From 422ca0de20734be83c5a056142bb6385d0b33cf8 Mon Sep 17 00:00:00 2001 From: Philippe Teuwen Date: Tue, 6 Oct 2020 12:17:32 +0200 Subject: [PATCH] update commands.md --- doc/commands.md | 1558 +++++++++++++++++++++++++---------------------- 1 file changed, 825 insertions(+), 733 deletions(-) diff --git a/doc/commands.md b/doc/commands.md index 487d91e29..94d28dfdf 100644 --- a/doc/commands.md +++ b/doc/commands.md @@ -1,913 +1,1005 @@ # Proxmark3 command dump - + Some commands are available only if a Proxmark3 is actually connected. - + Check column "offline" for their availability. - - -|command |offline |description -|------- |------- |----------- -|`help `|Y |`This help. Use ' help' for details of a particular command.` -|`auto `|N |`Automated detection process for unknown tags` -|`msleep `|Y |`Add a pause in milliseconds` -|`rem `|Y |`Add a text line in log file` -|`quit `|Y |`` -|`exit `|Y |`Exit program` - + +|command |offline |description +|------- |------- |----------- +|`auto `|N |`Automated detection process for unknown tags` +|`clear `|Y |`clear screen` +|`help `|Y |`This help. Use ' help' for details of a particular command.` +|`hints `|Y |`Turn hints on / off` +|`msleep `|Y |`Add a pause in milliseconds` +|`pref `|Y |`Edit preferences` +|`rem `|Y |`Add a text line in log file` +|`quit `|Y |`` +|`exit `|Y |`Exit program` + + ### analyse { Analyse utils... } - -|command |offline |description -|------- |------- |----------- -|`analyse help `|Y |`This help` -|`analyse lcr `|Y |`Generate final byte for XOR LRC` -|`analyse crc `|Y |`Stub method for CRC evaluations` -|`analyse chksum `|Y |`Checksum with adding, masking and one's complement` -|`analyse dates `|Y |`Look for datestamps in a given array of bytes` -|`analyse tea `|Y |`Crypto TEA test` -|`analyse lfsr `|Y |`LFSR tests` -|`analyse a `|Y |`num bits test` -|`analyse nuid `|Y |`create NUID from 7byte UID` -|`analyse demodbuff `|Y |`Load binary string to demodbuffer` - +|command |offline |description +|------- |------- |----------- +|`analyse help `|Y |`This help` +|`analyse lcr `|Y |`Generate final byte for XOR LRC` +|`analyse crc `|Y |`Stub method for CRC evaluations` +|`analyse chksum `|Y |`Checksum with adding, masking and one's complement` +|`analyse dates `|Y |`Look for datestamps in a given array of bytes` +|`analyse tea `|Y |`Crypto TEA test` +|`analyse lfsr `|Y |`LFSR tests` +|`analyse a `|Y |`num bits test` +|`analyse nuid `|Y |`create NUID from 7byte UID` +|`analyse demodbuff `|Y |`Load binary string to demodbuffer` +|`analyse freq `|Y |`Calc wave lengths` + + ### data { Plot window / data buffer manipulation... } - -|command |offline |description -|------- |------- |----------- -|`data help `|Y |`This help` -|`data askedgedetect `|Y |`[threshold] Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)` -|`data autocorr `|Y |`[window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)` -|`data biphaserawdecode `|Y |`[offset] [invert<0|1>] [maxErr] -- Biphase decode bin stream in DemodBuffer (offset = 0|1 bits to shift the decode start)` -|`data bin2hex `|Y |` -- Converts binary to hexadecimal` -|`data bitsamples `|N |`Get raw samples as bitstring` -|`data buffclear `|Y |`Clears bigbuff on deviceside and graph window` -|`data convertbitstream `|Y |`Convert GraphBuffer's 0/1 values to 127 / -127` -|`data dec `|Y |`Decimate samples` -|`data detectclock `|Y |`[] Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer` -|`data fsktonrz `|Y |`Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)` -|`data getbitstream `|Y |`Convert GraphBuffer's >=1 values to 1 and <1 to 0` -|`data grid `|Y |` -- overlay grid on graph window, use zero value to turn off either` -|`data hexsamples `|N |` [] -- Dump big buffer as hex bytes` -|`data hex2bin `|Y |` -- Converts hexadecimal to binary` -|`data hide `|Y |`Hide graph window` -|`data hpf `|Y |`Remove DC offset from trace` -|`data load `|Y |` -- Load trace (to graph window` -|`data ltrim `|Y |` -- Trim samples from left of trace` -|`data rtrim `|Y |` -- Trim samples from right of trace` -|`data mtrim `|Y |` -- Trim out samples from the specified start to the specified stop` -|`data manrawdecode `|Y |`[invert] [maxErr] -- Manchester decode binary stream in DemodBuffer` -|`data norm `|Y |`Normalize max/min to +/-128` -|`data plot `|Y |`Show graph window (hit 'h' in window for keystroke help)` -|`data printdemodbuffer `|Y |`[x] [o] [l] -- print the data in the DemodBuffer - 'x' for hex output` -|`data rawdemod `|Y |`[modulation] ... -see help (h option) -- Demodulate the data in the GraphBuffer and output binary` -|`data samples `|N |`[512 - 40000] -- Get raw samples for graph window (GraphBuffer)` -|`data save `|Y |`Save trace (from graph window)` -|`data setgraphmarkers `|Y |`[orange_marker] [blue_marker] (in graph window)` -|`data scale `|Y |` -- Set cursor display scale in carrier frequency expressed in kHz` -|`data setdebugmode `|Y |`<0|1|2> -- Set Debugging Level on client side` -|`data shiftgraphzero `|Y |` -- Shift 0 for Graphed wave + or - shift value` -|`data dirthreshold `|Y |` -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.` -|`data tune `|N |`Get hw tune samples for graph window` -|`data undec `|Y |`Un-decimate samples by 2` -|`data zerocrossings `|Y |`Count time between zero-crossings` -|`data iir `|Y |`apply IIR buttersworth filter on plotdata` - +|command |offline |description +|------- |------- |----------- +|`data help `|Y |`This help` +|`data askedgedetect `|Y |`[threshold] Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)` +|`data autocorr `|Y |`[window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)` +|`data biphaserawdecode `|Y |`[offset] [invert<0|1>] [maxErr] -- Biphase decode bin stream in DemodBuffer (offset = 0|1 bits to shift the decode start)` +|`data bin2hex `|Y |` -- Converts binary to hexadecimal` +|`data bitsamples `|N |`Get raw samples as bitstring` +|`data buffclear `|Y |`Clears bigbuff on deviceside and graph window` +|`data convertbitstream `|Y |`Convert GraphBuffer's 0/1 values to 127 / -127` +|`data dec `|Y |`Decimate samples` +|`data detectclock `|Y |`[] Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer` +|`data fsktonrz `|Y |`Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)` +|`data getbitstream `|Y |`Convert GraphBuffer's >=1 values to 1 and <1 to 0` +|`data grid `|Y |` -- overlay grid on graph window, use zero value to turn off either` +|`data hexsamples `|N |` [] -- Dump big buffer as hex bytes` +|`data hex2bin `|Y |` -- Converts hexadecimal to binary` +|`data hide `|Y |`Hide graph window` +|`data hpf `|Y |`Remove DC offset from trace` +|`data load `|Y |` -- Load trace (to graph window` +|`data ltrim `|Y |` -- Trim samples from left of trace` +|`data rtrim `|Y |` -- Trim samples from right of trace` +|`data mtrim `|Y |` -- Trim out samples from the specified start to the specified stop` +|`data manrawdecode `|Y |`[invert] [maxErr] -- Manchester decode binary stream in DemodBuffer` +|`data norm `|Y |`Normalize max/min to +/-128` +|`data plot `|Y |`Show graph window (hit 'h' in window for keystroke help)` +|`data printdemodbuffer `|Y |`[x] [o] [l] -- print the data in the DemodBuffer - 'x' for hex output` +|`data rawdemod `|Y |`[modulation] ... -see help (h option) -- Demodulate the data in the GraphBuffer and output binary` +|`data samples `|N |`[512 - 40000] -- Get raw samples for graph window (GraphBuffer)` +|`data save `|Y |`Save trace (from graph window)` +|`data setgraphmarkers `|Y |`[orange_marker] [blue_marker] (in graph window)` +|`data scale `|Y |` -- Set cursor display scale in carrier frequency expressed in kHz` +|`data setdebugmode `|Y |`<0|1|2> -- Set Debugging Level on client side` +|`data shiftgraphzero `|Y |` -- Shift 0 for Graphed wave + or - shift value` +|`data dirthreshold `|Y |` -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.` +|`data tune `|N |`Get hw tune samples for graph window` +|`data undec `|Y |`Un-decimate samples by 2` +|`data zerocrossings `|Y |`Count time between zero-crossings` +|`data iir `|Y |`apply IIR buttersworth filter on plotdata` +|`data ndef `|Y |`Decode NDEF records` + + ### emv { EMV ISO-14443 / ISO-7816... } - -|command |offline |description -|------- |------- |----------- -|`emv help `|Y |`This help` -|`emv exec `|N |`Executes EMV contactless transaction.` -|`emv pse `|N |`Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.