Hi, I have a card which seems to be a DESFire "variant". For most use cases no encryption is used, the reader simply does anti-collision and uses the UID to "authenticate" the user. I would like to clone my card with a proxmark3.
If I query the original card with an ACR122 and nfc-list, this is what I get (replaced some bytes with X for my privacy):
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 41
UID (NFCID1): 16 XX XX XX XX 0d 3d
SAK (SEL_RES): 20
ATS: 77 77 81 02
If I do a hf 14a sim 3 16XXXXXXXX0d3d I get:
ATQA (SENS_RES): 03 44
UID (NFCID1): 16 XX XX XX XX 0d 3d
SAK (SEL_RES): 20
ATS: 58 80 02
It was quite easy to set the right ATQA value by setting (in armsrc/iso14443a.c):
response1[0] = 0x01;
response1[1] = 0x00;
However I have no luck changing the ATS to a 4 byte sequence. What I have tried is to change (in the same file):
uint8_t response6[] = { 0x05, 0x77, 0x77, 0x81, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
// Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
// TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
// TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
// TC(1) = 0x02: CID supported, NAD not supported
ComputeCrc14443(CRC_14443_A, response6, 5, &response6[5], &response6[6]);
However, nfc-list simply stays silent with this configuration. Since I have only one proxmark I have no idea what data is actually sent. Does anyone know that part of the pm3 code and can give me some hints about what might go wrong?
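An added example, not part of the original post and not Proxmark3 code: a stand-alone C check that rebuilds the RATS answer (TL, ATS body, CRC_A) from the ATS bytes as nfc-list prints them and confirms that the bits in T0 match the number of interface bytes, so an expected frame can be compared with what a simulator is configured to send. The function names are hypothetical, and it assumes nfc-list shows the ATS without the leading TL byte, as the 0x05 length byte in the post's own array implies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC_A from ISO/IEC 14443-3: initial value 0x6363, sent low byte first. */
static uint16_t crc_a(const uint8_t *d, size_t n) {
    uint16_t crc = 0x6363;
    while (n--) {
        uint8_t b = (uint8_t)(*d++ ^ (crc & 0xFF));
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4));
    }
    return crc;
}

/* T0 bits 0x10, 0x20, 0x40 announce TA(1), TB(1), TC(1). */
static size_t t0_iface_count(uint8_t t0) {
    return ((t0 >> 4) & 1u) + ((t0 >> 5) & 1u) + ((t0 >> 6) & 1u);
}

/* FSC in bytes for the FSCI in the low nibble of T0 (0 for RFU values). */
static unsigned ats_fsc(uint8_t t0) {
    static const unsigned fsc[] = {16, 24, 32, 40, 48, 64, 96, 128, 256};
    unsigned fsci = t0 & 0x0F;
    return fsci < 9 ? fsc[fsci] : 0;
}

/* Build TL | body | CRC_A from the ATS as nfc-list prints it (T0 first, no TL).
 * Returns the frame length, or 0 if the body is shorter than T0 announces
 * or the output buffer is too small. */
static size_t build_ats_frame(const uint8_t *body, size_t n, uint8_t *out, size_t cap) {
    if (n == 0 || n - 1 < t0_iface_count(body[0]) || n + 3 > cap || n + 1 > 0xFF)
        return 0;
    out[0] = (uint8_t)(n + 1);          /* TL counts itself but not the CRC */
    memcpy(out + 1, body, n);
    uint16_t crc = crc_a(out, n + 1);   /* CRC covers TL and the body */
    out[n + 1] = (uint8_t)(crc & 0xFF);
    out[n + 2] = (uint8_t)(crc >> 8);
    return n + 3;
}

int main(void) {
    const uint8_t stock[]  = {0x58, 0x80, 0x02};        /* ATS seen from hf 14a sim 3 */
    const uint8_t target[] = {0x77, 0x77, 0x81, 0x02};  /* ATS of the original card */
    uint8_t frame[16];
    size_t len = build_ats_frame(target, sizeof target, frame, sizeof frame);
    printf("target frame (%zu bytes):", len);
    for (size_t i = 0; i < len; i++) printf(" %02x", frame[i]);
    printf("\nFSC stock=%u target=%u\n", ats_fsc(stock[0]), ats_fsc(target[0]));
    return 0;
}
```

For the card's ATS the frame is 7 bytes with TL = 0x05, one byte longer than the 6-byte frame for the ATS the simulation returned.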