CLONING - Proxmark How To 🤓

PROXMARK3 RDV4

The Proxmark is a powerful :nerd_face: but not particularly user-friendly :beginner: device.
This Wiki has been put together to provide an easy to read and understand HOW TO.
The commands have been thinned out to the more relevant.

image

Proxmark3 RDV4

FIRMWARE UPGRADE

FIRMWARE UPGRADE * Ensure your proxmark is flashed to the latest Firmware

GENERIC HARDWARE COMMANDS

hw

When in doubt of how to use a command, try the command with an h after it to see if it has a help. :question:

Some commands are available only if a Proxmark is actually connected. Check column “offline” for their availability.

command offline description
hw tune Y Tunes the antenna and should be performed every time the Proxmark is flashed
hw help Y This help
hw reset N Reset the Proxmark3
hw version N Show version information about the connected Proxmark
help Y This help. Use ’ help’ for details of a particular command.
quit Y Exit program
exit Y Exit program

LOW FREQUENCY

lf

.

Dangerous Things lf Antenna

Dangerous things Low-Frequency Antenna
image
Designed exclusively for use with the proxmark3 rdv4, this 125kHz “LF” antenna is so powerful, it can talk to our 125kHz implants like the xEM and NExT from 2cm away! It’s even so powerful it can even talk to the xEM while it is still inside the injection assembly needle! GET IT!

.

lf generic commands
command offline description
lf help Y This help
lf config N Set config for LF sampling, bit/sample, decimation, frequency
lf read N [‘s’ silent] Read 125/134 kHz LF ID-only tag. Do ‘lf read h’ for help
lf search Y [offline 1 or 0] [‘u’] Read and Search for valid known tag (in offline mode it you can load first then search) - ‘u’ to search for unknown tags

.

t55XX ( xEM, NExT )
command offline description
lf t55xx help Y This help
lf t55xx bruteforce Y [i <*.dic>] Simple bruteforce attack to find password
lf t55xx config Y Set/Get T55XX configuration (modulation, inverted, offset, rate)
lf t55xx detect N [1] Try detecting the tag modulation from reading the configuration block.
lf t55xx p1detect N [1] Try detecting if this is a t55xx tag by reading page 1
lf t55xx read N [password] – Read T55xx block data (page 0) [optional password]
lf t55xx write N b d p [password] [t] [1] – Write T55xx block data ([1] for page 1)
lf t55xx trace N [1] Show T55xx traceability data (page 1/ blk 0-1)
lf t55xx info N [1] Show T55xx configuration data (page 0/ blk 0)
lf t55xx dump N [password] Dump T55xx card block 0-7. [optional password]
lf t55xx wipe N [q] Wipe a T55xx tag and set defaults (will destroy any data on tag)

.

EM4X ( xEM, NExT )
command offline description
lf em help Y This help
lf em 410xread N [clock rate] – Extract ID from EM410x tag in GraphBuffer
lf em 410xdemod Y [findone] – Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)
lf em 410xsim N – Simulate EM410x tag
lf em 410xwatch N [‘h’] – Watches for EM410x 125/134 kHz tags (option ‘h’ for 134)
lf em 410xspoof N [‘h’] — Watches for EM410x 125/134 kHz tags, and replays them. (option ‘h’ for 134)
lf em 410xwrite N <‘0’ T5555> <‘1’ T55x7> [clock rate] – Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate
lf em 4x05dump N – Read all EM4x05/EM4x69 words
lf em 4x05info N – Read and output EM4x05/EM4x69 chip info
lf em 4x50read Y Extract data from EM4x50 tag

.

HITAG (xHT)
command offline description
lf hitag help Y This help
lf hitag list N List Hitag trace history
lf hitag reader N Act like a Hitag Reader
lf hitag sim N Simulate Hitag transponder
lf hitag snoop N Eavesdrop Hitag communication
lf hitag writer N Act like a Hitag Writer
lf hitag simS N <hitagS.hts> Simulate HitagS transponder
lf hitag checkCallenges Y <challenges.cc> test all challenges

.

HID
command offline description
lf hid help Y This help
lf hid demod Y Demodulate HID Prox from GraphBuffer
lf hid read N [‘1’] Realtime HID FSK demodulator (option ‘1’ for one tag only)
lf hid sim N – HID tag simulator
lf hid clone N [‘l’] – Clone HID to T55x7 (tag must be in antenna)(option ‘l’ for 84bit ID)

.