` -|`emv search `|N |`Try to select all applets from applets list and print installed applets.` -|`emv select `|N |`Select applet.` -|`emv gpo `|N |`Execute GetProcessingOptions.` -|`emv readrec `|N |`Read files from card.` -|`emv genac `|N |`Generate ApplicationCryptogram.` -|`emv challenge `|N |`Generate challenge.` -|`emv intauth `|N |`Internal authentication.` -|`emv scan `|N |`Scan EMV card and save it contents to json file for emulator.` -|`emv test `|Y |`Crypto logic test.` -|`emv list `|Y |`List ISO7816 history` -|`emv roca `|N |`Extract public keys and run ROCA test` - +|command |offline |description +|------- |------- |----------- +|`emv help `|Y |`This help` +|`emv exec `|N |`Executes EMV contactless transaction.` +|`emv pse `|N |`Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.` +|`emv search `|N |`Try to select all applets from applets list and print installed applets.` +|`emv select `|N |`Select applet.` +|`emv gpo `|N |`Execute GetProcessingOptions.` +|`emv readrec `|N |`Read files from card.` +|`emv genac `|N |`Generate ApplicationCryptogram.` +|`emv challenge `|N |`Generate challenge.` +|`emv intauth `|N |`Internal authentication.` +|`emv scan `|N |`Scan EMV card and save it contents to json file for emulator.` +|`emv test `|Y |`Crypto logic test.` +|`emv list `|Y |`List ISO7816 history` +|`emv roca `|N |`Extract public keys and run ROCA test` + + ### hf { High frequency commands... } - -|command |offline |description -|------- |------- |----------- -|`hf help `|Y |`This help` -|`hf list `|Y |`List protocol data in trace buffer` -|`hf tune `|N |`Continuously measure HF antenna tuning` -|`hf search `|Y |`Search for known HF tags` -|`hf sniff `|N |` Generic HF Sniff` - +|command |offline |description +|------- |------- |----------- +|`hf help `|Y |`This help` +|`hf list `|Y |`List protocol data in trace buffer` +|`hf plot `|N |`Plot signal` +|`hf tune `|N |`Continuously measure HF antenna tuning` +|`hf search `|Y |`Search for known HF tags` +|`hf sniff `|N |` Generic HF Sniff` + + ### hf 14a { ISO14443A RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf 14a help `|Y |`This help` -|`hf 14a list `|Y |`List ISO 14443-a history` -|`hf 14a info `|N |`Tag information` -|`hf 14a reader `|N |`Act like an ISO14443-a reader` -|`hf 14a cuids `|N |` Collect n>0 ISO14443-a UIDs in one go` -|`hf 14a sim `|N |` -- Simulate ISO 14443-a tag` -|`hf 14a sniff `|N |`sniff ISO 14443-a traffic` -|`hf 14a apdu `|N |`Send ISO 14443-4 APDU to tag` -|`hf 14a chaining `|N |`Control ISO 14443-4 input chaining` -|`hf 14a raw `|N |`Send raw hex data to tag` -|`hf 14a antifuzz `|N |`Fuzzing the anticollision phase. Warning! Readers may react strange` - +|command |offline |description +|------- |------- |----------- +|`hf 14a help `|Y |`This help` +|`hf 14a list `|Y |`List ISO 14443-a history` +|`hf 14a info `|N |`Tag information` +|`hf 14a reader `|N |`Act like an ISO14443-a reader` +|`hf 14a cuids `|N |` Collect n>0 ISO14443-a UIDs in one go` +|`hf 14a sim `|N |` -- Simulate ISO 14443-a tag` +|`hf 14a sniff `|N |`sniff ISO 14443-a traffic` +|`hf 14a apdu `|N |`Send ISO 14443-4 APDU to tag` +|`hf 14a chaining `|N |`Control ISO 14443-4 input chaining` +|`hf 14a raw `|N |`Send raw hex data to tag` +|`hf 14a antifuzz `|N |`Fuzzing the anticollision phase. Warning! Readers may react strange` +|`hf 14a config `|N |`Configure 14a settings (use with caution)` + + ### hf 14b { ISO14443B RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf 14b help `|Y |`This help` -|`hf 14b dump `|N |`Read all memory pages of an ISO14443-B tag, save to file` -|`hf 14b info `|N |`Tag information` -|`hf 14b list `|Y |`List ISO 14443B history` -|`hf 14b raw `|N |`Send raw hex data to tag` -|`hf 14b reader `|N |`Act as a 14443B reader to identify a tag` -|`hf 14b sim `|N |`Fake ISO 14443B tag` -|`hf 14b sniff `|N |`Eavesdrop ISO 14443B` -|`hf 14b sriread `|N |`Read contents of a SRI512 | SRIX4K tag` -|`hf 14b sriwrite `|N |`Write data to a SRI512 | SRIX4K tag` - +|command |offline |description +|------- |------- |----------- +|`hf 14b help `|Y |`This help` +|`hf 14b apdu `|N |`Send ISO 14443-4 APDU to tag` +|`hf 14b dump `|N |`Read all memory pages of an ISO14443-B tag, save to file` +|`hf 14b info `|N |`Tag information` +|`hf 14b list `|Y |`List ISO 14443B history` +|`hf 14b ndef `|N |`Read NDEF file on tag` +|`hf 14b raw `|N |`Send raw hex data to tag` +|`hf 14b reader `|N |`Act as a 14443B reader to identify a tag` +|`hf 14b sim `|N |`Fake ISO 14443B tag` +|`hf 14b sniff `|N |`Eavesdrop ISO 14443B` +|`hf 14b sriread `|N |`Read contents of a SRI512 | SRIX4K tag` +|`hf 14b sriwrite `|N |`Write data to a SRI512 | SRIX4K tag` + + ### hf 15 { ISO15693 RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf 15 help `|Y |`This help` -|`hf 15 demod `|Y |`Demodulate ISO15693 from tag` -|`hf 15 dump `|N |`Read all memory pages of an ISO15693 tag, save to file` -|`hf 15 findafi `|N |`Brute force AFI of an ISO15693 tag` -|`hf 15 writeafi `|N |`Writes the AFI on an ISO15693 tag` -|`hf 15 writedsfid `|N |`Writes the DSFID on an ISO15693 tag` -|`hf 15 info `|N |`Tag information` -|`hf 15 list `|Y |`List ISO15693 history` -|`hf 15 raw `|N |`Send raw hex data to tag` -|`hf 15 reader `|N |`Act like an ISO15693 reader` -|`hf 15 record `|N |`Record Samples (ISO15693)` -|`hf 15 restore `|N |`Restore from file to all memory pages of an ISO15693 tag` -|`hf 15 sim `|N |`Fake an ISO15693 tag` -|`hf 15 samples `|N |`Acquire Samples as Reader (enables carrier, sends inquiry)` -|`hf 15 read `|N |`Read a block` -|`hf 15 write `|N |`Write a block` -|`hf 15 readmulti `|N |`Reads multiple Blocks` -|`hf 15 csetuid `|N |`Set UID for magic Chinese card` - +|command |offline |description +|------- |------- |----------- +|`hf 15 help `|Y |`This help` +|`hf 15 list `|Y |`List ISO15693 history` +|`hf 15 demod `|Y |`Demodulate ISO15693 from tag` +|`hf 15 dump `|N |`Read all memory pages of an ISO15693 tag, save to file` +|`hf 15 info `|N |`Tag information` +|`hf 15 sniff `|N |`Sniff ISO15693 traffic` +|`hf 15 raw `|N |`Send raw hex data to tag` +|`hf 15 read `|N |`Read a block` +|`hf 15 reader `|N |`Act like an ISO15693 reader` +|`hf 15 readmulti `|N |`Reads multiple Blocks` +|`hf 15 restore `|N |`Restore from file to all memory pages of an ISO15693 tag` +|`hf 15 samples `|N |`Acquire Samples as Reader (enables carrier, sends inquiry)` +|`hf 15 sim `|N |`Fake an ISO15693 tag` +|`hf 15 write `|N |`Write a block` +|`hf 15 findafi `|N |`Brute force AFI of an ISO15693 tag` +|`hf 15 writeafi `|N |`Writes the AFI on an ISO15693 tag` +|`hf 15 writedsfid `|N |`Writes the DSFID on an ISO15693 tag` +|`hf 15 csetuid `|N |`Set UID for magic Chinese card` + + ### hf epa { German Identification Card... } - -|command |offline |description -|------- |------- |----------- -|`hf epa help `|Y |`This help` -|`hf epa cnonces `|N |` Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses` -|`hf epa preplay `|N |` Perform PACE protocol by replaying given APDUs` - +|command |offline |description +|------- |------- |----------- +|`hf epa help `|Y |`This help` +|`hf epa cnonces `|N |` Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses` +|`hf epa preplay `|N |` Perform PACE protocol by replaying given APDUs` + + ### hf felica { ISO18092 / Felica RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf felica help `|Y |`This help` -|`hf felica list `|Y |`List ISO 18092/FeliCa history` -|`hf felica reader `|N |`Act like an ISO18092/FeliCa reader` -|`hf felica sniff `|N |`Sniff ISO 18092/FeliCa traffic` -|`hf felica raw `|N |`Send raw hex data to tag` -|`hf felica rqservice `|N |`verify the existence of Area and Service, and to acquire Key Version.` -|`hf felica rqresponse `|N |`verify the existence of a card and its Mode.` -|`hf felica rdunencrypted`|N |`read Block Data from authentication-not-required Service.` -|`hf felica wrunencrypted`|N |`write Block Data to an authentication-not-required Service.` -|`hf felica scsvcode `|N |`acquire Area Code and Service Code.` -|`hf felica rqsyscode `|N |`acquire System Code registered to the card.` -|`hf felica auth1 `|N |`authenticate a card. Start mutual authentication with Auth1` -|`hf felica auth2 `|N |`allow a card to authenticate a Reader/Writer. Complete mutual authentication` -|`hf felica read `|N |`read Block Data from authentication-required Service.` -|`hf felica rqspecver `|N |`acquire the version of card OS.` -|`hf felica resetmode `|N |`reset Mode to Mode 0.