25 commands
marcohald edited this page 2021-03-23 09:11:31 +01:00

Proxmark3 command dump

When in doubt of how to use a command try the command with an h after it to see if it has a help.

Some commands are available only if a Proxmark is actually connected. Check column "offline" for their availability.

command offline description
help Y This help. Use ' help' for details of a particular command.
quit Y Exit program
exit Y Exit program

data

{ Plot window / data buffer manipulation... }

command offline description
data help Y This help
data askedgedetect Y [threshold] Adjust Graph for manual ask demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)
data askem410xdemod Y [clock] [invert<0 or 1>] [maxErr] -- Demodulate an EM410x tag from GraphBuffer (args optional)
data askgproxiidemod Y Demodulate a G Prox II tag from GraphBuffer
data autocorr Y [window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)
data biphaserawdecode Y [offset] [invert<0 or 1>] [maxErr] -- Biphase decode bin stream in DemodBuffer (offset = 0 or 1 bits to shift the decode start) (when inverted it is Diphase decode)
data bitsamples N Get raw samples as bitstring
data buffclear Y Clear sample buffer and graph window
data dec Y Decimate samples
data detectclock Y [modulation] Detect clock rate of wave in GraphBuffer (options: 'a','f','n','p' for ask, fsk, nrz, psk respectively)
data fdxbdemod Y Demodulate a FDX-B ISO11784/85 Diphase tag from GraphBuffer
data fskawiddemod Y Demodulate an AWID FSK tag from GraphBuffer
data fskhiddemod Y Demodulate a HID FSK tag from GraphBuffer
data fskiodemod Y Demodulate an IO Prox FSK tag from GraphBuffer
data fskpyramiddemod Y Demodulate a Pyramid FSK tag from GraphBuffer
data fskparadoxdemod Y Demodulate a Paradox FSK tag from GraphBuffer
data getbitstream Y Convert GraphBuffer's >=1 values to 1 and <1 to 0
data grid Y -- overlay grid on graph window, use zero value to turn off either
data hexsamples N [] -- Dump big buffer as hex bytes
data hide Y Hide graph window
data hpf Y Remove DC offset from trace
data load Y -- Load trace (to graph window
data ltrim Y -- Trim samples from left of trace
data rtrim Y -- Trim samples from right of trace
data mtrim Y -- Trim out samples from the specified start to the specified stop
data manrawdecode Y [invert] [maxErr] -- Manchester decode binary stream in DemodBuffer
data norm Y Normalize max/min to +/-128
data plot Y Show graph window (hit 'h' in window for keystroke help)
data printdemodbuffer Y [x] [o ] -- print the data in the DemodBuffer - 'x' for hex output 'o' to shift binary by offset amount
data pskindalademod Y [clock] [invert<0 or 1>] -- Demodulate an indala tag (PSK1) from GraphBuffer (args optional)
data psknexwatchdemod Y Demodulate a NexWatch tag (nexkey, quadrakey) (PSK1) from GraphBuffer
data rawdemod Y [modulation] ... -see help (h option) -- Demodulate the data in the GraphBuffer and output binary
data samples N [512 - 40000] -- Get raw samples for graph window (GraphBuffer)
data save Y -- Save trace (from graph window)
data scale Y -- Set cursor display scale
data setdebugmode Y <0 or 1> -- Turn on or off Debugging Mode for demods
data shiftgraphzero Y -- Shift 0 for Graphed wave + or - shift value
data dirthreshold Y -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.
data tune N Get hw tune samples for graph window
data undec Y Un-decimate samples by 2
data zerocrossings Y Count time between zero-crossings

hf

{ HF commands... }

command offline description
hf help Y This help
hf tune N Continuously measure HF antenna tuning
hf list Y List protocol data in trace buffer
hf search Y Search for known HF tags (identifies 14443a, 14443b, 15693, iClass)

hf 14a

{ ISO14443A RFIDs... }

command offline description
hf 14a help Y This help
hf 14a list N [Deprecated] List ISO 14443a history
hf 14a reader N Act like an ISO14443 Type A reader
hf 14a cuids N Collect n>0 ISO14443 Type A UIDs in one go
hf 14a sim N -- Fake ISO 14443a tag
hf 14a snoop N Eavesdrop ISO 14443 Type A
hf 14a raw N Send raw hex data to tag

hf 14b

{ ISO14443B RFIDs... }

command offline description
hf 14b help Y This help
hf 14b list N depreciated - use hf list 14b
hf 14b info N Identify HF tag (ISO 14443B)
hf 14b reader N Read HF tag (ISO 14443B)
hf 14b sim N Fake ISO 14443B tag
hf 14b snoop N Eavesdrop ISO 14443B
hf 14b sri512read N Read contents of a SRI512 tag
hf 14b srix4kread N Read contents of a SRIX4K tag
hf 14b raw N Send raw hex data to tag
hf 14b sriwrite N Write data to a SRI512 or SRIX4K tag