INDALA
command offline description
lf indala help Y This help
lf indala demod Y [clock] [invert<0
lf indala read N Read an Indala Prox tag from the antenna
lf indala clone N [‘l’] – Clone HID to T55x7 (tag must be in antenna)(option ‘l’ for 84bit ID)
lf indala altdemod T [‘224’] – Alternative method to Demodulate samples for Indala 64 bit UID (option ‘224’ for 224 bit)

HIGH FREQUENCY

hf

.

hf Generic commands...
command offline description
hf help Y This help
hf tune N Continuously measure HF antenna tuning
hf list Y List protocol data in trace buffer
hf search Y Search for known HF tags (identifies 14443a, 14443b, 15693, iClass)

.

NTAG 203, 213, 215, 216

NTAG 203, 213, 215, 216

command offline description
hf mfu help Y This help
hf mfu dbg N Set default debug mode
hf mfu info N Tag information
hf mfu dump N Dump Ultralight / Ultralight-C / NTAG tag to binary file
hf mfu rdbl N Read block
hf mfu wrbl N Write block
hf mfu setuid Y Set UID - MAGIC tags only

.

Mifare ( xM1 )

I recommend you follow this guide

command offline description
hf help Y This help
hf mf csetuid N Set UID for magic Chinese card
hf mf csetblk N Write block - Magic Chinese card
hf mf cgetblk N Read block - Magic Chinese card
hf mf cgetsc N Read sector - Magic Chinese card
hf mf cload N Load dump into magic Chinese card
hf mf csave N Save dump from magic Chinese card into file or emulator
Mifare WIKI

How can I read a card contents?

  • hf mf rdbl 0 a ffffffffffff
    • 0 : block number
    • a : key type
    • ffffffffffff : key
  • hf mf rdsc 0 a ffffffffffff
    • 0 : sector number
    • a : key type
    • ffffffffffff : key

How can I write a block into a card?

  • ‘hf mf wrbl 0 a ffffffffffff 000102030405060708090a0b0c0d0e0f’, where 0 - block number, a - key type, ffffffffffff - key,
    000102030405060708090a0b0c0d0e0f - block data.

How can I break a card?

  • ‘hf mf mifare’
    if it doesn’t found a key: ‘hf mf mifare XXXXXXXX’ , where XXXXXXXX - Nt from previous run
    ‘hf mf nested 1 0 a FFFFFFFFFFFF’, where 1 - card type MIFARE CLASSIC 1k, FFFFFFFFFFFF - key that found at previous step.

How to save emulator dump from a card

  • ‘hf mf mifare’
  • if it doesn’t found a key: ‘hf mf mifare XXXXXXXX’ , where XXXXXXXX - Nt from previous run
  • ‘hf mf nested 1 0 a FFFFFFFFFFFF t’, where 1 - card type MIFARE CLASSIC 1k, FFFFFFFFFFFF - key that found at previous step.
  • ‘hf mf efill a FFFFFFFFFFFF’
  • ‘hf mf esave filename’

How to emulate a card

  • ‘hf mf mifare’
  • if it doesn’t found a key: ‘hf mf mifare XXXXXXXX’ , where XXXXXXXX - Nt from previous run
  • ‘hf mf nested 1 0 a FFFFFFFFFFFF t’, where 1 - card type MIFARE CLASSIC 1k, FFFFFFFFFFFF - key that found at previous step.
  • ‘hf mf efill a FFFFFFFFFFFF’
  • ‘hf mf sim’

How to emulate a new card

  • ‘hf mf eclr’
  • ‘hf mf sim’

How to emulate a card with help of dump from file

  • ‘hf mf eload filename’, where filename - dump’s file name (.eml)
  • ‘hf mf sim’

How to have look at the emulator memory

  • ‘hf mf eget 00’, where 00 - block number from 0 to 0x63. Each block contains 16 bytes of memory.

How to make changes into the emulator memory

  • ‘hf mf eset 01 000102030405060708090a0b0c0d0e0f’,
    where:
  • 00 - block number from 0 to 0x63. Each block contains 16 bytes of memory.
  • 000102030405060708090a0b0c0d0e0f - block data.

.

.

References

References

GitHub

Proxmark Wiki

Low Frequency (125-134kHz)

High Frequency (13.56MHz)

5 Likes