Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-07-27 09:29:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

[request] data from a Legic Advant tag

Hi everybody,

I've been fiddling with the CRC implementations and got back to the CRC16 for Legic Advant. I would like to have data samples from a Legic Advant tag to be able to verify the CRC.

- bytes with a crc in the end.
- the uid from tag where the data came from.

The uid is needed to calc the uidCRC,  which is used as initial_value for the Legic CRC16 algo.

Offline

#2 2016-07-27 14:53:34

mosci
Contributor
Registered: 2016-01-09
Posts: 94
Website

Re: [request] data from a Legic Advant tag

since they are encrypted, I guess we need to have some empty tags, on which we can apply a (for us) know key
as far as I know they support 3 different types of encryption 3des, des and legic (legic-encrytion is well known from the prime - so it's no encryption at all)
AES 128 & AES 256 are also mentioned, but have not found them on the description about legic-advant-tags (for now)
but they are mentiond in the cmd-reference for sm-4500 ( which I do not have completely )

thus I have ordered me 5 Legic Advant ( ATC2048 ) cards/tags to play a little with them ...
we will see what we can do with it ... once they have arrived

Last edited by mosci (2016-07-27 15:36:22)

Offline

#3 2016-07-27 18:13:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [request] data from a Legic Advant tag

Perfect!

One question that arises is if the crc is calculated before crypto is applied or after.  If after then we can analyse a valid advant tag for this.

Offline

#4 2016-07-27 19:08:56

mosci
Contributor
Registered: 2016-01-09
Posts: 94
Website

Re: [request] data from a Legic Advant tag

I guess pm3 is not able to read advant tags now and not able to sniff also (even not prime) - so, I have to fiddle around with twn4 and raw commands of the sm-4500 - and since nobody has ever posted some valid segments or other stuff about the advant here - don't expect too much ;-)
If there is a uidCRC  like on prime  - I suppose that the uidCRC is also not writable but present from beginning on - like it is on prime tags - but without advant-support within pm3 it will be hard to dump a tag (to get the uidCRC)
the sm (security-module) doesn't have a 'dump function' (as far as I know) ... but, it has a 'makeCRC' and 'checkCRC' function ...
but to use that, you must have a valid tag before ... so again ... don't expect too much - I guess it will be a long way to get into the advant stuff - as long as we don't get some help ;-)
anyway - we have to start somewhere - and why not on a empty tag. perhaps pm3 is able to read a empty tag - then we will have a good chance to get a uidCRC.
If I could create a valid tag, then we should be able to make and check a crc also.
as far as I know the MasterToken don't has to be a advant-tag - it just has to valid - which is no problem - I've create some of them already - so ... I hope that pm3 can read at least the first 10 bytes which should be uid (8 byte) and uidCRC (2 bytes - if crc16)
I'm curious  what pm3 can do with advant 'out of the box'  maybe we can sniff/spoof with ordinary 14443A functions

there are serval 'types' of advant tags available

ATC1024-MV - ISO 15693
ATC2048-MP - ISO 14443 A (I will get that one)

the above only support
Legic encryption
des 56bit
3des 112bit

the blow will also support
aes 128 & 256 bit

ATC256- MV410 - ISO 15693
CTC4096-MP - ISO 14443 A
ATC4096- MP31 - ISO 14443 A
AFS4096-JP - ISO 14443 A (micro controller smartcard)

the security should raise from from top to bottom
so MIM256/1024 (Prime) is less secure than ATC1024-MV
ATC1024-MV is less secure than AFS4096-JP
(from a legic perspective ;-) - as we know already -> prime isn't secure at all)

Last edited by mosci (2016-07-27 19:17:37)

Offline

#5 2016-07-27 19:33:46

mosci
Contributor
Registered: 2016-01-09
Posts: 94
Website

Re: [request] data from a Legic Advant tag

I still guess that people with more rfid-knowledge than me, can do much more with the twn4
but unfortunately no one here want's to buy it from me roll
so we have to deal with the circumstance that a rfid-noob tries to investigate on a unknown tag lol
but it can be fun for me , if there will be some progress over time cool

Offline

#6 2016-07-27 19:35:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [request] data from a Legic Advant tag

We all are beginners once,  what a great challenge you have now.   And I do say that you have become very good at Legic Prime.

