diff --git a/doc/commands.md b/doc/commands.md new file mode 100644 index 000000000..22149f373 --- /dev/null +++ b/doc/commands.md @@ -0,0 +1,1027 @@ + +# Proxmark3 command dump + + +Some commands are available only if a Proxmark3 is actually connected. + +Check column "offline" for their availability. + + + +|command |offline |description +|------- |------- |----------- +|`auto `|N |`Automated detection process for unknown tags` +|`clear `|Y |`clear screen` +|`help `|Y |`This help. Use ' help' for details of a particular command.` +|`hints `|Y |`Turn hints on / off` +|`msleep `|Y |`Add a pause in milliseconds` +|`pref `|Y |`Edit preferences` +|`rem `|Y |`Add a text line in log file` +|`quit `|Y |`` +|`exit `|Y |`Exit program` + + +### analyse + + { Analyse utils... } + +|command |offline |description +|------- |------- |----------- +|`analyse help `|Y |`This help` +|`analyse lcr `|Y |`Generate final byte for XOR LRC` +|`analyse crc `|Y |`Stub method for CRC evaluations` +|`analyse chksum `|Y |`Checksum with adding, masking and one's complement` +|`analyse dates `|Y |`Look for datestamps in a given array of bytes` +|`analyse tea `|Y |`Crypto TEA test` +|`analyse lfsr `|Y |`LFSR tests` +|`analyse a `|Y |`num bits test` +|`analyse nuid `|Y |`create NUID from 7byte UID` +|`analyse demodbuff `|Y |`Load binary string to demodbuffer` +|`analyse freq `|Y |`Calc wave lengths` + + +### data + + { Plot window / data buffer manipulation... } + +|command |offline |description +|------- |------- |----------- +|`data help `|Y |`This help` +|`data biphaserawdecode `|Y |`Biphase decode bin stream in DemodBuffer` +|`data detectclock `|Y |`Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer` +|`data fsktonrz `|Y |`Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)` +|`data manrawdecode `|Y |`Manchester decode binary stream in DemodBuffer` +|`data modulation `|Y |`Identify LF signal for clock and modulation` +|`data rawdemod `|Y |`Demodulate the data in the GraphBuffer and output binary` +|`data askedgedetect `|Y |`[threshold] Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)` +|`data autocorr `|Y |`Autocorrelation over window` +|`data dirthreshold `|Y |` -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.` +|`data decimate `|Y |`Decimate samples` +|`data undecimate `|Y |`Un-decimate samples` +|`data hide `|Y |`Hide graph window` +|`data hpf `|Y |`Remove DC offset from trace` +|`data iir `|Y |`apply IIR buttersworth filter on plotdata` +|`data grid `|Y |` -- overlay grid on graph window, use zero value to turn off either` +|`data ltrim `|Y |` -- Trim samples from left of trace` +|`data mtrim `|Y |` -- Trim out samples from the specified start to the specified stop` +|`data norm `|Y |`Normalize max/min to +/-128` +|`data plot `|Y |`Show graph window (hit 'h' in window for keystroke help)` +|`data rtrim `|Y |` -- Trim samples from right of trace` +|`data setgraphmarkers `|Y |`[orange_marker] [blue_marker] (in graph window)` +|`data shiftgraphzero `|Y |` -- Shift 0 for Graphed wave + or - shift value` +|`data timescale `|Y |`Set a timescale to get a differential reading between the yellow and purple markers as time duration +` +|`data zerocrossings `|Y |`Count time between zero-crossings` +|`data convertbitstream `|Y |`Convert GraphBuffer's 0/1 values to 127 / -127` +|`data getbitstream `|Y |`Convert GraphBuffer's >=1 values to 1 and <1 to 0` +|`data bin2hex `|Y |`Converts binary to hexadecimal` +|`data bitsamples `|N |`Get raw samples as bitstring` +|`data clear `|Y |`Clears bigbuf on deviceside and graph window` +|`data hexsamples `|N |` [] -- Dump big buffer as hex bytes` +|`data hex2bin `|Y |`Converts hexadecimal to binary` +|`data load `|Y |`Load contents of file into graph window` +|`data ndef `|Y |`Decode NDEF records` +|`data print `|Y |`print the data in the DemodBuffer` +|`data samples `|N |`[512 - 40000] -- Get raw samples for graph window (GraphBuffer)` +|`data save `|Y |`Save signal trace data (from graph window)` +|`data setdebugmode `|Y |`<0|1|2> -- Set Debugging Level on client side` +|`data tune `|N |`Measure tuning of device antenna. Results shown in graph window` + + +### emv + + { EMV ISO-14443 / ISO-7816... } + +|command |offline |description +|------- |------- |----------- +|`emv help `|Y |`This help` +|`emv exec `|N |`Executes EMV contactless transaction.` +|`emv pse `|N |`Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.` +|`emv search `|N |`Try to select all applets from applets list and print installed applets.` +|`emv select `|N |`Select applet.` +|`emv gpo `|N |`Execute GetProcessingOptions.