bad detection performance of Desfire cards

spaceteddy · 2016-09-16 22:11:24

dear all,

I'm new wit the proxmark3 and have a question regarding reading Desfire cards.
With my Electrohouse Easy I can read Mifare tags quite good. almost every "hf 14a reader" commands reads out card information....

UID : 24 xx xx 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

I tried different Mifare tags and it works relatively good.

Unfortunaty with Desfire cards, detection is only one out of 20-30 tries. It seems that different cards and distance to the reader has no influence.

hw tune says the following:

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
.....
# LF antenna: 28.74 V @ 125.00 kHz
# LF antenna: 33.41 V @ 134.00 kHz
# LF optimal: 37.12 V @ 130.43 kHz
# HF antenna: 28.86 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

I checked different repros and the original proxmark3 github repro recognizes the Desfire card better then icemans fork.

I there a way that I can improve the stability of detection?

thanks a lot.

Bob

Last edited by spaceteddy (2016-09-16 22:12:00)

iceman · 2016-09-18 17:52:11

Did you try the "hf mfdes info" command in my fork?

spaceteddy · 2016-09-20 19:18:53

Hi iceman,

thanks a lot for your feedback.

Well, yes I tried this command, but unfortunately the same behaviour. It seems that all commands have an issue with these cards, even if I use hf 14a raw commands.
Proxmark3 HW should be ok, because in sniffer or stand alone mode, the cards are recognized immediately.
i checked the cards with my PN532 reader as well and no issue at all.
So, if there are any settings, or timings I can change, i would be very happy.

thanks a lot

Bob

iceman · 2016-09-20 19:39:56

How is your antenna voltage?
and have you tried different distances between tag and antenna? Sweetspot normally 1-2.5cm

spaceteddy · 2016-09-21 06:52:42

Yes, Antenna voltage is:
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
.....
# LF antenna: 28.74 V @ 125.00 kHz
# LF antenna: 33.41 V @ 134.00 kHz
# LF optimal: 37.12 V @ 130.43 kHz
# HF antenna: 28.86 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

I tied also different distances and different materials under the reader. Wooden table , air, etc. all behaves the same.

I can improve the detection if i put an Mifare Classic card first, and then immideatly after that the desfire card. But this helps only in 30%

,
Chris

iceman · 2016-09-21 07:02:35

Your HF voltage looks good,

sometime you need to hold the tag in an angle over the antenna. How big is the tags that you are trying to read?
A picture of your setup?

Hm, in sniffer or standalone mode it works, you could set the debug level to 4, with "hf mf dbg 4" and see more detail during the "hf 14a reader" commands

spaceteddy · 2016-09-21 20:39:05

seems to be an timeout...

pm3 --> hf mf dbg 4
#db# Debug level: 4
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
iso14443a card select failed
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
iso14443a card select failed

iceman · 2016-09-21 20:42:29

Looks like you don't have a good tag positioning over your antenna...

spaceteddy · 2016-09-22 17:54:04

mhhh,

but why only by mifire desfire cards?

classic cards work fine:

pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 -->

is there a more advanced debug mode that shows me more bytes during try to read the card?

iceman · 2016-09-22 18:16:58

Can you post the output for

hf mf dbg 4
hf mf 14a read
hf list 14a            --> this
hf mfdes infor
hf list 14a           --> this

spaceteddy · 2016-09-22 19:06:37

--------------------------------- desfire -----------------------------------------------------
pm3 --> hf mf dbg 4
#db# Debug level: 4
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
iso14443a card select failed
pm3 --> hf list 14a
Recorded Activity (TraceLen = 10 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
pm3 --> hf mfdes info
#db# ISO14443A Timeout set to 1060 (10ms)
#db# Can't select card
Command unsuccessful
pm3 --> hf list 14a
Recorded Activity (TraceLen = 22 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
158208 | 161760 | Rdr |c2 e0 b4 | ok | RESTORE(224)
pm3 -->

