Cloning LEGIC Prime MIM256

Howdy Folks,
I have my lunch break right now and since my proxmark arrived, I’ve decided to give it a spin. Flashing bootrom and full image of iceman fork was a breeze. It took me less time compared to brewing a coffee. So now it’s playtime :slight_smile:
I mentioned in my previous topic that I have one tag which I cannot read with the flipper. Well I can read it with the proxmark just fine.
So the usual drill went as follows:
lf search - nothing.
hf search and we have a winner

[usb] pm3 → hf search
:clock9: Searching for LEGIC tag…
[+] MCD: **
[+] MSN: ** ** **
[+] TYPE: MIM256 card (234 bytes)

[+] Valid LEGIC Prime tag found

Please bear in mind that * are actual numbers. So I started digging about Legic mim and found this very nice article from KSEC https://tagbase.ksec.co.uk/legic/legic-prime-mim256/

I will for sure spend more time researching this product, but just to cut some corners (and share some experience): is the mim256 clonable to something like gen1a 1k s50? Maybe a lame question, but I just discovered mim256 15 mins ago. Thanks a lot!


Same here – I appreciate any advice!

I am an absolute newbie, but I found this, and even though I don’t know how to follow this instruction, it sounds promising:


Thank you! I just loaded the lua script like so
mkdir ~/.proxmark3/luascripts
cd ~/.proxmark3/luascripts
wget https://raw.githubusercontent.com/zhovner/proxmark3-1/4784cfd3fd2acc12d3057e322cbd8cb719a5325c/client/scripts/Legic_clone.lua

Next, when I exec pm3 and then run
[usb] pm3 → script list

[ Lua scripts ]
├── /Users/$myusername/.proxmark3/luascripts/
│ └── Legic_clone.lua

Next would be to dump the tag memory. Lua is not my strongest language, but it doesn’t look like quantum mechanics either.
Let’s see after I dump the data what I could do with it.
Thanks for the link!

btw one more thing (or actually a few)
seems like legic is officially supported in the proxmark
check this out
hf legic info
also the lua script advises creating a hex dump via
hf legic save my_dump.hex

if you run the iceman fork

[usb] pm3 → hf legic reader
[+] MCD: 11
[+] MSN: 22 33 44
[+] TYPE: MIM256 card (234 bytes)

[usb] pm3 → hf legic dump
[+] TYPE: MIM256 card (234 bytes)
[+] Reading tag memory 256 b…
[=] Using UID as filename
[=] FILE PATH: hf-legic-11223344-dump.bin
[+] saved 256 bytes to binary file hf-legic-11223344-dump.bin
[=] FILE PATH: hf-legic-11223344-dump.eml
[+] saved 32 blocks to text file hf-legic-11223344-dump.eml
[=] FILE PATH: hf-legic-11223344-dump.json
[+] saved to json file hf-legic-11223344-dump.json

now to see how to write these 0s and 1s to another medium
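As an added example (my own code, not from this thread or the Proxmark3 project): a small Python helper that parses the `.eml` file `hf legic dump` writes (assumed here to be 32 lines of one 8-byte block each as hex for a MIM256, matching the "saved 32 blocks" line above), rebuilds the `hf-legic-<MCD><MSN>-dump` filename stem from the first four bytes (assuming byte 0 = MCD and bytes 1..3 = MSN, as the reader output above suggests), and diffs two dumps block by block so you can see that the UID block is exactly the part that cannot be carried over to a second card. The sample dumps are constructed, not real card data.

```python
import re
from typing import List

BLOCK_SIZE = 8       # hf legic dump writes 32 blocks x 8 bytes for a MIM256
MIM256_BYTES = 256


def parse_eml(text: str) -> bytes:
    """Parse a Proxmark3 .eml dump: one hex-encoded 8-byte block per line."""
    data = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) != BLOCK_SIZE * 2 or not re.fullmatch(r"[0-9A-Fa-f]+", line):
            raise ValueError(f"line {lineno}: expected {BLOCK_SIZE * 2} hex chars, got {line!r}")
        data += bytes.fromhex(line)
    if len(data) != MIM256_BYTES:
        raise ValueError(f"expected {MIM256_BYTES} bytes, got {len(data)}")
    return bytes(data)


def uid_fields(data: bytes) -> dict:
    """Assumed layout: byte 0 is the MCD, bytes 1..3 are the MSN."""
    return {"mcd": data[0], "msn": data[1:4]}


def dump_stem(data: bytes) -> str:
    """Filename stem Proxmark3 used above: hf-legic-<MCD><MSN>-dump."""
    return "hf-legic-" + data[:4].hex() + "-dump"


def diff_blocks(a: bytes, b: bytes) -> List[int]:
    """Indices of 8-byte blocks that differ between two dumps."""
    n = MIM256_BYTES // BLOCK_SIZE
    return [i for i in range(n)
            if a[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] != b[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]]


def _make_dump(uid_hex: str, payload_hex: str) -> str:
    """Constructed sample: UID block, one payload block, 30 empty blocks."""
    blocks = [uid_hex + "00000000", payload_hex] + ["00" * BLOCK_SIZE] * 30
    return "\n".join(blocks) + "\n"


# Source card uses the MCD/MSN shown in the thread; the spare has a different UID.
SOURCE_EML = _make_dump("11223344", "deadbeefcafef00d")
SPARE_EML = _make_dump("aabbccdd", "deadbeefcafef00d")
```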

@amal @Pilgrimsmaster
Folks, do you know if legic prime mim256 can be emulated or replicated (please check the posts above)? I am almost sure the answer is not really, but I am looking for your input. Thanks!

Here come my excuses

I am away from home at the moment

I don’t have my PM3 with me

I don’t have a MIM256 card

I’ve never tried before

Does it provide you with a UID?
How many bytes is the UID?


No worries @Pilgrimsmaster
I am researching the topic as we speak. Not much info though.
Found some official specs under LEGIC Smartcard ICs: LEGIC
I also found the following presentation made by two very interesting individuals, which I am planning to watch right now
https://www.youtube.com/watch?v=MvTEA5FD1uo
Looks like a nice thing to research and to play with.


I managed to emulate my legic prime mim1024 successfully with the proxmark3 easy; next step is to clone it. Not sure if I’m able to clone it onto any old nfc card, but I will try and report back.


Definitely not

What cards can I clone it onto? Is it only other legic prime cards? I can only find 100 packs of those online for €400+.

You can’t make a 1-1 perfect clone; you can only carry over block content from the memory, but it won’t validate correctly against a different UID.

I see, so only block content is changeable on legic prime cards and not UID, and there are no magic cards compatible with legic prime readers that allow you to change the UID?


Just giving an update, I got a spare legic card, tried to dump the info from my own legic card onto the spare with my proxmark3.

hf legic restore -f hf-legic-**********-dump-001

Unfortunately this didn’t work, I assume for the reasons you told me about it having a different UID.

Glad to see there is some movement on the topic I’ve created after some time, unfortunately not with the desired outcome. Anyway, I gave up cloning the legic long ago.


Hi there.
I just ordered a proxmark3, have not received it yet but looking for information and learning.
I’m a system consultant in a company dealing with ID cards, printers for ID cards and all of those little and big things surrounding the cards.
And I’m responsible for analysing customer cards to offer replacements and encoding of smartcards. So I have quite a bunch of encoders and readers in my drawer.
Regarding the LEGIC prime cards:
Those Legic cards are quite special. To encode them, you always need a legic encoder (with a genuine Legic chipset allowed not only for reading but for encoding media!). And, what most people are not aware of: you need an authorization media (a smartcard), called “IAM” (Initialization Authorization Media). It’s like a security card needed for ordering new keys for your door locks. Without this card you are not able to initialize this Legic card. All our customers have to send us their IAM card for ordering new media (usually older access-control systems). The IAM card contains a so-called “Stamp”; this is a unique code belonging to a single customer and system. This stamp is written on the destination card, too. All readers in the system are programmed (with a different authorization media [SAM] again) to only accept cards with this stamp.
Legic prime has a proprietary protocol; it’s not standard ISO14443 or any other. The newer Legic Advant is more compliant with industry standards, but it’s not cracked yet, like Mifare DESFire.
But since Legic prime is hacked and considered unsafe, maybe there’s a way to get data on the media without the genuine tools and authorization media.

Interesting in this matter:

When I receive my Proxmark, I will check myself, what’s possible.
