MIFARE DESFire
- Can't currently be cloned
- Uses the ISO/IEC 14443-4 protocols
- Operates at 13.56 MHz
- Can be DES/2DES/3DES or 16 bit AES
- Backwards compatible: EV3 -> EV2 -> EV1 -> D40
Channel:
- d40: old secure channel that can work only with des and 2tdea keys
- ev1: secure channel that can work with all the keys: des, 2tdea, 3tdea, aes
- ev2: the newest channel that can work with aes key only
Communication Modes:
- plain: just plain data between card and reader
- maced: mac applied to request/response/both (may be sent or not)
- encrypted: encrypted data in the request/response/both; in the ev2 channel the data is also signed with a MAC.
Documents:
- Security Review
- Sample Communications
- Example EV1 Commands
DESFire Light
- Has one preinstalled master file (ISO ID 0x3f00) and one application (0xdf01)
In the application, there are 6 files:
- 0x00 Standard data file with size 256 bytes
- 0x01 Cyclic record file with 5 records with size 16 bytes each
- 0x03 Value file
- 0x04 Standard data file with size 256 bytes
- 0x0f Transaction MAC file with size 256 bytes
- 0x1f Standard data file with size 32 bytes. Used for FCI.
Users can't create or delete files (except the Transaction MAC file).
ISO file IDs, the other files and application parameters can be changed via the SetConfiguration command only.
The card has two secure channels: EV2 and LRP. By default, EV2 is on. LRP can be switched on by issuing the SetConfiguration command, and after that it can't be switched off.
The application on the card can't be selected by the DESFire native select; an ISO select command must be issued instead. All the commands that can work in the LRP channel have the --appisoid option.
Transaction MAC file: the only file that can be created and deleted. By default, all transaction operations (operations with Value and Record files) need to issue the CommitReaderID command.
So, for a quick check, this file needs to be deleted. Its default file ID is 0x0f.
The FCI is sent from the card to the reader after the application is selected (df01 by default).
If more space is needed for the FCI, change the ID of one of the bigger files to 0x1f (and the current ID to something else) via the SetConfiguration command.
DESFire
- Vulnerable to side-channel attack
- Uses DES and 3DES
DESFire EV1
- Uses a True Random Number Generator
- Not vulnerable to side-channel attack like DESFire
- Uses AES-128
Proxmark
Get Info:
[usb] pm3 --> hf mfdes info
[=] ---------------------------------- Tag Information ----------------------------------
[+] UID: 04 89 29 12 72 51 80
[+] Batch number: B9 0C 16 49 90
[+] Production date: week 29 / 2016
[+] Product type: MIFARE DESFire native IC (physical card)
[=] --- Hardware Information
[=] raw: 04010101001805
[=] Vendor Id: NXP Semiconductors Germany
[=] Type: 0x01
[=] Subtype: 0x01
[=] Version: 1.0 ( DESFire EV1 )
[=] Storage size: 0x18 ( 4096 bytes )
[=] Protocol: 0x05 ( ISO 14443-2, 14443-3 )
[=] --- Software Information
[=] raw: 04010101041805
[=] Vendor Id: NXP Semiconductors Germany
[=] Type: 0x01
[=] Subtype: 0x01
[=] Version: 1.4
[=] Storage size: 0x18 ( 4096 bytes )
[=] Protocol: 0x05 ( ISO 14443-3, 14443-4 )
[=] --------------------------------- Card capabilities ---------------------------------
[=] 1.4 - DESFire Ev1 MF3ICD21/41/81, EAL4+
[+] --- AID list
[+] AIDs: ffffff, f21030
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 2 free memory 2240 bytes
[+] PICC level auth commands:
[+] Auth.............. YES
[+] Auth ISO.......... YES
[+] Auth AES.......... NO
[+] Auth Ev2.......... NO
[+] Auth ISO Native... YES
[+] Auth LRP.......... NO
[+] PICC level rights:
[+] [1...] CMK Configuration changeable : YES
[+] [.0..] CMK required for create/delete : YES
[+] [..1.] Directory list access with CMK : NO
[+] [...1] CMK is changeable : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 3 (0x03)
[=] --- Free memory
[+] Available free memory on card : 2240 bytes
[=] Standalone DESFire
Bruteforce AIDs:
[usb] pm3 --> hf mfdes bruteaid
[=] Enumerating through all AIDs manually, this will take a while!
[+] Got new APPID 000000
[|]Progress: 0 %, current AID: 027E3E
[!] Communicating with Proxmark3 device failed
[usb] pm3 --> hf mfdes bruteaid --start 3a7e02
[=] Bruteforce from 027e3a to ffffff
[=] Enumerating through all AIDs manually, this will take a while!
[|]Progress: 0 %, current AID: 04AF97
Show Applications:
[usb] pm3 --> hf mfdes lsapp --no-auth
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 2 free memory 2240 bytes
[+] PICC level auth commands:
[+] Auth.............. YES
[+] Auth ISO.......... YES
[+] Auth AES.......... NO
[+] Auth Ev2.......... NO
[+] Auth ISO Native... YES
[+] Auth LRP.......... NO
[+] PICC level rights:
[+] [1...] CMK Configuration changeable : YES
[+] [.0..] CMK required for create/delete : YES
[+] [..1.] Directory list access with CMK : NO
[+] [...1] CMK is changeable : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 3 (0x03)
[+] --------------------------------- Applications list ---------------------------------
[+] Application number: 0xFFFFFF
[+] ISO id.... 0x0000
[+] DF name... ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[+] AID mapped to MIFARE Classic AID (MAD): FFFF
[+] MAD AID Cluster 0xFF : miscellaneous applications
[=] MAD AID Function 0xFFFF : Miscellaneous applications [Reserved For future Use]
[+] Auth commands:
[+] Auth.............. YES
[+] Auth ISO.......... YES
[+] Auth AES.......... NO
[+] Auth Ev2.......... NO
[+] Auth ISO Native... YES
[+] Auth LRP.......... NO
[+]
[+] Application level rights:
[+] -- Authentication with the specified key (0x01) is necessary to change any key.
[+] A change key and a PICC master key (CMK) can only be changed after authentication with the master key.
[+] For keys other then the master or change key, an authentication with the same key is needed.
[+] [1...] AMK Configuration changeable : YES
[+] [.0..] AMK required for create/delete : YES
[+] [..1.] Directory list access with AMK : NO
[+] [...1] AMK is changeable : YES
[+]
[+] Key: 2TDEA
[+] key count: 4
[+]
[+] Key versions [0..3]: 03, 03, 03, 03
[+] Application number: 0xF21030
[+] ISO id.... 0x0000
[+] DF name... ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[+] AID mapped to MIFARE Classic AID (MAD): 2103
[+] MAD AID Cluster 0x21 : reserved
[=] MAD AID Function 0x2103 : Multi-Modal Transit (Vix/ERG) [ERG Transit Systems]
[+] Auth commands:
[+] Auth.............. YES
[+] Auth ISO.......... YES
[+] Auth AES.......... NO
[+] Auth Ev2.......... NO
[+] Auth ISO Native... YES
[+] Auth LRP.......... NO
[+]
[+] Application level rights:
[+] -- Authentication with the specified key (0x01) is necessary to change any key.
[+] A change key and a PICC master key (CMK) can only be changed after authentication with the master key.
[+] For keys other then the master or change key, an authentication with the same key is needed.
[+] [1...] AMK Configuration changeable : YES
[+] [.0..] AMK required for create/delete : YES
[+] [..1.] Directory list access with AMK : NO
[+] [...1] AMK is changeable : YES
[+]
[+] Key: 2TDEA
[+] key count: 5
[+]
[+] Key versions [0..4]: 02, 02, 02, 02, 02
Interact with the application:
[usb] pm3 --> hf mfdes selectapp --aid F21030
[+] Application 0xf21030 selected succesfully
List Files for Application:
[usb] pm3 --> hf mfdes lsfiles --aid FFFFFF --no-auth
[!!] Desfire GetFileISOIDList command error. Result: -20
[!] ISO ID list returned no data
[=] ------------------------------------------ File list -----------------------------------------------------
[+] ID |ISO ID| File type | Mode | Rights: raw, r w rw ch | File settings
[+] ----------------------------------------------------------------------------------------------------------
[+] 0f | | 0x00 Standard data | Plain | eff2, free deny deny key2 | Size 9 / 0x9
[+] 07 | | 0x01 Backup data | MAC | e332, free key3 key3 key2 | Size 32 / 0x20
[usb] pm3 --> hf mfdes lsfiles --aid F21030 --no-auth
[!!] Desfire GetFileISOIDList command error. Result: -20
[!] ISO ID list returned no data
[=] ------------------------------------------ File list -----------------------------------------------------
[+] ID |ISO ID| File type | Mode | Rights: raw, r w rw ch | File settings
[+] ----------------------------------------------------------------------------------------------------------
[+] 05 | | 0x01 Backup data | Plain | e432, free key4 key3 key2 | Size 32 / 0x20
[+] 00 | | 0x01 Backup data | Plain | e432, free key4 key3 key2 | Size 160 / 0xA0
[+] 0f | | 0x00 Standard data | MAC | e432, free key4 key3 key2 | Size 416 / 0x1A0
[+] 02 | | 0x04 Cyclic Record | Plain | e432, free key4 key3 key2 | Rec cnt 1/11 size: 48 [0x30]b
[+] 03 | | 0x04 Cyclic Record | Plain | e432, free key4 key3 key2 | Rec cnt 1/6 size: 48 [0x30]b
[+] 04 | | 0x01 Backup data | MAC | e432, free key4 key3 key2 | Size 64 / 0x40
[+] 06 | | 0x01 Backup data | Plain | e432, free key4 key3 key2 | Size 64 / 0x40
[+] 07 | | 0x01 Backup data | Plain | e432, free key4 key3 key2 | Size 64 / 0x40
[usb] pm3 -->
View Files:
[usb] pm3 --> hf mfdes read --aid FFFFFF --fid 0f --no-auth
[=] ------------------------------- File 0f data -------------------------------
[+] Read 9 bytes from file 0x0f offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 00 04 B5 55 00 C2 8C BF 08 | ...U.....
[usb] pm3 --> hf mfdes read --aid FFFFFF --fid 07 --no-auth
[!] File needs communication mode `mac` but there is no authentication
[=] ------------------------------- File 07 data -------------------------------
[+] Read 32 bytes from file 0x07 offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 03 00 00 01 FF FF 03 48 00 00 00 00 00 FF FF FF | .......H........
[=] 16/0x10 | FF C0 00 00 00 00 01 5D 00 00 00 00 00 00 00 00 | .......]........
[usb] pm3 --> hf mfdes read --aid F21030 --fid 00 --no-auth
[=] ------------------------------- File 00 data -------------------------------
[+] Read 160 bytes from file 0x00 offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | FF FF 20 42 00 02 01 00 00 00 00 00 00 00 00 00 | .. B............
[=] 16/0x10 | 00 00 00 00 00 FF FF FF FF 00 00 00 FF FF FF FF | ................
[=] 32/0x20 | 00 00 00 00 01 00 B1 00 04 04 00 00 00 02 29 80 | ..............).
[=] 48/0x30 | 08 04 00 00 00 02 29 C0 0C 04 00 00 00 00 00 00 | ......).........
[=] 64/0x40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 80/0x50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 96/0x60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 112/0x70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 128/0x80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 144/0x90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mfdes read --aid F21030 --fid 02 --no-auth
[=] ------------------------------- File 02 data -------------------------------
[+] Read 48 bytes from file 0x02 from record 0 record count 1 record length 48
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 10 90 00 75 8F B9 E0 98 00 02 5A 08 60 12 00 02 | ...u......Z.`...
[=] 16/0x10 | 26 0C 83 C9 FF F9 00 0D C0 5D F0 0B 47 3A 20 10 | &........]..G: .
[=] 32/0x20 | 01 00 00 E1 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mfdes read --aid F21030 --fid 03 --no-auth
[=] ------------------------------- File 03 data -------------------------------
[+] Read 48 bytes from file 0x03 from record 0 record count 1 record length 48
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 10 80 00 75 8F B9 D6 C0 B4 25 44 38 20 06 00 03 | ...u.....%D8 ...
[=] 16/0x10 | E8 01 B8 9D 9D FF FF FF FE 02 00 00 00 3E 80 00 | .............>..
[=] 32/0x20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mfdes read --aid F21030 --fid 04 --no-auth
[!] File needs communication mode `mac` but there is no authentication
[=] ------------------------------- File 04 data -------------------------------
[+] Read 64 bytes from file 0x04 offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 10 48 18 00 00 02 00 00 00 00 A7 5E 00 02 00 01 | .H.........^....
[=] 16/0x10 | F4 00 01 F4 03 78 00 0F AD 00 07 00 00 00 00 00 | .....x..........
[=] 32/0x20 | 00 00 00 00 00 00 00 10 00 00 E1 00 03 00 00 00 | ................
[=] 48/0x30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mfdes read --aid F21030 --fid 05 --no-auth
[=] ------------------------------- File 05 data -------------------------------
[+] Read 32 bytes from file 0x05 offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 00 00 00 00 01 00 00 00 01 30 00 25 AA A8 06 14 | .........0.%....
[=] 16/0x10 | 65 F8 00 FF FF FF FF 03 00 00 00 00 00 00 00 00 | e...............
[usb] pm3 --> hf mfdes read --aid F21030 --fid 06 --no-auth
[=] ------------------------------- File 06 data -------------------------------
[+] Read 64 bytes from file 0x06 offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 18 00 24 7F 15 CF D0 E7 A0 01 00 00 4B 40 00 0E | ..$.........K@..
[=] 16/0x10 | 02 26 00 02 27 15 CF D0 02 26 00 00 02 26 00 00 | .&..'....&...&..
[=] 32/0x20 | 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 48/0x30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mfdes read --aid F21030 --fid 07 --no-auth
[=] ------------------------------- File 07 data -------------------------------
[+] Read 64 bytes from file 0x07 offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 18 00 2F FE 00 00 00 00 00 01 FF FF FF FE 00 02 | ../.............
[=] 16/0x10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 32/0x20 | 01 F0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 48/0x30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mfdes read --aid F21030 --fid 0f --no-auth
[!] File needs communication mode `mac` but there is no authentication
[=] ------------------------------- File 0f data -------------------------------
[+] Read 416 bytes from file 0x0f offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 16/0x10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 32/0x20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 48/0x30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 64/0x40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 80/0x50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 96/0x60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 112/0x70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 128/0x80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 144/0x90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 160/0xA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 176/0xB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 192/0xC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 208/0xD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 224/0xE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 240/0xF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 256/0x100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 272/0x110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 288/0x120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 304/0x130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 320/0x140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 336/0x150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 352/0x160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 368/0x170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 384/0x180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 400/0x190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 -->
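An added example, not part of the original notes or of Proxmark3: a small auditor for `hf mfdes lsfiles` listings that decodes the raw rights word (nibble order r, w, rw, ch, with `e` = free and `f` = deny, as in the rows above) and flags files that need no authentication. The row for file 09 and its `Encrypted` mode label are constructed for illustration.

```python
import re

# Rows copied from the lsfiles output above, plus one constructed row (file 09).
SAMPLE = """\
[+] ID |ISO ID| File type | Mode | Rights: raw, r w rw ch | File settings
[+] 0f | | 0x00 Standard data | Plain | eff2, free deny deny key2 | Size 9 / 0x9
[+] 07 | | 0x01 Backup data | MAC | e332, free key3 key3 key2 | Size 32 / 0x20
[+] 02 | | 0x04 Cyclic Record | Plain | e432, free key4 key3 key2 | Rec cnt 1/11 size: 48 [0x30]b
[+] 09 | | 0x00 Standard data | Encrypted | 1f10, key1 deny key1 key0 | Size 32 / 0x20
"""

# file id | iso id | file type | mode | raw rights, printed rights | settings
ROW = re.compile(r"^\[\+\]\s+([0-9a-fA-F]{2})\s*\|[^|]*\|[^|]*\|\s*(\w+)\s*\|"
                 r"\s*([0-9a-fA-F]{4}),([^|]*)\|")
FIELDS = ("read", "write", "read_write", "change")

def decode_rights(raw):
    """Split the 16-bit rights word into its four nibbles (r, w, rw, ch)."""
    nibbles = [(int(raw, 16) >> shift) & 0xF for shift in (12, 8, 4, 0)]
    return {f: {0xE: "free", 0xF: "deny"}.get(n, f"key{n}") for f, n in zip(FIELDS, nibbles)}

def audit(listing):
    """Return {file_id: [issues]} for every file row in an lsfiles listing."""
    report = {}
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or error line
        fid, mode, raw, printed = m.groups()
        rights = decode_rights(raw)
        issues = []
        if [rights[f] for f in FIELDS] != printed.split():
            issues.append("printed rights do not match raw word")
        if "free" in (rights["read"], rights["read_write"]):
            issues.append("readable without authentication")
            if mode.lower() != "plain":
                # Matches the "[!] File needs communication mode" warning above.
                issues.append(f"{mode.lower()} mode not applied to unauthenticated reads")
        if "free" in (rights["write"], rights["read_write"]):
            issues.append("writable without authentication")
        if rights["change"] == "free":
            issues.append("access rights changeable without authentication")
        report[fid] = issues
    return report

if __name__ == "__main__":
    for fid, issues in audit(SAMPLE).items():
        print(fid, "; ".join(issues) or "ok")
```

Every file in the two applications listed on this page has `e` in the read nibble, which is why each `read --no-auth` above returned data, including the files whose mode is MAC.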
DESFire EV2
DESFire EV3
- Uses DES/3K3DES/3K3DES/AES128