commands

marshmellow42 edited this page Apr 18, 2017 · 23 revisions

Proxmark3 command dump

When in doubt of how to use a command try the command with an h after it to see if it has a help.

Some commands are available only if a Proxmark is actually connected. Check column "offline" for their availability.

command offline description
help Y This help. Use ' help' for details of a particular command.
quit Y Exit program
exit Y Exit program

data

{ Plot window / data buffer manipulation... }

command offline description
data help Y This help
data askedgedetect Y [threshold] Adjust Graph for manual ask demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)
data askem410xdemod Y [clock] [invert<0 or 1>] [maxErr] -- Demodulate an EM410x tag from GraphBuffer (args optional)
data askgproxiidemod Y Demodulate a G Prox II tag from GraphBuffer
data autocorr Y [window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)
data biphaserawdecode Y [offset] [invert<0 or 1>] [maxErr] -- Biphase decode bin stream in DemodBuffer (offset = 0 or 1 bits to shift the decode start) (when inverted it is Diphase decode)
data bitsamples N Get raw samples as bitstring
data buffclear Y Clear sample buffer and graph window
data dec Y Decimate samples
data detectclock Y [modulation] Detect clock rate of wave in GraphBuffer (options: 'a','f','n','p' for ask, fsk, nrz, psk respectively)
data fdxbdemod Y Demodulate a FDX-B ISO11784/85 Diphase tag from GraphBuffer
data fskawiddemod Y Demodulate an AWID FSK tag from GraphBuffer
data fskhiddemod Y Demodulate a HID FSK tag from GraphBuffer
data fskiodemod Y Demodulate an IO Prox FSK tag from GraphBuffer
data fskpyramiddemod Y Demodulate a Pyramid FSK tag from GraphBuffer
data fskparadoxdemod Y Demodulate a Paradox FSK tag from GraphBuffer
data getbitstream Y Convert GraphBuffer's >=1 values to 1 and <1 to 0
data grid Y -- overlay grid on graph window, use zero value to turn off either
data hexsamples N [] -- Dump big buffer as hex bytes
data hide Y Hide graph window
data hpf Y Remove DC offset from trace
data load Y -- Load trace (to graph window
data ltrim Y -- Trim samples from left of trace
data rtrim Y -- Trim samples from right of trace
data mtrim Y -- Trim out samples from the specified start to the specified stop
data manrawdecode Y [invert] [maxErr] -- Manchester decode binary stream in DemodBuffer
data norm Y Normalize max/min to +/-128
data plot Y Show graph window (hit 'h' in window for keystroke help)
data printdemodbuffer Y [x] [o ] -- print the data in the DemodBuffer - 'x' for hex output 'o' to shift binary by offset amount
data pskindalademod Y [clock] [invert<0 or 1>] -- Demodulate an indala tag (PSK1) from GraphBuffer (args optional)
data psknexwatchdemod Y Demodulate a NexWatch tag (nexkey, quadrakey) (PSK1) from GraphBuffer
data rawdemod Y [modulation] ... -see help (h option) -- Demodulate the data in the GraphBuffer and output binary
data samples N [512 - 40000] -- Get raw samples for graph window (GraphBuffer)
data save Y -- Save trace (from graph window)
data scale Y -- Set cursor display scale
data setdebugmode Y <0 or 1> -- Turn on or off Debugging Mode for demods
data shiftgraphzero Y -- Shift 0 for Graphed wave + or - shift value
data dirthreshold Y -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.
data tune N Get hw tune samples for graph window
data undec Y Un-decimate samples by 2
data zerocrossings Y Count time between zero-crossings

hf

{ HF commands... }

command offline description
hf help Y This help
hf tune N Continuously measure HF antenna tuning
hf list Y List protocol data in trace buffer
hf search Y Search for known HF tags (identifies 14443a, 14443b, 15693, iClass)

hf 14a

{ ISO14443A RFIDs... }

command offline description
hf 14a help Y This help
hf 14a list N [Deprecated] List ISO 14443a history
hf 14a reader N Act like an ISO14443 Type A reader
hf 14a cuids N Collect n>0 ISO14443 Type A UIDs in one go
hf 14a sim N -- Fake ISO 14443a tag
hf 14a snoop N Eavesdrop ISO 14443 Type A
hf 14a raw N Send raw hex data to tag

hf 14b

{ ISO14443B RFIDs... }

command offline description
hf 14b help Y This help
hf 14b list N depreciated - use hf list 14b
hf 14b info N Identify HF tag (ISO 14443B)
hf 14b reader N Read HF tag (ISO 14443B)
hf 14b sim N Fake ISO 14443B tag
hf 14b snoop N Eavesdrop ISO 14443B
hf 14b sri512read N Read contents of a SRI512 tag
hf 14b srix4kread N Read contents of a SRIX4K tag
hf 14b raw N Send raw hex data to tag
hf 14b sriwrite N Write data to a SRI512 or SRIX4K tag

hf 15

{ ISO15693 RFIDs... }

command offline description
hf 15 help Y This help
hf 15 demod Y Demodulate ISO15693 from tag
hf 15 read N Read HF tag (ISO 15693)
hf 15 record N Record Samples (ISO 15693)
hf 15 reader N Act like an ISO15693 reader
hf 15 sim N Fake an ISO15693 tag
hf 15 cmd N Send direct commands to ISO15693 tag
hf 15 findafi N Brute force AFI of an ISO15693 tag
hf 15 dumpmemory N Read all memory pages of an ISO15693 tag

hf epa

{ German Identification Card... }

command offline description
hf epa help Y This help
hf epa cnonces N Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses

hf legic

{ LEGIC RFIDs... }

command offline description
hf legic help Y This help
hf legic decode N Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)
hf legic reader N [offset [length]] -- read bytes from a LEGIC card
hf legic save N [] -- Store samples
hf legic load N -- Restore samples
hf legic sim N [phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)
hf legic write N -- Write sample buffer (user after load or read)
hf legic fill N -- Fill/Write tag with constant value

hf iclass

{ ICLASS RFIDs... }

command offline description
hf iclass help Y This help
hf iclass calcnewkey Y Calc Diversified keys (blocks 3 & 4) to write new keys
hf iclass clone N Authenticate and Clone from iClass bin file
hf iclass decrypt Y Decrypt tagdump
hf iclass dump N Authenticate and Dump iClass tag
hf iclass eload N Load data into iclass emulator memory
hf iclass encryptblk Y Encrypt given block data
hf iclass list N [Deprecated] List iClass history
hf iclass loclass Y Use loclass to perform bruteforce of reader attack dump
hf iclass managekeys Y Manage the keys to use with iClass
hf iclass readblk N Authenticate and Read iClass block
hf iclass reader N Read an iClass tag
hf iclass readtagfile Y Display Content from tagfile
hf iclass replay N Read an iClass tag via Reply Attack
hf iclass sim N Simulate iClass tag
hf iclass snoop N Eavesdrop iClass communication
hf iclass writeblk N Authenticate and Write iClass block

hf mf

{ MIFARE RFIDs... }

command offline description
hf mf dbg N Set default debug mode
hf mf rdbl N Read MIFARE classic block
hf mf rdsc N Read MIFARE classic sector
hf mf dump N Dump MIFARE classic tag to binary file
hf mf restore N Restore MIFARE classic binary file to BLANK tag
hf mf wrbl N Write MIFARE classic block
hf mf chk N Test block keys
hf mf mifare N Read parity error messages.
hf mf nested N Test nested authentication
hf mf sniff N Sniff card-reader communication
hf mf sim N Simulate MIFARE card
hf mf eclr N Clear simulator memory block
hf mf eget N Get simulator memory block
hf mf eset N Set simulator memory block
hf mf eload N Load from file emul dump
hf mf esave N Save to file emul dump
hf mf ecfill N Fill simulator memory with help of keys from simulator
hf mf ekeyprn N Print keys from simulator memory
hf mf csetuid N Set UID for magic Chinese card
hf mf csetblk N Write block - Magic Chinese card
hf mf cgetblk N Read block - Magic Chinese card
hf mf cgetsc N Read sector - Magic Chinese card
hf mf cload N Load dump into magic Chinese card
hf mf csave N Save dump from magic Chinese card into file or emulator

hf mfu

{ MIFARE Ultralight/NTAG + More RFIDs... }

command offline description
hf mfu help Y This help
hf mfu dbg N Set default debug mode
hf mfu info N Tag information
hf mfu dump N Dump Ultralight / Ultralight-C / NTAG tag to binary file
hf mfu rdbl N Read block
hf mfu wrbl N Write block
hf mfu cauth N Authentication - Ultralight C
hf mfu setpwd Y Set 3des password - Ultralight-C
hf mfu setuid Y Set UID - MAGIC tags only
hf mfu gen Y Generate 3des mifare diversified keys

hw

{ Hardware commands... }

command offline description
hw help Y This help
hw detectreader N ['l' or 'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
hw fpgaoff N Set FPGA off
hw lcd N -- Send command/data to LCD
hw lcdreset N Hardware reset LCD
hw readmem N [address] -- Read memory at decimal address from flash
hw reset N Reset the Proxmark3
hw setlfdivisor N <19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)
hw setmux N -- Set the ADC mux to a specific value
hw tune N Measure antenna tuning
hw version N Show version information about the connected Proxmark

