Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-08-24 13:47:32

wil
Contributor
Registered: 2010-04-13
Posts: 14

Reading/Writing legic prime using arbitrary IV

Hi,

I just pushed a new branch on my fork [0] that allows reading/writing a legic prime tag by specifying an arbitrary IV.

This is one step closer towards understanding how simulation code might work.

As an example, with 0x11 for IV, the command for reading is:

proxmark3> hf legic reader 0x11

and the command for writing (with 0x10 being the offset and 0x1 the length) is:

proxmark3> hf legic write 0x10 0x1 0x11

The help messages are also up-to-date.

This code confirms that the PRNG fix proposed in [1] is correct.


Wil

[0] https://github.com/wllm-rbnt/proxmark3/tree/legicfix
[1] http://www.proxmark.org/forum/viewtopic … 5437#p5437

Offline

#2 2016-09-28 20:42:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

Current status after endless checkings, snoop, traces, compilation & flashes,  HUGE thanks to @wil here.

New functions:
- A nice tracelog   http://pastebin.com/2fBfCfhW
- added legic to "hf search"
- can use ANY IV for legic prng initialisation.

Offline

#3 2016-10-05 21:12:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

Changes, Changes, breaking changes in iceman fork.

Command name changes.

hf legic info is now  "hf legic reader"
hf legic read is now  "hf legic rdmem"
hf legic decode is now  "hf legic info"

New command

"hf legic dump"  --  which dumps a tag to a binary file

Offline

#4 2016-10-06 18:39:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

Some emulator memory functions:

hf legic eload   - uploads a binary file to emulator mem.
hf legic esave  - saves emulator memory to a binary file.

Works with the dump command quite well.

Now everything is prepared for  WRITE & SIM commands do be updated.

Offline

#5 2016-10-07 22:10:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

Success!  The updated write command now works.

pm3 --> hf legic write h
 Write sample buffer to a legic tag. (use after load or read)
Usage:  hf legic write [h] o <offset> d <data (hex symbols)>
Options:
  h             : this help
  o <offset>    : offset in data array to start writing
  d <data>      : bytes to write (hex symbols)

Samples:
      hf legic write o 10 d 11223344    - Write 0x11223344 starting from offset 0x10
pm3 -->
pm3 --> hf legic write o 08 d 1122334455
TYPE : MIM256 card (234 bytes)
Writing to tag
pm3 --> hf list legic
Recorded Activity (TraceLen = 189 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
LEGIC    - Timings are in ticks (1us == 1.5ticks)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|

          0 |        969 | Rdr |07  55  00  00  55  00  00                                       |     | IV 0x55
       1016 |       2350 | Tag |06  1d  00                                                       |     | MIM256
       2705 |       3513 | Rdr |06  39  00  00  19  00  00                                       |     | ACK 256/1024
       3798 |       6508 | Rdr |15  18  aa  10  4e  3a  0a                                       |     | WRITE Byte(12) 55

       6519 |      12111 | Tag |01  01  27  00                                                   |     |
      12389 |      14861 | Rdr |15  16  88  1a  01  ac  02                                       |     | WRITE Byte(11) 44

      14872 |      20464 | Tag |01  01  27  00                                                   |     |
      20743 |      23694 | Rdr |15  14  66  0a  df  17  07                                       |     | WRITE Byte(10) 33

      23705 |      29295 | Tag |01  01  27  00                                                   |     |
      29574 |      32224 | Rdr |15  12  44  04  e4  87  08                                       |     | WRITE Byte(9) 22

      32235 |      37828 | Tag |01  01  27  00                                                   |     |
      38107 |      40756 | Rdr |15  10  22  12  b8  42  13                                       |     | WRITE Byte(8) 11

      40767 |      46359 | Tag |01  01  27  00                                                   |     |
pm3 -->

Offline

#6 2016-10-07 22:11:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

And yes, it writes backwards.
and yes, it has a tracelog aswell,

Offline

#7 2016-10-08 11:06:27

spaceteddy
Contributor
Registered: 2016-09-10
Posts: 17

Re: Reading/Writing legic prime using arbitrary IV

wow, nice work!
(y)

Offline

#8 2016-10-08 11:48:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

todo: 
'hf legic sim'
'hf legic restore'

and changes to the great lua scripts by @mosci et al

then its done. fine. no more.

Offline

#9 2016-10-09 14:56:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

Works

hf legic dump o myfile
hf legic restore i myfile     -- does not overwrite first 7bytes on card. ie doesn't overwrite DCF

hf legic write  -- now asks if user wants to overwrite DCF bytes a offset5,6

Almost there, only sim left to do.

Offline

#10 2016-10-10 06:52:48

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Reading/Writing legic prime using arbitrary IV

Ready for a Pull Request to master?

Offline

#11 2016-10-10 07:57:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

When it is finished, maybe but in general no.  I'm not interested in merging PM3 Master with icemanfork anymore. Horrible job for nothing.

Offline

#12 2016-10-14 14:51:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: Reading/Writing legic prime using arbitrary IV

and another good to have command

pm3 --> hf legic wipe h
Fills a legic tag memory with zeros. From byte7 and to the end.
 Usage:  hf legic wipe [h]
Options:
      h             : this help

Samples:
      hf legic wipe

Offline

Board footer

Powered by FluxBB