Proxmark3 community

#1 2021-10-11 21:38:10

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Carpark - Timestamp

Hi there,

A few days ago I parked at a carpark that uses LEGIC Prime cards as an access control system. Luckily I was able to get a read before and after the payment.

I arrived on October 6th at roughly 17:45 CEST (i.e. 5:45 p.m.) and I parked for 4h:39min. The card at that time was:

[usb] pm3 --> hf legic info
[+] Reading full tag memory of 256 bytes...

[+]  CDF: System Area
------------------------------------------------------
[+] MCD: 81 MSN: FE D7 39  MCC: 13 (OK)
[+] DCF: 60000 (60 ea), Token Type = IM-S (OLE = 0)
[+] WRP = 15, WRC = 1, RD = 1, SSC = FF
[+] Remaining Header Area
[+] 00 00 00 11 01 06 80 00 00 FD 61 00 00 
------------------------------------------------------
[+] ADF: User Area
------------------------------------------------------
[+] Segment     | 01
[+] raw header  | 0x74 0xC0 0x07 0x40
[+] Segment len | 116,  Flag: 0xC (valid:1, last:1)
[+]             | WRP: 07, WRC: 04, RD: 0, CRC: 0x34 (OK)

[+] WRC protected area:   (I 27 | K 0| WRC 4)


row  | data
-----+------------------------------------------------
[=] 00 | 50 38 14 00                                     | P8..
-----+------------------------------------------------

[+] Remaining write protected area:  (I 31 | K 31 | WRC 4 | WRP 7  WRP_LEN 3)

row  | data
-----+------------------------------------------------
[=] 00 | 01 AE 5D                                        | ..]
-----+------------------------------------------------

[+] Remaining segment payload:  (I 34 | K 34 | Remain LEN 104)

-----+------------------------------------------------
[=] 00 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 01 | FF FF FF FF FF FF FF FF FF FF 6B 01 68 2A 2C 04 | ..........k.h*,.
[=] 02 | 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 FF | ................
[=] 03 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 04 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 05 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 06 | FF FF FF FF FF FF FF FF                         | ........
-----+------------------------------------------------

After I had paid, the only difference was in the area of the remaining segment payload:

[+] Remaining segment payload:  (I 34 | K 34 | Remain LEN 104)

row  | data
-----+------------------------------------------------
[=] 00 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 01 | FF FF FF FF FF FF FF FF FF FF 58 05 68 2A 2C 04 | ..........X.h*,.
[=] 02 | 00 00 00 00 00 00 00 00 00 68 2A 42 05 32 00 FF | .........h*B.2..
[=] 03 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 04 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 05 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 06 | FF FF FF FF FF FF FF FF                         | ........
-----+------------------------------------------------

In addition to that, I had access to a different card. However, I do not have any information about arrival, park duration or when the carpark was left. The read of the last part is the following:

[+] Remaining segment payload:  (I 34 | K 34 | Remain LEN 104)

row  | data
-----+------------------------------------------------
[=] 00 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 01 | FF FF FF FF FF FF FF FF FF FF 5C 05 68 2A 69 04 | ..........\.h*i.
[=] 02 | 00 00 00 00 00 00 00 00 00 68 2A 31 05 00 00 FF | .........h*1....
[=] 03 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 04 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 05 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
[=] 06 | FF FF FF FF FF FF FF FF                         | ........
-----+------------------------------------------------

My guess is that the card should probably store the actual date and contain at least one timestamp (i.e. arrival, duration, etc.). Furthermore, I guess the information that the ticket is paid should also be stored somewhere. I tried to figure out how timestamps are stored in hex, but I was not able to track either the actual date, my arrival or leave time, or the duration. Any ideas?

Thanks and regards

Last edited by Dose13 (2021-10-12 11:37:18)


#2 2021-10-12 21:07:09

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Re: Carpark - Timestamp

The best guess that I have for now is the following:

The 6B 01 in little endian is 01 6B which equals 363 in dec, divided by 60 = 6.05 -> 18h + .05*60 = 18:03

I did this also with:

5805 -> 0558 -> 1368 dec -> 22.8 -> 22:48h
4205 -> 0542 -> 1372 dec -> 22.43 -> 22:26h

The funny thing is that these are roughly the times when I entered and left the area but they do not match. I am 100% sure that I got my ticket well before 18:00. Any hints or ideas are highly appreciated!

Last edited by Dose13 (2021-10-13 01:43:39)
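
The minutes-since-midnight reading tried in post #2, applied to each non-FF word of the three dumps from post #1 so the cards can be compared side by side. This is an added example, not part of the thread; the word offsets (a guessed field layout) and the names `ROWS`, `WORD_OFFSETS`, `decode` and `changed_words` are assumptions made for illustration.

```python
"""Decode 16-bit little-endian words of the LEGIC payload as minutes of day."""

# Rows 01 and 02 of "Remaining segment payload", copied from post #1.
ROWS = {
    "before payment": "FF FF FF FF FF FF FF FF FF FF 6B 01 68 2A 2C 04 "
                      "00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 FF",
    "after payment":  "FF FF FF FF FF FF FF FF FF FF 58 05 68 2A 2C 04 "
                      "00 00 00 00 00 00 00 00 00 68 2A 42 05 32 00 FF",
    "other card":     "FF FF FF FF FF FF FF FF FF FF 5C 05 68 2A 69 04 "
                      "00 00 00 00 00 00 00 00 00 68 2A 31 05 00 00 FF",
}

# Assumed layout (not confirmed anywhere in the thread): six 16-bit
# little-endian words at these offsets, counted from the start of row 01.
WORD_OFFSETS = (10, 12, 14, 25, 27, 29)


def as_minute_of_day(value):
    """Return 'HH:MM' for 1..1439, else None (0 is treated as an empty field)."""
    if 0 < value < 24 * 60:
        return f"{value // 60:02d}:{value % 60:02d}"
    return None


def decode(hex_rows):
    """Return {offset: (raw_hex, value, hhmm_or_None)} for each assumed word."""
    data = bytes.fromhex(hex_rows)
    out = {}
    for off in WORD_OFFSETS:
        raw = data[off:off + 2]
        value = int.from_bytes(raw, "little")
        out[off] = (raw.hex(" ").upper(), value, as_minute_of_day(value))
    return out


def changed_words(before, after):
    """Offsets whose raw word differs between two decoded dumps."""
    return [off for off in WORD_OFFSETS if before[off][0] != after[off][0]]


if __name__ == "__main__":
    decoded = {name: decode(rows) for name, rows in ROWS.items()}
    for name, words in decoded.items():
        print(name)
        for off, (raw, value, hhmm) in words.items():
            print(f"  +{off:2d}  {raw}  {value:5d}  {hhmm or '-'}")
    print("changed by payment:",
          changed_words(decoded["before payment"], decoded["after payment"]))
```

Under this reading the word `2C 04`, which payment leaves unchanged, comes out as 17:48, close to the roughly 17:45 arrival given in post #1, while `68 2A` (10856) is outside the minute-of-day range on all three dumps. These are arithmetic observations on the posted bytes, not confirmed field meanings.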


#3 2022-01-13 09:51:55

mosci
Contributor
Registered: 2016-01-09
Posts: 94
Website

Re: Carpark - Timestamp

Hi ... any progress?

Is there a number printed on that card?
That's usual on LEGIC cards, and you need to find that 'uid' within your data ...
not necessarily post it here, since that might be your user-id in the carpark-system
(I assume it's a 'member-card', not an anonymous one ;) )


#4 2022-01-13 21:07:49

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Re: Carpark - Timestamp

Hi mosci,

Unfortunately I did not make any progress. I had a feeling that I am on the wrong track. ... My guess for now is that what I wrote back in October is complete nonsense. According to doegox's GitHub issue 896 (https://github.com/RfidResearchGroup/proxmark3/issues/896), where he wrote

LEGIC - Reader Mode: Timings are in ticks (1us == 1.5ticks), Tag mode: (1/212 kHz == 4.7us)

I am now thinking that the timestamps are somehow correlating with these ticks. However, I have no clue in what way.

Honestly, it is an anonymous card. I had a chance to get one. The number printed on the card is 23982 (i.e. 5D AE). I posted the entire output in my first post. This number appears in the "remaining write protected" area.

If you have any further ideas or guesses let me know.

Last edited by Dose13 (2022-01-13 21:13:54)
