Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2017-06-14 17:08:20

sirmixalot
Contributor
Registered: 2017-06-14
Posts: 5

Simulating MIFARE DESFire 4k 7 byte UID - Possible on pm3?

I'm hoping someone can shed some light on how to emulate the 7 byte UID of a MIFARE DESFire 4k tag.

The current card I have identifies as:

proxmark3> hf search
UID : 04 xx xx xx xx xx 80
ATQA : 03 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 06 75 77 81 02 80 02 f0
       -  TL : length is 6 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
       -  HB : 80
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search

I am on the latest iceman release, but also tried with the latest stock release and I get similar results.

The command I am using is:

proxmark3> hf 14a sim 3 <7 byte UID here>
Emulating ISO/IEC 14443 type A tag with 7 byte UID <7 byte UID displayed here>
#db# Recieved unknown command (len=1):
#db# 69
#db# Recieved unknown command (len=3):
#db# b2 67 c7
#db# Recieved unknown command (len=3):
#db# b3 ee d6

The "recieved unknown command" is generated when I try to read the emulated tag. I am using an ACR122U to attempt to read the tag. The ACR122U has no problem reading the original card, getting its UID and identifying it as a MIFARE DESFire 4k card, it is only the proxmark3 that is failing.

I am using the software GoToTags windows application as the interface for my ACR122U. It has this message as the result of attempting to read the proxmark3:

{"Uid":null,"ReadOnly":false,"DataLength":null,"CanMakeReadOnly":false,"Formatted":false,"Records":null,"TagTech":null,"MaxDataLength":null,"Exception":"The NFC tag's type is not supported."}

I also tried using the "hf mf sim" command, but it doesn't appear to support a 7 byte UID (it looks like that might just be for mifare classic, not DESFire?)


I've read elsewhere on this forum that this was "theoretically" possible, but it was an old post. Is this possible?

Any help would be greatly appreciated!

Again, I am just looking to simulate the 7 byte UID, not extract/crack keys.

Last edited by sirmixalot (2017-06-14 17:11:05)

Offline

#2 2017-06-14 17:32:40

iceman
Administrator
Registered: 2013-04-25
Posts: 4,879
Website

Re: Simulating MIFARE DESFire 4k 7 byte UID - Possible on pm3?

I doubt we have desfire simulation, since we even don't have support for Desfire.

The iso14443a part simulation (hf 14a sim)  should'nt be hard to add Desfire,  but this is only the anticollision, select part.
Which is what I think is what you want.


&#20912;&#20154;

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2018-10-12 13:13:45

merlok
Contributor
Registered: 2011-05-16
Posts: 128

Re: Simulating MIFARE DESFire 4k 7 byte UID - Possible on pm3?

Possible.
But if someone writes some code)

Offline

Board footer

Powered by FluxBB