Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-12-11 02:34:24

frank
Contributor
Registered: 2017-12-10
Posts: 15

False detection as DESFire

I got a transport card from M@c@u. Here is the detection

boot wrote:

Proxmark3 RFID instrument

[ ARM ]
bootrom: iceman/master/ice_v3.1.0-269-g2d6fead9 2017-12-10 10:36:18
      os: iceman/master/ice_v3.1.0-269-g2d6fead9 2017-12-10 10:36:24
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

[ Hardware ]
  --= uC: AT91SAM7S256 Rev D
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 233234 bytes (89%) Free: 28910 bytes (11%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

hf 14a info wrote:

pm3 --> hf 14a info
UID : XX XX XX XX
ATQA : 00 08
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 10 78 11 C0 02 86 86 01 56 33 90 31 47 6C F2 C1 5C 1E
       -  TL : length is 16 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
       - TA1 : different divisors are supported, DR: [2], DS: [2]
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 12 (FWT = 16777216/fc)
       - TC1 : NAD is NOT supported, CID is supported
       -  HB : 86 86 01 56 33 90 31 47 6C F2 C1
Answers to magic commands: NO

But according to this website and page 7 of this document, the UID of DESFire must be 7 bytes. So is it a false detection? or DESFire with 4 bytes UID really exists?
Since UID of Classic 1k, plus and Topaz 512 are 4 bytes, they are the only hope. Then I tried this and confirmed that it is not Topaz 512.

hf topaz reader wrote:

Sending bytes to proxmark failed
ATQA : 00 08
Tag doesn't support the Topaz protocol.

Offline

#2 2017-12-12 09:34:35

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: False detection as DESFire

TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41

According to the output, DESFire is only one option. It could be a MifarePlus and a JCOP card as well.
And yes, it could be a false detection. The detection based on SAK and ATQA is not 100% reliable.
And yes, DESFire with 4 Byte NUID do exist.

Offline

#3 2017-12-12 09:58:50

frank
Contributor
Registered: 2017-12-10
Posts: 15

Re: False detection as DESFire

Good to know that DESFire with 4bytes uid does exists. Let me play around it soon

Last edited by frank (2017-12-12 10:04:55)

Offline

#4 2017-12-12 10:03:59

frank
Contributor
Registered: 2017-12-10
Posts: 15

Re: False detection as DESFire

Just read that someone has cracked this card and being arrested in 2012. I believe that that card may be a mifare m1 card which is different from the one in my hand

https://goo.gl/PN6FTA

Last edited by frank (2017-12-12 10:04:15)

Offline

#5 2017-12-24 16:16:10

frank
Contributor
Registered: 2017-12-10
Posts: 15

Re: False detection as DESFire

pm3 --> hf mfdes info
#db# Wrong UID size. Expected 7byte got 4
Card is most likely not Desfire. Its UID has wrong size

Seems it is not a Desfire card.
How can I check if it is a Mifare Plus 2k/4k SL3 or JCOP? Is sniffing by "hf 14a sniff" the last method I can try?

Offline

Board footer

Powered by FluxBB