` +|`emv readrec `|N |`Read files from card.` +|`emv genac `|N |`Generate ApplicationCryptogram.` +|`emv challenge `|N |`Generate challenge.` +|`emv intauth `|N |`Internal authentication.` +|`emv scan `|N |`Scan EMV card and save it contents to json file for emulator.` +|`emv test `|Y |`Crypto logic test.` +|`emv list `|Y |`List ISO7816 history` +|`emv roca `|N |`Extract public keys and run ROCA test` + + +### hf + + { High frequency commands... } + +|command |offline |description +|------- |------- |----------- +|`hf help `|Y |`This help` +|`hf list `|Y |`List protocol data in trace buffer` +|`hf plot `|N |`Plot signal` +|`hf tune `|N |`Continuously measure HF antenna tuning` +|`hf search `|Y |`Search for known HF tags` +|`hf sniff `|N |` Generic HF Sniff` + + +### hf 14a + + { ISO14443A RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf 14a help `|Y |`This help` +|`hf 14a list `|Y |`List ISO 14443-a history` +|`hf 14a info `|N |`Tag information` +|`hf 14a reader `|N |`Act like an ISO14443-a reader` +|`hf 14a cuids `|N |` Collect n>0 ISO14443-a UIDs in one go` +|`hf 14a sim `|N |` -- Simulate ISO 14443-a tag` +|`hf 14a sniff `|N |`sniff ISO 14443-a traffic` +|`hf 14a apdu `|N |`Send ISO 14443-4 APDU to tag` +|`hf 14a chaining `|N |`Control ISO 14443-4 input chaining` +|`hf 14a raw `|N |`Send raw hex data to tag` +|`hf 14a antifuzz `|N |`Fuzzing the anticollision phase. Warning! Readers may react strange` +|`hf 14a config `|N |`Configure 14a settings (use with caution)` + + +### hf 14b + + { ISO14443B RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf 14b help `|Y |`This help` +|`hf 14b apdu `|N |`Send ISO 14443-4 APDU to tag` +|`hf 14b dump `|N |`Read all memory pages of an ISO14443-B tag, save to file` +|`hf 14b info `|N |`Tag information` +|`hf 14b list `|Y |`List ISO 14443B history` +|`hf 14b ndef `|N |`Read NDEF file on tag` +|`hf 14b raw `|N |`Send raw hex data to tag` +|`hf 14b reader `|N |`Act as a 14443B reader to identify a tag` +|`hf 14b sim `|N |`Fake ISO 14443B tag` +|`hf 14b sniff `|N |`Eavesdrop ISO 14443B` +|`hf 14b rdbl `|N |`Read SRI512/SRIX4x block` +|`hf 14b sriwrite `|N |`Write data to a SRI512 | SRIX4K tag` + + +### hf 15 + + { ISO15693 RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf 15 help `|Y |`This help` +|`hf 15 list `|Y |`List ISO15693 history` +|`hf 15 demod `|Y |`Demodulate ISO15693 from tag` +|`hf 15 dump `|N |`Read all memory pages of an ISO15693 tag, save to file` +|`hf 15 info `|N |`Tag information` +|`hf 15 sniff `|N |`Sniff ISO15693 traffic` +|`hf 15 raw `|N |`Send raw hex data to tag` +|`hf 15 rdbl `|N |`Read a block` +|`hf 15 reader `|N |`Act like an ISO15693 reader` +|`hf 15 readmulti `|N |`Reads multiple Blocks` +|`hf 15 restore `|N |`Restore from file to all memory pages of an ISO15693 tag` +|`hf 15 samples `|N |`Acquire Samples as Reader (enables carrier, sends inquiry)` +|`hf 15 sim `|N |`Fake an ISO15693 tag` +|`hf 15 wrbl `|N |`Write a block` +|`hf 15 findafi `|N |`Brute force AFI of an ISO15693 tag` +|`hf 15 writeafi `|N |`Writes the AFI on an ISO15693 tag` +|`hf 15 writedsfid `|N |`Writes the DSFID on an ISO15693 tag` +|`hf 15 csetuid `|N |`Set UID for magic Chinese card` + + +### hf epa + + { German Identification Card... } + +|command |offline |description +|------- |------- |----------- +|`hf epa help `|Y |`This help` +|`hf epa cnonces `|N |` Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses` +|`hf epa preplay `|N |` Perform PACE protocol by replaying given APDUs` + + +### hf felica + + { ISO18092 / FeliCa RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf felica help `|Y |`This help` +|`hf felica list `|Y |`List ISO 18092/FeliCa history` +|`hf felica reader `|N |`Act like an ISO18092/FeliCa reader` +|`hf felica sniff `|N |`Sniff ISO 18092/FeliCa traffic` +|`hf felica raw `|N |`Send raw hex data to tag` +|`hf felica rdunencrypted`|N |`read Block Data from authentication-not-required Service.` +|`hf felica wrunencrypted`|N |`write Block Data to an authentication-not-required Service.` +|`hf felica rqservice `|N |`verify the existence of Area and Service, and to acquire Key Version.` +|`hf felica rqresponse `|N |`verify the existence of a card and its Mode.` +|`hf felica scsvcode `|N |`acquire Area Code and Service Code.` +|`hf felica rqsyscode `|N |`acquire System Code registered to the card.` +|`hf felica auth1 `|N |`authenticate a card. Start mutual authentication with Auth1` +|`hf felica auth2 `|N |`allow a card to authenticate a Reader/Writer. Complete mutual authentication` +|`hf felica rqspecver `|N |`acquire the version of card OS.` +|`hf felica resetmode `|N |`reset Mode to Mode 0.