Research, development and trades concerning the powerful Proxmark3 device.
This is the second type of cards/tickets used in the transportation system of Greece. The first one is here: http://www.proxmark.org/forum/viewtopic.php?id=5126.
Using the latest iceman build, here is the info obtained from the card I got.
pm3 --> hf mfdes info
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 7B 1E 6A B9 49 80
Batch number : BA 64 97 E7 80
Production date : week 27, 2015
-----------------------------------------------------------
Hardware Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.0 (Desfire EV1)
Storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-----------------------------------------------------------
Software Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.4
storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : YES
[0x02] Directory list access with CMK : NO
[0x01] CMK is changeable : YES
Max number of keys : 174
Master key Version : 0 (0x00)
----------------------------------------------------------
[0x0A] Authenticate : YES
[0x1A] Authenticate ISO : YES
[0xAA] Authenticate AES : NO
----------------------------------------------------------
Available free memory on card : 2688 bytes
-------------------------------------------------------------
I wasn't able to read any block using the rdbl command, not sure if that command is implemented yet; it always returned nothing.
Is there currently a way to dump the contents of that card?
While playing around a bit with the auth command, I got this output:
pm3 --> hf mfdes auth 1 1 0 0000000000000000
DES selected
#db# Authetication failed.
Client command failed.
-------------------------------------------------------------
pm3 --> hf mfdes auth 2 1 0 0000000000000000
DES selected
Key :00 00 00 00 00 00 00 00
SESSION :00 00 00 00 00 00 00 00
-------------------------------------------------------------
Does that mean that the authentication in the second attempt was correct?
I also tried the "mfdes enum" command, but it results in some communication error:
pm3 --> hf mfdes enum
-- Desfire Enumerate Applications ---------------------------
-------------------------------------------------------------
Aid 0 : 31 54 41
AMK - Application Master Key settings
Can't read Application Master key settings
Sending bytes to proxmark failed
Can't read Application Master key version. Trying all keys
Sending bytes to proxmark failed
Can't get file ids
Sending bytes to proxmark failed
Timed-out
-------------------------------------------------------------
Any thoughts are really appreciated.
You can try the new APDU command under hf 14a apdu and commands from a DESFire datasheet. Since it's ISO 7816, you can also look at the new emv command.
Unfortunately the emv commands didn't help.
But this is what I got from the card while using the new apdu command:
get version (keep field on while AF)
pm3 --> hf 14a apdu -k -s 60
>>>>[sel keep ] 60
<<<< AF 04 01 01 01 00 18 05
APDU response: 18 05 -
pm3 --> hf 14a apdu -k af
>>>>[keep ] AF
<<<< AF 04 01 01 01 04 18 05
APDU response: 18 05 -
pm3 --> hf 14a apdu -k af
>>>>[keep ] AF
<<<< 00 04 7B 1E 6A B9 49 80 BA 64 97 E7 80 27 15
APDU response: 27 15 -
list applications:
pm3 --> hf 14a apdu -s 6A
>>>>[sel ] 6A
<<<< 00 31 54 41
select application:
pm3 --> hf 14a apdu -s 5a315441
>>>>[sel ] 5A 31 54 41
APDU ERROR: Small APDU response. Len=3
As you can see the select application command failed, which seems a bit odd, since the AID is correct.
While I was snooping the UL-EV1s (from the part 1 thread), I also sniffed the reload of this card, which proved kind of interesting.
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
2296295696 | 2296296688 | Rdr |52 | | WUPA
2296297924 | 2296300292 | Tag |44 03 | |
2296621616 | 2296622672 | Rdr |26 | | REQA
2296623860 | 2296626228 | Tag |44 03 | |
2296640304 | 2296642768 | Rdr |93 20 | | ANTICOLL
2296643956 | 2296649844 | Tag |88 04 7b 1e e9 | |
2296665264 | 2296675792 | Rdr |93 70 88 04 7b 1e e9 35 a7 | ok | SELECT_UID
2296676964 | 2296680484 | Tag |24 d8 36 | |
2296695584 | 2296698048 | Rdr |95 20 | | ANTICOLL-2
2296699236 | 2296705124 | Tag |6a b9 49 80 1a | |
2296720544 | 2296731072 | Rdr |95 70 6a b9 49 80 1a ca 5d | ok | ANTICOLL-2
2296732276 | 2296735860 | Tag |20 fc 70 | |
2296752928 | 2296757696 | Rdr |e0 80 31 73 | ok | RATS
2296758884 | 2296768164 | Tag |06 75 77 81 02 80 02 f0 | ok |
2296811168 | 2296825152 | Rdr |02 90 5a 00 00 03 31 54 41 00 14 c7 | ok | ** SELECT APPLICATION
2296844132 | 2296850020 | Tag |02 91 00 29 10 | |
2298724656 | 2298743184 | Rdr |03 90 bd 00 00 07 02 02 00 00 30 00 00 00 07 21 | ok | ** READ DATA FROM FILE
2298750852 | 2298812036 | Tag |03 01 83 01 1a 01 01 01 30 01 01 00 04 29 03 18 | |
| | |00 00 42 90 31 20 16 10 18 20 26 10 17 01 01 00 | |
| | |00 00 00 00 98 96 7f 00 00 27 10 00 01 00 00 00 | |
| | |00 91 00 05 1a | ok |
2298843056 | 2298861584 | Rdr |02 90 bd 00 00 07 02 02 00 00 30 00 00 00 ed 5f | ok | ** READ DATA FROM FILE
2298869236 | 2298930420 | Tag |02 01 83 01 1a 01 01 01 30 01 01 00 04 29 03 18 | |
| | |00 00 42 90 31 20 16 10 18 20 26 10 17 01 01 00 | |
| | |00 00 00 00 98 96 7f 00 00 27 10 00 01 00 00 00 | |
| | |00 91 00 b9 1f | ok |
2298962608 | 2298981136 | Rdr |03 90 bd 00 00 07 04 02 00 00 30 00 00 00 b6 3c | ok | ** READ DATA FROM FILE
2298989300 | 2299050420 | Tag |03 04 37 76 73 76 00 00 47 73 76 47 73 76 01 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 19 87 11 22 00 00 00 00 00 00 00 | |
| | |00 91 00 72 1d | ok |
2299081392 | 2299099920 | Rdr |02 90 bd 00 00 07 02 02 00 00 30 00 00 00 ed 5f | ok | ** READ DATA FROM FILE
2299107572 | 2299168756 | Tag |02 01 83 01 1a 01 01 01 30 01 01 00 04 29 03 18 | |
| | |00 00 42 90 31 20 16 10 18 20 26 10 17 01 01 00 | |
| | |00 00 00 00 98 96 7f 00 00 27 10 00 01 00 00 00 | |
| | |00 91 00 b9 1f | ok |
2299197488 | 2299216080 | Rdr |03 90 bd 00 00 07 10 00 00 00 20 00 00 00 0a 85 | ok | ** READ DATA FROM FILE
2299229428 | 2299272116 | Tag |03 00 32 64 01 37 01 1e ec e5 4a 00 00 00 00 00 | |
| | |00 05 00 00 00 00 00 00 19 08 b1 74 01 00 00 00 | |
| | |00 91 00 35 ac | ok |
2299301296 | 2299312912 | Rdr |02 90 6c 00 00 01 0e 00 08 1b | ok | ** READ VALUE
2299327092 | 2299337588 | Tag |02 00 00 00 00 91 00 19 b0 | ok |
2299362736 | 2299374416 | Rdr |03 90 6c 00 00 01 1a 00 46 68 | ok | ** READ VALUE
2299391860 | 2299402356 | Tag |03 fa 74 2b 7d 91 00 63 ce | ok |
2299427632 | 2299439248 | Rdr |02 90 6c 00 00 01 0c 00 b8 28 | ok | ** READ VALUE
2299451620 | 2299462052 | Tag |02 02 00 00 00 91 00 4f b8 | ok |
2299490480 | 2299509008 | Rdr |03 90 bd 00 00 07 02 02 00 00 30 00 00 00 07 21 | ok | ** READ DATA FROM FILE
2299516644 | 2299577828 | Tag |03 01 83 01 1a 01 01 01 30 01 01 00 04 29 03 18 | |
| | |00 00 42 90 31 20 16 10 18 20 26 10 17 01 01 00 | |
| | |00 00 00 00 98 96 7f 00 00 27 10 00 01 00 00 00 | |
| | |00 91 00 05 1a | ok |
2299607856 | 2299626448 | Rdr |02 90 bd 00 00 07 10 20 00 00 20 00 00 00 63 98 | ok | ** READ DATA FROM FILE
2299639796 | 2299682484 | Tag |02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 91 00 87 bb | ok |
2299712816 | 2299724496 | Rdr |03 90 6c 00 00 01 0f 00 6f 83 | ok | ** READ VALUE
2299738980 | 2299749476 | Tag |03 00 00 00 00 91 00 cc 2f | ok |
2299775664 | 2299787344 | Rdr |02 90 6c 00 00 01 1a 00 f9 e9 | ok | ** READ VALUE
2299804388 | 2299814884 | Tag |02 fa 74 2b 7d 91 00 b6 51 | ok |
2299841312 | 2299852992 | Rdr |03 90 6c 00 00 01 0d 00 df b0 | ok | ** READ VALUE
2299866212 | 2299876708 | Tag |03 00 00 00 00 91 00 cc 2f | ok |
2299902368 | 2299913984 | Rdr |02 90 6c 00 00 01 05 00 a0 ff | ok | ** READ VALUE
2299923812 | 2299934308 | Tag |02 00 00 00 00 91 00 19 b0 | ok |
2299959200 | 2299970880 | Rdr |03 90 6c 00 00 01 1a 00 46 68 | ok | ** READ VALUE
2299988084 | 2299998580 | Tag |03 fa 74 2b 7d 91 00 63 ce | ok |
2300551600 | 2300556368 | Rdr |50 00 57 cd | ok | HALT
Until the RATS response the communication relies on the native command set. But after that response, both switch to wrapped native(?) commands. What I couldn't figure out is what the "02" and "03" in front of the wrapped native commands are. Of course, that left the annotation of each command empty, so I added some myself (denoted with the two asterisks **).
The select application command that previously failed, works fine when sent like in the sniffed data:
hf 14a raw -c -p -s 02 90 5a 00 00 03 31 54 41 00
Card selected. UID[7]:
04 7B 1E 6A B9 49 80
received 5 bytes:
02 91 00 29 10
Following that, I wanted to view the available file ids of the selected application, but failed with an invalid command length error:
pm3 --> hf 14a raw -c -p 03 90 6f 00 00 00 00 00 00 00
>>>> 03 90 6F 00 00 00 00 00 00 00 63 63
received 5 bytes:
03 91 7E 0C D0
By the way, just for debugging purposes, I added an extra line (denoted with ">>>>") when the append CRC option (-c) is used that shows the command to be sent, including the CRC bytes.
Of course the read commands, as shown in the sniffed communication, worked fine as well.
Since my post is already quite long (sorry), if you are interested, you can see the actual authentication (3DES) and reload of the card here: https://www.sendspace.com/file/os55nm
Any ideas on what I should check now?
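As an added example (not from the post above or from the Proxmark3 client), here is a small Python decoder for the frames in the sniff: it checks the CRC_A that "-c" appends, strips the ISO 14443-4 PCB (the leading 02/03 bytes are I-block headers whose low bit is the block number), splits the 90-wrapped native command and the 91 xx status, and builds a GetFileIDs APDU with the length fields the card expects. The status and command codes are the standard DESFire ones; the frame bytes used in the comments are taken from the trace above.

```python
# Added example, not from the forum post or the Proxmark3 source: decodes the ISO 14443-4
# I-block framing and the ISO 7816-wrapped DESFire commands in the sniff above.
DESFIRE_STATUS = {0x00: "OPERATION_OK", 0x1C: "ILLEGAL_COMMAND_CODE", 0x7E: "LENGTH_ERROR",
                  0x9D: "PERMISSION_DENIED", 0x9E: "PARAMETER_ERROR", 0xA0: "APPLICATION_NOT_FOUND",
                  0xAE: "AUTHENTICATION_ERROR", 0xAF: "ADDITIONAL_FRAME", 0xF0: "FILE_NOT_FOUND"}
NATIVE_CMD = {0x5A: "SELECT_APPLICATION", 0x6A: "GET_APPLICATION_IDS", 0x6F: "GET_FILE_IDS",
              0xBD: "READ_DATA", 0x6C: "GET_VALUE"}

def crc_a(data: bytes) -> bytes:
    """ISO 14443-A CRC_A (init 0x6363, low byte first), the two bytes 'hf 14a raw -c' appends."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def wrap_native(ins: int, params: bytes = b"") -> bytes:
    """CLA 90, INS = native command, P1 P2 = 00 00, Lc + params only when present, then Le 00.
    GetFileIDs (0x6F) has no parameters, so it is 90 6F 00 00 00; the zero-padded version
    sent above is why the card answered 91 7E (LENGTH_ERROR)."""
    apdu = bytes([0x90, ins, 0x00, 0x00])
    if params:
        apdu += bytes([len(params)]) + params
    return apdu + b"\x00"

def parse_iblock(frame: bytes):
    """Check CRC_A and strip the ISO 14443-4 PCB from a sniffed frame (CRC included).  0x02/0x03
    are I-blocks; bit 0 is the block number, toggled after each reader/tag pair (the 02/03 alternation)."""
    body, crc = frame[:-2], frame[-2:]
    if crc_a(body) != crc:
        raise ValueError("CRC_A mismatch")
    if body[0] & 0xC2 != 0x02:
        raise ValueError("not an I-block, PCB 0x%02X" % body[0])
    return body[0] & 1, body[1:]

def decode_command(payload: bytes):
    """Wrapped command payload -> (native command name, parameter bytes)."""
    if payload[0] != 0x90:
        raise ValueError("not a wrapped DESFire command")
    lc = payload[4] if len(payload) > 5 else 0  # a 5-byte APDU carries Le only, no Lc
    return NATIVE_CMD.get(payload[1], "0x%02X" % payload[1]), payload[5:5 + lc]

def decode_response(payload: bytes):
    """Wrapped response payload -> (data bytes, status name); the status is 91 xx."""
    if len(payload) < 2 or payload[-2] != 0x91:
        raise ValueError("missing 0x91 status prefix")
    return payload[:-2], DESFIRE_STATUS.get(payload[-1], "0x%02X" % payload[-1])

def read_data_params(params: bytes):
    """READ_DATA (0xBD) parameters: file number, 3-byte LE offset, 3-byte LE length."""
    return params[0], int.from_bytes(params[1:4], "little"), int.from_bytes(params[4:7], "little")
```

Running the sniffed "03 90 bd 00 00 07 02 02 00 00 30 00 00 00 07 21" frame through parse_iblock and decode_command yields READ_DATA on file 2, offset 2, length 48, which matches the 48 data bytes plus 91 00 in the tag's reply.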