review desfire.md

This commit is contained in:
Philippe Teuwen 2021-08-22 01:23:46 +02:00
parent 58dda7a809
commit 8e526567b3

@ -1,8 +1,8 @@
# Desfire card
# DESFire card
## Documentation
[Desfire Light datasheet MF2DL(H)x0](https://www.nxp.com/docs/en/data-sheet/MF2DLHX0.pdf)
[DESFire Light datasheet MF2DL(H)x0](https://www.nxp.com/docs/en/data-sheet/MF2DLHX0.pdf)
[Features and Hints AN12343](https://www.nxp.com/docs/en/application-note/AN12343.pdf)
@ -38,25 +38,25 @@
## Communication channel with a card:
The card can work in the combination of: key type - command set - secure channel - communication mode
The card can work with a combination of: key type - command set - secure channel - communication mode
*key types:*
**des** - 8 bytes key. can be present in a form of **2tdea** key with length 16 bytes by duplicate contents twice.
**des** - 8-byte key. can be present in a form of **2tdea** key with length 16 bytes by duplicating contents twice.
**2tdea** - 16 bytes key
**2tdea** - 16-byte key
**3tdea** - 24 bytes key. can be disabled on the card level.
**3tdea** - 24-byte key. can be disabled on the card level.
**aes** - 16 bytes aes-128 key
**aes** - 16-byte AES-128 key
*command sets:*
**native** - raw commands
**native iso** - wrap raw commands into the iso apdu. **CLA** = 0x90, **INS** = command code, **data** = the rest data from raw command
**native iso** - wraps raw commands into the ISO APDU. **CLA** = 0x90, **INS** = command code, **data** = the remaining data from raw command
**iso** - work only several commands: iso select by iso id (if enabled), authenticate, read and write in the **plain** mode, read in the **mac** mode
**iso** - works only for some commands: ISO select by ISO ID (if enabled), authenticate, read and write in the **plain** mode, read in the **mac** mode
*secure channels:*
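Review bot: "by duplicating contents twice" in the **des** entry still misstates how an 8-byte DES key is carried as 2TDEA: the 16-byte form is the 8-byte key repeated once (K1 = K2), not duplicated twice, so "can be present in a form of **2tdea** key with length 16 bytes by duplicating contents twice" should read "can be presented as a 16-byte **2tdea** key by repeating the 8-byte key (K1 = K2)". The same entry and the **3tdea** entry also leave their second sentence starting in lowercase ("can be present", "can be disabled"); capitalize both for consistency with the rest of this edit.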
@ -66,17 +66,17 @@ The card can work in the combination of: key type - command set - secure channel
**ev2** - the newest channel that can work with **aes** key only
*communication modes*
*communication modes*
**plain** - just plain data between card and reader
**maced** - mac applied to reqest/response/both (may be sent and may be not)
**maced** - mac applied to request/response/both (may be sent or not)
**encrypted** - encrypted data in the reqest/response/both. in the ev2 channel data signed with mac.
**encrypted** - encrypted data in the request/response/both in the ev2 channel data signed with mac.
## Card architecture
The card has several applications on it and the application have files and some other objects
The card has several applications on it and the applications have files and some other objects.
Each card has a master application with AID 0x000000 that saves the card's configuration.
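Review bot: the **encrypted** line drops the sentence break between "both" and "in", so the new text "encrypted data in the request/response/both in the ev2 channel data signed with mac." now reads as though encryption applies only to the EV2 channel and leaves the trailing clause without a verb. Keep the original two sentences and supply the verb: "encrypted data in the request/response/both. In the EV2 channel the data is also signed with a MAC." The "*communication modes*" line appears unchanged on both sides of the diff; if that is a trailing-whitespace fix it is fine, otherwise it is noise in the hunk.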
@ -88,22 +88,22 @@ Each application may have its own key type and set of keys. Each file can only h
- Application
- Application number: 1 byte
- Application ISO number: if set at the time of application creation. It can be selected by this id in the iso command set.
- Application DF name: 1-16 chars. It can be selected by this name in the iso command set.
- Application ISO number: if set at the time of application creation. It can be selected by this ID in the ISO command set.
- Application DF name: 1-16 chars. It can be selected by this name in the ISO command set.
- Key settings: number of keys, key type, key config (what can do/not user with keys)
- Keys: up to 14 keys (indexes 0..d)
- Key versions: key version of corresponded key
- Key versions: key version of corresponding key
- Files:
- File number: 1 byte
- File iso number: should be if application created with iso number and should not be if there is no iso number at the application level.
- File ISO number: should be present if and only if application created with ISO number.
- File type: standard, backup, value, cyclic record, linear record, transaction mac
- Some settings that belonged to file type (size for standard file at sample)
- Some settings that belong to file type (size for standard file for example)
- File communication mode: plain/maced/encrypted
- File access right: there is 4 modes: read/write/read-write/change settings. And each mode access can be: key0..keyD, E - free access, F - deny access
- File access right: there are 4 modes: read/write/read-write/change settings. And each mode access can be: key0..keyD, E - free access, F - deny access
## Desfire Light:
## DESFire Light:
The card has one preinstalled master file (iso id 0x3f00) and one application (0xdf01)
The card has one preinstalled master file (ISO ID 0x3f00) and one application (0xdf01)
In the application, there are 6 files:
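Review bot: "Key settings: number of keys, key type, key config (what can do/not user with keys)" sits in the edited region but is left as is; suggest "(what the user can and cannot do with the keys)". In the "File ISO number" line, "should be present if and only if application created with ISO number" still needs "the application was created with an ISO number". The "File access right" line would also be clearer as "File access rights: there are 4 rights: read/write/read-write/change settings, and each can be assigned to key0..keyD, E - free access, F - deny access", since the four items are access rights rather than modes.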
@ -116,18 +116,18 @@ In the application, there are 6 files:
User can't create/delete files (except Transaction MAC file).
ISO file IDs and the other file and application parameters can be changed via SetConfiguration command only.
ISO file IDs, the other files and application parameters can be changed via SetConfiguration command only.
The card has two secure channels: EV2 and LRP. By default, EV2 is on. LRP can be switched on by issue SetConfiguration command and after that, it can't be switched off.
The card has two secure channels: EV2 and LRP. By default, EV2 is on. LRP can be switched on by issuing SetConfiguration command and after that, it can't be switched off.
Application on the card can't be selected by desfire native select. Needs to issue iso select command. All the commands that can work in LRP channel have **--appisoid** option
Application on the card can't be selected by DESFire native select. Needs to issue ISO select command. All the commands that can work in LRP channel have **--appisoid** option
Transaction MAC file - the only file that can be created and deleted. By default, all transaction operations (operations with Value and Record file) need to issue CommitReaderID command.
So) to fast check- it needs to delete this file) it has default file id - 0x0f.
Transaction MAC file - the only file that can be created and deleted. By default, all transaction operations (operations with Value and Record file) need to issue CommitReaderID command.
So (to fast check- it is needed to delete this file) it has default file id - 0x0f.
FCI sends from card to reader after selecting the application (df01 by default)
If it needs to have more space for FCI - just change the id of one of the bigger files to 0x1f (and the current id to somewhere) via SetConfiguration command
If it needs to have more space for FCI - just change the ID of one of the bigger files to 0x1f (and the current ID to something else) via SetConfiguration command.
## How to
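Review bot: the rewrite of the SetConfiguration sentence changes its meaning. "ISO file IDs, the other files and application parameters can be changed via SetConfiguration command only" now says the files themselves are changed, whereas the original "the other file and application parameters" meant the remaining file parameters and the application parameters, which fits the preceding line stating that the user cannot create or delete files. Suggest "ISO file IDs and the other file and application parameters can only be changed via the SetConfiguration command." The Transaction MAC sentence "So (to fast check- it is needed to delete this file) it has default file id - 0x0f." is still hard to parse; suggest "So, for a quick check, delete this file; its default file ID is 0x0f."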
@ -163,7 +163,7 @@ All the commands use these settings by default if a more important setting is no
### How to try communication channel settings
`hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456` - try application 123456 master key
`hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456` - try application 123456 master key
`hf mfdes auth -n 0 -t aes --save` - try PICC AES master key and save the configuration to defaults if authentication succeeds
@ -175,7 +175,7 @@ All the commands use these settings by default if a more important setting is no
`hf mfdes lsapp --files` - show applications list with their files
`hf mfdes getaids --no-auth` - this command can return a simple aid list if it is enabled in the card settings
`hf mfdes getaids --no-auth` - this command can return a simple AID list if it is enabled in the card settings
### How to look/dump files from the application file list
@ -185,7 +185,7 @@ All the commands use these settings by default if a more important setting is no
### How to change key
Change key algorithm can be done only in one case - change card master key.
Changing key algorithm can be done only in one case - change card master key.
Key algorithm for application can be chosen only on its creation.
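Review bot: "Changing key algorithm can be done only in one case - change card master key." still mixes a gerund subject with an imperative clause; suggest "The key algorithm can be changed in only one case: when changing the card master key." The next line would then read naturally as "The key algorithm for an application can be chosen only at its creation."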
@ -197,17 +197,17 @@ Key algorithm for application can be chosen only on its creation.
### How to create the application
`hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456 --dstalgo aes` - create an application with iso file id, df name, and key algorithm AES
`hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456 --dstalgo aes` - create an application with ISO file ID, df name, and key algorithm AES
`hf mfdes createapp --aid 123456` - create an application 123456 with DES key algorithm and without iso file id. in this case, iso file id can't be provided for application's files
`hf mfdes createapp --aid 123456` - create an application 123456 with DES key algorithm and without ISO file ID. in this case, iso file id can't be provided for application's files
### How to create files
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010` - create standard file with iso id and default access settings
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010` - create standard file with ISO ID and default access settings
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010 --backup` - create backup file
create standard file with mac access mode and specified access settings. access settigs can be changed later with command `hf mfdes chfilesettings`
Create standard file with mac access mode and specified access settings. access settings can be changed later with command `hf mfdes chfilesettings`
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010 --amode mac --rrights free --wrights free --rwrights free --chrights key0`
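Review bot: the createapp line without an ISO file ID is only half updated: "without ISO file ID. in this case, iso file id can't be provided for application's files" starts its second sentence in lowercase and keeps "iso file id" lowercase immediately after the same term was capitalized. Suggest "without an ISO file ID. In this case, an ISO file ID can't be provided for the application's files." For consistency with "Application DF name" earlier in the file, "df name" in the first createapp line should be "DF name".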
@ -231,17 +231,17 @@ create standard file with mac access mode and specified access settings. access
`hf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001` - read one last record from a record file
*read via iso command set:*
*read via ISO command set:*
Here needs to specify type of the file because there is no `hf mfdes getfilesettings` in the iso command set
Here it is needed to specify the type of the file because there is no `hf mfdes getfilesettings` in the ISO command set
`hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso` - select application via native command and then read file via iso
`hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso` - select application via native command and then read file via ISO
`hf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso` - select all via iso commands and then read
`hf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso` - select all via ISO commands and then read
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001` - read one record (number 5) from file 1100 via iso command set
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001` - read one record (number 5) from file ID 1100 via ISO command set
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000` - read all the records (from 5 to 1) from file 1100 via iso command set
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000` - read all the records (from 5 to 1) from file ID 1100 via ISO command set
*write:*
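Review bot: "Here it is needed to specify the type of the file because there is no `hf mfdes getfilesettings` in the ISO command set" is now grammatical but still clumsy; suggest "The file type must be specified here because there is no `hf mfdes getfilesettings` in the ISO command set."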
@ -255,33 +255,33 @@ Here needs to specify type of the file because there is no `hf mfdes getfilesett
`hf mfdes write --aid 123456 --fid 01 --type record -d 01020304` write data to a record file
`hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0` update record 0 (lastest) in the record file.
`hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0` update record 0 (latest) in the record file.
*write via iso command set:*
`hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304` write data to std/backup file via iso commandset
`hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304` write data to std/backup file via ISO command set
`hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304` send record to record file via iso commandset
`hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304` send record to record file via ISO command set
*transactions:*
for more detailed samples look at the next howto.
For more detailed samples look at the next howto.
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203` write data to the file with CommitReaderID command before and CommitTransaction after write
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203` write data to the file with CommitReaderID command before and CommitTransaction after write
### How to work with transaction mac
There are two types of transactions with mac: with and without the CommitReaderID command. This type can be chosen by `hf mfdes createmacfile` command.
There are two types of transactions with mac: with and without the CommitReaderID command. The type can be chosen by `hf mfdes createmacfile` command.
By default, the application works with transactions. All the write operations except write to standard file need to be committed by CommitTransaction command.
CommitTransaction command issued at the end of each write operation (except standard file).
Mac mode of transactions can be switched on by creation mac file. There may be only one file with this file type for one application.
Mac mode of transactions can be switched on by creating a mac file. There may be only one file with this file type for one application.
Command CommitReaderID enable/disable mode can be chosen at the creation of this file.
When CommitReaderID is enabled - needs to issue this command once per transaction. The transaction can't be committed without this command.
When CommitReaderID is enabled, it is needed to issue this command once per transaction. The transaction can't be committed without this command.
When the command is disabled - CommitReaderID returns an error.
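Review bot: several sentences in the transaction MAC paragraph are left in the register the rest of this commit is cleaning up. "CommitTransaction command issued at the end of each write operation (except standard file)." is missing "is" ("The CommitTransaction command is issued ..."); "Command CommitReaderID enable/disable mode can be chosen at the creation of this file." should be "Whether CommitReaderID is enabled or disabled is chosen when this file is created."; and "When CommitReaderID is enabled, it is needed to issue this command once per transaction." reads better as "When CommitReaderID is enabled, this command must be issued once per transaction." The two identical "--readerid 010203" lines look like a whitespace-only change.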
@ -315,7 +315,7 @@ When the command is disabled - CommitReaderID returns an error.
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203`
*write to data file with CommitReaderID and decode previous reader id:*
*write to data file with CommitReaderID and decode previous reader ID:*
step 1. read mac file or read all the files to get transaction mac counter
@ -327,7 +327,7 @@ step 2. write something to a file with CommitReaderID command and provide the ke
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 --trkey 00112233445566778899aabbccddeeff`
### How to switch Desfire Light to LRP mode
### How to switch DESFire Light to LRP mode
Remove failed authentication counters (if needs, but strongly recommended)
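Review bot: "Remove failed authentication counters (if needs, but strongly recommended)" is ungrammatical ("if needs") and reads as self-contradictory; suggest "Remove the failed authentication counters (optional, but strongly recommended)". The line is in this hunk's context and is exactly the kind of phrasing the commit is otherwise fixing.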