Research, development and trades concerning the powerful Proxmark3 device.
Hi,
I just pushed a new branch on my fork [0] that allows reading/writing a legic prime tag by specifying an arbitrary IV.
This is one step closer towards understanding how simulation code might work.
As an example, with 0x11 for IV, the command for reading is:
proxmark3> hf legic reader 0x11
and the command for writing (with 0x10 being the offset and 0x1 the length) is:
proxmark3> hf legic write 0x10 0x1 0x11
The help messages are also up-to-date.
This code confirms that the PRNG fix proposed in [1] is correct.
Wil
[0] https://github.com/wllm-rbnt/proxmark3/tree/legicfix
[1] http://www.proxmark.org/forum/viewtopic … 5437#p5437
Current status after endless checks, snoops, traces, compilations & flashes. HUGE thanks to @wil here.
New functions:
- A nice tracelog http://pastebin.com/2fBfCfhW
- added legic to "hf search"
- can use ANY IV for legic prng initialisation.
Changes, Changes, breaking changes in iceman fork.
Command name changes.
hf legic info is now "hf legic reader"
hf legic read is now "hf legic rdmem"
hf legic decode is now "hf legic info"
New command
"hf legic dump" -- which dumps a tag to a binary file
Some emulator memory functions:
hf legic eload - uploads a binary file to emulator mem.
hf legic esave - saves emulator memory to a binary file.
Works with the dump command quite well.
Now everything is prepared for the WRITE & SIM commands to be updated.
Success! The updated write command now works.
pm3 --> hf legic write h
Write sample buffer to a legic tag. (use after load or read)
Usage: hf legic write [h] o <offset> d <data (hex symbols)>
Options:
h : this help
o <offset> : offset in data array to start writing
d <data> : bytes to write (hex symbols)
Samples:
hf legic write o 10 d 11223344 - Write 0x11223344 starting from offset 0x10
pm3 -->
pm3 --> hf legic write o 08 d 1122334455
TYPE : MIM256 card (234 bytes)
Writing to tag
pm3 --> hf list legic
Recorded Activity (TraceLen = 189 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
LEGIC - Timings are in ticks (1us == 1.5ticks)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 969 | Rdr |07 55 00 00 55 00 00 | | IV 0x55
1016 | 2350 | Tag |06 1d 00 | | MIM256
2705 | 3513 | Rdr |06 39 00 00 19 00 00 | | ACK 256/1024
3798 | 6508 | Rdr |15 18 aa 10 4e 3a 0a | | WRITE Byte(12) 55
6519 | 12111 | Tag |01 01 27 00 | |
12389 | 14861 | Rdr |15 16 88 1a 01 ac 02 | | WRITE Byte(11) 44
14872 | 20464 | Tag |01 01 27 00 | |
20743 | 23694 | Rdr |15 14 66 0a df 17 07 | | WRITE Byte(10) 33
23705 | 29295 | Tag |01 01 27 00 | |
29574 | 32224 | Rdr |15 12 44 04 e4 87 08 | | WRITE Byte(9) 22
32235 | 37828 | Tag |01 01 27 00 | |
38107 | 40756 | Rdr |15 10 22 12 b8 42 13 | | WRITE Byte(8) 11
40767 | 46359 | Tag |01 01 27 00 | |
pm3 -->
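The trace above is the record a practitioner actually checks after a write: one IV frame from the reader, the tag announcing MIM256, then one WRITE frame per byte, each answered by the tag. The following is an added example, not code from the iceman fork or from this thread: a small Python parser for "hf list legic" rows that rebuilds the offset and data the write command must have been given and checks that every WRITE got a tag reply. The sample rows are the ones quoted above, pasted as a constructed string; the column meanings follow the trace header (ticks, 1us == 1.5 ticks, "!" marks a parity error).

```python
import re

# Constructed sample: the data rows of the "hf list legic" trace quoted in the
# post above (header lines left out; pasted text, not a live capture).
SAMPLE_TRACE = """\
0 | 969 | Rdr |07 55 00 00 55 00 00 | | IV 0x55
1016 | 2350 | Tag |06 1d 00 | | MIM256
2705 | 3513 | Rdr |06 39 00 00 19 00 00 | | ACK 256/1024
3798 | 6508 | Rdr |15 18 aa 10 4e 3a 0a | | WRITE Byte(12) 55
6519 | 12111 | Tag |01 01 27 00 | |
12389 | 14861 | Rdr |15 16 88 1a 01 ac 02 | | WRITE Byte(11) 44
14872 | 20464 | Tag |01 01 27 00 | |
20743 | 23694 | Rdr |15 14 66 0a df 17 07 | | WRITE Byte(10) 33
23705 | 29295 | Tag |01 01 27 00 | |
29574 | 32224 | Rdr |15 12 44 04 e4 87 08 | | WRITE Byte(9) 22
32235 | 37828 | Tag |01 01 27 00 | |
38107 | 40756 | Rdr |15 10 22 12 b8 42 13 | | WRITE Byte(8) 11
40767 | 46359 | Tag |01 01 27 00 | |
"""

TICKS_PER_US = 1.5  # from the trace header: "1us == 1.5ticks"

IV_RE = re.compile(r"IV 0x([0-9a-fA-F]+)")
WRITE_RE = re.compile(r"WRITE Byte\((\d+)\)\s+([0-9a-fA-F]{2})")


def parse_trace(text):
    """Parse 'hf list legic' rows into dicts. Header, separator and blank
    lines are skipped; a '!' in the data column is recorded as a parity error."""
    frames = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or not stripped[0].isdigit():
            continue
        cols = [c.strip() for c in stripped.split("|")]
        if len(cols) < 4:
            continue
        data_col = cols[3]
        frames.append({
            "start": int(cols[0]),
            "end": int(cols[1]),
            "us": (int(cols[1]) - int(cols[0])) / TICKS_PER_US,
            "src": cols[2],
            "data": bytes.fromhex(data_col.replace("!", "").replace(" ", "")),
            "parity_error": "!" in data_col,
            "annotation": cols[5] if len(cols) > 5 else "",
        })
    return frames


def session_info(frames):
    """IV chosen by the reader and the card type the tag announced."""
    iv, card = None, None
    for f in frames:
        m = IV_RE.search(f["annotation"])
        if m and f["src"] == "Rdr":
            iv = int(m.group(1), 16)
        elif f["src"] == "Tag" and f["annotation"] and card is None:
            card = f["annotation"]
    return iv, card


def write_sequence(frames):
    """(address, value) pairs in the order the reader sent the WRITE frames."""
    seq = []
    for f in frames:
        m = WRITE_RE.search(f["annotation"])
        if m and f["src"] == "Rdr":
            seq.append((int(m.group(1)), int(m.group(2), 16)))
    return seq


def reconstruct_write(frames):
    """Rebuild the (offset, data) that 'hf legic write o <offset> d <data>'
    must have been given; raises if the written addresses are not contiguous."""
    seq = write_sequence(frames)
    if not seq:
        return None
    addrs = sorted(a for a, _ in seq)
    if addrs != list(range(addrs[0], addrs[-1] + 1)):
        raise ValueError("non-contiguous write addresses: %r" % addrs)
    by_addr = dict(seq)
    return addrs[0], bytes(by_addr[a] for a in addrs)


def writes_acknowledged(frames):
    """True if every reader WRITE frame is immediately followed by a tag frame
    without a parity error; a missing reply means that byte may not be on the card."""
    for i, f in enumerate(frames):
        if f["src"] == "Rdr" and WRITE_RE.search(f["annotation"]):
            nxt = frames[i + 1] if i + 1 < len(frames) else None
            if nxt is None or nxt["src"] != "Tag" or nxt["parity_error"]:
                return False
    return True


if __name__ == "__main__":
    fr = parse_trace(SAMPLE_TRACE)
    print("IV/card:", session_info(fr))
    print("write order:", [a for a, _ in write_sequence(fr)])
    print("reconstructed:", reconstruct_write(fr))
    print("all writes acked:", writes_acknowledged(fr))
```

Run against the quoted trace this recovers offset 8 and data 1122334455, matching the command that was typed, and shows that the tool writes the highest address first (12 down to 8).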
wow, nice work!
(y)
Works
hf legic dump o myfile
hf legic restore i myfile -- does not overwrite the first 7 bytes on the card, i.e. doesn't overwrite the DCF
hf legic write -- now asks if the user wants to overwrite the DCF bytes at offset 5,6
Almost there, only sim left to do.
And another good-to-have command:
pm3 --> hf legic wipe h
Fills a legic tag memory with zeros. From byte7 and to the end.
Usage: hf legic wipe [h]
Options:
h : this help
Samples:
hf legic wipe
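The two posts above describe three safeguards around the same memory image: restore never touches bytes 0..6, wipe zeros from byte 7 to the end, and a write that lands on the DCF bytes at offsets 5 and 6 needs an explicit yes from the user. As an added example (not the iceman fork's C code, and not from this thread), here is a Python model of a MIM256 image that encodes those rules so they can be checked against a dump before touching a card; the 234-byte size comes from the write output above, the header bytes in make_tag are placeholders rather than a real LEGIC layout, and the write helper sends bytes highest address first as the trace in the earlier post shows.

```python
MIM256_SIZE = 234        # bytes reported by "hf legic write" for a MIM256 card
PROTECTED_PREFIX = 7     # restore and wipe leave bytes 0..6 alone (per the posts)
DCF_OFFSETS = (5, 6)     # bytes "hf legic write" asks about before overwriting


def make_tag(fill=0xA5):
    """Constructed MIM256 image: hypothetical 7-byte header plus filler.
    The header values are placeholders for the example, not a LEGIC layout."""
    header = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0xAB, 0xCD])
    return bytearray(header + bytes([fill]) * (MIM256_SIZE - len(header)))


def dump(tag):
    """hf legic dump: the whole tag memory, header included, as a file image."""
    return bytes(tag)


def restore(tag, image):
    """hf legic restore: copy the image onto the tag without touching bytes 0..6,
    so the card keeps its own DCF even if the image came from another card."""
    if len(image) != len(tag):
        raise ValueError("image size %d != tag size %d" % (len(image), len(tag)))
    tag[PROTECTED_PREFIX:] = image[PROTECTED_PREFIX:]
    return tag


def wipe(tag):
    """hf legic wipe: zeros from byte 7 to the end, header left intact."""
    tag[PROTECTED_PREFIX:] = bytes(len(tag) - PROTECTED_PREFIX)
    return tag


def write(tag, offset, data, confirm_dcf=lambda: False):
    """hf legic write o <offset> d <data>: one WRITE per byte, highest address
    first (as the trace shows). Returns the (address, value) pairs in send
    order. If the range covers offset 5 or 6 the user must confirm, otherwise
    nothing is written and [] is returned."""
    end = offset + len(data)
    if offset < 0 or end > len(tag):
        raise ValueError("write of %d bytes at offset %d exceeds %d-byte tag"
                         % (len(data), offset, len(tag)))
    if any(offset <= o < end for o in DCF_OFFSETS) and not confirm_dcf():
        return []
    sent = []
    for addr in range(end - 1, offset - 1, -1):
        tag[addr] = data[addr - offset]
        sent.append((addr, data[addr - offset]))
    return sent


if __name__ == "__main__":
    tag = make_tag()
    image = dump(tag)
    wipe(tag)
    restore(tag, image)
    print("roundtrip ok:", bytes(tag) == image)
    print("write order:", [a for a, _ in write(tag, 0x08, bytes.fromhex("1122334455"))])
    print("write on DCF without confirm:", write(tag, 5, b"\xff\xff"))
```

The point of the model is the asymmetry: bulk operations silently skip the protected prefix, while a targeted write is allowed to hit it but only after the prompt, which is exactly the behaviour the thread describes for restore versus write.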