Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember: sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-06-27 13:30:13

atmel9077
Contributor
Registered: 2017-06-25
Posts: 21

Assumptions about Legic Advant

Documents used:
Legic advant overview (page 6)
Post #15 of this topic
RFID general table

Legic Advant, introduced around 2000, is the successor of the outdated (but still used) Legic Prime technology, which is today completely broken (it uses fixed encryption with no keys, and the security of the system relies solely on the secrecy of the obfuscation algorithm, the keystream generator).

Advant is presented as much more secure than Legic Prime. However, it is not much different:
On a traditional smartcard/RFID system, each application is protected by its own key and its own area in the card's memory. The access control is done by the card itself.
On Legic Advant (and Legic Prime) the principle is different: all Legic reader chips or modules can have access to all cards, and the access control is managed by the reader, which stores its own access rights. On the application side you have access to high-level commands (i.e. read or write a segment...) and the reader manages the communication with the card by itself (authentication, reading and writing of blocks).

In fact a Legic Advant card is just a dumb (but secure) memory card that is programmed with a diversified key (which means that the reader has to store the diversification key...). But how secure are these cards?

If you read the Legic Advant overview you'll see that the cards from ATC128MV to ATC2048MV use 3DES, DES or Legic encryption for the "Data transfer & storage encryption".
But on the "Cryptographic authentication" line you'll see that the ATC128 and ATC256 chips use 96-bit encryption.
If you look at the RFID general table you'll see that EM Microelectronic Marin sells ISO15693 chips with 96-bit proprietary crypto. Strange!
Then if you look at the ATC1204 (ISO15693) and ATC2048 (ISO14443A) chips you'll see that they use 64-bit crypto. Surprisingly, it seems that Infineon makes an ISO15693 chip with 1KB EEPROM (SRF 55V10S) and an ISO14443A chip with 2KB EEPROM (SLE 55R16), both with 64-bit proprietary crypto! If you look at the "security" column of the RFID general table for the SLE55R16, you'll see that it uses CRC before authentication and a 32-bit MAC after, which matches the traces recorded by Jason in this topic.

The ATC4096 chip is a MIFARE DESFire 4KB preprogrammed with one application, but that was already known.
The CTC4096 is compatible with both ISO14443A and LEGIC RF, so they cannot have reused an existing chip. It seems to really use 3DES encryption since the key length is 112 bits.

The coincidences are too strong; it seems that Legic Advant reuses existing chips. Legic just designed the readers and the CTC4096 chip!

The documentation is misleading and makes you think that the card uses standard and peer-reviewed crypto. The data stored on the card is probably encrypted with open crypto, but the card itself still uses security by obscurity...
Hacking these cryptos would compromise the entire Legic Advant system, as has been the case for MIFARE and ICLASS.

For the 96-bit crypto I'm sure it's almost the same as the Megamos crypto, which is designed by EM Marin, uses a 96-bit key and is broken!!!
Nobody has ever talked about the Infineon crypto yet. But the chips seem very old (2001) and may be as flawed as MIFARE...

After MIFARE, ICLASS and Legic Prime the next thing to break is Legic Advant!

Sorry for my bad English. And I forgot: both Legic and EM-Marin have a 256-byte chip with Grain128a crypto. Lol, that's not just a coincidence...

Last edited by atmel9077 (2017-09-12 07:56:27)


Those who forget the past are doomed to repeat it.


#2 2017-06-27 15:56:24

Jason
Contributor
Registered: 2016-07-21
Posts: 38

Re: Assumptions about Legic Advant

Nice conclusion, it really might be an EM and/or Infineon card.
But the truth might be way too much in this context ;)

In fact the spec sheets mention the Grain128a algorithm, especially for the ATC256-MV410 card. Legic reuses a lot of other technology, that's a fact. The old series 2000 reader chips for example: the µC was from Renesas; Legic removed the original marking with a laser and just put a sticker on it. The ATC4096-MP311 is DESFire from NXP, right. The newer SM-4000 reader chips seem to be specially made for Legic. My guess is they are made by NXP, possibly with some kind of Cortex µC core.
The CTC chip is, my guess, also a reused/modified version of something existing. Maybe also a DESFire chip where NXP added the older Prime stuff. So it makes sense this one is not EAL4+ certified, since it had to be re-certified in this sub-version.

If the oldest versions of Advant cards are weak, this might be the perfect way to enter the Advant stuff. I think Legic knows this: a few years ago they introduced the "Master Token Zone". This way they can separate Advant technologies. The very old stuff got Zone A, the DESFire reuse (ATC4096-MP311) got C. Master tokens with a lower Zone value cannot grant Master-Token functionality to higher Zones. So a Zone A SAM63, for example, cannot be used for Zone C segments/cards. So they lock out possibly weak implementations.

But overall: the possibility to generate Advant Master-Tokens would give a bunch of new ways to bypass Legic restrictions.

But segment modification might not be possible, since Legic introduced DES/AES encryption with the Advant system for the user data itself. So even by breaking the chip security, the data is almost garbage. Breaking the diversification algorithm might be nice, but is very hard to achieve. The firmware files for the reader chips are encrypted. If someone gets them decrypted (this must be a static key), a smart guy will find the code piece doing this ;) (but I think there's a key somewhere burned into the chip, from which the diversified key is derived... so knowing the algo will probably not give the ability to use it in the right way...)


#3 2017-06-27 16:22:11

iceman
Administrator
Registered: 2013-04-25
Posts: 3,865
Website

Re: Assumptions about Legic Advant

Interesting conclusion, but I see some assumptions and no hard facts supporting them. They might be right, but it's not proven right. I wouldn't use "truth" in that sense, but I'm old fashioned. So many alternative facts get presented as truth nowadays; it ain't my style. Skip the sensationalism, it doesn't impress anyone in this forum. The old-timers here are hardcore and you can follow their work.

Megamos might be broken, but we don't have an implementation of it in the Proxmark3 source code. So that is quite far from being useful.
Infineon unknown crypto: still not much known about it and, like Megamos, no implementation and far from being useful.

All of which is a great start of information gathering.

So given the official statements and forum posts, the list of possible cryptos used and what we know about them would be as follows.

  • DES/3DES/AES is a given if they build upon DESFire, since it supports it

  • Legic Prime is mapped/understood/broken

  • Grain128a is mapped/understood/not broken; there is a KPT attack for it in hashcat (thanks bros!). The card which uses Grain128a will be susceptible to weakness

  • Advant 96b crypto is unknown/not understood/not broken, which, if we follow the idea that Legic builds upon cryptos already present at its suppliers, could be a Megamos clone crypto, but that is still pure speculation


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#4 2017-06-27 16:31:39

atmel9077
Contributor
Registered: 2017-06-25
Posts: 21

Re: Assumptions about Legic Advant

If the crypto gets broken, what could be done is a replay attack, i.e. putting a card back in a previous state. If the card holds money we could reload it, use it and write back the old content to reload it. But there is probably a one-way counter somewhere in the card used to compute a signature; in this case reloading is impossible but emulation is still possible.

It seems that Legic realized that and migrated to more secure solutions. Now they have 15693 chips with Grain128a and 3DES, and the CTC chip. By the way, I don't have one but I think the CTC is a memory card that accepts some DESFire commands so it's detected as a CTC4096.

In the latest documentation the chips with 96-bit crypto have disappeared; maybe EM Marin told Legic that their crypto was broken (nobody hacked these EM chips, but they probably use the Megamos crypto, which is broken).



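The rollback ("write the old content back") and one-way-counter argument from post #4, as an added example that is not code from the thread, from Legic or from the Proxmark3 project. It models a stored-value segment as a toy: a dumb memory card with rewritable blocks plus a hardware counter that can only increment, and a reader that holds the key and MACs the balance. The key, the field layout, the 32-bit tag length and the UID are assumptions for the demo. It shows the three outcomes the post describes: restoring an old dump works when the signature ignores the counter, fails when the signature covers it, and an emulator that presents any counter value it likes still passes.

```python
# Added example: rollback vs. one-way counter vs. emulation on a toy stored-value card.
# Key, layout, tag size and UID are demo assumptions, not Legic's real scheme.
import hashlib
import hmac

READER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical reader-side key
DEMO_UID = bytes.fromhex("16380442000001")                       # constructed UID


def tag(key: bytes, uid: bytes, balance: int, counter: int) -> bytes:
    """32-bit MAC over (uid, balance, counter); counter is 0 when the scheme ignores it."""
    msg = uid + balance.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class MemoryCard:
    """Dumb memory card: rewritable user data plus a hardware counter that only increments."""

    def __init__(self, uid: bytes) -> None:
        self.uid = uid
        self.data = {"balance": 0, "tag": b"\x00" * 4}
        self.counter = 0

    def increment(self) -> int:
        self.counter += 1            # one-way: there is no command to decrement or rewrite it
        return self.counter

    def dump(self) -> dict:
        return dict(self.data)       # with the chip crypto broken the attacker can read the blocks...

    def restore(self, snapshot: dict) -> None:
        self.data = dict(snapshot)   # ...and write them back, but the counter stays where it is


class Emulator(MemoryCard):
    """Proxmark-style emulation: every field, the counter included, is attacker-chosen."""

    def set_counter(self, value: int) -> None:
        self.counter = value


class Reader:
    """Holds the key and the policy (Legic keeps access rights in the reader, not the card)."""

    def __init__(self, key: bytes, counter_in_tag: bool) -> None:
        self.key = key
        self.counter_in_tag = counter_in_tag

    def _ctr(self, card: MemoryCard) -> int:
        return card.counter if self.counter_in_tag else 0

    def write_balance(self, card: MemoryCard, balance: int) -> None:
        if self.counter_in_tag:
            card.increment()          # every write consumes a fresh counter value
        card.data = {"balance": balance,
                     "tag": tag(self.key, card.uid, balance, self._ctr(card))}

    def verify(self, card: MemoryCard) -> bool:
        expected = tag(self.key, card.uid, card.data["balance"], self._ctr(card))
        return hmac.compare_digest(expected, card.data["tag"])

    def spend(self, card: MemoryCard, amount: int) -> bool:
        if not self.verify(card) or card.data["balance"] < amount:
            return False
        self.write_balance(card, card.data["balance"] - amount)
        return True


def rollback_attack(counter_in_tag: bool) -> bool:
    """True if the reader accepts a restored old dump, i.e. the rollback succeeded."""
    reader = Reader(READER_KEY, counter_in_tag)
    card = MemoryCard(DEMO_UID)
    reader.write_balance(card, 50)
    snapshot = card.dump()            # attacker dumps the card at 50 credits
    assert reader.spend(card, 40)     # card is legitimately spent down to 10
    card.restore(snapshot)            # attacker writes the old blocks back
    return reader.verify(card) and card.data["balance"] == 50


def emulation_attack() -> bool:
    """The counter does not help against emulation: it is just another field to replay."""
    reader = Reader(READER_KEY, counter_in_tag=True)
    card = MemoryCard(DEMO_UID)
    reader.write_balance(card, 50)
    snapshot, ctr = card.dump(), card.counter
    emu = Emulator(card.uid)
    emu.restore(snapshot)
    emu.set_counter(ctr)              # replay the counter value seen at dump time
    return reader.verify(emu)


if __name__ == "__main__":
    print("rollback, counter not in tag :", rollback_attack(False))  # True
    print("rollback, counter in tag     :", rollback_attack(True))   # False
    print("emulation with chosen counter:", emulation_attack())      # True
```

The point of the third function is the one the post makes: a counter bound into the signature stops rewriting a genuine card, but a reader that only checks a MAC over values the token itself presents cannot tell a real counter from an emulated one.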

#5 2017-06-27 17:11:09

atmel9077
Contributor
Registered: 2017-06-25
Posts: 21

Re: Assumptions about Legic Advant

iceman wrote:

They might be right, but it's not proven right. I wouldn't use "truth" in that sense, but I'm old fashioned

I agree, all that I said is just assumptions. I used the term "truth" because the Legic documentation seems (it's just an assumption) misleading, in the sense that they try to hide that they're using existing technology and maybe (in some cases) security by obscurity.
I've quoted only 3 documents, but I also went to the Legic, EM-Marin and Infineon sites.

iceman wrote:

Skip the sensationalism, it doesn't impress anyone in this forum.

I definitely should not have used the term "truth".

iceman wrote:

advant 96b crypto   is  unknown/not understood/ not broken

In my assumption there's no "Advant 96-bit crypto". My assumption is that Legic seems to use EM-Marin chips with 96-bit crypto. Since EM Marin has developed the Megamos crypto, which is 96 bits, the 96-bit crypto used in their ISO15693 chips may be similar to the Megamos crypto.

Last edited by atmel9077 (2017-06-27 17:14:37)




#6 2017-06-27 17:21:44

Jason
Contributor
Registered: 2016-07-21
Posts: 38

Re: Assumptions about Legic Advant

atmel9077 wrote:

By the way i don't have one but I think the CTC is a memory card that accepts some DESfire commands so it's detected as a CTC4096.

I mentioned this in my earlier post ;) ... and not just because it makes sense...:

 UID : 16 38 04 42 xx xx xx
ATQA : 00 41
 SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : EM Microelectronic-Marin SA Switzerland
 ATS : 05 77 77 81 02 BD 91
       -  TL : length is 5 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 7 (FSC =128)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported

... I noticed it by reading one ;)
And yes, it interacts with DESFire commands:

-------------------------------------------------------------
 CMK - PICC, Card Master Key settings

   [0x08] Configuration changeable       : NO
   [0x04] CMK required for create/delete : YES
   [0x02] Directory list access with CMK : YES
   [0x01] CMK is changeable              : NO

   Max number of keys       : 243
   Master key Version       : 0 (0x00)
   ----------------------------------------------------------
   [0x0A] Authenticate      : YES
   [0x1A] Authenticate ISO  : YES
   [0xAA] Authenticate AES  : YES

   ----------------------------------------------------------
   Available free memory on card       : 10679040 bytes
-------------------------------------------------------------

That's why I mentioned a modified DESFire chip.

But I totally agree with iceman: that's all assumptions; they have to be validated to be the "truth".
In case of the CTC chip it could also be some kind of CPU card just emulating DESFire, since this Advant type is already implemented and it was just the easy way.

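The ATS decode in Jason's `hf 14a info` output above, reproduced as an added example that is not code from the thread or from the Proxmark3 client. It walks the ISO 14443-4 ATS bytes the way the client's TL/T0/TA1/TB1/TC1 lines do and also verifies the two trailing bytes (BD 91) as the CRC_A over the ATS body, which the client prints but does not check for you. The only input is the ATS line from the post; the FSCI table, CRC parameters and field layout are from ISO 14443-3/-4.

```python
# Added example: parse an ISO 14443-4 ATS (as shown by `hf 14a info`) and verify its CRC_A.
from typing import Dict, List, Optional

# ISO 14443-4: FSCI code -> FSC, the largest frame (bytes) the card can receive
FSCI_TO_FSC = [16, 24, 32, 40, 48, 64, 96, 128, 256]


def crc_a(data: bytes) -> int:
    """CRC_A from ISO 14443-3 Annex B: init 0x6363, reflected poly 0x8408, no final XOR."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return crc & 0xFFFF


def divisors(field: int) -> List[int]:
    """Map a 3-bit DRI/DSI field (b1..b3) to the supported bit-rate divisors."""
    return [d for i, d in enumerate((2, 4, 8)) if field & (1 << i)]


def parse_ats(raw: bytes, trailing_crc: bool = True) -> Dict[str, object]:
    """Parse an ATS. With trailing_crc the two bytes after the body are taken as the
    CRC_A (LSB first) over TL..Tk/historical bytes and verified."""
    tl = raw[0]
    body = raw[:tl]
    if len(body) != tl:
        raise ValueError("ATS is shorter than TL announces")
    crc_ok: Optional[bool] = None
    if trailing_crc:
        crc_ok = int.from_bytes(raw[tl:tl + 2], "little") == crc_a(body)
    ats: Dict[str, object] = {"TL": tl, "crc_ok": crc_ok}
    idx = 1
    if tl > 1:
        t0 = body[idx]
        idx += 1
        fsci = t0 & 0x0F
        ats["FSCI"] = fsci
        ats["FSC"] = FSCI_TO_FSC[min(fsci, 8)]            # codes 9..15 are treated as 256
        if t0 & 0x10:                                      # TA1 present
            ta1 = body[idx]
            idx += 1
            ats["TA1"] = {
                "same_divisor_both_ways": bool(ta1 & 0x80),
                "DS": divisors((ta1 >> 4) & 0x07),         # PICC -> PCD
                "DR": divisors(ta1 & 0x07),                # PCD -> PICC
            }
        if t0 & 0x20:                                      # TB1 present
            tb1 = body[idx]
            idx += 1
            fwi, sfgi = tb1 >> 4, tb1 & 0x0F
            ats["TB1"] = {"FWI": fwi, "FWT_fc": 4096 << fwi,     # (256*16/fc) * 2^FWI
                          "SFGI": sfgi, "SFGT_fc": 4096 << sfgi}
        if t0 & 0x40:                                      # TC1 present
            tc1 = body[idx]
            idx += 1
            ats["TC1"] = {"NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    ats["historical"] = body[idx:]
    return ats


# Constructed from the ATS line in the post above: 5-byte body followed by its CRC_A
CTC_ATS = bytes.fromhex("05 77 77 81 02 BD 91")

if __name__ == "__main__":
    for name, value in parse_ats(CTC_ATS).items():
        print(f"{name:>10}: {value}")
```

Running it reproduces the client's lines (FSC 128, DR and DS [2, 4, 8], SFGI 1, FWI 8, CID supported, no NAD) and reports the CRC_A as valid; flip any bit of the body or the CRC and `crc_ok` goes false, which is a quick sanity check on a sniffed or hand-typed ATS before reasoning about it.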

#7 2017-06-27 19:12:10

atmel9077
Contributor
Registered: 2017-06-25
Posts: 21

Re: Assumptions about Legic Advant

What's funny is that it's recognized as a MIFARE DESFire card... but the manufacturer is EM Microelectronic Marin! I think it's still a memory card; it just accepts DESFire commands and acts like the ATC4096 (which is a real DESFire). As you can see, the configuration is not changeable, which makes me think it's a memory card.

When I visited the EM Microelectronic Marin site I found an RF front end for ISO 14443A/B/15693. This front end (EM4094) can demodulate 848, 424 and, surprisingly, 212 kHz subcarriers, the subcarrier frequency of Legic Prime. Maybe it was used in old Legic readers?




#8 2017-06-28 18:19:31

Jason
Contributor
Registered: 2016-07-21
Posts: 38

Re: Assumptions about Legic Advant

atmel9077 wrote:

This front end (EM4094) can demodulate 848, 424 and, surprisingly, 212 kHz subcarriers, the subcarrier frequency of Legic Prime. Maybe it was used in old Legic readers?

I can't confirm this. In the very old Legic Prime reader modules (Legic only sells modules/chips), e.g. SM-05S reader modules, inside the housing you will find a NEC µC marked with "LEGIC SM" and a 24-pin SOIC RF ASIC marked with "LEGIC R21FV". The construction is very similar to the series 2000 Advant reader modules, with the combination of such a Legic custom RF ASIC and the mentioned Renesas µC. The newest Advant 4000 series drops this kind of construction and just uses a single chip. My guess is that this chip is from NXP ('cause they have a great µC portfolio), but it could be of any other brand as well. But the package is very specific; I haven't seen such a construction on any other chip yet. It is not completely developed by Legic for sure, but the RF front end does not seem to be just a design reused from something else on the market.
Maybe they packaged the existing RF ASIC in combination with a µC into a single-package combination for the SM-4000, but I don't know. It's an interesting question... maybe I'll try to grind off the silicon in the package.


#9 2017-06-28 18:30:03

Jason
Contributor
Registered: 2016-07-21
Posts: 38

Re: Assumptions about Legic Advant

BTW:

atmel9077 wrote:

As you can see, the configuration is not changeable, which makes me think it's a memory card.

The configuration settings have nothing to do with any further assumptions. It is very common for DESFire to lock it this way. Normally the master key is allowed to change, but not on all cards you will find in the market.
Anyway: it still could be a real DESFire clone or just some kind of limited function (e.g. the free memory command returns garbage: this card will not have 10MB of capacity...), even a software implementation (e.g. emulation) on any kind of processor card is possible. But just to note that: the last option seems to be not true, since the price of the blank cards had to be more expensive than...

