legic reader PRL5A

Sentinel · 2016-08-08 13:17:34

If long pulse "1" and short "0" every time the reader generates a new request. The trace is recorded in the absence of the card. Where can I find information about this request?
1110000
1111101
1110111
1010000
1010110
1000001
1111000
1110101
1111000
1000011
1010111
1010101
1011101
1011110
1001111
1101000
1010110
1001001
1011100
1001100
1000000

iceman · 2016-08-08 13:56:55

If its legic, try chap 3 "Legic prime protocol" in https://sar.informatik.hu-berlin.de/res … 11-03_.pdf

It looks like the initialization frame with RAND (7bits in LSB-order) and LSB=1

Sentinel · 2016-09-12 11:51:10

@iceman: Thank you very much for your answer!
Part of the table of requests and responses:
53 3F
55 3B (on the image)
59 20
5B 26
5D 1A
5F 1C
61 28
63 28
65 20
67 30
69 02
6B 22
6D 22
6F 32
71 19
73 28
75 31
77 38
Do I understand correctly, respons card XOR of special function Legic?

iceman · 2016-09-12 12:28:01

Hm, lets assume your first colum is the RAND (IV for LSFR).
Reader sends IV (0x55) 7bits (sample from your post)
tag answers obsfuscated of tag type.

plain text tag type:

 0x0D == mim22
 0x1D == mim256
 0x3D == mim1024

53 ^ 3F = 6C
55 ^ 3B = 6E
59 ^ 20 = 79
5B ^ 26 = 7D
5D ^ 1A = 47
5F ^ 1C = 43

Your list doesn't "decrypt" to valid tag types...

Sentinel · 2016-09-12 12:36:28

may be modulation 212 kHz in card response - a log 0?

iceman · 2016-09-12 12:38:11

for a MIM 256 tag, you should have gotten the following answers..

53 ^ 22
55 ^ 26
59 ^ 3d
5B ^ 3B

Sentinel · 2016-09-12 12:40:17

and the next question about secret functions Legic

nothing is said about the inputs of the multiplexer

iceman · 2016-09-12 12:53:53

Good question lets see, I haven't found anything either in the available documents. You should ask the authors?

legic_prng_forward function deals with Operation A, B
legic_prng_get_bit function should be your multiplexer

the A part gives a shift index, to be used on B >> (shift A) = 1bit out.

Sentinel · 2016-09-12 13:20:04

@iceman: Thank you very much for the quick response! learn more : )

iceman · 2016-09-12 13:36:00

I know the feeling when you have questions and noone ask.

Been trying to make the legic code better, got some the tracelog out with stuff which helps in understanding this very simple protocol. I still don't get it when the prng skips forward, when sending its bit-period (100us/60us) and when not sending is (100us well 99.1us according to documents). But is "not sending" the pause between frames?!?

pastebin.com/btXN9dvH

Sentinel · 2016-09-12 14:56:08

0 | 770 | Rdr |01 00 07 00 07
1314 | 2216 | Tag |1d! 00! 06! 04 00! 02 08

If I understand You correctly, the transmit 0x01 - response 0x1d ?

zerobased RAND, receive 0x19

iceman · 2016-09-12 16:42:36

well, yes, but I print the deobsfuscated data. Your sample says 0x19, which ( 1D ^ 04 == 0x19) is correct..

19 = obsfuscated
04 = lsfr xor (legic prng)
1D = plain text

iceman · 2016-09-13 00:50:12

Would you mind getting a trace from direct after the setup phase (7-6-6) and a read byte 0 command on your oscilloiscope?

Sentinel · 2016-09-13 05:39:53

PRL5A: sendspace.com file 34ggcp
Soft: saleae.com downloads

Sentinel · 2016-09-13 06:00:08

I recorded only the signal Tx (5 channel)
How does the non-connected 6 channel appeared Rx signal, I do not understand until now!
I repeat again and again record, but Rx signal does not appear
maybe the capacitance between the wires 5 and 6 are so affected

Sentinel · 2016-09-13 06:13:30

iceman · 2016-09-13 09:05:25

Thanks for the trace, much appreciated.
Trying to see all the frame timings in it, especially how long pauses between frame (reader to tag) and how long a reader / tag frame is.

Sentinel · 2016-09-13 16:34:12

If smoothly change the time from 200mkS to 500mkS between the 7-6-6 (Setup fase) and 9 bit page request - first response cards disappear (300mkS) and then changes (500mkS) !

Sentinel · 2016-09-13 16:46:14

Sentinel · 2016-09-13 20:19:27

RTFM "The obfuscation stream generator is !continously! running"

iceman · 2016-09-13 22:19:30

well, yes...
When carefully reading the available documentation, they say about PRNG

1) normal iteration is 99.1us
2) when sending, it follows bit frames, ie 100us (ONE) 60us (ZERO)

this is my problem at the moment, to verify this claims in the paper...
I just can't get your trace to match up with these statements from the papers

Sentinel · 2016-09-14 11:05:46

@iceman: looking in the sourse code CRC4 func to 12 bits card responce, and CRC8 for card UID. Little hint can be ?

Sentinel · 2016-09-14 11:15:54

Another trace from the reader base on MFRC530, times between sending copied from the reader PRL5A
Channel 3 - bit internal parser of receive bits
sendspace.com file 2cpso2

iceman · 2016-09-14 12:36:26

No, my timing issue is with tx/rx frame and which step in time the prng is.

The crc4 from the "read byte" response is a later problem. As it is now, the crc doesn't work anymore in my fork.

But one problem at the time.

Proxmark3 community

Announcement

#1 2016-08-08 13:17:34

legic reader PRL5A

#2 2016-08-08 13:56:55

Re: legic reader PRL5A

#3 2016-09-12 11:51:10

Re: legic reader PRL5A

#4 2016-09-12 12:28:01

Re: legic reader PRL5A

#5 2016-09-12 12:36:28

Re: legic reader PRL5A

#6 2016-09-12 12:38:11

Re: legic reader PRL5A

#7 2016-09-12 12:40:17

Re: legic reader PRL5A

#8 2016-09-12 12:53:53

Re: legic reader PRL5A

#9 2016-09-12 13:20:04

Re: legic reader PRL5A

#10 2016-09-12 13:36:00

Re: legic reader PRL5A

#11 2016-09-12 14:56:08

Re: legic reader PRL5A

#12 2016-09-12 16:42:36

Re: legic reader PRL5A

#13 2016-09-13 00:50:12

Re: legic reader PRL5A

#14 2016-09-13 05:39:53

Re: legic reader PRL5A

#15 2016-09-13 06:00:08

Re: legic reader PRL5A

#16 2016-09-13 06:13:30

Re: legic reader PRL5A

#17 2016-09-13 09:05:25

Re: legic reader PRL5A

#18 2016-09-13 16:34:12

Re: legic reader PRL5A

#19 2016-09-13 16:46:14

Re: legic reader PRL5A

#20 2016-09-13 20:19:27

Re: legic reader PRL5A

#21 2016-09-13 22:19:30

Re: legic reader PRL5A

#22 2016-09-14 11:05:46

Re: legic reader PRL5A

#23 2016-09-14 11:15:54

Re: legic reader PRL5A

#24 2016-09-14 12:36:26

Re: legic reader PRL5A

Board footer