniff [-hj]"
3583 "command": "hf iclass view",
3584 "description": "Print a iCLASS tag dump file (bin/eml/json)",
3586 "hf iclass view -f hf-iclass-AA162D30F8FF12F1-dump.bin",
3587 "hf iclass view --first 1 -f hf-iclass-AA162D30F8FF12F1-dump.bin",
3589 "If --first is not specified it will default to the first user block",
3590 "which is block 6 for secured chips or block 3 for non-secured chips"
3594 "-h, --help This help",
3595 "-f, --file <fn> Specify a filename for dump file",
3596 "--first <dec> Begin printing from this block (default first user block)",
3597 "--last <dec> End printing at this block (default 0, ALL)",
3598 "-v, --verbose verbose output",
3599 "-z, --dense dense dump output style"
3601 "usage": "hf iclass view [-hvz] -f <fn> [--first <dec>] [--last <dec>]"
3604 "command": "hf iclass wrbl",
3605 "description": "Write data to an iCLASS tag",
3607 "hf iclass wrbl --blk 10 -d AAAAAAAAAAAAAAAA -k 001122334455667B",
3608 "hf iclass wrbl --blk 10 -d AAAAAAAAAAAAAAAA -k 001122334455667B --credit",
3609 "hf iclass wrbl --blk 10 -d AAAAAAAAAAAAAAAA --ki 0"
3613 "-h, --help This help",
3614 "-k, --key <hex> Access key as 8 hex bytes",
3615 "--ki <dec> Key index to select key from memory 'hf iclass managekeys'",
3616 "--blk <dec> block number",
3617 "-d, --data <hex> data to write as 8 hex bytes",
3618 "-m, --mac <hex> replay mac data (4 hex bytes)",
3619 "--credit key is assumed to be the credit key",
3620 "--elite elite computations applied to key",
3621 "--raw no computations applied to key",
3622 "--nr replay of NR/MAC",
3623 "-v, --verbose verbose output",
3624 "--shallow use shallow (ASK) reader modulation instead of OOK"
3626 "usage": "hf iclass wrbl [-hv] [-k <hex>] [--ki <dec>] --blk <dec> -d <hex> [-m <hex>] [--credit] [--elite] [--raw] [--nr] [--shallow]"
3629 "command": "hf ict help",
3630 "description": "help This help list List ICT history reader Act like an IS14443-a reader --------------------------------------------------------------------------------------- hf ict credential available offline: no Read ICT sector from tag and decode",
3636 "-h, --help This help",
3637 "-v, --verbose verbose output"
3639 "usage": "hf ict credential [-hv]"
3642 "command": "hf ict info",
3643 "description": "Get info from ICT encoded credential tags (MIFARE Classic / DESfire)",
3649 "-h, --help This help"
3651 "usage": "hf ict info [-h]"
3654 "command": "hf ict list",
3655 "description": "Alias of `trace list -t 14a -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
3657 "hf ict list --frame -> show frame delay times",
3658 "hf ict list -1 -> use trace buffer"
3662 "-h, --help This help",
3663 "-1, --buffer use data from trace buffer",
3664 "--frame show frame delay times",
3665 "-c mark CRC bytes",
3666 "-r show relative times (gap and duration)",
3667 "-u display times in microseconds instead of clock cycles",
3668 "-x show hexdump to convert to pcap(ng)",
3669 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
3670 "-f, --file <fn> filename of dictionary"
3672 "usage": "hf ict list [-h1crux] [--frame] [-f <fn>]"
3675 "command": "hf ict reader",
3676 "description": "Act as a reader",
3682 "-h, --help This help"
3684 "usage": "hf ict reader [-h]"
3686 "hf jooki decode": {
3687 "command": "hf jooki decode",
3688 "description": "Decode a base64-encode Jooki token in NDEF URI format",
3690 "hf jooki decode -d 7WzlgEzqLgwTnWNy"
3694 "-h, --help This help",
3695 "-d, --data <base64> base64 url parameter",
3696 "-v, --verbose verbose output"
3698 "usage": "hf jooki decode [-hv] -d <base64>"
3700 "hf jooki encode": {
3701 "command": "hf jooki encode",
3702 "description": "Encode a Jooki token to base64 NDEF URI format",
3704 "hf jooki encode -t -> selftest",
3705 "hf jooki encode -r --dragon -> read uid from tag and use for encoding",
3706 "hf jooki encode --uid 04010203040506 --dragon",
3707 "hf jooki encode --uid 04010203040506 --tid 1 --fid 1"
3711 "-h, --help This help",
3712 "-u, --uid <hex> uid bytes",
3713 "-r read uid from tag instead",
3715 "-v, --verbose verbose output",
3716 "--dragon figurine type",
3717 "--fox figurine type",
3718 "--ghost figurine type",
3719 "--knight figurine type",
3720 "--whale figurine type",
3721 "--blackdragon figurine type",
3722 "--blackfox figurine type",
3723 "--blackknight figurine type",
3724 "--blackwhale figurine type",
3725 "--whitedragon figurine type",
3726 "--whitefox figurine type",
3727 "--whiteknight figurine type",
3728 "--whitewhale figurine type",
3729 "--tid <dec> figurine type id",
3730 "--fid <dec> figurine id"
3732 "usage": "hf jooki encode [-hrtv] [-u <hex>] [--dragon] [--fox] [--ghost] [--knight] [--whale] [--blackdragon] [--blackfox] [--blackknight] [--blackwhale] [--whitedragon] [--whitefox] [--whiteknight] [--whitewhale] [--tid <dec>] [--fid <dec>]"
3735 "command": "hf jooki help",
3736 "description": "help This help decode Decode Jooki token encode Encode Jooki token --------------------------------------------------------------------------------------- hf jooki clone available offline: no Write a Jooki token to a Ultralight or NTAG tag",
3738 "hf jooki clone -d <hex bytes> -> where hex is raw NDEF",
3739 "hf jooki clone --b64 7WzlgEzqLgwTnWNy -> using base64 url parameter"
3743 "-h, --help This help",
3744 "-b, --b64 <base64> base64 url parameter",
3745 "-d, --data <hex> raw NDEF bytes",
3746 "-p, --pwd <hex> password for authentication (EV1/NTAG 4 bytes)"
3748 "usage": "hf jooki clone [-h] [-b <base64>] [-d <hex>] [-p <hex>]"
3751 "command": "hf jooki sim",
3752 "description": "Simulate a Jooki token. Either `hf mfu eload` before or use `-d` param",
3754 "hf jooki sim -> use token in emulator memory",
3755 "hf jooki sim -b 7WzlgEzqLgwTnWNy -> using base64 url parameter"
3759 "-h, --help This help",
3760 "-b, --b64 <base64> base64 url parameter"
3762 "usage": "hf jooki sim [-h] [-b <base64>]"
3764 "hf ksx6924 balance": {
3765 "command": "hf ksx6924 balance",
3766 "description": "Gets the current purse balance",
3768 "hf ksx6924 balance"
3772 "-h, --help This help",
3773 "-k, --keep keep field ON for next command",
3774 "-a, --apdu Show APDU requests and responses"
3776 "usage": "hf ksx6924 balance [-hka]"
3778 "hf ksx6924 help": {
3779 "command": "hf ksx6924 help",
3780 "description": "help This help --------------------------------------------------------------------------------------- hf ksx6924 select available offline: no Selects KS X 6924 application, and leaves field up",
3786 "-h, --help This help",
3787 "-a, --apdu Show APDU requests and responses"
3789 "usage": "hf ksx6924 select [-ha]"
3791 "hf ksx6924 info": {
3792 "command": "hf ksx6924 info",
3793 "description": "Get info about a KS X 6924 transit card. This application is used by T-Money (South Korea) and Snapper+ (Wellington, New Zealand).",
3799 "-h, --help This help",
3800 "-k, --keep keep field ON for next command",
3801 "-a, --apdu Show APDU requests and responses"
3803 "usage": "hf ksx6924 info [-hka]"
3805 "hf ksx6924 init": {
3806 "command": "hf ksx6924 init",
3807 "description": "Perform transaction initialization with Mpda (Money of Purchase Transaction)",
3809 "hf ksx6924 init 000003e8 -> Mpda"
3813 "-h, --help This help",
3814 "-k, --keep keep field ON for next command",
3815 "-a, --apdu Show APDU requests and responses"
3817 "usage": "hf ksx6924 init [-hka] <Mpda 4 bytes hex>"
3819 "hf ksx6924 prec": {
3820 "command": "hf ksx6924 prec",
3821 "description": "Executes proprietary read record command. Data format is unknown. Other records are available with 'emv getrec'.",
3823 "hf ksx6924 prec 0b -> read proprietary record 0x0b"
3827 "-h, --help This help",
3828 "-k, --keep keep field ON for next command",
3829 "-a, --apdu Show APDU requests and responses"
3831 "usage": "hf ksx6924 prec [-hka] <record 1byte HEX>"
3834 "command": "hf legic crc",
3835 "description": "Calculates the legic crc8/crc16 on the given data",
3837 "hf legic crc -d deadbeef1122",
3838 "hf legic crc -d deadbeef1122 --mcc 9A -t 16 -> CRC Type 16"
3842 "-h, --help This help",
3843 "-d, --data <hex> bytes to calculate crc over",
3844 "--mcc <hex> MCC hex byte (UID CRC)",
3845 "-t, --type <dec> CRC Type (default: 8)"
3847 "usage": "hf legic crc [-h] -d <hex> [--mcc <hex>] [-t <dec>]"
3850 "command": "hf legic einfo",
3851 "description": "It decodes and displays emulator memory",
3854 "hf legic eview --22"
3858 "-h, --help This help",
3859 "--22 LEGIC Prime MIM22",
3860 "--256 LEGIC Prime MIM256 (def)",
3861 "--1024 LEGIC Prime MIM1024"
3863 "usage": "hf legic einfo [-h] [--22] [--256] [--1024]"
3866 "command": "hf legic eload",
3867 "description": "Loads a LEGIC Prime dump file into emulator memory",
3869 "hf legic eload -f myfile",
3870 "hf legic eload -f myfile --obfuscate"
3874 "-h, --help This help",
3875 "-f, --file <fn> Filename to load",
3876 "--obfuscate Obfuscate dump data (xor with MCC)"
3878 "usage": "hf legic eload [-h] -f <fn> [--obfuscate]"
3881 "command": "hf legic esave",
3882 "description": "Saves a (bin/json) dump file of emulator memory",
3884 "hf legic esave -> uses UID as filename",
3885 "hf legic esave -f myfile --22",
3886 "hf legic esave -f myfile --22 --de"
3890 "-h, --help This help",
3891 "-f, --file <fn> Filename to save",
3892 "--22 LEGIC Prime MIM22",
3893 "--256 LEGIC Prime MIM256 (def)",
3894 "--1024 LEGIC Prime MIM1024",
3895 "--de De-obfuscate dump data (xor with MCC)"
3897 "usage": "hf legic esave [-h] [-f <fn>] [--22] [--256] [--1024] [--de]"
3900 "command": "hf legic eview",
3901 "description": "It displays emulator memory",
3904 "hf legic eview --22"
3908 "-h, --help This help",
3909 "--22 LEGIC Prime MIM22",
3910 "--256 LEGIC Prime MIM256 (def)",
3911 "--1024 LEGIC Prime MIM1024",
3912 "-v, --verbose verbose output"
3914 "usage": "hf legic eview [-hv] [--22] [--256] [--1024]"
3917 "command": "hf legic help",
3918 "description": "----------- --------------------- operations --------------------- help This help list List LEGIC history ----------- --------------------- simulation --------------------- ----------- --------------------- utils --------------------- crc Calculate Legic CRC over given bytes view Display deobfuscated and decoded content from tag dump file --------------------------------------------------------------------------------------- hf legic dump available offline: no Read all memory from LEGIC Prime tags and saves to (bin/json) dump file It autodetects card type (MIM22, MIM256, MIM1024)",
3920 "hf legic dump -> use UID as filename",
3921 "hf legic dump -f myfile",
3922 "hf legic dump --de -> use UID as filename and deobfuscate data"
3926 "-h, --help This help",
3927 "-f, --file <fn> Dump filename",
3928 "--de deobfuscate dump data (xor with MCC)"
3930 "usage": "hf legic dump [-h] [-f <fn>] [--de]"
3933 "command": "hf legic info",
3934 "description": "Gets information from a LEGIC Prime tag like systemarea, user areas, etc",
3940 "-h, --help This help",
3941 "-v, --verbose verbose output"
3943 "usage": "hf legic info [-hv]"
3946 "command": "hf legic list",
3947 "description": "Alias of `trace list -t legic` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
3949 "hf legic list --frame -> show frame delay times",
3950 "hf legic list -1 -> use trace buffer"
3954 "-h, --help This help",
3955 "-1, --buffer use data from trace buffer",
3956 "--frame show frame delay times",
3957 "-c mark CRC bytes",
3958 "-r show relative times (gap and duration)",
3959 "-u display times in microseconds instead of clock cycles",
3960 "-x show hexdump to convert to pcap(ng)",
3961 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
3962 "-f, --file <fn> filename of dictionary"
3964 "usage": "hf legic list [-h1crux] [--frame] [-f <fn>]"
3967 "command": "hf legic rdbl",
3968 "description": "Read data from a LEGIC Prime tag",
3970 "hf legic rdbl -o 0 -l 16 -> read 16 bytes from offset 0 (system header)",
3971 "hf legic rdbl -o 0 -l 4 --iv 55 -> read 4 bytes from offset 0",
3972 "hf legic rdbl -o 0 -l 256 --iv 55 -> read 256 bytes from offset 0"
3976 "-h, --help This help",
3977 "-o, --offset <dec> offset in data array to start download from",
3978 "-l, --length <dec> number of bytes to read",
3979 "--iv <hex> Initialization vector to use. Must be odd and 7bits max"
3981 "usage": "hf legic rdbl [-h] [-o <dec>] [-l <dec>] [--iv <hex>]"
3983 "hf legic reader": {
3984 "command": "hf legic reader",
3985 "description": "Read UID and type information from a LEGIC Prime tag",
3991 "-h, --help This help",
3992 "-@ optional - continuous reader mode"
3994 "usage": "hf legic reader [-h@]"
3996 "hf legic restore": {
3997 "command": "hf legic restore",
3998 "description": "Reads (bin/eml/json) file and it autodetects card type and verifies that the file has the same size Then write the data back to card. All bytes except the first 7bytes [UID(4) MCC(1) DCF(2)]",
4000 "hf legic restore -f myfile -> use user specified filename",
4001 "hf legic restore -f myfile --ob -> use UID as filename and obfuscate data"
4005 "-h, --help This help",
4006 "-f, --file <fn> Specify a filename to restore",
4007 "--ob obfuscate dump data (xor with MCC)"
4009 "usage": "hf legic restore [-h] -f <fn> [--ob]"
4012 "command": "hf legic sim",
4013 "description": "Simulates a LEGIC Prime tag. Following types supported (MIM22, MIM256, MIM1024)",
4019 "-h, --help This help",
4020 "--22 LEGIC Prime MIM22",
4021 "--256 LEGIC Prime MIM256 (def)",
4022 "--1024 LEGIC Prime MIM1024"
4024 "usage": "hf legic sim [-h] [--22] [--256] [--1024]"
4027 "command": "hf legic view",
4028 "description": "Print a LEGIC Prime dump file (bin/eml/json)",
4030 "hf legic view -f hf-legic-01020304-dump.bin"
4034 "-h, --help This help",
4035 "-f, --file <fn> Specify a filename for dump file",
4036 "-v, --verbose verbose output"
4038 "usage": "hf legic view [-hv] -f <fn>"
4041 "command": "hf legic wipe",
4042 "description": "Fills a LEGIC Prime tags memory with zeros. From byte7 and to the end It autodetects card type",
4048 "-h, --help This help"
4050 "usage": "hf legic wipe [-h]"
4053 "command": "hf legic wrbl",
4054 "description": "Write data to a LEGIC Prime tag. It autodetects tagsize to ensure proper write",
4056 "hf legic wrbl -o 0 -d 11223344 -> Write 0x11223344 starting from offset 0)",
4057 "hf legic wrbl -o 10 -d DEADBEEF -> Write 0xdeadbeef starting from offset 10"
4061 "-h, --help This help",
4062 "-o, --offset <dec> offset in data array to start writing",
4063 "-d, --data <hex> data to write",
4064 "--danger Auto-confirm dangerous operations"
4066 "usage": "hf legic wrbl [-h] -o <dec> -d <hex> [--danger]"
4069 "command": "hf lto help",
4070 "description": "help This help list List LTO-CM history --------------------------------------------------------------------------------------- hf lto dump available offline: no Dump data from LTO tag",
4072 "hf lto dump -f myfile"
4076 "-h, --help This help",
4077 "-f, --file <fn> specify a filename for dumpfile"
4079 "usage": "hf lto dump [-h] [-f <fn>]"
4082 "command": "hf lto info",
4083 "description": "Get info from LTO tags",
4089 "-h, --help This help"
4091 "usage": "hf lto info [-h]"
4094 "command": "hf lto list",
4095 "description": "Alias of `trace list -t lto -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
4097 "hf lto list --frame -> show frame delay times",
4098 "hf lto list -1 -> use trace buffer"
4102 "-h, --help This help",
4103 "-1, --buffer use data from trace buffer",
4104 "--frame show frame delay times",
4105 "-c mark CRC bytes",
4106 "-r show relative times (gap and duration)",
4107 "-u display times in microseconds instead of clock cycles",
4108 "-x show hexdump to convert to pcap(ng)",
4109 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
4110 "-f, --file <fn> filename of dictionary"
4112 "usage": "hf lto list [-h1crux] [--frame] [-f <fn>]"
4115 "command": "hf lto rdbl",
4116 "description": "Reead blocks from LTO tag",
4118 "hf lto rdbl --first 0 --last 254"
4122 "-h, --help This help",
4123 "--first <dec> The first block number to read as an integer",
4124 "--last <dec> The last block number to read as an integer"
4126 "usage": "hf lto rdbl [-h] [--first <dec>] [--last <dec>]"
4129 "command": "hf lto reader",
4130 "description": "Act as a LTO-CM reader. Look for LTO-CM tags until Enter or the pm3 button is pressed",
4132 "hf lto reader -@ -> continuous reader mode"
4136 "-h, --help This help",
4137 "-@ optional - continuous reader mode"
4139 "usage": "hf lto reader [-h@]"
4142 "command": "hf lto restore",
4143 "description": "Restore data from dumpfile to LTO tag",
4145 "hf lto restore -f hf-lto-92C7842CFF.bin|.eml"
4149 "-h, --help This help",
4150 "-f, --file <fn> specify a filename for dumpfile"
4152 "usage": "hf lto restore [-h] -f <fn>"
4155 "command": "hf lto wrbl",
4156 "description": "Write data to block on LTO tag",
4158 "hf lto wrbl --blk 128 -d 0001020304050607080910111213141516171819202122232425262728293031"
4162 "-h, --help This help",
4163 "-d, --data <hex> 32 bytes of data to write (64 hex symbols, no spaces)",
4164 "--blk <dec> The block number to write to as an integer"
4166 "usage": "hf lto wrbl [-h] -d <hex> --blk <dec>"
4169 "command": "hf mf acl",
4170 "description": "Print decoded MIFARE access rights (ACL), A = key A B = key B AB = both key A and B ACCESS = access bytes inside sector trailer block Increment, decrement, transfer, restore is for value blocks",
4173 "hf mf acl -d FF0780"
4177 "-h, --help This help",
4178 "-d, --data <hex> ACL bytes specified as 3 hex bytes"
4180 "usage": "hf mf acl [-h] -d <hex>"
4183 "command": "hf mf auth4",
4184 "description": "Executes AES authentication command in ISO14443-4",
4186 "hf mf auth4 -n 4000 -k 000102030405060708090a0b0c0d0e0f -> executes authentication",
4187 "hf mf auth4 -n 9003 -k FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication"
4191 "-h, --help This help",
4192 "-n <hex> key num, 2 hex bytes",
4193 "-k, --key <hex> key, 16 hex bytes"
4195 "usage": "hf mf auth4 [-h] -n <hex> -k <hex>"
4198 "command": "hf mf autopwn",
4199 "description": "This command automates the key recovery process on MIFARE Classic cards. It uses the fchk, chk, darkside, nested, hardnested and staticnested to recover keys. If all keys are found, it try dumping card content both to file and emulator memory.",
4202 "hf mf autopwn -s 0 -a -k FFFFFFFFFFFF -> target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'",
4203 "hf mf autopwn --1k -f mfc_default_keys -> target MFC 1K card, default dictionary",
4204 "hf mf autopwn --1k -s 0 -a -k FFFFFFFFFFFF -f mfc_default_keys -> combo of the two above samples",
4205 "hf mf autopwn --1k -s 0 -a -k FFFFFFFFFFFF -k a0a1a2a3a4a5 -> multiple user supplied keys"
4209 "-h, --help This help",
4210 "-k, --key <hex> Known key, 12 hex bytes",
4211 "-s, --sector <dec> Input sector number",
4212 "-a Input key A (def)",
4214 "-f, --file <fn> filename of dictionary",
4215 "--slow Slower acquisition (required by some non standard cards)",
4216 "-l, --legacy legacy mode (use the slow `hf mf chk`)",
4217 "-v, --verbose verbose output",
4218 "--mini MIFARE Classic Mini / S20",
4219 "--1k MIFARE Classic 1k / S50 (default)",
4220 "--2k MIFARE Classic/Plus 2k",
4221 "--4k MIFARE Classic 4k / S70",
4222 "--in None (use CPU regular instruction set)",
4229 "usage": "hf mf autopwn [-hablv] [-k <hex>]... [-s <dec>] [-f <fn>] [--slow] [--mini] [--1k] [--2k] [--4k] [--in] [--im] [--is] [--ia] [--i2] [--i5]"
4232 "command": "hf mf brute",
4233 "description": "This is a smart bruteforce, exploiting common patterns, bugs and bad designs in key generators.",
4235 "hf mf brute --mini -> Key recovery against MIFARE Mini",
4236 "hf mf brute --1k -> Key recovery against MIFARE Classic 1k",
4237 "hf mf brute --2k -> Key recovery against MIFARE 2k",
4238 "hf mf brute --4k -> Key recovery against MIFARE 4k",
4239 "hf mf brute --1k --emu -> Target 1K, write keys to emulator memory",
4240 "hf mf brute --1k --dump -> Target 1K, write keys to file"
4244 "-h, --help This help",
4245 "--mini MIFARE Classic Mini / S20",
4246 "--1k MIFARE Classic 1k / S50 (default)",
4247 "--2k MIFARE Classic/Plus 2k",
4248 "--4k MIFARE Classic 4k / S70",
4249 "--emu Fill simulator keys from found keys",
4250 "--dump Dump found keys to binary file"
4252 "usage": "hf mf brute [-h] [--mini] [--1k] [--2k] [--4k] [--emu] [--dump]"
4255 "command": "hf mf cgetblk",
4256 "description": "Get block data from magic Chinese card. Only works with magic gen1a cards",
4258 "hf mf cgetblk --blk 0 -> get block 0 (manufacturer)",
4259 "hf mf cgetblk --blk 3 -v -> get block 3, decode sector trailer"
4263 "-h, --help This help",
4264 "-b, --blk <dec> block number",
4265 "-v, --verbose verbose output"
4267 "usage": "hf mf cgetblk [-hv] -b <dec>"
4270 "command": "hf mf cgetsc",
4271 "description": "Get sector data from magic Chinese card. Only works with magic gen1a cards",
4277 "-h, --help This help",
4278 "-s, --sec <dec> sector number",
4279 "-v, --verbose verbose output"
4281 "usage": "hf mf cgetsc [-hv] -s <dec>"
4284 "command": "hf mf chk",
4285 "description": "Check keys on MIFARE Classic card",
4287 "hf mf chk --mini -k FFFFFFFFFFFF -> Check all sectors, all keys against MIFARE Mini",
4288 "hf mf chk --1k -k FFFFFFFFFFFF -> Check all sectors, all keys against MIFARE Classic 1k",
4289 "hf mf chk --2k -k FFFFFFFFFFFF -> Check all sectors, all keys against MIFARE 2k",
4290 "hf mf chk --4k -k FFFFFFFFFFFF -> Check all sectors, all keys against MIFARE 4k",
4291 "hf mf chk --1k --emu -> Check all sectors, all keys, 1K, and write to emulator memory",
4292 "hf mf chk --1k --dump -> Check all sectors, all keys, 1K, and write to file",
4293 "hf mf chk -a --tblk 0 -f mfc_default_keys.dic -> Check dictionary against block 0, key A"
4297 "-h, --help This help",
4298 "-k, --key <hex> Key specified as 12 hex symbols",
4299 "--tblk <dec> Target block number",
4302 "-*, --all Target both key A & B (default)",
4303 "--mini MIFARE Classic Mini / S20",
4304 "--1k MIFARE Classic 1k / S50 (default)",
4305 "--2k MIFARE Classic/Plus 2k",
4306 "--4k MIFARE Classic 4k / S70",
4307 "--emu Fill simulator keys from found keys",
4308 "--dump Dump found keys to binary file",
4309 "-f, --file <fn> Filename of dictionary"
4311 "usage": "hf mf chk [-hab*] [-k <hex>]... [--tblk <dec>] [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [-f <fn>]"
4314 "command": "hf mf cload",
4315 "description": "Load magic gen1a card with data from (bin/eml/json) dump file or from emulator memory.",
4317 "hf mf cload --emu",
4318 "hf mf cload -f hf-mf-01020304.eml"
4322 "-h, --help This help",
4323 "-f, --file <fn> Specify a filename for dump file",
4324 "--mini MIFARE Classic Mini / S20",
4325 "--1k MIFARE Classic 1k / S50 (def)",
4326 "--2k MIFARE Classic/Plus 2k",
4327 "--4k MIFARE Classic 4k / S70",
4328 "--emu from emulator memory"
4330 "usage": "hf mf cload [-h] [-f <fn>] [--mini] [--1k] [--2k] [--4k] [--emu]"
4333 "command": "hf mf csave",
4334 "description": "Save magic gen1a card memory to file (bin/json)or into emulator memory",
4341 "-h, --help This help",
4342 "-f, --file <fn> Specify a filename for dump file",
4343 "--mini MIFARE Classic Mini / S20",
4344 "--1k MIFARE Classic 1k / S50 (def)",
4345 "--2k MIFARE Classic/Plus 2k",
4346 "--4k MIFARE Classic 4k / S70",
4347 "--emu to emulator memory"
4349 "usage": "hf mf csave [-h] [-f <fn>] [--mini] [--1k] [--2k] [--4k] [--emu]"
4352 "command": "hf mf csetblk",
4353 "description": "Set block data on a magic gen1a card",
4355 "hf mf csetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f"
4359 "-h, --help This help",
4360 "-b, --blk <dec> block number",
4361 "-d, --data <hex> bytes to write, 16 hex bytes",
4362 "-w, --wipe wipes card with backdoor cmd before writing"
4364 "usage": "hf mf csetblk [-hw] -b <dec> [-d <hex>]"
4367 "command": "hf mf csetuid",
4368 "description": "Set UID, ATQA, and SAK for magic gen1a card",
4370 "hf mf csetuid -u 01020304",
4371 "hf mf csetuid -w -u 01020304 --atqa 0004 --sak 08"
4375 "-h, --help This help",
4376 "-w, --wipe wipes card with backdoor cmd`",
4377 "-u, --uid <hex> UID, 4/7 hex bytes",
4378 "-a, --atqa <hex> ATQA, 2 hex bytes",
4379 "-s, --sak <hex> SAK, 1 hex byte"
4381 "usage": "hf mf csetuid [-hw] [-u <hex>] [-a <hex>] [-s <hex>]"
4384 "command": "hf mf cview",
4385 "description": "View `magic gen1a` card memory",
4392 "-h, --help This help",
4393 "--mini MIFARE Classic Mini / S20",
4394 "--1k MIFARE Classic 1k / S50 (def)",
4395 "--2k MIFARE Classic/Plus 2k",
4396 "--4k MIFARE Classic 4k / S70",
4397 "-v, --verbose verbose output"
4399 "usage": "hf mf cview [-hv] [--mini] [--1k] [--2k] [--4k]"
4402 "command": "hf mf cwipe",
4403 "description": "Wipe gen1 magic chinese card. Set UID / ATQA / SAK / Data / Keys / Access to default values",
4406 "hf mf cwipe -u 09080706 -a 0004 -s 18 -> set UID, ATQA and SAK and wipe card"
4410 "-h, --help This help",
4411 "-u, --uid <hex> UID, 4 hex bytes",
4412 "-a, --atqa <hex> ATQA, 2 hex bytes",
4413 "-s, --sak <hex> SAK, 1 hex byte"
4415 "usage": "hf mf cwipe [-h] [-u <hex>] [-a <hex>] [-s <hex>]"
4418 "command": "hf mf darkside",
4419 "description": "Darkside attack",
4422 "hf mf darkside --blk 16",
4423 "hf mf darkside --blk 16 -b"
4427 "-h, --help This help",
4428 "--blk <dec> Target block",
4429 "-b Target key B instead of default key A"
4431 "usage": "hf mf darkside [-hb] [--blk <dec> ]"
4434 "command": "hf mf decrypt",
4435 "description": "Decrypt Crypto-1 encrypted bytes given some known state of crypto. See tracelog to gather needed values",
4437 "hf mf decrypt --nt b830049b --ar 9248314a --at 9280e203 -d 41e586f9",
4438 "-> 41e586f9 becomes 3003999a",
4439 "-> which annotates 30 03 [99 9a] read block 3 [crc]"
4443 "-h, --help This help",
4444 "--nt <hex> tag nonce",
4445 "--ar <hex> ar_enc, encrypted reader response",
4446 "--at <hex> at_enc, encrypted tag response",
4447 "-d, --data <hex> encrypted data, taken directly after at_enc and forward"
4449 "usage": "hf mf decrypt [-h] --nt <hex> --ar <hex> --at <hex> -d <hex>"
4452 "command": "hf mf dump",
4453 "description": "Dump MIFARE Classic tag to file (bin/json) If no <name> given, UID will be used as filename",
4455 "hf mf dump --mini -> MIFARE Mini",
4456 "hf mf dump --1k -> MIFARE Classic 1k",
4457 "hf mf dump --2k -> MIFARE 2k",
4458 "hf mf dump --4k -> MIFARE 4k",
4459 "hf mf dump --keys hf-mf-066C8B78-key.bin -> MIFARE 1k with keys from specified file"
4463 "-h, --help This help",
4464 "-f, --file <fn> Specify a filename for dump file",
4465 "-k, --keys <fn> filename of keys",
4466 "--mini MIFARE Classic Mini / S20",
4467 "--1k MIFARE Classic 1k / S50 (def)",
4468 "--2k MIFARE Classic/Plus 2k",
4469 "--4k MIFARE Classic 4k / S70",
4470 "--ns no save to file",
4471 "-v, --verbose verbose output"
4473 "usage": "hf mf dump [-hv] [-f <fn>] [-k <fn>] [--mini] [--1k] [--2k] [--4k] [--ns]"
4476 "command": "hf mf ecfill",
4477 "description": "Dump card and transfer the data to emulator memory. Keys must be in the emulator memory",
4479 "hf mf ecfill -> use key type A",
4480 "hf mf ecfill --4k -b -> target 4K card with key type B"
4484 "-h, --help This help",
4485 "-a input key type is key A(def)",
4486 "-b input key type is key B",
4487 "--mini MIFARE Classic Mini / S20",
4488 "--1k MIFARE Classic 1k / S50 (def)",
4489 "--2k MIFARE Classic/Plus 2k",
4490 "--4k MIFARE Classic 4k / S70"
4492 "usage": "hf mf ecfill [-hab] [--mini] [--1k] [--2k] [--4k]"
4495 "command": "hf mf eclr",
4496 "description": "It set card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF",
4502 "-h, --help This help"
4504 "usage": "hf mf eclr [-h]"
4507 "command": "hf mf egetblk",
4508 "description": "Get emulator memory block",
4510 "hf mf egetblk --blk 0 -> get block 0 (manufacturer)",
4511 "hf mf egetblk --blk 3 -v -> get block 3, decode sector trailer"
4515 "-h, --help This help",
4516 "-b, --blk <dec> block number",
4517 "-v, --verbose verbose output"
4519 "usage": "hf mf egetblk [-hv] -b <dec>"
4522 "command": "hf mf egetsc",
4523 "description": "Get emulator memory sector",
4529 "-h, --help This help",
4530 "-s, --sec <dec> sector number",
4531 "-v, --verbose verbose output"
4533 "usage": "hf mf egetsc [-hv] -s <dec>"
4536 "command": "hf mf ekeyprn",
4537 "description": "Download and print the keys from emulator memory",
4539 "hf mf ekeyprn --1k -> print MFC 1K keyset",
4540 "hf mf ekeyprn -w -> write keys to binary file"
4544 "-h, --help This help",
4545 "-w, --write write keys to binary file `hf-mf-<UID>-key.bin`",
4546 "--mini MIFARE Classic Mini / S20",
4547 "--1k MIFARE Classic 1k / S50 (def)",
4548 "--2k MIFARE Classic/Plus 2k",
4549 "--4k MIFARE Classic 4k / S70"
4551 "usage": "hf mf ekeyprn [-hw] [--mini] [--1k] [--2k] [--4k]"
4554 "command": "hf mf eload",
4555 "description": "Load emulator memory with data from (bin/eml/json) dump file",
4557 "hf mf eload -f hf-mf-01020304.bin",
4558 "hf mf eload --4k -f hf-mf-01020304.eml"
4562 "-h, --help This help",
4563 "-f, --file <fn> Specify a filename for dump file",
4564 "--mini MIFARE Classic Mini / S20",
4565 "--1k MIFARE Classic 1k / S50 (def)",
4566 "--2k MIFARE Classic/Plus 2k",
4567 "--4k MIFARE Classic 4k / S70",
4568 "--ul MIFARE Ultralight family",
4569 "-m, --mem use RDV4 spiffs",
4570 "-q, --qty <dec> manually set number of blocks (overrides)",
4571 "-v, --verbose verbose output"
4573 "usage": "hf mf eload [-hmv] -f <fn> [--mini] [--1k] [--2k] [--4k] [--ul] [-q <dec>]"
4575 "hf mf encodehid": {
4576 "command": "hf mf encodehid",
4577 "description": "Encode binary wiegand to card Use either --bin or --wiegand/--fc/--cn",
4579 "hf mf encodehid --bin 10001111100000001010100011 -> FC 31 CN 337 (H10301)",
4580 "hf mf encodehid -w H10301 --fc 31 --cn 337"
4584 "-h, --help This help",
4585 "--bin <bin> Binary string i.e 0001001001",
4586 "--fc <dec> facility code",
4587 "--cn <dec> card number",
4588 "-w, --wiegand <format> see `wiegand list` for available formats",
4589 "-v, --verbose verbose output"
4591 "usage": "hf mf encodehid [-hv] [--bin <bin>] [--fc <dec>] [--cn <dec>] [-w <format>]"
4594 "command": "hf mf esave",
4595 "description": "Save emulator memory to file (bin/json)",
4599 "hf mf esave --4k -f hf-mf-01020304.eml"
4603 "-h, --help This help",
4604 "-f, --file <fn> Specify a filename for dump file",
4605 "--mini MIFARE Classic Mini / S20",
4606 "--1k MIFARE Classic 1k / S50 (def)",
4607 "--2k MIFARE Classic/Plus 2k",
4608 "--4k MIFARE Classic 4k / S70"
4610 "usage": "hf mf esave [-h] [-f <fn>] [--mini] [--1k] [--2k] [--4k]"
4613 "command": "hf mf esetblk",
4614 "description": "Set emulator memory block",
4616 "hf mf esetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f"
4620 "-h, --help This help",
4621 "-b, --blk <dec> block number",
4622 "-d, --data <hex> bytes to write, 16 hex bytes"
4624 "usage": "hf mf esetblk [-h] -b <dec> [-d <hex>]"
4627 "command": "hf mf eview",
4628 "description": "It displays emulator memory",
4635 "-h, --help This help",
4636 "--mini MIFARE Classic Mini / S20",
4637 "--1k MIFARE Classic 1k / S50 (def)",
4638 "--2k MIFARE Classic/Plus 2k",
4639 "--4k MIFARE Classic 4k / S70",
4640 "-v, --verbose verbose output",
4641 "--sk Save extracted keys to binary file"
4643 "usage": "hf mf eview [-hv] [--mini] [--1k] [--2k] [--4k] [--sk]"
4646 "command": "hf mf fchk",
4647 "description": "This is a improved checkkeys method speedwise. It checks MIFARE Classic tags sector keys against a dictionary file with keys",
4649 "hf mf fchk --mini -k FFFFFFFFFFFF -> Key recovery against MIFARE Mini",
4650 "hf mf fchk --1k -k FFFFFFFFFFFF -> Key recovery against MIFARE Classic 1k",
4651 "hf mf fchk --2k -k FFFFFFFFFFFF -> Key recovery against MIFARE 2k",
4652 "hf mf fchk --4k -k FFFFFFFFFFFF -> Key recovery against MIFARE 4k",
4653 "hf mf fchk --1k -f mfc_default_keys.dic -> Target 1K using default dictionary file",
4654 "hf mf fchk --1k --emu -> Target 1K, write keys to emulator memory",
4655 "hf mf fchk --1k --dump -> Target 1K, write keys to file",
4656 "hf mf fchk --1k --mem -> Target 1K, use dictionary from flash memory"
4660 "-h, --help This help",
4661 "-k, --key <hex> Key specified as 12 hex symbols",
4662 "--mini MIFARE Classic Mini / S20",
4663 "--1k MIFARE Classic 1k / S50 (default)",
4664 "--2k MIFARE Classic/Plus 2k",
4665 "--4k MIFARE Classic 4k / S70",
4666 "--emu Fill simulator keys from found keys",
4667 "--dump Dump found keys to binary file",
4668 "--mem Use dictionary from flashmemory",
4669 "-f, --file <fn> filename of dictionary"
4671 "usage": "hf mf fchk [-h] [-k <hex>]... [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [--mem] [-f <fn>]"
4674 "command": "hf mf gchpwd",
4675 "description": "Change access password for Gen4 GTU card. WARNING! If you dont KNOW the password - you CAN'T access it!!!",
4677 "hf mf gchpwd --pwd 00000000 --newpwd 01020304"
4681 "-h, --help This help",
4682 "-p, --pwd <hex> password 4 bytes",
4683 "-n, --newpwd <hex> new password 4 bytes",
4684 "-v, --verbose verbose output"
4686 "usage": "hf mf gchpwd [-hv] [-p <hex>] [-n <hex>]"
4689 "command": "hf mf gdmcfg",
4690 "description": "Get configuration data from magic gen4 GDM card.",
4696 "-h, --help This help",
4697 "-k, --key <hex> key 6 bytes (only for regular wakeup)",
4698 "--gen1a use gen1a (40/43) magic wakeup",
4699 "--gdm use gdm alt (20/23) magic wakeup"
4701 "usage": "hf mf gdmcfg [-h] [-k <hex>] [--gen1a] [--gdm]"
4703 "hf mf gdmparsecfg": {
4704 "command": "hf mf gdmparsecfg",
4705 "description": "Parse configuration data on a magic gen4 GDM card",
4707 "hf mf gdmparsecfg -d 850000000000000000005A5A00000008"
4711 "-h, --help This help",
4712 "-d, --data <hex> bytes to write, 16 hex bytes"
4714 "usage": "hf mf gdmparsecfg [-h] -d <hex>"
4716 "hf mf gdmsetblk": {
4717 "command": "hf mf gdmsetblk",
4718 "description": "Set block data on a magic gen4 GDM card `--force` param is used to override warnings like bad ACL writes. if not specified, it will exit if detected",
4720 "hf mf gdmsetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f"
4724 "-h, --help This help",
4725 "--blk <dec> block number",
4726 "-d, --data <hex> bytes to write, 16 hex bytes",
4727 "-k, --key <hex> key, 6 hex bytes",
4728 "--force override warnings"
4730 "usage": "hf mf gdmsetblk [-h] --blk <dec> [-d <hex>] [-k <hex>] [--force]"
4732 "hf mf gdmsetcfg": {
4733 "command": "hf mf gdmsetcfg",
4734 "description": "Set configuration data on a magic gen4 GDM card",
4736 "hf mf gdmsetcfg -d 850000000000000000005A5A00000008"
4740 "-h, --help This help",
4741 "-d, --data <hex> bytes to write, 16 hex bytes",
4742 "-k, --key <hex> key 6 bytes (only for regular wakeup)",
4743 "--gen1a use gen1a (40/43) magic wakeup",
4744 "--gdm use gdm alt (20/23) magic wakeup"
4746 "usage": "hf mf gdmsetcfg [-h] -d <hex> [-k <hex>] [--gen1a] [--gdm]"
4749 "command": "hf mf gen3blk",
4750 "description": "Overwrite full manufacturer block for magic Gen3 card - You can specify part of manufacturer block as 4/7-bytes for UID change only NOTE: BCC, SAK, ATQA will be calculated automatically",
4752 "hf mf gen3blk -> print current data",
4753 "hf mf gen3blk -d 01020304 -> set 4 byte uid",
4754 "hf mf gen3blk -d 01020304050607 -> set 7 byte uid",
4755 "hf mf gen3blk -d 01020304FFFFFFFF0102030405060708"
4759 "-h, --help This help",
4760 "-d, --data <hex> manufacturer block data up to 16 hex bytes"
4762 "usage": "hf mf gen3blk [-h] [-d <hex>]"
4764 "hf mf gen3freeze": {
4765 "command": "hf mf gen3freeze",
4766 "description": "Perma lock further UID changes. No more UID changes available after operation completed Note: operation is ! irreversible !",
4768 "hf mf gen3freeze -y"
4772 "-h, --help This help",
4773 "-y, --yes confirm UID lock operation"
4775 "usage": "hf mf gen3freeze -y[h]"
4778 "command": "hf mf gen3uid",
4779 "description": "Set UID for magic Gen3 card _without_ changes to manufacturer block 0",
4781 "hf mf gen3uid --uid 01020304 -> set 4 byte uid",
4782 "hf mf gen3uid --uid 01020304050607 -> set 7 byte uid"
4786 "-h, --help This help",
4787 "-u, --uid <hex> UID 4/7 hex bytes"
4789 "usage": "hf mf gen3uid [-h] [-u <hex>]"
4792 "command": "hf mf ggetblk",
4793 "description": "Get block data from magic gen4 GTU card.",
4795 "hf mf ggetblk --blk 0 -> get block 0 (manufacturer)",
4796 "hf mf ggetblk --blk 3 -v -> get block 3, decode sector trailer"
4800 "-h, --help This help",
4801 "-b, --blk <dec> block number",
4802 "-v, --verbose verbose output",
4803 "-p, --pwd <hex> password 4bytes"
4805 "usage": "hf mf ggetblk [-hv] -b <dec> [-p <hex>]"
4808 "command": "hf mf ginfo",
4809 "description": "Read info about magic gen4 GTU card.",
4811 "hf mf ginfo -> get info with default password 00000000",
4812 "hf mf ginfo --pwd 01020304 -> get info with password",
4813 "hf mf ginfo -d 00000000000002090978009102BDAC19131011121314151604001800FF0002FD -v -> decode config block"
4817 "-h, --help This help",
4818 "-v, --verbose verbose output",
4819 "-p, --pwd <hex> password 4 bytes",
4820 "-d, --data <hex> config bytes 32 bytes"
4822 "usage": "hf mf ginfo [-hv] [-p <hex>] [-d <hex>]"
4825 "command": "hf mf gload",
4826 "description": "Load magic gen4 gtu card with data from (bin/eml/json) dump file or from emulator memory.",
4828 "hf mf gload --emu",
4829 "hf mf gload -f hf-mf-01020304.eml",
4830 "hf mf gload -p AABBCCDD --4k -v -f hf-mf-01020304-dump.bin",
4832 "Card must be configured beforehand with `script run hf_mf_ultimatecard`.",
4833 "Blocks are 16 bytes long."
