Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.

"Learn the tools of the trade the hard way." +Fravia


#1 2016-04-17 14:24:18

Registered: 2016-04-17
Posts: 1

Legic reader (SMS05)

(Sorry for my English)

Hello everybody,

At my company I'm developing a system based on Legic cards. When an employee arrives and enters the door with his/her card, I would like to read the card's UID. Then I could join the card's UID with our database, which contains some information about the user. I can't simply read the UID from the card reader's log table, because the system writes that log last and it's too slow for me.
I have a test environment with a Raspberry Pi connected to the door opener (card reader). With piscope I can analyse the traffic between the reader and the server.
The piscope output format is like this:


This format means:
FROM 1140541785023 TO 1140541785388 the signal was LOW (0).
FROM 1140541785388 TO 1140541785438 the signal was HIGH (1).
And so on.

It's hard to read so I wrote a little program which can parse the piscope output in this format:

0    160
1    50
0    50
1    55
0    50
1    55

This format means the following:
The signal was LOW for 160 microseconds.
The signal was HIGH for 50 microseconds.
And so on.

OK, now I can decode the signal into bits. It's time to partition it.
I read that the baud rate is 19200 or something like that, so 1/19200 = 52.08 microseconds. This is the smallest unit of the signal.

0    160 / 52 ~= 3
1    50   / 52 ~= 1
0    50   / 52 ~= 1
1    55   / 52 ~= 1
0    50   / 52 ~= 1
1    55   / 52 ~= 1

So this means: "00010101"

I read lots of different cards with the reader and saved the dumps to compare them with each other. I think I found the UID's place in the bit stream, but I just can't decode it to the decimal card number (e.g. 1234).
From this point I can't go forward.
I took apart the reader and tried to identify the parts. It uses the RS-485 standard, but this standard only defines the electrical characteristics of drivers and receivers, not the protocol (or maybe the encryption) of the bit stream.
The Legic chip in the reader is the SMS05.
I tried to decode the bit stream as Manchester code (it's a type of line code), but I failed. Maybe it's not encoded with that...

Could anybody help me please? I would be happy with just an idea or something...

Thank you very much!
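The quantization step described in the post (divide each run length by the 52.08 µs bit period at 19200 baud and round) is simple enough to script, and the obvious next experiment on an RS-485 link at a standard baud rate is to try framing the resulting bit stream as plain asynchronous serial. The script below is an added example, not code from the post or from any Legic/SMS05 documentation. It assumes: (1) the poster's "level duration_us" dump format and the 19200 baud figure, (2) that the link carries 8N1 async serial (one low start bit, eight data bits LSB first, one high stop bit), which the post does not establish and which may simply be wrong for this reader, and (3) that the polarity may be inverted because RS-485 A/B wiring is easy to swap, so both polarities are tried. The six-line sample dump is the one from the post; the three-byte payload used for the round-trip check is constructed. Runs shorter than half a bit period are treated as glitches and dropped rather than rounded to zero bits silently.

```python
from typing import List, Tuple

BAUD = 19200
BIT_US = 1_000_000 / BAUD          # ~52.08 us per bit at 19200 baud (poster's figure)

# The six runs from the post, in its "level  duration_us" format.
SAMPLE_DUMP = """\
0    160
1    50
0    50
1    55
0    50
1    55
"""


def parse_runs(text: str) -> List[Tuple[int, float]]:
    """Parse 'level duration_us' lines into (level, duration) tuples; skip blank/malformed lines."""
    runs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        level, dur = int(parts[0]), float(parts[1])
        if level not in (0, 1):
            raise ValueError(f"bad level in line: {line!r}")
        runs.append((level, dur))
    return runs


def runs_to_bits(runs: List[Tuple[int, float]], bit_us: float = BIT_US,
                 min_frac: float = 0.5) -> List[int]:
    """Quantize each run to a whole number of bit periods (the post's divide-and-round step).
    A run shorter than min_frac of a bit period is a glitch, not a bit, and is dropped."""
    bits: List[int] = []
    for level, dur in runs:
        n = round(dur / bit_us)
        if n == 0 or dur < min_frac * bit_us:
            continue
        bits.extend([level] * n)
    return bits


def bits_to_str(bits: List[int]) -> str:
    return "".join(str(b) for b in bits)


def decode_8n1(bits: List[int], invert: bool = False) -> Tuple[bytes, int]:
    """Frame a bit list as async serial 8N1: start=0, 8 data bits LSB first, stop=1.
    This is an assumption about the link, not something the post confirms.
    Returns (decoded bytes, number of framing errors). On a bad stop bit we
    resynchronise one bit later instead of giving up."""
    if invert:
        bits = [1 - b for b in bits]
    out = bytearray()
    errors = 0
    i, n = 0, len(bits)
    while i < n:
        if bits[i] == 1:               # idle/stop level: keep scanning for a start bit
            i += 1
            continue
        if i + 9 >= n:                 # not enough bits left for 8 data + stop
            break
        value = sum(b << k for k, b in enumerate(bits[i + 1:i + 9]))
        if bits[i + 9] != 1:           # stop bit must be high
            errors += 1
            i += 1
            continue
        out.append(value)
        i += 10
    return bytes(out), errors


def encode_8n1(payload: bytes, idle_bits: int = 3) -> List[int]:
    """Inverse of decode_8n1, used only to build a known-good test stream."""
    bits = [1] * idle_bits
    for byte in payload:
        bits.append(0)
        bits.extend((byte >> k) & 1 for k in range(8))
        bits.append(1)
    bits.extend([1] * idle_bits)
    return bits


def bits_to_runs(bits: List[int], bit_us: float = BIT_US) -> List[Tuple[int, float]]:
    """Run-length encode bits back into (level, duration_us), adding a few microseconds
    of deterministic jitter so the quantizer is exercised on imperfect edge timing."""
    jitter = [-3.0, 2.0, 0.0, 4.0]
    runs: List[Tuple[int, float]] = []
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        runs.append((bits[i], (j - i) * bit_us + jitter[len(runs) % 4]))
        i = j
    return runs


def demo() -> Tuple[str, bytes, int]:
    """Quantize the post's sample, then round-trip a constructed payload through 8N1."""
    sample_bits = bits_to_str(runs_to_bits(parse_runs(SAMPLE_DUMP)))   # "00010101"
    payload = b"\x12\x34\xab"                                           # constructed
    decoded, errs = decode_8n1(runs_to_bits(bits_to_runs(encode_8n1(payload))))
    return sample_bits, decoded, errs


if __name__ == "__main__":
    print(demo())
```

Run it over a full capture with `parse_runs(open("dump.txt").read())` and compare the byte counts and framing-error counts from `decode_8n1(bits)` and `decode_8n1(bits, invert=True)`: a polarity and framing that are right produce a stable byte count and zero or near-zero errors across many swipes, while a wrong one produces errors on most frames. If both polarities fail, the stream is probably not 8N1 at this rate and a different line coding or bit period is the next thing to try.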

