Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2020-04-22 14:55:29

testlegic
Contributor
Registered: 2020-04-16
Posts: 2

legic access segment

Hello,

I was requested by my company to have a look at our company cards, so I got myself a Proxmark and started to analyse the cards. Thanks to all the good information provided here I was able to dump and simulate my card quite easily. However, when trying to clone it to another card bought from the internet I was not lucky. I assume there is a CRC I was not able to reproduce, so maybe someone has already seen the following segment structure:

[+]  CDF: System Area
------------------------------------------------------
[+] MCD: XX  MSN: XX XX XX   MCC: 1B  ( OK )
[+] DCF: 60000 (60 ea), Token Type = IM-S (OLE = 0)
[+] WRP = 15, WRC = 1, RD = 1, SSC = FF
[+] Remaining Header Area
[+] 00 00 00 11 02 53 C0 08 C0 69 97 00 00
------------------------------------------------------
[+] ADF: User Area
------------------------------------------------------
[+] Segment     | 01
[+] raw header  | 0x18 0x40 0x0B 0x00
[+] Segment len | 24,  Flag: 0x4 (valid:1, last:0)
[+]             | WRP: 11, WRC: 00, RD: 0, CRC: 0x54 ( OK )
[+] Remaining write protected area:  (I 27 | K 0 | WRC 0 | WRP 11  WRP_LEN 11)

row  | data
-----+------------------------------------------------
[00] | 20 00 YY YY 00 00 ZZ ZZ ZZ D2 10
-----+------------------------------------------------

[+] Remaining segment payload:  (I 38 | K 38 | Remain LEN 8)

row  | data
-----+------------------------------------------------
[00] | 00 00 00 00 00 00 00 00
-----+------------------------------------------------

 

I have XX'ed out the UID, YY should be our company code from the provider, and ZZ is the number printed on the card.

What I assume is some sort of CRC in the D2 10. I tried it with the KGH information from the forum and also tried to brute force it with the crc function of the proxmark, but all the results I got failed when applied on the second valid card that I have.

So maybe someone here has an idea what else I could try.

Thanks in advance


#2 2020-05-25 17:31:25

Jason
Contributor
Registered: 2016-07-21
Posts: 49

Re: legic access segment

This is an Interflex access segment.
If I remember correctly they don't use the standard KGH layout. I think it was a 16-bit CRC, but in any case not standard KGH.
D2 and 10 in your dump is the CRC, if I remember correctly.
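
The segment layout printed in the dump in post #1, decoded as an added example (not code from either poster or from the Proxmark3 client): it shows where the `D2 10` bytes sit inside the 24-byte segment. The bit positions, the names, and the segment start offset of 22 are assumptions chosen to reproduce the values the dump prints (len 24, WRP 11, WRC 0, `I 27`, `I 38`, remaining length 8).

```python
from typing import NamedTuple

HEADER_LEN = 4  # raw segment header
CRC_LEN = 1     # header CRC byte stored right after it

class SegmentLayout(NamedTuple):
    length: int          # total segment length, header included
    valid: bool
    last: bool
    wrp: int             # write-protected bytes (includes the WRC bytes)
    wrc: int
    rd: int
    wrp_offset: int      # card offset of the remaining write-protected area
    payload_offset: int  # card offset of the remaining segment payload
    payload_len: int

def parse_segment_header(raw: bytes, segment_offset: int) -> SegmentLayout:
    """Decode a de-obfuscated 4-byte header as printed in the dump."""
    if len(raw) != HEADER_LEN:
        raise ValueError("segment header must be exactly 4 bytes")
    # Assumed bit layout, consistent with the dump's printed fields.
    length = ((raw[1] & 0x0F) << 8) | raw[0]   # 12-bit length
    flag = raw[1] >> 4                         # bit 2 = valid, bit 3 = last
    wrp = raw[2]
    wrc = (raw[3] & 0x70) >> 4
    rd = raw[3] >> 7
    payload_len = length - HEADER_LEN - CRC_LEN - wrp
    if wrc > wrp or payload_len < 0:
        raise ValueError("inconsistent header: protected area does not fit")
    body = segment_offset + HEADER_LEN + CRC_LEN
    return SegmentLayout(length, bool(flag & 0x4), bool(flag & 0x8), wrp, wrc, rd,
                         body + wrc, body + wrp, payload_len)

def split_body(body: bytes, layout: SegmentLayout):
    """Split the bytes after header+CRC into (wrc_area, wrp_area, payload)."""
    expected = layout.wrp + layout.payload_len
    if len(body) != expected:
        raise ValueError(f"body is {len(body)} bytes, header implies {expected}")
    return body[:layout.wrc], body[layout.wrc:layout.wrp], body[layout.wrp:]

# Header bytes from the dump; segment_offset=22 is inferred from its "I 27" index.
LAYOUT = parse_segment_header(bytes([0x18, 0x40, 0x0B, 0x00]), segment_offset=22)
# Constructed body: 0xAA / 0xBB stand in for the redacted YY / ZZ bytes.
BODY = bytes.fromhex("2000aaaa0000bbbbbbd210") + bytes(8)
WRC_AREA, WRP_AREA, PAYLOAD = split_body(BODY, LAYOUT)

if __name__ == "__main__":
    print(LAYOUT)
    print("last two protected bytes:", WRP_AREA[-2:].hex(" "))
```

The two bytes in question are the last two of the 11-byte write-protected area, so whatever they check would most plausibly cover the nine bytes before them, possibly together with card-specific data such as the UID.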
