| blob | 0dd86c2a0f1b2a78aee7b23cfba78365537c0bb2 |
1 <a id="Top"></a>
2 # Command Cheat Sheet
4 |Generic|Low Frequency 125 kHz|High Frequency 13.56 MHz|
5 |---|---|---|
6 |[Generic](#Generic)|[T55XX](#T55XX)|[MIFARE](#MIFARE)|
7 |[Data](#Data)|[HID Prox](#HID-Prox)|[iCLASS](#iCLASS)|
8 |[Memory](#Memory)|[Indala](#Indala)||
9 |[Sim Module](#Sim-Module)|[Hitag](#Hitag)||
10 |[Lua Scripts](#Lua-Scripts)|||
11 |[Smart Card](#Smart-Card)|||
12 |[Wiegand convertion](#Wiegand-manipulation)|||
14 ## Generic
15 ^[Top](#top)
17 Identify High Frequency cards
18 ```
19 pm3 --> hf search
20 ```
22 Identify Low Frequency cards
23 ```
24 pm3 --> lf search
25 ```
27 Measure antenna characteristics, LF/HF voltage should be around 20-45+ V
28 ```
29 pm3 --> hw tune
30 ```
32 Check versioning
33 ```
34 pm3 --> hw version
35 ```
37 Check overall status
38 ```
39 pm3 --> hw status
40 ```
42 ## iCLASS
43 ^[Top](#top)
45 Reverse permute iCLASS master key
46 ```
47 Options
48 ---
49 -r --reverse : reverse permuted key
50 --key <bytes> : input key
52 pm3 --> hf iclass permute --reverse --key 3F90EBF0910F7B6F
53 ```
55 iCLASS Reader
57 ```
58 pm3 --> hf iclass reader
59 ```
61 Dump iCLASS card contents
62 ```
63 Options
64 ---
65 -f, --file <filename> filename to save dump to
66 -k, --key <hex> debit key as 16 hex symbols OR NR/MAC for replay
67 --ki <dec> debit key index to select key from memory 'hf iclass managekeys'
68 --credit <hex> credit key as 16 hex symbols
69 --ci <dec> credit key index to select key from memory 'hf iclass managekeys'
70 --elite elite computations applied to key
71 --raw raw, the key is interpreted as raw block 3/4
72 --nr replay of NR/MAC
74 pm3 --> hf iclass dump --ki 0
75 ```
77 Read iCLASS Block
78 ```
79 Options
80 ---
81 -k, --key <hex> Access key as 16 hex symbols
82 --blk <dec> The block number to read as an integer
83 --ki <dec> Key index to select key from memory 'hf iclass managekeys'
84 --credit key is assumed to be the credit key
85 --elite elite computations applied to key
86 --raw no computations applied to key (raw)
87 --nr replay of NR/MAC
89 pm3 --> hf iclass rdbl -b 7 --ki 0
90 ```
92 Write to iCLASS Block
93 ```
94 Options
95 ---
96 -k, --key <hex> Access key as 16 hex symbols
97 --blk <dec> The block number to read as an integer
98 -d, --data <hex> data to write as 16 hex symbols
99 --ki <dec> Key index to select key from memory 'hf iclass managekeys'
100 --credit key is assumed to be the credit key
101 --elite elite computations applied to key
102 --raw no computations applied to key (raw)
103 --nr replay of NR/MAC
105 pm3 --> hf iclass wrbl -b 7 -d 6ce099fe7e614fd0 --ki 0
106 ```
108 Print keystore
109 ```
110 Options
111 ---
112 -p, --print Print keys loaded into memory
115 pm3 --> hf iclass managekeys -p
116 ```
118 Add key to keystore [0-7]
119 ```
120 Options
121 ---
122 -f, --file <filename> Specify a filename to use with load or save operations
123 --ki <dec> Specify key index to set key in memory
125 pm3 --> hf iclass managekeys --ki 3 -k AFA785A7DAB33378
126 ```
128 Encrypt iCLASS Block
129 ```
130 Options
131 ---
132 -d, --data <hex> data to encrypt
