Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember: sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-07-01 03:46:18

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Mifare Plus Card - Dual Keyset? SL0 and SL1 info

I have acquired a reader and a set of software which can write Mifare Plus cards with AES keys.  This takes the card from SL0 to SL1.

I have put my own custom keys on a card, and wanted to try the hardnested attack. Now, realizing that hardnested is only against the legacy side of the card (12 byte keys for CRYPTO1), I realized I never set those, so they should be default. What is interesting is that hardnested cannot seem to authenticate to the card, but the simple libfreefare tools can dump and re-write the SL1 card no problem, but cannot do anything with the SL0 card.

Does anyone have any idea what I am missing here or can offer some explanation? To help, here are reads of the card factory fresh (SL0) and at SL1:

SL0:

proxmark3> hf 14a reader
 UID : 04 48 22 b2 d0 32 80           
ATQA : 00 44          
 SAK : 20 [1]          
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41          
MANUFACTURER : NXP Semiconductors Germany          
 ATS : 0c 75 77 80 02 c1 05 2f 2f 00 35 c7 60 d3           
       -  TL : length is 12 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : c1 05 2f 2f 00 35 c7 -> MIFARE Plus S 2K or 4K          
               c1 -> Mifare or (multiple) virtual cards of various type          
                  05 -> Length is 5 bytes          
                     2x -> MIFARE Plus          
                        2x -> Released          
                           x0 -> Only VCSL supported          
Answers to chinese magic backdoor commands: NO       

SL1:

proxmark3> hf 14a reader
 UID : 04 48 22 b2 d0 32 80           
ATQA : 00 44          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
MANUFACTURER : NXP Semiconductors Germany          
SAK incorrectly claims that card doesn't support RATS          
 ATS : 0c 75 77 80 02 c1 05 2f 2f 00 35 c7 60 d3           
       -  TL : length is 12 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : c1 05 2f 2f 00 35 c7 -> MIFARE Plus S 2K or 4K          
               c1 -> Mifare or (multiple) virtual cards of various type          
                  05 -> Length is 5 bytes          
                     2x -> MIFARE Plus          
                        2x -> Released          
                           x0 -> Only VCSL supported          
Answers to chinese magic backdoor commands: NO


#2 2016-07-01 06:50:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Mifare Plus Card - Dual Keyset? SL0 and SL1 info

Interesting, the only thing that changed was the SAK, from 0x20 -> 0x08.

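The ATS and SAK decoding in the two dumps of post #1, together with the SAK change iceman points out in post #2, as an added example that is not part of the thread and not Proxmark3 project code. It parses the captured ATS the way the client output annotates it, verifies the two trailing CRC_A bytes (60 d3), and reproduces the client's "SAK incorrectly claims that card doesn't support RATS" line for the SL1 read. The SAK bits, the TL/T0/TA1/TB1/TC1 fields and CRC_A are defined by ISO/IEC 14443-3 and -4; the historical-byte meanings and the "MIFARE Plus S 2K or 4K" label are taken from the page's own output and assumed to be NXP-specific conventions beyond what that output shows.

```python
"""Decode the SAK and ATS from the `hf 14a reader` dumps in this thread (added example,
not Proxmark3 code). SAK, TL/T0/TA1/TB1/TC1 and CRC_A layouts follow ISO/IEC 14443-3/-4;
the historical-byte (HB) annotations are copied from the client output above and are
assumed to be NXP-specific."""

# Constructed input copied from the dumps above. The client prints the ATS together
# with its two trailing CRC_A bytes (60 d3).
ATS_HEX = "0c 75 77 80 02 c1 05 2f 2f 00 35 c7 60 d3"
SAK_SL0 = 0x20   # factory-fresh card
SAK_SL1 = 0x08   # after the AES keys were written

FSCI_TO_FSC = {0: 16, 1: 24, 2: 32, 3: 40, 4: 48, 5: 64, 6: 96, 7: 128, 8: 256}
RATS_WARNING = "SAK incorrectly claims that card doesn't support RATS"


def crc_a(data):
    """CRC_A from ISO/IEC 14443-3 Annex B (init 0x6363), returned LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ (crc & 0xFF)) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_sak(sak):
    """The two SAK bits the client uses for identification (ISO/IEC 14443-3)."""
    return {"uid_incomplete": bool(sak & 0x04),   # b3: another cascade level follows
            "rats_supported": bool(sak & 0x20)}   # b6: card claims ISO 14443-4 support


def sak_warning(sak, ats):
    """The client's warning: an ATS came back although the SAK denies RATS support."""
    return RATS_WARNING if ats and not parse_sak(sak)["rats_supported"] else None


def parse_ats(ats):
    """Split an ATS (optionally followed by its CRC_A) into TL, T0, TA1, TB1, TC1, HB."""
    tl = ats[0]
    if len(ats) == tl + 2:                          # CRC_A appended, as in the dumps
        if crc_a(ats[:tl]) != ats[tl:]:
            raise ValueError("ATS CRC_A mismatch")
        ats = ats[:tl]
    if len(ats) != tl:
        raise ValueError("TL %d does not match %d ATS bytes" % (tl, len(ats)))
    out, pos = {"TL": tl}, 1
    if tl > 1:
        t0, pos = ats[pos], pos + 1
        fsci = t0 & 0x0F
        out["T0"] = {"TA1": bool(t0 & 0x10), "TB1": bool(t0 & 0x20), "TC1": bool(t0 & 0x40),
                     "FSCI": fsci, "FSC": FSCI_TO_FSC.get(fsci, 256)}
        if t0 & 0x10:                               # TA1: bit-rate divisors
            ta1, pos = ats[pos], pos + 1
            out["TA1"] = {"same_d_both_dirs": bool(ta1 & 0x80),
                          "DS": [d for bit, d in ((0x10, 2), (0x20, 4), (0x40, 8)) if ta1 & bit],
                          "DR": [d for bit, d in ((0x01, 2), (0x02, 4), (0x04, 8)) if ta1 & bit]}
        if t0 & 0x20:                               # TB1: FWT and SFGT, in units of 1/fc
            tb1, pos = ats[pos], pos + 1
            fwi, sfgi = tb1 >> 4, tb1 & 0x0F
            out["TB1"] = {"FWI": fwi, "FWT_fc": 4096 << fwi,          # (256*16/fc) * 2^FWI
                          "SFGI": sfgi, "SFGT_fc": (4096 << sfgi) if sfgi else 0}
        if t0 & 0x40:                               # TC1: protocol options
            tc1, pos = ats[pos], pos + 1
            out["TC1"] = {"NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    out["HB"] = ats[pos:]
    return out


def describe_hb(hb):
    """Annotate NXP historical bytes as the dumps above do (vendor layout assumed)."""
    notes = []
    if len(hb) >= 2 and hb[0] == 0xC1:
        notes.append("c1 -> Mifare or (multiple) virtual cards of various type")
        notes.append("%02x -> Length is %d bytes" % (hb[1], hb[1]))
        body = hb[2:2 + hb[1]]
        for idx, mask, want, note in ((0, 0xF0, 0x20, "2x -> MIFARE Plus"),
                                      (1, 0xF0, 0x20, "2x -> Released"),
                                      (2, 0x0F, 0x00, "x0 -> Only VCSL supported")):
            if len(body) > idx and body[idx] & mask == want:
                notes.append(note)
    if hb == bytes.fromhex("c1052f2f0035c7"):      # the exact HB the client names above
        notes.append("MIFARE Plus S 2K or 4K")
    return notes


if __name__ == "__main__":
    ats = bytes.fromhex(ATS_HEX)
    print(parse_ats(ats), describe_hb(parse_ats(ats)["HB"]))
    for level, sak in (("SL0", SAK_SL0), ("SL1", SAK_SL1)):
        print(level, "SAK %02x" % sak, parse_sak(sak), sak_warning(sak, ats))
```

Running it on the captured bytes gives the same field values the client printed (FSC 64, DR/DS 2/4/8, FWT 1048576/fc, CID only) and confirms the trailing 60 d3 is a valid CRC_A over the twelve ATS bytes, so the ATS really is identical in both reads. The only input that differs between the two dumps is the SAK, and clearing bit 6 (0x20) there is exactly what makes the client print its RATS warning for the SL1 card.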

#3 2016-07-04 13:56:33

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Mifare Plus Card - Dual Keyset? SL0 and SL1 info

Indeed, interesting why SL0 is treated as a mandatory-encryption card... hm...