Offline

#7 2016-07-27 19:43:40

mosci
Contributor
Registered: 2016-01-09
Posts: 94
Website

Re: [request] data from a Legic Advant tag

legic prime was easy - because pm3 could at least read/write & decode the tag-content
and many of the 'layout' was already known ... and the crc8-function was the last piece that was missing
to create a valid tag - all other was just 'separate the data and the crc's'
hopefully advant has many in common with prime - but if I was Mr. Legic
I would have made the second attempt much different from the first wink
... we will see ...
maybe Jason can/will step into the boat wink

Last edited by mosci (2016-07-27 19:52:17)

Offline

#8 2016-07-28 14:54:47

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

I can't provide RAW data dumps from advant cards. This is not possible with official readers. But anyway... I think it's not the same as on Legic prime. It workes more like DESfire, someone toled me once they use a DESfire media with modified firmware... but I think this is wrong. Anyway: Since the ISO 14443A cards follow a offical communication standard the communication should be traced with PM3, but I never tried this. In fact: There must be some authentication mechanism, something how DESfire is doing this (I think). Maybe this is some hashed value with some secret and the UID I think (I would do this this way), since any advant card could we read with any advant reader. So individual customized authentication keys are not possible this way...


mosci wrote:

AES 128 & AES 256 are also mentioned, but have not found them on the description about legic-advant-tags

Some newer tags support this ATC4096-MP311 for example. The noted CTC chips are quit new: They are some kind of hybrid-chips. They support Legic prime and advant from one single chip. In fact this are seperated worlds from the user side. So effectivly this chip is a die-combination of a single prime and a single advant chip. The chip was introduced to easly migrate from prime to advant... but I think the best benefit you gain from this chip is the better performance instead of to single chips inside one platic card (this will make some trouble).

mosci wrote:

as far as I know the MasterToken don't has to be a advant-tag

You will fail, sorry wink ... as of a good reason the prime master tokens are locked by firmware to create advant media. You can create prime media from advant MTs of course, but not in the other direction, sorry!


iceman wrote:

I would like to have data samples from a Legic Advant tag


I will generate some data, I think the algorithm is the same on prime, since prime cards could also be handled the same way from advant readers. Making different algorithms makes no sence.
No need to buy cards, I have all kinds on my desk wink


Heres a picture from a advant card from the official software... the user look and feel is the same as for prime cards, the only addition is some more detail functions exist on advant media, except this the system is the same.

unbenanntigs7d.jpg

Offline

#9 2016-07-28 16:19:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [request] data from a Legic Advant tag

Perfect!  Lets see what we need to change to make PM3 able to read legic advant!

Offline

#10 2016-07-28 17:52:00

mosci
Contributor
Registered: 2016-01-09
Posts: 94
Website

Re: [request] data from a Legic Advant tag

Jason wrote:

No need to buy cards, I have all kinds on my desk wink

that helps a lot to get some dumps for Iceman !
but your desk is far away from me and I would like to have some to play around with wink


Jason wrote:

Heres a picture from a advant card from the official software... the user look and feel is the same as for prime cards, the only addition is some more detail functions exist on advant media, except this the system is the same.

and I would like to have that software
I'm already installing me windooze on a VitualBox
ah, I can see at the Picture-Upload - that we can talk german too  - so your desk is not that far away as I thought cool

Last edited by mosci (2016-07-28 18:12:33)

Offline

#11 2016-07-28 19:08:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [request] data from a Legic Advant tag

Seems @jason will contribute just fine smile

Which bytes is used for CRC16?  The CRC8 has some mixes. I wonder if it is the same.

Offline

#12 2016-07-29 13:22:12

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

mosci wrote:

but your desk is far away from me

you can't imagine the size of my desk, do you? wink

mosci wrote:

and I would like to have that software (...)

Your reader module is a SM-4000 series reader, right? Unfortunately the shown software does only operate with advant 2000 series reader. The command set was completly changed on the 4000 series. Currently I don't have the CSW-4000 software (no need). I have the development software for SM-4000 readers, I never used it, but if it is such "elemental" as like the 2000 series software was, you won't have much joy with is. Maybe we should talk in a less official way about further options... maybe in other preffered languages, who knows... cool

mosci wrote:

ah, I can see at the Picture-Upload - that we can talk german too  - so your desk is not that far away as I thought cool

Maybe... maybe not cool ... perhaps a wrong hint, who knows... big_smile


iceman wrote:

Which bytes is used for CRC16?

Bytes of what? The shown picture does not show any CRC ... hmm... maybe the last UID byte is CRC. As I checked with few consectutive fabricated cards the last hey-byte seems to we a "random" value, where the upper 5 bytes are incremental. But this might be wrong.