4837 "-h, --help This help",
4838 "--mini MIFARE Classic Mini / S20",
4839 "--1k MIFARE Classic 1k / S50 (def)",
4840 "--2k MIFARE Classic/Plus 2k",
4841 "--4k MIFARE Classic 4k / S70",
4842 "-p, --pwd <hex> password 4bytes",
4843 "-v, --verbose verbose output",
4844 "-f, --file <fn> Specify a filename for dump file",
4845 "--emu from emulator memory",
4846 "--start <dec> index of block to start writing (default 0)",
4847 "--end <dec> index of block to end writing (default last block)"
4849 "usage": "hf mf gload [-hv] [--mini] [--1k] [--2k] [--4k] [-p <hex>] [-f <fn>] [--emu] [--start <dec>] [--end <dec>]"
4852 "command": "hf mf gsave",
4853 "description": "Save `magic gen4 gtu` card memory to file (bin/json)or into emulator memory",
4857 "hf mf gsave -p DEADBEEF -f hf-mf-01020304.json"
4861 "-h, --help This help",
4862 "--mini MIFARE Classic Mini / S20",
4863 "--1k MIFARE Classic 1k / S50 (def)",
4864 "--2k MIFARE Classic/Plus 2k",
4865 "--4k MIFARE Classic 4k / S70",
4866 "-p, --pwd <hex> password 4 bytes",
4867 "-f, --file <fn> Specify a filename for dump file",
4868 "--emu to emulator memory"
4870 "usage": "hf mf gsave [-h] [--mini] [--1k] [--2k] [--4k] [-p <hex>] [-f <fn>] [--emu]"
4873 "command": "hf mf gsetblk",
4874 "description": "Set block data on a magic gen4 GTU card",
4876 "hf mf gsetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f"
4880 "-h, --help This help",
4881 "-b, --blk <dec> block number",
4882 "-d, --data <hex> bytes to write, 16 hex bytes",
4883 "-p, --pwd <hex> password 4bytes"
4885 "usage": "hf mf gsetblk [-h] -b <dec> [-d <hex>] [-p <hex>]"
4888 "command": "hf mf gview",
4889 "description": "View `magic gen4 gtu` card memory",
4896 "-h, --help This help",
4897 "--mini MIFARE Classic Mini / S20",
4898 "--1k MIFARE Classic 1k / S50 (def)",
4899 "--2k MIFARE Classic/Plus 2k",
4900 "--4k MIFARE Classic 4k / S70",
4901 "-p, --pwd <hex> password 4bytes",
4902 "-v, --verbose verbose output"
4904 "usage": "hf mf gview [-hv] [--mini] [--1k] [--2k] [--4k] [-p <hex>]"
4906 "hf mf hardnested": {
4907 "command": "hf mf hardnested",
4908 "description": "Nested attack for hardened MIFARE Classic cards. if card is EV1, command can detect and use known key see example below `--i<X>` set type of SIMD instructions. Without this flag programs autodetect it. or hf mf hardnested -r --tk [known target key] Add the known target key to check if it is present in the remaining key space hf mf hardnested --blk 0 -a -k A0A1A2A3A4A5 --tblk 4 --ta --tk FFFFFFFFFFFF",
4910 "hf mf hardnested --tblk 4 --ta -> works for MFC EV1",
4911 "hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta",
4912 "hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -w",
4913 "hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -f nonces.bin -w -s",
4914 "hf mf hardnested -r",
4915 "hf mf hardnested -r --tk a0a1a2a3a4a5",
4916 "hf mf hardnested -t --tk a0a1a2a3a4a5",
4917 "hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 4 --ta --tk FFFFFFFFFFFF"
4921 "-h, --help This help",
4922 "-k, --key <hex> Key, 12 hex bytes",
4923 "--blk <dec> Input block number",
4924 "-a Input key A (def)",
4926 "--tblk <dec> Target block number",
4927 "--ta Target key A",
4928 "--tb Target key B",
4929 "--tk <hex> Target key, 12 hex bytes",
4930 "-u, --uid <hex> R/W `hf-mf-<UID>-nonces.bin` instead of default name",
4931 "-f, --file <fn> R/W <name> instead of default name",
4932 "-r, --read Read `hf-mf-<UID>-nonces.bin` if tag present, otherwise `nonces.bin`, and start attack",
4933 "-s, --slow Slower acquisition (required by some non standard cards)",
4934 "-t, --tests Run tests",
4935 "-w, --wr Acquire nonces and UID, and write them to file `hf-mf-<UID>-nonces.bin`",
4936 "--in None (use CPU regular instruction set)",
4943 "usage": "hf mf hardnested [-habrstw] [-k <hex>] [--blk <dec>] [--tblk <dec>] [--ta] [--tb] [--tk <hex>] [-u <hex>] [-f <fn>] [--in] [--im] [--is] [--ia] [--i2] [--i5]"
4946 "command": "hf mf help",
4947 "description": "help This help list List MIFARE history hardnested Nested attack for hardened MIFARE Classic cards decrypt Decrypt Crypto1 data from sniff or trace acl Decode and print MIFARE Classic access rights bytes mad Checks and prints MAD value Value blocks view Display content from tag dump file gdmparsecfg Parse config block to card --------------------------------------------------------------------------------------- hf mf list available offline: yes Alias of `trace list -t mf -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
4949 "hf mf list --frame -> show frame delay times",
4950 "hf mf list -1 -> use trace buffer"
4954 "-h, --help This help",
4955 "-1, --buffer use data from trace buffer",
4956 "--frame show frame delay times",
4957 "-c mark CRC bytes",
4958 "-r show relative times (gap and duration)",
4959 "-u display times in microseconds instead of clock cycles",
4960 "-x show hexdump to convert to pcap(ng)",
4961 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
4962 "-f, --file <fn> filename of dictionary"
4964 "usage": "hf mf list [-h1crux] [--frame] [-f <fn>]"
4967 "command": "hf mf info",
4968 "description": "Information and check vulnerabilities in a MIFARE Classic card Some cards in order to extract information you need to specify key and/or specific keys in the command line",
4971 "hf mf info -k FFFFFFFFFFFF -n -v"
4975 "-h, --help This help",
4976 "--blk <dec> block number",
4977 "-a input key type is key A (def)",
4978 "-b input key type is key B",
4979 "-k, --key <hex> key, 6 hex bytes",
4980 "-n, --nack do nack test",
4981 "-v, --verbose verbose output"
4983 "usage": "hf mf info [-habnv] [--blk <dec>] [-k <hex>]"
4986 "command": "hf mf mad",
4987 "description": "Checks and prints MIFARE Application Directory (MAD)",
4989 "hf mf mad -> shows MAD if exists",
4990 "hf mf mad --aid e103 -k ffffffffffff -b -> shows NDEF data if exists. read card with custom key and key B",
4991 "hf mf mad --dch -k ffffffffffff -> decode CardHolder information"
4995 "-h, --help This help",
4996 "-v, --verbose verbose output",
4997 "--aid <hex> print all sectors with specified aid",
4998 "-k, --key <hex> key for printing sectors",
4999 "-b, --keyb use key B for access printing sectors (by default: key A)",
5000 "--be (optional, BigEndian)",
5001 "--dch decode Card Holder information",
5002 "-f, --file <fn> load dump file and decode MAD"
5004 "usage": "hf mf mad [-hvb] [--aid <hex>] [-k <hex>] [--be] [--dch] [-f <fn>]"
5007 "command": "hf mf nack",
5008 "description": "Test a MIFARE Classic based card for the NACK bug",
5014 "-h, --help This help",
5015 "-v, --verbose verbose output`"
5017 "usage": "hf mf nack [-hv]"
5019 "hf mf ndefformat": {
5020 "command": "hf mf ndefformat",
5021 "description": "format MIFARE Classic Tag as a NFC tag with Data Exchange Format (NDEF) If no <name> given, UID will be used as filename. It will try default keys and MAD keys to detect if tag is already formatted in order to write. If not, it will try finding a key file based on your UID. ie, if you ran autopwn before",
5024 "hf mf ndefformat --1k -> MIFARE Classic 1k",
5025 "hf mf ndefformat --keys hf-mf-01020304-key.bin -> MIFARE 1k with keys from specified file"
5029 "-h, --help This help",
5030 "-k, --keys <fn> filename of keys",
5031 "--mini MIFARE Classic Mini / S20",
5032 "--1k MIFARE Classic 1k / S50 (def)",
5033 "--2k MIFARE Classic/Plus 2k",
5034 "--4k MIFARE Classic 4k / S70"
5036 "usage": "hf mf ndefformat [-h] [-k <fn>] [--mini] [--1k] [--2k] [--4k]"
5039 "command": "hf mf ndefread",
5040 "description": "Prints NFC Data Exchange Format (NDEF)",
5042 "hf mf ndefread -> shows NDEF parsed data",
5043 "hf mf ndefread -vv -> shows NDEF parsed and raw data",
5044 "hf mf ndefread --aid e103 -k ffffffffffff -b -> shows NDEF data with custom AID, key and with key B",
5045 "hf mf ndefread -f myfilename -> save raw NDEF to file"
5049 "-h, --help This help",
5050 "-v, --verbose Verbose output",
5051 "--aid <aid> replace default aid for NDEF",
5052 "-k, --key <key> replace default key for NDEF",
5053 "-b, --keyb use key B for access sectors (by default: key A)",
5054 "-f, --file <fn> save raw NDEF to file"
5056 "usage": "hf mf ndefread [-hvb] [--aid <aid>] [-k <key>] [-f <fn>]"
5058 "hf mf ndefwrite": {
5059 "command": "hf mf ndefwrite",
5060 "description": "Write raw NDEF hex bytes to tag. This commands assumes tag already been NFC/NDEF formatted.",
5062 "hf mf ndefwrite -d 0300FE -> write empty record to tag",
5063 "hf mf ndefwrite -f myfilename",
5064 "hf mf ndefwrite -d 033fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031"
5068 "-h, --help This help",
5069 "-d <hex> raw NDEF hex bytes",
5070 "-f, --file <fn> write raw NDEF file to tag",
5071 "-p fix NDEF record headers / terminator block if missing",
5072 "--mini MIFARE Classic Mini / S20",
5073 "--1k MIFARE Classic 1k / S50 (def)",
5074 "--2k MIFARE Classic/Plus 2k",
5075 "--4k MIFARE Classic 4k / S70",
5076 "-v, --verbose verbose output"
5078 "usage": "hf mf ndefwrite [-hpv] [-d <hex>] [-f <fn>] [--mini] [--1k] [--2k] [--4k]"
5081 "command": "hf mf nested",
5082 "description": "Execute Nested attack against MIFARE Classic card for key recovery",
5084 "hf mf nested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -> Use block 0 Key A to find block 4 Key A (single sector key recovery)",
5085 "hf mf nested --mini --blk 0 -a -k FFFFFFFFFFFF -> Key recovery against MIFARE Mini",
5086 "hf mf nested --1k --blk 0 -a -k FFFFFFFFFFFF -> Key recovery against MIFARE Classic 1k",
5087 "hf mf nested --2k --blk 0 -a -k FFFFFFFFFFFF -> Key recovery against MIFARE 2k",
5088 "hf mf nested --4k --blk 0 -a -k FFFFFFFFFFFF -> Key recovery against MIFARE 4k"
5092 "-h, --help This help",
5093 "-k, --key <hex> Key specified as 12 hex symbols",
5094 "--mini MIFARE Classic Mini / S20",
5095 "--1k MIFARE Classic 1k / S50",
5096 "--2k MIFARE Classic/Plus 2k",
5097 "--4k MIFARE Classic 4k / S70",
5098 "--blk <dec> Input block number",
5099 "-a Input key specified is A key (default)",
5100 "-b Input key specified is B key",
5101 "--tblk <dec> Target block number",
5102 "--ta Target A key (default)",
5103 "--tb Target B key",
5104 "--emu Fill simulator keys from found keys",
5105 "--dump Dump found keys to file",
5106 "--mem Use dictionary from flashmemory"
5108 "usage": "hf mf nested [-hab] [-k <hex>] [--mini] [--1k] [--2k] [--4k] [--blk <dec>] [--tblk <dec>] [--ta] [--tb] [--emu] [--dump] [--mem]"
5110 "hf mf personalize": {
5111 "command": "hf mf personalize",
5112 "description": "Personalize the UID of a MIFARE Classic EV1 card. This is only possible if it is a 7Byte UID card and if it is not already personalized.",
5114 "hf mf personalize --f0 -> double size UID",
5115 "hf mf personalize --f1 -> double size UID, optional usage of selection process shortcut",
5116 "hf mf personalize --f2 -> single size random ID",
5117 "hf mf personalize --f3 -> single size NUID",
5118 "hf mf personalize -b -k B0B1B2B3B4B5 --f3 -> use key B = 0xB0B1B2B3B4B5"
5122 "-h, --help This help",
5123 "-a use key A to authenticate sector 0 (def)",
5124 "-b use key B to authenticate sector 0",
5125 "-k, --key <hex> key (def FFFFFFFFFFFF)",
5126 "--f0 UIDFO, double size UID",
5127 "--f1 UIDF1, double size UID, optional usage of selection process shortcut",
5128 "--f2 UIDF2, single size random ID",
5129 "--f3 UIDF3, single size NUID"
5131 "usage": "hf mf personalize [-hab] [-k <hex>] [--f0] [--f1] [--f2] [--f3]"
5134 "command": "hf mf rdbl",
5135 "description": "Read MIFARE Classic block",
5137 "hf mf rdbl --blk 0",
5138 "hf mf rdbl --blk 0 -k A0A1A2A3A4A5",
5139 "hf mf rdbl --blk 3 -v -> get block 3, decode sector trailer"
5143 "-h, --help This help",
5144 "--blk <dec> block number",
5145 "-a input key type is key A (def)",
5146 "-b input key type is key B",
5147 "-k, --key <hex> key, 6 hex bytes",
5148 "-v, --verbose verbose output"
5150 "usage": "hf mf rdbl [-habv] --blk <dec> [-k <hex>]"
5153 "command": "hf mf rdsc",
5154 "description": "Read MIFARE Classic sector",
5157 "hf mf rdsc -s 0 -k A0A1A2A3A4A5"
5161 "-h, --help This help",
5162 "-a input key specified is A key (def)",
5163 "-b input key specified is B key",
5164 "-k, --key <hex> key specified as 6 hex bytes",
5165 "-s, --sec <dec> sector number",
5166 "-v, --verbose verbose output"
5168 "usage": "hf mf rdsc [-habv] [-k <hex>] -s <dec>"
5171 "command": "hf mf restore",
5172 "description": "Restore MIFARE Classic dump file to tag. The key file and dump file will program the card sector trailers. By default we authenticate to card with key 0xFFFFFFFFFFFF. If access rights in dump file is all zeros, it will be replaced with default values `--uid` param is used for filename templates `hf-mf-<uid>-dump.bin` and `hf-mf-<uid>-key.bin. if not specified, it will read the card uid instead. `--ka` param you can indicate that the key file should be used for authentication instead. if so we also try both B/A keys `--force` param is used to override warnings and allow bad ACL block writes. if not specified, it will skip blocks with bad ACL.",
5175 "hf mf restore --1k --uid 04010203",
5176 "hf mf restore --1k --uid 04010203 -k hf-mf-AABBCCDD-key.bin",
5177 "hf mf restore --4k"
5181 "-h, --help This help",
5182 "--mini MIFARE Classic Mini / S20",
5183 "--1k MIFARE Classic 1k / S50 (def)",
5184 "--2k MIFARE Classic/Plus 2k",
5185 "--4k MIFARE Classic 4k / S70",
5186 "-u, --uid <hex> uid, (4|7|10 hex bytes)",
5187 "-f, --file <fn> specify a filename for dump file",
5188 "-k, --kfn <fn> key filename",
5189 "--ka use specified keyfile to authenticate",
5190 "--force override warnings"
5192 "usage": "hf mf restore [-h] [--mini] [--1k] [--2k] [--4k] [-u <hex>] [-f <fn>] [-k <fn>] [--ka] [--force]"
5195 "command": "hf mf setmod",
5196 "description": "Sets the load modulation strength of a MIFARE Classic EV1 card",
5198 "hf mf setmod -k ffffffffffff -0"
5202 "-h, --help This help",
5203 "-0 normal modulation",
5204 "-1 strong modulation (def)",
5205 "-k, --key <hex> key A, Sector 0, 6 hex bytes"
5207 "usage": "hf mf setmod [-h01] [-k <hex>]"
5210 "command": "hf mf sim",
5211 "description": "Simulate MIFARE Classic family type based upon ISO/IEC 14443 type A tag with 4,7 or 10 byte UID from emulator memory. See `hf mf eload` first. The UID from emulator memory will be used if not specified.",
5213 "hf mf sim --mini -> MIFARE Mini",
5214 "hf mf sim --1k -> MIFARE Classic 1k (default)",
5215 "hf mf sim --1k -u 0a0a0a0a -> MIFARE Classic 1k with 4b UID",
5216 "hf mf sim --1k -u 11223344556677 -> MIFARE Classic 1k with 7b UID",
5217 "hf mf sim --1k -u 11223344 -i -x -> Perform reader attack in interactive mode",
5218 "hf mf sim --2k -> MIFARE 2k",
5219 "hf mf sim --4k -> MIFARE 4k"
5223 "-h, --help This help",
5224 "-u, --uid <hex> <4|7|10> hex bytes UID",
5225 "--mini MIFARE Classic Mini / S20",
5226 "--1k MIFARE Classic 1k / S50",
5227 "--2k MIFARE Classic/Plus 2k",
5228 "--4k MIFARE Classic 4k / S70",
5229 "--atqa <hex> Provide explicit ATQA (2 bytes, overrides option t)",
5230 "--sak <hex> Provide explicit SAK (1 bytes, overrides option t)",
5231 "-n, --num <dec> Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite",
5232 "-i, --interactive Console will not be returned until simulation finishes or is aborted",
5233 "-x Performs the 'reader attack', nr/ar attack against a reader",
5234 "-e, --emukeys Fill simulator keys from found keys",
5235 "-v, --verbose verbose output",
5236 "--cve trigger CVE 2021_0430"
5238 "usage": "hf mf sim [-hixev] [-u <hex>] [--mini] [--1k] [--2k] [--4k] [--atqa <hex>] [--sak <hex>] [-n <dec> ] [--cve]"
5240 "hf mf staticnested": {
5241 "command": "hf mf staticnested",
5242 "description": "Execute static nested attack against MIFARE Classic card with static nonce for key recovery. Supply a known key from one block to recover all keys",
5244 "hf mf staticnested --mini --blk 0 -a -k FFFFFFFFFFFF",
5245 "hf mf staticnested --1k --blk 0 -a -k FFFFFFFFFFFF",
5246 "hf mf staticnested --2k --blk 0 -a -k FFFFFFFFFFFF",
5247 "hf mf staticnested --4k --blk 0 -a -k FFFFFFFFFFFF"
5251 "-h, --help This help",
5252 "-k, --key <hex> Known key (12 hex symbols)",
5253 "--mini MIFARE Classic Mini / S20",
5254 "--1k MIFARE Classic 1k / S50",
5255 "--2k MIFARE Classic/Plus 2k",
5256 "--4k MIFARE Classic 4k / S70",
5257 "--blk <dec> Input block number",
5258 "-a Input key specified is keyA (def)",
5259 "-b Input key specified is keyB",
5260 "-e, --emukeys Fill simulator keys from found keys",
5261 "--dumpkeys Dump found keys to file"
5263 "usage": "hf mf staticnested [-habe] [-k <hex>] [--mini] [--1k] [--2k] [--4k] [--blk <dec>] [--dumpkeys]"
5265 "hf mf supercard": {
5266 "command": "hf mf supercard",
5267 "description": "Extract info from a `super card`",
5269 "hf mf supercard -> recover key",
5270 "hf mf supercard -r -> reset card",
5271 "hf mf supercard -u 11223344 -> change UID"
5275 "-h, --help This help",
5276 "-r, --reset Reset card",
5277 "-u, --uid <hex> New UID (4 hex bytes)",
5278 "--furui Furui detection card"
5280 "usage": "hf mf supercard [-hr] [-u <hex>] [--furui]"
5283 "command": "hf mf value",
5284 "description": "MIFARE Classic value data commands",
5286 "hf mf value --blk 16 -k FFFFFFFFFFFF --set 1000",
5287 "hf mf value --blk 16 -k FFFFFFFFFFFF --inc 10",
5288 "hf mf value --blk 16 -k FFFFFFFFFFFF -b --dec 10",
5289 "hf mf value --blk 16 -k FFFFFFFFFFFF -b --get",
5290 "hf mf value --blk 16 -k FFFFFFFFFFFF --res --transfer 30 --tk FFFFFFFFFFFF -> transfer block 16 value to block 30 (even if block can't be incremented by ACL)",
5291 "hf mf value --get -d 87D612007829EDFF87D6120011EE11EE"
5295 "-h, --help This help",
5296 "-k, --key <hex> key, 6 hex bytes",
5297 "-a input key type is key A (def)",
5298 "-b input key type is key B",
5299 "--inc <dec> Increment value by X (0 - 2147483647)",
5300 "--dec <dec> Decrement value by X (0 - 2147483647)",
5301 "--set <dec> Set value to X (-2147483647 - 2147483647)",
5302 "--transfer <dec> Transfer value to other block (after inc/dec/restore)",
5303 "--tkey <hex> transfer key, 6 hex bytes (if transfer is preformed to other sector)",
5304 "--ta transfer key type is key A (def)",
5305 "--tb transfer key type is key B",
5306 "--get Get value from block",
5307 "--res Restore (copy value to card buffer, should be used with --transfer)",
5308 "--blk <dec> block number",
5309 "-d, --data <hex> block data to extract values from (16 hex bytes)"
5311 "usage": "hf mf value [-hab] [-k <hex>] [--inc <dec>] [--dec <dec>] [--set <dec>] [--transfer <dec>] [--tkey <hex>] [--ta] [--tb] [--get] [--res] [--blk <dec>] [-d <hex>]"
5314 "command": "hf mf view",
5315 "description": "Print a MIFARE Classic dump file (bin/eml/json)",
5317 "hf mf view -f hf-mf-01020304-dump.bin"
5321 "-h, --help This help",
5322 "-f, --file <fn> Specify a filename for dump file",
5323 "-v, --verbose verbose output",
5324 "--sk Save extracted keys to binary file"
5326 "usage": "hf mf view [-hv] -f <fn> [--sk]"
5329 "command": "hf mf wipe",
5330 "description": "Wipe card to zeros and default keys/acc. This command takes a key file to wipe card Will use UID from card to generate keyfile name if not specified. New A/B keys..... FF FF FF FF FF FF New acc rights... FF 07 80 New GPB.......... 69",
5332 "hf mf wipe -> reads card uid to generate file name",
5333 "hf mf wipe --gen2 -> force write to S0, B0 manufacture block",
5334 "hf mf wipe -f mykey.bin -> use mykey.bin"
5338 "-h, --help This help",
5339 "-f, --file <fn> key filename",
5340 "--gen2 force write to Sector 0, block 0 (GEN2)"
5342 "usage": "hf mf wipe [-h] [-f <fn>] [--gen2]"
5345 "command": "hf mf wrbl",
5346 "description": "Write MIFARE Classic block with 16 hex bytes of data Sector 0 / Block 0 - Manufacturer block When writing to block 0 you must use a VALID block 0 data (UID, BCC, SAK, ATQA) Writing an invalid block 0 means rendering your Magic GEN2 card undetectable. Look in the magic_cards_notes.md file for help to resolve it. `--force` param is used to override warnings like bad ACL and BLOCK 0 writes. if not specified, it will exit if detected",
5348 "hf mf wrbl --blk 1 -d 000102030405060708090a0b0c0d0e0f",
5349 "hf mf wrbl --blk 1 -k A0A1A2A3A4A5 -d 000102030405060708090a0b0c0d0e0f"
5353 "-h, --help This help",
5354 "--blk <dec> block number",
5355 "-a input key type is key A (def)",
5356 "-b input key type is key B",
5357 "--force override warnings",
5358 "-k, --key <hex> key, 6 hex bytes",
5359 "-d, --data <hex> bytes to write, 16 hex bytes"
5361 "usage": "hf mf wrbl [-hab] --blk <dec> [--force] [-k <hex>] [-d <hex>]"
5364 "command": "hf mfdes auth",
5365 "description": "Select application on the card. It selects app if it is a valid one or returns an error.",
5367 "hf mfdes auth -n 0 -t des -k 0000000000000000 --kdf none -> select PICC level and authenticate with key num=0, key type=des, key=00..00 and key derivation = none",
5368 "hf mfdes auth -n 0 -t aes -k 00000000000000000000000000000000 -> select PICC level and authenticate with key num=0, key type=aes, key=00..00 and key derivation = none",
5369 "hf mfdes auth -n 0 -t des -k 0000000000000000 --save -> select PICC level and authenticate and in case of successful authentication - save channel parameters to defaults",
5370 "hf mfdes auth --aid 123456 -> select application 123456 and authenticate via parameters from `default` command"
5374 "-h, --help This help",
5375 "-a, --apdu Show APDU requests and responses",
5376 "-v, --verbose Verbose output",
5377 "-n, --keyno <dec> Key number",
5378 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5379 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5380 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5381 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5382 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5383 "-c, --ccset <native|niso|iso> Communicaton command set",
5384 "--schann <d40|ev1|ev2|lrp> Secure channel",
5385 "--aid <hex> Application ID of application for some parameters (3 hex bytes, big endian)",
5386 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
5387 "--save saves channels parameters to defaults if authentication succeeds"
5389 "usage": "hf mfdes auth [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--save]"
5391 "hf mfdes bruteaid": {
5392 "command": "hf mfdes bruteaid",
5393 "description": "Recover AIDs by bruteforce. WARNING: This command takes a loooong time",
5395 "hf mfdes bruteaid -> Search all apps",
5396 "hf mfdes bruteaid --start F0000F -i 16 -> Search MAD range manually"
5400 "-h, --help This help",
5401 "--start <hex> Starting App ID as hex bytes (3 bytes, big endian)",
5402 "--end <hex> Last App ID as hex bytes (3 bytes, big endian)",
5403 "-i, --step <dec> Increment step when bruteforcing",
5404 "-m, --mad Only bruteforce the MAD range"
5406 "usage": "hf mfdes bruteaid [-hm] [--start <hex>] [--end <hex>] [-i <dec>]"
5408 "hf mfdes changekey": {
5409 "command": "hf mfdes changekey",
5410 "description": "Change PICC/Application key. Needs to provide keynum/key for a valid authentication (may get from default parameters).",
5412 "Change crypto algorithm for PICC key is possible,",
5413 "but for APP keys crypto algorithm is set by createapp command and can't be changed wo application delete",
5415 "hf mfdes changekey --aid 123456 -> execute with default factory setup. change des key 0 in the app 123456 from 00..00 to 00..00",
5416 "hf mfdes changekey --isoid df01 -t aes --schann lrp --newkeyno 01 -> change key 01 via lrp channelhf mfdes changekey -t des --newalgo aes --newkey 11223344556677889900112233445566 --newver a5 -> change card master key to AES one",
5417 "hf mfdes changekey --aid 123456 -t aes --key 00000000000000000000000000000000 --newkey 11223344556677889900112233445566 -> change app master key",
5418 "hf mfdes changekey --aid 123456 -t des -n 0 --newkeyno 1 --oldkey 5555555555555555 --newkey 1122334455667788 -> change key 1 with auth from key 0",
5419 "hf mfdes changekey --aid 123456 -t 3tdea --newkey 112233445566778899001122334455667788990011223344 -> change 3tdea key 0 from default 00..00 to provided"
5423 "-h, --help This help",
5424 "-a, --apdu Show APDU requests and responses",
5425 "-v, --verbose Verbose output",
5426 "-n, --keyno <dec> Key number",
5427 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5428 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5429 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5430 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5431 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5432 "-c, --ccset <native|niso|iso> Communicaton command set",
5433 "--schann <d40|ev1|ev2|lrp> Secure channel",
5434 "--aid <hex> Application ID of application (3 hex bytes, big endian)",
5435 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian).",
5436 "--oldalgo <DES|2TDEA|3TDEA|AES> Old key crypto algorithm",
5437 "--oldkey <old key> Old key (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5438 "--newkeyno <dec> Key number for change",
5439 "--newalgo <DES|2TDEA|3TDEA|AES> New key crypto algorithm",
5440 "--newkey <hex> New key (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5441 "--newver <hex> Version of new key (1 hex byte)"
5443 "usage": "hf mfdes changekey [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--oldalgo <DES|2TDEA|3TDEA|AES>] [--oldkey <old key>] [--newkeyno <dec>] [--newalgo <DES|2TDEA|3TDEA|AES>] [--newkey <hex>] [--newver <hex>]"
5445 "hf mfdes chfilesettings": {
5446 "command": "hf mfdes chfilesettings",
5447 "description": "Get File Settings from file from application. Master key needs to be provided or flag --no-auth set (depend on cards settings).",
5449 "hf mfdes chfilesettings --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 -> change file settings app=123456, file=01 with defaults from `default` command",
5450 "hf mfdes chfilesettings -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 --rawdata 00EEEE -> execute with default factory setup",
5451 "hf mfdes chfilesettings --aid 123456 --fid 01 --rawdata 810000021f112f22 -> change file settings with additional rights for keys 1 and 2",
5452 "hf mfdes chfilesettings --isoid df01 --fid 00 --amode plain --rawrights eee0 --schann lrp -t aes -> change file settings via lrp channel"
5456 "-h, --help This help",
5457 "-a, --apdu Show APDU requests and responses",
5458 "-v, --verbose Verbose output",
5459 "-n, --keyno <dec> Key number",
5460 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5461 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5462 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5463 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5464 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5465 "-c, --ccset <native|niso|iso> Communicaton command set",
5466 "--schann <d40|ev1|ev2|lrp> Secure channel",
5467 "--aid <hex> Application ID (3 hex bytes, big endian)",
5468 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
5469 "--fid <hex> File ID (1 hex byte)",
5470 "--rawdata <hex> File settings (HEX > 5 bytes). Have priority over the other settings",
5471 "--amode <plain|mac|encrypt> File access mode",
5472 "--rawrights <hex> Access rights for file (2 hex bytes) R/W/RW/Chg, 0x0 - 0xD Key, 0xE Free, 0xF Denied",
5473 "--rrights <key0..13|free|deny> Read file access mode: the specified key, free, deny",
5474 "--wrights <key0..13|free|deny> Write file access mode: the specified key, free, deny",
5475 "--rwrights <key0..13|free|deny> Read/Write file access mode: the specified key, free, deny",
5476 "--chrights <key0..13|free|deny> Change file settings access mode: the specified key, free, deny",
5477 "--no-auth Execute without authentication"
5479 "usage": "hf mfdes chfilesettings [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--fid <hex>] [--rawdata <hex>] [--amode <plain|mac|encrypt>] [--rawrights <hex>] [--rrights <key0..13|free|deny>] [--wrights <key0..13|free|deny>] [--rwrights <key0..13|free|deny>] [--chrights <key0..13|free|deny>] [--no-auth]"
5482 "command": "hf mfdes chk",
5483 "description": "Checks keys with MIFARE DESFire card.",
5485 "hf mfdes chk --aid 123456 -k 000102030405060708090a0b0c0d0e0f -> check key on aid 0x123456",
5486 "hf mfdes chk -d mfdes_default_keys -> check keys against all existing aid on card",
5487 "hf mfdes chk -d mfdes_default_keys --aid 123456 -> check keys against aid 0x123456",
5488 "hf mfdes chk --aid 123456 --pattern1b -j keys -> check all 1-byte keys pattern on aid 0x123456 and save found keys to `keys.json`",
5489 "hf mfdes chk --aid 123456 --pattern2b --startp2b FA00 -> check all 2-byte keys pattern on aid 0x123456. Start from key FA00FA00...FA00"
5493 "-h, --help This help",
5494 "--aid <hex> Use specific AID (3 hex bytes, big endian)",
5495 "-k, --key <hex> Key for checking (HEX 16 bytes)",
5496 "-d, --dict <fn> Dictionary file with keys",
5497 "--pattern1b Check all 1-byte combinations of key (0000...0000, 0101...0101, 0202...0202, ...)",
5498 "--pattern2b Check all 2-byte combinations of key (0000...0000, 0001...0001, 0002...0002, ...)",
5499 "--startp2b <pattern> Start key (2-byte HEX) for 2-byte search (use with `--pattern2b`)",
5500 "-j, --json <fn> Json file name to save keys",
5501 "-v, --verbose Verbose output",
5502 "--kdf <0|1|2> Key Derivation Function (KDF) (0=None, 1=AN10922, 2=Gallagher)",
5503 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5504 "-a, --apdu Show APDU requests and responses"
5506 "usage": "hf mfdes chk [-hva] [--aid <hex>] [-k <hex>] [-d <fn>] [--pattern1b] [--pattern2b] [--startp2b <pattern>] [-j <fn>] [--kdf <0|1|2>] [-i <hex>]"
5508 "hf mfdes chkeysettings": {
5509 "command": "hf mfdes chkeysettings",
5510 "description": "Change key settings for card level or application level. WARNING: card level changes may block the card!",
5512 "hf mfdes chkeysettings -d 0f -> set picc key settings with default key/channel setup",
5513 "hf mfdes chkeysettings --aid 123456 -d 0f -> set app 123456 key settings with default key/channel setup"
5517 "-h, --help This help",
5518 "-a, --apdu Show APDU requests and responses",
5519 "-v, --verbose Verbose output",
5520 "-n, --keyno <dec> Key number",
5521 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5522 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5523 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5524 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5525 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5526 "-c, --ccset <native|niso|iso> Communicaton command set",
5527 "--schann <d40|ev1|ev2|lrp> Secure channel",
5528 "--aid <hex> Application ID (3 hex bytes, big endian)",
5529 "-d, --data <HEX> Key settings (1 hex byte)"
5531 "usage": "hf mfdes chkeysettings [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [-d <HEX>]"
5533 "hf mfdes clearrecfile": {
5534 "command": "hf mfdes clearrecfile",
5535 "description": "Clear record file. Master key needs to be provided or flag --no-auth set (depend on cards settings).",
5537 "hf mfdes clearrecfile --aid 123456 --fid 01 -> clear record file for: app=123456, file=01 with defaults from `default` command",
5538 "hf mfdes clearrecfile --isoid df01 --fid 01 --schann lrp -t aes -n 3 -> clear record file for lrp channel with key number 3"
5542 "-h, --help This help",
5543 "-a, --apdu Show APDU requests and responses",
5544 "-v, --verbose Verbose output",
5545 "-n, --keyno <dec> Key number",
5546 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5547 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5548 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5549 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5550 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5551 "-c, --ccset <native|niso|iso> Communicaton command set",
5552 "--schann <d40|ev1|ev2|lrp> Secure channel",
5553 "--aid <hex> Application ID (3 hex bytes, big endian)",
5554 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
5555 "--fid <hex> File ID for clearing (1 hex byte)",
5556 "--no-auth Execute without authentication"
5558 "usage": "hf mfdes clearrecfile [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--fid <hex>] [--no-auth]"
5560 "hf mfdes createapp": {
5561 "command": "hf mfdes createapp",
5562 "description": "Create application. Master key needs to be provided.",
5564 "option rawdata have priority over the rest settings, and options ks1 and ks2 have priority over corresponded key settings",
5566 "KeySetting 1 (AMK Setting, ks1):",
5567 "0: Allow change master key. 1 - allow, 0 - frozen",
5568 "1: Free Directory list access without master key",
5569 "0: AMK auth needed for GetFileSettings and GetKeySettings",
5570 "1: No AMK auth needed for GetFileIDs, GetISOFileIDs, GetFileSettings, GetKeySettings",
5571 "2: Free create/delete without master key",
5572 "0: CreateFile/DeleteFile only with AMK auth",
5573 "1: CreateFile/DeleteFile always",
5574 "3: Configuration changeable",
5575 "0: Configuration frozen",
5576 "1: Configuration changeable if authenticated with AMK (default)",
5577 "4-7: ChangeKey Access Rights",
5578 "0: Application master key needed (default)",
5579 "0x1..0xD: Auth with specific key needed to change any key",
5580 "0xE: Auth with the key to be changed (same KeyNo) is necessary to change a key",
5581 "0xF: All Keys within this application are frozen",
5583 "KeySetting 2 (ks2):",
5584 "0..3: Number of keys stored within the application (max. 14 keys)",
5585 "4: ks3 is present",
5586 "5: Use of 2 byte ISO FID, 0: No, 1: Yes",
5587 "6..7: Crypto Method 00: DES|2TDEA, 01: 3TDEA, 10: AES, 11: RFU",
5589 "2E = with FID, DES|2TDEA, 14 keys",
5590 "6E = with FID, 3TDEA, 14 keys",
5591 "AE = with FID, AES, 14 keys",
5593 "hf mfdes createapp --rawdata 5634122F2E4523616964313233343536 -> execute create by rawdata",
5594 "hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456 -> app aid, iso file id, and iso df name is specified",
5595 "hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456 --dstalgo aes -> with algorithm for key AES"
5599 "-h, --help This help",
5600 "-a, --apdu Show APDU requests and responses",
5601 "-v, --verbose Verbose output",
5602 "-n, --keyno <dec> Key number",
5603 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5604 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5605 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5606 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5607 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5608 "-c, --ccset <native|niso|iso> Communicaton command set",
5609 "--schann <d40|ev1|ev2|lrp> Secure channel",
5610 "--rawdata <hex> Raw data that sends to command",
5611 "--aid <hex> Application ID for create. Mandatory. (3 hex bytes, big endian)",
5612 "--fid <hex> ISO file ID. Forbidden values: 0000 3F00, 3FFF, FFFF. (2 hex bytes, big endian)",
5613 "--dfname <string> ISO DF Name (1..16 chars)",
5614 "--dfhex <hex> ISO DF Name as hex (1..16 bytes)",
5615 "--ks1 <hex> Key settings 1 (1 hex byte). Application Master Key Settings (def: 0x0F)",
5616 "--ks2 <hex> Key settings 2 (1 hex byte). (def: 0x0E)",
5617 "--dstalgo <DES|2TDEA|3TDEA|AES> Application key crypt algo (def: DES)",
5618 "--numkeys <dec> Number of keys 0x00..0x0e (def: 0x0E)",
5619 "--no-auth Execute without authentication"
5621 "usage": "hf mfdes createapp [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--rawdata <hex>] [--aid <hex>] [--fid <hex>] [--dfname <string>] [--dfhex <hex>] [--ks1 <hex>] [--ks2 <hex>] [--dstalgo <DES|2TDEA|3TDEA|AES>] [--numkeys <dec>] [--no-auth]"
5623 "hf mfdes createfile": {
5624 "command": "hf mfdes createfile",
5625 "description": "Create Standard/Backup file in the application. Application master key needs to be provided or flag --no-auth set (depend on application settings).",
5627 "--rawtype/--rawdata have priority over the other settings. and with these parameters you can create any file. file id comes from parameters, all the rest data must be in the --rawdata parameter",
5628 "--rawrights have priority over the separate rights settings.",
5629 "Key/mode/etc of the authentication depends on application settings",
5630 "hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010 -> create file with iso id. Authentication with defaults from `default` command",
5631 "hf mfdes createfile --aid 123456 --fid 01 --rawtype 01 --rawdata 000100EEEE000100 -> create file via sending rawdata to the card. Can be used to create any type of file. Authentication with defaults from `default` command",
5632 "hf mfdes createfile --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 -> create file app=123456, file=01 and mentioned rights with defaults from `default` command",
5633 "hf mfdes createfile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 --rawtype 00 --rawdata 00EEEE000100 -> execute with default factory setup"
5637 "-h, --help This help",
5638 "-a, --apdu Show APDU requests and responses",
5639 "-v, --verbose Verbose output",
5640 "-n, --keyno <dec> Key number",
5641 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5642 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5643 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5644 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5645 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5646 "-c, --ccset <native|niso|iso> Communicaton command set",
5647 "--schann <d40|ev1|ev2|lrp> Secure channel",
5648 "--aid <hex> Application ID (3 hex bytes, big endian)",
5649 "--fid <hex> File ID (1 hex byte)",
5650 "--isofid <hex> ISO File ID (2 hex bytes)",
5651 "--rawtype <hex> Raw file type (1 hex byte)",
5652 "--rawdata <hex> Raw file settings (hex > 5 bytes)",
5653 "--amode <plain|mac|encrypt> File access mode",
5654 "--rawrights <hex> Access rights for file (2 hex bytes) R/W/RW/Chg, 0x0 - 0xD Key, 0xE Free, 0xF Denied",
5655 "--rrights <key0..key13|free|deny> Read file access mode: the specified key, free, deny",
5656 "--wrights <key0..key13|free|deny> Write file access mode: the specified key, free, deny",
5657 "--rwrights <key0..key13|free|deny> Read/Write file access mode: the specified key, free, deny",
5658 "--chrights <key0..key13|free|deny> Change file settings access mode: the specified key, free, deny",
5659 "--no-auth Execute without authentication",
5660 "--size <hex> File size (3 hex bytes, big endian)",
5661 "--backup Create backupfile instead of standard file"
5663 "usage": "hf mfdes createfile [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--fid <hex>] [--isofid <hex>] [--rawtype <hex>] [--rawdata <hex>] [--amode <plain|mac|encrypt>] [--rawrights <hex>] [--rrights <key0..key13|free|deny>] [--wrights <key0..key13|free|deny>] [--rwrights <key0..key13|free|deny>] [--chrights <key0..key13|free|deny>] [--no-auth] [--size <hex>] [--backup]"
5665 "hf mfdes createmacfile": {
5666 "command": "hf mfdes createmacfile",
5667 "description": "Create Transaction MAC file in the application. Application master key needs to be provided or flag --no-auth set (depend on application settings).",
5669 "--rawrights have priority over the separate rights settings.",
5670 "Key/mode/etc of the authentication depends on application settings",
5671 "Write right should be always 0xF. Read-write right should be 0xF if you not need to submit CommitReaderID command each time transaction starts",
5673 "hf mfdes createmacfile --aid 123456 --fid 01 --rawrights 0FF0 --mackey 00112233445566778899aabbccddeeff --mackeyver 01 -> create transaction mac file with parameters. Rights from default. Authentication with defaults from `default` command",
5674 "hf mfdes createmacfile --aid 123456 --fid 01 --amode plain --rrights free --wrights deny --rwrights free --chrights key0 --mackey 00112233445566778899aabbccddeeff -> create file app=123456, file=01, with key, and mentioned rights with defaults from `default` command",
5675 "hf mfdes createmacfile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> execute with default factory setup. key and keyver == 0x00..00",
5676 "hf mfdes createmacfile --isoid df01 --fid 0f --schann lrp -t aes --rawrights 0FF0 --mackey 00112233445566778899aabbccddeeff --mackeyver 01 -> create transaction mac file via lrp channel",
5677 "hf mfdes createmacfile --isoid df01 --fid 0f --schann lrp -t aes --rawrights 0F10 --mackey 00112233445566778899aabbccddeeff --mackeyver 01 -> create transaction mac file via lrp channel with CommitReaderID command enable"
5681 "-h, --help This help",
5682 "-a, --apdu Show APDU requests and responses",
5683 "-v, --verbose Verbose output",
5684 "-n, --keyno <dec> Key number",
5685 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5686 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5687 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5688 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5689 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5690 "-c, --ccset <native|niso|iso> Communicaton command set",
5691 "--schann <d40|ev1|ev2|lrp> Secure channel",
5692 "--aid <hex> Application ID (3 hex bytes, big endian)",
5693 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
5694 "--fid <hex> File ID (1 hex byte)",
5695 "--amode <plain|mac|encrypt> File access mode",
5696 "--rawrights <hex> Access rights for file (2 hex bytes) R/W/RW/Chg, 0x0 - 0xD Key, 0xE Free, 0xF Denied",
5697 "--rrights <key0..key13|free|deny> Read file access mode: the specified key, free, deny",
5698 "--wrights <key0..key13|free|deny> Write file access mode: the specified key, free, deny",
5699 "--rwrights <key0..key13|free|deny> Read/Write file access mode: the specified key, free, deny",
5700 "--chrights <key0..key13|free|deny> Change file settings access mode: the specified key, free, deny",
5701 "--no-auth Execute without authentication",
5702 "--mackey <hex> AES-128 key for MAC (16 hex bytes, big endian). (def: all zeros)",
5703 "--mackeyver <hex> AES key version for MAC (1 hex byte). (def: 0x0)"
5705 "usage": "hf mfdes createmacfile [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--fid <hex>] [--amode <plain|mac|encrypt>] [--rawrights <hex>] [--rrights <key0..key13|free|deny>] [--wrights <key0..key13|free|deny>] [--rwrights <key0..key13|free|deny>] [--chrights <key0..key13|free|deny>] [--no-auth] [--mackey <hex>] [--mackeyver <hex>]"
5707 "hf mfdes createrecordfile": {
5708 "command": "hf mfdes createrecordfile",
5709 "description": "Create Linear/Cyclic Record file in the application. Application master key needs to be provided or flag --no-auth set (depend on application settings).",
5711 "--rawrights have priority over the separate rights settings.",
5712 "Key/mode/etc of the authentication depends on application settings",
5713 "hf mfdes createrecordfile --aid 123456 --fid 01 --size 000010 --maxrecord 000010 --cyclic -> create cyclic record file with parameters. Rights from default. Authentication with defaults from `default` command",
5714 "hf mfdes createrecordfile --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 --size 000010 --maxrecord 000010 -> create linear record file app=123456, file=01 and mentioned rights with defaults from `default` command",
