After that I tried to understand how Mosci's "legic_clone" script works, which could do the xor(ing) with the unique MCC Byte on my blank card.
Unfortunately as can seen, the legic_clone script has a problem in its function "getInputBytes". It only reads the first two bytes of the dump and is not able to go further in the process of re-xor(ing) the data.
pm3 --> script run legic_clone -i 410174E5.hex -w
script run legic_clone -i 410174E5.hex -w
[+] Executing: legic_clone.lua, args '-i 410174E5.hex -w'
read 2 bytes from 410174E5.hex
...\iceman-64-20180921\win64\scripts/legic_clone.lua:220: bad argument #1 to 'sub' (string expected, got nil)
[+] Finished
Maybe Mosci or anyone else has an idea what's going wrong at this point. My knowledge about LUA and the low-level read/write bytes from a token is more or less 0.
]]>I have a Legic Prime 1024 with a Legic-Cash on segment 02 and some other data in the other segments.
My goal is the clone the complete card or at least to manipulate certain information stored on it.
So, I first got the latest iceman version and started my tests....
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: master/v3.0.1-361-ge069547-suspect 2018-04-16 16:04:18
os: iceman/master/ice_v3.1.0-1057-g2a6a727d 2018-09-21 14:15:30
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S256 Rev D
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 256K bytes, Used: 237342 bytes (91%) Free: 24802 bytes ( 9%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
That is the source card looks like...
pm3 --> hf legic info
hf legic info
Reading tag memory 1024 b...
CDF: System Area
------------------------------------------------------
MCD: 41, MSN: 01 74 e5, MCC: fe OK
DCF: 60000 (60 ea), Token Type=IM-S (OLE=0)
WRP=15, WRC=1, RD=1, SSC=ff
Remaining Header Area
00 00 00 11 02 21 C0 08 70 F4 0F 00 00
ADF: User Area
------------------------------------------------------
Segment 01
raw header | 0x15 0x40 0x08 0x40
Segment len: 21, Flag: 0x4 (valid:1, last:0), WRP: 08, WRC: 04, RD: 0, CRC: 0x16 (OK)
WRC protected area: (I 27 | K 0| WRC 4)
row | data
-----+------------------------------------------------
[00] | 2C 2D 00 05
Remaining write protected area: (I 31 | K 31 | WRC 4 | WRP 8 WRP_LEN 4)
row | data
-----+------------------------------------------------
[00] | 48 68 84 60
Remaining segment payload: (I 35 | K 35 | Remain LEN 8)
row | data
-----+------------------------------------------------
[00] | 00 00 00 00 00 00 00 00
-----+------------------------------------------------
Segment 02
raw header | 0x21 0x40 0x08 0x70
Segment len: 33, Flag: 0x4 (valid:1, last:0), WRP: 08, WRC: 07, RD: 0, CRC: 0xD6 (OK)
WRC protected area: (I 48 | K 43| WRC 7)
row | data
-----+------------------------------------------------
[00] | 0C 01 01 31 01 00 2C
Remaining write protected area: (I 55 | K 55 | WRC 7 | WRP 8 WRP_LEN 1)
row | data
-----+------------------------------------------------
[00] | 01
Remaining segment payload: (I 56 | K 56 | Remain LEN 20)
row | data
-----+------------------------------------------------
[00] | 02 01 00 1A E4 00 00 00 00 01 00 0C 02 01 31 01
[01] | 00 2C 42 6B
-----+------------------------------------------------
Segment 03
raw header | 0x25 0xC0 0x08 0x70
Segment len: 37, Flag: 0xC (valid:1, last:1), WRP: 08, WRC: 07, RD: 0, CRC: 0xF9 (OK)
WRC protected area: (I 81 | K 76| WRC 7)
row | data
-----+------------------------------------------------
[00] | 0C 02 01 31 01 00 2C
Remaining write protected area: (I 88 | K 88 | WRC 7 | WRP 8 WRP_LEN 1)
row | data
-----+------------------------------------------------
[00] | 01
Remaining segment payload: (I 89 | K 89 | Remain LEN 24)
row | data
-----+------------------------------------------------
[00] | 03 D2 01 38 7F 7E D8 00 00 00 10 00 01 BE 8B 00
[01] | 00 00 10 00 01 EB 84 A5
-----+------------------------------------------------
After a successful dump of the card I first tried to write the complete dump on a new and empty card which looks like this.
pm3 --> hf legic info
hf legic info
Reading tag memory 1024 b...
CDF: System Area
------------------------------------------------------
MCD: 77, MSN: 4b 61 45, MCC: 4b OK
DCF: 65535 (ff ff), Token Type=NM (New Media)
I tried the restore and on the first glance it showed success.
pm3 --> hf legic restore i 410174E5
hf legic restore i 410174E5
TYPE : MIM1024 card (1002 bytes)
Restoring to card
Wrote chunk [offset 7 | len 512 | total 519
Wrote chunk [offset 519 | len 505 | total 1024
Wrote 1024 bytes to card from file 410174E5.bin
But on the new card nothing was written.
pm3 --> hf legic info
hf legic info
Reading tag memory 1024 b...
CDF: System Area
------------------------------------------------------
MCD: 77, MSN: 4b 61 45, MCC: 4b OK
DCF: 65535 (ff ff), Token Type=NM (New Media)
After this not successful first step I tried to get some more success with the scripts legic and legic_clone.
I tried to read the Tag and it showed success.
pm3 --> script run legic
script run legic
[+] Executing: legic.lua, args ''
Legic command? ('h' for help - 'q' for quit) (default: h )
> rt
UID : 41 01 74 E5
TYPE : MIM1024 card (1002 bytes)
Reading emulator memory...
Saved 256 bytes from emulator memory to file: legic.temp.bin
[36m
256 bytes from legic.temp.bin loaded
create virtual tag from 256 bytes
[0m
[32mTag-Type: IAM[0m
[36m256 bytes for Tag processed[0m
Legic command? ('h' for help - 'q' for quit) (default: h )
Unfortunately the written file "legic.temp.bin" is only filled with 0x00.
Nonetheless I tried to write the new and empty token.
> wt
[31m
place the (empty) Tag onto the PM3
and confirm writing to this Tag: [0m [y/n] ?y
UID : 77 4B 61 45
TYPE : MIM1024 card (1002 bytes)
Reading emulator memory...
Saved 256 bytes from emulator memory to file: legic.temp.bin
[36m
256 bytes from legic.temp.bin loaded
create virtual tag from 256 bytes
[0m
[32mTag-Type: IAM[0m
[36m256 bytes for Tag processed[0m
write temp-file 'MylegicClone.hex'
[36m
wrote 1024 bytes to MylegicClone.hex
[0m
[33menter number of bytes to write?[0m (default: 22 )
I tried to read the new token but it still remained empty.
pm3 --> hf legic info
hf legic info
Reading tag memory 1024 b...
CDF: System Area
------------------------------------------------------
MCD: 77, MSN: 4b 61 45, MCC: 4b OK
DCF: 65535 (ff ff), Token Type=NM (New Media)
My next step was to use the legic_clone script and therefore I first dumped my source card
pm3 --> hf legic dump
hf legic dump
TYPE : MIM1024 card (1002 bytes)
Reading tag memory 1024 b...
Wrote 1024 bytes to 410174E5.bin
A look in the created file and it showed at least data.....
xxd 410174E5.bin
00000000: 4101 74e5 fe60 ea9f ff00 0000 1102 21c0 A.t..`........!.
00000010: 0870 f40f 0000 ebbe f6be e8d2 d3fe fbb6 .p..............
00000020: 967a 9efe fefe fefe fefe fedf bef6 8e28 .z.............(
00000030: f2ff ffcf fffe d2ff fcff fee4 1afe fefe ................
00000040: feff fef2 fcff cfff fed2 bc95 db3e f68e .............>..
00000050: 07f2 fcff cfff fed2 fffd 2cff c681 8026 ..........,....&
00000060: fefe feee feff 4075 fefe feee feff 157a ......@u.......z
00000070: 5b00 0000 0000 0000 0000 0000 0000 0000 [...............
Next step was this......and it ended in an error....
pm3 --> script run legic_clone -i 410174E5.hex -w
script run legic_clone -i 410174E5.hex -w
[+] Executing: legic_clone.lua, args '-i 410174E5.hex -w'
read 2 bytes from 410174E5.hex
...\iceman-64-20180921\win64\scripts/legic_clone.lua:220: bad argument #1 to 'sub' (string expected, got nil)
[+] Finished
Do I have completely wrong assumptions or is playing around with legic prime cards still a big mess?
Thanks upfront for some hints to get me on the right way. :-)
]]>