Anyway, I started to trace some communication. First I was disappointed... until I realized I marked my white plastic cards in a wrong way big_smile ... I marked ISO15 card as ISO14... oops smile ... finaly, with real 14a advant cards I traced the following:

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       1056 | Rdr |26                                                               |     | REQA
       2288 |       4624 | Rdr |f9  7f                                                           |     | ?
      10336 |      12800 | Rdr |93  20                                                           |     | ANTICOLL
      28832 |      39296 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
     693968 |     694960 | Rdr |52                                                               |     | WUPA
     696256 |     698592 | Rdr |f9  7f                                                           |     | ?
     704496 |     714960 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
     716256 |     717440 | Rdr |7f                                                               |     | ?
     727072 |     732992 | Rdr |10  00  00  81  20                                               |  ok | ?
     775232 |     782304 | Rdr |20  03  00  05  9a  61                                           |  ok | ?
 -162644656 | -162623952 | Rdr |72! fd  fd  fd  80  80  80  80! ed! 01  8a  38  04! f3! e6! d7!  |     | 
            |            |     |c4  94                                                           | !crc| ?
     887808 |     906400 | Rdr |da  fa  fa  fa  b3  48  e9  5a  25  15  99  26  8a  fd  84  a1   | !crc| ?
     972016 |     973200 | Rdr |00!                                                              |     | ?
    1003744 |    1011968 | Rdr |10  01  00  68  b9  c1  61                                       | !crc| ?
    1135984 |    1144208 | Rdr |10  ff  00  90  44  78  a2                                       | !crc| ?
    1180128 |    1184256 | Rdr |cf! fe  f8! 07                                                   | !crc| ?
 -162644656 | -162642576 | Rdr |f0  0f!                                                          |     | ?
 -162644656 | -162641616 | Rdr |08  73  10                                                       | !crc| ?
    1267344 |    1275504 | Rdr |10  fe  00  0b  0d  30  d1                                       | !crc| ?
    1311488 |    1313952 | Rdr |7f  fe                                                           |     | ?
    1314176 |    1314976 | Rdr |0f!                                                              |     | ?
    1315200 |    1317024 | Rdr |71! 07                                                           |     | ?
    1317248 |    1318688 | Rdr |7f  00!                                                          |     | ?
    1318912 |    1322656 | Rdr |92  06  24! 00!                                                  | !crc| ?
    1322880 |    1323552 | Rdr |01                                                               |     | ?
    1324032 |    1325344 | Rdr |73                                                               |     | ?
    1399744 |    1407968 | Rdr |10  fd  00  c9  5e  32  d9                                       | !crc| ?
    1443888 |    1453264 | Rdr |f9  7f  7f  7f  7f  7f  88  f9!                                  | !crc| ?
    1453488 |    1454160 | Rdr |01                                                               |     | ?
    1454384 |    1456336 | Rdr |0e! 09!                                                          |     | ?
    1456560 |    1457488 | Rdr |18!                                                              |     | ?
    1535360 |    1543584 | Rdr |10  fb  00  8d  cd  e4  ea                                       | !crc| ?
 -162644656 | -162644048 | Rdr |0c!                                                              |     | ?
    1583984 |    1584784 | Rdr |04                                                               |     | ?
    1586288 |    1587088 | Rdr |04                                                               |     | ?
    1588592 |    1589008 | Rdr |00!                                                              |     | ?
    1589488 |    1590160 | Rdr |00!                                                              |     | ?
    1590384 |    1590800 | Rdr |00!                                                              |     | ?
 -162644656 | -162644368 | Rdr |00!                                                              |     | ?
    1592560 |    1593104 | Rdr |02                                                               |     | ?
    3384864 |    3393024 | Rdr |10  0c  00  2c  2f  90  6f                                       | !crc| ?
    3429008 |    3429680 | Rdr |02                                                               |     | ?
    3431184 |    3431984 | Rdr |04                                                               |     | ?
    3433488 |    3434288 | Rdr |04                                                               |     | ?
    3435792 |    3436592 | Rdr |04                                                               |     | ?
    3438096 |    3438384 | Rdr |00!                                                              |     | ?
    3438864 |    3439664 | Rdr |01                                                               |     | ?
    3439888 |    3442480 | Rdr |71! e6! 00!                                                      | !crc| ?
 -162644656 | -162644368 | Rdr |00!                                                              |     | ?

and once again, the same card:

