Created
November 21, 2019 10:54
-
-
Save einyx/f79ffe5bd9c3abf50af66cfd73ee0c92 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Iceman fork is the most enhanced fork to this day for the Proxmark 3 device. Iceman has done a great job developing and maintaining the repository, please consider donating if you find his fork useful. | |
13.56MHz | |
iClass | |
Mifare | |
125 kHz | |
Indala | |
HID/ProxCard | |
Setup | |
Install | |
# install prerequisites | |
sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi | |
# check out the latest revision of the official project: | |
git clone https://github.com/Proxmark/proxmark3.git | |
# Change directory to the recently cloned Proxmark3 repository | |
cd proxmark3 | |
# compile the bootrom, OS and software. | |
make clean && make all | |
Flash | |
Flash the BOOTROM | |
./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf | |
Flash the FULLIMAGE | |
./client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf | |
Run | |
./client/proxmark3 /dev/ttyACM0 | |
Commands | |
Generic | |
High Frequency search | |
hf search | |
Low Frequency search | |
lf search | |
Measure antenna characteristics, LF/HF voltage should be around 20-45+ V | |
hw tune | |
Check version | |
hw version | |
iClass | |
iClass Master Key can be found from the following twitter post. | |
[Iceman] Reverse permute master key | |
# r reverse permuted key | |
Example: | |
hf iclass permute r 3F90EBF0910F7B6F | |
iClass reader | |
hf iclass reader | |
Dump iClass card | |
# k <Key> : *Access Key as 16 hex symbols or 1 hex to select key from memory | |
Example: | |
hf iclass dump k AFA785A7DAB33378 | |
Read iClass block | |
# b <Block> : The block number as 2 hex symbols | |
# k <Key> : Access Key as 16 hex symbols or 1 hex to select key from memory | |
hf iclass readblk b 7 k AFA785A7DAB33378 | |
Write iClass block | |
# b <Block> : The block number as 2 hex symbols | |
# d <data> : Set the Data to write as 16 hex symbols | |
# k <Key> : Access Key as 16 hex symbols or 1 hex to select key from memory | |
hf iclass writeblk b 07 d 6ce099fe7e614fd0 k AFA785A7DAB33378 | |
Print keystore | |
# p : print keys loaded into memory | |
hf iclass managekeys p | |
Add key to keystore [0-7] | |
# n <keynbr> : specify the keyNbr to set in memory | |
# k <key> : set a key in memory | |
hf iclass managekeys n 0 k AFA785A7DAB33378 | |
Create iclass_decryptionkey.bin | |
echo <auth_key> > key_dump | |
xxd -r -p key_dump > iclass_decryptionkey.bin | |
Encrypt Block | |
hf iclass encryptblk 0000000f2aa3dba8 | |
Load iClass tag dump into memory | |
# f <filename> : load iclass tag-dump filename | |
hf iclass eload f iclass_tagdump-db883702f8ff12e0.bin | |
iClass Simulate [0-3] | |
# 0 <CSN> simulate the given CSN | |
# 1 simulate default CSN | |
# 2 Reader-attack, gather reader responses to extract elite key | |
# 3 Full simulation using emulator memory (see 'hf iclass eload') | |
hf iclass sim 3 | |
Simulate iClass card Sequence | |
hf iclass managekeys n 0 k AFA785A7DAB33378 | |
hf iclass dump k 0 | |
hf iclass eload f iclass_tagdump-db883702f8ff12e0.bin | |
hf iclass sim 3 | |
Mifare | |
Check for default keys | |
# <block number>|<*card memory> <key type (A/B/?)> [t|d|s|ss] [<key (12 hex symbols)>] [<dic (*.dic)>] | |
# * - all sectors | |
# card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K | |
# d - write keys to binary file | |
hf mf chk *1 ? d default_keys.dic | |
Dump Mifare card | |
# [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K | |
hf mf dump 1 | |
Convert .bin to .eml | |
script run dumptoemul -i dumpdata.bin | |
Read Mifare block | |
# b <no> : block to read | |
# k <key> : (optional) key for authentication | |
hf mf rdbl b 3 k FFFFFFFF | |
Write Mifare block | |
# <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)> | |
hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016 | |
Hardnested attack | |
# <block number> <key A|B> <key (12 hex symbols)> | |
# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s] | |
# w: Acquire nonces and write them to binary file nonces.bin | |
hf mf hardnested 0 A 8829da9daf76 4 A w | |
Load Mifare tag dump into memory | |
hf mf eload 353C2AA6 | |
Mifare Simulate [0-3] | |
# u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used | |
hf mf sim u 353c2aa6 | |
Simulate Mifare card Sequence | |
hf mf chk *1 ? d default_keys.dic | |
hf mf dump 1 | |
script run dumptoemul -i dumpdata.bin | |
hf mf eload 353C2AA6 | |
hf mf sim u 353c2aa6 | |
Indala | |
Read Indala card | |
lf indala read | |
Demodulate Indala card | |
lf indala demod | |
[Iceman] Simulate Indala card | |
# <uid> : 64/224 UID | |
lf indala sim a0000000c2c436c1 | |
Clone to T55x7 card | |
# <uid> : 64/224 UID | |
lf indala clone a0000000c2c436c1 | |
HID/ProxCard | |
Read ProxCard card | |
lf hid read | |
Demodulate ProxCard card | |
lf hid demod | |
[Iceman] Convert Facility code & Card number to Wiegand | |
# [OEM] [FC] [CN] | |
# OEM - OEM number / site code | |
# FC - facility code | |
# CN - card number | |
lf hid wiegand 0 56 150 | |
Simulate card | |
# <ID> | |
lf hid sim 200670012d | |
Clone to T55x7 card | |
# <ID> | |
lf hid clone 200670012d | |
T55xx | |
Detect card | |
lf t55xx detect | |
Set demodulation | |
# d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A | |
# EM is ASK | |
# HID Prox is FSK | |
# Indala is PSK | |
lf t55xx config FSK | |
Write T55xx block | |
# b <block> - block number to write. Between 0-7 | |
# d <data> - 4 bytes of data to write (8 hex characters) | |
lf t55xx wr b 0 d 00081040 | |
Wipe a T55xx tag and set defaults | |
lf t55xx wipe | |
Data | |
Get raw samples [512-40000] | |
data samples <size> | |
Save to file | |
data save <filename> | |
Load from file | |
data load <filename> | |
Lua Scripts | |
List Lua Scripts | |
script list | |
Convert .bin to .eml | |
# i <file> Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used | |
script run dumptoemul -i xxxxxxxxxxxxxx.bin | |
Format Mifare card | |
# k <key> - the current six byte key with write access | |
# n <key> - the new key that will be written to the card | |
# a <access> - the new access bytes that will be written to the card | |
# x - execute the commands aswell. | |
script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment