Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I'm collecting open info about MIFARE Plus cards here.
https://www.jinmuyu.com/download/MIFARE … 0Guide.pdf
Block                     | Address          | Description
MIFARE Data/Value Blocks, MIFARE Sector Trailers | 00 00h to 00 7Fh | Sector 0 to 31
MIFARE Data/Value Blocks, MIFARE Sector Trailers | 00 80h to 00 FFh | Sector 32 to 39
MFP Configuration Block   | B0 00h           | Defines the number of unmaced commands as well as if plain communication is possible
Installation Identifier   | B0 01h           | Installation identifier as used in VC concept. The installation identifier can be requested from NXP.
ATS information           | B0 02h           | The 'Answer To Select' information
Field Configuration Block | B0 03h           | Defines if Proximity Check is mandatory and if RandomID shall be enabled.

Keys
Key                       | Address          | Description
AES Sector Keys           | 40 00h to 40 3Fh | AES Sector Keys from Sector 0 to 31. The second byte defines the sector number and which key (Key A or Key B) is used. KEY A = sector number multiplied by 2; KEY B = sector number multiplied by 2 + 1. E.g. Key A for sector 2 has the number 40 04.
AES Sector Keys           | 40 40h to 40 4Fh | AES Sector Keys from Sector 32 to 39. The second byte defines the sector number and which key (Key A or Key B) is used. KEY A = sector number multiplied by 2; KEY B = sector number multiplied by 2 + 1.
Originality Key           | 80 00h           | The originality key is personalised by NXP to the IC and cannot be changed. As the value of the key is not distributed outside of NXP, authentication with this key is only possible with a specially prepared SAM supplied by NXP.
Card Master Key           | 90 00h           | Can be used to change the Level Switch Keys as well as the MFP Configuration Key.
Card Configuration Key    | 90 01h           | Can be used to change the Field Configuration Block.
Level 2 Switch Key        | 90 02h           | Key to switch from Level 1 to Level 2
Level 3 Switch Key        | 90 03h           | Key to switch from Level 2 to Level 3
SL1 Card Authentication Key | 90 04h         | Key to do one additional AES authentication in security level 1
Select VC Key             | A0 00h           | Key to perform Select VC
Proximity Check Key       | A0 01h           | Key to verify the Proximity Check
VC Polling ENC Key        | A0 80h           | Select VC Polling ENC Key
VC Polling MAC Key        | A0 81h           | Select VC Polling MAC Key
open datasheet
https://www.nxp.com/docs/en/data-sheet/ … Y1_SDS.pdf
[6] NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques, 2001.
[7] NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication.
[9] FIPS PUB 197, Advanced Encryption Standard (AES).
[10] ISO/IEC 9797-1, Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher.
Last edited by merlok (2018-10-25 12:05:18)
https://github.com/Proxmark/proxmark3/b … rePlus.lua
-- Each string is the ISO 14443-4 PCB byte (03) followed by the native MIFARE Plus command byte
GETVERS_INIT = "0360" -- Begins the GetVersion command
GETVERS_CONT = "03AF" -- Continues the GetVersion command
POWEROFF = "OFF" -- Proxmark keyword: switch the field off
WRITEPERSO = "03A8" -- WritePerso: write a key or configuration block during personalisation
COMMITPERSO = "03AA" -- CommitPerso: finish personalisation
AUTH_FIRST = "0370" -- AES authentication, first part (first authentication)
AUTH_CONT = "0372" -- AES authentication, second part
AUTH_NONFIRST = "0376" -- AES authentication, first part (following authentication)
PREPAREPC = "03F0" -- PrepareProximityCheck
PROXIMITYCHECK = "03F2" -- ProximityCheck
VERIFYPC = "03FD" -- VerifyProximityCheck
READPLAINNOMACUNMACED = "0336" -- one of the read commands 0x30-0x37; see the datasheet for the MAC variants
MIFARE DESFire AES authentication flow:
-> 90 5A 00 00 03 10 10 10 00 (select app, appId 10 10 10)
<- 91 00 (ok)
-> 90 AA 00 00 01 00 00 (request for AES auth)
<- 2C 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE 91 AF (challenge from card)
//computation_start
1. 'generate' randomA
randomA = 01 02 03 04 05 06 07 08 09 00 0A 0B 0C 0D 0E 0F
2. trim challenge to receive randomB
randomB = 2C 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE
3. left shift randomB
randomB' = 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE 2C
4. randomA+randomB' = 01 02 03 04 05 06 07 08 09 00 0A 0B 0C 0D 0E 0F 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE 2C
5. encrypt randomA+randomB' with 16-byte 0x00 IV and given 16-byte KEY
encrypted = CB BB D6 90 96 61 FB AB 03 26 77 B6 9B C7 DA B0 89 E1 BE F7 A7 2A 77 01 31 89 D1 75 A6 A5 C2 55
//computation_end
-> 90 AF 00 00 20 CB BB D6 90 96 61 FB AB 03 26 77 B6 9B C7 DA B0 89 E1 BE F7 A7 2A 77 01 31 89 D1 75 A6 A5 C2 55 00
<- 91 AE (auth error)
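The AuthenticateAES exchange from the post above, simulated end to end in Go as an added example; this is not code from the post or from the Proxmark project, and both sides run locally, so the all-zero key and the two nonces are constructed values (the post's randomA is reused as RndA, and its challenge bytes are reused as the card's RndB only to keep the numbers familiar). The reader decrypts the 16-byte challenge with AES-CBC and a zero IV to recover RndB before rotating it, then encrypts RndA||RndB' with the received ciphertext as IV, because the CBC chain continues across the whole exchange; the session key is RndA[0..3]||RndB[0..3]||RndA[12..15]||RndB[12..15]. The decryptChallenge switch shows what happens when the raw challenge bytes are taken as RndB: the card's check of RndB' fails and it answers with the 91 AE status seen above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// AES-CBC over whole 16-byte blocks with an explicit IV (no padding involved).
func cbcEncrypt(blk cipher.Block, iv, plain []byte) []byte {
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, plain)
	return out
}
func cbcDecrypt(blk cipher.Block, iv, ct []byte) []byte {
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, ct)
	return out
}

// rotl rotates a byte string left by one byte: RndB -> RndB', RndA -> RndA'.
func rotl(b []byte) []byte {
	return append(append([]byte{}, b[1:]...), b[0])
}

// SessionKey for AES: RndA[0..3] || RndB[0..3] || RndA[12..15] || RndB[12..15].
func SessionKey(rndA, rndB []byte) []byte {
	k := append([]byte{}, rndA[:4]...)
	k = append(k, rndB[:4]...)
	k = append(k, rndA[12:16]...)
	return append(k, rndB[12:16]...)
}

// Picc simulates the card side of AuthenticateAES (0xAA) for one key.
type Picc struct {
	blk  cipher.Block
	rndB []byte
	iv   []byte // CBC chaining value carried across the exchange
}

func NewPicc(key, rndB []byte) *Picc {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &Picc{blk: blk, rndB: rndB}
}

// Challenge is the card's answer to "90 AA 00 00 01 <keyNo> 00": E_K(RndB), IV = 0.
func (p *Picc) Challenge() []byte {
	ct := cbcEncrypt(p.blk, make([]byte, 16), p.rndB)
	p.iv = ct
	return ct
}

// Respond checks the reader's E_K(RndA || RndB') and answers E_K(RndA').
func (p *Picc) Respond(ct []byte) ([]byte, error) {
	pt := cbcDecrypt(p.blk, p.iv, ct)
	rndA, rndBRot := pt[:16], pt[16:]
	if !bytes.Equal(rndBRot, rotl(p.rndB)) {
		return nil, errors.New("91 AE: RndB' mismatch, authentication error")
	}
	p.iv = ct[16:] // last ciphertext block received is the IV for the reply
	return cbcEncrypt(p.blk, p.iv, rotl(rndA)), nil
}

// ReaderAuthenticate runs the PCD side and returns the session key.
// decryptChallenge=false takes the raw challenge bytes as RndB instead of
// decrypting them, which is the failure mode that ends in 91 AE.
func ReaderAuthenticate(key, rndA []byte, picc *Picc, decryptChallenge bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ekRndB := picc.Challenge() // <- 16 bytes, status 91 AF
	rndB := ekRndB
	if decryptChallenge {
		rndB = cbcDecrypt(blk, make([]byte, 16), ekRndB) // IV = 0 for this first block
	}
	msg := append(append([]byte{}, rndA...), rotl(rndB)...) // RndA || RndB'
	ct := cbcEncrypt(blk, ekRndB, msg)                       // IV = E_K(RndB), not zero
	resp, err := picc.Respond(ct)                            // -> 90 AF 00 00 20 <ct> 00
	if err != nil {
		return nil, err
	}
	// The reply is E_K(RndA') chained on the last ciphertext block the reader sent.
	if !bytes.Equal(cbcDecrypt(blk, ct[16:], resp), rotl(rndA)) {
		return nil, errors.New("card did not prove knowledge of the key")
	}
	return SessionKey(rndA, rndB), nil
}

func main() {
	key := make([]byte, 16)                                            // constructed: all-zero key
	rndA, _ := hex.DecodeString("010203040506070809000a0b0c0d0e0f") // RndA as in the post
	rndB, _ := hex.DecodeString("2c0b9f6869770c05af0e406c5e90f6be") // constructed RndB
	sk, err := ReaderAuthenticate(key, rndA, NewPicc(key, rndB), true)
	fmt.Printf("session key: %x (err=%v)\n", sk, err)
	_, err = ReaderAuthenticate(key, rndA, NewPicc(key, rndB), false)
	fmt.Println("raw challenge used as RndB:", err)
}
```

Because the session key only depends on the two nonces, a reader and a card simulator that agree on it have necessarily agreed on both RndA and RndB, which is the mutual-authentication property the three-pass exchange is meant to give.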
http://www.proxmark.org/forum/viewtopic.php?id=2517
1.Send: [03 0A 00]
2.Received: [03 AF 66 12 F8 D0 91 6E 45 90]
ENCRYPT RndB = 32 f4 30 06 b3 0d ab 5d
ROTATE RndB’ = f4 30 06 b3 0d ab 5d 32
RndA = bd 4d 00 00 0a 21 00 00
3.Send: [02 AF 9D B9 C9 5A D2 8E 4A F2 CA 48 9E CE 3B F4 2F 1B]
4.Received: [02 00 CB 8A D2 B5 56 4D E3 E6]
RndA' = 4d 00 00 0a 21 00 00 bd
Session Key
RndA(4)+RndB(4) = bd 4d 00 00 32 f4 30 06
5.Send: [03 C4 80 39 3D 34 DB 64 49 E8 B4 D1 EF 20 BC D8 1B 71 CF 52 EF E3 B4 80 7E 2C 52]
6.Received: [03 00] - OK
ENCRYPT {39 3D 34 DB 64 49 E8 B4 D1 EF 20 BC D8 1B 71 CF 52 EF E3 B4 80 7E 2C 52} =
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
42 63 24 00 00 00 00 00 <- 42 63 24 ?
The first two lines are a new key for AES. What do the bytes 42 63 24 mean?
http://boysen-dharaelvis.blogspot.com/2 … mmand.html
Mifare Plus WritePerso
sample RAW Command (hex)
A8 00 90 {key, 16 bytes}
Last edited by merlok (2018-10-12 13:42:48)
Hi Merlok! How can I contact you?
---
Last edited by merlok (2018-10-16 14:39:05)
Did you see this one?