Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2021-10-20 21:28:28

olze6
Contributor
Registered: 2021-10-20
Posts: 2

reading/writing MIFARE DESFire

hi, i have some random rfid/nfc tags from a vendor (NXP) which i would like to use to do some tests.
when i write to them with my mobile phone, all seems to be fine. but i would love to do the same with the proxmark, but i am a bit lost tbh.
the complete rfid thing is pretty new to me, so things like APDU/SAK/ATS/SAK/ATQA are new to me.

[usb] pm3 --> hf mfdes info

[=] ---------------------------------- Tag Information ----------------------------------
[+]               UID: 04 3C 17 12 5B 66 80 
[+]      Batch number: CE ED 55 59 90 
[+]   Production date: week 26 / 2019

[=] --- Hardware Information
[=]    raw: 04040230001105
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x04
[=]        Subtype: 0x02
[=]        Version: 30.0 ( DESFire Light )
[=]   Storage size: 0x11 ( 512 - 256 bytes )
[=]       Protocol: 0x05 ( ISO 14443-2, 14443-3 )

[=] --- Software Information
[=]    raw: 04040201021105
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x04
[=]        Subtype: 0x02
[=]        Version: 1.2
[=]   Storage size: 0x11 ( 512 - 256 bytes )
[=]       Protocol: 0x05 ( ISO 14443-3, 14443-4 )

[=] --------------------------------- Card capabilities ---------------------------------

[=] --- Tag Signature
[!] ⚠️  --- Card doesn't support GetSignature cmd
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 0 free memory n/a
[+] PICC level auth commands: auth: NO auth iso: NO auth aes: NO auth ev2: NO auth iso native: NO auth lrp: NO

[=] --- Desfire Light info
[+]    Card have not a default iso id for application
[+]    Card have LRP key in the MF/key1

thought i could just iterate over all fields (like a dump that is printed) with hf mfdes enum, but i only get the help of proxmark printed.
some commands also just return an error, not sure if that command needs some authentication or key?
like:

[usb] pm3 --> hf mfdes freemem
[!!] ? Desfire authenticate error. Result: [1] Sending auth command failed

any help is very appreciated!

Offline

#2 2021-12-21 23:33:56

kosgguy
Contributor
Registered: 2021-12-18
Posts: 56

Re: reading/writing MIFARE DESFire

In my case I have a few iphones and android and I have tried scanning mifare classic 1k, mifare desfire 4k and a few other cards and it doesn't detect them.

I also receive the same error when scanning a mifare desfire 4k

[usb] pm3 --> hf mfdes freemem
[!!] Desfire authenticate error. Result: [7] Sending auth command failed

With classic 1k cards I know that you can execute
hf mf cview
And it will return all the sector data, like this:

[usb] pm3 --> hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] .................................................................

[=] ----+-------------------------------------------------+-----------------
[=] blk | data                                            | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | D6 D5 DC 3D E2 08 04 00 01 6F 01 6D 45 68 F8 1D | ...=.....o.mEh..
[=]   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   8 | 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF | .."3DUfw........
[=]   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] ----+-------------------------------------------------+-----------------

but with mifare desfire I also don't know how to get all the data.
and when I do:
hf mfdes getuid
I receive

[usb] pm3 --> hf mfdes getuid
[!!] Desfire AID select error.
[-] Select or authentication AID 000000 failed. Result [202] Can't select application by ISO ID.

I also have a doubt in standalone mode, after doing hw status, my installed standalone mode is

[#] Installed StandAlone Mode
[#]   HF iCLASS mode -  aka iceCLASS (iceman)

But when I execute the standalone mode, I get the following

[#] Stand-alone mode, no computer necessary
[#] HF iCLASS mode a.k.a iceCLASS started
[#] -=[ enter `full simulation` mode ]=-
[#] error iceclass-orig.bin file missing
[#] -=[ exit ]=-

and I don't know what to do. Any ideas?

Offline

#3 2021-12-22 18:49:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,518
Website

Re: reading/writing MIFARE DESFire

1) You need authentication credentials like the desfire authentication key used for the application/file you want to access.
2) is a iCLASS question not related to desfire, post in correct topic

Offline

#4 2021-12-24 02:06:48

kosgguy
Contributor
Registered: 2021-12-18
Posts: 56

Re: reading/writing MIFARE DESFire

1) I end up getting some data on an android app called "Mifare desfire tool", but I don't think it is the authentication credentials.
Could this authentication credentials be get from the card reader that reads those mifare desfire 4k?
How does it look like?

I have been reading the documentation https://www.nxp.com/docs/en/data-sheet/MF1S70YYX_V1.pdf and I don't get any a conclusion. I only get specific characteristic about the mifare desfire tag.

2) Okay, I willl post in the correct topic

Offline

Board footer

Powered by FluxBB