5715 "hf mfdes createrecordfile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 --size 000010 --maxrecord 000010 -> execute with default factory setup"
5719 "-h, --help This help",
5720 "-a, --apdu Show APDU requests and responses",
5721 "-v, --verbose Verbose output",
5722 "-n, --keyno <dec> Key number",
5723 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5724 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5725 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5726 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5727 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5728 "-c, --ccset <native|niso|iso> Communicaton command set",
5729 "--schann <d40|ev1|ev2|lrp> Secure channel",
5730 "--aid <hex> Application ID (3 hex bytes, big endian)",
5731 "--fid <hex> File ID (1 hex byte)",
5732 "--isofid <hex> ISO File ID (2 hex bytes)",
5733 "--amode <plain|mac|encrypt> File access mode",
5734 "--rawrights <hex> Access rights for file (2 hex bytes) R/W/RW/Chg, 0x0 - 0xD Key, 0xE Free, 0xF Denied",
5735 "--rrights <key0..key13|free|deny> Read file access mode: the specified key, free, deny",
5736 "--wrights <key0..key13|free|deny> Write file access mode: the specified key, free, deny",
5737 "--rwrights <key0..key13|free|deny> Read/Write file access mode: the specified key, free, deny",
5738 "--chrights <key0..key13|free|deny> Change file settings access mode: the specified key, free, deny",
5739 "--no-auth Execute without authentication",
5740 "--size <hex> Record size (3 hex bytes, big endian, 000001 to FFFFFF)",
5741 "--maxrecord <hex> Max. Number of Records (3 hex bytes, big endian)",
5742 "--cyclic Create cyclic record file instead of linear record file"
5744 "usage": "hf mfdes createrecordfile [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--fid <hex>] [--isofid <hex>] [--amode <plain|mac|encrypt>] [--rawrights <hex>] [--rrights <key0..key13|free|deny>] [--wrights <key0..key13|free|deny>] [--rwrights <key0..key13|free|deny>] [--chrights <key0..key13|free|deny>] [--no-auth] [--size <hex>] [--maxrecord <hex>] [--cyclic]"
5746 "hf mfdes createvaluefile": {
5747 "command": "hf mfdes createvaluefile",
5748 "description": "Create Value file in the application. Application master key needs to be provided or flag --no-auth set (depend on application settings).",
5750 "--rawrights have priority over the separate rights settings.",
5751 "Key/mode/etc of the authentication depends on application settings",
5752 "hf mfdes createvaluefile --aid 123456 --fid 01 --lower 00000010 --upper 00010000 --value 00000100 -> create file with parameters. Rights from default. Authentication with defaults from `default` command",
5753 "hf mfdes createvaluefile --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 -> create file app=123456, file=01 and mentioned rights with defaults from `default` command",
5754 "hf mfdes createvaluefile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> execute with default factory setup"
5758 "-h, --help This help",
5759 "-a, --apdu Show APDU requests and responses",
5760 "-v, --verbose Verbose output",
5761 "-n, --keyno <dec> Key number",
5762 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5763 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5764 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5765 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5766 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5767 "-c, --ccset <native|niso|iso> Communicaton command set",
5768 "--schann <d40|ev1|ev2|lrp> Secure channel",
5769 "--aid <hex> Application ID (3 hex bytes, big endian)",
5770 "--fid <hex> File ID (1 hex byte)",
5771 "--amode <plain|mac|encrypt> File access mode",
5772 "--rawrights <hex> Access rights for file (2 hex bytes) R/W/RW/Chg, 0x0 - 0xD Key, 0xE Free, 0xF Denied",
5773 "--rrights <key0..key13|free|deny> Read file access mode: the specified key, free, deny",
5774 "--wrights <key0..key13|free|deny> Write file access mode: the specified key, free, deny",
5775 "--rwrights <key0..key13|free|deny> Read/Write file access mode: the specified key, free, deny",
5776 "--chrights <key0..key13|free|deny> Change file settings access mode: the specified key, free, deny",
5777 "--no-auth Execute without authentication",
5778 "--lower <hex> Lower limit (4 hex bytes, big endian)",
5779 "--upper <hex> Upper limit (4 hex bytes, big endian)",
5780 "--value <hex> Value (4 hex bytes, big endian)",
5781 "--lcredit <dec> Limited Credit enabled (Bit 0 = Limited Credit, 1 = FreeValue)"
5783 "usage": "hf mfdes createvaluefile [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--fid <hex>] [--amode <plain|mac|encrypt>] [--rawrights <hex>] [--rrights <key0..key13|free|deny>] [--wrights <key0..key13|free|deny>] [--rwrights <key0..key13|free|deny>] [--chrights <key0..key13|free|deny>] [--no-auth] [--lower <hex>] [--upper <hex>] [--value <hex>] [--lcredit <dec>]"
5785 "hf mfdes default": {
5786 "command": "hf mfdes default",
5787 "description": "Set default parameters for access to MIFARE DESfire card.",
5789 "hf mfdes default -n 0 -t des -k 0000000000000000 --kdf none -> save to the default parameters"
5793 "-h, --help This help",
5794 "-n, --keyno <dec> Key number",
5795 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5796 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5797 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5798 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5799 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5800 "-c, --ccset <native|niso|iso> Communicaton command set",
5801 "--schann <d40|ev1|ev2|lrp> Secure channel"
5803 "usage": "hf mfdes default [-h] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>]"
5805 "hf mfdes deleteapp": {
5806 "command": "hf mfdes deleteapp",
5807 "description": "Delete application by its 3-byte AID. Master key needs to be provided.",
5809 "hf mfdes deleteapp --aid 123456 -> execute with default factory setup"
5813 "-h, --help This help",
5814 "-a, --apdu Show APDU requests and responses",
5815 "-v, --verbose Verbose output",
5816 "-n, --keyno <dec> Key number",
5817 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5818 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5819 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5820 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5821 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5822 "-c, --ccset <native|niso|iso> Communicaton command set",
5823 "--schann <d40|ev1|ev2|lrp> Secure channel",
5824 "--aid <hex> Application ID to delete (3 hex bytes, big endian)"
5826 "usage": "hf mfdes deleteapp [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>]"
5828 "hf mfdes deletefile": {
5829 "command": "hf mfdes deletefile",
5830 "description": "Delete file from application. Master key needs to be provided or flag --no-auth set (depend on cards settings).",
5832 "hf mfdes deletefile --aid 123456 --fid 01 -> delete file for: app=123456, file=01 with defaults from `default` command",
5833 "hf mfdes deletefile --isoid df01 --fid 0f --schann lrp -t aes -> delete file for lrp channel"
5837 "-h, --help This help",
5838 "-a, --apdu Show APDU requests and responses",
5839 "-v, --verbose Verbose output",
5840 "-n, --keyno <dec> Key number",
5841 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5842 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5843 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5844 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5845 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5846 "-c, --ccset <native|niso|iso> Communicaton command set",
5847 "--schann <d40|ev1|ev2|lrp> Secure channel",
5848 "--aid <hex> Application ID (3 hex bytes, big endian)",
5849 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
5850 "--fid <hex> File ID (1 hex byte)",
5851 "--no-auth Execute without authentication"
5853 "usage": "hf mfdes deletefile [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--fid <hex>] [--no-auth]"
5855 "hf mfdes detect": {
5856 "command": "hf mfdes detect",
5857 "description": "Detect key type and tries to find one from the list.",
5859 "hf mfdes detect -> detect key 0 from PICC level",
5860 "hf mfdes detect --schann d40 -> detect key 0 from PICC level via secure channel D40",
5861 "hf mfdes detect --dict mfdes_default_keys -> detect key 0 from PICC level with help of the standard dictionary",
5862 "hf mfdes detect --aid 123456 -n 2 --save -> detect key 2 from app 123456 and if succeed - save params to defaults (`default` command)",
5863 "hf mfdes detect --isoid df01 --save -> detect key 0 and save to defaults with card in the LRP mode"
5867 "-h, --help This help",
5868 "-a, --apdu Show APDU requests and responses",
5869 "-v, --verbose Verbose output",
5870 "-n, --keyno <dec> Key number",
5871 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5872 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5873 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5874 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5875 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5876 "-c, --ccset <native|niso|iso> Communicaton command set",
5877 "--schann <d40|ev1|ev2|lrp> Secure channel",
5878 "--aid <hex> Application ID (3 hex bytes, big endian)",
5879 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian).",
5880 "--dict <fn> Dictionary file name with keys",
5881 "--save Save found key and parameters to defaults"
5883 "usage": "hf mfdes detect [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--dict <fn>] [--save]"
5886 "command": "hf mfdes dump",
5887 "description": "For each application show fil list and then file content. Key needs to be provided for authentication or flag --no-auth set (depend on cards settings).",
5889 "hf mfdes dump --aid 123456 -> show file dump for: app=123456 with channel defaults from `default` command/nhf mfdes dump --isoid df01 --schann lrp -t aes --length 000090 -> lrp default settings with length limit"
5893 "-h, --help This help",
5894 "-a, --apdu Show APDU requests and responses",
5895 "-v, --verbose Verbose output",
5896 "-n, --keyno <dec> Key number",
5897 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5898 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5899 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5900 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5901 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5902 "-c, --ccset <native|niso|iso> Communicaton command set",
5903 "--schann <d40|ev1|ev2|lrp> Secure channel",
5904 "--aid <hex> Application ID (3 hex bytes, big endian)",
5905 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
5906 "-l, --length <hex> Maximum length for read data files (3 hex bytes, big endian)",
5907 "--no-auth Execute without authentication"
5909 "usage": "hf mfdes dump [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [-l <hex>] [--no-auth]"
5911 "hf mfdes formatpicc": {
5912 "command": "hf mfdes formatpicc",
5913 "description": "Format card. Can be done only if enabled in the configuration. Master key needs to be provided.",
5915 "hf mfdes formatpicc -> execute with default factory setup"
5919 "-h, --help This help",
5920 "-a, --apdu Show APDU requests and responses",
5921 "-v, --verbose Verbose output",
5922 "-n, --keyno <dec> Key number",
5923 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5924 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5925 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5926 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5927 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5928 "-c, --ccset <native|niso|iso> Communicaton command set",
5929 "--schann <d40|ev1|ev2|lrp> Secure channel",
5930 "--aid <hex> Application ID of delegated application (3 hex bytes, big endian)"
5932 "usage": "hf mfdes formatpicc [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>]"
5934 "hf mfdes freemem": {
5935 "command": "hf mfdes freemem",
5936 "description": "Get card's free memory. Can be done with or without authentication. Master key may be provided.",
5938 "hf mfdes getfreemem -> execute with default factory setup"
5942 "-h, --help This help",
5943 "-a, --apdu Show APDU requests and responses",
5944 "-v, --verbose Verbose output",
5945 "-n, --keyno <dec> Key number",
5946 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5947 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5948 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5949 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5950 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5951 "-c, --ccset <native|niso|iso> Communicaton command set",
5952 "--schann <d40|ev1|ev2|lrp> Secure channel",
5953 "--no-auth Execute without authentication"
5955 "usage": "hf mfdes getfreemem [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--no-auth]"
5957 "hf mfdes getaids": {
5958 "command": "hf mfdes getaids",
5959 "description": "Get Application IDs list from card. Master key needs to be provided or flag --no-auth set.",
5961 "hf mfdes getaids -n 0 -t des -k 0000000000000000 --kdf none -> execute with default factory setup"
5965 "-h, --help This help",
5966 "-a, --apdu Show APDU requests and responses",
5967 "-v, --verbose Verbose output",
5968 "-n, --keyno <dec> Key number",
5969 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5970 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5971 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5972 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5973 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5974 "-c, --ccset <native|niso|iso> Communicaton command set",
5975 "--schann <d40|ev1|ev2|lrp> Secure channel",
5976 "--no-auth Execute without authentication"
5978 "usage": "hf mfdes getaids [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--no-auth]"
5980 "hf mfdes getappnames": {
5981 "command": "hf mfdes getappnames",
5982 "description": "Get Application IDs, ISO IDs and DF names from card. Master key needs to be provided or flag --no-auth set.",
5984 "hf mfdes getappnames -n 0 -t des -k 0000000000000000 --kdf none -> execute with default factory setup"
5988 "-h, --help This help",
5989 "-a, --apdu Show APDU requests and responses",
5990 "-v, --verbose Verbose output",
5991 "-n, --keyno <dec> Key number",
5992 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
5993 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
5994 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
5995 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
5996 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
5997 "-c, --ccset <native|niso|iso> Communicaton command set",
5998 "--schann <d40|ev1|ev2|lrp> Secure channel",
5999 "--no-auth Execute without authentication"
6001 "usage": "hf mfdes getappnames [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--no-auth]"
6003 "hf mfdes getfileids": {
6004 "command": "hf mfdes getfileids",
6005 "description": "Get File IDs list from card. Master key needs to be provided or flag --no-auth set.",
6007 "hf mfdes getfileids --aid 123456 -> execute with defaults from `default` command",
6008 "hf mfdes getfileids -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 -> execute with default factory setup"
6012 "-h, --help This help",
6013 "-a, --apdu Show APDU requests and responses",
6014 "-v, --verbose Verbose output",
6015 "-n, --keyno <dec> Key number",
6016 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6017 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6018 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6019 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6020 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6021 "-c, --ccset <native|niso|iso> Communicaton command set",
6022 "--schann <d40|ev1|ev2|lrp> Secure channel",
6023 "--aid <hex> Application ID (3 hex bytes, big endian)",
6024 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian).",
6025 "--no-auth Execute without authentication"
6027 "usage": "hf mfdes getfileids [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--no-auth]"
6029 "hf mfdes getfileisoids": {
6030 "command": "hf mfdes getfileisoids",
6031 "description": "Get File IDs list from card. Master key needs to be provided or flag --no-auth set.",
6033 "hf mfdes getfileisoids --aid 123456 -> execute with defaults from `default` command",
6034 "hf mfdes getfileisoids -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 -> execute with default factory setup",
6035 "hf mfdes getfileisoids --isoid df01 -> get iso file ids from Desfire Light with factory card settings",
6036 "hf mfdes getfileisoids --isoid df01 --schann lrp -t aes -> get iso file ids from Desfire Light via lrp channel with default key authentication"
6040 "-h, --help This help",
6041 "-a, --apdu Show APDU requests and responses",
6042 "-v, --verbose Verbose output",
6043 "-n, --keyno <dec> Key number",
6044 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6045 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6046 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6047 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6048 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6049 "-c, --ccset <native|niso|iso> Communicaton command set",
6050 "--schann <d40|ev1|ev2|lrp> Secure channel",
6051 "--aid <hex> Application ID (3 hex bytes, big endian)",
6052 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian).",
6053 "--no-auth Execute without authentication"
6055 "usage": "hf mfdes getfileisoids [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--no-auth]"
6057 "hf mfdes getfilesettings": {
6058 "command": "hf mfdes getfilesettings",
6059 "description": "Get File Settings from file from application. Master key needs to be provided or flag --no-auth set (depend on cards settings).",
6061 "hf mfdes getfilesettings --aid 123456 --fid 01 -> execute with defaults from `default` command",
6062 "hf mfdes getfilesettings --isoid df01 --fid 00 --no-auth -> get file settings with select by iso id",
6063 "hf mfdes getfilesettings -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> execute with default factory setup"
6067 "-h, --help This help",
6068 "-a, --apdu Show APDU requests and responses",
6069 "-v, --verbose Verbose output",
6070 "-n, --keyno <dec> Key number",
6071 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6072 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6073 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6074 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6075 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6076 "-c, --ccset <native|niso|iso> Communicaton command set",
6077 "--schann <d40|ev1|ev2|lrp> Secure channel",
6078 "--aid <hex> Application ID (3 hex bytes, big endian)",
6079 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
6080 "--fid <hex> File ID (1 hex byte). (def: 1)",
6081 "--no-auth Execute without authentication"
6083 "usage": "hf mfdes getfilesettings [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--fid <hex>] [--no-auth]"
6085 "hf mfdes getkeysettings": {
6086 "command": "hf mfdes getkeysettings",
6087 "description": "Get key settings for card level or application level.",
6089 "hf mfdes getkeysettings -> get picc key settings with default key/channel setup",
6090 "hf mfdes getkeysettings --aid 123456 -> get app 123456 key settings with default key/channel setup"
6094 "-h, --help This help",
6095 "-a, --apdu Show APDU requests and responses",
6096 "-v, --verbose Verbose output",
6097 "-n, --keyno <dec> Key number",
6098 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6099 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6100 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6101 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6102 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6103 "-c, --ccset <native|niso|iso> Communicaton command set",
6104 "--schann <d40|ev1|ev2|lrp> Secure channel",
6105 "--aid <hex> Application ID (3 hex bytes, big endian)"
6107 "usage": "hf mfdes getkeysettings [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>]"
6109 "hf mfdes getkeyversions": {
6110 "command": "hf mfdes getkeyversions",
6111 "description": "Get key versions for card level or application level.",
6113 "--keynum parameter: App level: key number. PICC level: 00..0d - keys count, 21..23 vc keys, default 0x00.",
6114 "hf mfdes getkeyversions --keynum 00 -> get picc master key version with default key/channel setup",
6115 "hf mfdes getkeyversions --aid 123456 --keynum 0d -> get app 123456 all key versions with default key/channel setup",
6116 "hf mfdes getkeyversions --aid 123456 --keynum 0d --no-auth -> get key version without authentication"
6120 "-h, --help This help",
6121 "-a, --apdu Show APDU requests and responses",
6122 "-v, --verbose Verbose output",
6123 "-n, --keyno <dec> Key number for authentication",
6124 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6125 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6126 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6127 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6128 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6129 "-c, --ccset <native|niso|iso> Communicaton command set",
6130 "--schann <d40|ev1|ev2|lrp> Secure channel",
6131 "--aid <hex> Application ID (3 hex bytes, big endian)",
6132 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian).",
6133 "--keynum <hex> Key number/count (1 hex byte). (def: 0x00)",
6134 "--keyset <hex> Keyset number (1 hex byte)",
6135 "--no-auth Execute without authentication"
6137 "usage": "hf mfdes getkeyversions [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--keynum <hex>] [--keyset <hex>] [--no-auth]"
6139 "hf mfdes getuid": {
6140 "command": "hf mfdes getuid",
6141 "description": "Get UID from card. Get the real UID if the random UID bit is on and get the same UID as in anticollision if not. Any card's key needs to be provided.",
6143 "hf mfdes getuid -> execute with default factory setup",
6144 "hf mfdes getuid --isoid df01 -t aes --schan lrp -> for desfire lights default settings"
6148 "-h, --help This help",
6149 "-a, --apdu Show APDU requests and responses",
6150 "-v, --verbose Verbose output",
6151 "-n, --keyno <dec> Key number",
6152 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6153 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6154 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6155 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6156 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6157 "-c, --ccset <native|niso|iso> Communicaton command set",
6158 "--schann <d40|ev1|ev2|lrp> Secure channel",
6159 "--aid <hex> Application ID (3 hex bytes, big endian)",
6160 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)"
6162 "usage": "hf mfdes getuid [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>]"
6165 "command": "hf mfdes help",
6166 "description": "help This help list List DESFire (ISO 14443A) history test Regression crypto tests --------------------------------------------------------------------------------------- hf mfdes list available offline: yes Alias of `trace list -t des -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
6168 "hf mfdes list --frame -> show frame delay times",
6169 "hf mfdes list -1 -> use trace buffer"
6173 "-h, --help This help",
6174 "-1, --buffer use data from trace buffer",
6175 "--frame show frame delay times",
6176 "-c mark CRC bytes",
6177 "-r show relative times (gap and duration)",
6178 "-u display times in microseconds instead of clock cycles",
6179 "-x show hexdump to convert to pcap(ng)",
6180 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
6181 "-f, --file <fn> filename of dictionary"
6183 "usage": "hf mfdes list [-h1crux] [--frame] [-f <fn>]"
6186 "command": "hf mfdes info",
6187 "description": "Get info from MIFARE DESfire tags",
6193 "-h, --help This help"
6195 "usage": "hf mfdes info [-h]"
6198 "command": "hf mfdes lsapp",
6199 "description": "Show application list. Master key needs to be provided or flag --no-auth set (depend on cards settings).",
6201 "hf mfdes lsapp -> show application list with defaults from `default` command",
6202 "hf mfdes lsapp --files -> show application list and show each file type/settings/etc"
6206 "-h, --help This help",
6207 "-a, --apdu Show APDU requests and responses",
6208 "-v, --verbose Verbose output",
6209 "-n, --keyno <dec> Key number",
6210 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6211 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6212 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6213 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6214 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6215 "-c, --ccset <native|niso|iso> Communicaton command set",
6216 "--schann <d40|ev1|ev2|lrp> Secure channel",
6217 "--no-auth Execute without authentication",
6218 "--no-deep not to check authentication commands that avail for any application",
6219 "--files scan files and print file settings"
6221 "usage": "hf mfdes lsapp [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--no-auth] [--no-deep] [--files]"
6223 "hf mfdes lsfiles": {
6224 "command": "hf mfdes lsfiles",
6225 "description": "This commands List files inside application AID / ISOID. Master key needs to be provided or flag --no-auth set (depend on cards settings).",
6227 "hf mfdes lsfiles --aid 123456 -> AID 123456, list files using `default` command creds",
6228 "hf mfdes lsfiles --isoid df01 --no-auth -> list files for DESFire light"
6232 "-h, --help This help",
6233 "-a, --apdu Show APDU requests and responses",
6234 "-v, --verbose Verbose output",
6235 "-n, --keyno <dec> Key number",
6236 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6237 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6238 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6239 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6240 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6241 "-c, --ccset <native|niso|iso> Communicaton command set",
6242 "--schann <d40|ev1|ev2|lrp> Secure channel",
6243 "--aid <hex> Application ID (3 hex bytes, big endian)",
6244 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
6245 "--no-auth Execute without authentication"
6247 "usage": "hf mfdes lsfiles [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--no-auth]"
6250 "command": "hf mfdes mad",
6251 "description": "Reads and prints MIFARE Application directory (MAD).",
6253 "MAD consists of one file with issuer info (AID ffffff) and several files with AID in the special format `faaaav` (a - MAD ID, v - multiple AID over one MAD ID)",
6254 "The MIFARE DESFire Card Master Key settings have to allow the MIFARE DESFire command GetApplicationIDs without authentication (from datasheet)",
6256 "hf mfdes mad -> shows MAD data",
6257 "hf mfdes mad -v -> shows MAD parsed and raw data",
6258 "hf mfdes mad -a e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows MAD data with custom AID and key"
6262 "-h, --help This help",
6263 "-a, --apdu Show APDU requests and responses",
6264 "-v, --verbose Verbose output",
6265 "-n, --keyno <dec> Key number",
6266 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6267 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6268 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6269 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6270 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6271 "-c, --ccset <native|niso|iso> Communicaton command set",
6272 "--schann <d40|ev1|ev2|lrp> Secure channel",
6273 "--aid <hex> Application ID of issuer info file, (3 hex bytes, big endian), (non-standard feature!)",
6274 "--auth Authenticate to get info from GetApplicationIDs command (non-standard feature!)"
6276 "usage": "hf mfdes mad [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--auth]"
6279 "command": "hf mfdes read",
6280 "description": "Read data from file. Key needs to be provided or flag --no-auth set (depend on file settings).",
6282 "It reads file via all command sets.",
6283 "For ISO command set it can be read by specifying full 2-byte iso id or 1-byte short iso id (first byte of the full iso id). ISO id lays in the data in BIG ENDIAN format.",
6284 "ISO record commands: offset - record number (0-current, 1..ff-number, 1-lastest), length - if 0 - all records, if 1 - one",
6286 "hf mfdes read --aid 123456 --fid 01 -> read file: app=123456, file=01, offset=0, all the data. use default channel settings from `default` command",
6287 "hf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001 -> read one last record from record file. use default channel settings from `default` command",
6288 "hf mfdes read --aid 123456 --fid 10 --type data -c iso -> read file via ISO channel: app=123456, short iso id=10, offset=0.",
6289 "hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso -> read file via ISO channel: app=123456, iso id=1000, offset=0. Select via native ISO wrapper",
6290 "hf mfdes read --isoid 0102 --fileisoid 1000 --type data -c iso -> read file via ISO channel: app iso id=0102, iso id=1000, offset=0. Select via ISO commands",
6291 "hf mfdes read --isoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001 -> get one record (number 5) from file 1100 via iso commands",
6292 "hf mfdes read --isoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000 -> get all record (from 5 to 1) from file 1100 via iso commands",
6293 "hf mfdes read --isoid df01 --fid 00 --schann lrp -t aes --length 000010 -> read via lrp channel",
6294 "hf mfdes read --isoid df01 --fid 00 --schann ev2 -t aes --length 000010 --isochain -> read Desfire Light via ev2 channel"
6298 "-h, --help This help",
6299 "-a, --apdu Show APDU requests and responses",
6300 "-v, --verbose Verbose output",
6301 "-n, --keyno <dec> Key number",
6302 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6303 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6304 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6305 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6306 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6307 "-c, --ccset <native|niso|iso> Communicaton command set",
6308 "--schann <d40|ev1|ev2|lrp> Secure channel",
6309 "--aid <hex> Application ID (3 hex bytes, big endian)",
6310 "--fid <hex> File ID (1 hex byte)",
6311 "--no-auth Execute without authentication",
6312 "--type <auto|data|value|record|mac> File Type, Auto - check file settings and then read. (def: auto)",
6313 "-o, --offset <hex> File Offset (3 hex bytes, big endian). For records - record number (0 - lastest record). (def: 0)",
6314 "-l, --length <hex> Length to read (3 hex bytes, big endian -> 000000 = Read all data). For records - records count (0 - all). (def: 0)",
6315 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
6316 "--fileisoid <hex> File ISO ID (ISO DF ID) (2 hex bytes, big endian). Works only for ISO read commands",
6317 "--isochain use iso chaining commands. Switched on by default if secure channel = lrp"
6319 "usage": "hf mfdes read [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--fid <hex>] [--no-auth] [--type <auto|data|value|record|mac>] [-o <hex>] [-l <hex>] [--isoid <hex>] [--fileisoid <hex>] [--isochain]"
6321 "hf mfdes selectapp": {
6322 "command": "hf mfdes selectapp",
6323 "description": "Select application on the card. It selects app if it is a valid one or returns an error.",
6325 "hf mfdes selectapp --aid 123456 -> select application 123456",
6326 "hf mfdes selectapp --mf -> select master file (PICC level)",
6327 "hf mfdes selectapp --dfname aid123456 -> select application aid123456 by DF name",
6328 "hf mfdes selectapp --isoid 1111 -> select application 1111 by ISO ID",
6329 "hf mfdes selectapp --isoid 1111 --fileisoid 2222 -> select application 1111 file 2222 by ISO ID",
6330 "hf mfdes selectapp --isoid 01df --fileisoid 00ef -> select file 00 on the Desfire Light"
6334 "-h, --help This help",
6335 "-a, --apdu Show APDU requests and responses",
6336 "-v, --verbose Verbose output",
6337 "-n, --keyno <dec> Key number",
6338 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6339 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6340 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6341 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6342 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6343 "-c, --ccset <native|niso|iso> Communicaton command set",
6344 "--schann <d40|ev1|ev2|lrp> Secure channel",
6345 "--aid <hex> Application ID of application for some parameters (3 hex bytes, big endian)",
6346 "--dfname <str> Application DF Name (string, max 16 chars). Selects application via ISO SELECT command",
6347 "--mf Select MF (master file) via ISO channel",
6348 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
6349 "--fileisoid <hex> Select file inside application by ISO ID (ISO DF ID) (2 hex bytes, big endian)."
6351 "usage": "hf mfdes selectapp [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--dfname <str>] [--mf] [--isoid <hex>] [--fileisoid <hex>]"
6353 "hf mfdes setconfig": {
6354 "command": "hf mfdes setconfig",
6355 "description": "Set card configuration. WARNING! Danger zone! Needs to provide card's master key and works if not blocked by config.",
6357 "More about options MF2DLHX0.pdf.",
6359 "00h PICC configuration.",
6362 "04h Secure Messaging Configuration.",
6363 "05h Capability data. (here change for LRP in the Desfire Light [enable 00000000010000000000])",
6364 "06h DF Name renaming (one-time)",
6365 "08h File renaming (one-time)",
6366 "09h Value file configuration (one-time)",
6367 "0Ah Failed authentication counter setting [disable 00ffffffff]",
6368 "0Bh HW configuration",
6370 "hf mfdes setconfig --param 03 --data 0428 -> set SAK",
6371 "hf mfdes setconfig --param 02 --data 0875778102637264 -> set ATS (first byte - length)",
6372 "hf mfdes setconfig --isoid df01 -t aes --schann ev2 --param 05 --data 00000000020000000000 -> set LRP mode enable for Desfire Light",
6373 "hf mfdes setconfig --isoid df01 -t aes --schann ev2 --param 0a --data 00ffffffff -> Disable failed auth counters for Desfire Light",
6374 "hf mfdes setconfig --isoid df01 -t aes --schann lrp --param 0a --data 00ffffffff -> Disable failed auth counters for Desfire Light via lrp"
6378 "-h, --help This help",
6379 "-a, --apdu Show APDU requests and responses",
6380 "-v, --verbose Verbose output",
6381 "-n, --keyno <dec> Key number",
6382 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6383 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6384 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6385 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6386 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6387 "-c, --ccset <native|niso|iso> Communicaton command set",
6388 "--schann <d40|ev1|ev2|lrp> Secure channel",
6389 "--aid <hex> Application ID of application for some parameters (3 hex bytes, big endian)",
6390 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian).",
6391 "-p, --param <hex> Parameter id (1 hex byte)",
6392 "-d, --data <hex> Data for parameter (1..30 hex bytes)"
6394 "usage": "hf mfdes setconfig [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [-p <hex>] [-d <hex>]"
6397 "command": "hf mfdes test",
6398 "description": "Regression crypto tests",
6404 "-h, --help This help"
6406 "usage": "hf mfdes test [-h]"
6409 "command": "hf mfdes value",
6410 "description": "Get File Settings from file from application. Master key needs to be provided or flag --no-auth set (depend on cards settings).",
6412 "hf mfdes value --aid 123456 --fid 01 -> get value app=123456, file=01 with defaults from `default` command",
6413 "hf mfdes value --aid 123456 --fid 01 --op credit -d 00000001 -> credit value app=123456, file=01 with defaults from `default` command",
6414 "hf mfdes value -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> get value with default factory setup",
6415 "hf mfdes val --isoid df01 --fid 03 --schann lrp -t aes -n 1 --op credit --d 00000001 -m encrypt -> credit value in the lrp encrypted mode",
6416 "hf mfdes val --isoid df01 --fid 03 --schann lrp -t aes -n 1 --op get -m plain -> get value in plain (nevertheless of mode) works for desfire light (look SetConfiguration option 0x09)"
6420 "-h, --help This help",
6421 "-a, --apdu Show APDU requests and responses",
6422 "-v, --verbose Verbose output",
6423 "-n, --keyno <dec> Key number",
6424 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6425 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6426 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6427 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6428 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6429 "-c, --ccset <native|niso|iso> Communicaton command set",
6430 "--schann <d40|ev1|ev2|lrp> Secure channel",
6431 "--aid <hex> Application ID (3 hex bytes, big endian)",
6432 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
6433 "--fid <hex> File ID (1 hex byte)",
6434 "-o, --op <get/credit/limcredit/debit/clear> Operation: get(default)/credit/limcredit(limited credit)/debit/clear. Operation clear: get-getopt-debit to min value",
6435 "-d, --data <hex> Value for operation (HEX 4 bytes)",
6436 "--no-auth Execute without authentication"
6438 "usage": "hf mfdes value [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--isoid <hex>] [--fid <hex>] [-o <get/credit/limcredit/debit/clear>] [-d <hex>] [--no-auth]"
6441 "command": "hf mfdes write",
6442 "description": "Write data from file. Key needs to be provided or flag --no-auth set (depend on file settings).",
6444 "In the mode with CommitReaderID to decode previous reader id command needs to read transaction counter via dump/read command and specify --trkey",
6446 "hf mfdes write --aid 123456 --fid 01 -d 01020304 -> AID 123456, file=01, offset=0, get file type from card. use default channel settings from `default` command",
6447 "hf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --0ffset 000100 -> write data to std file with offset 0x100",
6448 "hf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --commit -> write data to backup file with commit",
6449 "hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 -> increment value file",
6450 "hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 --debit -> decrement value file",
6451 "hf mfdes write --aid 123456 --fid 01 -d 01020304 -> write data to file with `auto` type",
6452 "hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 -> write data to record file",
6453 "hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0 -> update record in the record file. record 0 - lastest record.",
6454 "hf mfdes write --aid 123456 --fid 01 --type record --offset 000000 -d 11223344 -> write record to record file. use default channel settings from `default` command",
6455 "hf mfdes write --isoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 -> write data to std/backup file via iso commandset",
6456 "hf mfdes write --isoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 -> send record to record file via iso commandset",
6457 "hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 -> write data to file with CommitReaderID command before write and CommitTransaction after write",
6458 "hf mfdes write --isoid df01 --fid 04 -d 01020304 --trkey 00112233445566778899aabbccddeeff --readerid 5532 -t aes --schann lrp -> advanced CommitReaderID via lrp channel sample"
6462 "-h, --help This help",
6463 "-a, --apdu Show APDU requests and responses",
6464 "-v, --verbose Verbose output",
6465 "-n, --keyno <dec> Key number",
6466 "-t, --algo <DES|2TDEA|3TDEA|AES> Crypt algo",
6467 "-k, --key <hex> Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)",
6468 "--kdf <none|AN10922|gallagher> Key Derivation Function (KDF)",
6469 "-i, --kdfi <hex> KDF input (1-31 hex bytes)",
6470 "-m, --cmode <plain|mac|encrypt> Communicaton mode",
6471 "-c, --ccset <native|niso|iso> Communicaton command set",
6472 "--schann <d40|ev1|ev2|lrp> Secure channel",
6473 "--aid <hex> Application ID (3 hex bytes, big endian)",
6474 "--fid <hex> File ID (1 hex byte)",
6475 "--no-auth Execute without authentication",
6476 "--type <auto|data|value|record|mac> File Type, Auto - check file settings and then write. (def: auto)",
6477 "-o, --offset <hex> File Offset (3 hex bytes, big endian). For records - record number (0 - lastest record). (def: 0)",
6478 "-d, --data <hex> data for write (data/record file), credit/debit(value file)",
6479 "--debit use for value file debit operation instead of credit",
6480 "--commit commit needs for backup file only. For the other file types and in the `auto` mode - command set it automatically",
6481 "--updaterec <dec> Record number for update record command. Updates record instead of write. Lastest record - 0",
6482 "--isoid <hex> Application ISO ID (ISO DF ID) (2 hex bytes, big endian)",
6483 "--fileisoid <hex> File ISO ID (ISO DF ID) (2 hex bytes, big endian). Works only for ISO write commands",
6484 "--readerid <hex> reader id for CommitReaderID command. If present - the command issued before write command",
6485 "--trkey <hex> key for decode previous reader id"
6487 "usage": "hf mfdes write [-hav] [-n <dec>] [-t <DES|2TDEA|3TDEA|AES>] [-k <hex>] [--kdf <none|AN10922|gallagher>] [-i <hex>] [-m <plain|mac|encrypt>] [-c <native|niso|iso>] [--schann <d40|ev1|ev2|lrp>] [--aid <hex>] [--fid <hex>] [--no-auth] [--type <auto|data|value|record|mac>] [-o <hex>] [-d <hex>] [--debit] [--commit] [--updaterec <dec>] [--isoid <hex>] [--fileisoid <hex>] [--readerid <hex>] [--trkey <hex>]"
6490 "command": "hf mfp auth",
6491 "description": "Executes AES authentication command for MIFARE Plus card",
6493 "hf mfp auth --ki 4000 --key 000102030405060708090a0b0c0d0e0f -> executes authentication",
6494 "hf mfp auth --ki 9003 --key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -v -> executes authentication and shows all the system data"
6498 "-h, --help This help",
6499 "-v, --verbose Verbose output",
6500 "--ki <hex> Key number, 2 hex bytes",
6501 "--key <hex> Key, 16 hex bytes"
6503 "usage": "hf mfp auth [-hv] --ki <hex> --key <hex>"
6506 "command": "hf mfp chconf",
6507 "description": "Change the configuration on a Mifare Plus tag. DANGER!",
6509 "This requires Card Master Key (9000) or Card Configuration Key (9001).",
6510 "Configuration block info can be found below.",
6511 "* Block B000 (00; CMK): Max amount of commands without MAC (byte 0), as well as plain mode access (unknown).",
6512 "* Block B001 (01; CCK): Installation identifier for Virtual Card. Please consult NXP for data.",
6513 "* Block B002 (02; CCK): ATS data.",
6514 "* Block B003 (03; CCK): Use Random ID in SL3, decide whether proximity check is mandatory.",
6515 "* DO NOT WRITE THIS BLOCK UNDER ANY CIRCUMSTANCES! Risk of bricking.",
6516 "More configuration tips to follow. Check JMY600 Series IC Card Module.",
6517 "hf mfp chconf -c 00 -d 10ffffffffffffffffffffffffffffff --key A0A1A2A3A4A5A6A7A0A1A2A3A4A5A6A7 -> Allow 16 commands without MAC in a single transaction."