133 -k, --key <hex> 3DES transport key
134 -v, --verbose verbose output
136 pm3 --> hf iclass encrypt -d 0000000f2aa3dba8
137 ```
139 Decrypt iCLASS Block / file
140 ```
141 Options
142 ---
143 -f, --file <filename> Specify a filename for dump file
144 -d, --data <hex> 3DES encrypted data
145 -k, --key <hex> 3DES transport key
146 -v, --verbose verbose output
148 pm3 --> hf iclass decrypt -d 2AD4C8211F996871
149 pm3 --> hf iclass decrypt -f hf-iclass-db883702f8ff12e0.bin
150 ```
152 Load iCLASS dump into memory for simulation
153 ```
154 Options
155 ---
156 -f, --file <filename> Specify a filename for dump file
157 --json load JSON type dump
158 --eml load EML type dump
160 pm3 --> hf iclass eload -f hf-iclass-db883702f8ff12e0.bin
161 ```
163 Clone iCLASS Legacy Sequence
164 ```
165 pm3 --> hf iclass rdbl -b 7 --ki 0
166 pm3 --> hf iclass wrbl -b 7 -d 6ce099fe7e614fd0 --ki 0
167 ```
169 Simulate iCLASS
170 ```
171 Options
172 ---
173 -t, --type <int> Simulation type to use
174 --csn <hex> Specify CSN as 8 bytes (16 hex symbols) to use with sim type 0
175 Types:
176 0 simulate the given CSN
177 1 simulate default CSN
178 2 runs online part of LOCLASS attack
179 3 full simulation using emulator memory (see 'hf iclass eload')
180 4 runs online part of LOCLASS attack against reader in keyroll mode
182 pm3 --> hf iclass sim -t 3
183 ```
185 Simulate iCLASS Sequence
186 ```
187 pm3 --> hf iclass dump --ki 0
188 pm3 --> hf iclass eload -f hf-iclass-db883702f8ff12e0.bin
189 pm3 --> hf iclass sim -t 3
190 ```
192 Extract custom iCLASS key (loclass attack)
193 ```
194 Options
195 ---
196 -f <filename> specify a filename to clone from
197 -k <key> Access Key as 16 hex symbols or 1 hex to select key from memory
198 --elite Elite computations applied to key
200 pm3 --> hf iclass sim -t 2
201 pm3 --> hf iclass loclass -f iclass_mac_attack.bin
202 pm3 --> hf iclass managekeys --ki 7 -k <Kcus>
203 pm3 --> hf iclass dump --ki 7 --elite
204 ```
206 Verify custom iCLASS key
207 ```
208 options
209 ---
210 -f, --file <filename> Dictionary file with default iclass keys
211 --csn <hex> Specify CSN as 8 bytes (16 hex symbols)
212 --epurse <hex> Specify ePurse as 8 bytes (16 hex symbols)
213 --macs <hex> MACs
214 --raw no computations applied to key (raw)
215 --elite Elite computations applied to key
217 pm3 --> hf iclass lookup --csn 010a0ffff7ff12e0 --epurse feffffffffffffff --macs 66348979153c41b9 -f iclass_default_keys --elite
218 ```
220 ## MIFARE
221 ^[Top](#top)
223 Check for default keys
224 ```
225 options
226 ---
227 -k, --key <hex> Key specified as 12 hex symbols
228 --blk <dec> Input block number
229 -a Target Key A, if found also check Key B for duplicate
230 -b Target Key B
231 -*, --all Target both key A & B (default)
232 --mini MIFARE Classic Mini / S20
233 --1k MIFARE Classic 1k / S50 (default)
234 --2k MIFARE Classic/Plus 2k
235 --4k MIFARE Classic 4k / S70
236 --emu Fill simulator keys from found keys
237 --dump Dump found keys to binary file
238 -f, --file <filename> filename of dictionary
240 pm3 --> hf mf chk --1k -f mfc_default_keys
241 ```
243 Check for default keys from local memory
