Proxmark3 community


#1 2018-10-12 12:56:05

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Mifare Plus open information

I collect here open info about Mifare Plus cards.

https://www.jinmuyu.com/download/MIFARE … 0Guide.pdf

Block                         | Block number     | Description
MIFARE Data/Value Blocks,     | 00 00h to 00 7Fh | Sector 0 to 31
MIFARE Sector Trailers        |                  |
MIFARE Data/Value Blocks,     | 00 80h to 00 FFh | Sector 32 to 39
MIFARE Sector Trailers        |                  |
MFP Configuration Block       | B0 00h           | Defines the number of unMACed commands as well as if plain communication is possible
Installation Identifier       | B0 01h           | Installation identifier as used in the VC concept. The installation identifier can be requested from NXP.
ATS information               | B0 02h           | The 'Answer To Select' information
Field Configuration Block     | B0 03h           | Defines if Proximity Check is mandatory and if RandomID shall be enabled.

Keys

Key                           | Key number       | Description
AES Sector Keys               | 40 00h to 40 3Fh | AES sector keys from sector 0 to 31. The second byte defines the sector number and which key (Key A or Key B) is used: Key A = sector number multiplied by 2, Key B = sector number multiplied by 2 + 1. E.g. Key A for sector 2 has the number 40 04.
AES Sector Keys               | 40 40h to 40 4Fh | AES sector keys from sector 32 to 39. The second byte defines the sector number and which key (Key A or Key B) is used, with the same rule: Key A = sector number multiplied by 2, Key B = sector number multiplied by 2 + 1.
Originality Key               | 80 00h           | The originality key is personalised by NXP to the IC and cannot be changed. As the value of the key is not distributed outside of NXP, authentication with this key is only possible with a specially prepared SAM supplied by NXP.
Card Master Key               | 90 00h           | Can be used to change the Level Switch Keys as well as the MFP Configuration Key.
Card Configuration Key        | 90 01h           | Can be used to change the Field Configuration Block.
Level 2 Switch Key            | 90 02h           | Key to switch from Level 1 to Level 2.
Level 3 Switch Key            | 90 03h           | Key to switch from Level 2 to Level 3.
SL1 Card Authentication Key   | 90 04h           | Key to do one additional AES authentication in security level 1.
Select VC Key                 | A0 00h           | Key to perform Select VC.
Proximity Check Key           | A0 01h           | Key to verify the Proximity Check.
VC Polling ENC Key            | A0 80h           | Select VC Polling ENC Key.
VC Polling MAC Key            | A0 81h           | Select VC Polling MAC Key.

Offline

#2 2018-10-12 12:57:16

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Mifare Plus open information

open datasheet
https://www.nxp.com/docs/en/data-sheet/ … Y1_SDS.pdf

[6] NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001.
[7] NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication.
[9] FIPS PUB 197 ADVANCED ENCRYPTION STANDARD — Recommendation for block cipher modes of operation: Methods and techniques.
[10] ISO/IEC Standard — ISO/IEC 9797-1 Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher.

Last edited by merlok (2018-10-25 12:05:18)

Offline

#3 2018-10-12 12:58:34

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Mifare Plus open information

https://github.com/Proxmark/proxmark3/b … rePlus.lua

-- Command strings from the Proxmark3 client script mifarePlus.lua. The first byte (03, or 02
-- in alternating frames) is the ISO 14443-4 I-block PCB; the second is the MIFARE Plus command code.
GETVERS_INIT = "0360" -- Begins the GetVersion command
GETVERS_CONT = "03AF" -- Continues the GetVersion command (additional frame)
POWEROFF = "OFF" -- Not a card command: script-internal marker for switching the field off
WRITEPERSO = "03A8" -- WritePerso: write a block or key while the card is still in SL0 (personalisation)
COMMITPERSO = "03AA" -- CommitPerso: finish personalisation and leave SL0
AUTH_FIRST = "0370" -- AuthenticateFirst: AES authentication that starts a new session
AUTH_CONT = "0372" -- AuthenticateContinue: second step of the authentication
AUTH_NONFIRST = "0376" -- AuthenticateNonFirst: further authentication inside an existing session
PREPAREPC = "03F0" -- PreparePC: prepare the Proximity Check
PROXIMITYCHECK = "03F2" -- ProximityCheck: the timed challenge exchange
VERIFYPC = "03FD" -- VerifyPC: verify the Proximity Check (MACed)
READPLAINNOMACUNMACED = "0336" -- Read: plain response, no MAC on the response, unMACed command

Offline

#4 2018-10-12 13:00:20

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Mifare Plus open information

https://pastebin.com/CaC8nj7p

Mifare DESFire AES authentication flow:
-> 90 5A 00 00 03 10 10 10 00 (select app, appId 10 10 10)
<- 91 00 (ok)
-> 90 AA 00 00 01 00 00 (request for AES auth)
<- 2C 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE 91 AF (challenge from card)

//computation_start
1. 'generate' randomA
randomA = 01 02 03 04 05 06 07 08 09 00 0A 0B 0C 0D 0E 0F
2. trim challenge to receive randomB
randomB = 2C 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE
3. left shift randomB
randomB' = 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE 2C
4. randomA+randomB' = 01 02 03 04 05 06 07 08 09 00 0A 0B 0C 0D 0E 0F 0B 9F 68 69 77 0C 05 AF 0E 40 6C 5E 90 F6 BE 2C
5. encrypt randomA+randomB' with 16-byte 0x00 IV and given 16-byte KEY
encrypted = CB BB D6 90 96 61 FB AB 03 26 77 B6 9B C7 DA B0 89 E1 BE F7 A7 2A 77 01 31 89 D1 75 A6 A5 C2 55
//computation_end

-> 90 AF 00 00 20 CB BB D6 90 96 61 FB AB 03 26 77 B6 9B C7 DA B0 89 E1 BE F7 A7 2A 77 01 31 89 D1 75 A6 A5 C2 55 00
<- 91 AE (auth error)

Offline
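Added example (Go, not the poster's code): both sides of the DESFire EV1 AuthenticateAES exchange documented above, simulated with one key so the mutual authentication and session-key derivation can be traced end to end. It follows the chaining libfreefare implements: the reader decrypts the card's challenge to recover RndB, and the last ciphertext block of each step becomes the IV of the next; a mismatched reader key shows the point where a card answers 91 AE. Key, RndA and RndB are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

func rotl1(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) } // rotate left 1 byte: RndB -> RndB'

// cbc runs AES-CBC and also returns the last ciphertext block, which DESFire carries over as the IV of the next operation.
func cbc(key, iv, data []byte, encrypt bool) (out, nextIV []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a 16-byte AES key is meaningful here
	}
	out = make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
		return out, out[len(out)-16:]
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	return out, data[len(data)-16:]
}

// AuthenticateAES simulates both sides of DESFire EV1 AuthenticateAES (0xAA): the card holds
// piccKey, the reader pcdKey. Returns the session key, or an error where a real card answers 91 AE.
func AuthenticateAES(piccKey, pcdKey, rndA, rndB []byte) ([]byte, error) {
	ekRndB, piccIV := cbc(piccKey, make([]byte, 16), rndB, true)   // PICC -> PCD: ek(RndB), IV = 0
	gotRndB, pcdIV := cbc(pcdKey, make([]byte, 16), ekRndB, false) // PCD decrypts to recover RndB
	ekBoth, pcdIV := cbc(pcdKey, pcdIV, append(append([]byte{}, rndA...), rotl1(gotRndB)...), true) // ek(RndA||RndB'), IV = ek(RndB)
	dec, piccIV := cbc(piccKey, piccIV, ekBoth, false)
	if !bytes.Equal(dec[16:], rotl1(rndB)) {
		return nil, fmt.Errorf("PICC rejects RndB': reader key mismatch (card answers 91 AE)")
	}
	ekRndA, _ := cbc(piccKey, piccIV, rotl1(dec[:16]), true) // PICC -> PCD: ek(RndA')
	gotRndA, _ := cbc(pcdKey, pcdIV, ekRndA, false)
	if !bytes.Equal(gotRndA, rotl1(rndA)) {
		return nil, fmt.Errorf("PCD rejects RndA': card key mismatch")
	}
	// Session key = RndA[0..3] || RndB[0..3] || RndA[12..15] || RndB[12..15]
	sk := append(append(append(append([]byte{}, rndA[:4]...), gotRndB[:4]...), rndA[12:]...), gotRndB[12:]...)
	return sk, nil
}

func main() { // constructed demo values, not taken from a real card
	k := bytes.Repeat([]byte{0x0F}, 16)
	fmt.Println(AuthenticateAES(k, k, bytes.Repeat([]byte{0x0A}, 16), bytes.Repeat([]byte{0x0B}, 16)))
}
```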

#5 2018-10-12 13:30:55

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Mifare Plus open information

http://www.proxmark.org/forum/viewtopic.php?id=2517

1. Send: [03 0A 00]
2. Received: [03 AF 66 12 F8 D0 91 6E 45 90]
ENCRYPT RndB = 32 f4 30 06 b3 0d ab 5d
ROTATE RndB' = f4 30 06 b3 0d ab 5d 32
RndA = bd 4d 00 00 0a 21 00 00
3. Send: [02 AF 9D B9 C9 5A D2 8E 4A F2 CA 48 9E CE 3B F4 2F 1B]
4. Received: [02 00 CB 8A D2 B5 56 4D E3 E6]
RndA' = 4d 00 00 0a 21 00 00 bd
Session Key
RndA(4)+RndB(4) = bd 4d 00 00 32 f4 30 06
5. Send: [03 C4 80 39 3D 34 DB 64 49 E8 B4 D1 EF 20 BC D8 1B 71 CF 52 EF E3 B4 80 7E 2C 52]
6. Received: [03 00] – OK

ENCRYPT {39 3D 34 DB 64 49 E8 B4 D1 EF 20 BC D8 1B 71 CF 52 EF E3 B4 80 7E 2C 52} =
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
42 63 24 00 00 00 00 00 <- 42 63 24 ?
The first two lines are a new key for AES. What do the bytes 42 63 24 mean?

Offline

#6 2018-10-12 13:42:31

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Mifare Plus open information

http://boysen-dharaelvis.blogspot.com/2 … mmand.html

Mifare Plus WritePerso
sample RAW Command (hex)
A8 00 90 {key - 16 bytes}

Last edited by merlok (2018-10-12 13:42:48)

Offline

#7 2018-10-14 09:13:34

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Mifare Plus open information

Hi Merlok! How can I contact you?

Offline

#8 2018-10-16 11:55:04

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Mifare Plus open information

---

Last edited by merlok (2018-10-16 14:39:05)

Offline

#9 2018-10-26 14:08:49

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare Plus open information

Offline
