Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2018-06-13 15:29:57

61106960
Contributor
Registered: 2018-06-12
Posts: 5

Read Legic Token

I am struggeling with a Legic Token.
The chip should be a Legic Advant ATC1024 or a Legic Prime MIM1024 (I am not sure) and I am not realy able to read it.

I have 2 different token/cards of the same system and they behave completely in the same way.

Here are the steps I made with the latest Iceman Fork.

[ ARM ]
bootrom: master/v3.0.1-361-ge069547-suspect 2018-04-16 16:04:18
      os: iceman/master/ice_v3.1.0-876-g49c8ec65 2018-06-05 13:23:58
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

[ Hardware ]
  --= uC: AT91SAM7S256 Rev D
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 238736 bytes (91%) Free: 23408 bytes ( 9%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory


hf search (exact the same output for both cards)
UID  : E0 04 01 50 4A 60 75 3C
TYPE : NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)

[+] Valid ISO15693 Tag Found


hf 15 info * (exact the same output for both cards)
Detected UID E0 04 01 50 4A 60 75 3C
  UID  : E0 04 01 50 4A 60 75 3C
  TYPE : NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)
  SYSINFO : 00 0F 3C 75 60 4A 50 01 04 E0 00 C2 1B 03 01
     - DSFID supported        [0x00]
     - AFI   supported        [0xC2]
     - IC reference supported [0x01]
     - Tag provides info on memory layout (vendor dependent)
           4 (or 3) bytes/blocks x 28 blocks


hf 15 dump (exact the same output for both cards)      
block#   | data         |lck| ascii
---------+--------------+---+----------
  0/0x00 | 11 02 01 30  | 0 | ...0
  1/0x01 | 30 30 30 30  | 0 | 0000
  2/0x02 | 33 30 36 35  | 0 | 3065
  3/0x03 | 38 33 30 32  | 0 | 8302
  4/0x04 | 39 00 00 DB  | 0 | 9...
  5/0x05 | 75 44 45 4D  | 0 | uDEM
  6/0x06 | 33 36 00 00  | 0 | 36..
  7/0x07 | 00 00 00 00  | 0 | ....
  8/0x08 | 00 00 00 00  | 0 | ....
  9/0x09 | 00 00 00 00  | 0 | ....
10/0x0A | 00 00 00 00  | 0 | ....
11/0x0B | 00 00 00 00  | 0 | ....
12/0x0C | 00 00 00 00  | 0 | ....
13/0x0D | 00 00 00 00  | 0 | ....
14/0x0E | 00 00 00 00  | 0 | ....
15/0x0F | 00 00 00 00  | 0 | ....
16/0x10 | 00 00 00 00  | 0 | ....
17/0x11 | 00 00 00 00  | 0 | ....
18/0x12 | 00 00 00 00  | 0 | ....
19/0x13 | 00 00 00 00  | 0 | ....
20/0x14 | 00 00 00 00  | 0 | ....
21/0x15 | 00 00 00 00  | 0 | ....
22/0x16 | 00 00 00 00  | 0 | ....
23/0x17 | 00 00 00 00  | 0 | ....
24/0x18 | 00 00 00 00  | 0 | ....
25/0x19 | 00 00 00 00  | 0 | ....
26/0x1A | 00 00 00 00  | 0 | ....
27/0x1B | 00 00 00 00  | 0 | ....

[+] saved 28 blocks to text file hf-15-3C75604A500104E0-dump.eml
[+] saved 112 bytes to binary file hf-15-3C75604A500104E0-dump.bin


Here are the steps I made with the latest official proxmark SW.

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-361-ge069547-suspect 2018-04-16 16:04:18
os: master/v3.0.1-375-g2bb7f7e-suspect 2018-06-05 11:25:34
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199763 bytes (76%). Free: 62381 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory


hf search (exact the same output for both cards)
Tag UID : E00401504A60753C
Tag Info: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)

Valid ISO15693 Tag Found - Quiting Search


hf 15 read (exact the same output for both cards)
Reading memory from tag UID=E00401504A60753C
Tag Info: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)
Block 00   11 02 01 30    ...0
Block 01   30 30 30 30    0000
Block 02   33 30 36 35    3065
Block 03   38 33 30 32    8302
Block 04   39 00 00 DB    9...
Block 05   75 44 45 4D    uDEM
Block 06   33 36 00 00    36..
Block 07   00 00 00 00    ....
Block 08   00 00 00 00    ....
Block 09   00 00 00 00    ....
Block 0a   00 00 00 00    ....


From my point of view that does not make sense, at least as these are two different cards.
I had exptected that the cards should be detected as Legic cards and not as ISO15693.

Can somebody help me with this topic?

Offline

#2 2018-07-26 10:01:10

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Read Legic Token

This isn't a Legic prime card. It's an advant card.
The encryption of advant cards are not yet known, so Proxmark can not read this card.

Legic advant is a technology-reuse of various technologies present on the market. The most known reuse are the DESfire medias for the EAL4 certieifed Legic media types. Therfore Proxmark will detect them "as is", in this case an ISO 15693 type of card. Because they are...

Offline

Pages: 1

Board footer

Powered by FluxBB