How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

suixo · 2016-04-27 13:51:40

Hello guys,

I am trying to determine the class of a bunch of MIFARE DESFire cards, to be able to tell DESFire (MF3ICD40) from DESFire EV1, and EV1 from EV2.

Running `hf search` on the one I currently have handy returns the following:

pm3 --> hf search                                                                               
          
 UID : XX XX XX XX
ATQA : 03 04          
 SAK : 20 [1]          
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41          
 ATS : 06 75 77 81 02 80 02 F0           
       -  TL : length is 6 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : 80           
Answers to magic commands (GEN1): NO          

Valid ISO14443A Tag Found - Quiting Search

And using the `hf mfdes info` from the latest Iceman's fork gives:

pm3 --> hf mfdes info
          
-- Desfire Information --------------------------------------          
-------------------------------------------------------------          
  UID                : XX XX XX XX 00 00 00           
  Batch number       : BA 55 52 8B A0           
  Production date    : week 52, 2014          
  -----------------------------------------------------------          
  Hardware Information          
      Vendor Id      : NXP Semiconductors Germany          
      Type           : 0x01          
      Subtype        : 0x01          
      Version        : 1.0          
      Storage size   : 0x18 (4096 bytes)          
      Protocol       : 0x05 (ISO 14443-3, 14443-4)          
  -----------------------------------------------------------          
  Software Information          
      Vendor Id      : NXP Semiconductors Germany          
      Type           : 0x01          
      Subtype        : 0x01          
      Version        : 1.4          
      storage size   : 0x18 (4096 bytes)          
      Protocol       : 0x05 (ISO 14443-3, 14443-4)          
-------------------------------------------------------------          
 CMK - PICC, Card Master Key settings           
          
   [0x08] Configuration changeable       : YES          
   [0x04] CMK required for create/delete : YES          
   [0x02] Directory list access with CMK : NO          
   [0x01] CMK is changeable              : YES          
          
   Max number of keys       : 188          
   Master key Version       : 2 (0x02)          
   ----------------------------------------------------------          
   [0x0A] Authenticate      : NO          
   [0x1A] Authenticate ISO  : NO          
   [0xAA] Authenticate AES  : YES          
          
   ----------------------------------------------------------          
   Available free memory on card       : 4192 bytes          
-------------------------------------------------------------

Is it possible to find what DESFire class it is?

I guess the supported ciphers can help but I haven't fully read and understood the full specifications of the cards...

Thank you for your help

iceman · 2016-04-27 14:17:38

Looking at the pdf http://www.nxp.com/documents/short_data … X2_SDS.pdf
there is ways to identify the new EV2. Among one, some new authentication modes like AuthenticateEV2First and AuthenticateEV2NonFirst. Not to mention a lot of new commands like the proximity check.

Mackwa · 2016-06-10 14:10:18

Hello,

are you still working on this?

You can distinguish between DESFire (MF3ICD40), DESFire EV1 and DESFire EV2 by the GetVersion Command (0x60).
The "hf mfdes info" from the iceman repo is already using this command.

With Hardware Major Version Byte you can detect DESFire Version:
(in iceman repo "PrintAndLog(" Version : %d.%d",resp.d.asBytes[10]")
- 0x00 -> DESFire (MF3ICD40)
- 0x01 -> MIFARE DESFire EV1
- 0x12 -> MIFARE DESFire EV2

Greetz Mackwa

iceman · 2016-06-12 18:29:37

How about you make a PR on github to my fork, and I'll merge it

Mackwa · 2016-06-13 08:32:04

iceman wrote:

How about you make a PR on github to my fork, and I'll merge it

can do this, but will possibly last some time (multiple weeks not unrealistic)
Had worked with a borrowed proxmark 3 before, only as client user, no development.

But I'm planning to buy one proxmark 3 in the near future for rfid evaluations.

iceman · 2016-06-13 08:55:51

its no hurry

iceman · 2016-06-13 10:19:57

Btw, I'm looking at it. The version bytes is in BCD form, where did you find the identification list of the high version byte?