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       1056 | Rdr |26                                                               |     | REQA
       2288 |       4624 | Rdr |f9  7f                                                           |     | ?
      10048 |      12512 | Rdr |93  20                                                           |     | ANTICOLL
      29440 |      39904 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
      41200 |      42384 | Rdr |7f                                                               |     | ?
      42608 |      43408 | Rdr |00!                                                              |     | ?
      43632 |      44176 | Rdr |03!                                                              |     | ?
      44400 |      44752 | Rdr |03!                                                              |     | ?
     679296 |     680288 | Rdr |52                                                               |     | WUPA
     681584 |     683920 | Rdr |f9  7f                                                           |     | ?
     689824 |     700288 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
     712720 |     718640 | Rdr |10  00  00  81  20                                               |  ok | ?
     719872 |     725152 | Rdr |f3  7f  7f  7f  06!                                              | !crc| ?
     725376 |     725792 | Rdr |01                                                               |     | ?
     726272 |     726816 | Rdr |00!                                                              |     | ?
     727296 |     728352 | Rdr |18!                                                              |     | ?
  -63559568 |  -63559280 | Rdr |00!                                                              |     | ?
     730112 |     730528 | Rdr |01                                                               |     | ?
     730752 |     731040 | Rdr |00!                                                              |     | ?
     731264 |     731488 | Rdr |01                                                               |     | ?
     760976 |     768048 | Rdr |20  03  00  05  9a  61                                           |  ok | ?
     873808 |     892336 | Rdr |d6  fa  fa  fa  64  6b  2e  4e  8e  73  dd  a4  ad  20  f6  ff   | !crc| ?
     989696 |     997856 | Rdr |10  01  00  69  6b  3a  11                                       | !crc| ?
    1033840 |    1034512 | Rdr |02                                                               |     | ?
    1035504 |    1041808 | Rdr |27! 09  0f! e0! c7  00!                                          | !crc| ?
    1042032 |    1044880 | Rdr |c4  4c  03!                                                      | !crc| ?
    1045104 |    1045776 | Rdr |03!                                                              |     | ?
    1046000 |    1046800 | Rdr |0f!                                                              |     | ?
  -63559568 |  -63559280 | Rdr |00!                                                              |     | ?
    1120704 |    1128928 | Rdr |10  ff  00  17  81  ab  9e                                       | !crc| ?
    1164848 |    1168976 | Rdr |cf! fe  f8! 07                                                   | !crc| ?
  -63559568 |  -63550128 | Rdr |0e  60  00! 41! ae  f6! 71! d2! 01                               | !crc| ?
    1252048 |    1260208 | Rdr |10  fe  00  bd  35  6c  81                                       | !crc| ?
    1296192 |    1298656 | Rdr |7f  fe                                                           |     | ?
    1298880 |    1299680 | Rdr |0f!                                                              |     | ?
    1299904 |    1301728 | Rdr |71! 07                                                           |     | ?
    1301952 |    1303392 | Rdr |7f  00!                                                          |     | ?
    1303616 |    1305440 | Rdr |92  06!                                                          |     | ?
    1305664 |    1307104 | Rdr |71! 00!                                                          |     | ?
    1307328 |    1308896 | Rdr |21! 01                                                           |     | ?
    1309376 |    1310048 | Rdr |04                                                               |     | ?
    1383920 |    1392080 | Rdr |10  fd  00  80  10  a8  f5                                       | !crc| ?
    1428064 |    1438208 | Rdr |f9  7f  7f  7f  7f  7f  88  f9  08                               | !crc| ?
    1521216 |    1529440 | Rdr |10  fb  00  4d  09  4d  02                                       | !crc| ?
  -63559568 |  -63545968 | Rdr |6a! 92! 93! 75  ab  75  ab  b5  e8  11! 6f! 0f!                  | !crc| ?
    3370016 |    3378176 | Rdr |10  0c  00  83  e3  ca  09                                       | !crc| ?
    3414160 |    3414832 | Rdr |02                                                               |     | ?
    3416336 |    3417136 | Rdr |04                                                               |     | ?
    3418640 |    3419440 | Rdr |04                                                               |     | ?
    3420944 |    3421744 | Rdr |04                                                               |     | ?
    3423248 |    3425456 | Rdr |24! 30!                                                          |     | ?
    3426192 |    3427120 | Rdr |09!                                                              |     | ?
    3427600 |    3428016 | Rdr |01                                                               |     | ?

As of what I can see out of this communication, the sequence 20  03  00  05  9a  61 seems to start a encrypted communication... I think the data below is some kind of encrypted random number send by the card... somehow like DESfire is doing this (as I wrote).

The beginning of the communication is just (more or less) normal 14a card selection stuff, as like on all cards with with standard. The UID D6-7A-F5-51 is correct in this stream.