hf 15

{ ISO15693 RFIDs... }

command offline description
hf 15 help Y This help
hf 15 demod Y Demodulate ISO15693 from tag
hf 15 read N Read HF tag (ISO 15693)
hf 15 record N Record Samples (ISO 15693)
hf 15 reader N Act like an ISO15693 reader
hf 15 sim N Fake an ISO15693 tag
hf 15 cmd N Send direct commands to ISO15693 tag
hf 15 findafi N Brute force AFI of an ISO15693 tag
hf 15 dumpmemory N Read all memory pages of an ISO15693 tag

hf epa

{ German Identification Card... }

command offline description
hf epa help Y This help
hf epa cnonces N Acquire n>0 encrypted PACE nonces of size m>0 with d sec pauses

hf legic

{ LEGIC RFIDs... }

command offline description
hf legic help Y This help
hf legic decode N Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)
hf legic reader N [offset [length]] -- read bytes from a LEGIC card
hf legic save N [] -- Store samples
hf legic load N -- Restore samples
hf legic sim N [phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)
hf legic write N -- Write sample buffer (user after load or read)
hf legic fill N -- Fill/Write tag with constant value

hf iclass

{ ICLASS RFIDs... }

command offline description
hf iclass help Y This help
hf iclass calcnewkey Y Calc Diversified keys (blocks 3 & 4) to write new keys
hf iclass clone N Authenticate and Clone from iClass bin file
hf iclass decrypt Y Decrypt tagdump
hf iclass dump N Authenticate and Dump iClass tag
hf iclass eload N Load data into iclass emulator memory
hf iclass encryptblk Y Encrypt given block data
hf iclass list N [Deprecated] List iClass history
hf iclass loclass Y Use loclass to perform bruteforce of reader attack dump
hf iclass managekeys Y Manage the keys to use with iClass
hf iclass readblk N Authenticate and Read iClass block
hf iclass reader N Read an iClass tag
hf iclass readtagfile Y Display Content from tagfile
hf iclass replay N Read an iClass tag via Reply Attack
hf iclass sim N Simulate iClass tag
hf iclass snoop N Eavesdrop iClass communication
hf iclass writeblk N Authenticate and Write iClass block

hf mf

{ MIFARE RFIDs... }

command offline description
hf mf dbg N Set default debug mode
hf mf rdbl N Read MIFARE classic block
hf mf rdsc N Read MIFARE classic sector
hf mf dump N Dump MIFARE classic tag to binary file
hf mf restore N Restore MIFARE classic binary file to BLANK tag
hf mf wrbl N Write MIFARE classic block
hf mf chk N Test block keys
hf mf mifare N Read parity error messages.
hf mf nested N Test nested authentication
hf mf sniff N Sniff card-reader communication
hf mf sim N Simulate MIFARE card
hf mf eclr N Clear simulator memory block
hf mf eget N Get simulator memory block
hf mf eset N Set simulator memory block
hf mf eload N Load from file emul dump
hf mf esave N Save to file emul dump
hf mf ecfill N Fill simulator memory with help of keys from simulator
hf mf ekeyprn N Print keys from simulator memory
hf mf csetuid N Set UID for magic Chinese card
hf mf csetblk N Write block - Magic Chinese card
hf mf cgetblk N Read block - Magic Chinese card
hf mf cgetsc N Read sector - Magic Chinese card
hf mf cload N Load dump into magic Chinese card
hf mf csave N Save dump from magic Chinese card into file or emulator

hf mfu

{ MIFARE Ultralight/NTAG + More RFIDs... }

command offline description
hf mfu help Y This help
hf mfu dbg N Set default debug mode
hf mfu info N Tag information
hf mfu dump N Dump Ultralight / Ultralight-C / NTAG tag to binary file
hf mfu rdbl N Read block
hf mfu wrbl N Write block
hf mfu cauth N Authentication - Ultralight C
hf mfu setpwd Y Set 3des password - Ultralight-C
hf mfu setuid Y Set UID - MAGIC tags only
hf mfu gen Y Generate 3des mifare diversified keys

hw

{ Hardware commands... }

command offline description
hw help Y This help
hw detectreader N ['l' or 'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
hw fpgaoff N Set FPGA off
hw lcd N -- Send command/data to LCD
hw lcdreset N Hardware reset LCD
hw readmem N [address] -- Read memory at decimal address from flash
hw reset N Reset the Proxmark3
hw setlfdivisor N <19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)
hw setmux N -- Set the ADC mux to a specific value
hw tune N Measure antenna tuning
hw version N Show version information about the connected Proxmark