` +|`hf felica litesim `|N |` - only reply to poll request` +|`hf felica litedump `|N |`Wait for and try dumping FelicaLite` + + +### hf fido + + { FIDO and FIDO2 authenticators... } + +|command |offline |description +|------- |------- |----------- +|`hf fido help `|Y |`This help.` +|`hf fido list `|N |`List ISO 14443A history` +|`hf fido info `|N |`Info about FIDO tag.` +|`hf fido reg `|N |`FIDO U2F Registration Message.` +|`hf fido auth `|N |`FIDO U2F Authentication Message.` +|`hf fido make `|N |`FIDO2 MakeCredential command.` +|`hf fido assert `|N |`FIDO2 GetAssertion command.` + + +### hf iclass + + { ICLASS RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf iclass help `|Y |`This help` +|`hf iclass dump `|N |`[options..] Dump Picopass / iCLASS tag to file` +|`hf iclass info `|Y |` Tag information` +|`hf iclass list `|Y |` List iclass history` +|`hf iclass rdbl `|N |`[options..] Read Picopass / iCLASS block` +|`hf iclass reader `|N |` Act like an Picopass / iCLASS reader` +|`hf iclass restore `|N |`[options..] Restore a dump file onto a Picopass / iCLASS tag` +|`hf iclass sniff `|N |` Eavesdrop Picopass / iCLASS communication` +|`hf iclass wrbl `|N |`[options..] Write Picopass / iCLASS block` +|`hf iclass autopwn `|N |`[options..] Automatic key recovery tool for iCLASS` +|`hf iclass chk `|N |`[options..] Check keys` +|`hf iclass loclass `|Y |`[options..] Use loclass to perform bruteforce reader attack` +|`hf iclass lookup `|Y |`[options..] Uses authentication trace to check for key in dictionary file` +|`hf iclass sim `|N |`[options..] Simulate iCLASS tag` +|`hf iclass eload `|N |`[f ] Load Picopass / iCLASS dump file into emulator memory` +|`hf iclass esave `|N |`[f ] Save emulator memory to file` +|`hf iclass eview `|N |`[options..] View emulator memory` +|`hf iclass calcnewkey `|Y |`[options..] Calc diversified keys (blocks 3 & 4) to write new keys` +|`hf iclass encrypt `|Y |`[options..] Encrypt given block data` +|`hf iclass decrypt `|Y |`[options..] Decrypt given block data or tag dump file` +|`hf iclass managekeys `|Y |`[options..] Manage keys to use with iclass commands` +|`hf iclass permute `|N |` Permute function from 'heart of darkness' paper` +|`hf iclass view `|Y |`[options..] Display content from tag dump file` + + +### hf legic + + { LEGIC RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf legic help `|Y |`This help` +|`hf legic list `|Y |`List LEGIC history` +|`hf legic reader `|N |`LEGIC Prime Reader UID and tag info` +|`hf legic info `|N |`Display deobfuscated and decoded LEGIC Prime tag data` +|`hf legic dump `|N |`Dump LEGIC Prime tag to binary file` +|`hf legic restore `|N |`Restore a dump file onto a LEGIC Prime tag` +|`hf legic rdbl `|N |`Read bytes from a LEGIC Prime tag` +|`hf legic sim `|N |`Start tag simulator` +|`hf legic wrbl `|N |`Write data to a LEGIC Prime tag` +|`hf legic crc `|Y |`Calculate Legic CRC over given bytes` +|`hf legic eload `|Y |`Load binary dump to emulator memory` +|`hf legic esave `|Y |`Save emulator memory to binary file` +|`hf legic wipe `|N |`Wipe a LEGIC Prime tag` + + +### hf lto + + { LTO Cartridge Memory RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf lto help `|Y |`This help` +|`hf lto dump `|N |`Dump LTO-CM tag to file` +|`hf lto restore `|N |`Restore dump file to LTO-CM tag` +|`hf lto info `|N |`Tag information` +|`hf lto rdbl `|N |`Read block` +|`hf lto wrbl `|N |`Write block` +|`hf lto list `|Y |`List LTO-CM history` + + +### hf mf + + { MIFARE RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mf help `|Y |`This help` +|`hf mf list `|Y |`List MIFARE history` +|`hf mf darkside `|N |`Darkside attack` +|`hf mf nested `|N |`Nested attack` +|`hf mf hardnested `|Y |`Nested attack for hardened MIFARE Classic cards` +|`hf mf staticnested `|N |`Nested attack against static nonce MIFARE Classic cards` +|`hf mf autopwn `|N |`Automatic key recovery tool for MIFARE Classic` +|`hf mf nack `|N |`Test for MIFARE NACK bug` +|`hf mf chk `|N |`Check keys` +|`hf mf fchk `|N |`Check keys fast, targets all keys on card` +|`hf mf decrypt `|Y |`[nt] [ar_enc] [at_enc] [data] - to decrypt sniff or trace` +|`hf mf supercard `|N |`Extract info from a `super card`` +|`hf mf auth4 `|N |`ISO14443-4 AES authentication` +|`hf mf dump `|N |`Dump MIFARE Classic tag to binary file` +|`hf mf mad `|N |`Checks and prints MAD` +|`hf mf ndef `|N |`Prints NDEF records from card` +|`hf mf personalize `|N |`Personalize UID (MIFARE Classic EV1 only)` +|`hf mf rdbl `|N |`Read MIFARE Classic block` +|`hf mf rdsc `|N |`Read MIFARE Classic sector` +|`hf mf restore `|N |`Restore MIFARE Classic