Last edited by Jason (2016-07-29 13:39:47)

Offline

#13 2016-07-29 13:34:35

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

Oh, I forgot to give some CRC-data of advant segments:

I created the same card as documented in the other thread, just on a advant card (the card noted in the post above):

UID         :  D6-7A-F5-51
STAMP     :  00-01-02-03
WRC area:  12-34-56-[EF-6F]
Data        :  25-FC-D7-5A-44-66-D8-0C-[F7-56]

I placed each CRC16 value in brackets.

Offline

#14 2016-07-29 18:26:07

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [request] data from a Legic Advant tag

strange that you don't get the tags responses.  can you adjust the position of the tag to see if you can pick it up as well?

Offline

#15 2016-08-02 17:34:58

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

You are right marshmellow, the Tag communication was not sniffed.
I tried a lot of positions and found one with better results:

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       1056 | Rdr |26                                                               |     | REQA
       2244 |       4612 | Tag |04  00                                                           |     | 
      10048 |      12512 | Rdr |93  20                                                           |     | ANTICOLL
      13700 |      19588 | Tag |51  f5  7a  d6  08                                               |     | 
      28544 |      39008 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
      40260 |      43844 | Tag |00  fe  51                                                       |     | 
     685120 |     686112 | Rdr |52                                                               |     | WUPA
     687364 |     689732 | Tag |04  00                                                           |     | 
    1322944 |    1323936 | Rdr |52                                                               |     | WUPA
    1325188 |    1327556 | Tag |04  00                                                           |     | 
    1333488 |    1343952 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
    1345204 |    1348788 | Tag |00  fe  51                                                       |     | 
    2748656 |    2749712 | Rdr |26                                                               |     | REQA
    2750900 |    2753268 | Tag |04  00                                                           |     | 
    2758720 |    2761184 | Rdr |93  20                                                           |     | ANTICOLL
    2762372 |    2768260 | Tag |51  f5  7a  d6  08                                               |     | 
    2777216 |    2787680 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
    2788932 |    2792516 | Tag |00  fe  51                                                       |     | 
    4915568 |    4916560 | Rdr |52                                                               |     | WUPA
    4917812 |    4920180 | Tag |04  00                                                           |     | 
    6344160 |    6345216 | Rdr |26                                                               |     | REQA
    6346404 |    6348772 | Tag |04  00                                                           |     | 
    6354528 |    6356992 | Rdr |93  20                                                           |     | ANTICOLL
    6358180 |    6360420 | Tag |51  f5!                                                          |     | 
    9306048 |    9307104 | Rdr |26                                                               |     | REQA
    9308292 |    9310660 | Tag |04  00                                                           |     | 
    9316112 |    9318576 | Rdr |93  20                                                           |     | ANTICOLL
    9319764 |    9322004 | Tag |51  f5!                                                          |     | 
   12268368 |   12269424 | Rdr |26                                                               |     | REQA
   12270612 |   12272980 | Tag |04  00                                                           |     | 
   12278416 |   12280880 | Rdr |93  20                                                           |     | ANTICOLL
   12282068 |   12284308 | Tag |51  f5!                                                          |     | 
   15228976 |   15230032 | Rdr |26                                                               |     | REQA
   15231220 |   15233588 | Tag |04  00                                                           |     | 
   15239024 |   15241488 | Rdr |93  20                                                           |     | ANTICOLL
   15242676 |   15248564 | Tag |51  f5  7a  d6  08                                               |     | 
   15257520 |   15267984 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
   15269236 |   15272820 | Tag |00  fe  51                                                       |     | 
   17395904 |   17396896 | Rdr |52                                                               |     | WUPA
   17398148 |   17400516 | Tag |04  00                                                           |     | 
   18826656 |   18827712 | Rdr |26                                                               |     | REQA
   18828900 |   18831268 | Tag |04  00                                                           |     | 
   21788112 |   21789168 | Rdr |26                                                               |     | REQA
   21790356 |   21792724 | Tag |04  00                                                           |     | 
   21798176 |   21800640 | Rdr |93  20                                                           |     | ANTICOLL
   21801828 |   21804068 | Tag |51  f5!                                                          |     | 
   24747088 |   24748144 | Rdr |26                                                               |     | REQA
   24749332 |   24751700 | Tag |04  00                                                           |     | 
   24757136 |   24759600 | Rdr |93  20                                                           |     | ANTICOLL
   24760788 |   24766676 | Tag |51  f5  7a  d6  08                                               |     | 