` -|`hf felica litesim `|N |` - only reply to poll request` -|`hf felica litedump `|N |`Wait for and try dumping FelicaLite` - -### hf legic +|command |offline |description +|------- |------- |----------- +|`hf felica help `|Y |`This help` +|`hf felica list `|Y |`List ISO 18092/FeliCa history` +|`hf felica reader `|N |`Act like an ISO18092/FeliCa reader` +|`hf felica sniff `|N |`Sniff ISO 18092/FeliCa traffic` +|`hf felica raw `|N |`Send raw hex data to tag` +|`hf felica rdunencrypted`|N |`read Block Data from authentication-not-required Service.` +|`hf felica wrunencrypted`|N |`write Block Data to an authentication-not-required Service.` +|`hf felica rqservice `|N |`verify the existence of Area and Service, and to acquire Key Version.` +|`hf felica rqresponse `|N |`verify the existence of a card and its Mode.` +|`hf felica scsvcode `|N |`acquire Area Code and Service Code.` +|`hf felica rqsyscode `|N |`acquire System Code registered to the card.` +|`hf felica auth1 `|N |`authenticate a card. Start mutual authentication with Auth1` +|`hf felica auth2 `|N |`allow a card to authenticate a Reader/Writer. Complete mutual authentication` +|`hf felica rqspecver `|N |`acquire the version of card OS.` +|`hf felica resetmode `|N |`reset Mode to Mode 0.` +|`hf felica litesim `|N |` - only reply to poll request` +|`hf felica litedump `|N |`Wait for and try dumping FelicaLite` - { LEGIC RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf legic help `|Y |`This help` -|`hf legic reader `|N |`LEGIC Prime Reader UID and tag info` -|`hf legic info `|N |`Display deobfuscated and decoded LEGIC Prime tag data` -|`hf legic dump `|N |`Dump LEGIC Prime tag to binary file` -|`hf legic restore `|N |`Restore a dump file onto a LEGIC Prime tag` -|`hf legic rdmem `|N |`Read bytes from a LEGIC Prime tag` -|`hf legic sim `|N |`Start tag simulator` -|`hf legic write `|N |`Write data to a LEGIC Prime tag` -|`hf legic crc `|Y |`Calculate Legic CRC over given bytes` -|`hf legic eload `|N |`Load binary dump to emulator memory` -|`hf legic esave `|N |`Save emulator memory to binary file` -|`hf legic list `|Y |`List LEGIC history` -|`hf legic wipe `|N |`Wipe a LEGIC Prime tag` - -### hf iclass - - { ICLASS RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf iclass help `|Y |`This help` -|`hf iclass calcnewkey `|Y |`[options..] Calc diversified keys (blocks 3 & 4) to write new keys` -|`hf iclass chk `|Y |`[options..] Check keys` -|`hf iclass clone `|N |`[options..] Restore a dump file onto a iClass tag` -|`hf iclass decrypt `|Y |`[options..] Decrypt given block data or tag dump file` -|`hf iclass dump `|N |`[options..] Dump iClass tag to file` -|`hf iclass eload `|N |`[f ] Load iClass dump file into emulator memory` -|`hf iclass encrypt `|Y |`[options..] Encrypt given block data` -|`hf iclass info `|Y |` Tag information` -|`hf iclass list `|Y |` List iClass history` -|`hf iclass loclass `|Y |`[options..] Use loclass to perform bruteforce reader attack` -|`hf iclass lookup `|Y |`[options..] Uses authentication trace to check for key in dictionary file` -|`hf iclass managekeys `|Y |`[options..] Manage keys to use with iClass` -|`hf iclass permutekey `|N |` Permute function from 'heart of darkness' paper` -|`hf iclass rdbl `|N |`[options..] Read iClass block` -|`hf iclass reader `|N |` Act like an iClass reader` -|`hf iclass readtagfile `|Y |`[options..] Display content from tag dump file` -|`hf iclass replay `|N |` Read iClass tag via replay attack` -|`hf iclass sim `|N |`[options..] Simulate iClass tag` -|`hf iclass sniff `|N |` Eavesdrop iClass communication` -|`hf iclass wrbl `|N |`[options..] Write iClass block` - - -### hf mf - - { MIFARE RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf mf help `|Y |`This help` -|`hf mf list `|Y |`List MIFARE history` -|`hf mf darkside `|N |`Darkside attack` -|`hf mf nested `|N |`Nested attack` -|`hf mf hardnested `|Y |`Nested attack for hardened MIFARE Classic cards` -|`hf mf autopwn `|N |`Automatic key recovery tool for MIFARE Classic` -|`hf mf nack `|N |`Test for MIFARE NACK bug` -|`hf mf chk `|N |`Check keys` -|`hf mf fchk `|N |`Check keys fast, targets all keys on card` -|`hf mf decrypt `|Y |`[nt] [ar_enc] [at_enc] [data] - to decrypt sniff or trace` -|`hf mf rdbl `|N |`Read MIFARE classic block` -|`hf mf rdsc `|N |`Read MIFARE classic sector` -|`hf mf dump `|N |`Dump MIFARE classic tag to binary file` -|`hf mf restore `|N |`Restore MIFARE classic binary file to BLANK tag` -|`hf mf wrbl `|N |`Write MIFARE classic block` -|`hf mf setmod `|N |`Set MIFARE Classic EV1 load modulation strength` -|`hf mf auth4 `|N |`ISO14443-4 AES authentication` -|`hf mf sim `|N |`Simulate MIFARE card` -|`hf mf eclr `|N |`Clear simulator memory` -|`hf mf egetblk `|N |`Get simulator memory block` -|`hf mf egetsc `|N |`Get simulator memory sector` -|`hf mf eset `|N |`Set simulator memory block` -|`hf mf eload `|N |`Load from file emul dump` -|`hf mf esave `|N |`Save to file emul dump` -|`hf mf ecfill `|N |`Fill simulator memory with help of keys from simulator` -|`hf mf ekeyprn `|N |`Print keys from simulator memory` -|`hf mf eview `|N |`View simulator memory` -|`hf mf csetuid `|N |`Set UID (magic chinese card)` -|`hf mf cwipe `|N |`Wipe card to default UID/Sectors/Keys` -|`hf mf csetblk `|N |`Write block (magic chinese card)` -|`hf mf cgetblk `|N |`Read block (magic chinese card)` -|`hf mf cgetsc `|N |`Read sector (magic chinese card)` -|`hf mf cload `|N |`Load dump (magic chinese card)` -|`hf mf csave `|N |`Save dump from magic chinese card into file or emulator` -|`hf mf cview `|N |`View card memory (magic chinese card)` -|`hf mf mad `|N |`Checks and prints MAD` -|`hf mf ndef `|N |`Prints NDEF records from card` -|`hf mf ice `|N |`collect MIFARE Classic nonces to file` - - -### hf mfp - - { MIFARE Plus RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf mfp help `|Y |`This help` -|`hf mfp info `|N |`Info about Mifare Plus tag` -|`hf mfp wrp `|N |`Write Perso command` -|`hf mfp initp `|N |`Fills all the card's keys` -|`hf mfp commitp `|N |`Move card to SL1 or SL3 mode` -|`hf mfp auth `|N |`Authentication` -|`hf mfp rdbl `|N |`Read blocks` -|`hf mfp rdsc `|N |`Read sectors` -|`hf mfp wrbl `|N |`Write blocks` -|`hf mfp chk `|N |`Check keys` -|`hf mfp mad `|N |`Checks and prints MAD` -|`hf mfp ndef `|N |`Prints NDEF records from card` - - -### hf mfu - - { MIFARE Ultralight RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf mfu help `|Y |`This help` -|`hf mfu info `|N |`Tag information` -|`hf mfu dump `|N |`Dump Ultralight / Ultralight-C / NTAG tag to binary file` -|`hf mfu restore `|N |`Restore a dump onto a MFU MAGIC tag` -|`hf mfu eload `|N |`load Ultralight .eml dump file into emulator memory` -|`hf mfu rdbl `|N |`Read block` -|`hf mfu wrbl `|N |`Write block` -|`hf mfu cauth `|N |`Authentication - Ultralight C` -|`hf mfu setpwd `|N |`Set 3des password - Ultralight-C` -|`hf mfu setuid `|N |`Set UID - MAGIC tags only` -|`hf mfu sim `|N |`Simulate Ultralight from emulator memory` -|`hf mfu gen `|Y |`Generate 3des mifare diversified keys` -|`hf mfu pwdgen `|Y |`Generate pwd from known algos` -|`hf mfu otptear `|N |`Tear-off test on OTP bits` - - -### hf mfdes - - { MIFARE Desfire RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf mfdes help `|Y |`This help` -|`hf mfdes info `|N |`Tag information` -|`hf mfdes enum `|N |`Tries enumerate all applications` -|`hf mfdes auth `|N |`Tries a MIFARE DesFire Authentication` - - -### hf topaz - - { TOPAZ (NFC Type 1) RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf topaz help `|Y |`This help` -|`hf topaz reader `|N |`Act like a Topaz reader` -|`hf topaz sim `|N |` -- Simulate Topaz tag` -|`hf topaz sniff `|N |`Sniff Topaz reader-tag communication` -|`hf topaz raw `|N |`Send raw hex data to tag` -|`hf topaz list `|Y |`List Topaz history` - - ### hf fido { FIDO and FIDO2 authenticators... } - -|command |offline |description -|------- |------- |----------- -|`hf fido help `|Y |`This help.` -|`hf fido info `|N |`Info about FIDO tag.` -|`hf fido reg `|N |`FIDO U2F Registration Message.` -|`hf fido auth `|N |`FIDO U2F Authentication Message.` -|`hf fido make `|N |`FIDO2 MakeCredential command.` -|`hf fido assert `|N |`FIDO2 GetAssertion command.` - +|command |offline |description +|------- |------- |----------- +|`hf fido help `|Y |`This help.` +|`hf fido info `|N |`Info about FIDO tag.` +|`hf fido reg `|N |`FIDO U2F Registration Message.` +|`hf fido auth `|N |`FIDO U2F Authentication Message.