binary file to BLANK tag` +|`hf mf setmod `|N |`Set MIFARE Classic EV1 load modulation strength` +|`hf mf wrbl `|N |`Write MIFARE Classic block` +|`hf mf sim `|N |`Simulate MIFARE card` +|`hf mf ecfill `|N |`Fill simulator memory with help of keys from simulator` +|`hf mf eclr `|N |`Clear simulator memory` +|`hf mf egetblk `|N |`Get simulator memory block` +|`hf mf egetsc `|N |`Get simulator memory sector` +|`hf mf ekeyprn `|N |`Print keys from simulator memory` +|`hf mf eload `|N |`Load from file emul dump` +|`hf mf esave `|N |`Save to file emul dump` +|`hf mf eset `|N |`Set simulator memory block` +|`hf mf eview `|N |`View emul memory` +|`hf mf cgetblk `|N |`Read block` +|`hf mf cgetsc `|N |`Read sector` +|`hf mf cload `|N |`Load dump` +|`hf mf csave `|N |`Save dump from card into file or emulator` +|`hf mf csetblk `|N |`Write block` +|`hf mf csetuid `|N |`Set UID` +|`hf mf cview `|N |`view card` +|`hf mf cwipe `|N |`Wipe card to default UID/Sectors/Keys` +|`hf mf gen3uid `|N |`Set UID without manufacturer block` +|`hf mf gen3blk `|N |`Overwrite full manufacturer block` +|`hf mf gen3freeze `|N |`Perma lock further UID changes` +|`hf mf ice `|N |`collect MIFARE Classic nonces to file` + + +### hf mfp + + { MIFARE Plus RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mfp help `|Y |`This help` +|`hf mfp info `|N |`Info about Mifare Plus tag` +|`hf mfp wrp `|N |`Write Perso command` +|`hf mfp initp `|N |`Fills all the card's keys` +|`hf mfp commitp `|N |`Move card to SL1 or SL3 mode` +|`hf mfp auth `|N |`Authentication` +|`hf mfp rdbl `|N |`Read blocks` +|`hf mfp rdsc `|N |`Read sectors` +|`hf mfp wrbl `|N |`Write blocks` +|`hf mfp chk `|N |`Check keys` +|`hf mfp mad `|N |`Checks and prints MAD` +|`hf mfp ndef `|N |`Prints NDEF records from card` + + +### hf mfu + + { MIFARE Ultralight RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mfu help `|Y |`This help` +|`hf mfu info `|N |`Tag information` +|`hf mfu dump `|N |`Dump Ultralight / Ultralight-C / NTAG tag to binary file` +|`hf mfu restore `|N |`Restore a dump onto a MFU MAGIC tag` +|`hf mfu eload `|N |`load Ultralight .eml dump file into emulator memory` +|`hf mfu rdbl `|N |`Read block` +|`hf mfu wrbl `|N |`Write block` +|`hf mfu cauth `|N |`Authentication - Ultralight C` +|`hf mfu setpwd `|N |`Set 3des password - Ultralight-C` +|`hf mfu setuid `|N |`Set UID - MAGIC tags only` +|`hf mfu sim `|N |`Simulate Ultralight from emulator memory` +|`hf mfu gen `|Y |`Generate 3des mifare diversified keys` +|`hf mfu pwdgen `|Y |`Generate pwd from known algos` +|`hf mfu otptear `|N |`Tear-off test on OTP bits` +|`hf mfu ndef `|N |`Prints NDEF records from card` + + +### hf mfdes + + { MIFARE Desfire RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf mfdes help `|Y |`This help` +|`hf mfdes info `|N |`Tag information` +|`hf mfdes list `|Y |`List DESFire (ISO 14443A) history` +|`hf mfdes enum `|N |`Tries enumerate all applications` +|`hf mfdes auth `|N |`Tries a MIFARE DesFire Authentication` +|`hf mfdes getuid `|N |`Get random uid` +|`hf mfdes selectaid `|N |`Select Application ID` +|`hf mfdes createaid `|N |`Create Application ID` +|`hf mfdes deleteaid `|N |`Delete Application ID` +|`hf mfdes createfile `|N |`Create Standard/Backup File` +|`hf mfdes createvaluefile`|N |`Create Value File` +|`hf mfdes createrecordfile`|N |`Create Linear/Cyclic Record File` +|`hf mfdes deletefile `|N |`Create Delete File` +|`hf mfdes clearfile `|N |`Clear record File` +|`hf mfdes readdata `|N |`Read data from standard/backup/record file` +|`hf mfdes writedata `|N |`Write data to standard/backup/record file` +|`hf mfdes getvalue `|N |`Get value of file` +|`hf mfdes changevalue `|N |`Write value of a value file (credit/debit/clear)` +|`hf mfdes changekey `|N |`Change Key` +|`hf mfdes formatpicc `|N |`Format PICC` +|`hf mfdes dump `|N |`Dump all files` +|`hf mfdes chk `|N |`Check keys` + + +### hf st + + { ST Rothult RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf st help `|Y |`This help` +|`hf st info `|N |`Tag information` +|`hf st list `|Y |`List ISO 14443A/7816 history` +|`hf st ndef `|Y |`read NDEF file on tag` +|`hf st protect `|N |`change protection on tag` +|`hf st pwd `|N |`change password on tag` +|`hf st sim `|N |`Fake ISO 14443A/ST tag` + + +### hf thinfilm + + { Thinfilm RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf thinfilm help `|Y |`This help` +|`hf thinfilm info `|N |`Tag information` +|`hf thinfilm list `|Y |`List NFC Barcode / Thinfilm history - not correct` +|`hf thinfilm sim `|N |`Fake Thinfilm tag` + + +### hf topaz + + { TOPAZ (NFC Type 1) RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`hf topaz help `|Y |`This help` +|`hf topaz list `|Y |`List Topaz history` +|`hf topaz info `|N |`Tag information` +|`hf topaz reader `|N |`Act like a Topaz reader` +|`hf topaz sim `|N |` -- Simulate Topaz tag` +|`hf topaz sniff `|N |`Sniff Topaz reader-tag communication` +|`hf topaz raw `|N |`Send raw hex data to tag` + + +### hf waveshare + + { Waveshare NFC ePaper... } + +|command |offline |description +|------- |------- |----------- +|`hf waveshare help `|Y |`This help` +|`hf waveshare loadbmp `|N |`Load BMP file to Waveshare NFC ePaper` + + +### hw + + { Hardware commands... } + +|command |offline |description +|------- |------- |----------- +|`hw help `|Y |`This help` +|`hw connect `|Y |`connect Proxmark3 to serial port` +|`hw dbg `|N |`Set Proxmark3 debug level` +|`hw detectreader `|N |`['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)` +|`hw fpgaoff `|N |`Set FPGA off` +|`hw lcd `|N |` -- Send command/data to LCD` +|`hw lcdreset `|N |`Hardware reset LCD` +|`hw ping `|N |`Test if the Proxmark3 is responsive` +|`hw readmem `|N |`[address] -- Read memory at decimal address from flash` +|`hw reset `|N |`Reset the Proxmark3` +|`hw setlfdivisor `|N |`<19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)` +|`hw setmux `|N |`Set the ADC mux to a specific value` +|`hw standalone `|N |`Jump to the standalone mode` +|`hw status `|N |`Show runtime status information about the connected Proxmark3` +|`hw tearoff `|N |`Program a tearoff hook for the next command supporting tearoff` +|`hw tia `|N |`Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider` +|`hw tune `|N |`Measure antenna tuning` +|`hw version `|N |`Show version information about the connected Proxmark3` + + +### lf + + { Low frequency commands... } + +|command |offline |description +|------- |------- |----------- +|`lf help `|Y |`This help` +|`lf config `|N |`Get/Set config for LF sampling, bit/sample, decimation, frequency` +|`lf cmdread `|N |`Modulate LF reader field to send command before read (all periods in microseconds)` +|`lf read `|N |`Read LF tag` +|`lf search `|Y |`Read and Search for valid known tag (in offline mode it you can load first then search)` +|`lf sim `|N |`Simulate LF tag from buffer with optional GAP (in microseconds)` +|`lf simask `|N |`Simulate LF ASK tag from demodbuffer or input` +|`lf simfsk `|N |`Simulate LF FSK tag from demodbuffer or input` +|`lf simpsk `|N |`Simulate LF PSK tag from demodbuffer or input` +|`lf simbidir `|N |`Simulate LF tag (with bidirectional data transmission between reader and tag)` +|`lf sniff `|N |`Sniff LF traffic between reader and tag` +|`lf tune `|N |`Continuously measure LF antenna tuning` + + +### lf awid + + { AWID RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf awid help `|Y |`this help` +|`lf awid demod `|Y |`demodulate an AWID FSK tag from the GraphBuffer` +|`lf awid read `|N |`attempt to read and extract tag data` +|`lf awid clone `|N |`clone AWID tag to T55x7 or Q5/T5555` +|`lf awid sim `|N |`simulate AWID tag` +|`lf awid brute `|N |`Bruteforce card number against reader` +|`lf awid watch `|N |`continuously watch for cards. Reader mode` + + +### lf cotag + + { COTAG CHIPs... } + +|command |offline |description +|------- |------- |----------- +|`lf cotag help `|Y |`This help` +|`lf cotag demod `|Y |`Tries to decode a COTAG signal` +|`lf cotag read `|N |`Attempt to read and extract tag data` + + +### lf destron + + { FDX-A Destron RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf destron help `|Y |`This help` +|`lf destron demod `|Y |`Demodulate an Destron tag from the GraphBuffer` +|`lf destron read `|N |`Attempt to read and extract tag data from the antenna` +|`lf destron clone `|N |`Clone Destron tag to T55x7` +|`lf destron sim `|N |`Simulate Destron tag` + + +### lf em + + { EM4X CHIPs & RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf em help `|Y |`This help` +|`lf em 410x_demod `|Y |`demodulate a EM410x tag from the GraphBuffer` +|`lf em 410x_read `|N |`attempt to read and extract tag data` +|`lf em 410x_sim `|N |`simulate EM410x tag` +|`lf em 410x_brute `|N |`reader bruteforce attack by simulating EM410x tags` +|`lf em 410x_watch `|N |`watches for EM410x 125/134 kHz tags (option 'h' for 134)` +|`lf em 410x_spoof `|N |`watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)` +|`lf em 410x_clone `|N |`write EM410x UID to T55x7 or Q5/T5555 tag` +|`lf em 4x05_chk `|N |`Check passwords from dictionary` +|`lf em 4x05_demod `|Y |`demodulate a EM4x05/EM4x69 tag from the GraphBuffer` +|`lf em 4x05_dump `|N |`dump EM4x05/EM4x69 tag` +|`lf em 4x05_wipe `|N |`wipe EM4x05/EM4x69 tag` +|`lf em 4x05_info `|N |`tag information EM4x05/EM4x69` +|`lf em 4x05_read `|N |`read word data from EM4x05/EM4x69` +|`lf em 4x05_write `|N |`write word data to EM4x05/EM4x69` +|`lf em 4x05_unlock `|N |`execute tear off against EM4x05/EM4x69` +|`lf em 4x05_sniff `|Y |`Attempt to recover em4x05 commands from sample buffer` +|`lf em 4x05_brute `|N |`Bruteforce password` +|`lf em 4x50_dump `|N |`dump EM4x50 tag` +|`lf em 4x50_info `|N |`tag information EM4x50` +|`lf em 4x50_write `|N |`write word data to EM4x50` +|`lf em 4x50_write_password`|N |`change password of EM4x50 tag` +|`lf em 4x50_read `|N |`read word data from EM4x50` +|`lf em 4x50_wipe `|N |`wipe data from EM4x50` + + +### lf fdxb + + { FDX-B RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf fdxb help `|Y |`this help` +|`lf fdxb demod `|Y |`demodulate a FDX-B ISO11784/85 tag from the GraphBuffer` +|`lf fdxb read `|N |`attempt to read at 134kHz and extract tag data` +|`lf fdxb clone `|N |`clone animal ID tag to T55x7 or Q5/T5555` +|`lf fdxb sim `|N |`simulate Animal ID tag` + + +### lf gallagher + + { GALLAGHER RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf gallagher help `|Y |`This help` +|`lf gallagher demod `|Y |`Demodulate an GALLAGHER tag from the GraphBuffer` +|`lf gallagher read `|N |`Attempt to read and extract tag data from the antenna` +|`lf gallagher clone `|N |`clone GALLAGHER tag to T55x7` +|`lf gallagher sim `|N |`simulate GALLAGHER tag` + + +### lf gproxii + + { Guardall Prox II RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf gproxii help `|Y |`this help` +|`lf gproxii demod `|Y |`demodulate a G Prox II tag from the GraphBuffer` +|`lf gproxii read `|N |`attempt to read and extract tag data from the antenna` +|`lf gproxii clone `|N |`clone Guardall tag to T55x7 or Q5/T5555` +|`lf gproxii sim `|N |`simulate Guardall tag` + + +### lf hid + + { HID Prox RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf hid help `|Y |`this help` +|`lf hid demod `|Y |`demodulate HID Prox tag from the GraphBuffer` +|`lf hid read `|N |`attempt to read and extract tag data` +|`lf hid clone `|N |`clone HID tag to T55x7` +|`lf hid sim `|N |`simulate HID tag` +|`lf hid brute `|N |`bruteforce card number against reader` +|`lf hid watch `|N |`continuously watch for cards. Reader mode` + + +### lf hitag + + { Hitag CHIPs... } + +|command |offline |description +|------- |------- |----------- +|`lf hitag help `|Y |`This help` +|`lf hitag list `|N |`List Hitag trace history` +|`lf hitag info `|N |`Tag information` +|`lf hitag reader `|N |`Act like a Hitag Reader` +|`lf hitag sim `|N |`Simulate Hitag transponder` +|`lf hitag sniff `|N |`Eavesdrop Hitag communication` +|`lf hitag writer `|N |`Act like a Hitag Writer` +|`lf hitag dump `|N |`Dump Hitag2 tag` +|`lf hitag cc `|N |`Test all challenges` + + +### lf idteck + + { Idteck RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf idteck help `|Y |`This help` +|`lf idteck demod `|Y |`Demodulate an Idteck tag from the GraphBuffer` +|`lf idteck read `|N |`Attempt to read and Extract tag data from the antenna` + + +### lf indala + + { Indala RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf indala help `|Y |`this help` +|`lf indala demod `|Y |`demodulate an indala tag (PSK1) from GraphBuffer` +|`lf indala altdemod `|Y |`alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)` +|`lf indala read `|N |`read an Indala Prox tag from the antenna` +|`lf indala clone `|N |`clone Indala tag to T55x7 or Q5/T5555` +|`lf indala sim `|N |`simulate Indala tag` + + +### lf io + + { ioProx RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf io help `|Y |`this help` +|`lf io demod `|Y |`demodulate an IOProx tag from the GraphBuffer` +|`lf io read `|N |`attempt to read and extract tag data` +|`lf io clone `|N |`clone IOProx tag to T55x7 or Q5/T5555` +|`lf io sim `|N |`simulate IOProx tag` +|`lf io watch `|N |`continuously watch for cards. Reader mode` + + +### lf jablotron + + { Jablotron RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf jablotron help `|Y |`This help` +|`lf jablotron demod `|Y |`Demodulate an Jablotron tag from the GraphBuffer` +|`lf jablotron read `|N |`Attempt to read and extract tag data from the antenna` +|`lf jablotron clone `|N |`clone jablotron tag to T55x7 or Q5/T5555` +|`lf jablotron sim `|N |`simulate jablotron tag` + + +### lf keri + + { KERI RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf keri help `|Y |`This help` +|`lf keri demod `|Y |`Demodulate an KERI tag from the GraphBuffer` +|`lf keri read `|N |`Attempt to read and extract tag data from the antenna` +|`lf