Regarding brute-force: if you get hold of the datasheets from NXP about DESFire, I believe you can find the best practice for it.
For more details with regards to DESFire, try the hf mfdes info command.
For DESFire normally we would need to enumerate all AIDs and try to see which can be read.
What would be the process to enumerate AIDs? Is the only option to brute force them?
"-> if the communication between reader and card is done in plain mode you can sniff the data, that the terminal reads from the card"
What is the procedure to find this out?
Do I have to sniff the communication between reader and DESFire?
Can I use my Proxmark3 or ChameleonMini Rev.G for it (sniffing 14a)?
How can I see if the communication is plain or encrypted in the sniff.log?
What if it is plain, can I clone this DESFire with a RW DESFire, and how does this work?
Sorry for this amount of questions...
Now for DESFire:
- MIFARE DESFire is kind of file-system oriented, with applications and files within the applications, and 14 different keys for each application
-> mutual auth with 3DES or AES key -> cannot get the key from sniffing
-> if the communication between reader and card is done in plain mode you can sniff the data that the terminal reads from the card
Your posted sniff is lacking the reader / terminal side,
can you post a better snoop?
Thank you for your reply.
I pushed the Iceman firmware to my device with success. Second, I received the following information from my DESFire card:
hf mfdes info
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 5F 56 8A 94 3F 80
Batch number : BA 65 10 E5 80
Production date : week 40, 2015
-----------------------------------------------------------
Hardware Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x02
Version : 1.0 (Desfire EV1)
Storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-----------------------------------------------------------
Software Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.4
storage size : 0x18 (4096 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : NO
[0x02] Directory list access with CMK : NO
[0x01] CMK is changeable : YES
Max number of keys : 174
Master key Version : 0 (0x00)
----------------------------------------------------------
[0x0A] Authenticate : NO
[0x1A] Authenticate ISO : NO
[0xAA] Authenticate AES : YES
----------------------------------------------------------
Available free memory on card : 4000 bytes
-------------------------------------------------------------
After that I sniffed the communication and did a hf 14a list:
hf 14a list
trace pointer not allocated
Recorded Activity (TraceLen = 930 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 2368 | Tag |44 03 | |
18032 | 23920 | Tag |88 04 5f 56 85 | |
49520 | 53040 | Tag |24 d8 36 | |
69728 | 75616 | Tag |8a 94 3f 80 a1 | |
101328 | 104912 | Tag |20 fc 70 | |
125376 | 134656 | Tag |06 75 77 81 02 80 02 f0 | ok |
154928 | 167728 | Tag |02 af 04 01 02 01 00 18 05 44 a4 | ok |
188560 | 201360 | Tag |03 af 04 01 01 01 04 18 05 14 97 | ok |
222848 | 243648 | Tag |02 00 04 5f 56 8a 94 3f 80 ba 65 10 e5 80 40 15 a1 be | ok |
279168 | 283904 | Tag |03 00 c8 34 | |
341104 | 364272 | Tag |02 af fd e5 23 f4 37 76 1b e2 76 d6 bb 2b cc 2c 73 01 | |
| | |b9 80 | ok |
638928 | 662032 | Tag |03 00 57 59 42 f1 8e 41 9a ab b5 ac b6 d4 e7 c0 4d 15 | |
| | |33 24 | ok |
823216 | 845168 | Tag |02 00 00 00 10 ef 20 00 00 5a f7 71 a8 65 21 45 6b d7 | |
| | |f5 | ok |
1018896 | 1063952 | Tag |03 00 01 00 00 1d 68 00 00 00 00 00 00 73 10 00 e7 5d | |
| | |91 c8 a4 07 10 90 00 ff cf a0 30 9b 10 70 5a 91 d0 2a | |
| | |55 bf a1 | ok |
1262448 | 1284400 | Tag |02 00 01 00 40 33 00 01 00 c8 e1 41 31 57 22 ea 1b 33 | |
| | |b2 | ok |
1455824 | 1487056 | Tag |03 00 00 30 01 00 00 14 12 59 37 a6 4c f8 00 00 00 24 | |
| | |81 56 42 f3 a5 65 73 b7 37 | ok |
1653040 | 1675056 | Tag |02 00 01 00 40 33 00 01 00 d7 1a 2b 63 58 e1 3b 19 89 | |
| | |46 | ok |
1855632 | 1906448 | Tag |03 00 00 00 00 00 00 48 07 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 3a | |
| | |d3 50 96 f6 62 07 1c 2f | ok |
128835728 | 128838096 | Tag |44 03 | |
128853760 | 128859648 | Tag |88 04 5f 56 85 | |
128885232 | 128888752 | Tag |24 d8 36 | |
128905440 | 128911328 | Tag |8a 94 3f 80 a1 | |
128937040 | 128940624 | Tag |20 fc 70 | |
128961216 | 128970496 | Tag |06 75 77 81 02 80 02 f0 | ok |
128990768 | 129003568 | Tag |02 af 04 01 02 01 00 18 05 44 a4 | ok |
129024672 | 129037472 | Tag |03 af 04 01 01 01 04 18 05 14 97 | ok |
129059072 | 129079872 | Tag |02 00 04 5f 56 8a 94 3f 80 ba 65 10 e5 80 40 15 a1 be | ok |
129115504 | 129120240 | Tag |03 00 c8 34 | |
129177184 | 129200288 | Tag |02 af 7c 5a 48 41 be 95 65 35 5a 3d d8 95 e5 31 47 e1 | |
| | |92 44 | ok |
129476912 | 129500080 | Tag |03 00 f7 80 a7 c6 f0 e2 e4 24 5d b4 1f 59 f9 19 58 c5 | |
| | |1d 16 | ok |
129660448 | 129682400 | Tag |02 00 00 00 10 ef 20 00 00 9a 33 cf 46 9a f3 a0 ff ce | |
| | |7e | ok |
129856384 | 129901440 | Tag |03 00 01 00 00 1d 68 00 00 00 00 00 00 73 10 00 e7 5d | |
| | |91 c8 a4 07 10 90 00 ff cf a0 30 13 3b 72 5b 23 38 76 | |
| | |9f 7a d5 | ok |
130099680 | 130121696 | Tag |02 00 01 00 40 33 00 01 00 77 45 78 7b cd ee ee f2 dd | |
| | |40 | ok |
130292288 | 130323520 | Tag |03 00 00 30 01 00 00 14 12 59 37 a6 4c f8 00 00 00 40 | |
| | |a9 57 63 65 3a 4e c5 34 51 | ok |
130490144 | 130512096 | Tag |02 00 01 00 40 33 00 01 00 42 b1 bd 82 9d 95 76 ff 35 | |
| | |6f | ok |
130692608 | 130743360 | Tag |03 00 00 00 00 00 00 48 07 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0e | |
| | |13 42 ee 8a 28 2f 17 00 | ok |
From that point right now, I cannot do anything with that card, right?
Not dumping the card to a file,
not getting the keys,
not cracking anything,
not cloning.
Am I right?
Best regards,
Paul
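The reply above says that a DESFire mutual authentication (3DES or AES) cannot be recovered by sniffing, and Paul asks how to tell plain from encrypted traffic in a sniff log. The following is an added example written for this thread; it is not code from the Proxmark3 project or from either poster. It parses rows in the hf 14a list format, recomputes the ISO 14443-3 CRC_A, strips the ISO 14443-4 PCB and CRC from each I-block, and labels the DESFire native status byte of every card response. The embedded input rows are copied from the first sniff session in the post above (tag side only). The GetVersion and authentication labels are heuristics based on frame lengths and the NXP vendor byte, and the "CMAC" remark assumes an EV1 session after a successful authentication: because the reader side (and therefore the command codes) is absent from this trace, those labels are assumptions, not decoded commands.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Constructed input: rows copied from the first sniff session quoted in the post above (tag side only).
TRACE = """\
 0 | 2368 | Tag |44 03 | |
 18032 | 23920 | Tag |88 04 5f 56 85 | |
 154928 | 167728 | Tag |02 af 04 01 02 01 00 18 05 44 a4 | ok |
 188560 | 201360 | Tag |03 af 04 01 01 01 04 18 05 14 97 | ok |
 222848 | 243648 | Tag |02 00 04 5f 56 8a 94 3f 80 ba 65 10 e5 80 40 15 a1 be | ok |
 279168 | 283904 | Tag |03 00 c8 34 | |
 341104 | 364272 | Tag |02 af fd e5 23 f4 37 76 1b e2 76 d6 bb 2b cc 2c 73 01 | |
 | | |b9 80 | ok |
 638928 | 662032 | Tag |03 00 57 59 42 f1 8e 41 9a ab b5 ac b6 d4 e7 c0 4d 15 | |
 | | |33 24 | ok |
 823216 | 845168 | Tag |02 00 00 00 10 ef 20 00 00 5a f7 71 a8 65 21 45 6b d7 | |
 | | |f5 | ok |
"""

# DESFire native status bytes (subset of the public NXP command set).
STATUS = {0x00: "OPERATION_OK", 0x0C: "NO_CHANGES", 0x1C: "ILLEGAL_COMMAND_CODE", 0x1E: "INTEGRITY_ERROR",
          0x40: "NO_SUCH_KEY", 0x7E: "LENGTH_ERROR", 0x9D: "PERMISSION_DENIED", 0x9E: "PARAMETER_ERROR",
          0xA0: "APPLICATION_NOT_FOUND", 0xAE: "AUTHENTICATION_ERROR", 0xAF: "ADDITIONAL_FRAME", 0xF0: "FILE_NOT_FOUND"}
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (init 0x6363, poly 0x8408), returned low byte first as sent on air."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

@dataclass
class Frame:
    src: str
    data: bytes
    @property
    def crc_ok(self) -> bool:
        return len(self.data) >= 3 and crc_a(self.data[:-2]) == self.data[-2:]
    @property
    def is_iblock(self) -> bool:   # ISO 14443-4 I-block: PCB 0x02/0x03 (block number toggles) + status + payload + CRC_A
        return len(self.data) >= 4 and self.data[0] in (0x02, 0x03)

def parse_hf14a_list(text: str) -> List[Frame]:
    """One Frame per trace row; a row with a blank Start column continues the previous row."""
    frames: List[Frame] = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 5:
            continue
        tokens = cols[3].replace("!", "").split()   # '!' flags a parity error in the listing
        if not tokens or not all(HEX_BYTE.fullmatch(t) for t in tokens):
            continue
        chunk = bytes.fromhex("".join(tokens))
        if cols[2] in ("Tag", "Rdr"):
            frames.append(Frame(cols[2], chunk))
        elif cols[0] == "" and frames:
            frames[-1].data += chunk
    return frames

def classify(frames: List[Frame]) -> Tuple[List[str], Dict[str, int]]:
    notes: List[str] = []
    stats = {"iblocks": 0, "getversion_parts": 0, "auth_exchanges": 0, "status_errors": 0}
    expect = None          # "getversion", or the payload length of a pending auth step 1 (heuristic state)
    authenticated = False
    for f in frames:
        if not f.is_iblock:
            notes.append(f"{f.src} {f.data.hex(' ')}: not an I-block (ATQA, anticollision, SAK or ATS)")
            continue
        stats["iblocks"] += 1
        status, payload = f.data[1], f.data[2:-2]           # drop PCB and CRC_A
        name = STATUS.get(status, f"STATUS_{status:02X}")
        if status == 0xAF and len(payload) == 7 and payload[0] == 0x04:
            what, expect = "GetVersion part (vendor byte 0x04 = NXP)", "getversion"
            stats["getversion_parts"] += 1
        elif status == 0x00 and expect == "getversion" and len(payload) == 14:
            what, expect = "GetVersion last part (UID, batch number, production date)", None
            stats["getversion_parts"] += 1
        elif status == 0xAF and len(payload) in (8, 16):
            cipher = "AES or 3K3DES" if len(payload) == 16 else "DES or 2K3DES"
            what, expect = f"auth step 1 (heuristic): {len(payload)}-byte encrypted RndB, {cipher}", len(payload)
        elif status == 0x00 and isinstance(expect, int) and len(payload) == expect:
            what, expect = "auth step 2 (heuristic): encrypted RndA', session key established", None
            stats["auth_exchanges"] += 1
            authenticated = True
        elif status == 0x00:
            mac = " (last 8 bytes probably a CMAC of the authenticated session)" if authenticated and len(payload) > 8 else ""
            what, expect = f"OK, {len(payload)} payload bytes{mac}", None
        else:
            what, expect = ("additional frame, unclassified" if status == 0xAF else "error status"), None
            stats["status_errors"] += status != 0xAF
        notes.append(f"{f.src} {name:21} {what} [{'crc ok' if f.crc_ok else 'CRC MISMATCH'}]")
    return notes, stats

def analyze(text: str) -> Dict[str, object]:
    frames = parse_hf14a_list(text)
    notes, stats = classify(frames)
    return {"frames": len(frames), **stats, "notes": notes}
```

Calling analyze(TRACE) and printing its "notes" gives one annotated line per frame: the three GetVersion parts (which match the hf mfdes info output above byte for byte), an empty OK reply, then a 16-byte ADDITIONAL_FRAME followed by a 16-byte OK reply, the shape of an AES challenge-response, after which the card's data replies carry an 8-byte trailer. A listing that instead showed only 0x00 replies with readable file contents and no such exchange would be the "plain mode" case from the reply above. Note that the Proxmark listing leaves the CRC column blank for the 4-byte "03 00 c8 34" reply even though its CRC_A is valid; recomputing the CRC yourself avoids relying on that column.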
I just read through this forum about DESFire. To make sure I got it right:
Until now, dumping a DESFire card is not possible, am I right?
Can I fully dump the DESFire if I have the keys to that card?
Can I obtain the keys with the Proxmark if I don't know them?
hf search
UID : 04 5f 56 8a XX XX XX
ATQA : 03 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 06 75 77 81 02 80 02 f0
- TL : length is 6 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 80
No chinese magic backdoor command detected
PRNG data error: Wrong length: 0
Prng detection error.
Valid ISO14443A Tag Found - Quiting Search
Best regards,
Paul