244 ```
245 Options
246 ---
247 -k, --key <hex> Key specified as 12 hex symbols
248 --mini MIFARE Classic Mini / S20
249 --1k MIFARE Classic 1k / S50 (default)
250 --2k MIFARE Classic/Plus 2k
251 --4k MIFARE Classic 4k / S70
252 --emu Fill simulator keys from found keys
253 --dump Dump found keys to binary file
254 --mem Use dictionary from flashmemory
255 -f, --file <filename> filename of dictionary
257 pm3 --> hf mf fchk --1k --mem
258 ```
260 Dump MIFARE Classic card contents
261 ```
262 Options:
263 ---
264 -f, --file <filename> Specify a filename for dump file
265 -k, --keys <filename> Specify a filename for keys file
266 --mini MIFARE Classic Mini / S20
267 --1k MIFARE Classic 1k / S50 (default)
268 --2k MIFARE Classic/Plus 2k
269 --4k MIFARE Classic 4k / S70
271 pm3 --> hf mf dump
272 pm3 --> hf mf dump --1k -k hf-mf-A29558E4-key.bin -f hf-mf-A29558E4-dump.bin
273 ```
275 Write to MIFARE Classic block
276 ```
277 Options:
278 ---
279 --blk <dec> block number
280 -a input key type is key A (def)
281 -b input key type is key B
282 -k, --key <hex> key, 6 hex bytes
283 -d, --data <hex> bytes to write, 16 hex bytes
285 pm3 --> hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d d3a2859f6b880400c801002000000016
286 ```
288 Run autopwn, to extract all keys and backup a MIFARE Classic tag
289 ```
290 Options:
291 ---
292 -k, --key <hex> Known key, 12 hex bytes
293 -s, --sector <dec> Input sector number
294 -a Input key A (def)
295 -b Input key B
296 -f, --file <fn> filename of dictionary
297 -s, --slow Slower acquisition (required by some non standard cards)
298 -l, --legacy legacy mode (use the slow `hf mf chk`)
299 -v, --verbose verbose output (statistics)
300 --mini MIFARE Classic Mini / S20
301 --1k MIFARE Classic 1k / S50 (default)
302 --2k MIFARE Classic/Plus 2k
303 --4k MIFARE Classic 4k / S70
305 pm3 --> hf mf autopwn
307 // target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'
308 pm3 --> hf mf autopwn -s 0 -a -k FFFFFFFFFFFF
310 // target MFC 1K card, default dictionary
311 pm3 --> hf mf autopwn --1k -f mfc_default_keys
312 ```
314 Run hardnested attack
315 ```
316 Options
317 ---
318 -k, --key <hex> Key, 12 hex bytes
319 --blk <dec> Input block number
320 -a Input key A (def)
321 -b Input key B
322 --tblk <dec> Target block number
323 --ta Target key A
324 --tb Target key B
325 --tk <hex> Target key, 12 hex bytes
326 -f, --file <fn> R/W <name> instead of default name
327 -s, --slow Slower acquisition (required by some non standard cards)
328 -w, --wr Acquire nonces and UID, and write them to file `hf-mf-<UID>-nonces.bin`
330 pm3 --> hf mf hardnested --blk 0 -a -k 8829da9daf76 --tblk 4 --ta -w
331 ```
333 Load MIFARE Classic dump file into emulator memory for simulation
334 Accepts (BIN/EML/JSON)
335 ```
336 Options
337 ---
338 -f, --file <fn> Specify a filename for dump file
339 --mini MIFARE Classic Mini / S20
340 --1k MIFARE Classic 1k / S50 (def)
341 --2k MIFARE Classic/Plus 2k
342 --4k MIFARE Classic 4k / S70
343 --ul MIFARE Ultralight family
344 -q, --qty <dec> manually set number of blocks (overrides)
346 pm3 --> hf mf eload -f hf-mf-353C2AA6-dump.bin