lf

{ LF commands... }

command offline description
lf help Y This help
lf cmdread N <'0' period> <'1' period> ['h'] -- Modulate LF reader field to send command before read (all periods in microseconds) (option 'h' for 134)
lf config N Set config for LF sampling, bit/sample, decimation, frequency
lf flexdemod Y Demodulate samples for FlexPass
lf indalademod Y ['224'] -- Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)
lf indalaclone N ['l']-- Clone Indala to T55x7 (tag must be in antenna)(UID in HEX)(option 'l' for 224 UID
lf read N ['s' silent] Read 125/134 kHz LF ID-only tag. Do 'lf read h' for help
lf search Y [offline 1 or 0] ['u'] Read and Search for valid known tag (in offline mode it you can load first then search) - 'u' to search for unknown tags
lf sim N [GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)
lf simask N [clock] [invert <1 or 0>] [manchester/raw <'m' or 'r'>] [msg separator 's'] [d ] -- Simulate LF ASK tag from demodbuffer or input
lf simfsk N [c ] [i] [H ] [L ] [d ] -- Simulate LF FSK tag from demodbuffer or input
lf simpsk N [1 or 2 or 3] [c ] [i] [r ] [d ] -- Simulate LF PSK tag from demodbuffer or input
lf simbidir N Simulate LF tag (with bidirectional data transmission between reader and tag)
lf snoop N Snoop LF (use lf config to set parameters) (needs a demod and/or plot after)
lf vchdemod Y ['clone'] -- Demodulate samples for VeriChip (decimate first)

lf awid

{ AWID RFIDs... }

command offline description
lf awid help Y This help
lf awid demod Y Demodulate an AWID FSK tag from the GraphBuffer
lf awid read N ['1'] Realtime AWID FSK read from the antenna (option '1' for one tag only)
lf awid sim N -- AWID tag simulator
lf awid clone N -- Clone AWID to T55x7 (tag must be in range of antenna)

lf cotag

{ COTAG CHIPs... }

command offline description
lf cotag help Y This help
lf cotag demod Y Tries to decode a COTAG signal
lf cotag read N Attempt to read and extract tag data

lf em

{ EM4X CHIPs & RFIDs... }

command offline description
lf em help Y This help
lf em 410xread N [clock rate] -- Extract ID from EM410x tag in GraphBuffer
lf em 410xdemod Y [findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)
lf em 410xsim N -- Simulate EM410x tag
lf em 410xwatch N ['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)
lf em 410xspoof N ['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)
lf em 410xwrite N <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate
lf em 4x05dump N -- Read all EM4x05/EM4x69 words
lf em 4x05info N -- Read and output EM4x05/EM4x69 chip info
lf em 4x05readword N -- Read EM4x05/EM4x69 word data
lf em 4x05writeword N -- Write EM4x05/EM4x69 word data
lf em 4x50read Y Extract data from EM4x50 tag

lf fdx

{ FDX-B RFIDs... }

command offline description
lf fdx help Y This help
lf fdx demod Y Attempt to extract FDX-B ISO11784/85 data from the GraphBuffer
lf fdx read N Attempt to read and extract FDX-B ISO11784/85 data
lf fdx sim N Animal ID tag simulator
lf fdx clone N Clone animal ID tag to T55x7 (or to q5/T5555)

lf gproxii

{ G Prox II RFIDs... }

command offline description
lf gproxii help Y This help
lf gproxii demod Y Demodulate a G Prox II tag from the GraphBuffer
lf gproxii read N Attempt to read and Extract tag data from the antenna

lf hid

{ HID RFIDs... }

command offline description
lf hid help Y This help
lf hid demod Y Demodulate HID Prox from GraphBuffer
lf hid read N ['1'] Realtime HID FSK demodulator (option '1' for one tag only)
lf hid sim N -- HID tag simulator
lf hid clone N ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)

lf hitag

{ Hitag tags and transponders... }

command offline description
lf hitag help Y This help
lf hitag list N List Hitag trace history
lf hitag reader N Act like a Hitag Reader
lf hitag sim N Simulate Hitag transponder
lf hitag snoop N Eavesdrop Hitag communication
lf hitag writer N Act like a Hitag Writer
lf hitag simS N <hitagS.hts> Simulate HitagS transponder
lf hitag checkCallenges Y <challenges.cc> test all challenges

lf io

{ ioProx RFIDs... }

command offline description
lf io help Y This help
lf io demod Y Demodulate IO Prox tag from the GraphBuffer
lf io read N ['1'] Realtime IO FSK demodulator (option '1' for one tag only)
lf io clone N Clone ioProx Tag

