Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello everybody,
I tried my best by myself to solve a mystery, but I guess I've reached my maximum.
We use these cards here:
Tag Information ---------------------------
[=] -------------------------------------------------------------
[+] UID: 04 5B XX XX XX XX XX
[+] Batch number: CE 8B 59 XX XX
[+] Production date: week 11 / 2018
[=] --- Hardware Information
[=] raw: 04010112001A05
[=] Vendor Id: NXP Semiconductors Germany
[=] Type: 0x01
[=] Subtype: 0x01
[=] Version: 12.0 ( DESFire EV2 )
[=] Storage size: 0x1A ( 8192 bytes )
[=] Protocol: 0x05 ( ISO 14443-2, 14443-3 )
[=] --- Software Information
[=] raw: 04010102011A05
[=] Vendor Id: NXP Semiconductors Germany
[=] Type: 0x01
[=] Subtype: 0x01
[=] Version: 2.1
[=] Storage size: 0x1A ( 8192 bytes )
[=] Protocol: 0x05 ( ISO 14443-3, 14443-4 )
[=] --- Card capabilities
[=] --- Tag Signature
[=] IC signature public key name: DESFire EV2
[=] IC signature public key value: 04B3........................................................
[=] : .............................
[=] : ;....................2
[=] : ......................;A
[=] Elliptic curve parameters: NID_secp224r1
[=] TAG IC Signature: 4EBF5AD8........................................
[=] : FBEA208F657........................................
[=] : 4600FB5.............................................;
[=] : 3AF1A980................
[+] Signature verification: successful
[+] Number of Masterkeys : 1
[+] Operation of PICC master key : (3)DES
[+] PICC Master key Version : 0 (0x00)
[=] ----------------------------------------------------------
[!!] ? APDU: No APDU response.
[+] [0x1A] Authenticate ISO : YES
[=] -------------------------------------------------------------
[=] Key setting: 0x0F [1111]
[+] [1...] CMK Configuration changeable : YES
[+] [.1..] CMK required for create/delete : NO
[+] [..1.] Directory list access with CMK : NO
[+] [...1] CMK is changeable : YES
On some readers, with a Chameleon Mini RevG I've been able to emulate the UID using the MF Classic 4K 7B card type.
On some readers it's enough to get access, but another reader doesn't see the card.
I have cards that are sold with the Proxmark RDV4, and I wanted to set this 7B UID to a card for testing, and I never found a way to do that.
I've been able to emulate with the RDV4, and again, on the non-working reader, same behaviour as with the Chameleon.
When I do hf mf dump I get this going for ages:
[usb] pm3 --> hf mf dump
[=] Using `hf-mf-045B3BFXXXXXXX-key.bin`
[=] Reading sector access bits...
.[#] Auth error
.[#] Auth error
.[#] Auth error
[-] ⛔ could not get access rights for sector 0. Trying with defaults...
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
and then:
[+] saved 1024 bytes to binary file hf-mf-045B3BXXXXXXXX-dump-3.bin
[+] saved 64 blocks to text file hf-mf-045B3XXXXXXXX-dump-3.eml
[+] saved to json file hf-mf-045B3BXXXXXXXXX-dump-3.json
In the eml file I get:
FF000F01504D33620000623300000000
01000000000000000700000000000000
0000000000000000045B3XXXXXXXX00
0000074403200806757781028002F000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
From that, how can I make a single copy of a card with just the UID, or is there any way to dump all the keys?
Gear I own:
Proxmark 3 & RDV4
Chameleon rev E & rev G
Thank you for your help
Offline
mixed bag of goodies.
To answer one of your questions, DESFire simulation is not implemented on Proxmark3.
You seem to be confused about MIFARE Classic vs MIFARE DESFire, maybe read a short datasheet or two to understand what you are trying to ask or want to do?
The files section on this site has a nice selection of datasheets; you'll find a link at the top of the page.
Offline
Thanks a lot! @iceman
Offline
How come with the Chameleon Mini RevG I can emulate the card for some readers and not for some others? Out of 3 apps that use this card (printing services, door, car key safe box) the emulation works on all of them except the printer reader. Any reason why?
Thanks for your time
Offline
mixed bag of goodies.
To answer one of your questions, DESFire simulation is not implemented on Proxmark3.
You seem to be confused about MIFARE Classic vs MIFARE DESFire, maybe read a short datasheet or two to understand what you are trying to ask or want to do?
The files section on this site has a nice selection of datasheets; you'll find a link at the top of the page.
MIFARE DESFire emulation is not implemented?
I would like to emulate MIFARE DESFire 4k cards.
Thanks
Offline
Feel free to contribute!
Offline
Hi there!
It's been a long time since my last visit here ...
A lot changed - source-wise - and I really appreciate how easy it is nowadays to compile and flash the pm3.
Thanks for that!
But what's the problem with providing some functionality like there is on these 'desfire-fakes', where you can write the UID, and which answer with the correct ATQA & ATS?
No, my C skills didn't develop over time, so I can not support here (yet) - but I want to understand why nobody provides that functionality -
are there some 'secrets' missing?
does nobody see the need for this?
or why?
I played around with this 'chameleon-fork' with desfire-support, but that did not really get detected as desfire (at least on the pm3 side; I only tested that with my Kaos-RevG and pm3).
I also tried the 'stand-alone-module' HF_YOUNG, which unfortunately didn't work out either (wrong ATQA and ATS), but from my
poor understanding, it should not be that hard to make a module like that for desfire - or? - what's the problem?
Just the lack of motivated hackers?
real desfire-tag on pm3:
[usb] pm3 --> hf 14a info
[+] UID: 04 62 7F 7A 19 29 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 77 81 02 80 [ f0 00 ]
[=] 06............... TL length is 6 bytes
[=] 75............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77......... TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 81...... TB1 SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[+] 80
[?] Hint: try `hf mfdes info`
same card scanned with HF_YOUNG (slightly modified for ATQA 0x0344) on pm3:
[usb] pm3 --> hf 14a info
[+] UID: 04 62 7F 7A 19 29 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 05 75 80 60 02 [ 58 00 ]
[=] 05............... TL length is 5 bytes
[=] 75............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 80......... TA1 different divisors are NOT supported, DR: [], DS: []
[=] 60...... TB1 SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 6 (FWT = 262144/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported
[?] Hint: try `hf mfdes info`
So, from my (simple) point of view - it just needs one more byte on the ATS (5 vs 6) - aside from all the header-infos, which are also missing (hf mfdes info doesn't show anything meaningful on the simulated one here)
or?
Looks like the simulator needs an additional feature/type for a 6-byte ATQA (just my simple understanding)
HF-YOUNG uses tagtype '3'
So, since I own more than one proxmark, I can run 'hf 14a sim -t 3 -u 04627F7A192980' on the one hand, and the
simulator on the other.
Just need to bring in some header-infos and a 6-byte ATS (which still looks different to the original)
Last edited by mosci (2021-12-25 07:56:23)
Offline
Or did I mix up simulation and emulation?
For me, proper simulation would be the first step - or?
Offline
If I change the rATS in iso14443a.c's SimulateIso14443aInit method from
static uint8_t rRATS[] = { 0x05, 0x75, 0x80, 0x60, 0x02, 0x00, 0x00 };
to
static uint8_t rRATS[] = { 0x06, 0x75, 0x77, 0x81, 0x02, 0x80, 0x00, 0x00 };
I get:
[usb] pm3 --> hf 14a sim -t 3 -u 04627F7A192980
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 62 7F 7A 19 29 80 )
[=] Press pm3-button to abort simulation
[#] ToSend buffer, Out-of-bound, when modulating bits for tag answer:
[#] d0 73 87
[#] Not enough modulation buffer size, exit after 10 elements
[=] Done
- that was probably thought too simply
Offline
Disabling (uncomment) the 'buffer-check' will probably lead to other problems, but
the reader now at least gets the same information ... at least when running
'hf 14a reader/info' on the reader and
'hf 14a sim -t 3 -u 04627F7A192980' on the simulator
pm3sim:
[usb] pm3 --> hf 14a sim -t 3 -u 041457F29F5980
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 14 57 F2 9F 59 80 )
[=] Press pm3-button to abort simulation
[#] ToSend buffer, Out-of-bound, when modulating bits for tag answer:
[#] d0 73 87
reader detects pm3-sim:
[usb] pm3 --> hf 14a reader
[+] UID: 04 14 57 F2 9F 59 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] ATS: 06 75 77 81 02 80
[usb] pm3 --> hf 14a info
[+] UID: 04 14 57 F2 9F 59 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 77 81 02 80 [ f0 00 ]
[=] 06............... TL length is 6 bytes
[=] 75............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77......... TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 81...... TB1 SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[+] 80
[?] Hint: try `hf mfdes info`
reader detects fake-tag:
[usb] pm3 --> hf 14a info
[+] UID: 04 14 57 F2 9F 59 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 33 81 02 00 [ 10 00 ]
[=] 06............... TL length is 6 bytes
[=] 75............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 33......... TA1 different divisors are supported, DR: [2, 4], DS: [2, 4]
[=] 81...... TB1 SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[+] 00
[?] Hint: try `hf mfdes info`
So, now the pm3-simulator responds the same as the 'desfire fake tag', and this fake-tag is known to work at our 'company-charging-stations' - which seem to just check for the UID and card type
I'm on vacation now - but next year I will double-check that at work.
Last edited by mosci (2021-12-25 09:12:09)
Offline
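The comparisons above (real EV2 versus the stock HF_YOUNG response, and then the pm3 simulation versus the 'desfire fake tag') come down to which ATS fields differ, not just the byte count. The following Python decoder is an added example for this thread, not Proxmark3 code and not something the poster wrote: it walks the ISO/IEC 14443-4 ATS layout that `hf 14a info` prints (TL, T0/FSCI, TA1 divisors, TB1 FWI/SFGI, TC1 NAD/CID, historical bytes), rejects an ATS whose TL or T0 announces more bytes than are present (the mismatch the simulator's buffer check complained about), and reports field by field where a simulated response diverges from a reference capture. The three byte strings are the ones pasted in this thread; the function names are my own.

```python
"""Decode and compare ISO/IEC 14443-4 ATS (Answer To Select) responses.

Added example for this thread; it is not Proxmark3 code. The field layout
follows ISO/IEC 14443-4: TL, T0 (FSCI plus TA1/TB1/TC1 presence bits), the
announced interface bytes, then historical bytes. A trailing CRC_A, which
pm3 prints in [ .. ] after the ATS, is not part of the ATS and is ignored.
"""

# FSCI -> FSC (maximum frame size the PICC accepts, in bytes)
FSCI_TO_FSC = {0: 16, 1: 24, 2: 32, 3: 40, 4: 48, 5: 64, 6: 96, 7: 128,
               8: 256, 9: 512, 10: 1024, 11: 2048, 12: 4096}


def parse_ats(raw: bytes) -> dict:
    """Return a nested dict describing the ATS; raise ValueError if malformed."""
    if not raw:
        raise ValueError("empty ATS")
    tl = raw[0]                          # TL counts itself but not the CRC
    if tl < 1 or tl > len(raw):
        raise ValueError(f"TL={tl} does not fit in {len(raw)} byte(s)")
    ats = raw[:tl]
    info = {"TL": tl}
    if tl == 1:                          # bare TL: defaults apply, nothing more
        info["historical"] = b""
        return info
    t0 = ats[1]
    fsci = t0 & 0x0F
    info["T0"] = {"raw": t0, "FSCI": fsci, "FSC": FSCI_TO_FSC[min(fsci, 12)]}
    pos = 2

    def next_byte(name: str) -> int:
        nonlocal pos
        if pos >= tl:
            raise ValueError(f"T0 announces {name} but TL={tl} is too short")
        value = ats[pos]
        pos += 1
        return value

    if t0 & 0x10:                        # TA1: supported bit-rate divisors
        ta1 = next_byte("TA1")
        info["TA1"] = {
            "raw": ta1,
            # b8 set: the PCD must use the same divisor in both directions
            "different_divisors": not (ta1 & 0x80),
            "DR": [d for bit, d in ((0x01, 2), (0x02, 4), (0x04, 8)) if ta1 & bit],
            "DS": [d for bit, d in ((0x10, 2), (0x20, 4), (0x40, 8)) if ta1 & bit],
        }
    if t0 & 0x20:                        # TB1: frame waiting / start-up guard time
        tb1 = next_byte("TB1")
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        info["TB1"] = {
            "raw": tb1,
            "FWI": fwi, "FWT": 4096 << fwi,                    # in 1/fc units
            "SFGI": sfgi, "SFGT": 0 if sfgi == 0 else 4096 << sfgi,
        }
    if t0 & 0x40:                        # TC1: NAD / CID support
        tc1 = next_byte("TC1")
        info["TC1"] = {"raw": tc1, "NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    info["historical"] = bytes(ats[pos:])
    return info


def is_well_formed(raw: bytes) -> bool:
    """True if the ATS parses: TL consistent with length and announced bytes."""
    try:
        parse_ats(raw)
    except ValueError:
        return False
    return True


def _flatten(d: dict, prefix: str = "") -> dict:
    out = {}
    for key, value in d.items():
        if isinstance(value, dict):
            out.update(_flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def diff_ats(reference: bytes, candidate: bytes) -> list:
    """List (field, reference_value, candidate_value) for every field that differs."""
    ref, cand = _flatten(parse_ats(reference)), _flatten(parse_ats(candidate))
    return [(k, ref.get(k), cand.get(k))
            for k in sorted(set(ref) | set(cand)) if ref.get(k) != cand.get(k)]


# ATS values as pasted in this thread (CRC bytes dropped)
REAL_EV2 = bytes.fromhex("067577810280")          # genuine DESFire EV2 card
HF_YOUNG_DEFAULT = bytes.fromhex("0575806002")    # stock tag type 3 simulation
FAKE_TAG = bytes.fromhex("067533810200")          # the 'desfire fake tag'

if __name__ == "__main__":
    for label, ats in (("real EV2", REAL_EV2), ("HF_YOUNG", HF_YOUNG_DEFAULT), ("fake tag", FAKE_TAG)):
        print(label, ats.hex(" "), _flatten(parse_ats(ats)))
    for label, cand in (("HF_YOUNG", HF_YOUNG_DEFAULT), ("fake tag", FAKE_TAG)):
        print(f"\nreal EV2 vs {label}:")
        for field, want, got in diff_ats(REAL_EV2, cand):
            print(f"  {field:<24} reference={want!r}  candidate={got!r}")
```

Run it and the first diff shows that the stock type 3 response differs from the real card in TL, TA1 (no divisors), TB1 (FWI 6 instead of 8, no SFGI) and the missing historical byte, which is why a reader that inspects anything beyond UID and SAK can tell the two apart; the second diff shows the fake tag differing only in TA1 and the historical byte. Feeding `diff_ats` a reference capture and the ATS a simulator answers with is a quick check to run before trusting a simulation against a reader.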
You need to add some length to the reserved space for encoded messages when simulating if you increase the length.
If you do what you did, you end up corrupting memory.
PM3 doesn't have a proper DESFire simulation. Feel free to implement one. It is a complex matter. Just getting support to read/write desfire took some years so I wouldn't count on it being done in the next year or so. To be honest there is very little work being done on the PM3 source.
Offline
I pushed your changes but with correct allocation. Try it and see if it works.
Offline
Thanks Iceman
nearly - might be a typo
I cannot push to branches ... so here is the diff:
proxmark3 git:(fix_desfire_rats) git diff master
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 7f3040685..f8aec2a81 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -1044,7 +1044,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
rATQA[0] = 0x04;
rATQA[1] = 0x03;
sak = 0x20;
- memcpy(rRATS, "\x06\x75\x77\x81\x02\x00\x00\x00", 8);
+ memcpy(rRATS, "\x06\x75\x77\x81\x02\x80\x00\x00", 8);
}
break;
case 4: { // ISO/IEC 14443-4 - javacard (JCOP)
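Review bot: the 8-byte memcpy into rRATS on the `+` line is only safe if rRATS was sized for it; the hand edit earlier in this thread declared rRATS as a 7-element array for the 5-byte ATS, and an 8-byte copy into that writes past its end, which is the memory corruption pointed out above. Worth a comment beside the literal spelling out the layout (TL 06, T0 75, TA1 77, TB1 81, TC1 02, historical byte 80, then two bytes left for the CRC) so the next change to the ATS length is checked against the buffer size and the ToSend allocation, not only against the byte values.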
With the above diff applied:
the 'original' DESFire read:
[usb] pm3 --> hf 14a info
[+] UID: 04 62 7F 7A 19 29 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 77 81 02 80 [ f0 00 ]
[=] 06............... TL length is 6 bytes
[=] 75............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77......... TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 81...... TB1 SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[+] 80
[?] Hint: try `hf mfdes info`
and the simulated one (hf 14a sim -t 3 -u 04627F7A192980)
[usb] pm3 --> hf 14a info
[+] UID: 04 62 7F 7A 19 29 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 77 81 02 80 [ f0 00 ]
[=] 06............... TL length is 6 bytes
[=] 75............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77......... TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 81...... TB1 SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[+] 80
[?] Hint: try `hf mfdes info`
that looks fine - so far!
Last edited by mosci (2021-12-25 15:25:36)
Offline
next step would be to get the Header-Data (hardware version, software version, batch , prodDate)
into the simulator also.
just shoot me a note once we can pair on it
Offline
And here is the patch to get HF_YOUNG working with that too:
but that has to be maintained by him (Mr. Young) - I guess
diff --git a/armsrc/Standalone/hf_young.c b/armsrc/Standalone/hf_young.c
index e7b69d550..7b18763e5 100644
--- a/armsrc/Standalone/hf_young.c
+++ b/armsrc/Standalone/hf_young.c
@@ -257,6 +257,10 @@ void RunMod(void) {
} else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0x03) {
DbpString("Mifare DESFire");
SimulateIso14443aTag(3, flags, data, 0);
+ } else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0x03) {
+ DbpString("Mifare DESFire Ev1/Plus/JCOP");
+ SimulateIso14443aTag(3, flags, data, 0);
} else {
Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
SimulateIso14443aTag(1, flags, data, 0);
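Review bot: the new `else if` branch duplicates the one above it apart from the debug string; both test `sak == 0x20` and `atqa[1] == 0x03` and both call `SimulateIso14443aTag(3, flags, data, 0)`, so folding the second ATQA byte into the existing condition, e.g. `(uids[selected].atqa[0] == 0x04 || uids[selected].atqa[0] == 0x44)`, leaves one branch to maintain. The label also lists Plus/JCOP, but the call hands every such card to tag type 3, which with the previous patch now answers with the DESFire-style 6-byte ATS; a short comment saying that Plus and JCOP cards are simulated with DESFire interface bytes would save the next reader a surprise.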
Last edited by mosci (2021-12-25 15:43:30)
Offline
Pushed the fixes, but the version etc. needs changes in the state machine; I have no lust to play with it.
Offline
Thanks - works like a charm
Offline