Research, development and trades concerning the powerful Proxmark3 device.
Hi all!
1. Authorization completed by FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AESSectorKey 0x4000
2. Card set Transaction identifier: b551c6e7
3. Reading a card using the 33 command
Data for calc MAC: 33 0000 b551c6e7 0300 01
33 - command code
0000 - read counter
b551c6e7 - Transaction identifier
0300 01 - Address to read, block to read
Substitute data for online calculation: 330000b551c6e7030001
artjomb.github.io/cryptojs-extension
Result CMAC: a33bd445f12b23a020c6b83b13f0e1d8
Further, the 16 bytes turn into 8 bytes:
/* truncated MAC = [1, 3, 5, 7, 9, 11, 13, 15] of the input Mac */
MAC:3b452ba0c63bf0d8
4026592 | 4043968 | Rdr |02 33 03 00 01 a6 0b 6d 59 b5 b4 d9 38 e3 71 | ok |
Result from trace: a60b6d59b5b4d938
The calculated and trace results are not equal:
3b452ba0c63bf0d8 <> a60b6d59b5b4d938
Documentation for the calculation of MAC:
http://nvlpubs.nist.gov/nistpubs/Legacy … 00-38b.pdf
Offline
Well, if the calculated and trace results aren't equal, then the AES key used isn't the same...
Offline
Iceman, you are always right) The key for SMAC is different every time.
5fa7a36e1643c52eb6eb67a2714a9e9d - RNDB (from card)
80000000000000000000000000000001 - RNDA (magic RNDA from the program android NXP TOOL)
00000000002eb6eb67a2DFA7A36E1622 <-Session Key
encrypt key:FFFFF...FFFF of Session Key
e492273a7e903826e00ba488f3b48042 <- use this key for CMAC
Offline
yeay!
Offline
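The calculation discussed in this thread, as an added example (not code from any poster or from the Proxmark3 project): it rebuilds the MAC input, the odd-byte truncation and the session-key base block from the posted values, then checks the traced frame under a candidate key. Assumptions: the helper names are hypothetical, the frame and key-base layouts are read off the posted bytes, AES comes from the third-party `cryptography` package, and the thread does not say whether the posted RNDA/RNDB belong to the same session as the trace.

```python
import hmac
try:  # AES needs the third-party "cryptography" package; the rest is stdlib
    from cryptography.hazmat.primitives import cmac
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
except ImportError:
    cmac = None

RNDA = bytes.fromhex("80000000000000000000000000000001")  # values from the posts
RNDB = bytes.fromhex("5fa7a36e1643c52eb6eb67a2714a9e9d")
TI = bytes.fromhex("b551c6e7")
TRACE = "02 33 03 00 01 a6 0b 6d 59 b5 b4 d9 38 e3 71"

def kmac_base(rnd_a, rnd_b):
    """Block encrypted into the CMAC key (layout read off the posted value)."""
    xored = bytes(a ^ b for a, b in zip(rnd_a[:5], rnd_b[:5]))
    return rnd_a[7:12] + rnd_b[7:12] + xored + b"\x22"

def session_kmac(card_key, rnd_a, rnd_b):
    """AES-ECB encrypt the base block under the card key (assumed mode)."""
    enc = Cipher(algorithms.AES(card_key), modes.ECB()).encryptor()
    return enc.update(kmac_base(rnd_a, rnd_b)) + enc.finalize()

def parse_read_frame(trace_hex):
    """Assumed layout: PCB | 0x33 | address(2) | count | MAC(8) | CRC(2)."""
    raw = bytes.fromhex(trace_hex)
    if len(raw) != 15 or raw[1] != 0x33:
        raise ValueError("not a 0x33 read frame of the posted shape")
    return {"cmd": raw[1:2], "addr": raw[2:4], "count": raw[4:5], "mac": raw[5:13]}

def mac_input(frame, read_ctr, ti):
    """cmd || read counter || transaction identifier || address || count."""
    return frame["cmd"] + read_ctr + ti + frame["addr"] + frame["count"]

def odd_bytes(mac16):
    return mac16[1::2]  # bytes 1, 3, ..., 15 of the 16-byte CMAC

def aes_cmac(key, msg):
    c = cmac.CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()

def frame_mac_ok(key, trace_hex, read_ctr, ti):
    """True when the MAC in the frame equals the one computed under `key`."""
    frame = parse_read_frame(trace_hex)
    want = odd_bytes(aes_cmac(key, mac_input(frame, read_ctr, ti)))
    return hmac.compare_digest(want, frame["mac"])

if __name__ == "__main__" and cmac is not None:
    print(frame_mac_ok(session_kmac(b"\xff" * 16, RNDA, RNDB), TRACE, b"\x00\x00", TI))
```

A `False` result means the key, the read counter or the transaction identifier passed in does not belong to the session in which the frame was captured.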