Proxmark3

PM3 Framework – Iceman’s Fork

Generic commands

 analyse           { Analyse utils… }
 data              { Plot window / data buffer manipulation… }
 emv               { EMV iso14443 and iso7816… }
 hf                { High Frequency commands… }
 hw                { Hardware commands… }
 lf                { Low Frequency commands… }
 mem               { Flash Memory manipulation… }
 msleep            Add a pause in milliseconds
 rem               Add text to row in log file
 reveng            { Crc calculations from the RevEng software }
 sc                { Smart card ISO7816 commands… }
 script            { Scripting commands }
 trace             { Trace manipulation… }
 usart             { USART commands… }

HW – Hardware commands

 dbg               Set Proxmark3 debug level          
 connect           connect Proxmark3 to serial port          
 detectreader      ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)          
 fpgaoff           Set FPGA off          
 ping              Test if the Proxmark3 is responsive          
 readmem           [address] -- Read memory at decimal address from flash          
 reset             Reset the Proxmark3          
 setlfdivisor      <19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)          
 setmux            Set the ADC mux to a specific value          
 standalone        Jump to the standalone mode          
 status            Show runtime status information about the connected Proxmark3          
 tune              Measure antenna tuning          
 version           Show version information about the connected Proxmark3

Mem – Memory commands

 spiffs            High level SPI FileSystem Flash manipulation [rdv40]
 spibaud           Set Flash memory Spi baudrate [rdv40]
 info              Flash memory information [rdv40]
 load              Load data into flash memory [rdv40]
 dump              Dump data from flash memory [rdv40]
 wipe              Wipe data from flash memory [rdv40]

Data

 askedgedetect     [threshold] Adjust Graph for manual ASK demod using the length of sample differences to detect the edge of a wave (use 20-45, def:25)
 autocorr          [window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)
 biphaserawdecode  [offset] [invert<0|1>] [maxErr] -- Biphase decode bin stream in DemodBuffer (offset = 0|1 bits to shift the decode start)
 bin2hex           -- Converts binary to hexadecimal
 bitsamples        Get raw samples as bitstring
 buffclear         Clears bigbuff on deviceside and graph window
 convertbitstream  Convert GraphBuffer's 0/1 values to 127 / -127
 dec               Decimate samples
 detectclock       [] Detect ASK, FSK, NRZ, PSK clock rate of wave in GraphBuffer
 fsktonrz          Convert fsk2 to nrz wave for alternate fsk demodulating (for weak fsk)
 getbitstream      Convert GraphBuffer's >=1 values to 1 and <1 to 0
 grid              -- overlay grid on graph window, use zero value to turn off either
 hexsamples        [] -- Dump big buffer as hex bytes
 hex2bin           -- Converts hexadecimal to binary
 hide              Hide graph window
 hpf               Remove DC offset from trace
 load              -- Load trace (to graph window)
 ltrim             -- Trim samples from left of trace
 rtrim             -- Trim samples from right of trace
 mtrim             -- Trim out samples from the specified start to the specified stop
 manrawdecode      [invert] [maxErr] -- Manchester decode binary stream in DemodBuffer
 norm              Normalize max/min to +/-128
 plot              Show graph window (hit 'h' in window for keystroke help)
 printdemodbuffer  [x] [o] [l] -- print the data in the DemodBuffer - 'x' for hex output
 rawdemod          [modulation] … - see help (h option) -- Demodulate the data in the GraphBuffer and output binary
 samples           [512 - 40000] -- Get raw samples for graph window (GraphBuffer)
 save              -- Save trace (from graph window)
 setgraphmarkers   [orange_marker] [blue_marker] (in graph window)
 scale             -- Set cursor display scale
 setdebugmode      <0|1|2> -- Set Debugging Level on client side
 shiftgraphzero    -- Shift 0 for Graphed wave + or - shift value
 dirthreshold      -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev.
 tune              Get hw tune samples for graph window
 undec             Un-decimate samples by 2
 zerocrossings     Count time between zero-crossings
 iir               Apply IIR Butterworth filter on plotdata