-----------------------------------classic -------------------------------------
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 --> hf list 14a
Recorded Activity (TraceLen = 153 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16516 | Tag |14 d9 f7 06 3c | |
18944 | 29408 | Rdr |93 70 14 d9 f7 06 3c d9 ee | ok | SELECT_UID
30644 | 34164 | Tag |08 b6 dd | |
465024 | 469792 | Rdr |e0 80 31 73 | ok | RATS
470980 | 471620 | Tag |04 | |
971008 | 972000 | Rdr |40 | | MAGIC WUPC1
973508 | 974084 | Tag |0a! | |
978048 | 979360 | Rdr |43 | | MAGIC WUPC2
980548 | 981124 | Tag |0a! | |
985088 | 989856 | Rdr |50 00 57 cd | ok | HALT
pm3 --> hf mfdes info
#db# ISO14443A Timeout set to 1060 (10ms)
#db# [WCMD <--: :0/5] 0a 00 60 68 b5 00 00 00
#db# fukked
Command unsuccessful
pm3 --> hf list 14a
Recorded Activity (TraceLen = 103 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16516 | Tag |14 d9 f7 06 3c | |
18944 | 29408 | Rdr |93 70 14 d9 f7 06 3c d9 ee | ok | SELECT_UID
30660 | 34180 | Tag |08 b6 dd | |
49920 | 55840 | Rdr |0a 00 60 68 b5 | ok |
212608 | 216160 | Rdr |c2 e0 b4 | ok | RESTORE(224)
pm3 -->

-------------------------------------------------------------------------------------
in the seldom case that a Desfire card can be read:
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 1060 (10ms)
#db# ISO14443A Timeout set to 131072 (1236ms)
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf list 14a
Recorded Activity (TraceLen = 152 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16516 | Tag |d0 1d 8c 8e cf | |
18944 | 29472 | Rdr |93 70 d0 1d 8c 8e cf ed ef | ok | SELECT_UID
30660 | 34244 | Tag |20 fc 70 | |
35840 | 40608 | Rdr |e0 80 31 73 | ok | RATS
41796 | 62660 | Tag |10 78 b3 c0 02 00 31 c0 64 77 e3 03 00 82 90 00 | |
| | |d6 4c | ok |
511744 | 512736 | Rdr |40 | | MAGIC WUPC1
17291136 | 17292448 | Rdr |43 | | MAGIC WUPC2
34071296 | 34076064 | Rdr |50 00 57 cd | ok | HALT
pm3 -->

Last edited by spaceteddy (2016-09-22 19:10:47)

piwi · 2016-09-23 06:56:02

Are your DESFire cards different in size compared to the Mifare Classic cards?

Did you try several DESFire cards or only one?

spaceteddy · 2016-09-23 09:37:04

Hi,
Most of my desfire cars have the same size and antenna structure like the classic cards.
I tried also an desfire with small form factor, but I see no differences.

Also distance to tag, angle of tag has no influence.

I 'm really wondering, because sniffing hf 14a sniff or detection in standalone mode
Works really good in a distance of around 5 or more cm

Regards,

Bob

iceman · 2016-09-23 17:53:12

I can now confirm that @OP is indeed right, in my fork the desfire works, well sometimes...

if you add the "hf mf dbg 3" it works all the times. So its a timing issue.

iceman · 2016-09-23 20:32:43

OP,
I've push some changes to my fork, if you could try them out and see if the "hf mfdes info" commands and desfire detection in general works better now I'd be grateful.

spaceteddy · 2016-09-23 21:13:56

Hi iceman,

thanks for your effort and willingness to improve my situation.
I updated your fork but unfortunatly there is no improvement

Now, I try to downgrade my reader to an really old version. maybe it works better.