` +|`hf fido make `|N |`FIDO2 MakeCredential command.` +|`hf fido assert `|N |`FIDO2 GetAssertion command.` + + +### hf iclass + + { ICLASS RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf iclass help `|Y |`This help` +|`hf iclass dump `|N |`[options..] Dump Picopass / iCLASS tag to file` +|`hf iclass info `|Y |` Tag information` +|`hf iclass list `|Y |` List iclass history` +|`hf iclass rdbl `|N |`[options..] Read Picopass / iCLASS block` +|`hf iclass reader `|N |` Act like an Picopass / iCLASS reader` +|`hf iclass restore `|N |`[options..] Restore a dump file onto a Picopass / iCLASS tag` +|`hf iclass sniff `|N |` Eavesdrop Picopass / iCLASS communication` +|`hf iclass wrbl `|N |`[options..] Write Picopass / iCLASS block` +|`hf iclass chk `|Y |`[options..] Check keys` +|`hf iclass loclass `|Y |`[options..] Use loclass to perform bruteforce reader attack` +|`hf iclass lookup `|Y |`[options..] Uses authentication trace to check for key in dictionary file` +|`hf iclass replay `|N |` Read Picopass / iCLASS tag via replay attack` +|`hf iclass sim `|N |`[options..] Simulate iCLASS tag` +|`hf iclass eload `|N |`[f ] Load Picopass / iCLASS dump file into emulator memory` +|`hf iclass esave `|N |`[f ] Save emulator memory to file` +|`hf iclass eview `|N |`[options..] View emulator memory` +|`hf iclass calcnewkey `|Y |`[options..] Calc diversified keys (blocks 3 & 4) to write new keys` +|`hf iclass encrypt `|Y |`[options..] Encrypt given block data` +|`hf iclass decrypt `|Y |`[options..] Decrypt given block data or tag dump file` +|`hf iclass managekeys `|Y |`[options..] Manage keys to use with iclass commands` +|`hf iclass permutekey `|N |` Permute function from 'heart of darkness' paper` +|`hf iclass view `|Y |`[options..] Display content from tag dump file` + + +### hf legic + + { LEGIC RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf legic help `|Y |`This help` +|`hf legic list `|Y |`List LEGIC history` +|`hf legic reader `|N |`LEGIC Prime Reader UID and tag info` +|`hf legic info `|N |`Display deobfuscated and decoded LEGIC Prime tag data` +|`hf legic dump `|N |`Dump LEGIC Prime tag to binary file` +|`hf legic restore `|N |`Restore a dump file onto a LEGIC Prime tag` +|`hf legic rdbl `|N |`Read bytes from a LEGIC Prime tag` +|`hf legic sim `|N |`Start tag simulator` +|`hf legic wrbl `|N |`Write data to a LEGIC Prime tag` +|`hf legic crc `|Y |`Calculate Legic CRC over given bytes` +|`hf legic eload `|Y |`Load binary dump to emulator memory` +|`hf legic esave `|Y |`Save emulator memory to binary file` +|`hf legic wipe `|N |`Wipe a LEGIC Prime tag` + + +### hf lto + + { LTO Cartridge Memory RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf lto help `|Y |`This help` +|`hf lto dump `|N |`Dump LTO-CM tag to file` +|`hf lto restore `|N |`Restore dump file to LTO-CM tag` +|`hf lto info `|N |`Tag information` +|`hf lto rdbl `|N |`Read block` +|`hf lto wrbl `|N |`Write block` +|`hf lto list `|Y |`List LTO-CM history` + + +### hf mf + + { MIFARE RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mf help `|Y |`This help` +|`hf mf list `|Y |`List MIFARE history` +|`hf mf darkside `|N |`Darkside attack` +|`hf mf nested `|N |`Nested attack` +|`hf mf hardnested `|Y |`Nested attack for hardened MIFARE Classic cards` +|`hf mf staticnested `|N |`Nested attack against static nonce MIFARE Classic cards` +|`hf mf autopwn `|N |`Automatic key recovery tool for MIFARE Classic` +|`hf mf nack `|N |`Test for MIFARE NACK bug` +|`hf mf chk `|N |`Check keys` +|`hf mf fchk `|N |`Check keys fast, targets all keys on card` +|`hf mf decrypt `|Y |`[nt] [ar_enc] [at_enc] [data] - to decrypt sniff or trace` +|`hf mf auth4 `|N |`ISO14443-4 AES authentication` +|`hf mf dump `|N |`Dump MIFARE Classic tag to binary file` +|`hf mf mad `|N |`Checks and prints MAD` +|`hf mf ndef `|N |`Prints NDEF records from card` +|`hf mf personalize `|N |`Personalize UID (MIFARE Classic EV1 only)` +|`hf mf rdbl `|N |`Read MIFARE Classic block` +|`hf mf rdsc `|N |`Read MIFARE Classic sector` +|`hf mf restore `|N |`Restore MIFARE Classic binary file to BLANK tag` +|`hf mf setmod `|N |`Set MIFARE Classic EV1 load modulation strength` +|`hf mf wrbl `|N |`Write MIFARE Classic block` +|`hf mf sim `|N |`Simulate MIFARE card` +|`hf mf ecfill `|N |`Fill simulator memory with help of keys from simulator` +|`hf mf eclr `|N |`Clear simulator memory` +|`hf mf egetblk `|N |`Get simulator memory block` +|`hf mf egetsc `|N |`Get simulator memory sector` +|`hf mf ekeyprn `|N |`Print keys from simulator memory` +|`hf mf eload `|N |`Load from file emul dump` +|`hf mf esave `|N |`Save to file emul dump` +|`hf mf eset `|N |`Set simulator memory block` +|`hf mf eview `|N |`View emul memory` +|`hf mf cgetblk `|N |`Read block` +|`hf mf cgetsc `|N |`Read sector` +|`hf mf cload `|N |`Load dump` +|`hf mf csave `|N |`Save dump from card into file or emulator` +|`hf mf csetblk `|N |`Write block` +|`hf mf csetuid `|N |`Set UID` +|`hf mf cview `|N |`view card` +|`hf mf cwipe `|N |`Wipe card to default UID/Sectors/Keys` +|`hf mf gen3uid `|N |`Set UID without manufacturer block` +|`hf mf gen3blk `|N |`Overwrite full manufacturer block` +|`hf mf gen3freeze `|N |`Perma lock further UID changes` +|`hf mf ice `|N |`collect MIFARE Classic nonces to file` + + +### hf mfp + + { MIFARE Plus RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mfp help `|Y |`This help` +|`hf mfp info `|N |`Info about Mifare Plus tag` +|`hf mfp wrp `|N |`Write Perso command` +|`hf mfp initp `|N |`Fills all the card's keys` +|`hf mfp commitp `|N |`Move card to SL1 or SL3 mode` +|`hf mfp auth `|N |`Authentication` +|`hf mfp rdbl `|N |`Read blocks` +|`hf mfp rdsc `|N |`Read sectors` +|`hf mfp wrbl `|N |`Write blocks` +|`hf mfp chk `|N |`Check keys` +|`hf mfp mad `|N |`Checks and prints MAD` +|`hf mfp ndef `|N |`Prints NDEF records from card` + + +### hf mfu + + { MIFARE Ultralight RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mfu help `|Y |`This help` +|`hf mfu info `|N |`Tag information` +|`hf mfu dump `|N |`Dump Ultralight / Ultralight-C / NTAG tag to binary file` +|`hf mfu restore `|N |`Restore a dump onto a MFU MAGIC tag` +|`hf mfu eload `|N |`load Ultralight .eml dump file into emulator memory` +|`hf mfu rdbl `|N |`Read block` +|`hf mfu wrbl `|N |`Write block` +|`hf mfu cauth `|N |`Authentication - Ultralight C` +|`hf mfu setpwd `|N |`Set 3des password - Ultralight-C` +|`hf mfu setuid `|N |`Set UID - MAGIC tags only` +|`hf mfu sim `|N |`Simulate Ultralight from emulator memory` +|`hf mfu gen `|Y |`Generate 3des mifare diversified keys` +|`hf mfu pwdgen `|Y |`Generate pwd from known algos` +|`hf mfu otptear `|N |`Tear-off test on OTP bits` +|`hf mfu ndef `|N |`Prints NDEF records from card` + + +### hf mfdes + + { MIFARE Desfire RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mfdes help `|Y |`This help` +|`hf mfdes info `|N |`Tag information` +|`hf mfdes list `|Y |`List DESFire (ISO 14443A) history` +|`hf mfdes enum `|N |`Tries enumerate all applications` +|`hf mfdes auth `|N |`Tries a MIFARE DesFire Authentication` +|`hf mfdes getuid `|N |`Get random uid` +|`hf mfdes selectaid `|N |`Select Application ID` +|`hf mfdes createaid `|N |`Create Application ID` +|`hf mfdes deleteaid `|N |`Delete Application ID` +|`hf mfdes createfile `|N |`Create Standard/Backup File` +|`hf mfdes createvaluefile`|N |`Create Value File` +|`hf mfdes createrecordfile`|N |`Create Linear/Cyclic Record File` +|`hf mfdes deletefile `|N |`Create Delete File` +|`hf mfdes clearfile `|N |`Clear record File` +|`hf mfdes readdata `|N |`Read data from standard/backup/record file` +|`hf mfdes writedata `|N |`Write data to standard/backup/record file` +|`hf mfdes getvalue `|N |`Get value of file` +|`hf mfdes changevalue `|N |`Write value of a value file (credit/debit/clear)` +|`hf mfdes changekey `|N |`Change Key` +|`hf mfdes formatpicc `|N |`Format PICC` +|`hf mfdes dump `|N |`Dump all files` +|`hf mfdes chk `|N |`Check keys` + + +### hf st + + { ST Rothult RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf st help `|Y |`This help` +|`hf st info `|N |`Tag information` +|`hf st list `|Y |`List ISO 14443A/7816 history` +|`hf st ndef `|Y |`read NDEF file on tag` +|`hf st protect `|N |`change protection on tag` +|`hf st pwd `|N |`change password on tag` +|`hf st sim `|N |`Fake ISO 14443A/ST tag` + + ### hf thinfilm { Thinfilm RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`hf thinfilm