keri clone `|N |`clone KERI tag to T55x7 or Q5/T5555` +|`lf keri sim `|N |`simulate KERI tag` + + +### lf motorola + + { Motorola RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf motorola help `|Y |`This help` +|`lf motorola demod `|Y |`Demodulate an MOTOROLA tag from the GraphBuffer` +|`lf motorola read `|N |`Attempt to read and extract tag data from the antenna` +|`lf motorola clone `|N |`clone MOTOROLA tag to T55x7` +|`lf motorola sim `|N |`simulate MOTOROLA tag` + + +### lf nedap + + { Nedap RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf nedap help `|Y |`This help` +|`lf nedap demod `|Y |`Demodulate Nedap tag from the GraphBuffer` +|`lf nedap generate `|Y |`Generate Nedap bitstream in DemodBuffer` +|`lf nedap read `|N |`Attempt to read and extract tag data from the antenna` +|`lf nedap clone `|N |`Clone Nedap tag to T55x7 or Q5/T5555` +|`lf nedap sim `|N |`Simulate Nedap tag` + + +### lf nexwatch + + { NexWatch RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf nexwatch help `|Y |`This help` +|`lf nexwatch demod `|Y |`Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer` +|`lf nexwatch read `|N |`Attempt to Read and Extract tag data from the antenna` +|`lf nexwatch clone `|N |`clone NexWatch tag to T55x7` +|`lf nexwatch sim `|N |`simulate NexWatch tag` + + +### lf noralsy + + { Noralsy RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf noralsy help `|Y |`This help` +|`lf noralsy demod `|Y |`Demodulate an Noralsy tag from the GraphBuffer` +|`lf noralsy read `|N |`Attempt to read and extract tag data from the antenna` +|`lf noralsy clone `|N |`clone Noralsy tag to T55x7 or Q5/T5555` +|`lf noralsy sim `|N |`simulate Noralsy tag` + + +### lf pac + + { PAC/Stanley RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf pac help `|Y |`This help` +|`lf pac demod `|Y |`Demodulate a PAC tag from the GraphBuffer` +|`lf pac read `|N |`Attempt to read and extract tag data from the antenna` +|`lf pac clone `|N |`clone PAC tag to T55x7` +|`lf pac sim `|N |`simulate PAC tag` + + +### lf paradox + + { Paradox RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf paradox help `|Y |`This help` +|`lf paradox demod `|Y |`Demodulate a Paradox FSK tag from the GraphBuffer` +|`lf paradox read `|N |`Attempt to read and Extract tag data from the antenna` +|`lf paradox clone `|N |`clone paradox tag to T55x7` +|`lf paradox sim `|N |`simulate paradox tag` + + +### lf pcf7931 + + { PCF7931 CHIPs... } + +|command |offline |description +|------- |------- |----------- +|`lf pcf7931 help `|Y |`This help` +|`lf pcf7931 read `|N |`Read content of a PCF7931 transponder` +|`lf pcf7931 write `|N |`Write data on a PCF7931 transponder.` +|`lf pcf7931 config `|Y |`Configure the password, the tags initialization delay and time offsets (optional)` + + +### lf presco + + { Presco RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf presco help `|Y |`This help` +|`lf presco demod `|Y |`demodulate Presco tag from the GraphBuffer` +|`lf presco read `|N |`Attempt to read and Extract tag data` +|`lf presco clone `|N |`clone presco tag to T55x7 or Q5/T5555` +|`lf presco sim `|N |`simulate presco tag` + + +### lf pyramid + + { Farpointe/Pyramid RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf pyramid help `|Y |`this help` +|`lf pyramid demod `|Y |`demodulate a Pyramid FSK tag from the GraphBuffer` +|`lf pyramid read `|N |`attempt to read and extract tag data` +|`lf pyramid clone `|N |`clone pyramid tag to T55x7 or Q5/T5555` +|`lf pyramid sim `|N |`simulate pyramid tag` + + +### lf securakey + + { Securakey RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf securakey help `|Y |`This help` +|`lf securakey demod `|Y |`Demodulate an Securakey tag from the GraphBuffer` +|`lf securakey read `|N |`Attempt to read and extract tag data from the antenna` +|`lf securakey clone `|N |`clone Securakey tag to T55x7` +|`lf securakey sim `|N |`simulate Securakey tag` + + +### lf ti + + { TI CHIPs... } + +|command |offline |description +|------- |------- |----------- +|`lf ti help `|Y |`This help` +|`lf ti demod `|Y |`Demodulate raw bits for TI-type LF tag from the GraphBuffer` +|`lf ti read `|N |`Read and decode a TI 134 kHz tag` +|`lf ti write `|N |`Write new data to a r/w TI 134 kHz tag` + + +### lf t55xx + + { T55xx CHIPs... } + +|command |offline |description +|------- |------- |----------- +|`lf t55xx help `|Y |`This help` +|`lf t55xx clonehelp `|N |`Shows the available clone commands` +|`lf t55xx config `|Y |`Set/Get T55XX configuration (modulation, inverted, offset, rate)` +|`lf t55xx dangerraw `|N |`Sends raw bitstream. Dangerous, do not use!! b t ` +|`lf t55xx detect `|Y |`[1] Try detecting the tag modulation from reading the configuration block.