Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi everybody,
I've been fiddling with the CRC implementations and got back to the CRC16 for Legic Advant. I would like to have data samples from a Legic Advant tag to be able to verify the CRC.
- bytes with a crc in the end.
- the uid from tag where the data came from.
The uid is needed to calc the uidCRC, which is used as initial_value for the Legic CRC16 algo.
Offline
since they are encrypted, I guess we need to have some empty tags, on which we can apply a (for us) known key
as far as I know they support 3 different types of encryption: 3des, des and legic (legic-encryption is well known from the prime - so it's no encryption at all)
AES 128 & AES 256 are also mentioned, but I have not found them in the description of legic-advant-tags (for now)
but they are mentioned in the cmd-reference for sm-4500 ( which I do not have completely )
thus I have ordered 5 Legic Advant ( ATC2048 ) cards/tags to play a little with them ...
we will see what we can do with it ... once they have arrived
Last edited by mosci (2016-07-27 15:36:22)
Offline
Perfect!
One question that arises is if the crc is calculated before crypto is applied or after. If after then we can analyse a valid advant tag for this.
Offline
I guess pm3 is not able to read advant tags now and not able to sniff either (not even prime) - so, I have to fiddle around with twn4 and raw commands of the sm-4500 - and since nobody has ever posted any valid segments or other stuff about the advant here - don't expect too much ;-)
If there is a uidCRC like on prime - I suppose that the uidCRC is also not writable but present from the beginning - like it is on prime tags - but without advant-support within pm3 it will be hard to dump a tag (to get the uidCRC)
the sm (security-module) doesn't have a 'dump function' (as far as I know) ... but, it has a 'makeCRC' and 'checkCRC' function ...
but to use that, you must have a valid tag first ... so again ... don't expect too much - I guess it will be a long way to get into the advant stuff - as long as we don't get some help ;-)
anyway - we have to start somewhere - and why not on an empty tag. perhaps pm3 is able to read an empty tag - then we will have a good chance to get a uidCRC.
If I could create a valid tag, then we should be able to make and check a crc also.
as far as I know the MasterToken doesn't have to be an advant-tag - it just has to be valid - which is no problem - I've created some of them already - so ... I hope that pm3 can read at least the first 10 bytes which should be uid (8 bytes) and uidCRC (2 bytes - if crc16)
I'm curious what pm3 can do with advant 'out of the box'; maybe we can sniff/spoof with ordinary 14443A functions
there are several 'types' of advant tags available
ATC1024-MV - ISO 15693
ATC2048-MP - ISO 14443 A (I will get that one)
the above only support:
Legic encryption
des 56bit
3des 112bit
the below will also support:
aes 128 & 256 bit
ATC256- MV410 - ISO 15693
CTC4096-MP - ISO 14443 A
ATC4096- MP31 - ISO 14443 A
AFS4096-JP - ISO 14443 A (micro controller smartcard)
the security should rise from top to bottom
so MIM256/1024 (Prime) is less secure than ATC1024-MV
ATC1024-MV is less secure than AFS4096-JP
(from a legic perspective ;-) - as we know already -> prime isn't secure at all)
Last edited by mosci (2016-07-27 19:17:37)
Offline
I still guess that people with more rfid-knowledge than me, can do much more with the twn4
but unfortunately no one here wants to buy it from me
so we have to deal with the circumstance that an rfid-noob tries to investigate an unknown tag
but it can be fun for me, if there will be some progress over time
Offline
We all are beginners once, what a great challenge you have now. And I do say that you have become very good at Legic Prime.
Offline
legic prime was easy - because pm3 could at least read/write & decode the tag-content
and much of the 'layout' was already known ... and the crc8-function was the last piece that was missing
to create a valid tag - all the rest was just 'separate the data and the crc's'
hopefully advant has much in common with prime - but if I were Mr. Legic
I would have made the second attempt much different from the first
... we will see ...
maybe Jason can/will step into the boat
Last edited by mosci (2016-07-27 19:52:17)
Offline
I can't provide RAW data dumps from advant cards. This is not possible with official readers. But anyway... I think it's not the same as on Legic prime. It works more like DESfire; someone told me once they use a DESfire media with modified firmware... but I think this is wrong. Anyway: Since the ISO 14443A cards follow an official communication standard the communication should be traceable with PM3, but I never tried this. In fact: There must be some authentication mechanism, something like how DESfire is doing this (I think). Maybe this is some hashed value with some secret and the UID I think (I would do it this way), since any advant card can be read with any advant reader. So individually customized authentication keys are not possible this way...
AES 128 & AES 256 are also mentioned, but I have not found them in the description of legic-advant-tags
Some newer tags support this, ATC4096-MP311 for example. The noted CTC chips are quite new: They are some kind of hybrid-chips. They support Legic prime and advant from one single chip. In fact these are separated worlds from the user side. So effectively this chip is a die-combination of a single prime and a single advant chip. The chip was introduced to easily migrate from prime to advant... but I think the best benefit you gain from this chip is the better performance instead of two single chips inside one plastic card (this will make some trouble).
as far as I know the MasterToken doesn't have to be an advant-tag
You will fail, sorry ... for a good reason the prime master tokens are locked by firmware from creating advant media. You can create prime media from advant MTs of course, but not in the other direction, sorry!
I would like to have data samples from a Legic Advant tag
I will generate some data, I think the algorithm is the same as on prime, since prime cards can also be handled the same way by advant readers. Making different algorithms makes no sense.
No need to buy cards, I have all kinds on my desk
Here's a picture of an advant card from the official software... the user look and feel is the same as for prime cards, the only addition is that some more detailed functions exist on advant media; apart from this the system is the same.
Offline
Perfect! Let's see what we need to change to make PM3 able to read legic advant!
Offline
No need to buy cards, I have all kinds on my desk
that helps a lot to get some dumps for Iceman!
but your desk is far away from me and I would like to have some to play around with
Here's a picture of an advant card from the official software... the user look and feel is the same as for prime cards, the only addition is that some more detailed functions exist on advant media; apart from this the system is the same.
and I would like to have that software
I'm already installing windooze on a VirtualBox
ah, I can see from the Picture-Upload - that we can talk german too - so your desk is not as far away as I thought
Last edited by mosci (2016-07-28 18:12:33)
Offline
Seems @jason will contribute just fine
Which bytes are used for CRC16? The CRC8 has some mixes. I wonder if it is the same.
Offline
but your desk is far away from me
you can't imagine the size of my desk, can you?
and I would like to have that software (...)
Your reader module is a SM-4000 series reader, right? Unfortunately the shown software only operates with advant 2000 series readers. The command set was completely changed on the 4000 series. Currently I don't have the CSW-4000 software (no need). I have the development software for SM-4000 readers, I never used it, but if it is as "elemental" as the 2000 series software was, you won't have much joy with it. Maybe we should talk in a less official way about further options... maybe in other preferred languages, who knows...
ah, I can see from the Picture-Upload - that we can talk german too - so your desk is not as far away as I thought
Maybe... maybe not ... perhaps a wrong hint, who knows...
Which bytes are used for CRC16?
Bytes of what? The shown picture does not show any CRC ... hmm... maybe the last UID byte is CRC. As I checked with a few consecutive fabricated cards the last hex-byte seems to be a "random" value, where the upper 5 bytes are incremental. But this might be wrong.
Anyway, I started to trace some communication. First I was disappointed... until I realized I had marked my white plastic cards in a wrong way ... I marked ISO15 cards as ISO14... oops ... finally, with real 14a advant cards I traced the following:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
2288 | 4624 | Rdr |f9 7f | | ?
10336 | 12800 | Rdr |93 20 | | ANTICOLL
28832 | 39296 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
693968 | 694960 | Rdr |52 | | WUPA
696256 | 698592 | Rdr |f9 7f | | ?
704496 | 714960 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
716256 | 717440 | Rdr |7f | | ?
727072 | 732992 | Rdr |10 00 00 81 20 | ok | ?
775232 | 782304 | Rdr |20 03 00 05 9a 61 | ok | ?
-162644656 | -162623952 | Rdr |72! fd fd fd 80 80 80 80! ed! 01 8a 38 04! f3! e6! d7! | |
| | |c4 94 | !crc| ?
887808 | 906400 | Rdr |da fa fa fa b3 48 e9 5a 25 15 99 26 8a fd 84 a1 | !crc| ?
972016 | 973200 | Rdr |00! | | ?
1003744 | 1011968 | Rdr |10 01 00 68 b9 c1 61 | !crc| ?
1135984 | 1144208 | Rdr |10 ff 00 90 44 78 a2 | !crc| ?
1180128 | 1184256 | Rdr |cf! fe f8! 07 | !crc| ?
-162644656 | -162642576 | Rdr |f0 0f! | | ?
-162644656 | -162641616 | Rdr |08 73 10 | !crc| ?
1267344 | 1275504 | Rdr |10 fe 00 0b 0d 30 d1 | !crc| ?
1311488 | 1313952 | Rdr |7f fe | | ?
1314176 | 1314976 | Rdr |0f! | | ?
1315200 | 1317024 | Rdr |71! 07 | | ?
1317248 | 1318688 | Rdr |7f 00! | | ?
1318912 | 1322656 | Rdr |92 06 24! 00! | !crc| ?
1322880 | 1323552 | Rdr |01 | | ?
1324032 | 1325344 | Rdr |73 | | ?
1399744 | 1407968 | Rdr |10 fd 00 c9 5e 32 d9 | !crc| ?
1443888 | 1453264 | Rdr |f9 7f 7f 7f 7f 7f 88 f9! | !crc| ?
1453488 | 1454160 | Rdr |01 | | ?
1454384 | 1456336 | Rdr |0e! 09! | | ?
1456560 | 1457488 | Rdr |18! | | ?
1535360 | 1543584 | Rdr |10 fb 00 8d cd e4 ea | !crc| ?
-162644656 | -162644048 | Rdr |0c! | | ?
1583984 | 1584784 | Rdr |04 | | ?
1586288 | 1587088 | Rdr |04 | | ?
1588592 | 1589008 | Rdr |00! | | ?
1589488 | 1590160 | Rdr |00! | | ?
1590384 | 1590800 | Rdr |00! | | ?
-162644656 | -162644368 | Rdr |00! | | ?
1592560 | 1593104 | Rdr |02 | | ?
3384864 | 3393024 | Rdr |10 0c 00 2c 2f 90 6f | !crc| ?
3429008 | 3429680 | Rdr |02 | | ?
3431184 | 3431984 | Rdr |04 | | ?
3433488 | 3434288 | Rdr |04 | | ?
3435792 | 3436592 | Rdr |04 | | ?
3438096 | 3438384 | Rdr |00! | | ?
3438864 | 3439664 | Rdr |01 | | ?
3439888 | 3442480 | Rdr |71! e6! 00! | !crc| ?
-162644656 | -162644368 | Rdr |00! | | ?
and once again, the same card:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
2288 | 4624 | Rdr |f9 7f | | ?
10048 | 12512 | Rdr |93 20 | | ANTICOLL
29440 | 39904 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
41200 | 42384 | Rdr |7f | | ?
42608 | 43408 | Rdr |00! | | ?
43632 | 44176 | Rdr |03! | | ?
44400 | 44752 | Rdr |03! | | ?
679296 | 680288 | Rdr |52 | | WUPA
681584 | 683920 | Rdr |f9 7f | | ?
689824 | 700288 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
712720 | 718640 | Rdr |10 00 00 81 20 | ok | ?
719872 | 725152 | Rdr |f3 7f 7f 7f 06! | !crc| ?
725376 | 725792 | Rdr |01 | | ?
726272 | 726816 | Rdr |00! | | ?
727296 | 728352 | Rdr |18! | | ?
-63559568 | -63559280 | Rdr |00! | | ?
730112 | 730528 | Rdr |01 | | ?
730752 | 731040 | Rdr |00! | | ?
731264 | 731488 | Rdr |01 | | ?
760976 | 768048 | Rdr |20 03 00 05 9a 61 | ok | ?
873808 | 892336 | Rdr |d6 fa fa fa 64 6b 2e 4e 8e 73 dd a4 ad 20 f6 ff | !crc| ?
989696 | 997856 | Rdr |10 01 00 69 6b 3a 11 | !crc| ?
1033840 | 1034512 | Rdr |02 | | ?
1035504 | 1041808 | Rdr |27! 09 0f! e0! c7 00! | !crc| ?
1042032 | 1044880 | Rdr |c4 4c 03! | !crc| ?
1045104 | 1045776 | Rdr |03! | | ?
1046000 | 1046800 | Rdr |0f! | | ?
-63559568 | -63559280 | Rdr |00! | | ?
1120704 | 1128928 | Rdr |10 ff 00 17 81 ab 9e | !crc| ?
1164848 | 1168976 | Rdr |cf! fe f8! 07 | !crc| ?
-63559568 | -63550128 | Rdr |0e 60 00! 41! ae f6! 71! d2! 01 | !crc| ?
1252048 | 1260208 | Rdr |10 fe 00 bd 35 6c 81 | !crc| ?
1296192 | 1298656 | Rdr |7f fe | | ?
1298880 | 1299680 | Rdr |0f! | | ?
1299904 | 1301728 | Rdr |71! 07 | | ?
1301952 | 1303392 | Rdr |7f 00! | | ?
1303616 | 1305440 | Rdr |92 06! | | ?
1305664 | 1307104 | Rdr |71! 00! | | ?
1307328 | 1308896 | Rdr |21! 01 | | ?
1309376 | 1310048 | Rdr |04 | | ?
1383920 | 1392080 | Rdr |10 fd 00 80 10 a8 f5 | !crc| ?
1428064 | 1438208 | Rdr |f9 7f 7f 7f 7f 7f 88 f9 08 | !crc| ?
1521216 | 1529440 | Rdr |10 fb 00 4d 09 4d 02 | !crc| ?
-63559568 | -63545968 | Rdr |6a! 92! 93! 75 ab 75 ab b5 e8 11! 6f! 0f! | !crc| ?
3370016 | 3378176 | Rdr |10 0c 00 83 e3 ca 09 | !crc| ?
3414160 | 3414832 | Rdr |02 | | ?
3416336 | 3417136 | Rdr |04 | | ?
3418640 | 3419440 | Rdr |04 | | ?
3420944 | 3421744 | Rdr |04 | | ?
3423248 | 3425456 | Rdr |24! 30! | | ?
3426192 | 3427120 | Rdr |09! | | ?
3427600 | 3428016 | Rdr |01 | | ?
From what I can see in this communication, the sequence 20 03 00 05 9a 61 seems to start an encrypted communication... I think the data below is some kind of encrypted random number sent by the card... somehow like DESfire is doing this (as I wrote).
The beginning of the communication is just (more or less) normal 14a card selection stuff, like on all cards with this standard. The UID D6-7A-F5-51 is correct in this stream.
Last edited by Jason (2016-07-29 13:39:47)
Offline
Oh, I forgot to give some CRC-data of advant segments:
I created the same card as documented in the other thread, just on an advant card (the card noted in the post above):
UID : D6-7A-F5-51
STAMP : 00-01-02-03
WRC area: 12-34-56-[EF-6F]
Data : 25-FC-D7-5A-44-66-D8-0C-[F7-56]
I placed each CRC16 value in brackets.
Offline
strange that you don't get the tag's responses. can you adjust the position of the tag to see if you can pick it up as well?
Offline
You are right marshmellow, the Tag communication was not sniffed.
I tried a lot of positions and found one with better results:
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
2244 | 4612 | Tag |04 00 | |
10048 | 12512 | Rdr |93 20 | | ANTICOLL
13700 | 19588 | Tag |51 f5 7a d6 08 | |
28544 | 39008 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
40260 | 43844 | Tag |00 fe 51 | |
685120 | 686112 | Rdr |52 | | WUPA
687364 | 689732 | Tag |04 00 | |
1322944 | 1323936 | Rdr |52 | | WUPA
1325188 | 1327556 | Tag |04 00 | |
1333488 | 1343952 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
1345204 | 1348788 | Tag |00 fe 51 | |
2748656 | 2749712 | Rdr |26 | | REQA
2750900 | 2753268 | Tag |04 00 | |
2758720 | 2761184 | Rdr |93 20 | | ANTICOLL
2762372 | 2768260 | Tag |51 f5 7a d6 08 | |
2777216 | 2787680 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
2788932 | 2792516 | Tag |00 fe 51 | |
4915568 | 4916560 | Rdr |52 | | WUPA
4917812 | 4920180 | Tag |04 00 | |
6344160 | 6345216 | Rdr |26 | | REQA
6346404 | 6348772 | Tag |04 00 | |
6354528 | 6356992 | Rdr |93 20 | | ANTICOLL
6358180 | 6360420 | Tag |51 f5! | |
9306048 | 9307104 | Rdr |26 | | REQA
9308292 | 9310660 | Tag |04 00 | |
9316112 | 9318576 | Rdr |93 20 | | ANTICOLL
9319764 | 9322004 | Tag |51 f5! | |
12268368 | 12269424 | Rdr |26 | | REQA
12270612 | 12272980 | Tag |04 00 | |
12278416 | 12280880 | Rdr |93 20 | | ANTICOLL
12282068 | 12284308 | Tag |51 f5! | |
15228976 | 15230032 | Rdr |26 | | REQA
15231220 | 15233588 | Tag |04 00 | |
15239024 | 15241488 | Rdr |93 20 | | ANTICOLL
15242676 | 15248564 | Tag |51 f5 7a d6 08 | |
15257520 | 15267984 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
15269236 | 15272820 | Tag |00 fe 51 | |
17395904 | 17396896 | Rdr |52 | | WUPA
17398148 | 17400516 | Tag |04 00 | |
18826656 | 18827712 | Rdr |26 | | REQA
18828900 | 18831268 | Tag |04 00 | |
21788112 | 21789168 | Rdr |26 | | REQA
21790356 | 21792724 | Tag |04 00 | |
21798176 | 21800640 | Rdr |93 20 | | ANTICOLL
21801828 | 21804068 | Tag |51 f5! | |
24747088 | 24748144 | Rdr |26 | | REQA
24749332 | 24751700 | Tag |04 00 | |
24757136 | 24759600 | Rdr |93 20 | | ANTICOLL
24760788 | 24766676 | Tag |51 f5 7a d6 08 | |
24775632 | 24786096 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
24787348 | 24790932 | Tag |00 fe 51 | |
26915072 | 26916064 | Rdr |52 | | WUPA
26917316 | 26919684 | Tag |04 00 | |
28344656 | 28345712 | Rdr |26 | | REQA
28346900 | 28349268 | Tag |04 00 | |
28354704 | 28357168 | Rdr |93 20 | | ANTICOLL
28358356 | 28364244 | Tag |51 f5 7a d6 08 | |
28373200 | 28383664 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
28384916 | 28388500 | Tag |00 fe 51 | |
30511072 | 30512064 | Rdr |52 | | WUPA
30513316 | 30515684 | Tag |04 00 | |
31941232 | 31942288 | Rdr |26 | | REQA
31943476 | 31945844 | Tag |04 00 | |
31951280 | 31953744 | Rdr |93 20 | | ANTICOLL
31954932 | 31960820 | Tag |51 f5 7a d6 08 | |
34903872 | 34904928 | Rdr |26 | | REQA
34906116 | 34908484 | Tag |04 00 | |
37863904 | 37864960 | Rdr |26 | | REQA
37866148 | 37868516 | Tag |04 00 | |
40825472 | 40826528 | Rdr |26 | | REQA
40827716 | 40830084 | Tag |04 00 | |
43786784 | 43787840 | Rdr |26 | | REQA
43789028 | 43791396 | Tag |04 00 | |
43796848 | 43799312 | Rdr |93 20 | | ANTICOLL
43800500 | 43806388 | Tag |51 f5 7a d6 08 | |
43815344 | 43825808 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
43827060 | 43830644 | Tag |00 fe 51 | |
45952384 | 45953376 | Rdr |52 | | WUPA
45954628 | 45956996 | Tag |04 00 | |
45963232 | 45973696 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
45974948 | 45978532 | Tag |00 fe 51 | |
45985808 | 45991728 | Rdr |10 00 00 81 20 | ok | ?
45992916 | 46004564 | Tag |08 00 00 00 51 f5 7a d6 ad ba | ok |
46033952 | 46041024 | Rdr |20 03 00 05 9a 61 | ok | ?
46042212 | 46063012 | Tag |a5 fa fa fa 00 00 00 00 db 02 14 70 08 e7 cc af | |
| | |8a be | ok |
46146656 | 46165184 | Rdr |9a fa fa fa 7a e0 42 2f db e1 23 c0 23 d8 fc dd | !crc| ?
46230820 | 46232036 | Tag |ff | |
46262448 | 46270672 | Rdr |10 01 00 82 fa 8b 13 | !crc| ?
46306548 | 46320500 | Tag |59 0a 4c 07 ff 00 f1 67 6b f3 b0 62 | !crc|
46394912 | 46403072 | Rdr |10 ff 00 32 fe 7d b2 | !crc| ?
46439012 | 46452900 | Tag |20 01 07 d0 07 b0 00 20 dd 65 98 53 | !crc|
46526496 | 46534656 | Rdr |10 fe 00 ce 34 c3 3f | !crc| ?
46570596 | 46584548 | Tag |00 01 05 32 42 00 9b 12 fc 01 61 dc | !crc|
46658768 | 46666928 | Rdr |10 fd 00 71 f2 bf 18 | !crc| ?
46702868 | 46716756 | Tag |07 00 00 00 00 00 1a 08 b7 b8 3f ee | !crc|
46793984 | 46802208 | Rdr |10 fb 00 90 68 3b 19 | !crc| ?
46838084 | 46852036 | Tag |a8 ba de 97 73 96 3e b2 55 c0 1d 51 | !crc|
46932928 | 46941152 | Rdr |10 fa 00 b2 0f 62 1a | !crc| ?
46977028 | 46990916 | Tag |3f 9e 16 ba 39 9d 12 bf 95 60 51 2b | !crc|
49283840 | 49292000 | Rdr |10 fb 00 e6 0a f2 f6 | !crc| ?
49327940 | 49341892 | Tag |a8 ba de 97 73 96 3e b2 e1 a1 20 e3 | !crc|
50602448 | 50610608 | Rdr |10 f9 00 e5 b2 c1 cc | !crc| ?
50646548 | 50660500 | Tag |15 96 78 6c 6c 83 d6 50 6a b2 de 61 | !crc|
50734912 | 50743136 | Rdr |10 f8 00 3c 54 95 df | !crc| ?
50779012 | 50792964 | Tag |55 ee 40 53 07 59 74 8f 97 a5 c5 4a | !crc|
50867184 | 50875344 | Rdr |10 f7 00 8f 81 a7 30 | !crc| ?
50911284 | 50925172 | Tag |17 b2 3e 93 13 b6 3a 97 91 8c 49 18 | !crc|
Just ignore the many anticollision commands. It just works this way...
Last edited by Jason (2016-08-02 17:35:59)
Offline
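An added example (not code from the thread or from the Proxmark3 project) that re-runs the checks behind the 'ok' / '!crc' column of the tables above: it parses the 'hf list 14a' style rows, recomputes the ISO 14443-3 CRC_A, verifies the BCC in the anticollision frames and labels the standard Type A selection commands, so that rows which are really unknown (the proprietary commands and the payload after 20 03 00 05 9a 61) can be told apart from rows that merely failed the CRC because the sniff was imperfect. TRACE is a constructed excerpt of the rows quoted above, including the wrapped 18-byte tag frame; the labels are ISO 14443-3 names, not Legic-specific ones.

```python
import re

# ISO 14443-3 CRC_A: reflected polynomial 0x8408, initial value 0x6363,
# no final XOR; the PCD/PICC appends it low byte first.
def crc_a(data: bytes) -> bytes:
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_trace(text: str):
    """Return [(src, data, parity_error)] per row of a pm3 'hf list 14a' table.
    A row whose Start column is empty is a wrapped continuation of the previous
    frame (pm3 wraps long frames) and is merged into it."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or not re.fullmatch(r"-?\d*", cols[0]):
            continue                                   # header, separator, prose
        toks = cols[3].split()
        if not toks:
            continue
        data = bytes(int(t.rstrip("!"), 16) for t in toks)
        perr = any(t.endswith("!") for t in toks)      # '!' marks a parity error
        if cols[0] == "" and frames:
            src, prev, pperr = frames[-1]
            frames[-1] = (src, prev + data, pperr or perr)
        else:
            frames.append((cols[2], data, perr))
    return frames


CASCADE = {0x93: "CL1", 0x95: "CL2", 0x97: "CL3"}   # SEL codes per cascade level

def annotate(frames):
    """Return [(src, hex, crc_status, label)]; labels are ISO 14443-3 names."""
    out, last = [], None
    for src, d, perr in frames:
        label, crc = "?", ""
        if src == "Rdr":
            if d == b"\x26":
                label = last = "REQA"
            elif d == b"\x52":
                label = last = "WUPA"
            elif len(d) == 2 and d[0] in CASCADE and d[1] == 0x20:
                label, last = "ANTICOLL " + CASCADE[d[0]], "ANTICOLL"
            elif len(d) == 9 and d[0] in CASCADE and d[1] == 0x70:
                bcc_ok = (d[2] ^ d[3] ^ d[4] ^ d[5]) == d[6]
                label = "SELECT %s uid=%s bcc=%s" % (
                    CASCADE[d[0]], d[2:6].hex(), "ok" if bcc_ok else "BAD")
                last = "SELECT"
            elif d[:2] == b"\x50\x00":
                label = last = "HALT"
            else:
                last = None                            # proprietary command
        else:
            if last in ("REQA", "WUPA") and len(d) == 2:
                label = "ATQA"
            elif last == "ANTICOLL" and len(d) == 5:   # UID0..3 + BCC, no CRC
                bcc_ok = (d[0] ^ d[1] ^ d[2] ^ d[3]) == d[4]
                label = "UID+BCC bcc=%s" % ("ok" if bcc_ok else "BAD")
            elif last == "SELECT" and len(d) == 3:
                label = "SAK 0x%02x (%sISO14443-4)" % (d[0], "" if d[0] & 0x20 else "not ")
        # Every frame of three or more bytes ends in CRC_A, except the UID+BCC
        # anticollision reply; shorter frames (REQA, ATQA, ...) carry none.
        if len(d) >= 3 and not label.startswith("UID+BCC"):
            crc = "ok" if crc_a(d[:-2]) == d[-2:] else "!crc"
        if perr:
            crc = (crc + " parity").strip()
        out.append((src, d.hex(" "), crc, label))
    return out


# Constructed excerpt of the sniffed rows quoted in the thread.
TRACE = """\
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|------------------------------------|-----|-----------|
0 | 1056 | Rdr |26 | | REQA
2244 | 4612 | Tag |04 00 | |
10048 | 12512 | Rdr |93 20 | | ANTICOLL
13700 | 19588 | Tag |51 f5 7a d6 08 | |
28544 | 39008 | Rdr |93 70 51 f5 7a d6 08 c7 ca | ok | SELECT_UID
40260 | 43844 | Tag |00 fe 51 | |
45985808 | 45991728 | Rdr |10 00 00 81 20 | ok | ?
45992916 | 46004564 | Tag |08 00 00 00 51 f5 7a d6 ad ba | ok |
46033952 | 46041024 | Rdr |20 03 00 05 9a 61 | ok | ?
46042212 | 46063012 | Tag |a5 fa fa fa 00 00 00 00 db 02 14 70 08 e7 cc af | |
| | |8a be | ok |
46146656 | 46165184 | Rdr |9a fa fa fa 7a e0 42 2f db e1 23 c0 23 d8 fc dd | !crc| ?
46262448 | 46270672 | Rdr |10 01 00 82 fa 8b 13 | !crc| ?
"""

if __name__ == "__main__":
    for src, hx, crc, label in annotate(parse_trace(TRACE)):
        print("%-3s %-52s %-6s %s" % (src, hx, crc, label))
```

Run as is, it prints one line per frame; the SAK reply 00 fe 51 checks out as SAK 0x00 with a valid CRC_A, and the reader frames after the select that pm3 flags as !crc stay flagged, which is consistent with the reader-side frames having been picked up with parity errors in the first two traces.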
I must have missed something here but how come the iclass protocol printing matches up with a legic tag?!?
Offline
Maybe using nearly the same protocol!? ... but iclass is iso15, this one is iso14a.
Offline
Hi,
Might be able to soon, just ordered the csw-4000 software + reader & got some badges with only one Advant segment.
Card is definitely seen as desfire on proxmark with a lot of zero values.
Offline
I hope the analysis of that software brings us some nice insights!
Offline
I'm interested in having a look at the software.
Offline
The Software is not really useful at all, especially for deeper analysis of the advant system.
The Tech-Docs are more useful, but last year I failed to remove all the watermarks inside to safely spread them...
Akileos is right with DESfire, but just for a special single advant card type (the EAL4 certified one). This is a DESfire card with only one application occupying the whole card space (I can supply the AID also... somewhere I documented this once... hm).
Anyway... the CSW software drives the legic reader chips. It can only do what the chip (its firmware) allows it to do. This is documented in the tech docs. And there you will find the usual stuff such as: Select a card, select a segment, read data, write data, create segments, etc.
The only real difference between earlier advant platforms, in contrast to the 4000 series, is the different way to detect and select the card.
Offline
Hi,
I would like to bump this topic.
Is there any progress with LEGIC Advant analysis?
I'm also interested in LEGIC Systems.
some info / background from me:
- I have access to some LEGIC docs / spec sheets.
- I own a TWN4 with LEGIC SM-4200.
- I have some LEGIC unsegmented cards (ATC4096, CTC4096, ...)
Anyone willing to share CSW-4000?
Greetz
Mackwa
Offline
In my opinion the CSW software will not work with the TWN4 readers. The TWN4 readers support direct module communication, but as far as I know, this is done in a special command framework. The CSW software only supports communication with the reader chip itself (directly). So even if someone sends you this software, it's useless. Even more useless: You have - you call this unsegmented (this is not right, because the "unsegmented" state is not possible with advant anymore) - unprogrammed new media. You can do nothing with it. You need at least a Demo IAM from Legic to create segments on these cards. Else they are quite useless garbage...
Offline
The TWN4 reader works with DKS4000.
Are you sure, that it will not work with CSW4000?
Regarding unsegmented / unprogrammed new media:
Anyone already sniffed / evaluated how LEGIC software detects Advant chip (ISO14443A one) in comparison to MF DESFire chip?
Offline
The TWN4 reader works with DKS4000.
Are you sure, that it will not work with CSW4000?
If the development kit is usable, the CSW software is usable too. Both use bare chip command-set communication.
Never owned a TWN-Reader, I always use bare chips in my own designs. My warning was just because I know the TWNs have a user documentation for command stuff; this must be an "own" instruction-set because the Legic command-set must not be supplied by anyone else except Legic itself (and there only the ones with a proper licence will get this info). So the TWN readers pipeline raw-commands as is or can be switched to "raw" mode... But if you can verify proper function with the dev-kit, it will work with the card software as well.
But finally you still can't do anything, because you don't have a proper IAM, XAM or GAM to create segments on the empty media; you can just read a blank media with its UID.
Regarding unsegmented / unprogrammed new media:
Anyone already sniffed / evaluated how LEGIC software detects Advant chip (ISO14443A one) in comparison to MF DESFire chip?
The ATC4096 is a DESfire-Chip, but not the only ISO14443A advant media possible in the Legic eco-system.
They just try to select the AID 855 and try to login with the proper (diversified) key. If this works, they are basically detected as ATC4096. The internal application organisation is unknown, but it's known that the whole chip capacity is occupied by this application. I think there's an internal file organisation, most likely separated into an "organisation" file and data files, maybe one file for every separate segment. But this is just a guess.
Offline
Got hold of some legic Advant 4096 tags. (thank you-know-who!)
pm3 --> hf 14a i
UID : 04 7C 34 92 DD 39 80
ATQA : 03 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 06 75 77 81 02 80 02 F0
- TL : length is 6 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
[=] Answers to magic commands: NO
pm3 --> hf mfdes in
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 7C 34 92 DD 39 80
Batch number : BA 54 13 D2 80
Production date : week 05, 2014
-----------------------------------------------------------
Hardware Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.0 (Desfire EV1)
Storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-----------------------------------------------------------
Software Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.4
storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : YES
[0x02] Directory list access with CMK : NO
[0x01] CMK is changeable : NO
Max number of keys : 125
Master key Version : 154 (0x9a)
----------------------------------------------------------
[0x0A] Authenticate : YES
[0x1A] Authenticate ISO : YES
[0xAA] Authenticate AES : NO
----------------------------------------------------------
Available free memory on card : 224 bytes
-------------------------------------------------------------
pm3 --> hf 14a i
UID : 04 64 32 92 DD 39 80
ATQA : 03 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 06 75 77 81 02 80 02 F0
- TL : length is 6 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
[=] Answers to magic commands: NO
pm3 --> hf mfdes i
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 64 32 92 DD 39 80
Batch number : BA 54 13 D2 80
Production date : week 05, 2014
-----------------------------------------------------------
Hardware Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.0 (Desfire EV1)
Storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-----------------------------------------------------------
Software Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.4
storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : YES
[0x02] Directory list access with CMK : NO
[0x01] CMK is changeable : NO
Max number of keys : 11
Master key Version : 133 (0x85)
----------------------------------------------------------
[0x0A] Authenticate : YES
[0x1A] Authenticate ISO : YES
[0xAA] Authenticate AES : NO
----------------------------------------------------------
Available free memory on card : 224 bytes
-------------------------------------------------------------
pm3 -->
...let's see if I can get a directory listing out..
Offline
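As an added example (not Proxmark3 code), the decoder below reproduces the '- TL / T0 / TA1 / TB1 / TC1' breakdown that 'hf 14a info' prints above from the raw ATS bytes, so the meaning of each bit is explicit. The two bytes after the TL-counted ATS in the pm3 line are the CRC_A of the response, not ATS content; TL says how many bytes belong to the ATS. Field names and the FSCI-to-FSC table are from ISO/IEC 14443-4; the sample bytes are the ATS quoted in the post above.

```python
# FSCI 0..8 -> maximum frame size the PICC accepts, in bytes (ISO/IEC 14443-4);
# codes above 8 are reserved and treated as 256.
FSC_BY_FSCI = [16, 24, 32, 40, 48, 64, 96, 128, 256]

# ATS as printed by pm3 in the post above (last two bytes are the CRC_A).
ATS_FROM_POST = bytes.fromhex("06 75 77 81 02 80 02 F0")


def decode_ats(raw: bytes) -> dict:
    """Decode an ATS. raw may carry trailing bytes (pm3 prints the CRC_A too);
    TL, the first byte, says how many bytes the ATS proper has."""
    tl = raw[0]
    if len(raw) < tl:
        raise ValueError("truncated ATS: TL=%d but only %d bytes" % (tl, len(raw)))
    ats = raw[:tl]
    info = {"TL": tl, "historical": b""}
    if tl < 2:                      # TL only: no T0, nothing else to decode
        return info
    t0 = ats[1]
    info["FSCI"] = t0 & 0x0F
    info["FSC"] = FSC_BY_FSCI[min(info["FSCI"], 8)]
    i = 2
    if t0 & 0x10:                   # TA1 present: bit-rate capabilities
        ta1 = ats[i]; i += 1
        info["TA1"] = {
            "same_divisor_only": bool(ta1 & 0x80),
            "DS": [2 << k for k in range(3) if ta1 & (0x10 << k)],   # PICC->PCD
            "DR": [2 << k for k in range(3) if ta1 & (0x01 << k)],   # PCD->PICC
        }
    if t0 & 0x20:                   # TB1 present: FWI (high nibble), SFGI (low)
        tb1 = ats[i]; i += 1
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        # FWT = (256 * 16 / fc) * 2^FWI, SFGT likewise; values in carrier periods
        info["TB1"] = {"FWI": fwi, "FWT_fc": 4096 << fwi,
                       "SFGI": sfgi, "SFGT_fc": 4096 << sfgi}
    if t0 & 0x40:                   # TC1 present: protocol options
        tc1 = ats[i]; i += 1
        info["TC1"] = {"NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    info["historical"] = ats[i:]    # whatever is left are historical bytes
    return info


def describe(raw: bytes) -> str:
    """Render the decoded ATS in the same shape as the pm3 output."""
    d = decode_ats(raw)
    lines = ["ATS : %s" % raw.hex(" ").upper(),
             " - TL : length is %d bytes" % d["TL"]]
    if "FSCI" in d:
        lines.append(" - T0 : FSCI is %d (FSC = %d)" % (d["FSCI"], d["FSC"]))
    if "TA1" in d:
        lines.append(" - TA1 : %s, DR: %s, DS: %s" % (
            "same divisor both ways" if d["TA1"]["same_divisor_only"]
            else "different divisors are supported", d["TA1"]["DR"], d["TA1"]["DS"]))
    if "TB1" in d:
        lines.append(" - TB1 : SFGI = %d (SFGT = %d/fc), FWI = %d (FWT = %d/fc)" % (
            d["TB1"]["SFGI"], d["TB1"]["SFGT_fc"], d["TB1"]["FWI"], d["TB1"]["FWT_fc"]))
    if "TC1" in d:
        lines.append(" - TC1 : NAD is %ssupported, CID is %ssupported" % (
            "" if d["TC1"]["NAD"] else "NOT ", "" if d["TC1"]["CID"] else "NOT "))
    if d["historical"]:
        lines.append(" - historical bytes : %s" % d["historical"].hex(" "))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(ATS_FROM_POST))
```

The historical byte 0x80 is the only card-specific content in this ATS; everything else is the standard DESFire EV1 capability set, which is why pm3 cannot tell an Advant ATC4096 from any other EV1 at this layer.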