help `|Y |`This help` -|`hf thinfilm info `|N |`Tag information` -|`hf thinfilm list `|Y |`List NFC Barcode / Thinfilm history - not correct` -|`hf thinfilm sim `|N |`Fake Thinfilm tag` - +|command |offline |description +|------- |------- |----------- +|`hf thinfilm help `|Y |`This help` +|`hf thinfilm info `|N |`Tag information` +|`hf thinfilm list `|Y |`List NFC Barcode / Thinfilm history - not correct` +|`hf thinfilm sim `|N |`Fake Thinfilm tag` + + +### hf topaz + + { TOPAZ (NFC Type 1) RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf topaz help `|Y |`This help` +|`hf topaz list `|Y |`List Topaz history` +|`hf topaz info `|N |`Tag information` +|`hf topaz reader `|N |`Act like a Topaz reader` +|`hf topaz sim `|N |` -- Simulate Topaz tag` +|`hf topaz sniff `|N |`Sniff Topaz reader-tag communication` +|`hf topaz raw `|N |`Send raw hex data to tag` + + +### hf waveshare + + { Waveshare NFC ePaper... } + +|command |offline |description +|------- |------- |----------- +|`hf waveshare help `|Y |`This help` +|`hf waveshare loadbmp `|N |`Load BMP file to Waveshare NFC ePaper` + + ### hw { Hardware commands... } - -|command |offline |description -|------- |------- |----------- -|`hw help `|Y |`This help` -|`hw connect `|Y |`connect Proxmark3 to serial port` -|`hw dbg `|N |`Set Proxmark3 debug level` -|`hw detectreader `|N |`['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)` -|`hw fpgaoff `|N |`Set FPGA off` -|`hw lcd `|N |` -- Send command/data to LCD` -|`hw lcdreset `|N |`Hardware reset LCD` -|`hw ping `|N |`Test if the Proxmark3 is responsive` -|`hw readmem `|N |`[address] -- Read memory at decimal address from flash` -|`hw reset `|N |`Reset the Proxmark3` -|`hw setlfdivisor `|N |`<19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)` -|`hw setmux `|N |`Set the ADC mux to a specific value` -|`hw standalone `|N |`Jump to the standalone mode` -|`hw status `|N |`Show runtime status information about the connected Proxmark3` -|`hw tia `|N |`Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider` -|`hw tune `|N |`Measure antenna tuning` -|`hw version `|N |`Show version information about the connected Proxmark3` - +|command |offline |description +|------- |------- |----------- +|`hw help `|Y |`This help` +|`hw connect `|Y |`connect Proxmark3 to serial port` +|`hw dbg `|N |`Set Proxmark3 debug level` +|`hw detectreader `|N |`['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)` +|`hw fpgaoff `|N |`Set FPGA off` +|`hw lcd `|N |` -- Send command/data to LCD` +|`hw lcdreset `|N |`Hardware reset LCD` +|`hw ping `|N |`Test if the Proxmark3 is responsive` +|`hw readmem `|N |`[address] -- Read memory at decimal address from flash` +|`hw reset `|N |`Reset the Proxmark3` +|`hw setlfdivisor `|N |`<19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)` +|`hw setmux `|N |`Set the ADC mux to a specific value` +|`hw standalone `|N |`Jump to the standalone mode` +|`hw status `|N |`Show runtime status information about the connected Proxmark3` +|`hw tia `|N |`Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider` +|`hw tune `|N |`Measure antenna tuning` +|`hw version `|N |`Show version information about the connected Proxmark3` + + ### lf { Low frequency commands... } - -|command |offline |description -|------- |------- |----------- -|`lf help `|Y |`This help` -|`lf config `|N |`Get/Set config for LF sampling, bit/sample, decimation, frequency` -|`lf cmdread `|N |`Modulate LF reader field to send command before read (all periods in microseconds)` -|`lf read `|N |`Read LF tag` -|`lf search `|Y |`Read and Search for valid known tag (in offline mode it you can load first then search)` -|`lf sim `|N |`Simulate LF tag from buffer with optional GAP (in microseconds)` -|`lf simask `|N |`Simulate LF ASK tag from demodbuffer or input` -|`lf simfsk `|N |`Simulate LF FSK tag from demodbuffer or input` -|`lf simpsk `|N |`Simulate LF PSK tag from demodbuffer or input` -|`lf simbidir `|N |`Simulate LF tag (with bidirectional data transmission between reader and tag)` -|`lf sniff `|N |`Sniff LF traffic between reader and tag` -|`lf tune `|N |`Continuously measure LF antenna tuning` - +|command |offline |description +|------- |------- |----------- +|`lf help `|Y |`This help` +|`lf config `|N |`Get/Set config for LF sampling, bit/sample, decimation, frequency` +|`lf cmdread `|N |`Modulate LF reader field to send command before read (all periods in microseconds)` +|`lf read `|N |`Read LF tag` +|`lf search `|Y |`Read and Search for valid known tag (in offline mode it you can load first then search)` +|`lf sim `|N |`Simulate LF tag from buffer with optional GAP (in microseconds)` +|`lf simask `|N |`Simulate LF ASK tag from demodbuffer or input` +|`lf simfsk `|N |`Simulate LF FSK tag from demodbuffer or input` +|`lf simpsk `|N |`Simulate LF PSK tag from demodbuffer or input` +|`lf simbidir `|N |`Simulate LF tag (with bidirectional data transmission between reader and tag)` +|`lf sniff `|N |`Sniff LF traffic between reader and tag` +|`lf tune `|N |`Continuously measure LF antenna tuning` + + ### lf awid { AWID RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf awid help `|Y |`this help` -|`lf awid demod `|Y |`demodulate an AWID FSK tag from the GraphBuffer` -|`lf awid read `|N |`attempt to read and extract tag data` -|`lf awid clone `|N |`clone AWID tag to T55x7 (or to q5/T5555)` -|`lf awid sim `|N |`simulate AWID tag` -|`lf awid brute `|N |`Bruteforce card number against reader` -|`lf awid watch `|N |`continuously watch for cards. Reader mode` - +|command |offline |description +|------- |------- |----------- +|`lf awid help `|Y |`this help` +|`lf awid demod `|Y |`demodulate an AWID FSK tag from the GraphBuffer` +|`lf awid read `|N |`attempt to read and extract tag data` +|`lf awid clone `|N |`clone AWID tag to T55x7 or Q5/T5555` +|`lf awid sim `|N |`simulate AWID tag` +|`lf awid brute `|N |`Bruteforce card number against reader` +|`lf awid watch `|N |`continuously watch for cards. Reader mode` + + ### lf cotag { COTAG CHIPs... } - -|command |offline |description -|------- |------- |----------- -|`lf cotag help `|Y |`This help` -|`lf cotag demod `|Y |`Tries to decode a COTAG signal` -|`lf cotag read `|N |`Attempt to read and extract tag data` - +|command |offline |description +|------- |------- |----------- +|`lf cotag help `|Y |`This help` +|`lf cotag demod `|Y |`Tries to decode a COTAG signal` +|`lf cotag read `|N |`Attempt to read and extract tag data` + + ### lf em { EM4X CHIPs & RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf em help `|Y |`This help` -|`lf em 410x_demod `|Y |`demodulate a EM410x tag from the GraphBuffer` -|`lf em 410x_read `|N |`attempt to read and extract tag data` -|`lf em 410x_sim `|N |`simulate EM410x tag` -|`lf em 410x_brute `|N |`reader bruteforce attack by simulating EM410x tags` -|`lf em 410x_watch `|N |`watches for EM410x 125/134 kHz tags (option 'h' for 134)` -|`lf em 410x_spoof `|N |`watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)` -|`lf em 410x_clone `|N |`write EM410x UID to T5555(Q5) or T55x7 tag` -|`lf em 4x05_demod `|Y |`demodulate a EM4x05/EM4x69 tag from the GraphBuffer` -|`lf em 4x05_dump `|N |`dump EM4x05/EM4x69 tag` -|`lf em 4x05_wipe `|N |`wipe EM4x05/EM4x69 tag` -|`lf em 4x05_info `|N |`tag information EM4x05/EM4x69` -|`lf em 4x05_read `|N |`read word data from EM4x05/EM4x69` -|`lf em 4x05_write `|N |`write word data to EM4x05/EM4x69` -|`lf em 4x50_demod `|Y |`demodulate a EM4x50 tag from the GraphBuffer` -|`lf em 4x50_dump `|N |`dump EM4x50 tag` -|`lf em 4x50_read `|N |`read word data from EM4x50` -|`lf em 4x50_write `|N |`write word data to EM4x50` - +|command |offline |description +|------- |------- |----------- +|`lf em help `|Y |`This help` +|`lf em 410x_demod `|Y |`demodulate a EM410x tag from the GraphBuffer` +|`lf em 410x_read `|N |`attempt to read and extract tag data` +|`lf em 410x_sim `|N |`simulate EM410x tag` +|`lf em 410x_brute `|N |`reader bruteforce attack by simulating EM410x tags` +|`lf em 410x_watch `|N |`watches for EM410x 125/134 kHz tags (option 'h' for 134)` +|`lf em 410x_spoof `|N |`watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)` +|`lf em 410x_clone `|N |`write EM410x UID to T55x7 or Q5/T5555 tag` +|`lf em 4x05_demod `|Y |`demodulate a EM4x05/EM4x69 tag from the GraphBuffer` +|`lf em 4x05_dump `|N |`dump EM4x05/EM4x69 tag` +|`lf em 4x05_wipe `|N |`wipe EM4x05/EM4x69 tag` +|`lf em 4x05_info `|N |`tag information