6521 "-h, --help This help",
6522 "-v, --verbose Verbose output",
6523 "--nmr Do not expect MAC in response",
6524 "-c, --conf <hex> Config block number, 0-3",
6525 "-k, --key <hex> Card key, 16 hex bytes",
6526 "--cck Auth as Card Configuration key instead of Card Master Key",
6527 "-d, --data <hex> New configuration data, 16 hex bytes"
6529 "usage": "hf mfp chconf [-hv] [--nmr] -c <hex> [-k <hex>] [--cck] -d <hex>"
6532 "command": "hf mfp chk",
6533 "description": "Checks keys on MIFARE Plus card",
6535 "hf mfp chk -k 000102030405060708090a0b0c0d0e0f -> check key on sector 0 as key A and B",
6536 "hf mfp chk -s 2 -a -> check default key list on sector 2, only key A",
6537 "hf mfp chk -d mfp_default_keys -s0 -e6 -> check keys from dictionary against sectors 0-6",
6538 "hf mfp chk --pattern1b --dump -> check all 1-byte keys pattern and save found keys to file",
6539 "hf mfp chk --pattern2b --startp2b FA00 -> check all 2-byte keys pattern. Start from key FA00FA00...FA00"
6543 "-h, --help This help",
6544 "-a, --keya Check only key A (def: check all keys)",
6545 "-b, --keyb Check only key B (def: check all keys)",
6546 "-s, --startsec <0..255> Start sector number",
6547 "-e, --endsec <0..255> End sector number",
6548 "-k, --key <hex> Key for checking (HEX 16 bytes)",
6549 "-d, --dict <fn> Dictionary file with keys",
6550 "--pattern1b Check all 1-byte combinations of key (0000...0000, 0101...0101, 0202...0202, ...)",
6551 "--pattern2b Check all 2-byte combinations of key (0000...0000, 0001...0001, 0002...0002, ...)",
6552 "--startp2b <pattern> Start key (2-byte HEX) for 2-byte search (use with `--pattern2b`)",
6553 "--dump Dump found keys to JSON file",
6554 "-v, --verbose Verbose output"
6556 "usage": "hf mfp chk [-habv] [-s <0..255>] [-e <0..255>] [-k <hex>] [-d <fn>] [--pattern1b] [--pattern2b] [--startp2b <pattern>] [--dump]"
6559 "command": "hf mfp chkey",
6560 "description": "Change the keys on a Mifare Plus tag",
6562 "This requires the key that can update the key that you are trying to update.",
6563 "hf mfp chkey --ki 401f -d FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF --key A0A1A2A3A4A5A6A7A0A1A2A3A4A5A6A7 -> Change key B for Sector 15 from MAD to default",
6564 "hf mfp chkey --ki 9000 -d 32F9351A1C02B35FF97E0CA943F814F6 --key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> Change card master key to custom from default"
6568 "-h, --help This help",
6569 "-v, --verbose Verbose output",
6570 "--nmr Do not expect MAC in response",
6571 "--ki <hex> Key Index, 2 hex bytes",
6572 "-k, --key <hex> Current sector key, 16 hex bytes",
6573 "-b, --typeb Sector key is key B",
6574 "-d, --data <hex> New key, 16 hex bytes"
6576 "usage": "hf mfp chkey [-hvb] [--nmr] --ki <hex> [-k <hex>] -d <hex>"
6579 "command": "hf mfp commitp",
6580 "description": "Executes Commit Perso command. Can be used in SL0 mode only. OBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written.",
6586 "-h, --help This help",
6587 "-v, --verbose Verbose output"
6589 "usage": "hf mfp commitp [-hv]"
6592 "command": "hf mfp dump",
6593 "description": "Dump MIFARE Plus tag to file (bin/json) If no <name> given, UID will be used as filename",
6596 "hf mfp dump --keys hf-mf-066C8B78-key.bin -> MIFARE Plus with keys from specified file"
6600 "-h, --help This help",
6601 "-f, --file <fn> Specify a filename for dump file",
6602 "-k, --keys <fn> Specify a filename for keys file"
6604 "usage": "hf mfp dump [-h] [-f <fn>] [-k <fn>]"
6607 "command": "hf mfp help",
6608 "description": "help This help list List MIFARE Plus history --------------------------------------------------------------------------------------- hf mfp list available offline: yes Alias of `trace list -t mfp -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
6610 "hf mfp list --frame -> show frame delay times",
6611 "hf mfp list -1 -> use trace buffer"
6615 "-h, --help This help",
6616 "-1, --buffer use data from trace buffer",
6617 "--frame show frame delay times",
6618 "-c mark CRC bytes",
6619 "-r show relative times (gap and duration)",
6620 "-u display times in microseconds instead of clock cycles",
6621 "-x show hexdump to convert to pcap(ng)",
6622 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
6623 "-f, --file <fn> filename of dictionary"
6625 "usage": "hf mfp list [-h1crux] [--frame] [-f <fn>]"
6628 "command": "hf mfp info",
6629 "description": "Get info from MIFARE Plus tags",
6635 "-h, --help This help"
6637 "usage": "hf mfp info [-h]"
6640 "command": "hf mfp initp",
6641 "description": "Executes Write Perso command for all card's keys. Can be used in SL0 mode only.",
6643 "hf mfp initp --key 000102030405060708090a0b0c0d0e0f -> fill all the keys with key (00..0f)",
6644 "hf mfp initp -vv -> fill all the keys with default key(0xff..0xff) and show all the data exchange"
6648 "-h, --help This help",
6649 "-v, --verbose Verbose output",
6650 "-k, --key <hex> Key, 16 hex bytes"
6652 "usage": "hf mfp initp [-hv] [-k <hex>]"
6655 "command": "hf mfp mad",
6656 "description": "Checks and prints MIFARE Application Directory (MAD)",
6659 "hf mfp mad --aid e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> read and print NDEF data from MAD aid"
6663 "-h, --help This help",
6664 "-v, --verbose Verbose output",
6665 "--aid <hex> Print all sectors with aid",
6666 "-k, --key <hex> Key for printing sectors",
6667 "-b, --keyb Use key B for access printing sectors (def: key A)",
6668 "--be (optional: BigEndian)",
6669 "--dch Decode Card Holder information"
6671 "usage": "hf mfp mad [-hvb] [--aid <hex>] [-k <hex>] [--be] [--dch]"
6673 "hf mfp ndefformat": {
6674 "command": "hf mfp ndefformat",
6675 "description": "format MIFARE Plus Tag as a NFC tag with Data Exchange Format (NDEF) If no <name> given, UID will be used as filename. It will try default keys and MAD keys to detect if tag is already formatted in order to write. If not, it will try finding a key file based on your UID. ie, if you ran autopwn before",
6677 "hf mfp ndefformat",
6678 "hf mfp ndefformat --keys hf-mf-01020304-key.bin -> with keys from specified file"
6682 "-h, --help This help",
6683 "-k, --keys <fn> filename of keys"
6685 "usage": "hf mfp ndefformat [-h] [-k <fn>]"
6687 "hf mfp ndefread": {
6688 "command": "hf mfp ndefread",
6689 "description": "Prints NFC Data Exchange Format (NDEF)",
6692 "hf mfp ndefread -vv -> shows NDEF parsed and raw data",
6693 "hf mfp ndefread --aid e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data with custom AID and key",
6694 "hf mfp ndefread -f myfilename -> save raw NDEF to file"
6698 "-h, --help This help",
6699 "-v, --verbose verbose output",
6700 "--aid <aid> replace default aid for NDEF",
6701 "-k, --key <key> replace default key for NDEF",
6702 "-b, --keyb use key B for access sectors (by default: key A)",
6703 "-f, --file <fn> save raw NDEF to file"
6705 "usage": "hf mfp ndefread [-hvb] [--aid <aid>] [-k <key>] [-f <fn>]"
6707 "hf mfp ndefwrite": {
6708 "command": "hf mfp ndefwrite",
6709 "description": "Write raw NDEF hex bytes to tag. This commands assumes tag already been NFC/NDEF formatted.",
6711 "hf mfp ndefwrite -d 0300FE -> write empty record to tag",
6712 "hf mfp ndefwrite -f myfilename",
6713 "hf mfp ndefwrite -d 033fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031"
6717 "-h, --help This help",
6718 "-d <hex> raw NDEF hex bytes",
6719 "-f, --file <fn> write raw NDEF file to tag",
6720 "-p fix NDEF record headers / terminator block if missing",
6721 "-v, --verbose verbose output"
6723 "usage": "hf mfp ndefwrite [-hpv] [-d <hex>] [-f <fn>]"
6726 "command": "hf mfp rdbl",
6727 "description": "Reads blocks from MIFARE Plus card",
6729 "hf mfp rdbl --blk 0 --key 000102030405060708090a0b0c0d0e0f -> executes authentication and read block 0 data",
6730 "hf mfp rdbl --blk 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF"
6734 "-h, --help This help",
6735 "-v, --verbose Verbose output",
6736 "-n, --count <dec> Blocks count (def: 1)",
6737 "-b, --keyb Use key B (def: keyA)",
6738 "-p, --plain Do not use encrypted communication mode between reader and card",
6739 "--nmc Do not append MAC to command",
6740 "--nmr Do not expect MAC in reply",
6741 "--blk <0..255> Block number",
6742 "-k, --key <hex> Key, 16 hex bytes"
6744 "usage": "hf mfp rdbl [-hvbp] [-n <dec>] [--nmc] [--nmr] --blk <0..255> [-k <hex>]"
6747 "command": "hf mfp rdsc",
6748 "description": "Reads one sector from MIFARE Plus card",
6750 "hf mfp rdsc -s 0 --key 000102030405060708090a0b0c0d0e0f -> executes authentication and read sector 0 data",
6751 "hf mfp rdsc -s 1 -v -> executes authentication and shows sector 1 data with default key"
6755 "-h, --help This help",
6756 "-v, --verbose Verbose output",
6757 "-b, --keyb Use key B (def: keyA)",
6758 "-p, --plain Do not use encrypted communication mode between reader and card",
6759 "--nmc Do not append MAC to command",
6760 "--nmr Do not expect MAC in reply",
6761 "-s, --sn <0..255> Sector number",
6762 "-k, --key <hex> Key, 16 hex bytes"
6764 "usage": "hf mfp rdsc [-hvbp] [--nmc] [--nmr] -s <0..255> [-k <hex>]"
6767 "command": "hf mfp wrbl",
6768 "description": "Writes one block to MIFARE Plus card",
6770 "hf mfp wrbl --blk 1 -d ff0000000000000000000000000000ff --key 000102030405060708090a0b0c0d0e0f -> write block 1 data",
6771 "hf mfp wrbl --blk 2 -d ff0000000000000000000000000000ff -v -> write block 2 data with default key 0xFF..0xFF"
6775 "-h, --help This help",
6776 "-v, --verbose Verbose output",
6777 "-b, --keyb Use key B (def: keyA)",
6778 "--blk <0..255> Block number",
6779 "-p, --plain Do not use encrypted transmission",
6780 "--nmr Do not expect MAC in response",
6781 "-d, --data <hex> Data, 16 hex bytes",
6782 "-k, --key <hex> Key, 16 hex bytes"
6784 "usage": "hf mfp wrbl [-hvbp] --blk <0..255> [--nmr] -d <hex> [-k <hex>]"
6787 "command": "hf mfp wrp",
6788 "description": "Executes Write Perso command. Can be used in SL0 mode only.",
6790 "Use this command to program AES keys, as well as personalize other data on the tag.",
6792 "* Address 00 [00-FF]: Memory blocks (as well as ACLs and Crypto1 keys)",
6793 "* Address 40 [00-40]: AES sector keys",
6794 "* Address 90 [00-04]: AES administrative keys",
6795 "* Address A0 [00, 01, 80, 81]: Virtual Card keys",
6796 "* Address B0 [00-03]: Configuration data (DO NOT TOUCH B003)",
6798 "hf mfp wrp --adr 4000 --data 000102030405060708090a0b0c0d0e0f -> write key (00..0f) to key number 4000",
6799 "hf mfp wrp --adr 4000 -> write default key(0xff..0xff) to key number 4000",
6800 "hf mfp wrp --adr b000 -d FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> allow 255 commands without MAC in configuration block (B000)",
6801 "hf mfp wrp --adr 0003 -d 1234561234567F078869B0B1B2B3B4B5 -> write crypto1 keys A: 123456123456 and B: B0B1B2B3B4B5 to block 3"
6805 "-h, --help This help",
6806 "-v, --verbose Verbose output",
6807 "-a, --adr <hex> Address, 2 hex bytes",
6808 "-d, --data <hex> Data, 16 hex bytes"
6810 "usage": "hf mfp wrp [-hv] -a <hex> [-d <hex>]"
6813 "command": "hf mfu amiibo",
6814 "description": "Tries to read all memory from amiibo tag and decrypt it",
6816 "hf mfu amiiboo --dec -f hf-mfu-04579DB27C4880-dump.bin -> decrypt file",
6817 "hf mfu amiiboo -v --dec -> decrypt tag"
6821 "-h, --help This help",
6822 "--dec Decrypt memory",
6823 "--enc Encrypt memory",
6824 "-i, --in <fn> Specify a filename for input dump file",
6825 "-o, --out <fn> Specify a filename for output dump file",
6826 "-v, --verbose Verbose output"
6828 "usage": "hf mfu amiibo [-hv] [--dec] [--enc] [-i <fn>] [-o <fn>]"
6831 "command": "hf mfu cauth",
6832 "description": "Tests 3DES password on Mifare Ultralight-C tag. If password is not specified, a set of known defaults will be tested.",
6835 "hf mfu cauth --key 000102030405060708090a0b0c0d0e0f"
6839 "-h, --help This help",
6840 "--key <hex> Authentication key (UL-C 16 hex bytes)",
6841 "-l Swap entered key's endianness",
6842 "-k Keep field on (only if a password is provided)"
6844 "usage": "hf mfu cauth [-hlk] [--key <hex>]"
6847 "command": "hf mfu dump",
6848 "description": "Dump MIFARE Ultralight/NTAG tag to files (bin/json) It autodetects card type.Supports: Ultralight, Ultralight-C, Ultralight EV1 NTAG 203, NTAG 210, NTAG 212, NTAG 213, NTAG 215, NTAG 216",
6850 "hf mfu dump -f myfile",
6851 "hf mfu dump -k AABBCCDD -> dump whole tag using pwd AABBCCDD",
6852 "hf mfu dump -p 10 -> start at page 10 and dump rest of blocks",
6853 "hf mfu dump -p 10 -q 2 -> start at page 10 and dump two blocks",
6854 "hf mfu dump --key 00112233445566778899AABBCCDDEEFF"
6858 "-h, --help This help",
6859 "-f, --file <fn> Specify a filename for dump file",
6860 "-k, --key <hex> Key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes)",
6861 "-l Swap entered key's endianness",
6862 "-p, --page <dec> Manually set start page number to start from",
6863 "-q, --qty <dec> Manually set number of pages to dump",
6864 "--ns no save to file",
6865 "-z, --dense dense dump output style"
6867 "usage": "hf mfu dump [-hlz] [-f <fn>] [-k <hex>] [-p <dec>] [-q <dec>] [--ns]"
6870 "command": "hf mfu eload",
6871 "description": "Load emulator memory with data from (bin/eml/json) dump file",
6873 "hf mfu eload -f hf-mfu-04010203040506.bin",
6874 "hf mfu eload -f hf-mfu-04010203040506.bin -q 57 -> load 57 blocks from myfile"
6878 "-h, --help This help",
6879 "-f, --file <fn> Specify a filename for dump file",
6880 "-q, --qty <dec> Number of blocks to load from eml file",
6881 "-v, --verbose verbose output"
6883 "usage": "hf mfu eload [-hv] -f <fn> [-q <dec>]"
6886 "command": "hf mfu esave",
6887 "description": "Saves emulator memory to a MIFARE Ultralight/NTAG dump file (bin/json) By default number of pages saved depends on defined tag type. You can override this with option --end.",
6890 "hf mfu esave --end 255 -> saves whole memory",
6891 "hf mfu esave -f hf-mfu-04010203040506-dump"
6895 "-h, --help This help",
6896 "-e, --end <dec> index of last block",
6897 "-f, --file <fn> Specify a filename for dump file"
6899 "usage": "hf mfu esave [-h] [-e <dec>] [-f <fn>]"
6902 "command": "hf mfu eview",
6903 "description": "Displays emulator memory By default number of pages shown depends on defined tag type. You can override this with option --end.",
6906 "hf mfu eview --end 255 -> dumps whole memory"
6910 "-h, --help This help",
6911 "-e, --end <dec> index of last block",
6912 "-z, --dense dense dump output style"
6914 "usage": "hf mfu eview [-hz] [-e <dec>]"
6917 "command": "hf mfu help",
6918 "description": "help This help list List MIFARE Ultralight / NTAG history keygen Generate DES/3DES/AES MIFARE diversified keys pwdgen Generate pwd from known algos view Display content from tag dump file --------------------------------------------------------------------------------------- hf mfu list available offline: yes Alias of `trace list -t 14a -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
6920 "hf 14a list --frame -> show frame delay times",
6921 "hf 14a list -1 -> use trace buffer"
6925 "-h, --help This help",
6926 "-1, --buffer use data from trace buffer",
6927 "--frame show frame delay times",
6928 "-c mark CRC bytes",
6929 "-r show relative times (gap and duration)",
6930 "-u display times in microseconds instead of clock cycles",
6931 "-x show hexdump to convert to pcap(ng)",
6932 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
6933 "-f, --file <fn> filename of dictionary"
6935 "usage": "hf 14a list [-h1crux] [--frame] [-f <fn>]"
6938 "command": "hf mfu info",
6939 "description": "Get info about MIFARE Ultralight Family styled tag. Sometimes the tags are locked down, and you may need a key to be able to read the information",
6942 "hf mfu info -k AABBCCDD",
6943 "hf mfu info --key 00112233445566778899AABBCCDDEEFF"
6947 "-h, --help This help",
6948 "-k, --key <hex> Authentication key (UL-C 16 bytes, EV1/NTAG 4 bytes)",
6949 "-l Swap entered key's endianness",
6950 "--force override `hw dbg` settings"
6952 "usage": "hf mfu info [-hl] [-k <hex>] [--force]"
6955 "command": "hf mfu keygen",
6956 "description": "Set the DES/3DES/AES key on MIFARE Ultralight-C tag.",
6959 "hf mfu keygen --uid 11223344556677"
6963 "-h, --help This help",
6964 "-u, --uid <hex> <4|7> hex byte UID",
6965 "-r Read UID from tag",
6966 "-b, --blk <dec> Block number"
6968 "usage": "hf mfu keygen [-hr] [-u <hex>] [-b <dec>]"
6970 "hf mfu ndefread": {
6971 "command": "hf mfu ndefread",
6972 "description": "Prints NFC Data Exchange Format (NDEF)",
6974 "hf mfu ndefread -> shows NDEF data",
6975 "hf mfu ndefread -k ffffffff -> shows NDEF data with key",
6976 "hf mfu ndefread -f myfilename -> save raw NDEF to file"
6980 "-h, --help This help",
6981 "-l Swap entered key's endianness",
6982 "-f, --file <fn> Save raw NDEF to file",
6983 "-v, --verbose Verbose output"
6985 "usage": "hf mfu ndefread [-hlv] [-k Replace default key for NDEF] [-f <fn>]"
6988 "command": "hf mfu otptear",
6989 "description": "Tear-off test against OTP block",
6991 "hf mfu otptear -b 3",
6992 "hf mfu otptear -b 3 -i 100 -s 1000",
6993 "hf mfu otptear -b 3 -i 1 -e 200",
6994 "hf mfu otptear -b 3 -i 100 -s 200 -e 2500 -d FFFFFFFF -t EEEEEEEE",
6995 "hf mfu otptear -b 3 -i 100 -s 200 -e 2500 -d FFFFFFFF -t EEEEEEEE -m 00000000 -> quit when OTP is reset"
6999 "-h, --help This help",
7000 "-b, --blk <dec> target block (def 8)",
7001 "-i, --inc <dec> increase time steps (def 500 us)",
7002 "-e, --end <dec> end time (def 3000 us)",
7003 "-s, --start <dec> start time (def 0 us)",
7004 "-d, --data <hex> initialise data before run (4 bytes)",
7005 "-t, --test <hex> test write data (4 bytes, 00000000 by default)",
7006 "-m, --match <hex> exit criteria, if block matches this value (4 bytes)"
7008 "usage": "hf mfu otptear [-h] [-b <dec>] [-i <dec>] [-e <dec>] [-s <dec>] [-d <hex>] [-t <hex>] [-m <hex>]"
7011 "command": "hf mfu pwdgen",
7012 "description": "Generate different passwords from known pwdgen algos",
7016 "hf mfu pwdgen --uid 11223344556677"
7020 "-h, --help This help",
7021 "-u, --uid <hex> UID (7 hex bytes)",
7022 "-r Read UID from tag",
7025 "usage": "hf mfu pwdgen [-hrt] [-u <hex>]"
7028 "command": "hf mfu rdbl",
7029 "description": "Read a block and print. It autodetects card type.",
7032 "hf mfu rdbl -b 0 -k AABBCCDD",
7033 "hf mfu rdbl -b 0 --key 00112233445566778899AABBCCDDEEFF"
7037 "-h, --help This help",
7038 "-k, --key <hex> Authentication key (UL-C 16 bytes, EV1/NTAG 4 bytes)",
7039 "-l Swap entered key's endianness",
7040 "-b, --block <dec> Block number to read",
7041 "--force Force operation even if address is out of range"
7043 "usage": "hf mfu rdbl [-hl] [-k <hex>] -b <dec> [--force]"
7046 "command": "hf mfu restore",
7047 "description": "Restore MIFARE Ultralight/NTAG dump file (bin/eml/json) to tag.",
7049 "hf mfu restore -f myfile -s -> special write",
7050 "hf mfu restore -f myfile -k AABBCCDD -s -> special write, use key",
7051 "hf mfu restore -f myfile -k AABBCCDD -ser -> special write, use key, write dump pwd, ..."
7055 "-h, --help This help",
7056 "-f, --file <fn> Specify a filename for dump file",
7057 "-k, --key <hex> key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes)",
7058 "-l swap entered key's endianness",
7059 "-s enable special write UID -MAGIC TAG ONLY-",
7060 "-e enable special write version/signature -MAGIC NTAG 21* ONLY-",
7061 "-r use password found in dumpfile to configure tag. Requires '-e' parameter to work",
7062 "-v, --verbose verbose output",
7063 "-z, --dense dense dump output style"
7065 "usage": "hf mfu restore [-hlservz] -f <fn> [-k <hex>]"
7068 "command": "hf mfu setpwd",
7069 "description": "Set the 3DES key on MIFARE Ultralight-C tag.",
7071 "hf mfu setpwd --key 000102030405060708090a0b0c0d0e0f"
7075 "-h, --help This help",
7076 "-k, --key <hex> New key (16 hex bytes)"
7078 "usage": "hf mfu setpwd [-h] [-k <hex>]"
7081 "command": "hf mfu setuid",
7082 "description": "Set UID on MIFARE Ultralight tag. This only works for `magic Ultralight` tags.",
7084 "hf mfu setuid --uid 11223344556677"
7088 "-h, --help This help",
7089 "-u, --uid <hex> New UID (7 hex bytes)"
7091 "usage": "hf mfu setuid [-h] [-u <hex>]"
7094 "command": "hf mfu sim",
7095 "description": "Simulate MIFARE Ultralight family type based upon ISO/IEC 14443 type A tag with 4,7 or 10 byte UID from emulator memory. See `hf mfu eload` first. The UID from emulator memory will be used if not specified. See `hf 14a sim -h` to see available types. You want 2 or 7 usually.",
7097 "hf mfu sim -t 2 --uid 11223344556677 -> MIFARE Ultralight",
7098 "hf mfu sim -t 7 --uid 11223344556677 -n 5 -> MFU EV1 / NTAG 215 Amiibo",
7099 "hf mfu sim -t 7 -> MFU EV1 / NTAG 215 Amiibo"
7103 "-h, --help This help",
7104 "-t, --type <1..12> Simulation type to use",
7105 "-u, --uid <hex> <4|7|10> hex bytes UID",
7106 "-n, --num <dec> Exit simulation after <numreads> blocks. 0 = infinite",
7107 "-v, --verbose Verbose output"
7109 "usage": "hf mfu sim [-hv] -t <1..12> [-u <hex>] [-n <dec>]"
7112 "command": "hf mfu tamper",
7113 "description": "Set the configuration of the NTAG 213TT tamper feature Supports: NTAG 213TT",
7115 "hf mfu tamper -e -> enable tamper feature",
7116 "hf mfu tamper -d -> disable tamper feature",
7117 "hf mfu tamper -m 0A0A0A0A -> set the tamper message to 0A0A0A0A",
7118 "hf mfu tamper --lockmessage -> permanently lock the tamper message and mask it from memory"
7122 "-h, --help This help",
7123 "-e, --enable Enable the tamper feature",
7124 "-d, --disable Disable the tamper feature",
7125 "-m, --message <hex> Set the tamper message (4 bytes)",
7126 "--lockmessage Permanently lock the tamper message and mask it from memory (does not lock tamper feature itself)"
7128 "usage": "hf mfu tamper [-hed] [-m <hex>] [--lockmessage]"
7131 "command": "hf mfu view",
7132 "description": "Print a MIFARE Ultralight/NTAG dump file (bin/eml/json)",
7134 "hf mfu view -f hf-mfu-01020304-dump.bin"
7138 "-h, --help This help",
7139 "-f, --file <fn> Specify a filename for dump file",
7140 "-v, --verbose Verbose output",
7141 "-z, --dense dense dump output style"
7143 "usage": "hf mfu view [-hvz] -f <fn>"
7146 "command": "hf mfu wipe",
7147 "description": "Wipe card to zeros. It will ignore block0,1,2,3 you will need to call it with password in order to wipe the config and sett default pwd/pack Abort by pressing a key New password... FFFFFFFF",
7153 "-h, --help This help",
7154 "-k, --key <hex> Key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes)",
7155 "-l Swap entered key's endianness"
7157 "usage": "hf mfu wipe [-hl] [-k <hex>]"
7160 "command": "hf mfu wrbl",
7161 "description": "Write a block. It autodetects card type.",
7163 "hf mfu wrbl -b 0 -d 01234567",
7164 "hf mfu wrbl -b 0 -d 01234567 -k AABBCCDD",
7165 "hf mfu wrbl -b 0 -d 01234567 -k 00112233445566778899AABBCCDDEEFF"
7169 "-h, --help This help",
7170 "-k, --key <hex> Authentication key (UL-C 16 bytes, EV1/NTAG 4 bytes)",
7171 "-l Swap entered key's endianness",
7172 "-b, --block <dec> Block number to write",
7173 "-d, --data <hex> Block data (4 or 16 hex bytes, 16 hex bytes will do a compatibility write)",
7174 "--force Force operation even if address is out of range"
7176 "usage": "hf mfu wrbl [-hl] [-k <hex>] -b <dec> -d <hex> [--force]"
7178 "hf ntag424 auth": {
7179 "command": "hf ntag424 auth",
7180 "description": "Authenticate with selected key against NTAG424.",
7182 "hf ntag424 auth --keyno 0 -k 00000000000000000000000000000000"
7186 "-h, --help This help",
7187 "--keyno <dec> Key number",
7188 "-k, --key <hex> Key for authenticate (HEX 16 bytes)"
7190 "usage": "hf ntag424 auth [-h] --keyno <dec> -k <hex>"
7192 "hf ntag424 changefs": {
7193 "command": "hf ntag424 changefs",
7194 "description": "Updates file settings for file, must be authenticated. This is a short explanation of the settings. See AN12196 for more information: options: byte with bit flags Bit: Setting: 6 Enable SDM and mirroring access: two byte access rights. Each nibble is a key number, or E for free access. Order is key for readwrite, change, read and write sdmoptions: byte with bit flags Bit: Setting: 0 ASCII encoding 4 SDMEncFileData 5 SDMReadCtrLimit 6 SDMReadCtr 7 SDMOptionsUID sdmaccess: two byte access rights. Each nibble is a key, or E for plain mirror and F for no mirroring Order is Reserved, SDMCtrRet, SDMMetaRead and SDMFileRead sdm_data: Three bytes of data used to control SDM settings. Can be specified multiple times. Data means different things depending on settings. Note: Not all of these settings will be written. It depends on the option byte, and the keys set. See AN12196 for more information. You must also start with sdmdata1, then sdmdata2, up to the number of sdm_data you want to write",
7196 "hf ntag424 changefs --fileno 2 --keyno 0 -k 00000000000000000000000000000000 -o 40 -a 00E0 -s C1 -c F000 --data1 000020 --data2 000043 --data3 000043"
7200 "-h, --help This help",
7201 "--fileno <dec> File number",
7202 "--keyno <dec> Key number",
7203 "-k, --key <hex> Key for authentication (HEX 16 bytes)",
7204 "-o, --options <hex> File options byte (HEX 1 byte)",
7205 "-a, --access <hex> File access settings (HEX 2 bytes)",
7206 "-s, --sdmoptions <hex> SDM options (HEX 1 byte)",
7207 "-c, --sdmaccess <hex> SDM access settings (HEX 2 bytes)",
7208 "--data1 <hex> SDM data (HEX 3 bytes)",
7209 "--data2 <hex> SDM data (HEX 3 bytes)",
7210 "--data3 <hex> SDM data (HEX 3 bytes)",
7211 "--data4 <hex> SDM data (HEX 3 bytes)",
7212 "--data5 <hex> SDM data (HEX 3 bytes)",
7213 "--data6 <hex> SDM data (HEX 3 bytes)",
7214 "--data7 <hex> SDM data (HEX 3 bytes)",
7215 "--data8 <hex> SDM data (HEX 3 bytes)"
7217 "usage": "hf ntag424 changefs [-h] --fileno <dec> --keyno <dec> -k <hex> [-o <hex>] [-a <hex>] [-s <hex>] [-c <hex>] [--data1 <hex>] [--data2 <hex>] [--data3 <hex>] [--data4 <hex>] [--data5 <hex>] [--data6 <hex>] [--data7 <hex>] [--data8 <hex>]"
7219 "hf ntag424 changekey": {
7220 "command": "hf ntag424 changekey",
7221 "description": "Change a key. Authentication key must currently be different to the one we want to change.",
7223 "hf ntag424 changekey --keyno 1 --oldkey 00000000000000000000000000000000 --newkey 11111111111111111111111111111111 --key0 00000000000000000000000000000000 --kv 1",
7224 "hf ntag424 changekey --keyno 0 --newkey 11111111111111111111111111111111 --key0 00000000000000000000000000000000 --kv 1"
7228 "-h, --help This help",
7229 "--keyno <dec> Key number to change",
7230 "--oldkey <hex> Old key (only needed when changing key 1-4, HEX 16 bytes)",
7231 "--newkey <hex> New key (HEX 16 bytes)",
7232 "--key0 <hex> Authentication key (must be key 0, HEX 16 bytes)",
7233 "--kv <dec> New key version number"
7235 "usage": "hf ntag424 changekey [-h] --keyno <dec> [--oldkey <hex>] --newkey <hex> --key0 <hex> --kv <dec>"
7237 "hf ntag424 getfs": {
7238 "command": "hf ntag424 getfs",
7239 "description": "Read and print file settings for file",
7241 "hf ntag424 getfs --fileno 2"
7245 "-h, --help This help",
7246 "--fileno <dec> File number"
7248 "usage": "hf ntag424 getfs [-h] --fileno <dec>"
7250 "hf ntag424 help": {
7251 "command": "hf ntag424 help",
7252 "description": "help This help view Display content from tag dump file --------------------------------------------------------------------------------------- hf ntag424 info available offline: no Get info about NXP NTAG424 DNA Family styled tag.",
7258 "-h, --help This help"
7260 "usage": "hf ntag424 info [-h]"
7262 "hf ntag424 read": {
7263 "command": "hf ntag424 read",
7264 "description": "Read and print data from file on NTAG424 tag. Will authenticate if key information is provided.",
7266 "hf ntag424 read --fileno 1 --keyno 0 -k 00000000000000000000000000000000 -o 0 -l 32",
7267 "hf ntag424 read --fileno 2 --keyno 0 -k 00000000000000000000000000000000 -o 0 -l 256",
7268 "hf ntag424 read --fileno 3 --keyno 3 -k 00000000000000000000000000000000 -o 0 -l 128 -m encrypt"
7272 "-h, --help This help",
7273 "--fileno <1|2|3> File number",
7274 "--keyno <dec> Key number",
7275 "-k, --key <hex> Key for authentication (HEX 16 bytes)",
7276 "-o, --offset <dec> Offset to read in file (def 0)",
7277 "-l, --length <dec> Number of bytes to read",
7278 "-m, --cmode <plain|mac|encrypt> Communication mode"
7280 "usage": "hf ntag424 read [-h] --fileno <1|2|3> [--keyno <dec>] [-k <hex>] [-o <dec>] -l <dec> [-m <plain|mac|encrypt>]"
7282 "hf ntag424 view": {
7283 "command": "hf ntag424 view",
7284 "description": "Print a NTAG 424 DNA dump file (bin/eml/json)",
7286 "hf ntag424 view -f hf-ntag424-01020304-dump.bin"
7290 "-h, --help This help",
7291 "-f, --file <fn> Specify a filename for dump file",
7292 "-v, --verbose Verbose output"
7294 "usage": "hf ntag424 view [-hv] -f <fn>"
7296 "hf ntag424 write": {
7297 "command": "hf ntag424 write",
7298 "description": "Write data to file on NTAG424 tag. Will authenticate if key information is provided.",
7300 "hf ntag424 write --fileno 2 --keyno 0 -k 00000000000000000000000000000000 -o 0 -d 1122334455667788",
7301 "hf ntag424 write --fileno 3 --keyno 3 -k 00000000000000000000000000000000 -o 0 -d 1122334455667788 -m encrypt"
7305 "-h, --help This help",
7306 "--fileno <1|2|3> File number (def 2)",
7307 "--keyno <dec> Key number",
7308 "-k, --key <hex> Key for authentication (HEX 16 bytes)",
7309 "-o, --offset <dec> Offset to write in file (def 0)",
7310 "-d, --data <hex> Data to write",
7311 "-m, --cmode <plain|mac|encrypt> Communication mode"
7313 "usage": "hf ntag424 write [-h] --fileno <1|2|3> [--keyno <dec>] [-k <hex>] [-o <dec>] -d <hex> [-m <plain|mac|encrypt>]"
7316 "command": "hf plot",
7317 "description": "Plots HF signal after RF signal path and A/D conversion.",
7319 "This can be used after any hf command and will show the last few milliseconds of the HF signal.",
7320 "Note: If the last hf command terminated because of a timeout you will most probably see nothing."
7324 "-h, --help This help"
7326 "usage": "hf plot [-h]"
7329 "command": "hf search",
7330 "description": "Will try to find a HF read out of the unknown tag. Continues to search for all different HF protocols.",
7336 "-h, --help This help",
7337 "-v, --verbose verbose output"
7339 "usage": "hf search [-hv]"
7342 "command": "hf seos help",
7343 "description": "help This help list List SEOS history --------------------------------------------------------------------------------------- hf seos info available offline: no Get info from SEOS tags",
7349 "-h, --help This help"
7351 "usage": "hf seos info [-h]"
7354 "command": "hf seos list",
7355 "description": "Alias of `trace list -t seos -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
7357 "hf seos list --frame -> show frame delay times",
7358 "hf seos list -1 -> use trace buffer"
7362 "-h, --help This help",
7363 "-1, --buffer use data from trace buffer",
7364 "--frame show frame delay times",
7365 "-c mark CRC bytes",
7366 "-r show relative times (gap and duration)",
7367 "-u display times in microseconds instead of clock cycles",
7368 "-x show hexdump to convert to pcap(ng)",
7369 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
7370 "-f, --file <fn> filename of dictionary"
7372 "usage": "hf seos list [-h1crux] [--frame] [-f <fn>]"
7375 "command": "hf sniff",
7376 "description": "The high frequency sniffer will assign all available memory on device for sniffed data. Use `data samples` to download from device and `data plot` to visualize it. Press button to quit the sniffing.",
7379 "hf sniff --sp 1000 --st 0 -> skip 1000 pairs, skip 0 triggers"
7383 "-h, --help This help",
7384 "--sp <dec> skip sample pairs",
7385 "--st <dec> skip number of triggers",
7386 "--smode [none|drop|min|max|avg] Skip mode. It switches on the function that applies to several samples before they saved to memory",
7387 "--sratio <dec, ms> Skip ratio. It applied the function above to (ratio * 2) samples. For ratio = 1 it 2 samples."
7389 "usage": "hf sniff [-h] [--sp <dec>] [--st <dec>] [--smode [none|drop|min|max|avg]] [--sratio <dec, ms>]"
7392 "command": "hf st25ta help",
7393 "description": "help This help list List ISO 14443A/7816 history ndefread read NDEF file on tag --------------------------------------------------------------------------------------- hf st25ta info available offline: no Get info about ST25TA tag",
7399 "-h, --help This help"
7401 "usage": "hf st25ta info [-h]"
7404 "command": "hf st25ta list",
7405 "description": "Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
7407 "hf st25ta list --frame -> show frame delay times",
7408 "hf st25ta list -1 -> use trace buffer"
7412 "-h, --help This help",
7413 "-1, --buffer use data from trace buffer",
7414 "--frame show frame delay times",
7415 "-c mark CRC bytes",
7416 "-r show relative times (gap and duration)",
7417 "-u display times in microseconds instead of clock cycles",
7418 "-x show hexdump to convert to pcap(ng)",
7419 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
7420 "-f, --file <fn> filename of dictionary"
7422 "usage": "hf st25ta list [-h1crux] [--frame] [-f <fn>]"
7424 "hf st25ta ndefread": {
7425 "command": "hf st25ta ndefread",
7426 "description": "Read NFC Data Exchange Format (NDEF) file on ST25TA",
7428 "hf st25ta ndefread -p 82E80053D4CA5C0B656D852CC696C8A1",
7429 "hf st25ta ndefread -f myfilename -> save raw NDEF to file"
7433 "-h, --help This help",
7434 "-p, --pwd <hex> 16 byte read password",
7435 "-f, --file <fn> save raw NDEF to file",
7436 "-v, --verbose verbose output"
7438 "usage": "hf st25ta ndefread [-hv] [-p <hex>] [-f <fn>]"
7440 "hf st25ta protect": {
7441 "command": "hf st25ta protect",
7442 "description": "Change read or write protection for NFC Data Exchange Format (NDEF) file on ST25TA",
7444 "hf st25ta protect -p 82E80053D4CA5C0B656D852CC696C8A1 -r -e -> enable read protection",
7445 "hf st25ta protect -p 82E80053D4CA5C0B656D852CC696C8A1 -w -d -> disable write protection"
7449 "-h, --help This help",
7450 "-e, --enable enable protection",
7451 "-d, --disable disable protection (default)",
7452 "-r, --read change read protection",
7453 "-w, --write change write protection (default)",
7454 "-p, --password <hex> 16 byte write password"
7456 "usage": "hf st25ta protect [-hedrw] -p <hex>"
7459 "command": "hf st25ta pwd",
7460 "description": "Change read or write password for NFC Data Exchange Format (NDEF) file on ST25TA",
7462 "hf st25ta pwd -p 82E80053D4CA5C0B656D852CC696C8A1 -r -n 00000000000000000000000000000000 -> change read password",
7463 "hf st25ta pwd -p 82E80053D4CA5C0B656D852CC696C8A1 -w -n 00000000000000000000000000000000 -> change write password"
7467 "-h, --help This help",
7468 "-r, --read change the read password (default)",
7469 "-w, --write change the write password",
7470 "-p, --password <hex> current 16 byte write password",
7471 "-n, --new <hex> new 16 byte password"
7473 "usage": "hf st25ta pwd [-hrw] -p <hex> -n <hex>"
7476 "command": "hf st25ta sim",
7477 "description": "Emulating ST25TA512B tag with 7 byte UID",
7479 "hf st25ta sim -u 02E2007D0FCA4C"
7483 "-h, --help This help",
7484 "-u, --uid <hex> 7 byte UID"
7486 "usage": "hf st25ta sim [-h] -u <hex>"
7489 "command": "hf tesla help",
7490 "description": "help This help list List ISO 14443A/7816 history --------------------------------------------------------------------------------------- hf tesla info available offline: no Get info about TESLA Key tag",
7496 "-h, --help This help"
7498 "usage": "hf telsa info [-h]"
7501 "command": "hf tesla list",
7502 "description": "Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
7504 "hf tesla list --frame -> show frame delay times",
7505 "hf tesla list -1 -> use trace buffer"
7509 "-h, --help This help",
7510 "-1, --buffer use data from trace buffer",
7511 "--frame show frame delay times",
7512 "-c mark CRC bytes",
7513 "-r show relative times (gap and duration)",
7514 "-u display times in microseconds instead of clock cycles",
7515 "-x show hexdump to convert to pcap(ng)",
7516 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
7517 "-f, --file <fn> filename of dictionary"
7519 "usage": "hf tesla list [-h1crux] [--frame] [-f <fn>]"
7522 "command": "hf texkom help",
7523 "description": "help This help --------------------------------------------------------------------------------------- hf texkom reader available offline: no Read a texkom tag",
7526 "hf texkom reader -@ -> continuous reader mode"
7530 "-h, --help This help",
7531 "-1 Use data from Graphbuffer (offline mode)",
7532 "-v, --verbose Verbose output",
7533 "-@ optional - continuous reader mode"
7535 "usage": "hf texkom reader [-h1v@]"
7538 "command": "hf texkom sim",
7539 "description": "Simulate a texkom tag",
7542 "hf texkom sim --raw FFFF638C7DC45553 -> simulate TK13 tag with id 8C7DC455",
7543 "hf texkom sim --tk17 --raw FFFFCA17F31EC512 -> simulate TK17 tag with id 17F31EC5",
7544 "hf texkom sim --id 8C7DC455 -> simulate TK13 tag with id 8C7DC455",
7545 "hf texkom sim --id 8C7DC455 --tk17 -> simulate TK17 tag with id 17F31EC5"
7549 "-h, --help This help",
7550 "-v, --verbose Verbose output",
7551 "-t, --tk17 Use TK-17 modulation (TK-13 by default)",
7552 "--raw <hex 8 bytes> Raw data for texkom card, 8 bytes. Manual modulation select.",
7553 "--id <hex 4 bytes> Raw data for texkom card, 8 bytes. Manual modulation select.",
7554 "--timeout <dec, ms> Simulation timeout in the ms. If not specified or 0 - infinite. Command can be skipped by pressing the button"
7556 "usage": "hf texkom sim [-hvt] [--raw <hex 8 bytes>] [--id <hex 4 bytes>] [--timeout <dec, ms>]"
7558 "hf thinfilm help": {
7559 "command": "hf thinfilm help",
7560 "description": "help This help list List NFC Barcode / Thinfilm history - not correct --------------------------------------------------------------------------------------- hf thinfilm info available offline: no Get info from Thinfilm tags",
7566 "-h, --help This help"
7568 "usage": "hf thinfilm info [-h]"
7570 "hf thinfilm list": {
7571 "command": "hf thinfilm list",
7572 "description": "Alias of `trace list -t thinfilm` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
7574 "hf thinfilm list --frame -> show frame delay times",
7575 "hf thinfilm list -1 -> use trace buffer"
7579 "-h, --help This help",
7580 "-1, --buffer use data from trace buffer",
7581 "--frame show frame delay times",
7582 "-c mark CRC bytes",
7583 "-r show relative times (gap and duration)",
7584 "-u display times in microseconds instead of clock cycles",
7585 "-x show hexdump to convert to pcap(ng)",
7586 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
7587 "-f, --file <fn> filename of dictionary"
7589 "usage": "hf thinfilm list [-h1crux] [--frame] [-f <fn>]"
7591 "hf thinfilm sim": {
7592 "command": "hf thinfilm sim",
7593 "description": "Simulate Thinfilm tag",
7595 "hf thinfilm sim -d B70470726f786d61726b2e636f6d"
7599 "-h, --help This help",
7600 "-d, --data <hex> bytes to send",
7601 "--raw raw, provided bytes should include CRC"
7603 "usage": "hf thinfilm sim [-h] -d <hex> [--raw]"
7606 "command": "hf topaz dump",
7607 "description": "Dump TOPAZ tag to file (bin/json) If no <name> given, UID will be used as filename",
7613 "-h, --help This help",
7614 "-f, --file <fn> Specify a filename for dump file",
7615 "--ns no save to file"
7617 "usage": "hf topaz dump [-h] [-f <fn>] [--ns]"
7620 "command": "hf topaz help",
7621 "description": "help This help list List Topaz history view Display content from tag dump file --------------------------------------------------------------------------------------- hf topaz list available offline: yes Alias of `trace list -t topaz -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
7623 "hf topaz list --frame -> show frame delay times",
7624 "hf topaz list -1 -> use trace buffer"
7628 "-h, --help This help",
7629 "-1, --buffer use data from trace buffer",
7630 "--frame show frame delay times",
7631 "-c mark CRC bytes",
7632 "-r show relative times (gap and duration)",
7633 "-u display times in microseconds instead of clock cycles",
7634 "-x show hexdump to convert to pcap(ng)",
7635 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
7636 "-f, --file <fn> filename of dictionary"
7638 "usage": "hf topaz list [-h1crux] [--frame] [-f <fn>]"
7641 "command": "hf topaz info",
7642 "description": "Get info from Topaz tags",
7645 "hf topaz info -f myfilename -> save raw NDEF to file"
7649 "-h, --help This help",
7650 "-f, --file <fn> save raw NDEF to file",
7651 "-v, --verbose verbose output"
7653 "usage": "hf topaz info [-hv] [-f <fn>]"
7656 "command": "hf topaz raw",
7657 "description": "Send raw hex data to Topaz tags",
7663 "-h, --help This help"
7665 "usage": "hf topaz raw [-h]"
7668 "command": "hf topaz rdbl",
7669 "description": "Read Topaz block",
7671 "hf topaz rdbl --blk 7"
7675 "-h, --help This help",
7676 "--blk <dec> Block number"
7678 "usage": "hf topaz rdbl [-h] --blk <dec>"
7680 "hf topaz reader": {
7681 "command": "hf topaz reader",
7682 "description": "Read UID from Topaz tags",
7685 "hf topaz reader -@ -> Continuous mode"
7689 "-h, --help This help",
7690 "-v, --verbose verbose output",
7691 "-@ optional - continuous reader mode"
7693 "usage": "hf topaz reader [-hv@]"
7696 "command": "hf topaz sim",
7697 "description": "Simulate a Topaz tag",
7699 "hf topaz sim -> Not yet implemented"
7703 "-h, --help This help"
7705 "usage": "hf topaz sim [-h]"
7708 "command": "hf topaz sniff",
7709 "description": "Sniff Topaz reader-tag communication",
7715 "-h, --help This help"
7717 "usage": "hf topaz sniff [-h]"
7720 "command": "hf topaz view",
7721 "description": "Print a Topaz tag dump file (bin/eml/json)",
7723 "hf topaz view -f hf-topaz-04010203-dump.bin"
7727 "-h, --help This help",
7728 "-f, --file <fn> Specify a filename for dump file"
7730 "usage": "hf topaz view [-h] -f <fn>"
7733 "command": "hf topaz wrbl",
7734 "description": "Write Topaz block with 8 hex bytes of data",
7736 "hf topaz wrbl --blk 7 -d 1122334455667788"
7740 "-h, --help This help",
7741 "--blk <dec> Block number",
7742 "-d, --data <hex> Block data (8 hex bytes)"
7744 "usage": "hf topaz wrbl [-h] --blk <dec> -d <hex>"
7747 "command": "hf tune",
7748 "description": "Continuously measure HF antenna tuning. Press pm3 button or <Enter> to interrupt.",
7755 "-h, --help This help",