---------------------------classic---------------------------
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
UID : 14 D9 F7 06
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES

---------------------desfire------------------------------------

pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
iso14443a card select failed
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
iso14443a card select failed
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
iso14443a card select failed
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
iso14443a card select failed
pm3 --> hf 14a reader
#db# ISO14443A Timeout set to 2120 (20ms)
iso14443a card select failed
pm3 -->

iceman · 2016-09-23 21:39:10

Now thats odd, mine worked better with these changes. recompiled/flashed and the same client from build?

hf mf dbg 2
hf mfdes info

You still need a distance between antenna and tag.

spaceteddy · 2016-09-23 22:03:02

hi,

yes, I do always a make clean all.
tomorrow I will complete reinstall the Proxmark3 easy. and I will do some tried w/o attached LF antenna.

pm3 --> hf search

no known/supported 13.56 MHz tags found

pm3 --> hf mf dbg 2
#db# Debug level: 2
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 --> hf mfdes info
#db# Can't select card
Command unsuccessful
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 35 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
292608 | 296160 | Rdr |c2 e0 b4 | ok | RESTORE(224)
299648 | 304416 | Rdr |50 00 57 cd | ok | HALT

iceman · 2016-09-23 22:12:01

ok,
do you have a mifare classic 1k/4k tag around?
Put that one on the antenna and try the "hf 14a read". When it works, swap over to your desfire tag and try again

iceman · 2016-09-23 22:28:09

I think one of my earlier changes removed a "spindelay(20)" call, needed in the setup function.
The fix is pushed to my fork, sorry for making you test it again. But this one should fix it good.

A 14a tag needs 5ms of powering up before entering "idle" state where it starts to listen.

spaceteddy · 2016-09-24 07:10:20

Dear Iceman,

thanks a lot for your investigation.

as described in my first posting, it is really a differece if I read a classic card first and then a desfire card.
I tried your last update and can verify that.
This unfortunately works reproducible with one of my cards only.

see below:

-------------------------------snip------------------------------------
pm3 --> hf 14a reader
UID : EC C8 3E 4A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 05
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a list
Recorded Activity (TraceLen = 152 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |05! 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16516 | Tag |d0 1d 8c 8e cf | |
18944 | 29472 | Rdr |93 70 d0 1d 8c 8e cf ed ef | ok | SELECT_UID
30660 | 34244 | Tag |20 fc 70 | |
35840 | 40608 | Rdr |e0 80 31 73 | ok | RATS
41796 | 62660 | Tag |10 78 b3 c0 02 00 31 c0 64 77 e3 03 00 82 90 00 | |
| | |d6 4c | ok |
563072 | 564064 | Rdr |40 | | MAGIC WUPC1
17342464 | 17343776 | Rdr |43 | | MAGIC WUPC2
34122624 | 34127392 | Rdr |50 00 57 cd | ok | HALT
pm3 --> hf 14a reader
UID : EC C8 3E 4A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
UID : EC C8 3E 4A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 -->
-------------------------------snap--------------------------------------------------------------

with this desfire card, I tried to read the card several times in a row.
Interesting is, that the card could be red only every second attempt!?!?!?!

-------------------------------log--------------------------------------
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
iso14443a card select failed
pm3 --> hf 14a reader
iso14443a card select failed
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
iso14443a card select failed
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
iso14443a card select failed
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
iso14443a card select failed
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 07 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 07 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
iso14443a card select failed
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 --> hf 14a reader
iso14443a card select failed
pm3 --> hf 14a reader
UID : D0 1D 8C 8E
ATQA : 00 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 B3 C0 02 00 31 C0 64 77 E3 03 00 82 90 00 D6 4C
- TL : length is 16 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4], DS: [2, 4]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 00 31 C0 64 77 E3 03 00 82 90 00
Answers to magic commands (GEN1): NO
pm3 -->
----------------------------------------------log-----------------------------------------------------

with an other card behaviour is different and can not read at all

very srtange

Bob.

iceman · 2016-09-24 08:12:09

So there has been a difference in failure rate with these changes?

You can test in my fork to change the following value..
In iso14443a.c function iso14443a_setup() row 2005
Try to increase the spindelay(20) call with 40, 60 , 80, 100

You need compile/flash between every change.
and let me know if and which value fixes your problem

thanks,

spaceteddy · 2016-09-24 08:34:33

hi iceman,

when are you sleeping ????

well, I changed the spindelay already with different values, but there was no success.

