Updated: January 2025

help
help            Use ` help` for details of a command
prefs           { Edit client/device preferences... }
-------- ----------------------- Technology -----------------------
analyse         { Analyse utils... }
data            { Plot window / data buffer manipulation... }
emv             { EMV ISO-14443 / ISO-7816... }
hf              { High frequency commands... }
hw              { Hardware commands... }
lf              { Low frequency commands... }
mem             { Flash memory manipulation... }
nfc             { NFC commands... }
piv             { PIV commands... }
reveng          { CRC calculations from RevEng software... }
smart           { Smart card ISO-7816 commands... }
script          { Scripting commands... }
trace           { Trace manipulation... }
wiegand         { Wiegand format manipulation... }
-------- ----------------------- General -----------------------
auto            Automated detection process for unknown tags
clear           Clear screen
hints           Turn hints on / off
msleep          Add a pause in milliseconds
rem             Add a text line in log file
quit
exit            Exit program
---------------------------------------------------------------------------------------
prefs
help            This help
get             { Get a preference }
set             { Set a preference }
show            Show all preferences
---------------------------------------------------------------------------------------
analyse
help            This help
lrc             Generate final byte for XOR LRC
crc             Stub method for CRC evaluations
chksum          Checksum with adding, masking and one's complement
dates           Look for datestamps in a given array of bytes
lfsr            LFSR tests
a               num bits test
nuid            Create NUID from 7-byte UID
demodbuff       Load binary string to DemodBuffer
freq            Calc wave lengths
foo             muxer
units           Convert ETU <> US <> SSP_CLK (3.39MHz)
---------------------------------------------------------------------------------------
data
help            This help
----------- ------------------------- General -------------------------
clear           Clears various buffers used by the graph window
hide            Hide the graph window
load            Load contents of file into graph window
num             Converts dec/hex/bin
plot            Show the graph window
print           Print the data in the DemodBuffer
save            Save signal trace data
setdebugmode    Set debugging level on client side
xor             XOR an input string
----------- ------------------------- Modulation -------------------------
biphaserawdecode  Biphase decode bin stream in DemodBuffer
detectclock       Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer
fsktonrz          Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)
manrawdecode      Manchester decode binary stream in DemodBuffer
modulation        Identify LF signal for clock and modulation
rawdemod          Demodulate the data in the GraphBuffer and output binary
----------- ------------------------- Graph -------------------------
askedgedetect     Adjust Graph for manual ASK demod
autocorr          Autocorrelation over window
convertbitstream  Convert GraphBuffer's 0/1 values to 127 / -127
cthreshold        Average out all values between
dirthreshold      Max rising higher up-thres / Min falling lower down-thres
decimate          Decimate samples
envelope          Generate square envelope of samples
grid              Overlay grid on graph window
getbitstream      Convert GraphBuffer's >=1 values to 1 and <1 to 0
hpf               Remove DC offset from trace
iir               Apply IIR Butterworth filter on plot data
ltrim             Trim samples from left of trace
mtrim             Trim out samples from the specified start to the specified stop
norm              Normalize max/min to +/-128
rtrim             Trim samples from right of trace
setgraphmarkers   Set the markers in the graph window
shiftgraphzero    Shift 0 for graphed wave + or - shift value
timescale         Set cursor display timescale
undecimate        Un-decimate samples
zerocrossings     Count time between zero-crossings
----------- ------------------------- Operations -------------------------
asn1              ASN1 decoder
atr               ATR lookup
bitsamples        Get raw samples as bitstring
bmap              Convert hex value according to a binary template
crypto            Encrypt and decrypt data
diff              Diff of input files
hexsamples        Dump big buffer as hex bytes
samples           Get raw samples for graph window ( GraphBuffer )
---------------------------------------------------------------------------------------
emv
----------- ----------------------- General -----------------------
help            This help
list            List ISO7816 history
test            Crypto logic selftest
----------- ---------------------- Operations ---------------------
challenge       Generate challenge
exec            Executes EMV contactless transaction
genac           Generate ApplicationCryptogram
gpo             Execute GetProcessingOptions
intauth         Internal authentication
pse             Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory
reader          Act like an EMV reader
readrec         Read files from card
roca            Extract public keys and run ROCA test
scan            Scan EMV card and save its contents to json file for emulator
search          Try to select all applets from applets list and print installed applets
select          Select applet
----------- ---------------------- Simulation ---------------------
smart2nfc       Complete transaction as a NFC smart card, using the ISO-7816 interface for auth
---------------------------------------------------------------------------------------
hf
-------- ----------------------- High Frequency -----------------------
14a             { ISO14443A RFIDs... }
14b             { ISO14443B RFIDs... }
15              { ISO15693 RFIDs... }
cipurse         { Cipurse transport Cards... }
epa             { German Identification Card... }
emrtd           { Machine Readable Travel Document... }
felica          { ISO18092 / FeliCa RFIDs... }
fido            { FIDO and FIDO2 authenticators... }
fudan           { Fudan RFIDs... }
gallagher       { Gallagher DESFire RFIDs... }
iclass          { ICLASS RFIDs... }
ict             { ICT MFC/DESfire RFIDs... }
jooki           { Jooki RFIDs... }
ksx6924         { KS X 6924 (T-Money, Snapper+) RFIDs }
legic           { LEGIC RFIDs... }
lto             { LTO Cartridge Memory RFIDs... }
mf              { MIFARE RFIDs... }
mfp             { MIFARE Plus RFIDs... }
mfu             { MIFARE Ultralight RFIDs... }
mfdes           { MIFARE Desfire RFIDs... }
ntag424         { NXP NTAG 424 DNA RFIDs... }
seos            { SEOS RFIDs... }
st25ta          { ST25TA RFIDs... }
tesla           { TESLA Cards... }
texkom          { Texkom RFIDs... }
thinfilm        { Thinfilm RFIDs... }
topaz           { TOPAZ (NFC Type 1) RFIDs... }
vas             { Apple Value Added Service }
waveshare       { Waveshare NFC ePaper... }
xerox           { Fuji/Xerox cartridge RFIDs... }
----------- --------------------- General ---------------------
help            This help
list            List protocol data in trace buffer
plot            Plot signal
tune            Continuously measure HF antenna tuning
search          Search for known HF tags
sniff           Generic HF Sniff
---------------------------------------------------------------------------------------
hw
help            This help
------------- ----------------------- Operation -----------------------
detectreader    Detect external reader field
status          Show runtime status information about the connected Proxmark3
tearoff         Program a tearoff hook for the next command supporting tearoff
timeout         Set the communication timeout on the client side
version         Show version information about the client and Proxmark3
------------- ----------------------- Hardware -----------------------
break           Send break loop usb command
bootloader      Reboot into bootloader mode
connect         Connect to the device via serial port
dbg             Set device side debug level
fpgaoff         Turn off FPGA on device
ping            Test if the Proxmark3 is responsive
readmem         Read from MCU flash
reset           Reset the device
setlfdivisor    Drive LF antenna at 12MHz / (divisor + 1)
sethfthresh     Set thresholds in HF/14a mode
setmux          Set the ADC mux to a specific value
standalone      Start installed standalone mode on device
tia             Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider
tune            Measure tuning of device antenna
---------------------------------------------------------------------------------------
lf
help            This help
----------- -------------- Low Frequency --------------
awid            { AWID RFIDs... }
cotag           { COTAG CHIPs... }
destron         { FDX-A Destron RFIDs... }
em              { EM CHIPs & RFIDs... }
fdxb            { FDX-B RFIDs... }
gallagher       { GALLAGHER RFIDs... }
gproxii         { Guardall Prox II RFIDs... }
hid             { HID Prox RFIDs... }
hitag           { Hitag CHIPs... }
idteck          { Idteck RFIDs... }
indala          { Indala RFIDs... }
io              { ioProx RFIDs... }
jablotron       { Jablotron RFIDs... }
keri            { KERI RFIDs... }
motorola        { Motorola Flexpass RFIDs... }
nedap           { Nedap RFIDs... }
nexwatch        { NexWatch RFIDs... }
noralsy         { Noralsy RFIDs... }
pac             { PAC/Stanley RFIDs... }
paradox         { Paradox RFIDs... }
pcf7931         { PCF7931 CHIPs... }
presco          { Presco RFIDs... }
pyramid         { Farpointe/Pyramid RFIDs... }
securakey       { Securakey RFIDs... }
ti              { TI CHIPs... }
t55xx           { T55xx CHIPs... }
viking          { Viking RFIDs... }
visa2000        { Visa2000 RFIDs... }
----------- --------------------- General ---------------------
config          Get/Set config for LF sampling, bit/sample, decimation, frequency
cmdread         Modulate LF reader field to send command before read
read            Read LF tag
search          Read and Search for valid known tag
sim             Simulate LF tag from buffer
simask          Simulate ASK tag
simfsk          Simulate FSK tag
simpsk          Simulate PSK tag
simbidir        Simulate LF tag (with bidirectional data transmission between reader and tag)
sniff           Sniff LF traffic between reader and tag
tune            Continuously measure LF antenna tuning
---------------------------------------------------------------------------------------
mem
spiffs          { SPI File system }
help            This help
baudrate        Set Flash memory SPI baudrate
dump            Dump data from flash memory
info            Flash memory information
load            Load data to flash memory
wipe            Wipe data from flash memory
---------------------------------------------------------------------------------------
nfc
-------- --------------------- NFC Tags --------------------
type1           { NFC Forum Tag Type 1... }
type2           { NFC Forum Tag Type 2... }
type4a          { NFC Forum Tag Type 4 ISO14443A... }
type4b          { NFC Forum Tag Type 4 ISO14443B... }
mf              { NFC Type MIFARE Classic/Plus Tag... }
barcode         { NFC Barcode Tag... }
-------- --------------------- General ---------------------
help            This help
decode          Decode NDEF records
---------------------------------------------------------------------------------------
piv
help            This help
select          Select the PIV applet
getdata         Gets a container on a PIV card
authsign        Authenticate with the card
scan            Scan PIV card for known containers
list            List ISO7816 history
---------------------------------------------------------------------------------------
reveng
[=] Usage:
[=]     reveng
[=]     -cdDesvhu? [-bBfFGlLMrStVXyz]
[=]     [-a BITS] [-A OBITS] [-i INIT] [-k KPOLY] [-m MODEL] [-p POLY]
[=]     [-p POLY] [-P RPOLY] [-q QPOLY] [-w WIDTH] [-x XOROUT] [STRING...]
[=] Options:
[=]     -a BITS     bits per character (1 to 64)
[=]     -A OBITS    bits per output character (1 to 64)
[=]     -i INIT     initial register value
[=]     -k KPOLY    generator in Koopman notation (implies WIDTH)
[=]     -m MODEL    preset CRC algorithm
[=]     -p POLY     generator or search range start polynomial
[=]     -P RPOLY    reversed generator polynomial (implies WIDTH)
[=]     -q QPOLY    search range end polynomial
[=]     -w WIDTH    register size, in bits
[=]     -x XOROUT   final register XOR value
[=] Modifier switches:
[=]     -b big-endian CRC               -B big-endian CRC output
[=]     -f read files named in STRINGs  -F skip preset model check pass
[=]     -G skip brute force search pass -l little-endian CRC
[=]     -L little-endian CRC output     -M non-augmenting algorithm
[=]     -r right-justified output       -S print spaces between characters
[=]     -t left-justified output        -V reverse algorithm only
[=]     -X print uppercase hexadecimal  -y low bytes first in files
[=]     -z raw binary STRINGs
[=] Mode switches:
[=]     -c calculate CRCs               -d dump algorithm parameters
[=]     -D list preset algorithms       -e echo (and reformat) input
[=]     -s search for algorithm         -v calculate reversed CRCs
[=]     -g search for alg given hex+crc
[=]     -h | -u | -? show this help
[=] Common Use Examples:
[=]     reveng -g 01020304e3
[=]         Searches for a known/common crc preset that computes the crc
[=]         on the end of the given hex string
[=]     reveng -w 8 -s 01020304e3 010204039d
[=]         Searches for any possible 8 bit width crc calc that computes
[=]         the crc on the end of the given hex string(s)
[=]     reveng -m CRC-8 -c 01020304
[=]         Calculates the crc-8 of the given hex string
[=]     reveng -D
[=]         Outputs a list of all known/common crc models with their
[=]         preset values
[=] Copyright (C)
[=] 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 Gregory Cook
[=] This is free software; see the source for copying conditions. There is NO
[=] warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
[=] Version 1.6.2
---------------------------------------------------------------------------------------
smart
---------- ------------------- General -------------------
help            This help
list            List ISO 7816 history
---------- ------------------- Operations -------------------
brute           Brute-force SFI
info            Tag information
pcsc            Turn pm3 into pcsc reader and relay to host OS via vpcd
reader          Act like an ISO 7816 reader
raw             Send raw hex data to tag
upgrade         Upgrade sim module firmware
setclock        Set clock speed
---------------------------------------------------------------------------------------
script
help            This help
list            List available scripts
run             Execute a script
---------------------------------------------------------------------------------------
trace
help            This help
extract         Extract authentication challenges found in trace
list            List protocol data in trace buffer
load            Load trace from file
save            Save trace buffer to file
---------------------------------------------------------------------------------------
wiegand
help            This help
list            List available wiegand formats
encode          Encode to wiegand raw hex (currently for HID Prox)
decode          Convert raw hex to decoded wiegand format (currently for HID Prox)
---------------------------------------------------------------------------------------
auto
Run LF SEARCH / HF SEARCH / DATA PLOT / DATA SAVE

usage: auto [-hc]

options:
    -h, --help      This help
    -c              Continue searching even after a first hit

examples/notes:
    auto
---------------------------------------------------------------------------------------
clear
Clear the Proxmark3 client terminal screen

usage: clear [-hb]

options:
    -h, --help      This help
    -b, --back      also clear the scrollback buffer

examples/notes:
    clear           -> clear the terminal screen
    clear -b        -> clear the terminal screen and the scrollback buffer
---------------------------------------------------------------------------------------
hints
Turn on/off hints

usage: hints [-h10]

options:
    -h, --help      This help
    -1, --on        turn on hints
    -0, --off       turn off hints

examples/notes:
    hints --on
    hints -1
---------------------------------------------------------------------------------------
msleep
Sleep for given amount of milliseconds

usage: msleep [-h] [-t ]

options:
    -h, --help      This help
    -t, --ms        time in milliseconds

examples/notes:
    msleep -t 100
---------------------------------------------------------------------------------------
rem
Add a text line in log file

usage: rem [-h] []...

options:
    -h, --help      This help
                    message line you want inserted

examples/notes:
    rem my message  -> adds a timestamp with `my message`
---------------------------------------------------------------------------------------
quit
Quit the Proxmark3 client terminal

usage: quit [-h]

options:
    -h, --help      This help

examples/notes:
    quit
---------------------------------------------------------------------------------------
exit
Quit the Proxmark3 client terminal

usage: quit [-h]

options:
    -h, --help      This help

examples/notes:
    quit
---------------------------------------------------------------------------------------
prefs get
barmode         Get bar mode preference
client.debug    Get client debug level preference
client.delay    Get client execution delay preference
client.timeout  Get client execution delay preference
color           Get color support preference
savepaths       Get file folder
emoji           Get emoji display preference
hints           Get hint display preference
output          Get dump output style preference
plotsliders     Get plot slider display preference
---------------------------------------------------------------------------------------
prefs set
help            This help
barmode         Set bar mode
client.debug    Set client debug level
client.delay    Set client execution delay
client.timeout  Set client communication timeout
color           Set color support
emoji           Set emoji display
hints           Set hint display
savepaths       ... to be adjusted next ...
output          Set dump output style
plotsliders     Set plot slider display
---------------------------------------------------------------------------------------
prefs show
Show all persistent preferences

usage: prefs show [-hj]

options:
    -h, --help      This help
    -j, --json      Dump prefs as JSON

examples/notes:
    prefs show
---------------------------------------------------------------------------------------
analyse lrc
Specifying the bytes of a UID with a known LRC will find the last byte value needed to generate that LRC with a rolling XOR.
All bytes should be specified in HEX.

usage: analyse lrc [-h] -d

options:
    -h, --help      This help
    -d, --data      bytes to calc missing XOR in a LRC

examples/notes:
    analyse lrc -d 04008064BA  -> Target (BA) requires final LRC XOR byte value: 5A
---------------------------------------------------------------------------------------
analyse crc
A stub method to test different CRC implementations inside the PM3 source code.
Just because you figured out the poly doesn't mean you get the desired output.

usage: analyse crc [-h] -d

options:
    -h, --help      This help
    -d, --data      bytes to calc crc

examples/notes:
    analyse crc -d 137AF00A0A0D
---------------------------------------------------------------------------------------
analyse chksum
The bytes are added together and then limited with the applied mask.
Finally the ones' complement of the least significant bytes is computed.

usage: analyse chksum [-hv] -d [-m ]

options:
    -h, --help      This help
    -d, --data      bytes to calc checksum
    -m, --mask      bit mask to limit the output (4 hex bytes max)
    -v, --verbose   verbose output

examples/notes:
    analyse chksum -d 137AF00A0A0D        -> expected output: 0x61
    analyse chksum -d 137AF00A0A0D -m FF
---------------------------------------------------------------------------------------
analyse dates
Tool to look for date/time stamps in a given array of bytes

usage: analyse dates [-h]

options:
    -h, --help      This help

examples/notes:
    analyse dates
---------------------------------------------------------------------------------------
analyse lfsr
Looks at LEGIC Prime's LFSR, iterates the first 48 values

usage: analyse lfsr [-h] --iv [--find ]

options:
    -h, --help      This help
    --iv            init vector data (1 hex byte)
    --find          lfsr data to find (1 hex byte)

examples/notes:
    analyse lfsr --iv 55
---------------------------------------------------------------------------------------
analyse a
Iceman's personal garbage test command

usage: analyse a [-h] -d

options:
    -h, --help      This help
    -d, --data      bytes to manipulate

examples/notes:
    analyse a -d 137AF00A0A0D
---------------------------------------------------------------------------------------
analyse nuid
Generate 4-byte NUID from 7-byte UID

usage: analyse nuid [-ht] [-d ]

options:
    -h, --help      This help
    -d, --data      bytes to send
    -t, --test      self test

examples/notes:
    analyse nuid -d 11223344556677
---------------------------------------------------------------------------------------
analyse demodbuff
Loads a binary string into DemodBuffer

usage: analyse demodbuff [-h] -d

options:
    -h, --help      This help
    -d, --data      binary string to load

examples/notes:
    analyse demodbuff -d 0011101001001011
---------------------------------------------------------------------------------------
analyse freq
Calc wave lengths

usage: analyse freq [-h] [-F ] [-L ] [-C ]

options:
    -h, --help      This help
    -F, --freq      resonating frequency F in hertz (Hz)
    -L, --cap       capacitance C in micro farads (F)
    -C, --ind       inductance in micro henries (H)

examples/notes:
    analyse freq
---------------------------------------------------------------------------------------
analyse foo
Experiments of cliparse

usage: analyse foo [-h] -r

options:
    -h, --help      This help
    -r, --raw       raw bytes

examples/notes:
    analyse foo -r a0000000a0002021
---------------------------------------------------------------------------------------
analyse units
Experiments of unit conversions found in HF. ETU (1/13.56 MHz), US or SSP_CLK (1/3.39 MHz)

usage: analyse units [-ht] [--etu ] [--us ]

options:
    -h, --help      This help
    --etu           number in ETU
    --us            number in microseconds (us)
    -t, --selftest  self tests

examples/notes:
    analyse units --etu 10
    analyse units --us 100
---------------------------------------------------------------------------------------
data clear
This function clears the BigBuf on device side and graph window ( graphbuffer )

usage: data clear [-h]

options:
    -h, --help      This help

examples/notes:
    data clear
---------------------------------------------------------------------------------------
data hide
Hide graph window

usage: data hide [-h]

options:
    -h, --help      This help

examples/notes:
    data hide
---------------------------------------------------------------------------------------
data load
This command loads the contents of a pm3 file into graph window

usage: data load [-hbn] -f

options:
    -h, --help      This help
    -f, --file      file to load
    -b, --bin       binary file
    -n, --no-fix    Load data from file without any transformations

examples/notes:
    data load -f myfilename
---------------------------------------------------------------------------------------
data num
Function takes a decimal or hexadecimal number and prints it in decimal/hex/binary.
Will print a message if the number is a prime number.

usage: data num [-hir] [--dec ] [--hex ] [--bin ]

options:
    -h, --help      This help
    --dec           decimal value
    --hex           hexadecimal value
    --bin           binary value
    -i              print inverted value
    -r              print reversed value

examples/notes:
    data num --dec 2023
    data num --hex 2A
---------------------------------------------------------------------------------------
data plot
Show graph window
hit 'h' in window for detail keystroke help available

usage: data plot [-h]

options:
    -h, --help      This help

examples/notes:
    data plot
---------------------------------------------------------------------------------------
data print
Print the data in the DemodBuffer as hex or binary.
Defaults to binary output.

usage: data print [-hisx] [-o ]

options:
    -h, --help      This help
    -i, --inv       invert DemodBuffer before printing
    -o, --offset    offset in # of bits
    -s, --strip     strip leading zeroes, i.e. set offset to first bit equal to one
    -x, --hex       output in hex (omit for binary output)

examples/notes:
    data print
---------------------------------------------------------------------------------------
data save
Save signal trace from graph window, i.e. the GraphBuffer.
This is a text file with numbers -127 to 127.
With the option `w` you can save it as a wave file.
Filename should be without file extension.

usage: data save [-hw] -f

options:
    -h, --help      This help
    -w, --wave      save as wave format (.wav)
    -f, --file      save file name

examples/notes:
    data save -f myfilename         -> save graph buffer to file
    data save --wave -f myfilename  -> save graph buffer to wave file
---------------------------------------------------------------------------------------
data setdebugmode
Set debugging level on client side

usage: data setdebugmode [-h012]

options:
    -h, --help      This help
    -0              no debug messages
    -1              debug
    -2              verbose debugging

examples/notes:
    data setdebugmode
---------------------------------------------------------------------------------------
data xor
Takes an input string and an xor string and performs XOR on them.
If no xor string is given, the most recurring value is tried as the value to XOR against.

usage: data xor [-h] -d [-x ]

options:
    -h, --help      This help
    -d, --data      input hex string
    -x, --xor       input xor string

examples/notes:
    data xor -d 99aabbcc8888888888
    data xor -d 99aabbcc --xor 88888888
---------------------------------------------------------------------------------------
data biphaserawdecode
Biphase decode binary stream in DemodBuffer
Converts 10 or 01 -> 1 and 11 or 00 -> 0
 - must have binary sequence in DemodBuffer (run `data rawdemod --ar` before)
 - invert for Conditional Dephase Encoding (CDP) AKA Differential Manchester

usage: data biphaserawdecode [-hoi] [--err ]

options:
    -h, --help      This help
    -o, --offset    set to adjust decode start position
    -i, --inv       invert output
    --err           set max errors tolerated (def 20)

examples/notes:
    data biphaserawdecode      -> decode biphase bitstream from the DemodBuffer
    data biphaserawdecode -oi  -> decode biphase bitstream from the DemodBuffer, adjust offset, and invert output
---------------------------------------------------------------------------------------
data detectclock
Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer

usage: data detectclock [-h] [--ask] [--fsk] [--nzr] [--psk]

options:
    -h, --help      This help
    --ask           specify ASK modulation clock detection
    --fsk           specify FSK modulation clock detection
    --nzr           specify NZR/DIRECT modulation clock detection
    --psk           specify PSK modulation clock detection

examples/notes:
    data detectclock --ask
    data detectclock --nzr  -> detect clock of an nrz/direct wave in GraphBuffer
---------------------------------------------------------------------------------------
data fsktonrz
Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)
Omitted values are autodetected instead

usage: data fsktonrz [-h] [-c ] [--low ] [--hi ]

options:
    -h, --help      This help
    -c, --clk       clock
    --low           low field clock
    --hi            high field clock

examples/notes:
    data fsktonrz
    data fsktonrz -c 32 --low 8 --hi 10
---------------------------------------------------------------------------------------
data manrawdecode
Manchester decode binary stream in DemodBuffer
Converts 10 and 01 to 0 and 1 respectively
 - must have binary sequence in DemodBuffer (run `data rawdemod --ar` before)

usage: data manrawdecode [-hi] [--err ]

options:
    -h, --help      This help
    -i, --inv       invert output
    --err           set max errors tolerated (def 20)

examples/notes:
    data manrawdecode
---------------------------------------------------------------------------------------
data modulation
Search LF signal for clock and modulation

usage: data modulation [-h]

options:
    -h, --help      This help

examples/notes:
    data modulation
---------------------------------------------------------------------------------------
data rawdemod
Demodulate the data in the GraphBuffer and output binary

usage: data rawdemod [-h] [--ab] [--am] [--ar] [--fs] [--nr] [--p1] [--p2] []...

options:
    -h, --help      This help
    --ab            ASK/Biphase demodulation
    --am            ASK/Manchester demodulation
    --ar            ASK/Raw demodulation
    --fs            FSK demodulation
    --nr            NRZ/Direct demodulation
    --p1            PSK 1 demodulation
    --p2            PSK 2 demodulation
                    params for sub command

examples/notes:
    data rawdemod --fs  -> demod FSK - autodetect
    data rawdemod --ab  -> demod ASK/BIPHASE - autodetect
    data rawdemod --am  -> demod ASK/MANCHESTER - autodetect
    data rawdemod --ar  -> demod ASK/RAW - autodetect
    data rawdemod --nr  -> demod NRZ/DIRECT - autodetect
    data rawdemod --p1  -> demod PSK1 - autodetect
    data rawdemod --p2  -> demod PSK2 - autodetect
---------------------------------------------------------------------------------------
data askedgedetect
Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave

usage: data askedgedetect [-h] [-t ]

options:
    -h, --help      This help
    -t, --thres     threshold, use 20 - 45 (def 25)

examples/notes:
    data askedgedetect -t 20
---------------------------------------------------------------------------------------
data autocorr
Autocorrelation over a window is used to detect repeating sequences.
It is used to determine how long, in bits, a message inside the signal is.

usage: data autocorr [-hg] [-w ]

options:
    -h, --help      This help
    -g              save back to GraphBuffer (overwrite)
    -w, --win       window length for correlation. def 4000

examples/notes:
    data autocorr -w 4000
    data autocorr -w 4000 -g
---------------------------------------------------------------------------------------
data convertbitstream
Convert GraphBuffer's 0|1 values to 127|-127

usage: data convertbitstream [-h]

options:
    -h, --help      This help

examples/notes:
    data convertbitstream
---------------------------------------------------------------------------------------
data cthreshold
Inverse of the dirthreshold command: all values between up and down will be averaged out

usage: data cthreshold [-h] -d -u

options:
    -h, --help      This help
    -d, --down      threshold down
    -u, --up        threshold up

examples/notes:
    data cthreshold -u 10 -d -10
---------------------------------------------------------------------------------------
data dirthreshold
Max rising higher up-thres / Min falling lower down-thres, keep rest as prev.

usage: data dirthreshold [-h] -d -u

options:
    -h, --help      This help
    -d, --down      threshold down
    -u, --up        threshold up

examples/notes:
    data dirthreshold -u 10 -d -10
---------------------------------------------------------------------------------------
data decimate
Performs decimation by reducing samples N times in the graph buffer. Good for PSK.

usage: data decimate [-h] [-n ]

options:
    -h, --help      This help
    -n              factor to reduce sample set (default 2)

examples/notes:
    data decimate
    data decimate -n 4
---------------------------------------------------------------------------------------
data envelope
Create a square envelope of the samples

usage: data envelope [-h]

options:
    -h, --help      This help

examples/notes:
    data envelope
---------------------------------------------------------------------------------------
data grid
This function overlays a grid on the graph plot window.
Use zero value to turn off either.

usage: data grid [-h] [-x ] [-y ]

options:
    -h, --help      This help
    -x              plot grid X coord
    -y              plot grid Y coord

examples/notes:
    data grid              -> turn off
    data grid -x 64 -y 50
---------------------------------------------------------------------------------------
data getbitstream
Convert GraphBuffer's values accordingly
 - larger or equal to ONE becomes ONE
 - less than ONE becomes ZERO

usage: data getbitstream [-h]

options:
    -h, --help      This help

examples/notes:
    data getbitstream
---------------------------------------------------------------------------------------
data hpf
Remove DC offset from trace. It should centralize around 0.

usage: data hpf [-h]

options:
    -h, --help      This help

examples/notes:
    data hpf
---------------------------------------------------------------------------------------
data iir
Apply IIR Butterworth filter on plot data

usage: data iir [-h] -n

options:
    -h, --help      This help
    -n              factor n

examples/notes:
    data iir -n 2
---------------------------------------------------------------------------------------
data ltrim
Trim samples from left of trace

usage: data ltrim [-h] -i

options:
    -h, --help      This help
    -i, --idx       index in graph buffer

examples/notes:
    data ltrim -i 300  -> remove from start 0 to index 300
---------------------------------------------------------------------------------------
data mtrim
Trim out samples from start 0 to `-s index` AND from `-e index` to end of graph buffer

usage: data mtrim [-h] -s -e

options:
    -h, --help      This help
    -s, --start     start point
    -e, --end       end point

examples/notes:
    data mtrim -s 1000 -e 2000  -> keep all between index 1000 and 2000
---------------------------------------------------------------------------------------
data norm
Normalize max/min to +/-128

usage: data norm [-h]

options:
    -h, --help      This help

examples/notes:
    data norm
---------------------------------------------------------------------------------------
data rtrim
Trim samples from right of trace

usage: data rtrim [-h] -i

options:
    -h, --help      This help
    -i, --idx       index in graph buffer

examples/notes:
    data rtrim -i 4000  -> remove from index 4000 to end of graph buffer
---------------------------------------------------------------------------------------
data setgraphmarkers
Set the locations of the markers in the graph window

usage: data setgraphmarkers [-h] [--keep] [-a ] [-b ] [-c ] [-d ]

options:
    -h, --help      This help
    --keep          keep the current values of the markers
    -a              yellow marker
    -b              purple marker
    -c              orange marker
    -d              blue marker

examples/notes:
    data setgraphmarkers             -> reset the markers
    data setgraphmarkers -a 64       -> set A, reset the rest
    data setgraphmarkers -d --keep   -> set D, keep the rest
---------------------------------------------------------------------------------------
data shiftgraphzero
Shift 0 for graphed wave + or - shift value

usage: data shiftgraphzero [-h] -n

options:
    -h, --help      This help
    -n              shift + or -

examples/notes:
    data shiftgraphzero -n 10   -> shift 10 points
    data shiftgraphzero -n -22  -> shift negative 22 points
---------------------------------------------------------------------------------------
data timescale
Set cursor display timescale.
Setting the timescale makes the differential `dt` reading between the yellow and purple markers meaningful.
Once the timescale is set, the differential reading between brackets becomes a time duration.

usage: data timescale [-h] --sr [-u ]

options:
    -h, --help      This help
    --sr            sets timescale factor according to sampling rate
    -u, --unit      time unit to display (max 10 chars)

examples/notes:
    data timescale --sr 125 -u ms    -> for LF sampled at 125 kHz. Reading will be in milliseconds
    data timescale --sr 1.695 -u us  -> for HF sampled at 16 * fc/128. Reading will be in microseconds
    data timescale --sr 16 -u ETU    -> for HF with 16 samples per ETU (fc/128).
Reading will be in ETUs --------------------------------------------------------------------------------------- data undecimate Performs un-decimation, by repeating each sample N times in the graphbuf usage: data undecimate [-h] [-n ] options: -h, --help This help -n factor to repeat each sample (default 2) examples/notes: data undecimate data undecimate -n 4 --------------------------------------------------------------------------------------- data zerocrossings Count time between zero-crossings usage: data zerocrossings [-h] options: -h, --help This help examples/notes: data zerocrossings --------------------------------------------------------------------------------------- data asn1 Decode ASN1 bytearray usage: data asn1 [-h] [-d ] [--test] options: -h, --help This help -d ASN1 encoded byte array --test perform self tests examples/notes: data asn1 -d 303381050186922305a5020500a6088101010403030008a7188516eeee4facacf4fbde5e5c49d95e55bfbca74267b02407a9020500 --------------------------------------------------------------------------------------- data atr look up ATR record from bytearray usage: data atr [-h] [-d ] options: -h, --help This help -d ASN1 encoded byte array examples/notes: data atr -d 3B6B00000031C064BE1B0100079000 --------------------------------------------------------------------------------------- data bitsamples Get raw samples from device as bitstring usage: data bitsamples [-h] options: -h, --help This help examples/notes: data bitsamples --------------------------------------------------------------------------------------- data bmap Breaks down a hex value to binary according a template data bmap -d 16 -m 4,4 This will give two rows each with four bits usage: data bmap [-h] [-d ] [-m ] options: -h, --help This help -d hex string -m binary template examples/notes: data bmap -d 3B data bmap -d 3B -m 2,5,1 --------------------------------------------------------------------------------------- data crypto Encrypt data, right here, right now. 
Or decrypt. usage: data crypto [-hr] -d -k [--des] [--mac] [--iv ] options: -h, --help This help -d, --data Data to process -k, --key Key to use -r, --rev Decrypt, not encrypt --des Cipher with DES, not AES --mac Calculate AES CMAC/FeliCa Lite MAC --iv IV value if needed examples/notes: Supply data, key, IV (needed for des MAC or aes), and cryptography action. To calculate a MAC for FMCOS, supply challenge as IV, data as data, and session/line protection key as key. To calculate a MAC for FeliCa, supply first RC as IV, BLE+data as data and session key as key. data crypto -d 04D6850E06AABB80 -k FFFFFFFFFFFFFFFF --iv 9EA0401A00000000 --des -> Calculate a MAC for FMCOS chip. The result should be ED3A0133 --------------------------------------------------------------------------------------- data diff Diff takes a multitude of input data and makes a binary compare. It accepts filenames (filesystem or RDV4 flashmem SPIFFS), emulator memory, magic gen1 usage: data diff [-h] [-a ] [-b ] [--eb] [--fa ] [--fb ] [-w <4|8|16>] options: -h, --help This help -a input file name A -b input file name B --eb emulator memory --fa input spiffs file A --fb input spiffs file B -w <4|8|16> Width of data output examples/notes: data diff -w 4 -a hf-mfu-01020304.bin -b hf-mfu-04030201.bin data diff -a fileA -b fileB data diff -a fileA --eb data diff --fa fileA -b fileB data diff --fa fileA --fb fileB --------------------------------------------------------------------------------------- data hexsamples Dump big buffer as hex bytes usage: data hexsamples [-h] [-b ] [-n ] [-o ] options: -h, --help This help -b, --breaks row break, def 16 -n num of bytes to download -o, --offset offset in big buffer examples/notes: data hexsamples -n 128 -> dumps 128 bytes from offset 0 --------------------------------------------------------------------------------------- data samples Get raw samples for graph window (GraphBuffer) from device. If 0, then get whole big buffer from device. 
usage: data samples [-hv] [-n ] options: -h, --help This help -n num of samples (512 - 40000) -v, --verbose verbose output examples/notes: data samples data samples -n 10000 --------------------------------------------------------------------------------------- emv ----------- ----------------------- General ----------------------- help This help list List ISO7816 history test Crypto logic selftest ----------- ---------------------- Operations --------------------- challenge Generate challenge exec Executes EMV contactless transaction genac Generate ApplicationCryptogram gpo Execute GetProcessingOptions intauth Internal authentication pse Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory reader Act like an EMV reader readrec Read files from card roca Extract public keys and run ROCA test scan Scan EMV card and save it contents to json file for emulator search Try to select all applets from applets list and print installed applets select Select applet ----------- ---------------------- simulation --------------------- smart2nfc Complete transaction as a nfc smart card, using the ISO-7816 interface for auth --------------------------------------------------------------------------------------- emv list Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. 
Note that some might not be relevant for this specific protocol usage: emv list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: emv list --frame -> show frame delay times emv list -1 -> use trace buffer --------------------------------------------------------------------------------------- emv test Executes tests usage: emv test [-hil] options: -h, --help This help -i, --ignore Ignore timing tests for VM -l, --long Run long tests too examples/notes: emv test -i emv test --long --------------------------------------------------------------------------------------- emv challenge Executes Generate Challenge command. It returns 4 or 8-byte random number from card. Needs a EMV applet to be selected and GPO to be executed. usage: emv challenge [-hkaw] options: -h, --help This help -k, --keep Keep field ON for next command -a, --apdu Show APDU requests and responses -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) examples/notes: emv challenge -> get challenge emv challenge -k -> get challenge, keep filled ON --------------------------------------------------------------------------------------- emv exec Executes EMV contactless transaction usage: emv exec [-hsatjcxgw] [--force] By default: [--qvsdc] options: -h, --help This help -s, --select Activate field and select card -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results -j, --jload Load transaction parameters from `emv_defparams.json` file --force Force search AID. 
Search AID instead of execute PPSE By default: Transaction type - MSD --qvsdc Transaction type - qVSDC or M/Chip -c, --qvsdccda Transaction type - qVSDC or M/Chip plus CDA (SDAD generation) -x, --vsdc Transaction type - VSDC. For test only. Not a standard behavior -g, --acgpo VISA. generate AC from GPO -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) examples/notes: emv exec -sat -> select card, execute MSD transaction, show APDU and TLV emv exec -satc -> select card, execute CDA transaction, show APDU and TLV --------------------------------------------------------------------------------------- emv genac Generate Application Cryptogram command. It returns data in TLV format. Needs a EMV applet to be selected and GPO to be executed. usage: emv genac [-hkcpmatw] [-d ] []... options: -h, --help This help -k, --keep Keep field ON for next command -c, --cda Executes CDA transaction. Needs to get SDAD in results. -d, --decision Terminal decision. aac - declined, tc - approved, arqc - online authorisation requested -p, --params Load parameters from `emv_defparams.json` file for CDOLdata making from CDOL and parameters -m, --make Make CDOLdata from CDOL (tag 8C and 8D) and parameters (def: use default parameters) -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results of selected applets -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) CDOLdata/CDOL examples/notes: emv genac -k 0102 -> generate AC with 2-byte CDOLdata and keep field ON after command emv genac -t 01020304 -> generate AC with 4-byte CDOL data, show result in TLV emv genac -Daac 01020304 -> generate AC with 4-byte CDOL data and terminal decision 'declined' emv genac -pmt 9F 37 04 -> load params from file, make CDOL data from CDOL, generate AC with CDOL, show result in TLV --------------------------------------------------------------------------------------- emv gpo Executes Get Processing Options command. 
It returns data in TLV format (0x77 - format2) or plain format (0x80 - format1). Needs a EMV applet to be selected. usage: emv gpo [-hkpmatw] []... options: -h, --help This help -k, --keep Keep field ON for next command -p, --params Load parameters from `emv_defparams.json` file for PDOLdata making from PDOL and parameters -m, --make Make PDOLdata from PDOL (tag 9F38) and parameters (def: uses default parameters) -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results of selected applets -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) PDOLdata/PDOL examples/notes: emv gpo -k -> execute GPO emv gpo -t 01020304 -> execute GPO with 4-byte PDOL data, show result in TLV emv gpo -pmt 9F 37 04 -> load params from file, make PDOL data from PDOL, execute GPO with PDOL, show result in TLV --------------------------------------------------------------------------------------- emv intauth Generate Internal Authenticate command. Usually needs 4-byte random number. It returns data in TLV format . Needs a EMV applet to be selected and GPO to be executed. usage: emv intauth [-hkpmatw] []... options: -h, --help This help -k, --keep Keep field ON for next command -p, --params Load parameters from `emv_defparams.json` file for DDOLdata making from DDOL and parameters -m, --make Make DDOLdata from DDOL (tag 9F49) and parameters (def: use default parameters) -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results of selected applets -w, --wired Send data via contact (iso7816) interface. 
(def: Contactless interface) DDOLdata/DDOL examples/notes: emv intauth -k 01020304 -> execute Internal Authenticate with 4-byte DDOLdata and keep field ON after command emv intauth -t 01020304 -> execute Internal Authenticate with 4-byte DDOL data, show result in TLV emv intauth -pmt 9F 37 04 -> load params from file, make DDOL data from DDOL, Internal Authenticate with DDOL, show result in TLV --------------------------------------------------------------------------------------- emv pse Executes PSE/PPSE select command. It returns list of applet on the card: usage: emv pse [-hsk12atw] options: -h, --help This help -s, --select Activate field and select card -k, --keep Keep field ON for next command -1, --pse PSE (1PAY.SYS.DDF01) mode -2, --ppse PPSE (2PAY.SYS.DDF01) mode (def) -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results of selected applets -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) examples/notes: emv pse -s1 -> select, get pse emv pse -st2 -> select, get ppse, show result in TLV --------------------------------------------------------------------------------------- emv reader Act as a EMV reader to identify tag. Look for EMV tags until Enter or the pm3 button is pressed In `verbose` mode it will also try to extract and decode the transaction logs stored on card in either channel. usage: emv reader [-hwv@] options: -h, --help This help -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) -v, --verbose Verbose output -@ continuous reader mode examples/notes: emv reader emv reader -v emv reader -@ -> Continuous mode --------------------------------------------------------------------------------------- emv readrec Executes Read Record command. It returns data in TLV format. Needs a bank applet to be selected and sometimes needs GPO to be executed. usage: emv readrec [-hkatw] []... 
options: -h, --help This help -k, --keep Keep field ON for next command -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results of selected applets -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) read file SFI=01, SFIrec=01 emv readrec -kt 0201 -> read file 0201 and show result in TLV --------------------------------------------------------------------------------------- emv roca Tries to extract public keys and run the ROCA test against them. usage: emv roca [-htaw] options: -h, --help This help -t, --selftest Self test -a, --apdu Show APDU requests and responses -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) examples/notes: emv roca -w -> select --CONTACT-- card and run test emv roca -> select --CONTACTLESS-- card and run test --------------------------------------------------------------------------------------- emv scan Scan EMV card and save it contents to a file. It executes EMV contactless transaction and saves result to a file which can be used for emulation usage: emv scan [-hatejcxgmw] By default: [--qvsdc] options: -h, --help This help -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results -e, --extract Extract TLV elements and fill Application Data -j, --jload Load transaction parameters from `emv_defparams.json` file By default: Transaction type - MSD --qvsdc Transaction type - qVSDC or M/Chip -c, --qvsdccda Transaction type - qVSDC or M/Chip plus CDA (SDAD generation) -x, --vsdc Transaction type - VSDC. For test only. Not a standard behavior -g, --acgpo VISA. generate AC from GPO -m, --merge Merge output file with card's data. (warning: the file may be corrupted!) -w, --wired Send data via contact (iso7816) interface. 
(def: Contactless interface) JSON output file name examples/notes: emv scan -at -> scan MSD transaction mode and show APDU and TLV emv scan -c -> scan CDA transaction mode --------------------------------------------------------------------------------------- emv search Tries to select all applets from applet list usage: emv search [-hskatw] options: -h, --help This help -s, --select Activate field and select card -k, --keep Keep field ON for next command -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results of selected applets -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) examples/notes: emv search -s -> select card and search emv search -st -> select card, search and show result in TLV --------------------------------------------------------------------------------------- emv select Executes select applet command usage: emv select [-hskatw] options: -h, --help This help -s, --select Activate field and select card -k, --keep Keep field for next command -a, --apdu Show APDU requests and responses -t, --tlv TLV decode results -w, --wired Send data via contact (iso7816) interface. (def: Contactless interface) Applet AID examples/notes: emv select -s a00000000101 -> select card, select applet emv select -st a00000000101 -> select card, select applet, show result in TLV --------------------------------------------------------------------------------------- emv smart2nfc Executes ISO14443a payment, TX using ISO7816 interface for authentication usage: emv smart2nfc [-ht] [-u ] options: -h, --help This help -t, --test test that the attached card is working (must be VISA) -u, --uid optional 7 hex bytes UID examples/notes: emv smart2nfc -t -> test that the attached card is working (must be VISA) --------------------------------------------------------------------------------------- hf -------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... 
} 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } iclass { ICLASS RFIDs... } ict { ICT MFC/DESfire RFIDs... } jooki { Jooki RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } tesla { TESLA Cards... } texkom { Texkom RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } vas { Apple Value Added Service } waveshare { Waveshare NFC ePaper... } xerox { Fuji/Xerox cartridge RFIDs... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer plot Plot signal tune Continuously measure HF antenna tuning search Search for known HF tags sniff Generic HF Sniff --------------------------------------------------------------------------------------- hf 14a ----------- ----------------------- General ----------------------- help This help list List ISO 14443-a history ----------- ---------------------- Operations --------------------- antifuzz Fuzzing the anticollision phase. Warning! 
Readers may react strange config Configure 14a settings (use with caution) cuids Collect n>0 ISO14443-a UIDs in one go info Tag information sim Simulate ISO 14443-a tag simaid Simulate ISO 14443-a AID Selection sniff sniff ISO 14443-a traffic raw Send raw hex data to tag reader Act like an ISO14443-a reader ----------- ------------------------- APDU ------------------------- apdu Send ISO 14443-4 APDU to tag apdufind Enumerate APDUs - CLA/INS/P1P2 chaining Control ISO 14443-4 input chaining ----------- ------------------------- NDEF ------------------------- ndefformat Format ISO 14443-A as NFC Type 4 tag ndefread Read an NDEF file from ISO 14443-A Type 4 tag ndefwrite Write NDEF records to ISO 14443-A tag --------------------------------------------------------------------------------------- hf 14b --------- ----------------------- General ----------------------- help This help list List ISO-14443-B history --------- ----------------------- Operations ----------------------- apdu Send ISO 14443-4 APDU to tag dump Read all memory pages of an ISO-14443-B tag, save to file info Tag information ndefread Read NDEF file on tag raw Send raw hex data to tag rdbl Read SRI512/SRIX4 block reader Act as a ISO-14443-B reader to identify a tag restore Restore from file to all memory pages of an ISO-14443-B tag sim Fake ISO ISO-14443-B tag sniff Eavesdrop ISO-14443-B wrbl Write data to a SRI512/SRIX4 tag view Display content from tag dump file valid SRIX4 checksum test --------- ------------------ Calypso / Mobib ------------------ calypso Read contents of a Calypso card mobib Read contents of a Mobib card --------- ------------------------- Magic ----------------------- setuid Set UID for magic card --------------------------------------------------------------------------------------- hf 15 ----------- ----------------------- General ----------------------- help This help list List ISO-15693 history ----------- ----------------------- Operations ----------------------- demod 
Demodulate ISO-15693 from tag dump Read all memory pages of an ISO-15693 tag, save to file info Tag information sniff Sniff ISO-15693 traffic raw Send raw hex data to tag rdbl Read a block rdmulti Reads multiple blocks reader Act like an ISO-15693 reader restore Restore from file to all memory pages of an ISO-15693 tag samples Acquire samples as reader (enables carrier, sends inquiry) view Display content from tag dump file wipe Wipe card to zeros wrbl Write a block ----------- --------------------- Simulation ---------------------- sim Fake an ISO-15693 tag eload Upload file into emulator memory esave Save emulator memory to file eview View emulator memory ----------- ------------------------ SLIX ------------------------- slixwritepwd Writes a password on a SLIX ISO-15693 tag slixeasdisable Disable EAS mode on SLIX ISO-15693 tag slixeasenable Enable EAS mode on SLIX ISO-15693 tag slixprivacydisable Disable privacy mode on SLIX ISO-15693 tag slixprivacyenable Enable privacy mode on SLIX ISO-15693 tag passprotectafi Password protect AFI - Cannot be undone passprotecteas Password protect EAS - Cannot be undone ----------- -------------------------- afi ------------------------ findafi Brute force AFI of an ISO-15693 tag writeafi Writes the AFI on an ISO-15693 tag writedsfid Writes the DSFID on an ISO-15693 tag ----------- ------------------------- Magic ----------------------- csetuid Set UID for magic card --------------------------------------------------------------------------------------- hf cipurse help This help. 
info Get info about CIPURSE tag select Select CIPURSE application or file auth Authenticate CIPURSE tag read Read binary file write Write binary file aread Read file attributes awrite Write file attributes formatall Erase all the data from chip create Create file, application, key via DGI record delete Delete file updkey Update key updakey Update key attributes default Set default key and file id for all the other commands test Regression tests --------------------------------------------------------------------------------------- hf epa help This help cnonces Acquire encrypted PACE nonces of specific size replay Perform PACE protocol by replaying given APDUs sim Simulate PACE protocol --------------------------------------------------------------------------------------- hf emrtd help This help dump Dump eMRTD files to binary files info Display info about an eMRTD list List ISO 14443A/7816 history --------------------------------------------------------------------------------------- hf felica ----------- ----------------------- General ----------------------- help This help list List ISO 18092/FeliCa history ----------- ----------------------- Operations ----------------------- info Tag information raw Send raw hex data to tag rdbl read block data from authentication-not-required Service. reader Act like an ISO18092/FeliCa reader sniff Sniff ISO 18092/FeliCa traffic wrbl write block data to an authentication-not-required Service. ----------- ----------------------- FeliCa Standard ----------------------- rqservice verify the existence of Area and Service, and to acquire Key Version. rqresponse verify the existence of a card and its Mode. scsvcode acquire Area Code and Service Code. rqsyscode acquire System Code registered to the card. auth1 authenticate a card. Start mutual authentication with Auth1 auth2 allow a card to authenticate a Reader/Writer. Complete mutual authentication rqspecver acquire the version of card OS. resetmode reset Mode to Mode 0. 
----------- ----------------------- FeliCa Light ----------------------- litesim Emulating ISO/18092 FeliCa Lite tag litedump Wait for and try dumping FelicaLite --------------------------------------------------------------------------------------- hf fido help This help. list List ISO 14443A history info Info about FIDO tag. reg FIDO U2F Registration Message. auth FIDO U2F Authentication Message. make FIDO2 MakeCredential command. assert FIDO2 GetAssertion command. --------------------------------------------------------------------------------------- hf fudan help This help reader Act like a fudan reader dump Dump FUDAN tag to binary file rdbl Read a fudan tag view Display content from tag dump file wrbl Write a fudan tag --------------------------------------------------------------------------------------- hf gallagher help This help reader Read & decode all Gallagher credentials on a DESFire card clone Add Gallagher credentials to a DESFire card delete Delete Gallagher credentials from a DESFire card diversifykey Diversify Gallagher key decode Decode Gallagher credential block encode Encode Gallagher credential block --------------------------------------------------------------------------------------- hf iclass help This help list List iclass history ----------- ------------------- Operations ------------------- dump Dump Picopass / iCLASS tag to file info Tag information rdbl Read Picopass / iCLASS block reader Act like a Picopass / iCLASS reader restore Restore a dump file onto a Picopass / iCLASS tag sniff Eavesdrop Picopass / iCLASS communication view Display content from tag dump file wrbl Write Picopass / iCLASS block creditepurse Credit epurse value trbl Performs tearoff attack on iClass block ----------- --------------------- Recovery -------------------- chk Check keys loclass Use loclass to perform bruteforce reader attack lookup Uses authentication trace to check for key in dictionary file legrec Recovers 24 bits of the diversified key of a 
legacy card provided a valid nr-mac combination legbrute Bruteforces 40 bits of a partial diversified key, provided 24 bits of the key and two valid nr-macs unhash Reverses a diversified key to retrieve hash0 pre-images after DES encryption ----------- -------------------- Simulation ------------------- sim Simulate iCLASS tag eload Upload file into emulator memory esave Save emulator memory to file esetblk Set emulator memory block data eview View emulator memory ----------- ---------------------- Utils ---------------------- configcard Reader configuration card generator calcnewkey Calc diversified keys (blocks 3 & 4) to write new keys encode Encode binary wiegand to block 7 encrypt Encrypt given block data decrypt Decrypt given block data or tag dump file managekeys Manage keys to use with iclass commands permutekey Permute function from 'heart of darkness' paper ----------- ----------------------- SAM ----------------------- sam SAM tests --------------------------------------------------------------------------------------- hf ict help This help credential Read ICT credential and decode info Tag information list List ICT history reader Act like an IS14443-a reader --------------------------------------------------------------------------------------- hf jooki help This help clone Write a Jooki token decode Decode Jooki token encode Encode Jooki token sim Simulate Jooki token --------------------------------------------------------------------------------------- hf ksx6924 help This help select Select application, and leave field up info Get info about a KS X 6924 (T-Money, Snapper+) transit card balance Get current purse balance init Perform transaction initialization with Mpda prec Send proprietary get record command (CLA=90, INS=4C) --------------------------------------------------------------------------------------- hf legic ----------- --------------------- operations --------------------- help This help dump Dump LEGIC Prime tag to binary file info 
Display deobfuscated and decoded LEGIC Prime tag data list List LEGIC history rdbl Read bytes from a LEGIC Prime tag reader LEGIC Prime Reader UID and tag info restore Restore a dump file onto a LEGIC Prime tag wipe Wipe a LEGIC Prime tag wrbl Write data to a LEGIC Prime tag ----------- --------------------- simulation --------------------- sim Start tag simulator eload Upload file into emulator memory esave Save emulator memory to file eview View emulator memory einfo Display deobfuscated and decoded emulator memory ----------- --------------------- utils --------------------- crc Calculate Legic CRC over given bytes view Display deobfuscated and decoded content from tag dump file --------------------------------------------------------------------------------------- hf lto help This help dump Dump LTO-CM tag to file info Tag information list List LTO-CM history rdbl Read block reader Act like a LTO-CM reader restore Restore dump file to LTO-CM tag wrbl Write block --------------------------------------------------------------------------------------- hf mf help This help list List MIFARE history ----------- ----------------------- recovery ----------------------- info mfc card Info isen mfc card Info Static Encrypted Nonces darkside Darkside attack nested Nested attack hardnested Nested attack for hardened MIFARE Classic cards staticnested Nested attack against static nonce MIFARE Classic cards brute Smart bruteforce to exploit weak key generators autopwn Automatic key recovery tool for MIFARE Classic nack Test for MIFARE NACK bug chk Check keys fchk Check keys fast, targets all keys on card decrypt Decrypt Crypto1 data from sniff or trace supercard Extract info from a `super card` ----------- ----------------------- operations ----------------------- auth4 ISO14443-4 AES authentication acl Decode and print MIFARE Classic access rights bytes dump Dump MIFARE Classic tag to binary file mad Checks and prints MAD personalize Personalize UID (MIFARE Classic EV1 only) 
rdbl            Read MIFARE Classic block
rdsc            Read MIFARE Classic sector
restore         Restore MIFARE Classic binary file to tag
setmod          Set MIFARE Classic EV1 load modulation strength
value           Value blocks
view            Display content from tag dump file
wipe            Wipe card to zeros and default keys/acc
wrbl            Write MIFARE Classic block
----------- ----------------------- simulation -----------------------
sim             Simulate MIFARE card
ecfill          Fill emulator memory with help of keys from emulator
eclr            Clear emulator memory
egetblk         Get emulator memory block
egetsc          Get emulator memory sector
ekeyprn         Print keys from emulator memory
eload           Upload file into emulator memory
esave           Save emulator memory to file
esetblk         Set emulator memory block
eview           View emulator memory
----------- ----------------------- magic gen1 -----------------------
cgetblk         Read block from card
cgetsc          Read sector from card
cload           Load dump to card
csave           Save dump from card into file or emulator
csetblk         Write block to card
csetuid         Set UID on card
cview           View card
cwipe           Wipe card to default UID/Sectors/Keys
----------- ----------------------- magic gen3 -----------------------
gen3uid         Set UID without changing manufacturer block
gen3blk         Overwrite manufacturer block
gen3freeze      Perma lock UID changes. irreversible
----------- -------------------- magic gen4 GTU --------------------------
ginfo           Info about configuration of the card
ggetblk         Read block from card
gload           Load dump to card
gsave           Save dump from card into file or emulator
gsetblk         Write block to card
gview           View card
gchpwd          Change card access password. Warning!
----------- -------------------- magic gen4 GDM --------------------------
gdmcfg          Read config block from card
gdmsetcfg       Write config block to card
gdmparsecfg     Parse config block to card
gdmsetblk       Write block to card
----------- ----------------------- ndef -----------------------
ndefformat      Format MIFARE Classic Tag as NFC Tag
ndefread        Read and print NDEF records from card
ndefwrite       Write NDEF records to card
encodehid       Encode a HID Credential / NDEF record to card
---------------------------------------------------------------------------------------
hf mfp
help            This help
list            List MIFARE Plus history
----------- ------------------- operations ---------------------
auth            Authentication
chk             Check keys
dump            Dump MIFARE Plus tag to binary file
info            Info about MIFARE Plus tag
mad             Check and print MAD
rdbl            Read blocks from card
rdsc            Read sectors from card
wrbl            Write block to card
chkey           Change key on card
chconf          Change config on card
----------- ---------------- personalization -------------------
commitp         Configure security layer (SL1/SL3 mode)
initp           Fill all the card's keys in SL0 mode
wrp             Write Perso command
----------- ---------------------- ndef ------------------------
ndefformat      Format MIFARE Plus Tag as NFC Tag
ndefread        Read and print NDEF records from card
ndefwrite       Write NDEF records to card
---------------------------------------------------------------------------------------
hf mfu
help            This help
list            List MIFARE Ultralight / NTAG history
----------- ----------------------- recovery -------------------------
keygen          Generate DES/3DES/AES MIFARE diversified keys
pwdgen          Generate pwd from known algos
otptear         Tear-off test on OTP bits
----------- ----------------------- operations -----------------------
cauth           Ultralight-C - Authentication
setpwd          Ultralight-C - Set 3DES key
dump            Dump MIFARE Ultralight family tag to binary file
incr            Increments Ev1/NTAG counter
info            Tag information
ndefread        Prints NDEF records from card
rdbl            Read block
restore         Restore a dump file onto a tag
tamper          NTAG 213TT - Configure the tamper feature
view            Display content from tag dump file
wipe            Wipe card to zeros and default key
wrbl            Write block
----------- ----------------------- simulation -----------------------
eload           Upload file into emulator memory
esave           Save emulator memory to file
eview           View emulator memory
sim             Simulate MIFARE Ultralight from emulator memory
----------- ----------------------- magic ----------------------------
setuid          Set UID - MAGIC tags only
----------- ----------------------- amiibo ----------------------------
amiibo          Amiibo tag operations
---------------------------------------------------------------------------------------
hf mfdes
help            This help
list            List DESFire (ISO 14443A) history
----------- ---------------------- General ----------------------
auth            MIFARE DesFire Authentication
chk             Check keys
default         Set defaults for all the commands
detect          Detect key type and tries to find one from the list
formatpicc      Format PICC
freemem         Get free memory size
getuid          Get uid from card
info            Tag information
mad             Prints MAD records / files from the card
setconfig       Set card configuration
----------- -------------------- Applications -------------------
lsapp           Show all applications with files list
getaids         Get Application IDs list
getappnames     Get Applications list
bruteaid        Recover AIDs by bruteforce
createapp       Create Application
deleteapp       Delete Application
selectapp       Select Application ID
----------- ------------------------ Keys -----------------------
changekey       Change Key
chkeysettings   Change Key Settings
getkeysettings  Get Key Settings
getkeyversions  Get Key Versions
----------- ----------------------- Files -----------------------
getfileids      Get File IDs list
getfileisoids   Get File ISO IDs list
lsfiles         Show all files list
dump            Dump all files
createfile      Create Standard/Backup File
createvaluefile Create Value File
createrecordfile Create Linear/Cyclic Record File
createmacfile   Create Transaction MAC File
deletefile      Delete File
getfilesettings Get file settings
chfilesettings  Change file settings
read            Read data from standard/backup/record/value/mac file
write           Write data to standard/backup/record/value file
value           Operations with value file (get/credit/limited credit/debit/clear)
clearrecfile    Clear record File
----------- ----------------------- System -----------------------
test            Regression crypto tests
---------------------------------------------------------------------------------------
hf ntag424
help            This help
----------- ----------------------- operations -----------------------
info            Tag information
view            Display content from tag dump file
auth            Test authentication with key
read            Read file
write           Write file
getfs           Get file settings
changefs        Change file settings
changekey       Change key
---------------------------------------------------------------------------------------
hf seos
----------- ----------------------- General -----------------------
help            This help
list            List SEOS history
sam             SAM tests
----------- ----------------------- Operations -----------------------
info            Tag information
pacs            Extract PACS Information from card
adf             Read an ADF from the card
gdf             Read a GDF from card
----------- ----------------------- Utils -----------------------
managekeys      Manage keys to use with SEOS commands
---------------------------------------------------------------------------------------
hf st25ta
help            This help
info            Tag information
list            List ISO 14443A/7816 history
ndefread        read NDEF file on tag
protect         change protection on tag
pwd             change password on tag
sim             Fake ISO 14443A/ST tag
---------------------------------------------------------------------------------------
hf tesla
help            This help
info            Tag information
list            List ISO 14443A/7816 history
---------------------------------------------------------------------------------------
hf texkom
help            This help
reader          Act like a Texkom reader
sim             Simulate a Texkom tag
---------------------------------------------------------------------------------------
hf thinfilm
help            This help
info            Tag information
list            List NFC Barcode / Thinfilm history - not correct
sim             Fake Thinfilm tag
---------------------------------------------------------------------------------------
hf topaz
help            This help
list            List Topaz history
----------- ------------------- operations ---------------------
dump            Dump TOPAZ family tag to file
info            Tag information
raw             Send raw hex data to tag
rdbl            Read block
reader          Act like a Topaz reader
sim             Simulate Topaz tag
sniff           Sniff Topaz reader-tag communication
view            Display content from tag dump file
wrbl            Write block
----------- ----------------------- ndef -----------------------
---------------------------------------------------------------------------------------
hf vas
-------- ----------- Value Added Service -----------
help            This help
-------- ----------------- General -----------------
reader          Read and decrypt VAS message
decrypt         Decrypt a previously captured VAS cryptogram
---------------------------------------------------------------------------------------
hf waveshare
help            This help
load            Load image file to Waveshare NFC ePaper
---------------------------------------------------------------------------------------
hf xerox
help            This help
list            List ISO-14443B history
-------- ----------------------- General -----------------------
info            Short info on Fuji/Xerox tag
dump            Read all memory pages of a Fuji/Xerox tag, save to file
reader          Act like a Fuji/Xerox reader
view            Display content from tag dump file
rdbl            Read Fuji/Xerox block
---------------------------------------------------------------------------------------
hf list
Alias of `trace list -t raw` with selected protocol data to annotate the trace buffer.
You can load a trace from file (see `trace load -h`); otherwise it is downloaded from the device by default.
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol.

usage: hf list [-h1crux] [--frame] [-f ]

options:
    -h, --help     This help
    -1, --buffer   use data from trace buffer
    --frame        show frame delay times
    -c             mark CRC bytes
    -r             show relative times (gap and duration)
    -u             display times in microseconds instead of clock cycles
    -x             show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
    -f, --file     filename of dictionary

examples/notes:
    hf list --frame  -> show frame delay times
    hf list -1       -> use trace buffer
---------------------------------------------------------------------------------------
hf plot
Plots HF signal after RF signal path and A/D conversion.

usage: hf plot [-h]

options:
    -h, --help     This help

examples/notes:
    This can be used after any hf command and will show the last few milliseconds of the HF signal.
    Note: If the last hf command terminated because of a timeout you will most probably see nothing.
---------------------------------------------------------------------------------------
hf tune
Continuously measure HF antenna tuning.
Press pm3 button or to interrupt.

usage: hf tune [-hv] [-n ] [--bar] [--mix] [--value]

options:
    -h, --help     This help
    -n, --iter     number of iterations (default: 0=infinite)
    --bar          bar style
    --mix          mixed style
    --value        values style
    -v, --verbose  verbose output

examples/notes:
    hf tune
    hf tune --mix
---------------------------------------------------------------------------------------
hf search
Will try to find a HF read out of the unknown tag.
Continues to search for all different HF protocols.

usage: hf search [-hv]

options:
    -h, --help     This help
    -v, --verbose  verbose output

examples/notes:
    hf search
---------------------------------------------------------------------------------------
hf sniff
The high frequency sniffer will assign all available memory on device for sniffed data.
Use `data samples` to download from device and `data plot` to visualize it.
Press button to quit the sniffing.
usage: hf sniff [-h] [--sp ] [--st ] [--smode [none|drop|min|max|avg]] [--sratio ]

options:
    -h, --help     This help
    --sp           skip sample pairs
    --st           skip number of triggers
    --smode [none|drop|min|max|avg]  Skip mode. It switches on the function that is applied to several samples before they are saved to memory
    --sratio       Skip ratio. It applies the function above to (ratio * 2) samples. For ratio = 1 that is 2 samples.

examples/notes:
    hf sniff
    hf sniff --sp 1000 --st 0  -> skip 1000 pairs, skip 0 triggers
---------------------------------------------------------------------------------------
hw
help            This help
------------- ----------------------- Operation -----------------------
detectreader    Detect external reader field
status          Show runtime status information about the connected Proxmark3
tearoff         Program a tearoff hook for the next command supporting tearoff
timeout         Set the communication timeout on the client side
version         Show version information about the client and Proxmark3
------------- ----------------------- Hardware -----------------------
break           Send break loop usb command
bootloader      Reboot into bootloader mode
connect         Connect to the device via serial port
dbg             Set device side debug level
fpgaoff         Turn off FPGA on device
ping            Test if the Proxmark3 is responsive
readmem         Read from MCU flash
reset           Reset the device
setlfdivisor    Drive LF antenna at 12MHz / (divisor + 1)
sethfthresh     Set thresholds in HF/14a mode
setmux          Set the ADC mux to a specific value
standalone      Start installed standalone mode on device
tia             Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider
tune            Measure tuning of device antenna
---------------------------------------------------------------------------------------
hw detectreader
Start detecting the presence of a reader field

usage: hw detectreader [-hLH]

options:
    -h, --help     This help
    -L, --LF       only detect low frequency 125/134 kHz
    -H, --HF       only detect high frequency 13.56 MHz

examples/notes:
    hw detectreader
    hw detectreader -L
---------------------------------------------------------------------------------------
hw status
Show runtime status information about the connected Proxmark3

usage: hw status [-h] [-m ]

options:
    -h, --help     This help
    -m, --ms       speed test timeout in micro seconds

examples/notes:
    hw status
    hw status --ms 1000  -> Test connection speed with 1000ms timeout
---------------------------------------------------------------------------------------
hw tearoff
Configure a tear-off hook for the next write command supporting tear-off.
After having been triggered by a write command, the tear-off hook is deactivated.
Delay (in us) must be between 1 and 43000 (43ms). Precision is about 1/3us.

usage: hw tearoff [-hs] [--delay ] [--on] [--off]

options:
    -h, --help     This help
    --delay        Delay in us before triggering tear-off, must be between 1 and 43000
    --on           Activate tear-off hook
    --off          Deactivate tear-off hook
    -s, --silent   less verbose output

examples/notes:
    hw tearoff --delay 1200  -> define delay of 1200us
    hw tearoff --on          -> (re)activate a previously defined delay
    hw tearoff --off         -> deactivate a previously activated but not yet triggered hook
---------------------------------------------------------------------------------------
hw timeout
Set the communication timeout on the client side

usage: hw timeout [-h] [-m ]

options:
    -h, --help     This help
    -m, --ms       timeout in micro seconds

examples/notes:
    hw timeout           -> Show current timeout
    hw timeout -m 20     -> Set the timeout to 20ms
    hw timeout --ms 500  -> Set the timeout to 500ms
---------------------------------------------------------------------------------------
hw version
Show version information about the client and the connected Proxmark3

usage: hw version [-h]

options:
    -h, --help     This help

examples/notes:
    hw version
---------------------------------------------------------------------------------------
hw break
send break loop package

usage: hw break [-h]

options:
    -h, --help     This help

examples/notes:
    hw break
---------------------------------------------------------------------------------------
hw bootloader
Reboot Proxmark3 into bootloader mode

usage: hw bootloader [-h]

options:
    -h, --help     This help

examples/notes:
    hw bootloader
---------------------------------------------------------------------------------------
hw connect
Connects to a Proxmark3 device via the specified serial port.
Baudrate here is only for physical UART or UART-BT, NOT for USB-CDC or the blue shark add-on.

usage: hw connect [-h] [-p ] [-b ]

options:
    -h, --help     This help
    -p, --port     Serial port to connect to, else retry the last used one
    -b, --baud     Baudrate

examples/notes:
    hw connect -p /dev/ttyACM0
    hw connect -p /dev/ttyACM0 -b 115200
---------------------------------------------------------------------------------------
hw dbg
Set device side debug level output.
Note: option `-4` may itself cause malfunction by introducing delays in time critical functions like simulation or sniffing.

usage: hw dbg [-h01234]

options:
    -h, --help     This help
    -0             no debug messages
    -1             error messages
    -2             plus information messages
    -3             plus debug messages
    -4             print even debug messages in timing critical functions

examples/notes:
    hw dbg     -> get current log level
    hw dbg -1  -> set log level to _error_
---------------------------------------------------------------------------------------
hw fpgaoff
Turn off FPGA and antenna field

usage: hw fpgaoff [-h]

options:
    -h, --help     This help

examples/notes:
    hw fpgaoff
---------------------------------------------------------------------------------------
hw ping
Test if the Proxmark3 is responsive

usage: hw ping [-h] [-l ]

options:
    -h, --help     This help
    -l, --len      length of payload to send

examples/notes:
    hw ping
    hw ping --len 32
---------------------------------------------------------------------------------------
hw readmem
Reads processor flash memory into a file or views it on the console

usage: hw readmem [-hr] [-a ] [-l ] [-f ] [-c ]

options:
    -h, --help     This help
    -a, --adr      flash address to start reading from
    -l, --len      length (default 32 or 512KB)
    -f, --file     save to file
    -c, --cols     column breaks
    -r, --raw      use raw address mode: read from anywhere, not just flash

examples/notes:
    hw readmem -f myfile       -> save 512KB processor flash memory to file
    hw readmem -a 8192 -l 512  -> display 512 bytes from offset 8192
---------------------------------------------------------------------------------------
hw reset
Reset the Proxmark3 device.

usage: hw reset [-h]

options:
    -h, --help     This help

examples/notes:
    hw reset
---------------------------------------------------------------------------------------
hw setlfdivisor
Drive LF antenna at 12 MHz / (divisor + 1).

usage: hw setlfdivisor [-h] -d

options:
    -h, --help     This help
    -d, --div      19 - 255 divisor value (def 95)

examples/notes:
    hw setlfdivisor -d 88
---------------------------------------------------------------------------------------
hw sethfthresh
Set thresholds in HF/14a and Legic mode.

usage: hw sethfthresh [-h] [-t ] [-i ] [-l ]

options:
    -h, --help     This help
    -t, --thresh   threshold, used in 14a reader mode (def 7)
    -i, --high     high threshold, used in 14a sniff mode (def 20)
    -l, --legic    threshold used in Legic mode (def 8)

examples/notes:
    hw sethfthresh -t 7 -i 20 -l 8
---------------------------------------------------------------------------------------
hw setmux
Set the ADC mux to a specific value

usage: hw setmux [-h] [--lopkd] [--loraw] [--hipkd] [--hiraw]

options:
    -h, --help     This help
    --lopkd        low peak
    --loraw        low raw
    --hipkd        high peak
    --hiraw        high raw

examples/notes:
    hw setmux --hipkd  -> set HIGH PEAK
---------------------------------------------------------------------------------------
hw standalone
Start standalone mode

usage: hw standalone [-h] [-a ] [-b ]

options:
    -h, --help     This help
    -a, --arg      argument byte
    -b             UniSniff arg: 14a, 14b, 15, iclass

examples/notes:
    hw standalone       -> start
    hw standalone -a 1  -> start and send arg 1
---------------------------------------------------------------------------------------
hw tia
Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider

usage: hw tia [-h]

options:
    -h, --help     This help

examples/notes:
    hw tia
---------------------------------------------------------------------------------------
hw tune
Measure tuning of device antenna. Results shown in graph window.
This command doesn't actively tune your antennas; it is only informative, measuring the voltage that the antennas will generate.

usage: hw tune [-h]

options:
    -h, --help     This help

examples/notes:
    hw tune
---------------------------------------------------------------------------------------
lf
help            This help
----------- -------------- Low Frequency --------------
awid            { AWID RFIDs... }
cotag           { COTAG CHIPs... }
destron         { FDX-A Destron RFIDs... }
em              { EM CHIPs & RFIDs... }
fdxb            { FDX-B RFIDs... }
gallagher       { GALLAGHER RFIDs... }
gproxii         { Guardall Prox II RFIDs... }
hid             { HID Prox RFIDs... }
hitag           { Hitag CHIPs... }
idteck          { Idteck RFIDs... }
indala          { Indala RFIDs... }
io              { ioProx RFIDs... }
jablotron       { Jablotron RFIDs... }
keri            { KERI RFIDs... }
motorola        { Motorola Flexpass RFIDs... }
nedap           { Nedap RFIDs... }
nexwatch        { NexWatch RFIDs... }
noralsy         { Noralsy RFIDs... }
pac             { PAC/Stanley RFIDs... }
paradox         { Paradox RFIDs... }
pcf7931         { PCF7931 CHIPs... }
presco          { Presco RFIDs... }
pyramid         { Farpointe/Pyramid RFIDs... }
securakey       { Securakey RFIDs... }
ti              { TI CHIPs... }
t55xx           { T55xx CHIPs... }
viking          { Viking RFIDs... }
visa2000        { Visa2000 RFIDs... }
----------- --------------------- General ---------------------
config          Get/Set config for LF sampling, bit/sample, decimation, frequency
cmdread         Modulate LF reader field to send command before read
read            Read LF tag
search          Read and Search for valid known tag
sim             Simulate LF tag from buffer
simask          Simulate ASK tag
simfsk          Simulate FSK tag
simpsk          Simulate PSK tag
simbidir        Simulate LF tag (with bidirectional data transmission between reader and tag)
sniff           Sniff LF traffic between reader and tag
tune            Continuously measure LF antenna tuning
---------------------------------------------------------------------------------------
lf awid
help            this help
brute           bruteforce card number against reader
clone           clone AWID tag to T55x7, Q5/T5555 or EM4305/4469
demod           demodulate an AWID FSK tag from the GraphBuffer
reader          attempt to read and extract tag data
sim             simulate AWID tag
watch           continuously watch for cards. Reader mode
---------------------------------------------------------------------------------------
lf cotag
help            This help
demod           demodulate a COTAG tag
reader          attempt to read and extract tag data
---------------------------------------------------------------------------------------
lf destron
help            This help
demod           demodulate a Destron tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Destron tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate Destron tag
---------------------------------------------------------------------------------------
lf em
help            This help
410x            { EM 4102 commands... }
4x05            { EM 4205 / 4305 / 4369 / 4469 commands... }
4x50            { EM 4350 / 4450 commands... }
4x70            { EM 4070 / 4170 commands... }
---------------------------------------------------------------------------------------
lf fdxb
help            this help
demod           demodulate a FDX-B ISO11784/85 tag from the GraphBuffer
reader          attempt to read at 134kHz and extract tag data
clone           clone animal ID tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate Animal ID tag
---------------------------------------------------------------------------------------
lf gallagher
help            This help
demod           demodulate a GALLAGHER tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone GALLAGHER tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate GALLAGHER tag
---------------------------------------------------------------------------------------
lf gproxii
help            this help
demod           demodulate a G Prox II tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Guardall tag to T55x7 or Q5/T5555
sim             simulate Guardall tag
---------------------------------------------------------------------------------------
lf hid
help            this help
demod           demodulate HID Prox tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone HID tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate HID tag
brute           bruteforce facility code or card number against reader
watch           continuously watch for cards. Reader mode
---------------------------------------------------------------------------------------
lf hitag
help            This help
list            List Hitag trace history
hts             { Hitag S/8211 operations }
----------- ------------------------ General ------------------------
info            Hitag 2 tag information
reader          Act like a Hitag 2 reader
test            Perform self tests
----------- ----------------------- Operations -----------------------
dump            Dump Hitag 2 tag
read            Read Hitag memory
sniff           Eavesdrop Hitag communication
view            Display content from tag dump file
wrbl            Write a block (page) in Hitag memory
----------- ----------------------- Simulation -----------------------
eload           Upload file into emulator memory
eview           View emulator memory
sim             Simulate Hitag transponder
----------- ----------------------- Recovery -----------------------
cc              Hitag S: test all provided challenges
crack2          Recover 2048bits of crypto stream
chk             Check keys
lookup          Uses authentication trace to check for key in dictionary file
ta              Hitag 2: test all recorded authentications
---------------------------------------------------------------------------------------
lf idteck
help            This help
demod           demodulate an Idteck tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Idteck tag to T55x7 or Q5/T5555
sim             simulate Idteck tag
---------------------------------------------------------------------------------------
lf indala
help            This help
brute           Demodulate an Indala tag (PSK1) from the GraphBuffer
demod           Demodulate an Indala tag (PSK1) from the GraphBuffer
altdemod        Alternative method to demodulate samples for Indala 64 bit UID (option '224' for 224 bit)
reader          Read an Indala tag from the antenna
clone           Clone Indala tag to T55x7 or Q5/T5555
sim             Simulate Indala tag
---------------------------------------------------------------------------------------
lf io
help            this help
demod           demodulate an ioProx tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone ioProx tag to T55x7 or Q5/T5555
sim             simulate ioProx tag
watch           continuously watch for cards. Reader mode
---------------------------------------------------------------------------------------
lf jablotron
help            This help
demod           demodulate a Jablotron tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone jablotron tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate jablotron tag
---------------------------------------------------------------------------------------
lf keri
help            This help
demod           demodulate a KERI tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone KERI tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate KERI tag
---------------------------------------------------------------------------------------
lf motorola
help            This help
demod           demodulate a MOTOROLA tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone MOTOROLA tag to T55x7
sim             simulate MOTOROLA tag
---------------------------------------------------------------------------------------
lf nedap
help            This help
demod           demodulate Nedap tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Nedap tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate Nedap tag
---------------------------------------------------------------------------------------
lf nexwatch
help            This help
demod           demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone NexWatch tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate NexWatch tag
---------------------------------------------------------------------------------------
lf noralsy
help            This help
demod           demodulate a Noralsy tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Noralsy tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate Noralsy tag
---------------------------------------------------------------------------------------
lf pac
help            This help
demod           demodulate a PAC tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone PAC tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate PAC tag
---------------------------------------------------------------------------------------
lf paradox
help            This help
demod           demodulate a Paradox FSK tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone paradox tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate paradox tag
---------------------------------------------------------------------------------------
lf pcf7931
help            This help
reader          Read content of a PCF7931 transponder
write           Write data on a PCF7931 transponder.
config          Configure the password, the tag's initialization delay and time offsets (optional)
---------------------------------------------------------------------------------------
lf presco
help            This help
demod           demodulate Presco tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone presco tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate presco tag
---------------------------------------------------------------------------------------
lf pyramid
help            this help
demod           demodulate a Pyramid FSK tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone pyramid tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate pyramid tag
---------------------------------------------------------------------------------------
lf securakey
help            This help
demod           demodulate a Securakey tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Securakey tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate Securakey tag
---------------------------------------------------------------------------------------
lf ti
help            This help
demod           Demodulate raw bits for TI LF tag from the GraphBuffer
reader          Read and decode a TI 134 kHz tag
write           Write new data to a r/w TI 134 kHz tag
---------------------------------------------------------------------------------------
lf t55xx
----------- ---------------------------- notice -----------------------------
Remember to run `lf t55xx detect` first whenever a new card is placed on the Proxmark3 or the config block changed.
help            This help
----------- --------------------- operations ---------------------
clonehelp       Shows the available clone commands
config          Set/Get T55XX configuration (modulation, inverted, offset, rate)
dangerraw       Sends raw bitstream. Dangerous, do not use!!
detect          Try detecting the tag modulation from reading the configuration block
deviceconfig    Set/Get T55XX device configuration
dump            Dump T55xx card Page 0 block 0-7
info            Show T55x7 configuration data (page 0/ blk 0)
p1detect        Try detecting if this is a t55xx tag by reading page 1
read            Read T55xx block data
resetread       Send Reset Cmd then lf read the stream to attempt to identify the start of it
restore         Restore T55xx card Page 0 / Page 1 blocks
trace           Show T55x7 traceability data (page 1/ blk 0-1)
wakeup          Send AOR wakeup command
write           Write T55xx block data
----------- --------------------- recovery ---------------------
bruteforce      Simple bruteforce attack to find password
chk             Check passwords
protect         Password protect tag
recoverpw       Try to recover from bad password write from a cloner
sniff           Attempt to recover T55xx commands from sample buffer
special         Show block changes with 64 different offsets
wipe            Wipe a T55xx tag and set defaults (will destroy any data on tag)
---------------------------------------------------------------------------------------
lf viking
help            This help
demod           demodulate a Viking tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Viking tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate Viking tag
---------------------------------------------------------------------------------------
lf visa2000
help            This help
demod           demodulate a VISA2000 tag from the GraphBuffer
reader          attempt to read and extract tag data
clone           clone Visa2000 tag to T55x7, Q5/T5555 or EM4305/4469
sim             simulate Visa2000 tag
---------------------------------------------------------------------------------------
lf config
Get/Set config for LF sampling, bit/sample, decimation, frequency.
These changes are temporary and will be reset after a power cycle.
- use `lf read` to perform a read (active field)
- use `lf sniff` to perform a sniff (no active field)

usage: lf config [-hr] [--125] [--134] [-a <0|1>] [-b <1-8>] [--dec <1-8>] [--divisor <19-255>] [-f <47-600>] [-s ] [-t <0-128>]

options:
    -h, --help           This help
    --125                125 kHz frequency
    --134                134 kHz frequency
    -a, --avg <0|1>      averaging - if set, will average the stored sample value when decimating (default 1)
    -b, --bps <1-8>      sets resolution of bits per sample (default 8)
    --dec <1-8>          sets decimation. A value of N saves only 1 in N samples (default 1)
    --divisor <19-255>   Manually set freq divisor. 88 -> 134 kHz, 95 -> 125 kHz
    -f, --freq <47-600>  manually set frequency in kHz
    -r, --reset          reset values to defaults
    -s, --skip           sets a number of samples to skip before capture (default 0)
    -t, --trig <0-128>   sets trigger threshold. 0 means no threshold

examples/notes:
    lf config                     -> shows current config
    lf config -b 8 --125          -> samples at 125 kHz, 8 bps
    lf config -b 4 --134 --dec 3  -> samples at 134 kHz, averages three samples into one, stored with a resolution of 4 bits per sample
    lf config --trig 20 -s 10000  -> trigger sampling when above 20, skip 10 000 first samples after triggered
    lf config --reset             -> reset back to default values
---------------------------------------------------------------------------------------
lf cmdread
Modulate LF reader field to send command before read. All periods in microseconds.
- use `lf config` to set parameters

usage: lf cmdread [-hvk@] [-d ] [-c <0|1|...>] [-e ]... [-o ] [-z ] [-s ] [--crc-ht]

options:
    -h, --help           This help
    -d, --duration       delay OFF period, (0 for bitbang mode)
    -c, --cmd <0|1|...>  command symbols
    -e, --extra          Extra symbol definition and duration (up to 4)
    -o, --one            ONE time period
    -z, --zero           ZERO time period
    -s, --samples        number of samples to collect
    -v, --verbose        verbose output
    -k, --keep           keep signal field ON after receive
    --crc-ht             calculate and append CRC-8/HITAG (also for ZX8211)
    -@                   continuous mode

examples/notes:
    lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110                          -> probing for Hitag 1/S
    lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W11000                          -> probing for Hitag 2/S
    lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W11010                          -> probing for Hitag S
    lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W11000 -s 2000 -@               -> probing for Hitag 2/S, oscilloscope style
    lf cmdread -d 48 -z 112 -o 176 -e W3000 -e S240 -e E336 -c W0S00000010000E -> probing for Hitag µ(micro)
---------------------------------------------------------------------------------------
lf read
Sniff low frequency signal.
- use `lf config` to set parameters.
- use `data plot` to look at it.
If the number of samples is more than the device memory limit (40000 now), it will try to use the real-time sampling mode.

usage: lf read [-hv@] [-s ]

options:
    -h, --help           This help
    -s, --samples        number of samples to collect
    -v, --verbose        verbose output
    -@                   continuous reading mode

examples/notes:
    lf read -v -s 12000  -> collect 12000 samples
    lf read -s 3000 -@   -> oscilloscope style
---------------------------------------------------------------------------------------
lf search
Read and search for valid known tag.
For offline mode, you can `data load` first and then search.
usage: lf search [-h1cu] options: -h, --help This help -1 Use data from Graphbuffer to search (offline mode) -c Continue searching after successful match -u Search for unknown tags examples/notes: lf search -> try reading data from tag & search for known tag lf search -u -> try reading data from tag & search for known and unknown tag lf search -1 -> use data from the GraphBuffer & search for known tag lf search -1uc -> use data from the GraphBuffer & search for known and unknown tag --------------------------------------------------------------------------------------- lf sim Simulate low frequency tag from graphbuffer Use `lf config` to set parameters usage: lf sim [-h] [-g ] options: -h, --help This help -g, --gap start gap in microseconds examples/notes: lf sim lf sim --gap 240 -> start simulating with 240ms gap --------------------------------------------------------------------------------------- lf simask Simulate ASK tag from DemodBuffer or input usage: lf simask [-hiv] [-c ] [--bi] [--am] [--ar] [--stt] [-d ] options: -h, --help This help -i, --inv invert data -c, --clk manually set clock - can autodetect if using DemodBuffer (default 64) --bi ask/biphase encoding --am ask/manchester encoding (default) --ar ask/raw encoding --stt add t55xx Sequence Terminator gap - default: no gaps (only manchester) -d, --data data to sim - omit to use DemodBuffer -v, --verbose verbose output examples/notes: lf simask --clk 32 --am -d 0102030405 -> simulate ASK/MAN rf/32 lf simask --clk 32 --bi -d 0102030405 -> simulate ASK/BIPHASE rf/32 lf simask --clk 64 --am -d ffbd8001686f1924 -> simulate a EM410x tag lf simask --clk 64 --am --stt -d 5649533200003F340000001B -> simulate a VISA2K tag --------------------------------------------------------------------------------------- lf simfsk Simulate FSK tag from DemodBuffer or input. There are about four FSK modulations to know of. 
FSK1 - where fc/8 = high and fc/5 = low FSK1a - is inverted FSK1, ie: fc/5 = high and fc/8 = low FSK2 - where fc/10 = high and fc/8 = low FSK2a - is inverted FSK2, ie: fc/10 = high and fc/8 = low NOTE: if you set one clock manually set them all manually usage: lf simfsk [-hv] [-c ] [--low ] [--high ] [--stt] [-d ] options: -h, --help This help -c, --clk manually set clock - can autodetect if using DemodBuffer (default 64) --low manually set larger Field Clock --high manually set smaller Field Clock --stt TBD! - STT to enable a gap between playback repetitions (default: no gap) -d, --data data to sim - omit to use DemodBuffer -v, --verbose verbose output examples/notes: lf simfsk -c 40 --high 8 --low 5 -d 010203 -> FSK1 rf/40 data 010203 lf simfsk -c 40 --high 5 --low 8 -d 010203 -> FSK1a rf/40 data 010203 lf simfsk -c 64 --high 10 --low 8 -d 010203 -> FSK2 rf/64 data 010203 lf simfsk -c 64 --high 8 --low 10 -d 010203 -> FSK2a rf/64 data 010203 lf simfsk -c 50 --high 10 --low 8 -d 1D5559555569A9A555A59569 -> simulate HID Prox tag manually lf simfsk -c 50 --high 10 --low 8 --stt -d 011DB2487E8D811111111111 -> simulate AWID tag manually --------------------------------------------------------------------------------------- lf simpsk Simulate PSK tag from DemodBuffer or input usage: lf simpsk [-h123iv] [-c ] [--fc ] [-d ] options: -h, --help This help -1, --psk1 set PSK1 (default) -2, --psk2 set PSK2 -3, --psk3 set PSK3 -i, --inv invert data -c, --clk manually set clock - can autodetect if using DemodBuffer (default 32) --fc 2|4|8 are valid carriers (default 2) -d, --data data to sim - omit to use DemodBuffer -v, --verbose verbose output examples/notes: lf simpsk -1 --clk 40 --fc 4 -d 01020304 -> simulate PSK1 rf/40 psksub fc/4, data 01020304 lf simpsk -1 --clk 32 --fc 2 -d a0000000bd989a11 -> simulate a indala tag manually --------------------------------------------------------------------------------------- lf simbidir Simulate LF tag with bidirectional data 
transmission between reader and tag usage: lf simbidir [-h] options: -h, --help This help examples/notes: lf simbidir --------------------------------------------------------------------------------------- lf sniff Sniff low frequency signal. You need to configure the LF part on the Proxmark3 device manually. Usually a trigger and skip samples is a good thing to set before doing a low frequency sniff. - use `lf config` to set parameters. - use `data plot` to look at sniff signal. - use `lf search -1` to see if signal can be automatic decoded. If the number of samples is more than the device memory limit (40000 now), it will try to use the real-time sampling mode. usage: lf sniff [-hv@] [-s ] options: -h, --help This help -s, --samples number of samples to collect -v, --verbose verbose output -@ continuous sniffing mode examples/notes: lf sniff -v lf sniff -s 3000 -@ -> oscilloscope style --------------------------------------------------------------------------------------- lf tune Continuously measure LF antenna tuning. Press button or to interrupt. usage: lf tune [-hv] [-n ] [-q ] [-f ] [--bar] [--mix] [--value] options: -h, --help This help -n, --iter number of iterations (default: 0=infinite) -q, --divisor Frequency divisor. 
88 -> 134 kHz, 95 -> 125 kHz -f, --freq Frequency in kHz --bar bar style --mix mixed style --value values style -v, --verbose verbose output examples/notes: lf tune lf tune --mix --------------------------------------------------------------------------------------- mem spiffs { SPI File system } help This help baudrate Set Flash memory Spi baudrate dump Dump data from flash memory info Flash memory information load Load data to flash memory wipe Wipe data from flash memory --------------------------------------------------------------------------------------- mem spiffs help This help copy Copy a file to another (destructively) in SPIFFS file system check Check/try to defrag faulty/fragmented file system dump Dump a file from SPIFFS file system info Print file system info and usage statistics mount Mount the SPIFFS file system if not already mounted remove Remove a file from SPIFFS file system rename Rename/move a file in SPIFFS file system test Test SPIFFS Operations tree Print the Flash memory file system tree unmount Un-mount the SPIFFS file system upload Upload file into SPIFFS file system view View file on SPIFFS file system wipe Wipe all files from SPIFFS file system * dangerous * --------------------------------------------------------------------------------------- mem baudrate Set the baudrate for the SPI flash memory communications. Reading Flash ID will virtually always fail under 48MHz setting. Unless you know what you are doing, please stay at 24MHz. If >= 24MHz, FASTREADS instead of READS instruction will be used. 
usage: mem baudrate [-h] --mhz <24|48> options: -h, --help This help --mhz <24|48> SPI baudrate in MHz examples/notes: mem baudrate --mhz 48 --------------------------------------------------------------------------------------- mem dump Dumps flash memory on device into a file or view in console usage: mem dump [-hv] [-o ] [-l ] [-f ] [-c ] options: -h, --help This help -o, --offset offset in memory -l, --len length -v, --view view dump -f, --file save filename -c, --cols column breaks (def 32) examples/notes: mem dump -f myfile -> download all flashmem to file mem dump --view -o 262015 --len 128 -> display 128 bytes from offset 262015 (RSA sig) mem dump --view -f myfile -o 241664 --len 58 -> display 58 bytes from offset 241664 and save to file --------------------------------------------------------------------------------------- mem info Collect signature and verify it from flash memory usage: mem info [-hsv] [-d ] [-p ] options: -h, --help This help -s, --sign create a signature -d flash memory id, 8 hex bytes -p, --pem key in PEM format -v, --verbose verbose output examples/notes: mem info --------------------------------------------------------------------------------------- mem load Loads binary file into flash memory on device Warning: mem area to be written must have been wiped first ( dictionaries are serviced as files in spiffs so no wipe is needed ) usage: mem load [-hmit] [-o ] -f options: -h, --help This help -o, --offset offset in memory -m, --mifare, --mfc upload 6 bytes keys (mifare key dictionary) -i, --iclass upload 8 bytes keys (iClass key dictionary) -t, --t55xx upload 4 bytes keys (password dictionary) -f, --file file name examples/notes: mem load -f myfile -> upload file myfile values at default offset 0 mem load -f myfile -o 1024 -> upload file myfile values at offset 1024 mem load -f mfc_default_keys -m -> upload MFC keys mem load -f t55xx_default_pwds -t -> upload T55XX passwords mem load -f iclass_default_keys -i -> upload iCLASS keys 
--------------------------------------------------------------------------------------- mem wipe Wipe flash memory on device, which fills it with 0xFF [ !!! OBS ] use with caution usage: mem wipe [-h] [-p ] options: -h, --help This help -p 0,1,2 page memory examples/notes: mem wipe -p 0 -> wipes first page --------------------------------------------------------------------------------------- nfc -------- --------------------- NFC Tags -------------------- type1 { NFC Forum Tag Type 1... } type2 { NFC Forum Tag Type 2... } type4a { NFC Forum Tag Type 4 ISO14443A... } type4b { NFC Forum Tag Type 4 ISO14443B... } mf { NFC Type MIFARE Classic/Plus Tag... } barcode { NFC Barcode Tag... } -------- --------------------- General --------------------- help This help decode Decode NDEF records --------------------------------------------------------------------------------------- nfc type1 -------- -------------- NFC Forum Tag Type 1 --------------- read read NFC Forum Tag Type 1 -------- --------------------- General --------------------- help This help --------------------------------------------------------------------------------------- nfc type2 -------- -------------- NFC Forum Tag Type 2 --------------- read read NFC Forum Tag Type 2 -------- --------------------- General --------------------- help This help --------------------------------------------------------------------------------------- nfc type4a -------- --------- NFC Forum Tag Type 4 ISO14443A ---------- format format ISO-14443-a tag as NFC Tag read read NFC Forum Tag Type 4 A write write NFC Forum Tag Type 4 A st25taread read ST25TA as NFC Forum Tag Type 4 -------- --------------------- General --------------------- help This help --------------------------------------------------------------------------------------- nfc type4b -------- --------- NFC Forum Tag Type 4 ISO14443B ------------- read read NFC Forum Tag Type 4 B -------- --------------------- General --------------------- help This help 
---------------------------------------------------------------------------------------
nfc mf
    -------- --------- NFC Type MIFARE Classic/Plus Tag --------
    cformat         format MIFARE Classic Tag as NFC Tag
    cread           read NFC Type MIFARE Classic Tag
    cwrite          write NFC Type MIFARE Classic Tag
    pread           read NFC Type MIFARE Plus Tag
    -------- --------------------- General ---------------------
    help            This help
---------------------------------------------------------------------------------------
nfc barcode
    -------- ------------------ NFC Barcode --------------------
    read            read NFC Barcode
    sim             simulate NFC Barcode
    -------- --------------------- General ---------------------
    help            This help
---------------------------------------------------------------------------------------
nfc decode
Decode and print NFC Data Exchange Format (NDEF)
You must provide either data in hex or a filename, but not both

usage: nfc decode [-hv] [-d ] [-f ]

options:
    -h, --help              This help
    -d, --data              NDEF data to decode
    -f, --file              file to load
    -v, --verbose           verbose output

examples/notes:
    nfc decode -d 9101085402656e48656c6c6f5101085402656e576f726c64
    nfc decode -d 0103d020240203e02c040300fe
    nfc decode -f myfilename
---------------------------------------------------------------------------------------
piv
    help            This help
    select          Select the PIV applet
    getdata         Gets a container on a PIV card
    authsign        Authenticate with the card
    scan            Scan PIV card for known containers
    list            List ISO7816 history
---------------------------------------------------------------------------------------
piv select
Executes select applet command

usage: piv select [-hskatw] [--aid ]

options:
    -h, --help              This help
    -s, -S, --select        Activate field and select applet
    -k, -K, --keep          Keep field for next command
    -a, -A, --apdu          Show APDU requests and responses
    -t, -T, --tlv           TLV decode results
    -w, -W, --wired         Send data via contact (iso7816) interface. (def: Contactless interface)
    --aid                   Applet ID to select. By default A0000003080000100 will be used

examples/notes:
    piv select -s                                -> select card, select applet
    piv select -st --aid a00000030800001000      -> select card, select applet a00000030800001000, show result in TLV
---------------------------------------------------------------------------------------
piv getdata
Get a data container of a given tag

usage: piv getdata [-hskatw] [--aid ]

options:
    -h, --help              This help
    -s, -S, --select        Activate field and select applet
    -k, -K, --keep          Keep field for next command
    -a, -A, --apdu          Show APDU requests and responses
    -t, -T, --tlv           TLV decode results
    -w, -W, --wired         Send data via contact (iso7816) interface. (def: Contactless interface)
    --aid                   Applet ID to select. By default A0000003080000100 will be used
    Tag ID to read, between 1 and 3 bytes.

examples/notes:
    piv getdata -s 5fc102      -> select card, select applet, get card holder unique identifier
    piv getdata -st 5fc102     -> select card, select applet, get card holder unique identifier, show result in TLV
---------------------------------------------------------------------------------------
piv authsign
Send a nonce and ask the PIV card to sign it

usage: piv sign [-hskatw] [--aid ] --nonce [--slot ] [--alg ]

options:
    -h, --help              This help
    -s, -S, --select        Activate field and select applet
    -k, -K, --keep          Keep field for next command
    -a, -A, --apdu          Show APDU requests and responses
    -t, -T, --tlv           TLV decode results
    -w, -W, --wired         Send data via contact (iso7816) interface. (def: Contactless interface)
    --aid                   Applet ID to select. By default A0000003080000100 will be used
    --nonce                 Nonce to sign.
    --slot                  Slot number. Default will be 0x9E (card auth cert).
    --alg                   Algorithm to use to sign. Example values: 06=RSA-1024, 07=RSA-2048, 17=ECC-P256 (default), 20=ECC-P384

examples/notes:
    piv sign -sk     -> select card, select applet, sign a NULL nonce
---------------------------------------------------------------------------------------
piv scan
Scan a PIV card for known containers

usage: piv scan [-hskatw] [--aid ]

options:
    -h, --help              This help
    -s, -S, --select        Activate field and select applet
    -k, -K, --keep          Keep field for next command
    -a, -A, --apdu          Show APDU requests and responses
    -t, -T, --tlv           TLV decode results
    -w, -W, --wired         Send data via contact (iso7816) interface. (def: Contactless interface)
    --aid                   Applet ID to select. By default A0000003080000100 will be used

examples/notes:
    piv scan -s                                -> select card, select applet and run scan
    piv scan -st --aid a00000030800001000      -> select card, select applet a00000030800001000, show result of the scan in TLV
---------------------------------------------------------------------------------------
piv list
Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`) or it will be downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol

usage: piv list [-h1crux] [--frame] [-f ]

options:
    -h, --help              This help
    -1, --buffer            use data from trace buffer
    --frame                 show frame delay times
    -c                      mark CRC bytes
    -r                      show relative times (gap and duration)
    -u                      display times in microseconds instead of clock cycles
    -x                      show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
    -f, --file              filename of dictionary

examples/notes:
    piv list --frame     -> show frame delay times
    piv list -1          -> use trace buffer
---------------------------------------------------------------------------------------
smart
    ---------- ------------------- General -------------------
    help            This help
    list            List ISO 7816 history
    ---------- ------------------- Operations -------------------
    brute           Bruteforce SFI
    info            Tag information
    pcsc            Turn pm3 into pcsc reader and relay to host OS via vpcd
    reader          Act like an ISO7816 reader
    raw             Send raw hex data to tag
    upgrade         Upgrade sim module firmware
    setclock        Set clock speed
---------------------------------------------------------------------------------------
smart list
Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`) or it will be downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol

usage: smart list [-h1crux] [--frame] [-f ]

options:
    -h, --help              This help
    -1, --buffer            use data from trace buffer
    --frame                 show frame delay times
    -c                      mark CRC bytes
    -r                      show relative times (gap and duration)
    -u                      display times in microseconds instead of clock cycles
    -x                      show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
    -f, --file              filename of dictionary

examples/notes:
    smart list --frame     -> show frame delay times
    smart list -1          -> use trace buffer
---------------------------------------------------------------------------------------
smart brute
Tries to bruteforce SFI, using a known list of AIDs

usage: smart brute [-ht]

options:
    -h, --help              This help
    -t, --tlv               executes TLV decoder if possible

examples/notes:
    smart brute -t
---------------------------------------------------------------------------------------
smart info
Extract more detailed information from smart card.

usage: smart info [-hv]

options:
    -h, --help              This help
    -v, --verbose           verbose output

examples/notes:
    smart info -v
---------------------------------------------------------------------------------------
smart pcsc
Make pm3 available to host OS smartcard driver via vpcd to enable use with other software such as GlobalPlatform Pro

usage: smart pcsc [-hvabc] [--host ] [-p ]

options:
    -h, --help              This help
    --host                  vpcd socket host (default: localhost)
    -p, --port              vpcd socket port (default: 35963)
    -v, --verbose           display APDU transactions between OS and card
    -a                      use ISO 14443A contactless interface
    -b                      use ISO 14443B contactless interface
    -c                      use ISO 7816 contact interface

examples/notes:
    Requires the virtual smartcard daemon to be installed and running
    see https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html
    note: `-v` shows APDU transactions between OS and card
---------------------------------------------------------------------------------------
smart reader
Act as a smart card reader.

usage: smart reader [-hv]

options:
    -h, --help              This help
    -v, --verbose           verbose output

examples/notes:
    smart reader
---------------------------------------------------------------------------------------
smart raw
Sends raw bytes to card

usage: smart raw [-hrast0] [--timeout ] -d

options:
    -h, --help              This help
    -r                      do not read response
    -a                      active smartcard without select (reset sc module)
    -s                      active smartcard with select (get ATR)
    -t, --tlv               executes TLV decoder if possible
    -0                      use protocol T=0
    --timeout               Timeout in MS waiting for SIM to respond. (def 337ms)
    -d, --data              bytes to send

examples/notes:
    smart raw -s -0 -d 00a404000e315041592e5359532e4444463031     -> `1PAY.SYS.DDF01` PPSE directory with get ATR
    smart raw -0 -d 00a404000e325041592e5359532e4444463031        -> `2PAY.SYS.DDF01` PPSE directory
    smart raw -0 -t -d 00a4040007a0000000041010                   -> Mastercard
    smart raw -0 -t -d 00a4040007a0000000031010                   -> Visa
---------------------------------------------------------------------------------------
smart upgrade
[!] WARNING - sim module firmware upgrade
[!] A dangerous command, do wrong and you could brick the sim module
[=] --------------------------------------------------------------------
Upgrade RDV4 sim module firmware

usage: smart upgrade [-h] -f

options:
    -h, --help              This help
    -f, --file              Specify firmware file name

examples/notes:
    smart upgrade -f sim014.bin
---------------------------------------------------------------------------------------
smart setclock
Set clock speed for smart card interface.

usage: smart setclock [-h] [--16mhz] [--8mhz] [--4mhz]

options:
    -h, --help              This help
    --16mhz                 16 MHz clock speed
    --8mhz                  8 MHz clock speed
    --4mhz                  4 MHz clock speed

examples/notes:
    smart setclock --4mhz
    smart setclock --16mhz
---------------------------------------------------------------------------------------
script
    help            This help
    list            List available scripts
    run             - execute a script
---------------------------------------------------------------------------------------
script list
List available Lua, Cmd and Python scripts

usage: script list [-h]

options:
    -h, --help              This help

examples/notes:
    script list
---------------------------------------------------------------------------------------
script run
Run a Lua, Cmd or Python script.
If no extension it will search for lua/cmd/py extensions
Use `script list` to see available scripts

usage: script run [-h] []...

options:
    -h, --help              This help
                            name of script to run
                            script parameters

examples/notes:
    script run my_script -h
---------------------------------------------------------------------------------------
trace
    help            This help
    extract         Extract authentication challenges found in trace
    list            List protocol data in trace buffer
    load            Load trace from file
    save            Save trace buffer to file
---------------------------------------------------------------------------------------
trace extract
Extracts protocol authentication challenges from trace buffer

usage: trace extract [-h1]

options:
    -h, --help              This help
    -1, --buffer            use data from trace buffer

examples/notes:
    trace extract
    trace extract -1
---------------------------------------------------------------------------------------
trace list
Annotate trace buffer with selected protocol data
You can load a trace from file (see `trace load -h`) or it will be downloaded from the device by default

usage: trace list [-h1crux] [--frame] [-t ] [-f ]

options:
    -h, --help              This help
    -1, --buffer            use data from trace buffer
    --frame                 show frame delay times
    -c                      mark CRC bytes
    -r                      show relative times (gap and duration)
    -u                      display times in microseconds instead of clock cycles
    -x                      show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
    -t, --type              protocol to annotate the trace
    -f, --file              filename of dictionary

examples/notes:
    trace list -t raw                         -> just show raw data without annotations
    trace list -t 14a                         -> interpret as ISO14443-A
    trace list -t 14b                         -> interpret as ISO14443-B
    trace list -t 15                          -> interpret as ISO15693
    trace list -t 7816                        -> interpret as ISO7816-4
    trace list -t cryptorf                    -> interpret as CryptoRF
    trace list -t des                         -> interpret as MIFARE DESFire
    trace list -t felica                      -> interpret as ISO18092 / FeliCa
    trace list -t hitag1                      -> interpret as Hitag 1
    trace list -t hitag2                      -> interpret as Hitag 2
    trace list -t hitags                      -> interpret as Hitag S
    trace list -t iclass                      -> interpret as iCLASS
    trace list -t legic                       -> interpret as LEGIC
    trace list -t lto                         -> interpret as LTO-CM
    trace list -t mf                          -> interpret as MIFARE Classic and decrypt crypto1 stream
    trace list -t seos                        -> interpret as SEOS
    trace list -t thinfilm                    -> interpret as Thinfilm
    trace list -t topaz                       -> interpret as Topaz
    trace list -t mfp                         -> interpret as MIFARE Plus
    trace list -t fmcos20                     -> interpret as FMCOS 2.0
    trace list -t mf -f mfc_default_keys.dic  -> use default dictionary file
    trace list -t 14a --frame                 -> show frame delay times
    trace list -t 14a -1                      -> use trace buffer
---------------------------------------------------------------------------------------
trace load
Load protocol data from binary file to trace buffer
File extension is <.trace>

usage: trace load [-h] -f

options:
    -h, --help              This help
    -f, --file              Specify trace file to load

examples/notes:
    trace load -f mytracefile     -> w/o file extension
---------------------------------------------------------------------------------------
trace save
Save protocol data from trace buffer to binary file
File extension is <.trace>

usage: trace save [-h] -f

options:
    -h, --help              This help
    -f, --file              Specify trace file to save

examples/notes:
    trace save -f mytracefile     -> w/o file extension
---------------------------------------------------------------------------------------
wiegand
    help            This help
    list            List available wiegand formats
    encode          Encode to wiegand raw hex (currently for HID Prox)
    decode          Convert raw hex to decoded wiegand format (currently for HID Prox)
---------------------------------------------------------------------------------------
wiegand list
List available wiegand formats

usage: wiegand info [-h]

options:
    -h, --help              This help

examples/notes:
    wiegand list
---------------------------------------------------------------------------------------
wiegand encode
Encode wiegand formatted number to raw hex

usage: wiegand encode [-h] [--fc ] --cn [--issue ] [--oem ] [-w ] [--pre]

options:
    -h, --help              This help
    --fc                    facility number
    --cn                    card number
    --issue                 issue level
    --oem                   OEM code
    -w, --wiegand           see `wiegand list` for available formats
    --pre                   add HID ProxII preamble to wiegand output

examples/notes:
    wiegand encode --fc 101 --cn 1337               -> show all formats
    wiegand encode -w H10301 --fc 101 --cn 1337     -> H10301 format
---------------------------------------------------------------------------------------
wiegand decode
Decode raw hex or binary to wiegand format

usage: wiegand decode [-h] [-r ] [-b ]

options:
    -h, --help              This help
    -r, --raw               raw hex to be decoded
    -b, --bin               binary string to be decoded

examples/notes:
    wiegand decode --raw 2006f623ae
---------------------------------------------------------------------------------------
prefs get
    barmode         Get bar mode preference
    client.debug    Get client debug level preference
    client.delay    Get client execution delay preference
    client.timeout  Get client execution delay preference
    color           Get color support preference
    savepaths       Get file folder
    emoji           Get emoji display preference
    hints           Get hint display preference
    output          Get dump output style preference
    plotsliders     Get plot slider display preference
---------------------------------------------------------------------------------------
prefs get barmode
Get preference of HF/LF tune command styled output in the client

usage: prefs get barmode [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get barmode
---------------------------------------------------------------------------------------
prefs get client.debug
Get preference of using clientside debug level

usage: prefs get client.debug [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get client.debug
---------------------------------------------------------------------------------------
prefs get client.delay
Get preference of delay time before execution of a command in the client

usage: prefs get client.delay [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get client.delay
---------------------------------------------------------------------------------------
prefs get client.timeout
Get preference of delay time before execution of a command in the client

usage: prefs get client.timeout [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get client.timeout
---------------------------------------------------------------------------------------
prefs get color
Get preference of using colors in the client

usage: prefs get color [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get color
---------------------------------------------------------------------------------------
prefs get savepaths
Get preference of file paths in the client

usage: prefs get savepaths [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get savepaths
---------------------------------------------------------------------------------------
prefs get emoji
Get preference of using emojis in the client

usage: prefs get emoji [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get emoji
---------------------------------------------------------------------------------------
prefs get hints
Get preference of showing hint messages in the client

usage: prefs get hints [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get hints
---------------------------------------------------------------------------------------
prefs get output
Get preference of dump output style

usage: prefs get output [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get output
---------------------------------------------------------------------------------------
prefs get plotsliders
Get preference of showing the plotslider control in the client

usage: prefs get plotsliders [-h]

options:
    -h, --help              This help

examples/notes:
    prefs get plotsliders
---------------------------------------------------------------------------------------
prefs set
    help            This help
    barmode         Set bar mode
    client.debug    Set client debug level
    client.delay    Set client execution delay
    client.timeout  Set client communication timeout
    color           Set color support
    emoji           Set emoji display
    hints           Set hint display
    savepaths       ... to be adjusted next ...
    output          Set dump output style
    plotsliders     Set plot slider display
---------------------------------------------------------------------------------------
prefs set barmode
Set persistent preference of HF/LF tune command styled output in the client

usage: prefs set barmode [-h] [--bar] [--mix] [--val]

options:
    -h, --help              This help
    --bar                   measured values as bar only
    --mix                   measured values as numbers and bar
    --val                   measured values only

examples/notes:
    prefs set barmode --mix
---------------------------------------------------------------------------------------
prefs set client.debug
Set persistent preference of using clientside debug level

usage: prefs set client.debug [-h] [--off] [--simple] [--full]

options:
    -h, --help              This help
    --off                   no debug messages
    --simple                simple debug messages
    --full                  full debug messages

examples/notes:
    prefs set client.debug --simple
---------------------------------------------------------------------------------------
prefs set client.delay
Set persistent preference of delay before executing a command in the client

usage: prefs set client.delay [-h] [--ms ]

options:
    -h, --help              This help
    --ms                    delay in microseconds

examples/notes:
    prefs set client.delay --ms 0        -> unsets any delay
    prefs set client.delay --ms 1000     -> sets 1000ms delay
---------------------------------------------------------------------------------------
prefs set client.timeout
Set persistent preference of client communication timeout

usage: prefs set client.timeout [-h] [-m ]

options:
    -h, --help              This help
    -m, --ms                timeout in microseconds

examples/notes:
    prefs set client.timeout --ms 0       -> unsets any timeout
    prefs set client.timeout -m 20        -> Set the timeout to 20ms
    prefs set client.timeout --ms 500     -> Set the timeout to 500ms
---------------------------------------------------------------------------------------
prefs set color
Set persistent preference of using colors in the client

usage: prefs set color [-h] [--ansi] [--off]

options:
    -h, --help              This help
    --ansi                  use ANSI colors
    --off                   don't use colors

examples/notes:
    prefs set color --ansi
---------------------------------------------------------------------------------------
prefs set emoji
Set persistent preference of using emojis in the client

usage: prefs set emoji [-h] [--alias] [--emoji] [--alttext] [--none]

options:
    -h, --help              This help
    --alias                 show alias for emoji
    --emoji                 show emoji
    --alttext               show alt text for emoji
    --none                  don't show emoji or text

examples/notes:
    prefs set emoji --alias
---------------------------------------------------------------------------------------
prefs set hints
Set persistent preference of showing hint messages in the client

usage: prefs set hints [-h] [--off] [--on]

options:
    -h, --help              This help
    --off                   hide hints
    --on                    show hints

examples/notes:
    prefs set hints --on
---------------------------------------------------------------------------------------
prefs set savepaths
Set persistent preference of file paths in the client

usage: prefs set savepaths [-hc] [--def ] [--dump ] [--trace ]

options:
    -h, --help              This help
    -c, --create            create directory if it does not exist
    --def                   default path
    --dump                  dump file path
    --trace                 trace path

examples/notes:
    prefs set savepaths --dump /home/mydumpfolder     -> all dump files will be saved into this folder
    prefs set savepaths --def /home/myfolder -c       -> create if needed, all files will be saved into this folder
---------------------------------------------------------------------------------------
prefs set output
Set dump output style to condense consecutive repeated data

usage: prefs set output [-h] [--normal] [--dense]

options:
    -h, --help              This help
    --normal                normal output
    --dense                 dense output

examples/notes:
    prefs set output --normal     -> sets the output style to normal
    prefs set output --dense      -> sets the output style to dense
---------------------------------------------------------------------------------------
prefs set plotsliders
Set persistent preference of showing the plotslider control in the client

usage: prefs set plotsliders [-h] [--off] [--on]

options:
    -h, --help              This help
    --off                   hide plot slider controls
    --on                    show plot slider controls

examples/notes:
    prefs set plotsliders --on
---------------------------------------------------------------------------------------
hf 14a
    ----------- ----------------------- General -----------------------
    help            This help
    list            List ISO 14443-a history
    ----------- ---------------------- Operations ---------------------
    antifuzz        Fuzzing the anticollision phase. Warning! Readers may react strangely
    config          Configure 14a settings (use with caution)
    cuids           Collect n>0 ISO14443-a UIDs in one go
    info            Tag information
    sim             Simulate ISO 14443-a tag
    simaid          Simulate ISO 14443-a AID Selection
    sniff           sniff ISO 14443-a traffic
    raw             Send raw hex data to tag
    reader          Act like an ISO14443-a reader
    ----------- ------------------------- APDU -------------------------
    apdu            Send ISO 14443-4 APDU to tag
    apdufind        Enumerate APDUs - CLA/INS/P1P2
    chaining        Control ISO 14443-4 input chaining
    ----------- ------------------------- NDEF -------------------------
    ndefformat      Format ISO 14443-A as NFC Type 4 tag
    ndefread        Read an NDEF file from ISO 14443-A Type 4 tag
    ndefwrite       Write NDEF records to ISO 14443-A tag
---------------------------------------------------------------------------------------
hf 14a list
Alias of `trace list -t 14a -c` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`) or it will be downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage: hf 14a list [-h1crux] [--frame] [-f ]
options:
  -h, --help    This help
  -1, --buffer  use data from trace buffer
  --frame       show frame delay times
  -c            mark CRC bytes
  -r            show relative times (gap and duration)
  -u            display times in microseconds instead of clock cycles
  -x            show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file    filename of trace file to load (instead of downloading the trace from the device)
examples/notes:
  hf 14a list --frame -> show frame delay times
  hf 14a list -1      -> use trace buffer
---------------------------------------------------------------------------------------
hf 14a antifuzz
Tries to fuzz the ISO14443a anticollision phase
usage: hf 14a antifuzz [-h47] [--10]
options:
  -h, --help  This help
  -4          4 byte uid
  -7          7 byte uid
  --10        10 byte uid
examples/notes:
  hf 14a antifuzz -4
---------------------------------------------------------------------------------------
hf 14a config
Configure 14a settings (use with caution)
`-v` also prints examples for reviving Gen2 cards
usage: hf 14a config [-hv] [--atqa ] [--bcc ] [--cl2 ] [--cl3 ] [--rats ] [--std]
options:
  -h, --help     This help
  --atqa         Configure ATQA<>anticollision behavior
  --bcc          Configure BCC behavior
  --cl2          Configure SAK<>CL2 behavior
  --cl3          Configure SAK<>CL3 behavior
  --rats         Configure RATS behavior
  --std          Reset default configuration: follow all standard
  -v, --verbose  verbose output
examples/notes:
  hf 14a config              -> Print current configuration
  hf 14a config --std        -> Reset default configuration (follow standard)
  hf 14a config --atqa std   -> Follow standard
  hf 14a config --atqa force -> Force execution of anticollision
  hf 14a config --atqa skip  -> Skip anticollision
  hf 14a config --bcc std    -> Follow standard
  hf 14a config --bcc fix    -> Fix bad BCC in anticollision
  hf 14a config --bcc ignore -> Ignore bad BCC and use it as such
  hf 14a config --cl2 std    -> Follow standard
  hf 14a config --cl2 force  -> Execute CL2
  hf 14a config --cl2 skip   -> Skip CL2
  hf 14a config --cl3 std    -> Follow standard
  hf 14a config --cl3 force  -> Execute CL3
  hf 14a config --cl3 skip   -> Skip CL3
  hf 14a config --rats std   -> Follow standard
  hf 14a config --rats force -> Execute RATS
  hf 14a config --rats skip  -> Skip RATS
---------------------------------------------------------------------------------------
hf 14a cuids
Collect n>0 ISO14443-a UIDs in one go
usage: hf 14a cuids [-h] [-n ]
options:
  -h, --help  This help
  -n, --num   Number of UIDs to collect
examples/notes:
  hf 14a cuids -n 5 -> Collect 5 UIDs
---------------------------------------------------------------------------------------
hf 14a info
This command makes more extensive tests against an ISO14443a tag in order to collect information
usage: hf 14a info [-hvns]
options:
  -h, --help       This help
  -v, --verbose    verbose output
  -n, --nacktest   test for nack bug
  -s, --aidsearch  checks if AIDs from aidlist.json are present on the card and prints information about found AIDs
examples/notes:
  hf 14a info -nsv -> shows full information about the card
---------------------------------------------------------------------------------------
hf 14a sim
Simulate ISO/IEC 14443 type A tag with 4, 7 or 10 byte UID
Use type 7 for Mifare Ultralight EV1, Amiibo (NTAG215 pack 0x8080)
usage: hf 14a sim [-hxv] -t <1-12> [-u ] [-n ] [--sk]
options:
  -h, --help         This help
  -t, --type <1-12>  Simulation type to use
  -u, --uid          <4|7|10> hex bytes UID
  -n, --num          Exit simulation after blocks have been read by reader. 0 = infinite
  -x                 Performs the 'reader attack', nr/ar attack against a reader
  --sk               Fill simulator keys from found keys
  -v, --verbose      verbose output
examples/notes:
  hf 14a sim -t 1 --uid 11223344 -> MIFARE Classic 1k
  hf 14a sim -t 2  -> MIFARE Ultralight
  hf 14a sim -t 3  -> MIFARE Desfire
  hf 14a sim -t 4  -> ISO/IEC 14443-4
  hf 14a sim -t 5  -> MIFARE Tnp3xxx
  hf 14a sim -t 6  -> MIFARE Mini
  hf 14a sim -t 7  -> MFU EV1 / NTAG 215 Amiibo
  hf 14a sim -t 8  -> MIFARE Classic 4k
  hf 14a sim -t 9  -> FM11RF005SH Shanghai Metro
  hf 14a sim -t 10 -> ST25TA IKEA Rothult
  hf 14a sim -t 11 -> Javacard (JCOP)
  hf 14a sim -t 12 -> 4K Seos card
---------------------------------------------------------------------------------------
hf 14a simaid
Simulate ISO/IEC 14443 type A tag with 4, 7 or 10 byte UID, and filter for AID values
The simulator answers a SELECT of the given AID with the `--response` bytes and answers the Get Data APDU that follows with the `--apdu` bytes
usage: hf 14a simaid [-hx] -t <1-12> [-u ] [-r ] [-a ] [-e ] [-p ]
options:
  -h, --help         This help
  -t, --type <1-12>  Simulation type to use
  -u, --uid          <4|7|10> hex bytes UID
  -r, --rats         <0-20> hex bytes RATS
  -a, --aid          <0-100> hex bytes for AID to respond to (Default: A000000000000000000000)
  -e, --response     <0-100> hex bytes for APDU Response to AID Select (Default: 9000)
  -p, --apdu         <0-100> hex bytes for APDU Response to Get Data request after AID (Default: 9000)
  -x, --enumerate    Enumerate all AID values via returning Not Found and print them to console
examples/notes:
  hf 14a simaid -t 3  -> MIFARE Desfire
  hf 14a simaid -t 4  -> ISO/IEC 14443-4
  hf 14a simaid -t 11 -> Javacard (JCOP)
  hf 14a simaid -t 3 --aid a000000000000000000000 --response 9000 --apdu 9000 -> AID, Response and APDU
  hf 14a simaid -t 3 --rats 05788172220101 --response 01009000 --apdu 86009000  -> Custom RATS Added
  hf 14a simaid -t 3 --rats 05788172220101 -x -> Enumerate AID Values
---------------------------------------------------------------------------------------
hf 14a sniff
Sniff the communication between reader and tag
Use `hf 14a list` to view collected data.
usage: hf 14a sniff [-hcri]
options:
  -h, --help         This help
  -c, --card         triggered by first data from card
  -r, --reader       triggered by first 7-bit request from reader (REQ, WUP)
  -i, --interactive  Console will not be returned until sniff finishes or is aborted
examples/notes:
  hf 14a sniff -c -r
---------------------------------------------------------------------------------------
hf 14a raw
Sends raw bytes over ISO14443a. With option to use TOPAZ 14a mode.
usage: hf 14a raw [-hack3rsv] [-t ] [-b ] [--ecp] [--mag] [--topaz] [--crypto1] []...
options:
  -h, --help     This help
  -a             Active signal field ON without select
  -c             Calculate and append CRC
  -k             Keep signal field ON after receive
  -3             ISO14443-3 select only (skip RATS)
  -r             Do not read response
  -s             Active signal field ON with select
  -t, --timeout  Timeout in milliseconds
  -b             Number of bits to send. Useful for sending a partial byte
  -v, --verbose  Verbose output
  --ecp          Use enhanced contactless polling
  --mag          Use Apple magsafe polling
  --topaz        Use Topaz protocol to send command
  --crypto1      Use crypto1 session
  (positional)   Raw bytes to send
examples/notes:
  hf 14a raw -sc 3000    -> select, crc, where 3000 == 'read block 00'
  hf 14a raw -ak -b 7 40 -> send 7 bit byte 0x40
  hf 14a raw --ecp -s    -> send ECP before select
  Crypto1 session example, with special auth shortcut 6xxx:
  hf 14a raw --crypto1 -skc 6000FFFFFFFFFFFF
  hf 14a raw --crypto1 -kc 3000
  hf 14a raw --crypto1 -kc 6007FFFFFFFFFFFF
  hf 14a raw --crypto1 -c 3007
---------------------------------------------------------------------------------------
hf 14a reader
Act as an ISO-14443a reader to identify tag.
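
What `hf 14a config --bcc/--cl2/--cl3` toggles and what `hf 14a raw -c` appends, as an added Python example that is not Proxmark3 client code: it splits a 4-, 7- or 10-byte UID into the cascade levels of ISO/IEC 14443-3 (cascade tag 0x88 where more bytes follow), computes the BCC, builds the SELECT frame of each level with CRC_A, and validates a received anticollision reply. The constants are from ISO/IEC 14443-3; the function names and the sample UIDs are this example's own.

```python
"""ISO/IEC 14443-3 Type A framing helpers: CRC_A, cascade levels and BCC.

Added example for this help page; not Proxmark3 client code. Constants
(cascade tag 0x88, SEL codes 0x93/0x95/0x97, NVB 0x70, CRC_A preset 0x6363)
come from ISO/IEC 14443-3; function names are this example's own.
"""
from typing import List

CASCADE_TAG = 0x88               # leads CL1/CL2 when more UID bytes follow
SEL_CODES = (0x93, 0x95, 0x97)   # SELECT/anticollision code for cascade level 1, 2, 3
NVB_FULL = 0x70                  # number of valid bits: full 7 bytes (SEL NVB uid0..3 BCC)
SAK_UID_INCOMPLETE = 0x04        # SAK bit 3 set: another cascade level follows


def crc16_reflected(data: bytes, preset: int) -> int:
    """Reflected CRC-16, polynomial 0x8408 (the CCITT form ISO 14443 uses)."""
    crc = preset
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return crc


def crc_a(data: bytes) -> bytes:
    """CRC_A: preset 0x6363, no final XOR, transmitted LSB first (what `hf 14a raw -c` appends)."""
    crc = crc16_reflected(data, 0x6363)
    return bytes((crc & 0xFF, crc >> 8))


def bcc(cln: bytes) -> int:
    """Block check character: XOR of the four UID bytes of one cascade level."""
    if len(cln) != 4:
        raise ValueError("a cascade level carries exactly 4 UID bytes")
    x = 0
    for b in cln:
        x ^= b
    return x


def cascade_levels(uid: bytes) -> List[bytes]:
    """Split a 4-, 7- or 10-byte UID into the 4-byte groups sent at CL1..CL3 (BCC excluded)."""
    if len(uid) == 4:
        return [uid]
    if len(uid) == 7:
        return [bytes([CASCADE_TAG]) + uid[:3], uid[3:]]
    if len(uid) == 10:
        return [bytes([CASCADE_TAG]) + uid[:3], bytes([CASCADE_TAG]) + uid[3:6], uid[6:]]
    raise ValueError("UID must be 4, 7 or 10 bytes")


def select_frames(uid: bytes) -> List[bytes]:
    """One SELECT frame per cascade level: SEL NVB uid0..uid3 BCC CRC_A."""
    frames = []
    for sel, cln in zip(SEL_CODES, cascade_levels(uid)):
        body = bytes([sel, NVB_FULL]) + cln + bytes([bcc(cln)])
        frames.append(body + crc_a(body))
    return frames


def check_anticollision_reply(reply: bytes) -> bool:
    """Validate a 5-byte anticollision reply (uid0..uid3 BCC).

    False is the case `hf 14a config --bcc fix` repairs and `--bcc ignore` passes through.
    """
    if len(reply) != 5:
        raise ValueError("expected 4 UID bytes + BCC")
    return bcc(reply[:4]) == reply[4]


def uid_complete(sak: int) -> bool:
    """SAK bit 3 clear: UID complete. Set: continue with the next cascade level (CL2/CL3)."""
    return not (sak & SAK_UID_INCOMPLETE)


if __name__ == "__main__":
    # constructed 7-byte UID, not read from a real tag
    for frame in select_frames(bytes.fromhex("04112233445566")):
        print(frame.hex())
    cmd = bytes.fromhex("3000")                  # MIFARE READ block 0, as in `hf 14a raw -sc 3000`
    print((cmd + crc_a(cmd)).hex())
```

`crc_a(bytes.fromhex("3000"))` yields `02a8`, so `hf 14a raw -sc 3000` puts `30 00 02 a8` on the air; for the ISO/IEC 14443-3 Annex B check value, `crc_a(b"\x00\x00")` yields `a0 1e`. A 7-byte UID produces two SELECT frames (CL1 carrying `88 uid0 uid1 uid2`), a 10-byte UID three, which is what `--cl2 skip` / `--cl3 skip` cut short.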
Look for ISO-14443a tags until Enter or the pm3 button is pressed
usage: hf 14a reader [-hks@w] [--drop] [--skip] [--ecp] [--mag]
options:
  -h, --help    This help
  -k, --keep    keep the field active after command executed
  -s, --silent  silent (no messages)
  --drop        just drop the signal field
  --skip        ISO14443-3 select only (skip RATS)
  --ecp         Use enhanced contactless polling
  --mag         Use Apple magsafe polling
  -@            continuous reader mode
  -w, --wait    wait for card
examples/notes:
  hf 14a reader
  hf 14a reader -@    -> Continuous mode
  hf 14a reader --ecp -> trigger apple enhanced contactless polling
  hf 14a reader --mag -> trigger apple magsafe polling
---------------------------------------------------------------------------------------
hf 14a apdu
Sends an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol (T=CL). Works with all APDU types from ISO 7816-4:2013
note: `-m` and `-d` go hand in hand
  -m -d 325041592E5359532E4444463031
OR use `-d` with complete APDU data
  -d 00A404000E325041592E5359532E444446303100
usage: hf 14a apdu [-hskte] [--decode] [-m ] [-l ] -d [-d ]...
options:
  -h, --help      This help
  -s, --select    activate field and select card
  -k, --keep      keep signal field ON after receive
  -t, --tlv       decode TLV
  --decode        decode APDU request
  -m, --make      APDU header, 4 bytes
  -e, --extended  make extended length apdu if `m` parameter included
  -l, --le        Le APDU parameter if `m` parameter included
  -d, --data      full APDU package or data if `m` parameter included
examples/notes:
  hf 14a apdu -st -d 00A404000E325041592E5359532E444446303100
  hf 14a apdu -sd -d 00A404000E325041592E5359532E444446303100 -> decode apdu
  hf 14a apdu -sm 00A40400 -d 325041592E5359532E4444463031 -l 256    -> encode standard apdu
  hf 14a apdu -sm 00A40400 -d 325041592E5359532E4444463031 -el 65536 -> encode extended apdu
---------------------------------------------------------------------------------------
hf 14a apdufind
Enumerate APDUs of the ISO7816 protocol to find valid CLA/INS/P1/P2 commands.
It loops all 256 possible values for each byte. The loop order is INS -> P1/P2 (alternating) -> CLA.
Tag must be on antenna before running.
usage: hf 14a apdufind [-hlv] [-c ] [-i ] [--p1 ] [--p2 ] [-r ] [-e ] [-s ]...
options:
  -h, --help         This help
  -c, --cla          Start value of CLASS (1 hex byte)
  -i, --ins          Start value of INSTRUCTION (1 hex byte)
  --p1               Start value of P1 (1 hex byte)
  --p2               Start value of P2 (1 hex byte)
  -r, --reset        Minimum seconds before resetting the tag (to prevent timeout issues). Default is 5 minutes
  -e, --error-limit  Maximum times a status word other than 0x9000 or 0x6D00 is shown. Default is 512.
  -s, --skip-ins     Do not test an instruction (can be specified multiple times)
  -l, --with-le      Search for APDUs with Le=0 (case 2S) as well
  -v, --verbose      Verbose output
examples/notes:
  hf 14a apdufind
  hf 14a apdufind --cla 80
  hf 14a apdufind --cla 80 --error-limit 20 --skip-ins a4 --skip-ins b0 --with-le
---------------------------------------------------------------------------------------
hf 14a chaining
Enable/Disable ISO14443a input chaining. Maximum input length is taken from the ATS.
usage: hf 14a chaining [-h10]
options:
  -h, --help  This help
  -1, --on    enable chaining
  -0, --off   disable chaining
examples/notes:
  hf 14a chaining       -> show chaining enable/disable state
  hf 14a chaining --off -> disable chaining
---------------------------------------------------------------------------------------
hf 14a ndefformat
Format ISO14443-a Tag as an NFC tag with Data Exchange Format (NDEF)
usage: hf 14a ndefformat [-hv]
options:
  -h, --help     This help
  -v, --verbose  verbose output
examples/notes:
  hf 14a ndefformat
---------------------------------------------------------------------------------------
hf 14a ndefread
Read NFC Data Exchange Format (NDEF) file on Type 4 NDEF tag
usage: hf 14a ndefread [-hv] [-f ]
options:
  -h, --help     This help
  -f, --file     save raw NDEF to file
  -v, --verbose  verbose output
examples/notes:
  hf 14a ndefread
  hf 14a ndefread -f myfilename -> save raw NDEF to file
---------------------------------------------------------------------------------------
hf 14a ndefwrite
Write raw NDEF hex bytes to tag. This command assumes the tag has already been NFC/NDEF formatted.
usage: hf 14a ndefwrite [-hpv] [-d ] [-f ]
options:
  -h, --help     This help
  -d             raw NDEF hex bytes
  -f, --file     write raw NDEF file to tag
  -p             fix NDEF record headers / terminator block if missing
  -v, --verbose  verbose output
examples/notes:
  hf 14a ndefwrite -d 0300FE -> write empty record to tag
  hf 14a ndefwrite -f myfilename
  hf 14a ndefwrite -d 003fd1023a53709101195405656e2d55534963656d616e6e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031
---------------------------------------------------------------------------------------
hf 14b
--------- ----------------------- General -----------------------
  help      This help
  list      List ISO-14443-B history
--------- ----------------------- Operations -----------------------
  apdu      Send ISO 14443-4 APDU to tag
  dump      Read all memory pages of an ISO-14443-B tag, save to file
  info      Tag information
  ndefread  Read NDEF file on tag
  raw       Send raw hex data to tag
  rdbl      Read SRI512/SRIX4 block
  reader    Act as an ISO-14443-B reader to identify a tag
  restore   Restore from file to all memory pages of an ISO-14443-B tag
  sim       Fake an ISO-14443-B tag
  sniff     Eavesdrop ISO-14443-B
  wrbl      Write data to a SRI512/SRIX4 tag
  view      Display content from tag dump file
  valid     SRIX4 checksum test
--------- ------------------ Calypso / Mobib ------------------
  calypso   Read contents of a Calypso card
  mobib     Read contents of a Mobib card
--------- ------------------------- Magic -----------------------
  setuid    Set UID for magic card
---------------------------------------------------------------------------------------
hf 14b list
Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`), otherwise it is downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage: hf 14b list [-h1crux] [--frame] [-f ]
options:
  -h, --help    This help
  -1, --buffer  use data from trace buffer
  --frame       show frame delay times
  -c            mark CRC bytes
  -r            show relative times (gap and duration)
  -u            display times in microseconds instead of clock cycles
  -x            show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file    filename of trace file to load (instead of downloading the trace from the device)
examples/notes:
  hf 14b list --frame -> show frame delay times
  hf 14b list -1      -> use trace buffer
---------------------------------------------------------------------------------------
hf 14b apdu
Sends an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol (T=CL). Works with all APDU types from ISO 7816-4:2013
usage: hf 14b apdu [-hskte] [--decode] [-m ] [-l ] -d [--timeout ]
options:
  -h, --help      This help
  -s, --select    activate field and select card
  -k, --keep      leave the signal field ON after receive response
  -t, --tlv       run the TLV decoder on the response if possible
  --decode        decode apdu request if possible
  -m, --make      make apdu with head from this field and data from data field. must be 4 bytes:
  -e, --extended  make extended length apdu if `m` parameter included
  -l, --le        Le apdu parameter if `m` parameter included
  -d, --data      if `m` parameter included
  --timeout       timeout in ms
examples/notes:
  hf 14b apdu -s -d 94a40800043f000002
  hf 14b apdu -s --decode -d 00A404000E325041592E5359532E444446303100 -> decode apdu
  hf 14b apdu -sm 00A40400 -l 256 -d 325041592E5359532E4444463031    -> encode standard apdu
  hf 14b apdu -sm 00A40400 -el 65536 -d 325041592E5359532E4444463031 -> encode extended apdu
---------------------------------------------------------------------------------------
hf 14b dump
This command dumps the contents of an ISO-14443-B tag and saves it to file
Tries to autodetect cardtype, memory size defaults to SRI4K
usage: hf 14b dump [-hz] [-f ] [--ns]
options:
  -h, --help   This help
  -f, --file   (optional) filename; if omitted, the UID is used as filename
  --ns         no save to file
  -z, --dense  dense dump output style
examples/notes:
  hf 14b dump
  hf 14b dump -f myfilename
---------------------------------------------------------------------------------------
hf 14b info
Tag information for ISO/IEC 14443 type B based tags
usage: hf 14b info [-hsv]
options:
  -h, --help       This help
  -s, --aidsearch  checks if AIDs from aidlist.json are present on the card and prints information about found AIDs
  -v, --verbose    verbose output
examples/notes:
  hf 14b info
---------------------------------------------------------------------------------------
hf 14b ndefread
Print NFC Data Exchange Format (NDEF)
usage: hf 14b ndefread [-hv] [-f ]
options:
  -h, --help     This help
  -f, --file     Save raw NDEF to file
  -v, --verbose  Verbose output
examples/notes:
  hf 14b ndefread
  hf 14b ndefread -f myfilename -> save raw NDEF to file
---------------------------------------------------------------------------------------
hf 14b raw
Sends raw bytes to card.
Activates field by default
usage: hf 14b raw [-hackrsv] [-d ] [-t ] [--sr] [--cts] [--xrx] [--pico]
options:
  -h, --help     This help
  -a             active signal field ON without select
  -c, --crc      calculate and append CRC
  -k, --keep     leave the signal field ON after receive response
  -d, --data     data, bytes to send
  -r             do not read response from card
  -t, --timeout  timeout in ms
  -s, --std      use ISO14B select
  --sr           use SRx ST select
  --cts          use ASK C-ticket select
  --xrx          use Fuji/Xerox select
  --pico         use Picopass select
  -v, --verbose  verbose output
examples/notes:
  hf 14b raw -cks --data 0200a40400      -> standard select, apdu 0200a40400 (7816)
  hf 14b raw -ck --sr --data 0200a40400  -> SRx select
  hf 14b raw -ck --cts --data 0200a40400 -> C-ticket select
---------------------------------------------------------------------------------------
hf 14b rdbl
Read SRI512 | SRIX4K block
usage: hf 14b rdbl [-h] [-b ]
options:
  -h, --help   This help
  -b, --block  block number
examples/notes:
  hf 14b rdbl -b 06
---------------------------------------------------------------------------------------
hf 14b reader
Act as a 14443B reader to identify a tag
usage: hf 14b reader [-hv@] [--plot]
options:
  -h, --help     This help
  --plot         show anticollision signal trace in plot window
  -v, --verbose  verbose output
  -@             optional - continuous reader mode
examples/notes:
  hf 14b reader
  hf 14b reader -@ -> continuous reader mode
---------------------------------------------------------------------------------------
hf 14b restore
Restore data from (bin/eml/json) dump file to tag
If the dump file includes the special block at the end it will be ignored
usage: hf 14b restore [-h] [-f ] [--512] [--4k]
options:
  -h, --help  This help
  -f, --file  (optional) filename; if omitted, the UID is used as filename
  --512       target SRI 512 tag
  --4k        target SRIX 4k tag (def)
examples/notes:
  hf 14b restore --4k -f myfilename
  hf 14b restore --512 -f myfilename
---------------------------------------------------------------------------------------
hf 14b sim
Simulate an ISO/IEC 14443 type B tag with 4 byte UID / PUPI
usage: hf 14b sim [-h] -u hex
options:
  -h, --help     This help
  -u, --uid hex  4byte UID/PUPI
examples/notes:
  hf 14b sim -u 11AA33BB
---------------------------------------------------------------------------------------
hf 14b sniff
Sniff the communication between reader and tag
Use `hf 14b list` to view collected data.
usage: hf 14b sniff [-h]
options:
  -h, --help  This help
examples/notes:
  hf 14b sniff
---------------------------------------------------------------------------------------
hf 14b wrbl
Write data to a SRI512 or SRIX4K block
If writing to a block out-of-range, use `--force` to override checks
Special block at end denotes OTP and lock bits among others
usage: hf 14b wrbl [-h] [-b ] -d [--512] [--4k] [--sb] [--force]
options:
  -h, --help   This help
  -b, --block  block number
  -d, --data   4 hex bytes
  --512        target SRI 512 tag
  --4k         target SRIX 4k tag (def)
  --sb         special block write at end of memory (0xFF)
  --force      overrides block range checks
examples/notes:
  hf 14b wrbl --4k -b 100 -d 11223344
  hf 14b wrbl --4k --sb -d 11223344  -> special block write
  hf 14b wrbl --512 -b 15 -d 11223344
  hf 14b wrbl --512 --sb -d 11223344 -> special block write
---------------------------------------------------------------------------------------
hf 14b view
Print an ISO14443-B dump file (bin/eml/json)
note:
  - command expects the filename to contain a UID which is needed to determine card memory type
usage: hf 14b view [-hvz] -f
options:
  -h, --help     This help
  -f, --file     Specify a filename for dump file
  -v, --verbose  verbose output
  -z, --dense    dense dump output style
examples/notes:
  hf 14b view -f hf-14b-01020304-dump.bin
---------------------------------------------------------------------------------------
hf 14b valid
SRIX checksum test
usage: hf 14b valid [-h]
options:
  -h, --help  This help
examples/notes:
  hf 14b valid
---------------------------------------------------------------------------------------
hf 14b calypso
Reads out the contents of an ISO14443B Calypso card
usage: hf 14b calypso [-h]
options:
  -h, --help  This help
examples/notes:
  hf 14b calypso
---------------------------------------------------------------------------------------
hf 14b mobib
Reads out the contents of an ISO14443B Mobib card
usage: hf 14b mobib [-h]
options:
  -h, --help  This help
examples/notes:
  hf 14b mobib
---------------------------------------------------------------------------------------
hf 14b setuid
Set UID for magic card (only works with such cards)
usage: hf 14b setuid [-h] -u
options:
  -h, --help  This help
  -u, --uid   UID, 4 hex bytes
examples/notes:
  hf 14b setuid -u 11223344
---------------------------------------------------------------------------------------
hf 15
----------- ----------------------- General -----------------------
  help                This help
  list                List ISO-15693 history
----------- ----------------------- Operations -----------------------
  demod               Demodulate ISO-15693 from tag
  dump                Read all memory pages of an ISO-15693 tag, save to file
  info                Tag information
  sniff               Sniff ISO-15693 traffic
  raw                 Send raw hex data to tag
  rdbl                Read a block
  rdmulti             Reads multiple blocks
  reader              Act like an ISO-15693 reader
  restore             Restore from file to all memory pages of an ISO-15693 tag
  samples             Acquire samples as reader (enables carrier, sends inquiry)
  view                Display content from tag dump file
  wipe                Wipe card to zeros
  wrbl                Write a block
----------- --------------------- Simulation ----------------------
  sim                 Fake an ISO-15693 tag
  eload               Upload file into emulator memory
  esave               Save emulator memory to file
  eview               View emulator memory
----------- ------------------------ SLIX -------------------------
  slixwritepwd        Writes a password on a SLIX ISO-15693 tag
  slixeasdisable      Disable EAS mode on SLIX ISO-15693 tag
  slixeasenable       Enable EAS mode on SLIX ISO-15693 tag
  slixprivacydisable  Disable privacy mode on SLIX ISO-15693 tag
  slixprivacyenable   Enable privacy mode on SLIX ISO-15693 tag
  passprotectafi      Password protect AFI - Cannot be undone
  passprotecteas      Password protect EAS - Cannot be undone
----------- -------------------------- afi ------------------------
  findafi             Brute force AFI of an ISO-15693 tag
  writeafi            Writes the AFI on an ISO-15693 tag
  writedsfid          Writes the DSFID on an ISO-15693 tag
----------- ------------------------- Magic -----------------------
  csetuid             Set UID for magic card
---------------------------------------------------------------------------------------
hf 15 list
Alias of `trace list -t 15 -c` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`), otherwise it is downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage: hf 15 list [-h1crux] [--frame] [-f ]
options:
  -h, --help    This help
  -1, --buffer  use data from trace buffer
  --frame       show frame delay times
  -c            mark CRC bytes
  -r            show relative times (gap and duration)
  -u            display times in microseconds instead of clock cycles
  -x            show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file    filename of trace file to load (instead of downloading the trace from the device)
examples/notes:
  hf 15 list --frame -> show frame delay times
  hf 15 list -1      -> use trace buffer
---------------------------------------------------------------------------------------
hf 15 demod
Tries to demodulate / decode ISO-15693, from downloaded samples.
Gather samples with 'hf 15 samples' / 'hf 15 sniff'
usage: hf 15 demod [-h]
options:
  -h, --help  This help
examples/notes:
  hf 15 demod
---------------------------------------------------------------------------------------
hf 15 dump
This command dumps the contents of an ISO-15693 tag and saves it to file (bin/json)
usage: hf 15 dump [-h*2ovz] [-u ] [--ua] [-f ] [--bs ] [--ns]
options:
  -h, --help     This help
  -u, --uid      full UID (8 hex bytes)
  --ua           unaddressed mode
  -*             scan for tag
  -2             use slower '1 out of 256' mode
  -o, --opt      set OPTION Flag (needed for TI)
  -f, --file     Specify a filename for dump file
  --bs           block size (def 4)
  --ns           no save to file
  -v, --verbose  verbose output
  -z, --dense    dense dump output style
examples/notes:
  hf 15 dump
  hf 15 dump -*
  hf 15 dump -u E011223344556677 -f hf-15-my-dump.bin
---------------------------------------------------------------------------------------
hf 15 info
Uses the optional command `get_systeminfo` 0x2B to try and extract information
usage: hf 15 info [-h*2o] [-u ] [--ua]
options:
  -h, --help  This help
  -u, --uid   full UID (8 hex bytes)
  --ua        unaddressed mode
  -*          scan for tag
  -2          use slower '1 out of 256' mode
  -o, --opt   set OPTION Flag (needed for TI)
examples/notes:
  hf 15 info
  hf 15 info -*
  hf 15 info -u E011223344556677
---------------------------------------------------------------------------------------
hf 15 sniff
Sniff activity without enabling carrier
usage: hf 15 sniff [-h]
options:
  -h, --help  This help
examples/notes:
  hf 15 sniff
---------------------------------------------------------------------------------------
hf 15 raw
Sends raw bytes over ISO-15693 to card
usage: hf 15 raw [-hack2rw] -d
options:
  -h, --help  This help
  -a          activate field
  -c, --crc   calculate and append CRC
  -k          keep signal field ON after receive
  -2          use slower '1 out of 256' mode
  -r          do not read response
  -d, --data  raw bytes to send
  -w, --wait  wait longer for response. For writes etc.
examples/notes:
  hf 15 raw -ac -d 260100   -> activate, add crc
  hf 15 raw -akrc -d 260100 -> activate, add crc, keep field on, skip response
---------------------------------------------------------------------------------------
hf 15 rdbl
Read page on ISO-15693 tag
usage: hf 15 rdbl [-h*2ov] [-u ] [--ua] -b [--bs ]
options:
  -h, --help     This help
  -u, --uid      full UID (8 hex bytes)
  --ua           unaddressed mode
  -*             scan for tag
  -2             use slower '1 out of 256' mode
  -o, --opt      set OPTION Flag (needed for TI)
  -b, --blk      page number (0-255)
  --bs           block size (def 4)
  -v, --verbose  verbose output
examples/notes:
  hf 15 rdbl -* -b 12
  hf 15 rdbl -u E011223344556677 -b 12
---------------------------------------------------------------------------------------
hf 15 rdmulti
Read multiple pages on an ISO-15693 tag
usage: hf 15 rdmulti [-h*2ov] [-u ] [--ua] -b --cnt [--bs ]
options:
  -h, --help     This help
  -u, --uid      full UID (8 hex bytes)
  --ua           unaddressed mode
  -*             scan for tag
  -2             use slower '1 out of 256' mode
  -o, --opt      set OPTION Flag (needed for TI)
  -b             first page number (0-255)
  --cnt          number of pages (1-6)
  --bs           block size (def 4)
  -v, --verbose  verbose output
examples/notes:
  hf 15 rdmulti -* -b 1 --cnt 6                   -> read 6 blocks
  hf 15 rdmulti -u E011223344556677 -b 12 --cnt 3 -> read three blocks
---------------------------------------------------------------------------------------
hf 15 reader
Act as an ISO-15693 reader.
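
What `-u`, `--ua` and `-o` change on the air for the `hf 15` commands above, as an added Python example that is not Proxmark3 client code: it assembles the ISO/IEC 15693-3 request flags byte, reverses a printed UID into transmit order, builds the Inventory request (the `260100` of the `hf 15 raw` example) and the Read Single Block request behind `hf 15 rdbl`, and parses an Inventory response back to a printed UID. Flag bits and command codes are from ISO/IEC 15693-3; the function names and the sample UID are this example's own. The CRC is left to `hf 15 raw -c`, which appends it on the device.

```python
"""ISO/IEC 15693-3 request framing: flags byte, UID byte order, Inventory and Read Single Block.

Added example for this help page; not Proxmark3 client code. Flag bit positions
and command codes are ISO/IEC 15693-3; names are this example's own. No CRC is
appended because `hf 15 raw -c` does that on the device side.
"""
from typing import Optional

# Request flags, ISO/IEC 15693-3 (b1 = bit 0 ... b8 = bit 7)
FLAG_SUBCARRIER = 0x01   # b1: two sub-carriers
FLAG_DATA_RATE = 0x02    # b2: high data rate
FLAG_INVENTORY = 0x04    # b3: Inventory request; changes the meaning of b5/b6
FLAG_PROTO_EXT = 0x08    # b4: protocol extension
FLAG_SELECT = 0x10       # b5 when b3 = 0: only the selected VICC answers
FLAG_ADDRESS = 0x20      # b6 when b3 = 0: a UID follows the command byte (`-u`)
FLAG_AFI = 0x10          # b5 when b3 = 1: an AFI byte is present
FLAG_ONE_SLOT = 0x20     # b6 when b3 = 1: 1 slot instead of 16
FLAG_OPTION = 0x40       # b7: option flag (`-o` in the hf 15 commands)

CMD_INVENTORY = 0x01
CMD_READ_SINGLE_BLOCK = 0x20
CMD_WRITE_SINGLE_BLOCK = 0x21
CMD_GET_SYSTEM_INFO = 0x2B       # what `hf 15 info` sends


def uid_on_air(uid_hex: str) -> bytes:
    """UIDs are printed MSB first (E0 ...) but transmitted LSB first."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 8 or uid[0] != 0xE0:
        raise ValueError("ISO 15693 UID is 8 bytes and starts with E0")
    return uid[::-1]


def uid_from_air(raw: bytes) -> str:
    """Inverse of uid_on_air: 8 LSB-first bytes back to the printed form."""
    if len(raw) != 8:
        raise ValueError("UID is 8 bytes")
    return raw[::-1].hex().upper()


def request(cmd: int, params: bytes = b"", uid_hex: Optional[str] = None,
            option: bool = False) -> bytes:
    """Flags, command, [UID], parameters. uid_hex=None gives the unaddressed form (`--ua`)."""
    flags = FLAG_DATA_RATE
    if uid_hex is not None:
        flags |= FLAG_ADDRESS
    if option:
        flags |= FLAG_OPTION
    frame = bytes([flags, cmd])
    if uid_hex is not None:
        frame += uid_on_air(uid_hex)
    return frame + params


def inventory(one_slot: bool = True, afi: Optional[int] = None, mask: bytes = b"") -> bytes:
    """Inventory request: flags, 0x01, [AFI], mask length in bits, [mask]."""
    flags = FLAG_DATA_RATE | FLAG_INVENTORY
    if one_slot:
        flags |= FLAG_ONE_SLOT
    if afi is not None:
        flags |= FLAG_AFI
    frame = bytes([flags, CMD_INVENTORY])
    if afi is not None:
        frame += bytes([afi])
    return frame + bytes([len(mask) * 8]) + mask


def read_single_block(block: int, uid_hex: Optional[str] = None, option: bool = False) -> bytes:
    """The bytes behind `hf 15 rdbl -b <n>`, addressed (-u) or unaddressed (--ua), with or without -o."""
    if not 0 <= block <= 255:
        raise ValueError("block number is one byte")
    return request(CMD_READ_SINGLE_BLOCK, bytes([block]), uid_hex, option)


def parse_inventory_response(resp: bytes) -> dict:
    """Inventory response with CRC already stripped: flags, DSFID, UID (LSB first)."""
    if len(resp) >= 2 and resp[0] & 0x01:
        raise ValueError("error flag set, error code 0x%02X" % resp[1])
    if len(resp) != 10:
        raise ValueError("inventory response is flags + DSFID + 8-byte UID")
    return {"flags": resp[0], "dsfid": resp[1], "uid": uid_from_air(resp[2:])}


if __name__ == "__main__":
    print(inventory().hex())                                   # 260100, as in `hf 15 raw -ac -d 260100`
    print(read_single_block(12, "E011223344556677").hex())    # constructed UID from the help examples
    print(read_single_block(12).hex())                         # same read, unaddressed (--ua)
    print(parse_inventory_response(bytes.fromhex("000077665544332211E0")))
```

`0x26` decodes as high data rate + inventory + one slot, which is why the help example is `26 01 00` (mask length 0). Addressing block 12 of `E011223344556677` yields `22 20 77 66 55 44 33 22 11 E0 0C`: note the reversed UID, the reason a UID copied from a sniff has to be byte-swapped before it is pasted into `-u`. Adding `-o` only flips bit 7 of the flags (`0x62`).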
Look for ISO-15693 tags until Enter or the pm3 button is pressed
usage: hf 15 reader [-h@]
options:
  -h, --help  This help
  -@          continuous reader mode
examples/notes:
  hf 15 reader
  hf 15 reader -@ -> Continuous mode
---------------------------------------------------------------------------------------
hf 15 restore
This command restores the contents of a dump file (bin/eml/json) onto an ISO-15693 tag
usage: hf 15 restore [-h*2ov] [-u ] [--ua] [-f ] [-r ]
options:
  -h, --help     This help
  -u, --uid      full UID (8 hex bytes)
  --ua           unaddressed mode
  -*             scan for tag
  -2             use slower '1 out of 256' mode
  -o, --opt      set OPTION Flag (needed for TI)
  -f, --file     Specify a filename for dump file
  -r, --retry    number of retries (def 3)
  -v, --verbose  verbose output
examples/notes:
  hf 15 restore
  hf 15 restore -*
  hf 15 restore -u E011223344556677 -f hf-15-my-dump.bin
---------------------------------------------------------------------------------------
hf 15 samples
Acquire samples as reader (enables carrier, sends inquiry and downloads the samples to the graph buffer).
Try 'hf 15 demod' to try to demodulate/decode signal
usage: hf 15 samples [-h]
options:
  -h, --help  This help
examples/notes:
  hf 15 samples
---------------------------------------------------------------------------------------
hf 15 view
Print an ISO-15693 tag dump file (bin/eml/json)
usage: hf 15 view [-hz] -f
options:
  -h, --help   This help
  -f, --file   Specify a filename for dump file
  -z, --dense  dense dump output style
examples/notes:
  hf 15 view -f hf-15-1122334455667788-dump.bin
---------------------------------------------------------------------------------------
hf 15 wipe
Wipe an ISO-15693 tag by filling its memory with zeros
usage: hf 15 wipe [-h*2ov] [-u ] [--ua] [--bs ]
options:
  -h, --help     This help
  -u, --uid      full UID (8 hex bytes)
  --ua           unaddressed mode
  -*             scan for tag
  -2             use slower '1 out of 256' mode
  -o, --opt      set OPTION Flag (needed for TI)
  --bs           block size (def 4)
  -v, --verbose  verbose output
examples/notes:
  hf 15 wipe
---------------------------------------------------------------------------------------
hf 15 wrbl
Write block on ISO-15693 tag
usage: hf 15 wrbl [-h*2ov] [-u ] [--ua] -b -d
options:
  -h, --help     This help
  -u, --uid      full UID (8 hex bytes)
  --ua           unaddressed mode
  -*             scan for tag
  -2             use slower '1 out of 256' mode
  -o, --opt      set OPTION Flag (needed for TI)
  -b, --blk      page number (0-255)
  -d, --data     data, 4 bytes
  -v, --verbose  verbose output
examples/notes:
  hf 15 wrbl -* -b 12 -d AABBCCDD
  hf 15 wrbl -u E011223344556677 -b 12 -d AABBCCDD
---------------------------------------------------------------------------------------
hf 15 sim
Simulate an ISO-15693 tag
usage: hf 15 sim [-h] [-u ] [-b ]
options:
  -h, --help       This help
  -u, --uid        UID, 8 hex bytes
  -b, --blocksize  block size (def 4)
examples/notes:
  hf 15 sim
  hf 15 sim -u E011223344556677
---------------------------------------------------------------------------------------
hf 15 eload
Load memory dump from file to be used with 'hf 15 sim'
usage: hf 15 eload [-h] -f
options:
  -h, --help  This help
  -f, --file  filename of dump
examples/notes:
  hf 15 eload -f hf-15-01020304.bin
---------------------------------------------------------------------------------------
hf 15 esave
Save emulator memory into two files (bin/json)
usage: hf 15 esave [-h] -f
options:
  -h, --help  This help
  -f, --file  Specify a filename for dump file
examples/notes:
  hf 15 esave -f hf-15-01020304
---------------------------------------------------------------------------------------
hf 15 eview
It displays emulator memory
usage: hf 15 eview [-hz]
options:
  -h, --help   This help
  -z, --dense  dense dump output style
examples/notes:
  hf 15 eview
  hf 15 eview -z
---------------------------------------------------------------------------------------
hf 15 slixwritepwd
Write a password on a SLIX family ISO-15693 tag. Some tags do not support all different password types.
usage: hf 15 slixwritepwd [-h] -t [-o ] -n
options:
  -h, --help  This help
  -t, --type  which password field to write to
  -o, --old   old password (if present), 4 hex bytes
  -n, --new   new password, 4 hex bytes
examples/notes:
  hf 15 slixwritepwd -t READ -o 00000000 -n 12131415
---------------------------------------------------------------------------------------
hf 15 slixeasdisable
Disable EAS mode on SLIX ISO-15693 tag
usage: hf 15 slixeasdisable [-h] [-p ]
options:
  -h, --help  This help
  -p, --pwd   optional password, 4 hex bytes
examples/notes:
  hf 15 slixeasdisable -p 0F0F0F0F
---------------------------------------------------------------------------------------
hf 15 slixeasenable
Enable EAS mode on SLIX ISO-15693 tag
usage: hf 15 slixeasenable [-h] [-p ]
options:
  -h, --help  This help
  -p, --pwd   optional password, 4 hex bytes
examples/notes:
  hf 15 slixeasenable -p 0F0F0F0F
---------------------------------------------------------------------------------------
hf 15 slixprivacydisable
Disable privacy mode on SLIX ISO-15693 tag
usage: hf 15 slixprivacydisable [-h] -p
options:
  -h, --help  This help
  -p, --pwd   password, 4 hex bytes
examples/notes:
  hf 15 slixprivacydisable -p 0F0F0F0F
---------------------------------------------------------------------------------------
hf 15 slixprivacyenable
Enable privacy mode on SLIX ISO-15693 tag
usage: hf 15 slixprivacyenable [-h] -p
options:
  -h, --help  This help
  -p, --pwd   password, 4 hex bytes
examples/notes:
  hf 15 slixprivacyenable -p 0F0F0F0F
---------------------------------------------------------------------------------------
hf 15 passprotectafi
This command enables password protection of the AFI.
*** OBS! This action cannot be undone! ***
usage: hf 15 passprotectafi [-h] -p [--force]
options:
  -h, --help  This help
  -p, --pwd   EAS/AFI password, 4 hex bytes
  --force     Force execution of command (irreversible)
examples/notes:
  hf 15 passprotectafi -p 00000000 --force
---------------------------------------------------------------------------------------
hf 15 passprotecteas
This command enables password protection of EAS.
*** OBS! This action cannot be undone! ***
usage: hf 15 passprotecteas [-h] -p [--force]
options:
  -h, --help  This help
  -p, --pwd   EAS/AFI password, 4 hex bytes
  --force     Force execution of command (irreversible)
examples/notes:
  hf 15 passprotecteas -p 00000000 --force
---------------------------------------------------------------------------------------
hf 15 findafi
This command attempts to brute force the AFI of an ISO-15693 tag
Estimated execution time is around 2 minutes
usage: hf 15 findafi [-h2]
options:
  -h, --help  This help
  -2          use slower '1 out of 256' mode
examples/notes:
  hf 15 findafi
---------------------------------------------------------------------------------------
hf 15 writeafi
Write AFI on card
usage: hf 15 writeafi [-h] [-u ] --afi [-p ]
options:
  -h, --help  This help
  -u, --uid   full UID, 8 hex bytes
  --afi       AFI number (0-255)
  -p, --pwd   optional AFI/EAS password
examples/notes:
  hf 15 writeafi -* --afi 12
  hf 15 writeafi -u E011223344556677 --afi 12 -p 0F0F0F0F
---------------------------------------------------------------------------------------
hf
15 writedsfid Write DSFID on card usage: hf 15 writedsfid [-h*2ov] [-u ] [--ua] --dsfid options: -h, --help This help -u, --uid full UID (8 hex bytes) --ua unaddressed mode -* scan for tag -2 use slower '1 out of 256' mode -o, --opt set OPTION Flag (needed for TI) --dsfid DSFID number (0-255) -v, --verbose verbose output examples/notes: hf 15 writedsfid -* --dsfid 12 hf 15 writedsfid -u E011223344556677 --dsfid 12 --------------------------------------------------------------------------------------- hf 15 csetuid Set UID for magic Chinese card (only works with such cards) usage: hf 15 csetuid [-h2] -u options: -h, --help This help -u, --uid UID, 8 hex bytes -2, --v2 Use gen2 magic command examples/notes: hf 15 csetuid -u E011223344556677 -> use gen1 command hf 15 csetuid -u E011223344556677 --v2 -> use gen2 command --------------------------------------------------------------------------------------- hf cipurse help This help. info Get info about CIPURSE tag select Select CIPURSE application or file auth Authenticate CIPURSE tag read Read binary file write Write binary file aread Read file attributes awrite Write file attributes formatall Erase all the data from chip create Create file, application, key via DGI record delete Delete file updkey Update key updakey Update key attributes default Set default key and file id for all the other commands test Regression tests --------------------------------------------------------------------------------------- hf cipurse info Get info from CIPURSE tags usage: hf cipurse info [-h] options: -h, --help This help examples/notes: hf cipurse info --------------------------------------------------------------------------------------- hf cipurse select Select application or file usage: hf cipurse select [-havt] [--aid ] [--fid ] [--mfd] [--chfid ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -t, --tlv TLV decode returned data --aid Application ID (AID) 1..16 bytes --fid 
Top level file (or application) ID (FID) 2 bytes --mfd Select masterfile by empty id --chfid Child file ID (EF under application/master file) 2 bytes examples/notes: hf cipurse select --aid A0000005070100 -> Select PTSE application by AID hf cipurse select --fid 3f00 -> Select master file by FID 3f00 hf cipurse select --fid 2ff7 -> Select attribute file by FID 2ff7 hf cipurse select --mfd -vt -> Select default file by empty FID and show response data in plain and TLV decoded format --------------------------------------------------------------------------------------- hf cipurse auth Authenticate with key ID and key. If no key is supplied, default key of 737373...7373 will be used usage: hf cipurse auth [-hav] [--aid ] [--fid ] [--mfd] [-n ] [-k ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode --aid Application ID (AID) ( 1..16 bytes ) --fid Top file/application ID (FID) ( 2 bytes ) --mfd Select masterfile by empty id -n Key ID -k, --key Auth key examples/notes: hf cipurse auth -> Authenticate with keyID 1, default key hf cipurse auth -n 2 -k 65656565656565656565656565656565 -> Authenticate keyID 2 with key --------------------------------------------------------------------------------------- hf cipurse read Read file in the application by file ID with key ID and key. 
If no key is supplied, default key of 737373...7373 will be used usage: hf cipurse read [-hav] [-n ] [-k ] [--aid ] [--fid ] [-o ] [--noauth] [--sreq ] [--sresp ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -n Key ID -k, --key Auth key --aid Application ID (AID) ( 1..16 bytes ) --fid File ID -o, --offset Offset for reading data from file --noauth Read file without authentication --sreq Communication reader-PICC security level (def: mac) --sresp Communication PICC-reader security level (def: mac) examples/notes: hf cipurse read --fid 2ff7 -> Authenticate with keyID 1, read file with id 2ff7 hf cipurse read -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2 and read file hf cipurse read --aid 4144204631 --fid 0102 -> read file with id 0102 from application 4144204631 --------------------------------------------------------------------------------------- hf cipurse write Write file in the application by file ID with key ID and key. 
If no key is supplied, default key of 737373...7373 will be used usage: hf cipurse write [-hav] [-n ] [-k ] [--aid ] [--fid ] [-o ] [--noauth] [--sreq ] [--sresp ] [-d ] [--commit] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -n Key ID -k, --key Auth key --aid Application ID (AID) ( 1..16 bytes ) --fid File ID -o, --offset Offset for reading data from file --noauth Read file without authentication --sreq Communication reader-PICC security level (def: mac) --sresp Communication PICC-reader security level (def: mac) -d, --data Data to write to new file --commit Commit after write examples/notes: hf cipurse write --fid 2ff7 -d aabb -> Authenticate with keyID 1, write file with id 2ff7 hf cipurse write -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -d aabb -> Authenticate keyID 2 and write file hf cipurse write --aid 4144204631 --fid 0102 -d aabb -> write file with id 0102 in the 4144204631 application hf cipurse write --fid 0102 -d aabb --commit -> write file with id 0102 and perform commit after write --------------------------------------------------------------------------------------- hf cipurse aread Read file attributes by file ID with key ID and key. 
If no key is supplied, default key of 737373...7373 will be used usage: hf cipurse aread [-hav] [-n ] [-k ] [--mfd] [--aid ] [--fid ] [--chfid ] [--noauth] [--sreq ] [--sresp ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -n Key ID -k, --key Auth key --mfd Show info about master file --aid Select application ID (AID) ( 1..16 bytes ) --fid File ID --chfid Child file ID (EF under application/master file) ( 2 bytes ) --noauth Read file attributes without authentication --sreq Communication reader-PICC security level (def: mac) --sresp Communication PICC-reader security level (def: mac) examples/notes: hf cipurse aread --fid 2ff7 -> Select MF, Authenticate with keyID 1, read file attributes with id 2ff7 hf cipurse aread --mfd -> read file attributes for master file (MF) hf cipurse aread --chfid 0102 -> read file 0102 attributes in the default application hf cipurse aread --aid 4144204632 --chfid 0102 -> read file 0102 attributes in the 4144204632 application hf cipurse aread -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2, read file attributes --------------------------------------------------------------------------------------- hf cipurse awrite Write file attributes by file ID with key ID and key. 
If no key is supplied, default key of 737373...7373 will be used usage: hf cipurse awrite [-hav] [-n ] [-k ] [--mfd] [--aid ] [--fid ] [--chfid ] [--noauth] [--sreq ] [--sresp ] [-d ] [--commit] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -n Key ID -k, --key Auth key --mfd Show info about master file --aid Select application ID (AID) ( 1..16 bytes ) --fid File ID --chfid Child file ID (EF under application/master file) ( 2 bytes ) --noauth Read file attributes without authentication --sreq Communication reader-PICC security level (def: mac) --sresp Communication PICC-reader security level (def: mac) -d, --data File attributes --commit Commit after write examples/notes: hf cipurse awrite --fid 2ff7 -d 080000C1C1C1C1C1C1C1C1C1 -> write default file attributes with id 2ff7 hf cipurse awrite --mfd -d 080000FFFFFFFFFFFFFFFFFF86023232 --commit -> write file attributes for master file (MF) hf cipurse awrite --chfid 0102 -d 020000ffffff -> write file 0102 attributes in the default application to full access hf cipurse awrite --chfid 0102 -d 02000040ffff -> write file 0102 attributes in the default application to full access with keys 1 and 2 --------------------------------------------------------------------------------------- hf cipurse formatall Format card. Erases all the data at the card level! usage: hf cipurse formatall [-hav] [-n ] [-k ] [--sreq ] [--sresp ] [--no-auth] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -n Key ID -k, --key Auth key --sreq Communication reader-PICC security level (def: mac) --sresp Communication PICC-reader security level (def: mac) --no-auth Execute without authentication examples/notes: hf cipurse formatall -> Format card with default key hf cipurse formatall -n 2 -k 65656565656565656565656565656565 -> Format card with keyID 2 hf cipurse formatall --no-auth -> Format card without authentication. 
Works for card in perso state --------------------------------------------------------------------------------------- hf cipurse create Create application/file/key by provide appropriate DGI. If no key is supplied, default key of 737373...7373 will be used usage: hf cipurse create [-hav] [-n ] [-k ] [--aid ] [--fid ] [--mfd] [-d ] [--sreq ] [--sresp ] [--no-auth] [--commit] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -n Key ID -k, --key Auth key --aid Application ID (AID) ( 1..16 bytes ) --fid File ID (FID) ( 2 bytes ) --mfd Select masterfile by empty id -d, --data Data with DGI for create --sreq Communication reader-PICC security level (def: mac) --sresp Communication PICC-reader security level (def: mac) --no-auth Execute without authentication --commit Commit after create examples/notes: hf cipurse create -d 9200123F00200008000062098407A0000005070100 -> create PTSE file with FID 0x2000 and space for 8 AIDs hf cipurse create -d 92002438613F010A050200004040FF021009021009621084054144204631D407A0000005070100A00F2873737373737373737373737373737373015FD67B000102030405060708090A0B0C0D0E0F01C6A13B -> create default file with FID 3F01 and 2 keys hf cipurse create --aid 4144204631 -d 92010C010001020030020000FFFFFF -> create 0x0102 binary data EF under application 4144204631 --------------------------------------------------------------------------------------- hf cipurse delete Delete file by file ID with key ID and key. 
If no key is supplied, default key of 737373...7373 will be used usage: hf cipurse delete [-hav] [-n ] [-k ] [--fid ] [--aid ] [--chfid ] [--sreq ] [--sresp ] [--no-auth] [--commit] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose mode -n Key ID -k, --key Auth key --fid File/application ID under MF for delete --aid Application ID (AID) for delete ( 1..16 bytes ) --chfid Child file ID (EF under application/master file) ( 2 bytes ) --sreq Communication reader-PICC security level (def: mac) --sresp Communication PICC-reader security level (def: mac) --no-auth Execute without authentication --commit commit after delete examples/notes: hf cipurse delete --fid 2ff7 -> Authenticate with keyID 1, delete file with id 2ff7 at top level hf cipurse delete -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2 and delete file hf cipurse delete --aid A0000005070100 --no-auth -> delete PTSE file with AID A0000005070100 without authentication hf cipurse delete --aid 4144204631 --chfid 0102 -> delete EF with FID 0x0102 under default application --------------------------------------------------------------------------------------- hf cipurse updkey Update key usage: hf cipurse updkey [-hav] [-n ] [-k ] [--aid ] [--fid ] [--mfd] [--newkeyn ] [--newkey ] [--newkeya ] [--enckeyn ] [--enckey ] [--sreq ] [--sresp ] [--no-auth] [--commit] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Show technical data -n Key ID for authentication -k, --key Auth key --aid Application ID (AID) --fid File ID (FID) --mfd Select masterfile by empty id --newkeyn Target key ID --newkey New key --newkeya New key additional info (def: 0x00) --enckeyn Encrypt key ID (must be equal to the key on the card) --enckey Encrypt key (must be equal to the key on the card) --sreq Communication reader-PICC security level --sresp Communication PICC-reader security level --no-auth Execute without authentication 
--commit Commit examples/notes: hf cipurse updkey --aid 4144204631 --newkeyn 2 --newkeya 00 --newkey 73737373737373737373737373737373 -> update default application key 2 with default value 73..73 hf cipurse updkey --newkeyn 1 --newkeya 00 --newkey 0102030405060708090a0b0c0d0e0f10 --commit -> for key 1 --------------------------------------------------------------------------------------- hf cipurse updakey Update key attributes. Factory default - 0x02. b0 - Update right - 1 self b1 - Change key and rights - 0 frozen b2 - Use as key encryption key - 1 blocked b8 - Key validity - 0 valid usage: hf cipurse updakey [-hav] [-n ] [-k ] [--aid ] [--fid ] [--mfd] [--trgkeyn ] [--attr ] [--sreq ] [--sresp ] [--no-auth] [--commit] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Show technical data -n Key ID for authentication -k, --key Auth key --aid Application ID (AID) --fid File ID (FID) --mfd Select masterfile by empty id --trgkeyn Target key ID --attr Key attributes 1 byte --sreq Communication reader-PICC security level --sresp Communication PICC-reader security level --no-auth Execute without authentication --commit Commit examples/notes: hf cipurse updakey --trgkeyn 2 --attr 80 -> block key 2 for lifetime (WARNING!) 
hf cipurse updakey --trgkeyn 1 --attr 02 --commit -> for key 1 --------------------------------------------------------------------------------------- hf cipurse default Set default parameters for access to cipurse card usage: hf cipurse default [-h] [--clear] [-n ] [-k ] [--aid ] [--fid ] options: -h, --help This help --clear Resets to defaults -n Key ID -k, --key Authentication key --aid Application ID (AID) ( 1..16 bytes ) --fid File ID ( 2 bytes ) examples/notes: hf cipurse default --reset -> reset parameters to default hf cipurse default -n 1 -k 65656565656565656565656565656565 --fid 2ff7 -> Set key, key id and file id hf cipurse default --aid 4144204632 -> set default application id --------------------------------------------------------------------------------------- hf cipurse test Regression tests usage: hf cipurse test [-h] options: -h, --help This help examples/notes: hf cipurse test --------------------------------------------------------------------------------------- hf epa help This help cnonces Acquire encrypted PACE nonces of specific size replay Perform PACE protocol by replaying given APDUs sim Simulate PACE protocol --------------------------------------------------------------------------------------- hf epa cnonces Tries to collect nonces when doing part of PACE protocol. 
usage: hf epa cnonces [-h] --size --num -d options: -h, --help This help --size nonce size --num number of nonces to collect -d, --delay delay between attempts examples/notes: hf epa cnonces --size 4 --num 4 --delay 1 --------------------------------------------------------------------------------------- hf epa replay Perform PACE protocol by replaying given APDUs usage: hf epa replay [-h] --mse --get --map --pka --ma options: -h, --help This help --mse msesa APDU --get gn APDU --map map APDU --pka pka APDU --ma ma APDU examples/notes: hf epa replay --mse 0022C1A4 --get 1068000000 --map 1086000002 --pka 1234ABCDEF --ma 1A2B3C4D --------------------------------------------------------------------------------------- hf epa sim Simulate PACE protocol with given password pwd of type pty. The crypto is performed on pc or proxmark usage: hf epa sim [-h] --pc --pty -p options: -h, --help This help --pc perform crypto on PC --pty type of password -p, --pwd password examples/notes: hf epa sim --pwd 112233445566 hf epa sim --pc --pty 1 --pwd 112233445566 --------------------------------------------------------------------------------------- hf emrtd help This help dump Dump eMRTD files to binary files info Display info about an eMRTD list List ISO 14443A/7816 history --------------------------------------------------------------------------------------- hf emrtd dump Dump all files on an eMRTD usage: hf emrtd dump [-h] [-n ] [-d ] [-e ] [-m <[0-9A-Z<]>] [--dir ] options: -h, --help This help -n, --doc document number, up to 9 chars -d, --date date of birth in YYMMDD format -e, --expiry expiry in YYMMDD format -m, --mrz <[0-9A-Z<]> 2nd line of MRZ, 44 chars --dir save dump to the given dirpath examples/notes: hf emrtd dump hf emrtd dump --dir ../dump hf emrtd dump -n 123456789 -d 890101 -e 250401 --------------------------------------------------------------------------------------- hf emrtd info Display info about an eMRTD usage: hf emrtd info [-hi] [-n ] [-d ] [-e ] [-m 
<[0-9A-Z<]>] [--dir ] options: -h, --help This help -n, --doc document number, up to 9 chars -d, --date date of birth in YYMMDD format -e, --expiry expiry in YYMMDD format -m, --mrz <[0-9A-Z<]> 2nd line of MRZ, 44 chars (passports only) --dir display info from offline dump stored in dirpath -i, --images show images examples/notes: hf emrtd info hf emrtd info --dir ../dumps hf emrtd info -n 123456789 -d 890101 -e 250401 hf emrtd info -n 123456789 -d 890101 -e 250401 -i --------------------------------------------------------------------------------------- hf emrtd list Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol usage: hf emrtd list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf emrtd list --frame -> show frame delay times hf emrtd list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf felica ----------- ----------------------- General ----------------------- help This help list List ISO 18092/FeliCa history ----------- ----------------------- Operations ----------------------- info Tag information raw Send raw hex data to tag rdbl read block data from authentication-not-required Service. reader Act like an ISO18092/FeliCa reader sniff Sniff ISO 18092/FeliCa traffic wrbl write block data to an authentication-not-required Service. 
----------- ----------------------- FeliCa Standard ----------------------- rqservice verify the existence of Area and Service, and to acquire Key Version. rqresponse verify the existence of a card and its Mode. scsvcode acquire Area Code and Service Code. rqsyscode acquire System Code registered to the card. auth1 authenticate a card. Start mutual authentication with Auth1 auth2 allow a card to authenticate a Reader/Writer. Complete mutual authentication rqspecver acquire the version of card OS. resetmode reset Mode to Mode 0. ----------- ----------------------- FeliCa Light ----------------------- litesim Emulating ISO/18092 FeliCa Lite tag litedump Wait for and try dumping FelicaLite --------------------------------------------------------------------------------------- hf felica list Alias of `trace list -t felica` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. 
Note that some might not be relevant for this specific protocol usage: hf felica list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf felica list --frame -> show frame delay times hf felica list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf felica info Reader for FeliCa based tags usage: hf felica info [-h] options: -h, --help This help examples/notes: hf felica info --------------------------------------------------------------------------------------- hf felica raw Send raw hex data to tag usage: hf felica raw [-hackrs] [-n ] options: -h, --help This help -a active signal field ON without select -c calculate and append CRC -k keep signal field ON after receive -n number of bits -r do not read response -s active signal field ON with select raw bytes to send examples/notes: hf felica raw -cs 20 hf felica raw -cs 2008 --------------------------------------------------------------------------------------- hf felica rdbl Use this command to read block data from authentication-not-required Service. - Mode shall be Mode0. 
- Successful == block data - Unsuccessful == Status Flag1 and Flag2 usage: hf felica rdbl [-hblv] [-i ] [--sn ] [--scl ] [--bn ] [--ble ] options: -h, --help This help -b get all block list elements 00 -> FF -i set custom IDm -l, --long use 3 byte block list element block number --sn number of service --scl service code list --bn number of block --ble block list element (def 2|3 bytes) -v, --verbose verbose output examples/notes: hf felica rdbl --sn 01 --scl 8B00 --bn 01 --ble 8000 hf felica rdbl --sn 01 --scl 4B18 --bn 01 --ble 8000 -b hf felica rdbl -i 01100910c11bc407 --sn 01 --scl 8B00 --bn 01 --ble 8000 --------------------------------------------------------------------------------------- hf felica reader Act as a ISO 18092 / FeliCa reader. Look for FeliCa tags until Enter or the pm3 button is pressed usage: hf felica reader [-hs@] options: -h, --help This help -s, --silent silent (no messages) -@ optional - continuous reader mode examples/notes: hf felica reader -@ -> Continuous mode --------------------------------------------------------------------------------------- hf felica sniff Collect data from the field and save into command buffer. Buffer accessible from `hf felica list` usage: hf felica sniff [-h] [-s ] [-t ] options: -h, --help This help -s, --samples samples to skip -t, --trig triggers to skip examples/notes: hf felica sniff hf felica sniff -s 10 -t 19 --------------------------------------------------------------------------------------- hf felica wrbl Use this command to write block data to authentication-not-required Service. - Mode shall be Mode0. 
- Un-/Ssuccessful == Status Flag1 and Flag2 usage: hf felica wrbl [-hv] [-d ] [-i ] [--sn ] [--scl ] [--bn ] [--ble ] options: -h, --help This help -d, --data data, 16 hex bytes -i set custom IDm --sn number of service --scl service code list --bn number of block --ble block list element (def 2|3 bytes) -v, --verbose verbose output examples/notes: hf felica wrbl --sn 01 --scl CB10 --bn 01 --ble 8001 -d 0102030405060708090A0B0C0D0E0F10 hf felica wrbl -i 01100910c11bc407 --sn 01 --scl CB10 --bn 01 --ble 8001 -d 0102030405060708090A0B0C0D0E0F10 --------------------------------------------------------------------------------------- hf felica rqservice Use this command to verify the existence of Area and Service, and to acquire Key Version: - When the specified Area or Service exists, the card returns Key Version. - When the specified Area or Service does not exist, the card returns FFFFh as Key Version. For Node Code List of a command packet, Area Code or Service Code of the target of acquisition of Key Version shall be enumerated in Little Endian format. If Key Version of System is the target of acquisition, FFFFh shall be specified in the command packet. usage: hf felica rqservice [-ha] [-n ] [-c ] [-i ] options: -h, --help This help -a, --all auto node number mode, iterates through all nodes 1 < n < 32 -n, --node Number of Node -c, --code Node Code List (little endian) -i, --idm use custom IDm examples/notes: hf felcia rqservice --node 01 --code FFFF hf felcia rqservice -a --code FFFF hf felica rqservice -i 011204126417E405 --node 01 --code FFFF --------------------------------------------------------------------------------------- hf felica rqresponse Use this command to verify the existence of a card and its Mode. 
- current mode of the card is returned usage: hf felica rqresponse [-h] [-i ] options: -h, --help This help -i set custom IDm examples/notes: hf felica rqresponse -i 11100910C11BC407 --------------------------------------------------------------------------------------- hf felica scsvcode Feature not implemented yet. Feel free to contribute! usage: hf felica scsvcode [-h] options: -h, --help This help examples/notes: hf felica scsvcode --------------------------------------------------------------------------------------- hf felica rqsyscode Use this command to acquire System Code registered to the card. - if a card is divided into more than one System, this command acquires System Code of each System existing in the card. usage: hf felica rqsyscode [-h] [-i ] options: -h, --help This help -i set custom IDm examples/notes: hf felica rqsyscode hf felica rqsyscode -i 11100910C11BC407 --------------------------------------------------------------------------------------- hf felica auth1 Initiate mutual authentication. This command must always be executed before Auth2 command and mutual authentication is achieve only after Auth2 command has succeeded. INCOMPLETE / EXPERIMENTAL COMMAND!!! usage: hf felica auth1 [-hv] [--an ] [--acl ] [-i ] [--sn ] [--scl ] [-k ] options: -h, --help This help --an number of areas, 1 byte --acl area code list, 2 bytes -i set custom IDm --sn number of service, 1 byte --scl service code list, 2 bytes -k, --key 3des key, 16 bytes -v, --verbose verbose output examples/notes: hf felica auth1 --an 01 --acl 0000 --sn 01 --scl 8B00 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB hf felica auth1 --an 01 --acl 0000 --sn 01 --scl 8B00 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA hf felica auth1 -i 11100910C11BC407 --an 01 --acl 0000 --sn 01 ..scl 8B00 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB --------------------------------------------------------------------------------------- hf felica auth2 Complete mutual authentication. 
This command can only be executed subsquent to Auth1 INCOMPLETE / EXPERIMENTAL COMMAND!!! EXPERIMENTAL COMMAND - M2c/P2c will be not checked usage: hf felica auth2 [-hv] [-i ] [-c ] [-k ] options: -h, --help This help -i set custom IDm -c, --cc M3c card challenge, 8 bytes -k, --key 3des M3c decryption key, 16 bytes -v, --verbose verbose output examples/notes: hf felica auth2 --cc 0102030405060708 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB hf felica auth2 -i 11100910C11BC407 --cc 0102030405060708 --key AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB --------------------------------------------------------------------------------------- hf felica rqspecver Use this command to acquire the version of card OS. Response: - Format version: Fixed value 00h. Provided only if Status Flag1 = 00h - Basic version: Each value of version is expressed in BCD notation. Provided only if Status Flag1 = 00h - Number of Option: value = 0: AES card, value = 1: AES/DES card. Provided only if Status Flag1 = 00h - Option version list: Provided only if Status Flag1 = 00h - AES card: not added - AES/DES card: DES option version is added - BCD notation usage: hf felica rqspecver [-hv] [-i ] [-r ] options: -h, --help This help -i set custom IDm -r set custom reserve -v, --verbose verbose output examples/notes: hf felica rqspecver hf felica rqspecver -r 0001 hf felica rqspecver -i 11100910C11BC407 --------------------------------------------------------------------------------------- hf felica resetmode Use this command to reset Mode to Mode 0. 
usage: hf felica resetmode [-hv] [-i ] [-r ] options: -h, --help This help -i set custom IDm -r set custom reserve -v, --verbose verbose output examples/notes: hf felica resetmode hf felica resetmode -r 0001 hf felica resetmode -i 11100910C11BC407 --------------------------------------------------------------------------------------- hf felica litesim Emulating ISO/18092 FeliCa Lite tag usage: hf felica litesim [-h] -u options: -h, --help This help -u, --uid UID/NDEF2 8 hex bytes examples/notes: hf felica litesim -u 1122334455667788 --------------------------------------------------------------------------------------- hf felica litedump Dump ISO/18092 FeliCa Lite tag. It will timeout after 200sec usage: hf felica litedump [-h] options: -h, --help This help examples/notes: hf felica litedump --------------------------------------------------------------------------------------- hf fido help This help. list List ISO 14443A history info Info about FIDO tag. reg FIDO U2F Registration Message. auth FIDO U2F Authentication Message. make FIDO2 MakeCredential command. assert FIDO2 GetAssertion command. --------------------------------------------------------------------------------------- hf fido list Alias of `trace list -t 14a` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. 
Note that some might not be relevant for this specific protocol usage: hf fido list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf fido list --frame -> show frame delay times hf fido list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf fido info Get info from Fido tags usage: hf fido info [-h] options: -h, --help This help examples/notes: hf fido info --------------------------------------------------------------------------------------- hf fido reg Initiate a U2F token registration. Needs two 32-byte hash numbers. challenge parameter (32b) and application parameter (32b). The default config filename is `fido2_defparams.json` note: `-vv` shows full certificates data usage: hf fido reg [-havt] [-f ] [--cp ] [--ap ] [--cpx ] [--apx ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose output -t, --tlv Show DER certificate contents in TLV representation -f, --file JSON input file name for parameters --cp Challenge parameter (1..16 chars) --ap Application parameter (1..16 chars) --cpx Challenge parameter (32 bytes hex) --apx Application parameter (32 bytes hex) examples/notes: hf fido reg -> execute command with 2 parameters, filled 0x00 hf fido reg --cp s0 --ap s1 -> execute command with plain parameters hf fido reg --cpx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f --apx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f hf fido reg -f fido2-params -> execute command with custom config file --------------------------------------------------------------------------------------- 
hf fido auth Initiate a U2F token authentication. Needs key handle and two 32-byte hash numbers. key handle(var 0..255), challenge parameter (32b) and application parameter (32b) The default config filename is `fido2_defparams.json` usage: hf fido auth [-havuc] default mode: [-f ] [-k ] [--kh ] [--cp ] [--ap ] [--cpx ] [--apx ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose output default mode: dont-enforce-user-presence-and-sign -u, --user mode: enforce-user-presence-and-sign -c, --check mode: check-only -f, --file JSON file name for parameters -k, --key Public key to verify signature --kh Key handle (var 0..255b) --cp Challenge parameter (1..16 chars) --ap Application parameter (1..16 chars) --cpx Challenge parameter (32 bytes hex) --apx Application parameter (32 bytes hex) examples/notes: hf fido auth --kh 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with 2 parameters, filled 0x00 and key handle hf fido auth --kh 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f --cpx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f --apx 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f -> execute command with parameters --------------------------------------------------------------------------------------- hf fido make Execute a FIDO2 Make Credential command. Needs json file with parameters. Sample file `fido2_defparams.json` in `client/resources/`. 
- for yubikey there must be only one option `"rk": true` or false note: `-vv` shows full certificates data usage: hf fido make [-havtc] [-f ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose output -t, --tlv Show DER certificate contents in TLV representation -c, --cbor Show CBOR decoded data -f, --file Parameter JSON file name examples/notes: hf fido make -> use default parameters file `fido2_defparams.json` hf fido make -f test.json -> use parameters file `text.json` --------------------------------------------------------------------------------------- hf fido assert Execute a FIDO2 Get Assertion command. Needs json file with parameters. Sample file `fido2_defparams.json` in `client/resources/`. - Needs if `rk` option is `false` (authenticator doesn't store credential to its memory) - for yubikey there must be only one option `"up": true` or false note: `-vv` shows full certificates data usage: hf fido assert [-havcl] [-f ] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose output -c, --cbor Show CBOR decoded data -l, --list Add CredentialId from json to allowList -f, --file Parameter JSON file name examples/notes: hf fido assert -> default parameters file `fido2_defparams.json` hf fido assert -f test.json -l -> use parameters file `text.json` and add to request CredentialId --------------------------------------------------------------------------------------- hf fudan help This help reader Act like a fudan reader dump Dump FUDAN tag to binary file rdbl Read a fudan tag view Display content from tag dump file wrbl Write a fudan tag --------------------------------------------------------------------------------------- hf fudan reader Read a fudan tag usage: hf fudan reader [-hv@] options: -h, --help This help -v, --verbose verbose output -@ optional - continuous reader mode examples/notes: hf fudan reader hf fudan reader -@ -> continuous reader mode 
--------------------------------------------------------------------------------------- hf fudan dump Dump FUDAN tag to file (bin/json) If no given, UID will be used as filename usage: hf fudan dump [-h] [-f ] [--ns] options: -h, --help This help -f, --file Specify a filename for dump file --ns no save to file examples/notes: hf fudan dump -f mydump -> dump using filename --------------------------------------------------------------------------------------- hf fudan rdbl Read fudan block usage: hf fudan rdbl [-hv] --blk [-k ] options: -h, --help This help --blk block number -k, --key key, 6 hex bytes -v, --verbose verbose output examples/notes: hf fudan rdbl --blk 0 -k FFFFFFFFFFFF hf fudan rdbl --blk 3 -v --------------------------------------------------------------------------------------- hf fudan view Print a FUDAN dump file (bin/eml/json) usage: hf fudan view [-h] -f options: -h, --help This help -f, --file Specify a filename for dump file examples/notes: hf fudan view -f hf-fudan-01020304-dump.bin --------------------------------------------------------------------------------------- hf fudan wrbl Write fudan block with 4 hex bytes of data usage: hf fudan wrbl [-h] --blk [-k ] [-d ] options: -h, --help This help --blk block number -k, --key key, 6 hex bytes -d, --data bytes to write, 4 hex bytes examples/notes: hf fudan wrbl --blk 1 -k FFFFFFFFFFFF -d 01020304 --------------------------------------------------------------------------------------- hf gallagher help This help reader Read & decode all Gallagher credentials on a DESFire card clone Add Gallagher credentials to a DESFire card delete Delete Gallagher credentials from a DESFire card diversifykey Diversify Gallagher key decode Decode Gallagher credential block encode Encode Gallagher credential block --------------------------------------------------------------------------------------- hf gallagher reader Read a Gallagher DESFire tag from the Card Application Directory, CAD Specify site key is 
required if using non-default key usage: hf gallagher reader [-h@v] [--aid ] [--sitekey ] [--apdu] options: -h, --help This help --aid Application ID to read (3 bytes). If specified, the CAD is not used --sitekey Site key to compute diversified keys (16 bytes) -@, --continuous Continuous reader mode --apdu Show APDU requests and responses -v, --verbose Verbose output examples/notes: hf gallagher reader -@ -> continuous reader mode hf gallagher reader --aid 2081f4 --sitekey 00112233445566778899aabbccddeeff -> skip CAD --------------------------------------------------------------------------------------- hf gallagher clone Clone Gallagher credentials to a writable DESFire card Specify site key is required if using non-default key Key, lengths for the different crypto: DES 8 bytes 2TDEA or AES 16 bytes 3TDEA 24 bytes AID, default finds lowest available in range 0x??81F4, where ?? >= 0x20. usage: hf gallagher clone [-hv] [-n ] [-t ] [-k ] --rc --fc --cn --il [--aid ] [--sitekey ] [--cadkey ] [--nocadupdate] [--noappcreate] [--apdu] options: -h, --help This help -n, --keynum PICC key number [default = 0] -t, --algo PICC crypt algo: DES, 2TDEA, 3TDEA, AES -k, --key Key for authentication to the PICC to create applications --rc Region code. 4 bits max --fc Facility code. 2 bytes max --cn Card number. 3 bytes max --il Issue level. 
4 bits max --aid Application ID to write (3 bytes) [default automatically chooses] --sitekey Site key to compute diversified keys (16 bytes) --cadkey Custom AES key 0 to modify the Card Application Directory (16 bytes) --nocadupdate Don't modify the Card Application Directory (only creates the app) --noappcreate Don't create the application (only modifies the CAD) --apdu Show APDU requests and responses -v, --verbose Verbose output examples/notes: hf gallagher clone --rc 1 --fc 22 --cn 3333 --il 4 --sitekey 00112233445566778899aabbccddeeff --------------------------------------------------------------------------------------- hf gallagher delete Delete Gallagher application from a DESFire card Specify site key is required if using non-default key usage: hf gallagher delete [-hv] --aid [--sitekey ] [--cadkey ] [--nocadupdate] [--noappdelete] [--apdu] options: -h, --help This help --aid Application ID to delete (3 bytes) --sitekey Site key to compute diversified keys (16 bytes) --cadkey Custom AES key 0 to modify the Card Application Directory (16 bytes) --nocadupdate Don't modify the Card Application Directory (only deletes the app) --noappdelete Don't delete the application (only modifies the CAD) --apdu Show APDU requests and responses -v, --verbose Verbose output examples/notes: hf gallagher delete --aid 2081f4 --sitekey 00112233445566778899aabbccddeeff --------------------------------------------------------------------------------------- hf gallagher diversifykey Diversify Gallagher key Specify site key is required if using non-default key usage: hf gallagher diversify [-h] --aid [--keynum ] [--uid ] [--sitekey ] [--apdu] options: -h, --help This help --aid Application ID for diversification (3 bytes) --keynum Key number [default = 0] --uid Card UID to delete (4 or 7 bytes) --sitekey Site key to compute diversified keys (16 bytes) --apdu Show APDU requests and responses examples/notes: hf gallagher diversify --uid 11223344556677 --aid 2081f4 
--------------------------------------------------------------------------------------- hf gallagher decode Decode Gallagher credential block Credential block can be specified with or without the bitwise inverse. usage: hf gallagher decode [-h] --data options: -h, --help This help --data Credential block (8 or 16 bytes) examples/notes: hf gallagher decode --data A3B4B0C151B0A31B --------------------------------------------------------------------------------------- hf gallagher encode Encode a Gallagher credential block Credential block can be specified with or without the bitwise inverse. usage: hf gallagher encode [-h] -r -f -c -i options: -h, --help This help -r, --rc Region code. 4 bits max -f, --fc Facility code. 2 bytes max -c, --cn Card number. 3 bytes max -i, --il Issue level. 4 bits max examples/notes: hf gallagher encode --rc 1 --fc 22153 --cn 1253518 --il 1 --------------------------------------------------------------------------------------- hf iclass help This help list List iclass history ----------- ------------------- Operations ------------------- dump Dump Picopass / iCLASS tag to file info Tag information rdbl Read Picopass / iCLASS block reader Act like a Picopass / iCLASS reader restore Restore a dump file onto a Picopass / iCLASS tag sniff Eavesdrop Picopass / iCLASS communication view Display content from tag dump file wrbl Write Picopass / iCLASS block creditepurse Credit epurse value trbl Performs tearoff attack on iClass block ----------- --------------------- Recovery -------------------- chk Check keys loclass Use loclass to perform bruteforce reader attack lookup Uses authentication trace to check for key in dictionary file legrec Recovers 24 bits of the diversified key of a legacy card provided a valid nr-mac combination legbrute Bruteforces 40 bits of a partial diversified key, provided 24 bits of the key and two valid nr-macs unhash Reverses a diversified key to retrieve hash0 pre-images after DES encryption ----------- 
-------------------- Simulation ------------------- sim Simulate iCLASS tag eload Upload file into emulator memory esave Save emulator memory to file esetblk Set emulator memory block data eview View emulator memory ----------- ---------------------- Utils ---------------------- configcard Reader configuration card generator calcnewkey Calc diversified keys (blocks 3 & 4) to write new keys encode Encode binary wiegand to block 7 encrypt Encrypt given block data decrypt Decrypt given block data or tag dump file managekeys Manage keys to use with iclass commands permutekey Permute function from 'heart of darkness' paper ----------- ----------------------- SAM ----------------------- sam SAM tests --------------------------------------------------------------------------------------- hf iclass list Alias of `trace list -t iclass -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. 
Note that some might not be relevant for this specific protocol usage: hf iclass list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf iclass list --frame -> show frame delay times hf iclass list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf iclass dump Dump all memory from a iCLASS tag usage: hf iclass dump [-hz] [-f ] [-k ] [--ki ] [--credit ] [--ci ] [--elite] [--raw] [--nr] [--force] [--shallow] [--ns] options: -h, --help This help -f, --file save filename -k, --key debit key or NR/MAC for replay as 8 hex bytes --ki debit key index to select key from memory 'hf iclass managekeys' --credit credit key as 8 hex bytes --ci credit key index to select key from memory 'hf iclass managekeys' --elite elite computations applied to key --raw raw, the key is interpreted as raw block 3/4 --nr replay of NR/MAC -z, --dense dense dump output style --force force unsecure card read --shallow use shallow (ASK) reader modulation instead of OOK --ns no save to file examples/notes: hf iclass dump -k 001122334455667B hf iclass dump -k AAAAAAAAAAAAAAAA --credit 001122334455667B hf iclass dump -k AAAAAAAAAAAAAAAA --elite hf iclass dump --ki 0 hf iclass dump --ki 0 --ci 2 --------------------------------------------------------------------------------------- hf iclass info Act as a iCLASS reader. Reads / fingerprints a iCLASS tag. 
usage: hf iclass info [-h] [--shallow] options: -h, --help This help --shallow use shallow (ASK) reader modulation instead of OOK examples/notes: hf iclass info --------------------------------------------------------------------------------------- hf iclass rdbl Read a iCLASS block from tag usage: hf iclass rdbl [-hv] [-k ] [--ki ] --blk [--credit] [--elite] [--raw] [--nr] [--shallow] options: -h, --help This help -k, --key Access key as 8 hex bytes --ki Key index to select key from memory 'hf iclass managekeys' --blk Block number --credit key is assumed to be the credit key --elite elite computations applied to key --raw no computations applied to key --nr replay of NR/MAC -v, --verbose verbose output --shallow use shallow (ASK) reader modulation instead of OOK examples/notes: hf iclass rdbl --blk 6 -k 0011223344556677 hf iclass rdbl --blk 27 -k 0011223344556677 --credit hf iclass rdbl --blk 10 --ki 0 --------------------------------------------------------------------------------------- hf iclass reader Act as a iCLASS reader. 
Look for iCLASS tags until Enter or the pm3 button is pressed usage: hf iclass reader [-h@] [--shallow] options: -h, --help This help -@ optional - continuous reader mode --shallow use shallow (ASK) reader modulation instead of OOK examples/notes: hf iclass reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- hf iclass restore Restore data from dumpfile (bin/eml/json) onto a iCLASS tag usage: hf iclass restore [-hv] -f [-k ] [--ki ] --first --last [--credit] [--elite] [--raw] [--shallow] options: -h, --help This help -f, --file specify a filename to restore -k, --key Access key as 8 hex bytes --ki Key index to select key from memory 'hf iclass managekeys' --first The first block number to restore --last The last block number to restore --credit key is assumed to be the credit key --elite elite computations applied to key --raw no computations applied to key -v, --verbose verbose output --shallow use shallow (ASK) reader modulation instead of OOK examples/notes: hf iclass restore -f hf-iclass-AA162D30F8FF12F1-dump.bin --first 6 --last 18 --ki 0 hf iclass restore -f hf-iclass-AA162D30F8FF12F1-dump.bin --first 6 --last 18 --ki 0 --elite hf iclass restore -f hf-iclass-AA162D30F8FF12F1-dump.bin --first 6 --last 18 -k 1122334455667788 --elite --------------------------------------------------------------------------------------- hf iclass sniff Sniff the communication between reader and tag usage: hf iclass sniff [-hj] options: -h, --help This help -j, --jam Jam (prevent) e-purse updates examples/notes: hf iclass sniff hf iclass sniff -j -> jam e-purse updates --------------------------------------------------------------------------------------- hf iclass view Print a iCLASS tag dump file (bin/eml/json) usage: hf iclass view [-hvz] -f [--first ] [--last ] options: -h, --help This help -f, --file Specify a filename for dump file --first Begin printing from this block (default first user block) --last 
End printing at this block (default 0, ALL) -v, --verbose verbose output -z, --dense dense dump output style examples/notes: hf iclass view -f hf-iclass-AA162D30F8FF12F1-dump.bin hf iclass view --first 1 -f hf-iclass-AA162D30F8FF12F1-dump.bin If --first is not specified it will default to the first user block which is block 6 for secured chips or block 3 for non-secured chips --------------------------------------------------------------------------------------- hf iclass wrbl Write data to an iCLASS tag usage: hf iclass wrbl [-hv] [-k ] [--ki ] --blk -d [-m ] [--credit] [--elite] [--raw] [--nr] [--shallow] options: -h, --help This help -k, --key Access key as 8 hex bytes --ki Key index to select key from memory 'hf iclass managekeys' --blk block number -d, --data data to write as 8 hex bytes -m, --mac replay mac data (4 hex bytes) --credit key is assumed to be the credit key --elite elite computations applied to key --raw no computations applied to key --nr replay of NR/MAC -v, --verbose verbose output --shallow use shallow (ASK) reader modulation instead of OOK examples/notes: hf iclass wrbl --blk 10 -d AAAAAAAAAAAAAAAA -k 001122334455667B hf iclass wrbl --blk 10 -d AAAAAAAAAAAAAAAA -k 001122334455667B --credit hf iclass wrbl --blk 10 -d AAAAAAAAAAAAAAAA --ki 0 --------------------------------------------------------------------------------------- hf iclass creditepurse Credit the epurse on an iCLASS tag. The provided key must be the credit key. The first two bytes of the epurse are the debit value (big endian) and may be any value except FFFF. The remaining two bytes of the epurse are the credit value and must be smaller than the previous value. 
usage: hf iclass creditepurse [-hv] [-k ] [--ki ] -d [--elite] [--raw] [--shallow] options: -h, --help This help -k, --key Credit key as 8 hex bytes --ki Key index to select key from memory 'hf iclass managekeys' -d, --data data to write as 8 hex bytes --elite elite computations applied to key --raw no computations applied to key -v, --verbose verbose output --shallow use shallow (ASK) reader modulation instead of OOK examples/notes: hf iclass creditepurse -d FEFFFFFF -k 001122334455667B hf iclass creditepurse -d FEFFFFFF --ki 0 --------------------------------------------------------------------------------------- hf iclass trbl Tear off an iCLASS tag block usage: hf iclass trbl [-hv] [-k ] [--ki ] --blk -d [-m ] [--credit] [--elite] [--raw] [--nr] [--shallow] --tdb --tde options: -h, --help This help -k, --key Access key as 8 hex bytes --ki Key index to select key from memory 'hf iclass managekeys' --blk block number -d, --data data to write as 8 hex bytes -m, --mac replay mac data (4 hex bytes) --credit key is assumed to be the credit key --elite elite computations applied to key --raw no computations applied to key --nr replay of NR/MAC -v, --verbose verbose output --shallow use shallow (ASK) reader modulation instead of OOK --tdb tearoff delay start in ms --tde tearoff delay end in ms examples/notes: hf iclass trbl --blk 10 -d AAAAAAAAAAAAAAAA -k 001122334455667B --tdb 100 --tde 150 hf iclass trbl --blk 10 -d AAAAAAAAAAAAAAAA --ki 0 --tdb 100 --tde 150 --------------------------------------------------------------------------------------- hf iclass chk Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag usage: hf iclass chk [-h] [-f ] [--credit] [--elite] [--raw] [--shallow] [--vb6kdf] options: -h, --help This help -f, --file Dictionary file with default iclass keys --credit key is assumed to be the credit key --elite elite computations applied to key --raw no computations applied to key (raw) --shallow use 
shallow (ASK) reader modulation instead of OOK --vb6kdf use the VB6 elite KDF instead of a file examples/notes: hf iclass chk -f iclass_default_keys.dic hf iclass chk -f iclass_elite_keys.dic --elite hf iclass chk --vb6kdf --------------------------------------------------------------------------------------- hf iclass loclass Execute the offline part of loclass attack An iclass dumpfile is assumed to consist of an arbitrary number of malicious CSNs, and their protocol responses The binary format of the file is expected to be as follows: <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> ... totalling N*24 bytes usage: hf iclass loclass [-h] [-f ] [--test] [--long] options: -h, --help This help -f, --file filename with nr/mac data from `hf iclass sim -t 2` --test Perform self test --long Perform self test, including long ones examples/notes: hf iclass loclass -f iclass_dump.bin hf iclass loclass --test --------------------------------------------------------------------------------------- hf iclass lookup This command take sniffed trace data and try to recovery a iCLASS Standard or iCLASS Elite key. 
usage: hf iclass lookup [-h] [-f ] --csn --epurse --macs [--elite] [--raw] [--vb6rng] options: -h, --help This help -f, --file Dictionary file with default iclass keys --csn Specify CSN as 8 hex bytes --epurse Specify ePurse as 8 hex bytes --macs MACs --elite Elite computations applied to key --raw no computations applied to key --vb6rng use the VB6 rng for elite keys instead of a dictionary file examples/notes: hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic --elite hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b --vb6rng --------------------------------------------------------------------------------------- hf iclass legrec Attempts to recover the diversified key of a specific iClass card. This may take a long time. The Card must remain be on the PM3 antenna during the whole process! This process may brick the card! usage: hf iclass legrec [-h] --macs [--index ] [--loop ] [--debug] [--notest] [--allnight] [--est] options: -h, --help This help --macs AA1 Authentication MACs --index Where to start from to retrieve the key, default 0 --loop The number of key retrieval cycles to perform, max 10000, default 100 --debug Re-enables tracing for debugging. Limits cycles to 1. --notest Perform real writes on the card! --allnight Loops the loop for 10 times, recommended loop value of 5000. --est Estimates the key updates based on the card's CSN assuming standard key. examples/notes: hf iclass legrec --macs 0000000089cb984b hf iclass legrec --macs 0000000089cb984b --index 0 --loop 100 --notest --------------------------------------------------------------------------------------- hf iclass legbrute This command take sniffed trace data and partial raw key and bruteforces the remaining 40 bits of the raw key. 
usage: hf iclass legbrute [-h] --epurse --macs1 --macs2 --pk [--index ] options: -h, --help This help --epurse Specify ePurse as 8 hex bytes --macs1 MACs captured from the reader --macs2 MACs captured from the reader, different than the first set (with the same csn and epurse value) --pk Partial Key from legrec or starting key of keyblock from legbrute --index Where to start from to retrieve the key, default 0 - value in millions e.g. 1 is 1 million examples/notes: hf iclass legbrute --epurse feffffffffffffff --macs1 1306cad9b6c24466 --macs2 f0bf905e35f97923 --pk B4F12AADC5301225 --------------------------------------------------------------------------------------- hf iclass unhash Reverses the hash0 function used generate iclass diversified keys after DES encryption, Function returns the DES crypted CSN. Next step bruteforcing. usage: hf iclass unhash [-h] -k options: -h, --help This help -k, --divkey Card diversified key examples/notes: hf iclass unhash -k B4F12AADC5301A2D --------------------------------------------------------------------------------------- hf iclass sim Simulate a iCLASS legacy/standard tag usage: hf iclass sim [-h] -t <0-4> [--csn ] options: -h, --help This help -t, --type <0-4> Simulation type to use --csn Specify CSN as 8 hex bytes to use with sim type 0 examples/notes: hf iclass sim -t 0 --csn 031FEC8AF7FF12E0 -> simulate with specified CSN hf iclass sim -t 1 -> simulate with default CSN hf iclass sim -t 2 -> execute loclass attack online part hf iclass sim -t 3 -> simulate full iCLASS 2k tag hf iclass sim -t 4 -> Reader-attack, adapted for KeyRoll mode, gather reader responses to extract elite key --------------------------------------------------------------------------------------- hf iclass eload Load emulator memory with data from (bin/json) iCLASS dump file usage: hf iclass eload [-hmv] -f options: -h, --help This help -f, --file Specify a filename for dump file -m, --mem use RDV4 spiffs -v, --verbose verbose output examples/notes: 
hf iclass eload -f hf-iclass-AA162D30F8FF12F1-dump.json hf iclass eload -f hf-iclass-AA162D30F8FF12F1-dump.bin -m --------------------------------------------------------------------------------------- hf iclass esave Save emulator memory to file (bin/json) if filename is not supplied, CSN will be used. usage: hf iclass esave [-h] [-f ] [-s <256|2048>] options: -h, --help This help -f, --file Specify a filename for dump file -s, --size <256|2048> number of bytes to save (default 256) examples/notes: hf iclass esave hf iclass esave -f hf-iclass-dump hf iclass esave -s 2048 -f hf-iclass-dump --------------------------------------------------------------------------------------- hf iclass esetblk Sets an individual block in emulator memory. usage: hf iclass esetblk [-h] --blk [-d ] options: -h, --help This help --blk block number -d, --data bytes to write, 8 hex bytes examples/notes: hf iclass esetblk --blk 7 -d 0000000000000000 --------------------------------------------------------------------------------------- hf iclass eview Display emulator memory. Number of bytes to download defaults to 256. Other value is 2048. usage: hf iclass eview [-hvz] [-s <256|2048>] options: -h, --help This help -s, --size <256|2048> number of bytes to save (default 256) -v, --verbose verbose output -z, --dense dense dump output style examples/notes: hf iclass eview hf iclass eview -s 2048 hf iclass eview -s 2048 -v --------------------------------------------------------------------------------------- hf iclass configcard Manage reader configuration card via Cardhelper or internal database, The generated config card will be uploaded to device emulator memory. 
You can start simulating `hf iclass sim -t 3` or use the emul commands usage: hf iclass configcard [-hp] [--g ] [--ki ] [--eki ] [--mrki ] [--elite] options: -h, --help This help --g use config option --ki Card Key - index to select key from memory 'hf iclass managekeys' --eki Elite Key - index to select key from memory 'hf iclass managekeys' --mrki Standard Master Key - index to select key from memory 'hf iclass managekeys' --elite Use elite key for the the Card Key ki -p print available cards examples/notes: hf iclass configcard -p -> print all config cards in the database hf iclass configcard --g 0 -> generate config file with option 0 --------------------------------------------------------------------------------------- hf iclass calcnewkey Calculate new keys for updating (blocks 3 & 4) usage: hf iclass calcnewkey [-h] [--old ] [--oki ] [--new ] [--nki ] [--csn ] [--elite] [--elite2] [--oldelite] options: -h, --help This help --old Specify key as 8 hex bytes --oki Old key index to select key from memory 'hf iclass managekeys' --new Specify key as 8 hex bytes --nki New key index to select key from memory 'hf iclass managekeys' --csn Specify a Card Serial Number (CSN) to diversify the key (if omitted will attempt to read a CSN) --elite Elite computations applied to new key --elite2 Elite computations applied to both old and new key --oldelite Elite computations applied only to old key examples/notes: hf iclass calcnewkey --old 1122334455667788 --new 2233445566778899 --csn deadbeafdeadbeaf --elite2 -> e key to e key given csn hf iclass calcnewkey --old 1122334455667788 --new 2233445566778899 --elite -> std key to e key read csn hf iclass calcnewkey --old 1122334455667788 --new 2233445566778899 -> std to std read csn --------------------------------------------------------------------------------------- hf iclass encode Encode binary wiegand to block 7,8,9 Use either --bin or --wiegand/--fc/--cn usage: hf iclass encode [-hv] [--bin ] [--ki ] [--credit] [--elite] 
                   [--raw] [--enckey ] [--fc ] [--cn ] [--issue ] [-w ] [--emu] [--shallow]
options:
  -h, --help      This help
  --bin           Binary string, e.g. 0001001001
  --ki            Key index to select key from memory 'hf iclass managekeys'
  --credit        key is assumed to be the credit key
  --elite         elite computations applied to key
  --raw           no computations applied to key
  --enckey        3DES transport key, 16 hex bytes
  --fc            facility code
  --cn            card number
  --issue         issue level
  -w, --wiegand   see `wiegand list` for available formats
  --emu           Write to emulation memory instead of card
  --shallow       use shallow (ASK) reader modulation instead of OOK
  -v              verbose (print encoded blocks)
examples/notes:
  hf iclass encode --bin 10001111100000001010100011 --ki 0           -> FC 31 CN 337 (H10301)
  hf iclass encode -w H10301 --fc 31 --cn 337 --ki 0                 -> FC 31 CN 337 (H10301)
  hf iclass encode --bin 10001111100000001010100011 --ki 0 --elite   -> FC 31 CN 337 (H10301), writing with elite key
  hf iclass encode -w H10301 --fc 31 --cn 337 --emu                  -> Writes the encoded data to emulator memory
  When using the emulator you have to first load a credential into emulator memory
---------------------------------------------------------------------------------------
hf iclass encrypt
3DES encrypt data
NOTE! In order to use this function, the file 'iclass_decryptionkey.bin' must reside in the resources directory.
The file should contain the key as 16 bytes of binary data
usage:
  hf iclass encrypt [-hv] -d [-k ]
options:
  -h, --help      This help
  -d, --data      data to encrypt
  -k, --key       3DES transport key
  -v, --verbose   verbose output
examples/notes:
  hf iclass encrypt -d 0102030405060708
  hf iclass encrypt -d 0102030405060708 -k 00112233445566778899AABBCCDDEEFF
---------------------------------------------------------------------------------------
hf iclass decrypt
3DES decrypt data
This is a naive implementation: it tries to decrypt every block after block 6.
Correct behaviour would be to decrypt only the application areas where the key is valid,
which is defined by the configuration block.
NOTE!
In order to use this function, the file `iclass_decryptionkey.bin` must reside in the resources directory.
The file must be 16 bytes of binary data, or alternatively a Cardhelper must be placed in the SIM module
usage:
  hf iclass decrypt [-hvz] [-f ] [-d ] [-k ] [--d6] [--ns]
options:
  -h, --help      This help
  -f, --file      Specify a filename for dump file
  -d, --data      3DES encrypted data
  -k, --key       3DES transport key
  -v, --verbose   verbose output
  --d6            decode as block 6
  -z, --dense     dense dump output style
  --ns            no save to file
examples/notes:
  hf iclass decrypt -f hf-iclass-AA162D30F8FF12F1-dump.bin
  hf iclass decrypt -f hf-iclass-AA162D30F8FF12F1-dump.bin -k 000102030405060708090a0b0c0d0e0f
  hf iclass decrypt -d 1122334455667788 -k 000102030405060708090a0b0c0d0e0f
---------------------------------------------------------------------------------------
hf iclass managekeys
Manage iCLASS Keys in client memory
usage:
  hf iclass managekeys [-hp] [-f ] [-k ] [--ki ] [--save] [--load]
options:
  -h, --help      This help
  -f, --file      Specify a filename for load / save operations
  -k, --key       Access key as 8 hex bytes
  --ki            Specify key index to set key in memory
  --save          Save keys in memory to file specified by filename
  --load          Load keys to memory from file specified by filename
  -p, --print     Print keys loaded into memory
examples/notes:
  hf iclass managekeys --ki 0 -k 1122334455667788   -> set key 1122334455667788 at index 0
  hf iclass managekeys -f mykeys.bin --save         -> save key file
  hf iclass managekeys -f mykeys.bin --load         -> load key file
  hf iclass managekeys -p                           -> print keys
---------------------------------------------------------------------------------------
hf iclass permutekey
Permute function from 'heart of darkness' paper.
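The `hf iclass encode` examples above encode facility code 31 and card number 337 in the H10301 format as the 26-bit string 10001111100000001010100011. The following is an added example, not code from the Proxmark3 client or its documentation, that reproduces that bit string in plain Python and shows how the two parity bits are derived and verified, so a malformed `--bin` argument can be caught before it is written to blocks 7, 8 and 9. The layout (even parity over the first 12 payload bits, 8-bit facility code, 16-bit card number, odd parity over the last 12 payload bits) is the public HID H10301 definition; the function names are this example's own.

```python
"""HID H10301 (26-bit Wiegand) encoder/decoder.

Added example; not part of the Proxmark3 client. Layout, MSB first:

  bit 0       even parity over bits 1..12
  bits 1..8   facility code (8 bits)
  bits 9..24  card number (16 bits)
  bit 25      odd parity over bits 13..24
"""

H10301_BITS = 26


def h10301_encode(fc: int, cn: int) -> str:
    """Return the 26-bit string that `hf iclass encode --bin` expects for FC/CN."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cn <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{fc:08b}{cn:016b}"             # the 24 payload bits
    even = data[:12].count("1") % 2          # 1 when the left half has an odd count
    odd = (data[12:].count("1") + 1) % 2     # 1 when the right half has an even count
    return f"{even}{data}{odd}"


def h10301_decode(bits: str) -> tuple[int, int]:
    """Parse a 26-bit string back to (fc, cn); raise on length or parity errors."""
    if len(bits) != H10301_BITS or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {H10301_BITS} binary digits")
    if bits[:13].count("1") % 2 != 0:        # parity bit 0 plus payload bits 1..12
        raise ValueError("even parity check failed on bits 0..12")
    if bits[13:].count("1") % 2 != 1:        # payload bits 13..24 plus parity bit 25
        raise ValueError("odd parity check failed on bits 13..25")
    return int(bits[1:9], 2), int(bits[9:25], 2)


if __name__ == "__main__":
    bits = h10301_encode(31, 337)            # the FC/CN pair used in the help text above
    print(bits, h10301_decode(bits))         # 10001111100000001010100011 (31, 337)
```

A single flipped bit in the string fails one of the two parity checks, which is the same reason `hf iclass encode -w H10301 --fc 31 --cn 337` is the safer form: the client computes the parity bits for you instead of trusting a hand-typed string.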
usage:
  hf iclass permutekey [-hr] --key
options:
  -h, --help      This help
  -r, --reverse   reverse permuted key
  --key           input key, 8 hex bytes
examples/notes:
  hf iclass permutekey --reverse --key 0123456789abcdef
  hf iclass permutekey --key ff55330f0055330f
---------------------------------------------------------------------------------------
hf iclass sam
Extract PACS via a HID SAM
usage:
  hf iclass sam [-hv]
options:
  -h, --help      This help
  -v, --verbose   verbose output
examples/notes:
  hf iclass sam
---------------------------------------------------------------------------------------
hf ict
  help          This help
  credential    Read ICT credential and decode
  info          Tag information
  list          List ICT history
  reader        Act like an ISO 14443-A reader
---------------------------------------------------------------------------------------
hf ict credential
Read ICT sector from tag and decode
usage:
  hf ict credential [-hv]
options:
  -h, --help      This help
  -v, --verbose   verbose output
examples/notes:
  hf ict credential
---------------------------------------------------------------------------------------
hf ict info
Get info from ICT encoded credential tags (MIFARE Classic / DESFire)
usage:
  hf ict info [-h]
options:
  -h, --help      This help
examples/notes:
  hf ict info
---------------------------------------------------------------------------------------
hf ict list
Alias of `trace list -t 14a -c` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`) or it is downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage:
  hf ict list [-h1crux] [--frame] [-f ]
options:
  -h, --help      This help
  -1, --buffer    use data from trace buffer
  --frame         show frame delay times
  -c              mark CRC bytes
  -r              show relative times (gap and duration)
  -u              display times in microseconds instead of clock cycles
  -x              show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file      filename of trace file to load
examples/notes:
  hf ict list --frame    -> show frame delay times
  hf ict list -1         -> use trace buffer
---------------------------------------------------------------------------------------
hf ict reader
Act as a reader
usage:
  hf ict reader [-h]
options:
  -h, --help      This help
examples/notes:
  hf ict reader
---------------------------------------------------------------------------------------
hf jooki
  help      This help
  clone     Write a Jooki token
  decode    Decode Jooki token
  encode    Encode Jooki token
  sim       Simulate Jooki token
---------------------------------------------------------------------------------------
hf jooki clone
Write a Jooki token to an Ultralight or NTAG tag
usage:
  hf jooki clone [-h] [-b ] [-d ] [-p ]
options:
  -h, --help      This help
  -b, --b64       base64 url parameter
  -d, --data      raw NDEF bytes
  -p, --pwd       password for authentication (EV1/NTAG 4 bytes)
examples/notes:
  hf jooki clone -d                         -> where hex is raw NDEF
  hf jooki clone --b64 7WzlgEzqLgwTnWNy     -> using base64 url parameter
---------------------------------------------------------------------------------------
hf jooki decode
Decode a base64-encoded Jooki token in NDEF URI format
usage:
  hf jooki decode [-hv] -d
options:
  -h, --help      This help
  -d, --data      base64 url parameter
  -v, --verbose   verbose output
examples/notes:
  hf jooki decode -d 7WzlgEzqLgwTnWNy
---------------------------------------------------------------------------------------
hf jooki encode
Encode a Jooki token to base64 NDEF URI format
usage:
  hf jooki encode [-hrv] [-u ] [--test] [--dragon] [--fox]
                  [--ghost] [--knight] [--whale] [--blackdragon] [--blackfox] [--blackknight] [--blackwhale]
                  [--whitedragon] [--whitefox] [--whiteknight] [--whitewhale] [--tid ] [--fid ]
options:
  -h, --help      This help
  -u, --uid       uid bytes
  -r              read uid from tag instead
  --test          self test
  -v, --verbose   verbose output
  --dragon        figurine type
  --fox           figurine type
  --ghost         figurine type
  --knight        figurine type
  --whale         figurine type
  --blackdragon   figurine type
  --blackfox      figurine type
  --blackknight   figurine type
  --blackwhale    figurine type
  --whitedragon   figurine type
  --whitefox      figurine type
  --whiteknight   figurine type
  --whitewhale    figurine type
  --tid           figurine type id
  --fid           figurine id
examples/notes:
  hf jooki encode --test                                  -> self tests
  hf jooki encode -r --dragon                             -> read uid from tag and use for encoding
  hf jooki encode --uid 04010203040506 --dragon
  hf jooki encode --uid 04010203040506 --tid 1 --fid 1
---------------------------------------------------------------------------------------
hf jooki sim
Simulate a Jooki token.
Either run `hf mfu eload` first or use the `-b` param
usage:
  hf jooki sim [-h] [-b ]
options:
  -h, --help      This help
  -b, --b64       base64 url parameter
examples/notes:
  hf jooki sim                          -> use token in emulator memory
  hf jooki sim -b 7WzlgEzqLgwTnWNy      -> using base64 url parameter
---------------------------------------------------------------------------------------
hf ksx6924
  help      This help
  select    Select application, and leave field up
  info      Get info about a KS X 6924 (T-Money, Snapper+) transit card
  balance   Get current purse balance
  init      Perform transaction initialization with Mpda
  prec      Send proprietary get record command (CLA=90, INS=4C)
---------------------------------------------------------------------------------------
hf ksx6924 select
Selects KS X 6924 application, and leaves field up
usage:
  hf ksx6924 select [-ha]
options:
  -h, --help      This help
  -a, --apdu      Show APDU requests and responses
examples/notes:
  hf ksx6924 select
---------------------------------------------------------------------------------------
hf ksx6924 info
Get info about a KS X 6924 transit card.
This application is used by T-Money (South Korea) and Snapper+ (Wellington, New Zealand).
usage:
  hf ksx6924 info [-hka]
options:
  -h, --help      This help
  -k, --keep      keep field ON for next command
  -a, --apdu      Show APDU requests and responses
examples/notes:
  hf ksx6924 info
---------------------------------------------------------------------------------------
hf ksx6924 balance
Gets the current purse balance
usage:
  hf ksx6924 balance [-hka]
options:
  -h, --help      This help
  -k, --keep      keep field ON for next command
  -a, --apdu      Show APDU requests and responses
examples/notes:
  hf ksx6924 balance
---------------------------------------------------------------------------------------
hf ksx6924 init
Perform transaction initialization with Mpda (Money of Purchase Transaction)
usage:
  hf ksx6924 init [-hka]
options:
  -h, --help      This help
  -k, --keep      keep field ON for next command
  -a, --apdu      Show APDU requests and responses
examples/notes:
  hf ksx6924 init 000003e8    -> Mpda
---------------------------------------------------------------------------------------
hf ksx6924 prec
Executes proprietary read record command.
Data format is unknown. Other records are available with 'emv getrec'.
usage:
  hf ksx6924 prec [-hka]
options:
  -h, --help      This help
  -k, --keep      keep field ON for next command
  -a, --apdu      Show APDU requests and responses
examples/notes:
  hf ksx6924 prec 0b    -> read proprietary record 0x0b
---------------------------------------------------------------------------------------
hf legic
----------- --------------------- operations ---------------------
  help        This help
  dump        Dump LEGIC Prime tag to binary file
  info        Display deobfuscated and decoded LEGIC Prime tag data
  list        List LEGIC history
  rdbl        Read bytes from a LEGIC Prime tag
  reader      LEGIC Prime Reader UID and tag info
  restore     Restore a dump file onto a LEGIC Prime tag
  wipe        Wipe a LEGIC Prime tag
  wrbl        Write data to a LEGIC Prime tag
----------- --------------------- simulation ---------------------
  sim         Start tag simulator
  eload       Upload file into emulator memory
  esave       Save emulator memory to file
  eview       View emulator memory
  einfo       Display deobfuscated and decoded emulator memory
----------- --------------------- utils ---------------------
  crc         Calculate Legic CRC over given bytes
  view        Display deobfuscated and decoded content from tag dump file
---------------------------------------------------------------------------------------
hf legic dump
Reads all memory from a LEGIC Prime tag and saves it to a (bin/json) dump file
It autodetects card type (MIM22, MIM256, MIM1024)
usage:
  hf legic dump [-h] [-f ] [--de]
options:
  -h, --help      This help
  -f, --file      Dump filename
  --de            deobfuscate dump data (xor with MCC)
examples/notes:
  hf legic dump              -> use UID as filename
  hf legic dump -f myfile
  hf legic dump --de         -> use UID as filename and deobfuscate data
---------------------------------------------------------------------------------------
hf legic info
Gets information from a LEGIC Prime tag like system area, user areas, etc
usage:
  hf legic info [-hv]
options:
  -h, --help      This help
  -v, --verbose   verbose output
examples/notes:
  hf legic info
---------------------------------------------------------------------------------------
hf legic list
Alias of `trace list -t legic` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`) or it is downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage:
  hf legic list [-h1crux] [--frame] [-f ]
options:
  -h, --help      This help
  -1, --buffer    use data from trace buffer
  --frame         show frame delay times
  -c              mark CRC bytes
  -r              show relative times (gap and duration)
  -u              display times in microseconds instead of clock cycles
  -x              show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file      filename of trace file to load
examples/notes:
  hf legic list --frame    -> show frame delay times
  hf legic list -1         -> use trace buffer
---------------------------------------------------------------------------------------
hf legic rdbl
Read data from a LEGIC Prime tag
usage:
  hf legic rdbl [-h] [-o ] [-l ] [--iv ]
options:
  -h, --help      This help
  -o, --offset    offset in data array to start download from
  -l, --length    number of bytes to read
  --iv            Initialization vector to use.
                  Must be odd and 7 bits max
examples/notes:
  hf legic rdbl -o 0 -l 16             -> read 16 bytes from offset 0 (system header)
  hf legic rdbl -o 0 -l 4 --iv 55      -> read 4 bytes from offset 0
  hf legic rdbl -o 0 -l 256 --iv 55    -> read 256 bytes from offset 0
---------------------------------------------------------------------------------------
hf legic reader
Read UID and type information from a LEGIC Prime tag
usage:
  hf legic reader [-h@]
options:
  -h, --help      This help
  -@              optional - continuous reader mode
examples/notes:
  hf legic reader
---------------------------------------------------------------------------------------
hf legic restore
Reads a (bin/eml/json) file, autodetects the card type and verifies that the file has the same size,
then writes the data back to the card.
All bytes are written except the first 7 bytes [UID(4) MCC(1) DCF(2)]
usage:
  hf legic restore [-h] -f [--ob]
options:
  -h, --help      This help
  -f, --file      Specify a filename to restore
  --ob            obfuscate dump data (xor with MCC)
examples/notes:
  hf legic restore -f myfile          -> use user specified filename
  hf legic restore -f myfile --ob     -> use user specified filename and obfuscate data
---------------------------------------------------------------------------------------
hf legic wipe
Fills a LEGIC Prime tag's memory with zeros, from byte 7 to the end
It autodetects card type
usage:
  hf legic wipe [-h]
options:
  -h, --help      This help
examples/notes:
  hf legic wipe
---------------------------------------------------------------------------------------
hf legic wrbl
Write data to a LEGIC Prime tag.
It autodetects tag size to ensure a proper write
usage:
  hf legic wrbl [-h] -o -d [--danger]
options:
  -h, --help      This help
  -o, --offset    offset in data array to start writing
  -d, --data      data to write
  --danger        Auto-confirm dangerous operations
examples/notes:
  hf legic wrbl -o 0 -d 11223344      -> Write 0x11223344 starting from offset 0
  hf legic wrbl -o 10 -d DEADBEEF     -> Write 0xdeadbeef starting from offset 10
---------------------------------------------------------------------------------------
hf legic sim
Simulates a LEGIC Prime tag. Following types supported (MIM22, MIM256, MIM1024)
usage:
  hf legic sim [-h] [--22] [--256] [--1024]
options:
  -h, --help      This help
  --22            LEGIC Prime MIM22
  --256           LEGIC Prime MIM256 (def)
  --1024          LEGIC Prime MIM1024
examples/notes:
  hf legic sim --22
---------------------------------------------------------------------------------------
hf legic eload
Loads a LEGIC Prime dump file into emulator memory
usage:
  hf legic eload [-h] -f [--obfuscate]
options:
  -h, --help      This help
  -f, --file      Filename to load
  --obfuscate     Obfuscate dump data (xor with MCC)
examples/notes:
  hf legic eload -f myfile
  hf legic eload -f myfile --obfuscate
---------------------------------------------------------------------------------------
hf legic esave
Saves a (bin/json) dump file of emulator memory
usage:
  hf legic esave [-h] [-f ] [--22] [--256] [--1024] [--de]
options:
  -h, --help      This help
  -f, --file      Filename to save
  --22            LEGIC Prime MIM22
  --256           LEGIC Prime MIM256 (def)
  --1024          LEGIC Prime MIM1024
  --de            De-obfuscate dump data (xor with MCC)
examples/notes:
  hf legic esave                        -> uses UID as filename
  hf legic esave -f myfile --22
  hf legic esave -f myfile --22 --de
---------------------------------------------------------------------------------------
hf legic eview
It displays emulator memory
usage:
  hf legic eview [-hv] [--22] [--256] [--1024]
options:
  -h, --help      This help
  --22            LEGIC Prime MIM22
  --256           LEGIC Prime MIM256 (def)
  --1024          LEGIC Prime MIM1024
  -v, --verbose   verbose output
examples/notes:
  hf legic eview
  hf legic eview --22
---------------------------------------------------------------------------------------
hf legic einfo
It decodes and displays emulator memory
usage:
  hf legic einfo [-h] [--22] [--256] [--1024]
options:
  -h, --help      This help
  --22            LEGIC Prime MIM22
  --256           LEGIC Prime MIM256 (def)
  --1024          LEGIC Prime MIM1024
examples/notes:
  hf legic einfo
  hf legic einfo --22
---------------------------------------------------------------------------------------
hf legic crc
Calculates the legic crc8/crc16 on the given data
usage:
  hf legic crc [-h] -d [--mcc ] [-t ]
options:
  -h, --help      This help
  -d, --data      bytes to calculate crc over
  --mcc           MCC hex byte (UID CRC)
  -t, --type      CRC Type (default: 8)
examples/notes:
  hf legic crc -d deadbeef1122
  hf legic crc -d deadbeef1122 --mcc 9A -t 16    -> CRC Type 16
---------------------------------------------------------------------------------------
hf legic view
Print a LEGIC Prime dump file (bin/eml/json)
usage:
  hf legic view [-hv] -f
options:
  -h, --help      This help
  -f, --file      Specify a filename for dump file
  -v, --verbose   verbose output
examples/notes:
  hf legic view -f hf-legic-01020304-dump.bin
---------------------------------------------------------------------------------------
hf lto
  help      This help
  dump      Dump LTO-CM tag to file
  info      Tag information
  list      List LTO-CM history
  rdbl      Read block
  reader    Act like an LTO-CM reader
  restore   Restore dump file to LTO-CM tag
  wrbl      Write block
---------------------------------------------------------------------------------------
hf lto dump
Dump data from LTO tag
usage:
  hf lto dump [-h] [-f ]
options:
  -h, --help      This help
  -f, --file      specify a filename for dumpfile
examples/notes:
  hf lto dump -f myfile
---------------------------------------------------------------------------------------
hf lto info
Get info from LTO tags
usage:
  hf lto info [-h]
options:
  -h, --help      This help
examples/notes:
  hf lto info
---------------------------------------------------------------------------------------
hf lto list
Alias of `trace list -t lto -c` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`) or it is downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage:
  hf lto list [-h1crux] [--frame] [-f ]
options:
  -h, --help      This help
  -1, --buffer    use data from trace buffer
  --frame         show frame delay times
  -c              mark CRC bytes
  -r              show relative times (gap and duration)
  -u              display times in microseconds instead of clock cycles
  -x              show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file      filename of trace file to load
examples/notes:
  hf lto list --frame    -> show frame delay times
  hf lto list -1         -> use trace buffer
---------------------------------------------------------------------------------------
hf lto rdbl
Read blocks from LTO tag
usage:
  hf lto rdbl [-h] [--first ] [--last ]
options:
  -h, --help      This help
  --first         The first block number to read as an integer
  --last          The last block number to read as an integer
examples/notes:
  hf lto rdbl --first 0 --last 254
---------------------------------------------------------------------------------------
hf lto reader
Act as an LTO-CM reader.
Look for LTO-CM tags until Enter or the pm3 button is pressed
usage:
  hf lto reader [-h@]
options:
  -h, --help      This help
  -@              optional - continuous reader mode
examples/notes:
  hf lto reader -@    -> continuous reader mode
---------------------------------------------------------------------------------------
hf lto restore
Restore data from dumpfile to LTO tag
usage:
  hf lto restore [-h] -f
options:
  -h, --help      This help
  -f, --file      specify a filename for dumpfile
examples/notes:
  hf lto restore -f hf-lto-92C7842CFF.bin|.eml
---------------------------------------------------------------------------------------
hf lto wrbl
Write data to block on LTO tag
usage:
  hf lto wrbl [-h] -d --blk
options:
  -h, --help      This help
  -d, --data      32 bytes of data to write (64 hex symbols, no spaces)
  --blk           The block number to write to as an integer
examples/notes:
  hf lto wrbl --blk 128 -d 0001020304050607080910111213141516171819202122232425262728293031
---------------------------------------------------------------------------------------
hf mf
  help          This help
  list          List MIFARE history
----------- ----------------------- recovery -----------------------
  info          mfc card Info
  isen          mfc card Info Static Encrypted Nonces
  darkside      Darkside attack
  nested        Nested attack
  hardnested    Nested attack for hardened MIFARE Classic cards
  staticnested  Nested attack against static nonce MIFARE Classic cards
  brute         Smart bruteforce to exploit weak key generators
  autopwn       Automatic key recovery tool for MIFARE Classic
  nack          Test for MIFARE NACK bug
  chk           Check keys
  fchk          Check keys fast, targets all keys on card
  decrypt       Decrypt Crypto1 data from sniff or trace
  supercard     Extract info from a `super card`
----------- ----------------------- operations -----------------------
  auth4         ISO14443-4 AES authentication
  acl           Decode and print MIFARE Classic access rights bytes
  dump          Dump MIFARE Classic tag to binary file
  mad           Checks and prints MAD
  personalize   Personalize UID (MIFARE Classic EV1 only)
  rdbl          Read MIFARE Classic block
  rdsc          Read MIFARE Classic sector
  restore       Restore MIFARE Classic binary file to tag
  setmod        Set MIFARE Classic EV1 load modulation strength
  value         Value blocks
  view          Display content from tag dump file
  wipe          Wipe card to zeros and default keys/acc
  wrbl          Write MIFARE Classic block
----------- ----------------------- simulation -----------------------
  sim           Simulate MIFARE card
  ecfill        Fill emulator memory with help of keys from emulator
  eclr          Clear emulator memory
  egetblk       Get emulator memory block
  egetsc        Get emulator memory sector
  ekeyprn       Print keys from emulator memory
  eload         Upload file into emulator memory
  esave         Save emulator memory to file
  esetblk       Set emulator memory block
  eview         View emulator memory
----------- ----------------------- magic gen1 -----------------------
  cgetblk       Read block from card
  cgetsc        Read sector from card
  cload         Load dump to card
  csave         Save dump from card into file or emulator
  csetblk       Write block to card
  csetuid       Set UID on card
  cview         View card
  cwipe         Wipe card to default UID/Sectors/Keys
----------- ----------------------- magic gen3 -----------------------
  gen3uid       Set UID without changing manufacturer block
  gen3blk       Overwrite manufacturer block
  gen3freeze    Perma lock UID changes. irreversible
----------- -------------------- magic gen4 GTU --------------------------
  ginfo         Info about configuration of the card
  ggetblk       Read block from card
  gload         Load dump to card
  gsave         Save dump from card into file or emulator
  gsetblk       Write block to card
  gview         View card
  gchpwd        Change card access password. Warning!
----------- -------------------- magic gen4 GDM --------------------------
  gdmcfg        Read config block from card
  gdmsetcfg     Write config block to card
  gdmparsecfg   Parse config block
  gdmsetblk     Write block to card
----------- ----------------------- ndef -----------------------
  ndefformat    Format MIFARE Classic Tag as NFC Tag
  ndefread      Read and print NDEF records from card
  ndefwrite     Write NDEF records to card
  encodehid     Encode a HID Credential / NDEF record to card
---------------------------------------------------------------------------------------
hf mf list
Alias of `trace list -t mf -c` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`) or it is downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage:
  hf mf list [-h1crux] [--frame] [-f ]
options:
  -h, --help      This help
  -1, --buffer    use data from trace buffer
  --frame         show frame delay times
  -c              mark CRC bytes
  -r              show relative times (gap and duration)
  -u              display times in microseconds instead of clock cycles
  -x              show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file      filename of trace file to load
examples/notes:
  hf mf list --frame    -> show frame delay times
  hf mf list -1         -> use trace buffer
---------------------------------------------------------------------------------------
hf mf info
Information and check vulnerabilities in a MIFARE Classic card
For some cards you need to specify a key (and/or specific keys) on the command line in order to extract information
usage:
  hf mf info [-habnv] [--blk ] [-k ]
options:
  -h, --help      This help
  --blk           block number
  -a              input key type is key A (def)
  -b              input key type is key B
  -k, --key       key, 6 hex bytes
  -n, --nack      do nack test
  -v, --verbose   verbose output
examples/notes:
  hf mf info
  hf mf info -k FFFFFFFFFFFF -n -v
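The `acl` entry in the `hf mf` command list above decodes the three access-condition bytes of a sector trailer (bytes 6, 7 and 8 of the trailer block). The following is an added example, not code from the Proxmark3 project, that performs the same decode in Python using the MIFARE Classic datasheet layout and also does the reverse, building the three bytes from per-block C1/C2/C3 conditions. The consistency check is the part worth having before any `hf mf wrbl` or `hf mf esetblk` on a trailer: the card stores each condition bit together with its inverse, and a trailer whose two halves disagree leaves the whole sector inaccessible. The function names and the two sample trailers (FF0780, the transport configuration, and 787788) are this example's own.

```python
"""Decode / encode MIFARE Classic sector-trailer access bytes.

Added example, not Proxmark3 code. Trailer bytes 6..8 hold C1/C2/C3 for
blocks 0..3 (bit i of each nibble belongs to block i), each stored with its
inverse so the card can detect a corrupt trailer:

  byte 6 = ~C2[3..0] << 4 | ~C1[3..0]
  byte 7 =  C1[3..0] << 4 | ~C3[3..0]
  byte 8 =  C3[3..0] << 4 |  C2[3..0]
"""

# (C1, C2, C3) -> rights for data blocks 0..2 (MIFARE Classic datasheet table)
DATA_BLOCK_RIGHTS = {
    (0, 0, 0): "read A|B  write A|B  inc A|B  dec/transfer/restore A|B",
    (0, 1, 0): "read A|B  write never  inc never  dec never",
    (1, 0, 0): "read A|B  write B  inc never  dec never",
    (1, 1, 0): "read A|B  write B  inc B  dec/transfer/restore A|B",
    (0, 0, 1): "read A|B  write never  inc never  dec/transfer/restore A|B",
    (0, 1, 1): "read B  write B  inc never  dec never",
    (1, 0, 1): "read B  write never  inc never  dec never",
    (1, 1, 1): "read never  write never  inc never  dec never",
}

# (C1, C2, C3) -> rights for the trailer itself (block 3): key A, access bits, key B
TRAILER_RIGHTS = {
    (0, 0, 0): "keyA: read never write A | acc: read A write never | keyB: read A write A",
    (0, 1, 0): "keyA: read never write never | acc: read A write never | keyB: read A write never",
    (1, 0, 0): "keyA: read never write B | acc: read A|B write never | keyB: read never write B",
    (1, 1, 0): "keyA: read never write never | acc: read A|B write never | keyB: read never write never",
    (0, 0, 1): "keyA: read never write A | acc: read A write A | keyB: read A write A",
    (0, 1, 1): "keyA: read never write B | acc: read A|B write B | keyB: read never write B",
    (1, 0, 1): "keyA: read never write never | acc: read A|B write B | keyB: read never write never",
    (1, 1, 1): "keyA: read never write never | acc: read A|B write never | keyB: read never write never",
}


def access_bits(acc: bytes) -> list[tuple[int, int, int]]:
    """Return [(C1, C2, C3) for blocks 0..3]; raise if the inverted copies disagree."""
    if len(acc) != 3:
        raise ValueError("access bytes are trailer bytes 6..8 (3 bytes)")
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if (b6 >> 4) != (~c2 & 0x0F) or (b6 & 0x0F) != (~c1 & 0x0F) or (b7 & 0x0F) != (~c3 & 0x0F):
        raise ValueError("inverted access bits do not match: writing this trailer would lock the sector")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def describe_access(acc: bytes) -> list[str]:
    """One human-readable line per block, in the spirit of `hf mf acl`."""
    lines = []
    for i, cond in enumerate(access_bits(acc)):
        table = TRAILER_RIGHTS if i == 3 else DATA_BLOCK_RIGHTS
        lines.append(f"block {i}: C1C2C3={cond[0]}{cond[1]}{cond[2]}  {table[cond]}")
    return lines


def encode_access_bits(conds: list[tuple[int, int, int]]) -> bytes:
    """Inverse of access_bits(): build bytes 6..8 from four (C1, C2, C3) tuples."""
    if len(conds) != 4 or any(len(c) != 3 or any(b not in (0, 1) for b in c) for c in conds):
        raise ValueError("need four (C1, C2, C3) tuples of 0/1, one per block")
    c1 = sum(c[0] << i for i, c in enumerate(conds))
    c2 = sum(c[1] << i for i, c in enumerate(conds))
    c3 = sum(c[2] << i for i, c in enumerate(conds))
    return bytes([((~c2 & 0x0F) << 4) | (~c1 & 0x0F),   # byte 6
                  (c1 << 4) | (~c3 & 0x0F),              # byte 7
                  (c3 << 4) | c2])                       # byte 8


if __name__ == "__main__":
    # Constructed sample trailers: transport configuration and a common "write with key B" setup.
    for trailer in ("FF0780", "787788"):
        print(trailer)
        for line in describe_access(bytes.fromhex(trailer)):
            print("  " + line)
```

Run `encode_access_bits` on the conditions you intend, then `access_bits` on the result, before pasting the bytes into a `hf mf wrbl` data argument; the round trip proves the inverse nibbles are consistent, which is the one mistake the card does not forgive.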
---------------------------------------------------------------------------------------
hf mf isen
Information about Static Encrypted Nonce properties in a MIFARE Classic card
usage:
  hf mf isen [-hab] [--blk ] [-c ] [-k ] [--blk2 ] [--a2] [--b2] [--c2 ] [--key2 ] [-n ] [--reset] [--hardreset] [--addread] [--addauth] [--incblk2] [--corruptnrar] [--corruptnrarparity]
  FM11RF08S specific options: [--collect_fm11rf08s] [--collect_fm11rf08s_with_data] [--collect_fm11rf08s_without_backdoor] [-f ]
options:
  -h, --help            This help
  --blk                 block number
  -a                    input key type is key A (def)
  -b                    input key type is key B
  -c                    input key type is key A + offset
  -k, --key             key, 6 hex bytes
  --blk2                nested block number (default=same)
  --a2                  nested input key type is key A (default=same)
  --b2                  nested input key type is key B (default=same)
  --c2                  nested input key type is key A + offset
  --key2                nested key, 6 hex bytes (default=same)
  -n                    number of nonces (default=2)
  --reset               reset between attempts, even if auth was successful
  --hardreset           hard reset (RF off/on) between attempts, even if auth was successful
  --addread             auth(blk)-read(blk)-auth(blk2)
  --addauth             auth(blk)-auth(blk)-auth(blk2)
  --incblk2             auth(blk)-auth(blk2)-auth(blk2+4)-...
  --corruptnrar         corrupt {nR}{aR}, but with correct parity
  --corruptnrarparity   correct {nR}{aR}, but with corrupted parity
FM11RF08S specific options: Incompatible with above options, except -k; output in JSON
  --collect_fm11rf08s                    collect all nT/{nT}/par_err.
  --collect_fm11rf08s_with_data          collect all nT/{nT}/par_err and data blocks.
  --collect_fm11rf08s_without_backdoor   collect all nT/{nT}/par_err without backdoor. Requires first auth keytype and block
  -f, --file            Specify a filename for collected data
examples/notes:
  hf mf isen
  Default behavior: auth(blk)-auth(blk2)-auth(blk2)-...
  Default behavior when wrong key2: auth(blk)-auth(blk2) auth(blk)-auth(blk2) ...
---------------------------------------------------------------------------------------
hf mf darkside
Darkside attack
usage:
  hf mf darkside [-hb] [--blk ] [-c ]
options:
  -h, --help      This help
  --blk           Target block
  -b              Target key B instead of default key A
  -c              Target key type is key A + offset
examples/notes:
  hf mf darkside
  hf mf darkside --blk 16
  hf mf darkside --blk 16 -b
---------------------------------------------------------------------------------------
hf mf nested
Execute Nested attack against MIFARE Classic card for key recovery
usage:
  hf mf nested [-habi] [-k ] [--mini] [--1k] [--2k] [--4k] [--blk ] [-c ] [--tblk ] [--ta] [--tb] [--tc ] [--emu] [--dump] [--mem]
options:
  -h, --help      This help
  -k, --key       Key specified as 12 hex symbols
  --mini          MIFARE Classic Mini / S20
  --1k            MIFARE Classic 1k / S50
  --2k            MIFARE Classic/Plus 2k
  --4k            MIFARE Classic 4k / S70
  --blk           Input block number
  -a              Input key specified is A key (default)
  -b              Input key specified is B key
  -c              input key type is key A + offset
  --tblk          Target block number
  --ta            Target A key (default)
  --tb            Target B key
  --tc            Nested input key type is key A + offset (you must specify a single block as well!)
  --emu           Fill simulator keys from found keys
  --dump          Dump found keys to file
  --mem           Use dictionary from flashmemory
  -i              Ignore static encrypted nonces
examples/notes:
  hf mf nested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta   -> Use block 0 Key A to find block 4 Key A (single sector key recovery)
  hf mf nested --mini --blk 0 -a -k FFFFFFFFFFFF         -> Key recovery against MIFARE Mini
  hf mf nested --1k --blk 0 -a -k FFFFFFFFFFFF           -> Key recovery against MIFARE Classic 1k
  hf mf nested --2k --blk 0 -a -k FFFFFFFFFFFF           -> Key recovery against MIFARE 2k
  hf mf nested --4k --blk 0 -a -k FFFFFFFFFFFF           -> Key recovery against MIFARE 4k
---------------------------------------------------------------------------------------
hf mf hardnested
Nested attack for hardened MIFARE Classic cards.
if card is EV1, command can detect and use known key, see example below
`--i` sets the type of SIMD instructions. Without this flag the program autodetects it.
or
  hf mf hardnested -r --tk [known target key]
Add the known target key to check if it is present in the remaining key space
  hf mf hardnested --blk 0 -a -k A0A1A2A3A4A5 --tblk 4 --ta --tk FFFFFFFFFFFF
usage:
  hf mf hardnested [-habrstw] [-k ] [--blk ] [--tblk ] [--ta] [--tb] [--tk ] [-u ] [-f ] [--in] [--im] [--is] [--ia] [--i2] [--i5]
options:
  -h, --help      This help
  -k, --key       Key, 12 hex symbols
  --blk           Input block number
  -a              Input key A (def)
  -b              Input key B
  --tblk          Target block number
  --ta            Target key A
  --tb            Target key B
  --tk            Target key, 12 hex symbols
  -u, --uid       R/W `hf-mf--nonces.bin` instead of default name
  -f, --file      R/W instead of default name
  -r, --read      Read `hf-mf--nonces.bin` if tag present, otherwise `nonces.bin`, and start attack
  -s, --slow      Slower acquisition (required by some non standard cards)
  -t, --tests     Run tests
  -w, --wr        Acquire nonces and UID, and write them to file `hf-mf--nonces.bin`
  --in            None (use CPU regular instruction set)
  --im            MMX
  --is            SSE2
  --ia            AVX
  --i2            AVX2
  --i5            AVX512
examples/notes:
  hf mf hardnested --tblk 4 --ta                                        -> works for MFC EV1
  hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta
  hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -w
  hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -f nonces.bin -w -s
  hf mf hardnested -r
  hf mf hardnested -r --tk a0a1a2a3a4a5
  hf mf hardnested -t --tk a0a1a2a3a4a5
  hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 4 --ta --tk FFFFFFFFFFFF
---------------------------------------------------------------------------------------
hf mf staticnested
Execute static nested attack against MIFARE Classic card with static nonce for key recovery.
Supply a known key from one block to recover all keys
usage:
  hf mf staticnested [-habe] [-k ] [--mini] [--1k] [--2k] [--4k] [--blk ] [--dumpkeys]
options:
  -h, --help      This help
  -k, --key       Known key (12 hex symbols)
  --mini          MIFARE Classic Mini / S20
  --1k            MIFARE Classic 1k / S50
  --2k            MIFARE Classic/Plus 2k
  --4k            MIFARE Classic 4k / S70
  --blk           Input block number
  -a              Input key specified is keyA (def)
  -b              Input key specified is keyB
  -e, --emukeys   Fill simulator keys from found keys
  --dumpkeys      Dump found keys to file
examples/notes:
  hf mf staticnested --mini --blk 0 -a -k FFFFFFFFFFFF
  hf mf staticnested --1k --blk 0 -a -k FFFFFFFFFFFF
  hf mf staticnested --2k --blk 0 -a -k FFFFFFFFFFFF
  hf mf staticnested --4k --blk 0 -a -k FFFFFFFFFFFF
---------------------------------------------------------------------------------------
hf mf brute
This is a smart bruteforce, exploiting common patterns, bugs and bad designs in key generators.
usage:
  hf mf brute [-h] [--mini] [--1k] [--2k] [--4k] [--emu] [--dump]
options:
  -h, --help      This help
  --mini          MIFARE Classic Mini / S20
  --1k            MIFARE Classic 1k / S50 (default)
  --2k            MIFARE Classic/Plus 2k
  --4k            MIFARE Classic 4k / S70
  --emu           Fill simulator keys from found keys
  --dump          Dump found keys to binary file
examples/notes:
  hf mf brute --mini           -> Key recovery against MIFARE Mini
  hf mf brute --1k             -> Key recovery against MIFARE Classic 1k
  hf mf brute --2k             -> Key recovery against MIFARE 2k
  hf mf brute --4k             -> Key recovery against MIFARE 4k
  hf mf brute --1k --emu       -> Target 1K, write keys to emulator memory
  hf mf brute --1k --dump      -> Target 1K, write keys to file
---------------------------------------------------------------------------------------
hf mf autopwn
This command automates the key recovery process on MIFARE Classic cards.
It uses fchk, chk, darkside, nested, hardnested and staticnested to recover keys.
If all keys are found, it tries to dump the card content both to file and to emulator memory.
Default file name template is `hf-mf--.`; using a suffix, the template becomes `hf-mf---.`
usage:
    hf mf autopwn [-hablv] [-k ]... [-s ] [-f ] [--suffix ] [--slow] [--ns] [--mini] [--1k] [--2k] [--4k] [--in] [--im] [--is] [--ia] [--i2] [--i5]
options:
    -h, --help  This help
    -k, --key  Known key, 12 hex bytes
    -s, --sector  Input sector number
    -a  Input key A (def)
    -b  Input key B
    -f, --file  filename of dictionary
    --suffix  Add this suffix to generated files
    --slow  Slower acquisition (required by some non standard cards)
    -l, --legacy  legacy mode (use the slow `hf mf chk`)
    -v, --verbose  verbose output
    --ns  No save to file
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (default)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --in  None (use CPU regular instruction set)
    --im  MMX
    --is  SSE2
    --ia  AVX
    --i2  AVX2
    --i5  AVX512
examples/notes:
    hf mf autopwn
    hf mf autopwn -s 0 -a -k FFFFFFFFFFFF  -> target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'
    hf mf autopwn --1k -f mfc_default_keys  -> target MFC 1K card, default dictionary
    hf mf autopwn --1k -s 0 -a -k FFFFFFFFFFFF -f mfc_default_keys  -> combo of the two above samples
    hf mf autopwn --1k -s 0 -a -k FFFFFFFFFFFF -k a0a1a2a3a4a5  -> multiple user supplied keys
---------------------------------------------------------------------------------------
hf mf nack
Test a MIFARE Classic based card for the NACK bug
usage:
    hf mf nack [-hv]
options:
    -h, --help  This help
    -v, --verbose  verbose output
examples/notes:
    hf mf nack
---------------------------------------------------------------------------------------
hf mf chk
Check keys on MIFARE Classic card
usage:
    hf mf chk [-hab*] [-k ]...
    [--tblk ] [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [-f ] [--no-default]
options:
    -h, --help  This help
    -k, --key  Key specified as 12 hex symbols
    --tblk  Target block number
    -a  Target Key A
    -b  Target Key B
    -*, --all  Target both key A & B (default)
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (default)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --emu  Fill simulator keys from found keys
    --dump  Dump found keys to binary file
    -f, --file  Filename of dictionary
    --no-default  Skip check default keys
examples/notes:
    hf mf chk --mini -k FFFFFFFFFFFF  -> Check all sectors, all keys against MIFARE Mini
    hf mf chk --1k -k FFFFFFFFFFFF  -> Check all sectors, all keys against MIFARE Classic 1k
    hf mf chk --2k -k FFFFFFFFFFFF  -> Check all sectors, all keys against MIFARE 2k
    hf mf chk --4k -k FFFFFFFFFFFF  -> Check all sectors, all keys against MIFARE 4k
    hf mf chk --1k --emu  -> Check all sectors, all keys, 1K, and write to emulator memory
    hf mf chk --1k --dump  -> Check all sectors, all keys, 1K, and write to file
    hf mf chk -a --tblk 0 -f mfc_default_keys.dic  -> Check dictionary against block 0, key A
---------------------------------------------------------------------------------------
hf mf fchk
This is an improved checkkeys method, speedwise.
It checks MIFARE Classic tags' sector keys against a dictionary file with keys
usage:
    hf mf fchk [-hab] [-k ]...
    [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [--mem] [-f ] [--blk ] [--no-default]
options:
    -h, --help  This help
    -k, --key  Key specified as 12 hex symbols
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (default)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --emu  Fill simulator keys from found keys
    --dump  Dump found keys to binary file
    --mem  Use dictionary from flashmemory
    -f, --file  filename of dictionary
    --blk  block number (single block recovery mode)
    -a  single block recovery key A
    -b  single block recovery key B
    --no-default  Skip check default keys
examples/notes:
    hf mf fchk --mini -k FFFFFFFFFFFF  -> Key recovery against MIFARE Mini
    hf mf fchk --1k -k FFFFFFFFFFFF  -> Key recovery against MIFARE Classic 1k
    hf mf fchk --2k -k FFFFFFFFFFFF  -> Key recovery against MIFARE 2k
    hf mf fchk --4k -k FFFFFFFFFFFF  -> Key recovery against MIFARE 4k
    hf mf fchk --1k -f mfc_default_keys.dic  -> Target 1K using default dictionary file
    hf mf fchk --1k --emu  -> Target 1K, write keys to emulator memory
    hf mf fchk --1k --dump  -> Target 1K, write keys to file
    hf mf fchk --1k --mem  -> Target 1K, use dictionary from flash memory
---------------------------------------------------------------------------------------
hf mf decrypt
Decrypt Crypto-1 encrypted bytes given some known state of crypto.
See tracelog to gather needed values
usage:
    hf mf decrypt [-h] --nt --ar --at -d
options:
    -h, --help  This help
    --nt  tag nonce
    --ar  ar_enc, encrypted reader response
    --at  at_enc, encrypted tag response
    -d, --data  encrypted data, taken directly after at_enc and forward
examples/notes:
    hf mf decrypt --nt b830049b --ar 9248314a --at 9280e203 -d 41e586f9
    -> 41e586f9 becomes 3003999a
    -> which annotates 30 03 [99 9a] read block 3 [crc]
---------------------------------------------------------------------------------------
hf mf supercard
Extract info from a `super card`
usage:
    hf mf supercard [-hr] [-u ] [--furui]
options:
    -h, --help  This help
    -r, --reset  Reset card
    -u, --uid  New UID (4 hex bytes)
    --furui  Furui detection card
examples/notes:
    hf mf supercard  -> recover key
    hf mf supercard -r  -> reset card
    hf mf supercard -u 11223344  -> change UID
---------------------------------------------------------------------------------------
hf mf auth4
Executes AES authentication command in ISO14443-4
usage:
    hf mf auth4 [-h] -n -k
options:
    -h, --help  This help
    -n  key num, 2 hex bytes
    -k, --key  key, 16 hex bytes
examples/notes:
    hf mf auth4 -n 4000 -k 000102030405060708090a0b0c0d0e0f  -> executes authentication
    hf mf auth4 -n 9003 -k FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF  -> executes authentication
---------------------------------------------------------------------------------------
hf mf acl
Print decoded MIFARE access rights (ACL)
A = key A
B = key B
AB = both key A and B
ACCESS = access bytes inside sector trailer block
Increment, decrement, transfer, restore are for value blocks
usage:
    hf mf acl [-h] -d
options:
    -h, --help  This help
    -d, --data  ACL bytes specified as 3 hex bytes
examples/notes:
    hf mf acl
    hf mf acl -d FF0780
---------------------------------------------------------------------------------------
hf mf dump
Dump MIFARE Classic tag to file (bin/json)
If no filename is given, UID will be used as filename
usage:
    hf mf dump [-hv] [-f ] [-k ] [--mini] [--1k] [--2k] [--4k] [--ns]
options:
    -h, --help  This help
    -f, --file  Specify a filename for dump file
    -k, --keys  filename of keys
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --ns  no save to file
    -v, --verbose  verbose output
examples/notes:
    hf mf dump --mini  -> MIFARE Mini
    hf mf dump --1k  -> MIFARE Classic 1k
    hf mf dump --2k  -> MIFARE 2k
    hf mf dump --4k  -> MIFARE 4k
    hf mf dump --keys hf-mf-066C8B78-key.bin  -> MIFARE 1k with keys from specified file
---------------------------------------------------------------------------------------
hf mf mad
Checks and prints MIFARE Application Directory (MAD)
usage:
    hf mf mad [-hvb] [--aid ] [-k ] [--be] [--dch] [-f ] [--force]
options:
    -h, --help  This help
    -v, --verbose  verbose output
    --aid  print all sectors with specified aid
    -k, --key  key for printing sectors
    -b, --keyb  use key B for access printing sectors (by default: key A)
    --be  (optional, BigEndian)
    --dch  decode Card Holder information
    -f, --file  load dump file and decode MAD
    --force  force decode (skip key check)
examples/notes:
    hf mf mad  -> shows MAD if exists
    hf mf mad --aid e103 -k ffffffffffff -b  -> shows NDEF data if exists. read card with custom key and key B
    hf mf mad --dch -k ffffffffffff  -> decode CardHolder information
---------------------------------------------------------------------------------------
hf mf personalize
Personalize the UID of a MIFARE Classic EV1 card. This is only possible if it is a 7Byte UID card and if it is not already personalized.
usage:
    hf mf personalize [-hab] [-k ] [--f0] [--f1] [--f2] [--f3]
options:
    -h, --help  This help
    -a  use key A to authenticate sector 0 (def)
    -b  use key B to authenticate sector 0
    -k, --key  key (def FFFFFFFFFFFF)
    --f0  UIDF0, double size UID
    --f1  UIDF1, double size UID, optional usage of selection process shortcut
    --f2  UIDF2, single size random ID
    --f3  UIDF3, single size NUID
examples/notes:
    hf mf personalize --f0  -> double size UID
    hf mf personalize --f1  -> double size UID, optional usage of selection process shortcut
    hf mf personalize --f2  -> single size random ID
    hf mf personalize --f3  -> single size NUID
    hf mf personalize -b -k B0B1B2B3B4B5 --f3  -> use key B = 0xB0B1B2B3B4B5
---------------------------------------------------------------------------------------
hf mf rdbl
Read MIFARE Classic block
usage:
    hf mf rdbl [-habv] --blk [-c ] [-k ]
options:
    -h, --help  This help
    --blk  block number
    -a  input key type is key A (def)
    -b  input key type is key B
    -c  input key type is key A + offset
    -k, --key  key, 6 hex bytes
    -v, --verbose  verbose output
examples/notes:
    hf mf rdbl --blk 0
    hf mf rdbl --blk 0 -k A0A1A2A3A4A5
    hf mf rdbl --blk 3 -v  -> get block 3, decode sector trailer
---------------------------------------------------------------------------------------
hf mf rdsc
Read MIFARE Classic sector
usage:
    hf mf rdsc [-habv] [-c ] [-k ] -s
options:
    -h, --help  This help
    -a  input key specified is A key (def)
    -b  input key specified is B key
    -c  input key type is key A + offset
    -k, --key  key specified as 6 hex bytes
    -s, --sec  sector number
    -v, --verbose  verbose output
examples/notes:
    hf mf rdsc -s 0
    hf mf rdsc -s 0 -k A0A1A2A3A4A5
---------------------------------------------------------------------------------------
hf mf restore
Restore MIFARE Classic dump file to tag.
The key file and dump file will program the card sector trailers.
By default we authenticate to card with key 0xFFFFFFFFFFFF.
If access rights in dump file are all zeros, they will be replaced with default values
`--uid` param is used for filename templates `hf-mf--dump.bin` and `hf-mf--key.bin`. If not specified, it will read the card uid instead.
`--ka` param indicates that the key file should be used for authentication instead. If so, we also try both B/A keys
`--force` param is used to override warnings and allow bad ACL block writes. If not specified, it will skip blocks with bad ACL.
usage:
    hf mf restore [-h] [--mini] [--1k] [--2k] [--4k] [-u ] [-f ] [-k ] [--ka] [--force]
options:
    -h, --help  This help
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    -u, --uid  uid, (4|7|10 hex bytes)
    -f, --file  specify a filename for dump file
    -k, --kfn  key filename
    --ka  use specified keyfile to authenticate
    --force  override warnings
examples/notes:
    hf mf restore
    hf mf restore --1k --uid 04010203
    hf mf restore --1k --uid 04010203 -k hf-mf-AABBCCDD-key.bin
    hf mf restore --4k
---------------------------------------------------------------------------------------
hf mf setmod
Sets the load modulation strength of a MIFARE Classic EV1 card
usage:
    hf mf setmod [-h01] [-k ]
options:
    -h, --help  This help
    -0  normal modulation
    -1  strong modulation (def)
    -k, --key  key A, Sector 0, 6 hex bytes
examples/notes:
    hf mf setmod -k ffffffffffff -0
---------------------------------------------------------------------------------------
hf mf value
MIFARE Classic value data commands
usage:
    hf mf value [-hab] [-k ] [--inc ] [--dec ] [--set ] [--transfer ] [--tkey ] [--ta] [--tb] [--get] [--res] [--blk ] [-d ]
options:
    -h, --help  This help
    -k, --key  key, 6 hex bytes
    -a  input key type is key A (def)
    -b  input key type is key B
    --inc  Increment value by X (0 - 2147483647)
    --dec  Decrement value by X (0 - 2147483647)
    --set  Set value to X (-2147483647 - 2147483647)
    --transfer  Transfer value to other block (after inc/dec/restore)
    --tkey  transfer key, 6 hex bytes (if transfer is performed to other sector)
    --ta  transfer key type is key A (def)
    --tb  transfer key type is key B
    --get  Get value from block
    --res  Restore (copy value to card buffer, should be used with --transfer)
    --blk  block number
    -d, --data  block data to extract values from (16 hex bytes)
examples/notes:
    hf mf value --blk 16 -k FFFFFFFFFFFF --set 1000
    hf mf value --blk 16 -k FFFFFFFFFFFF --inc 10
    hf mf value --blk 16 -k FFFFFFFFFFFF -b --dec 10
    hf mf value --blk 16 -k FFFFFFFFFFFF -b --get
    hf mf value --blk 16 -k FFFFFFFFFFFF --res --transfer 30 --tk FFFFFFFFFFFF  -> transfer block 16 value to block 30 (even if block can't be incremented by ACL)
    hf mf value --get -d 87D612007829EDFF87D6120011EE11EE
---------------------------------------------------------------------------------------
hf mf view
Print a MIFARE Classic dump file (bin/eml/json)
usage:
    hf mf view [-hv] -f [--sk]
options:
    -h, --help  This help
    -f, --file  Specify a filename for dump file
    -v, --verbose  verbose output
    --sk  Save extracted keys to binary file
examples/notes:
    hf mf view -f hf-mf-01020304-dump.bin
---------------------------------------------------------------------------------------
hf mf wipe
Wipe card to zeros and default keys/acc. This command takes a key file to wipe card
Will use UID from card to generate keyfile name if not specified.
New A/B keys..... FF FF FF FF FF FF
New acc rights... FF 07 80
New GPB.......... 69
usage:
    hf mf wipe [-h] [-f ] [--gen2]
options:
    -h, --help  This help
    -f, --file  key filename
    --gen2  force write to Sector 0, block 0 (GEN2)
examples/notes:
    hf mf wipe  -> reads card uid to generate file name
    hf mf wipe --gen2  -> force write to S0, B0 manufacture block
    hf mf wipe -f mykey.bin  -> use mykey.bin
---------------------------------------------------------------------------------------
hf mf wrbl
Write MIFARE Classic block with 16 hex bytes of data
Sector 0 / Block 0 - Manufacturer block
When writing to block 0 you must use VALID block 0 data (UID, BCC, SAK, ATQA)
Writing an invalid block 0 means rendering your Magic GEN2 card undetectable.
Look in the magic_cards_notes.md file for help to resolve it.
`--force` param is used to override warnings like bad ACL and BLOCK 0 writes. If not specified, it will exit if detected
usage:
    hf mf wrbl [-hab] --blk [-c ] [--force] [-k ] [-d ]
options:
    -h, --help  This help
    --blk  block number
    -a  input key type is key A (def)
    -b  input key type is key B
    -c  input key type is key A + offset
    --force  override warnings
    -k, --key  key, 6 hex bytes
    -d, --data  bytes to write, 16 hex bytes
examples/notes:
    hf mf wrbl --blk 1 -d 000102030405060708090a0b0c0d0e0f
    hf mf wrbl --blk 1 -k A0A1A2A3A4A5 -d 000102030405060708090a0b0c0d0e0f
---------------------------------------------------------------------------------------
hf mf sim
Simulate MIFARE Classic family type based upon ISO/IEC 14443 type A tag with 4, 7 or 10 byte UID from emulator memory.
See `hf mf eload` first.
The UID from emulator memory will be used if not specified.
usage:
    hf mf sim [-hixyev] [-u ] [--mini] [--1k] [--2k] [--4k] [--atqa ] [--sak ] [-n ] [--allowkeyb] [--cve]
options:
    -h, --help  This help
    -u, --uid  <4|7|10> hex bytes UID
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --atqa  Provide explicit ATQA (2 bytes)
    --sak  Provide explicit SAK (1 byte)
    -n, --num  Automatically exit simulation after blocks have been read by reader. 0 = infinite
    -i, --interactive  Console will not be returned until simulation finishes or is aborted
    -x  Performs the 'reader attack', nr/ar attack against a reader.
    -y  Performs the nested 'reader attack'. This requires preloading nt & nt_enc in emulator memory. Implies -x.
    -e, --emukeys  Fill simulator keys from found keys. Requires -x or -y. Implies -i. Simulation will restart automatically.
    --allowkeyb  Allow key B even if readable
    -v, --verbose  Verbose output
    --cve  Trigger CVE 2021_0430
examples/notes:
    hf mf sim --mini  -> MIFARE Mini
    hf mf sim --1k  -> MIFARE Classic 1k (default)
    hf mf sim --1k -u 0a0a0a0a  -> MIFARE Classic 1k with 4b UID
    hf mf sim --1k -u 11223344556677  -> MIFARE Classic 1k with 7b UID
    hf mf sim --1k -u 11223344 -i -x  -> Perform reader attack in interactive mode
    hf mf sim --2k  -> MIFARE 2k
    hf mf sim --4k  -> MIFARE 4k
    hf mf sim --1k -x -e  -> Keep simulation running and populate with found reader keys
---------------------------------------------------------------------------------------
hf mf ecfill
Dump card and transfer the data to emulator memory.
Keys must be in the emulator memory
usage:
    hf mf ecfill [-hab] [-c ] [-k ] [--mini] [--1k] [--2k] [--4k]
options:
    -h, --help  This help
    -a  input key type is key A (def)
    -b  input key type is key B
    -c  input key type is key A + offset
    -k, --key  key, 6 hex bytes, only for option -c
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
examples/notes:
    hf mf ecfill  -> use key type A
    hf mf ecfill --4k -b  -> target 4K card with key type B
---------------------------------------------------------------------------------------
hf mf eclr
It sets card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF
usage:
    hf mf eclr [-h]
options:
    -h, --help  This help
examples/notes:
    hf mf eclr
---------------------------------------------------------------------------------------
hf mf egetblk
Get emulator memory block
usage:
    hf mf egetblk [-hv] -b
options:
    -h, --help  This help
    -b, --blk  block number
    -v, --verbose  verbose output
examples/notes:
    hf mf egetblk --blk 0  -> get block 0 (manufacturer)
    hf mf egetblk --blk 3 -v  -> get block 3, decode sector trailer
---------------------------------------------------------------------------------------
hf mf egetsc
Get emulator memory sector
usage:
    hf mf egetsc [-hv] -s
options:
    -h, --help  This help
    -s, --sec  sector number
    -v, --verbose  verbose output
examples/notes:
    hf mf egetsc -s 0
---------------------------------------------------------------------------------------
hf mf ekeyprn
Download and print the keys from emulator memory
usage:
    hf mf ekeyprn [-hw] [--mini] [--1k] [--2k] [--4k]
options:
    -h, --help  This help
    -w, --write  write keys to binary file `hf-mf--key.bin`
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
examples/notes:
    hf mf ekeyprn --1k  -> print MFC 1K keyset
    hf mf ekeyprn -w  -> write keys to binary file
---------------------------------------------------------------------------------------
hf mf eload
Load emulator memory with data from (bin/eml/json) dump file
usage:
    hf mf eload [-hmv] -f [--mini] [--1k] [--2k] [--4k] [--ul] [-q ]
options:
    -h, --help  This help
    -f, --file  Specify a filename for dump file
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --ul  MIFARE Ultralight family
    -m, --mem  use RDV4 spiffs
    -q, --qty  manually set number of blocks (overrides)
    -v, --verbose  verbose output
examples/notes:
    hf mf eload -f hf-mf-01020304.bin
    hf mf eload --4k -f hf-mf-01020304.eml
---------------------------------------------------------------------------------------
hf mf esave
Save emulator memory to file (bin/json)
usage:
    hf mf esave [-h] [-f ] [--mini] [--1k] [--2k] [--4k]
options:
    -h, --help  This help
    -f, --file  Specify a filename for dump file
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
examples/notes:
    hf mf esave
    hf mf esave --4k
    hf mf esave --4k -f hf-mf-01020304.eml
---------------------------------------------------------------------------------------
hf mf esetblk
Set emulator memory block
usage:
    hf mf esetblk [-h] -b [-d ]
options:
    -h, --help  This help
    -b, --blk  block number
    -d, --data  bytes to write, 16 hex bytes
examples/notes:
    hf mf esetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f
---------------------------------------------------------------------------------------
hf mf eview
It displays emulator memory
usage:
    hf mf eview [-hv] [--mini] [--1k] [--2k] [--4k] [--sk]
options:
    -h, --help  This help
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    -v, --verbose  verbose output
    --sk  Save extracted keys to binary file
examples/notes:
    hf mf eview
    hf mf eview --4k
---------------------------------------------------------------------------------------
hf mf cgetblk
Get block data from magic Chinese card. Only works with magic gen1a cards
usage:
    hf mf cgetblk [-hv] -b [--gdm]
options:
    -h, --help  This help
    -b, --blk  block number
    -v, --verbose  verbose output
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf cgetblk --blk 0  -> get block 0 (manufacturer)
    hf mf cgetblk --blk 3 -v  -> get block 3, decode sector trailer
---------------------------------------------------------------------------------------
hf mf cgetsc
Get sector data from magic Chinese card. Only works with magic gen1a cards
usage:
    hf mf cgetsc [-hv] -s [--gdm]
options:
    -h, --help  This help
    -s, --sec  sector number
    -v, --verbose  verbose output
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf cgetsc -s 0
---------------------------------------------------------------------------------------
hf mf cload
Load magic gen1a card with data from (bin/eml/json) dump file or from emulator memory.
usage:
    hf mf cload [-h] [-f ] [--mini] [--1k] [--1k+] [--2k] [--4k] [--emu] [--gdm]
options:
    -h, --help  This help
    -f, --file  Specify a filename for dump file
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --1k+  MIFARE Classic EV1 1k / S50
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --emu  from emulator memory
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf cload --emu
    hf mf cload -f hf-mf-01020304.eml
---------------------------------------------------------------------------------------
hf mf csave
Save magic gen1a card memory to file (bin/json) or into emulator memory
usage:
    hf mf csave [-h] [-f ] [--mini] [--1k] [--2k] [--4k] [--emu] [--gdm]
options:
    -h, --help  This help
    -f, --file  Specify a filename for dump file
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    --emu  to emulator memory
    --gdm  to emulator memory
examples/notes:
    hf mf csave
    hf mf csave --4k
---------------------------------------------------------------------------------------
hf mf csetblk
Set block data on a magic gen1a card
usage:
    hf mf csetblk [-hw] -b [-d ] [--gdm]
options:
    -h, --help  This help
    -b, --blk  block number
    -d, --data  bytes to write, 16 hex bytes
    -w, --wipe  wipes card with backdoor cmd before writing
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf csetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f
---------------------------------------------------------------------------------------
hf mf csetuid
Set UID, ATQA, and SAK for magic gen1a card
usage:
    hf mf csetuid [-hw] [-u ] [-a ] [-s ] [--gdm]
options:
    -h, --help  This help
    -w, --wipe  wipes card with backdoor cmd
    -u, --uid  UID, 4/7 hex bytes
    -a, --atqa  ATQA, 2 hex bytes
    -s, --sak  SAK, 1 hex byte
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf csetuid -u 01020304
    hf mf csetuid -w -u 01020304 --atqa 0004 --sak 08
---------------------------------------------------------------------------------------
hf mf cview
View `magic gen1a` card memory
usage:
    hf mf cview [-hv] [--mini] [--1k] [--2k] [--4k] [--gdm]
options:
    -h, --help  This help
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    -v, --verbose  verbose output
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf cview
    hf mf cview --4k
---------------------------------------------------------------------------------------
hf mf cwipe
Wipe gen1 magic Chinese card. Set UID / ATQA / SAK / Data / Keys / Access to default values
usage:
    hf mf cwipe [-h] [-u ] [-a ] [-s ] [--gdm]
options:
    -h, --help  This help
    -u, --uid  UID, 4 hex bytes
    -a, --atqa  ATQA, 2 hex bytes
    -s, --sak  SAK, 1 hex byte
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf cwipe
    hf mf cwipe -u 09080706 -a 0004 -s 18  -> set UID, ATQA and SAK and wipe card
---------------------------------------------------------------------------------------
hf mf gen3uid
Set UID for magic Gen3 card _without_ changes to manufacturer block 0
usage:
    hf mf gen3uid [-h] [-u ]
options:
    -h, --help  This help
    -u, --uid  UID 4/7 hex bytes
examples/notes:
    hf mf gen3uid --uid 01020304  -> set 4 byte uid
    hf mf gen3uid --uid 01020304050607  -> set 7 byte uid
---------------------------------------------------------------------------------------
hf mf gen3blk
Overwrite full manufacturer block for magic Gen3 card
- You can specify part of manufacturer block as 4/7-bytes for UID change only
NOTE: BCC and ATQA will be calculated automatically
SAK will be automatically set to default values if not specified
usage:
    hf mf gen3blk [-h] [-d ]
options:
    -h, --help  This help
    -d, --data  manufacturer block data up to 16 hex bytes
examples/notes:
    hf mf gen3blk  -> print current data
    hf mf gen3blk -d 01020304  -> set 4 byte uid
    hf mf gen3blk -d 01020304050607  -> set 7 byte uid
    hf mf gen3blk -d 01020304FFFFFFFF0102030405060708
---------------------------------------------------------------------------------------
hf mf gen3freeze
Permanently lock further UID changes. No more UID changes are available after the operation completes
Note: operation is ! irreversible !
usage:
    hf mf gen3freeze -y[h]
options:
    -h, --help  This help
    -y, --yes  confirm UID lock operation
examples/notes:
    hf mf gen3freeze -y
---------------------------------------------------------------------------------------
hf mf ginfo
Read info about magic gen4 GTU card.
usage:
    hf mf ginfo [-hv] [-p ] [-d ]
options:
    -h, --help  This help
    -v, --verbose  verbose output
    -p, --pwd  password 4 bytes
    -d, --data  config bytes 32 bytes
examples/notes:
    hf mf ginfo  -> get info with default password 00000000
    hf mf ginfo --pwd 01020304  -> get info with password
    hf mf ginfo -d 00000000000002090978009102BDAC19131011121314151604001800FF0002FD -v  -> decode config block
---------------------------------------------------------------------------------------
hf mf ggetblk
Get block data from magic gen4 GTU card.
usage:
    hf mf ggetblk [-hv] -b [-p ]
options:
    -h, --help  This help
    -b, --blk  block number
    -v, --verbose  verbose output
    -p, --pwd  password 4 bytes
examples/notes:
    hf mf ggetblk --blk 0  -> get block 0 (manufacturer)
    hf mf ggetblk --blk 3 -v  -> get block 3, decode sector trailer
---------------------------------------------------------------------------------------
hf mf gload
Load magic gen4 GTU card with data from (bin/eml/json) dump file or from emulator memory.
usage:
    hf mf gload [-hv] [--mini] [--1k] [--2k] [--4k] [-p ] [-f ] [--emu] [--start ] [--end ]
options:
    -h, --help  This help
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    -p, --pwd  password 4 bytes
    -v, --verbose  verbose output
    -f, --file  Specify a filename for dump file
    --emu  from emulator memory
    --start  index of block to start writing (default 0)
    --end  index of block to end writing (default last block)
examples/notes:
    hf mf gload --emu
    hf mf gload -f hf-mf-01020304.eml
    hf mf gload -p AABBCCDD --4k -v -f hf-mf-01020304-dump.bin
    Card must be configured beforehand with `script run hf_mf_ultimatecard`.
    Blocks are 16 bytes long.
---------------------------------------------------------------------------------------
hf mf gsave
Save `magic gen4 gtu` card memory to file (bin/json) or into emulator memory
usage:
    hf mf gsave [-h] [--mini] [--1k] [--2k] [--4k] [-p ] [-f ] [--emu]
options:
    -h, --help  This help
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    -p, --pwd  password 4 bytes
    -f, --file  Specify a filename for dump file
    --emu  to emulator memory
examples/notes:
    hf mf gsave
    hf mf gsave --4k
    hf mf gsave -p DEADBEEF -f hf-mf-01020304.json
---------------------------------------------------------------------------------------
hf mf gsetblk
Set block data on a magic gen4 GTU card
usage:
    hf mf gsetblk [-h] -b [-d ] [-p ]
options:
    -h, --help  This help
    -b, --blk  block number
    -d, --data  bytes to write, 16 hex bytes
    -p, --pwd  password 4 bytes
examples/notes:
    hf mf gsetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f
---------------------------------------------------------------------------------------
hf mf gview
View `magic gen4 gtu` card memory
usage:
    hf mf gview [-hv] [--mini] [--1k] [--2k] [--4k] [-p ]
options:
    -h, --help  This help
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
    -p, --pwd  password 4 bytes
    -v, --verbose  verbose output
examples/notes:
    hf mf gview
    hf mf gview --4k
---------------------------------------------------------------------------------------
hf mf gchpwd
Change access password for Gen4 GTU card.
WARNING! If you don't KNOW the password - you CAN'T access it!!!
usage:
    hf mf gchpwd [-hv] [-p ] [-n ]
options:
    -h, --help  This help
    -p, --pwd  password 4 bytes
    -n, --newpwd  new password 4 bytes
    -v, --verbose  verbose output
examples/notes:
    hf mf gchpwd --pwd 00000000 --newpwd 01020304
---------------------------------------------------------------------------------------
hf mf gdmcfg
Get configuration data from magic gen4 GDM card.
usage:
    hf mf gdmcfg [-h] [-k ] [--gen1a] [--gdm]
options:
    -h, --help  This help
    -k, --key  key 6 bytes (only for regular wakeup)
    --gen1a  use gen1a (40/43) magic wakeup
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf gdmcfg
---------------------------------------------------------------------------------------
hf mf gdmsetcfg
Set configuration data on a magic gen4 GDM card
usage:
    hf mf gdmsetcfg [-h] -d [-k ] [--gen1a] [--gdm]
options:
    -h, --help  This help
    -d, --data  bytes to write, 16 hex bytes
    -k, --key  key 6 bytes (only for regular wakeup)
    --gen1a  use gen1a (40/43) magic wakeup
    --gdm  use gdm alt (20/23) magic wakeup
examples/notes:
    hf mf gdmsetcfg -d 850000000000000000005A5A00000008
---------------------------------------------------------------------------------------
hf mf gdmparsecfg
Parse configuration data on a magic gen4 GDM card
usage:
    hf mf gdmparsecfg [-h] -d
options:
    -h, --help  This help
    -d, --data  bytes to write, 16 hex bytes
examples/notes:
    hf mf gdmparsecfg -d 850000000000000000005A5A00000008
---------------------------------------------------------------------------------------
hf mf gdmsetblk
Set block data on a magic gen4 GDM card
`--force` param is used to override warnings like bad ACL writes.
If not specified, it will exit if detected
usage:
    hf mf gdmsetblk [-h] --blk [-d ] [-k ] [--force]
options:
    -h, --help  This help
    --blk  block number
    -d, --data  bytes to write, 16 hex bytes
    -k, --key  key, 6 hex bytes
    --force  override warnings
examples/notes:
    hf mf gdmsetblk --blk 1 -d 000102030405060708090a0b0c0d0e0f
---------------------------------------------------------------------------------------
hf mf ndefformat
Format MIFARE Classic Tag as a NFC tag with Data Exchange Format (NDEF)
If no filename is given, UID will be used as filename.
It will try default keys and MAD keys to detect if tag is already formatted in order to write.
If not, it will try finding a key file based on your UID, i.e. if you ran autopwn before
usage:
    hf mf ndefformat [-h] [-k ] [--mini] [--1k] [--2k] [--4k]
options:
    -h, --help  This help
    -k, --keys  filename of keys
    --mini  MIFARE Classic Mini / S20
    --1k  MIFARE Classic 1k / S50 (def)
    --2k  MIFARE Classic/Plus 2k
    --4k  MIFARE Classic 4k / S70
examples/notes:
    hf mf ndefformat
    hf mf ndefformat --1k  -> MIFARE Classic 1k
    hf mf ndefformat --keys hf-mf-01020304-key.bin  -> MIFARE 1k with keys from specified file
---------------------------------------------------------------------------------------
hf mf ndefread
Prints NFC Data Exchange Format (NDEF)
usage:
    hf mf ndefread [-hvb] [--aid ] [-k ] [-f ]
options:
    -h, --help  This help
    -v, --verbose  Verbose output
    --aid  replace default aid for NDEF
    -k, --key  replace default key for NDEF
    -b, --keyb  use key B for access sectors (by default: key A)
    -f, --file  save raw NDEF to file
examples/notes:
    hf mf ndefread  -> shows NDEF parsed data
    hf mf ndefread -vv  -> shows NDEF parsed and raw data
    hf mf ndefread --aid e103 -k ffffffffffff -b  -> shows NDEF data with custom AID, key and with key B
    hf mf ndefread -f myfilename  -> save raw NDEF to file
---------------------------------------------------------------------------------------
hf mf ndefwrite
Write raw NDEF hex bytes to tag.
This commands assumes tag already been NFC/NDEF formatted. usage: hf mf ndefwrite [-hpv] [-d ] [-f ] [--mini] [--1k] [--2k] [--4k] options: -h, --help This help -d raw NDEF hex bytes -f, --file write raw NDEF file to tag -p fix NDEF record headers / terminator block if missing --mini MIFARE Classic Mini / S20 --1k MIFARE Classic 1k / S50 (def) --2k MIFARE Classic/Plus 2k --4k MIFARE Classic 4k / S70 -v, --verbose verbose output examples/notes: hf mf ndefwrite -d 0300FE -> write empty record to tag hf mf ndefwrite -f myfilename hf mf ndefwrite -d 033fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031 --------------------------------------------------------------------------------------- hf mf encodehid Encode binary wiegand to card Use either --bin or --wiegand/--fc/--cn usage: hf mf encodehid [-hv] [--bin ] [--fc ] [--cn ] [-w ] options: -h, --help This help --bin Binary string i.e 0001001001 --fc facility code --cn card number -w, --wiegand see `wiegand list` for available formats -v, --verbose verbose output examples/notes: hf mf encodehid --bin 10001111100000001010100011 -> FC 31 CN 337 (H10301) hf mf encodehid -w H10301 --fc 31 --cn 337 --------------------------------------------------------------------------------------- hf mfp help This help list List MIFARE Plus history ----------- ------------------- operations --------------------- auth Authentication chk Check keys dump Dump MIFARE Plus tag to binary file info Info about MIFARE Plus tag mad Check and print MAD rdbl Read blocks from card rdsc Read sectors from card wrbl Write block to card chkey Change key on card chconf Change config on card ----------- ---------------- personalization ------------------- commitp Configure security layer (SL1/SL3 mode) initp Fill all the card's keys in SL0 mode wrp Write Perso command ----------- ---------------------- ndef ------------------------ ndefformat Format MIFARE Plus Tag as NFC Tag 
ndefread Read and print NDEF records from card ndefwrite Write NDEF records to card --------------------------------------------------------------------------------------- hf mfp list Alias of `trace list -t mfp -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol usage: hf mfp list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf mfp list --frame -> show frame delay times hf mfp list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf mfp auth Executes AES authentication command for MIFARE Plus card usage: hf mfp auth [-hv] --ki --key options: -h, --help This help -v, --verbose Verbose output --ki Key number, 2 hex bytes --key Key, 16 hex bytes examples/notes: hf mfp auth --ki 4000 --key 000102030405060708090a0b0c0d0e0f -> executes authentication hf mfp auth --ki 9003 --key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -v -> executes authentication and shows all the system data --------------------------------------------------------------------------------------- hf mfp chk Checks keys on MIFARE Plus card usage: hf mfp chk [-habv] [-s <0..255>] [-e <0..255>] [-k ] [-d ] [--pattern1b] [--pattern2b] [--startp2b ] [--dump] options: -h, --help This help -a, --keya Check only key A (def: check all keys) -b, --keyb Check only key B (def: check all keys) -s, --startsec <0..255> Start sector number -e, --endsec <0..255> End sector number -k, --key Key for checking (HEX 
16 bytes) -d, --dict Dictionary file with keys --pattern1b Check all 1-byte combinations of key (0000...0000, 0101...0101, 0202...0202, ...) --pattern2b Check all 2-byte combinations of key (0000...0000, 0001...0001, 0002...0002, ...) --startp2b Start key (2-byte HEX) for 2-byte search (use with `--pattern2b`) --dump Dump found keys to JSON file -v, --verbose Verbose output examples/notes: hf mfp chk -k 000102030405060708090a0b0c0d0e0f -> check key on sector 0 as key A and B hf mfp chk -s 2 -a -> check default key list on sector 2, only key A hf mfp chk -d mfp_default_keys -s0 -e6 -> check keys from dictionary against sectors 0-6 hf mfp chk --pattern1b --dump -> check all 1-byte keys pattern and save found keys to file hf mfp chk --pattern2b --startp2b FA00 -> check all 2-byte keys pattern. Start from key FA00FA00...FA00 --------------------------------------------------------------------------------------- hf mfp dump Dump MIFARE Plus tag to file (bin/json) If no given, UID will be used as filename usage: hf mfp dump [-h] [-f ] [-k ] options: -h, --help This help -f, --file Specify a filename for dump file -k, --keys Specify a filename for keys file examples/notes: hf mfp dump hf mfp dump --keys hf-mf-066C8B78-key.bin -> MIFARE Plus with keys from specified file --------------------------------------------------------------------------------------- hf mfp info Get info from MIFARE Plus tags usage: hf mfp info [-h] options: -h, --help This help examples/notes: hf mfp info --------------------------------------------------------------------------------------- hf mfp mad Checks and prints MIFARE Application Directory (MAD) usage: hf mfp mad [-hvb] [--aid ] [-k ] [--be] [--dch] options: -h, --help This help -v, --verbose Verbose output --aid Print all sectors with aid -k, --key Key for printing sectors -b, --keyb Use key B for access printing sectors (def: key A) --be (optional: BigEndian) --dch Decode Card Holder information examples/notes: hf mfp mad hf mfp mad 
--aid e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> read and print NDEF data from MAD aid --------------------------------------------------------------------------------------- hf mfp rdbl Reads blocks from MIFARE Plus card usage: hf mfp rdbl [-hvbp] [-n ] [--nmc] [--nmr] --blk <0..255> [-k ] options: -h, --help This help -v, --verbose Verbose output -n, --count Blocks count (def: 1) -b, --keyb Use key B (def: keyA) -p, --plain Do not use encrypted communication mode between reader and card --nmc Do not append MAC to command --nmr Do not expect MAC in reply --blk <0..255> Block number -k, --key Key, 16 hex bytes examples/notes: hf mfp rdbl --blk 0 --key 000102030405060708090a0b0c0d0e0f -> executes authentication and read block 0 data hf mfp rdbl --blk 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF --------------------------------------------------------------------------------------- hf mfp rdsc Reads one sector from MIFARE Plus card usage: hf mfp rdsc [-hvbp] [--nmc] [--nmr] -s <0..255> [-k ] options: -h, --help This help -v, --verbose Verbose output -b, --keyb Use key B (def: keyA) -p, --plain Do not use encrypted communication mode between reader and card --nmc Do not append MAC to command --nmr Do not expect MAC in reply -s, --sn <0..255> Sector number -k, --key Key, 16 hex bytes examples/notes: hf mfp rdsc -s 0 --key 000102030405060708090a0b0c0d0e0f -> executes authentication and read sector 0 data hf mfp rdsc -s 1 -v -> executes authentication and shows sector 1 data with default key --------------------------------------------------------------------------------------- hf mfp wrbl Writes one block to MIFARE Plus card usage: hf mfp wrbl [-hvbp] --blk <0..255> [--nmr] -d [-k ] options: -h, --help This help -v, --verbose Verbose output -b, --keyb Use key B (def: keyA) --blk <0..255> Block number -p, --plain Do not use encrypted transmission --nmr Do not expect MAC in response -d, --data Data, 16 hex bytes -k, --key Key, 16 
hex bytes examples/notes: hf mfp wrbl --blk 1 -d ff0000000000000000000000000000ff --key 000102030405060708090a0b0c0d0e0f -> write block 1 data hf mfp wrbl --blk 2 -d ff0000000000000000000000000000ff -v -> write block 2 data with default key 0xFF..0xFF --------------------------------------------------------------------------------------- hf mfp chkey Change the keys on a Mifare Plus tag usage: hf mfp chkey [-hvb] [--nmr] --ki [-k ] -d options: -h, --help This help -v, --verbose Verbose output --nmr Do not expect MAC in response --ki Key Index, 2 hex bytes -k, --key Current sector key, 16 hex bytes -b, --typeb Sector key is key B -d, --data New key, 16 hex bytes examples/notes: This requires the key that can update the key that you are trying to update. hf mfp chkey --ki 401f -d FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF --key A0A1A2A3A4A5A6A7A0A1A2A3A4A5A6A7 -> Change key B for Sector 15 from MAD to default hf mfp chkey --ki 9000 -d 32F9351A1C02B35FF97E0CA943F814F6 --key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> Change card master key to custom from default --------------------------------------------------------------------------------------- hf mfp chconf Change the configuration on a Mifare Plus tag. DANGER! usage: hf mfp chconf [-hv] [--nmr] -c [-k ] [--cck] -d options: -h, --help This help -v, --verbose Verbose output --nmr Do not expect MAC in response -c, --conf Config block number, 0-3 -k, --key Card key, 16 hex bytes --cck Auth as Card Configuration key instead of Card Master Key -d, --data New configuration data, 16 hex bytes examples/notes: This requires Card Master Key (9000) or Card Configuration Key (9001). Configuration block info can be found below. * Block B000 (00; CMK): Max amount of commands without MAC (byte 0), as well as plain mode access (unknown). * Block B001 (01; CCK): Installation identifier for Virtual Card. Please consult NXP for data. * Block B002 (02; CCK): ATS data. 
* Block B003 (03; CCK): Use Random ID in SL3, decide whether proximity check is mandatory. * DO NOT WRITE THIS BLOCK UNDER ANY CIRCUMSTANCES! Risk of bricking. More configuration tips to follow. Check JMY600 Series IC Card Module. hf mfp chconf -c 00 -d 10ffffffffffffffffffffffffffffff --key A0A1A2A3A4A5A6A7A0A1A2A3A4A5A6A7 -> Allow 16 commands without MAC in a single transaction. --------------------------------------------------------------------------------------- hf mfp commitp Executes Commit Perso command. Can be used in SL0 mode only. OBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written. usage: hf mfp commitp [-hv] options: -h, --help This help -v, --verbose Verbose output examples/notes: hf mfp commitp --------------------------------------------------------------------------------------- hf mfp initp Executes Write Perso command for all card's keys. Can be used in SL0 mode only. usage: hf mfp initp [-hv] [-k ] options: -h, --help This help -v, --verbose Verbose output -k, --key Key, 16 hex bytes examples/notes: hf mfp initp --key 000102030405060708090a0b0c0d0e0f -> fill all the keys with key (00..0f) hf mfp initp -vv -> fill all the keys with default key(0xff..0xff) and show all the data exchange --------------------------------------------------------------------------------------- hf mfp wrp Executes Write Perso command. Can be used in SL0 mode only. usage: hf mfp wrp [-hv] -a [-d ] options: -h, --help This help -v, --verbose Verbose output -a, --adr Address, 2 hex bytes -d, --data Data, 16 hex bytes examples/notes: Use this command to program AES keys, as well as personalize other data on the tag. 
You can program: * Address 00 [00-FF]: Memory blocks (as well as ACLs and Crypto1 keys) * Address 40 [00-40]: AES sector keys * Address 90 [00-04]: AES administrative keys * Address A0 [00, 01, 80, 81]: Virtual Card keys * Address B0 [00-03]: Configuration data (DO NOT TOUCH B003) Examples: hf mfp wrp --adr 4000 --data 000102030405060708090a0b0c0d0e0f -> write key (00..0f) to key number 4000 hf mfp wrp --adr 4000 -> write default key(0xff..0xff) to key number 4000 hf mfp wrp --adr b000 -d FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> allow 255 commands without MAC in configuration block (B000) hf mfp wrp --adr 0003 -d 1234561234567F078869B0B1B2B3B4B5 -> write crypto1 keys A: 123456123456 and B: B0B1B2B3B4B5 to block 3 --------------------------------------------------------------------------------------- hf mfp ndefformat format MIFARE Plus Tag as a NFC tag with Data Exchange Format (NDEF) If no given, UID will be used as filename. It will try default keys and MAD keys to detect if tag is already formatted in order to write. If not, it will try finding a key file based on your UID. 
ie, if you ran autopwn before usage: hf mfp ndefformat [-h] [-k ] options: -h, --help This help -k, --keys filename of keys examples/notes: hf mfp ndefformat hf mfp ndefformat --keys hf-mf-01020304-key.bin -> with keys from specified file --------------------------------------------------------------------------------------- hf mfp ndefread Prints NFC Data Exchange Format (NDEF) usage: hf mfp ndefread [-hvb] [--aid ] [-k ] [-f ] options: -h, --help This help -v, --verbose verbose output --aid replace default aid for NDEF -k, --key replace default key for NDEF -b, --keyb use key B for access sectors (by default: key A) -f, --file save raw NDEF to file examples/notes: hf mfp ndefread hf mfp ndefread -vv -> shows NDEF parsed and raw data hf mfp ndefread --aid e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data with custom AID and key hf mfp ndefread -f myfilename -> save raw NDEF to file --------------------------------------------------------------------------------------- hf mfp ndefwrite Write raw NDEF hex bytes to tag. This commands assumes tag already been NFC/NDEF formatted. 
usage: hf mfp ndefwrite [-hpv] [-d ] [-f ] options: -h, --help This help -d raw NDEF hex bytes -f, --file write raw NDEF file to tag -p fix NDEF record headers / terminator block if missing -v, --verbose verbose output examples/notes: hf mfp ndefwrite -d 0300FE -> write empty record to tag hf mfp ndefwrite -f myfilename hf mfp ndefwrite -d 033fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031 --------------------------------------------------------------------------------------- hf mfu help This help list List MIFARE Ultralight / NTAG history ----------- ----------------------- recovery ------------------------- keygen Generate DES/3DES/AES MIFARE diversified keys pwdgen Generate pwd from known algos otptear Tear-off test on OTP bits ----------- ----------------------- operations ----------------------- cauth Ultralight-C - Authentication setpwd Ultralight-C - Set 3DES key dump Dump MIFARE Ultralight family tag to binary file incr Increments Ev1/NTAG counter info Tag information ndefread Prints NDEF records from card rdbl Read block restore Restore a dump file onto a tag tamper NTAG 213TT - Configure the tamper feature view Display content from tag dump file wipe Wipe card to zeros and default key wrbl Write block ----------- ----------------------- simulation ----------------------- eload Upload file into emulator memory esave Save emulator memory to file eview View emulator memory sim Simulate MIFARE Ultralight from emulator memory ----------- ----------------------- magic ---------------------------- setuid Set UID - MAGIC tags only ----------- ----------------------- amiibo ---------------------------- amiibo Amiibo tag operations --------------------------------------------------------------------------------------- hf mfu list Alias of `trace list -t 14a -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded 
from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol usage: hf 14a list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf 14a list --frame -> show frame delay times hf 14a list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf mfu keygen Calculate MFC keys based usage: hf mfu keygen [-hr] [-u ] [-b ] options: -h, --help This help -u, --uid <4|7> hex byte UID -r Read UID from tag -b, --blk Block number examples/notes: hf mfu keygen -r hf mfu keygen --uid 11223344556677 --------------------------------------------------------------------------------------- hf mfu pwdgen Generate different passwords from known pwdgen algos usage: hf mfu pwdgen [-hr] [-u ] [--test] options: -h, --help This help -u, --uid UID (7 hex bytes) -r Read UID from tag --test self test examples/notes: hf mfu pwdgen -r hf mfu pwdgen --uid 11223344556677 hf mfu pwdgen --test --------------------------------------------------------------------------------------- hf mfu otptear Tear-off test against OTP block usage: hf mfu otptear [-h] [-b ] [-i ] [-e ] [-s ] [-d ] [-t ] [-m ] options: -h, --help This help -b, --blk target block (def 8) -i, --inc increase time steps (def 500 us) -e, --end end time (def 3000 us) -s, --start start time (def 0 us) -d, --data initialise data before run (4 bytes) -t, --test test write data (4 bytes, 00000000 by default) -m, --match exit criteria, if block matches this value (4 bytes) examples/notes: hf mfu otptear -b 3 hf mfu otptear -b 3 -i 100 -s 1000 hf mfu otptear -b 3 -i 1 -e 
200 hf mfu otptear -b 3 -i 100 -s 200 -e 2500 -d FFFFFFFF -t EEEEEEEE hf mfu otptear -b 3 -i 100 -s 200 -e 2500 -d FFFFFFFF -t EEEEEEEE -m 00000000 -> quit when OTP is reset --------------------------------------------------------------------------------------- hf mfu cauth Tests 3DES password on Mifare Ultralight-C tag. If password is not specified, a set of known defaults will be tested. usage: hf mfu cauth [-hlk] [--key ] options: -h, --help This help --key Authentication key (UL-C 16 hex bytes) -l Swap entered key's endianness -k Keep field on (only if a password is provided) examples/notes: hf mfu cauth hf mfu cauth --key 000102030405060708090a0b0c0d0e0f --------------------------------------------------------------------------------------- hf mfu setpwd Set the 3DES key on MIFARE Ultralight-C tag. usage: hf mfu setpwd [-h] [-k ] options: -h, --help This help -k, --key New key (16 hex bytes) examples/notes: hf mfu setpwd --key 000102030405060708090a0b0c0d0e0f --------------------------------------------------------------------------------------- hf mfu dump Dump MIFARE Ultralight/NTAG tag to files (bin/json) It autodetects card type.Supports: Ultralight, Ultralight-C, Ultralight EV1 NTAG 203, NTAG 210, NTAG 212, NTAG 213, NTAG 215, NTAG 216 usage: hf mfu dump [-hlz] [-f ] [-k ] [-p ] [-q ] [--ns] options: -h, --help This help -f, --file Specify a filename for dump file -k, --key Key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes) -l Swap entered key's endianness -p, --page Manually set start page number to start from -q, --qty Manually set number of pages to dump --ns no save to file -z, --dense dense dump output style examples/notes: hf mfu dump -f myfile hf mfu dump -k AABBCCDD -> dump whole tag using pwd AABBCCDD hf mfu dump -p 10 -> start at page 10 and dump rest of blocks hf mfu dump -p 10 -q 2 -> start at page 10 and dump two blocks hf mfu dump --key 00112233445566778899AABBCCDDEEFF 
---------------------------------------------------------------------------------------
hf mfu incr

Increment a MIFARE Ultralight Ev1 counter
Will read but not increment counter if NTAG is detected

usage:
    hf mfu incr [-h] -c -v [-p ]

options:
    -h, --help  This help
    -c, --cnt   Counter index from 0
    -v, --val   Value to increment by (0-16777215)
    -p, --pwd   PWD to authenticate with

examples/notes:
    hf mfu incr -c 0 -v 1337
    hf mfu incr -c 2 -v 0 -p FFFFFFFF
---------------------------------------------------------------------------------------
hf mfu info

Get info about MIFARE Ultralight Family styled tag.
Sometimes the tags are locked down, and you may need a key to be able to read the information

usage:
    hf mfu info [-hl] [-k ] [--force]

options:
    -h, --help  This help
    -k, --key   Authentication key (UL-C 16 bytes, EV1/NTAG 4 bytes)
    -l          Swap entered key's endianness
    --force     override `hw dbg` settings

examples/notes:
    hf mfu info
    hf mfu info -k AABBCCDD
    hf mfu info --key 00112233445566778899AABBCCDDEEFF
---------------------------------------------------------------------------------------
hf mfu ndefread

Prints NFC Data Exchange Format (NDEF)

usage:
    hf mfu ndefread [-hlv] [-k ] [-f ]

options:
    -h, --help     This help
    -k, --key      Replace default key for NDEF
    -l             Swap entered key's endianness
    -f, --file     Save raw NDEF to file
    -v, --verbose  Verbose output

examples/notes:
    hf mfu ndefread                -> shows NDEF data
    hf mfu ndefread -k ffffffff    -> shows NDEF data with key
    hf mfu ndefread -f myfilename  -> save raw NDEF to file
---------------------------------------------------------------------------------------
hf mfu rdbl

Read a block and print. It autodetects card type.

usage:
    hf mfu rdbl [-hl] [-k ] -b [--force]

options:
    -h, --help   This help
    -k, --key    Authentication key (UL-C 16 bytes, EV1/NTAG 4 bytes)
    -l           Swap entered key's endianness
    -b, --block  Block number to read
    --force      Force operation even if address is out of range

examples/notes:
    hf mfu rdbl -b 0
    hf mfu rdbl -b 0 -k AABBCCDD
    hf mfu rdbl -b 0 --key 00112233445566778899AABBCCDDEEFF
---------------------------------------------------------------------------------------
hf mfu restore

Restore MIFARE Ultralight/NTAG dump file (bin/eml/json) to tag.

usage:
    hf mfu restore [-hlservz] -f [-k ]

options:
    -h, --help     This help
    -f, --file     Specify a filename for dump file
    -k, --key      key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes)
    -l             swap entered key's endianness
    -s             enable special write UID -MAGIC TAG ONLY-
    -e             enable special write version/signature -MAGIC NTAG 21* ONLY-
    -r             use password found in dumpfile to configure tag. Requires '-e' parameter to work
    -v, --verbose  verbose output
    -z, --dense    dense dump output style

examples/notes:
    hf mfu restore -f myfile -s                -> special write
    hf mfu restore -f myfile -k AABBCCDD -s    -> special write, use key
    hf mfu restore -f myfile -k AABBCCDD -ser  -> special write, use key, write dump pwd, ...
--------------------------------------------------------------------------------------- hf mfu tamper Set the configuration of the NTAG 213TT tamper feature Supports: NTAG 213TT usage: hf mfu tamper [-hed] [-m ] [--lockmessage] options: -h, --help This help -e, --enable Enable the tamper feature -d, --disable Disable the tamper feature -m, --message Set the tamper message (4 bytes) --lockmessage Permanently lock the tamper message and mask it from memory (does not lock tamper feature itself) examples/notes: hf mfu tamper -e -> enable tamper feature hf mfu tamper -d -> disable tamper feature hf mfu tamper -m 0A0A0A0A -> set the tamper message to 0A0A0A0A hf mfu tamper --lockmessage -> permanently lock the tamper message and mask it from memory --------------------------------------------------------------------------------------- hf mfu view Print a MIFARE Ultralight/NTAG dump file (bin/eml/json) usage: hf mfu view [-hvz] -f options: -h, --help This help -f, --file Specify a filename for dump file -v, --verbose Verbose output -z, --dense dense dump output style examples/notes: hf mfu view -f hf-mfu-01020304-dump.bin --------------------------------------------------------------------------------------- hf mfu wipe Wipe card to zeros. It will ignore block0,1,2,3 you will need to call it with password in order to wipe the config and sett default pwd/pack Abort by pressing a key New password.... FFFFFFFF New 3-DES key... 49454D4B41455242214E4143554F5946 usage: hf mfu wipe [-hl] [-k ] options: -h, --help This help -k, --key Key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes) -l Swap entered key's endianness examples/notes: hf mfu wipe hf mfu wipe -k 49454D4B41455242214E4143554F5946 --------------------------------------------------------------------------------------- hf mfu wrbl Write a block. It autodetects card type. 
usage: hf mfu wrbl [-hl] [-k ] -b -d [--force] options: -h, --help This help -k, --key Authentication key (UL-C 16 bytes, EV1/NTAG 4 bytes) -l Swap entered key's endianness -b, --block Block number to write -d, --data Block data (4 or 16 hex bytes, 16 hex bytes will do a compatibility write) --force Force operation even if address is out of range examples/notes: hf mfu wrbl -b 0 -d 01234567 hf mfu wrbl -b 0 -d 01234567 -k AABBCCDD hf mfu wrbl -b 0 -d 01234567 -k 00112233445566778899AABBCCDDEEFF --------------------------------------------------------------------------------------- hf mfu eload Load emulator memory with data from (bin/eml/json) dump file usage: hf mfu eload [-hv] -f [-q ] options: -h, --help This help -f, --file Specify a filename for dump file -q, --qty Number of blocks to load from eml file -v, --verbose verbose output examples/notes: hf mfu eload -f hf-mfu-04010203040506.bin hf mfu eload -f hf-mfu-04010203040506.bin -q 57 -> load 57 blocks from myfile --------------------------------------------------------------------------------------- hf mfu esave Saves emulator memory to a MIFARE Ultralight/NTAG dump file (bin/json) By default number of pages saved depends on defined tag type. You can override this with option --end. usage: hf mfu esave [-h] [-e ] [-f ] options: -h, --help This help -e, --end index of last block -f, --file Specify a filename for dump file examples/notes: hf mfu esave hf mfu esave --end 255 -> saves whole memory hf mfu esave -f hf-mfu-04010203040506-dump --------------------------------------------------------------------------------------- hf mfu eview Displays emulator memory By default number of pages shown depends on defined tag type. You can override this with option --end. 
usage: hf mfu eview [-hz] [-e ] options: -h, --help This help -e, --end index of last block -z, --dense dense dump output style examples/notes: hf mfu eview hf mfu eview --end 255 -> dumps whole memory --------------------------------------------------------------------------------------- hf mfu sim Simulate MIFARE Ultralight family type based upon ISO/IEC 14443 type A tag with 4,7 or 10 byte UID from emulator memory. See `hf mfu eload` first. The UID from emulator memory will be used if not specified. See `hf 14a sim -h` to see available types. You want 2 or 7 usually. usage: hf mfu sim [-hv] -t <1..12> [-u ] [-n ] options: -h, --help This help -t, --type <1..12> Simulation type to use -u, --uid <4|7|10> hex bytes UID -n, --num Exit simulation after blocks. 0 = infinite -v, --verbose Verbose output examples/notes: hf mfu sim -t 2 --uid 11223344556677 -> MIFARE Ultralight hf mfu sim -t 7 --uid 11223344556677 -n 5 -> MFU EV1 / NTAG 215 Amiibo hf mfu sim -t 7 -> MFU EV1 / NTAG 215 Amiibo --------------------------------------------------------------------------------------- hf mfu setuid Set UID on MIFARE Ultralight tag. This only works for `magic Ultralight` tags. 
usage: hf mfu setuid [-h] [-u ] options: -h, --help This help -u, --uid New UID (7 hex bytes) examples/notes: hf mfu setuid --uid 11223344556677 --------------------------------------------------------------------------------------- hf mfu amiibo Tries to read all memory from amiibo tag and decrypt it usage: hf mfu amiibo [-hv] [--dec] [--enc] [-i ] [-o ] options: -h, --help This help --dec Decrypt memory --enc Encrypt memory -i, --in Specify a filename for input dump file -o, --out Specify a filename for output dump file -v, --verbose Verbose output examples/notes: hf mfu amiiboo --dec -f hf-mfu-04579DB27C4880-dump.bin -> decrypt file hf mfu amiiboo -v --dec -> decrypt tag --------------------------------------------------------------------------------------- hf mfdes help This help list List DESFire (ISO 14443A) history ----------- ---------------------- General ---------------------- auth MIFARE DesFire Authentication chk Check keys default Set defaults for all the commands detect Detect key type and tries to find one from the list formatpicc Format PICC freemem Get free memory size getuid Get uid from card info Tag information mad Prints MAD records / files from the card setconfig Set card configuration ----------- -------------------- Applications ------------------- lsapp Show all applications with files list getaids Get Application IDs list getappnames Get Applications list bruteaid Recover AIDs by bruteforce createapp Create Application deleteapp Delete Application selectapp Select Application ID ----------- ------------------------ Keys ----------------------- changekey Change Key chkeysettings Change Key Settings getkeysettings Get Key Settings getkeyversions Get Key Versions ----------- ----------------------- Files ----------------------- getfileids Get File IDs list getfileisoids Get File ISO IDs list lsfiles Show all files list dump Dump all files createfile Create Standard/Backup File createvaluefile Create Value File createrecordfile Create 
Linear/Cyclic Record File createmacfile Create Transaction MAC File deletefile Delete File getfilesettings Get file settings chfilesettings Change file settings read Read data from standard/backup/record/value/mac file write Write data to standard/backup/record/value file value Operations with value file (get/credit/limited credit/debit/clear) clearrecfile Clear record File ----------- ----------------------- System ----------------------- test Regression crypto tests --------------------------------------------------------------------------------------- hf mfdes list Alias of `trace list -t des -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol usage: hf mfdes list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf mfdes list --frame -> show frame delay times hf mfdes list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf mfdes auth Select application on the card. It selects app if it is a valid one or returns an error. 
usage: hf mfdes auth [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--save] options: -h, --help This help -a, --apdu Show APDU requests and responses -v, --verbose Verbose output -n, --keyno Key number -t, --algo Crypt algo -k, --key Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes) --kdf Key Derivation Function (KDF) -i, --kdfi KDF input (1-31 hex bytes) -m, --cmode Communicaton mode -c, --ccset Communicaton command set --schann Secure channel --aid Application ID of application for some parameters (3 hex bytes, big endian) --isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian) --save saves channels parameters to defaults if authentication succeeds examples/notes: hf mfdes auth -n 0 -t des -k 0000000000000000 --kdf none -> select PICC level and authenticate with key num=0, key type=des, key=00..00 and key derivation = none hf mfdes auth -n 0 -t aes -k 00000000000000000000000000000000 -> select PICC level and authenticate with key num=0, key type=aes, key=00..00 and key derivation = none hf mfdes auth -n 0 -t des -k 0000000000000000 --save -> select PICC level and authenticate and in case of successful authentication - save channel parameters to defaults hf mfdes auth --aid 123456 -> select application 123456 and authenticate via parameters from `default` command --------------------------------------------------------------------------------------- hf mfdes chk Checks keys with MIFARE DESFire card. usage: hf mfdes chk [-hva] [--aid ] [-k ] [-d ] [--pattern1b] [--pattern2b] [--startp2b ] [-j ] [--kdf <0|1|2>] [-i ] options: -h, --help This help --aid Use specific AID (3 hex bytes, big endian) -k, --key Key for checking (HEX 16 bytes) -d, --dict Dictionary file with keys --pattern1b Check all 1-byte combinations of key (0000...0000, 0101...0101, 0202...0202, ...) --pattern2b Check all 2-byte combinations of key (0000...0000, 0001...0001, 0002...0002, ...) 
  --startp2b        Start key (2-byte HEX) for 2-byte search (use with `--pattern2b`)
  -j, --json        Json file name to save keys
  -v, --verbose     Verbose output
  --kdf <0|1|2>     Key Derivation Function (KDF) (0=None, 1=AN10922, 2=Gallagher)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -a, --apdu        Show APDU requests and responses

examples/notes:
  hf mfdes chk --aid 123456 -k 000102030405060708090a0b0c0d0e0f  -> check key on aid 0x123456
  hf mfdes chk -d mfdes_default_keys                             -> check keys against all existing aid on card
  hf mfdes chk -d mfdes_default_keys --aid 123456                -> check keys against aid 0x123456
  hf mfdes chk --aid 123456 --pattern1b -j keys                  -> check all 1-byte key patterns on aid 0x123456 and save found keys to `keys.json`
  hf mfdes chk --aid 123456 --pattern2b --startp2b FA00          -> check all 2-byte key patterns on aid 0x123456, starting from key FA00FA00...FA00
---------------------------------------------------------------------------------------
hf mfdes default
Set default parameters for access to MIFARE DESfire card.

usage:
  hf mfdes default [-h] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ]

options:
  -h, --help        This help
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel

examples/notes:
  hf mfdes default -n 0 -t des -k 0000000000000000 --kdf none  -> save to the default parameters
---------------------------------------------------------------------------------------
hf mfdes detect
Detects the key type and tries to find the key from the list.
usage:
  hf mfdes detect [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--dict ] [--save]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  --dict            Dictionary file name with keys
  --save            Save found key and parameters to defaults

examples/notes:
  hf mfdes detect                            -> detect key 0 from PICC level
  hf mfdes detect --schann d40               -> detect key 0 from PICC level via secure channel D40
  hf mfdes detect --dict mfdes_default_keys  -> detect key 0 from PICC level with help of the standard dictionary
  hf mfdes detect --aid 123456 -n 2 --save   -> detect key 2 from app 123456 and, if it succeeds, save params to defaults (`default` command)
  hf mfdes detect --isoid df01 --save        -> detect key 0 and save to defaults with card in the LRP mode
---------------------------------------------------------------------------------------
hf mfdes formatpicc
Format card. Can be done only if enabled in the configuration. Master key needs to be provided.
usage:
  hf mfdes formatpicc [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID of delegated application (3 hex bytes, big endian)

examples/notes:
  hf mfdes formatpicc  -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes freemem
Get card's free memory. Can be done with or without authentication. Master key may be provided.

usage:
  hf mfdes getfreemem [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --no-auth         Execute without authentication

examples/notes:
  hf mfdes getfreemem  -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes getuid
Get UID from card. Gets the real UID if the random UID bit is on, and the same UID as in anticollision if not. Any of the card's keys needs to be provided.
usage:
  hf mfdes getuid [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)

examples/notes:
  hf mfdes getuid                                   -> execute with default factory setup
  hf mfdes getuid --isoid df01 -t aes --schan lrp   -> for DESFire Light default settings
---------------------------------------------------------------------------------------
hf mfdes info
Get info from MIFARE DESfire tags

usage:
  hf mfdes info [-h]

options:
  -h, --help        This help

examples/notes:
  hf mfdes info
---------------------------------------------------------------------------------------
hf mfdes mad
Reads and prints MIFARE Application directory (MAD).

usage:
  hf mfdes mad [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID of issuer info file (3 hex bytes, big endian) (non-standard feature!)
  --auth            Authenticate to get info from GetApplicationIDs command (non-standard feature!)
examples/notes:
  MAD consists of one file with issuer info (AID ffffff) and several files with AID in the special format `faaaav` (a - MAD ID, v - multiple AID over one MAD ID).
  The MIFARE DESFire Card Master Key settings have to allow the MIFARE DESFire command GetApplicationIDs without authentication (from datasheet).
  hf mfdes mad                                                     -> shows MAD data
  hf mfdes mad -v                                                  -> shows MAD parsed and raw data
  hf mfdes mad -a e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7         -> shows MAD data with custom AID and key
---------------------------------------------------------------------------------------
hf mfdes setconfig
Set card configuration. WARNING! Danger zone! The card's master key needs to be provided, and it works only if not blocked by config.

usage:
  hf mfdes setconfig [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [-p ] [-d ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID of application for some parameters (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  -p, --param       Parameter id (1 hex byte)
  -d, --data        Data for parameter (1..30 hex bytes)

examples/notes:
  More about the options in MF2DLHX0.pdf.
  Options list:
    00h PICC configuration.
    02h ATS update.
    03h SAK update
    04h Secure Messaging Configuration.
    05h Capability data.
        (here change for LRP in the Desfire Light [enable 00000000010000000000])
    06h DF Name renaming (one-time)
    08h File renaming (one-time)
    09h Value file configuration (one-time)
    0Ah Failed authentication counter setting [disable 00ffffffff]
    0Bh HW configuration
  hf mfdes setconfig --param 03 --data 0428                                                 -> set SAK
  hf mfdes setconfig --param 02 --data 0875778102637264                                     -> set ATS (first byte - length)
  hf mfdes setconfig --isoid df01 -t aes --schann ev2 --param 05 --data 00000000020000000000 -> enable LRP mode for Desfire Light
  hf mfdes setconfig --isoid df01 -t aes --schann ev2 --param 0a --data 00ffffffff           -> disable failed auth counters for Desfire Light
  hf mfdes setconfig --isoid df01 -t aes --schann lrp --param 0a --data 00ffffffff           -> disable failed auth counters for Desfire Light via lrp
---------------------------------------------------------------------------------------
hf mfdes lsapp
Show application list. Master key needs to be provided or flag --no-auth set (depends on card settings).
usage:
  hf mfdes lsapp [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--no-auth] [--no-deep] [--files]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --no-auth         Execute without authentication
  --no-deep         do not check which authentication commands are available for each application
  --files           scan files and print file settings

examples/notes:
  hf mfdes lsapp          -> show application list with defaults from `default` command
  hf mfdes lsapp --files  -> show application list and show each file type/settings/etc
---------------------------------------------------------------------------------------
hf mfdes getaids
Get Application IDs list from card. Master key needs to be provided or flag --no-auth set.

usage:
  hf mfdes getaids [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --no-auth         Execute without authentication

examples/notes:
  hf mfdes getaids -n 0 -t des -k 0000000000000000 --kdf none  -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes getappnames
Get Application IDs, ISO IDs and DF names from card. Master key needs to be provided or flag --no-auth set.
usage:
  hf mfdes getappnames [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --no-auth         Execute without authentication

examples/notes:
  hf mfdes getappnames -n 0 -t des -k 0000000000000000 --kdf none  -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes bruteaid
Recover AIDs by bruteforce. WARNING: This command takes a loooong time

usage:
  hf mfdes bruteaid [-hm] [--start ] [--end ] [-i ]

options:
  -h, --help        This help
  --start           Starting App ID as hex bytes (3 bytes, big endian)
  --end             Last App ID as hex bytes (3 bytes, big endian)
  -i, --step        Increment step when bruteforcing
  -m, --mad         Only bruteforce the MAD range

examples/notes:
  hf mfdes bruteaid                       -> Search all apps
  hf mfdes bruteaid --start F0000F -i 16  -> Search MAD range manually
---------------------------------------------------------------------------------------
hf mfdes createapp
Create application. Master key needs to be provided.
usage:
  hf mfdes createapp [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--rawdata ] [--aid ] [--fid ] [--dfname ] [--dfhex ] [--ks1 ] [--ks2 ] [--dstalgo ] [--numkeys ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --rawdata         Raw data to send with the command
  --aid             Application ID to create. Mandatory. (3 hex bytes, big endian)
  --fid             ISO file ID. Forbidden values: 0000, 3F00, 3FFF, FFFF. (2 hex bytes, big endian)
  --dfname          ISO DF Name (1..16 chars)
  --dfhex           ISO DF Name as hex (1..16 bytes)
  --ks1             Key settings 1 (1 hex byte). Application Master Key Settings (def: 0x0F)
  --ks2             Key settings 2 (1 hex byte). (def: 0x0E)
  --dstalgo         Application key crypt algo (def: DES)
  --numkeys         Number of keys 0x00..0x0e (def: 0x0E)
  --no-auth         Execute without authentication

examples/notes:
  The rawdata option has priority over the other settings, and the ks1 and ks2 options have priority over the corresponding key settings.
  KeySetting 1 (AMK Setting, ks1):
    0: Allow change master key.
       1 - allow, 0 - frozen
    1: Free Directory list access without master key
       0: AMK auth needed for GetFileSettings and GetKeySettings
       1: No AMK auth needed for GetFileIDs, GetISOFileIDs, GetFileSettings, GetKeySettings
    2: Free create/delete without master key
       0: CreateFile/DeleteFile only with AMK auth
       1: CreateFile/DeleteFile always
    3: Configuration changeable
       0: Configuration frozen
       1: Configuration changeable if authenticated with AMK (default)
    4-7: ChangeKey Access Rights
       0: Application master key needed (default)
       0x1..0xD: Auth with specific key needed to change any key
       0xE: Auth with the key to be changed (same KeyNo) is necessary to change a key
       0xF: All Keys within this application are frozen
  KeySetting 2 (ks2):
    0..3: Number of keys stored within the application (max. 14 keys)
    4: ks3 is present
    5: Use of 2 byte ISO FID, 0: No, 1: Yes
    6..7: Crypto Method 00: DES|2TDEA, 01: 3TDEA, 10: AES, 11: RFU
    Example:
      2E = with FID, DES|2TDEA, 14 keys
      6E = with FID, 3TDEA, 14 keys
      AE = with FID, AES, 14 keys
  hf mfdes createapp --rawdata 5634122F2E4523616964313233343536                 -> execute create by rawdata
  hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456                 -> app aid, iso file id and iso df name are specified
  hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456 --dstalgo aes   -> with AES as the algorithm for keys
---------------------------------------------------------------------------------------
hf mfdes deleteapp
Delete application by its 3-byte AID. Master key needs to be provided.
usage:
  hf mfdes deleteapp [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID to delete (3 hex bytes, big endian)

examples/notes:
  hf mfdes deleteapp --aid 123456  -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes selectapp
Select application on the card. It selects app if it is a valid one or returns an error.

usage:
  hf mfdes selectapp [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--dfname ] [--mf] [--isoid ] [--fileisoid ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID of application for some parameters (3 hex bytes, big endian)
  --dfname          Application DF Name (string, max 16 chars). Selects application via ISO SELECT command
  --mf              Select MF (master file) via ISO channel
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  --fileisoid       Select file inside application by ISO ID (ISO DF ID) (2 hex bytes, big endian).
examples/notes:
  hf mfdes selectapp --aid 123456                      -> select application 123456
  hf mfdes selectapp --mf                              -> select master file (PICC level)
  hf mfdes selectapp --dfname aid123456                -> select application aid123456 by DF name
  hf mfdes selectapp --isoid 1111                      -> select application 1111 by ISO ID
  hf mfdes selectapp --isoid 1111 --fileisoid 2222     -> select application 1111 file 2222 by ISO ID
  hf mfdes selectapp --isoid 01df --fileisoid 00ef     -> select file 00 on the Desfire Light
---------------------------------------------------------------------------------------
hf mfdes changekey
Change PICC/Application key. Needs a keynum/key for a valid authentication (may be taken from the default parameters).

usage:
  hf mfdes changekey [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--oldalgo ] [--oldkey ] [--newkeyno ] [--newalgo ] [--newkey ] [--newver ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID of application (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  --oldalgo         Old key crypto algorithm
  --oldkey          Old key (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --newkeyno        Key number for change
  --newalgo         New key crypto algorithm
  --newkey          New key (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --newver          Version of new key (1 hex byte)

examples/notes:
  Changing the crypto algorithm of the PICC key is possible, but for APP keys the crypto algorithm is set by the createapp command and can't be changed without deleting the application.
  hf mfdes changekey --aid 123456  -> execute with default factory setup.
                                      change des key 0 in the app 123456 from 00..00 to 00..00
  hf mfdes changekey --isoid df01 -t aes --schann lrp --newkeyno 01                                                  -> change key 01 via lrp channel
  hf mfdes changekey -t des --newalgo aes --newkey 11223344556677889900112233445566 --newver a5                        -> change card master key to AES one
  hf mfdes changekey --aid 123456 -t aes --key 00000000000000000000000000000000 --newkey 11223344556677889900112233445566 -> change app master key
  hf mfdes changekey --aid 123456 -t des -n 0 --newkeyno 1 --oldkey 5555555555555555 --newkey 1122334455667788         -> change key 1 with auth from key 0
  hf mfdes changekey --aid 123456 -t 3tdea --newkey 112233445566778899001122334455667788990011223344                    -> change 3tdea key 0 from default 00..00 to provided
---------------------------------------------------------------------------------------
hf mfdes chkeysettings
Change key settings for card level or application level. WARNING: card level changes may block the card!

usage:
  hf mfdes chkeysettings [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [-d ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  -d, --data        Key settings (1 hex byte)

examples/notes:
  hf mfdes chkeysettings -d 0f               -> set picc key settings with default key/channel setup
  hf mfdes chkeysettings --aid 123456 -d 0f  -> set app 123456 key settings with default key/channel setup
---------------------------------------------------------------------------------------
hf mfdes getkeysettings
Get key settings for card level or application level.
usage:
  hf mfdes getkeysettings [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)

examples/notes:
  hf mfdes getkeysettings               -> get picc key settings with default key/channel setup
  hf mfdes getkeysettings --aid 123456  -> get app 123456 key settings with default key/channel setup
---------------------------------------------------------------------------------------
hf mfdes getkeyversions
Get key versions for card level or application level.

usage:
  hf mfdes getkeyversions [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--keynum ] [--keyset ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number for authentication
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  --keynum          Key number/count (1 hex byte). (def: 0x00)
  --keyset          Keyset number (1 hex byte)
  --no-auth         Execute without authentication

examples/notes:
  --keynum parameter: App level: key number. PICC level: 00..0d - keys count, 21..23 vc keys, default 0x00.
  hf mfdes getkeyversions --keynum 00                          -> get picc master key version with default key/channel setup
  hf mfdes getkeyversions --aid 123456 --keynum 0d             -> get app 123456 all key versions with default key/channel setup
  hf mfdes getkeyversions --aid 123456 --keynum 0d --no-auth   -> get key version without authentication
---------------------------------------------------------------------------------------
hf mfdes getfileids
Get File IDs list from card. Master key needs to be provided or flag --no-auth set.

usage:
  hf mfdes getfileids [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  --no-auth         Execute without authentication

examples/notes:
  hf mfdes getfileids --aid 123456                                          -> execute with defaults from `default` command
  hf mfdes getfileids -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes getfileisoids
Get File IDs list from card. Master key needs to be provided or flag --no-auth set.
usage:
  hf mfdes getfileisoids [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  --no-auth         Execute without authentication

examples/notes:
  hf mfdes getfileisoids --aid 123456                                          -> execute with defaults from `default` command
  hf mfdes getfileisoids -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 -> execute with default factory setup
  hf mfdes getfileisoids --isoid df01                                          -> get iso file ids from Desfire Light with factory card settings
  hf mfdes getfileisoids --isoid df01 --schann lrp -t aes                      -> get iso file ids from Desfire Light via lrp channel with default key authentication
---------------------------------------------------------------------------------------
hf mfdes lsfiles
List files inside application AID / ISOID. Master key needs to be provided or flag --no-auth set (depends on card settings).
usage:
  hf mfdes lsfiles [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  --no-auth         Execute without authentication

examples/notes:
  hf mfdes lsfiles --aid 123456             -> AID 123456, list files using `default` command creds
  hf mfdes lsfiles --isoid df01 --no-auth   -> list files for DESFire light
---------------------------------------------------------------------------------------
hf mfdes dump
For each application show the file list and then the file content. Key needs to be provided for authentication or flag --no-auth set (depends on card settings).
usage:
  hf mfdes dump [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [-l ] [--no-auth]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --isoid           Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
  -l, --length      Maximum length for read data files (3 hex bytes, big endian)
  --no-auth         Execute without authentication

examples/notes:
  hf mfdes dump --aid 123456                                      -> show file dump for: app=123456 with channel defaults from `default` command
  hf mfdes dump --isoid df01 --schann lrp -t aes --length 000090  -> lrp default settings with length limit
---------------------------------------------------------------------------------------
hf mfdes createfile
Create Standard/Backup file in the application. Application master key needs to be provided or flag --no-auth set (depends on application settings).
usage:
  hf mfdes createfile [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--fid ] [--isofid ] [--rawtype ] [--rawdata ] [--amode ] [--rawrights ] [--rrights ] [--wrights ] [--rwrights ] [--chrights ] [--no-auth] [--size ] [--backup]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --fid             File ID (1 hex byte)
  --isofid          ISO File ID (2 hex bytes)
  --rawtype         Raw file type (1 hex byte)
  --rawdata         Raw file settings (hex > 5 bytes)
  --amode           File access mode
  --rawrights       Access rights for file (2 hex bytes) R/W/RW/Chg, 0x0 - 0xD Key, 0xE Free, 0xF Denied
  --rrights         Read file access mode: the specified key, free, deny
  --wrights         Write file access mode: the specified key, free, deny
  --rwrights        Read/Write file access mode: the specified key, free, deny
  --chrights        Change file settings access mode: the specified key, free, deny
  --no-auth         Execute without authentication
  --size            File size (3 hex bytes, big endian)
  --backup          Create backup file instead of standard file

examples/notes:
  --rawtype/--rawdata have priority over the other settings, and with these parameters you can create any file. The file id comes from the parameters; all the rest of the data must be in the --rawdata parameter.
  --rawrights have priority over the separate rights settings.
  Key/mode/etc of the authentication depends on application settings.
  hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010                 -> create file with iso id. Authentication with defaults from `default` command
  hf mfdes createfile --aid 123456 --fid 01 --rawtype 01 --rawdata 000100EEEE000100     -> create file via sending rawdata to the card.
                                                                                          Can be used to create any type of file. Authentication with defaults from `default` command
  hf mfdes createfile --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 -> create file app=123456, file=01 and mentioned rights with defaults from `default` command
  hf mfdes createfile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 --rawtype 00 --rawdata 00EEEE000100 -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes createvaluefile
Create Value file in the application. Application master key needs to be provided or flag --no-auth set (depends on application settings).

usage:
  hf mfdes createvaluefile [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--fid ] [--amode ] [--rawrights ] [--rrights ] [--wrights ] [--rwrights ] [--chrights ] [--no-auth] [--lower ] [--upper ] [--value ] [--lcredit ]

options:
  -h, --help        This help
  -a, --apdu        Show APDU requests and responses
  -v, --verbose     Verbose output
  -n, --keyno       Key number
  -t, --algo        Crypt algo
  -k, --key         Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)
  --kdf             Key Derivation Function (KDF)
  -i, --kdfi        KDF input (1-31 hex bytes)
  -m, --cmode       Communication mode
  -c, --ccset       Communication command set
  --schann          Secure channel
  --aid             Application ID (3 hex bytes, big endian)
  --fid             File ID (1 hex byte)
  --amode           File access mode
  --rawrights       Access rights for file (2 hex bytes) R/W/RW/Chg, 0x0 - 0xD Key, 0xE Free, 0xF Denied
  --rrights         Read file access mode: the specified key, free, deny
  --wrights         Write file access mode: the specified key, free, deny
  --rwrights        Read/Write file access mode: the specified key, free, deny
  --chrights        Change file settings access mode: the specified key, free, deny
  --no-auth         Execute without authentication
  --lower           Lower limit (4 hex bytes, big endian)
  --upper           Upper limit (4 hex bytes, big endian)
  --value           Value (4 hex bytes, big endian)
--lcredit Limited Credit byte (bit 0 = Limited Credit enabled, bit 1 = free GetValue)
examples/notes:
--rawrights has priority over the separate rights settings. Key/mode/etc. of the authentication depend on application settings
hf mfdes createvaluefile --aid 123456 --fid 01 --lower 00000010 --upper 00010000 --value 00000100 -> create file with parameters. Rights from default. Authentication with defaults from `default` command
hf mfdes createvaluefile --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 -> create file app=123456, file=01 with the given rights, using defaults from `default` command
hf mfdes createvaluefile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes createrecordfile
Create Linear/Cyclic Record file in the application. Application master key needs to be provided or flag --no-auth set (depends on application settings).
usage: hf mfdes createrecordfile [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--fid ] [--isofid ] [--amode ] [--rawrights ] [--rrights ] [--wrights ] [--rwrights ] [--chrights ] [--no-auth] [--size ] [--maxrecord ] [--cyclic]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--fid File ID (1 hex byte)
--isofid ISO File ID (2 hex bytes)
--amode File access mode
--rawrights Access rights for file (2 hex bytes, nibbles in the order R/W/RW/Chg): 0x0 - 0xD key number, 0xE free, 0xF denied
--rrights Read file access mode: the specified key, free, deny
--wrights Write file access mode: the specified key, free, deny
--rwrights Read/Write file access mode: the specified key, free, deny
--chrights Change file settings access mode: the specified key, free, deny
--no-auth Execute without authentication
--size Record size (3 hex bytes, big endian, 000001 to FFFFFF)
--maxrecord Max. number of records (3 hex bytes, big endian)
--cyclic Create cyclic record file instead of linear record file
examples/notes:
--rawrights has priority over the separate rights settings. Key/mode/etc. of the authentication depend on application settings
hf mfdes createrecordfile --aid 123456 --fid 01 --size 000010 --maxrecord 000010 --cyclic -> create cyclic record file with parameters. Rights from default.
Authentication with defaults from `default` command
hf mfdes createrecordfile --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 --size 000010 --maxrecord 000010 -> create linear record file app=123456, file=01 with the given rights, using defaults from `default` command
hf mfdes createrecordfile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 --size 000010 --maxrecord 000010 -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes createmacfile
Create Transaction MAC file in the application. Application master key needs to be provided or flag --no-auth set (depends on application settings).
usage: hf mfdes createmacfile [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--fid ] [--amode ] [--rawrights ] [--rrights ] [--wrights ] [--rwrights ] [--chrights ] [--no-auth] [--mackey ] [--mackeyver ]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fid File ID (1 hex byte)
--amode File access mode
--rawrights Access rights for file (2 hex bytes, nibbles in the order R/W/RW/Chg): 0x0 - 0xD key number, 0xE free, 0xF denied
--rrights Read file access mode: the specified key, free, deny
--wrights Write file access mode: the specified key, free, deny
--rwrights Read/Write file access mode: the specified key, free, deny
--chrights Change file settings access mode: the specified key, free, deny
--no-auth Execute without authentication
--mackey AES-128 key for MAC (16 hex bytes, big endian). (def: all zeros)
--mackeyver AES key version for MAC (1 hex byte). (def: 0x0)
examples/notes:
--rawrights has priority over the separate rights settings. Key/mode/etc. of the authentication depend on application settings
Write right should always be 0xF (denied): the card updates the Transaction MAC file itself on CommitTransaction, a reader never writes it. Read/Write right should be 0xF unless you need to submit a CommitReaderID command each time a transaction starts; in that case set it to the key that is allowed to commit the reader ID (key 1 in the last example below).
hf mfdes createmacfile --aid 123456 --fid 01 --rawrights 0FF0 --mackey 00112233445566778899aabbccddeeff --mackeyver 01 -> create transaction mac file with parameters (rights: read key 0, write denied, read/write denied, change key 0). Authentication with defaults from `default` command
hf mfdes createmacfile --aid 123456 --fid 01 --amode plain --rrights free --wrights deny --rwrights free --chrights key0 --mackey 00112233445566778899aabbccddeeff -> create file app=123456, file=01 with key and the given rights, using defaults from `default` command
hf mfdes createmacfile -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> execute with default factory setup. MAC key and key version default to all zeros
hf mfdes createmacfile --isoid df01 --fid 0f --schann lrp -t aes --rawrights 0FF0 --mackey 00112233445566778899aabbccddeeff --mackeyver 01 -> create transaction mac file via LRP channel
hf mfdes createmacfile --isoid df01 --fid 0f --schann lrp -t aes --rawrights 0F10 --mackey 00112233445566778899aabbccddeeff --mackeyver 01 -> create transaction mac file via LRP channel with the CommitReaderID command enabled (read/write right = key 1)
---------------------------------------------------------------------------------------
hf mfdes deletefile
Delete file from application. Master key needs to be provided or flag --no-auth set (depends on card settings).
usage: hf mfdes deletefile [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--fid ] [--no-auth]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fid File ID (1 hex byte)
--no-auth Execute without authentication
examples/notes:
hf mfdes deletefile --aid 123456 --fid 01 -> delete file for: app=123456, file=01 with defaults from `default` command
hf mfdes deletefile --isoid df01 --fid 0f --schann lrp -t aes -> delete file via LRP channel
---------------------------------------------------------------------------------------
hf mfdes getfilesettings
Get file settings of a file in the application. Master key needs to be provided or flag --no-auth set (depends on card settings).
usage: hf mfdes getfilesettings [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--fid ] [--no-auth]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fid File ID (1 hex byte). (def: 1)
--no-auth Execute without authentication
examples/notes:
hf mfdes getfilesettings --aid 123456 --fid 01 -> execute with defaults from `default` command
hf mfdes getfilesettings --isoid df01 --fid 00 --no-auth -> get file settings, selecting the application by ISO ID
hf mfdes getfilesettings -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> execute with default factory setup
---------------------------------------------------------------------------------------
hf mfdes chfilesettings
Change file settings of a file in the application. Master key needs to be provided or flag --no-auth set (depends on card settings).
usage: hf mfdes chfilesettings [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--fid ] [--rawdata ] [--amode ] [--rawrights ] [--rrights ] [--wrights ] [--rwrights ] [--chrights ] [--no-auth]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fid File ID (1 hex byte)
--rawdata File settings as raw HEX bytes (e.g. 00EEEE: file option byte followed by the 2 access-rights bytes). Has priority over the other settings
--amode File access mode
--rawrights Access rights for file (2 hex bytes, nibbles in the order R/W/RW/Chg): 0x0 - 0xD key number, 0xE free, 0xF denied
--rrights Read file access mode: the specified key, free, deny
--wrights Write file access mode: the specified key, free, deny
--rwrights Read/Write file access mode: the specified key, free, deny
--chrights Change file settings access mode: the specified key, free, deny
--no-auth Execute without authentication
examples/notes:
hf mfdes chfilesettings --aid 123456 --fid 01 --amode plain --rrights free --wrights free --rwrights free --chrights key0 -> change file settings app=123456, file=01 with defaults from `default` command
hf mfdes chfilesettings -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 --rawdata 00EEEE -> execute with default factory setup
hf mfdes chfilesettings --aid 123456 --fid 01 --rawdata 810000021f112f22 -> change file settings with additional access rights for keys 1 and 2
hf mfdes chfilesettings --isoid df01 --fid 00 --amode plain --rawrights eee0 --schann lrp -t aes -> change file settings via LRP channel
---------------------------------------------------------------------------------------
hf mfdes read
Read data from file. Key needs to be provided or flag --no-auth set (depends on file settings).
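The access-rights encoding used by the create*/chfilesettings commands above (nibbles in the order R/W/RW/Chg, 0xE free, 0xF denied), the Transaction MAC file rule from the createmacfile notes (write must be denied, read/write denied unless CommitReaderID is wanted) and the `--rawdata 810000021f112f22` example are small enough to get wrong by hand. The following is an added worked example, not Proxmark3's own code: it turns symbolic rights into a `--rawrights` value, decodes a ChangeFileSettings-style raw blob, and checks TMAC file rights. Two things it relies on are not stated in the help text and are taken from the NXP DESFire datasheets: on the wire the two access-rights bytes are stored LSB first (byte 0 = RW|Chg, byte 1 = R|W), and in the file option byte bits 0-1 carry the communication mode while bit 7 announces EV2 "additional access rights" (a count byte followed by 2-byte entries). Treat those as assumptions to verify against your card's documentation.

```python
# Added worked example (not Proxmark3 code): encode and decode MIFARE DESFire
# file access rights as the `hf mfdes` create*/chfilesettings commands use them.
# From the help text: `--rawrights` is 4 nibbles in the order R/W/RW/Chg,
# 0x0-0xD = key number, 0xE = free, 0xF = denied.
# Assumptions beyond the help text (from the NXP DESFire datasheets):
#   - on the wire, and in `--rawdata`, the two access-rights bytes are LSB first:
#     byte0 = RW<<4 | Chg, byte1 = R<<4 | W
#   - file option byte: bits 0-1 = comm mode (0 plain, 1 MAC, 3 full),
#     bit 7 = "additional access rights" follow (EV2+): count byte + 2-byte entries

FREE, DENY = 0xE, 0xF
RIGHTS_ORDER = ("read", "write", "readwrite", "change")   # R/W/RW/Chg
COMM_MODES = {0: "plain", 1: "mac", 3: "full"}


def _nibble(right):
    """'free' -> 0xE, 'deny' -> 0xF, 'keyN' -> N (0..0xD)."""
    if right == "free":
        return FREE
    if right == "deny":
        return DENY
    if right.startswith("key") and right[3:].isdigit() and 0 <= int(right[3:]) <= 0xD:
        return int(right[3:])
    raise ValueError("bad access right: %r" % (right,))


def _name(nibble):
    return {FREE: "free", DENY: "deny"}.get(nibble, "key%d" % nibble)


def encode_rawrights(read, write, readwrite, change):
    """Symbolic rights -> the 4 hex digits to pass as `--rawrights` (R/W/RW/Chg)."""
    return "%X%X%X%X" % tuple(_nibble(r) for r in (read, write, readwrite, change))


def rawrights_to_wire(rawrights):
    """`--rawrights` value -> the two bytes as the card stores/sends them (assumed LSB first)."""
    r, w, rw, ch = (int(c, 16) for c in rawrights)
    return bytes([(rw << 4) | ch, (r << 4) | w])


def decode_wire_rights(two_bytes):
    """Two on-wire access-rights bytes -> {'read': 'key0', 'write': 'deny', ...}."""
    rw, ch = two_bytes[0] >> 4, two_bytes[0] & 0xF
    r, w = two_bytes[1] >> 4, two_bytes[1] & 0xF
    return dict(zip(RIGHTS_ORDER, (_name(n) for n in (r, w, rw, ch))))


def decode_file_settings(hexdata):
    """Decode a ChangeFileSettings-style `--rawdata` blob: file option byte,
    access rights, optional EV2 additional access rights. Type-specific trailing
    fields (e.g. the size in createfile's `--rawdata 00EEEE000100`) are ignored."""
    data = bytes.fromhex(hexdata)
    opts = data[0]
    settings = {
        "comm_mode": COMM_MODES.get(opts & 0x03, "rfu"),
        "rights": decode_wire_rights(data[1:3]),
        "additional": [],
    }
    if opts & 0x80:                      # additional access rights present
        count = data[3]
        for i in range(count):
            entry = data[4 + 2 * i: 6 + 2 * i]
            settings["additional"].append(decode_wire_rights(entry))
    return settings


def check_tmac_rights(rawrights, reader_id_key=None):
    """Check Transaction MAC file rights against the createmacfile notes:
    the card updates the TMAC file itself on CommitTransaction, so Write must
    be denied (0xF); Read/Write must be denied too unless CommitReaderID is
    wanted, in which case it is the key allowed to issue CommitReaderID."""
    r, w, rw, ch = (int(c, 16) for c in rawrights)
    problems = []
    if w != DENY:
        problems.append("write right must be 0xF (denied), got 0x%X" % w)
    if reader_id_key is None and rw != DENY:
        problems.append("read/write right must be 0xF unless CommitReaderID is used, got 0x%X" % rw)
    if reader_id_key is not None and rw != reader_id_key:
        problems.append("read/write right must be key %d for CommitReaderID, got 0x%X" % (reader_id_key, rw))
    return problems


if __name__ == "__main__":
    # The help text's own values: `--rawrights eee0` (everything free, change = key 0),
    # `0FF0` for a TMAC file, `0F10` for a TMAC file with CommitReaderID via key 1.
    print(encode_rawrights("free", "free", "free", "key0"))      # EEE0
    print(rawrights_to_wire("0FF0").hex())                        # f00f
    print(decode_file_settings("810000021f112f22"))
    print(check_tmac_rights("0FF0"), check_tmac_rights("0F10", reader_id_key=1))
    print(check_tmac_rights("0EE0"))                              # two problems
```

Run `check_tmac_rights()` on whatever you are about to pass as `--rawrights` to createmacfile before sending it: a TMAC file whose write right is not 0xF lets an authenticated reader overwrite the transaction MAC counter and value, which defeats the purpose of the file.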
usage: hf mfdes read [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--fid ] [--no-auth] [--type ] [-o ] [-l ] [--isoid ] [--fileisoid ] [--isochain]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--fid File ID (1 hex byte)
--no-auth Execute without authentication
--type File type. auto - check file settings and then read. (def: auto)
-o, --offset File offset (3 hex bytes, big endian). For records - record number (0 - latest record). (def: 0)
-l, --length Length to read (3 hex bytes, big endian; 000000 = read all data). For records - record count (0 - all). (def: 0)
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fileisoid File ISO ID (ISO DF ID) (2 hex bytes, big endian). Works only for ISO read commands
--isochain Use ISO chaining commands. Switched on by default if secure channel = lrp
examples/notes:
It reads the file via any of the command sets. For the ISO command set the file can be selected by its full 2-byte ISO ID or by its 1-byte short ISO ID (the first byte of the full ISO ID). ISO IDs are given in BIG ENDIAN format.
ISO record commands: offset - record number (0 - current, 1..ff - record number, 1 = latest); length - 0 = all records, 1 = one record
hf mfdes read --aid 123456 --fid 01 -> read file: app=123456, file=01, offset=0, all the data. Use default channel settings from `default` command
hf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001 -> read the latest record from a record file. Use default channel settings from `default` command
hf mfdes read --aid 123456 --fid 10 --type data -c iso -> read file via ISO channel: app=123456, short ISO ID=10, offset=0
hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso -> read file via ISO channel: app=123456, ISO ID=1000, offset=0. Select via native ISO wrapper
hf mfdes read --isoid 0102 --fileisoid 1000 --type data -c iso -> read file via ISO channel: app ISO ID=0102, ISO ID=1000, offset=0. Select via ISO commands
hf mfdes read --isoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001 -> get one record (number 5) from file 1100 via ISO commands
hf mfdes read --isoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000 -> get all records (from 5 down to 1) from file 1100 via ISO commands
hf mfdes read --isoid df01 --fid 00 --schann lrp -t aes --length 000010 -> read via LRP channel
hf mfdes read --isoid df01 --fid 00 --schann ev2 -t aes --length 000010 --isochain -> read DESFire Light via EV2 channel
---------------------------------------------------------------------------------------
hf mfdes write
Write data to file. Key needs to be provided or flag --no-auth set (depends on file settings).
usage: hf mfdes write [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--fid ] [--no-auth] [--type ] [-o ] [-d ] [--debit] [--commit] [--updaterec ] [--isoid ] [--fileisoid ] [--readerid ] [--trkey ]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--fid File ID (1 hex byte)
--no-auth Execute without authentication
--type File type. auto - check file settings and then write. (def: auto)
-o, --offset File offset (3 hex bytes, big endian). For records - record number (0 - latest record). (def: 0)
-d, --data Data to write (data/record file) or amount to credit/debit (value file)
--debit Use for a value file debit operation instead of credit
--commit Commit is needed for backup files only. For the other file types, and in `auto` mode, the command sets it automatically
--updaterec Record number for the UpdateRecord command. Updates the record instead of writing a new one. Latest record - 0
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fileisoid File ISO ID (ISO DF ID) (2 hex bytes, big endian). Works only for ISO write commands
--readerid Reader ID for the CommitReaderID command. If present, the command is issued before the write command
--trkey Key for decoding the previous reader ID
examples/notes:
In CommitReaderID mode, decoding the previous reader ID requires the transaction counter (read it via the dump/read command) and the --trkey option
hf mfdes write --aid 123456 --fid 01 -d 01020304 -> AID 123456, file=01, offset=0, get file type from card. Use default channel settings from `default` command
hf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --offset 000100 -> write data to std file at offset 0x100
hf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --commit -> write data to backup file with commit
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 -> increment value file
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 --debit -> decrement value file
hf mfdes write --aid 123456 --fid 01 -d 01020304 -> write data to file with `auto` type
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 -> write data to record file
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0 -> update record in the record file. Record 0 - latest record
hf mfdes write --aid 123456 --fid 01 --type record --offset 000000 -d 11223344 -> write record to record file. Use default channel settings from `default` command
hf mfdes write --isoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 -> write data to std/backup file via ISO command set
hf mfdes write --isoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 -> send record to record file via ISO command set
hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 -> write data to file with a CommitReaderID command before the write and CommitTransaction after it
hf mfdes write --isoid df01 --fid 04 -d 01020304 --trkey 00112233445566778899aabbccddeeff --readerid 5532 -t aes --schann lrp -> advanced CommitReaderID via LRP channel sample
---------------------------------------------------------------------------------------
hf mfdes value
Get or change the value of a Value file in the application (get / credit / limited credit / debit / clear). Master key needs to be provided or flag --no-auth set (depends on card settings).
usage: hf mfdes value [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--fid ] [-o ] [-d ] [--no-auth]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fid File ID (1 hex byte)
-o, --op Operation: get (default) / credit / limcredit (limited credit) / debit / clear. Operation clear: get the current value and the file settings, then debit down to the lower limit
-d, --data Value for the operation (HEX 4 bytes)
--no-auth Execute without authentication
examples/notes:
hf mfdes value --aid 123456 --fid 01 -> get value app=123456, file=01 with defaults from `default` command
hf mfdes value --aid 123456 --fid 01 --op credit -d 00000001 -> credit value app=123456, file=01 with defaults from `default` command
hf mfdes value -n 0 -t des -k 0000000000000000 --kdf none --aid 123456 --fid 01 -> get value with default factory setup
hf mfdes value --isoid df01 --fid 03 --schann lrp -t aes -n 1 --op credit -d 00000001 -m encrypt -> credit value in LRP encrypted mode
hf mfdes value --isoid df01 --fid 03 --schann lrp -t aes -n 1 --op get -m plain -> get value in plain mode regardless of the file's communication mode; works for DESFire Light (see SetConfiguration option 0x09)
---------------------------------------------------------------------------------------
hf mfdes clearrecfile
Clear record file. Master key needs to be provided or flag --no-auth set (depends on card settings).
usage: hf mfdes clearrecfile [-hav] [-n ] [-t ] [-k ] [--kdf ] [-i ] [-m ] [-c ] [--schann ] [--aid ] [--isoid ] [--fid ] [--no-auth]
options:
-h, --help This help
-a, --apdu Show APDU requests and responses
-v, --verbose Verbose output
-n, --keyno Key number
-t, --algo Crypt algo
-k, --key Key for authentication (HEX 8 (DES), 16 (2TDEA or AES) or 24 (3TDEA) bytes)
--kdf Key Derivation Function (KDF)
-i, --kdfi KDF input (1-31 hex bytes)
-m, --cmode Communication mode
-c, --ccset Communication command set
--schann Secure channel
--aid Application ID (3 hex bytes, big endian)
--isoid Application ISO ID (ISO DF ID) (2 hex bytes, big endian)
--fid File ID for clearing (1 hex byte)
--no-auth Execute without authentication
examples/notes:
hf mfdes clearrecfile --aid 123456 --fid 01 -> clear record file for: app=123456, file=01 with defaults from `default` command
hf mfdes clearrecfile --isoid df01 --fid 01 --schann lrp -t aes -n 3 -> clear record file via LRP channel with key number 3
---------------------------------------------------------------------------------------
hf mfdes test
Regression crypto tests
usage: hf mfdes test [-h]
options:
-h, --help This help
examples/notes:
hf mfdes test
---------------------------------------------------------------------------------------
hf ntag424
help This help
----------- ----------------------- operations -----------------------
info Tag information
view Display content from tag dump file
auth Test authentication with key
read Read file
write Write file
getfs Get file settings
changefs Change file settings
changekey Change key
---------------------------------------------------------------------------------------
hf ntag424 info
Get info about an NXP NTAG424 DNA family tag.
usage: hf ntag424 info [-h]
options:
-h, --help This help
examples/notes:
hf ntag424 info
---------------------------------------------------------------------------------------
hf ntag424 view
Print an NTAG 424 DNA dump file (bin/eml/json)
usage: hf ntag424 view [-hv] -f
options:
-h, --help This help
-f, --file Specify a filename for dump file
-v, --verbose Verbose output
examples/notes:
hf ntag424 view -f hf-ntag424-01020304-dump.bin
---------------------------------------------------------------------------------------
hf ntag424 auth
Authenticate with the selected key against an NTAG424.
usage: hf ntag424 auth [-h] --keyno -k
options:
-h, --help This help
--keyno Key number
-k, --key Key for authentication (HEX 16 bytes)
examples/notes:
hf ntag424 auth --keyno 0 -k 00000000000000000000000000000000
---------------------------------------------------------------------------------------
hf ntag424 read
Read and print data from a file on an NTAG424 tag. Will authenticate if key information is provided.
usage: hf ntag424 read [-h] --fileno <1|2|3> [--keyno ] [-k ] [-o ] -l [-m ]
options:
-h, --help This help
--fileno <1|2|3> File number
--keyno Key number
-k, --key Key for authentication (HEX 16 bytes)
-o, --offset Offset to read in file (def 0)
-l, --length Number of bytes to read
-m, --cmode Communication mode
examples/notes:
hf ntag424 read --fileno 1 --keyno 0 -k 00000000000000000000000000000000 -o 0 -l 32
hf ntag424 read --fileno 2 --keyno 0 -k 00000000000000000000000000000000 -o 0 -l 256
hf ntag424 read --fileno 3 --keyno 3 -k 00000000000000000000000000000000 -o 0 -l 128 -m encrypt
---------------------------------------------------------------------------------------
hf ntag424 write
Write data to a file on an NTAG424 tag. Will authenticate if key information is provided.
usage: hf ntag424 write [-h] --fileno <1|2|3> [--keyno ] [-k ] [-o ] -d [-m ]
options:
-h, --help This help
--fileno <1|2|3> File number (def 2)
--keyno Key number
-k, --key Key for authentication (HEX 16 bytes)
-o, --offset Offset to write in file (def 0)
-d, --data Data to write
-m, --cmode Communication mode
examples/notes:
hf ntag424 write --fileno 2 --keyno 0 -k 00000000000000000000000000000000 -o 0 -d 1122334455667788
hf ntag424 write --fileno 3 --keyno 3 -k 00000000000000000000000000000000 -o 0 -d 1122334455667788 -m encrypt
---------------------------------------------------------------------------------------
hf ntag424 getfs
Read and print the file settings of a file
usage: hf ntag424 getfs [-h] --fileno
options:
-h, --help This help
--fileno File number
examples/notes:
hf ntag424 getfs --fileno 2
---------------------------------------------------------------------------------------
hf ntag424 changefs
Updates the file settings of a file; you must be authenticated. This is a short explanation of the settings. See AN12196 for more information:
options: byte with bit flags
  Bit 6: Enable SDM and mirroring
access: two-byte access rights. Each nibble is a key number, or E for free access. Order is the key for readwrite, change, read and write (this is the card's own byte order and differs from the R/W/RW/Chg order of `hf mfdes --rawrights`)
sdmoptions: byte with bit flags
  Bit 0: ASCII encoding
  Bit 4: SDMEncFileData
  Bit 5: SDMReadCtrLimit
  Bit 6: SDMReadCtr
  Bit 7: SDMOptionsUID
sdmaccess: two-byte access rights. Each nibble is a key, or E for plain mirror and F for no mirroring. Order is Reserved, SDMCtrRet, SDMMetaRead and SDMFileRead
sdm_data: three bytes of data used to control SDM settings (--data1 ... --data8). Can be specified multiple times. What each value means depends on the other settings.
Note: not all of these settings will be written. It depends on the option byte and the keys set. See AN12196 for more information. You must also start with --data1, then --data2, up to the number of SDM data values you want to write
usage: hf ntag424 changefs [-h] --fileno --keyno -k [-o ] [-a ] [-s ] [-c ] [--data1 ] [--data2 ] [--data3 ] [--data4 ] [--data5 ] [--data6 ] [--data7 ] [--data8 ]
options:
-h, --help This help
--fileno File number
--keyno Key number
-k, --key Key for authentication (HEX 16 bytes)
-o, --options File options byte (HEX 1 byte)
-a, --access File access settings (HEX 2 bytes)
-s, --sdmoptions SDM options (HEX 1 byte)
-c, --sdmaccess SDM access settings (HEX 2 bytes)
--data1 SDM data (HEX 3 bytes)
--data2 SDM data (HEX 3 bytes)
--data3 SDM data (HEX 3 bytes)
--data4 SDM data (HEX 3 bytes)
--data5 SDM data (HEX 3 bytes)
--data6 SDM data (HEX 3 bytes)
--data7 SDM data (HEX 3 bytes)
--data8 SDM data (HEX 3 bytes)
examples/notes:
hf ntag424 changefs --fileno 2 --keyno 0 -k 00000000000000000000000000000000 -o 40 -a 00E0 -s C1 -c F000 --data1 000020 --data2 000043 --data3 000043
---------------------------------------------------------------------------------------
hf ntag424 changekey
Change a key. Authentication is always done with key 0 (--key0); when changing keys 1-4 the current value of that key (--oldkey) must be supplied as well.
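Which `--dataN` values changefs expects, and in what order, is the part of the description above that is easiest to get wrong, because the meaning of each three-byte field depends on the sdmoptions bits and the sdmaccess nibbles. The following is an added worked example, not Proxmark3's own code: given the bit and nibble meanings listed above it derives the ordered field list and builds the changefs command line, refusing configurations where the supplied offsets do not match what the card will read. The ordering rule itself (UID and read-counter offsets only for plain mirrors, a single PICCData offset for encrypted mirrors, then MAC input offset, optional ENC offset and length, MAC offset, and finally the read-counter limit) is taken from NXP AN12196 / the NTAG 424 DNA datasheet, which the help text cites but does not spell out; treat it as an assumption to verify against the datasheet for your tag. The function names are this example's own.

```python
# Added worked example (not Proxmark3 code): work out which `--dataN` values
# `hf ntag424 changefs` needs, and in which order, for a given SDM configuration.
# Bit and nibble meanings are the ones listed in the changefs help text.
# Assumption (from NXP AN12196 / the NTAG 424 DNA datasheet, which the help text
# cites but does not spell out; verify against the datasheet for your tag):
# the 3-byte SDM fields follow in this fixed order, each present only if enabled:
#   UIDOffset, SDMReadCtrOffset      (only when SDMMetaRead == E, plain mirror)
#   PICCDataOffset                   (only when SDMMetaRead is a key 0..4)
#   SDMMACInputOffset                (when SDMFileRead != F)
#   SDMENCOffset, SDMENCLength       (when SDMFileRead != F and SDMEncFileData set)
#   SDMMACOffset                     (when SDMFileRead != F)
#   SDMReadCtrLimit                  (when SDMReadCtrLimit set)

SDM_UID, SDM_READ_CTR, SDM_READ_CTR_LIMIT, SDM_ENC_FILE_DATA, SDM_ASCII = 0x80, 0x40, 0x20, 0x10, 0x01
FREE, NONE = 0xE, 0xF            # sdmaccess nibble values: plain mirror / no mirroring


def sdm_access(sdmaccess_hex):
    """'F000' -> the four nibbles: Reserved, SDMCtrRet, SDMMetaRead, SDMFileRead."""
    v = int(sdmaccess_hex, 16)
    return {"reserved": (v >> 12) & 0xF, "ctr_ret": (v >> 8) & 0xF,
            "meta_read": (v >> 4) & 0xF, "file_read": v & 0xF}


def sdm_fields(sdmoptions, sdmaccess_hex):
    """Names of the SDM data fields the card expects, in the order they are sent."""
    acc = sdm_access(sdmaccess_hex)
    fields = []
    if acc["meta_read"] == FREE:                 # plain-text UID / counter mirrors
        if sdmoptions & SDM_UID:
            fields.append("UIDOffset")
        if sdmoptions & SDM_READ_CTR:
            fields.append("SDMReadCtrOffset")
    elif acc["meta_read"] <= 4:                  # encrypted PICCData mirror under that key
        fields.append("PICCDataOffset")
    if acc["file_read"] != NONE:                 # an SDMMAC is mirrored
        fields.append("SDMMACInputOffset")
        if sdmoptions & SDM_ENC_FILE_DATA:
            fields += ["SDMENCOffset", "SDMENCLength"]
        fields.append("SDMMACOffset")
    if sdmoptions & SDM_READ_CTR_LIMIT:
        fields.append("SDMReadCtrLimit")
    return fields


def changefs_args(fileno, keyno, key_hex, options, access_hex, sdmoptions, sdmaccess_hex, values):
    """Build the `hf ntag424 changefs` command line.
    `values` maps field name -> integer; it must cover exactly the fields the
    configuration calls for, otherwise the card would misinterpret the data."""
    fields = sdm_fields(sdmoptions, sdmaccess_hex)
    missing = [f for f in fields if f not in values]
    unexpected = [f for f in values if f not in fields]
    if missing or unexpected:
        raise ValueError("missing fields %s, unexpected fields %s" % (missing, unexpected))
    args = ["hf", "ntag424", "changefs", "--fileno", str(fileno), "--keyno", str(keyno),
            "-k", key_hex, "-o", "%02X" % options, "-a", access_hex,
            "-s", "%02X" % sdmoptions, "-c", sdmaccess_hex]
    for i, field in enumerate(fields, 1):
        args += ["--data%d" % i, "%06X" % values[field]]   # 3 hex bytes, as in the help examples
    return " ".join(args)


if __name__ == "__main__":
    # Reproduces the help text's own example: SDM on (options 0x40), NDEF file 2
    # readable by anyone but writable only with key 0 (access 00E0), UID + read
    # counter + ASCII (sdmoptions C1), encrypted PICCData and MAC under key 0 (F000).
    print(sdm_fields(0xC1, "F000"))
    print(changefs_args(2, 0, "00" * 16, 0x40, "00E0", 0xC1, "F000",
                        {"PICCDataOffset": 0x20, "SDMMACInputOffset": 0x43, "SDMMACOffset": 0x43}))
```

Note what `-c F000` in the help example means in practice: SDMMetaRead and SDMFileRead both point at key 0, the same all-zero key the example authenticates with. The server that later verifies the mirrored MAC needs exactly those keys, so change them from the factory default before enabling SDM on a tag you intend to deploy, or the SUN message proves nothing.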
usage: hf ntag424 changekey [-h] --keyno [--oldkey ] --newkey --key0 --kv
options:
-h, --help This help
--keyno Key number to change
--oldkey Old key (only needed when changing keys 1-4, HEX 16 bytes)
--newkey New key (HEX 16 bytes)
--key0 Authentication key (must be key 0, HEX 16 bytes)
--kv New key version number
examples/notes:
hf ntag424 changekey --keyno 1 --oldkey 00000000000000000000000000000000 --newkey 11111111111111111111111111111111 --key0 00000000000000000000000000000000 --kv 1
hf ntag424 changekey --keyno 0 --newkey 11111111111111111111111111111111 --key0 00000000000000000000000000000000 --kv 1
---------------------------------------------------------------------------------------
hf seos
----------- ----------------------- General -----------------------
help This help
list List SEOS history
----------- ----------------------- Operations -----------------------
info Tag information
pacs Extract PACS information from card
adf Read an ADF from the card
gdf Read a GDF from the card
----------- ----------------------- Utils -----------------------
managekeys Manage keys to use with SEOS commands
---------------------------------------------------------------------------------------
hf seos list
Alias of `trace list -t seos -c` with selected protocol data to annotate the trace buffer
You can load a trace from file (see `trace load -h`); by default it is downloaded from the device
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage: hf seos list [-h1crux] [--frame] [-f ]
options:
-h, --help This help
-1, --buffer use data from trace buffer
--frame show frame delay times
-c mark CRC bytes
-r show relative times (gap and duration)
-u display times in microseconds instead of clock cycles
-x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
-f, --file filename of trace file to load
examples/notes:
hf seos list --frame -> show frame delay times
hf seos list -1 -> use trace buffer
---------------------------------------------------------------------------------------
hf seos info
Requests the unauthenticated information from the default ADF of a SEOS card:
- whether the card is a SEOS card
- whether static RND.ICC keys are used (can detect the SEOS default keyset)
- which encryption and hashing algorithms are used
usage: hf seos info [-h]
options:
-h, --help This help
examples/notes:
hf seos info
---------------------------------------------------------------------------------------
hf seos pacs
Make a GET DATA request to an ADF of a SEOS card
By default:
- ADF OID : 2B0601040181E438010102011801010202
- Key Index: 0
usage: hf seos pacs [-h] [-o ] [--ki ]
options:
-h, --help This help
-o, --oid <0-100> hex bytes for OID (Default: 2B0601040181E438010102011801010202)
--ki Specify key index to set key in memory
examples/notes:
hf seos pacs
hf seos pacs --ki 1
hf seos pacs -o 2B0601040181E438010102011801010202 --ki 0
---------------------------------------------------------------------------------------
hf seos adf
Make a GET DATA request to an Application Data File (ADF) of a SEOS tag
The ADF is meant to be read by an application
You still need the valid authentication keys to read a card
By default:
- ADF OID : 2B0601040181E438010102011801010202
- Key Index: 0
- Tag List : 5c02ff00
usage: hf seos adf [-h] [-c ] [-o ] [--ki ]
options:
-h, --help This help
-c, --getdata <0-100> hex bytes for the tag list of the GET DATA request (Default: 5c02ff00)
-o, --oid <0-100> hex bytes for OID (Default: 2B0601040181E438010102011801010202)
--ki Specify key index to set key in memory
examples/notes:
hf seos adf
hf seos adf -o 2B0601040181E438010102011801010202
hf seos adf -o 2B0601040181E438010102011801010202 --ki 0
hf seos adf -o 2B0601040181E438010102011801010202 -c 5c02ff41
---------------------------------------------------------------------------------------
hf seos gdf
Get the Global Data File (GDF) from a SEOS card
By default:
- Key Index: 0
usage: hf seos gdf [-h] [--ki ]
options:
-h, --help This help
--ki Specify key index to set key in memory
examples/notes:
hf seos gdf
hf seos gdf --ki 0
---------------------------------------------------------------------------------------
hf seos managekeys
Manage SEOS keys in client memory; keys are required to authenticate with SEOS cards
usage: hf seos managekeys [-hpv] [--ki ] [--nonce ] [--privenc ] [--privmac ] [--read ] [--write ] [--admin ] [-f ] [--save] [--load]
options:
-h, --help This help
--ki Specify key index to set key in memory
--nonce Nonce value as 8 hex bytes
--privenc Privacy Encryption key as 16 hex bytes
--privmac Privacy MAC key as 16 hex bytes
--read Undiversified Read key as 16 hex bytes
--write Undiversified Write key as 16 hex bytes
--admin Undiversified Admin key as 16 hex bytes
-f, --file Specify a filename for load / save operations
--save Save keys in memory to the file specified by filename
--load Load keys into memory from the file specified by filename
-p, --print Print keys loaded into memory
-v, --verbose verbose (print all key info)
examples/notes:
hf seos managekeys -p
hf seos managekeys -p -v
hf seos managekeys --ki 0 --nonce 0102030405060708 -> set nonce value at key index 0
hf seos managekeys --load -f mykeys.bin -p -> load from file and print keys
hf seos managekeys --save -f mykeys.bin -> save keys to file
---------------------------------------------------------------------------------------
hf st25ta
help This help
info Tag information
list List ISO 14443A/7816 history
ndefread Read NDEF file on tag
protect Change protection on tag
pwd Change password on tag
sim Fake ISO 14443A/ST tag
---------------------------------------------------------------------------------------
h
f st25ta info
Get info about ST25TA tag
usage: hf st25ta info [-h]
options:
-h, --help This help
examples/notes:
hf st25ta info
---------------------------------------------------------------------------------------
hf st25ta list
Alias of `trace list -t 7816` with selected protocol data to annotate the trace buffer
You can load a trace from file (see `trace load -h`); by default it is downloaded from the device
It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol
usage: hf st25ta list [-h1crux] [--frame] [-f ]
options:
-h, --help This help
-1, --buffer use data from trace buffer
--frame show frame delay times
-c mark CRC bytes
-r show relative times (gap and duration)
-u display times in microseconds instead of clock cycles
-x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
-f, --file filename of trace file to load
examples/notes:
hf st25ta list --frame -> show frame delay times
hf st25ta list -1 -> use trace buffer
---------------------------------------------------------------------------------------
hf st25ta ndefread
Read the NFC Data Exchange Format (NDEF) file on an ST25TA
usage: hf st25ta ndefread [-hv] [-p ] [-f ]
options:
-h, --help This help
-p, --pwd 16 byte read password
-f, --file save raw NDEF to file
-v, --verbose verbose output
examples/notes:
hf st25ta ndefread -p 82E80053D4CA5C0B656D852CC696C8A1
hf st25ta ndefread -f myfilename -> save raw NDEF to file
---------------------------------------------------------------------------------------
hf st25ta protect
Change read or write protection for the NFC Data Exchange Format (NDEF) file on an ST25TA
usage: hf st25ta protect [-hedrw] -p
options:
-h, --help This help
-e, --enable enable protection
-d, --disable disable protection (default)
-r, --read change read protection
-w, --write change write protection (default)
-p, --password 16 byte write password
examples/notes:
hf st25ta protect -p 82E80053D4CA5C0B656D852CC696C8A1 -r -e -> enable read protection
hf st25ta protect -p 82E80053D4CA5C0B656D852CC696C8A1 -w -d -> disable write protection
---------------------------------------------------------------------------------------
hf st25ta pwd
Change the read or write password for the NFC Data Exchange Format (NDEF) file on an ST25TA
usage: hf st25ta pwd [-hrw] -p -n
options:
-h, --help This help
-r, --read change the read password (default)
-w, --write change the write password
-p, --password current 16 byte write password
-n, --new new 16 byte password
examples/notes:
hf st25ta pwd -p 82E80053D4CA5C0B656D852CC696C8A1 -r -n 00000000000000000000000000000000 -> change read password
hf st25ta pwd -p 82E80053D4CA5C0B656D852CC696C8A1 -w -n 00000000000000000000000000000000 -> change write password
---------------------------------------------------------------------------------------
hf st25ta sim
Emulate an ST25TA512B tag with a 7 byte UID
usage: hf st25ta sim [-h] -u
options:
-h, --help This help
-u, --uid 7 byte UID
examples/notes:
hf st25ta sim -u 02E2007D0FCA4C
---------------------------------------------------------------------------------------
hf tesla
help This help
info Tag information
list List ISO 14443A/7816 history
---------------------------------------------------------------------------------------
hf tesla info
Get info about a Tesla key tag
usage: hf tesla info [-h]
options:
-h, --help This help
examples/notes:
hf tesla info
---------------------------------------------------------------------------------------
hf tesla list
Alias of `trace list -t 7816` with selected protocol data to annotate the trace buffer
You can load a trace from file (see `trace load -h`); by default it is downloaded from the device
It accepts all other
arguments of `trace list`. Note that some might not be relevant for this specific protocol usage: hf tesla list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf tesla list --frame -> show frame delay times hf tesla list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf texkom help This help reader Act like a Texkom reader sim Simulate a Texkom tag --------------------------------------------------------------------------------------- hf texkom reader Read a texkom tag usage: hf texkom reader [-h1v@] options: -h, --help This help -1 Use data from Graphbuffer (offline mode) -v, --verbose Verbose output -@ optional - continuous reader mode examples/notes: hf texkom reader hf texkom reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- hf texkom sim Simulate a texkom tag usage: hf texkom sim [-hvt] [--raw ] [--id ] [--timeout ] options: -h, --help This help -v, --verbose Verbose output -t, --tk17 Use TK-17 modulation (TK-13 by default) --raw Raw data for texkom card, 8 bytes. Manual modulation select. --id Raw data for texkom card, 8 bytes. Manual modulation select. --timeout Simulation timeout in the ms. If not specified or 0 - infinite. 
Command can be skipped by pressing the button examples/notes: hf texkom sim hf texkom sim --raw FFFF638C7DC45553 -> simulate TK13 tag with id 8C7DC455 hf texkom sim --tk17 --raw FFFFCA17F31EC512 -> simulate TK17 tag with id 17F31EC5 hf texkom sim --id 8C7DC455 -> simulate TK13 tag with id 8C7DC455 hf texkom sim --id 8C7DC455 --tk17 -> simulate TK17 tag with id 17F31EC5 --------------------------------------------------------------------------------------- hf thinfilm help This help info Tag information list List NFC Barcode / Thinfilm history - not correct sim Fake Thinfilm tag --------------------------------------------------------------------------------------- hf thinfilm info Get info from Thinfilm tags usage: hf thinfilm info [-h] options: -h, --help This help examples/notes: hf thinfilm info --------------------------------------------------------------------------------------- hf thinfilm list Alias of `trace list -t thinfilm` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. 
Note that some might not be relevant for this specific protocol usage: hf thinfilm list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf thinfilm list --frame -> show frame delay times hf thinfilm list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf thinfilm sim Simulate Thinfilm tag usage: hf thinfilm sim [-h] -d [--raw] options: -h, --help This help -d, --data bytes to send --raw raw, provided bytes should include CRC examples/notes: hf thinfilm sim -d B70470726f786d61726b2e636f6d --------------------------------------------------------------------------------------- hf topaz help This help list List Topaz history ----------- ------------------- operations --------------------- dump Dump TOPAZ family tag to file info Tag information raw Send raw hex data to tag rdbl Read block reader Act like a Topaz reader sim Simulate Topaz tag sniff Sniff Topaz reader-tag communication view Display content from tag dump file wrbl Write block ----------- ----------------------- ndef ----------------------- --------------------------------------------------------------------------------------- hf topaz list Alias of `trace list -t topaz -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. 
Note that some might not be relevant for this specific protocol usage: hf topaz list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf topaz list --frame -> show frame delay times hf topaz list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf topaz dump Dump TOPAZ tag to file (bin/json) If no given, UID will be used as filename usage: hf topaz dump [-h] [-f ] [--ns] options: -h, --help This help -f, --file Specify a filename for dump file --ns no save to file examples/notes: hf topaz dump --------------------------------------------------------------------------------------- hf topaz info Get info from Topaz tags usage: hf topaz info [-hv] [-f ] options: -h, --help This help -f, --file save raw NDEF to file -v, --verbose verbose output examples/notes: hf topaz info hf topaz info -f myfilename -> save raw NDEF to file --------------------------------------------------------------------------------------- hf topaz raw Send raw hex data to Topaz tags usage: hf topaz raw [-h] options: -h, --help This help examples/notes: hf topaz raw --------------------------------------------------------------------------------------- hf topaz rdbl Read Topaz block usage: hf topaz rdbl [-h] --blk options: -h, --help This help --blk Block number examples/notes: hf topaz rdbl --blk 7 --------------------------------------------------------------------------------------- hf topaz reader Read UID from Topaz tags usage: hf topaz reader [-hv@] options: -h, --help This help -v, --verbose verbose output -@ optional - continuous reader mode examples/notes: hf topaz reader hf topaz 
reader -@ -> Continuous mode --------------------------------------------------------------------------------------- hf topaz sim Simulate a Topaz tag usage: hf topaz sim [-h] options: -h, --help This help examples/notes: hf topaz sim -> Not yet implemented --------------------------------------------------------------------------------------- hf topaz sniff Sniff Topaz reader-tag communication usage: hf topaz sniff [-h] options: -h, --help This help examples/notes: hf topaz sniff --------------------------------------------------------------------------------------- hf topaz view Print a Topaz tag dump file (bin/eml/json) usage: hf topaz view [-h] -f options: -h, --help This help -f, --file Specify a filename for dump file examples/notes: hf topaz view -f hf-topaz-04010203-dump.bin --------------------------------------------------------------------------------------- hf topaz wrbl Write Topaz block with 8 hex bytes of data usage: hf topaz wrbl [-h] --blk -d options: -h, --help This help --blk Block number -d, --data Block data (8 hex bytes) examples/notes: hf topaz wrbl --blk 7 -d 1122334455667788 --------------------------------------------------------------------------------------- hf vas -------- ----------- Value Added Service ----------- help This help -------- ----------------- General ----------------- reader Read and decrypt VAS message decrypt Decrypt a previously captured VAS cryptogram --------------------------------------------------------------------------------------- hf vas reader Read and decrypt Value Added Services (VAS) message usage: hf vas reader [-h@v] [--pid ] [-f ] [--url ] options: -h, --help This help --pid PID, pass type id -f, --file path to terminal private key file --url a URL to provide to the mobile device -@ continuous mode -v, --verbose Verbose output examples/notes: hf vas reader --url https://example.com -> URL Only mode hf vas reader --pid pass.com.passkit.pksamples.nfcdemo -f vas_privkey.der -@ 
--------------------------------------------------------------------------------------- hf vas decrypt Decrypt a previously captured cryptogram usage: hf vas decrypt [-h] [--pid ] [-f ] [-d ] options: -h, --help This help --pid PID, pass type id -f, --file path to terminal private key file -d, --data cryptogram to decrypt examples/notes: hf vas decrypt --pid pass.com.passkit.pksamples.nfcdemo -f vas_privkey.der -d c0b77375eae416b79449347f9fe838c05cdb57dc7470b97b93b806cb348771d9bfbe29d58538c7c7d7c3d015fa205b68bfccd726058a62f7f44085ac98dbf877120fd9059f1507b956e0a6d56d0a --------------------------------------------------------------------------------------- hf waveshare help This help load Load image file to Waveshare NFC ePaper --------------------------------------------------------------------------------------- hf waveshare load Load image file to Waveshare NFC ePaper usage: hf waveshare load [-h] -m -f [-s ] options: -h, --help This help -m model number [0 - 7] of your tag -f, --file specify image to upload to tag -s, --save save paletized version in file examples/notes: hf waveshare load -f myfile -m 0 -> 2.13 inch e-paper ( 122, 250 ) hf waveshare load -f myfile -m 1 -> 2.9 inch e-paper ( 296, 128 ) hf waveshare load -f myfile -m 2 -> 4.2 inch e-paper ( 400, 300 ) hf waveshare load -f myfile -m 3 -> 7.5 inch e-paper ( 800, 480 ) hf waveshare load -f myfile -m 4 -> 2.7 inch e-paper ( 176, 276 ) hf waveshare load -f myfile -m 5 -> 2.13 inch e-paper B (with red) ( 104, 212 ) hf waveshare load -f myfile -m 6 -> 1.54 inch e-paper B (with red) ( 200, 200 ) hf waveshare load -f myfile -m 7 -> 7.5 inch e-paper HD ( 880, 528 ) --------------------------------------------------------------------------------------- hf xerox help This help list List ISO-14443B history -------- ----------------------- General ----------------------- info Short info on Fuji/Xerox tag dump Read all memory pages of an Fuji/Xerox tag, save to file reader Act like a Fuji/Xerox reader view 
Display content from tag dump file rdbl Read Fuji/Xerox block --------------------------------------------------------------------------------------- hf xerox list Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol usage: hf 14b list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: hf 14b list --frame -> show frame delay times hf 14b list -1 -> use trace buffer --------------------------------------------------------------------------------------- hf xerox info Tag information for Fuji Xerox based tags ISO/IEC 14443 type B based communications usage: hf xerox info [-hv] options: -h, --help This help -v, --verbose verbose output examples/notes: hf xerox info --------------------------------------------------------------------------------------- hf xerox dump Dump all memory from a Fuji/Xerox tag ISO/IEC 14443 type B based communications usage: hf xerox dump [-hdvz] [-f ] [--ns] options: -h, --help This help -f, --file filename to save dump to -d, --decrypt decrypt secret blocks --ns no save to file -v, --verbose verbose output -z, --dense dense dump output style examples/notes: hf xerox dump --------------------------------------------------------------------------------------- hf xerox reader Act as a 14443B reader to identify a Fuji Xerox based tag ISO/IEC 14443 type B based communications usage: hf xerox reader [-hv@] options: -h, --help This help -v, --verbose verbose output -@ 
optional - continuous reader mode examples/notes: hf xerox reader hf xerox reader -@ --------------------------------------------------------------------------------------- hf xerox view Print a Fuji/Xerox dump file (bin/eml/json) note: - command expects the filename to contain a UID which is needed to determine card memory type usage: hf xerox view [-hvz] -f options: -h, --help This help -f, --file Specify a filename for dump file -v, --verbose verbose output -z, --dense dense dump output style examples/notes: hf xerox view -f hf-xerox-0102030405060708-dump.bin --------------------------------------------------------------------------------------- hf xerox rdbl Read a Fuji/Xerox tag block usage: hf xerox rdbl [-h] -b options: -h, --help This help -b, --blk page number (0-255) examples/notes: hf xerox rdbl -b 1 --------------------------------------------------------------------------------------- lf awid help this help brute bruteforce card number against reader clone clone AWID tag to T55x7, Q5/T5555 or EM4305/4469 demod demodulate an AWID FSK tag from the GraphBuffer reader attempt to read and extract tag data sim simulate AWID tag brute bruteforce card number against reader watch continuously watch for cards. Reader mode --------------------------------------------------------------------------------------- lf awid brute Enables bruteforce of AWID reader with specified facility-code. This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step if cardnumber is not given, it starts with 1 and goes up to 65535 usage: lf awid brute [-hv] --fmt --fc [--cn ] [--delay ] options: -h, --help This help --fmt format length 26|50 --fc 8|16bit value facility code --cn optional - card number to start with, max 65535 --delay optional - delay betweens attempts in ms. 
Default 1000ms -v, --verbose verbose output examples/notes: lf awid brute --fmt 26 --fc 224 lf awid brute --fmt 50 --fc 2001 --delay 2000 lf awid brute --fmt 50 --fc 2001 --cn 200 --delay 2000 -v --------------------------------------------------------------------------------------- lf awid clone clone a AWID Prox tag to a T55x7, Q5/T5555 or EM4305/4469 tag usage: lf awid clone [-h] --fmt --fc --cn [--q5] [--em] options: -h, --help This help --fmt format length 26|34|37|50 --fc 8|16bit value facility code --cn 16|32-bit value card number --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag examples/notes: lf awid clone --fmt 26 --fc 123 --cn 1337 -> encode for T55x7 tag lf awid clone --fmt 50 --fc 2001 --cn 13371337 -> encode long fmt for T55x7 tag lf awid clone --fmt 26 --fc 123 --cn 1337 --q5 -> encode for Q5/T5555 tag lf awid clone --fmt 26 --fc 123 --cn 1337 --em -> encode for EM4305/4469 --------------------------------------------------------------------------------------- lf awid demod Try to find AWID Prox preamble, if found decode / descramble data usage: lf awid demod [-h] options: -h, --help This help examples/notes: lf awid demod lf awid demod --raw --------------------------------------------------------------------------------------- lf awid reader read a AWID Prox tag usage: lf awid reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf awid reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf awid sim Enables simulation of AWID card with specified facility-code and card number. Simulation runs until the button is pressed or another USB command is issued. 
usage: lf awid sim [-h] --fmt --fc --cn options: -h, --help This help --fmt format length 26|32|36|40 --fc 8-bit value facility code --cn 16-bit value card number examples/notes: lf awid sim --fmt 26 --fc 123 --cn 1337 lf awid sim --fmt 50 --fc 2001 --cn 13371337 --------------------------------------------------------------------------------------- lf awid brute Enables bruteforce of AWID reader with specified facility-code. This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step if cardnumber is not given, it starts with 1 and goes up to 65535 usage: lf awid brute [-hv] --fmt --fc [--cn ] [--delay ] options: -h, --help This help --fmt format length 26|50 --fc 8|16bit value facility code --cn optional - card number to start with, max 65535 --delay optional - delay betweens attempts in ms. Default 1000ms -v, --verbose verbose output examples/notes: lf awid brute --fmt 26 --fc 224 lf awid brute --fmt 50 --fc 2001 --delay 2000 lf awid brute --fmt 50 --fc 2001 --cn 200 --delay 2000 -v --------------------------------------------------------------------------------------- lf awid watch Enables AWID compatible reader mode printing details of scanned AWID26 or AWID50 tags. Run until the button is pressed or another USB command is issued. 
usage: lf awid watch [-h] options: -h, --help This help examples/notes: lf awid watch --------------------------------------------------------------------------------------- lf cotag help This help demod demodulate an COTAG tag reader attempt to read and extract tag data --------------------------------------------------------------------------------------- lf cotag demod Try to find COTAG preamble, if found decode / descramble data usage: lf cotag demod [-hv] options: -h, --help This help -v, --verbose verbose output examples/notes: lf cotag demod --------------------------------------------------------------------------------------- lf cotag reader read a COTAG tag, the current support for COTAG is limited. usage: lf cotag reader [-h123] options: -h, --help This help -1 HIGH/LOW signal; maxlength bigbuff -2 translation of HIGH/LOW into bytes with manchester 0,1 -3 raw signal; maxlength bigbuff examples/notes: lf cotag reader -2 --------------------------------------------------------------------------------------- lf destron help This help demod demodulate an Destron tag from the GraphBuffer reader attempt to read and extract tag data clone clone Destron tag to T55x7, Q5/T5555 or EM4305/4469 sim simulate Destron tag --------------------------------------------------------------------------------------- lf destron demod Try to find Destron preamble, if found decode / descramble data usage: lf destron demod [-h] options: -h, --help This help examples/notes: lf destron demod --------------------------------------------------------------------------------------- lf destron reader read a Destron tag usage: lf destron reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf destron reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf destron clone clone a Destron tag to a T55x7, Q5/T5555 or EM4305/4469 tag. 
usage: lf destron clone [-h] -u [--q5] [--em] options: -h, --help This help -u, --uid 5 bytes max --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag examples/notes: lf destron clone --uid 1A2B3C4D5E lf destron clone --q5 --uid 1A2B3C4D5E -> encode for Q5/T5555 tag lf destron clone --em --uid 1A2B3C4D5E -> encode for EM4305/4469 --------------------------------------------------------------------------------------- lf destron sim Try to find Destron preamble, if found decode / descramble data usage: lf destron sim [-h] options: -h, --help This help examples/notes: lf destron sim --------------------------------------------------------------------------------------- lf em help This help 410x { EM 4102 commands... } 4x05 { EM 4205 / 4305 / 4369 / 4469 commands... } 4x50 { EM 4350 / 4450 commands... } 4x70 { EM 4070 / 4170 commands... } --------------------------------------------------------------------------------------- lf em 410x help This help demod demodulate a EM410x tag from the GraphBuffer reader attempt to read and extract tag data sim simulate EM410x tag brute reader bruteforce attack by simulating EM410x tags watch watches for EM410x 125/134 kHz tags spoof watches for EM410x 125/134 kHz tags, and replays them clone clone EM410x Tag ID to T55x7, Q5/T5555 or EM4305/4469 --------------------------------------------------------------------------------------- lf em 4x05 ----------- ----------------------- General ----------------------- help This help ----------- ----------------------- Operations ----------------------- clonehelp Shows the available clone commands brute Bruteforce password chk Check passwords config Create common configuration words demod Demodulate a EM4x05/EM4x69 tag from the GraphBuffer dump Dump EM4x05/EM4x69 tag info Tag information read Read word data from EM4x05/EM4x69 sniff Attempt to recover em4x05 commands from sample buffer unlock Execute tear off against EM4x05/EM4x69 view Display 
content from tag dump file wipe Wipe EM4x05/EM4x69 tag write Write word data to EM4x05/EM4x69 --------------------------------------------------------------------------------------- lf em 4x50 help This help ----------- --------------------- operations --------------------- brute Bruteforce attack to find password chk Check passwords dump Dump EM4x50 tag info Tag information login Login into EM4x50 tag rdbl Read EM4x50 word data reader Show standard read mode data restore Restore EM4x50 dump to tag view Display content from tag dump file wipe Wipe EM4x50 tag wrbl Write EM4x50 word data wrpwd Change EM4x50 password ----------- --------------------- simulation --------------------- eload Upload file into emulator memory esave Save emulator memory to file eview View emulator memory sim Simulate EM4x50 tag --------------------------------------------------------------------------------------- lf em 4x70 help This help brute Bruteforce EM4X70 to find partial key info Tag information EM4x70 write Write EM4x70 unlock Unlock EM4x70 for writing auth Authenticate EM4x70 setpin Write PIN setkey Write key calc Calculate EM4x70 challenge and response recover Recover remaining key from partial key autorecover Recover entire key from writable tag --------------------------------------------------------------------------------------- lf fdxb help this help demod demodulate a FDX-B ISO11784/85 tag from the GraphBuffer reader attempt to read at 134kHz and extract tag data clone clone animal ID tag to T55x7, Q5/T5555 or EM4305/4469 sim simulate Animal ID tag --------------------------------------------------------------------------------------- lf fdxb demod Try to find FDX-B preamble, if found decode / descramble data usage: lf fdxb demod [-h] options: -h, --help This help examples/notes: lf fdxb demod --------------------------------------------------------------------------------------- lf fdxb reader read a FDX-B animal tag Note that the continuous mode is less verbose usage: lf 
fdxb reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf fdxb reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf fdxb clone clone a FDX-B tag to a T55x7, Q5/T5555 or EM4305/4469 tag. usage: lf fdxb clone [-ha] -c -n [--extended ] [--q5] [--em] options: -h, --help This help -c, --country country code -n, --national national code --extended extended data -a, --animal optional - set animal bit --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag examples/notes: lf fdxb clone --country 999 --national 1337 --animal -> encode for T55x7 tag, with animal bit lf fdxb clone --country 999 --national 1337 --extended 016A -> encode for T55x7 tag, with extended data lf fdxb clone --country 999 --national 1337 --q5 -> encode for Q5/T5555 tag lf fdxb clone --country 999 --national 1337 --em -> encode for EM4305/4469 --------------------------------------------------------------------------------------- lf fdxb sim Enables simulation of FDX-B animal tag. Simulation runs until the button is pressed or another USB command is issued. 
usage: lf fdxb sim [-ha] -c -n [--extended ] options: -h, --help This help -c, --country country code -n, --national national code --extended extended data -a, --animal optional - set animal bit examples/notes: lf fdxb sim --country 999 --national 1337 --animal lf fdxb sim --country 999 --national 1337 --extended 016A --------------------------------------------------------------------------------------- lf gallagher help This help demod demodulate an GALLAGHER tag from the GraphBuffer reader attempt to read and extract tag data clone clone GALLAGHER tag to T55x7, Q5/T5555 or EM4305/4469 sim simulate GALLAGHER tag --------------------------------------------------------------------------------------- lf gallagher demod Try to find GALLAGHER preamble, if found decode / descramble data usage: lf gallagher demod [-h] options: -h, --help This help examples/notes: lf gallagher demod --------------------------------------------------------------------------------------- lf gallagher reader read a GALLAGHER tag usage: lf gallagher reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf gallagher reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf gallagher clone clone a GALLAGHER tag to a T55x7, Q5/T5555 or EM4305/4469 tag. usage: lf gallagher clone [-h] [-r ] [--q5] [--em] [--rc ] [--fc ] [--cn ] [--il ] options: -h, --help This help -r, --raw raw hex data. 12 bytes max --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag --rc Region code. 4 bits max --fc Facility code. 2 bytes max --cn Card number. 3 bytes max --il Issue level. 
4 bits max
examples/notes:
  lf gallagher clone --raw 0FFD5461A9DA1346B2D1AC32       -> encode for T55x7 tag
  lf gallagher clone --raw 0FFD5461A9DA1346B2D1AC32 --q5  -> encode for Q5/T5555 tag
  lf gallagher clone --raw 0FFD5461A9DA1346B2D1AC32 --em  -> encode for EM4305/4469
  lf gallagher clone --rc 0 --fc 9876 --cn 1234 --il 1    -> encode for T55x7 tag from decoded data
---------------------------------------------------------------------------------------
lf gallagher sim
Enables simulation of GALLAGHER card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf gallagher sim [-h] [-r ] [--rc ] [--fc ] [--cn ] [--il ]
options:
  -h, --help  This help
  -r, --raw   raw hex data. 12 bytes max
  --rc        Region code. 4 bits max
  --fc        Facility code. 2 bytes max
  --cn        Card number. 3 bytes max
  --il        Issue level. 4 bits max
examples/notes:
  lf gallagher sim --raw 0FFD5461A9DA1346B2D1AC32
  lf gallagher sim --rc 0 --fc 9876 --cn 1234 --il 1
---------------------------------------------------------------------------------------
lf gproxii
help    this help
demod   demodulate a G Prox II tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone Guardall tag to T55x7 or Q5/T5555
sim     simulate Guardall tag
---------------------------------------------------------------------------------------
lf gproxii demod
Try to find Guardall Prox-II preamble, if found decode / descramble data
usage:
  lf gproxii demod [-h] [-r ]
options:
  -h, --help  This help
  -r, --raw   raw bytes
examples/notes:
  lf gproxii demod                                 -> use graphbuffer to decode
  lf gproxii demod --raw fb8ee718ee3b8cc785c11b92  ->
---------------------------------------------------------------------------------------
lf gproxii reader
read a Guardall tag
usage:
  lf gproxii reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf gproxii reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf gproxii clone
Clone a Guardall tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
The facility-code is 8-bit and the card number is 20-bit. Larger values are truncated.
Currently works only on 26 | 36 bit format
usage:
  lf gproxii clone [-h] --xor --fmt --fc --cn [--q5] [--em]
options:
  -h, --help  This help
  --xor       8-bit xor value (installation dependent)
  --fmt       format length 26|32|36|40
  --fc        8-bit value facility code
  --cn        16-bit value card number
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf gproxii clone --xor 141 --fmt 26 --fc 123 --cn 1337       -> encode for T55x7 tag
  lf gproxii clone --xor 141 --fmt 26 --fc 123 --cn 1337 --q5  -> encode for Q5/T5555 tag
  lf gproxii clone --xor 141 --fmt 26 --fc 123 --cn 1337 --em  -> encode for EM4305/4469
---------------------------------------------------------------------------------------
lf gproxii sim
Enables simulation of Guardall card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated.
Currently works only on 26 | 36 bit format
usage:
  lf gproxii sim [-h] --xor --fmt --fc --cn
options:
  -h, --help  This help
  --xor       8-bit xor value (installation dependent)
  --fmt       format length 26|32|36|40
  --fc        8-bit value facility code
  --cn        16-bit value card number
examples/notes:
  lf gproxii sim --xor 141 --fmt 26 --fc 123 --cn 1337
---------------------------------------------------------------------------------------
lf hid
help    this help
demod   demodulate HID Prox tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone HID tag to T55x7, Q5/T5555 or EM4305/4469
sim     simulate HID tag
brute   bruteforce facility code or card number against reader
watch   continuously watch for cards. Reader mode
---------------------------------------------------------------------------------------
lf hid demod
Try to find HID Prox preamble, if found decode / descramble data
usage:
  lf hid demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf hid demod
---------------------------------------------------------------------------------------
lf hid reader
read a HID Prox tag
usage:
  lf hid reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf hid reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf hid clone
clone a HID Prox tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
Tag must be on the antenna when issuing this command.
usage:
  lf hid clone [-h] [-w ] [--fc ] [--cn ] [-i ] [-o ] [-r ] [--q5] [--em] [--bin ]
options:
  -h, --help     This help
  -w, --wiegand  see `wiegand list` for available formats
  --fc           facility code
  --cn           card number
  -i             issue level
  -o, --oem      OEM code
  -r, --raw      raw bytes
  --q5           optional - specify writing to Q5/T5555 tag
  --em           optional - specify writing to EM4305/4469 tag
  --bin          Binary string i.e. 0001001001
examples/notes:
  lf hid clone -r 2006ec0c86                      -> write raw value for T55x7 tag (HID 10301 26 bit)
  lf hid clone -r 2e0ec00c87                      -> write raw value for T55x7 tag (HID Corporate 35 bit)
  lf hid clone -r 01f0760643c3                    -> write raw value for T55x7 tag (HID P10001 40 bit)
  lf hid clone -r 01400076000c86                  -> write raw value for T55x7 tag (HID Corporate 48 bit)
  lf hid clone -w H10301 --fc 118 --cn 1603       -> HID 10301 26 bit, encode for T55x7 tag
  lf hid clone -w H10301 --fc 118 --cn 1603 --q5  -> HID 10301 26 bit, encode for Q5/T5555 tag
  lf hid clone -w H10301 --fc 118 --cn 1603 --em  -> HID 10301 26 bit, encode for EM4305/4469
---------------------------------------------------------------------------------------
lf hid sim
Enables simulation of HID card with card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf hid sim [-h] [-w ] [--fc ] [--cn ] [-i ] [-o ] [-r ]
options:
  -h, --help     This help
  -w, --wiegand  see `wiegand list` for available formats
  --fc           facility code
  --cn           card number
  -i             issue level
  -o, --oem      OEM code
  -r, --raw      raw bytes
examples/notes:
  lf hid sim -r 2006ec0c86                 -> HID 10301 26 bit
  lf hid sim -r 2e0ec00c87                 -> HID Corporate 35 bit
  lf hid sim -r 01f0760643c3               -> HID P10001 40 bit
  lf hid sim -r 01400076000c86             -> HID Corporate 48 bit
  lf hid sim -w H10301 --fc 118 --cn 1603  -> HID 10301 26 bit
---------------------------------------------------------------------------------------
lf hid brute
Enables bruteforce of HID readers with specified facility code or card number.
This is an attack against the reader.
If the field being bruteforced is provided, it starts with it and goes up / down one step while maintaining other supplied values.
If the field being bruteforced is not provided, it will iterate through the full range while maintaining other supplied values.
usage:
  lf hid brute [-hv] -w --field [--fc ] [--cn ] [-i ] [-o ] [-d ] [--up] [--down]
options:
  -h, --help     This help
  -v, --verbose  verbose output
  -w, --wiegand  see `wiegand list` for available formats
  --field        field to bruteforce
  --fc           facility code
  --cn           card number
  -i, --issue    issue level
  -o, --oem      OEM code
  -d, --delay    delay between attempts in ms. (def is 1000)
  --up           direction to increment field value. (def is both directions)
  --down         direction to decrement field value. (def is both directions)
examples/notes:
  lf hid brute -w H10301 --field fc --fc 224 --cn 6278
  lf hid brute -w H10301 --field cn --fc 21 -d 2000
  lf hid brute -v -w H10301 --field cn --fc 21 --cn 200 -d 2000
  lf hid brute -v -w H10301 --field fc --fc 21 --cn 200 -d 2000 --up
---------------------------------------------------------------------------------------
lf hid watch
Enables HID compatible reader mode printing details.
By default, values are printed and logged until the button is pressed or another USB command is issued.
usage:
  lf hid watch [-h]
options:
  -h, --help  This help
examples/notes:
  lf hid watch
---------------------------------------------------------------------------------------
lf hitag
help    This help
list    List Hitag trace history
hts     { Hitag S/8211 operations }
----------- ------------------------ General ------------------------
info    Hitag 2 tag information
reader  Act like a Hitag 2 reader
test    Perform self tests
----------- ----------------------- Operations -----------------------
dump    Dump Hitag 2 tag
read    Read Hitag memory
sniff   Eavesdrop Hitag communication
view    Display content from tag dump file
wrbl    Write a block (page) in Hitag memory
----------- ----------------------- Simulation -----------------------
eload   Upload file into emulator memory
eview   View emulator memory
sim     Simulate Hitag transponder
----------- ----------------------- Recovery -----------------------
cc      Hitag S: test all provided challenges
crack2  Recover 2048bits of crypto stream
chk     Check keys
lookup  Uses authentication trace to check for key in dictionary file
ta      Hitag 2: test all recorded authentications
---------------------------------------------------------------------------------------
lf hitag list
Alias of `trace list -t hitag2` with selected protocol data to annotate trace buffer
You can load a trace from file (see `trace load -h`), otherwise it is downloaded from the device by default
It accepts all other arguments of `trace list`.
Note that some might not be relevant for this specific protocol
usage:
  lf hitag list [-h1crux] [--frame] [-f ]
options:
  -h, --help    This help
  -1, --buffer  use data from trace buffer
  --frame       show frame delay times
  -c            mark CRC bytes
  -r            show relative times (gap and duration)
  -u            display times in microseconds instead of clock cycles
  -x            show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443"
  -f, --file    filename of dictionary
examples/notes:
  lf hitag list --frame  -> show frame delay times
  lf hitag list -1       -> use trace buffer
---------------------------------------------------------------------------------------
lf hitag hts
help     This help
list     List Hitag S trace history
----------- ----------------------- General ------------------------
reader   Act like a Hitag S reader
rdbl     Read Hitag S page
dump     Dump Hitag S pages to a file
restore  Restore Hitag S memory from dump file
wrbl     Write Hitag S page
----------- ----------------------- Simulation -----------------------
sim      Simulate Hitag S transponder
---------------------------------------------------------------------------------------
lf hitag info
Hitag 2 tag information
usage:
  lf hitag info [-h]
options:
  -h, --help  This help
examples/notes:
  lf hitag info
---------------------------------------------------------------------------------------
lf hitag reader
Act as a Hitag 2 reader.
Look for Hitag 2 tags until Enter or the pm3 button is pressed
usage:
  lf hitag reader [-h@]
options:
  -h, --help  This help
  -@          continuous reader mode
examples/notes:
  lf hitag reader
  lf hitag reader -@  -> Continuous mode
---------------------------------------------------------------------------------------
lf hitag test
Perform self tests of Hitag crypto engine
usage:
  lf hitag test [-h]
options:
  -h, --help  This help
examples/notes:
  lf hitag test
---------------------------------------------------------------------------------------
lf hitag dump
Read all Hitag 2 card memory and save to file
Crypto mode key format: ISK high + ISK low, 4F4E4D494B52 (ONMIKR)
Password mode, default key 4D494B52 (MIKR)
usage:
  lf hitag dump [-h] [--pwd] [--nrar ] [--crypto] [-k ] [-f ] [--ns]
options:
  -h, --help  This help
  --pwd       password mode
  --nrar      nonce / answer reader, 8 hex bytes
  --crypto    crypto mode
  -k, --key   key, 4 or 6 hex bytes
  -f, --file  specify file name
  --ns        no save to file
examples/notes:
  lf hitag dump --pwd            -> use def pwd
  lf hitag dump -k 4D494B52      -> pwd mode
  lf hitag dump --crypto         -> use def crypto
  lf hitag dump -k 4F4E4D494B52  -> crypto mode
  lf hitag dump --nrar 0102030411223344
---------------------------------------------------------------------------------------
lf hitag read
Read Hitag memory.
It supports Hitag 2
Password mode:
  - default key 4D494B52 (MIKR)
Crypto mode:
  - key format ISK high + ISK low
  - default key 4F4E4D494B52 (ONMIKR)
usage:
  lf hitag read [-h2] [--pwd] [--nrar ] [--crypto] [-k ]
options:
  -h, --help  This help
  -2, --ht2   Hitag 2
  --pwd       password mode
  --nrar      nonce / answer writer, 8 hex bytes
  --crypto    crypto mode
  -k, --key   key, 4 or 6 hex bytes
examples/notes:
  lf hitag read --ht2 --pwd                    -> Hitag 2, pwd mode, def key
  lf hitag read --ht2 -k 4D494B52              -> Hitag 2, pwd mode
  lf hitag read --ht2 --nrar 0102030411223344  -> Hitag 2, challenge mode
  lf hitag read --ht2 --crypto                 -> Hitag 2, crypto mode, def key
  lf hitag read --ht2 -k 4F4E4D494B52          -> Hitag 2, crypto mode
---------------------------------------------------------------------------------------
lf hitag sniff
Sniff the communication between reader and tag
Use `lf hitag list` to view collected data.
usage:
  lf hitag sniff [-h]
options:
  -h, --help  This help
examples/notes:
  lf hitag sniff
---------------------------------------------------------------------------------------
lf hitag view
Print a HITAG dump file (bin/eml/json)
usage:
  lf hitag view [-hv] -f
options:
  -h, --help     This help
  -f, --file     Specify a filename for dump file
  -v, --verbose  Verbose output
examples/notes:
  lf hitag view -f lf-hitag-01020304-dump.bin
---------------------------------------------------------------------------------------
lf hitag wrbl
Write a page in Hitag memory.
It supports Hitag 2
Password mode:
  - default key 4D494B52 (MIKR)
Crypto mode:
  - key format ISK high + ISK low
  - default key 4F4E4D494B52 (ONMIKR)
usage:
  lf hitag wrbl [-h2] [--pwd] [--nrar ] [--crypto] [-k ] -p -d
options:
  -h, --help  This help
  -2, --ht2   Hitag 2
  --pwd       password mode
  --nrar      nonce / answer writer, 8 hex bytes
  --crypto    crypto mode
  -k, --key   key, 4 or 6 hex bytes
  -p, --page  page address to write to
  -d, --data  data, 4 hex bytes
examples/notes:
  lf hitag wrbl --ht2 -p 6 -d 01020304 --pwd                    -> Hitag 2, pwd mode, def key
  lf hitag wrbl --ht2 -p 6 -d 01020304 -k 4D494B52              -> Hitag 2, pwd mode
  lf hitag wrbl --ht2 -p 6 -d 01020304 --nrar 0102030411223344  -> Hitag 2, challenge mode
  lf hitag wrbl --ht2 -p 6 -d 01020304 --crypto                 -> Hitag 2, crypto mode, def key
  lf hitag wrbl --ht2 -p 6 -d 01020304 -k 4F4E4D494B52          -> Hitag 2, crypto mode
---------------------------------------------------------------------------------------
lf hitag eload
Loads hitag tag dump into emulator memory on device
usage:
  lf hitag eload [-h12sm] -f
options:
  -h, --help  This help
  -f, --file  Specify dump filename
  -1, --ht1   Card type Hitag 1
  -2, --ht2   Card type Hitag 2
  -s, --hts   Card type Hitag S
  -m, --htm   Card type Hitag μ
examples/notes:
  lf hitag eload -2 -f lf-hitag-11223344-dump.bin
---------------------------------------------------------------------------------------
lf hitag eview
It displays emulator memory
usage:
  lf hitag eview [-hv]
options:
  -h, --help     This help
  -v, --verbose  Verbose output
examples/notes:
  lf hitag eview
---------------------------------------------------------------------------------------
lf hitag sim
Simulate Hitag transponder
You need to `lf hitag eload` first
usage:
  lf hitag sim [-h12]
options:
  -h, --help  This help
  -1, --ht1   simulate Hitag 1
  -2, --ht2   simulate Hitag 2
examples/notes:
  lf hitag sim -2
---------------------------------------------------------------------------------------
lf hitag cc
Check challenges, load a file with saved hitag crypto challenges and test them all.
The file should be 8 * 60 bytes long, the file extension defaults to `.cc`
usage:
  lf hitag cc [-h] -f
options:
  -h, --help  This help
  -f, --file  filename to load ( w/o ext )
examples/notes:
  lf hitag cc -f my_hitag_challenges
---------------------------------------------------------------------------------------
lf hitag crack2
This command tries to recover 2048 bits of Hitag 2 crypto stream data.
usage:
  lf hitag crack2 [-h] [--nrar ]
options:
  -h, --help  This help
  --nrar      specify nonce / answer as 8 hex bytes
examples/notes:
  lf hitag crack2 --nrar 73AA5A62EAB8529C
---------------------------------------------------------------------------------------
lf hitag chk
Run dictionary key or password recovery against Hitag card.
usage:
  lf hitag chk [-h] [-f ] [--pwd] [--crypto]
options:
  -h, --help  This help
  -f, --file  specify dictionary filename
  --pwd       password mode
  --crypto    crypto mode
examples/notes:
  lf hitag chk                  -> checks for both pwd / crypto keys
  lf hitag chk --crypto         -> use def dictionary
  lf hitag chk --pwd -f my.dic  -> pwd mode, custom dictionary
---------------------------------------------------------------------------------------
lf hitag lookup
This command takes sniffed trace data and tries to recover a Hitag 2 crypto key.
You can either
  - verify that NR/AR matches a known crypto key
  - verify if NR/AR matches a known 6 byte crypto key in a dictionary
usage:
  lf hitag lookup [-h] [-f ] [-k ] -u [--nr ] [--ar ] [--nrar ]
options:
  -h, --help  This help
  -f, --file  specify dictionary filename
  -k, --key   specify known cryptokey as 6 bytes
  -u, --uid   specify UID as 4 hex bytes
  --nr        specify nonce as 4 hex bytes
  --ar        specify answer as 4 hex bytes
  --nrar      specify nonce / answer as 8 hex bytes
examples/notes:
  lf hitag lookup --uid 11223344 --nr 73AA5A62 --ar EAB8529C -k 010203040506  -> check key
  lf hitag lookup --uid 11223344 --nr 73AA5A62 --ar EAB8529C                  -> use def dictionary
  lf hitag lookup --uid 11223344 --nr 73AA5A62 --ar EAB8529C -f my.dic        -> use custom dictionary
  lf hitag lookup --uid 11223344 --nrar 73AA5A62EAB8529C
---------------------------------------------------------------------------------------
lf idteck
help    This help
demod   demodulate an Idteck tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone Idteck tag to T55x7 or Q5/T5555
sim     simulate Idteck tag
---------------------------------------------------------------------------------------
lf idteck demod
Try to find Idteck preamble, if found decode / descramble data
usage:
  lf idteck demod [-h] [-r ]
options:
  -h, --help  This help
  -r, --raw   raw bytes
examples/notes:
  lf idteck demod
  lf idteck demod --raw 4944544B351FBE4B
---------------------------------------------------------------------------------------
lf idteck reader
read an Idteck tag
usage:
  lf idteck reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf idteck reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf idteck clone
clone an Idteck tag to T55x7 or Q5/T5555 tag
Tag must be on the antenna when issuing this command.
usage:
  lf idteck clone [-h] -r [--q5] [--em]
options:
  -h, --help  This help
  -r, --raw   raw bytes
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf idteck clone --raw 4944544B351FBE4B
---------------------------------------------------------------------------------------
lf idteck sim
Enables simulation of Idteck card.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf idteck sim [-h] -r
options:
  -h, --help  This help
  -r, --raw   raw bytes
examples/notes:
  lf idteck sim --raw 4944544B351FBE4B
---------------------------------------------------------------------------------------
lf indala
help      This help
brute     Bruteforce card number against reader
demod     Demodulate an Indala tag (PSK1) from the GraphBuffer
altdemod  Alternative method to demodulate samples for Indala 64 bit UID (option '224' for 224 bit)
reader    Read an Indala tag from the antenna
clone     Clone Indala tag to T55x7 or Q5/T5555
sim       Simulate Indala tag
---------------------------------------------------------------------------------------
lf indala brute
Enables bruteforce of INDALA readers with specified facility code.
This is an attack against the reader.
If cardnumber is given, it starts with it and goes up / down one step
If cardnumber is not given, it starts with 1 and goes up to 65535
usage:
  lf indala brute [-hv] [--fc ] [--cn ] [-d ] [--up] [--down] [--4041x]
options:
  -h, --help     This help
  -v, --verbose  verbose output
  --fc           facility code
  --cn           card number to start with
  -d, --delay    delay between attempts in ms. Default 1000ms
  --up           direction to increment card number. (default is both directions)
  --down         direction to decrement card number. (default is both directions)
  --4041x        specify Indala 4041X format
examples/notes:
  lf indala brute --fc 224
  lf indala brute --fc 21 -d 2000
  lf indala brute -v --fc 21 --cn 200 -d 2000
  lf indala brute -v --fc 21 --cn 200 -d 2000 --up
---------------------------------------------------------------------------------------
lf indala demod
Tries to PSK demodulate the graphbuffer as Indala
usage:
  lf indala demod [-hi] [--clock ] [--maxerr ]
options:
  -h, --help    This help
  --clock       optional - set clock (as integer), if not set, autodetect.
  --maxerr      optional - set maximum allowed errors, default = 100
  -i, --invert  optional - invert output
examples/notes:
  lf indala demod
  lf indala demod --clock 32                -> demod an Indala tag from the GraphBuffer using a clock of RF/32
  lf indala demod --clock 32 -i             -> demod an Indala tag from the GraphBuffer using a clock of RF/32 and inverting data
  lf indala demod --clock 64 -i --maxerr 0  -> demod an Indala tag from the GraphBuffer using a clock of RF/64, inverting data and allowing 0 demod errors
---------------------------------------------------------------------------------------
lf indala altdemod
Tries to PSK demodulate the graphbuffer as Indala
This uses an alternative way to demodulate and was used from the beginning in the Pm3 client.
It's now considered obsolete but remains because it sometimes has its advantages.
usage:
  lf indala altdemod [-hl]
options:
  -h, --help  This help
  -l, --long  optional - demod as 224b long format
examples/notes:
  lf indala altdemod
  lf indala altdemod --long  -> demod an Indala tag from the GraphBuffer as 224 bit long format
---------------------------------------------------------------------------------------
lf indala reader
read an Indala tag
usage:
  lf indala reader [-hi@] [--clock ] [--maxerr ]
options:
  -h, --help    This help
  --clock       optional - set clock (as integer), if not set, autodetect.
  --maxerr      optional - set maximum allowed errors, default = 100
  -i, --invert  optional - invert output
  -@            optional - continuous reader mode
examples/notes:
  lf indala reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf indala clone
clone Indala UID to T55x7 or Q5/T5555 tag using different known formats
Warning, encoding with FC/CN doesn't always work
usage:
  lf indala clone [-h] [-r ] [--heden ] [--fc ] [--cn ] [--q5] [--em] [--4041x]
options:
  -h, --help  This help
  -r, --raw   raw bytes
  --heden     Card number for Heden 2L format
  --fc        Facility code (26 bit H10301 format)
  --cn        Card number (26 bit H10301 format)
  --q5        Optional - specify writing to Q5/T5555 tag
  --em        Optional - specify writing to EM4305/4469 tag
  --4041x     Optional - specify Indala 4041X format, must use with fc and cn
examples/notes:
  lf indala clone --heden 888
  lf indala clone --fc 123 --cn 1337
  lf indala clone --fc 123 --cn 1337 --4041x
  lf indala clone -r a0000000a0002021
  lf indala clone -r 80000001b23523a6c2e31eba3cbee4afb3c6ad1fcf649393928c14e5
---------------------------------------------------------------------------------------
lf indala sim
Enables simulation of Indala card with specified facility code and card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf indala sim [-h] [-r ] [--heden ] [--fc ] [--cn ] [--4041x]
options:
  -h, --help  This help
  -r, --raw   raw bytes
  --heden     Cardnumber for Heden 2L format
  --fc        Facility code (26 bit H10301 format)
  --cn        Card number (26 bit H10301 format)
  --4041x     Optional - specify Indala 4041X format, must use with fc and cn
examples/notes:
  lf indala sim --heden 888
  lf indala sim --fc 123 --cn 1337
  lf indala sim --fc 123 --cn 1337 --4041x
  lf indala sim --raw a0000000a0002021
  lf indala sim --raw 80000001b23523a6c2e31eba3cbee4afb3c6ad1fcf649393928c14e5
---------------------------------------------------------------------------------------
lf io
help    this help
demod   demodulate an ioProx tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone ioProx tag to T55x7 or Q5/T5555
sim     simulate ioProx tag
watch   continuously watch for cards. Reader mode
---------------------------------------------------------------------------------------
lf io demod
Try to find ioProx preamble, if found decode / descramble data
usage:
  lf io demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf io demod
---------------------------------------------------------------------------------------
lf io reader
read an ioProx tag
usage:
  lf io reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf io reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf io clone
clone an ioProx card with specified facility-code and card number to a T55x7, Q5/T5555 or EM4305/4469 tag.
Tag must be on the antenna when issuing this command.
usage:
  lf io clone [-h] --vn --fc --cn [--q5] [--em]
options:
  -h, --help  This help
  --vn        8bit version
  --fc        8bit facility code
  --cn        16bit card number
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf io clone --vn 1 --fc 101 --cn 1337
---------------------------------------------------------------------------------------
lf io sim
Enables simulation of ioProx card with specified facility-code and card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf io sim [-h] --vn --fc --cn
options:
  -h, --help  This help
  --vn        8bit version
  --fc        8bit facility code
  --cn        16bit card number
examples/notes:
  lf io sim --vn 1 --fc 101 --cn 1337
---------------------------------------------------------------------------------------
lf io watch
Enables ioProx compatible reader mode printing details.
By default, values are printed and logged until the button is pressed or another USB command is issued.
usage:
  lf io watch [-h]
options:
  -h, --help  This help
examples/notes:
  lf io watch
---------------------------------------------------------------------------------------
lf jablotron
help    This help
demod   demodulate a Jablotron tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone jablotron tag to T55x7, Q5/T5555 or EM4305/4469
sim     simulate jablotron tag
---------------------------------------------------------------------------------------
lf jablotron demod
Try to find Jablotron preamble, if found decode / descramble data
usage:
  lf jablotron demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf jablotron demod
---------------------------------------------------------------------------------------
lf jablotron reader
read a jablotron tag
usage:
  lf jablotron reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf jablotron reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf jablotron clone
clone a Jablotron tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
Tag must be on the antenna when issuing this command.
usage:
  lf jablotron clone [-h] --cn [--q5] [--em]
options:
  -h, --help  This help
  --cn        Jablotron card ID - 5 bytes max
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf jablotron clone --cn 01b669       -> encode for T55x7 tag
  lf jablotron clone --cn 01b669 --q5  -> encode for Q5/T5555 tag
  lf jablotron clone --cn 01b669 --em  -> encode for EM4305/4469
---------------------------------------------------------------------------------------
lf jablotron sim
Enables simulation of jablotron card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf jablotron sim [-h] --cn
options:
  -h, --help  This help
  --cn        Jablotron card ID - 5 bytes max
examples/notes:
  lf jablotron sim --cn 01b669
---------------------------------------------------------------------------------------
lf keri
help    This help
demod   demodulate a KERI tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone KERI tag to T55x7, Q5/T5555 or EM4305/4469
sim     simulate KERI tag
---------------------------------------------------------------------------------------
lf keri demod
Try to find KERI preamble, if found decode / descramble data
usage:
  lf keri demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf keri demod
---------------------------------------------------------------------------------------
lf keri reader
read a keri tag
usage:
  lf keri reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf keri reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf keri clone
clone a KERI tag to a T55x7, Q5/T5555 or EM4305/4469 tag
usage:
  lf keri clone [-h] [-t ] [--fc ] --cn [--q5] [--em]
options:
  -h, --help  This help
  -t, --type  Type m - MS, i - Internal ID
  --fc        Facility Code
  --cn        KERI card ID
  --q5        specify writing to Q5/T5555 tag
  --em        specify writing to EM4305/4469 tag
examples/notes:
  lf keri clone -t i --cn 12345         -> Internal ID
  lf keri clone -t m --fc 6 --cn 12345  -> MS ID
---------------------------------------------------------------------------------------
lf keri sim
Enables simulation of KERI card with internal ID.
You supply a KERI card id and it will be converted to a KERI internal ID.
usage:
  lf keri sim [-h] --id
options:
  -h, --help  This help
  --id        KERI card ID
examples/notes:
  lf keri sim --id 112233
---------------------------------------------------------------------------------------
lf motorola
help    This help
demod   demodulate a MOTOROLA tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone MOTOROLA tag to T55x7
sim     simulate MOTOROLA tag
---------------------------------------------------------------------------------------
lf motorola demod
Try to find Motorola Flexpass preamble, if found decode / descramble data
usage:
  lf motorola demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf motorola demod
---------------------------------------------------------------------------------------
lf motorola reader
read a Motorola Flexpass tag
usage:
  lf motorola reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf motorola reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf motorola clone
clone Motorola UID to a T55x7, Q5/T5555 or EM4305/4469 tag.
defaults to 64 bit format
usage:
  lf motorola clone [-h] -r [--q5] [--em]
options:
  -h, --help  This help
  -r, --raw   raw hex bytes. 8 bytes
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf motorola clone --raw a0000000a0002021       -> encode for T55x7 tag
  lf motorola clone --raw a0000000a0002021 --q5  -> encode for Q5/T5555 tag
  lf motorola clone --raw a0000000a0002021 --em  -> encode for EM4305/4469
---------------------------------------------------------------------------------------
lf motorola sim
Enables simulation of Motorola card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf motorola sim [-h]
options:
  -h, --help  This help
examples/notes:
  lf motorola sim
---------------------------------------------------------------------------------------
lf nedap
help    This help
demod   demodulate Nedap tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone Nedap tag to T55x7, Q5/T5555 or EM4305/4469
sim     simulate Nedap tag
---------------------------------------------------------------------------------------
lf nedap demod
Try to find Nedap preamble, if found decode / descramble data
usage:
  lf nedap demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf nedap demod
---------------------------------------------------------------------------------------
lf nedap reader
read a Nedap tag
usage:
  lf nedap reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf nedap reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf nedap clone
clone a Nedap tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
usage:
  lf nedap clone [-hl] [--st ] --cc --id [--q5] [--em]
options:
  -h, --help  This help
  --st        optional - sub type (default 5)
  --cc        customer code (0-4095)
  --id        ID (0-99999)
  -l, --long  optional - long (128), default to short (64)
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf nedap clone --st 1 --cc 101 --id 1337
---------------------------------------------------------------------------------------
lf nedap sim
Enables simulation of NEDAP card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf nedap sim [-hl] [--st ] --cc --id
options:
  -h, --help  This help
  --st        optional - sub type (default 5)
  --cc        customer code (0-4095)
  --id        ID (0-99999)
  -l, --long  optional - long (128), default to short (64)
examples/notes:
  lf nedap sim --st 1 --cc 101 --id 1337
---------------------------------------------------------------------------------------
lf nexwatch
help    This help
demod   demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone NexWatch tag to T55x7, Q5/T5555 or EM4305/4469
sim     simulate NexWatch tag
---------------------------------------------------------------------------------------
lf nexwatch demod
Try to find Nexwatch preamble, if found decode / descramble data
usage:
  lf nexwatch demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf nexwatch demod
---------------------------------------------------------------------------------------
lf nexwatch reader
read a Nexwatch tag
usage:
  lf nexwatch reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf nexwatch reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf nexwatch clone
clone a Nexwatch tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
You can use raw hex values or create a credential based on id, mode and type of credential (Nexkey / Quadrakey / Russian)
usage:
  lf nexwatch clone [-h] [-r ] [--cn ] [-m ] [--nc] [--qc] [--hc] [--q5] [--em] [--magic ] [--psk2]
options:
  -h, --help  This help
  -r, --raw   raw hex data. 12 bytes
  --cn        card id
  -m, --mode  mode (decimal) (0-15, defaults to 1)
  --nc        Nexkey credential
  --qc        Quadrakey credential
  --hc        Honeywell credential
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
  --magic     optional - magic hex data. 1 byte
  --psk2      optional - specify writing a tag in psk2 modulation
examples/notes:
  lf nexwatch clone --raw 5600000000213C9F8F150C00
  lf nexwatch clone --cn 521512301 -m 1 --nc  -> Nexkey credential
  lf nexwatch clone --cn 521512301 -m 1 --qc  -> Quadrakey credential
  lf nexwatch clone --cn 521512301 -m 1 --hc  -> Honeywell credential
---------------------------------------------------------------------------------------
lf nexwatch sim
Enables simulation of secura card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
You can use raw hex values or create a credential based on id, mode and type of credential (Nexkey/Quadrakey)
usage:
  lf nexwatch sim [-h] [-r ] [--cn ] [-m ] [--nc] [--qc] [--hc] [--magic ] [--psk2]
options:
  -h, --help  This help
  -r, --raw   raw hex data. 12 bytes
  --cn        card id
  -m, --mode  mode (decimal) (0-15, defaults to 1)
  --nc        Nexkey credential
  --qc        Quadrakey credential
  --hc        Honeywell credential
  --magic     optional - magic hex data. 1 byte
  --psk2      optional - specify writing a tag in psk2 modulation
examples/notes:
  lf nexwatch sim --raw 5600000000213C9F8F150C00
  lf nexwatch sim --cn 521512301 -m 1 --nc  -> Nexkey credential
  lf nexwatch sim --cn 521512301 -m 1 --qc  -> Quadrakey credential
  lf nexwatch sim --cn 521512301 -m 1 --hc  -> Honeywell credential
---------------------------------------------------------------------------------------
lf noralsy
help    This help
demod   demodulate a Noralsy tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone Noralsy tag to T55x7, Q5/T5555 or EM4305/4469
sim     simulate Noralsy tag
---------------------------------------------------------------------------------------
lf noralsy demod
Try to find Noralsy preamble, if found decode / descramble data
usage:
  lf noralsy demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf noralsy demod
---------------------------------------------------------------------------------------
lf noralsy reader
read a Noralsy tag
usage:
  lf noralsy reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf noralsy reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf noralsy clone
clone a Noralsy tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
usage:
  lf noralsy clone [-h] --cn [-y ] [--q5] [--em]
options:
  -h, --help  This help
  --cn        Noralsy card ID
  -y, --year  tag allocation year
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf noralsy clone --cn 112233       -> encode for T55x7 tag
  lf noralsy clone --cn 112233 --q5  -> encode for Q5/T5555 tag
  lf noralsy clone --cn 112233 --em  -> encode for EM4305/4469
---------------------------------------------------------------------------------------
lf noralsy sim
Enables simulation of Noralsy card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
usage:
  lf noralsy sim [-h] --cn [-y ]
options:
  -h, --help  This help
  --cn        Noralsy card ID
  -y, --year  tag allocation year
examples/notes:
  lf noralsy sim --cn 1337
  lf noralsy sim --cn 1337 --year 2010
---------------------------------------------------------------------------------------
lf pac
help    This help
demod   demodulate a PAC tag from the GraphBuffer
reader  attempt to read and extract tag data
clone   clone PAC tag to T55x7, Q5/T5555 or EM4305/4469
sim     simulate PAC tag
---------------------------------------------------------------------------------------
lf pac demod
Try to find PAC/Stanley preamble, if found decode / descramble data
usage:
  lf pac demod [-h]
options:
  -h, --help  This help
examples/notes:
  lf pac demod
---------------------------------------------------------------------------------------
lf pac reader
read a PAC/Stanley tag
usage:
  lf pac reader [-h@]
options:
  -h, --help  This help
  -@          optional - continuous reader mode
examples/notes:
  lf pac reader -@  -> continuous reader mode
---------------------------------------------------------------------------------------
lf pac clone
clone a PAC/Stanley tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
usage:
  lf pac clone [-h] [--cn ] [-r ] [--q5] [--em]
options:
  -h, --help  This help
  --cn        8 byte PAC/Stanley card ID
  -r, --raw   raw hex data. 16 bytes max
  --q5        optional - specify writing to Q5/T5555 tag
  --em        optional - specify writing to EM4305/4469 tag
examples/notes:
  lf pac clone --cn CD4F5552                           -> encode for T55x7 tag
  lf pac clone --cn CD4F5552 --q5                      -> encode for Q5/T5555 tag
  lf pac clone --cn CD4F5552 --em                      -> encode for EM4305/4469
  lf pac clone --raw FF2049906D8511C593155B56D5B2649F  -> encode for T55x7 tag, raw mode
---------------------------------------------------------------------------------------
lf pac sim
Enables simulation of PAC/Stanley card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
The card ID is an 8 byte number. Larger values are truncated.
usage: lf pac sim [-h] [--cn ] [-r ] options: -h, --help This help --cn 8 byte PAC/Stanley card ID -r, --raw raw hex data. 16 bytes max examples/notes: lf pac sim --cn CD4F5552 lf pac sim --raw FF2049906D8511C593155B56D5B2649F --------------------------------------------------------------------------------------- lf paradox help This help demod demodulate a Paradox FSK tag from the GraphBuffer reader attempt to read and extract tag data clone clone paradox tag to T55x7, Q5/T5555 or EM4305/4469 sim simulate paradox tag --------------------------------------------------------------------------------------- lf paradox demod Try to find Paradox preamble, if found decode / descramble data usage: lf paradox demod [-h] [--old] options: -h, --help This help --old optional - Display previous checksum version examples/notes: lf paradox demod --old -> Display previous checksum version --------------------------------------------------------------------------------------- lf paradox reader read a Paradox tag usage: lf paradox reader [-h@] [--old] options: -h, --help This help -@ optional - continuous reader mode --old optional - Display previous checksum version examples/notes: lf paradox reader -@ -> continuous reader mode lf paradox reader --old -> Display previous checksum version --------------------------------------------------------------------------------------- lf paradox clone clone a paradox tag to a T55x7, Q5/T5555 or EM4305/4469 tag. usage: lf paradox clone [-h] [-r ] [--fc ] [--cn ] [--q5] [--em] options: -h, --help This help -r, --raw raw hex data. 
12 bytes max --fc facility code --cn card number --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag examples/notes: lf paradox clone --fc 96 --cn 40426 -> encode for T55x7 tag with fc and cn lf paradox clone --raw 0f55555695596a6a9999a59a -> encode for T55x7 tag lf paradox clone --raw 0f55555695596a6a9999a59a --q5 -> encode for Q5/T5555 tag lf paradox clone --raw 0f55555695596a6a9999a59a --em -> encode for EM4305/4469 --------------------------------------------------------------------------------------- lf paradox sim Enables simulation of paradox card with specified card number. Simulation runs until the button is pressed or another USB command is issued. usage: lf paradox sim [-h] [-r ] [--fc ] [--cn ] options: -h, --help This help -r, --raw raw hex data. 12 bytes --fc facility code --cn card number examples/notes: lf paradox sim --raw 0f55555695596a6a9999a59a -> simulate tag lf paradox sim --fc 96 --cn 40426 -> simulate tag with fc and cn --------------------------------------------------------------------------------------- lf pcf7931 help This help reader Read content of a PCF7931 transponder write Write data on a PCF7931 transponder. config Configure the password, the tags initialization delay and time offsets (optional) --------------------------------------------------------------------------------------- lf pcf7931 reader read a PCF7931 tag usage: lf pcf7931 reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf pcf7931 reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf pcf7931 write This command tries to write a PCF7931 tag. 
usage: lf pcf7931 write [-h] -b -i -d options: -h, --help This help -b, --blk [0-7] block number -i, --idx [0-15] index of byte inside block -d, --data one byte to be written examples/notes: lf pcf7931 write --blk 2 --idx 1 -d FF -> Write 0xFF to block 2, index 1 --------------------------------------------------------------------------------------- lf pcf7931 config This command tries to set the configuration used with PCF7931 commands The time offsets could be useful to correct slew rate generated by the antenna Caling without some parameter will print the current configuration. usage: lf pcf7931 config [-hr] [-p ] [-d ] [--lw ] [--lp ] options: -h, --help This help -r, --reset Reset configuration to default values -p, --pwd Password, 7bytes, LSB-order -d, --delay Tag initialization delay (in us) --lw offset, low pulses width (in us) --lp offset, low pulses position (in us) examples/notes: lf pcf7931 config --reset lf pcf7931 config --pwd 11223344556677 -d 20000 lf pcf7931 config --pwd 11223344556677 -d 17500 --lw -10 --lp 30 --------------------------------------------------------------------------------------- lf presco help This help demod demodulate Presco tag from the GraphBuffer reader attempt to read and extract tag data clone clone presco tag to T55x7, Q5/T5555 or EM4305/4469 sim simulate presco tag --------------------------------------------------------------------------------------- lf presco demod Try to find presco preamble, if found decode / descramble data usage: lf presco demod [-h] options: -h, --help This help examples/notes: lf presco demod --------------------------------------------------------------------------------------- lf presco reader read a presco tag usage: lf presco reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf presco reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf presco clone clone a presco tag to a 
T55x7, Q5/T5555 or EM4305/4469 tag. usage: lf presco clone [-h] [-c ] [-d ] [--q5] [--em] options: -h, --help This help -c 8 digit hex card number -d 9 digit presco card ID --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag examples/notes: lf presco clone -d 018363467 -> encode for T55x7 tag lf presco clone -d 018363467 --q5 -> encode for Q5/T5555 tag lf presco clone -d 018363467 --em -> encode for EM4305/4469 --------------------------------------------------------------------------------------- lf presco sim Enables simulation of presco card with specified card number. Simulation runs until the button is pressed or another USB command is issued. Per presco format, the card number is 9 digit number and can contain *# chars. Larger values are truncated. usage: lf presco sim [-h] [-c ] [-d ] options: -h, --help This help -c 8 digit hex card number -d 9 digit presco card ID examples/notes: lf presco sim -d 018363467 --------------------------------------------------------------------------------------- lf pyramid help this help demod demodulate a Pyramid FSK tag from the GraphBuffer reader attempt to read and extract tag data clone clone pyramid tag to T55x7, Q5/T5555 or EM4305/4469 sim simulate pyramid tag --------------------------------------------------------------------------------------- lf pyramid demod Try to find Farpoint/Pyramid preamble, if found decode / descramble data usage: lf pyramid demod [-h] options: -h, --help This help examples/notes: lf pyramid demod --------------------------------------------------------------------------------------- lf pyramid reader read a Farpointe/Pyramid tag usage: lf pyramid reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf pyramid reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf pyramid clone clone a Farpointe/Pyramid tag to a T55x7, Q5/T5555 or 
EM4305/4469 tag. The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated. Currently only works on 26bit usage: lf pyramid clone [-h] [--fc ] [--cn ] [--q5] [--em] [-r ] options: -h, --help This help --fc 8-bit value facility code --cn 16-bit value card number --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag -r, --raw raw hex data. 16 bytes examples/notes: lf pyramid clone --fc 123 --cn 11223 -> encode for T55x7 tag lf pyramid clone --raw 0001010101010101010440013223921c -> idem, raw mode lf pyramid clone --fc 123 --cn 11223 --q5 -> encode for Q5/T5555 tag lf pyramid clone --fc 123 --cn 11223 --em -> encode for EM4305/4469 --------------------------------------------------------------------------------------- lf pyramid sim Enables simulation of Farpointe/Pyramid card with specified card number. Simulation runs until the button is pressed or another USB command is issued. The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated. Currently work only on 26bit usage: lf pyramid sim [-h] [--fc ] [--cn ] [-r ] options: -h, --help This help --fc 8-bit value facility code --cn 16-bit value card number -r, --raw raw hex data. 
16 bytes examples/notes: lf pyramid sim --fc 123 --cn 1337 lf pyramid sim --raw 0001010101010101010440013223921c --------------------------------------------------------------------------------------- lf securakey help This help demod demodulate an Securakey tag from the GraphBuffer reader attempt to read and extract tag data clone clone Securakey tag to T55x7, Q5/T5555 or EM4305/4469 sim simulate Securakey tag --------------------------------------------------------------------------------------- lf securakey demod Try to find Securakey preamble, if found decode / descramble data usage: lf securakey demod [-h] options: -h, --help This help examples/notes: lf securakey demod --------------------------------------------------------------------------------------- lf securakey reader read a Securakey tag usage: lf securakey reader [-h@] options: -h, --help This help -@ optional - continuous reader mode examples/notes: lf securakey reader -@ -> continuous reader mode --------------------------------------------------------------------------------------- lf securakey clone clone a Securakey tag to a T55x7, Q5/T5555 or EM4305/4469 tag. usage: lf securakey clone [-h] -r [--q5] [--em] options: -h, --help This help -r, --raw raw hex data. 12 bytes --q5 optional - specify writing to Q5/T5555 tag --em optional - specify writing to EM4305/4469 tag examples/notes: lf securakey clone --raw 7FCB400001ADEA5344300000 -> encode for T55x7 tag lf securakey clone --raw 7FCB400001ADEA5344300000 --q5 -> encode for Q5/T5555 tag lf securakey clone --raw 7FCB400001ADEA5344300000 --em -> encode for EM4305/4469 --------------------------------------------------------------------------------------- lf securakey sim Enables simulation of secura card with specified card number. Simulation runs until the button is pressed or another USB command is issued. usage: lf securakey sim [-h] [-r ] options: -h, --help This help -r, --raw raw hex data. 
12 bytes

examples/notes:
    lf securakey sim --raw 7FCB400001ADEA5344300000
---------------------------------------------------------------------------------------
lf ti
help      This help
demod     Demodulate raw bits for TI LF tag from the GraphBuffer
reader    Read and decode a TI 134 kHz tag
write     Write new data to a r/w TI 134 kHz tag
---------------------------------------------------------------------------------------
lf ti demod
Try to find TI preamble, if found decode / descramble data

usage: lf ti demod [-h]

options:
    -h, --help    This help

examples/notes:
    lf ti demod
---------------------------------------------------------------------------------------
lf ti reader
read a TI tag

usage: lf ti reader [-h@]

options:
    -h, --help    This help
    -@            optional - continuous reader mode

examples/notes:
    lf ti reader -@    -> continuous reader mode
---------------------------------------------------------------------------------------
lf ti write
write to a r/w TI tag.

usage: lf ti write [-h] -r [--crc ]

options:
    -h, --help    This help
    -r, --raw     raw hex data. 8 bytes max
    --crc         optional - crc

examples/notes:
    lf ti write --raw 1122334455667788
    lf ti write --raw 1122334455667788 --crc 1122
---------------------------------------------------------------------------------------
lf t55xx
----------- ---------------------------- notice -----------------------------
Remember to run `lf t55xx detect` first whenever a new card is placed on the Proxmark3 or the config block changed.
help            This help
----------- --------------------- operations ---------------------
clonehelp       Shows the available clone commands
config          Set/Get T55XX configuration (modulation, inverted, offset, rate)
dangerraw       Sends raw bitstream. Dangerous, do not use!!
detect          Try detecting the tag modulation from reading the configuration block
deviceconfig    Set/Get T55XX device configuration
dump            Dump T55xx card Page 0 block 0-7
info            Show T55x7 configuration data (page 0/ blk 0)
p1detect        Try detecting if this is a t55xx tag by reading page 1
read            Read T55xx block data
resetread       Send Reset Cmd then lf read the stream to attempt to identify the start of it
restore         Restore T55xx card Page 0 / Page 1 blocks
trace           Show T55x7 traceability data (page 1/ blk 0-1)
wakeup          Send AOR wakeup command
write           Write T55xx block data
----------- --------------------- recovery ---------------------
bruteforce      Simple bruteforce attack to find password
chk             Check passwords
protect         Password protect tag
recoverpw       Try to recover from bad password write from a cloner
sniff           Attempt to recover T55xx commands from sample buffer
special         Show block changes with 64 different offsets
wipe            Wipe a T55xx tag and set defaults (will destroy any data on tag)
---------------------------------------------------------------------------------------
lf t55xx clonehelp
Display a list of available commands for cloning specific techs on T5xx tags

usage: lf t55xx clonehelp [-h]

options:
    -h, --help    This help

examples/notes:
    lf t55xx clonehelp
---------------------------------------------------------------------------------------
lf t55xx config
Set/Get T55XX configuration of the pm3 client. Like modulation, inverted, offset, rate etc.
Offset is the start position to decode data.

usage: lf t55xx config [-hi] [--FSK] [--FSK1] [--FSK1A] [--FSK2] [--FSK2A] [--ASK] [--PSK1] [--PSK2] [--PSK3] [--NRZ] [--BI] [--BIA] [--q5] [--st] [--rate ] [-c ] [-o <0-255>] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help              This help
    --FSK                   set demodulation FSK
    --FSK1                  set demodulation FSK 1
    --FSK1A                 set demodulation FSK 1a (inv)
    --FSK2                  set demodulation FSK 2
    --FSK2A                 set demodulation FSK 2a (inv)
    --ASK                   set demodulation ASK
    --PSK1                  set demodulation PSK 1
    --PSK2                  set demodulation PSK 2
    --PSK3                  set demodulation PSK 3
    --NRZ                   set demodulation NRZ
    --BI                    set demodulation Biphase
    --BIA                   set demodulation Diphase (inverted biphase)
    -i, --inv               set/reset data signal inversion
    --q5                    set/reset as Q5/T5555 chip instead of T55x7
    --st                    set/reset Sequence Terminator on
    --rate                  set bitrate <8|16|32|40|50|64|100|128>
    -c, --blk0              set configuration from a block0 (4 hex bytes)
    -o, --offset <0-255>    set offset, where data should start decode in bitstream
    --r0                    downlink - fixed bit length (detected def)
    --r1                    downlink - long leading reference
    --r2                    downlink - leading zero
    --r3                    downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx config --FSK            -> FSK demodulation
    lf t55xx config --FSK -i         -> FSK demodulation, inverse data
    lf t55xx config --FSK -i -o 3    -> FSK demodulation, inverse data, offset 3
---------------------------------------------------------------------------------------
lf t55xx dangerraw
This command emits arbitrary raw commands to a T5577 and cuts the field after an arbitrary duration.
Uncontrolled usage can easily write an invalid configuration, activate lock bits, the OTP bit or the password protection bit, deactivate test mode, and lock your card forever.
WARNING: this may permanently lock the tag in an unusable state!

usage: lf t55xx dangerraw [-h] -d -t

options:
    -h, --help                 This help
    -d, --data                 raw bit string
    -t, --time <0 - 200000>    time in microseconds before dropping the field

examples/notes:
    lf t55xx dangerraw -d 01000000000000010000100000000100000000 -t 3200
---------------------------------------------------------------------------------------
lf t55xx detect
Try detecting the tag modulation from reading the configuration block

usage: lf t55xx detect [-h1] [-p ] [--r0] [--r1] [--r2] [--r3] [--all]

options:
    -h, --help    This help
    -1            extract using data from graphbuffer
    -p, --pwd     password (4 hex bytes)
    --r0          downlink - fixed bit length (detected def)
    --r1          downlink - long leading reference
    --r2          downlink - leading zero
    --r3          downlink - 1 of 4 coding reference
    --all         try all downlink modes

examples/notes:
    lf t55xx detect
    lf t55xx detect -1
    lf t55xx detect -p 11223344
---------------------------------------------------------------------------------------
lf t55xx deviceconfig
Sets t55x7 timings for direct commands.
The timings are set here in Field Clocks (FC), which are converted to microseconds (us) on the device.

usage: lf t55xx deviceconfig [-hpz] [-a <8..255>] [-b <8..255>] [-c <8..255>] [-d <8..255>] [-e <8..255>] [-f <8..255>] [-g <8..255>] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help       This help
    -a <8..255>      Set start gap
    -b <8..255>      Set write gap
    -c <8..255>      Set write ZERO gap
    -d <8..255>      Set write ONE gap
    -e <8..255>      Set read gap
    -f <8..255>      Set write TWO gap (1 of 4 only)
    -g <8..255>      Set write THREE gap (1 of 4 only)
    -p, --persist    persist to flash memory (RDV4)
    -z               Set default t55x7 timings (use `-p` to save if required)
    --r0             downlink - fixed bit length (detected def)
    --r1             downlink - long leading reference
    --r2             downlink - leading zero
    --r3             downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx deviceconfig -a 29 -b 17 -c 15 -d 47 -e 15    -> default T55XX
    lf t55xx deviceconfig -a 55 -b 14 -c 21 -d 30          -> default EM4305
---------------------------------------------------------------------------------------
lf t55xx dump
This command dumps a T55xx card Page 0 block 0-7.
It will create two files (bin/json)

usage: lf t55xx dump [-ho] [-f ] [-p ] [--ns] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help        This help
    -f, --file        filename (default is generated on blk 0)
    -o, --override    override, force pwd read despite danger to card
    -p, --pwd         password (4 hex bytes)
    --ns              no save to file
    --r0              downlink - fixed bit length
    --r1              downlink - long leading reference
    --r2              downlink - leading zero
    --r3              downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx dump
    lf t55xx dump -p aabbccdd --override
    lf t55xx dump -f my_lf_dump
---------------------------------------------------------------------------------------
lf t55xx info
Show T55x7 configuration data (page 0/ blk 0) from reading the configuration block from the tag.
Use `-c` to specify config block data to be used instead of reading the tag.

usage: lf t55xx info [-h1] [-p ] [-c ] [--q5] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help    This help
    -1            extract using data from graphbuffer
    -p, --pwd     password (4 hex bytes)
    -c, --blk0    use these data instead (4 hex bytes)
    --q5          interpret provided data as T5555/Q5 config
    --r0          downlink - fixed bit length (detected def)
    --r1          downlink - long leading reference
    --r2          downlink - leading zero
    --r3          downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx info
    lf t55xx info -1
    lf t55xx info -p 11223344
    lf t55xx info -c 00083040
    lf t55xx info -c 6001805A --q5
---------------------------------------------------------------------------------------
lf t55xx p1detect
Detect Page 1 of a T55xx chip

usage: lf t55xx p1detect [-h1] [-p ] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help    This help
    -1            extract using data from graphbuffer
    -p, --pwd     password (4 hex bytes)
    --r0          downlink - fixed bit length (detected def)
    --r1          downlink - long leading reference
    --r2          downlink - leading zero
    --r3          downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx p1detect
    lf t55xx p1detect -1
    lf t55xx p1detect -p 11223344 --r3
---------------------------------------------------------------------------------------
lf t55xx read
Read T55xx block data. This command defaults to page 0.
* * * WARNING * * *
Use of read with password on a tag not configured for a password can damage the tag
* * * * * * * * * *

usage: lf t55xx read [-ho] -b <0-7> [-p ] [--pg1] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help        This help
    -b, --blk <0-7>   block number to read
    -p, --pwd         password (4 hex bytes)
    -o, --override    override safety check
    --pg1             read page 1
    --r0              downlink - fixed bit length (detected def)
    --r1              downlink - long leading reference
    --r2              downlink - leading zero
    --r3              downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx read -b 0                      -> read data from block 0
    lf t55xx read -b 0 --pwd 01020304       -> read data from block 0, pwd 01020304
    lf t55xx read -b 0 --pwd 01020304 -o    -> read data from block 0, pwd 01020304, override
---------------------------------------------------------------------------------------
lf t55xx resetread
Send Reset Cmd then `lf read` the stream to attempt to identify the start of it
(needs a demod and/or plot after)

usage: lf t55xx resetread [-h1] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help    This help
    -1            extract using data from graphbuffer
    --r0          downlink - fixed bit length (detected def)
    --r1          downlink - long leading reference
    --r2          downlink - leading zero
    --r3          downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx resetread
---------------------------------------------------------------------------------------
lf t55xx restore
Restore T55xx card page 0/1 blocks from a (bin/eml/json) dump file

usage: lf t55xx restore [-h] [-f ] [-p ]

options:
    -h, --help    This help
    -f, --file    Specify a filename for dump file
    -p, --pwd     password if target card has password set (4 hex bytes)

examples/notes:
    lf t55xx restore -f lf-t55xx-00148040-dump.bin
---------------------------------------------------------------------------------------
lf t55xx trace
Show T55x7 traceability data (page 1/ blk 0-1) from reading the traceability blocks

usage: lf t55xx trace [-h1] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help    This help
    -1            extract using data from graphbuffer
    --r0          downlink - fixed bit length (detected def)
    --r1          downlink - long leading reference
    --r2          downlink - leading zero
    --r3          downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx trace
    lf t55xx trace -1
---------------------------------------------------------------------------------------
lf t55xx wakeup
This command sends the Answer-On-Request (AOR) command and leaves the reader field ON afterwards

usage: lf t55xx wakeup [-hv] [-p ] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help       This help
    -p, --pwd        password (4 hex bytes)
    -v, --verbose    verbose output
    --r0             downlink - fixed bit length (detected def)
    --r1             downlink - long leading reference
    --r2             downlink - leading zero
    --r3             downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx wakeup -p 11223344    -> send wakeup with password
---------------------------------------------------------------------------------------
lf t55xx write
Write T55xx block data

usage: lf t55xx write [-ht] -b <0-7> [-d ] [-p ] [--pg1] [--verify] [--r0] [--r1] [--r2] [--r3]

options:
    -h, --help         This help
    -b, --blk <0-7>    block number to write
    -d, --data         data to write (4 hex bytes)
    -p, --pwd          password (4 hex bytes)
    -t, --tm           test mode write ( danger )
    --pg1              write page 1
    --verify           try to validate data afterwards
    --r0               downlink - fixed bit length (detected def)
    --r1               downlink - long leading reference
    --r2               downlink - leading zero
    --r3               downlink - 1 of 4 coding reference

examples/notes:
    lf t55xx write -b 3 -d 11223344                             -> write 11223344 to block 3
    lf t55xx write -b 3 -d 11223344 --pwd 01020304              -> write 11223344 to block 3, pwd 01020304
    lf t55xx write -b 3 -d 11223344 --pwd 01020304 --verify     -> write 11223344 to block 3 and try validating write
---------------------------------------------------------------------------------------
lf t55xx bruteforce
This command uses bruteforce to scan a number range.
Try reading Page 0, block 7 first.
WARNING this may brick non-password protected chips!
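The `info -c`, `config --blk0` and `wipe -c` arguments, and the pwd bit that `protect`, `bruteforce` and `chk` act on, all live in the 32-bit page 0 / block 0 word of a T55x7. The read, bruteforce, chk and recoverpw warnings exist because sending a password to a tag whose pwd bit is clear can corrupt it, so the first thing to do with a dumped block 0 is decode it and look at that bit. The Python below is an added example written for this page, not Proxmark3 client code: it unpacks block 0 into its datasheet fields, rebuilds a word from named settings, and reports what the pwd bit implies for `-p`. Field order and widths follow the T5577 datasheet (MSB first); the function names are this example's own. Of the sample words, 0x000880E0 is the `lf t55xx wipe` default shown on this page, 0x00148040 is the word in the `restore` example's filename, 0x00083040 is the `info -c` example, and 0x00148050 is constructed here as 0x00148040 with the pwd bit set. Q5/T5555 uses a different block 0 layout and is deliberately not handled.

```python
# Added example (not Proxmark3 client code): decode and rebuild the 32-bit T55x7
# page 0 / block 0 configuration word that `lf t55xx info -c`,
# `lf t55xx config --blk0` and `lf t55xx wipe -c` take as 4 hex bytes.
# Field order and widths follow the T5577 datasheet, MSB first.
# Q5/T5555 uses a different block 0 layout and is not handled here.

RATES = [8, 16, 32, 40, 50, 64, 100, 128]        # 3-bit data rate code -> RF/n

MODULATIONS = {                                   # 5-bit modulation code
    0b00000: "DIRECT", 0b00001: "PSK1", 0b00010: "PSK2", 0b00011: "PSK3",
    0b00100: "FSK1", 0b00101: "FSK2", 0b00110: "FSK1a", 0b00111: "FSK2a",
    0b01000: "MANCHESTER", 0b10000: "BIPHASE", 0b11000: "DIPHASE",
}
MOD_CODE = {name: code for code, name in MODULATIONS.items()}

# (field, width) in transmission order; the widths sum to 32.
FIELDS = [
    ("master_key", 4), ("reserved", 7), ("rate", 3), ("xmode", 1),
    ("modulation", 5), ("psk_cf", 2), ("aor", 1), ("otp", 1),
    ("max_block", 3), ("pwd", 1), ("sst", 1), ("fast_write", 1),
    ("inverse", 1), ("por_delay", 1),
]
assert sum(width for _, width in FIELDS) == 32


def decode_block0(word: int) -> dict:
    """Split a block 0 word (e.g. 0x00148040) into its named fields."""
    fields, pos = {}, 32
    for name, width in FIELDS:
        pos -= width
        fields[name] = (word >> pos) & ((1 << width) - 1)
    fields["rate_rf"] = RATES[fields["rate"]]
    fields["modulation_name"] = MODULATIONS.get(fields["modulation"], "UNKNOWN")
    return fields


def encode_block0(modulation: str, rate_rf: int, max_block: int,
                  pwd: bool = False, **flags: int) -> int:
    """Build a block 0 word from named settings; fields not given are 0."""
    values = {name: 0 for name, _ in FIELDS}
    values["modulation"] = MOD_CODE[modulation]
    values["rate"] = RATES.index(rate_rf)
    values["max_block"] = max_block
    values["pwd"] = int(pwd)
    for name, value in flags.items():          # e.g. aor=1, otp=1, sst=1, inverse=1
        if name not in values:
            raise KeyError(f"unknown block 0 field {name!r}")
        values[name] = value
    word = 0
    for name, width in FIELDS:
        if not 0 <= values[name] < (1 << width):
            raise ValueError(f"{name}={values[name]} does not fit in {width} bits")
        word = (word << width) | values[name]
    return word


def password_check(word: int) -> str:
    """Say whether a password command (-p) is appropriate for this config.
    The read/bruteforce/chk help warns that sending a password to a tag
    whose pwd bit is clear can damage it, so check the bit before using -p."""
    if decode_block0(word)["pwd"]:
        return "pwd bit SET: block 7 holds the password, use -p for reads and writes"
    return "pwd bit CLEAR: do not send a password unless you override on purpose"


if __name__ == "__main__":
    # 0x000880E0: `lf t55xx wipe` default; 0x00148040: word in the `restore`
    # example's filename; 0x00083040: the `info -c` example; 0x00148050 is
    # constructed here as 0x00148040 with the pwd bit set.
    for word in (0x000880E0, 0x00148040, 0x00083040, 0x00148050):
        cfg = decode_block0(word)
        print(f"{word:08X}: {cfg['modulation_name']:10} RF/{cfg['rate_rf']:<3} "
              f"maxblock={cfg['max_block']} -> {password_check(word)}")
    assert encode_block0("MANCHESTER", 64, 2, pwd=True) == 0x00148050
```

Run it before any `-p` on an unfamiliar tag: if `password_check` reports the bit clear, stay with plain reads, and if it reports the bit set, brute-force or dictionary attacks against block 7 are what the tag actually requires.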
usage: lf t55xx bruteforce [-h] -s -e [--r0] [--r1] [--r2] [--r3] [--all] options: -h, --help This help -s, --start search start password (4 hex bytes) -e, --end search end password (4 hex bytes) --r0 downlink - fixed bit length --r1 downlink - long leading reference --r2 downlink - leading zero --r3 downlink - 1 of 4 coding reference --all try all downlink modes (def) examples/notes: lf t55xx bruteforce --r2 -s aaaaaa77 -e aaaaaa99 --------------------------------------------------------------------------------------- lf t55xx chk This command uses a dictionary attack. For some cloners, try '--em' for known pwdgen algo. Try to reading Page 0 block 7 before. WARNING: this may brick non-password protected chips! usage: lf t55xx chk [-hm] [-f ] [--em ] [--r0] [--r1] [--r2] [--r3] [--all] options: -h, --help This help -m, --fm use dictionary from flash memory (RDV4) -f, --file file name --em EM4100 ID (5 hex bytes) --r0 downlink - fixed bit length --r1 downlink - long leading reference --r2 downlink - leading zero --r3 downlink - 1 of 4 coding reference --all try all downlink modes (def) examples/notes: lf t55xx chk -m -> use dictionary from flash memory (RDV4) lf t55xx chk -f my_dictionary_pwds -> loads a default keys dictionary file lf t55xx chk --em aa11223344 -> try known pwdgen algo from some cloners based on EM4100 ID --------------------------------------------------------------------------------------- lf t55xx protect This command sets the pwd bit on T5577. WARNING this locks the tag! 
usage: lf t55xx protect [-ho] [-p ] -n [--r0] [--r1] [--r2] [--r3] options: -h, --help This help -o, --override override safety check -p, --pwd password (4 hex bytes) -n, --new new password (4 hex bytes) --r0 downlink - fixed bit length (detected def) --r1 downlink - long leading reference --r2 downlink - leading zero --r3 downlink - 1 of 4 coding reference examples/notes: lf t55xx protect -n 01020304 -> sets new pwd 01020304 lf t55xx protect -p 11223344 -n 00000000 -> use pwd 11223344, sets new pwd 00000000 --------------------------------------------------------------------------------------- lf t55xx recoverpw This command uses a few tricks to try to recover mangled password. Try reading Page 0, block 7 before. WARNING this may brick non-password protected chips! usage: lf t55xx recoverpw [-h] [-p ] [--r0] [--r1] [--r2] [--r3] [--all] options: -h, --help This help -p, --pwd password (4 hex bytes) --r0 downlink - fixed bit length --r1 downlink - long leading reference --r2 downlink - leading zero --r3 downlink - 1 of 4 coding reference --all try all downlink modes (def) examples/notes: lf t55xx recoverpw lf t55xx recoverpw -p 11223344 lf t55xx recoverpw -p 11223344 --r3 --------------------------------------------------------------------------------------- lf t55xx sniff Sniff LF t55xx based trafic and decode possible cmd / blocks. Lower tolerance means tighter pulses. 
usage: lf t55xx sniff [-h1] [-t ] [-o ] [-z ]
options:
    -h, --help  This help
    -1          extract using data from graphbuffer
    -t, --tol   set tolerance level (default 5)
    -o, --one   set samples width for ONE pulse (default auto)
    -z, --zero  set samples width for ZERO pulse (default auto)
examples/notes:
    lf t55xx sniff
    lf t55xx sniff -1 -t 2                -> use buffer with tolerance of 2
    lf t55xx sniff -1 --zero 7 --one 14   -> use buffer, zero pulse width 7, one pulse width 14
---------------------------------------------------------------------------------------
lf t55xx special
Show block changes with 64 different offsets, data taken from DemodBuffer.
usage: lf t55xx special [-h]
options:
    -h, --help  This help
examples/notes:
    lf t55xx special
---------------------------------------------------------------------------------------
lf t55xx wipe
This command wipes a tag: it fills blocks 1-7 with zeros and writes a default configuration block.
usage: lf t55xx wipe [-h] [-c ] [-p ] [--q5] [--r0] [--r1] [--r2] [--r3]
options:
    -h, --help  This help
    -c, --cfg   configuration block0 (4 hex bytes)
    -p, --pwd   password (4 hex bytes)
    --q5        specify writing to Q5/T5555 tag using dedicated config block
    --r0        downlink - fixed bit length (detected def)
    --r1        downlink - long leading reference
    --r2        downlink - leading zero
    --r3        downlink - 1 of 4 coding reference
examples/notes:
    lf t55xx wipe                -> wipes a T55x7 tag, config block 0x000880E0
    lf t55xx wipe --q5           -> wipes a Q5/T5555 tag, config block 0x6001F004
    lf t55xx wipe -p 11223344    -> wipes a T55x7 tag, config block 0x000880E0, using pwd
---------------------------------------------------------------------------------------
lf viking
    help    This help
    demod   demodulate a Viking tag from the GraphBuffer
    reader  attempt to read and extract tag data
    clone   clone Viking tag to T55x7, Q5/T5555 or EM4305/4469
    sim     simulate Viking tag
---------------------------------------------------------------------------------------
lf viking demod
Try to find Viking AM preamble, if found decode / descramble data
usage: lf viking demod [-h]
options:
    -h, --help  This help
examples/notes:
    lf viking demod
---------------------------------------------------------------------------------------
lf viking reader
read a Viking AM tag
usage: lf viking reader [-h@]
options:
    -h, --help  This help
    -@          optional - continuous reader mode
examples/notes:
    lf viking reader -@    -> continuous reader mode
---------------------------------------------------------------------------------------
lf viking clone
clone a Viking AM tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
usage: lf viking clone [-h] --cn [--q5] [--em]
options:
    -h, --help  This help
    --cn        8 digit hex viking card number
    --q5        optional - specify writing to Q5/T5555 tag
    --em        optional - specify writing to EM4305/4469 tag
examples/notes:
    lf viking clone --cn 01A337         -> encode for T55x7 tag
    lf viking clone --cn 01A337 --q5    -> encode for Q5/T5555 tag
    lf viking clone --cn 112233 --em    -> encode for EM4305/4469
---------------------------------------------------------------------------------------
lf viking sim
Enables simulation of a Viking card with the specified card number.
Simulation runs until the button is pressed or another USB command is issued.
Per the Viking format, the card number is an 8 digit hex number. Larger values are truncated.
usage: lf viking sim [-h] --cn
options:
    -h, --help  This help
    --cn        8 digit hex viking card number
examples/notes:
    lf viking sim --cn 01A337
---------------------------------------------------------------------------------------
lf visa2000
    help    This help
    demod   demodulate a VISA2000 tag from the GraphBuffer
    reader  attempt to read and extract tag data
    clone   clone Visa2000 tag to T55x7, Q5/T5555 or EM4305/4469
    sim     simulate Visa2000 tag
---------------------------------------------------------------------------------------
lf visa2000 demod
Try to find visa2000 preamble, if found decode / descramble data
usage: lf visa2000 demod [-h]
options:
    -h, --help  This help
examples/notes:
    lf visa2000 demod
---------------------------------------------------------------------------------------
lf visa2000 reader
read a visa2000 tag
usage: lf visa2000 reader [-h@]
options:
    -h, --help  This help
    -@          optional - continuous reader mode
examples/notes:
    lf visa2000 reader -@    -> continuous reader mode
---------------------------------------------------------------------------------------
lf visa2000 clone
clone a Visa2000 tag to a T55x7, Q5/T5555 or EM4305/4469 tag.
usage: lf visa2000 clone [-h] --cn [--q5] [--em]
options:
    -h, --help  This help
    --cn        Visa2k card ID
    --q5        optional - specify writing to Q5/T5555 tag
    --em        optional - specify writing to EM4305/4469 tag
examples/notes:
    lf visa2000 clone --cn 112233         -> encode for T55x7 tag
    lf visa2000 clone --cn 112233 --q5    -> encode for Q5/T5555 tag
    lf visa2000 clone --cn 112233 --em    -> encode for EM4305/4469
---------------------------------------------------------------------------------------
lf visa2000 sim
Enables simulation of a visa2k card with the specified card number.
Simulation runs until the button is pressed or another USB command is issued.
usage: lf visa2000 sim [-h] --cn
options:
    -h, --help  This help
    --cn        Visa2k card ID
examples/notes:
    lf visa2000 sim --cn 1337
---------------------------------------------------------------------------------------
nfc type1
-------- -------------- NFC Forum Tag Type 1 ---------------
    read    read NFC Forum Tag Type 1
-------- --------------------- General ---------------------
    help    This help
---------------------------------------------------------------------------------------
nfc type1 read
Get info from Topaz tags
usage: hf topaz info [-hv] [-f ]
options:
    -h, --help     This help
    -f, --file     save raw NDEF to file
    -v, --verbose  verbose output
examples/notes:
    hf topaz info
    hf topaz info -f myfilename    -> save raw NDEF to file
---------------------------------------------------------------------------------------
nfc type2
-------- -------------- NFC Forum Tag Type 2 ---------------
    read    read NFC Forum Tag Type 2
-------- --------------------- General ---------------------
    help    This help
---------------------------------------------------------------------------------------
nfc type2 read
Prints NFC Data Exchange Format (NDEF)
usage: hf mfu ndefread [-hlv] [-k ] [-f ]
options:
    -h, --help     This help
    -k             Replace default key for NDEF
    -l             Swap entered key's endianness
    -f, --file     Save raw NDEF to file
    -v, --verbose  Verbose output
examples/notes:
    hf mfu ndefread                  -> shows NDEF data
    hf mfu ndefread -k ffffffff      -> shows NDEF data with key
    hf mfu ndefread -f myfilename    -> save raw NDEF to file
---------------------------------------------------------------------------------------
nfc type4a
-------- --------- NFC Forum Tag Type 4 ISO14443A ----------
    format      format ISO-14443-a tag as NFC Tag
    read        read NFC Forum Tag Type 4 A
    write       write NFC Forum Tag Type 4 A
    st25taread  read ST25TA as NFC Forum Tag Type 4
-------- --------------------- General ---------------------
    help        This help
---------------------------------------------------------------------------------------
nfc type4a format
Format an ISO14443-a Tag as an NFC tag with Data Exchange Format (NDEF)
usage: hf 14a ndefformat [-hv]
options:
    -h, --help     This help
    -v, --verbose  verbose output
examples/notes:
    hf 14a ndefformat
---------------------------------------------------------------------------------------
nfc type4a read
Read NFC Data Exchange Format (NDEF) file on Type 4 NDEF tag
usage: hf 14a ndefread [-hv] [-f ]
options:
    -h, --help     This help
    -f, --file     save raw NDEF to file
    -v, --verbose  verbose output
examples/notes:
    hf 14a ndefread
    hf 14a ndefread -f myfilename    -> save raw NDEF to file
---------------------------------------------------------------------------------------
nfc type4a write
Write raw NDEF hex bytes to tag. This command assumes the tag has already been NFC/NDEF formatted.
usage: hf 14a ndefwrite [-hpv] [-d ] [-f ]
options:
    -h, --help     This help
    -d             raw NDEF hex bytes
    -f, --file     write raw NDEF file to tag
    -p             fix NDEF record headers / terminator block if missing
    -v, --verbose  verbose output
examples/notes:
    hf 14a ndefwrite -d 0300FE    -> write empty record to tag
    hf 14a ndefwrite -f myfilename
    hf 14a ndefwrite -d 003fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031
---------------------------------------------------------------------------------------
nfc type4a st25taread
Read NFC Data Exchange Format (NDEF) file on ST25TA
usage: hf st25ta ndefread [-hv] [-p ] [-f ]
options:
    -h, --help     This help
    -p, --pwd      16 byte read password
    -f, --file     save raw NDEF to file
    -v, --verbose  verbose output
examples/notes:
    hf st25ta ndefread -p 82E80053D4CA5C0B656D852CC696C8A1
    hf st25ta ndefread -f myfilename    -> save raw NDEF to file
---------------------------------------------------------------------------------------
nfc type4b
-------- --------- NFC Forum Tag Type 4 ISO14443B -------------
    read    read NFC Forum Tag Type 4 B
-------- --------------------- General ---------------------
    help    This help
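The `-d` argument of `hf 14a ndefwrite` and `hf mf ndefwrite` is raw NDEF, and the two long examples above differ only in their wrapper: `003f...` is the Type 4 form (2-byte NLEN), `033f...` the Type 2 / MIFARE Classic form (TLV type 0x03, length, message, optional 0xFE terminator). The parser below is an added example, not Proxmark3 client code. It unwraps both forms and walks the NDEF records, using the smart-poster message from the page's own `hf 14a ndefwrite` example as input. The names `unwrap`, `parse_records`, `parse_ndef_hex` and `PAGE_EXAMPLE_14A` are this example's own.

```python
"""Parse the raw NDEF hex accepted by `hf 14a ndefwrite -d` and `hf mf ndefwrite -d`.

Added example, not Proxmark3 client code. Two wrappers are handled:
  * Type 4 (hf 14a ndefwrite): 2-byte big-endian NLEN, then the NDEF message
  * Type 2 / MIFARE Classic (hf mf ndefwrite, hf mfu ndefread): NDEF TLV
    0x03 <len> <message>, optionally followed by the 0xFE terminator TLV
The record walker decodes the header flags (MB/ME/CF/SR/IL/TNF) and the
well-known 'T' (text), 'U' (URI) and 'Sp' (smart poster, nested message) types.
"""
import struct

# NFC Forum RTD-URI prefix table, indexed by the first payload byte of a 'U' record
URI_PREFIXES = [
    "", "http://www.", "https://www.", "http://", "https://", "tel:", "mailto:",
    "ftp://anonymous:anonymous@", "ftp://ftp.", "ftps://", "sftp://", "smb://",
    "nfs://", "ftp://", "dav://", "news:", "telnet://", "imap:", "rtsp://",
    "urn:", "pop:", "sip:", "sips:", "tftp:", "btspp://", "btl2cap://",
    "btgoep://", "tcpobex://", "irdaobex://", "file://", "urn:epc:id:",
    "urn:epc:tag:", "urn:epc:pat:", "urn:epc:raw:", "urn:epc:", "urn:nfc:",
]
TNF_NAMES = {0: "empty", 1: "well-known", 2: "media", 3: "absolute-uri",
             4: "external", 5: "unknown", 6: "unchanged", 7: "reserved"}


def unwrap(raw: bytes, wrapper: str = "auto") -> bytes:
    """Strip the tag-type wrapper ('tlv', 'nlen' or 'auto') and return the NDEF message.
    'auto' treats a leading 0x03 as the TLV form; pass the wrapper explicitly for an
    NLEN >= 0x0300, where the first byte is also 0x03."""
    if wrapper == "tlv" or (wrapper == "auto" and raw[:1] == b"\x03"):
        length, off = raw[1], 2
        if length == 0xFF:                                  # 3-byte TLV length form
            length, off = struct.unpack(">H", raw[2:4])[0], 4
    else:                                                   # Type 4: NLEN + message
        length, off = struct.unpack(">H", raw[:2])[0], 2
    msg = raw[off:off + length]
    if len(msg) != length:
        raise ValueError("declared length exceeds supplied data")
    return msg


def parse_records(msg: bytes) -> list:
    """Walk one NDEF message and return a list of dicts, one per record."""
    if not msg:                                             # empty message is valid
        return []
    records, off = [], 0
    while off < len(msg):
        hdr = msg[off]
        mb, me, cf = bool(hdr & 0x80), bool(hdr & 0x40), bool(hdr & 0x20)
        sr, il, tnf = bool(hdr & 0x10), bool(hdr & 0x08), hdr & 0x07
        if cf:
            raise ValueError("chunked records not supported")
        if off == 0 and not mb:
            raise ValueError("first record lacks the MB flag")
        type_len = msg[off + 1]
        if sr:                                              # short record: 1-byte length
            payload_len, off = msg[off + 2], off + 3
        else:
            payload_len, off = struct.unpack(">I", msg[off + 2:off + 6])[0], off + 6
        id_len = 0
        if il:
            id_len, off = msg[off], off + 1
        rtype, off = msg[off:off + type_len], off + type_len
        rid, off = msg[off:off + id_len], off + id_len
        payload, off = msg[off:off + payload_len], off + payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated payload")
        rec = {"tnf": TNF_NAMES[tnf], "type": rtype.decode("ascii", "replace"),
               "id": rid, "payload": payload}
        if tnf == 1 and rtype == b"T":                      # RTD text: status byte + lang + text
            status = payload[0]
            lang_len, enc = status & 0x3F, ("utf-16" if status & 0x80 else "utf-8")
            rec["lang"] = payload[1:1 + lang_len].decode("ascii")
            rec["text"] = payload[1 + lang_len:].decode(enc)
        elif tnf == 1 and rtype == b"U":                    # RTD URI: prefix code + rest
            code = payload[0]
            prefix = URI_PREFIXES[code] if code < len(URI_PREFIXES) else ""
            rec["uri"] = prefix + payload[1:].decode("utf-8")
        elif tnf == 1 and rtype == b"Sp":                   # smart poster: nested message
            rec["children"] = parse_records(payload)
        records.append(rec)
        if me:
            return records
    raise ValueError("message ended without the ME flag")


def parse_ndef_hex(hexstr: str, wrapper: str = "auto") -> list:
    return parse_records(unwrap(bytes.fromhex(hexstr), wrapper))


# Smart-poster message copied from the `hf 14a ndefwrite -d` example on this page
PAGE_EXAMPLE_14A = ("003fd1023a53709101195405656e2d55534963656d616e2054776974746572"
                    "206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031")

if __name__ == "__main__":
    for rec in parse_ndef_hex(PAGE_EXAMPLE_14A):
        print(rec["tnf"], rec["type"])
        for child in rec.get("children", []):
            print("   ", child["type"], child.get("text") or child.get("uri"))
```

The parser trusts only the declared lengths, so a TLV form without the trailing `FE` still parses; that terminator is what the `-p` flag of `ndefwrite` adds when it is missing. The same function reads the `033f...` example given for `hf mf ndefwrite`, since the message bytes after the wrapper are identical.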
---------------------------------------------------------------------------------------
nfc type4b read
Print NFC Data Exchange Format (NDEF)
usage: hf 14b ndefread [-hv] [-f ]
options:
    -h, --help     This help
    -f, --file     Save raw NDEF to file
    -v, --verbose  Verbose output
examples/notes:
    hf 14b ndefread
    hf 14b ndefread -f myfilename    -> save raw NDEF to file
---------------------------------------------------------------------------------------
nfc mf
-------- --------- NFC Type MIFARE Classic/Plus Tag --------
    cformat  format MIFARE Classic Tag as NFC Tag
    cread    read NFC Type MIFARE Classic Tag
    cwrite   write NFC Type MIFARE Classic Tag
    pread    read NFC Type MIFARE Plus Tag
-------- --------------------- General ---------------------
    help     This help
---------------------------------------------------------------------------------------
nfc mf cformat
Format a MIFARE Classic Tag as an NFC tag with Data Exchange Format (NDEF).
If no key file is given, the UID is used as the filename.
It will try default keys and MAD keys to detect whether the tag is already formatted in order to write.
If not, it will try to find a key file based on your UID, i.e. if you ran autopwn before.
usage: hf mf ndefformat [-h] [-k ] [--mini] [--1k] [--2k] [--4k]
options:
    -h, --help  This help
    -k, --keys  filename of keys
    --mini      MIFARE Classic Mini / S20
    --1k        MIFARE Classic 1k / S50 (def)
    --2k        MIFARE Classic/Plus 2k
    --4k        MIFARE Classic 4k / S70
examples/notes:
    hf mf ndefformat
    hf mf ndefformat --1k                             -> MIFARE Classic 1k
    hf mf ndefformat --keys hf-mf-01020304-key.bin    -> MIFARE 1k with keys from specified file
---------------------------------------------------------------------------------------
nfc mf cread
Prints NFC Data Exchange Format (NDEF)
usage: hf mf ndefread [-hvb] [--aid ] [-k ] [-f ]
options:
    -h, --help     This help
    -v, --verbose  Verbose output
    --aid          replace default aid for NDEF
    -k, --key      replace default key for NDEF
    -b, --keyb     use key B for access sectors (by default: key A)
    -f, --file     save raw NDEF to file
examples/notes:
    hf mf ndefread                                  -> shows NDEF parsed data
    hf mf ndefread -vv                              -> shows NDEF parsed and raw data
    hf mf ndefread --aid e103 -k ffffffffffff -b    -> shows NDEF data with custom AID, key and with key B
    hf mf ndefread -f myfilename                    -> save raw NDEF to file
---------------------------------------------------------------------------------------
nfc mf cwrite
Write raw NDEF hex bytes to tag. This command assumes the tag has already been NFC/NDEF formatted.
usage: hf mf ndefwrite [-hpv] [-d ] [-f ] [--mini] [--1k] [--2k] [--4k]
options:
    -h, --help     This help
    -d             raw NDEF hex bytes
    -f, --file     write raw NDEF file to tag
    -p             fix NDEF record headers / terminator block if missing
    --mini         MIFARE Classic Mini / S20
    --1k           MIFARE Classic 1k / S50 (def)
    --2k           MIFARE Classic/Plus 2k
    --4k           MIFARE Classic 4k / S70
    -v, --verbose  verbose output
examples/notes:
    hf mf ndefwrite -d 0300FE    -> write empty record to tag
    hf mf ndefwrite -f myfilename
    hf mf ndefwrite -d 033fd1023a53709101195405656e2d55534963656d616e2054776974746572206c696e6b5101195502747769747465722e636f6d2f686572726d616e6e31303031
---------------------------------------------------------------------------------------
nfc mf pread
Prints NFC Data Exchange Format (NDEF)
usage: hf mfp ndefread [-hvb] [--aid ] [-k ] [-f ]
options:
    -h, --help     This help
    -v, --verbose  verbose output
    --aid          replace default aid for NDEF
    -k, --key      replace default key for NDEF
    -b, --keyb     use key B for access sectors (by default: key A)
    -f, --file     save raw NDEF to file
examples/notes:
    hf mfp ndefread
    hf mfp ndefread -vv                                               -> shows NDEF parsed and raw data
    hf mfp ndefread --aid e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7    -> shows NDEF data with custom AID and key
    hf mfp ndefread -f myfilename                                     -> save raw NDEF to file
---------------------------------------------------------------------------------------
nfc barcode
-------- ------------------ NFC Barcode --------------------
    read    read NFC Barcode
    sim     simulate NFC Barcode
-------- --------------------- General ---------------------
    help    This help
---------------------------------------------------------------------------------------
nfc barcode read
Get info from Thinfilm tags
usage: hf thinfilm info [-h]
options:
    -h, --help  This help
examples/notes:
    hf thinfilm info
---------------------------------------------------------------------------------------
nfc barcode sim
Simulate Thinfilm tag
usage: hf thinfilm sim [-h] -d [--raw]
options:
    -h, --help  This help
    -d, --data  bytes to send
    --raw       raw, provided bytes should include CRC
examples/notes:
    hf thinfilm sim -d B70470726f786d61726b2e636f6d
---------------------------------------------------------------------------------------
lf em 410x
    help    This help
    demod   demodulate an EM410x tag from the GraphBuffer
    reader  attempt to read and extract tag data
    sim     simulate EM410x tag
    brute   reader bruteforce attack by simulating EM410x tags
    watch   watches for EM410x 125/134 kHz tags
    spoof   watches for EM410x 125/134 kHz tags, and replays them
    clone   clone EM410x Tag ID to T55x7, Q5/T5555 or EM4305/4469
---------------------------------------------------------------------------------------
lf em 410x demod
Try to find EM 410x preamble, if found decode / descramble data
usage: lf em 410x demod [-hia] [--clk ] [--err ] [--len ] [--bin ]
options:
    -h, --help    This help
    --clk         clock (default autodetect)
    --err         maximum allowed errors (default 100)
    --len         maximum length
    -i, --invert  invert output
    -a, --amp     amplify signal
    --bin         Binary string, i.e. 0001001001
examples/notes:
    lf em 410x demod                        -> demod an EM410x Tag ID from GraphBuffer
    lf em 410x demod --clk 32               -> demod an EM410x Tag ID from GraphBuffer using a clock of RF/32
    lf em 410x demod --clk 32 -i            -> demod an EM410x Tag ID from GraphBuffer using a clock of RF/32 and inverting data
    lf em 410x demod -i                     -> demod an EM410x Tag ID from GraphBuffer while inverting data
    lf em 410x demod --clk 64 -i --err 0    -> demod an EM410x Tag ID from GraphBuffer using a clock of RF/64 and inverting data and allowing 0 demod errors
---------------------------------------------------------------------------------------
lf em 410x reader
read EM 410x tag
usage: lf em 410x reader [-hiab@v] [--clk ] [--err ] [--len ]
options:
    -h, --help     This help
    --clk          clock (default autodetect)
    --err          maximum allowed errors (default 100)
    --len          maximum length
    -i, --invert   invert output
    -a, --amp      amplify signal
    -b             break on first found
    -@             continuous reader mode
    -v, --verbose  verbose output
examples/notes:
    lf em 410x reader
    lf em 410x reader -@                     -> continuous reader mode
    lf em 410x reader --clk 32               -> using a clock of RF/32
    lf em 410x reader --clk 32 -i            -> using a clock of RF/32 and inverting data
    lf em 410x reader -i                     -> inverting data
    lf em 410x reader --clk 64 -i --err 0    -> using a clock of RF/64 and inverting data and allowing 0 demod errors
---------------------------------------------------------------------------------------
lf em 410x sim
Enables simulation of an EM 410x card.
Simulation runs until the button is pressed or another USB command is issued.
Most common readers expect the code to be sent in a loop without a break (i.e. --gap 0).
For other, more advanced readers there might be a need to set a non-zero gap value.
usage: lf em 410x sim [-h] [--clk ] --id [--gap ]
options:
    -h, --help     This help
    --clk <32|64>  clock (default 64)
    --id           EM Tag ID number (5 hex bytes)
    --gap          gap (0's) between ID repeats (default 0)
examples/notes:
    lf em 410x sim --id 0F0368568B
    lf em 410x sim --id 0F0368568B --clk 32
    lf em 410x sim --id 0F0368568B --gap 20
---------------------------------------------------------------------------------------
lf em 410x brute
bruteforcing by emulating EM 410x tags
usage: lf em 410x brute [-h] [--clk ] [--delay ] -f [--gap ]
options:
    -h, --help     This help
    --clk <32|64>  clock (default 64)
    --delay        pause delay in milliseconds between UIDs simulation (default 1000ms)
    -f, --file     file with EM Tag IDs, one id per line
    --gap          gap (0's) between ID repeats (default 20)
examples/notes:
    lf em 410x brute -f ids.txt
    lf em 410x brute -f ids.txt --clk 32
    lf em 410x brute -f ids.txt --delay 3000
    lf em 410x brute -f ids.txt --delay 3000 --clk 32
---------------------------------------------------------------------------------------
lf em 410x watch
Enables Electro Marine (EM) compatible reader mode, printing details of scanned tags.
Runs until the button is pressed or another USB command is issued.
usage: lf em 410x watch [-h]
options:
    -h, --help  This help
examples/notes:
    lf em 410x watch
---------------------------------------------------------------------------------------
lf em 410x spoof
Watch and spoof: activates reader mode and waits until an EM 410x tag is presented,
then the Proxmark3 starts simulating the found EM Tag ID.
usage: lf em 410x spoof [-h]
options:
    -h, --help  This help
examples/notes:
    lf em 410x spoof
---------------------------------------------------------------------------------------
lf em 410x clone
clone an EM410x ID to a T55x7, Q5/T5555, EM4305/4469 or Hitag S/8211/8268/8310 tag.
usage: lf em 410x clone [-h] [--clk ] --id [--q5] [--em] [--hts] [--electra]
options:
    -h, --help           This help
    --clk <16|32|40|64>  clock (default 64)
    --id                 EM Tag ID number (5 hex bytes)
    --q5                 optional - specify writing to Q5/T5555 tag
    --em                 optional - specify writing to EM4305/4469 tag
    --hts                optional - specify writing to Hitag S/8211/8268/8310 tag
    --electra            optional - add Electra blocks to tag
examples/notes:
    lf em 410x clone --id 0F0368568B         -> encode for T55x7 tag
    lf em 410x clone --id 0F0368568B --q5    -> encode for Q5/T5555 tag
    lf em 410x clone --id 0F0368568B --em    -> encode for EM4305/4469
    lf em 410x clone --id 0F0368568B --hts   -> encode for Hitag S/8211/8268/8310
---------------------------------------------------------------------------------------
lf em 4x05
----------- ----------------------- General -----------------------
    help       This help
----------- ----------------------- Operations -----------------------
    clonehelp  Shows the available clone commands
    brute      Bruteforce password
    chk        Check passwords
    config     Create common configuration words
    demod      Demodulate an EM4x05/EM4x69 tag from the GraphBuffer
    dump       Dump EM4x05/EM4x69 tag
    info       Tag information
    read       Read word data from EM4x05/EM4x69
    sniff      Attempt to recover em4x05 commands from sample buffer
    unlock     Execute tear off against EM4x05/EM4x69
    view       Display content from tag dump file
    wipe       Wipe EM4x05/EM4x69 tag
    write      Write word data to EM4x05/EM4x69
---------------------------------------------------------------------------------------
lf em 4x05 clonehelp
Display a list of available commands for cloning specific techs on EM4305/4469 tags
usage: lf em 4x05 clonehelp [-h]
options:
    -h, --help  This help
examples/notes:
    lf em 4x05 clonehelp
---------------------------------------------------------------------------------------
lf em 4x05 brute
This command tries to bruteforce the password of an EM4205/4305/4469/4569.
The loop runs on the device side; press the Proxmark3 button to abort.
usage: lf em 4x05 brute [-h] [-s ] [-n ]
options:
    -h, --help   This help
    -s, --start  Start bruteforce enumeration from this password value
    -n           Stop after having found n candidates. Default: 0 (infinite)
examples/notes:
    Note: if you get many false positives, change position on the antenna
    lf em 4x05 brute
    lf em 4x05 brute -n 1           -> stop after first candidate found
    lf em 4x05 brute -s 000022AA    -> start at 000022AA
---------------------------------------------------------------------------------------
lf em 4x05 chk
This command uses a dictionary attack against EM4205/4305/4469/4569
usage: lf em 4x05 chk [-h] [-f ] [-e ]
options:
    -h, --help  This help
    -f, --file  loads a default keys dictionary file <*.dic>
    -e, --em    try the calculated password from some cloners based on EM4100 ID
examples/notes:
    lf em 4x05 chk
    lf em 4x05 chk -e 000022B8              -> check password 000022B8
    lf em 4x05 chk -f t55xx_default_pwds    -> use T55xx default dictionary
---------------------------------------------------------------------------------------
lf em 4x05 config
Create common configuration blocks
usage: lf em 4x05 config [-h]
options:
    -h, --help  This help
examples/notes:
    lf em 4x05 config
---------------------------------------------------------------------------------------
lf em 4x05 demod
Try to find EM 4x05 preamble, if found decode / descramble data
usage: lf em 4x05 demod [-h]
options:
    -h, --help  This help
examples/notes:
    lf em 4x05 demod
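The EM410x commands above all move the same 40-bit ID around: `lf em 410x demod --bin` takes a raw bit string, `sim --id` and `clone --id` take the ID as 5 hex bytes, and `brute -f` takes a file of such IDs, one per line. The following is an added example, not Proxmark3 code. It implements the EM410x 64-bit frame (9-bit all-ones header, ten ID nibbles each followed by an even row-parity bit, four column-parity bits, stop bit) so the ID-to-bitstream mapping can be checked offline, decodes a frame out of a possibly rotated or inverted capture, and builds the kind of neighbour-ID list that `brute -f` consumes. The function names and the assumption that a site issues sequential serials are this example's own.

```python
"""EM410x (EM4100) ID <-> 64-bit frame codec, plus an ID-list generator for
`lf em 410x brute -f`. Added example, not Proxmark3 client code.

Frame layout (64 bits; Manchester-coded on air, plain '0'/'1' here):
  9 x '1'                              header / preamble
  10 x (4 ID bits + even row parity)   40-bit ID, most significant nibble first
  4 column parity bits                 even parity down each bit column
  '0'                                  stop bit
"""
HEADER = "1" * 9
INVERT = str.maketrans("01", "10")


def encode_em410x(tag_id: int) -> str:
    """Return the 64-bit frame (as a '0'/'1' string) for a 40-bit EM410x ID."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM410x ID must be 40 bits (5 hex bytes)")
    bits, col_parity = HEADER, 0
    for i in range(10):
        nibble = (tag_id >> (4 * (9 - i))) & 0xF
        row = f"{nibble:04b}"
        bits += row + str(row.count("1") & 1)      # even parity over the row
        col_parity ^= nibble                        # XOR accumulates column parity
    bits += f"{col_parity:04b}" + "0"               # column parities, then stop bit
    return bits


def _check_frame(frame: str):
    """Validate all 14 parity bits of a 64-bit frame; return the ID or None."""
    tag_id, cols = 0, 0
    for i in range(10):
        row = frame[9 + 5 * i: 14 + 5 * i]
        if row.count("1") & 1:                      # row incl. its parity bit must be even
            return None
        nibble = int(row[:4], 2)
        cols ^= nibble
        tag_id = (tag_id << 4) | nibble
    if int(frame[59:63], 2) != cols or frame[63] != "0":
        return None
    return tag_id


def decode_em410x(bits: str):
    """Find a valid frame in a bit string such as `lf em 410x demod --bin` input.
    Tolerates a capture that starts mid-frame (wrap-around) and an inverted
    stream (what `lf em 410x demod -i` corrects for). Returns the ID or None."""
    for stream in (bits, bits.translate(INVERT)):
        doubled = stream + stream                   # lets a wrapped frame be read whole
        start = 0
        while (pos := doubled.find(HEADER, start)) != -1 and pos < len(stream):
            tag_id = _check_frame(doubled[pos:pos + 64])
            if tag_id is not None:
                return tag_id
            start = pos + 1
    return None


def neighbour_ids(known_id: int, span: int = 256) -> list:
    """IDs for `lf em 410x brute -f ids.txt`: the known ID with its low bits swept
    +/- span, excluding the known ID itself. Assumption (this example's own):
    the site issues sequential serials, so neighbours are likely valid."""
    lo = max(0, known_id - span)
    hi = min((1 << 40) - 1, known_id + span)
    return [f"{i:010X}" for i in range(lo, hi + 1) if i != known_id]


if __name__ == "__main__":
    frame = encode_em410x(0x0F0368568B)             # ID from the `lf em 410x sim` example
    print(frame)
    print(hex(decode_em410x(frame[20:] + frame[:20])))   # decode from a rotated capture
    print("\n".join(neighbour_ids(0x0F0368568B, 2)))      # lines for ids.txt
```

Because the only run of nine consecutive ones in a well-formed frame is the header, the search cannot lock onto ID data, and every candidate is still parity-checked before an ID is returned. Write the `neighbour_ids` output to a file and pass it with `lf em 410x brute -f`; the `--delay` value above sets how long each candidate is presented to the reader.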
---------------------------------------------------------------------------------------
lf em 4x05 dump
Dump EM4x05/EM4x69. Tag must be on antenna.
usage: lf em 4x05 dump [-h] [-p ] [-f ] [--ns]
options:
    -h, --help  This help
    -p, --pwd   password (00000000)
    -f, --file  override filename prefix (optional). Default is based on UID
    --ns        no save to file
examples/notes:
    lf em 4x05 dump
    lf em 4x05 dump -p 11223344
    lf em 4x05 dump -f myfile -p 11223344
---------------------------------------------------------------------------------------
lf em 4x05 info
Tag information for EM4205/4305/4469/4569 tags. Tag must be on antenna.
usage: lf em 4x05 info [-hv] [-p ]
options:
    -h, --help     This help
    -p, --pwd      optional - password, 4 hex bytes
    -v, --verbose  Verbose output
examples/notes:
    lf em 4x05 info
    lf em 4x05 info -p 11223344
---------------------------------------------------------------------------------------
lf em 4x05 read
Read EM4x05/EM4x69. Tag must be on antenna.
usage: lf em 4x05 read [-h] -a [-p ]
options:
    -h, --help  This help
    -a, --addr  memory address to read (0-15)
    -p, --pwd   optional - password, 4 bytes hex
examples/notes:
    lf em 4x05 read -a 1
    lf em 4x05 read --addr 1 --pwd 11223344
---------------------------------------------------------------------------------------
lf em 4x05 sniff
Sniff EM4x05 commands sent from a programmer
usage: lf em 4x05 sniff [-h1r]
options:
    -h, --help  This help
    -1, --buf   Use the data in the buffer
    -r, --rev   Reverse the bit order for data blocks
examples/notes:
    lf em 4x05 sniff       -> sniff via lf sniff
    lf em 4x05 sniff -1    -> sniff from data loaded into the buffer
    lf em 4x05 sniff -r    -> reverse the bit order when showing block data
---------------------------------------------------------------------------------------
lf em 4x05 unlock
execute tear off against EM4205/4305/4469/4569
usage: lf em 4x05 unlock [-hv] [-n ] [-s ] [-e ] [-p ]
options:
    -h, --help     This help
    -n             steps to skip
    -s, --start    start scan from delay (us)
    -e, --end      end scan at delay (us)
    -p, --pwd      password (def 00000000)
    -v, --verbose  verbose output
examples/notes:
    lf em 4x05 unlock
    lf em 4x05 unlock -s 4100 -e 4100            -> lock on and autotune at 4100us
    lf em 4x05 unlock -n 10 -s 3000 -e 4400      -> scan delays 3000us -> 4400us
---------------------------------------------------------------------------------------
lf em 4x05 view
Print an EM4205/4305/4369/4469 dump file
note: we don't track whether the password is known in current dump file formats; an all-zeros password block might be filler data.
usage: lf em 4x05 view [-hv] -f
options:
    -h, --help     This help
    -f, --file     Specify a filename for dump file
    -v, --verbose  Verbose output
examples/notes:
    lf em 4x05 view -f lf-4x05-01020304-dump.json
---------------------------------------------------------------------------------------
lf em 4x05 wipe
Wipe EM4x05/EM4x69. Tag must be on antenna.
usage: lf em 4x05 wipe [-h] [--4205] [--4305] [--4369] [--4469] [-p ]
options:
    -h, --help  This help
    --4205      target chip type EM 4205
    --4305      target chip type EM 4305 (default)
    --4369      target chip type EM 4369
    --4469      target chip type EM 4469
    -p, --pwd   optional - password, 4 bytes hex
examples/notes:
    lf em 4x05 wipe --4305 -p 11223344    -> wipe EM 4305 with pwd
    lf em 4x05 wipe --4205                -> wipe EM 4205
    lf em 4x05 wipe --4369                -> wipe EM 4369
---------------------------------------------------------------------------------------
lf em 4x05 write
Write EM4x05/EM4x69. Tag must be on antenna.
usage: lf em 4x05 write [-h] [-a ] -d [-p ] [--po]
options:
    -h, --help  This help
    -a, --addr  memory address to write to (0-13)
    -d, --data  data to write (4 hex bytes)
    -p, --pwd   password (4 hex bytes)
    --po        protect operation
examples/notes:
    lf em 4x05 write -a 1 -d deadc0de
    lf em 4x05 write --addr 1 --pwd 11223344 --data deadc0de
    lf em 4x05 write --po --pwd 11223344 --data deadc0de
---------------------------------------------------------------------------------------
lf em 4x50
    help     This help
----------- --------------------- operations ---------------------
    brute    Bruteforce attack to find password
    chk      Check passwords
    dump     Dump EM4x50 tag
    info     Tag information
    login    Login into EM4x50 tag
    rdbl     Read EM4x50 word data
    reader   Show standard read mode data
    restore  Restore EM4x50 dump to tag
    view     Display content from tag dump file
    wipe     Wipe EM4x50 tag
    wrbl     Write EM4x50 word data
    wrpwd    Change EM4x50 password
----------- --------------------- simulation ---------------------
    eload    Upload file into emulator memory
    esave    Save emulator memory to file
    eview    View emulator memory
    sim      Simulate EM4x50 tag
---------------------------------------------------------------------------------------
lf em 4x50 brute
Tries to bruteforce the password of an EM4x50 card.
The function can be stopped by pressing the pm3 button.
usage: lf em 4x50 brute [-h] --mode [--begin ] [--end ] [--digits] [--uppercase]
options:
    -h, --help   This help
    --mode       Bruteforce mode (range|charset|smart)
    --begin      Range mode - start of the key range
    --end        Range mode - end of the key range
    --digits     Charset mode - include ASCII codes for digits
    --uppercase  Charset mode - include ASCII codes for uppercase letters
examples/notes:
    lf em 4x50 brute --mode range --begin 12330000 --end 12340000    -> tries pwds from 0x12330000 to 0x12340000
    lf em 4x50 brute --mode charset --digits --uppercase             -> tries all combinations of ASCII codes for digits and uppercase letters
    lf em 4x50 brute --mode smart                                    -> enable 'smart' pattern key cracking
---------------------------------------------------------------------------------------
lf em 4x50 chk
Run dictionary key recovery against EM4x50 card.
usage: lf em 4x50 chk [-h] [-f ]
options:
    -h, --help  This help
    -f, --file  specify dictionary filename
examples/notes:
    lf em 4x50 chk              -> uses T55xx default dictionary
    lf em 4x50 chk -f my.dic
---------------------------------------------------------------------------------------
lf em 4x50 dump
Reads all blocks/words from EM4x50 tag and saves dump in (bin/json) format
usage: lf em 4x50 dump [-h] [-f ] [-p ] [--ns]
options:
    -h, --help  This help
    -f, --file  specify dump filename
    -p, --pwd   password, 4 hex bytes, lsb
    --ns        no save to file
examples/notes:
    lf em 4x50 dump
    lf em 4x50 dump -f mydump
    lf em 4x50 dump -p 12345678
    lf em 4x50 dump -f mydump -p 12345678
---------------------------------------------------------------------------------------
lf em 4x50 info
Tag information EM4x50.
usage: lf em 4x50 info [-hv] [-p ]
options:
    -h, --help     This help
    -p, --pwd      password, 4 hex bytes, lsb
    -v, --verbose  verbose output
examples/notes:
    lf em 4x50 info
    lf em 4x50 info -v              -> show data section
    lf em 4x50 info -p 12345678     -> uses pwd 0x12345678
---------------------------------------------------------------------------------------
lf em 4x50 login
Login into EM4x50 tag.
usage: lf em 4x50 login [-h] -p
options:
    -h, --help       This help
    -p, --passsword  password, 4 bytes, lsb
examples/notes:
    lf em 4x50 login -p 12345678    -> login with password 12345678
---------------------------------------------------------------------------------------
lf em 4x50 rdbl
Reads single EM4x50 block/word.
usage: lf em 4x50 rdbl [-h] -b [-p ]
options:
    -h, --help   This help
    -b, --block  block/word address
    -p, --pwd    password, 4 hex bytes, lsb
examples/notes:
    lf em 4x50 rdbl -b 3
    lf em 4x50 rdbl -b 32 -p 12345678    -> reads block 32 with pwd 0x12345678
---------------------------------------------------------------------------------------
lf em 4x50 reader
Shows standard read data of EM4x50 tag.
usage: lf em 4x50 reader [-h@]
options:
    -h, --help  This help
    -@          optional - continuous reader mode
examples/notes:
    lf em 4x50 reader
    lf em 4x50 reader -@    -> continuous reader mode
---------------------------------------------------------------------------------------
lf em 4x50 restore
Restores data from dumpfile (bin/eml/json) onto an EM4x50 tag.
If used with -u, the file template `lf-4x50-UID-dump.bin` is used as the filename.
usage: lf em 4x50 restore [-h] [-u ] [-f ] [-p ]
options:
    -h, --help  This help
    -u, --uid   uid, 4 hex bytes, msb
    -f, --file  specify a filename for dump file
    -p, --pwd   password, 4 hex bytes, lsb
examples/notes:
    lf em 4x50 restore -u 1b5aff5c                  -> uses lf-4x50-1B5AFF5C-dump.bin
    lf em 4x50 restore -f mydump.eml
    lf em 4x50 restore -u 1b5aff5c -p 12345678
    lf em 4x50 restore -f mydump.eml -p 12345678
---------------------------------------------------------------------------------------
lf em 4x50 view
Print an EM4x50 dump file
usage: lf em 4x50 view [-h] [-f ]
options:
    -h, --help  This help
    -f, --file  specify a filename for dump file
examples/notes:
    lf em 4x50 view -f lf-4x50-01020304-dump.json
---------------------------------------------------------------------------------------
lf em 4x50 wipe
Wipes an EM4x50 tag by filling it with zeros, including the new password.
A password must be given.
usage: lf em 4x50 wipe [-h] -p
options:
    -h, --help       This help
    -p, --passsword  password, 4 bytes, lsb
examples/notes:
    lf em 4x50 wipe -p 12345678
---------------------------------------------------------------------------------------
lf em 4x50 wrbl
Writes single block/word to EM4x50 tag.
usage: lf em 4x50 wrbl [-h] -b -d [-p ]
options:
    -h, --help   This help
    -b, --block  block/word address, dec
    -d, --data   data, 4 bytes, lsb
    -p, --pwd    password, 4 bytes, lsb
examples/notes:
    lf em 4x50 wrbl -b 3 -d 4f22e7ff
    lf em 4x50 wrbl -b 3 -d 4f22e7ff -p 12345678
---------------------------------------------------------------------------------------
lf em 4x50 wrpwd
Writes EM4x50 password.
usage: lf em 4x50 wrpwd [-h] -p -n
options:
    -h, --help  This help
    -p, --pwd   password, 4 hex bytes, lsb
    -n, --new   new password, 4 hex bytes, lsb
examples/notes:
    lf em 4x50 wrpwd -p 4f22e7ff -n 12345678
---------------------------------------------------------------------------------------
lf em 4x50 eload
Loads EM4x50 tag dump (bin/eml/json) into emulator memory on device
usage: lf em 4x50 eload [-h] -f
options:
    -h, --help  This help
    -f, --file  Specify a filename for dump file
examples/notes:
    lf em 4x50 eload -f mydump.bin
---------------------------------------------------------------------------------------
lf em 4x50 esave
Saves bin/json dump file of emulator memory.
usage: lf em 4x50 esave [-h] [-f ]
options:
    -h, --help  This help
    -f, --file  specify filename
examples/notes:
    lf em 4x50 esave              -> use UID as filename
    lf em 4x50 esave -f mydump
---------------------------------------------------------------------------------------
lf em 4x50 eview
Displays em4x50 content of emulator memory.
usage: lf em 4x50 eview [-h]
options:
    -h, --help  This help
examples/notes:
    lf em 4x50 eview
---------------------------------------------------------------------------------------
lf em 4x50 sim
Simulates an EM4x50 tag.
First upload to device using `lf em 4x50 eload`
usage: lf em 4x50 sim [-h] [-p ]
options:
    -h, --help       This help
    -p, --passsword  password, 4 bytes, lsb
examples/notes:
    lf em 4x50 sim
    lf em 4x50 sim -p 27182818    -> uses password for eload data
---------------------------------------------------------------------------------------
lf em 4x70
    help         This help
    brute        Bruteforce EM4X70 to find partial key
    info         Tag information EM4x70
    write        Write EM4x70
    unlock       Unlock EM4x70 for writing
    auth         Authenticate EM4x70
    setpin       Write PIN
    setkey       Write key
    calc         Calculate EM4x70 challenge and response
    recover      Recover remaining key from partial key
    autorecover  Recover entire key from writable tag
---------------------------------------------------------------------------------------
lf em 4x70 brute
Optimized partial key-update attack on 16-bit key block 7, 8 or 9 of an EM4x70.
This attack does NOT write anything to the tag.
Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'.
After success, the 16-bit key block has to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'
usage: lf em 4x70 brute [-h] [--par] -b --rnd --frn [-s ]
options:
    -h, --help   This help
    --par        Add parity bit when sending commands
    -b, --block  block/word address, dec
    --rnd        Random 56-bit
    --frn        F(RN) 28-bit as 4 hex bytes
    -s, --start  Start bruteforce enumeration from this key value
examples/notes:
    lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70    -> bruteforcing key bits k95...k80 (pm3 test key)
    lf em 4x70 brute -b 8 --rnd 3FFE1FB6CC513F --frn F355F1A0    -> bruteforcing key bits k79...k64 (research paper key)
    lf em 4x70 brute -b 7 --rnd 7D5167003571F8 --frn 982DBCC0    -> bruteforcing key bits k63...k48 (autorecovery test key)
---------------------------------------------------------------------------------------
lf em 4x70 info
Tag Information EM4x70
Tag variants include the ID48 automotive transponder.
ID48 does not use command parity (default).
V4070 and EM4170 do require the parity bit.
usage: lf em 4x70 info [-h] [--par] options: -h, --help This help --par Add parity bit when sending commands examples/notes: lf em 4x70 info lf em 4x70 info --par -> adds parity bit to command --------------------------------------------------------------------------------------- lf em 4x70 write Write EM4x70 usage: lf em 4x70 write [-h] [--par] -b -d options: -h, --help This help --par Add parity bit when sending commands -b, --block block/word address, dec -d, --data data, 2 bytes examples/notes: lf em 4x70 write -b 15 -d c0de -> write 'c0de' to block 15 lf em 4x70 write -b 15 -d c0de --par -> adds parity bit to commands --------------------------------------------------------------------------------------- lf em 4x70 unlock Unlock EM4x70 by sending PIN Default pin may be: AAAAAAAA 00000000 usage: lf em 4x70 unlock [-h] [--par] -p options: -h, --help This help --par Add parity bit when sending commands -p, --pin pin, 4 bytes examples/notes: lf em 4x70 unlock -p 11223344 -> Unlock with PIN lf em 4x70 unlock -p 11223344 --par -> Unlock with PIN using parity commands --------------------------------------------------------------------------------------- lf em 4x70 auth Authenticate against an EM4x70 by sending random number (RN) and F(RN) If F(RN) is incorrect based on the tag key, the tag will not respond If F(RN) is correct based on the tag key, the tag will give a 20-bit response usage: lf em 4x70 auth [-h] [--par] --rnd --frn options: -h, --help This help --par Add parity bit when sending commands --rnd Random 56-bit --frn F(RN) 28-bit as 4 hex bytes examples/notes: lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 -> (using pm3 test key) lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 -> (using research paper key) lf em 4x70 auth --rnd 7D5167003571F8 --frn 982DBCC0 -> (autorecovery test key) --------------------------------------------------------------------------------------- lf em 4x70 setpin Write new PIN usage: lf em 4x70 setpin [-h] [--par] -p 
options: -h, --help This help --par Add parity bit when sending commands -p, --pin pin, 4 bytes examples/notes: lf em 4x70 setpin -p 11223344 -> Write new PIN lf em 4x70 setpin -p 11223344 --par -> Write new PIN using parity commands --------------------------------------------------------------------------------------- lf em 4x70 setkey Write new 96-bit key to tag usage: lf em 4x70 setkey [-h] [--par] -k options: -h, --help This help --par Add parity bit when sending commands -k, --key Key as 12 hex bytes examples/notes: lf em 4x70 setkey -k F32AA98CF5BE4ADFA6D3480B (pm3 test key) lf em 4x70 setkey -k A090A0A02080000000000000 (research paper key) lf em 4x70 setkey -k 022A028C02BE000102030405 (autorecovery test key) --------------------------------------------------------------------------------------- lf em 4x70 calc Calculates both the reader and tag challenge for a user-provided key and rnd. usage: lf em 4x70 calc [-h] --key --rnd options: -h, --help This help --key Key 96-bit as 12 hex bytes --rnd 56-bit random value sent to tag for authentication examples/notes: lf em 4x70 calc --key F32AA98CF5BE4ADFA6D3480B --rnd 45F54ADA252AAC (pm3 test key) lf em 4x70 calc --key A090A0A02080000000000000 --rnd 3FFE1FB6CC513F (research paper key) lf em 4x70 calc --key 022A028C02BE000102030405 --rnd 7D5167003571F8 (autorecovery test key) --------------------------------------------------------------------------------------- lf em 4x70 recover After obtaining key bits 95..48 (such as via 'lf em 4x70 brute'), this command will recover key bits 47..00. By default, this process does NOT require a tag to be present. By default, the potential keys are shown (typically 1-6) along with a corresponding 'lf em 4x70 auth' command that will authenticate, if that potential key is correct. The user can copy/paste these commands when the tag is present to manually check which of the potential keys is correct. 
usage: lf em 4x70 recover [-h] [--par] -k --rnd --frn --grn options: -h, --help This help --par Add parity bit when sending commands -k, --key Key as 6 hex bytes --rnd Random 56-bit --frn F(RN) 28-bit as 4 hex bytes --grn G(RN) 20-bit as 3 hex bytes examples/notes: lf em 4x70 recover --key F32AA98CF5BE --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key) lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key) lf em 4x70 recover --key 022A028C02BE --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key) --------------------------------------------------------------------------------------- lf em 4x70 autorecover This command will perform automatic recovery of the key from a writable tag. All steps are possible to do manually. The corresponding sequence, if done manually, is as follows: 1. Verify passed parameters authenticate with the tag (safety check) lf em 4x70 auth --rnd --frn 2. Brute force the key bits in block 9 lf em 4x70 write -b 9 -d 0000 lf em 4x70 recover -b 9 --rnd --frn lf em 4x70 write -b 9 -d 3. Brute force the key bits in block 8 lf em 4x70 write -b 8 -d 0000 lf em 4x70 recover -b 8 --rnd --frn lf em 4x70 write -b 8 -d 4. Brute force the key bits in block 7 lf em 4x70 write -b 7 -d 0000) lf em 4x70 recover -b 7 --rnd --frn lf em 4x70 write -b 7 -d 5. Recover potential values of the lower 48 bits of the key lf em 4x70 recover --key --rnd --frn 6. Verify which potential key is actually on the tag (using a different rnd/frn combination) lf em 4x70 auth --rnd --frn 7. Print the validated key This command simply requires the rnd/frn/grn from a single known-good authentication. 
usage: lf em 4x70 autorecover [-h] [--par] --rnd --frn --grn options: -h, --help This help --par Add parity bit when sending commands --rnd Random 56-bit from known-good authentication --frn F(RN) 28-bit as 4 hex bytes from known-good authentication --grn G(RN) 20-bit as 3 hex bytes from known-good authentication examples/notes: lf em 4x70 autorecover --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key) lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key) lf em 4x70 autorecover --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key) --------------------------------------------------------------------------------------- lf hitag hts help This help list List Hitag S trace history ----------- ----------------------- General ------------------------ reader Act like a Hitag S reader rdbl Read Hitag S page dump Dump Hitag S pages to a file restore Restore Hitag S memory from dump file wrbl Write Hitag S page ----------- ----------------------- Simulation ----------------------- sim Simulate Hitag S transponder --------------------------------------------------------------------------------------- lf hitag hts list Alias of `trace list -t hitags` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. 
Note that some might not be relevant for this specific protocol usage: lf hitag hts list [-h1crux] [--frame] [-f ] options: -h, --help This help -1, --buffer use data from trace buffer --frame show frame delay times -c mark CRC bytes -r show relative times (gap and duration) -u display times in microseconds instead of clock cycles -x show hexdump to convert to pcap(ng) or to import into Wireshark using encapsulation type "ISO 14443" -f, --file filename of dictionary examples/notes: lf hitag hts list --frame -> show frame delay times lf hitag hts list -1 -> use trace buffer --------------------------------------------------------------------------------------- lf hitag hts reader Act as a Hitag S reader. Look for Hitag S tags until Enter or the pm3 button is pressed usage: lf hitag hts reader [-h@] options: -h, --help This help -@ continuous reader mode examples/notes: lf hitag hts reader lf hitag hts reader -@ -> Continuous mode --------------------------------------------------------------------------------------- lf hitag hts rdbl Read Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399 usage: lf hitag hts rdbl [-h8] [--nrar ] [--crypto] [-k ] [-m ] [-p ] [-c ] options: -h, --help This help -8, --82xx 8268/8310 mode --nrar nonce / answer writer, 8 hex bytes --crypto crypto mode -k, --key pwd or key, 4 or 6 hex bytes -m, --mode response protocol mode. 0 (Standard 00110), 1 (Advanced 11000), 2 (Advanced 11001), 3 (Fast Advanced 11010) (def: 3) -p, --page page address to read from -c, --count how many pages to read. 
'0' reads all pages up to the end page (def: 1) examples/notes: lf hitag hts rdbl -p 1 -> Hitag S/8211, plain mode lf hitag hts rdbl -p 1 --82xx -k BBDD3399 -> 8268/8310, password mode lf hitag hts rdbl -p 1 --nrar 0102030411223344 -> Hitag S, challenge mode lf hitag hts rdbl -p 1 --crypto -> Hitag S, crypto mode, def key lf hitag hts rdbl -p 1 -k 4F4E4D494B52 -> Hitag S, crypto mode --------------------------------------------------------------------------------------- lf hitag hts dump Read all Hitag S memory and save to file Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399 usage: lf hitag hts dump [-h8] [--nrar ] [--crypto] [-k ] [-m ] [-f ] [--ns] options: -h, --help This help -8, --82xx 8268/8310 mode --nrar nonce / answer writer, 8 hex bytes --crypto crypto mode -k, --key pwd or key, 4 or 6 hex bytes -m, --mode response protocol mode. 0 (Standard 00110), 1 (Advanced 11000), 2 (Advanced 11001), 3 (Fast Advanced 11010) (def: 3) -f, --file specify file name --ns no save to file examples/notes: lf hitag hts dump --82xx -> use def pwd lf hitag hts dump --82xx -k BBDD3399 -> pwd mode lf hitag hts dump --crypto -> use def crypto lf hitag hts dump -k 4F4E4D494B52 -> crypto mode lf hitag hts dump --nrar 0102030411223344 --------------------------------------------------------------------------------------- lf hitag hts restore Restore a dump file onto Hitag S tag Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399 usage: lf hitag hts restore [-h8] [--nrar ] [--crypto] [-k ] [-m ] [-f ] options: -h, --help This help -8, --82xx 8268/8310 mode --nrar nonce / answer writer, 8 hex bytes --crypto crypto mode -k, --key pwd or key, 4 or 6 hex bytes -m, --mode response protocol mode. 
0 (Standard 00110), 1 (Advanced 11000), 2 (Advanced 11001), 3 (Fast Advanced 11010) (def: 3) -f, --file specify file name examples/notes: lf hitag hts restore -f myfile --82xx -> use def pwd lf hitag hts restore -f myfile --82xx -k BBDD3399 -> pwd mode lf hitag hts restore -f myfile --crypto -> use def crypto lf hitag hts restore -f myfile -k 4F4E4D494B52 -> crypto mode lf hitag hts restore -f myfile --nrar 0102030411223344 --------------------------------------------------------------------------------------- lf hitag hts wrbl Write a page in Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399 usage: lf hitag hts wrbl [-h8] [--nrar ] [--crypto] [-k ] [-m ] -p -d options: -h, --help This help -8, --82xx 8268/8310 mode --nrar nonce / answer writer, 8 hex bytes --crypto crypto mode -k, --key pwd or key, 4 or 6 hex bytes -m, --mode response protocol mode. 0 (Standard 00110), 1 (Advanced 11000), 2 (Advanced 11001), 3 (Fast Advanced 11010) (def: 3) -p, --page page address to write to -d, --data data, 4 hex bytes examples/notes: lf hitag hts wrbl -p 6 -d 01020304 -> Hitag S/8211, plain mode lf hitag hts wrbl -p 6 -d 01020304 --82xx -> use def pwd lf hitag hts wrbl -p 6 -d 01020304 --82xx -k BBDD3399 -> 8268/8310, password mode lf hitag hts wrbl -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag S, challenge mode lf hitag hts wrbl -p 6 -d 01020304 --crypto -> Hitag S, crypto mode, default key lf hitag hts wrbl -p 6 -d 01020304 -k 4F4E4D494B52 -> Hitag S, crypto mode --------------------------------------------------------------------------------------- lf hitag hts sim Simulate Hitag S transponder You need to `lf hitag hts eload` first usage: lf hitag hts sim [-h8] options: -h, --help This help -8, --82xx simulate 8268/8310 examples/notes: lf hitag hts sim lf hitag hts sim --82xx ---------------------------------------------------------------------------------------