7756 "-n, --iter <dec> number of iterations (default: 0=infinite)",
7758 "--mix mixed style",
7759 "--value values style",
7760 "-v, --verbose verbose output"
7762 "usage": "hf tune [-hv] [-n <dec>] [--bar] [--mix] [--value]"
7765 "command": "hf vas decrypt",
7766 "description": "Decrypt a previously captured cryptogram",
7768 "hf vas decrypt --pid pass.com.passkit.pksamples.nfcdemo -f vas_privkey.der -d c0b77375eae416b79449347f9fe838c05cdb57dc7470b97b93b806cb348771d9bfbe29d58538c7c7d7c3d015fa205b68bfccd726058a62f7f44085ac98dbf877120fd9059f1507b956e0a6d56d0a"
7772 "-h, --help This help",
7773 "--pid <str> PID, pass type id",
7774 "-f, --file <fn> path to terminal private key file",
7775 "-d, --data <hex> cryptogram to decrypt"
7777 "usage": "hf vas decrypt [-h] [--pid <str>] [-f <fn>] [-d <hex>]"
7780 "command": "hf vas help",
7781 "description": "-------- ----------- Value Added Service ----------- help This help -------- ----------------- General ----------------- decrypt Decrypt a previously captured VAS cryptogram --------------------------------------------------------------------------------------- hf vas reader available offline: no Read and decrypt Value Added Services (VAS) message",
7783 "hf vas reader --url https://example.com -> URL Only mode",
7784 "hf vas reader --pid pass.com.passkit.pksamples.nfcdemo -f vas_privkey.der -@"
7788 "-h, --help This help",
7789 "--pid <str> PID, pass type id",
7790 "-f, --file <fn> path to terminal private key file",
7791 "--url <str> a URL to provide to the mobile device",
7792 "-@ continuous mode",
7793 "-v, --verbose Verbose output"
7795 "usage": "hf vas reader [-h@v] [--pid <str>] [-f <fn>] [--url <str>]"
7797 "hf waveshare help": {
7798 "command": "hf waveshare help",
7799 "description": "help This help load Load image file to Waveshare NFC ePaper --------------------------------------------------------------------------------------- hf waveshare load available offline: yes Load image file to Waveshare NFC ePaper",
7801 "hf waveshare load -f myfile -m 0 -> 2.13 inch e-paper ( 122, 250 )",
7802 "hf waveshare load -f myfile -m 1 -> 2.9 inch e-paper ( 296, 128 )",
7803 "hf waveshare load -f myfile -m 2 -> 4.2 inch e-paper ( 400, 300 )",
7804 "hf waveshare load -f myfile -m 3 -> 7.5 inch e-paper ( 800, 480 )",
7805 "hf waveshare load -f myfile -m 4 -> 2.7 inch e-paper ( 176, 276 )",
7806 "hf waveshare load -f myfile -m 5 -> 2.13 inch e-paper B (with red) ( 104, 212 )",
7807 "hf waveshare load -f myfile -m 6 -> 1.54 inch e-paper B (with red) ( 200, 200 )",
7808 "hf waveshare load -f myfile -m 7 -> 7.5 inch e-paper HD ( 880, 528 )"
7812 "-h, --help This help",
7813 "-m <nr> model number [0 - 7] of your tag",
7814 "-f, --file <fn> specify image to upload to tag",
7815 "-s, --save <fn> save paletized version in file"
7817 "usage": "hf waveshare load [-h] -m <nr> -f <fn> [-s <fn>]"
7820 "command": "hf xerox dump",
7821 "description": "Dump all memory from a Fuji/Xerox tag ISO/IEC 14443 type B based communications",
7827 "-h, --help This help",
7828 "-f, --file <fn> filename to save dump to",
7829 "-d, --decrypt decrypt secret blocks",
7830 "--ns no save to file",
7831 "-v, --verbose verbose output",
7832 "-z, --dense dense dump output style"
7834 "usage": "hf xerox dump [-hdvz] [-f <fn>] [--ns]"
7837 "command": "hf xerox help",
7838 "description": "help This help list List ISO-14443B history -------- ----------------------- General ----------------------- view Display content from tag dump file --------------------------------------------------------------------------------------- hf xerox list available offline: yes Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
7840 "hf 14b list --frame -> show frame delay times",
7841 "hf 14b list -1 -> use trace buffer"
7845 "-h, --help This help",
7846 "-1, --buffer use data from trace buffer",
7847 "--frame show frame delay times",
7848 "-c mark CRC bytes",
7849 "-r show relative times (gap and duration)",
7850 "-u display times in microseconds instead of clock cycles",
7851 "-x show hexdump to convert to pcap(ng)",
7852 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
7853 "-f, --file <fn> filename of dictionary"
7855 "usage": "hf 14b list [-h1crux] [--frame] [-f <fn>]"
7858 "command": "hf xerox info",
7859 "description": "Tag information for Fuji Xerox based tags ISO/IEC 14443 type B based communications",
7865 "-h, --help This help",
7866 "-v, --verbose verbose output"
7868 "usage": "hf xerox info [-hv]"
7871 "command": "hf xerox rdbl",
7872 "description": "Read a Fuji/Xerox tag block",
7874 "hf xerox rdbl -b 1"
7878 "-h, --help This help",
7879 "-b, --blk <dec> page number (0-255)"
7881 "usage": "hf xerox rdbl [-h] -b <dec>"
7883 "hf xerox reader": {
7884 "command": "hf xerox reader",
7885 "description": "Act as a 14443B reader to identify a Fuji Xerox based tag ISO/IEC 14443 type B based communications",
7888 "hf xerox reader -@"
7892 "-h, --help This help",
7893 "-v, --verbose verbose output",
7894 "-@ optional - continuous reader mode"
7896 "usage": "hf xerox reader [-hv@]"
7899 "command": "hf xerox view",
7900 "description": "Print a Fuji/Xerox dump file (bin/eml/json) note: - command expects the filename to contain a UID which is needed to determine card memory type",
7902 "hf xerox view -f hf-xerox-0102030405060708-dump.bin"
7906 "-h, --help This help",
7907 "-f, --file <fn> Specify a filename for dump file",
7908 "-v, --verbose verbose output",
7909 "-z, --dense dense dump output style"
7911 "usage": "hf xerox view [-hvz] -f <fn>"
7915 "description": "Turn on/off hints",
7922 "-h, --help This help",
7923 "-1, --on turn on hints",
7924 "-0, --off turn off hints"
7926 "usage": "hints [-h10]"
7929 "command": "hw bootloader",
7930 "description": "Reboot Proxmark3 into bootloader mode",
7936 "-h, --help This help"
7938 "usage": "hw bootloader [-h]"
7941 "command": "hw break",
7942 "description": "send break loop package",
7948 "-h, --help This help"
7950 "usage": "hw break [-h]"
7953 "command": "hw connect",
7954 "description": "Connects to a Proxmark3 device via specified serial port. Baudrate here is only for physical UART or UART-BT, NOT for USB-CDC or blue shark add-on",
7956 "hw connect -p /dev/ttyACM0",
7957 "hw connect -p /dev/ttyACM0 -b 115200"
7961 "-h, --help This help",
7962 "-p, --port <string> Serial port to connect to, else retry the last used one",
7963 "-b, --baud <dec> Baudrate"
7965 "usage": "hw connect [-h] [-p <string>] [-b <dec>]"
7968 "command": "hw dbg",
7969 "description": "Set device side debug level output. Note: option `-4`, this option may cause malfunction itself by introducing delays in time critical functions like simulation or sniffing",
7971 "hw dbg -> get current log level",
7972 "hw dbg -1 -> set log level to _error_"
7976 "-h, --help This help",
7977 "-0 no debug messages",
7978 "-1 error messages",
7979 "-2 plus information messages",
7980 "-3 plus debug messages",
7981 "-4 print even debug messages in timing critical functions"
7983 "usage": "hw dbg [-h01234]"
7986 "command": "hw fpgaoff",
7987 "description": "Turn of fpga and antenna field",
7993 "-h, --help This help"
7995 "usage": "hw fpgaoff [-h]"
7998 "command": "hw help",
7999 "description": "help This help ------------- ----------------------- Operation ----------------------- timeout Set the communication timeout on the client side version Show version information about the client and Proxmark3 ------------- ----------------------- Hardware ----------------------- connect Connect to the device via serial port --------------------------------------------------------------------------------------- hw detectreader available offline: no Start to detect presences of reader field",
8002 "hw detectreader -L"
8006 "-h, --help This help",
8007 "-L, --LF only detect low frequency 125/134 kHz",
8008 "-H, --HF only detect high frequency 13.56 MHZ"
8010 "usage": "hw detectreader [-hLH]"
8013 "command": "hw lcd",
8014 "description": "Send command/data to LCD",
8016 "hw lcd -r AA -c 03 -> sends 0xAA three times"
8020 "-h, --help This help",
8021 "-r, --raw <hex> data",
8022 "-c, --cnt <dec> number of times to send"
8024 "usage": "hw lcd [-h] -r <hex> -c <dec>"
8027 "command": "hw lcdreset",
8028 "description": "Hardware reset LCD",
8034 "-h, --help This help"
8036 "usage": "hw lcdreset [-h]"
8039 "command": "hw ping",
8040 "description": "Test if the Proxmark3 is responsive",
8047 "-h, --help This help",
8048 "-l, --len <dec> length of payload to send"
8050 "usage": "hw ping [-h] [-l <dec>]"
8053 "command": "hw readmem",
8054 "description": "Reads processor flash memory into a file or views on console",
8056 "hw readmem -f myfile -> save 512KB processor flash memory to file",
8057 "hw readmem -a 8192 -l 512 -> display 512 bytes from offset 8192"
8061 "-h, --help This help",
8062 "-a, --adr <dec> flash address to start reading from",
8063 "-l, --len <dec> length (default 32 or 512KB)",
8064 "-f, --file <fn> save to file",
8065 "-c, --cols <dec> column breaks",
8066 "-r, --raw use raw address mode: read from anywhere, not just flash"
8068 "usage": "hw readmem [-hr] [-a <dec>] [-l <dec>] [-f <fn>] [-c <dec>]"
8071 "command": "hw reset",
8072 "description": "Reset the Proxmark3 device.",
8078 "-h, --help This help"
8080 "usage": "hw reset [-h]"
8083 "command": "hw sethfthresh",
8084 "description": "Set thresholds in HF/14a and Legic mode.",
8086 "hw sethfthresh -t 7 -i 20 -l 8"
8090 "-h, --help This help",
8091 "-t, --thresh <dec> threshold, used in 14a reader mode (def 7)",
8092 "-i, --high <dec> high threshold, used in 14a sniff mode (def 20)",
8093 "-l, --legic <dec> threshold used in Legic mode (def 8)"
8095 "usage": "hw sethfthresh [-h] [-t <dec>] [-i <dec>] [-l <dec>]"
8097 "hw setlfdivisor": {
8098 "command": "hw setlfdivisor",
8099 "description": "Drive LF antenna at 12 MHz / (divisor + 1).",
8101 "hw setlfdivisor -d 88"
8105 "-h, --help This help",
8106 "-d, --div <dec> 19 - 255 divisor value (def 95)"
8108 "usage": "hw setlfdivisor [-h] -d <dec>"
8111 "command": "hw setmux",
8112 "description": "Set the ADC mux to a specific value",
8114 "hw setmux --hipkd -> set HIGH PEAK"
8118 "-h, --help This help",
8121 "--hipkd high peak",
8124 "usage": "hw setmux [-h] [--lopkd] [--loraw] [--hipkd] [--hiraw]"
8127 "command": "hw standalone",
8128 "description": "Start standalone mode",
8130 "hw standalone -> start",
8131 "hw standalone -a 1 -> start and send arg 1"
8135 "-h, --help This help",
8136 "-a, --arg <dec> argument byte",
8137 "-b <str> UniSniff arg: 14a, 14b, 15, iclass"
8139 "usage": "hw standalone [-h] [-a <dec>] [-b <str>]"
8142 "command": "hw status",
8143 "description": "Show runtime status information about the connected Proxmark3",
8146 "hw status --ms 1000 -> Test connection speed with 1000ms timeout"
8150 "-h, --help This help",
8151 "-m, --ms <ms> speed test timeout in micro seconds"
8153 "usage": "hw status [-h] [-m <ms>]"
8156 "command": "hw tearoff",
8157 "description": "Configure a tear-off hook for the next write command supporting tear-off After having been triggered by a write command, the tear-off hook is deactivated Delay (in us) must be between 1 and 43000 (43ms). Precision is about 1/3us.",
8159 "hw tearoff --delay 1200 -> define delay of 1200us",
8160 "hw tearoff --on -> (re)activate a previously defined delay",
8161 "hw tearoff --off -> deactivate a previously activated but not yet triggered hook"
8165 "-h, --help This help",
8166 "--delay <dec> Delay in us before triggering tear-off, must be between 1 and 43000",
8167 "--on Activate tear-off hook",
8168 "--off Deactivate tear-off hook",
8169 "-s, --silent less verbose output"
8171 "usage": "hw tearoff [-hs] [--delay <dec>] [--on] [--off]"
8174 "command": "hw tia",
8175 "description": "Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider",
8181 "-h, --help This help"
8183 "usage": "hw tia [-h]"
8186 "command": "hw timeout",
8187 "description": "Set the communication timeout on the client side",
8189 "hw timeout -> Show current timeout",
8190 "hw timeout -m 20 -> Set the timeout to 20ms",
8191 "hw timeout --ms 500 -> Set the timeout to 500ms"
8195 "-h, --help This help",
8196 "-m, --ms <ms> timeout in micro seconds"
8198 "usage": "hw timeout [-h] [-m <ms>]"
8201 "command": "hw tune",
8202 "description": "Measure tuning of device antenna. Results shown in graph window. This command doesn't actively tune your antennas, it's only informative by measuring voltage that the antennas will generate",
8208 "-h, --help This help"
8210 "usage": "hw tune [-h]"
8213 "command": "hw version",
8214 "description": "Show version information about the client and the connected Proxmark3",
8220 "-h, --help This help"
8222 "usage": "hw version [-h]"
8225 "command": "lf awid brute",
8226 "description": "Enables bruteforce of AWID reader with specified facility-code. This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step if cardnumber is not given, it starts with 1 and goes up to 65535",
8228 "lf awid brute --fmt 26 --fc 224",
8229 "lf awid brute --fmt 50 --fc 2001 --delay 2000",
8230 "lf awid brute --fmt 50 --fc 2001 --cn 200 --delay 2000 -v"
8234 "-h, --help This help",
8235 "--fmt <dec> format length 26|50",
8236 "--fc <dec> 8|16bit value facility code",
8237 "--cn <dec> optional - card number to start with, max 65535",
8238 "--delay <dec> optional - delay betweens attempts in ms. Default 1000ms",
8239 "-v, --verbose verbose output"
8241 "usage": "lf awid brute [-hv] --fmt <dec> --fc <dec> [--cn <dec>] [--delay <dec>]"
8244 "command": "lf awid clone",
8245 "description": "clone a AWID Prox tag to a T55x7, Q5/T5555 or EM4305/4469 tag",
8247 "lf awid clone --fmt 26 --fc 123 --cn 1337 -> encode for T55x7 tag",
8248 "lf awid clone --fmt 50 --fc 2001 --cn 13371337 -> encode long fmt for T55x7 tag",
8249 "lf awid clone --fmt 26 --fc 123 --cn 1337 --q5 -> encode for Q5/T5555 tag",
8250 "lf awid clone --fmt 26 --fc 123 --cn 1337 --em -> encode for EM4305/4469"
8254 "-h, --help This help",
8255 "--fmt <dec> format length 26|34|37|50",
8256 "--fc <dec> 8|16bit value facility code",
8257 "--cn <dec> 16|32-bit value card number",
8258 "--q5 optional - specify writing to Q5/T5555 tag",
8259 "--em optional - specify writing to EM4305/4469 tag"
8261 "usage": "lf awid clone [-h] --fmt <dec> --fc <dec> --cn <dec> [--q5] [--em]"
8264 "command": "lf awid demod",
8265 "description": "Try to find AWID Prox preamble, if found decode / descramble data",
8268 "lf awid demod --raw"
8272 "-h, --help This help"
8274 "usage": "lf awid demod [-h]"
8277 "command": "lf awid help",
8278 "description": "help this help demod demodulate an AWID FSK tag from the GraphBuffer --------------------------------------------------------------------------------------- lf awid brute available offline: no Enables bruteforce of AWID reader with specified facility-code. This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step if cardnumber is not given, it starts with 1 and goes up to 65535",
8280 "lf awid brute --fmt 26 --fc 224",
8281 "lf awid brute --fmt 50 --fc 2001 --delay 2000",
8282 "lf awid brute --fmt 50 --fc 2001 --cn 200 --delay 2000 -v"
8286 "-h, --help This help",
8287 "--fmt <dec> format length 26|50",
8288 "--fc <dec> 8|16bit value facility code",
8289 "--cn <dec> optional - card number to start with, max 65535",
8290 "--delay <dec> optional - delay betweens attempts in ms. Default 1000ms",
8291 "-v, --verbose verbose output"
8293 "usage": "lf awid brute [-hv] --fmt <dec> --fc <dec> [--cn <dec>] [--delay <dec>]"
8296 "command": "lf awid reader",
8297 "description": "read a AWID Prox tag",
8299 "lf awid reader -@ -> continuous reader mode"
8303 "-h, --help This help",
8304 "-@ optional - continuous reader mode"
8306 "usage": "lf awid reader [-h@]"
8309 "command": "lf awid sim",
8310 "description": "Enables simulation of AWID card with specified facility-code and card number. Simulation runs until the button is pressed or another USB command is issued.",
8312 "lf awid sim --fmt 26 --fc 123 --cn 1337",
8313 "lf awid sim --fmt 50 --fc 2001 --cn 13371337"
8317 "-h, --help This help",
8318 "--fmt <dec> format length 26|32|36|40",
8319 "--fc <dec> 8-bit value facility code",
8320 "--cn <dec> 16-bit value card number"
8322 "usage": "lf awid sim [-h] --fmt <dec> --fc <dec> --cn <dec>"
8325 "command": "lf awid watch",
8326 "description": "Enables AWID compatible reader mode printing details of scanned AWID26 or AWID50 tags. Run until the button is pressed or another USB command is issued.",
8332 "-h, --help This help"
8334 "usage": "lf awid watch [-h]"
8337 "command": "lf cmdread",
8338 "description": "Modulate LF reader field to send command before read. All periods in microseconds. - use `lf config` to set parameters",
8340 "lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -> probing for Hitag1/S",
8341 "lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W11000 -> probing for Hitag2",
8342 "lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W11000 -s 2000 -@ -> probing for Hitag2, oscilloscope style",
8343 "lf cmdread -d 48 -z 112 -o 176 -e W3000 -e S240 -e E336 -c W0S00000010000E -> probing for Hitag (us)"
8347 "-h, --help This help",
8348 "-d, --duration <us> delay OFF period, (0 for bitbang mode)",
8349 "-c, --cmd <0|1|...> command symbols",
8350 "-e, --extra <us> Extra symbol definition and duration (up to 4)",
8351 "-o, --one <us> ONE time period",
8352 "-z, --zero <us> ZERO time period",
8353 "-s, --samples <dec> number of samples to collect",
8354 "-v, --verbose verbose output",
8355 "-k, --keep keep signal field ON after receive",
8356 "--crc-ht calculate and append CRC-8/HITAG (also for ZX8211)",
8357 "-@ continuous mode"
8359 "usage": "lf cmdread [-hvk@] [-d <us>] [-c <0|1|...>] [-e <us>]... [-o <us>] [-z <us>] [-s <dec>] [--crc-ht]"
8362 "command": "lf cotag help",
8363 "description": "help This help demod demodulate an COTAG tag --------------------------------------------------------------------------------------- lf cotag demod available offline: yes Try to find COTAG preamble, if found decode / descramble data",
8369 "-h, --help This help",
8370 "-v, --verbose verbose output"
8372 "usage": "lf cotag demod [-hv]"
8374 "lf cotag reader": {
8375 "command": "lf cotag reader",
8376 "description": "read a COTAG tag, the current support for COTAG is limited.",
8378 "lf cotag reader -2"
8382 "-h, --help This help",
8383 "-1 HIGH/LOW signal; maxlength bigbuff",
8384 "-2 translation of HIGH/LOW into bytes with manchester 0,1",
8385 "-3 raw signal; maxlength bigbuff"
8387 "usage": "lf cotag reader [-h123]"
8389 "lf destron clone": {
8390 "command": "lf destron clone",
8391 "description": "clone a Destron tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
8393 "lf destron clone --uid 1A2B3C4D5E",
8394 "lf destron clone --q5 --uid 1A2B3C4D5E -> encode for Q5/T5555 tag",
8395 "lf destron clone --em --uid 1A2B3C4D5E -> encode for EM4305/4469"
8399 "-h, --help This help",
8400 "-u, --uid <hex> 5 bytes max",
8401 "--q5 optional - specify writing to Q5/T5555 tag",
8402 "--em optional - specify writing to EM4305/4469 tag"
8404 "usage": "lf destron clone [-h] -u <hex> [--q5] [--em]"
8406 "lf destron help": {
8407 "command": "lf destron help",
8408 "description": "help This help demod demodulate an Destron tag from the GraphBuffer --------------------------------------------------------------------------------------- lf destron demod available offline: yes Try to find Destron preamble, if found decode / descramble data",
8414 "-h, --help This help"
8416 "usage": "lf destron demod [-h]"
8418 "lf destron reader": {
8419 "command": "lf destron reader",
8420 "description": "read a Destron tag",
8422 "lf destron reader -@ -> continuous reader mode"
8426 "-h, --help This help",
8427 "-@ optional - continuous reader mode"
8429 "usage": "lf destron reader [-h@]"
8432 "command": "lf destron sim",
8433 "description": "Try to find Destron preamble, if found decode / descramble data",
8439 "-h, --help This help"
8441 "usage": "lf destron sim [-h]"
8443 "lf em 410x brute": {
8444 "command": "lf em 410x brute",
8445 "description": "bruteforcing by emulating EM 410x tag",
8447 "lf em 410x brute -f ids.txt",
8448 "lf em 410x brute -f ids.txt --clk 32",
8449 "lf em 410x brute -f ids.txt --delay 3000",
8450 "lf em 410x brute -f ids.txt --delay 3000 --clk 32"
8454 "-h, --help This help",
8455 "--clk <dec> <32|64> clock (default 64)",
8456 "--delay <dec> pause delay in milliseconds between UIDs simulation (default 1000ms)",
8457 "-f, --file <hex> file with EM Tag IDs, one id per line",
8458 "--gap <dec> gap (0's) between ID repeats (default 20)"
8460 "usage": "lf em 410x brute [-h] [--clk <dec>] [--delay <dec>] -f <hex> [--gap <dec>]"
8462 "lf em 410x clone": {
8463 "command": "lf em 410x clone",
8464 "description": "clone a EM410x ID to a T55x7, Q5/T5555 or EM4305/4469 tag.",
8466 "lf em 410x clone --id 0F0368568B -> encode for T55x7 tag",
8467 "lf em 410x clone --id 0F0368568B --q5 -> encode for Q5/T5555 tag",
8468 "lf em 410x clone --id 0F0368568B --em -> encode for EM4305/4469"
8472 "-h, --help This help",
8473 "--clk <dec> <16|32|40|64> clock (default 64)",
8474 "--id <hex> EM Tag ID number (5 hex bytes)",
8475 "--q5 optional - specify writing to Q5/T5555 tag",
8476 "--em optional - specify writing to EM4305/4469 tag",
8477 "--electra optional - add Electra blocks to tag"
8479 "usage": "lf em 410x clone [-h] [--clk <dec>] --id <hex> [--q5] [--em] [--electra]"
8481 "lf em 410x reader": {
8482 "command": "lf em 410x reader",
8483 "description": "read EM 410x tag",
8485 "lf em 410x reader",
8486 "lf em 410x reader -@ -> continuous reader mode",
8487 "lf em 410x reader --clk 32 -> using a clock of RF/32",
8488 "lf em 410x reader --clk 32 -i -> using a clock of RF/32 and inverting data",
8489 "lf em 410x reader -i -> inverting data",
8490 "lf em 410x reader --clk 64 -i --err 0 -> using a clock of RF/64 and inverting data and allowing 0 demod errors"
8494 "-h, --help This help",
8495 "--clk <dec> clock (default autodetect)",
8496 "--err <dec> maximum allowed errors (default 100)",
8497 "--len <dec> maximum length",
8498 "-i, --invert invert output",
8499 "-a, --amp amplify signal",
8500 "-b break on first found",
8501 "-@ continuous reader mode",
8502 "-v, --verbose verbose output"
8504 "usage": "lf em 410x reader [-hiab@v] [--clk <dec>] [--err <dec>] [--len <dec>]"
8507 "command": "lf em 410x sim",
8508 "description": "Enables simulation of EM 410x card. Simulation runs until the button is pressed or another USB command is issued.",
8510 "lf em 410x sim --id 0F0368568B",
8511 "lf em 410x sim --id 0F0368568B --clk 32",
8512 "lf em 410x sim --id 0F0368568B --gap 0"
8516 "-h, --help This help",
8517 "--clk <dec> <32|64> clock (default 64)",
8518 "--id <hex> EM Tag ID number (5 hex bytes)",
8519 "--gap <dec> gap (0's) between ID repeats (default 20)"
8521 "usage": "lf em 410x sim [-h] [--clk <dec>] --id <hex> [--gap <dec>]"
8523 "lf em 410x spoof": {
8524 "command": "lf em 410x spoof",
8525 "description": "Watch 'nd Spoof, activates reader Waits until a EM 410x tag gets presented then Proxmark3 starts simulating the found EM Tag ID",
8531 "-h, --help This help"
8533 "usage": "lf em 410x spoof [-h]"
8535 "lf em 410x watch": {
8536 "command": "lf em 410x watch",
8537 "description": "Enables Electro Marine (EM) compatible reader mode printing details of scanned tags. Run until the button is pressed or another USB command is issued.",
8543 "-h, --help This help"
8545 "usage": "lf em 410x watch [-h]"
8547 "lf em 4x05 brute": {
8548 "command": "lf em 4x05 brute",
8549 "description": "This command tries to bruteforce the password of a EM4205/4305/4469/4569 The loop is running on device side, press Proxmark3 button to abort",
8551 "Note: if you get many false positives, change position on the antennalf em 4x05 brute",
8552 "lf em 4x05 brute -n 1 -> stop after first candidate found",
8553 "lf em 4x05 brute -s 000022AA -> start at 000022AA"
8557 "-h, --help This help",
8558 "-s, --start <hex> Start bruteforce enumeration from this password value",
8559 "-n <dec> Stop after having found n candidates. Default: 0 (infinite)"
8561 "usage": "lf em 4x05 brute [-h] [-s <hex>] [-n <dec>]"
8564 "command": "lf em 4x05 chk",
8565 "description": "This command uses a dictionary attack against EM4205/4305/4469/4569",
8568 "lf em 4x05 chk -e 000022B8 -> check password 000022B8",
8569 "lf em 4x05 chk -f t55xx_default_pwds -> use T55xx default dictionary"
8573 "-h, --help This help",
8574 "-f, --file <fn> loads a default keys dictionary file <*.dic>",
8575 "-e, --em <EM4100> try the calculated password from some cloners based on EM4100 ID"
8577 "usage": "lf em 4x05 chk [-h] [-f <fn>] [-e <EM4100>]"
8579 "lf em 4x05 config": {
8580 "command": "lf em 4x05 config",
8581 "description": "Create common configuration blocks",
8587 "-h, --help This help"
8589 "usage": "lf em 4x05 config [-h]"
8591 "lf em 4x05 demod": {
8592 "command": "lf em 4x05 demod",
8593 "description": "Try to find EM 4x05 preamble, if found decode / descramble data",
8599 "-h, --help This help"
8601 "usage": "lf em 4x05 demod [-h]"
8603 "lf em 4x05 dump": {
8604 "command": "lf em 4x05 dump",
8605 "description": "Dump EM4x05/EM4x69. Tag must be on antenna.",
8608 "lf em 4x05 dump -p 11223344",
8609 "lf em 4x05 dump -f myfile -p 11223344"
8613 "-h, --help This help",
8614 "-p, --pwd <hex> password (00000000)",
8615 "-f, --file <fn> override filename prefix (optional). Default is based on UID",
8616 "--ns no save to file"
8618 "usage": "lf em 4x05 dump [-h] [-p <hex>] [-f <fn>] [--ns]"
8620 "lf em 4x05 help": {
8621 "command": "lf em 4x05 help",
8622 "description": "----------- ----------------------- General ----------------------- help This help ----------- ----------------------- Operations ----------------------- config Create common configuration words demod Demodulate a EM4x05/EM4x69 tag from the GraphBuffer sniff Attempt to recover em4x05 commands from sample buffer view Display content from tag dump file --------------------------------------------------------------------------------------- lf em 4x05 clonehelp available offline: no Display a list of available commands for cloning specific techs on EM4305/4469 tags",
8624 "lf em 4x05 clonehelp"
8628 "-h, --help This help"
8630 "usage": "lf em 4x05 clonehelp [-h]"
8632 "lf em 4x05 info": {
8633 "command": "lf em 4x05 info",
8634 "description": "Tag information EM4205/4305/4469//4569 tags. Tag must be on antenna.",
8637 "lf em 4x05 info -p 11223344"
8641 "-h, --help This help",
8642 "-p, --pwd <hex> optional - password, 4 hex bytes",
8643 "-v, --verbose Verbose output"
8645 "usage": "lf em 4x05 info [-hv] [-p <hex>]"
8647 "lf em 4x05 read": {
8648 "command": "lf em 4x05 read",
8649 "description": "Read EM4x05/EM4x69. Tag must be on antenna.",
8651 "lf em 4x05 read -a 1",
8652 "lf em 4x05 read --addr 1 --pwd 11223344"
8656 "-h, --help This help",
8657 "-a, --addr <dec> memory address to read. (0-15)",
8658 "-p, --pwd <hex> optional - password, 4 bytes hex"
8660 "usage": "lf em 4x05 read [-h] -a <dec> [-p <hex>]"
8662 "lf em 4x05 sniff": {
8663 "command": "lf em 4x05 sniff",
8664 "description": "Sniff EM4x05 commands sent from a programmer",
8666 "lf em 4x05 sniff -> sniff via lf sniff",
8667 "lf em 4x05 sniff -1 -> sniff from data loaded into the buffer",
8668 "lf em 4x05 sniff -r -> reverse the bit order when showing block data"
8672 "-h, --help This help",
8673 "-1, --buf Use the data in the buffer",
8674 "-r, --rev Reverse the bit order for data blocks"
8676 "usage": "lf em 4x05 sniff [-h1r]"
8678 "lf em 4x05 unlock": {
8679 "command": "lf em 4x05 unlock",
8680 "description": "execute tear off against EM4205/4305/4469/4569",
8682 "lf em 4x05 unlock",
8683 "lf em 4x05 unlock -s 4100 -e 4100 -> lock on and autotune at 4100us",
8684 "lf em 4x05 unlock -n 10 -s 3000 -e 4400 -> scan delays 3000us -> 4400us"
8688 "-h, --help This help",
8689 "-n <int> steps to skip",
8690 "-s, --start <us> start scan from delay (us)",
8691 "-e, --end <us> end scan at delay (us)",
8692 "-p, --pwd <hex> password (def 00000000)",
8693 "-v, --verbose verbose output"
8695 "usage": "lf em 4x05 unlock [-hv] [-n <int>] [-s <us>] [-e <us>] [-p <hex>]"
8697 "lf em 4x05 view": {
8698 "command": "lf em 4x05 view",
8699 "description": "Print a EM4205/4305/4369/4469 dump file note: We don't track if password is known in current dump file formats. All zeros password block might be filler data",
8701 "lf em 4x05 view -f lf-4x05-01020304-dump.json"
8705 "-h, --help This help",
8706 "-f, --file <fn> Specify a filename for dump file",
8707 "-v, --verbose Verbose output"
8709 "usage": "lf em 4x05 view [-hv] -f <fn>"
8711 "lf em 4x05 wipe": {
8712 "command": "lf em 4x05 wipe",
8713 "description": "Wipe EM4x05/EM4x69. Tag must be on antenna.",
8715 "lf em 4x05 wipe --4305 -p 11223344 -> wipe EM 4305 w pwd",
8716 "lf em 4x05 wipe --4205 -> wipe EM 4205",
8717 "lf em 4x05 wipe --4369 -> wipe EM 4369"
8721 "-h, --help This help",
8722 "--4205 target chip type EM 4205",
8723 "--4305 target chip type EM 4305 (default)",
8724 "--4369 target chip type EM 4369",
8725 "--4469 target chip type EM 4469",
8726 "-p, --pwd <hex> optional - password, 4 bytes hex"
8728 "usage": "lf em 4x05 wipe [-h] [--4205] [--4305] [--4369] [--4469] [-p <hex>]"
8730 "lf em 4x05 write": {
8731 "command": "lf em 4x05 write",
8732 "description": "Write EM4x05/EM4x69. Tag must be on antenna.",
8734 "lf em 4x05 write -a 1 -d deadc0de",
8735 "lf em 4x05 write --addr 1 --pwd 11223344 --data deadc0de",
8736 "lf em 4x05 write --po --pwd 11223344 --data deadc0de"
8740 "-h, --help This help",
8741 "-a, --addr <dec> memory address to write to. (0-13)",
8742 "-d, --data <hex> data to write (4 hex bytes)",
8743 "-p, --pwd <hex> password (4 hex bytes)",
8744 "--po protect operation"
8746 "usage": "lf em 4x05 write [-h] [-a <dec>] -d <hex> [-p <hex>] [--po]"
8749 "command": "lf em 4x50 chk",
8750 "description": "Run dictionary key recovery against EM4x50 card.",
8752 "lf em 4x50 chk -> uses T55xx default dictionary",
8753 "lf em 4x50 chk -f my.dic"
8757 "-h, --help This help",
8758 "-f, --file <fn> specify dictionary filename"
8760 "usage": "lf em 4x50 chk [-h] [-f <fn>]"
8762 "lf em 4x50 dump": {
8763 "command": "lf em 4x50 dump",
8764 "description": "Reads all blocks/words from EM4x50 tag and saves dump in (bin/json) format",
8767 "lf em 4x50 dump -f mydump",
8768 "lf em 4x50 dump -p 12345678",
8769 "lf em 4x50 dump -f mydump -p 12345678"
8773 "-h, --help This help",
8774 "-f, --file <fn> specify dump filename",
8775 "-p, --pwd <hex> password, 4 hex bytes, lsb",
8776 "--ns no save to file"
8778 "usage": "lf em 4x50 dump [-h] [-f <fn>] [-p <hex>] [--ns]"
8780 "lf em 4x50 eload": {
8781 "command": "lf em 4x50 eload",
8782 "description": "Loads EM4x50 tag dump (bin/eml/json) into emulator memory on device",
8784 "lf em 4x50 eload -f mydump.bin"
8788 "-h, --help This help",
8789 "-f, --file <fn> Specify a filename for dump file"
8791 "usage": "lf em 4x50 eload [-h] -f <fn>"
8793 "lf em 4x50 esave": {
8794 "command": "lf em 4x50 esave",
8795 "description": "Saves bin/json dump file of emulator memory.",
8797 "lf em 4x50 esave -> use UID as filename",
8798 "lf em 4x50 esave -f mydump"
8802 "-h, --help This help",
8803 "-f, --file <fn> specifiy filename"
8805 "usage": "lf em 4x50 esave [-h] [-f <fn>]"
8807 "lf em 4x50 eview": {
8808 "command": "lf em 4x50 eview",
8809 "description": "Displays em4x50 content of emulator memory.",
8815 "-h, --help This help"
8817 "usage": "lf em 4x50 eview [-h]"
8819 "lf em 4x50 help": {
8820 "command": "lf em 4x50 help",
8821 "description": "help This help ----------- --------------------- operations --------------------- view Display content from tag dump file ----------- --------------------- simulation --------------------- --------------------------------------------------------------------------------------- lf em 4x50 brute available offline: no Tries to bruteforce the password of a EM4x50 card. Function can be stopped by pressing pm3 button.",
8823 "lf em 4x50 brute --mode range --begin 12330000 --end 12340000 -> tries pwds from 0x12330000 to 0x12340000",
8824 "lf em 4x50 brute --mode charset --digits --uppercase -> tries all combinations of ASCII codes for digits and uppercase letters",
8825 "lf em 4x50 brute --mode smart -> enable 'smart' pattern key cracking"
8829 "-h, --help This help",
8830 "--mode <str> Bruteforce mode (range|charset|smart)",
8831 "--begin <hex> Range mode - start of the key range",
8832 "--end <hex> Range mode - end of the key range",
8833 "--digits Charset mode - include ASCII codes for digits",
8834 "--uppercase Charset mode - include ASCII codes for uppercase letters"
8836 "usage": "lf em 4x50 brute [-h] --mode <str> [--begin <hex>] [--end <hex>] [--digits] [--uppercase]"
8838 "lf em 4x50 info": {
8839 "command": "lf em 4x50 info",
8840 "description": "Tag information EM4x50.",
8843 "lf em 4x50 info -v -> show data section",
8844 "lf em 4x50 info -p 12345678 -> uses pwd 0x12345678"
8848 "-h, --help This help",
8849 "-p, --pwd <hex> password, 4 hex bytes, lsb",
8850 "-v, --verbose verbose output"
8852 "usage": "lf em 4x50 info [-hv] [-p <hex>]"
8854 "lf em 4x50 login": {
8855 "command": "lf em 4x50 login",
8856 "description": "Login into EM4x50 tag.",
8858 "lf em 4x50 login -p 12345678 -> login with password 12345678"
8862 "-h, --help This help",
8863 "-p, --passsword <hex> password, 4 bytes, lsb"
8865 "usage": "lf em 4x50 login [-h] -p <hex>"
8867 "lf em 4x50 rdbl": {
8868 "command": "lf em 4x50 rdbl",
8869 "description": "Reads single EM4x50 block/word.",
8871 "lf em 4x50 rdbl -b 3",
8872 "lf em 4x50 rdbl -b 32 -p 12345678 -> reads block 32 with pwd 0x12345678"
8876 "-h, --help This help",
8877 "-b, --block <dec> block/word address",
8878 "-p, --pwd <hex> password, 4 hex bytes, lsb"
8880 "usage": "lf em 4x50 rdbl [-h] -b <dec> [-p <hex>]"
8882 "lf em 4x50 reader": {
8883 "command": "lf em 4x50 reader",
8884 "description": "Shows standard read data of EM4x50 tag.",
8886 "lf em 4x50 reader",
8887 "lf em 4x50 reader -@ -> continuous reader mode"
8891 "-h, --help This help",
8892 "-@ optional - continuous reader mode"
8894 "usage": "lf em 4x50 reader [-h@]"
8896 "lf em 4x50 restore": {
8897 "command": "lf em 4x50 restore",
8898 "description": "Restores data from dumpfile (bin/eml/json) onto a EM4x50 tag. if used with -u, the filetemplate `lf-4x50-UID-dump.bin` is used as filename",
8900 "lf em 4x50 restore -u 1b5aff5c -> uses lf-4x50-1B5AFF5C-dump.bin",
8901 "lf em 4x50 restore -f mydump.eml",
8902 "lf em 4x50 restore -u 1b5aff5c -p 12345678",
8903 "lf em 4x50 restore -f mydump.eml -p 12345678"
8907 "-h, --help This help",
8908 "-u, --uid <hex> uid, 4 hex bytes, msb",
8909 "-f, --file <fn> specify a filename for dump file",
8910 "-p, --pwd <hex> password, 4 hex bytes, lsb"
8912 "usage": "lf em 4x50 restore [-h] [-u <hex>] [-f <fn>] [-p <hex>]"
8915 "command": "lf em 4x50 sim",
8916 "description": "Simulates a EM4x50 tag First upload to device using `lf em 4x50 eload`",
8919 "lf em 4x50 sim -p 27182818 -> uses password for eload data"
8923 "-h, --help This help",
8924 "-p, --passsword <hex> password, 4 bytes, lsb"
8926 "usage": "lf em 4x50 sim [-h] [-p <hex>]"
8928 "lf em 4x50 view": {
8929 "command": "lf em 4x50 view",
8930 "description": "Print a EM4x50 dump file",
8932 "lf em 4x50 view -f lf-4x50-01020304-dump.json"
8936 "-h, --help This help",
8937 "-f, --file <fn> specify a filename for dump file"
8939 "usage": "lf em 4x50 view [-h] [-f <fn>]"
8941 "lf em 4x50 wipe": {
8942 "command": "lf em 4x50 wipe",
8943 "description": "Wipes EM4x50 tag by filling it with zeros, including the new password Must give a password.",
8945 "lf em 4x50 wipe -p 12345678"
8949 "-h, --help This help",
8950 "-p, --passsword <hex> password, 4 bytes, lsb"
8952 "usage": "lf em 4x50 wipe [-h] -p <hex>"
8954 "lf em 4x50 wrbl": {
8955 "command": "lf em 4x50 wrbl",
8956 "description": "Writes single block/word to EM4x50 tag.",
8958 "lf em 4x50 wrbl -b 3 -d 4f22e7ff",
8959 "lf em 4x50 wrbl -b 3 -d 4f22e7ff -p 12345678"
8963 "-h, --help This help",
8964 "-b, --block <dec> block/word address, dec",
8965 "-d, --data <hex> data, 4 bytes, lsb",
8966 "-p, --pwd <hex> password, 4 bytes, lsb"
8968 "usage": "lf em 4x50 wrbl [-h] -b <dec> -d <hex> [-p <hex>]"
8970 "lf em 4x50 wrpwd": {
8971 "command": "lf em 4x50 wrpwd",
8972 "description": "Writes EM4x50 password.",
8974 "lf em 4x50 wrpwd -p 4f22e7ff -n 12345678"
8978 "-h, --help This help",
8979 "-p, --pwd <hex> password, 4 hex bytes, lsb",
8980 "-n, --new <hex> new password, 4 hex bytes, lsb"
8982 "usage": "lf em 4x50 wrpwd [-h] -p <hex> -n <hex>"
8984 "lf em 4x70 auth": {
8985 "command": "lf em 4x70 auth",
8986 "description": "Authenticate against an EM4x70 by sending random number (RN) and F(RN) If F(RN) is incorrect based on the tag key, the tag will not respond If F(RN) is correct based on the tag key, the tag will give a 20-bit response",
8988 "lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 -> (using pm3 test key)",
8989 "lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 -> (using research paper key)",
8990 "lf em 4x70 auth --rnd 7D5167003571F8 --frn 982DBCC0 -> (autorecovery test key)"
8994 "-h, --help This help",
8995 "--par Add parity bit when sending commands",
8996 "--rnd <hex> Random 56-bit",
8997 "--frn <hex> F(RN) 28-bit as 4 hex bytes"
8999 "usage": "lf em 4x70 auth [-h] [--par] --rnd <hex> --frn <hex>"
9001 "lf em 4x70 autorecover": {
9002 "command": "lf em 4x70 autorecover",
9003 "description": "This command will perform automatic recovery of the key from a writable tag. All steps are possible to do manually. The corresponding sequence, if done manually, is as follows: 1. Verify passed parameters authenticate with the tag (safety check) lf em 4x70 auth --rnd <rnd_1> --frn <frn_1> 2. Brute force the key bits in block 9 lf em 4x70 write -b 9 -d 0000 lf em 4x70 recover -b 9 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 9 -d <key_block_9> 3. Brute force the key bits in block 8 lf em 4x70 write -b 8 -d 0000 lf em 4x70 recover -b 8 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 8 -d <key_block_8> 4. Brute force the key bits in block 7 lf em 4x70 write -b 7 -d 0000) lf em 4x70 recover -b 7 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 7 -d <key_block_7> 5. Recover potential values of the lower 48 bits of the key lf em 4x70 recover --key <key_block_9><key_block_8><key_block_7> --rnd <rnd_1> --frn <frn_1> 6. Verify which potential key is actually on the tag (using a different rnd/frn combination) lf em 4x70 auth --rnd <rnd_2> --frn <frn_N> 7. Print the validated key This command simply requires the rnd/frn/grn from a single known-good authentication.",
9005 "lf em 4x70 autorecover --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)",
9006 "lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)",
9007 "lf em 4x70 autorecover --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key)"
9011 "-h, --help This help",
9012 "--par Add parity bit when sending commands",
9013 "--rnd <hex> Random 56-bit from known-good authentication",
9014 "--frn <hex> F(RN) 28-bit as 4 hex bytes from known-good authentication",
9015 "--grn <hex> G(RN) 20-bit as 3 hex bytes from known-good authentication"
9017 "usage": "lf em 4x70 autorecover [-h] [--par] --rnd <hex> --frn <hex> --grn <hex>"
9019 "lf em 4x70 help": {
9020 "command": "lf em 4x70 help",
9021 "description": "help This help recover Recover remaining key from partial key --------------------------------------------------------------------------------------- lf em 4x70 brute available offline: no Optimized partial key-update attack of 16-bit key block 7, 8 or 9 of an EM4x70 This attack does NOT write anything to the tag. Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'. After success, the 16-bit key block have to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'",
9023 "lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 -> bruteforcing key bits k95...k80"
9027 "-h, --help This help",
9028 "--par Add parity bit when sending commands",
9029 "-b, --block <dec> block/word address, dec",
9030 "--rnd <hex> Random 56-bit",
9031 "--frn <hex> F(RN) 28-bit as 4 hex bytes",
9032 "-s, --start <hex> Start bruteforce enumeration from this key value"
9034 "usage": "lf em 4x70 brute [-h] [--par] -b <dec> --rnd <hex> --frn <hex> [-s <hex>]"
9036 "lf em 4x70 info": {
9037 "command": "lf em 4x70 info",
9038 "description": "Tag Information EM4x70 Tag variants include ID48 automotive transponder. ID48 does not use command parity (default). V4070 and EM4170 do require parity bit.",
9041 "lf em 4x70 info --par -> adds parity bit to command"
9045 "-h, --help This help",
9046 "--par Add parity bit when sending commands"
9048 "usage": "lf em 4x70 info [-h] [--par]"
9050 "lf em 4x70 recover": {
9051 "command": "lf em 4x70 recover",
9052 "description": "After obtaining key bits 95..48 (such as via 'lf em 4x70 brute'), this command will recover key bits 47..00. By default, this process does NOT require a tag to be present. By default, the potential keys are shown (typically 1-6) along with a corresponding 'lf em 4x70 auth' command that will authenticate, if that potential key is correct. The user can copy/paste these commands when the tag is present to manually check which of the potential keys is correct.",
9054 "lf em 4x70 recover --key F32AA98CF5BE --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)",
9055 "lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)"
9059 "-h, --help This help",
9060 "--par Add parity bit when sending commands",
9061 "-k, --key <hex> Key as 6 hex bytes",
9062 "--rnd <hex> Random 56-bit",
9063 "--frn <hex> F(RN) 28-bit as 4 hex bytes",
9064 "--grn <hex> G(RN) 20-bit as 3 hex bytes"
9066 "usage": "lf em 4x70 recover [-h] [--par] -k <hex> --rnd <hex> --frn <hex> --grn <hex>"
9068 "lf em 4x70 setkey": {
9069 "command": "lf em 4x70 setkey",
9070 "description": "Write new 96-bit key to tag",
9072 "lf em 4x70 setkey -k F32AA98CF5BE4ADFA6D3480B (pm3 test key)",
9073 "lf em 4x70 setkey -k A090A0A02080000000000000 (research paper key)",