HF – High frequency

 14a               { ISO14443A RFIDs… }
 14b               { ISO14443B RFIDs… }
 15                { ISO15693 RFIDs… }
 epa               { German Identification Card… }
 felica            { ISO18092 / Felica RFIDs… }
 legic             { LEGIC RFIDs… }
 iclass            { ICLASS RFIDs… }
 mf                { MIFARE RFIDs… }
 mfp               { MIFARE Plus RFIDs… }
 mfu               { MIFARE Ultralight RFIDs… }
 mfdes             { MIFARE Desfire RFIDs… }
 topaz             { TOPAZ (NFC Type 1) RFIDs… }
 fido              { FIDO and FIDO2 authenticators… }
 thinfilm          { Thinfilm RFIDs… }
 list              List protocol data in trace buffer
 tune              Continuously measure HF antenna tuning
 search            Search for known HF tags [preliminary]
 sniff             Generic HF Sniff

LF – Low frequency

 awid              { AWID RFIDs… }
 cotag             { COTAG CHIPs… }
 em                { EM4X CHIPs & RFIDs… }
 fdx               { FDX-B RFIDs… }
 gproxii           { Guardall Prox II RFIDs… }
 hid               { HID RFIDs… }
 hitag             { Hitag CHIPs… }
 indala            { Indala RFIDs… }
 io                { ioProx RFIDs… }
 jablotron         { Jablotron RFIDs… }
 keri              { KERI RFIDs… }
 nedap             { Nedap RFIDs… }
 nexwatch          { NexWatch RFIDs… }
 noralsy           { Noralsy RFIDs… }
 pac               { PAC/Stanley RFIDs… }
 paradox           { Paradox RFIDs… }
 pcf7931           { PCF7931 CHIPs… }
 presco            { Presco RFIDs… }
 pyramid           { Farpointe/Pyramid RFIDs… }
 securakey         { Securakey RFIDs… }
 ti                { TI CHIPs… }
 t55xx             { T55xx CHIPs… }
 viking            { Viking RFIDs… }
 visa2000          { Visa2000 RFIDs… }
 config            Set config for LF sampling, bit/sample, decimation, frequency
 cmdread           <'0' period> <'1' period> ['h' 134] -- Modulate LF reader field to send command before read (all periods in microseconds)
 flexdemod         Demodulate samples for FlexPass
 read              ['s' silent] Read 125/134 kHz LF ID-only tag. Do 'lf read h' for help
 search            [offline] ['u'] Read and Search for valid known tag (in offline mode you can load first, then search) -- 'u' to search for unknown tags
 sim               [GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)
 simask            [clock] [invert <1|0>] [biphase/manchester/raw <'b'|'m'|'r'>] [msg separator 's'] [d ] -- Simulate LF ASK tag from demodbuffer or input
 simfsk            [c ] [i] [H ] [L ] [d ] -- Simulate LF FSK tag from demodbuffer or input
 simpsk            [1|2|3] [c ] [i] [r ] [d ] -- Simulate LF PSK tag from demodbuffer or input
 simbidir          Simulate LF tag (with bidirectional data transmission between reader and tag)
 sniff             Sniff LF traffic between reader and tag
 vchdemod          ['clone'] -- Demodulate samples for VeriChip

Script – List of useful scripts

 list              List available scripts
 run               -- Execute a script

14araw.lua
amiibo.lua
brutesim.lua
calc_di.lua
calc_ev1_it.lua
calc_mizip.lua
calypso.lua
cmdline.lua
didump.lua
dumptoemul.lua
dumptoemul-mfu.lua
e.lua
emul2dump.lua
emul2html.lua
formatMifare.lua
hard_autopwn.lua
hf_read.lua
htmldump.lua
iso15_magic.lua
legic_buffer2card.lua
Legic_clone.lua
legic.lua
lf_bulk.lua
mfkeys.lua
mifare_access.lua
mifare_autopwn.lua
mifareplus.lua
ndef_dump.lua
ntag_3d.lua
parameters.lua
read_pwd_mem.lua
remagic.lua
test_t55x7_ask.lua
test_t55x7_bi.lua
test_t55x7_fsk.lua
test_t55x7.lua
test_t55x7_psk.lua
tnp3clone.lua
tnp3dump.lua
tnp3sim.lua
tracetest.lua
ufodump.lua
ul_uid.lua

EMV – Europay, Mastercard & Visa

 exec              Executes EMV contactless transaction.
 pse               Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.
 search            Try to select all applets from applets list and print installed applets.
 select            Select applet.
 gpo               Execute GetProcessingOptions.
 readrec           Read files from card.
 genac             Generate ApplicationCryptogram.
 challenge         Generate challenge.
 intauth           Internal authentication.
 scan              Scan EMV card and save its contents to json file for emulator.
 test              Crypto logic test.
 list              List ISO7816 history
 roca              Extract public keys and run ROCA test