Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-10-25 06:15:48

PACMAC
Member
Registered: 2015-10-25
Posts: 5

Can PM3 read & write MIFARE Desfire® EV1 4K

Hi Everyone,

I have been surfing through the net and also reading the proxmark forums but I was not able to find any clear information about my problem.

My question is very simple:
Can pm3 read & write MIFARE Desfire® EV1 4K cards?

I got a pm3 from my friend and I simply want to clone my building access card but so far I was not able to find anything on the internet.

Hope someone on the forums will be able to assist me with this.

Thanks pm3 community.

Offline

#2 2015-10-26 04:37:29

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

Your building access uses MIFARE Desfire® EV1!!! Kudos for that  big_smile

To your question: it can read and write, but that would require the authentication key (I think it is unbreakable unless you can sniff the communication between your card and reader).

Hope someone will correct me on this in case big_smile


ModHex(hfdudthbfchtiehuduhehvht)

Offline

#3 2015-10-26 05:28:17

OBP
Member
Registered: 2015-05-29
Posts: 5

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

Thanks for the reply Danz, I hope the process is not that difficult but from what you have said it does not look like an easy process... smile

Offline

#4 2015-10-26 10:41:19

PACMAC
Member
Registered: 2015-10-25
Posts: 5

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

Danz wrote:

Your building access uses MIFARE Desfire® EV1!!! Kudos for that  big_smile

To your question: it can read and write, but that would require the authentication key (I think it is unbreakable unless you can sniff the communication between your card and reader).

Hope someone will correct me on this in case big_smile

How can I do what you have suggested?
Any clear instructions or how to guides anywhere that you might know of?

Offline

#5 2015-10-26 10:45:13

PACMAC
Member
Registered: 2015-10-25
Posts: 5

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

OBP wrote:

Thanks for the reply Danz, I hope the process is not that difficult but from what you have said it does not look like an easy process... smile

Hey, are you trying to achieve the same thing?
Do you know any good websites to read other than pm3 forums or any how to guides?

Offline

#6 2015-10-26 11:13:17

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

The crypto modes available for desfire are DES/3DES/AES/PLAIN.
If your tag system doesn't use crypto (i.e. PLAIN mode) then you should be able to sniff the traffic.
Other modes don't send the key (3-way handshake) and there is no known attack for the newer desfire products.  Only a side-channel attack on an older tag model.

-- if someone takes the most common default passwords and tries them, you might get lucky.   Nothing that is implemented.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#7 2015-10-26 13:29:03

cardix
Member
Registered: 2015-10-26
Posts: 7

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

Iceman, this boob PACMAN, he is also using the nickname Mr Nobot,
He is trying to duplicate the key to make profit, there is no point helping him since he cannot understand anything by himself.

Let him get lost.

Offline

#8 2015-10-26 13:37:36

cardix
Member
Registered: 2015-10-26
Posts: 7

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

talk to 0xFFFF, he knows who I am

Offline

#9 2015-10-26 13:46:03

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

When it comes to Desfire, nobody will succeed at the moment. No need to be alarmed.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#10 2015-10-26 13:46:28

cardix
Member
Registered: 2015-10-26
Posts: 7

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

I think too many intelligent guys here are giving away too much to the noobs, there is a big difference between someone trying to learn about RFID and someone just asking stupid questions to turn it into a business!

We saw not a long time ago this Chinese guy from xfpga asking hits of question in this forum to finally create a cloner and sell it everywhere in the world, this idiot certainly didn't realise that they used his cloner on the tv show Mr Robot ah ah ah
Thanks to all smart guys here, giving him too much information, he is now rich and instead of using the Proxmark they used his noob cloner, what a shame...

If you want to keep helping noobs this is going to turn into dodgy businesses at the end!
You are smart enough to make the difference!

Offline

#11 2015-10-27 03:49:24

PACMAC
Member
Registered: 2015-10-25
Posts: 5

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

cardix wrote:

Iceman, this boob PACMAN, he is also using the nickname Mr Nobot,
He is trying to duplicate the key to make profit, there is no point helping him since he cannot understand anything by himself.

Let him get lost.

I am not Mr Nobot or Robot or whatever so don't judge a book by the cover.

It is not up to you Cardix to decide if people can help others or not.
I want to duplicate my key, which you have no right to interfere or comment.
This is an open forum so people like me who have little knowledge come here to learn/understand from more knowledgeable people. That is the whole idea about a forum and how forums work.

You just created your account yesterday to comment on these posts so most probably you actually are one of those guys who are making money out of this as a business and you are trying to protect your business by trying to prevent others to learn or have the same knowledge as you do.

But you forget one thing, it is those "smart" people who decide if they want to share their knowledge with the "noob" people, not you.

So talk nicely and learn to respect people!

If someone needs to get lost that is you not people like us...

Offline

#12 2015-10-27 06:42:21

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

Guys Chillax... no solution or whatever was exposed here,

That said, I may have something to create the cracking process on smile
I've made one DESFIRE with my own keys, "yes, everyone who use desfire use their own keys, not default, otherwise company would stick to classic if they don't want this security",

now testing the cracking process, the card to tag reply is much shorter when you the first digit/letter of key are same, cool

if someone can create brute force method that can put those measurement into action, it will be great.


ModHex(hfdudthbfchtiehuduhehvht)

Offline

#13 2015-10-27 10:38:00

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

For which crypto-mode does the tag behave like that?
and does this repeat itself when the first+second byte of key is the same?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#14 2015-10-27 18:38:43

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

Hello Iceman, it was for AES, haven't tested on other crypto yet.

The deauth replay comes faster "talking about time" the closer to the right key.

tic toc, I think it is processing issue that can lead to something !?! cool


ModHex(hfdudthbfchtiehuduhehvht)

Offline

#15 2015-10-27 19:09:01

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

That is definitely something to verify...


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#16 2015-10-28 07:51:00

PACMAC
Member
Registered: 2015-10-25
Posts: 5

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

Danz wrote:

Hello Iceman, it was for AES, haven't tested on other crypto yet.

The deauth replay comes faster "talking about time" the closer to the right key.

tic toc, I think it is processing issue that can lead to something !?! cool

Hey Danz, I hope you can successfully figure things out and help me with my task as well.
If there is anything that I can assist you with please let me know. smile

Offline

#17 2015-10-28 13:52:39

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

@danz,   so what you are saying is that tagresponse  "0b 00 ae c6 c0 "  0xAE comes faster if the first byte of the given key is correct?  or do you mean the  "0b  00  af  0a ...."  response comes faster?

If only I had a desfire tag with a known key,  this would be so much easier to verify...


--snippet log AUTH/AES for a Desfire 4k

        0 |        992 | Rdr |52                                                               |     | WUPA
     2244 |       4612 | Tag |44  03                                                           |     |
     7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
    10692 |      16516 | Tag |88  04  77  29  d2                                               |     |
    18688 |      29216 | Rdr |93  70  88  04  77  29  d2  6c  76                               |  ok | SELECT_UID
    30404 |      33924 | Tag |24  d8  36                                                       |     |
    35200 |      37664 | Rdr |95  20                                                           |     | ANTICOLL-2
    38852 |      44740 | Tag |5a  86  34  80  68                                               |     |
    46848 |      57376 | Rdr |95  70  5a  86  34  80  68  22  58                               |  ok | ANTICOLL-2
    58564 |      62148 | Tag |20  fc  70                                                       |     |
    63488 |      68256 | Rdr |e0  80  31  73                                                   |  ok | RATS
    69444 |      78724 | Tag |06  75  77  81  02  80  02  f0                                   |  ok |
    85504 |      92512 | Rdr |0a  00  aa  00  21  d8                                           |  ok | ?
   128452 |     152772 | Tag |0a  00  af  f7  a2  cf  33  2e  68  e1  b7  d9  27  b6  13  ce   |     |
          |            |     |8d  b6  b4  ef  8c                                               |  ok |
   162816 |     205600 | Rdr |0b  00  af  0a  b2  ad  48  77  78  56  2f  39  52  66  2c  ca   |     |
          |            |     |14  63  13  b7  6d  54  ad  b9  fc  28  a1  c5  f9  fc  ee  83   |     |
          |            |     |1c  72  5f  27  ea                                               |  ok | ?
   228676 |     234500 | Tag |0b  00  ae  c6  c0                                               |     |
   563584 |     567136 | Rdr |c2  e0  b4                                                       |  ok | RESTORE(224)

Last edited by iceman (2015-10-28 19:56:25)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline
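
The AUTH/AES exchange from the trace above, decoded frame by frame. This is an added example, not part of the original post or the Proxmark3 code base; it assumes ISO 14443-4 I-block framing (PCB, optional CID, 2-byte CRC) and the DESFire native codes 0xAA (AuthenticateAES), 0xAF (additional frame), 0x00 (OK) and 0xAE (authentication error), and its function names are made up for illustration.

```python
# Added example: decode the four authentication frames of the trace.
# Frames are copied from the post's log (continuation lines joined, timestamps dropped).
TRACE = """\
Rdr | 0a 00 aa 00 21 d8
Tag | 0a 00 af f7 a2 cf 33 2e 68 e1 b7 d9 27 b6 13 ce 8d b6 b4 ef 8c
Rdr | 0b 00 af 0a b2 ad 48 77 78 56 2f 39 52 66 2c ca 14 63 13 b7 6d 54 ad b9 fc 28 a1 c5 f9 fc ee 83 1c 72 5f 27 ea
Tag | 0b 00 ae c6 c0
"""

READER_CMDS = {0xAA: "AuthenticateAES", 0xAF: "AdditionalFrame"}
TAG_STATUS = {0x00: "OPERATION_OK", 0xAF: "ADDITIONAL_FRAME",
              0xAE: "AUTHENTICATION_ERROR"}

def describe(src, code, payload):
    """Role of the payload in the 3-way handshake (no key is ever sent)."""
    if src == "Rdr" and code == 0xAA:
        return "reader asks to authenticate with key number %d" % payload[0]
    if src == "Tag" and code == 0xAF:
        return "tag challenge: encrypted RndB"
    if src == "Rdr" and code == 0xAF:
        return "reader response: encrypted RndA + rotated RndB"
    if src == "Tag" and code == 0x00:
        return "tag proves itself: encrypted rotated RndA"
    if src == "Tag" and code == 0xAE:
        return "tag rejected the reader response (wrong key)"
    return "not part of the AES handshake"

def decode_frame(src, raw):
    pcb = raw[0]
    if pcb & 0xC0:                       # top bits 00 mark an I-block
        raise ValueError("not an I-block: %02x" % pcb)
    offset = 2 if pcb & 0x08 else 1      # bit 3 set: a CID byte follows the PCB
    code, payload = raw[offset], raw[offset + 1:-2]   # last 2 bytes are the CRC
    names = READER_CMDS if src == "Rdr" else TAG_STATUS
    return {"src": src, "block": pcb & 1, "name": names.get(code, "unknown"),
            "payload_len": len(payload), "meaning": describe(src, code, payload)}

def decode_trace(text):
    frames = []
    for line in text.strip().splitlines():
        src, hexbytes = (part.strip() for part in line.split("|"))
        frames.append(decode_frame(src, bytes.fromhex(hexbytes)))
    return frames

def auth_result(frames):
    """Status name of the last tag frame, i.e. how the handshake ended."""
    return [f["name"] for f in frames if f["src"] == "Tag"][-1]

if __name__ == "__main__":
    for f in decode_trace(TRACE):
        print(f["src"], f["block"], f["name"], f["payload_len"], f["meaning"])
```

In this trace the tag answers the reader's 32-byte response with 0xAE, so the session was never authenticated, and only encrypted random challenges crossed the air.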

#18 2015-11-04 11:45:54

key
Contributor
Registered: 2015-10-28
Posts: 20

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

iceman wrote:

The crypto modes available for desfire are DES/3DES/AES/PLAIN.
If your tag system doesn't use crypto (i.e. PLAIN mode) then you should be able to sniff the traffic.
Other modes don't send the key (3-way handshake) and there is no known attack for the newer desfire products.  Only a side-channel attack on an older tag model.

-- if someone takes the most common default passwords and tries them, you might get lucky.   Nothing that is implemented.

if sniff on wires, can get info about crypto key used?

Offline

#19 2015-11-04 11:57:39

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

maybe if you have access to the sourcecode of the system or the firmware of the reader you might find the cryptokeys.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#20 2015-12-07 15:42:50

key
Contributor
Registered: 2015-10-28
Posts: 20

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

same question here: Can PM3 read & write MIFARE Desfire® EV1 4K
so what is answer????

Offline

#21 2016-10-09 23:21:59

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

As far as I'm aware, there's still nothing on this specific card, she's crazy secure, best bet is to obtain the reader and extract the key from it.

Offline

#22 2016-10-11 07:50:39

cjbrigato
Contributor
Registered: 2016-09-04
Posts: 52

Re: Can PM3 read & write MIFARE Desfire® EV1 4K

I was reading some "Knowledgeable Insider's" internal paper (which I strongly hope to get past the "internal" and become public),
anyway it seems that Side-channel attacks had successful implementation as now-"easy" way on getting more or less what you want from an accessible desfire card, without invasive treatment such as MITM/Sniff etc.
Power Consumptions and alikes side channel attacks seems of nothing very promising (as I am aware, maybe wrong but I doubt it ?)
E.M. leakage Side channels are on their side very,very,very more interesting.

You can build the necessary to start such implementation within very constrained budget.

Offline