9074 "lf em 4x70 setkey -k 022A028C02BE000102030405 (autorecovery test key)"
9078 "-h, --help This help",
9079 "--par Add parity bit when sending commands",
9080 "-k, --key <hex> Key as 12 hex bytes"
9082 "usage": "lf em 4x70 setkey [-h] [--par] -k <hex>"
9084 "lf em 4x70 setpin": {
9085 "command": "lf em 4x70 setpin",
9086 "description": "Write new PIN",
9088 "lf em 4x70 setpin -p 11223344 -> Write new PIN",
9089 "lf em 4x70 setpin -p 11223344 --par -> Write new PIN using parity commands"
9093 "-h, --help This help",
9094 "--par Add parity bit when sending commands",
9095 "-p, --pin <hex> pin, 4 bytes"
9097 "usage": "lf em 4x70 setpin [-h] [--par] -p <hex>"
9099 "lf em 4x70 unlock": {
9100 "command": "lf em 4x70 unlock",
9101 "description": "Unlock EM4x70 by sending PIN Default pin may be: AAAAAAAA 00000000",
9103 "lf em 4x70 unlock -p 11223344 -> Unlock with PIN",
9104 "lf em 4x70 unlock -p 11223344 --par -> Unlock with PIN using parity commands"
9108 "-h, --help This help",
9109 "--par Add parity bit when sending commands",
9110 "-p, --pin <hex> pin, 4 bytes"
9112 "usage": "lf em 4x70 unlock [-h] [--par] -p <hex>"
9114 "lf em 4x70 write": {
9115 "command": "lf em 4x70 write",
9116 "description": "Write EM4x70",
9118 "lf em 4x70 write -b 15 -d c0de -> write 'c0de' to block 15",
9119 "lf em 4x70 write -b 15 -d c0de --par -> adds parity bit to commands"
9123 "-h, --help This help",
9124 "--par Add parity bit when sending commands",
9125 "-b, --block <dec> block/word address, dec",
9126 "-d, --data <hex> data, 2 bytes"
9128 "usage": "lf em 4x70 write [-h] [--par] -b <dec> -d <hex>"
9131 "command": "lf em help",
9132 "description": "help This help 410x { EM 4102 commands... } 4x05 { EM 4205 / 4305 / 4369 / 4469 commands... } 4x50 { EM 4350 / 4450 commands... } 4x70 { EM 4070 / 4170 commands... } ======================================================================================= lf em 410x { EM 4102 commands... } --------------------------------------------------------------------------------------- lf em 410x help available offline: yes help This help demod demodulate a EM410x tag from the GraphBuffer --------------------------------------------------------------------------------------- lf em 410x demod available offline: yes Try to find EM 410x preamble, if found decode / descramble data",
9134 "lf em 410x demod -> demod an EM410x Tag ID from GraphBuffer",
9135 "lf em 410x demod --clk 32 -> demod an EM410x Tag ID from GraphBuffer using a clock of RF/32",
9136 "lf em 410x demod --clk 32 -i -> demod an EM410x Tag ID from GraphBuffer using a clock of RF/32 and inverting data",
9137 "lf em 410x demod -i -> demod an EM410x Tag ID from GraphBuffer while inverting data",
9138 "lf em 410x demod --clk 64 -i --err 0 -> demod an EM410x Tag ID from GraphBuffer using a clock of RF/64 and inverting data and allowing 0 demod errors"
9142 "-h, --help This help",
9143 "--clk <dec> clock (default autodetect)",
9144 "--err <dec> maximum allowed errors (default 100)",
9145 "--len <dec> maximum length",
9146 "-i, --invert invert output",
9147 "-a, --amp amplify signal",
9148 "--bin <bin> Binary string i.e 0001001001"
9150 "usage": "lf em 410x demod [-hia] [--clk <dec>] [--err <dec>] [--len <dec>] [--bin <bin>]"
9153 "command": "lf fdxb clone",
9154 "description": "clone a FDX-B tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
9156 "lf fdxb clone --country 999 --national 1337 --animal -> encode for T55x7 tag, with animal bit",
9157 "lf fdxb clone --country 999 --national 1337 --extended 016A -> encode for T55x7 tag, with extended data",
9158 "lf fdxb clone --country 999 --national 1337 --q5 -> encode for Q5/T5555 tag",
9159 "lf fdxb clone --country 999 --national 1337 --em -> encode for EM4305/4469"
9163 "-h, --help This help",
9164 "-c, --country <dec> country code",
9165 "-n, --national <dec> national code",
9166 "--extended <hex> extended data",
9167 "-a, --animal optional - set animal bit",
9168 "--q5 optional - specify writing to Q5/T5555 tag",
9169 "--em optional - specify writing to EM4305/4469 tag"
9171 "usage": "lf fdxb clone [-ha] -c <dec> -n <dec> [--extended <hex>] [--q5] [--em]"
9174 "command": "lf fdxb help",
9175 "description": "help this help demod demodulate a FDX-B ISO11784/85 tag from the GraphBuffer --------------------------------------------------------------------------------------- lf fdxb demod available offline: yes Try to find FDX-B preamble, if found decode / descramble data",
9181 "-h, --help This help"
9183 "usage": "lf fdxb demod [-h]"
9186 "command": "lf fdxb reader",
9187 "description": "read a FDX-B animal tag Note that the continuous mode is less verbose",
9189 "lf fdxb reader -@ -> continuous reader mode"
9193 "-h, --help This help",
9194 "-@ optional - continuous reader mode"
9196 "usage": "lf fdxb reader [-h@]"
9199 "command": "lf fdxb sim",
9200 "description": "Enables simulation of FDX-B animal tag. Simulation runs until the button is pressed or another USB command is issued.",
9202 "lf fdxb sim --country 999 --national 1337 --animal",
9203 "lf fdxb sim --country 999 --national 1337 --extended 016A"
9207 "-h, --help This help",
9208 "-c, --country <dec> country code",
9209 "-n, --national <dec> national code",
9210 "--extended <hex> extended data",
9211 "-a, --animal optional - set animal bit"
9213 "usage": "lf fdxb sim [-ha] -c <dec> -n <dec> [--extended <hex>]"
9215 "lf gallagher clone": {
9216 "command": "lf gallagher clone",
9217 "description": "clone a GALLAGHER tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
9219 "lf gallagher clone --raw 0FFD5461A9DA1346B2D1AC32 -> encode for T55x7 tag",
9220 "lf gallagher clone --raw 0FFD5461A9DA1346B2D1AC32 --q5 -> encode for Q5/T5555 tag",
9221 "lf gallagher clone --raw 0FFD5461A9DA1346B2D1AC32 --em -> encode for EM4305/4469",
9222 "lf gallagher clone --rc 0 --fc 9876 --cn 1234 --il 1 -> encode for T55x7 tag from decoded data"
9226 "-h, --help This help",
9227 "-r, --raw <hex> raw hex data. 12 bytes max",
9228 "--q5 optional - specify writing to Q5/T5555 tag",
9229 "--em optional - specify writing to EM4305/4469 tag",
9230 "--rc <decimal> Region code. 4 bits max",
9231 "--fc <decimal> Facility code. 2 bytes max",
9232 "--cn <decimal> Card number. 3 bytes max",
9233 "--il <decimal> Issue level. 4 bits max"
9235 "usage": "lf gallagher clone [-h] [-r <hex>] [--q5] [--em] [--rc <decimal>] [--fc <decimal>] [--cn <decimal>] [--il <decimal>]"
9237 "lf gallagher help": {
9238 "command": "lf gallagher help",
9239 "description": "help This help demod demodulate an GALLAGHER tag from the GraphBuffer --------------------------------------------------------------------------------------- lf gallagher demod available offline: yes Try to find GALLAGHER preamble, if found decode / descramble data",
9241 "lf gallagher demod"
9245 "-h, --help This help"
9247 "usage": "lf gallagher demod [-h]"
9249 "lf gallagher reader": {
9250 "command": "lf gallagher reader",
9251 "description": "read a GALLAGHER tag",
9253 "lf gallagher reader -@ -> continuous reader mode"
9257 "-h, --help This help",
9258 "-@ optional - continuous reader mode"
9260 "usage": "lf gallagher reader [-h@]"
9262 "lf gallagher sim": {
9263 "command": "lf gallagher sim",
9264 "description": "Enables simulation of GALLAGHER card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
9266 "lf gallagher sim --raw 0FFD5461A9DA1346B2D1AC32",
9267 "lf gallagher sim --rc 0 --fc 9876 --cn 1234 --il 1"
9271 "-h, --help This help",
9272 "-r, --raw <hex> raw hex data. 12 bytes max",
9273 "--rc <decimal> Region code. 4 bits max",
9274 "--fc <decimal> Facility code. 2 bytes max",
9275 "--cn <decimal> Card number. 3 bytes max",
9276 "--il <decimal> Issue level. 4 bits max"
9278 "usage": "lf gallagher sim [-h] [-r <hex>] [--rc <decimal>] [--fc <decimal>] [--cn <decimal>] [--il <decimal>]"
9280 "lf gproxii clone": {
9281 "command": "lf gproxii clone",
9282 "description": "Clone a Guardall tag to a T55x7, Q5/T5555 or EM4305/4469 tag. The facility-code is 8-bit and the card number is 20-bit. Larger values are truncated. Currently work only on 26 | 36 bit format",
9284 "lf gproxii clone --xor 141 --fmt 26 --fc 123 --cn 1337 -> encode for T55x7 tag",
9285 "lf gproxii clone --xor 141 --fmt 26 --fc 123 --cn 1337 --q5 -> encode for Q5/T5555 tag",
9286 "lf gproxii clone --xor 141 --fmt 26 --fc 123 --cn 1337 --em -> encode for EM4305/4469"
9290 "-h, --help This help",
9291 "--xor <dec> 8-bit xor value (installation dependant)",
9292 "--fmt <dec> format length 26|32|36|40",
9293 "--fc <dec> 8-bit value facility code",
9294 "--cn <dec> 16-bit value card number",
9295 "--q5 optional - specify writing to Q5/T5555 tag",
9296 "--em optional - specify writing to EM4305/4469 tag"
9298 "usage": "lf gproxii clone [-h] --xor <dec> --fmt <dec> --fc <dec> --cn <dec> [--q5] [--em]"
9300 "lf gproxii help": {
9301 "command": "lf gproxii help",
9302 "description": "help this help demod demodulate a G Prox II tag from the GraphBuffer --------------------------------------------------------------------------------------- lf gproxii demod available offline: yes Try to find Guardall Prox-II preamble, if found decode / descramble data",
9304 "lf gproxii demod -> use graphbuffer to decode",
9305 "lf gproxii demod --raw fb8ee718ee3b8cc785c11b92 ->"
9309 "-h, --help This help",
9310 "-r, --raw <hex> raw bytes"
9312 "usage": "lf gproxii demod [-h] [-r <hex>]"
9314 "lf gproxii reader": {
9315 "command": "lf gproxii reader",
9316 "description": "read a Guardall tag",
9318 "lf gproxii reader -@ -> continuous reader mode"
9322 "-h, --help This help",
9323 "-@ optional - continuous reader mode"
9325 "usage": "lf gproxii reader [-h@]"
9328 "command": "lf gproxii sim",
9329 "description": "Enables simulation of Guardall card with specified card number. Simulation runs until the button is pressed or another USB command is issued. The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated. Currently work only on 26 | 36 bit format",
9331 "lf gproxii sim --xor 141 --fmt 26 --fc 123 --cn 1337"
9335 "-h, --help This help",
9336 "--xor <dec> 8-bit xor value (installation dependant)",
9337 "--fmt <dec> format length 26|32|36|40",
9338 "--fc <dec> 8-bit value facility code",
9339 "--cn <dec> 16-bit value card number"
9341 "usage": "lf gproxii sim [-h] --xor <dec> --fmt <dec> --fc <dec> --cn <dec>"
9344 "command": "lf help",
9345 "description": "help This help ----------- -------------- Low Frequency -------------- awid { AWID RFIDs... } cotag { COTAG CHIPs... } destron { FDX-A Destron RFIDs... } em { EM CHIPs & RFIDs... } fdxb { FDX-B RFIDs... } gallagher { GALLAGHER RFIDs... } gproxii { Guardall Prox II RFIDs... } hid { HID Prox RFIDs... } hitag { Hitag CHIPs... } idteck { Idteck RFIDs... } indala { Indala RFIDs... } io { ioProx RFIDs... } jablotron { Jablotron RFIDs... } keri { KERI RFIDs... } motorola { Motorola Flexpass RFIDs... } nedap { Nedap RFIDs... } nexwatch { NexWatch RFIDs... } noralsy { Noralsy RFIDs... } pac { PAC/Stanley RFIDs... } paradox { Paradox RFIDs... } pcf7931 { PCF7931 CHIPs... } presco { Presco RFIDs... } pyramid { Farpointe/Pyramid RFIDs... } securakey { Securakey RFIDs... } ti { TI CHIPs... } t55xx { T55xx CHIPs... } viking { Viking RFIDs... } visa2000 { Visa2000 RFIDs... } ----------- --------------------- General --------------------- search Read and Search for valid known tag --------------------------------------------------------------------------------------- lf config available offline: no Get/Set config for LF sampling, bit/sample, decimation, frequency These changes are temporary, will be reset after a power cycle. - use `lf read` performs a read (active field) - use `lf sniff` performs a sniff (no active field)",
9347 "lf config -> shows current config",
9348 "lf config -b 8 --125 -> samples at 125 kHz, 8 bps",
9349 "lf config -b 4 --134 --dec 3 -> samples at 134 kHz, averages three samples into one, stored with a resolution of 4 bits per sample",
9350 "lf config --trig 20 -s 10000 -> trigger sampling when above 20, skip 10 000 first samples after triggered",
9351 "lf config --reset -> reset back to default values"
9355 "-h, --help This help",
9356 "--125 125 kHz frequency",
9357 "--134 134 kHz frequency",
9358 "-a, --avg <0|1> averaging - if set, will average the stored sample value when decimating (default 1)",
9359 "-b, --bps <1-8> sets resolution of bits per sample (default 8)",
9360 "--dec <1-8> sets decimation. A value of N saves only 1 in N samples (default 1)",
9361 "--divisor <19-255> Manually set freq divisor. 88 -> 134 kHz, 95 -> 125 kHz",
9362 "-f, --freq <47-600> manually set frequency in kHz",
9363 "-r, --reset reset values to defaults",
9364 "-s, --skip <dec> sets a number of samples to skip before capture (default 0)",
9365 "-t, --trig <0-128> sets trigger threshold. 0 means no threshold"
9367 "usage": "lf config [-hr] [--125] [--134] [-a <0|1>] [-b <1-8>] [--dec <1-8>] [--divisor <19-255>] [-f <47-600>] [-s <dec>] [-t <0-128>]"
9370 "command": "lf hid brute",
9371 "description": "Enables bruteforce of HID readers with specified facility code or card number. This is an attack against the reader. If the field being bruteforced is provided, it starts with it and goes up / down one step while maintaining other supplied values. If the field being bruteforced is not provided, it will iterate through the full range while maintaining other supplied values.",
9373 "lf hid brute -w H10301 --field fc --fc 224 --cn 6278",
9374 "lf hid brute -w H10301 --field cn --fc 21 -d 2000",
9375 "lf hid brute -v -w H10301 --field cn --fc 21 --cn 200 -d 2000",
9376 "lf hid brute -v -w H10301 --field fc --fc 21 --cn 200 -d 2000 --up"
9380 "-h, --help This help",
9381 "-v, --verbose verbose output",
9382 "-w, --wiegand <format> see `wiegand list` for available formats",
9383 "--field <fc|cn> field to bruteforce",
9384 "--fc <dec> facility code",
9385 "--cn <dec> card number",
9386 "-i, --issue <dec> issue level",
9387 "-o, --oem <dec> OEM code",
9388 "-d, --delay <dec> delay betweens attempts in ms. (def is 1000)",
9389 "--up direction to increment field value. (def is both directions)",
9390 "--down direction to decrement field value. (def is both directions)"
9392 "usage": "lf hid brute [-hv] -w <format> --field <fc|cn> [--fc <dec>] [--cn <dec>] [-i <dec>] [-o <dec>] [-d <dec>] [--up] [--down]"
9395 "command": "lf hid clone",
9396 "description": "clone a HID Prox tag to a T55x7, Q5/T5555 or EM4305/4469 tag. Tag must be on the antenna when issuing this command.",
9398 "lf hid clone -r 2006ec0c86 -> write raw value for T55x7 tag (HID 10301 26 bit)",
9399 "lf hid clone -r 2e0ec00c87 -> write raw value for T55x7 tag (HID Corporate 35 bit)",
9400 "lf hid clone -r 01f0760643c3 -> write raw value for T55x7 tag (HID P10001 40 bit)",
9401 "lf hid clone -r 01400076000c86 -> write raw value for T55x7 tag (HID Corporate 48 bit)",
9402 "lf hid clone -w H10301 --fc 118 --cn 1603 -> HID 10301 26 bit, encode for T55x7 tag",
9403 "lf hid clone -w H10301 --fc 118 --cn 1603 --q5 -> HID 10301 26 bit, encode for Q5/T5555 tag",
9404 "lf hid clone -w H10301 --fc 118 --cn 1603 --em -> HID 10301 26 bit, encode for EM4305/4469"
9408 "-h, --help This help",
9409 "-w, --wiegand <format> see `wiegand list` for available formats",
9410 "--fc <dec> facility code",
9411 "--cn <dec> card number",
9412 "-i <dec> issue level",
9413 "-o, --oem <dec> OEM code",
9414 "-r, --raw <hex> raw bytes",
9415 "--q5 optional - specify writing to Q5/T5555 tag",
9416 "--em optional - specify writing to EM4305/4469 tag",
9417 "--bin <bin> Binary string i.e 0001001001"
9419 "usage": "lf hid clone [-h] [-w <format>] [--fc <dec>] [--cn <dec>] [-i <dec>] [-o <dec>] [-r <hex>] [--q5] [--em] [--bin <bin>]"
9422 "command": "lf hid help",
9423 "description": "help this help demod demodulate HID Prox tag from the GraphBuffer --------------------------------------------------------------------------------------- lf hid demod available offline: yes Try to find HID Prox preamble, if found decode / descramble data",
9429 "-h, --help This help"
9431 "usage": "lf hid demod [-h]"
9434 "command": "lf hid reader",
9435 "description": "read a HID Prox tag",
9437 "lf hid reader -@ -> continuous reader mode"
9441 "-h, --help This help",
9442 "-@ optional - continuous reader mode"
9444 "usage": "lf hid reader [-h@]"
9447 "command": "lf hid sim",
9448 "description": "Enables simulation of HID card with card number. Simulation runs until the button is pressed or another USB command is issued.",
9450 "lf hid sim -r 2006ec0c86 -> HID 10301 26 bit",
9451 "lf hid sim -r 2e0ec00c87 -> HID Corporate 35 bit",
9452 "lf hid sim -r 01f0760643c3 -> HID P10001 40 bit",
9453 "lf hid sim -r 01400076000c86 -> HID Corporate 48 bit",
9454 "lf hid sim -w H10301 --fc 118 --cn 1603 -> HID 10301 26 bit"
9458 "-h, --help This help",
9459 "-w, --wiegand <format> see `wiegand list` for available formats",
9460 "--fc <dec> facility code",
9461 "--cn <dec> card number",
9462 "-i <dec> issue level",
9463 "-o, --oem <dec> OEM code",
9464 "-r, --raw <hex> raw bytes"
9466 "usage": "lf hid sim [-h] [-w <format>] [--fc <dec>] [--cn <dec>] [-i <dec>] [-o <dec>] [-r <hex>]"
9469 "command": "lf hid watch",
9470 "description": "Enables HID compatible reader mode printing details. By default, values are printed and logged until the button is pressed or another USB command is issued.",
9476 "-h, --help This help"
9478 "usage": "lf hid watch [-h]"
9481 "command": "lf hitag cc",
9482 "description": "Check challenges, load a file with saved hitag crypto challenges and test them all. The file should be 8 * 60 bytes long, the file extension defaults to `.cc`",
9484 "lf hitag cc -f my_hitag_challenges"
9488 "-h, --help This help",
9489 "-f, --file <fn> filename to load ( w/o ext )"
9491 "usage": "lf hitag cc [-h] -f <fn>"
9494 "command": "lf hitag chk",
9495 "description": "Run dictionary key or password recovery against Hitag card.",
9498 "-> checks for both pwd / crypto keyslf hitag chk --crypto -> use def dictionary",
9499 "lf hitag chk --pwd -f my.dic -> pwd mode, custom dictionary"
9503 "-h, --help This help",
9504 "-f, --file <fn> specify dictionary filename",
9505 "--pwd password mode",
9506 "--crypto crypto mode"
9508 "usage": "lf hitag chk [-h] [-f <fn>] [--pwd] [--crypto]"
9510 "lf hitag crack2": {
9511 "command": "lf hitag crack2",
9512 "description": "This command tries to recover 2048 bits of Hitag2 crypto stream data.",
9514 "lf hitag crack2 --nrar 73AA5A62EAB8529C"
9518 "-h, --help This help",
9519 "--nrar <hex> specify nonce / answer as 8 hex bytes"
9521 "usage": "lf hitag lookup [-h] [--nrar <hex>]"
9524 "command": "lf hitag dump",
9525 "description": "Read all Hitag 2 card memory and save to file Crypto mode key format: ISK high + ISK low, 4F4E4D494B52 (ONMIKR) Password mode, default key 4D494B52 (MIKR)",
9527 "lf hitag dump --pwd -> use def pwd",
9528 "lf hitag dump -k 4D494B52 -> pwd mode",
9529 "lf hitag dump --crypto -> use def crypto",
9530 "lf hitag dump -k 4F4E4D494B52 -> crypto mode",
9531 "lf hitag dump --nrar 0102030411223344"
9535 "-h, --help This help",
9536 "--pwd password mode",
9537 "--nrar <hex> nonce / answer reader, 8 hex bytes",
9538 "--crypto crypto mode",
9539 "-k, --key <hex> key, 4 or 6 hex bytes",
9540 "-f, --file <fn> specify file name",
9541 "--ns no save to file"
9543 "usage": "lf hitag dump [-h] [--pwd] [--nrar <hex>] [--crypto] [-k <hex>] [-f <fn>] [--ns]"
9546 "command": "lf hitag eload",
9547 "description": "Loads hitag tag dump into emulator memory on device",
9549 "lf hitag eload -2 -f lf-hitag-11223344-dump.bin"
9553 "-h, --help This help",
9554 "-f, --file <fn> Specify dump filename",
9555 "-1, --ht1 Card type Hitag 1",
9556 "-2, --ht2 Card type Hitag 2",
9557 "-s, --hts Card type Hitag S",
9558 "-m, --htm Card type Hitag \u03bc"
9560 "usage": "lf hitag eload [-h12sm] -f <fn>"
9563 "command": "lf hitag eview",
9564 "description": "It displays emulator memory",
9570 "-h, --help This help",
9571 "-v, --verbose Verbose output"
9573 "usage": "lf hitag eview [-hv]"
9576 "command": "lf hitag help",
9577 "description": "help This help list List Hitag trace history test Perform self tests view Display content from tag dump file lookup Uses authentication trace to check for key in dictionary file --------------------------------------------------------------------------------------- lf hitag list available offline: yes Alias of `trace list -t hitag2` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
9579 "lf hitag list --frame -> show frame delay times",
9580 "lf hitag list -1 -> use trace buffer"
9584 "-h, --help This help",
9585 "-1, --buffer use data from trace buffer",
9586 "--frame show frame delay times",
9587 "-c mark CRC bytes",
9588 "-r show relative times (gap and duration)",
9589 "-u display times in microseconds instead of clock cycles",
9590 "-x show hexdump to convert to pcap(ng)",
9591 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
9592 "-f, --file <fn> filename of dictionary"
9594 "usage": "lf hitag list [-h1crux] [--frame] [-f <fn>]"
9597 "command": "lf hitag info",
9598 "description": "Hitag2 tag information",
9604 "-h, --help This help"
9606 "usage": "lf hitag info [-h]"
9608 "lf hitag lookup": {
9609 "command": "lf hitag lookup",
9610 "description": "This command take sniffed trace data and try to recovery a Hitag2 crypto key. You can either - verify that NR/AR matches a known crypto key - verify if NR/AR matches a known 6 byte crypto key in a dictionary",
9612 "lf hitag lookup --uid 11223344 --nr 73AA5A62 --ar EAB8529C -k 010203040506 -> check key",
9613 "lf hitag lookup --uid 11223344 --nr 73AA5A62 --ar EAB8529C -> use def dictionary",
9614 "lf hitag lookup --uid 11223344 --nr 73AA5A62 --ar EAB8529C -f my.dic -> use custom dictionary",
9615 "lf hitag lookup --uid 11223344 --nrar 73AA5A62EAB8529C"
9619 "-h, --help This help",
9620 "-f, --file <fn> specify dictionary filename",
9621 "-k, --key <hex> specify known cryptokey as 6 bytes",
9622 "-u, --uid <hex> specify UID as 4 hex bytes",
9623 "--nr <hex> specify nonce as 4 hex bytes",
9624 "--ar <hex> specify answer as 4 hex bytes",
9625 "--nrar <hex> specify nonce / answer as 8 hex bytes"
9627 "usage": "lf hitag lookup [-h] [-f <fn>] [-k <hex>] -u <hex> [--nr <hex>] [--ar <hex>] [--nrar <hex>]"
9630 "command": "lf hitag read",
9631 "description": "Read Hitag memory. It support HitagS and Hitag 2 Password mode: - default key 4D494B52 (MIKR) Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR)",
9633 "lf hitag read --hts -> HitagS, plain mode",
9634 "lf hitag read --hts --nrar 0102030411223344 -> HitagS, challenge mode",
9635 "lf hitag read --hts --crypto -> HitagS, crypto mode, def key",
9636 "lf hitag read --hts -k 4F4E4D494B52 -> HitagS, crypto mode",
9638 "lf hitag read --ht2 --pwd -> Hitag 2, pwd mode, def key",
9639 "lf hitag read --ht2 -k 4D494B52 -> Hitag 2, pwd mode",
9640 "lf hitag read --ht2 --nrar 0102030411223344 -> Hitag 2, challenge mode",
9641 "lf hitag read --ht2 --crypto -> Hitag 2, crypto mode, def key",
9642 "lf hitag read --ht2 -k 4F4E4D494B52 -> Hitag 2, crypto mode"
9646 "-h, --help This help",
9647 "-s, --hts Hitag S",
9648 "-2, --ht2 Hitag 2",
9649 "--pwd password mode",
9650 "--nrar <hex> nonce / answer writer, 8 hex bytes",
9651 "--crypto crypto mode",
9652 "-k, --key <hex> key, 4 or 6 hex bytes"
9654 "usage": "lf hitag read [-hs2] [--pwd] [--nrar <hex>] [--crypto] [-k <hex>]"
9657 "command": "lf hitag sim",
9658 "description": "Simulate Hitag transponder You need to `lf hitag eload` first",
9664 "-h, --help This help",
9665 "-1, --ht1 simulate Hitag 1",
9666 "-2, --ht2 simulate Hitag 2",
9667 "-s, --hts simulate Hitag S"
9669 "usage": "lf hitag sim [-h12s]"
9672 "command": "lf hitag sniff",
9673 "description": "Sniff the communication between reader and tag. Use `lf hitag list` to view collected data.",
9679 "-h, --help This help"
9681 "usage": "lf hitag sniff [-h]"
9684 "command": "lf hitag test",
9685 "description": "Perform self tests of Hitag crypto engine",
9691 "-h, --help This help"
9693 "usage": "lf hitag test [-h]"
9696 "command": "lf hitag view",
9697 "description": "Print a HITAG dump file (bin/eml/json)",
9699 "lf hitag view -f lf-hitag-01020304-dump.bin"
9703 "-h, --help This help",
9704 "-f, --file <fn> Specify a filename for dump file",
9705 "-v, --verbose Verbose output"
9707 "usage": "lf hitag view [-hv] -f <fn>"
9710 "command": "lf hitag wrbl",
9711 "description": "Write a page in Hitag memory. It support HitagS and Hitag 2 Password mode: - default key 4D494B52 (MIKR) Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR)",
9713 "lf hitag wrbl --hts -p 6 -d 01020304 -> HitagS, plain mode",
9714 "lf hitag wrbl --hts -p 6 -d 01020304 --nrar 0102030411223344 -> HitagS, challenge mode",
9715 "lf hitag wrbl --hts -p 6 -d 01020304 --crypto -> HitagS, crypto mode, def key",
9716 "lf hitag wrbl --hts -p 6 -d 01020304 -k 4F4E4D494B52 -> HitagS, crypto mode",
9718 "lf hitag wrbl --ht2 -p 6 -d 01020304 --pwd -> Hitag 2, pwd mode, def key",
9719 "lf hitag wrbl --ht2 -p 6 -d 01020304 -k 4D494B52 -> Hitag 2, pwd mode",
9720 "lf hitag wrbl --ht2 -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag 2, challenge mode",
9721 "lf hitag wrbl --ht2 -p 6 -d 01020304 --crypto -> Hitag 2, crypto mode, def key",
9722 "lf hitag wrbl --ht2 -p 6 -d 01020304 -k 4F4E4D494B52 -> Hitag 2, crypto mode"
9726 "-h, --help This help",
9727 "-s, --hts Hitag S",
9728 "-2, --ht2 Hitag 2",
9729 "--pwd password mode",
9730 "--nrar <hex> nonce / answer writer, 8 hex bytes",
9731 "--crypto crypto mode",
9732 "-k, --key <hex> key, 4 or 6 hex bytes",
9733 "-p, --page <dec> page address to write to",
9734 "-d, --data <hex> data, 4 hex bytes"
9736 "usage": "lf hitag wrbl [-hs2] [--pwd] [--nrar <hex>] [--crypto] [-k <hex>] -p <dec> -d <hex>"
9738 "lf idteck clone": {
9739 "command": "lf idteck clone",
9740 "description": "clone a Idteck tag to T55x7 or Q5/T5555 tag Tag must be on the antenna when issuing this command.",
9742 "lf idteck clone --raw 4944544B351FBE4B"
9746 "-h, --help This help",
9747 "-r, --raw <hex> raw bytes",
9748 "--q5 optional - specify writing to Q5/T5555 tag",
9749 "--em optional - specify writing to EM4305/4469 tag"
9751 "usage": "lf idteck clone [-h] -r <hex> [--q5] [--em]"
9754 "command": "lf idteck help",
9755 "description": "help This help demod demodulate an Idteck tag from the GraphBuffer --------------------------------------------------------------------------------------- lf idteck demod available offline: yes Try to find Idteck preamble, if found decode / descramble data",
9758 "lf idteck demod --raw 4944544B351FBE4B"
9762 "-h, --help This help",
9763 "-r, --raw <hex> raw bytes"
9765 "usage": "lf idteck demod [-h] [-r <hex>]"
9767 "lf idteck reader": {
9768 "command": "lf idteck reader",
9769 "description": "read a Idteck tag",
9771 "lf idteck reader -@ -> continuous reader mode"
9775 "-h, --help This help",
9776 "-@ optional - continuous reader mode"
9778 "usage": "lf idteck reader [-h@]"
9781 "command": "lf idteck sim",
9782 "description": "Enables simulation of Idteck card. Simulation runs until the button is pressed or another USB command is issued.",
9784 "lf idteck sim --raw 4944544B351FBE4B"
9788 "-h, --help This help",
9789 "-r, --raw <hex> raw bytes"
9791 "usage": "lf idteck sim [-h] -r <hex>"
9793 "lf indala altdemod": {
9794 "command": "lf indala altdemod",
9795 "description": "Tries to PSK demodulate the graphbuffer as Indala This is uses a alternative way to demodulate and was used from the beginning in the Pm3 client. It's now considered obsolete but remains because it has sometimes its advantages.",
9797 "lf indala altdemod",
9798 "lf indala altdemod --long -> demod a Indala tag from the GraphBuffer as 224 bit long format"
9802 "-h, --help This help",
9803 "-l, --long optional - demod as 224b long format"
9805 "usage": "lf indala altdemod [-hl]"
9807 "lf indala clone": {
9808 "command": "lf indala clone",
9809 "description": "clone Indala UID to T55x7 or Q5/T5555 tag using different known formats Warning, encoding with FC/CN doesn't always work",
9811 "lf indala clone --heden 888",
9812 "lf indala clone --fc 123 --cn 1337",
9813 "lf indala clone --fc 123 --cn 1337 --4041x",
9814 "lf indala clone -r a0000000a0002021",
9815 "lf indala clone -r 80000001b23523a6c2e31eba3cbee4afb3c6ad1fcf649393928c14e5"
9819 "-h, --help This help",
9820 "-r, --raw <hex> raw bytes",
9821 "--heden <decimal> Card number for Heden 2L format",
9822 "--fc <decimal> Facility code (26 bit H10301 format)",
9823 "--cn <decimal> Card number (26 bit H10301 format)",
9824 "--q5 Optional - specify writing to Q5/T5555 tag",
9825 "--em Optional - specify writing to EM4305/4469 tag",
9826 "--4041x Optional - specify Indala 4041X format, must use with fc and cn"
9828 "usage": "lf indala clone [-h] [-r <hex>] [--heden <decimal>] [--fc <decimal>] [--cn <decimal>] [--q5] [--em] [--4041x]"
9830 "lf indala demod": {
9831 "command": "lf indala demod",
9832 "description": "Tries to PSK demodulate the graphbuffer as Indala",
9835 "lf indala demod --clock 32 -> demod a Indala tag from the GraphBuffer using a clock of RF/32",
9836 "lf indala demod --clock 32 -i -> demod a Indala tag from the GraphBuffer using a clock of RF/32 and inverting data",
9837 "lf indala demod --clock 64 -i --maxerror 0 -> demod a Indala tag from the GraphBuffer using a clock of RF/64, inverting data and allowing 0 demod errors"
9841 "-h, --help This help",
9842 "--clock <dec> optional - set clock (as integer), if not set, autodetect.",
9843 "--maxerr <dec> optional - set maximum allowed errors, default = 100",
9844 "-i, --invert optional - invert output"
9846 "usage": "lf indala demod [-hi] [--clock <dec>] [--maxerr <dec>]"
9849 "command": "lf indala help",
9850 "description": "help This help demod Demodulate an Indala tag (PSK1) from the GraphBuffer altdemod Alternative method to demodulate samples for Indala 64 bit UID (option '224' for 224 bit) --------------------------------------------------------------------------------------- lf indala brute available offline: no Enables bruteforce of INDALA readers with specified facility code. This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step if cardnumber is not given, it starts with 1 and goes up to 65535",
9852 "lf indala brute --fc 224",
9853 "lf indala brute --fc 21 -d 2000",
9854 "lf indala brute -v --fc 21 --cn 200 -d 2000",
9855 "lf indala brute -v --fc 21 --cn 200 -d 2000 --up"
9859 "-h, --help This help",
9860 "-v, --verbose verbose output",
9861 "--fc <dec> facility code",
9862 "--cn <dec> card number to start with",
9863 "-d, --delay <dec> delay betweens attempts in ms. Default 1000ms",
9864 "--up direction to increment card number. (default is both directions)",
9865 "--down direction to decrement card number. (default is both directions)",
9866 "--4041x specify Indala 4041X format"
9868 "usage": "lf indala brute [-hv] [--fc <dec>] [--cn <dec>] [-d <dec>] [--up] [--down] [--4041x]"
9870 "lf indala reader": {
9871 "command": "lf indala reader",
9872 "description": "read a Indala tag",
9874 "lf indala reader -@ -> continuous reader mode"
9878 "-h, --help This help",
9879 "--clock <dec> optional - set clock (as integer), if not set, autodetect.",
9880 "--maxerr <dec> optional - set maximum allowed errors, default = 100",
9881 "-i, --invert optional - invert output",
9882 "-@ optional - continuous reader mode"
9884 "usage": "lf indala reader [-hi@] [--clock <dec>] [--maxerr <dec>]"
9887 "command": "lf indala sim",
9888 "description": "Enables simulation of Indala card with specified facility code and card number. Simulation runs until the button is pressed or another USB command is issued.",
9890 "lf indala sim --heden 888",
9891 "lf indala sim --fc 123 --cn 1337",
9892 "lf indala sim --fc 123 --cn 1337 --4041x",
9893 "lf indala sim --raw a0000000a0002021",
9894 "lf indala sim --raw 80000001b23523a6c2e31eba3cbee4afb3c6ad1fcf649393928c14e5"
9898 "-h, --help This help",
9899 "-r, --raw <hex> raw bytes",
9900 "--heden <decimal> Cardnumber for Heden 2L format",
9901 "--fc <decimal> Facility code (26 bit H10301 format)",
9902 "--cn <decimal> Card number (26 bit H10301 format)",
9903 "--4041x Optional - specify Indala 4041X format, must use with fc and cn"
9905 "usage": "lf indala sim [-h] [-r <hex>] [--heden <decimal>] [--fc <decimal>] [--cn <decimal>] [--4041x]"
9908 "command": "lf io clone",
9909 "description": "clone a ioProx card with specified facility-code and card number to a T55x7, Q5/T5555 or EM4305/4469 tag. Tag must be on the antenna when issuing this command.",
9911 "lf io clone --vn 1 --fc 101 --cn 1337"
9915 "-h, --help This help",
9916 "--vn <dec> 8bit version",
9917 "--fc <dec> 8bit facility code",
9918 "--cn <dec> 16bit card number",
9919 "--q5 optional - specify writing to Q5/T5555 tag",
9920 "--em optional - specify writing to EM4305/4469 tag"
9922 "usage": "lf io clone [-h] --vn <dec> --fc <dec> --cn <dec> [--q5] [--em]"
9925 "command": "lf io help",
9926 "description": "help this help demod demodulate an ioProx tag from the GraphBuffer --------------------------------------------------------------------------------------- lf io demod available offline: yes Try to find ioProx preamble, if found decode / descramble data",
9932 "-h, --help This help"
9934 "usage": "lf io demod [-h]"
9937 "command": "lf io reader",
9938 "description": "read a ioProx tag",
9940 "lf io reader -@ -> continuous reader mode"
9944 "-h, --help This help",
9945 "-@ optional - continuous reader mode"
9947 "usage": "lf io reader [-h@]"
9950 "command": "lf io sim",
9951 "description": "Enables simulation of ioProx card with specified facility-code and card number. Simulation runs until the button is pressed or another USB command is issued.",
9953 "lf io sim --vn 1 --fc 101 --cn 1337"
9957 "-h, --help This help",
9958 "--vn <dec> 8bit version",
9959 "--fc <dec> 8bit facility code",
9960 "--cn <dec> 16bit card number"
9962 "usage": "lf io sim [-h] --vn <dec> --fc <dec> --cn <dec>"
9965 "command": "lf io watch",
9966 "description": "Enables ioProx compatible reader mode printing details. By default, values are printed and logged until the button is pressed or another USB command is issued.",
9972 "-h, --help This help"
9974 "usage": "lf io watch [-h]"
9976 "lf jablotron clone": {
9977 "command": "lf jablotron clone",
9978 "description": "clone a Jablotron tag to a T55x7, Q5/T5555 or EM4305/4469 tag. Tag must be on the antenna when issuing this command.",
9980 "lf jablotron clone --cn 01b669 -> encode for T55x7 tag",
9981 "lf jablotron clone --cn 01b669 --q5 -> encode for Q5/T5555 tag",
9982 "lf jablotron clone --cn 01b669 --em -> encode for EM4305/4469"
9986 "-h, --help This help",
9987 "--cn <hex> Jablotron card ID - 5 bytes max",
9988 "--q5 optional - specify writing to Q5/T5555 tag",
9989 "--em optional - specify writing to EM4305/4469 tag"
9991 "usage": "lf jablotron clone [-h] --cn <hex> [--q5] [--em]"
9993 "lf jablotron help": {
9994 "command": "lf jablotron help",
9995 "description": "help This help demod demodulate an Jablotron tag from the GraphBuffer --------------------------------------------------------------------------------------- lf jablotron demod available offline: yes Try to find Jablotron preamble, if found decode / descramble data",
9997 "lf jablotron demod"
10001 "-h, --help This help"
10003 "usage": "lf jablotron demod [-h]"
10005 "lf jablotron reader": {
10006 "command": "lf jablotron reader",
10007 "description": "read a jablotron tag",
10009 "lf jablotron reader -@ -> continuous reader mode"
10013 "-h, --help This help",
10014 "-@ optional - continuous reader mode"
10016 "usage": "lf jablotron reader [-h@]"
10018 "lf jablotron sim": {
10019 "command": "lf jablotron sim",
10020 "description": "Enables simulation of jablotron card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
10022 "lf jablotron sim --cn 01b669"
10026 "-h, --help This help",
10027 "--cn <hex> Jablotron card ID - 5 bytes max"
10029 "usage": "lf jablotron sim [-h] --cn <hex>"
10032 "command": "lf keri clone",
10033 "description": "clone a KERI tag to a T55x7, Q5/T5555 or EM4305/4469 tag",
10035 "lf keri clone -t i --cn 12345 -> Internal ID",
10036 "lf keri clone -t m --fc 6 --cn 12345 -> MS ID"
10040 "-h, --help This help",
10041 "-t, --type <m|i> Type m - MS, i - Internal ID",
10042 "--fc <dec> Facility Code",
10043 "--cn <dec> KERI card ID",
10044 "--q5 specify writing to Q5/T5555 tag",
10045 "--em specify writing to EM4305/4469 tag"
10047 "usage": "lf keri clone [-h] [-t <m|i>] [--fc <dec>] --cn <dec> [--q5] [--em]"
10050 "command": "lf keri help",
10051 "description": "help This help demod demodulate an KERI tag from the GraphBuffer --------------------------------------------------------------------------------------- lf keri demod available offline: yes Try to find KERI preamble, if found decode / descramble data",
10057 "-h, --help This help"
10059 "usage": "lf keri demod [-h]"
10061 "lf keri reader": {
10062 "command": "lf keri reader",
10063 "description": "read a keri tag",
10065 "lf keri reader -@ -> continuous reader mode"
10069 "-h, --help This help",
10070 "-@ optional - continuous reader mode"
10072 "usage": "lf keri reader [-h@]"
10075 "command": "lf keri sim",
10076 "description": "Enables simulation of KERI card with internal ID. You supply a KERI card id and it will converted to a KERI internal ID.",
10078 "lf keri sim --cn 112233"
10082 "-h, --help This help",
10083 "--id <dec> KERI card ID"
10085 "usage": "lf keri sim [-h] --id <dec>"
10087 "lf motorola clone": {
10088 "command": "lf motorola clone",
10089 "description": "clone Motorola UID to a T55x7, Q5/T5555 or EM4305/4469 tag. defaults to 64 bit format",
10091 "lf motorola clone --raw a0000000a0002021 -> encode for T55x7 tag",
10092 "lf motorola clone --raw a0000000a0002021 --q5 -> encode for Q5/T5555 tag",
10093 "lf motorola clone --raw a0000000a0002021 --em -> encode for EM4305/4469"
10097 "-h, --help This help",
10098 "-r, --raw <hex> raw hex bytes. 8 bytes",
10099 "--q5 optional - specify writing to Q5/T5555 tag",
10100 "--em optional - specify writing to EM4305/4469 tag"
10102 "usage": "lf motorola clone [-h] -r <hex> [--q5] [--em]"
10104 "lf motorola help": {
10105 "command": "lf motorola help",
10106 "description": "help This help demod demodulate an MOTOROLA tag from the GraphBuffer --------------------------------------------------------------------------------------- lf motorola demod available offline: yes Try to find Motorola Flexpass preamble, if found decode / descramble data",
10108 "lf motorola demod"
10112 "-h, --help This help"
10114 "usage": "lf motorola demod [-h]"
10116 "lf motorola reader": {
10117 "command": "lf motorola reader",
10118 "description": "read a Motorola Flexpass tag",
10120 "lf motorola reader -@ -> continuous reader mode"
10124 "-h, --help This help",
10125 "-@ optional - continuous reader mode"
10127 "usage": "lf motorola reader [-h@]"
10129 "lf motorola sim": {
10130 "command": "lf motorola sim",
10131 "description": "Enables simulation of Motorola card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
10137 "-h, --help This help"
10139 "usage": "lf motorola sim [-h]"
10141 "lf nedap clone": {
10142 "command": "lf nedap clone",
10143 "description": "clone a Nedap tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
10145 "lf nedap clone --st 1 --cc 101 --id 1337"
10149 "-h, --help This help",
10150 "--st <dec> optional - sub type (default 5)",
10151 "--cc <dec> customer code (0-4095)",
10152 "--id <dec> ID (0-99999)",
10153 "-l, --long optional - long (128), default to short (64)",
10154 "--q5 optional - specify writing to Q5/T5555 tag",
10155 "--em optional - specify writing to EM4305/4469 tag"
10157 "usage": "lf nedap clone [-hl] [--st <dec>] --cc <dec> --id <dec> [--q5] [--em]"
10160 "command": "lf nedap help",
10161 "description": "help This help demod demodulate Nedap tag from the GraphBuffer --------------------------------------------------------------------------------------- lf nedap demod available offline: yes Try to find Nedap preamble, if found decode / descramble data",
10167 "-h, --help This help"
10169 "usage": "lf nedap demod [-h]"
10171 "lf nedap reader": {
10172 "command": "lf nedap reader",
10173 "description": "read a Nedap tag",
10175 "lf nedap reader -@ -> continuous reader mode"
10179 "-h, --help This help",
10180 "-@ optional - continuous reader mode"
10182 "usage": "lf nedap reader [-h@]"
10185 "command": "lf nedap sim",
10186 "description": "Enables simulation of NEDAP card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
10188 "lf nedap sim --st 1 --cc 101 --id 1337"
10192 "-h, --help This help",
10193 "--st <dec> optional - sub type (default 5)",
10194 "--cc <dec> customer code (0-4095)",
10195 "--id <dec> ID (0-99999)",
10196 "-l, --long optional - long (128), default to short (64)"
10198 "usage": "lf nedap sim [-hl] [--st <dec>] --cc <dec> --id <dec>"
10200 "lf nexwatch clone": {
10201 "command": "lf nexwatch clone",
10202 "description": "clone a Nexwatch tag to a T55x7, Q5/T5555 or EM4305/4469 tag. You can use raw hex values or create a credential based on id, mode and type of credential (Nexkey / Quadrakey / Russian)",
10204 "lf nexwatch clone --raw 5600000000213C9F8F150C00",
10205 "lf nexwatch clone --cn 521512301 -m 1 --nc -> Nexkey credential",
10206 "lf nexwatch clone --cn 521512301 -m 1 --qc -> Quadrakey credential",
10207 "lf nexwatch clone --cn 521512301 -m 1 --hc -> Honeywell credential"
10211 "-h, --help This help",
10212 "-r, --raw <hex> raw hex data. 12 bytes",
10213 "--cn <dec> card id",
10214 "-m, --mode <dec> mode (decimal) (0-15, defaults to 1)",
10215 "--nc Nexkey credential",
10216 "--qc Quadrakey credential",
10217 "--hc Honeywell credential",
10218 "--q5 optional - specify writing to Q5/T5555 tag",
10219 "--em optional - specify writing to EM4305/4469 tag",
10220 "--magic <hex> optional - magic hex data. 1 byte",
10221 "--psk2 optional - specify writing a tag in psk2 modulation"
10223 "usage": "lf nexwatch clone [-h] [-r <hex>] [--cn <dec>] [-m <dec>] [--nc] [--qc] [--hc] [--q5] [--em] [--magic <hex>] [--psk2]"
