Research, development and trades concerning the powerful Proxmark3 device.
Hello,
I was requested by my company to have a look at our company cards, so I got myself a Proxmark and started to analyse the cards. Thanks to all the good information provided here I was able to dump and simulate my card quite easily. However, when trying to clone it to another card bought from the internet I was not lucky. I assume there is a CRC I was not able to reproduce, so maybe someone has already seen the following segment structure:
[+] CDF: System Area
------------------------------------------------------
[+] MCD: XX MSN: XX XX XX MCC: 1B ( OK )
[+] DCF: 60000 (60 ea), Token Type = IM-S (OLE = 0)
[+] WRP = 15, WRC = 1, RD = 1, SSC = FF
[+] Remaining Header Area
[+] 00 00 00 11 02 53 C0 08 C0 69 97 00 00
------------------------------------------------------
[+] ADF: User Area
------------------------------------------------------
[+] Segment | 01
[+] raw header | 0x18 0x40 0x0B 0x00
[+] Segment len | 24, Flag: 0x4 (valid:1, last:0)
[+] | WRP: 11, WRC: 00, RD: 0, CRC: 0x54 ( OK )
[+] Remaining write protected area: (I 27 | K 0 | WRC 0 | WRP 11 WRP_LEN 11)
row | data
-----+------------------------------------------------
[00] | 20 00 YY YY 00 00 ZZ ZZ ZZ D2 10
-----+------------------------------------------------
[+] Remaining segment payload: (I 38 | K 38 | Remain LEN 8)
row | data
-----+------------------------------------------------
[00] | 00 00 00 00 00 00 00 00
-----+------------------------------------------------
I have XX'ed out the UID, YY should be our company code from the provider, ZZ is the number printed on the card.
What I assume is some sort of CRC is the D2 10. I tried it with the KGH information from the forum and also tried to brute-force it with the CRC function of the Proxmark, but all the results I got failed when applied to the second valid card that I have.
So maybe someone here has an idea what else I could try.
Thanks in advance
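An added example (not from the thread or the Proxmark3 client) that parses a segment of the shape dumped above into its header fields, write-protected area and remaining payload. It assumes the 5-byte header layout as the client prints it, with the UID-CRC XOR already removed from the header bytes, and uses 0xAA/0xBB as constructed stand-ins for the redacted YY/ZZ bytes.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    length: int        # segment length including the 5-byte header
    flag: int          # high nibble of header byte 1
    valid: bool        # flag bit 2
    last: bool         # flag bit 3
    wrp: int           # write-protected bytes following the header
    wrc: int           # low 7 bits of header byte 3
    rd: bool           # bit 7 of header byte 3
    crc: int           # header CRC byte (0x54 in the dump above)
    protected: bytes   # the WRP-long write-protected area
    remaining: bytes   # rest of the segment payload

def parse_segment(raw: bytes) -> Segment:
    """Decode one Legic Prime segment; header bytes must already be de-XORed."""
    if len(raw) < 5:
        raise ValueError("need at least 5 header bytes")
    length = raw[0] | ((raw[1] & 0x0F) << 8)   # 12-bit length
    flag = raw[1] >> 4
    wrp, wrc, rd, crc = raw[2], raw[3] & 0x7F, bool(raw[3] >> 7), raw[4]
    if len(raw) < length:
        raise ValueError(f"segment claims {length} bytes, only {len(raw)} given")
    payload = raw[5:length]
    if wrp > len(payload):
        raise ValueError("WRP exceeds segment payload")
    return Segment(length, flag, bool(flag & 0x4), bool(flag & 0x8),
                   wrp, wrc, rd, crc, payload[:wrp], payload[wrp:])

# Constructed sample following the dump above: raw header 18 40 0B 00, CRC 54,
# then the 11 protected bytes (YY=AA, ZZ=BB placeholders) and 8 zero bytes.
SAMPLE_SEGMENT = bytes.fromhex("18400B0054" "2000AAAA0000BBBBBBD210" "0000000000000000")

if __name__ == "__main__":
    seg = parse_segment(SAMPLE_SEGMENT)
    print(f"len={seg.length} flag=0x{seg.flag:X} valid={seg.valid} last={seg.last}")
    print(f"WRP={seg.wrp} WRC={seg.wrc} RD={seg.rd} CRC=0x{seg.crc:02X}")
    print("protected:", seg.protected.hex(" "))
    print("remaining:", seg.remaining.hex(" "))
```

The two trailing bytes of the protected area (D2 10 in the post) are exactly the pair the thread treats as the segment's checksum, so they are easy to pick out per card for comparison.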
This is an Interflex access segment.
If I remember correctly they don't use the standard KGH layout. I think it was a 16 bit CRC, but in any case not standard KGH.
D2 and 10 in your dump is the CRC, if I remember correctly.
Hey all,
I'm currently also researching Legic Prime cards, and, as Jason wrote, this is an Interflex segment and D2 10 are some kind of CRC16.
I already tried all kinds of combinations with standard crc16 as well as the crc16_legic algo from the proxmark client.
The fields I use to create combinations come from a sniff with the access controller to see what data got transferred.
I can't find the field combination (like MCC, STP0, STP1) that is used to correctly calculate the CRC16. Right now I have assembled a Python script that is trying each combination of those fields, but no luck so far.
Jason - do you know what fields of the legic cards with interflex segment are used to calculate the 2-byte CRC?
Last edited by BioS (2023-03-06 18:40:51)