EM4x05/EM4x69` +|`lf em 4x05_read `|N |`read word data from EM4x05/EM4x69` +|`lf em 4x05_write `|N |`write word data to EM4x05/EM4x69` +|`lf em 4x50_dump `|N |`dump EM4x50 tag` +|`lf em 4x50_info `|N |`tag information EM4x50` +|`lf em 4x50_write `|N |`write word data to EM4x50` +|`lf em 4x50_write_password`|N |`change passwword of EM4x50 tag` +|`lf em 4x50_read `|N |`read word data from EM4x50` +|`lf em 4x50_wipe `|N |`wipe data from EM4x50` + + ### lf fdx { FDX-B RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf fdx help `|Y |`this help` -|`lf fdx demod `|Y |`demodulate a FDX-B ISO11784/85 tag from the GraphBuffer` -|`lf fdx read `|N |`attempt to read and extract tag data` -|`lf fdx clone `|N |`clone animal ID tag to T55x7 (or to q5/T5555)` -|`lf fdx sim `|N |`simulate Animal ID tag` - +|command |offline |description +|------- |------- |----------- +|`lf fdx help `|Y |`this help` +|`lf fdx demod `|Y |`demodulate a FDX-B ISO11784/85 tag from the GraphBuffer` +|`lf fdx read `|N |`attempt to read at 134kHz and extract tag data` +|`lf fdx clone `|N |`clone animal ID tag to T55x7 or Q5/T5555` +|`lf fdx sim `|N |`simulate Animal ID tag` + + ### lf gallagher { GALLAGHER RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf gallagher help `|Y |`This help` -|`lf gallagher demod `|Y |`Demodulate an GALLAGHER tag from the GraphBuffer` -|`lf gallagher read `|N |`Attempt to read and extract tag data from the antenna` -|`lf gallagher clone `|N |`clone GALLAGHER tag to T55x7` -|`lf gallagher sim `|N |`simulate GALLAGHER tag` - +|command |offline |description +|------- |------- |----------- +|`lf gallagher help `|Y |`This help` +|`lf gallagher demod `|Y |`Demodulate an GALLAGHER tag from the GraphBuffer` +|`lf gallagher read `|N |`Attempt to read and extract tag data from the antenna` +|`lf gallagher clone `|N |`clone GALLAGHER tag to T55x7` +|`lf gallagher sim `|N |`simulate GALLAGHER tag` + + ### lf gproxii { Guardall Prox II RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf gproxii help `|Y |`this help` -|`lf gproxii demod `|Y |`demodulate a G Prox II tag from the GraphBuffer` -|`lf gproxii read `|N |`attempt to read and extract tag data from the antenna` -|`lf gproxii clone `|N |`clone Guardall tag to T55x7` -|`lf gproxii sim `|N |`simulate Guardall tag` - +|command |offline |description +|------- |------- |----------- +|`lf gproxii help `|Y |`this help` +|`lf gproxii demod `|Y |`demodulate a G Prox II tag from the GraphBuffer` +|`lf gproxii read `|N |`attempt to read and extract tag data from the antenna` +|`lf gproxii clone `|N |`clone Guardall tag to T55x7 or Q5/T5555` +|`lf gproxii sim `|N |`simulate Guardall tag` + + ### lf hid - { HID RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf hid help `|Y |`this help` -|`lf hid demod `|Y |`demodulate HID Prox tag from the GraphBuffer` -|`lf hid read `|N |`attempt to read and extract tag data` -|`lf hid clone `|N |`clone HID tag to T55x7` -|`lf hid sim `|N |`simulate HID tag` -|`lf hid brute `|N |`bruteforce card number against reader` -|`lf hid watch `|N |`continuously watch for cards. Reader mode` + { HID Prox RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf hid help `|Y |`this help` +|`lf hid demod `|Y |`demodulate HID Prox tag from the GraphBuffer` +|`lf hid read `|N |`attempt to read and extract tag data` +|`lf hid clone `|N |`clone HID tag to T55x7` +|`lf hid sim `|N |`simulate HID tag` +|`lf hid brute `|N |`bruteforce card number against reader` +|`lf hid watch `|N |`continuously watch for cards. Reader mode` + - ### lf hitag { Hitag CHIPs... } - -|command |offline |description -|------- |------- |----------- -|`lf hitag help `|Y |`This help` -|`lf hitag list `|N |`List Hitag trace history` -|`lf hitag info `|N |`Tag information` -|`lf hitag reader `|N |`Act like a Hitag Reader` -|`lf hitag sim `|N |`Simulate Hitag transponder` -|`lf hitag sniff `|N |`Eavesdrop Hitag communication` -|`lf hitag writer `|N |`Act like a Hitag Writer` -|`lf hitag cc `|N |`Test all challenges` - +|command |offline |description +|------- |------- |----------- +|`lf hitag help `|Y |`This help` +|`lf hitag list `|N |`List Hitag trace history` +|`lf hitag info `|N |`Tag information` +|`lf hitag reader `|N |`Act like a Hitag Reader` +|`lf hitag sim `|N |`Simulate Hitag transponder` +|`lf hitag sniff `|N |`Eavesdrop Hitag communication` +|`lf hitag writer `|N |`Act like a Hitag Writer` +|`lf hitag dump `|N |`Dump Hitag2 tag` +|`lf hitag cc `|N |`Test all challenges` + + +### lf idteck + + { Idteck RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf idteck help `|Y |`This help` +|`lf idteck demod `|Y |`Demodulate an Idteck tag from the GraphBuffer` +|`lf idteck read `|N |`Attempt to read and Extract tag data from the antenna` + + ### lf indala { Indala RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf indala help `|Y |`this help` -|`lf indala demod `|Y |`demodulate an indala tag (PSK1) from GraphBuffer` -|`lf indala altdemod `|Y |`alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)` -|`lf indala read `|N |`read an Indala Prox tag from the antenna` -|`lf indala clone `|N |`clone Indala tag to T55x7` -|`lf indala sim `|N |`simulate Indala tag` - +|command |offline |description +|------- |------- |----------- +|`lf indala help `|Y |`this help` +|`lf indala demod `|Y |`demodulate an indala tag (PSK1) from GraphBuffer` +|`lf indala altdemod `|Y |`alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)` +|`lf indala read `|N |`read an Indala Prox tag from the antenna` +|`lf indala clone `|N |`clone Indala tag to T55x7 or Q5/T5555` +|`lf indala sim `|N |`simulate Indala tag` + + ### lf io { ioProx RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf io help `|Y |`this help` -|`lf io demod `|Y |`demodulate an IOProx tag from the GraphBuffer` -|`lf io read `|N |`attempt to read and extract tag data` -|`lf io clone `|N |`clone IOProx tag to T55x7 (or to q5/T5555)` -|`lf io sim `|N |`simulate IOProx tag` -|`lf io watch `|N |`continuously watch for cards. Reader mode` - +|command |offline |description +|------- |------- |----------- +|`lf io help `|Y |`this help` +|`lf io demod `|Y |`demodulate an IOProx tag from the GraphBuffer` +|`lf io read `|N |`attempt to read and extract tag data` +|`lf io clone `|N |`clone IOProx tag to T55x7 or Q5/T5555` +|`lf io sim `|N |`simulate IOProx tag` +|`lf io watch `|N |`continuously watch for cards. Reader mode` + + ### lf jablotron { Jablotron RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf jablotron help `|Y |`This help` -|`lf jablotron demod `|Y |`Demodulate an Jablotron tag from the GraphBuffer` -|`lf jablotron read `|N |`Attempt to read and extract tag data from the antenna` -|`lf jablotron clone `|N |`clone jablotron tag to T55x7 (or to q5/T5555)` -|`lf jablotron sim `|N |`simulate jablotron tag` - +|command |offline |description +|------- |------- |----------- +|`lf jablotron help `|Y |`This help` +|`lf jablotron demod `|Y |`Demodulate an Jablotron tag from the GraphBuffer` +|`lf jablotron read `|N |`Attempt to read and extract tag data from the antenna` +|`lf jablotron clone `|N |`clone jablotron tag to T55x7 or Q5/T5555` +|`lf jablotron sim `|N |`simulate jablotron tag` + + ### lf keri { KERI RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf keri help `|Y |`This help` -|`lf keri demod `|Y |`Demodulate an KERI tag from the GraphBuffer` -|`lf keri read `|N |`Attempt to read and extract tag data from the antenna` -|`lf keri clone `|N |`clone KERI tag to T55x7 (or to q5/T5555)` -|`lf keri sim `|N |`simulate KERI tag` - -### lf nedap +|command |offline |description +|------- |------- |----------- +|`lf keri help `|Y |`This help` +|`lf keri demod `|Y |`Demodulate an KERI tag from the GraphBuffer` +|`lf keri read `|N |`Attempt to read and extract tag data from the antenna` +|`lf keri clone `|N |`clone KERI tag to T55x7 or Q5/T5555` +|`lf keri sim `|N |`simulate KERI tag` - { Nedap RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf nedap help `|Y |`This help` -|`lf nedap demod `|Y |`Demodulate Nedap tag from the GraphBuffer` -|`lf nedap generate `|Y |`Generate Nedap bitstream in DemodBuffer` -|`lf nedap read `|N |`Attempt to read and extract tag data from the antenna` -|`lf nedap clone `|N |`Clone Nedap tag to T55x7` -|`lf nedap sim `|N |`Simulate Nedap tag` - -### lf nexwatch - - { NexWatch RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf nexwatch help `|Y |`This help` -|`lf nexwatch