Mackwa · 2016-06-13 12:20:04

iceman wrote:

Btw, I'm looking at it. The version bytes is in BCD form,

where did you find this information? Can't remember exactly, but it's not in the datasheet. I'm wrong?

iceman wrote:

where did you find the identification list of the high version byte?

found the information by reading out different DESFire Cards and I think it's in the datasheet also.

iceman · 2016-06-13 15:31:49

Yes, that part is in the datasheets.

Don't know, Haven't seen it in the ev1 or old desfire datasheets. I don't have the full datasheet for Ev2.

Mackwa · 2016-06-13 16:13:11

iceman wrote:

Yes, that part is in the datasheets.

Didn't find it in the datasheet...

iceman wrote:

Don't know, Haven't seen it in the ev1 or old desfire datasheets. I don't have the full datasheet for Ev2.

There is no list in the datasheets. But in every DESFire datasheet there is an example reply of the GetVersion (0x60) command.
And from that example answers you can get the version byte info.

My DESFire cards replyed all according to the list, that I posted earlier.

iceman · 2016-06-13 17:44:36

ok, unclear of me. I also found the old desfire and ev1 Getcommand instruction. I don't have ev2 to verify it.
However, the version you are suggesting is two byte long. byte 10 and 11.
So for EV2 is it 1.2? or 12.0 ? (major version 1, minor version 2) or (majorversion 12 , minor 0)

I can push some changes tonite and you can test it out for me?

Mackwa · 2016-06-13 17:51:16

Hello,

I posted only Hardware Major Version Byte, in your example it is Byte 10,
if it is really BCD coded, it will be 12.X for DESFire EV2.

can't test, cause I don't have a proxmark 3 at the moment.
will buy it soon

Greetz
Mackwa

iceman · 2016-06-13 20:58:11

I pushed some changes, it will not find the EV2 yet since I'vent found a EV2 datasheet where it explains the actual major byte value it gonna use. It looks for major 1, minor 2 in this version.
Maybe you have a friend who has a pm3 and a EV2 tag to test it for me.

Mackwa · 2016-06-15 07:53:26

I read out diffrent DESFire cards ... (answer to getVersion 0x60)

DESFire 4K (MF3ICD40)
---------------------
04 01 01 00 02 18 05
04 01 01 00 06 18 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>

DESFire EV1 2K 17pF
----------------------
don't have one, but would be:
04 01 01 01 00 16 05
04 01 01 01 04 16 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>

DESFire EV1 4K 17pF
----------------------
04 01 01 01 00 18 05
04 01 01 01 04 18 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>

DESFire EV1 8K 17pF
----------------------
04 01 01 01 00 1A 05
04 01 01 01 04 1A 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>

DESFire EV2 2K 17pF
----------------------
04 01 01 12 00 16 05
04 01 01 02 00 16 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>

DESFire EV2 4K 17pF
----------------------
04 01 01 12 00 18 05
04 01 01 02 00 18 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>

DESFire EV2 8K 17pF
----------------------
04 01 01 12 00 1A 05
04 01 01 02 00 1A 05
< 7 Byte UID > <5 Byte Batch No> <CW> <Year>

I think, this is helpful

iceman · 2016-06-15 08:14:17

and there it is, in black and grey, major version byte 0x12. So odd.
I think I changed my detection yesterday on github.

Proxmark3 community

Announcement

#1 2016-04-27 13:51:40

How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#2 2016-04-27 14:17:38

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#3 2016-06-10 14:10:18

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#4 2016-06-12 18:29:37

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#5 2016-06-13 08:32:04

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#6 2016-06-13 08:55:51

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#7 2016-06-13 10:19:57

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#8 2016-06-13 12:20:04

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#9 2016-06-13 15:31:49

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#10 2016-06-13 16:13:11

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#11 2016-06-13 17:44:36

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#12 2016-06-13 17:51:16

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#13 2016-06-13 20:58:11

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#14 2016-06-15 07:53:26

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

#15 2016-06-15 08:14:17

Re: How to detect DESFire EV1 vs EV2 vs DESFire (MF3ICD40)

Board footer