lf indala

{ INDALA RFIDs... }

command offline description
lf indala help Y This help
lf indala demod Y [clock] [invert<0
lf indala read N Read an Indala Prox tag from the antenna
lf indala clone N ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)
lf indala altdemod T ['224'] -- Alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)

lf jablotron

{ JABLOTRON RFIDs... }

command offline description
lf jablotron help Y This help
lf jablotron demod Y Attempt to read and extract tag data from the GraphBuffer
lf jablotron read N Attempt to read and extract tag data from the antenna
lf jablotron clone N clone jablotron tag
lf jablotron sim N simulate jablotron tag

lf nexwatch

{ NexWatch RFIDs... }

command offline description
lf nexwatch help Y This help
lf nexwatch demod Y Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer
lf nexwatch read N Attempt to read and extract tag data from the antenna

lf noralsy

{ Noralsy RFIDs... }

command offline description
lf noralsy help Y This help
lf noralsy demod Y Attempt to read and extract tag data from the GraphBuffer
lf noralsy read N Attempt to read and extract tag data from the antenna
lf noralsy clone N clone Noralsy tag
lf noralsy sim N simulate Noralsy tag

lf paradox

{ Paradox RFIDs... }

command offline description
lf paradox help Y This help
lf paradox demod Y Attempt to read and extract tag data from the GraphBuffer
lf paradox read N Attempt to read and extract tag data from the antenna

lf pcf7931

{PCF7931 CHIPs...}

command offline description
lf pcf7931 help Y This help
lf pcf7931 read N Read content of a PCF7931 transponder
lf pcf7931 write N Write data on a PCF7931 transponder.
lf pcf7931 config N Configure the password, the tags initialization delay and time offsets (optional)

lf presco

{ Presco RFIDs... }

command offline description
lf presco help Y This help
lf presco read N Attempt to read and extract tag data from the antenna
lf presco clone Y d <9 digit ID> or h [Q5] clone presco tag
lf presco sim Y d <9 digit ID> or h simulate presco tag

lf pyramid

{ Pyramid RFIDs... }

command offline description
lf pyramid help Y This help
lf pyramid demod Y Attempt to read and extract tag data from the GraphBuffer
lf pyramid read N Attempt to read and extract tag data from the antenna
lf pyramid clone N clone pyramid tag
lf pyramid sim N simulate pyramid tag

lf securakey

{ Securakey RFIDs... }

command offline description
lf securakey help Y This help
lf securakey demod Y Attempt to read and extract tag data from the GraphBuffer
lf securakey read N Attempt to read and extract tag data from the antenna

lf t55xx

{ T55xx RFIDs... }

command offline description
lf t55xx help Y This help
lf t55xx bruteforce Y [i <*.dic>] Simple bruteforce attack to find password
lf t55xx config Y Set/Get T55XX configuration (modulation, inverted, offset, rate)
lf t55xx detect N [1] Try detecting the tag modulation from reading the configuration block.
lf t55xx p1detect N [1] Try detecting if this is a t55xx tag by reading page 1
lf t55xx read N [password] -- Read T55xx block data (page 0) [optional password]
lf t55xx resetread N Send Reset chip Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)
lf t55xx write N b d p [password] [t] [1] -- Write T55xx block data ([1] for page 1)
lf t55xx trace N [1] Show T55xx traceability data (page 1/ blk 0-1)
lf t55xx info N [1] Show T55xx configuration data (page 0/ blk 0)
lf t55xx dump N [password] Dump T55xx card block 0-7. [optional password]
lf t55xx special N Show block changes with 64 different offsets
lf t55xx wakeup N Send AOR wakeup command
lf t55xx wipe N [q] Wipe a T55xx tag and set defaults (will destroy any data on tag)

lf ti

{ TI RFIDs... }

command offline description
lf ti help Y This help
lf ti demod Y Demodulate raw bits for TI-type LF tag
lf ti read N Read and decode a TI 134 kHz tag
lf ti write N Write new data to a r/w TI 134 kHz tag

lf viking

{ Pyramid RFIDs... }

command offline description
lf viking help Y This help
lf viking demod Y Attempt to read and extract tag data from the GraphBuffer
lf viking read N Attempt to read and extract tag data from the antenna
lf viking clone N <8 digit ID number> clone viking tag
lf viking sim N <8 digit ID number> simulate viking tag

lf visa2000

{ Visa2000 RFIDs... }

command offline description
lf visa2000 help Y This help
lf visa2000 demod Y Attempt to read and extract tag data from the GraphBuffer
lf visa2000 read N Attempt to read and extract tag data from the antenna
lf visa2000 clone N clone Visa2000 tag
lf visa2000 sim N simulate Visa2000 tag

script

{ Scripting commands }

command offline description
script help Y This help
script list Y List available scripts
script run Y -- Execute a script
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.