Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-05-09 12:34:30

PlayGround
Contributor
Registered: 2019-05-08
Posts: 10

Sniffing / Dumping a Desfire Card?

Hello Forum,

i just read through this forum about desfire. to make sure i got it right:

until now, dumping a desfire card is not possible, am i right?
can i fully dump the desfires if i have the keys to that card?
can i obtail the keys with the proxmark if i dont know them?

hf search
          
 UID : 04 5f 56 8a XX XX XX           
ATQA : 03 44          
 SAK : 20 [1]          
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41          
MANUFACTURER : NXP Semiconductors Germany          
 ATS : 06 75 77 81 02 80 02 f0           
       -  TL : length is 6 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : 80           
No chinese magic backdoor command detected          
PRNG data error: Wrong length: 0          
Prng detection error.          

Valid ISO14443A Tag Found - Quiting Search

best regards

Paul

Offline

#2 2019-05-12 10:04:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Sniffing / Dumping a Desfire Card?

for more details with regards to desfire,  try  the  hf mfdes info command.
For desfire normally we would need to enumerate all AID's and try to see which can be read.

Offline

#3 2019-05-27 11:17:11

PlayGround
Contributor
Registered: 2019-05-08
Posts: 10

Re: Sniffing / Dumping a Desfire Card?

Hello,

thank you for your reply.
I pushed the iceman firmware on my device with success. Second i received the following informations from my desfirecard:

hf mfdes info

          
-- Desfire Information --------------------------------------          
-------------------------------------------------------------          
  UID                : 04 5F 56 8A 94 3F 80           
  Batch number       : BA 65 10 E5 80           
  Production date    : week 40, 2015          
  -----------------------------------------------------------          
  Hardware Information          
      Vendor Id      : NXP Semiconductors Germany          
      Type           : 0x01          
      Subtype        : 0x02          
      Version        : 1.0 (Desfire EV1)          
      Storage size   : 0x18 (4096 bytes)          
      Protocol       : 0x05 (ISO 14443-3, 14443-4)          
  -----------------------------------------------------------          
  Software Information          
      Vendor Id      : NXP Semiconductors Germany          
      Type           : 0x01          
      Subtype        : 0x01          
      Version        : 1.4          
      storage size   : 0x18 (4096 bytes)          
      Protocol       : 0x05 (ISO 14443-3, 14443-4)          
-------------------------------------------------------------          
 CMK - PICC, Card Master Key settings           
          
   [0x08] Configuration changeable       : YES          
   [0x04] CMK required for create/delete : NO          
   [0x02] Directory list access with CMK : NO          
   [0x01] CMK is changeable              : YES          
          
   Max number of keys       : 174          
   Master key Version       : 0 (0x00)          
   ----------------------------------------------------------          
   [0x0A] Authenticate      : NO          
   [0x1A] Authenticate ISO  : NO          
   [0xAA] Authenticate AES  : YES          
          
   ----------------------------------------------------------          
   Available free memory on card       : 4000 bytes          
-------------------------------------------------------------

after that i sniffed the communication  and did a hf14a list:
hf 14a list

trace pointer not allocated
Recorded Activity (TraceLen = 930 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
          
