Updated: January 2025
Current command:
hf iclass legbrute --help
This command take sniffed trace data and partial raw key and bruteforces the remaining 40 bits of the raw key. usage: hf iclass legbrute [--index <dec>] options: -h, --help This help --epurse <hex> Specify ePurse as 8 hex bytes --macs1 <hex> MACs captured from the reader --macs2 <hex> MACs captured from the reader, different than the first set (with the same csn and epurse value) --pk <hex> Partial Key from legrec or starting key of keyblock from legbrute --index <dec> Where to start from to retrieve the key, default 0 - value in millions e.g. 1 is 1 million examples/notes: hf iclass legbrute --epurse feffffffffffffff --macs1 1306cad9b6c24466 --macs2 f0bf905e35f97923 --pk B4F12AADC5301225