Identify Mifare DESFire #249
Comments
|
I did some more testing. When I set ATQARelevant to false (which the documentation recommends) and the ATSRelevant to true it correctly identifies my card. In the source code I found the following comment:
However, if I read the NXP paper, it seem to suggest the opposite. Am I missing something here? |
|
In case ATS and ATQA are indeed mixed up, I wrote a fix for this. |
|
After reading further, NXP indeed does also not recommend the use of the ATS:
It states that we have to use the GET_VERSION command. The problem is, how do I issue the GET_VERSION command? |
|
Hi @johndekroon, |
|
For what I understand so far is that I have to do "send 60" for the GET_VERSION command. The problem is that I don't receive anything:
|
|
I think you have to put |
|
I think I need a little help with that. Is there some example which can help me started? |
|
You can take a look into the code from the libfreefare examples. They have implemented a |
|
just to sum up, something was already mentioned before: Afaik it's not very useful, to identify a card with ATQA and SAK values, cause you would have so many possibilities. Many cards "share" the same values. Purpose for ATQA is for anticollision support and UID length and SAK (select acknowledge) value is for UID (not) complete and ISO14443 Layer 4 support yes/no. To Identify a MIFARE DESFire card command code "60" is the way to go. You would only need ISO framing for the MIFARE DESFire Light, all other DESFire chips should answer to the desfire native command code "60" |
|
@martinbeier That is indeed the case, the card has a random UID. Is there a quick / easy way to send commands to the DESFire? I've looked to the libfreefare project, and the only thing that I was able to extract from it was that it would take me a significant amount of time to understand what they actually are doing. |
|
@johndekroon I'm not really aware, what is already implemented in ChameleonMini firmware. You would need to do Anticol L1 -> Select UID part1 -> Anticol L2 -> Select UID part2 -> RATS (request ATS) -> should be implemented, as you mentioned that you got back ATS from DESFire card, afterwards you would only need to send command code 60 in ISO14443-4 frame including CRC. For testing try to send following three commands: (in order)
did a test with DESFire EV2 8K card:
cannot proper format the output with markdown :/ |
|
@martinbeier what did you use to get this read outs? |
|
@johndekroon |
Hi,
I started experimenting with some other cards. I have a DESFire card which I tried to read using the Identify command. However, it shows "unknown card". The ATQA is 0304 and the SAK is 20.
I tried to patch the code, but then I saw the following lines (Application/Reader14443A.c:99-100):
[CardType_NXP_MIFARE_DESFire] = { .ATQA = 0x0344, .ATQARelevant = true, .SAK = 0x20, .SAKRelevant = true, .ATSRelevant = false, .ATSSize = 5, .ATS = {0x75, 0x77, 0x81, 0x02, 0x80}, .Manufacturer = "NXP", .Type = "MIFARE DESFire" }, [CardType_NXP_MIFARE_DESFire_EV1] = { .ATQA = 0x0344, .ATQARelevant = true, .SAK = 0x20, .SAKRelevant = true, .ATSRelevant = false, .ATSSize = 5, .ATS = {0x75, 0x77, 0x81, 0x02, 0x80}, .Manufacturer = "NXP", .Type = "MIFARE DESFire EV1" },On the forum of the proxmark I saw the following topic: http://proxmark.org/forum/viewtopic.php?id=2982
It stated that the proxmark will correctly identify those cards with the same ATQA as mine. I've tried to change the ATQA to 0x0304, but that doesn't result in a recognised card.
Edit: Hm. While I was reading further in the documentation (https://www.nxp.com/docs/en/application-note/AN10833.pdf) I was reading that the value indeed should be 0344. However:
Page 10:
So a few questions:
Thanks!
The text was updated successfully, but these errors were encountered: