Proxmark3 community


#1 2017-12-07 12:27:01

tim0s
Contributor
Registered: 2017-12-07
Posts: 2

Emulation of a "custom" DESFire card

Hi, I have a card which seems to be a DESFire "variant". For most use cases no encryption is used; the reader simply does anti-collision and uses the UID to "authenticate" the user. I would like to clone my card with a Proxmark3.

If I query the original card with an ACR122 and nfc-list, this is what I get (I replaced some bytes with X for my privacy):

1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  41
    UID (NFCID1): 16  XX  XX  XX  XX  0d  3d
    SAK (SEL_RES): 20
    ATS: 77  77  81  02

If I do a hf 14a sim 3 16XXXXXXXX0d3d I get:

    ATQA (SENS_RES): 03  44 
    UID (NFCID1): 16  XX  XX  XX  XX  0d  3d 
    SAK (SEL_RES): 20 
    ATS: 58  80  02 

It was quite easy to set the right ATQA value by setting (in armsrc/iso14443a.c):

    response1[0] = 0x01;
    response1[1] = 0x00;

However I have no luck changing the ATS to a 4 byte sequence. What I have tried is to change (in the same file):

    uint8_t response6[] = { 0x05, 0x77, 0x77, 0x81, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
    // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
    // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
    // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
    // TC(1) = 0x02: CID supported, NAD not supported
    ComputeCrc14443(CRC_14443_A, response6, 5, &response6[5], &response6[6]);

However, nfc-list simply stays silent with this configuration. Since I have only one proxmark I have no idea what data is actually sent :( Does anyone know that part of the pm3 code and can give me some hints about what might go wrong?
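Added example, not part of the original post and not Proxmark3 code: a small C decoder for the ISO/IEC 14443-4 ATS layout (TL, T0, then TA(1)/TB(1)/TC(1) as flagged in T0) plus CRC_A, for checking that a hand-edited ATS such as the 05 77 77 81 02 above is internally consistent. The names ats_info, parse_ats and crc_a are this example's own, and treating FSCI values above 8 as 256 is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded ATS fields (struct and function names are this example's own). */
typedef struct {
    int fsc, has_ta, has_tb, has_tc; /* FSC: largest frame the card accepts */
    int fwi, sfgi, cid, nad;         /* TB(1) timing, TC(1) CID/NAD support */
    size_t hist_len;                 /* historical bytes after TA/TB/TC */
} ats_info;

/* CRC_A (ISO/IEC 14443-3): initial value 0x6363, low byte transmitted first. */
uint16_t crc_a(const uint8_t *d, size_t n) {
    uint16_t crc = 0x6363;
    while (n--) {
        uint8_t b = (uint8_t)(*d++ ^ (crc & 0xFF));
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4));
    }
    return crc;
}

/* Parse an ATS that starts with TL and excludes the CRC: 0 ok, -1 malformed. */
int parse_ats(const uint8_t *ats, size_t len, ats_info *o) {
    static const int fsc_tab[] = {16, 24, 32, 40, 48, 64, 96, 128, 256};
    *o = (ats_info){ .fwi = 4, .sfgi = 0 };   /* defaults when TB(1) is absent */
    if (len < 2 || ats[0] != len) return -1;  /* TL counts itself, not the CRC */
    uint8_t t0 = ats[1], fsci = t0 & 0x0F; size_t i = 2;
    o->fsc = fsc_tab[fsci > 8 ? 8 : fsci];    /* assumption: FSCI > 8 read as 256 */
    if (t0 & 0x10) { if (i >= len) return -1; o->has_ta = 1; i++; }
    if (t0 & 0x20) {
        if (i >= len) return -1;
        o->has_tb = 1; o->fwi = ats[i] >> 4; o->sfgi = ats[i] & 0x0F; i++;
    }
    if (t0 & 0x40) {
        if (i >= len) return -1;
        o->has_tc = 1; o->cid = (ats[i] >> 1) & 1; o->nad = ats[i] & 1; i++;
    }
    o->hist_len = len - i;
    return 0;
}

int main(void) {
    /* Card ATS from the post, plus the TL byte that nfc-list does not print. */
    const uint8_t card[] = {0x05, 0x77, 0x77, 0x81, 0x02};
    ats_info a;
    int rc = parse_ats(card, sizeof card, &a);
    printf("rc=%d FSC=%d FWI=%d SFGI=%d CID=%d CRC_A=%04x\n",
           rc, a.fsc, a.fwi, a.sfgi, a.cid, (unsigned)crc_a(card, sizeof card));
    return 0;
}
```

For the card's ATS this decodes to FSC=128, FWI=8, SFGI=1 with CID supported and no historical bytes, so TL=05 matches the three interface bytes that T0=77 announces.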