   24775632 |   24786096 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
   24787348 |   24790932 | Tag |00  fe  51                                                       |     | 
   26915072 |   26916064 | Rdr |52                                                               |     | WUPA
   26917316 |   26919684 | Tag |04  00                                                           |     | 
   28344656 |   28345712 | Rdr |26                                                               |     | REQA
   28346900 |   28349268 | Tag |04  00                                                           |     | 
   28354704 |   28357168 | Rdr |93  20                                                           |     | ANTICOLL
   28358356 |   28364244 | Tag |51  f5  7a  d6  08                                               |     | 
   28373200 |   28383664 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
   28384916 |   28388500 | Tag |00  fe  51                                                       |     | 
   30511072 |   30512064 | Rdr |52                                                               |     | WUPA
   30513316 |   30515684 | Tag |04  00                                                           |     | 
   31941232 |   31942288 | Rdr |26                                                               |     | REQA
   31943476 |   31945844 | Tag |04  00                                                           |     | 
   31951280 |   31953744 | Rdr |93  20                                                           |     | ANTICOLL
   31954932 |   31960820 | Tag |51  f5  7a  d6  08                                               |     | 
   34903872 |   34904928 | Rdr |26                                                               |     | REQA
   34906116 |   34908484 | Tag |04  00                                                           |     | 
   37863904 |   37864960 | Rdr |26                                                               |     | REQA
   37866148 |   37868516 | Tag |04  00                                                           |     | 
   40825472 |   40826528 | Rdr |26                                                               |     | REQA
   40827716 |   40830084 | Tag |04  00                                                           |     | 
   43786784 |   43787840 | Rdr |26                                                               |     | REQA
   43789028 |   43791396 | Tag |04  00                                                           |     | 
   43796848 |   43799312 | Rdr |93  20                                                           |     | ANTICOLL
   43800500 |   43806388 | Tag |51  f5  7a  d6  08                                               |     | 
   43815344 |   43825808 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
   43827060 |   43830644 | Tag |00  fe  51                                                       |     | 
   45952384 |   45953376 | Rdr |52                                                               |     | WUPA
   45954628 |   45956996 | Tag |04  00                                                           |     | 
   45963232 |   45973696 | Rdr |93  70  51  f5  7a  d6  08  c7  ca                               |  ok | SELECT_UID
   45974948 |   45978532 | Tag |00  fe  51                                                       |     | 
   45985808 |   45991728 | Rdr |10  00  00  81  20                                               |  ok | ?
   45992916 |   46004564 | Tag |08  00  00  00  51  f5  7a  d6  ad  ba                           |  ok | 
   46033952 |   46041024 | Rdr |20  03  00  05  9a  61                                           |  ok | ?
   46042212 |   46063012 | Tag |a5  fa  fa  fa  00  00  00  00  db  02  14  70  08  e7  cc  af   |     | 
            |            |     |8a  be                                                           |  ok | 
   46146656 |   46165184 | Rdr |9a  fa  fa  fa  7a  e0  42  2f  db  e1  23  c0  23  d8  fc  dd   | !crc| ?
   46230820 |   46232036 | Tag |ff                                                               |     | 
   46262448 |   46270672 | Rdr |10  01  00  82  fa  8b  13                                       | !crc| ?
   46306548 |   46320500 | Tag |59  0a  4c  07  ff  00  f1  67  6b  f3  b0  62                   | !crc| 
   46394912 |   46403072 | Rdr |10  ff  00  32  fe  7d  b2                                       | !crc| ?
   46439012 |   46452900 | Tag |20  01  07  d0  07  b0  00  20  dd  65  98  53                   | !crc| 
   46526496 |   46534656 | Rdr |10  fe  00  ce  34  c3  3f                                       | !crc| ?
   46570596 |   46584548 | Tag |00  01  05  32  42  00  9b  12  fc  01  61  dc                   | !crc| 
   46658768 |   46666928 | Rdr |10  fd  00  71  f2  bf  18                                       | !crc| ?
   46702868 |   46716756 | Tag |07  00  00  00  00  00  1a  08  b7  b8  3f  ee                   | !crc| 
   46793984 |   46802208 | Rdr |10  fb  00  90  68  3b  19                                       | !crc| ?
   46838084 |   46852036 | Tag |a8  ba  de  97  73  96  3e  b2  55  c0  1d  51                   | !crc| 
   46932928 |   46941152 | Rdr |10  fa  00  b2  0f  62  1a                                       | !crc| ?
   46977028 |   46990916 | Tag |3f  9e  16  ba  39  9d  12  bf  95  60  51  2b                   | !crc| 
   49283840 |   49292000 | Rdr |10  fb  00  e6  0a  f2  f6                                       | !crc| ?
   49327940 |   49341892 | Tag |a8  ba  de  97  73  96  3e  b2  e1  a1  20  e3                   | !crc| 
   50602448 |   50610608 | Rdr |10  f9  00  e5  b2  c1  cc                                       | !crc| ?
   50646548 |   50660500 | Tag |15  96  78  6c  6c  83  d6  50  6a  b2  de  61                   | !crc| 
   50734912 |   50743136 | Rdr |10  f8  00  3c  54  95  df                                       | !crc| ?
   50779012 |   50792964 | Tag |55  ee  40  53  07  59  74  8f  97  a5  c5  4a                   | !crc| 
   50867184 |   50875344 | Rdr |10  f7  00  8f  81  a7  30                                       | !crc| ?
   50911284 |   50925172 | Tag |17  b2  3e  93  13  b6  3a  97  91  8c  49  18                   | !crc| 