347 pm3 --> hf mf eload --1k -f hf-mf-353C2AA6-dump.bin
348 ```
350 Simulate MIFARE
351 ```
352 u : (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used
354 pm3 --> hf mf sim -u 353c2aa6
355 ```
357 Simulate MIFARE Sequence
358 ```
359 pm3 --> hf mf fchk --1k -f mfc_default_keys.dic
360 pm3 --> hf mf dump
361 pm3 --> hf mf eload -f hf-mf-<UID>-dump.bin
362 pm3 --> hf mf sim -u 353c2aa6
363 ```
365 Clone MIFARE 1K Sequence
366 ```
367 pm3 --> hf mf fchk --1k -f mfc_default_keys.dic
368 pm3 --> hf mf dump
369 pm3 --> hf mf restore --1k --uid 4A6CE843 -k hf-mf-A29558E4-key.bin -f hf-mf-A29558E4-dump.bin
370 ```
372 Read MIFARE Ultralight EV1
373 ```
374 pm3 --> hf mfu info
375 ```
377 Clone MIFARE Ultralight EV1 Sequence
378 ```
379 pm3 --> hf mfu dump -k FFFFFFFF
380 pm3 --> hf mfu eload -f hf-mfu-XXXX-dump.bin
381 pm3 --> hf mfu sim -t 7
382 ```
384 Bruteforce MIFARE Classic card numbers from 11223344 to 11223346
385 ```
386 pm3 --> script run hf_mf_uidbruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc
387 ```
389 Bruteforce MIFARE Ultralight EV1 card numbers from 11223344556677 to 11223344556679
390 ```
391 pm3 --> script run hf_mf_uidbruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu
392 ```
394 ## Wiegand manipulation
395 ^[Top](#top)
397 List all available wiegand formats in client
398 ```
399 pm3 --> wiegand list
400 ```
402 Convert Site & Facility code to Wiegand raw hex
403 ```
404 Options
405 ---
406 --fc <dec> facility number
407 --cn <dec> card number
408 --issue <dec> issue level
409 --oem <dec> OEM code
410 -w, --wiegand <format> see `wiegand list` for available formats
411 --pre add HID ProxII preamble to wiegand output
413 pm3 --> wiegand encode -w H10301 --oem 0 --fc 101 --cn 1337
414 pm3 --> wiegand encode --fc 101 --cn 1337
415 ```
417 Convert Site & Facility code from Wiegand raw hex to numbers
418 ```
419 Options
420 ---
421 -p, --parity ignore invalid parity
422 -r, --raw <hex> raw hex to be decoded
423 -b, --bin <bin> binary string to be decoded
425 pm3 --> wiegand decode --raw 2006f623ae
426 ```
428 ## HID Prox
429 ^[Top](#top)
431 Read HID Prox card
432 ```
433 pm3 --> lf hid read
434 ```
436 Demodulate HID Prox card
437 ```
438 pm3 --> lf hid demod
439 ```
441 Simulate Prox card
442 ```
444 pm3 --> lf hid sim -r 200670012d
445 pm3 --> lf hid sim -w H10301 --fc 10 --cn 1337
446 ```
448 Clone Prox to T5577 card
449 ```
450 pm3 --> lf hid clone -r 200670012d
451 pm3 --> lf hid clone -w H10301 --fc 10 --cn 1337
452 ```
454 Brute force HID reader
455 ```
456 Options
457 ---
458 -v, --verbose verbose logging, show all tries
459 -w, --wiegand format see `wiegand list` for available formats
460 -f, --fn dec facility code
461 -c, --cn dec card number to start with
462 -i dec issue level
463 -o, --oem dec OEM code
464 -d, --delay dec delay betweens attempts in ms. Default 1000ms
465 --up direction to increment card number. (default is both directions)
466 --down direction to decrement card number. (default is both directions)
468 pm3 --> lf hid brute -w H10301 -f 224
469 pm3 --> lf hid brute -v -w H10301 -f 21 -c 200 -d 2000
470 ```
472 ## Indala