demod `|Y |`Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer` -|`lf nexwatch read `|N |`Attempt to Read and Extract tag data from the antenna` -|`lf nexwatch clone `|N |`clone NexWatch tag to T55x7` -|`lf nexwatch sim `|N |`simulate NexWatch tag` - - -### lf noralsy - - { Noralsy RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf noralsy help `|Y |`This help` -|`lf noralsy demod `|Y |`Demodulate an Noralsy tag from the GraphBuffer` -|`lf noralsy read `|N |`Attempt to read and extract tag data from the antenna` -|`lf noralsy clone `|N |`clone Noralsy tag to T55x7 (or to q5/T5555)` -|`lf noralsy sim `|N |`simulate Noralsy tag` - - ### lf motorola { Motorola RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf motorola help `|Y |`This help` -|`lf motorola demod `|Y |`Demodulate an MOTOROLA tag from the GraphBuffer` -|`lf motorola read `|N |`Attempt to read and extract tag data from the antenna` -|`lf motorola clone `|N |`clone MOTOROLA tag to T55x7` -|`lf motorola sim `|N |`simulate MOTOROLA tag` - +|command |offline |description +|------- |------- |----------- +|`lf motorola help `|Y |`This help` +|`lf motorola demod `|Y |`Demodulate an MOTOROLA tag from the GraphBuffer` +|`lf motorola read `|N |`Attempt to read and extract tag data from the antenna` +|`lf motorola clone `|N |`clone MOTOROLA tag to T55x7` +|`lf motorola sim `|N |`simulate MOTOROLA tag` + + +### lf nedap + + { Nedap RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf nedap help `|Y |`This help` +|`lf nedap demod `|Y |`Demodulate Nedap tag from the GraphBuffer` +|`lf nedap generate `|Y |`Generate Nedap bitstream in DemodBuffer` +|`lf nedap read `|N |`Attempt to read and extract tag data from the antenna` +|`lf nedap clone `|N |`Clone Nedap tag to T55x7 or Q5/T5555` +|`lf nedap sim `|N |`Simulate Nedap tag` + + +### lf nexwatch + + { NexWatch RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf nexwatch help `|Y |`This help` +|`lf nexwatch demod `|Y |`Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer` +|`lf nexwatch read `|N |`Attempt to Read and Extract tag data from the antenna` +|`lf nexwatch clone `|N |`clone NexWatch tag to T55x7` +|`lf nexwatch sim `|N |`simulate NexWatch tag` + + +### lf noralsy + + { Noralsy RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf noralsy help `|Y |`This help` +|`lf noralsy demod `|Y |`Demodulate an Noralsy tag from the GraphBuffer` +|`lf noralsy read `|N |`Attempt to read and extract tag data from the antenna` +|`lf noralsy clone `|N |`clone Noralsy tag to T55x7 or Q5/T5555` +|`lf noralsy sim `|N |`simulate Noralsy tag` + + ### lf pac { PAC/Stanley RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf pac help `|Y |`This help` -|`lf pac demod `|Y |`Demodulate a PAC tag from the GraphBuffer` -|`lf pac read `|N |`Attempt to read and extract tag data from the antenna` -|`lf pac clone `|N |`clone PAC tag to T55x7` -|`lf pac sim `|N |`simulate PAC tag` - +|command |offline |description +|------- |------- |----------- +|`lf pac help `|Y |`This help` +|`lf pac demod `|Y |`Demodulate a PAC tag from the GraphBuffer` +|`lf pac read `|N |`Attempt to read and extract tag data from the antenna` +|`lf pac clone `|N |`clone PAC tag to T55x7` +|`lf pac sim `|N |`simulate PAC tag` + + ### lf paradox { Paradox RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf paradox help `|Y |`This help` -|`lf paradox demod `|Y |`Demodulate a Paradox FSK tag from the GraphBuffer` -|`lf paradox read `|N |`Attempt to read and Extract tag data from the antenna` -|`lf paradox clone `|N |`clone paradox tag to T55x7` -|`lf paradox sim `|N |`simulate paradox tag` - +|command |offline |description +|------- |------- |----------- +|`lf paradox help `|Y |`This help` +|`lf paradox demod `|Y |`Demodulate a Paradox FSK tag from the GraphBuffer` +|`lf paradox read `|N |`Attempt to read and Extract tag data from the antenna` +|`lf paradox clone `|N |`clone paradox tag to T55x7` +|`lf paradox sim `|N |`simulate paradox tag` + + ### lf pcf7931 { PCF7931 CHIPs... } - -|command |offline |description -|------- |------- |----------- -|`lf pcf7931 help `|Y |`This help` -|`lf pcf7931 read `|N |`Read content of a PCF7931 transponder` -|`lf pcf7931 write `|N |`Write data on a PCF7931 transponder.` -|`lf pcf7931 config `|Y |`Configure the password, the tags initialization delay and time offsets (optional)` - +|command |offline |description +|------- |------- |----------- +|`lf pcf7931 help `|Y |`This help` +|`lf pcf7931 read `|N |`Read content of a PCF7931 transponder` +|`lf pcf7931 write `|N |`Write data on a PCF7931 transponder.` +|`lf pcf7931 config `|Y |`Configure the password, the tags initialization delay and time offsets (optional)` + + ### lf presco { Presco RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf presco help `|Y |`This help` -|`lf presco read `|N |`Attempt to read and Extract tag data` -|`lf presco clone `|N |`clone presco tag to T55x7 (or to q5/T5555)` -|`lf presco sim `|N |`simulate presco tag` - +|command |offline |description +|------- |------- |----------- +|`lf presco help `|Y |`This help` +|`lf presco demod `|Y |`demodulate Presco tag from the GraphBuffer` +|`lf presco read `|N |`Attempt to read and Extract tag data` +|`lf presco clone `|N |`clone presco tag to T55x7 or Q5/T5555` +|`lf presco sim `|N |`simulate presco tag` + + ### lf pyramid { Farpointe/Pyramid RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf pyramid help `|Y |`this help` -|`lf pyramid demod `|Y |`demodulate a Pyramid FSK tag from the GraphBuffer` -|`lf pyramid read `|N |`attempt to read and extract tag data` -|`lf pyramid clone `|N |`clone pyramid tag to T55x7 (or to q5/T5555)` -|`lf pyramid sim `|N |`simulate pyramid tag` - +|command |offline |description +|------- |------- |----------- +|`lf pyramid help `|Y |`this help` +|`lf pyramid demod `|Y |`demodulate a Pyramid FSK tag from the GraphBuffer` +|`lf pyramid read `|N |`attempt to read and extract tag data` +|`lf pyramid clone `|N |`clone pyramid tag to T55x7 or Q5/T5555` +|`lf pyramid sim `|N |`simulate pyramid tag` + + ### lf securakey { Securakey RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf securakey help `|Y |`This help` -|`lf securakey demod `|Y |`Demodulate an Securakey tag from the GraphBuffer` -|`lf securakey read `|N |`Attempt to read and extract tag data from the antenna` -|`lf securakey clone `|N |`clone Securakey tag to T55x7` -|`lf securakey sim `|N |`simulate Securakey tag` - +|command |offline |description +|------- |------- |----------- +|`lf securakey help `|Y |`This help` +|`lf securakey demod `|Y |`Demodulate an Securakey tag from the GraphBuffer` +|`lf securakey read `|N |`Attempt to read and extract tag data from the antenna` +|`lf securakey clone `|N |`clone Securakey tag to T55x7` +|`lf securakey sim `|N |`simulate Securakey tag` + + ### lf ti { TI CHIPs... } - -|command |offline |description -|------- |------- |----------- -|`lf ti help `|Y |`This help` -|`lf ti demod `|Y |`Demodulate raw bits for TI-type LF tag from the GraphBuffer` -|`lf ti read `|N |`Read and decode a TI 134 kHz tag` -|`lf ti write `|N |`Write new data to a r/w TI 134 kHz tag` - +|command |offline |description +|------- |------- |----------- +|`lf ti help `|Y |`This help` +|`lf ti demod `|Y |`Demodulate raw bits for TI-type LF tag from the GraphBuffer` +|`lf ti read `|N |`Read and decode a TI 134 kHz tag` +|`lf ti write `|N |`Write new data to a r/w TI 134 kHz tag` + + ### lf t55xx { T55xx CHIPs... } - -|command |offline |description -|------- |------- |----------- -|`lf t55xx help `|Y |`This help` -|`lf t55xx bruteforce `|N |` Simple bruteforce attack to find password` -|`lf t55xx config `|Y |`Set/Get T55XX configuration (modulation, inverted, offset, rate)` -|`lf t55xx chk `|N |`Check passwords from dictionary/flash` -|`lf t55xx clonehelp `|N |`Shows the available clone commands` -|`lf t55xx dangerraw `|N |`Sends raw bitstream. Dangerous, do not use!! b t ` -|`lf t55xx detect `|Y |`[1] Try detecting the tag modulation from reading the configuration block.` -|`lf t55xx deviceconfig `|N |`Set/Get T55XX device configuration (startgap, writegap, write0, write1, readgap` -|`lf t55xx dump `|N |`[password] [o] Dump T55xx card Page 0 block 0-7. Optional [password], [override]` -|`lf t55xx restore `|N |`f [p ] Restore T55xx card Page 0 / Page 1 blocks` -|`lf t55xx info `|Y |`[1] Show T55x7 configuration data (page 0/ blk 0)` -|`lf t55xx p1detect `|N |`[1] Try detecting if this is a t55xx tag by reading page 1` -|`lf t55xx protect `|N |`Password protect tag` -|`lf t55xx read `|N |`b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]` -|`lf t55xx resetread `|N |`Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)` -|`lf t55xx recoverpw `|N |`[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!