Just ignore the many anticollision commands. It just works this way...

Last edited by Jason (2016-08-02 17:35:59)

Offline

#16 2016-08-02 19:18:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [request] data from a Legic Advant tag

I must have missed something here but how come iclass protocoll printing matches up with a legic tag?!?

Offline

#17 2016-08-05 17:04:12

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

Maybe using nearly the same protocol!? ... but iclass is iso15, this one is iso14a.

Offline

#18 2017-05-19 19:05:15

akileos
Contributor
Registered: 2017-05-17
Posts: 23

Re: [request] data from a Legic Advant tag

Hi,
Might be able soon, just ordered the csw-4000 software + reader & got some badges with only one Advant segment.
Card is definetly seen as desfire on proxmark with a lot of zero values.

Offline

#19 2017-05-21 22:39:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [request] data from a Legic Advant tag

I hope the analys of that software brings us some nice insights!

Offline

#20 2017-05-22 01:24:21

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: [request] data from a Legic Advant tag

I'm interested in having a look at the software.

Offline

#21 2017-06-06 12:30:44

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

The Software is not really usefull at all, especially for deeper analysis of the advant system.
The Tech-Docs are more usefull, but last year I failed to remove all the watermarks inside to safely spread it...

Akileos is right with DESfire, but just for a special single advant card type (the EAL4 certified one). This is a DESfire card with only one application occupying the whole card space (I can supply the AID also... somewhere I documented this once... hm).

Anyway... the CSW software drives the legic reader chips. It only can do what the chip (its firmware) allows to do. This is documented in den tech docs. And there you will find the usual struff as like: Select a card, select a segment, read data, write data, create segments, ect.
The only real difference between earlier advant platforms, in contrast to the 4000 series, is the different way to detect and select the card.

Offline

#22 2018-07-19 19:32:15

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: [request] data from a Legic Advant tag

Hi,

I would like to bump this topic.
Is there any progress with LEGIC Advant analysis?
I'm also interested in LEGIC Systems.

some info / background from me:
- I have access to some LEGIC docs / spec sheets.
- I own a TWN4 with LEGIC SM-4200.
- I have some LEGIC unsegmented cards (ATC4096, CTC4096, ...)

Anyone willing to share CSW-4000?

Greetz
Mackwa

Offline

#23 2018-07-26 14:24:19

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

As of my opinion the CSW software will not work with the TWN4 readers. The TWN4 reader support direkt module communication, but as far as I know, this is done in a spceial command frame-work. The CSW software only support communication with the reader chip istself (directly). So even if someone sends you this software, it's uselesse. Even more useless: You have - you call this unsegmented (this is not right, because the "unsegmented" state is not possible with advant anymore) - unprogrammed new media. You can do nothing with it. You need at least a Demo IAM from Legic to create segments on this cards. Else they are quit useless garbadge...

Offline

#24 2018-08-07 10:08:02

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: [request] data from a Legic Advant tag

The TWN4 reader works with DKS4000.
Are you sure, that it will not work with CSW4000?

Regarding unsegmented / unprogrammed new media:
Anyone already sniffed / evaluated how LEGIC software detects Advant chip (ISO14443A one) in comparison to MF DESFire chip?

Offline

#25 2018-08-08 10:59:30

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: [request] data from a Legic Advant tag

Mackwa wrote:

The TWN4 reader works with DKS4000.
Are you sure, that it will not work with CSW4000?

If the developing kit is usable, the CSW software is usable too. Both uses bare chip command-set communication.
Never owned a TWN-Reader, I always use bare chips in own designs. My warning was just because I know the TWNs have a user documentation for command stuff, this must be an "own" instruction-set because the Legic command-set must not be supplied by someone else except Legic itself (and there only the one with proper licence will get this infos). So the TWN readers pipeline raw-commands as is or could be switched to "raw" mode... But if you can verify proper function with the dev-kit, it will work with the card software aswell.
But finnaly you can't still do anything, because you don't have a proper IAM, XAM or GAM to create segments on the empty media, you just can read a blank media with its UID.

