Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia



#1 2013-09-09 17:02:37

daos
Contributor
Registered: 2013-09-09
Posts: 18

Libfreefare

Hi everyone !

In my research I found the library libfreefare, which is compatible with the MIFARE DESFire card. It would be a good idea to make it work with the Proxmark. What do you think about this project?


MIFARE Classic 1k     Supported
MIFARE Classic 4k     Supported
MIFARE DESFire 2k     Supported
MIFARE DESFire 4k     Supported
MIFARE DESFire 8k     Supported
MIFARE DESFire EV1     Supported
MIFARE Mini     Not supported
MIFARE Plus S 2k     Not supported
MIFARE Plus S 4k     Not supported
MIFARE Plus X 2k     Not supported
MIFARE Plus X 4k     Not supported
MIFARE Ultralight     Supported
MIFARE UltralightC     Supported


#2 2014-04-16 23:03:49

pentura_prox
Contributor
From: England,UK
Registered: 2014-03-11
Posts: 22

Re: Libfreefare

Sure; Desfire v0.6

proxmark3> hf desfire des-auth k 0
#db# Auth1 Resp: 02afed489b91bb7ec990b1                 
#db# AUTH 1 FINISHED                 
enc(nc)/b0:ed 48 9b 91 bb 7e c9 90           
r0:b1 f0 7d ff 22 8c cd db           
r1:f0 7d ff 22 8c cd db b1           
b2:2b 14 d2 1b 72 6a 3f f4           
#db# Auth2 Resp: 03006edd9db5eeb14721                 
#db# AUTH 2 FINISHED                 
b3:6e dd 9d b5 ee b1 47 21           
proxmark3> hf 14a list
Recorded Activity          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
All times are in carrier periods (1/13.56Mhz)          
          
     Start |       End | Src | Data          
-----------|-----------|-----|--------          
         0 |       992 | Rdr | 52              
      2404 |      4772 | Tag | 44  03              
      7040 |      9504 | Rdr | 93  20              
     10852 |     16740 | Tag | 88  04  31  1a  a7              
     18816 |     29280 | Rdr | 93  70  88  04  31  1a  a7  23  1e              
     30692 |     34212 | Tag | 24  d8  36              
     35456 |     37920 | Rdr | 95  20              
     39268 |     45156 | Tag | f2  e2  26  80  b6              
     47232 |     57696 | Rdr | 95  70  f2  e2  26  80  b6  10  0c              
     59108 |     62692 | Tag | 20  fc  70              
     64000 |     68768 | Rdr | e0  80  31  73              
     70116 |     79396 | Tag | 06  75  77  81  02  80  02  f0              
     81024 |     86880 | Rdr | 02  0a  00  dc  ed              
     96484 |    110436 | Tag | 02  af  ed  48  9b  91  bb  7e  c9  90  b1  ef              
   1081344 |   1104480 | Rdr | 03  af  a2  f6  20  2e  86  e6  56  1d  2b  14  d2  1b  72  6a  3f  f4  ef  b7              
   1115108 |   1129060 | Tag | 03  00  6e  dd  9d  b5  ee  b1  47  21  ac  f8


#3 2014-05-08 13:08:41

pentura_prox
Contributor
From: England,UK
Registered: 2014-03-11
Posts: 22

Re: Libfreefare

It's just a rather simple PoC at the moment; it needs more work to generate a session key, and work needs to be done on raw APDUs or the ISO 1718? APDUs. I can share with you what I've done so far. What's your email address?


#4 2014-05-19 19:15:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Libfreefare

Just a quick question Pentura_prox, what is the initial 0x02 and the 0x03 in your commands to the tag? I just can't find it in any PDFs. Wrapped commands start with 0x90 (and little endian), but native cmds should just be 0x0a 0x00 + CRC...


#5 2014-05-19 19:52:32

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Libfreefare

02 and 03 are "configuration bytes" used in RFID smartcard ISO 14443A. For what I understood, 02 is used if a simple answer is awaited from the card, while 03 if some more series of commands are needed (this is only an opinion; datasheets are a bit vague about them). It is different from real contact smart cards; those ones don't need that byte.


#6 2014-05-19 19:52:43

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Libfreefare

A quick summary of the authentication handshake (bottom of the trace):

    81024 |     86880 | Rdr | 02  0a  00  dc  ed   
Reader : Request DES Auth
header (auth request)+ body=02 0a 00
crc = dc ed 

    96484 |    110436 | Tag | 02  af  ed  48  9b  91  bb  7e  c9  90  b1  ef   
Tag: Respond DES(Rand A)/ Nonce b0     
header (response)=02 af, 
data = ed  48  9b  91  bb  7e  c9  90,
crc=b1  ef     

1081344 |   1104480 | Rdr | 03  af  a2  f6  20  2e  86  e6  56  1d  2b  14  d2  1b  72  6a  3f  f4  ef  b7   
Reader: Responds  b1.b2 
header (handshake p2 request)=03 af ,
b1=a2  f6  20  2e  86  e6  56  1d,
b2= 2b  14  d2  1b  72  6a  3f  f4,
crc=ef  b7   

1115108 |   1129060 | Tag | 03  00  6e  dd  9d  b5  ee  b1  47  21  ac  f8
Tag: Thank you handshake complete, here is b3 for generating session_key.   
header (handshake p2 response) =03 00,
data= 6e  dd  9d  b5  ee  b1  47  21,
crc= ac  f8

So essentially the 02 & 03 are the phases of authentication; if you receive "02 ae" or "03 ae", that means an error occurred during the handshake.

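As an added, runnable example (my own code, not pentura_prox's PoC and not part of libfreefare or the Proxmark3 client), the following script parses the `hf 14a list` trace posted in #2 frame by frame. It names each frame (REQA/ATQA, anticollision, SELECT/SAK, RATS/ATS and the ISO 14443-4 blocks), checks the BCC of the UID frames and the CRC_A (ISO/IEC 14443-3, polynomial 0x8408, preset 0x6363, sent LSB first) of every frame that carries one, decodes the leading 0x02/0x03 byte as the protocol control byte (PCB) of an ISO 14443-4 I-block, whose low bit is the block number that alternates between successive I-blocks, and then lists the DESFire native command and status bytes of the handshake (0x0A, 0xAF, 0x00; 0xAE would be an authentication error). The trace text is copied from the post; the status-code names, the `Frame` layout and the function names are this example's own choices.

```python
"""Decode a Proxmark3 `hf 14a list` trace frame by frame: anticollision,
RATS/ATS and the ISO 14443-4 I-blocks carrying the DESFire native
authentication, checking BCC and CRC_A wherever the frame carries one.
Example code; not from the post's author, libfreefare or the Proxmark3 client."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trace copied verbatim from the `hf 14a list` output in post #2 above.
TRACE = """\
         0 |       992 | Rdr | 52
      2404 |      4772 | Tag | 44  03
      7040 |      9504 | Rdr | 93  20
     10852 |     16740 | Tag | 88  04  31  1a  a7
     18816 |     29280 | Rdr | 93  70  88  04  31  1a  a7  23  1e
     30692 |     34212 | Tag | 24  d8  36
     35456 |     37920 | Rdr | 95  20
     39268 |     45156 | Tag | f2  e2  26  80  b6
     47232 |     57696 | Rdr | 95  70  f2  e2  26  80  b6  10  0c
     59108 |     62692 | Tag | 20  fc  70
     64000 |     68768 | Rdr | e0  80  31  73
     70116 |     79396 | Tag | 06  75  77  81  02  80  02  f0
     81024 |     86880 | Rdr | 02  0a  00  dc  ed
     96484 |    110436 | Tag | 02  af  ed  48  9b  91  bb  7e  c9  90  b1  ef
   1081344 |   1104480 | Rdr | 03  af  a2  f6  20  2e  86  e6  56  1d  2b  14  d2  1b  72  6a  3f  f4  ef  b7
   1115108 |   1129060 | Tag | 03  00  6e  dd  9d  b5  ee  b1  47  21  ac  f8
"""

# DESFire native status bytes (first payload byte of a tag I-block); names are mine.
DESFIRE_STATUS = {0x00: "OK", 0xAE: "AUTHENTICATION_ERROR", 0xAF: "ADDITIONAL_FRAME"}

LINE_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|\s*([0-9a-fA-F ]+)$")


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: poly 0x8408 (reflected 0x1021), preset 0x6363, LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


@dataclass
class Frame:
    src: str
    data: bytes
    kind: str
    payload: bytes                       # frame without its CRC_A / BCC
    check_ok: Optional[bool] = None      # CRC_A (or BCC) result; None if the frame has neither
    block_number: Optional[int] = None   # ISO 14443-4 PCB block-number bit for I/R-blocks


def _strip_crc(data: bytes) -> Tuple[bytes, bool]:
    if len(data) < 3:
        return data, False
    return data[:-2], crc_a(data[:-2]) == data[-2:]


def classify(src: str, data: bytes, prev_kind: Optional[str]) -> Frame:
    """Name one frame; a tag frame is interpreted from the reader frame that preceded it."""
    b0 = data[0]
    if src == "Rdr":
        if data == b"\x52":
            return Frame(src, data, "REQA", data)          # short frame, no CRC
        if b0 in (0x93, 0x95, 0x97) and len(data) > 1 and data[1] == 0x20:
            return Frame(src, data, "ANTICOLLISION", data)  # no CRC
        if b0 in (0x93, 0x95, 0x97) and len(data) > 1 and data[1] == 0x70:
            return Frame(src, data, "SELECT", *_strip_crc(data))
        if b0 == 0xE0:
            return Frame(src, data, "RATS", *_strip_crc(data))
    else:
        if prev_kind == "REQA":
            return Frame(src, data, "ATQA", data)           # no CRC
        if prev_kind == "ANTICOLLISION":
            uid, bcc = data[:4], data[4]                    # BCC = XOR of the 4 UID bytes
            return Frame(src, data, "UID+BCC", uid, (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc)
        if prev_kind == "SELECT":
            return Frame(src, data, "SAK", *_strip_crc(data))
        if prev_kind == "RATS":
            return Frame(src, data, "ATS", *_strip_crc(data))
    # Everything else is an ISO 14443-4 block: decode the PCB (protocol control byte).
    payload, ok = _strip_crc(data)
    if b0 & 0xE2 == 0x02:      # 000c n d 1 b -> I-block, b = block number
        return Frame(src, data, "I-block", payload[1:], ok, b0 & 1)
    if b0 & 0xE6 == 0xA2:      # 101a c 0 1 b -> R-block (ACK/NAK)
        return Frame(src, data, "R-block", payload[1:], ok, b0 & 1)
    if b0 & 0xC7 == 0xC2:      # 11tt c 0 1 0 -> S-block (DESELECT / WTX)
        return Frame(src, data, "S-block", payload[1:], ok)
    return Frame(src, data, "UNKNOWN", data)


def parse_trace(text: str) -> List[Frame]:
    frames, prev = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame = classify(m.group(3), bytes.fromhex(m.group(4).replace(" ", "")), prev)
        frames.append(frame)
        prev = frame.kind
    return frames


def desfire_exchange(frames: List[Frame]) -> List[tuple]:
    """(src, block number, command/status name, data hex, check_ok) for every I-block."""
    out = []
    for f in frames:
        if f.kind != "I-block" or not f.payload:
            continue
        if f.src == "Rdr":
            label = "cmd 0x%02X" % f.payload[0]
        else:
            label = DESFIRE_STATUS.get(f.payload[0], "status 0x%02X" % f.payload[0])
        out.append((f.src, f.block_number, label, f.payload[1:].hex(), f.check_ok))
    return out


if __name__ == "__main__":
    for f in parse_trace(TRACE):
        flag = "" if f.check_ok is None else ("  check=ok" if f.check_ok else "  check=FAIL")
        print(f"{f.src} {f.kind:<13} {f.payload.hex(' ')}{flag}")
```

Running it prints one line per frame with a check=ok/FAIL flag, so a frame received with a corrupted CRC shows up immediately instead of being silently accepted; the reader's first DES authentication frame 02 0a 00 dc ed and the tag's 02 af ... b1 ef reply both verify against CRC_A, and the two UID frames verify against their BCC.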

#7 2014-06-09 04:55:06

daos
Contributor
Registered: 2013-09-09
Posts: 18

Re: Libfreefare

Thanks @pentura_prox, I appreciate that. Can you put the code in https://github.com/Proxmark/proxmark3, or maybe can you upload the .os so that everyone can install it on their pm3?