` +|`lf t55xx deviceconfig `|N |`Set/Get T55XX device configuration (startgap, writegap, write0, write1, readgap` +|`lf t55xx dump `|N |`[password] [o] Dump T55xx card Page 0 block 0-7. Optional [password], [override]` +|`lf t55xx info `|Y |`[1] Show T55x7 configuration data (page 0/ blk 0)` +|`lf t55xx p1detect `|N |`[1] Try detecting if this is a t55xx tag by reading page 1` +|`lf t55xx read `|N |`b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]` +|`lf t55xx resetread `|N |`Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)` +|`lf t55xx restore `|N |`f [p ] Restore T55xx card Page 0 / Page 1 blocks` +|`lf t55xx trace `|Y |`[1] Show T55x7 traceability data (page 1/ blk 0-1)` +|`lf t55xx wakeup `|N |`Send AOR wakeup command` +|`lf t55xx write `|N |`b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]` +|`lf t55xx bruteforce `|N |` Simple bruteforce attack to find password` +|`lf t55xx chk `|N |`Check passwords from dictionary/flash` +|`lf t55xx protect `|N |`Password protect tag` +|`lf t55xx recoverpw `|N |`[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!` +|`lf t55xx sniff `|Y |`Attempt to recover T55xx commands from sample buffer` +|`lf t55xx special `|N |`Show block changes with 64 different offsets` +|`lf t55xx wipe `|N |`[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)` + + +### lf viking + + { Viking RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf viking help `|Y |`This help` +|`lf viking demod `|Y |`Demodulate a Viking tag from the GraphBuffer` +|`lf viking read `|N |`Attempt to read and Extract tag data from the antenna` +|`lf viking clone `|N |`clone Viking tag to T55x7 or Q5/T5555` +|`lf viking sim `|N |`simulate Viking tag` + + +### lf visa2000 + + { Visa2000 RFIDs... } + +|command |offline |description +|------- |------- |----------- +|`lf visa2000 help `|Y |`This help` +|`lf visa2000 demod `|Y |`demodulate an VISA2000 tag from the GraphBuffer` +|`lf visa2000 read `|N |`attempt to read and extract tag data from the antenna` +|`lf visa2000 clone `|N |`clone Visa2000 tag to T55x7 or Q5/T5555` +|`lf visa2000 sim `|N |`simulate Visa2000 tag` + + +### mem + + { Flash Memory manipulation... } + +|command |offline |description +|------- |------- |----------- +|`mem help `|Y |`This help` +|`mem baudrate `|N |`Set Flash memory Spi baudrate` +|`mem spiffs `|N |`High level SPI FileSystem Flash manipulation` +|`mem info `|N |`Flash memory information` +|`mem load `|N |`Load data into flash memory` +|`mem dump `|N |`Dump data from flash memory` +|`mem wipe `|N |`Wipe data from flash memory` + + +### reveng + + { CRC calculations from RevEng software } + +[=] reveng: no mode switch specified. Use reveng -h for help. + +### smart + + { Smart card ISO-7816 commands... } + +|command |offline |description +|------- |------- |----------- +|`smart help `|Y |`This help` +|`smart list `|N |`List ISO 7816 history` +|`smart info `|N |`Tag information` +|`smart reader `|N |`Act like an IS07816 reader` +|`smart raw `|N |`Send raw hex data to tag` +|`smart upgrade `|Y |`Upgrade sim module firmware` +|`smart setclock `|N |`Set clock speed` +|`smart brute `|N |`Bruteforce SFI` + + +### script + + { Scripting commands } + +|command |offline |description +|------- |------- |----------- +|`script help `|Y |`Usage info` +|`script list `|Y |`List available scripts` +|`script run `|Y |` -- execute a script` + + +### trace + + { Trace manipulation... } + +|command |offline |description +|------- |------- |----------- +|`trace help `|Y |`This help` +|`trace list `|Y |`List protocol data in trace buffer` +|`trace load `|Y |`Load trace from file` +|`trace save `|Y |`Save trace buffer to file` + + +### usart + + { USART commands... } + +|command |offline |description +|------- |------- |----------- +|`usart help `|Y |`This help` +|`usart btpin `|N |`Change BT add-on PIN` +|`usart btfactory `|N |`Reset BT add-on to factory settings` +|`usart tx `|N |`Send string over USART` +|`usart rx `|N |`Receive string over USART` +|`usart txrx `|N |`Send string over USART and wait for response` +|`usart txhex `|N |`Send bytes over USART` +|`usart rxhex `|N |`Receive bytes over USART` +|`usart config `|N |`Configure USART` + + +### wiegand + + { Wiegand format manipulation... } + +|command |offline |description +|------- |------- |----------- +|`wiegand help `|Y |`This help` +|`wiegand list `|Y |`List available wiegand formats` +|`wiegand encode `|Y |`Encode to wiegand raw hex` +|`wiegand decode `|Y |`Convert raw hex to decoded wiegand format` + +