lf

{ LF commands... }

command offline description
lf help Y This help
lf cmdread N <'0' period> <'1' period> ['h'] -- Modulate LF reader field to send command before read (all periods in microseconds) (option 'h' for 134)
lf config N Set config for LF sampling, bit/sample, decimation, frequency
lf flexdemod Y Demodulate samples for FlexPass
lf indalademod Y ['224'] -- Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)
lf indalaclone N ['l']-- Clone Indala to T55x7 (tag must be in antenna)(UID in HEX)(option 'l' for 224 UID
lf read N ['s' silent] Read 125/134 kHz LF ID-only tag. Do 'lf read h' for help
lf search Y [offline 1 or 0] ['u'] Read and Search for valid known tag (in offline mode it you can load first then search) - 'u' to search for unknown tags
lf sim N [GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)
lf simask N [clock] [invert <1 or 0>] [manchester/raw <'m' or 'r'>] [msg separator 's'] [d ] -- Simulate LF ASK tag from demodbuffer or input
lf simfsk N [c ] [i] [H ] [L ] [d ] -- Simulate LF FSK tag from demodbuffer or input
lf simpsk N [1 or 2 or 3] [c ] [i] [r ] [d ] -- Simulate LF PSK tag from demodbuffer or input
lf simbidir N Simulate LF tag (with bidirectional data transmission between reader and tag)
lf snoop N Snoop LF (use lf config to set parameters) (needs a demod and/or plot after)
lf vchdemod Y ['clone'] -- Demodulate samples for VeriChip (decimate first)

lf awid

{ AWID RFIDs... }

command offline description
lf awid help Y This help
lf awid demod Y Demodulate an AWID FSK tag from the GraphBuffer
lf awid read N ['1'] Realtime AWID FSK read from the antenna (option '1' for one tag only)
lf awid sim N -- AWID tag simulator
lf awid clone N -- Clone AWID to T55x7 (tag must be in range of antenna)

lf cotag

{ COTAG CHIPs... }

command offline description
lf cotag help Y This help
lf cotag demod Y Tries to decode a COTAG signal
lf cotag read N Attempt to read and extract tag data

lf em

{ EM4X CHIPs & RFIDs... }

command offline description
lf em help Y This help
lf em 410xread N [clock rate] -- Extract ID from EM410x tag in GraphBuffer
lf em 410xdemod Y [findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)
lf em 410xsim N -- Simulate EM410x tag
lf em 410xwatch N ['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)
lf em 410xspoof N ['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)
lf em 410xwrite N <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate
lf em 4x05dump N -- Read all EM4x05/EM4x69 words
lf em 4x05info N -- Read and output EM4x05/EM4x69 chip info
lf em 4x05readword N -- Read EM4x05/EM4x69 word data
lf em 4x05writeword N -- Write EM4x05/EM4x69 word data
lf em 4x50read Y Extract data from EM4x50 tag

lf fdx

{ FDX-B RFIDs... }

command offline description
lf fdx help Y This help
lf fdx demod Y Attempt to extract FDX-B ISO11784/85 data from the GraphBuffer
lf fdx read N Attempt to read and extract FDX-B ISO11784/85 data
lf fdx sim N Animal ID tag simulator
lf fdx clone N Clone animal ID tag to T55x7 (or to q5/T5555)

lf gproxii

{ G Prox II RFIDs... }

command offline description
lf gproxii help Y This help
lf gproxii demod Y Demodulate a G Prox II tag from the GraphBuffer
lf gproxii read N Attempt to read and Extract tag data from the antenna

lf hid

{ HID RFIDs... }

command offline description
lf hid help Y This help
lf hid demod Y Demodulate HID Prox from GraphBuffer
lf hid read N ['1'] Realtime HID FSK demodulator (option '1' for one tag only)
lf hid sim N -- HID tag simulator
lf hid clone N ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)

lf hitag

{ Hitag tags and transponders... }

command offline description
lf hitag help Y This help
lf hitag list N List Hitag trace history
lf hitag reader N Act like a Hitag Reader
lf hitag sim N Simulate Hitag transponder
lf hitag snoop N Eavesdrop Hitag communication
lf hitag writer N Act like a Hitag Writer
lf hitag simS N <hitagS.hts> Simulate HitagS transponder
lf hitag checkChallenges Y <challenges.cc> test all challenges

lf io

{ ioProx RFIDs... }

command offline description
lf io help Y This help
lf io demod Y Demodulate IO Prox tag from the GraphBuffer
lf io read N ['1'] Realtime IO FSK demodulator (option '1' for one tag only)
lf io clone N Clone ioProx Tag

lf indala

{ INDALA RFIDs... }

command offline description
lf indala help Y This help
lf indala demod Y [clock] [invert<0
lf indala read N Read an Indala Prox tag from the antenna
lf indala clone N ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)
lf indala altdemod T ['224'] -- Alternative method to Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)

