Research, development and trades concerning the powerful Proxmark3 device.
I got some info on an older rfid system used in France called "Visa2000".
Simple LF based on T55x7.
Even if the tag format is not all quite understood, I've added a Clone/Sim/Read for it in iceman fork.
Offline
Per request of Iceman, here are some dumps with engraved ID:
56495332 00096ebd 00000077 —> tag id 618173
56495332 00093f31 00000017 —> tag id 606001
56495332 00075506 00000101 —> tag id 480518
Got a tag ID 480539 already broken, if checksum is found, I can test it on the reader that usually accepted it.
Block 0 is not found now. To be continued..
Offline
t55x7 layout
blk | bytes
--+-----------
0 | 00148068 --> STT, maxblock3, ask/manchester, clock 64
1 | 56495332 --> preamp fixed 'VIS2'
2 | 00096ebd --> cardid in hex
3 | 00000077 --> unknown checksum/parity
Question is the unknown block 3 data.
Offline
To make a clone, the current implementation sets block3 to zero.
lf t55 wr b 0 d 00148068
lf t55 wr b 1 d 56495332
lf t55 wr b 2 d 00ab4130
lf t55 wr b 3 d 00000000
Offline
Strong connection between xoring nibbles in block 2, with last nibble in block3.
0^0^0^9^6^e^b^d = 7
0^0^0^9^3^f^3^1 = 7
0^0^0^7^5^5^0^6 = 1
Offline
I've added this chksum to LF VISA2000 commands now.
Offline
More tags are needed
Offline
Thanks to @.... we got some more samples to play with.
56495332 00095996 0000000A FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
56495332 00093F31 00000017 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
56495332 0009A598 00000017 00000000000000000000000000000000
56495332 000656EE 00000035 518175E4000000000000000000000000
56495332 00093853 00000044 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
56495332 0009FD2B 00000072 00000000000000000000000000000000
56495332 00096EBD 00000077 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
56495332 000A10C5 00000082 00000000000000000000000000000000
56495332 00098D37 000000D8 00000000000000000000000000000000
56495332 0009EE61 000000DE 00000000000000000000000000000000
56495332 000A221F 000000E4 00000000000000000000000000000000
56495332 00097DB8 000000F0 00000000000000000000000000000000
56495332 000982D8 000000F6 00000000000000000000000000000000
56495332 000A1E48 000000F9 00000000000000000000000000000000
56495332 0004C3B0 00000120 55555555AAAAAAAA55555555AAAAAAAA
56495332 0001DEE4 000001F8 00000000000000000000000000000000
Offline
OK, figured out the unknown byte.
It's not a checksum, it's the even parity of all the nibbles in the ID.
0001DEE4 000001F8
eeeeeeee      eex
xxxxxxxxx
x = xor of nibbles.
e = 0x1F (
even parity of 0x0 (0000) = 0
even parity of 0x0 (0000) = 0
even parity of 0x0 (0000) = 0
even parity of 0x1 (0001) = 1
even parity of 0xD (1101) = 1
even parity of 0xE (1110) = 1
even parity of 0xE (1110) = 1
even parity of 0x4 (0100) = 1
0001 1111 = 0x1F
)
Offline
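The block 3 layout worked out in this thread (one even-parity bit per ID nibble, followed by the XOR of the nibbles), as an added example that is not code from the thread or from the iceman fork. Function names are hypothetical; the sample pairs are copied from the dumps posted above.

```python
# Added example: VISA2000 block 3 as derived in the thread.
# Function names are hypothetical; SAMPLES are (block 2, block 3) pairs
# copied from the dumps posted above.

def nibbles(card_id: int) -> list[int]:
    """Split the 32-bit block 2 value into 8 nibbles, most significant first."""
    return [(card_id >> shift) & 0xF for shift in range(28, -4, -4)]

def visa2000_block3(card_id: int) -> int:
    """Return block 3: eight per-nibble parity bits, then the nibble XOR."""
    if not 0 <= card_id <= 0xFFFFFFFF:
        raise ValueError("card id must fit in one 32-bit T55x7 block")
    parity = 0
    xor = 0
    for n in nibbles(card_id):
        # Parity bit is 1 when the nibble has an odd number of set bits.
        parity = (parity << 1) | (bin(n).count("1") & 1)
        xor ^= n
    return (parity << 4) | xor

SAMPLES = [
    (0x00096EBD, 0x077), (0x00093F31, 0x017), (0x00075506, 0x101),
    (0x00095996, 0x00A), (0x0009A598, 0x017), (0x000656EE, 0x035),
    (0x000A221F, 0x0E4), (0x0004C3B0, 0x120), (0x0001DEE4, 0x1F8),
]

def check_samples(samples=SAMPLES) -> list[tuple[int, int, int]]:
    """Return (id, expected, computed) for every sample that does not match."""
    return [(cid, want, visa2000_block3(cid))
            for cid, want in samples if visa2000_block3(cid) != want]

def clone_commands(card_id: int) -> list[str]:
    """Build the four write commands in the syntax used earlier in the thread."""
    blocks = [0x00148068, 0x56495332, card_id, visa2000_block3(card_id)]
    return [f"lf t55 wr b {i} d {value:08X}" for i, value in enumerate(blocks)]

if __name__ == "__main__":
    print("mismatches:", check_samples())
    for line in clone_commands(618173):  # engraved ID from the first dump
        print(line)
```
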