10225 "lf nexwatch help": {
10226 "command": "lf nexwatch help",
10227 "description": "help This help demod demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer --------------------------------------------------------------------------------------- lf nexwatch demod available offline: yes Try to find Nexwatch preamble, if found decode / descramble data",
10229 "lf nexwatch demod"
10233 "-h, --help This help"
10235 "usage": "lf nexwatch demod [-h]"
10237 "lf nexwatch reader": {
10238 "command": "lf nexwatch reader",
10239 "description": "read a Nexwatch tag",
10241 "lf nexwatch reader -@ -> continuous reader mode"
10245 "-h, --help This help",
10246 "-@ optional - continuous reader mode"
10248 "usage": "lf nexwatch reader [-h@]"
10250 "lf nexwatch sim": {
10251 "command": "lf nexwatch sim",
10252 "description": "Enables simulation of secura card with specified card number. Simulation runs until the button is pressed or another USB command is issued. You can use raw hex values or create a credential based on id, mode and type of credential (Nexkey/Quadrakey)",
10254 "lf nexwatch sim --raw 5600000000213C9F8F150C00",
10255 "lf nexwatch sim --cn 521512301 -m 1 --nc -> Nexkey credential",
10256 "lf nexwatch sim --cn 521512301 -m 1 --qc -> Quadrakey credential",
10257 "lf nexwatch sim --cn 521512301 -m 1 --hc -> Honeywell credential"
10261 "-h, --help This help",
10262 "-r, --raw <hex> raw hex data. 12 bytes",
10263 "--cn <dec> card id",
10264 "-m, --mode <dec> mode (decimal) (0-15, defaults to 1)",
10265 "--nc Nexkey credential",
10266 "--qc Quadrakey credential",
10267 "--hc Honeywell credential",
10268 "--magic <hex> optional - magic hex data. 1 byte",
10269 "--psk2 optional - specify writing a tag in psk2 modulation"
10271 "usage": "lf nexwatch sim [-h] [-r <hex>] [--cn <dec>] [-m <dec>] [--nc] [--qc] [--hc] [--magic <hex>] [--psk2]"
10273 "lf noralsy clone": {
10274 "command": "lf noralsy clone",
10275 "description": "clone a Noralsy tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
10277 "lf noralsy clone --cn 112233 -> encode for T55x7 tag",
10278 "lf noralsy clone --cn 112233 --q5 -> encode for Q5/T5555 tag",
10279 "lf noralsy clone --cn 112233 --em -> encode for EM4305/4469"
10283 "-h, --help This help",
10284 "--cn <dec> Noralsy card ID",
10285 "-y, --year <dec> tag allocation year",
10286 "--q5 optional - specify writing to Q5/T5555 tag",
10287 "--em optional - specify writing to EM4305/4469 tag"
10289 "usage": "lf noralsy clone [-h] --cn <dec> [-y <dec>] [--q5] [--em]"
10291 "lf noralsy help": {
10292 "command": "lf noralsy help",
10293 "description": "help This help demod demodulate an Noralsy tag from the GraphBuffer --------------------------------------------------------------------------------------- lf noralsy demod available offline: yes Try to find Noralsy preamble, if found decode / descramble data",
10299 "-h, --help This help"
10301 "usage": "lf noralsy demod [-h]"
10303 "lf noralsy reader": {
10304 "command": "lf noralsy reader",
10305 "description": "read a Noralsy tag",
10307 "lf noralsy reader -@ -> continuous reader mode"
10311 "-h, --help This help",
10312 "-@ optional - continuous reader mode"
10314 "usage": "lf noralsy reader [-h@]"
10316 "lf noralsy sim": {
10317 "command": "lf noralsy sim",
10318 "description": "Enables simulation of Noralsy card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
10320 "lf noralsy sim --cn 1337",
10321 "lf noralsy sim --cn 1337 --year 2010"
10325 "-h, --help This help",
10326 "--cn <dec> Noralsy card ID",
10327 "-y, --year <dec> tag allocation year"
10329 "usage": "lf noralsy sim [-h] --cn <dec> [-y <dec>]"
10332 "command": "lf pac clone",
10333 "description": "clone a PAC/Stanley tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
10335 "lf pac clone --cn CD4F5552 -> encode for T55x7 tag",
10336 "lf pac clone --cn CD4F5552 --q5 -> encode for Q5/T5555 tag",
10337 "lf pac clone --cn CD4F5552 --em -> encode for EM4305/4469",
10338 "lf pac clone --raw FF2049906D8511C593155B56D5B2649F -> encode for T55x7 tag, raw mode"
10342 "-h, --help This help",
10343 "--cn <dec> 8 byte PAC/Stanley card ID",
10344 "-r, --raw <hex> raw hex data. 16 bytes max",
10345 "--q5 optional - specify writing to Q5/T5555 tag",
10346 "--em optional - specify writing to EM4305/4469 tag"
10348 "usage": "lf pac clone [-h] [--cn <dec>] [-r <hex>] [--q5] [--em]"
10351 "command": "lf pac help",
10352 "description": "help This help demod demodulate a PAC tag from the GraphBuffer --------------------------------------------------------------------------------------- lf pac demod available offline: yes Try to find PAC/Stanley preamble, if found decode / descramble data",
10358 "-h, --help This help"
10360 "usage": "lf pac demod [-h]"
10363 "command": "lf pac reader",
10364 "description": "read a PAC/Stanley tag",
10366 "lf pac reader -@ -> continuous reader mode"
10370 "-h, --help This help",
10371 "-@ optional - continuous reader mode"
10373 "usage": "lf pac reader [-h@]"
10376 "command": "lf pac sim",
10377 "description": "Enables simulation of PAC/Stanley card with specified card number. Simulation runs until the button is pressed or another USB command is issued. The card ID is 8 byte number. Larger values are truncated.",
10379 "lf pac sim --cn CD4F5552",
10380 "lf pac sim --raw FF2049906D8511C593155B56D5B2649F"
10384 "-h, --help This help",
10385 "--cn <dec> 8 byte PAC/Stanley card ID",
10386 "-r, --raw <hex> raw hex data. 16 bytes max"
10388 "usage": "lf pac sim [-h] [--cn <dec>] [-r <hex>]"
10390 "lf paradox clone": {
10391 "command": "lf paradox clone",
10392 "description": "clone a paradox tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
10394 "lf paradox clone --fc 96 --cn 40426 -> encode for T55x7 tag with fc and cn",
10395 "lf paradox clone --raw 0f55555695596a6a9999a59a -> encode for T55x7 tag",
10396 "lf paradox clone --raw 0f55555695596a6a9999a59a --q5 -> encode for Q5/T5555 tag",
10397 "lf paradox clone --raw 0f55555695596a6a9999a59a --em -> encode for EM4305/4469"
10401 "-h, --help This help",
10402 "-r, --raw <hex> raw hex data. 12 bytes max",
10403 "--fc <dec> facility code",
10404 "--cn <dec> card number",
10405 "--q5 optional - specify writing to Q5/T5555 tag",
10406 "--em optional - specify writing to EM4305/4469 tag"
10408 "usage": "lf paradox clone [-h] [-r <hex>] [--fc <dec>] [--cn <dec>] [--q5] [--em]"
10410 "lf paradox help": {
10411 "command": "lf paradox help",
10412 "description": "help This help demod demodulate a Paradox FSK tag from the GraphBuffer --------------------------------------------------------------------------------------- lf paradox demod available offline: yes Try to find Paradox preamble, if found decode / descramble data",
10414 "lf paradox demod --old -> Display previous checksum version"
10418 "-h, --help This help",
10419 "--old optional - Display previous checksum version"
10421 "usage": "lf paradox demod [-h] [--old]"
10423 "lf paradox reader": {
10424 "command": "lf paradox reader",
10425 "description": "read a Paradox tag",
10427 "lf paradox reader -@ -> continuous reader mode",
10428 "lf paradox reader --old -> Display previous checksum version"
10432 "-h, --help This help",
10433 "-@ optional - continuous reader mode",
10434 "--old optional - Display previous checksum version"
10436 "usage": "lf paradox reader [-h@] [--old]"
10438 "lf paradox sim": {
10439 "command": "lf paradox sim",
10440 "description": "Enables simulation of paradox card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
10442 "lf paradox sim --raw 0f55555695596a6a9999a59a -> simulate tag",
10443 "lf paradox sim --fc 96 --cn 40426 -> simulate tag with fc and cn"
10447 "-h, --help This help",
10448 "-r, --raw <hex> raw hex data. 12 bytes",
10449 "--fc <dec> facility code",
10450 "--cn <dec> card number"
10452 "usage": "lf paradox sim [-h] [-r <hex>] [--fc <dec>] [--cn <dec>]"
10454 "lf pcf7931 config": {
10455 "command": "lf pcf7931 config",
10456 "description": "This command tries to set the configuration used with PCF7931 commands The time offsets could be useful to correct slew rate generated by the antenna Caling without some parameter will print the current configuration.",
10458 "lf pcf7931 config --reset",
10459 "lf pcf7931 config --pwd 11223344556677 -d 20000",
10460 "lf pcf7931 config --pwd 11223344556677 -d 17500 --lw -10 --lp 30"
10464 "-h, --help This help",
10465 "-r, --reset Reset configuration to default values",
10466 "-p, --pwd <hex> Password, 7bytes, LSB-order",
10467 "-d, --delay <dec> Tag initialization delay (in us)",
10468 "--lw <dec> offset, low pulses width (in us)",
10469 "--lp <dec> offset, low pulses position (in us)"
10471 "usage": "lf pcf7931 config [-hr] [-p <hex>] [-d <dec>] [--lw <dec>] [--lp <dec>]"
10473 "lf pcf7931 help": {
10474 "command": "lf pcf7931 help",
10475 "description": "help This help config Configure the password, the tags initialization delay and time offsets (optional) --------------------------------------------------------------------------------------- lf pcf7931 reader available offline: no read a PCF7931 tag",
10477 "lf pcf7931 reader -@ -> continuous reader mode"
10481 "-h, --help This help",
10482 "-@ optional - continuous reader mode"
10484 "usage": "lf pcf7931 reader [-h@]"
10486 "lf pcf7931 write": {
10487 "command": "lf pcf7931 write",
10488 "description": "This command tries to write a PCF7931 tag.",
10490 "lf pcf7931 write --blk 2 --idx 1 -d FF -> Write 0xFF to block 2, index 1"
10494 "-h, --help This help",
10495 "-b, --blk <dec> [0-7] block number",
10496 "-i, --idx <dec> [0-15] index of byte inside block",
10497 "-d, --data <hex> one byte to be written"
10499 "usage": "lf pcf7931 write [-h] -b <dec> -i <dec> -d <hex>"
10501 "lf presco clone": {
10502 "command": "lf presco clone",
10503 "description": "clone a presco tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
10505 "lf presco clone -d 018363467 -> encode for T55x7 tag",
10506 "lf presco clone -d 018363467 --q5 -> encode for Q5/T5555 tag",
10507 "lf presco clone -d 018363467 --em -> encode for EM4305/4469"
10511 "-h, --help This help",
10512 "-c <hex> 8 digit hex card number",
10513 "-d <digits> 9 digit presco card ID",
10514 "--q5 optional - specify writing to Q5/T5555 tag",
10515 "--em optional - specify writing to EM4305/4469 tag"
10517 "usage": "lf presco clone [-h] [-c <hex>] [-d <digits>] [--q5] [--em]"
10519 "lf presco help": {
10520 "command": "lf presco help",
10521 "description": "help This help demod demodulate Presco tag from the GraphBuffer --------------------------------------------------------------------------------------- lf presco demod available offline: yes Try to find presco preamble, if found decode / descramble data",
10527 "-h, --help This help"
10529 "usage": "lf presco demod [-h]"
10531 "lf presco reader": {
10532 "command": "lf presco reader",
10533 "description": "read a presco tag",
10535 "lf presco reader -@ -> continuous reader mode"
10539 "-h, --help This help",
10540 "-@ optional - continuous reader mode"
10542 "usage": "lf presco reader [-h@]"
10545 "command": "lf presco sim",
10546 "description": "Enables simulation of presco card with specified card number. Simulation runs until the button is pressed or another USB command is issued. Per presco format, the card number is 9 digit number and can contain *# chars. Larger values are truncated.",
10548 "lf presco sim -d 018363467"
10552 "-h, --help This help",
10553 "-c <hex> 8 digit hex card number",
10554 "-d <digits> 9 digit presco card ID"
10556 "usage": "lf presco sim [-h] [-c <hex>] [-d <digits>]"
10558 "lf pyramid clone": {
10559 "command": "lf pyramid clone",
10560 "description": "clone a Farpointe/Pyramid tag to a T55x7, Q5/T5555 or EM4305/4469 tag. The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated. Currently only works on 26bit",
10562 "lf pyramid clone --fc 123 --cn 11223 -> encode for T55x7 tag",
10563 "lf pyramid clone --raw 0001010101010101010440013223921c -> idem, raw mode",
10564 "lf pyramid clone --fc 123 --cn 11223 --q5 -> encode for Q5/T5555 tag",
10565 "lf pyramid clone --fc 123 --cn 11223 --em -> encode for EM4305/4469"
10569 "-h, --help This help",
10570 "--fc <dec> 8-bit value facility code",
10571 "--cn <dec> 16-bit value card number",
10572 "--q5 optional - specify writing to Q5/T5555 tag",
10573 "--em optional - specify writing to EM4305/4469 tag",
10574 "-r, --raw <hex> raw hex data. 16 bytes"
10576 "usage": "lf pyramid clone [-h] [--fc <dec>] [--cn <dec>] [--q5] [--em] [-r <hex>]"
10578 "lf pyramid help": {
10579 "command": "lf pyramid help",
10580 "description": "help this help demod demodulate a Pyramid FSK tag from the GraphBuffer --------------------------------------------------------------------------------------- lf pyramid demod available offline: yes Try to find Farpoint/Pyramid preamble, if found decode / descramble data",
10586 "-h, --help This help"
10588 "usage": "lf pyramid demod [-h]"
10590 "lf pyramid reader": {
10591 "command": "lf pyramid reader",
10592 "description": "read a Farpointe/Pyramid tag",
10594 "lf pyramid reader -@ -> continuous reader mode"
10598 "-h, --help This help",
10599 "-@ optional - continuous reader mode"
10601 "usage": "lf pyramid reader [-h@]"
10603 "lf pyramid sim": {
10604 "command": "lf pyramid sim",
10605 "description": "Enables simulation of Farpointe/Pyramid card with specified card number. Simulation runs until the button is pressed or another USB command is issued. The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated. Currently work only on 26bit",
10607 "lf pyramid sim --fc 123 --cn 1337",
10608 "lf pyramid sim --raw 0001010101010101010440013223921c"
10612 "-h, --help This help",
10613 "--fc <dec> 8-bit value facility code",
10614 "--cn <dec> 16-bit value card number",
10615 "-r, --raw <hex> raw hex data. 16 bytes"
10617 "usage": "lf pyramid sim [-h] [--fc <dec>] [--cn <dec>] [-r <hex>]"
10620 "command": "lf read",
10621 "description": "Sniff low frequency signal. - use `lf config` to set parameters. - use `data plot` to look at it. If the number of samples is more than the device memory limit (40000 now), it will try to use the real-time sampling mode.",
10623 "lf read -v -s 12000 -> collect 12000 samples",
10624 "lf read -s 3000 -@ -> oscilloscope style"
10628 "-h, --help This help",
10629 "-s, --samples <dec> number of samples to collect",
10630 "-v, --verbose verbose output",
10631 "-@ continuous reading mode"
10633 "usage": "lf read [-hv@] [-s <dec>]"
10636 "command": "lf search",
10637 "description": "Read and search for valid known tag. For offline mode, you can `data load` first then search.",
10639 "lf search -> try reading data from tag & search for known tag",
10640 "lf search -u -> try reading data from tag & search for known and unknown tag",
10641 "lf search -1 -> use data from the GraphBuffer & search for known tag",
10642 "lf search -1uc -> use data from the GraphBuffer & search for known and unknown tag"
10646 "-h, --help This help",
10647 "-1 Use data from Graphbuffer to search (offline mode)",
10648 "-c Continue searching after successful match",
10649 "-u Search for unknown tags"
10651 "usage": "lf search [-h1cu]"
10653 "lf securakey clone": {
10654 "command": "lf securakey clone",
10655 "description": "clone a Securakey tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
10657 "lf securakey clone --raw 7FCB400001ADEA5344300000 -> encode for T55x7 tag",
10658 "lf securakey clone --raw 7FCB400001ADEA5344300000 --q5 -> encode for Q5/T5555 tag",
10659 "lf securakey clone --raw 7FCB400001ADEA5344300000 --em -> encode for EM4305/4469"
10663 "-h, --help This help",
10664 "-r, --raw <hex> raw hex data. 12 bytes",
10665 "--q5 optional - specify writing to Q5/T5555 tag",
10666 "--em optional - specify writing to EM4305/4469 tag"
10668 "usage": "lf securakey clone [-h] -r <hex> [--q5] [--em]"
10670 "lf securakey help": {
10671 "command": "lf securakey help",
10672 "description": "help This help demod demodulate an Securakey tag from the GraphBuffer --------------------------------------------------------------------------------------- lf securakey demod available offline: yes Try to find Securakey preamble, if found decode / descramble data",
10674 "lf securakey demod"
10678 "-h, --help This help"
10680 "usage": "lf securakey demod [-h]"
10682 "lf securakey reader": {
10683 "command": "lf securakey reader",
10684 "description": "read a Securakey tag",
10686 "lf securakey reader -@ -> continuous reader mode"
10690 "-h, --help This help",
10691 "-@ optional - continuous reader mode"
10693 "usage": "lf securakey reader [-h@]"
10695 "lf securakey sim": {
10696 "command": "lf securakey sim",
10697 "description": "Enables simulation of secura card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
10699 "lf securakey sim --raw 7FCB400001ADEA5344300000"
10703 "-h, --help This help",
10704 "-r, --raw <hex> raw hex data. 12 bytes"
10706 "usage": "lf securakey sim [-h] [-r <hex>]"
10709 "command": "lf sim",
10710 "description": "Simulate low frequency tag from graphbuffer Use `lf config` to set parameters",
10713 "lf sim --gap 240 -> start simulating with 240ms gap"
10717 "-h, --help This help",
10718 "-g, --gap <ms> start gap in microseconds"
10720 "usage": "lf sim [-h] [-g <ms>]"
10723 "command": "lf simask",
10724 "description": "Simulate ASK tag from DemodBuffer or input",
10726 "lf simask --clk 32 --am -d 0102030405 -> simulate ASK/MAN rf/32",
10727 "lf simask --clk 32 --bi -d 0102030405 -> simulate ASK/BIPHASE rf/32",
10729 "lf simask --clk 64 --am -d ffbd8001686f1924 -> simulate a EM410x tag",
10730 "lf simask --clk 64 --am --stt -d 5649533200003F340000001B -> simulate a VISA2K tag"
10734 "-h, --help This help",
10735 "-i, --inv invert data",
10736 "-c, --clk <dec> manually set clock - can autodetect if using DemodBuffer (default 64)",
10737 "--bi ask/biphase encoding",
10738 "--am ask/manchester encoding (default)",
10739 "--ar ask/raw encoding",
10740 "--stt add t55xx Sequence Terminator gap - default: no gaps (only manchester)",
10741 "-d, --data <hex> data to sim - omit to use DemodBuffer",
10742 "-v, --verbose verbose output"
10744 "usage": "lf simask [-hiv] [-c <dec>] [--bi] [--am] [--ar] [--stt] [-d <hex>]"
10747 "command": "lf simbidir",
10748 "description": "Simulate LF tag with bidirectional data transmission between reader and tag",
10754 "-h, --help This help"
10756 "usage": "lf simbidir [-h]"
10759 "command": "lf simfsk",
10760 "description": "Simulate FSK tag from DemodBuffer or input. There are about four FSK modulations to know of. FSK1 - where fc/8 = high and fc/5 = low FSK1a - is inverted FSK1, ie: fc/5 = high and fc/8 = low FSK2 - where fc/10 = high and fc/8 = low FSK2a - is inverted FSK2, ie: fc/10 = high and fc/8 = low NOTE: if you set one clock manually set them all manually",
10762 "lf simfsk -c 40 --high 8 --low 5 -d 010203 -> FSK1 rf/40 data 010203",
10763 "lf simfsk -c 40 --high 5 --low 8 -d 010203 -> FSK1a rf/40 data 010203",
10764 "lf simfsk -c 64 --high 10 --low 8 -d 010203 -> FSK2 rf/64 data 010203",
10765 "lf simfsk -c 64 --high 8 --low 10 -d 010203 -> FSK2a rf/64 data 010203",
10767 "lf simfsk -c 50 --high 10 --low 8 -d 1D5559555569A9A555A59569 -> simulate HID Prox tag manually",
10768 "lf simfsk -c 50 --high 10 --low 8 --stt -d 011DB2487E8D811111111111 -> simulate AWID tag manually"
10772 "-h, --help This help",
10773 "-c, --clk <dec> manually set clock - can autodetect if using DemodBuffer (default 64)",
10774 "--low <dec> manually set larger Field Clock",
10775 "--high <dec> manually set smaller Field Clock",
10776 "--stt TBD! - STT to enable a gap between playback repetitions (default: no gap)",
10777 "-d, --data <hex> data to sim - omit to use DemodBuffer",
10778 "-v, --verbose verbose output"
10780 "usage": "lf simfsk [-hv] [-c <dec>] [--low <dec>] [--high <dec>] [--stt] [-d <hex>]"
10783 "command": "lf simpsk",
10784 "description": "Simulate PSK tag from DemodBuffer or input",
10786 "lf simpsk -1 --clk 40 --fc 4 -d 01020304 -> simulate PSK1 rf/40 psksub fc/4, data 01020304",
10788 "lf simpsk -1 --clk 32 --fc 2 -d a0000000bd989a11 -> simulate a indala tag manually"
10792 "-h, --help This help",
10793 "-1, --psk1 set PSK1 (default)",
10794 "-2, --psk2 set PSK2",
10795 "-3, --psk3 set PSK3",
10796 "-i, --inv invert data",
10797 "-c, --clk <dec> manually set clock - can autodetect if using DemodBuffer (default 32)",
10798 "--fc <dec> 2|4|8 are valid carriers (default 2)",
10799 "-d, --data <hex> data to sim - omit to use DemodBuffer",
10800 "-v, --verbose verbose output"
10802 "usage": "lf simpsk [-h123iv] [-c <dec>] [--fc <dec>] [-d <hex>]"
10805 "command": "lf sniff",
10806 "description": "Sniff low frequency signal. You need to configure the LF part on the Proxmark3 device manually. Usually a trigger and skip samples is a good thing to set before doing a low frequency sniff. - use `lf config` to set parameters. - use `data plot` to look at sniff signal. - use `lf search -1` to see if signal can be automatic decoded. If the number of samples is more than the device memory limit (40000 now), it will try to use the real-time sampling mode.",
10809 "lf sniff -s 3000 -@ -> oscilloscope style"
10813 "-h, --help This help",
10814 "-s, --samples <dec> number of samples to collect",
10815 "-v, --verbose verbose output",
10816 "-@ continuous sniffing mode"
10818 "usage": "lf sniff [-hv@] [-s <dec>]"
10820 "lf t55xx bruteforce": {
10821 "command": "lf t55xx bruteforce",
10822 "description": "This command uses bruteforce to scan a number range. Try reading Page 0, block 7 before. WARNING this may brick non-password protected chips!",
10824 "lf t55xx bruteforce --r2 -s aaaaaa77 -e aaaaaa99"
10828 "-h, --help This help",
10829 "-s, --start <hex> search start password (4 hex bytes)",
10830 "-e, --end <hex> search end password (4 hex bytes)",
10831 "--r0 downlink - fixed bit length",
10832 "--r1 downlink - long leading reference",
10833 "--r2 downlink - leading zero",
10834 "--r3 downlink - 1 of 4 coding reference",
10835 "--all try all downlink modes (def)"
10837 "usage": "lf t55xx bruteforce [-h] -s <hex> -e <hex> [--r0] [--r1] [--r2] [--r3] [--all]"
10840 "command": "lf t55xx chk",
10841 "description": "This command uses a dictionary attack. For some cloners, try '--em' for known pwdgen algo. Try to reading Page 0 block 7 before. WARNING: this may brick non-password protected chips!",
10843 "lf t55xx chk -m -> use dictionary from flash memory (RDV4)",
10844 "lf t55xx chk -f my_dictionary_pwds -> loads a default keys dictionary file",
10845 "lf t55xx chk --em aa11223344 -> try known pwdgen algo from some cloners based on EM4100 ID"
10849 "-h, --help This help",
10850 "-m, --fm use dictionary from flash memory (RDV4)",
10851 "-f, --file <fn> file name",
10852 "--em <hex> EM4100 ID (5 hex bytes)",
10853 "--r0 downlink - fixed bit length",
10854 "--r1 downlink - long leading reference",
10855 "--r2 downlink - leading zero",
10856 "--r3 downlink - 1 of 4 coding reference",
10857 "--all try all downlink modes (def)"
10859 "usage": "lf t55xx chk [-hm] [-f <fn>] [--em <hex>] [--r0] [--r1] [--r2] [--r3] [--all]"
10861 "lf t55xx config": {
10862 "command": "lf t55xx config",
10863 "description": "Set/Get T55XX configuration of the pm3 client. Like modulation, inverted, offset, rate etc. Offset is start position to decode data.",
10865 "lf t55xx config --FSK -> FSK demodulation",
10866 "lf t55xx config --FSK -i -> FSK demodulation, inverse data",
10867 "lf t55xx config --FSK -i -o 3 -> FSK demodulation, inverse data, offset 3"
10871 "-h, --help This help",
10872 "--FSK set demodulation FSK",
10873 "--FSK1 set demodulation FSK 1",
10874 "--FSK1A set demodulation FSK 1a (inv)",
10875 "--FSK2 set demodulation FSK 2",
10876 "--FSK2A set demodulation FSK 2a (inv)",
10877 "--ASK set demodulation ASK",
10878 "--PSK1 set demodulation PSK 1",
10879 "--PSK2 set demodulation PSK 2",
10880 "--PSK3 set demodulation PSK 3",
10881 "--NRZ set demodulation NRZ",
10882 "--BI set demodulation Biphase",
10883 "--BIA set demodulation Diphase (inverted biphase)",
10884 "-i, --inv set/reset data signal inversion",
10885 "--q5 set/reset as Q5/T5555 chip instead of T55x7",
10886 "--st set/reset Sequence Terminator on",
10887 "--rate <dec> set bitrate <8|16|32|40|50|64|100|128>",
10888 "-c, --blk0 <hex> set configuration from a block0 (4 hex bytes)",
10889 "-o, --offset <0-255> set offset, where data should start decode in bitstream",
10890 "--r0 downlink - fixed bit length (detected def)",
10891 "--r1 downlink - long leading reference",
10892 "--r2 downlink - leading zero",
10893 "--r3 downlink - 1 of 4 coding reference"
10895 "usage": "lf t55xx config [-hi] [--FSK] [--FSK1] [--FSK1A] [--FSK2] [--FSK2A] [--ASK] [--PSK1] [--PSK2] [--PSK3] [--NRZ] [--BI] [--BIA] [--q5] [--st] [--rate <dec>] [-c <hex>] [-o <0-255>] [--r0] [--r1] [--r2] [--r3]"
10897 "lf t55xx dangerraw": {
10898 "command": "lf t55xx dangerraw",
10899 "description": "This command allows to emit arbitrary raw commands on T5577 and cut the field after arbitrary duration. Uncontrolled usage can easily write an invalid configuration, activate lock bits, OTP bit, password protection bit, deactivate test-mode, lock your card forever. WARNING: this may lock definitively the tag in an unusable state!",
10901 "lf t55xx dangerraw -d 01000000000000010000100000000100000000 -t 3200"
10905 "-h, --help This help",
10906 "-d, --data <string> raw bit string",
10907 "-t, --time <us> <0 - 200000> time in microseconds before dropping the field"
10909 "usage": "lf t55xx dangerraw [-h] -d <string> -t <us>"
10911 "lf t55xx detect": {
10912 "command": "lf t55xx detect",
10913 "description": "Try detecting the tag modulation from reading the configuration block",
10916 "lf t55xx detect -1",
10917 "lf t55xx detect -p 11223344"
10921 "-h, --help This help",
10922 "-1 extract using data from graphbuffer",
10923 "-p, --pwd <hex> password (4 hex bytes)",
10924 "--r0 downlink - fixed bit length (detected def)",
10925 "--r1 downlink - long leading reference",
10926 "--r2 downlink - leading zero",
10927 "--r3 downlink - 1 of 4 coding reference",
10928 "--all try all downlink modes"
10930 "usage": "lf t55xx detect [-h1] [-p <hex>] [--r0] [--r1] [--r2] [--r3] [--all]"
10932 "lf t55xx deviceconfig": {
10933 "command": "lf t55xx deviceconfig",
10934 "description": "Sets t55x7 timings for direct commands. The timings are set here in Field Clocks (FC) which is converted to (US) on device.",
10936 "lf t55xx deviceconfig -a 29 -b 17 -c 15 -d 47 -e 15 -> default T55XX",
10937 "lf t55xx deviceconfig -a 55 -b 14 -c 21 -d 30 -> default EM4305"
10941 "-h, --help This help",
10942 "-a <8..255> Set start gap",
10943 "-b <8..255> Set write gap",
10944 "-c <8..255> Set write ZERO gap",
10945 "-d <8..255> Set write ONE gap",
10946 "-e <8..255> Set read gap",
10947 "-f <8..255> Set write TWO gap (1 of 4 only)",
10948 "-g <8..255> Set write THREE gap (1 of 4 only)",
10949 "-p, --persist persist to flash memory (RDV4)",
10950 "-z Set default t55x7 timings (use `-p` to save if required)",
10951 "--r0 downlink - fixed bit length (detected def)",
10952 "--r1 downlink - long leading reference",
10953 "--r2 downlink - leading zero",
10954 "--r3 downlink - 1 of 4 coding reference"
10956 "usage": "lf t55xx deviceconfig [-hpz] [-a <8..255>] [-b <8..255>] [-c <8..255>] [-d <8..255>] [-e <8..255>] [-f <8..255>] [-g <8..255>] [--r0] [--r1] [--r2] [--r3]"
10959 "command": "lf t55xx dump",
10960 "description": "This command dumps a T55xx card Page 0 block 0-7. It will create two files (bin/json)",
10963 "lf t55xx dump -p aabbccdd --override",
10964 "lf t55xx dump -f my_lf_dump"
10968 "-h, --help This help",
10969 "-f, --file <fn> filename (default is generated on blk 0)",
10970 "-o, --override override, force pwd read despite danger to card",
10971 "-p, --pwd <hex> password (4 hex bytes)",
10973 "--r0 downlink - fixed bit length",
10974 "--r1 downlink - long leading reference",
10975 "--r2 downlink - leading zero",
10976 "--r3 downlink - 1 of 4 coding reference"
10978 "usage": "lf t55xx dump [-ho] [-f <fn>] [-p <hex>] [--ns] [--r0] [--r1] [--r2] [--r3]"
10981 "command": "lf t55xx help",
10982 "description": "----------- ---------------------------- notice ----------------------------- Remember to run `lf t55xx detect` first whenever a new card is placed on the Proxmark3 or the config block changed. help This help ----------- --------------------- operations --------------------- config Set/Get T55XX configuration (modulation, inverted, offset, rate) detect Try detecting the tag modulation from reading the configuration block info Show T55x7 configuration data (page 0/ blk 0) trace Show T55x7 traceability data (page 1/ blk 0-1) ----------- --------------------- recovery --------------------- sniff Attempt to recover T55xx commands from sample buffer --------------------------------------------------------------------------------------- lf t55xx clonehelp available offline: no Display a list of available commands for cloning specific techs on T5xx tags",
10984 "lf t55xx clonehelp"
10988 "-h, --help This help"
10990 "usage": "lf t55xx clonehelp [-h]"
10993 "command": "lf t55xx info",
10994 "description": "Show T55x7 configuration data (page 0/ blk 0) from reading the configuration block from tag. Use `-c` to specify a config block data to be used instead of reading tag.",
10997 "lf t55xx info -1",
10998 "lf t55xx info -p 11223344",
10999 "lf t55xx info -c 00083040",
11000 "lf t55xx info -c 6001805A --q5"
11004 "-h, --help This help",
11005 "-1 extract using data from graphbuffer",
11006 "-p, --pwd <hex> password (4 hex bytes)",
11007 "-c, --blk0 <hex> use these data instead (4 hex bytes)",
11008 "--q5 interprete provided data as T5555/Q5 config",
11009 "--r0 downlink - fixed bit length (detected def)",
11010 "--r1 downlink - long leading reference",
11011 "--r2 downlink - leading zero",
11012 "--r3 downlink - 1 of 4 coding reference"
11014 "usage": "lf t55xx info [-h1] [-p <hex>] [-c <hex>] [--q5] [--r0] [--r1] [--r2] [--r3]"
11016 "lf t55xx p1detect": {
11017 "command": "lf t55xx p1detect",
11018 "description": "Detect Page 1 of a T55xx chip",
11020 "lf t55xx p1detect",
11021 "lf t55xx p1detect -1",
11022 "lf t55xx p1detect -p 11223344 --r3"
11026 "-h, --help This help",
11027 "-1 extract using data from graphbuffer",
11028 "-p, --pwd <hex> password (4 hex bytes)",
11029 "--r0 downlink - fixed bit length (detected def)",
11030 "--r1 downlink - long leading reference",
11031 "--r2 downlink - leading zero",
11032 "--r3 downlink - 1 of 4 coding reference"
11034 "usage": "lf t55xx p1detect [-h1] [-p <hex>] [--r0] [--r1] [--r2] [--r3]"
11036 "lf t55xx protect": {
11037 "command": "lf t55xx protect",
11038 "description": "This command sets the pwd bit on T5577. WARNING this locks the tag!",
11040 "lf t55xx protect -n 01020304 -> sets new pwd 01020304",
11041 "lf t55xx protect -p 11223344 -n 00000000 -> use pwd 11223344, sets new pwd 00000000"
11045 "-h, --help This help",
11046 "-o, --override override safety check",
11047 "-p, --pwd <hex> password (4 hex bytes)",
11048 "-n, --new <hex> new password (4 hex bytes)",
11049 "--r0 downlink - fixed bit length (detected def)",
11050 "--r1 downlink - long leading reference",
11051 "--r2 downlink - leading zero",
11052 "--r3 downlink - 1 of 4 coding reference"
11054 "usage": "lf t55xx protect [-ho] [-p <hex>] -n <hex> [--r0] [--r1] [--r2] [--r3]"
11057 "command": "lf t55xx read",
11058 "description": "Read T55xx block data. This commands defaults to page 0. * * * WARNING * * * Use of read with password on a tag not configured for a password can damage the tag * * * * * * * * * *",
11060 "lf t55xx read -b 0 -> read data from block 0",
11061 "lf t55xx read -b 0 --pwd 01020304 -> read data from block 0, pwd 01020304",
11062 "lf t55xx read -b 0 --pwd 01020304 -o -> read data from block 0, pwd 01020304, override"
11066 "-h, --help This help",
11067 "-b, --blk <0-7> block number to read",
11068 "-p, --pwd <hex> password (4 hex bytes)",
11069 "-o, --override override safety check",
11070 "--pg1 read page 1",
11071 "--r0 downlink - fixed bit length (detected def)",
11072 "--r1 downlink - long leading reference",
11073 "--r2 downlink - leading zero",
11074 "--r3 downlink - 1 of 4 coding reference"
11076 "usage": "lf t55xx read [-ho] -b <0-7> [-p <hex>] [--pg1] [--r0] [--r1] [--r2] [--r3]"
11078 "lf t55xx recoverpw": {
11079 "command": "lf t55xx recoverpw",
11080 "description": "This command uses a few tricks to try to recover mangled password. Try reading Page 0, block 7 before. WARNING this may brick non-password protected chips!",
11082 "lf t55xx recoverpw",
11083 "lf t55xx recoverpw -p 11223344",
11084 "lf t55xx recoverpw -p 11223344 --r3"
11088 "-h, --help This help",
11089 "-p, --pwd <hex> password (4 hex bytes)",
11090 "--r0 downlink - fixed bit length",
11091 "--r1 downlink - long leading reference",
11092 "--r2 downlink - leading zero",
11093 "--r3 downlink - 1 of 4 coding reference",
11094 "--all try all downlink modes (def)"
11096 "usage": "lf t55xx recoverpw [-h] [-p <hex>] [--r0] [--r1] [--r2] [--r3] [--all]"
11098 "lf t55xx resetread": {
11099 "command": "lf t55xx resetread",
11100 "description": "Send Reset Cmd then `lf read` the stream to attempt to identify the start of it (needs a demod and/or plot after)",
11102 "lf t55xx resetread"
11106 "-h, --help This help",
11107 "-1 extract using data from graphbuffer",
11108 "--r0 downlink - fixed bit length (detected def)",
11109 "--r1 downlink - long leading reference",
11110 "--r2 downlink - leading zero",
11111 "--r3 downlink - 1 of 4 coding reference"
11113 "usage": "lf t55xx resetread [-h1] [--r0] [--r1] [--r2] [--r3]"
11115 "lf t55xx restore": {
11116 "command": "lf t55xx restore",
11117 "description": "Restore T55xx card page 0/1 n blocks from (bin/eml/json) dump file",
11119 "lf t55xx restore -f lf-t55xx-00148040-dump.bin"
11123 "-h, --help This help",
11124 "-f, --file <fn> Specify a filename for dump file",
11125 "-p, --pwd <hex> password if target card has password set (4 hex bytes)"
11127 "usage": "lf t55xx restore [-h] [-f <fn>] [-p <hex>]"
11129 "lf t55xx sniff": {
11130 "command": "lf t55xx sniff",
11131 "description": "Sniff LF t55xx based trafic and decode possible cmd / blocks. Lower tolerance means tighter pulses.",
11134 "lf t55xx sniff -1 -t 2 -> use buffer with tolerance of 2",
11135 "lf t55xx sniff -1 --zero 7 --one 14 -> use buffer, zero pulse width 7, one pulse width 15"
11139 "-h, --help This help",
11140 "-1 extract using data from graphbuffer",
11141 "-t, --tol <dec> set tolerance level (default 5)",
11142 "-o, --one <dec> set samples width for ONE pulse (default auto)",
11143 "-z, --zero <dec> set samples width for ZERO pulse (default auto)"
11145 "usage": "lf t55xx sniff [-h1] [-t <dec>] [-o <dec>] [-z <dec>]"
11147 "lf t55xx special": {
11148 "command": "lf t55xx special",
11149 "description": "Show block changes with 64 different offsets, data taken from DemodBuffer.",
11155 "-h, --help This help"
11157 "usage": "lf t55xx special [-h]"
11159 "lf t55xx trace": {
11160 "command": "lf t55xx trace",
11161 "description": "Show T55x7 configuration data (page 0/ blk 0) from reading the configuration block",
11164 "lf t55xx trace -1"
11168 "-h, --help This help",
11169 "-1 extract using data from graphbuffer",
11170 "--r0 downlink - fixed bit length (detected def)",
11171 "--r1 downlink - long leading reference",
11172 "--r2 downlink - leading zero",
11173 "--r3 downlink - 1 of 4 coding reference"
11175 "usage": "lf t55xx trace [-h1] [--r0] [--r1] [--r2] [--r3]"
11177 "lf t55xx wakeup": {
11178 "command": "lf t55xx wakeup",
11179 "description": "This commands sends the Answer-On-Request command and leaves the readerfield ON afterwards",
11181 "lf t55xx wakeup -p 11223344 -> send wakeup with password"
11185 "-h, --help This help",
11186 "-p, --pwd <hex> password (4 hex bytes)",
11187 "-v, --verbose verbose output",
11188 "--r0 downlink - fixed bit length (detected def)",
11189 "--r1 downlink - long leading reference",
11190 "--r2 downlink - leading zero",
11191 "--r3 downlink - 1 of 4 coding reference"
11193 "usage": "lf t55xx wakeup [-hv] [-p <hex>] [--r0] [--r1] [--r2] [--r3]"
11196 "command": "lf t55xx wipe",
11197 "description": "This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block",
11199 "lf t55xx wipe -> wipes a T55x7 tag, config block 0x000880E0",
11200 "lf t55xx wipe --q5 -> wipes a Q5/T5555 tag, config block 0x6001F004",
11201 "lf t55xx wipe -p 11223344 -> wipes a T55x7 tag, config block 0x000880E0, using pwd"
11205 "-h, --help This help",
11206 "-c, --cfg <hex> configuration block0 (4 hex bytes)",
11207 "-p, --pwd <hex> password (4 hex bytes)",
11208 "--q5 specify writing to Q5/T5555 tag using dedicated config block",
11209 "--r0 downlink - fixed bit length (detected def)",
11210 "--r1 downlink - long leading reference",
11211 "--r2 downlink - leading zero",
11212 "--r3 downlink - 1 of 4 coding reference"
11214 "usage": "lf t55xx wipe [-h] [-c <hex>] [-p <hex>] [--q5] [--r0] [--r1] [--r2] [--r3]"
11216 "lf t55xx write": {
11217 "command": "lf t55xx write",
11218 "description": "Write T55xx block data",
11220 "lf t55xx write -b 3 -d 11223344 -> write 11223344 to block 3",
11221 "lf t55xx write -b 3 -d 11223344 --pwd 01020304 -> write 11223344 to block 3, pwd 01020304",
11222 "lf t55xx write -b 3 -d 11223344 --pwd 01020304 --verify -> write 11223344 to block 3 and try validating write"
11226 "-h, --help This help",
11227 "-b, --blk <0-7> block number to write",
11228 "-d, --data <hex> data to write (4 hex bytes)",
11229 "-p, --pwd <hex> password (4 hex bytes)",
11230 "-t, --tm test mode write ( danger )",
11231 "--pg1 write page 1",
11232 "--verify try validate data afterward",
11233 "--r0 downlink - fixed bit length (detected def)",
11234 "--r1 downlink - long leading reference",
11235 "--r2 downlink - leading zero",
11236 "--r3 downlink - 1 of 4 coding reference"
11238 "usage": "lf t55xx write [-ht] -b <0-7> [-d <hex>] [-p <hex>] [--pg1] [--verify] [--r0] [--r1] [--r2] [--r3]"
11241 "command": "lf ti help",
11242 "description": "help This help demod Demodulate raw bits for TI LF tag from the GraphBuffer --------------------------------------------------------------------------------------- lf ti demod available offline: yes Try to find TI preamble, if found decode / descramble data",
11248 "-h, --help This help"
11250 "usage": "lf ti demod [-h]"
11253 "command": "lf ti reader",
11254 "description": "read a TI tag",
11256 "lf ti reader -@ -> continuous reader mode"
11260 "-h, --help This help",
11261 "-@ optional - continuous reader mode"
11263 "usage": "lf ti reader [-h@]"
11266 "command": "lf ti write",
11267 "description": "write to a r/w TI tag.",
11269 "lf ti write --raw 1122334455667788",
11270 "lf ti write --raw 1122334455667788 --crc 1122"
11274 "-h, --help This help",
11275 "-r, --raw <hex> raw hex data. 8 bytes max",
11276 "--crc <hex> optional - crc"
11278 "usage": "lf ti write [-h] -r <hex> [--crc <hex>]"
11281 "command": "lf tune",
11282 "description": "Continuously measure LF antenna tuning. Press button or <Enter> to interrupt.",
11289 "-h, --help This help",
11290 "-n, --iter <dec> number of iterations (default: 0=infinite)",
11291 "-q, --divisor <dec> Frequency divisor. 88 -> 134 kHz, 95 -> 125 kHz",
11292 "-f, --freq <float> Frequency in kHz",
11294 "--mix mixed style",
11295 "--value values style",
11296 "-v, --verbose verbose output"
11298 "usage": "lf tune [-hv] [-n <dec>] [-q <dec>] [-f <float>] [--bar] [--mix] [--value]"
11300 "lf viking clone": {
11301 "command": "lf viking clone",
11302 "description": "clone a Viking AM tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
11304 "lf viking clone --cn 01A337 -> encode for T55x7 tag",
11305 "lf viking clone --cn 01A337 --q5 -> encode for Q5/T5555 tag",
11306 "lf viking clone --cn 112233 --em -> encode for EM4305/4469"
11310 "-h, --help This help",
11311 "--cn <hex> 8 digit hex viking card number",
11312 "--q5 optional - specify writing to Q5/T5555 tag",
11313 "--em optional - specify writing to EM4305/4469 tag"
11315 "usage": "lf viking clone [-h] --cn <hex> [--q5] [--em]"
11317 "lf viking help": {
11318 "command": "lf viking help",
11319 "description": "help This help demod demodulate a Viking tag from the GraphBuffer --------------------------------------------------------------------------------------- lf viking demod available offline: yes Try to find Viking AM preamble, if found decode / descramble data",
11325 "-h, --help This help"
11327 "usage": "lf viking demod [-h]"
11329 "lf viking reader": {
11330 "command": "lf viking reader",
11331 "description": "read a Viking AM tag",
11333 "lf viking reader -@ -> continuous reader mode"
11337 "-h, --help This help",
11338 "-@ optional - continuous reader mode"
11340 "usage": "lf viking reader [-h@]"
11343 "command": "lf viking sim",
11344 "description": "Enables simulation of viking card with specified card number. Simulation runs until the button is pressed or another USB command is issued. Per viking format, the card number is 8 digit hex number. Larger values are truncated.",
11346 "lf viking sim --cn 01A337"
11350 "-h, --help This help",
11351 "--cn <hex> 8 digit hex viking card number"
11353 "usage": "lf viking sim [-h] --cn <hex>"
11355 "lf visa2000 clone": {
11356 "command": "lf visa2000 clone",
11357 "description": "clone a Visa2000 tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
11359 "lf visa2000 clone --cn 112233 -> encode for T55x7 tag",
11360 "lf visa2000 clone --cn 112233 --q5 -> encode for Q5/T5555 tag",
11361 "lf visa2000 clone --cn 112233 --em -> encode for EM4305/4469"
11365 "-h, --help This help",
11366 "--cn <dec> Visa2k card ID",
11367 "--q5 optional - specify writing to Q5/T5555 tag",
11368 "--em optional - specify writing to EM4305/4469 tag"
11370 "usage": "lf visa2000 clone [-h] --cn <dec> [--q5] [--em]"
11372 "lf visa2000 help": {
11373 "command": "lf visa2000 help",
11374 "description": "help This help demod demodulate an VISA2000 tag from the GraphBuffer --------------------------------------------------------------------------------------- lf visa2000 demod available offline: yes Try to find visa2000 preamble, if found decode / descramble data",