lf jablotron

{ JABLOTRON RFIDs... }

command offline description
lf jablotron help Y This help
lf jablotron demod Y Attempt to read and extract tag data from the GraphBuffer
lf jablotron read N Attempt to read and extract tag data from the antenna
lf jablotron clone N clone jablotron tag
lf jablotron sim N simulate jablotron tag

lf nexwatch

{ NexWatch RFIDs... }

command offline description
lf nexwatch help Y This help
lf nexwatch demod Y Demodulate a NexWatch tag (nexkey, quadrakey) from the GraphBuffer
lf nexwatch read N Attempt to read and extract tag data from the antenna

lf noralsy

{ Noralsy RFIDs... }

command offline description
lf noralsy help Y This help
lf noralsy demod Y Attempt to read and extract tag data from the GraphBuffer
lf noralsy read N Attempt to read and extract tag data from the antenna
lf noralsy clone N clone Noralsy tag
lf noralsy sim N simulate Noralsy tag

lf paradox

{ Paradox RFIDs... }

command offline description
lf paradox help Y This help
lf paradox demod Y Attempt to read and extract tag data from the GraphBuffer
lf paradox read N Attempt to read and extract tag data from the antenna
lf paradox clone N -- Clone Paradox to T55x7 (tag must be in antenna)

lf pcf7931

{PCF7931 CHIPs...}

command offline description
lf pcf7931 help Y This help
lf pcf7931 read N Read content of a PCF7931 transponder
lf pcf7931 write N Write data on a PCF7931 transponder.
lf pcf7931 config N Configure the password, the tags initialization delay and time offsets (optional)

lf presco

{ Presco RFIDs... }

command offline description
lf presco help Y This help
lf presco read N Attempt to read and extract tag data from the antenna
lf presco clone Y d <9 digit ID> or h [Q5] clone presco tag
lf presco sim Y d <9 digit ID> or h simulate presco tag

lf pyramid

{ Pyramid RFIDs... }

command offline description
lf pyramid help Y This help
lf pyramid demod Y Attempt to read and extract tag data from the GraphBuffer
lf pyramid read N Attempt to read and extract tag data from the antenna
lf pyramid clone N clone pyramid tag
lf pyramid sim N simulate pyramid tag

lf securakey

{ Securakey RFIDs... }

command offline description
lf securakey help Y This help
lf securakey demod Y Attempt to read and extract tag data from the GraphBuffer
lf securakey read N Attempt to read and extract tag data from the antenna

lf t55xx

{ T55xx RFIDs... }

command offline description
lf t55xx help Y This help
lf t55xx bruteforce Y [i <*.dic>] Simple bruteforce attack to find password
lf t55xx config Y Set/Get T55XX configuration (modulation, inverted, offset, rate)
lf t55xx detect N [1] Try detecting the tag modulation from reading the configuration block.
lf t55xx p1detect N [1] Try detecting if this is a t55xx tag by reading page 1
lf t55xx read N [password] -- Read T55xx block data (page 0) [optional password]
lf t55xx resetread N Send Reset chip Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)
lf t55xx write N b d p [password] [t] [1] -- Write T55xx block data ([1] for page 1)
lf t55xx trace N [1] Show T55xx traceability data (page 1/ blk 0-1)
lf t55xx info N [1] Show T55xx configuration data (page 0/ blk 0)
lf t55xx dump N [password] Dump T55xx card block 0-7. [optional password]
lf t55xx special N Show block changes with 64 different offsets
lf t55xx wakeup N Send AOR wakeup command
lf t55xx wipe N [q] Wipe a T55xx tag and set defaults (will destroy any data on tag)

lf ti

{ TI RFIDs... }

command offline description
lf ti help Y This help
lf ti demod Y Demodulate raw bits for TI-type LF tag
lf ti read N Read and decode a TI 134 kHz tag
lf ti write N Write new data to a r/w TI 134 kHz tag

lf viking

{ Pyramid RFIDs... }

command offline description
lf viking help Y This help
lf viking demod Y Attempt to read and extract tag data from the GraphBuffer
lf viking read N Attempt to read and extract tag data from the antenna
lf viking clone N <8 digit ID number> clone viking tag
lf viking sim N <8 digit ID number> simulate viking tag

lf visa2000

{ Visa2000 RFIDs... }

command offline description
lf visa2000 help Y This help
lf visa2000 demod Y Attempt to read and extract tag data from the GraphBuffer
lf visa2000 read N Attempt to read and extract tag data from the antenna
lf visa2000 clone N clone Visa2000 tag
lf visa2000 sim N simulate Visa2000 tag

script

{ Scripting commands }

command offline description
script help Y This help
script list Y List available scripts
script run Y -- Execute a script