Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2016-08-08 13:17:34

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

legic reader PRL5A

[image: Z0iZy0w.jpg]
Taking a long pulse as "1" and a short one as "0", the reader generates a new request every time. The trace was recorded with no card present. Where can I find information about this request?
1110000
1111101
1110111
1010000
1010110
1000001
1111000
1110101
1111000
1000011
1010111
1010101
1011101
1011110
1001111
1101000
1010110
1001001
1011100
1001100
1000000


#2 2016-08-08 13:56:55

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

If it's LEGIC, try chapter 3 "Legic prime protocol" in https://sar.informatik.hu-berlin.de/res … 11-03_.pdf

It looks like the initialization frame with RAND (7 bits in LSB order) and LSB = 1.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2016-09-12 11:51:10

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

[image: nN9V4EY.jpg]
@iceman: Thank you very much for your answer!
Part of the table of requests and responses (request, response):
53 3F
55 3B (on the image)
59 20
5B 26
5D 1A
5F 1C
61 28
63 28
65 20
67 30
69 02
6B 22
6D 22
6F 32
71 19
73 28
75 31
77 38
Do I understand correctly that the card response is the XOR of a special LEGIC function?


#4 2016-09-12 12:28:01

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

Hm, let's assume your first column is the RAND (IV for the LFSR).
Reader sends IV (0x55), 7 bits (sample from your post);
tag answers with the obfuscated tag type.

plain text tag type:

 0x0D == mim22
 0x1D == mim256
 0x3D == mim1024
53 ^ 3F = 6C
55 ^ 3B = 6E
59 ^ 20 = 79
5B ^ 26 = 7D
5D ^ 1A = 47
5F ^ 1C = 43

Your list doesn't "decrypt" to valid tag types...



#5 2016-09-12 12:36:28

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

Maybe the 212 kHz modulation in the card response is a logic 0?


#6 2016-09-12 12:38:11

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

For a MIM256 tag, you should have gotten the following answers..

53 ^ 22
55 ^ 26
59 ^ 3d
5B ^ 3B


#7 2016-09-12 12:40:17

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

And the next question, about the secret LEGIC functions:
[image: Dh7OPAm.jpg]
Nothing is said about the inputs of the multiplexer.


#8 2016-09-12 12:53:53

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

Good question, let's see. I haven't found anything either in the available documents. You should ask the authors?

The legic_prng_forward function deals with Operation A, B.
The legic_prng_get_bit function should be your multiplexer.

The A part gives a shift index, to be used on B: B >> (shift A) = 1 bit out.



#9 2016-09-12 13:20:04

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

@iceman: Thank you very much for the quick response! learn more : )


#10 2016-09-12 13:36:00

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

I know the feeling when you have questions and no one to ask.

Been trying to make the LEGIC code better; got some of the trace log out with stuff which helps in understanding this very simple protocol. I still don't get when the PRNG skips forward: when sending, its bit period (100us/60us), and when not sending (100us, well 99.1us according to the documents). But is "not sending" the pause between frames?!?

pastebin.com/btXN9dvH



#11 2016-09-12 14:56:08

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

0 |        770 | Rdr |01  00  07  00  07
       1314 |       2216 | Tag |1d! 00! 06! 04  00! 02  08

If I understand you correctly: transmit 0x01, response 0x1d?

[image: VPPgUpP.jpg]
Zero-based RAND, received 0x19 :(


#12 2016-09-12 16:42:36

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

Well, yes, but I print the deobfuscated data. Your sample says 0x19, which (1D ^ 04 == 0x19) is correct..

19 = obfuscated
04 = LFSR XOR (LEGIC PRNG)
1D = plain text


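The obfuscation discussed in #4, #8 and #12 (tag answer = plain tag type XOR a keystream seeded from the 7-bit RAND; Operation A and B are two LFSRs and a 3-bit multiplexer picks one bit of B) can be checked against the numbers quoted in this thread. The C below is an added, stand-alone example written for this page; it is not the Proxmark3 source and was not posted by anyone in the thread. The function names mirror the ones iceman mentions (legic_prng_forward, legic_prng_get_bit), but the bodies are this example's own. Its assumptions: LFSR A is 7 bits seeded with RAND and fed back from a0^a6, LFSR B is 8 bits seeded with RAND<<1|1 and fed back from b0^b2^b3^b7, the multiplexer index is built from a2, a3, a4, and TAGTYPE_SKIP (two PRNG clocks between loading RAND and the first bit of the 6-bit tag-type answer) is not taken from any document but chosen so that the output reproduces every pair posted here: 53/3F, 55/3B, 59/20, 5B/26 from #3 and #6, and the RAND 0x01 / 0x19 trace in #11 and #12. legic_rand_from_pulses reads one of the pulse strings from #1 LSB first, as #2 suggests.

```c
/* LEGIC Prime obfuscation-stream generator: added example for this thread,
 * not Proxmark3 code. LFSR taps, seeding and TAGTYPE_SKIP are assumptions
 * that are verified only against the request/response pairs in the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t a;   /* LFSR A, 7 bits (Operation A) */
    uint8_t b;   /* LFSR B, 8 bits (Operation B) */
} legic_prng_t;

/* PRNG clocks assumed between loading RAND and the first bit of the 6-bit
 * tag-type answer. Not from a datasheet: chosen so the keystream matches
 * every pair posted in this thread. */
#define TAGTYPE_SKIP 2u

static void legic_prng_init(legic_prng_t *s, uint8_t rand7)
{
    s->a = rand7 & 0x7F;
    s->b = (uint8_t)((rand7 << 1) | 1);   /* RAND followed by a constant 1 */
}

/* Clock both registers `count` times: shift right, new bit enters at the top. */
static void legic_prng_forward(legic_prng_t *s, unsigned count)
{
    while (count--) {
        uint8_t fa = (s->a ^ (s->a >> 6)) & 1;                              /* a0 ^ a6 */
        uint8_t fb = (s->b ^ (s->b >> 2) ^ (s->b >> 3) ^ (s->b >> 7)) & 1;  /* b0^b2^b3^b7 */
        s->a = (uint8_t)((s->a >> 1) | (fa << 6));
        s->b = (uint8_t)((s->b >> 1) | (fb << 7));
    }
}

/* The multiplexer: a2,a3,a4 form a 3-bit index that selects bit (7 - index) of B. */
static uint8_t legic_prng_get_bit(const legic_prng_t *s)
{
    uint8_t sel = (uint8_t)((s->a & 4) | ((s->a & 8) >> 2) | ((s->a & 0x10) >> 4));
    return (s->b >> (7 - sel)) & 1;
}

/* nbits of keystream, LSB first (the order on the air), after `skip` clocks. */
uint32_t legic_keystream(uint8_t rand7, unsigned skip, unsigned nbits)
{
    legic_prng_t s;
    uint32_t ks = 0;
    legic_prng_init(&s, rand7);
    legic_prng_forward(&s, skip);
    for (unsigned i = 0; i < nbits; i++) {
        ks |= (uint32_t)legic_prng_get_bit(&s) << i;
        legic_prng_forward(&s, 1);   /* one clock per transmitted bit */
    }
    return ks;
}

/* Strip the keystream from the 6-bit tag-type answer of the setup phase. */
uint8_t legic_deobfuscate_tagtype(uint8_t rand7, uint8_t resp6)
{
    return (uint8_t)((resp6 ^ legic_keystream(rand7, TAGTYPE_SKIP, 6)) & 0x3F);
}

const char *legic_tagtype_name(uint8_t plain)
{
    switch (plain) {
    case 0x0D: return "MIM22";
    case 0x1D: return "MIM256";
    case 0x3D: return "MIM1024";
    default:   return "unknown";
    }
}

/* Read a logic-analyser pulse string ("1" = long pulse, "0" = short pulse)
 * as a 7-bit value transmitted LSB first; returns -1 on malformed input. */
int legic_rand_from_pulses(const char *pulses)
{
    int v = 0;
    if (strlen(pulses) != 7) return -1;
    for (int i = 0; i < 7; i++) {
        if (pulses[i] != '0' && pulses[i] != '1') return -1;
        v |= (pulses[i] - '0') << i;
    }
    return v;
}

int main(void)
{
    /* Pairs constructed from the thread: RAND sent by the reader, 6-bit answer. */
    const uint8_t pairs[][2] = { {0x53, 0x3F}, {0x55, 0x3B}, {0x59, 0x20}, {0x5B, 0x26}, {0x01, 0x19} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        uint8_t r = pairs[i][0], obf = pairs[i][1];
        uint8_t plain = legic_deobfuscate_tagtype(r, obf);
        printf("RAND %02X  answer %02X  keystream %02X  plain %02X  %s\n",
               r, obf, legic_keystream(r, TAGTYPE_SKIP, 6), plain, legic_tagtype_name(plain));
    }
    printf("pulses 1111101 -> RAND %02X\n", legic_rand_from_pulses("1111101"));
    return 0;
}
```

All five pairs deobfuscate to 0x1D, i.e. MIM256, which is the diagnosis in #6; the keystreams it lists there (22, 26, 3D, 3B) are exactly what legic_keystream returns for 53, 55, 59, 5B, and RAND 0x01 gives 0x04 as in #12. The pulse strings in #1 all start with a 1, so read LSB first they are odd, consistent with the RAND values in #3 being odd. If a different reader shows a different clock offset, TAGTYPE_SKIP is the one knob to adjust.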

#13 2016-09-13 00:50:12

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

Would you mind getting a trace from directly after the setup phase (7-6-6) and a "read byte 0" command on your oscilloscope?



#14 2016-09-13 05:39:53

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

PRL5A:   sendspace.com  file  34ggcp
Soft:      saleae.com  downloads


#15 2016-09-13 06:00:08

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

I recorded only the Tx signal (channel 5).
How the Rx signal appeared on the unconnected channel 6, I still do not understand!
I repeat the recording again and again, but the Rx signal does not appear.
Maybe the capacitance between wires 5 and 6 affects it that way.


#16 2016-09-13 06:13:30

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

[image: XkKmDot.jpg]


#17 2016-09-13 09:05:25

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

Thanks for the trace, much appreciated.
Trying to see all the frame timings in it, especially how long the pauses between frames (reader to tag) are and how long a reader/tag frame is.



#18 2016-09-13 16:34:12

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

If I smoothly change the time between the 7-6-6 (setup phase) and the 9-bit page request from 200 µs to 500 µs, the card response first disappears (300 µs) and then changes (500 µs)!


#19 2016-09-13 16:46:14

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

[image: Am3gdGg.jpg]


#20 2016-09-13 20:19:27

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

RTFM :| "The obfuscation stream generator is !continuously! running"


#21 2016-09-13 22:19:30

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

Well, yes... :)
When carefully reading the available documentation, they say about the PRNG:

1) normal iteration is 99.1us
2) when sending, it follows the bit frames, i.e. 100us (ONE), 60us (ZERO)


This is my problem at the moment, to verify these claims in the paper...
I just can't get your trace to match up with these statements from the papers.



#22 2016-09-14 11:05:46

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

@iceman: looking in the source code, the CRC4 function is for the 12-bit card response, and CRC8 for the card UID. Could there be a little hint? :)


#23 2016-09-14 11:15:54

Sentinel
Contributor
Registered: 2012-11-26
Posts: 128

Re: legic reader PRL5A

Another trace, from a reader based on the MFRC530; the times between transmissions are copied from the PRL5A reader.
Channel 3: internal bit parser of the received bits.
sendspace.com file 2cpso2


#24 2016-09-14 12:36:26

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865

Re: legic reader PRL5A

No, my timing issue is with the tx/rx frame and which step in time the PRNG is at.

The CRC4 from the "read byte" response is a later problem. As it is now, the CRC doesn't work anymore in my fork.

But one problem at a time.


