Research, development and trades concerning the powerful Proxmark3 device.
If a long pulse is "1" and a short pulse is "0", this is what the reader generates every time it sends a new request. The trace was recorded with no card present. Where can I find information about this request?
1110000
1111101
1110111
1010000
1010110
1000001
1111000
1110101
1111000
1000011
1010111
1010101
1011101
1011110
1001111
1101000
1010110
1001001
1011100
1001100
1000000
If it's Legic, try chapter 3, "Legic prime protocol", in https://sar.informatik.hu-berlin.de/res … 11-03_.pdf
It looks like the initialization frame with RAND (7 bits in LSB order) and LSB=1.
@iceman: Thank you very much for your answer!
Part of the table of requests and responses:
53 3F
55 3B (on the image)
59 20
5B 26
5D 1A
5F 1C
61 28
63 28
65 20
67 30
69 02
6B 22
6D 22
6F 32
71 19
73 28
75 31
77 38
Do I understand correctly that the card response is an XOR with a special Legic function?
Hm, let's assume your first column is the RAND (IV for the LFSR).
Reader sends IV (0x55), 7 bits (sample from your post).
Tag answers with an obfuscated tag type.
Plaintext tag types:
0x0D == mim22
0x1D == mim256
0x3D == mim1024
53 ^ 3F = 6C
55 ^ 3B = 6E
59 ^ 20 = 79
5B ^ 26 = 7D
5D ^ 1A = 47
5F ^ 1C = 43
Your list doesn't "decrypt" to valid tag types...
Good question, let's see; I haven't found anything in the available documents either. You should ask the authors?
The legic_prng_forward function deals with Operation A, B.
The legic_prng_get_bit function should be your multiplexer:
the A part gives a shift index, to be used on B >> (shift A) = 1 bit out.
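As an added example (my own code, not from this thread or from the Proxmark3 project), here is a small C program that reads the 7-bit trace lines from the first post LSB-first, the way iceman interprets them, confirms the LSB=1 property, and runs his request-XOR-response test against the plaintext tag types over the whole table posted above. The names rand_from_trace, xor_tag_type and count_xor_hits are mine; the PRNG itself (legic_prng_forward / legic_prng_get_bit) is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Turn one 7-bit trace line such as "1111101" into a byte, taking the
 * first pulse as the LSB (iceman's reading). Returns -1 on malformed input. */
int rand_from_trace(const char *bits) {
    if (strlen(bits) != 7) return -1;
    int v = 0;
    for (int i = 0; i < 7; i++) {
        if (bits[i] != '0' && bits[i] != '1') return -1;
        v |= (bits[i] - '0') << i;            /* LSB-first */
    }
    return v;
}

/* Plaintext tag types quoted in the thread: MIM22, MIM256, MIM1024. */
static const uint8_t TAG_TYPES[] = { 0x0D, 0x1D, 0x3D };

/* iceman's test: does request XOR response give a known tag type?
 * Returns the tag type on a hit, 0 otherwise. */
uint8_t xor_tag_type(uint8_t req, uint8_t resp) {
    uint8_t x = req ^ resp;
    for (size_t i = 0; i < sizeof TAG_TYPES; i++)
        if (x == TAG_TYPES[i]) return x;
    return 0;
}

/* Request/response pairs copied from the table posted in the thread. */
static const uint8_t PAIRS[][2] = {
    {0x53,0x3F},{0x55,0x3B},{0x59,0x20},{0x5B,0x26},{0x5D,0x1A},{0x5F,0x1C},
    {0x61,0x28},{0x63,0x28},{0x65,0x20},{0x67,0x30},{0x69,0x02},{0x6B,0x22},
    {0x6D,0x22},{0x6F,0x32},{0x71,0x19},{0x73,0x28},{0x75,0x31},{0x77,0x38},
};
#define NPAIRS (sizeof PAIRS / sizeof PAIRS[0])

/* How many pairs does the plain-XOR hypothesis explain? */
int count_xor_hits(void) {
    int hits = 0;
    for (size_t i = 0; i < NPAIRS; i++)
        if (xor_tag_type(PAIRS[i][0], PAIRS[i][1])) hits++;
    return hits;
}

int main(void) {
    const char *trace[] = { "1110000", "1111101", "1110111", "1010000" };
    for (size_t i = 0; i < 4; i++) {
        int r = rand_from_trace(trace[i]);
        printf("%s -> RAND 0x%02X (LSB=%d)\n", trace[i], r, r & 1);
    }
    printf("plain XOR explains %d of %zu pairs\n", count_xor_hits(), (size_t)NPAIRS);
    return 0;
}
```

Note that the second and third trace lines decode to 0x5F and 0x77, both of which appear as requests in the table, which supports the LSB-first reading.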
I know the feeling when you have questions and no one asks.
Been trying to make the Legic code better, got some of the tracelog out with stuff which helps in understanding this very simple protocol. I still don't get when the PRNG skips forward: when sending, it's the bit period (100us/60us), and when not sending it is (100us, well 99.1us according to the documents). But is "not sending" the pause between frames?!?
I recorded only the Tx signal (channel 5).
How the Rx signal appeared on the non-connected channel 6, I do not understand until now!
I repeat the recording again and again, but the Rx signal does not appear.
Maybe the capacitance between wires 5 and 6 has such an effect.
well, yes...
When carefully reading the available documentation, they say about the PRNG:
1) normal iteration is 99.1us
2) when sending, it follows the bit frames, i.e. 100us (ONE), 60us (ZERO)
This is my problem at the moment, to verify these claims in the paper...
I just can't get your trace to match up with these statements from the papers
No, my timing issue is with the tx/rx frame and which step in time the PRNG is at.
The crc4 from the "read byte" response is a later problem. As it is now, the crc doesn't work anymore in my fork.
But one problem at a time.