Mackwa wrote:

Regarding unsegmented / unprogrammed new media:
Anyone already sniffed / evaluated how LEGIC software detects Advant chip (ISO14443A one) in comparison to MF DESFire chip?

The ATC4096 is an DESfire-Chip, but not the only ISO14443A advant media possible in the Legic eco-system.
They just try to select the AID 855 and try to login with the proper (diversified) key. If this works, they are basicly detected as ATC4096. The internal application organisation is unknown, but it's known the whole chip capacity is occupied by this application. I think there's an internal file organisation, most likely sperated in an "organisation" file and data files, maybe each file for every seperate segment. But this is just a guess.

Offline

#26 2018-11-15 14:57:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [request] data from a Legic Advant tag

Got hold of some legic Advant 4096 tags.  (thanks you-know-who!)

pm3 --> hf 14a i
 UID : 04 7C 34 92 DD 39 80
ATQA : 03 44
 SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
 ATS : 06 75 77 81 02 80 02 F0
       -  TL : length is 6 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
[=] Answers to magic commands: NO

pm3 --> hf mfdes in

-- Desfire Information --------------------------------------
-------------------------------------------------------------
  UID                : 04 7C 34 92 DD 39 80
  Batch number       : BA 54 13 D2 80
  Production date    : week 05, 2014
  -----------------------------------------------------------
  Hardware Information
      Vendor Id      : NXP Semiconductors Germany
      Type           : 0x01
      Subtype        : 0x01
      Version        : 1.0 (Desfire EV1)
      Storage size   : 0x18 (4096 bytes)
      Protocol       : 0x05 (ISO 14443-3, 14443-4)
  -----------------------------------------------------------
  Software Information
      Vendor Id      : NXP Semiconductors Germany
      Type           : 0x01
      Subtype        : 0x01
      Version        : 1.4
      storage size   : 0x18 (4096 bytes)
      Protocol       : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
 CMK - PICC, Card Master Key settings

   [0x08] Configuration changeable       : YES
   [0x04] CMK required for create/delete : YES
   [0x02] Directory list access with CMK : NO
   [0x01] CMK is changeable              : NO

   Max number of keys       : 125
   Master key Version       : 154 (0x9a)
   ----------------------------------------------------------
   [0x0A] Authenticate      : YES
   [0x1A] Authenticate ISO  : YES
   [0xAA] Authenticate AES  : NO

   ----------------------------------------------------------
   Available free memory on card       : 224 bytes
-------------------------------------------------------------
m3 --> hf 14a i
 UID : 04 64 32 92 DD 39 80
ATQA : 03 44
 SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
 ATS : 06 75 77 81 02 80 02 F0
       -  TL : length is 6 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
[=] Answers to magic commands: NO
pm3 --> hf mfdes i

-- Desfire Information --------------------------------------
-------------------------------------------------------------
  UID                : 04 64 32 92 DD 39 80
  Batch number       : BA 54 13 D2 80
  Production date    : week 05, 2014
  -----------------------------------------------------------
  Hardware Information
      Vendor Id      : NXP Semiconductors Germany
      Type           : 0x01
      Subtype        : 0x01
      Version        : 1.0 (Desfire EV1)
      Storage size   : 0x18 (4096 bytes)
      Protocol       : 0x05 (ISO 14443-3, 14443-4)
  -----------------------------------------------------------
  Software Information
      Vendor Id      : NXP Semiconductors Germany
      Type           : 0x01
      Subtype        : 0x01
      Version        : 1.4
      storage size   : 0x18 (4096 bytes)
      Protocol       : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
 CMK - PICC, Card Master Key settings

   [0x08] Configuration changeable       : YES
   [0x04] CMK required for create/delete : YES
   [0x02] Directory list access with CMK : NO
   [0x01] CMK is changeable              : NO

   Max number of keys       : 11
   Master key Version       : 133 (0x85)
   ----------------------------------------------------------
   [0x0A] Authenticate      : YES
   [0x1A] Authenticate ISO  : YES
   [0xAA] Authenticate AES  : NO

   ----------------------------------------------------------
   Available free memory on card       : 224 bytes
-------------------------------------------------------------
pm3 -->

...lets see if I can get a directory listing out..

Offline

Board footer

Powered by FluxBB