Research, development and trades concerning the powerful Proxmark3 device.
Hello Forum,
I just read through this forum about DESFire. To make sure I got it right:
Until now, dumping a DESFire card is not possible, am I right?
Can I fully dump the DESFire if I have the keys to that card?
Can I obtain the keys with the Proxmark if I don't know them?
hf search
UID : 04 5f 56 8a XX XX XX
ATQA : 03 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 06 75 77 81 02 80 02 f0
- TL : length is 6 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 80
No chinese magic backdoor command detected
PRNG data error: Wrong length: 0
Prng detection error.
Valid ISO14443A Tag Found - Quiting Search
best regards
Paul
For more details with regards to DESFire, try the hf mfdes info command.
For DESFire normally we would need to enumerate all AIDs and try to see which can be read.
Hello,
Thank you for your reply.
I pushed the iceman firmware on my device with success. Second, I received the following information from my DESFire card:
hf mfdes info
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 5F 56 8A 94 3F 80
Batch number : BA 65 10 E5 80
Production date : week 40, 2015
-----------------------------------------------------------
Hardware Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x02
Version : 1.0 (Desfire EV1)
Storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-----------------------------------------------------------
Software Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.4
storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : NO
[0x02] Directory list access with CMK : NO
[0x01] CMK is changeable : YES
Max number of keys : 174
Master key Version : 0 (0x00)
----------------------------------------------------------
[0x0A] Authenticate : NO
[0x1A] Authenticate ISO : NO
[0xAA] Authenticate AES : YES
----------------------------------------------------------
Available free memory on card : 4000 bytes
-------------------------------------------------------------
After that I sniffed the communication and did a hf 14a list:
hf 14a list
trace pointer not allocated
Recorded Activity (TraceLen = 930 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 2368 | Tag |44 03 | |
18032 | 23920 | Tag |88 04 5f 56 85 | |
49520 | 53040 | Tag |24 d8 36 | |
69728 | 75616 | Tag |8a 94 3f 80 a1 | |
101328 | 104912 | Tag |20 fc 70 | |
125376 | 134656 | Tag |06 75 77 81 02 80 02 f0 | ok |
154928 | 167728 | Tag |02 af 04 01 02 01 00 18 05 44 a4 | ok |
188560 | 201360 | Tag |03 af 04 01 01 01 04 18 05 14 97 | ok |
222848 | 243648 | Tag |02 00 04 5f 56 8a 94 3f 80 ba 65 10 e5 80 40 15 a1 be | ok |
279168 | 283904 | Tag |03 00 c8 34 | |
341104 | 364272 | Tag |02 af fd e5 23 f4 37 76 1b e2 76 d6 bb 2b cc 2c 73 01 | |
| | |b9 80 | ok |
638928 | 662032 | Tag |03 00 57 59 42 f1 8e 41 9a ab b5 ac b6 d4 e7 c0 4d 15 | |
| | |33 24 | ok |
823216 | 845168 | Tag |02 00 00 00 10 ef 20 00 00 5a f7 71 a8 65 21 45 6b d7 | |
| | |f5 | ok |
1018896 | 1063952 | Tag |03 00 01 00 00 1d 68 00 00 00 00 00 00 73 10 00 e7 5d | |
| | |91 c8 a4 07 10 90 00 ff cf a0 30 9b 10 70 5a 91 d0 2a | |
| | |55 bf a1 | ok |
1262448 | 1284400 | Tag |02 00 01 00 40 33 00 01 00 c8 e1 41 31 57 22 ea 1b 33 | |
| | |b2 | ok |
1455824 | 1487056 | Tag |03 00 00 30 01 00 00 14 12 59 37 a6 4c f8 00 00 00 24 | |
| | |81 56 42 f3 a5 65 73 b7 37 | ok |
1653040 | 1675056 | Tag |02 00 01 00 40 33 00 01 00 d7 1a 2b 63 58 e1 3b 19 89 | |
| | |46 | ok |
1855632 | 1906448 | Tag |03 00 00 00 00 00 00 48 07 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 3a | |
| | |d3 50 96 f6 62 07 1c 2f | ok |
128835728 | 128838096 | Tag |44 03 | |
128853760 | 128859648 | Tag |88 04 5f 56 85 | |
128885232 | 128888752 | Tag |24 d8 36 | |
128905440 | 128911328 | Tag |8a 94 3f 80 a1 | |
128937040 | 128940624 | Tag |20 fc 70 | |
128961216 | 128970496 | Tag |06 75 77 81 02 80 02 f0 | ok |
128990768 | 129003568 | Tag |02 af 04 01 02 01 00 18 05 44 a4 | ok |
129024672 | 129037472 | Tag |03 af 04 01 01 01 04 18 05 14 97 | ok |
129059072 | 129079872 | Tag |02 00 04 5f 56 8a 94 3f 80 ba 65 10 e5 80 40 15 a1 be | ok |
129115504 | 129120240 | Tag |03 00 c8 34 | |
129177184 | 129200288 | Tag |02 af 7c 5a 48 41 be 95 65 35 5a 3d d8 95 e5 31 47 e1 | |
| | |92 44 | ok |
129476912 | 129500080 | Tag |03 00 f7 80 a7 c6 f0 e2 e4 24 5d b4 1f 59 f9 19 58 c5 | |
| | |1d 16 | ok |
129660448 | 129682400 | Tag |02 00 00 00 10 ef 20 00 00 9a 33 cf 46 9a f3 a0 ff ce | |
| | |7e | ok |
129856384 | 129901440 | Tag |03 00 01 00 00 1d 68 00 00 00 00 00 00 73 10 00 e7 5d | |
| | |91 c8 a4 07 10 90 00 ff cf a0 30 13 3b 72 5b 23 38 76 | |
| | |9f 7a d5 | ok |
130099680 | 130121696 | Tag |02 00 01 00 40 33 00 01 00 77 45 78 7b cd ee ee f2 dd | |
| | |40 | ok |
130292288 | 130323520 | Tag |03 00 00 30 01 00 00 14 12 59 37 a6 4c f8 00 00 00 40 | |
| | |a9 57 63 65 3a 4e c5 34 51 | ok |
130490144 | 130512096 | Tag |02 00 01 00 40 33 00 01 00 42 b1 bd 82 9d 95 76 ff 35 | |
| | |6f | ok |
130692608 | 130743360 | Tag |03 00 00 00 00 00 00 48 07 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0e | |
| | |13 42 ee 8a 28 2f 17 00 | ok |
From that point right now, I cannot do anything with that card, right?
Not dumping the card to a file
Not getting the keys
Not cracking anything
Not cloning
Am I right?
best regards
Paul
For now you cannot "dump" a DESFire card. DESFire cards are very different from MIFARE Classic / Ultralights ...
For recap:
- MF Classic is sector / block oriented with crackable keys -> cloneable
- MF Ultralight EV1 is block oriented with sniffable PASS -> cloneable
- MF Ultralight C is block oriented with mutual auth with 3DES key -> cannot get key with sniffing
Now for DESFire:
- MF DESFire is kind of file system oriented, with applications and files within the applications, with 14 different keys for each application
-> mutual auth with 3DES or AES key -> cannot get key from sniffing
-> if the communication between reader and card is done in plain mode you can sniff the data that the terminal reads from the card
Your posted sniff is lacking the reader / terminal side,
can you post a better snoop?
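Reading the posted hf 14a list trace by hand is tedious, so here is a small Python reader, added as an example and not code from the thread or the Proxmark3 project: it reassembles the wrapped rows and decodes the unencrypted GetVersion answer (AF, AF, 00) into the UID, batch, production date and version fields that hf mfdes info printed above. The 16-byte AF/00 frame pair that follows in the trace most likely is the AES authentication handshake the info output lists, and its contents cannot be read without the key; since the reader side is missing, the decoder works from the card's frames only.

```python
"""Decode card-side frames of a Proxmark3 `hf 14a list` trace (added example,
not code from the thread). TRACE rows are copied from the post above; wrapped
rows have empty Start/End/Src columns and continue the previous frame."""

TRACE = """\
 125376 | 134656 | Tag |06 75 77 81 02 80 02 f0 | ok |
 154928 | 167728 | Tag |02 af 04 01 02 01 00 18 05 44 a4 | ok |
 188560 | 201360 | Tag |03 af 04 01 01 01 04 18 05 14 97 | ok |
 222848 | 243648 | Tag |02 00 04 5f 56 8a 94 3f 80 ba 65 10 e5 80 40 15 a1 be | ok |
 341104 | 364272 | Tag |02 af fd e5 23 f4 37 76 1b e2 76 d6 bb 2b cc 2c 73 01 | |
 | | |b9 80 | ok |
"""

def parse_trace(text):
    """Return [(src, frame_bytes)], joining wrapped rows onto their frame."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 5 or (cols[0] and not cols[0].isdigit()):
            continue                                  # header / separator rows
        data = bytes.fromhex(cols[3].replace("!", ""))  # '!' flags parity error
        if cols[2]:
            frames.append([cols[2], data])            # new frame
        elif frames:
            frames[-1][1] += data                     # continuation row
    return [(src, bytes(d)) for src, d in frames]

def tag_iblock(frame):
    """Card I-block (PCB 0x02/0x03): return (status byte, data minus 2-byte CRC)."""
    if len(frame) < 4 or frame[0] & 0xFE != 0x02:
        return None
    return frame[1], frame[2:-2]

def decode_getversion(frames):
    """Decode the AF, AF, 00 GetVersion chain into the fields `hf mfdes info` prints."""
    parts = [tag_iblock(f) for src, f in frames if src == "Tag"]
    parts = [p for p in parts if p]
    for hw, sw, prod in zip(parts, parts[1:], parts[2:]):
        if [hw[0], sw[0], prod[0], len(hw[1]), len(sw[1]), len(prod[1])] \
                == [0xAF, 0xAF, 0x00, 7, 7, 14]:
            return {
                "hw_version": f"{hw[1][3]}.{hw[1][4]}",
                "sw_version": f"{sw[1][3]}.{sw[1][4]}",
                "storage_bytes": 2 ** (hw[1][5] >> 1),   # 0x18 -> 2**12 = 4096
                "uid": prod[1][:7].hex().upper(),
                "batch": prod[1][7:12].hex().upper(),
                "prod_week": int(f"{prod[1][12]:02x}"),  # BCD-coded
                "prod_year": 2000 + int(f"{prod[1][13]:02x}"),
            }
    return None
```

Call `decode_getversion(parse_trace(TRACE))` and compare the result with the hf mfdes info output above; paste a fuller trace into TRACE to include the reader side once you have one.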
mackwa, thank you for the nice recap. Very understandable even for me!
I have a question about the last part (DESFire):
"-> if the communication between reader and card is done in plain mode you can sniff the data, that the terminal reads from the card"
What is the procedure to find this out?
Do I have to sniff the communication between reader and DESFire?
Can I use my Proxmark3 or Chameleon Mini rev.G for it (sniffing 14a)?
How can I see if the communication is plain or encrypted in the sniff.log?
What if it is plain, can I clone this DESFire with a RW DESFire and how does this work?
Sorry for this amount of questions...
for more details with regards to desfire, try the hf mfdes info command.
For desfire normally we would need to enumerate all AIDs and try to see which can be read.
What would be the process to enumerate AIDs? Is the only option to brute-force them?
Last edited by BlackTalonRaider (2021-03-30 00:07:03)
... yes, which command to run if I want to enumerate all AIDs can be tricky.
Regarding brute-force, if you get hold of the datasheets from NXP about DESFire, I believe you can find the best practice for it.