473 ^[Top](#top)
475 Read Indala card
476 ```
477 pm3 --> lf indala read
478 ```
480 Demodulate Indala card
481 ```
482 pm3 --> lf indala demod
483 ```
485 Simulate Indala card
486 ```
487 Options
488 ---
489 -r, --raw <hex> raw bytes
490 --heden <decimal> Cardnumber for Heden 2L format
492 pm3 --> lf indala sim -r a0000000c2c436c1
493 ```
495 Clone to T55x7 card
496 ```
497 Options
498 ---
499 -r, --raw <hex> raw bytes
500 --heden <decimal> Cardnumber for Heden 2L format
501 --fc <decimal> Facility Code (26 bit H10301 format)
502 --cn <decimal> Cardnumber (26 bit H10301 format)
503 --q5 specify writing to Q5/T5555 tag
504 --em specify writing to EM4305/4469 tag
506 pm3 --> lf indala clone -r a0000000c2c436c1
507 ```
509 ## Hitag
510 ^[Top](#top)
512 Read Hitag information
513 ```
514 pm3 --> lf hitag info
515 ```
517 Read Hitag memory
518 Crypto mode key format: ISK high + ISK low
519 ```
520 Options
521 ---
522 -h, --help This help
523 -s, --hts Hitag S
524 -2, --ht2 Hitag 2
525 --pwd password mode
526 --nrar <hex> nonce / answer writer, 8 hex bytes
527 --crypto crypto mode
528 -k, --key <hex> key, 4 or 6 hex bytes
530 pm3 --> lf hitag read --ht2
531 pm3 --> lf hitag read --ht2 -k 4D494B52
532 pm3 --> lf hitag read --ht2 -k 4F4E4D494B52
533 ```
535 Sniff Hitag traffic
536 ```
537 pm3 --> lf hitag sniff
538 pm3 --> lf hitag list
539 ```
541 Simulate Hitag2
542 ```
543 pm3 --> lf hitag sim -2
544 ```
546 Write a page in Hitag memory
547 Crypto mode key format: ISK high + ISK low
548 ```
549 Options
550 ---
551 -h, --help This help
552 -s, --hts Hitag S
553 -2, --ht2 Hitag 2
554 --pwd password mode
555 --nrar <hex> nonce / answer writer, 8 hex bytes
556 --crypto crypto mode
557 -k, --key <hex> key, 4 or 6 hex bytes
558 -p, --page <dec> page address to write to
559 -d, --data <hex> data, 4 hex bytes
561 pm3 --> lf hitag wrbl --ht2 -k 499602D2 -p 1 -d 00000000
562 ```
564 Simulate Hitag2 sequence
565 ```
566 pm3 --> lf hitag read --ht2 -k 56713368
567 pm3 --> lf hitag sim -2
568 ```
570 ## T55XX
571 ^[Top](#top)
573 Detect T55XX card
574 ```
575 pm3 --> lf t55xx detect
576 ```
578 Configure modulation
579 ```
580 Options
581 ---
582 --FSK set demodulation FSK
583 --FSK1 set demodulation FSK 1
584 --FSK1A set demodulation FSK 1a (inv)
585 --FSK2 set demodulation FSK 2
586 --FSK2A set demodulation FSK 2a (inv)
587 --ASK set demodulation ASK
588 --PSK1 set demodulation PSK 1
589 --PSK2 set demodulation PSK 2
590 --PSK3 set demodulation PSK 3
591 --NRZ set demodulation NRZ
592 --BI set demodulation Biphase
593 --BIA set demodulation Diphase (inverted biphase)
595 EM is ASK
596 HID Prox is FSK
597 Indala is PSK
599 pm3 --> lf t55xx config --FSK
600 ```
602 Set timings to default
603 ```
604 Options
605 ---
607 -p, --persist persist to flash memory (RDV4)
608 -z Set default t55x7 timings (use `-p` to save if required)
609 pm3 --> lf t55xx deviceconfig -zp
610 ```
612 Write to T55xx block
613 ```
614 -b, --blk <0-7> block number to write
615 -d, --data <hex> data to write (4 hex bytes)
616 -p, --pwd <hex> password (4 hex bytes)
618 pm3 --> lf t55xx write -b 0 -d 00081040
619 ```