11376 "lf visa2000 demod"
11380 "-h, --help This help"
11382 "usage": "lf visa2000 demod [-h]"
11384 "lf visa2000 reader": {
11385 "command": "lf visa2000 reader",
11386 "description": "read a visa2000 tag",
11388 "lf visa2000 reader -@ -> continuous reader mode"
11392 "-h, --help This help",
11393 "-@ optional - continuous reader mode"
11395 "usage": "lf visa2000 reader [-h@]"
11397 "lf visa2000 sim": {
11398 "command": "lf visa2000 sim",
11399 "description": "Enables simulation of visa2k card with specified card number. Simulation runs until the button is pressed or another USB command is issued.",
11401 "lf visa2000 sim --cn 1337"
11405 "-h, --help This help",
11406 "--cn <dec> Visa2k card ID"
11408 "usage": "lf visa2000 sim [-h] --cn <dec>"
11411 "command": "mem dump",
11412 "description": "Dumps flash memory on device into a file or view in console",
11414 "mem dump -f myfile -> download all flashmem to file",
11415 "mem dump --view -o 262015 --len 128 -> display 128 bytes from offset 262015 (RSA sig)",
11416 "mem dump --view -f myfile -o 241664 --len 58 -> display 58 bytes from offset 241664 and save to file"
11420 "-h, --help This help",
11421 "-o, --offset <dec> offset in memory",
11422 "-l, --len <dec> length",
11423 "-v, --view view dump",
11424 "-f, --file <fn> save filename",
11425 "-c, --cols <dec> column breaks (def 32)"
11427 "usage": "mem dump [-hv] [-o <dec>] [-l <dec>] [-f <fn>] [-c <dec>]"
11430 "command": "mem help",
11431 "description": "help This help --------------------------------------------------------------------------------------- mem baudrate available offline: no Set the baudrate for the SPI flash memory communications. Reading Flash ID will virtually always fail under 48MHz setting. Unless you know what you are doing, please stay at 24MHz. If >= 24MHz, FASTREADS instead of READS instruction will be used.",
11433 "mem baudrate --mhz 48"
11437 "-h, --help This help",
11438 "--mhz <24|48> SPI baudrate in MHz"
11440 "usage": "mem baudrate [-h] --mhz <24|48>"
11443 "command": "mem info",
11444 "description": "Collect signature and verify it from flash memory",
11450 "-h, --help This help",
11451 "-s, --sign create a signature",
11452 "-d <hex> flash memory id, 8 hex bytes",
11453 "-p, --pem <fn> key in PEM format",
11454 "-v, --verbose verbose output"
11456 "usage": "mem info [-hsv] [-d <hex>] [-p <fn>]"
11459 "command": "mem load",
11460 "description": "Loads binary file into flash memory on device Warning: mem area to be written must have been wiped first ( this is already taken care when loading dictionaries )",
11462 "mem load -f myfile -> upload file myfile values at default offset 0",
11463 "mem load -f myfile -o 1024 -> upload file myfile values at offset 1024",
11464 "mem load -f mfc_default_keys -m -> upload MFC keys",
11465 "mem load -f t55xx_default_pwds -t -> upload T55XX passwords",
11466 "mem load -f iclass_default_keys -i -> upload iCLASS keys"
11470 "-h, --help This help",
11471 "-o, --offset <dec> offset in memory",
11472 "-m, --mifare, --mfc upload 6 bytes keys (mifare key dictionary)",
11473 "-i, --iclass upload 8 bytes keys (iClass key dictionary)",
11474 "-t, --t55xx upload 4 bytes keys (password dictionary)",
11475 "-f, --file <fn> file name"
11477 "usage": "mem load [-hmit] [-o <dec>] -f <fn>"
11479 "mem spiffs check": {
11480 "command": "mem spiffs check",
11481 "description": "Check/try to defrag faulty/fragmented SPIFFS file system",
11487 "-h, --help This help"
11489 "usage": "mem spiffs check [-h]"
11491 "mem spiffs dump": {
11492 "command": "mem spiffs dump",
11493 "description": "Dumps device SPIFFS file to a local file Size is handled by first sending a STAT command against file to verify existence",
11495 "mem spiffs dump -s tag.bin -> download binary file from device, saved as `tag.bin`",
11496 "mem spiffs dump -s tag.bin -d a001 -> download tag.bin, save as `a001.bin`",
11497 "mem spiffs dump -s tag.bin -t -> download tag.bin into trace buffer"
11501 "-h, --help This help",
11502 "-s, --src <fn> SPIFFS file to save",
11503 "-d, --dest <fn> file name to save to <w/o .bin>",
11504 "-t, --trace download into trace buffer"
11506 "usage": "mem spiffs dump [-ht] -s <fn> [-d <fn>]"
11508 "mem spiffs help": {
11509 "command": "mem spiffs help",
11510 "description": "help This help --------------------------------------------------------------------------------------- mem spiffs copy available offline: no Copy a file to another (destructively) in SPIFFS file system",
11512 "mem spiffs copy -s aaa.bin -d aaa_cpy.bin"
11516 "-h, --help This help",
11517 "-s, --src <fn> source file name",
11518 "-d, --dest <fn> destination file name"
11520 "usage": "mem spiffs copy [-h] -s <fn> -d <fn>"
11522 "mem spiffs info": {
11523 "command": "mem spiffs info",
11524 "description": "Print file system info and usage statistics",
11530 "-h, --help This help"
11532 "usage": "mem spiffs info [-h]"
11534 "mem spiffs mount": {
11535 "command": "mem spiffs mount",
11536 "description": "Mount the SPIFFS file system if not already mounted",
11542 "-h, --help This help"
11544 "usage": "mem spiffs mount [-h]"
11546 "mem spiffs remove": {
11547 "command": "mem spiffs remove",
11548 "description": "Remove a file from SPIFFS filesystem",
11550 "mem spiffs remove -f lasttag.bin"
11554 "-h, --help This help",
11555 "-f, --file <fn> file to remove"
11557 "usage": "mem spiffs remove [-h] -f <fn>"
11559 "mem spiffs rename": {
11560 "command": "mem spiffs rename",
11561 "description": "Rename/move a file from SPIFFS filesystem.",
11563 "mem spiffs rename -s aaa.bin -d bbb.bin"
11567 "-h, --help This help",
11568 "-s, --src <fn> source file name",
11569 "-d, --dest <fn> destination file name"
11571 "usage": "mem spiffs rename [-h] -s <fn> -d <fn>"
11573 "mem spiffs test": {
11574 "command": "mem spiffs test",
11575 "description": "Test SPIFFS Operations, require wiping pages 0 and 1",
11581 "-h, --help This help"
11583 "usage": "mem spiffs test [-h]"
11585 "mem spiffs tree": {
11586 "command": "mem spiffs tree",
11587 "description": "Print the Flash memory file system tree",
11593 "-h, --help This help"
11595 "usage": "mem spiffs tree [-h]"
11597 "mem spiffs unmount": {
11598 "command": "mem spiffs unmount",
11599 "description": "Un-mount the SPIFFS file system",
11601 "mem spiffs unmount"
11605 "-h, --help This help"
11607 "usage": "mem spiffs unmount [-h]"
11609 "mem spiffs upload": {
11610 "command": "mem spiffs upload",
11611 "description": "Uploads binary-wise file into device file system Warning: mem area to be written must have been wiped first. This is already taken care when loading dictionaries. File names can only be 32 bytes long on device SPIFFS",
11613 "mem spiffs upload -s local.bin -d dest.bin"
11617 "-h, --help This help",
11618 "-s, --src <fn> source file name",
11619 "-d, --dest <fn> destination file name"
11621 "usage": "mem spiffs upload [-h] -s <fn> -d <fn>"
11623 "mem spiffs view": {
11624 "command": "mem spiffs view",
11625 "description": "View a file on flash memory on device in console",
11627 "mem spiffs view -f tag.bin"
11631 "-h, --help This help",
11632 "-f, --file <fn> SPIFFS file to view",
11633 "-c, --cols <dec> column breaks (def 16)"
11635 "usage": "mem spiffs view [-h] -f <fn> [-c <dec>]"
11637 "mem spiffs wipe": {
11638 "command": "mem spiffs wipe",
11639 "description": "* * * Warning * * * This command wipes all files on the device SPIFFS file system",
11645 "-h, --help This help"
11647 "usage": "mem spiffs wipe [-h]"
11650 "command": "mem wipe",
11651 "description": "Wipe flash memory on device, which fills it with 0xFF [ !!! OBS ] use with caution",
11653 "mem wipe -p 0 -> wipes first page"
11657 "-h, --help This help",
11658 "-p <dec> 0,1,2 page memory"
11660 "usage": "mem wipe [-h] [-p <dec>]"
11663 "command": "msleep",
11664 "description": "Sleep for given amount of milliseconds",
11670 "-h, --help This help",
11671 "-t, --ms <ms> time in milliseconds"
11673 "usage": "msleep [-h] [-t <ms>]"
11675 "nfc barcode help": {
11676 "command": "nfc barcode help",
11677 "description": "-------- ------------------ NFC Barcode -------------------- -------- --------------------- General --------------------- help This help ======================================================================================= piv { PIV commands... } --------------------------------------------------------------------------------------- piv help available offline: yes help This help list List ISO7816 history --------------------------------------------------------------------------------------- piv select available offline: no Executes select applet command",
11679 "piv select -s -> select card, select applet",
11680 "piv select -st --aid a00000030800001000 -> select card, select applet a00000030800001000, show result in TLV"
11684 "-h, --help This help",
11685 "-s, -S, --select Activate field and select applet",
11686 "-k, -K, --keep Keep field for next command",
11687 "-a, -A, --apdu Show APDU requests and responses",
11688 "-t, -T, --tlv TLV decode results",
11689 "-w, -W, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
11690 "--aid <hex> Applet ID to select. By default A0000003080000100 will be used"
11692 "usage": "piv select [-hskatw] [--aid <hex>]"
11694 "nfc barcode sim": {
11695 "command": "nfc barcode sim",
11696 "description": "Simulate Thinfilm tag",
11698 "hf thinfilm sim -d B70470726f786d61726b2e636f6d"
11702 "-h, --help This help",
11703 "-d, --data <hex> bytes to send",
11704 "--raw raw, provided bytes should include CRC"
11706 "usage": "hf thinfilm sim [-h] -d <hex> [--raw]"
11709 "command": "nfc help",
11710 "description": "-------- --------------------- NFC Tags -------------------- type1 { NFC Forum Tag Type 1... } type2 { NFC Forum Tag Type 2... } type4a { NFC Forum Tag Type 4 ISO14443A... } type4b { NFC Forum Tag Type 4 ISO14443B... } mf { NFC Type MIFARE Classic/Plus Tag... } barcode { NFC Barcode Tag... } -------- --------------------- General --------------------- help This help decode Decode NDEF records --------------------------------------------------------------------------------------- nfc decode available offline: yes Decode and print NFC Data Exchange Format (NDEF) You must provide either data in hex or a filename, but not both",
11712 "nfc decode -d 9101085402656e48656c6c6f5101085402656e576f726c64",
11713 "nfc decode -d 0103d020240203e02c040300fe",
11714 "nfc decode -f myfilename"
11718 "-h, --help This help",
11719 "-d, --data <hex> NDEF data to decode",
11720 "-f, --file <fn> file to load",
11721 "-v, --verbose verbose output"
11723 "usage": "nfc decode [-hv] [-d <hex>] [-f <fn>]"
11726 "command": "nfc mf cread",
11727 "description": "Prints NFC Data Exchange Format (NDEF)",
11729 "hf mf ndefread -> shows NDEF parsed data",
11730 "hf mf ndefread -vv -> shows NDEF parsed and raw data",
11731 "hf mf ndefread --aid e103 -k ffffffffffff -b -> shows NDEF data with custom AID, key and with key B",
11732 "hf mf ndefread -f myfilename -> save raw NDEF to file"
11736 "-h, --help This help",
11737 "-v, --verbose Verbose output",
11738 "--aid <aid> replace default aid for NDEF",
11739 "-k, --key <key> replace default key for NDEF",
11740 "-b, --keyb use key B for access sectors (by default: key A)",
11741 "-f, --file <fn> save raw NDEF to file"
11743 "usage": "hf mf ndefread [-hvb] [--aid <aid>] [-k <key>] [-f <fn>]"
11746 "command": "nfc mf cwrite",
11747 "description": "Write raw NDEF hex bytes to tag. This commands assumes tag already been NFC/NDEF formatted.",
11749 "hf mf ndefwrite -d 0300FE -> write empty record to tag",
11750 "hf mf ndefwrite -f myfilename",
11751 "hf mf ndefwrite -d 033fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031"
11755 "-h, --help This help",
11756 "-d <hex> raw NDEF hex bytes",
11757 "-f, --file <fn> write raw NDEF file to tag",
11758 "-p fix NDEF record headers / terminator block if missing",
11759 "--mini MIFARE Classic Mini / S20",
11760 "--1k MIFARE Classic 1k / S50 (def)",
11761 "--2k MIFARE Classic/Plus 2k",
11762 "--4k MIFARE Classic 4k / S70",
11763 "-v, --verbose verbose output"
11765 "usage": "hf mf ndefwrite [-hpv] [-d <hex>] [-f <fn>] [--mini] [--1k] [--2k] [--4k]"
11768 "command": "nfc mf help",
11769 "description": "-------- --------- NFC Type MIFARE Classic/Plus Tag -------- -------- --------------------- General --------------------- help This help ======================================================================================= nfc barcode { NFC Barcode Tag... } --------------------------------------------------------------------------------------- nfc barcode read available offline: no Get info from Thinfilm tags",
11775 "-h, --help This help"
11777 "usage": "hf thinfilm info [-h]"
11780 "command": "nfc mf pread",
11781 "description": "Prints NFC Data Exchange Format (NDEF)",
11784 "hf mfp ndefread -vv -> shows NDEF parsed and raw data",
11785 "hf mfp ndefread --aid e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data with custom AID and key",
11786 "hf mfp ndefread -f myfilename -> save raw NDEF to file"
11790 "-h, --help This help",
11791 "-v, --verbose verbose output",
11792 "--aid <aid> replace default aid for NDEF",
11793 "-k, --key <key> replace default key for NDEF",
11794 "-b, --keyb use key B for access sectors (by default: key A)",
11795 "-f, --file <fn> save raw NDEF to file"
11797 "usage": "hf mfp ndefread [-hvb] [--aid <aid>] [-k <key>] [-f <fn>]"
11799 "nfc type1 help": {
11800 "command": "nfc type1 help",
11801 "description": "-------- -------------- NFC Forum Tag Type 1 --------------- -------- --------------------- General --------------------- help This help ======================================================================================= nfc type2 { NFC Forum Tag Type 2... } --------------------------------------------------------------------------------------- nfc type2 read available offline: no Prints NFC Data Exchange Format (NDEF)",
11803 "hf mfu ndefread -> shows NDEF data",
11804 "hf mfu ndefread -k ffffffff -> shows NDEF data with key",
11805 "hf mfu ndefread -f myfilename -> save raw NDEF to file"
11809 "-h, --help This help",
11810 "-l Swap entered key's endianness",
11811 "-f, --file <fn> Save raw NDEF to file",
11812 "-v, --verbose Verbose output"
11814 "usage": "hf mfu ndefread [-hlv] [-k Replace default key for NDEF] [-f <fn>]"
11816 "nfc type1 read": {
11817 "command": "nfc type1 read",
11818 "description": "Get info from Topaz tags",
11821 "hf topaz info -f myfilename -> save raw NDEF to file"
11825 "-h, --help This help",
11826 "-f, --file <fn> save raw NDEF to file",
11827 "-v, --verbose verbose output"
11829 "usage": "hf topaz info [-hv] [-f <fn>]"
11831 "nfc type2 help": {
11832 "command": "nfc type2 help",
11833 "description": "-------- -------------- NFC Forum Tag Type 2 --------------- -------- --------------------- General --------------------- help This help ======================================================================================= nfc type4a { NFC Forum Tag Type 4 ISO14443A... } --------------------------------------------------------------------------------------- nfc type4a format available offline: no Format ISO14443-a Tag as a NFC tag with Data Exchange Format (NDEF)",
11835 "hf 14a ndefformat"
11839 "-h, --help This help",
11840 "-v, --verbose verbose output"
11842 "usage": "hf 14a ndefformat [-hv]"
11844 "nfc type4a help": {
11845 "command": "nfc type4a help",
11846 "description": "-------- --------- NFC Forum Tag Type 4 ISO14443A ---------- -------- --------------------- General --------------------- help This help ======================================================================================= nfc type4b { NFC Forum Tag Type 4 ISO14443B... } --------------------------------------------------------------------------------------- nfc type4b read available offline: no Print NFC Data Exchange Format (NDEF)",
11849 "hf 14b ndefread -f myfilename -> save raw NDEF to file"
11853 "-h, --help This help",
11854 "-f, --file <fn> Save raw NDEF to file",
11855 "-v, --verbose Verbose output"
11857 "usage": "hf 14b ndefread [-hv] [-f <fn>]"
11859 "nfc type4a read": {
11860 "command": "nfc type4a read",
11861 "description": "Read NFC Data Exchange Format (NDEF) file on Type 4 NDEF tag",
11864 "hf 14a ndefread -f myfilename -> save raw NDEF to file"
11868 "-h, --help This help",
11869 "-f, --file <fn> save raw NDEF to file",
11870 "-v, --verbose verbose output"
11872 "usage": "hf 14a ndefread [-hv] [-f <fn>]"
11874 "nfc type4a st25taread": {
11875 "command": "nfc type4a st25taread",
11876 "description": "Read NFC Data Exchange Format (NDEF) file on ST25TA",
11878 "hf st25ta ndefread -p 82E80053D4CA5C0B656D852CC696C8A1",
11879 "hf st25ta ndefread -f myfilename -> save raw NDEF to file"
11883 "-h, --help This help",
11884 "-p, --pwd <hex> 16 byte read password",
11885 "-f, --file <fn> save raw NDEF to file",
11886 "-v, --verbose verbose output"
11888 "usage": "hf st25ta ndefread [-hv] [-p <hex>] [-f <fn>]"
11890 "nfc type4a write": {
11891 "command": "nfc type4a write",
11892 "description": "Write raw NDEF hex bytes to tag. This commands assumes tag already been NFC/NDEF formatted.",
11894 "hf 14a ndefwrite -d 0300FE -> write empty record to tag",
11895 "hf 14a ndefwrite -f myfilename",
11896 "hf 14a ndefwrite -d 003fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031"
11900 "-h, --help This help",
11901 "-d <hex> raw NDEF hex bytes",
11902 "-f, --file <fn> write raw NDEF file to tag",
11903 "-p fix NDEF record headers / terminator block if missing",
11904 "-v, --verbose verbose output"
11906 "usage": "hf 14a ndefwrite [-hpv] [-d <hex>] [-f <fn>]"
11908 "nfc type4b help": {
11909 "command": "nfc type4b help",
11910 "description": "-------- --------- NFC Forum Tag Type 4 ISO14443B ------------- -------- --------------------- General --------------------- help This help ======================================================================================= nfc mf { NFC Type MIFARE Classic/Plus Tag... } --------------------------------------------------------------------------------------- nfc mf cformat available offline: no format MIFARE Classic Tag as a NFC tag with Data Exchange Format (NDEF) If no <name> given, UID will be used as filename. It will try default keys and MAD keys to detect if tag is already formatted in order to write. If not, it will try finding a key file based on your UID. ie, if you ran autopwn before",
11912 "hf mf ndefformat",
11913 "hf mf ndefformat --1k -> MIFARE Classic 1k",
11914 "hf mf ndefformat --keys hf-mf-01020304-key.bin -> MIFARE 1k with keys from specified file"
11918 "-h, --help This help",
11919 "-k, --keys <fn> filename of keys",
11920 "--mini MIFARE Classic Mini / S20",
11921 "--1k MIFARE Classic 1k / S50 (def)",
11922 "--2k MIFARE Classic/Plus 2k",
11923 "--4k MIFARE Classic 4k / S70"
11925 "usage": "hf mf ndefformat [-h] [-k <fn>] [--mini] [--1k] [--2k] [--4k]"
11928 "command": "piv authsign",
11929 "description": "Send a nonce and ask the PIV card to sign it",
11931 "piv sign -sk -> select card, select applet, sign a NULL nonce"
11935 "-h, --help This help",
11936 "-s, -S, --select Activate field and select applet",
11937 "-k, -K, --keep Keep field for next command",
11938 "-a, -A, --apdu Show APDU requests and responses",
11939 "-t, -T, --tlv TLV decode results",
11940 "-w, -W, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
11941 "--aid <hex> Applet ID to select. By default A0000003080000100 will be used",
11942 "--nonce <hex> Nonce to sign.",
11943 "--slot <dec id> Slot number. Default will be 0x9E (card auth cert).",
11944 "--alg <dec> Algorithm to use to sign. Example values: 06=RSA-1024, 07=RSA-2048, 11=ECC-P256 (default), 14=ECC-P384"
11946 "usage": "piv sign [-hskatw] [--aid <hex>] --nonce <hex> [--slot <dec id>] [--alg <dec>]"
11949 "command": "piv getdata",
11950 "description": "Get a data container of a given tag",
11952 "piv getdata -s 5fc102 -> select card, select applet, get card holder unique identifer",
11953 "piv getdata -st 5fc102 -> select card, select applet, get card holder unique identifer, show result in TLV"
11957 "-h, --help This help",
11958 "-s, -S, --select Activate field and select applet",
11959 "-k, -K, --keep Keep field for next command",
11960 "-a, -A, --apdu Show APDU requests and responses",
11961 "-t, -T, --tlv TLV decode results",
11962 "-w, -W, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
11963 "--aid <hex> Applet ID to select. By default A0000003080000100 will be used",
11964 "<hex> Tag ID to read, between 1 and 3 bytes."
11966 "usage": "piv getdata [-hskatw] [--aid <hex>] <hex>"
11969 "command": "piv list",
11970 "description": "Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
11972 "piv list --frame -> show frame delay times",
11973 "piv list -1 -> use trace buffer"
11977 "-h, --help This help",
11978 "-1, --buffer use data from trace buffer",
11979 "--frame show frame delay times",
11980 "-c mark CRC bytes",
11981 "-r show relative times (gap and duration)",
11982 "-u display times in microseconds instead of clock cycles",
11983 "-x show hexdump to convert to pcap(ng)",
11984 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
11985 "-f, --file <fn> filename of dictionary"
11987 "usage": "piv list [-h1crux] [--frame] [-f <fn>]"
11990 "command": "piv scan",
11991 "description": "Scan a PIV card for known containers",
11993 "piv scan -s -> select card, select applet and run scan",
11994 "piv scan -st --aid a00000030800001000 -> select card, select applet a00000030800001000, show result of the scan in TLV"
11998 "-h, --help This help",
11999 "-s, -S, --select Activate field and select applet",
12000 "-k, -K, --keep Keep field for next command",
12001 "-a, -A, --apdu Show APDU requests and responses",
12002 "-t, -T, --tlv TLV decode results",
12003 "-w, -W, --wired Send data via contact (iso7816) interface. (def: Contactless interface)",
12004 "--aid <hex> Applet ID to select. By default A0000003080000100 will be used"
12006 "usage": "piv scan [-hskatw] [--aid <hex>]"
12008 "prefs get barmode": {
12009 "command": "prefs get barmode",
12010 "description": "Get preference of HF/LF tune command styled output in the client",
12012 "prefs get barmode"
12016 "-h, --help This help"
12018 "usage": "prefs get barmode [-h]"
12020 "prefs get client.debug": {
12021 "command": "prefs get client.debug",
12022 "description": "Get preference of using clientside debug level",
12024 "prefs get client.debug"
12028 "-h, --help This help"
12030 "usage": "prefs get client.debug [-h]"
12032 "prefs get client.delay": {
12033 "command": "prefs get client.delay",
12034 "description": "Get preference of delay time before execution of a command in the client",
12036 "prefs get client.delay"
12040 "-h, --help This help"
12042 "usage": "prefs get client.delay [-h]"
12044 "prefs get client.timeout": {
12045 "command": "prefs get client.timeout",
12046 "description": "Get preference of delay time before execution of a command in the client",
12048 "prefs get client.timeout"
12052 "-h, --help This help"
12054 "usage": "prefs get client.timeout [-h]"
12056 "prefs get color": {
12057 "command": "prefs get color",
12058 "description": "Get preference of using colors in the client",
12064 "-h, --help This help"
12066 "usage": "prefs get color [-h]"
12068 "prefs get emoji": {
12069 "command": "prefs get emoji",
12070 "description": "Get preference of using emojis in the client",
12076 "-h, --help This help"
12078 "usage": "prefs get emoji [-h]"
12080 "prefs get hints": {
12081 "command": "prefs get hints",
12082 "description": "Get preference of showing hint messages in the client",
12088 "-h, --help This help"
12090 "usage": "prefs get hints [-h]"
12092 "prefs get output": {
12093 "command": "prefs get output",
12094 "description": "Get preference of dump output style",
12100 "-h, --help This help"
12102 "usage": "prefs get output [-h]"
12104 "prefs get plotsliders": {
12105 "command": "prefs get plotsliders",
12106 "description": "Get preference of showing the plotslider control in the client",
12108 "prefs get plotsliders"
12112 "-h, --help This help"
12114 "usage": "prefs get plotsliders [-h]"
12116 "prefs get savepaths": {
12117 "command": "prefs get savepaths",
12118 "description": "Get preference of file paths in the client",
12120 "prefs get savepaths"
12124 "-h, --help This help"
12126 "usage": "prefs get savepaths [-h]"
12129 "command": "prefs help",
12130 "description": "help This help get { Get a preference } set { Set a preference } show Show all preferences --------------------------------------------------------------------------------------- prefs show available offline: yes Show all persistent preferences",
12136 "-h, --help This help"
12138 "usage": "prefs show [-h]"
12140 "prefs set client.debug": {
12141 "command": "prefs set client.debug",
12142 "description": "Set persistent preference of using clientside debug level",
12144 "prefs set client.debug --simple"
12148 "-h, --help This help",
12149 "--off no debug messages",
12150 "--simple simple debug messages",
12151 "--full full debug messages"
12153 "usage": "prefs set client.debug [-h] [--off] [--simple] [--full]"
12155 "prefs set client.delay": {
12156 "command": "prefs set client.delay",
12157 "description": "Set persistent preference of delay before executing a command in the client",
12159 "prefs set client.delay --ms 0 -> unsets any delay",
12160 "prefs set client.delay --ms 1000 -> sets 1000ms delay"
12164 "-h, --help This help",
12165 "--ms <ms> delay in micro seconds"
12167 "usage": "prefs set client.delay [-h] [--ms <ms>]"
12169 "prefs set client.timeout": {
12170 "command": "prefs set client.timeout",
12171 "description": "Set persistent preference of client communication timeout",
12173 "prefs set client.timeout --ms 0 -> unsets any timeout",
12174 "prefs set client.timeout -m 20 -> Set the timeout to 20ms",
12175 "prefs set client.timeout --ms 500 -> Set the timeout to 500ms"
12179 "-h, --help This help",
12180 "-m, --ms <ms> timeout in micro seconds"
12182 "usage": "prefs set client.timeout [-h] [-m <ms>]"
12184 "prefs set color": {
12185 "command": "prefs set color",
12186 "description": "Set persistent preference of using colors in the client",
12188 "prefs set color --ansi"
12192 "-h, --help This help",
12193 "--ansi use ANSI colors",
12194 "--off don't use colors"
12196 "usage": "prefs set color [-h] [--ansi] [--off]"
12198 "prefs set emoji": {
12199 "command": "prefs set emoji",
12200 "description": "Set persistent preference of using emojis in the client",
12202 "prefs set emoji --alias"
12206 "-h, --help This help",
12207 "--alias show alias for emoji",
12208 "--emoji show emoji",
12209 "--alttext show alt text for emoji",
12210 "--none don't show emoji or text"
12212 "usage": "prefs set emoji [-h] [--alias] [--emoji] [--alttext] [--none]"
12214 "prefs set help": {
12215 "command": "prefs set help",
12216 "description": "help This help barmode Set bar mode client.debug Set client debug level client.delay Set client execution delay client.timeout Set client communication timeout color Set color support emoji Set emoji display hints Set hint display savepaths ... to be adjusted next ... output Set dump output style plotsliders Set plot slider display --------------------------------------------------------------------------------------- prefs set barmode available offline: yes Set persistent preference of HF/LF tune command styled output in the client",
12218 "prefs set barmode --mix"
12222 "-h, --help This help",
12223 "--bar measured values as bar only",
12224 "--mix measured values as numbers and bar",
12225 "--val measured values only"
12227 "usage": "prefs set barmode [-h] [--bar] [--mix] [--val]"
12229 "prefs set hints": {
12230 "command": "prefs set hints",
12231 "description": "Set persistent preference of showing hint messages in the client",
12233 "prefs set hints --on"
12237 "-h, --help This help",
12238 "--off hide hints",
12241 "usage": "prefs set hints [-h] [--off] [--on]"
12243 "prefs set output": {
12244 "command": "prefs set output",
12245 "description": "Set dump output style to condense consecutive repeated data",
12247 "prefs set output --normal -> sets the output style to normal",
12248 "prefs set output --dense -> sets the output style to dense"
12252 "-h, --help This help",
12253 "--normal normal output",
12254 "--dense dense output"
12256 "usage": "prefs set output [-h] [--normal] [--dense]"
12258 "prefs set plotsliders": {
12259 "command": "prefs set plotsliders",
12260 "description": "Set persistent preference of showing the plotslider control in the client",
12262 "prefs set plotsliders --on"
12266 "-h, --help This help",
12267 "--off hide plot slider controls",
12268 "--on show plot slider controls"
12270 "usage": "prefs set plotsliders [-h] [--off] [--on]"
12272 "prefs set savepaths": {
12273 "command": "prefs set savepaths",
12274 "description": "Set persistent preference of file paths in the client",
12276 "prefs set savepaths --dump /home/mydumpfolder -> all dump files will be saved into this folder",
12277 "prefs set savepaths --def /home/myfolder -c -> create if needed, all files will be saved into this folder"
12281 "-h, --help This help",
12282 "-c, --create create directory if it does not exist",
12283 "--def <path> default path",
12284 "--dump <path> dump file path",
12285 "--trace <path> trace path"
12287 "usage": "prefs set savepaths [-hc] [--def <path>] [--dump <path>] [--trace <path>]"
12291 "description": "Quit the Proxmark3 client terminal",
12297 "-h, --help This help"
12299 "usage": "quit [-h]"
12303 "description": "Add a text line in log file",
12305 "rem my message -> adds a timestamp with `my message`"
12309 "-h, --help This help",
12310 "<string> message line you want inserted"
12312 "usage": "rem [-h] <string> [<string>]..."
12315 "command": "script list",
12316 "description": "List available Lua, Cmd and Python scripts",
12322 "-h, --help This help"
12324 "usage": "script list [-h]"
12327 "command": "script run",
12328 "description": "Run a Lua, Cmd or Python script. If no extension it will search for lua/cmd/py extensions Use `script list` to see available scripts",
12330 "script run my_script -h"
12334 "-h, --help This help",
12335 "<filename> name of script to run",
12336 "<params> script parameters"
12338 "usage": "script run [-h] <filename> [<params>]..."
12341 "command": "smart brute",
12342 "description": "Tries to bruteforce SFI, using a known list of AID's",
12348 "-h, --help This help",
12349 "-t, --tlv executes TLV decoder if it possible"
12351 "usage": "smart brute [-ht]"
12354 "command": "smart help",
12355 "description": "help This help list List ISO 7816 history pcsc Turn pm3 into pcsc reader and relay to host OS via vpcd upgrade Upgrade sim module firmware --------------------------------------------------------------------------------------- smart list available offline: yes Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
12357 "smart list --frame -> show frame delay times",
12358 "smart list -1 -> use trace buffer"
12362 "-h, --help This help",
12363 "-1, --buffer use data from trace buffer",
12364 "--frame show frame delay times",
12365 "-c mark CRC bytes",
12366 "-r show relative times (gap and duration)",
12367 "-u display times in microseconds instead of clock cycles",
12368 "-x show hexdump to convert to pcap(ng)",
12369 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
12370 "-f, --file <fn> filename of dictionary"
12372 "usage": "smart list [-h1crux] [--frame] [-f <fn>]"
12375 "command": "smart info",
12376 "description": "Extract more detailed information from smart card.",
12382 "-h, --help This help",
12383 "-v, --verbose verbose output"
12385 "usage": "smart info [-hv]"
12388 "command": "smart pcsc",
12389 "description": "Make pm3 available to host OS smartcard driver via vpcd to enable use with other software such as GlobalPlatform Pro",
12391 "Requires the virtual smartcard daemon to be installed and running",
12392 "see https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html",
12394 "`-v` shows APDU transactions between OS and card"
12398 "-h, --help This help",
12399 "--host <str> vpcd socket host (default: localhost)",
12400 "-p, --port <int> vpcd socket port (default: 35963)",
12401 "-v, --verbose display APDU transactions between OS and card",
12402 "-a use ISO 14443A contactless interface",
12403 "-b use ISO 14443B contactless interface",
12404 "-c use ISO 7816 contact interface"
12406 "usage": "smart pcsc [-hvabc] [--host <str>] [-p <int>]"
12409 "command": "smart raw",
12410 "description": "Sends raw bytes to card",
12412 "smart raw -s -0 -d 00a404000e315041592e5359532e4444463031 -> `1PAY.SYS.DDF01` PPSE directory with get ATR",
12413 "smart raw -0 -d 00a404000e325041592e5359532e4444463031 -> `2PAY.SYS.DDF01` PPSE directory",
12414 "smart raw -0 -t -d 00a4040007a0000000041010 -> Mastercard",
12415 "smart raw -0 -t -d 00a4040007a0000000031010 -> Visa"
12419 "-h, --help This help",
12420 "-r do not read response",
12421 "-a active smartcard without select (reset sc module)",
12422 "-s active smartcard with select (get ATR)",
12423 "-t, --tlv executes TLV decoder if it possible",
12424 "-0 use protocol T=0",
12425 "--timeout <ms> Timeout in MS waiting for SIM to respond. (def 337ms)",
12426 "-d, --data <hex> bytes to send"
12428 "usage": "smart raw [-hrast0] [--timeout <ms>] -d <hex>"
12431 "command": "smart reader",
12432 "description": "Act as a smart card reader.",
12438 "-h, --help This help",
12439 "-v, --verbose verbose output"
12441 "usage": "smart reader [-hv]"
12443 "smart setclock": {
12444 "command": "smart setclock",
12445 "description": "Set clock speed for smart card interface.",
12447 "smart setclock --4mhz",
12448 "smart setclock --16mhz"
12452 "-h, --help This help",
12453 "--16mhz 16 MHz clock speed",
12454 "--8mhz 8 MHz clock speed",
12455 "--4mhz 4 MHz clock speed"
12457 "usage": "smart setclock [-h] [--16mhz] [--8mhz] [--4mhz]"
12460 "command": "trace help",
12461 "description": "help This help extract Extract authentication challenges found in trace list List protocol data in trace buffer load Load trace from file save Save trace buffer to file --------------------------------------------------------------------------------------- trace extract available offline: yes Extracts protocol authentication challenges from trace buffer",
12468 "-h, --help This help",
12469 "-1, --buffer use data from trace buffer"
12471 "usage": "trace extract [-h1]"
12474 "command": "trace list",
12475 "description": "Annotate trace buffer with selected protocol data You can load a trace from file (see `trace load -h`) or it be downloaded from device by default",
12477 "trace list -t raw -> just show raw data without annotations",
12479 "trace list -t 14a -> interpret as ISO14443-A",
12480 "trace list -t 14b -> interpret as ISO14443-B",
12481 "trace list -t 15 -> interpret as ISO15693",
12482 "trace list -t 7816 -> interpret as ISO7816-4",
12483 "trace list -t cryptorf -> interpret as CryptoRF",
12485 "trace list -t des -> interpret as MIFARE DESFire",
12486 "trace list -t felica -> interpret as ISO18092 / FeliCa",
12487 "trace list -t hitag1 -> interpret as Hitag1",
12488 "trace list -t hitag2 -> interpret as Hitag2",
12489 "trace list -t hitags -> interpret as HitagS",
12490 "trace list -t iclass -> interpret as iCLASS",
12491 "trace list -t legic -> interpret as LEGIC",
12492 "trace list -t lto -> interpret as LTO-CM",
12493 "trace list -t mf -> interpret as MIFARE Classic and decrypt crypto1 stream",
12494 "trace list -t seos -> interpret as SEOS",
12495 "trace list -t thinfilm -> interpret as Thinfilm",
12496 "trace list -t topaz -> interpret as Topaz",
12497 "trace list -t mfp -> interpret as MIFARE Plus",
12499 "trace list -t mf -f mfc_default_keys.dic -> use default dictionary file",
12500 "trace list -t 14a --frame -> show frame delay times",
12501 "trace list -t 14a -1 -> use trace buffer"
12505 "-h, --help This help",
12506 "-1, --buffer use data from trace buffer",
12507 "--frame show frame delay times",
12508 "-c mark CRC bytes",
12509 "-r show relative times (gap and duration)",
12510 "-u display times in microseconds instead of clock cycles",
12511 "-x show hexdump to convert to pcap(ng)",
12512 "or to import into Wireshark using encapsulation type \"ISO 14443\"",
12513 "-t, --type <string> protocol to annotate the trace",
12514 "-f, --file <fn> filename of dictionary"
12516 "usage": "trace list [-h1crux] [--frame] [-t <string>] [-f <fn>]"
12519 "command": "trace load",
12520 "description": "Load protocol data from binary file to trace buffer File extension is <.trace>",
12522 "trace load -f mytracefile -> w/o file extension"
12526 "-h, --help This help",
12527 "-f, --file <fn> Specify trace file to load"
12529 "usage": "trace load [-h] -f <fn>"
12532 "command": "trace save",
12533 "description": "Save protocol data from trace buffer to binary file File extension is <.trace>",
12535 "trace save -f mytracefile -> w/o file extension"
12539 "-h, --help This help",
12540 "-f, --file <fn> Specify trace file to save"
12542 "usage": "trace save [-h] -f <fn>"
12544 "usart btfactory": {
12545 "command": "usart btfactory",
12546 "description": "Reset BT add-on to factory settings This requires 1) BTpower to be turned ON 2) BT add-on to NOT be connected => the add-on blue LED must blink WARNING: process only if strictly needed!",
12552 "-h, --help This help"
12554 "usage": "usart btfactory [-h]"
12557 "command": "usart config",
12558 "description": "Configure USART. WARNING: it will have side-effects if used in USART HOST mode! The changes are not permanent, restart Proxmark3 to get default settings back.",
12560 "usart config -b 9600",
12561 "usart config -b 9600 --none",
12566 "-h, --help This help",
12567 "-b, --baud <dec> baudrate",
12568 "-N, --none mone parity",
12569 "-E, --even even parity",
12570 "-O, --odd odd parity"
12572 "usage": "usart config [-hNEO] [-b <dec>]"
12575 "command": "usart help",
12576 "description": "help This help --------------------------------------------------------------------------------------- usart btpin available offline: no Change BT add-on PIN. WARNING: this requires 1) BTpower to be turned ON 2) BT add-on to NOT be connected => the add-on blue LED must blink",
12578 "usart btpin -p 1234"
12582 "-h, --help This help",
12583 "-p, --pin <dec> Desired PIN number (4 digits)"
12585 "usage": "usart btpin [-h] -p <dec>"
12588 "command": "usart rx",
12589 "description": "Receive string over USART. WARNING: it will have side-effects if used in USART HOST mode!",
12591 "usart rx -t 2000 -> 2 second timeout"
12595 "-h, --help This help",
12596 "-t, --timeout <dec> timeout in ms, default is 0ms"
12598 "usage": "usart rx [-h] [-t <dec>]"
12601 "command": "usart rxhex",
12602 "description": "Receive bytes over USART. WARNING: it will have side-effects if used in USART HOST mode!",
12604 "usart rxhex -t 2000 -> 2 second timeout"
12608 "-h, --help This help",
12609 "-t, --timeout <dec> timeout in ms, default is 0ms"
12611 "usage": "usart rxhex [-h] [-t <dec>]"
12614 "command": "usart tx",
12615 "description": "Send string over USART. WARNING: it will have side-effects if used in USART HOST mode!",
12617 "usart tx -d \"AT+VERSION\"",
12618 "usart tx -d \"AT+VERSION\\r\\n\""
12622 "-h, --help This help",
12623 "-d, --data <string> string to send"
12625 "usage": "usart tx [-h] -d <string>"
12628 "command": "usart txhex",
12629 "description": "Send bytes over USART. WARNING: it will have side-effects if used in USART HOST mode!",
12631 "usart txhex -d 504d33620a80000000010100f09f988ef09fa5b36233"
12635 "-h, --help This help",
12636 "-d, --data <hex> bytes to send"
12638 "usage": "usart txhex [-h] -d <hex>"
12641 "command": "usart txrx",
12642 "description": "Send string over USART and wait for response. WARNING: if used in USART HOST mode, you can only send AT commands to add-on when BT connection is not established (LED needs to be blinking) Any other usage in USART HOST mode will have side-effects!",
12644 "usart txrx -d \"AT+VERSION\" -> Talking to BT add-on (when no connection)",
12645 "usart txrx -t 2000 -d \"AT+SOMESTUFF\\r\\n\" -> Talking to a target requiring longer time and end-of-line chars"
12649 "-h, --help This help",
12650 "-t, --timeout <dec> timeout in ms, default is 1000 ms",
12651 "-d, --data <string> string to send"
12653 "usage": "usart txrx [-h] [-t <dec>] -d <string>"
12655 "wiegand decode": {
12656 "command": "wiegand decode",
12657 "description": "Decode raw hex or binary to wiegand format",
12659 "wiegand decode --raw 2006f623ae"
12663 "-h, --help This help",
12664 "-r, --raw <hex> raw hex to be decoded",
12665 "-b, --bin <bin> binary string to be decoded"
12667 "usage": "wiegand decode [-h] [-r <hex>] [-b <bin>]"
12669 "wiegand encode": {
12670 "command": "wiegand encode",
12671 "description": "Encode wiegand formatted number to raw hex",
12673 "wiegand encode --fc 101 --cn 1337 -> show all formats",
12674 "wiegand encode -w H10301 --fc 101 --cn 1337 -> H10301 format"
12678 "-h, --help This help",
12679 "--fc <dec> facility number",
12680 "--cn <dec> card number",
12681 "--issue <dec> issue level",
12682 "--oem <dec> OEM code",
12683 "-w, --wiegand <format> see `wiegand list` for available formats",
12684 "--pre add HID ProxII preamble to wiegand output"
12686 "usage": "wiegand encode [-h] [--fc <dec>] --cn <dec> [--issue <dec>] [--oem <dec>] [-w <format>] [--pre]"
12689 "command": "wiegand help",
12690 "description": "help This help list List available wiegand formats encode Encode to wiegand raw hex (currently for HID Prox) decode Convert raw hex to decoded wiegand format (currently for HID Prox) --------------------------------------------------------------------------------------- wiegand list available offline: yes List available wiegand formats",
12696 "-h, --help This help"
12698 "usage": "wiegand info [-h]"
12702 "commands_extracted": 735,
12703 "extracted_by": "PM3Help2JSON v1.00",
12704 "extracted_on": "2024-05-14T08:02:41"