BUT, it seems that the hw tune command with the HF voltage made me confuse and put me on the wrong track. I assumed that the antenna must be good because sniffing, classic card, ect works fine.
I disassembled the proxmark easy and pressed the card w/o any air gap direct on the antenna. If I do this in this way, read a desfire card is very stable.
It is not nice, but acceptable now. seems that electrohouse has designed a bad HF antenna, or there is something wring with my PCB.

anyhow, I really appreciate that you have investest a lot of time to improve my situation, but I guess you've found also some bugs

I sent you a small Paypal donation for your effort.

Bob

iceman · 2016-09-24 08:54:00

Thanks for the dontation Bro!

And yeah, I got to fix some problems that I introduced myself when changing stuff. At least it works again
Regarding the ElechouseEasy, you are not the first to have problems with the builtin- HF antenna. Another user told me aswell, s/he also put the tag direct to the antenna to get good reads. The thing is that the voltage 28v is very good , but somehow the signal received into the adc and fpga is not so good anymore. I think you should send a mail to Mr Shen @ Elechouse and ask about this. Maybe they find a solution for it in the fpga code etc.

the spindelay call gives time for the antenna to power up and with that also powers up the tag. So longer wait higher chance of the tag is fully powered when queried.

And yeah, just woke up. Kids in the house you know.

spaceteddy · 2016-09-24 09:31:39

oh well,
thanks lot for this information iceman.
I'm going to try to get in touch with Mr. Shen to try to find a way to make the performance better. But good to know that I'm not the only person with problem with the build in antenna .)

sun is shining outside, i'll forget about the NFC stuff for a while. Use my donation to enjoy a cold beer.

sers,

Proxmark3 community

Announcement

#1 2016-09-16 22:11:24

bad detection performance of Desfire cards

#2 2016-09-18 17:52:11

Re: bad detection performance of Desfire cards

#3 2016-09-20 19:18:53

Re: bad detection performance of Desfire cards

#4 2016-09-20 19:39:56

Re: bad detection performance of Desfire cards

#5 2016-09-21 06:52:42

Re: bad detection performance of Desfire cards

#6 2016-09-21 07:02:35

Re: bad detection performance of Desfire cards

#7 2016-09-21 20:39:05

Re: bad detection performance of Desfire cards

#8 2016-09-21 20:42:29

Re: bad detection performance of Desfire cards

#9 2016-09-22 17:54:04

Re: bad detection performance of Desfire cards

#10 2016-09-22 18:16:58

Re: bad detection performance of Desfire cards

#11 2016-09-22 19:06:37

Re: bad detection performance of Desfire cards

#12 2016-09-23 06:56:02

Re: bad detection performance of Desfire cards

#13 2016-09-23 09:37:04

Re: bad detection performance of Desfire cards

#14 2016-09-23 17:53:12

Re: bad detection performance of Desfire cards

#15 2016-09-23 20:32:43

Re: bad detection performance of Desfire cards

#16 2016-09-23 21:13:56

Re: bad detection performance of Desfire cards

#17 2016-09-23 21:39:10

Re: bad detection performance of Desfire cards

#18 2016-09-23 22:03:02

Re: bad detection performance of Desfire cards

#19 2016-09-23 22:12:01

Re: bad detection performance of Desfire cards

#20 2016-09-23 22:28:09

Re: bad detection performance of Desfire cards

#21 2016-09-24 07:10:20

Re: bad detection performance of Desfire cards

#22 2016-09-24 08:12:09

Re: bad detection performance of Desfire cards

#23 2016-09-24 08:34:33

Re: bad detection performance of Desfire cards

#24 2016-09-24 08:54:00

Re: bad detection performance of Desfire cards

#25 2016-09-24 09:31:39

Re: bad detection performance of Desfire cards

Board footer