      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation          
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------          
          0 |       2368 | Tag |44  03                                                                   |     |           
      18032 |      23920 | Tag |88  04  5f  56  85                                                       |     |           
      49520 |      53040 | Tag |24  d8  36                                                               |     |           
      69728 |      75616 | Tag |8a  94  3f  80  a1                                                       |     |           
     101328 |     104912 | Tag |20  fc  70                                                               |     |           
     125376 |     134656 | Tag |06  75  77  81  02  80  02  f0                                           |  ok |           
     154928 |     167728 | Tag |02  af  04  01  02  01  00  18  05  44  a4                               |  ok |           
     188560 |     201360 | Tag |03  af  04  01  01  01  04  18  05  14  97                               |  ok |           
     222848 |     243648 | Tag |02  00  04  5f  56  8a  94  3f  80  ba  65  10  e5  80  40  15  a1  be   |  ok |           
     279168 |     283904 | Tag |03  00  c8  34                                                           |     |           
     341104 |     364272 | Tag |02  af  fd  e5  23  f4  37  76  1b  e2  76  d6  bb  2b  cc  2c  73  01   |     |           
            |            |     |b9  80                                                                   |  ok |           
     638928 |     662032 | Tag |03  00  57  59  42  f1  8e  41  9a  ab  b5  ac  b6  d4  e7  c0  4d  15   |     |           
            |            |     |33  24                                                                   |  ok |           
     823216 |     845168 | Tag |02  00  00  00  10  ef  20  00  00  5a  f7  71  a8  65  21  45  6b  d7   |     |           
            |            |     |f5                                                                       |  ok |           
    1018896 |    1063952 | Tag |03  00  01  00  00  1d  68  00  00  00  00  00  00  73  10  00  e7  5d   |     |           
            |            |     |91  c8  a4  07  10  90  00  ff  cf  a0  30  9b  10  70  5a  91  d0  2a   |     |           
            |            |     |55  bf  a1                                                               |  ok |           
    1262448 |    1284400 | Tag |02  00  01  00  40  33  00  01  00  c8  e1  41  31  57  22  ea  1b  33   |     |           
            |            |     |b2                                                                       |  ok |           
    1455824 |    1487056 | Tag |03  00  00  30  01  00  00  14  12  59  37  a6  4c  f8  00  00  00  24   |     |           
            |            |     |81  56  42  f3  a5  65  73  b7  37                                       |  ok |           
    1653040 |    1675056 | Tag |02  00  01  00  40  33  00  01  00  d7  1a  2b  63  58  e1  3b  19  89   |     |           
            |            |     |46                                                                       |  ok |           
    1855632 |    1906448 | Tag |03  00  00  00  00  00  00  48  07  00  00  00  00  00  00  00  00  00   |     |           
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  71  3a   |     |           
            |            |     |d3  50  96  f6  62  07  1c  2f                                           |  ok |           
  128835728 |  128838096 | Tag |44  03                                                                   |     |           
  128853760 |  128859648 | Tag |88  04  5f  56  85                                                       |     |           
  128885232 |  128888752 | Tag |24  d8  36                                                               |     |           
  128905440 |  128911328 | Tag |8a  94  3f  80  a1                                                       |     |           
  128937040 |  128940624 | Tag |20  fc  70                                                               |     |           
  128961216 |  128970496 | Tag |06  75  77  81  02  80  02  f0                                           |  ok |           
  128990768 |  129003568 | Tag |02  af  04  01  02  01  00  18  05  44  a4                               |  ok |           
  129024672 |  129037472 | Tag |03  af  04  01  01  01  04  18  05  14  97                               |  ok |           
  129059072 |  129079872 | Tag |02  00  04  5f  56  8a  94  3f  80  ba  65  10  e5  80  40  15  a1  be   |  ok |           
  129115504 |  129120240 | Tag |03  00  c8  34                                                           |     |           
  129177184 |  129200288 | Tag |02  af  7c  5a  48  41  be  95  65  35  5a  3d  d8  95  e5  31  47  e1   |     |           
            |            |     |92  44                                                                   |  ok |           
  129476912 |  129500080 | Tag |03  00  f7  80  a7  c6  f0  e2  e4  24  5d  b4  1f  59  f9  19  58  c5   |     |           
            |            |     |1d  16                                                                   |  ok |           
  129660448 |  129682400 | Tag |02  00  00  00  10  ef  20  00  00  9a  33  cf  46  9a  f3  a0  ff  ce   |     |           
            |            |     |7e                                                                       |  ok |           
  129856384 |  129901440 | Tag |03  00  01  00  00  1d  68  00  00  00  00  00  00  73  10  00  e7  5d   |     |           
            |            |     |91  c8  a4  07  10  90  00  ff  cf  a0  30  13  3b  72  5b  23  38  76   |     |           
            |            |     |9f  7a  d5                                                               |  ok |           
  130099680 |  130121696 | Tag |02  00  01  00  40  33  00  01  00  77  45  78  7b  cd  ee  ee  f2  dd   |     |           
            |            |     |40                                                                       |  ok |           
  130292288 |  130323520 | Tag |03  00  00  30  01  00  00  14  12  59  37  a6  4c  f8  00  00  00  40   |     |           
            |            |     |a9  57  63  65  3a  4e  c5  34  51                                       |  ok |           
  130490144 |  130512096 | Tag |02  00  01  00  40  33  00  01  00  42  b1  bd  82  9d  95  76  ff  35   |     |           
            |            |     |6f                                                                       |  ok |           
  130692608 |  130743360 | Tag |03  00  00  00  00  00  00  48  07  00  00  00  00  00  00  00  00  00   |     |           
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  20  0e   |     |           
            |            |     |13  42  ee  8a  28  2f  17  00                                           |  ok |    

from that point right now, i cannot do anything with that card, right?
not dumping the card to a file
not getting the keys
not cracking anything
not cloning

am i right?

best regards

Paul

Offline

#4 2019-07-31 00:12:21

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: Sniffing / Dumping a Desfire Card?

for now you cannot "dump" a desfire card. desfire cards are very diffrent vs mifare classic / ultralights ...
for recap:
- mf classic is sector / block oriented with crackable keys -> cloneable
- mf ultralight ev1 is block oriented with sniffable PASS -> cloneable
- mf ultralight c is block oriented with mutual auth with 3DES key -> cannot get key with sniffing

now for desfire:
- mf desfire is kind of file system oriented with applications and files within the applications with 14 diffrent keys for each application
-> mutual auth with 3DES or AES key -> cannot get key from sniffing
-> if the communication between reader and card is done in plain mode you can sniff the data, that the terminal reads from the card

your posted sniff is lacking the reader / terminal side,
can you post a better snoop?

Offline

#5 2019-11-05 15:19:18

sdr_herrmanns
Contributor
Registered: 2017-11-11
Posts: 28

Re: Sniffing / Dumping a Desfire Card?

mackwa thank you for the nice recap. very understandable even for me!
i have a question about the last part (desfire):

"-> if the communication between reader and card is done in plain mode you can sniff the data, that the terminal reads from the card"

how is the procedure to find this out?

i have to sniff the communication between reader and desfire?
can i use my proxmark3 or cameleon mini rev.g for it (sniffing 14a)?
how can i see if the communication is plain or encrypted in the sniff.log?
what if it is plain, can i clone this desfire with a rw desfire and how does this work?

sorry for this amount of questions... smile

Offline

#6 2021-03-30 00:06:49

BlackTalonRaider
Contributor
Registered: 2021-03-28
Posts: 3

Re: Sniffing / Dumping a Desfire Card?

iceman wrote:

for more details with regards to desfire,  try  the  hf mfdes info command.
For desfire normally we would need to enumerate all AID's and try to see which can be read.

What would be the process to enumerate AIDs? Is the only option to brute force them?

Last edited by BlackTalonRaider (2021-03-30 00:07:03)

Offline

#7 2021-03-30 07:56:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Sniffing / Dumping a Desfire Card?

... yes,  which command to run if I want to enumerate all AID's can be tricky.

Regarding brute-force,
If you get hold of the datasheets from NXP about DESFire,   I believe you can find the best practice for it.

Offline

Board footer

Powered by FluxBB