Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2020-10-04 07:43:23

Dose13
Contributor
Registered: 2019-09-26
Posts: 19

How to create a (new) Segment ?

Good morning,

I have a "wiped" legic card that used to be segmented. I tried to add segments with the legic.lua script but either I am not using it right or the script does not support my card. The script crashes with the following message:

Legic command? ('h' for help - 'q' for quit) (default: h ) 
 > as
/usr/local/bin/../share/proxmark3/luascripts/legic.lua:2468: attempt to index upvalue 'inTAG' (a nil value)
          
[+] Finished legic.lua
          
[usb] pm3 --> 

My next guess was to use the "legic write" command. I can write single bytes to the card but I am not able to create a segment. I think I am missing something here. Can anyone advise or guide me to something useful?

Thank's and Regards

Offline

#2 2020-10-04 09:34:42

iceman
Administrator
Registered: 2013-04-25
Posts: 6,699
Website

Re: How to create a (new) Segment ?

sounds like a bug in the lua script.
Make a issue on GH


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2020-10-04 15:04:07

Dose13
Contributor
Registered: 2019-09-26
Posts: 19

Re: How to create a (new) Segment ?

Thank's iceman, I posted it on GH. Any hints how to create a segment manually using the "legic write" command?

Offline

#4 2020-10-12 10:24:58

pizza_4u
Contributor
Registered: 2018-07-28
Posts: 8

Re: How to create a (new) Segment ?

Dose13 wrote:

Thank's iceman, I posted it on GH. Any hints how to create a segment manually using the "legic write" command?

You have to build your segment header as it is documented here:
https://sar.informatik.hu-berlin.de/res … 11-03_.pdf

You can write the bytes by using

hf legic wrbl o 10 d 11223344

    - Write 0x11223344 starting from offset 0x10

Offline

#5 2020-10-21 12:07:24

Dose13
Contributor
Registered: 2019-09-26
Posts: 19

Re: How to create a (new) Segment ?

I have managed to "reverse" engineer the data from my active card to another card with a different UID. However, I fell across some special details. I have tried to calculate the CRC (BCK) - Byte  13 - according to this post http://www.proxmark.org/forum/viewtopic.php?id=6917, which says:

electron wrote:

CRC-Calcutlation is done over:
   
[MCD][MSN0][MSN1][MSN2][MSN3] + Byte 0x0D but BIT7 (=DIRT-Bit) MUST SET FOR CALCULATION = 8, BIT 0-6 is Seg-Nr  (max Seg = 127) + Bytes 0x0E..0x12

Even on my active card I cannot verify this byte. I am quite sure that it is calculated differently in my case. Any hints, ideas or recommendations what to try?

However, what I found, in contrast to this https://sar.informatik.hu-berlin.de/res … 11-03_.pdf

The payload area is obfuscated with the CRC of the UID: All bytes,beginning with byte 22, are XORd with CRCUID (address 4). Within the payload area the different segments are stored consecutively and each segment starts with a five byte segment header.

is that all bytes, beginning with byte 22 are obfuscated with the CRC of the UID and another fixed byte. (e.g. CRC (UID) = 13; byte 22 = 33, fix byte = FF this results with the:

 analyse  lcr 13FF33 = DF 

Bad news is that the CRC for the individual segment headers are also not properly calculated. But I guess this is more or less directly related to the calculation of my byte 13 problem. I tried:

Segment Header with CRC:
CRC calculated over [MCD][MSN0][MSN1][MSN2][MSN3]+0x16..0x19 as well as only 0x 16..0x19

Any hints, ideas or whatever might solve my problem is highly appreciated!

Thank' s in advance!

Last edited by Dose13 (2020-10-21 16:44:40)

Offline

#6 2020-10-22 09:06:01

Dose13
Contributor
Registered: 2019-09-26
Posts: 19

Re: How to create a (new) Segment ?

I was able to figure out how the Segement headers are calculated. Actually it is exactly as always. I.e.: [MCD][MSN0][MSN1][MSN2][MSN3]+0x16..0x19 The only difference to all other bytes (after Byte 22) is that the CRCs of the headers are obfuscated with the CRC of the UID.

I.e CRC Byte(s) of Segment header(s):
analyse lcr CRC([MCD][MSN0][MSN1][MSN2][MSN3]+0x16..0x19) + CRC(UID)

all other bytes are calculated as follows:
analyse lcr (0x (byte to calculate)) + CRC(UID) + Fixed Byte

Regarding Byte 13 I just figured out that I mixed some figures. I can confirm electron’s calculation method!

Last edited by Dose13 (2020-10-22 21:09:08)

Offline

Board footer

Powered by FluxBB