Hello guys,
I am trying to determine the class of a bunch of MIFARE DESFire cards, to be able to tell DESFire (MF3ICD40) from DESFire EV1, and EV1 from EV2.
Running `hf search` on the one I currently have handy returns the following:
```
pm3 --> hf search
UID : XX XX XX XX
ATQA : 03 04
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 06 75 77 81 02 80 02 F0
- TL : length is 6 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 80
Answers to magic commands (GEN1): NO
Valid ISO14443A Tag Found - Quiting Search
```
And using the `hf mfdes info` from the latest Iceman's fork gives:
```
pm3 --> hf mfdes info
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : XX XX XX XX 00 00 00
Batch number : BA 55 52 8B A0
Production date : week 52, 2014
-----------------------------------------------------------
Hardware Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.0
Storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-----------------------------------------------------------
Software Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.4
storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : YES
[0x02] Directory list access with CMK : NO
[0x01] CMK is changeable : YES
Max number of keys : 188
Master key Version : 2 (0x02)
----------------------------------------------------------
[0x0A] Authenticate : NO
[0x1A] Authenticate ISO : NO
[0xAA] Authenticate AES : YES
----------------------------------------------------------
Available free memory on card : 4192 bytes
-------------------------------------------------------------
```
Is it possible to find what DESFire class it is?
I guess the supported ciphers can help but I haven't fully read and understood the full specifications of the cards...
Thank you for your help
Offline
Looking at the pdf http://www.nxp.com/documents/short_data … X2_SDS.pdf
there are ways to identify the new EV2. Among them are some new authentication modes like AuthenticateEV2First and AuthenticateEV2NonFirst, not to mention a lot of new commands like the proximity check.
Offline
Hello,
are you still working on this?
You can distinguish between DESFire (MF3ICD40), DESFire EV1 and DESFire EV2 by the GetVersion Command (0x60).
The "hf mfdes info" from the iceman repo is already using this command.
With Hardware Major Version Byte you can detect DESFire Version:
(in iceman repo "PrintAndLog(" Version : %d.%d",resp.d.asBytes[10]")
- 0x00 -> DESFire (MF3ICD40)
- 0x01 -> MIFARE DESFire EV1
- 0x12 -> MIFARE DESFire EV2
Greetz Mackwa
Offline
How about you make a PR on github to my fork, and I'll merge it
Offline
> How about you make a PR on github to my fork, and I'll merge it

can do this, but will possibly last some time (multiple weeks not unrealistic)
Had worked with a borrowed proxmark 3 before, only as client user, no development.
But I'm planning to buy one proxmark 3 in the near future for rfid evaluations.
Offline
It's no hurry.
Offline
Btw, I'm looking at it. The version bytes are in BCD form. Where did you find the identification list of the high version byte?
Offline
> Btw, I'm looking at it. The version bytes are in BCD form,

where did you find this information? Can't remember exactly, but it's not in the datasheet. Am I wrong?

> where did you find the identification list of the high version byte?

found the information by reading out different DESFire cards and I think it's in the datasheet also.
Offline
Yes, that part is in the datasheets.
Don't know, haven't seen it in the EV1 or old DESFire datasheets. I don't have the full datasheet for EV2.
Offline
> Yes, that part is in the datasheets.

Didn't find it in the datasheet...

> Don't know, haven't seen it in the EV1 or old DESFire datasheets. I don't have the full datasheet for EV2.

There is no list in the datasheets. But in every DESFire datasheet there is an example reply of the GetVersion (0x60) command.
And from those example answers you can get the version byte info.
My DESFire cards all replied according to the list that I posted earlier.
Offline
OK, unclear of me. I also found the old DESFire and EV1 Getcommand instruction. I don't have an EV2 to verify it.
However, the version you are suggesting is two bytes long: bytes 10 and 11.
So for EV2 is it 1.2 or 12.0? (major version 1, minor version 2) or (major version 12, minor 0)
I can push some changes tonight and you can test it out for me?
Offline
Hello,
I posted only Hardware Major Version Byte, in your example it is Byte 10,
if it is really BCD coded, it will be 12.X for DESFire EV2.
can't test, cause I don't have a proxmark 3 at the moment.
will buy it soon
Greetz
Mackwa
Offline
I pushed some changes. It will not find the EV2 yet, since I haven't found an EV2 datasheet where it explains the actual major byte value it's going to use. It looks for major 1, minor 2 in this version.
Maybe you have a friend who has a pm3 and an EV2 tag to test it for me.
Offline
I read out different DESFire cards ... (answer to GetVersion 0x60)
DESFire 4K (MF3ICD40)
---------------------
04 01 01 00 02 18 05
04 01 01 00 06 18 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>
DESFire EV1 2K 17pF
----------------------
don't have one, but would be:
04 01 01 01 00 16 05
04 01 01 01 04 16 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>
DESFire EV1 4K 17pF
----------------------
04 01 01 01 00 18 05
04 01 01 01 04 18 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>
DESFire EV1 8K 17pF
----------------------
04 01 01 01 00 1A 05
04 01 01 01 04 1A 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>
DESFire EV2 2K 17pF
----------------------
04 01 01 12 00 16 05
04 01 01 02 00 16 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>
DESFire EV2 4K 17pF
----------------------
04 01 01 12 00 18 05
04 01 01 02 00 18 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>
DESFire EV2 8K 17pF
----------------------
04 01 01 12 00 1A 05
04 01 01 02 00 1A 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>
I think, this is helpful
Offline
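The classification discussed in this thread, written out as an added example (this is not code from the Proxmark3 repository or from any poster). The field offsets are an assumption read off the 7-byte hardware frames in the dumps above, the function and constant names are hypothetical, and the last frame is constructed to show why "major 1, minor 2" must not be matched as EV2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets inside the 7-byte hardware frame, read off the dumps in the thread:
 * vendor, type, subtype, major, minor, storage size, protocol. */
enum { HW_VENDOR = 0, HW_MAJOR = 3, HW_STORAGE = 5, HW_FRAME_LEN = 7 };

typedef enum { GEN_UNKNOWN, GEN_MF3ICD40, GEN_EV1, GEN_EV2 } desfire_gen_t;

/* Hardware frames copied from the GetVersion dumps posted in the thread. */
static const uint8_t HW_D40_4K[] = {0x04, 0x01, 0x01, 0x00, 0x02, 0x18, 0x05};
static const uint8_t HW_EV1_4K[] = {0x04, 0x01, 0x01, 0x01, 0x00, 0x18, 0x05};
static const uint8_t HW_EV2_2K[] = {0x04, 0x01, 0x01, 0x12, 0x00, 0x16, 0x05};
/* Constructed frame: major 0x01, minor 0x02. It must not be taken for EV2. */
static const uint8_t HW_V1_2[] = {0x04, 0x01, 0x01, 0x01, 0x02, 0x18, 0x05};

/* Classify on the raw major byte alone, using the list from the thread.
 * Short frames and non-NXP vendor ids (anything but 0x04) are rejected. */
desfire_gen_t desfire_classify(const uint8_t *hw, size_t len) {
    if (hw == NULL || len < HW_FRAME_LEN || hw[HW_VENDOR] != 0x04)
        return GEN_UNKNOWN;
    switch (hw[HW_MAJOR]) {
        case 0x00: return GEN_MF3ICD40;
        case 0x01: return GEN_EV1;
        case 0x12: return GEN_EV2;
        default:   return GEN_UNKNOWN;
    }
}

/* Storage byte: the upper 7 bits n encode 2^n bytes (0x18 -> 4096).
 * A set low bit means "between 2^n and 2^(n+1)"; the lower bound is returned. */
uint32_t desfire_storage_bytes(uint8_t storage) {
    unsigned n = storage >> 1;
    return n < 32 ? (uint32_t)1 << n : 0;
}

int main(void) {
    static const char *names[] = {"unknown", "DESFire (MF3ICD40)", "DESFire EV1", "DESFire EV2"};
    const uint8_t *frames[] = {HW_D40_4K, HW_EV1_4K, HW_EV2_2K, HW_V1_2};
    for (size_t i = 0; i < 4; i++)
        printf("major 0x%02X -> %s, %u bytes\n", (unsigned)frames[i][HW_MAJOR],
               names[desfire_classify(frames[i], HW_FRAME_LEN)],
               (unsigned)desfire_storage_bytes(frames[i][HW_STORAGE]));
    return 0;
}
```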
and there it is, in black and grey, major version byte 0x12. So odd.
I think I changed my detection yesterday on github.
Offline