Updated: January 2025
Current command:
hf mf sim --help
Simulate MIFARE Classic family type based upon ISO/IEC 14443 type A tag with 4,7 or 10 byte UID
from emulator memory. See `hf mf eload` first. The UID from emulator memory will be used if not specified.

usage:
    hf mf sim [--allowkeyb]

options:
    -h, --help                     This help
    -u, --uid <hex>                <4|7|10> hex bytes UID
    --mini                         MIFARE Classic Mini / S20
    --1k                           MIFARE Classic 1k / S50
    --2k                           MIFARE Classic/Plus 2k
    --4k                           MIFARE Classic 4k / S70
    --atqa <hex>                   Provide explicit ATQA (2 bytes)
    --sak <hex>                    Provide explicit SAK (1 bytes)
    -n, --num <dec>                Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite
    -i, --interactive              Console will not be returned until simulation finishes or is aborted
    -x                             Performs the 'reader attack', nr/ar attack against a reader.
    -y                             Performs the nested 'reader attack'. This requires preloading nt & nt_enc in emulator memory. Implies -x.
    -e, --emukeys                  Fill simulator keys from found keys. Requires -x or -y. Implies -i. Simulation will restart automatically.
    --allowkeyb                    Allow key B even if readable
    -v, --verbose                  Verbose output
    --cve                          Trigger CVE 2021_0430

examples/notes:
    hf mf sim --mini                    -> MIFARE Mini
    hf mf sim --1k                      -> MIFARE Classic 1k (default)
    hf mf sim --1k -u 0a0a0a0a          -> MIFARE Classic 1k with 4b UID
    hf mf sim --1k -u 11223344556677    -> MIFARE Classic 1k with 7b UID
    hf mf sim --1k -u 11223344 -i -x    -> Perform reader attack in interactive mode
    hf mf sim --2k                      -> MIFARE 2k
    hf mf sim --4k                      -> MIFARE 4k
    hf mf sim --1k -x -e                --> Keep simulation running and populate with found reader keys
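The help text accepts a 4, 7 or 10 byte UID. The following added example (not Proxmark3 code; the function name uid_to_cascade_frames is hypothetical) shows how ISO/IEC 14443-3 type A splits such a UID across anticollision cascade levels, each answered with 4 bytes plus a BCC (XOR) check byte. It goes beyond the help text in that it covers the general cascade layout, and uses the two UIDs from the examples above as input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CASCADE_TAG 0x88 /* ISO/IEC 14443-3 cascade tag (CT) */

/* Fill frames[level] with the 5-byte anticollision answer (4 bytes + BCC)
 * for each cascade level. Returns the number of levels (1, 2 or 3),
 * or -1 if the UID cannot be represented. */
int uid_to_cascade_frames(const uint8_t *uid, size_t uid_len, uint8_t frames[3][5])
{
    int levels;
    switch (uid_len) {
        case 4:  levels = 1; break; /* single size */
        case 7:  levels = 2; break; /* double size */
        case 10: levels = 3; break; /* triple size */
        default: return -1;
    }
    /* A single-size UID starting with CT would look like an incomplete UID */
    if (uid_len == 4 && uid[0] == CASCADE_TAG) return -1;

    size_t pos = 0;
    for (int lvl = 0; lvl < levels; lvl++) {
        uint8_t *f = frames[lvl];
        if (lvl < levels - 1) {          /* more levels follow: CT + 3 UID bytes */
            f[0] = CASCADE_TAG;
            memcpy(&f[1], &uid[pos], 3);
            pos += 3;
        } else {                         /* final level: last 4 UID bytes */
            memcpy(f, &uid[pos], 4);
            pos += 4;
        }
        f[4] = (uint8_t)(f[0] ^ f[1] ^ f[2] ^ f[3]); /* BCC */
    }
    return levels;
}

int main(void)
{
    /* UID taken from the 7-byte example in the help text */
    const uint8_t uid7[] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
    uint8_t frames[3][5];
    int n = uid_to_cascade_frames(uid7, sizeof uid7, frames);
    for (int i = 0; i < n; i++)
        printf("CL%d: %02x %02x %02x %02x bcc=%02x\n", i + 1, frames[i][0],
               frames[i][1], frames[i][2], frames[i][3], frames[i][4]);
    return n < 0;
}
```

A reader that validates the BCC and the cascade tag at each level rejects malformed anticollision answers before any MIFARE authentication starts.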