Proxmark3 Card Reading and Cloning
Get Card Info - General
Use these commands if you want to discover what type of card you are working with.
Low Frequency (LF - 125 KHz)
1
lf search
High Frequency (HF - 13.56 MHz)
1
hf search
Working with Specific Cards
If you know the type of card you are working with you can use specific commands to interact with it and perform operations.
EM4100
Get Card Info:
1
lf em 410x read
Example:
1
2
[usb] pm3 --> lf em 410x read
[+] EM 410x ID 520011F5D4
Simulate Card:
1
lf em 410x sim --id 520011F5D4
HID 125 KHz
Get Card Info:
1
lf hid read
Simulate Card:
1
lf hid sim
- Extra details will be printed for how to select card type and ID
T5577
Use the general low-frequency search command to find out the type of tag the card is emulating.
1
lf search
Example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 520011F5D4
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 4A0088AF2B
[=] HoneyWell IdentKey
[+] DEZ 8 : 01177044
[+] DEZ 10 : 0001177044
[+] DEZ 5.5 : 00017.62932
[+] DEZ 3.5A : 082.62932
[+] DEZ 3.5B : 000.62932
[+] DEZ 3.5C : 017.62932
[+] DEZ 14/IK2 : 00352188495316
[+] DEZ 15/IK3 : 000317836537643
[+] DEZ 20/ZK : 04100000080810150211
[=]
[+] Other : 62932_017_01177044
[+] Pattern Paxton : 1378235348 [0x522633D4]
[+] Pattern 1 : 4387103 [0x42F11F]
[+] Pattern Sebury : 62932 17 1177044 [0xF5D4 0x11 0x11F5D4]
[+] VD / ID : 082 / 0001177044
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
Wipe a T5577 Card and Restore to Blank:
1
lf t55xx wipe
MIFARE Classic
Get Card Info:
1
hf 14a info
See the following post for more information regarding MIFARE Classic cards:
MIFARE Ultralight
Get Card Info:
1
hf mfu info
Dump Card Data to File:
1
hf mfu dump
Emulate Card from Dump File:
1
2
hf mfu eload -f DUMP_FILE
hf mfu sim -t 2 --uid 11223344556677
-t 2means type = MIFARE Ultralight
MIFARE DESFire
Get Card Info:
1
hf mfdes info
HID IClass Cards
Get Card Info:
1
hf iclass info
Cloning
EM4100 => T5577
- Get EM4100 Card Details
Place the card to be cloned on the Proxmark.
1
lf em 410x read
- Output should be something like
[+] EM 410x ID 520011F5D4. - If you already know the card ID Step 1 can be skipped.
- Write the ID to a T5577 Card
Place the T5577 card on the Proxmark.
1
lf em 410x clone --id 520011F5D4
- Verify
1
lf em 410x read
HID => T55xx
Step 1: Scan Target Card
1
lf hid read
Take Note of either the Raw value, or the Card Type, FC and CN.
1
[+] [H10301 ] HID H10301 26-bit FC: 12 CN: 1234 parity ( ok )
Step 2: Clone Card
Using a Raw value:
1
lf hid clone -r 2006ec0c86
Using a Card Type, FC, and CN:
1
lf hid clone -w ind26 --fc 12 --cn 1234
T55xx => T55xx
Step 1: Dump Card Info
1
lf t55xx dump
Step 2: Restore Card Info to New Card
1
lf t55xx restore -f <FILE_NAME>
Other
EM4100 FC, CN, & Full Card Number
Printed on many EM4100 cards there will be three numbers:
1
[Full Card Number] [FC],[CN]
Example Card:
1
0014076183 214,51479
Above numbers represented in HEX:
- Full Card Number: D6C917
- Facility Code (FC): D6
- Card Number (CN): C917
The full card number is concatenation of the FC and CN. To calculate the Full Card Number without converting to hex the following formula can be used (all numbers are in decimal):
CN + (FN << 16)orCN + (FN * 2**16)
For the above card example:
CN + (FN << 16)51479 + (214 << 16)51479 + (14024704)14076183
Going the other way:
14076183CN = 14076183 & 65535orCN = 14076183 & (2**16 - 1)CN = 51479FN = 14076183 >> 16FN = 214