621 Wipe a T55xx tag and set defaults
622 ```
623 pm3 --> lf t55xx wipe
624 ```
626 ## Data
627 ^[Top](#top)
629 Get raw samples [512-40000]
630 ```
631 pm3 --> data samples -n <size>
632 ```
634 Save samples to file
635 ```
636 pm3 --> data save -f <filename>
637 ```
639 Load samples from file
640 ```
641 pm3 --> data load -f <filename>
642 ```
644 ## Lua Scripts
645 ^[Top](#top)
647 List lua Scripts
649 ```
650 pm3 --> script list
651 ```
653 View lua helptext
655 ```
656 pm3 --> script run <nameofscript> -h
657 ```
660 Convert .bin to .eml
661 ```
662 Options
663 ---
664 -i <file> Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used
665 -o <filename> Specifies the output file. If omitted, <uid>.eml is used
667 pm3 --> script run data_mf_bin2eml -i xxxxxxxxxxxxxx.bin
668 ```
670 Convert .eml to .bin
671 ```
672 Options
673 ---
674 -i <filename> Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used
675 -o <filename> Specifies the output file. If omitted, <currdate>.bin is used
677 pm3 --> script run data_mf_eml2bin -i myfile.eml -o myfile.bin
678 ```
680 Format Mifare card
681 ```
682 Options
683 ---
684 -k <key> The current six byte key with write access
685 -n <key> The new key that will be written to the card
686 -a <access> The new access bytes that will be written to the card
687 -x Execute the commands as well
689 pm3 --> script run hf_mf_format -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
690 ```
692 ## Memory
693 ^[Top](#top)
695 Load default keys into flash memory (RDV4 only)
696 ```
697 Options
698 ---
699 -o <offset> offset in memory
700 -f <filename> file name
701 --mfc upload 6 bytes keys (mifare key dictionary)
702 --iclass upload 8 bytes keys (iClass key dictionary)
703 --t55xx upload 4 bytes keys (pwd dictionary)
705 pm3 --> mem load -f mfc_default_keys --mfc
706 pm3 --> mem load -f t55xx_default_pwds --t5xx
707 pm3 --> mem load -f iclass_default_keys --iclass
708 ```
710 ## Sim Module
711 ^[Top](#top)
713 Upgrade Sim Module firmware
714 ```
715 pm3 --> smart upgrade -f sim014.bin
716 ```
718 ## Smart Card
719 ^[Top](#top)
721 Get Smart Card Information
722 ```
723 pm3 --> smart info
724 ```
726 Act like an IS07816 reader
727 ```
728 pm3 --> smart reader
729 ```
731 Set clock speed for smart card interface
732 ```
733 Options
734 ---
735 --16mhz 16 MHz clock speed
736 --8mhz 8 MHz clock speed
737 --4mhz 4 MHz clock speed
740 pm3 --> smart setclock --8mhz
741 ```
743 Send raw hex data
744 ```
745 Options
746 ---
747 -r do not read response
748 -a active smartcard without select (reset sc module)
749 -s active smartcard with select (get ATR)
750 -t, --tlv executes TLV decoder if it possible
751 -0 use protocol T=0
752 -d, --data <hex> bytes to send
754 pm3 --> smart raw -s -0 -d 00a404000e315041592e5359532e4444463031
755 pm3 --> smart raw -0 -d 00a404000e325041592e5359532e4444463031
756 pm3 --> smart raw -0 -t -d 00a4040007a0000000041010
757 pm3 --> smart raw -0 -t -d 00a4040007a0000000031010
758 ````
760 Bruteforce SPI
761 ```
762 Options
763 ---
764 -t, --tlv executes TLV decoder if it possible
766 pm3 --> smart brute
767 pm3 --> smart brute --tlv
768 ```