Cloning LEGIC Prime MIM256

r00t · June 20, 2023, 12:04pm

Howdy Folks,
I have my lunch break right now and since my proxmark arrived, I’ve decided to give it a spin. Flashing bootrom and full image of iceman fork was a breeze. It took me less time compared to brewing a coffee. So now it’s playtime
I mentioned in my previous topic that I have one tag which I cannot read with the flipper. Well I can read it with the proxmark just fine.
So the usual drill went as follow
lf search - nothing.
hf search and we have a winner

[usb] pm3 → hf search
Searching for LEGIC tag…
[+] MCD: **
[+] MSN: ** ** **
[+] TYPE: MIM256 card (234 bytes)

[+] Valid LEGIC Prime tag found

Please bare in mind that * are actual numbers. So I started digging about Legic mim and found this very nice article from KSEC https://tagbase.ksec.co.uk/legic/legic-prime-mim256/

I will for sure spend more time researching this product, but just to cut some corners(and share some experience). Is the mim256 clonable to something like gena1 1k s50 ? Maybe a lame question but I just discovered mim256 15 mins ago. Thanks a lot!

Calle · June 20, 2023, 6:37pm

Same here – I appreciate any advice!

I am an absolut newbie, but I found this, and even though I don’t know how to follow this instruction, it sounds promising:

github.com

zhovner/proxmark3-1/blob/4784cfd3fd2acc12d3057e322cbd8cb719a5325c/client/scripts/Legic_clone.lua#L91


      
          		Stp0..n=	Stamp0...									(variable length) length = Segment-Len - UserData - 1
          		UID0..n=	UserDater									(variable length - with KGH hex 0x00-0x63 / dec 0-99) length = Segment-Len - WRP - WRC - 1 
          		 	 kghC=	KabaGroupHeader						(1 Byte + addr 0x0c must be 0x11)
          	as seen on ths example: addr 0x05..0x08 & 0x0c must have been set to this values - otherwise kghCRC will not be created by a official reader (not accepted)
          --]]
          
          
example = "Script create a clone-dump of a dump from a Legic Prime Tag"
          author = "Mosci"
          desc =
          [[
          This is a script which create a clone-dump of a dump from a Legic Prime Tag (MIM256 or MIM1024)
          (created with 'hf legic save my_dump.hex') 
          requiered arguments:
          	-i <input file>		(file to read data from)
          	
          optional arguments :
          	-h                  - Help text
          	-o <output file> 	- requieres option -c to be given
          	-c <new-tag crc> 	- requieres option -o to be given
          	-d					- Display content of found Segments
          	-s					- Display summary at the end

r00t · June 20, 2023, 7:15pm

Thank you! I just loaded the lua script like so
mkdir ~/.proxmark3/luascripts
cd ~/.proxmark3/luascripts
wget https://raw.githubusercontent.com/zhovner/proxmark3-1/4784cfd3fd2acc12d3057e322cbd8cb719a5325c/client/scripts/Legic_clone.lua

next when I exec pm3 and then
[usb] pm3 → script list

[ Lua scripts ]
├── /Users/$myusername/.proxmark3/luascripts/
│ └── Legic_clone.lua

Next would be to dump the tag memory. Lua is not my strongest language, but it doesn’t look like a quantum mechanics as well.
Let’s see after I dump the data what I could do with it.
Thanks for the link!

r00t · June 20, 2023, 7:22pm

btw one more thing( or actually a few)
seems like the legic is officially supported in the proxmark
check this out
hf legic info
also the lua script advices to create a hex dump via
hf legic save my_dump.hex

if you run the iceman fork

[usb] pm3 → hf legic reader

[+] MCD: 11

[+] MSN: 22 33 44

[+] TYPE: MIM256 card (234 bytes)

[usb] pm3 → hf legic dump

[+] TYPE: MIM256 card (234 bytes)

[+] Reading tag memory 256 b…

[=] Using UID as filename

[=] FILE PATH: hf-legic-11223344-dump.bin

[+] saved 256 bytes to binary file hf-legic-11223344-dump.bin

[=] FILE PATH: hf-legic-11223344-dump.eml

[+] saved 32 blocks to text file hf-legic-11223344-dump.eml

[=] FILE PATH: hf-legic-11223344-dump.json

[+] saved to json file hf-legic-11223344-dump.json

now to see how to write this 0 and 1s to another medium

r00t · June 20, 2023, 9:02pm

@amal @Pilgrimsmaster
Folks do you know if legic prime mim256 can be emulated or replicated(please check the posts above)? I am almost sure the answer is not really, but I am looking for your input. Thanks!

Pilgrimsmaster · June 21, 2023, 3:10am

Here come my excuses

I am away from home at the moment

I dont have my PM3 with me

I don’t have a MIM256 card

I’ve never tried before

Does it provide you with a UID?
How many bytes is the UID?

r00t · June 21, 2023, 6:50pm

No worries @Pilgrimsmaster
I am researching the topic as we speak. Not much info thou.
Found some official specs under LEGIC Smartcard ICs: LEGIC
I also found the following presentation made from two very interesting individuals, which I am planning to watch right now
26C3: Legic Prime: Obscurity in Depth 1/7 - YouTube
Looks like a nice thing to research and to play with.

haz · February 19, 2024, 4:03pm

I managed to emulate my legic prime mim1024 successfully with the proxmark3 easy, next step is to clone it. not sure if i’m able to clone it onto any old nfc card but i will try and report back.

Equipter · February 19, 2024, 7:38pm

Definitely not

haz · February 19, 2024, 11:07pm

What cards can I clone it onto? Is it only other legic prime cards? I can only find 100 packs of those online for €400+.

Equipter · February 19, 2024, 11:58pm

You can’t make a 1-1 perfect clone you can only carry over block content from the memory but it won’t validate correctly against a different UID.

haz · February 20, 2024, 8:26am

I see, so only block content is changeable on legic prime cards and not UID, and there are no magic cards compatible with legic prime readers that allow you to change the UID?

Pilgrimsmaster · February 20, 2024, 9:04am

3 posts were merged into an existing topic: The anti:no_entry_sign:-derailment:railway_car: & thread:thread: hijacking:gun: thread:thread:

haz · February 28, 2024, 2:38pm

Just giving an update, I got a spare legic card, tried to dump the info from my own legic card onto the spare with my proxmark3.

hf legic restore -f hf-legic-**********-dump-001

Unfortunately this didn’t work, I assume for the reasons you told me about it having a different UID.

r00t · March 2, 2024, 1:39pm

Glad to see there is some movement on the topic I’ve created after some time, unfortunately not the desired outcome. Anyways I gave up cloning the legic long ago