Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-10-29 16:05:10

mnemarchon
Contributor
Registered: 2019-08-30
Posts: 9

Rfxsecure.com Magic Desfire keyfob

Since I didn't receive an answer from the shop, even after a month, about how much of the Desfire functionality it actually implements, I decided to try it out.

In short, it seems to implement very little of the Desfire command set.

There should be a Lua script for Proxmark somewhere, or a set of APDUs to change the UID, but I can't find it anywhere.

An attempt to write a file like NDEF to the card seems to work, but nothing is written when you read it back. Libfreefare segfaults when trying to read the tag.

You can't authenticate to the card.

It either has a hardcoded list of applications, or it simply answers OK to any SELECT APDU so that it seems that way.

For example, when you try to read it as if it were a Visa card, it just answers OK to the Visa debit AID:

% pn53x-tamashell < read-visa.tamashell       
NFC reader: SCM Micro / SCL3711-NFC&RW opened
> #!/usr/local/bin/pn53x-tamashell
> #poll for card until one is present in reader's field
> 4a  01  00  
Tx: 4a  01  00  
Rx: 01  01  03  44  20  07  00  00  00  00  00  00  00  06  75  33  81  02  00  
> #select Visa debit AID
> 40 01 00 A4 04 00 07 A0 00 00 00 03 10 10 00
Tx: 40  01  00  a4  04  00  07  a0  00  00  00  03  10  10  00  
Rx: 00  90  00  
> #select file 1 record 2 (track 2 equivalent data - number + name)
> 40 01 00 B2 02 0C 00
Tx: 40  01  00  b2  02  0c  00  
Rx: 00  6d  00  
> Bye!

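Added example, not part of the original posts: a small decoder for the pn53x-tamashell session in post #1. It assumes the PN53x framing that tamashell shows (0x4A InListPassiveTarget, 0x40 InDataExchange, replies prefixed with a PN53x status byte); the function names are hypothetical.

```python
import re

# Tx/Rx lines copied from the pn53x-tamashell session in the post above.
TRANSCRIPT = """\
Tx: 4a  01  00
Rx: 01  01  03  44  20  07  00  00  00  00  00  00  00  06  75  33  81  02  00
Tx: 40  01  00  a4  04  00  07  a0  00  00  00  03  10  10  00
Rx: 00  90  00
Tx: 40  01  00  b2  02  0c  00
Rx: 00  6d  00
"""

# ISO/IEC 7816-4 status words seen in this session.
SW_MEANING = {0x9000: "OK", 0x6D00: "INS not supported"}

def pairs(text):
    """Return (Tx, Rx) byte strings for each exchange in a tamashell log."""
    rows = [bytes.fromhex("".join(m.group(1).split()))
            for m in re.finditer(r"^[TR]x:(.*)$", text, re.M)]
    return list(zip(rows[0::2], rows[1::2]))

def decode_target(rx):
    """Decode an InListPassiveTarget reply holding one ISO 14443-A target."""
    uid_len = rx[5]
    return {"sens_res": rx[2:4].hex(), "sel_res": rx[4],
            "uid": rx[6:6 + uid_len].hex(),
            "ats": rx[6 + uid_len:].hex()}  # ATS starts with its own length

def decode_exchange(tx, rx):
    """Strip InDataExchange framing; return (CLA, INS, SW, meaning)."""
    apdu, status, resp = tx[2:], rx[0] & 0x3F, rx[1:]
    if status or len(resp) < 2:
        return apdu[0], apdu[1], None, f"PN53x error 0x{status:02x}"
    sw = int.from_bytes(resp[-2:], "big")
    return apdu[0], apdu[1], sw, SW_MEANING.get(sw, "other")

def summarize(text):
    """Classify each exchange by its PN53x command byte and decode it."""
    out = []
    for tx, rx in pairs(text):
        if tx[0] == 0x4A:    # InListPassiveTarget
            out.append(("target", decode_target(rx)))
        elif tx[0] == 0x40:  # InDataExchange carrying an APDU
            out.append(("apdu", decode_exchange(tx, rx)))
    return out

if __name__ == "__main__":
    for kind, decoded in summarize(TRANSCRIPT):
        print(kind, decoded)
```

Decoded this way, the SELECT (INS A4) returns status word 9000, while the READ RECORD (INS B2) returns 6D00, meaning the tag rejects the instruction itself.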

#2 2019-11-05 23:57:09

mnemarchon
Contributor
Registered: 2019-08-30
Posts: 9

Re: Rfxsecure.com Magic Desfire keyfob

Changing the UID is done with the following Proxmark CLI command (different from the classic "backdoor commands"):

hf 14a raw -s -c 02 00 ab 00 00 07 UID

Last edited by mnemarchon (2019-11-05 23:58:01)
