Proxmark3 developers community


#1 2020-12-18 11:59:46

nocomp
Contributor
Registered: 2020-10-09
Posts: 4

MIFARE DESFire EV2

Hello everybody,

I tried my best by myself trying to solve a mystery, but I guess I've reached my maximum.

We use these cards here:


Tag Information ---------------------------
[=] -------------------------------------------------------------
[+]               UID: 04 5B XX XX XX XX XX
[+]      Batch number: CE 8B 59 XX XX
[+]   Production date: week 11 / 2018

[=] --- Hardware Information
[=]    raw: 04010112001A05
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x01
[=]        Subtype: 0x01
[=]        Version: 12.0 ( DESFire EV2 )
[=]   Storage size: 0x1A ( 8192 bytes )
[=]       Protocol: 0x05 ( ISO 14443-2, 14443-3 )

[=] --- Software Information
[=]    raw: 04010102011A05
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x01
[=]        Subtype: 0x01
[=]        Version: 2.1
[=]   Storage size: 0x1A ( 8192 bytes )
[=]       Protocol: 0x05 ( ISO 14443-3, 14443-4 )

[=] --- Card capabilities

[=] --- Tag Signature
[=]  IC signature public key name: DESFire EV2
[=] IC signature public key value: 04B3........................................................
[=]                              : .............................
[=]                              : ;....................2
[=]                              : ......................;A
[=]     Elliptic curve parameters: NID_secp224r1
[=]              TAG IC Signature: 4EBF5AD8........................................
[=]                              : FBEA208F657........................................
[=]                              : 4600FB5.............................................;
[=]                              : 3AF1A980................
[+]        Signature verification: successful
[+]    Number of Masterkeys                  : 1
[+]    Operation of PICC master key          : (3)DES
[+]    PICC Master key Version               : 0 (0x00)
[=]    ----------------------------------------------------------
[!!] ? APDU: No APDU response.
[+]    [0x1A] Authenticate ISO  : YES
[=] -------------------------------------------------------------
[=]  Key setting: 0x0F [1111]
[+]    [1...] CMK Configuration changeable   : YES
[+]    [.1..] CMK required for create/delete : NO
[+]    [..1.] Directory list access with CMK : NO
[+]    [...1] CMK is changeable              : YES


On some readers, with a Chameleon Mini RevG, I've been able to emulate the UID using the MF Classic 4K 7B card type.

On some readers it's enough to get access, but on another reader, it doesn't see the card.

I have cards that are sold with the Proxmark RDV4, and I wanted to set this 7B UID to a card for a test, and I never found a way to do that.

I've been able to emulate with the RDV4, and again, on the non-working reader with the Chameleon, same behaviour.


When I do hf mf dump I get this going for ages:
[usb] pm3 --> hf mf dump
[=] Using `hf-mf-045B3BFXXXXXXX-key.bin`
[=] Reading sector access bits...
.[#] Auth error
.[#] Auth error
.[#] Auth error

[-] ⛔ could not get access rights for sector  0. Trying with defaults...

.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error


and then:


[+] saved 1024 bytes to binary file hf-mf-045B3BXXXXXXXX-dump-3.bin
[+] saved 64 blocks to text file hf-mf-045B3XXXXXXXX-dump-3.eml
[+] saved to json file hf-mf-045B3BXXXXXXXXX-dump-3.json


In the eml file I get:



From that, how can I make a single copy of a card with just the UID, or is there any way to dump all the keys?

Gear I own:
Proxmark 3 & RDV4
Chameleon Rev E & Rev G

Thank you for your help.
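
The "raw" version blocks and the key-setting byte in the tag information above, decoded field by field. This is an added example, not part of the original post or of the Proxmark3 client; the function names are hypothetical and the lookup tables hold only the values that appear in that output.

```python
# Added example: decodes values printed in the tag information above.
VENDORS = {0x04: "NXP Semiconductors Germany"}   # mapping shown in the output
HW_FAMILY = {0x12: "DESFire EV2"}                # hardware major 0x12, per the output


def storage_size(code):
    """Return (bytes, inexact). The upper 7 bits are an exponent n, giving
    2**n bytes; a set low bit marks a size between 2**n and 2**(n+1)."""
    return 1 << (code >> 1), bool(code & 1)


def parse_version(raw_hex):
    """Split one 7-byte 'raw' version block into its named fields."""
    raw = bytes.fromhex(raw_hex)
    if len(raw) != 7:
        raise ValueError(f"expected 7 bytes, got {len(raw)}")
    vendor, typ, subtype, major, minor, size, proto = raw
    size_bytes, inexact = storage_size(size)
    return {
        "vendor": VENDORS.get(vendor, f"unknown (0x{vendor:02X})"),
        "type": typ,
        "subtype": subtype,
        "version": f"{major:x}.{minor:x}",   # the client prints these bytes as hex
        "family": HW_FAMILY.get(major),      # meaningful for the hardware block only
        "storage_bytes": size_bytes,
        "storage_inexact": inexact,
        "protocol": proto,
    }


def decode_key_settings(value):
    """Decode the low nibble of the key-settings byte (CMK = card master key)."""
    return {
        "cmk_config_changeable": bool(value & 0x08),
        "cmk_required_for_create_delete": not (value & 0x04),
        "cmk_required_for_directory_list": not (value & 0x02),
        "cmk_changeable": bool(value & 0x01),
    }


if __name__ == "__main__":
    for label, raw in (("hardware", "04010112001A05"), ("software", "04010102011A05")):
        print(label, parse_version(raw))
    print(decode_key_settings(0x0F))
```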


#2 2020-12-18 14:25:00

iceman
Administrator
Registered: 2013-04-25
Posts: 7,139

Re: MIFARE DESFire EV2

Mixed bag of goodies.
To answer one of your questions, DESFire simulation is not implemented on Proxmark3.
You seem to be confused about MIFARE Classic vs MIFARE DESFire; maybe read a short datasheet or two to understand what you are trying to ask or want to do?
The files section on this site has a nice selection of datasheets; you'll find a link at the top of the page.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2020-12-18 14:25:48

nocomp
Contributor
Registered: 2020-10-09
Posts: 4

Re: MIFARE DESFire EV2

Thanks a lot! @iceman


#4 2020-12-18 14:30:34

nocomp
Contributor
Registered: 2020-10-09
Posts: 4

Re: MIFARE DESFire EV2

How come with the Chameleon Mini RevG I can emulate the card for some readers and not for others? Out of 3 apps that use this card (printing services, door, car key safe box), the emulation works on all of them except the printer reader. Any reason why?
Thanks for your time.