` -|`lf t55xx sniff `|N |`Attempt to recover T55xx commands from sample buffer` -|`lf t55xx special `|N |`Show block changes with 64 different offsets` -|`lf t55xx trace `|Y |`[1] Show T55x7 traceability data (page 1/ blk 0-1)` -|`lf t55xx wakeup `|N |`Send AOR wakeup command` -|`lf t55xx wipe `|N |`[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)` -|`lf t55xx write `|N |`b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]` - +|command |offline |description +|------- |------- |----------- +|`lf t55xx help `|Y |`This help` +|`lf t55xx clonehelp `|N |`Shows the available clone commands` +|`lf t55xx config `|Y |`Set/Get T55XX configuration (modulation, inverted, offset, rate)` +|`lf t55xx dangerraw `|N |`Sends raw bitstream. Dangerous, do not use!! b t ` +|`lf t55xx detect `|Y |`[1] Try detecting the tag modulation from reading the configuration block.` +|`lf t55xx deviceconfig `|N |`Set/Get T55XX device configuration (startgap, writegap, write0, write1, readgap` +|`lf t55xx dump `|N |`[password] [o] Dump T55xx card Page 0 block 0-7. Optional [password], [override]` +|`lf t55xx info `|Y |`[1] Show T55x7 configuration data (page 0/ blk 0)` +|`lf t55xx p1detect `|N |`[1] Try detecting if this is a t55xx tag by reading page 1` +|`lf t55xx read `|N |`b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]` +|`lf t55xx resetread `|N |`Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)` +|`lf t55xx restore `|N |`f [p ] Restore T55xx card Page 0 / Page 1 blocks` +|`lf t55xx trace `|Y |`[1] Show T55x7 traceability data (page 1/ blk 0-1)` +|`lf t55xx wakeup `|N |`Send AOR wakeup command` +|`lf t55xx write `|N |`b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]` +|`lf t55xx bruteforce `|N |` Simple bruteforce attack to find password` +|`lf t55xx chk `|N |`Check passwords from dictionary/flash` +|`lf t55xx protect `|N |`Password protect tag` +|`lf t55xx recoverpw `|N |`[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!` +|`lf t55xx sniff `|Y |`Attempt to recover T55xx commands from sample buffer` +|`lf t55xx special `|N |`Show block changes with 64 different offsets` +|`lf t55xx wipe `|N |`[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)` + + ### lf viking { Viking RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf viking help `|Y |`This help` -|`lf viking demod `|Y |`Demodulate a Viking tag from the GraphBuffer` -|`lf viking read `|N |`Attempt to read and Extract tag data from the antenna` -|`lf viking clone `|N |`clone Viking tag to T55x7 (or to q5/T5555)` -|`lf viking sim `|N |`simulate Viking tag` - +|command |offline |description +|------- |------- |----------- +|`lf viking help `|Y |`This help` +|`lf viking demod `|Y |`Demodulate a Viking tag from the GraphBuffer` +|`lf viking read `|N |`Attempt to read and Extract tag data from the antenna` +|`lf viking clone `|N |`clone Viking tag to T55x7 or Q5/T5555` +|`lf viking sim `|N |`simulate Viking tag` + + ### lf visa2000 { Visa2000 RFIDs... } - -|command |offline |description -|------- |------- |----------- -|`lf visa2000 help `|Y |`This help` -|`lf visa2000 demod `|Y |`demodulate an VISA2000 tag from the GraphBuffer` -|`lf visa2000 read `|N |`attempt to read and extract tag data from the antenna` -|`lf visa2000 clone `|N |`clone Visa2000 tag to T55x7 (or to q5/T5555)` -|`lf visa2000 sim `|N |`simulate Visa2000 tag` - +|command |offline |description +|------- |------- |----------- +|`lf visa2000 help `|Y |`This help` +|`lf visa2000 demod `|Y |`demodulate an VISA2000 tag from the GraphBuffer` +|`lf visa2000 read `|N |`attempt to read and extract tag data from the antenna` +|`lf visa2000 clone `|N |`clone Visa2000 tag to T55x7 or Q5/T5555` +|`lf visa2000 sim `|N |`simulate Visa2000 tag` + + ### mem { Flash Memory manipulation... } - -|command |offline |description -|------- |------- |----------- -|`mem help `|Y |`This help` -|`mem spiffs `|N |`High level SPI FileSystem Flash manipulation [rdv40]` -|`mem spibaud `|N |`Set Flash memory Spi baudrate [rdv40]` -|`mem info `|N |`Flash memory information [rdv40]` -|`mem load `|N |`Load data into flash memory [rdv40]` -|`mem dump `|N |`Dump data from flash memory [rdv40]` -|`mem wipe `|N |`Wipe data from flash memory [rdv40]` - +|command |offline |description +|------- |------- |----------- +|`mem help `|Y |`This help` +|`mem baudrate `|N |`Set Flash memory Spi baudrate` +|`mem spiffs `|N |`High level SPI FileSystem Flash manipulation` +|`mem info `|N |`Flash memory information` +|`mem load `|N |`Load data into flash memory` +|`mem dump `|N |`Dump data from flash memory` +|`mem wipe `|N |`Wipe data from flash memory` + + ### reveng { CRC calculations from RevEng software } - -### sc + +[=] reveng: no mode switch specified. Use reveng -h for help. + +### smart { Smart card ISO-7816 commands... } - -|command |offline |description -|------- |------- |----------- -|`smart help `|Y |`This help` -|`smart list `|N |`List ISO 7816 history` -|`smart info `|N |`Tag information` -|`smart reader `|N |`Act like an IS07816 reader` -|`smart raw `|N |`Send raw hex data to tag` -|`smart upgrade `|Y |`Upgrade sim module firmware` -|`smart setclock `|N |`Set clock speed` -|`smart brute `|N |`Bruteforce SFI` - +|command |offline |description +|------- |------- |----------- +|`smart help `|Y |`This help` +|`smart list `|N |`List ISO 7816 history` +|`smart info `|N |`Tag information` +|`smart reader `|N |`Act like an IS07816 reader` +|`smart raw `|N |`Send raw hex data to tag` +|`smart upgrade `|Y |`Upgrade sim module firmware` +|`smart setclock `|N |`Set clock speed` +|`smart brute `|N |`Bruteforce SFI` + + ### script { Scripting commands } - -|command |offline |description -|------- |------- |----------- -|`script help `|Y |`This help` -|`script list `|Y |`List available scripts` -|`script run `|Y |` -- Execute a script` - +|command |offline |description +|------- |------- |----------- +|`script help `|Y |`Usage info` +|`script list `|Y |`List available scripts` +|`script run `|Y |` -- execute a script` + + ### trace { Trace manipulation... } - -|command |offline |description -|------- |------- |----------- -|`trace help `|Y |`This help` -|`trace list `|Y |`List protocol data in trace buffer` -|`trace load `|Y |`Load trace from file` -|`trace save `|Y |`Save trace buffer to file` - +|command |offline |description +|------- |------- |----------- +|`trace help `|Y |`This help` +|`trace list `|Y |`List protocol data in trace buffer` +|`trace load `|Y |`Load trace from file` +|`trace save `|Y |`Save trace buffer to file` + + ### usart { USART commands... } - -|command |offline |description -|------- |------- |----------- -|`usart help `|Y |`This help` -|`usart btpin `|N |`Change BT add-on PIN` -|`usart btfactory `|N |`Reset BT add-on to factory settings` -|`usart tx `|N |`Send string over USART` -|`usart rx `|N |`Receive string over USART` -|`usart txrx `|N |`Send string over USART and wait for response` -|`usart txhex `|N |`Send bytes over USART` -|`usart rxhex `|N |`Receive bytes over USART` -|`usart config `|N |`Configure USART` - +|command |offline |description +|------- |------- |----------- +|`usart help `|Y |`This help` +|`usart btpin `|N |`Change BT add-on PIN` +|`usart btfactory `|N |`Reset BT add-on to factory settings` +|`usart tx `|N |`Send string over USART` +|`usart rx `|N |`Receive string over USART` +|`usart txrx `|N |`Send string over USART and wait for response` +|`usart txhex `|N |`Send bytes over USART` +|`usart rxhex `|N |`Receive bytes over USART` +|`usart config `|N |`Configure USART` + + ### wiegand { Wiegand format manipulation... } - -|command |offline |description -|------- |------- |----------- -|`wiegand help `|Y |`This help` -|`wiegand list `|Y |`List available wiegand formats` -|`wiegand encode `|Y |`Convert ` -|`wiegand decode `|Y |`Convert raw hex to wiegand format` - +|command |offline |description +|------- |------- |----------- +|`wiegand help `|Y |`This help` +|`wiegand list `|Y |`List available wiegand formats` +|`wiegand encode `|Y |`Encode to wiegand raw hex` +|`wiegand decode `|Y |`Convert raw hex to decoded wiegand format` + +