mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2025-03-03 06:07:21 -08:00
review desfire.md
This commit is contained in:
parent
58dda7a809
commit
8e526567b3
102
doc/desfire.md
@ -1,8 +1,8 @@
|
||||
# Desfire card
|
||||
# DESFire card
|
||||
|
||||
## Documentation
|
||||
|
||||
[Desfire Light datasheet MF2DL(H)x0](https://www.nxp.com/docs/en/data-sheet/MF2DLHX0.pdf)
|
||||
[DESFire Light datasheet MF2DL(H)x0](https://www.nxp.com/docs/en/data-sheet/MF2DLHX0.pdf)
|
||||
|
||||
[Features and Hints AN12343](https://www.nxp.com/docs/en/application-note/AN12343.pdf)
|
||||
|
||||
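Review bot: the brand capitalisation is now "DESFire" in the title and in the datasheet link, but the rest of the file still mixes styles (the "## Desfire Light:" heading and the "Desfire Light to LRP mode" heading are only corrected in later hunks); one sweep of the whole document for "Desfire" would keep the rename complete in a single commit.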
@ -38,25 +38,25 @@
|
||||
|
||||
## Communication channel with a card:
|
||||
|
||||
The card can work in the combination of: key type - command set - secure channel - communication mode
|
||||
The card can work with a combination of: key type - command set - secure channel - communication mode
|
||||
|
||||
*key types:*
|
||||
|
||||
**des** - 8 bytes key. can be present in a form of **2tdea** key with length 16 bytes by duplicate contents twice.
|
||||
**des** - 8-byte key. can be present in a form of **2tdea** key with length 16 bytes by duplicating contents twice.
|
||||
|
||||
**2tdea** - 16 bytes key
|
||||
**2tdea** - 16-byte key
|
||||
|
||||
**3tdea** - 24 bytes key. can be disabled on the card level.
|
||||
**3tdea** - 24-byte key. can be disabled on the card level.
|
||||
|
||||
**aes** - 16 bytes aes-128 key
|
||||
**aes** - 16-byte AES-128 key
|
||||
|
||||
*command sets:*
|
||||
|
||||
**native** - raw commands
|
||||
|
||||
**native iso** - wrap raw commands into the iso apdu. **CLA** = 0x90, **INS** = command code, **data** = the rest data from raw command
|
||||
**native iso** - wraps raw commands into the ISO APDU. **CLA** = 0x90, **INS** = command code, **data** = the remaining data from raw command
|
||||
|
||||
**iso** - work only several commands: iso select by iso id (if enabled), authenticate, read and write in the **plain** mode, read in the **mac** mode
|
||||
**iso** - works only for some commands: ISO select by ISO ID (if enabled), authenticate, read and write in the **plain** mode, read in the **mac** mode
|
||||
|
||||
*secure channels:*
|
||||
|
||||
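Review bot: the rewritten **des** line is still unclear at "by duplicating contents twice": a 16-byte 2TDEA key that is equivalent to a DES key is the 8-byte key written once more (K || K), so "by repeating the 8-byte key once" would be exact. The sentences after the full stop ("can be present...", "can be disabled...") still start in lowercase, and the **native iso** line would read better as "the remaining data from the raw command".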
@ -66,17 +66,17 @@ The card can work in the combination of: key type - command set - secure channel
|
||||
|
||||
**ev2** - the newest channel that can work with **aes** key only
|
||||
|
||||
*communication modes*
|
||||
*communication modes*
|
||||
|
||||
**plain** - just plain data between card and reader
|
||||
|
||||
**maced** - mac applied to reqest/response/both (may be sent and may be not)
|
||||
**maced** - mac applied to request/response/both (may be sent or not)
|
||||
|
||||
**encrypted** - encrypted data in the reqest/response/both. in the ev2 channel data signed with mac.
|
||||
**encrypted** - encrypted data in the request/response/both in the ev2 channel data signed with mac.
|
||||
|
||||
## Card architecture
|
||||
|
||||
The card has several applications on it and the application have files and some other objects
|
||||
The card has several applications on it and the applications have files and some other objects.
|
||||
|
||||
Each card has a master application with AID 0x000000 that saves the card's configuration.
|
||||
|
||||
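Review bot: the **encrypted** line lost its full stop in the rewrite, turning two statements into one run-on ("...request/response/both in the ev2 channel data signed with mac"); keep the break: "encrypted data in the request/response/both. In the ev2 channel the data is also signed with a mac." The "*communication modes*" line is listed as changed but is identical as rendered, so that is presumably a whitespace-only change.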
@ -88,22 +88,22 @@ Each application may have its own key type and set of keys. Each file can only h
|
||||
|
||||
- Application
|
||||
- Application number: 1 byte
|
||||
- Application ISO number: if set at the time of application creation. It can be selected by this id in the iso command set.
|
||||
- Application DF name: 1-16 chars. It can be selected by this name in the iso command set.
|
||||
- Application ISO number: if set at the time of application creation. It can be selected by this ID in the ISO command set.
|
||||
- Application DF name: 1-16 chars. It can be selected by this name in the ISO command set.
|
||||
- Key settings: number of keys, key type, key config (what can do/not user with keys)
|
||||
- Keys: up to 14 keys (indexes 0..d)
|
||||
- Key versions: key version of corresponded key
|
||||
- Key versions: key version of corresponding key
|
||||
- Files:
|
||||
- File number: 1 byte
|
||||
- File iso number: should be if application created with iso number and should not be if there is no iso number at the application level.
|
||||
- File ISO number: should be present if and only if application created with ISO number.
|
||||
- File type: standard, backup, value, cyclic record, linear record, transaction mac
|
||||
- Some settings that belonged to file type (size for standard file at sample)
|
||||
- Some settings that belong to file type (size for standard file for example)
|
||||
- File communication mode: plain/maced/encrypted
|
||||
- File access right: there is 4 modes: read/write/read-write/change settings. And each mode access can be: key0..keyD, E - free access, F - deny access
|
||||
- File access right: there are 4 modes: read/write/read-write/change settings. And each mode access can be: key0..keyD, E - free access, F - deny access
|
||||
|
||||
## Desfire Light:
|
||||
## DESFire Light:
|
||||
|
||||
The card has one preinstalled master file (iso id 0x3f00) and one application (0xdf01)
|
||||
The card has one preinstalled master file (ISO ID 0x3f00) and one application (0xdf01)
|
||||
|
||||
In the application, there are 6 files:
|
||||
|
||||
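Review bot: "File ISO number: should be present if and only if application created with ISO number" is missing its articles and verb; suggest "should be present if and only if the application was created with an ISO number". While touching this list, the unchanged "key config (what can do/not user with keys)" is ungrammatical and could become "key config (what the user can and cannot do with the keys)", and "there are 4 modes ... And each mode access can be" would read better as one sentence: "there are 4 access modes (read/write/read-write/change settings), and each can be set to key0..keyD, E for free access or F for deny access".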
@ -116,18 +116,18 @@ In the application, there are 6 files:
|
||||
|
||||
User can't create/delete files (except Transaction MAC file).
|
||||
|
||||
ISO file IDs and the other file and application parameters can be changed via SetConfiguration command only.
|
||||
ISO file IDs, the other files and application parameters can be changed via SetConfiguration command only.
|
||||
|
||||
The card has two secure channels: EV2 and LRP. By default, EV2 is on. LRP can be switched on by issue SetConfiguration command and after that, it can't be switched off.
|
||||
The card has two secure channels: EV2 and LRP. By default, EV2 is on. LRP can be switched on by issuing SetConfiguration command and after that, it can't be switched off.
|
||||
|
||||
Application on the card can't be selected by desfire native select. Needs to issue iso select command. All the commands that can work in LRP channel have **--appisoid** option
|
||||
Application on the card can't be selected by DESFire native select. Needs to issue ISO select command. All the commands that can work in LRP channel have **--appisoid** option
|
||||
|
||||
Transaction MAC file - the only file that can be created and deleted. By default, all transaction operations (operations with Value and Record file) need to issue CommitReaderID command.
|
||||
So) to fast check- it needs to delete this file) it has default file id - 0x0f.
|
||||
Transaction MAC file - the only file that can be created and deleted. By default, all transaction operations (operations with Value and Record file) need to issue CommitReaderID command.
|
||||
So (to fast check- it is needed to delete this file) it has default file id - 0x0f.
|
||||
|
||||
FCI sends from card to reader after selecting the application (df01 by default)
|
||||
|
||||
If it needs to have more space for FCI - just change the id of one of the bigger files to 0x1f (and the current id to somewhere) via SetConfiguration command
|
||||
If it needs to have more space for FCI - just change the ID of one of the bigger files to 0x1f (and the current ID to something else) via SetConfiguration command.
|
||||
|
||||
## How to
|
||||
|
||||
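Review bot: the rewrite of the SetConfiguration sentence changes its meaning: the original "ISO file IDs and the other file and application parameters" meant other file parameters and application parameters, while the new "ISO file IDs, the other files and application parameters" reads as if whole files are changed; suggest "ISO file IDs and the other file and application parameters can be changed only via the SetConfiguration command". The transaction MAC line is still awkward ("So (to fast check- it is needed to delete this file) it has default file id - 0x0f."); "For a quick check, delete this file; its default file ID is 0x0f." keeps the content. "If it needs to have more space for FCI" should be "If more space is needed for the FCI".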
@ -163,7 +163,7 @@ All the commands use these settings by default if a more important setting is no
|
||||
|
||||
### How to try communication channel settings
|
||||
|
||||
`hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456` - try application 123456 master key
|
||||
`hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456` - try application 123456 master key
|
||||
|
||||
`hf mfdes auth -n 0 -t aes --save` - try PICC AES master key and save the configuration to defaults if authentication succeeds
|
||||
|
||||
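Review bot: the old and new `hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456` lines are identical as rendered, so this hunk is a whitespace-only change (most likely trailing spaces); fine to keep, but worth confirming it was intentional rather than an editor artefact.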
@ -175,7 +175,7 @@ All the commands use these settings by default if a more important setting is no
|
||||
|
||||
`hf mfdes lsapp --files` - show applications list with their files
|
||||
|
||||
`hf mfdes getaids --no-auth` - this command can return a simple aid list if it is enabled in the card settings
|
||||
`hf mfdes getaids --no-auth` - this command can return a simple AID list if it is enabled in the card settings
|
||||
|
||||
### How to look/dump files from the application file list
|
||||
|
||||
@ -185,7 +185,7 @@ All the commands use these settings by default if a more important setting is no
|
||||
|
||||
### How to change key
|
||||
|
||||
Change key algorithm can be done only in one case - change card master key.
|
||||
Changing key algorithm can be done only in one case - change card master key.
|
||||
|
||||
Key algorithm for application can be chosen only on its creation.
|
||||
|
||||
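Review bot: "Changing key algorithm can be done only in one case - change card master key." is still clumsy; "The key algorithm can be changed in only one case: when changing the card master key." says the same thing and pairs naturally with the following unchanged sentence about application keys being fixed at creation.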
@ -197,17 +197,17 @@ Key algorithm for application can be chosen only on its creation.
|
||||
|
||||
### How to create the application
|
||||
|
||||
`hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456 --dstalgo aes` - create an application with iso file id, df name, and key algorithm AES
|
||||
`hf mfdes createapp --aid 123456 --fid 2345 --dfname aid123456 --dstalgo aes` - create an application with ISO file ID, df name, and key algorithm AES
|
||||
|
||||
`hf mfdes createapp --aid 123456` - create an application 123456 with DES key algorithm and without iso file id. in this case, iso file id can't be provided for application's files
|
||||
`hf mfdes createapp --aid 123456` - create an application 123456 with DES key algorithm and without ISO file ID. in this case, iso file id can't be provided for application's files
|
||||
|
||||
### How to create files
|
||||
|
||||
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010` - create standard file with iso id and default access settings
|
||||
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010` - create standard file with ISO ID and default access settings
|
||||
|
||||
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010 --backup` - create backup file
|
||||
|
||||
create standard file with mac access mode and specified access settings. access settigs can be changed later with command `hf mfdes chfilesettings`
|
||||
Create standard file with mac access mode and specified access settings. access settings can be changed later with command `hf mfdes chfilesettings`
|
||||
|
||||
`hf mfdes createfile --aid 123456 --fid 01 --isofid 0001 --size 000010 --amode mac --rrights free --wrights free --rwrights free --chrights key0`
|
||||
|
||||
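Review bot: the second `createapp` line is only half updated: it now says "without ISO file ID" but continues "in this case, iso file id can't be provided", and "df name" on the first line is lowercase while the architecture section uses "DF name"; make both consistent and start the sentence with a capital ("In this case, an ISO file ID can't be provided for the application's files"). The "Create standard file ..." line still has lowercase "access settings can be changed" after the full stop.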
@ -231,17 +231,17 @@ create standard file with mac access mode and specified access settings. access
|
||||
|
||||
`hf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001` - read one last record from a record file
|
||||
|
||||
*read via iso command set:*
|
||||
*read via ISO command set:*
|
||||
|
||||
Here needs to specify type of the file because there is no `hf mfdes getfilesettings` in the iso command set
|
||||
Here it is needed to specify the type of the file because there is no `hf mfdes getfilesettings` in the ISO command set
|
||||
|
||||
`hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso` - select application via native command and then read file via iso
|
||||
`hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso` - select application via native command and then read file via ISO
|
||||
|
||||
`hf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso` - select all via iso commands and then read
|
||||
`hf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso` - select all via ISO commands and then read
|
||||
|
||||
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001` - read one record (number 5) from file 1100 via iso command set
|
||||
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001` - read one record (number 5) from file ID 1100 via ISO command set
|
||||
|
||||
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000` - read all the records (from 5 to 1) from file 1100 via iso command set
|
||||
`hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000` - read all the records (from 5 to 1) from file ID 1100 via ISO command set
|
||||
|
||||
*write:*
|
||||
|
||||
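Review bot: "Here it is needed to specify the type of the file" is still passive and awkward; "The file type must be given here, because there is no `hf mfdes getfilesettings` in the ISO command set" is clearer. The "read all the records (from 5 to 1)" line could also state explicitly that `--length 000000` means "all records from the given offset", since that is the behaviour the example shows.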
@ -255,33 +255,33 @@ Here needs to specify type of the file because there is no `hf mfdes getfilesett
|
||||
|
||||
`hf mfdes write --aid 123456 --fid 01 --type record -d 01020304` write data to a record file
|
||||
|
||||
`hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0` update record 0 (lastest) in the record file.
|
||||
`hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0` update record 0 (latest) in the record file.
|
||||
|
||||
*write via iso command set:*
|
||||
|
||||
`hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304` write data to std/backup file via iso commandset
|
||||
`hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304` write data to std/backup file via ISO command set
|
||||
|
||||
`hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304` send record to record file via iso commandset
|
||||
`hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304` send record to record file via ISO command set
|
||||
|
||||
*transactions:*
|
||||
|
||||
for more detailed samples look at the next howto.
|
||||
For more detailed samples look at the next howto.
|
||||
|
||||
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203` write data to the file with CommitReaderID command before and CommitTransaction after write
|
||||
|
||||
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203` write data to the file with CommitReaderID command before and CommitTransaction after write
|
||||
|
||||
### How to work with transaction mac
|
||||
|
||||
There are two types of transactions with mac: with and without the CommitReaderID command. This type can be chosen by `hf mfdes createmacfile` command.
|
||||
There are two types of transactions with mac: with and without the CommitReaderID command. The type can be chosen by `hf mfdes createmacfile` command.
|
||||
|
||||
By default, the application works with transactions. All the write operations except write to standard file need to be committed by CommitTransaction command.
|
||||
|
||||
CommitTransaction command issued at the end of each write operation (except standard file).
|
||||
|
||||
Mac mode of transactions can be switched on by creation mac file. There may be only one file with this file type for one application.
|
||||
Mac mode of transactions can be switched on by creating a mac file. There may be only one file with this file type for one application.
|
||||
|
||||
Command CommitReaderID enable/disable mode can be chosen at the creation of this file.
|
||||
|
||||
When CommitReaderID is enabled - needs to issue this command once per transaction. The transaction can't be committed without this command.
|
||||
When CommitReaderID is enabled, it is needed to issue this command once per transaction. The transaction can't be committed without this command.
|
||||
|
||||
When the command is disabled - CommitReaderID returns an error.
|
||||
|
||||
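Review bot: "When CommitReaderID is enabled, it is needed to issue this command once per transaction" would read more naturally as "this command must be issued once per transaction"; the "lastest" to "latest" and "commandset" to "command set" fixes are good. The `hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203` line under *transactions:* appears unchanged in both old and new forms, so that part is whitespace only. "Mac mode" / "mac file" could be "MAC mode" / "MAC file" for consistency with "Transaction MAC file" used earlier in the same document.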
@ -315,7 +315,7 @@ When the command is disabled - CommitReaderID returns an error.
|
||||
|
||||
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203`
|
||||
|
||||
*write to data file with CommitReaderID and decode previous reader id:*
|
||||
*write to data file with CommitReaderID and decode previous reader ID:*
|
||||
|
||||
step 1. read mac file or read all the files to get transaction mac counter
|
||||
|
||||
@ -327,7 +327,7 @@ step 2. write something to a file with CommitReaderID command and provide the ke
|
||||
|
||||
`hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 --trkey 00112233445566778899aabbccddeeff`
|
||||
|
||||
### How to switch Desfire Light to LRP mode
|
||||
### How to switch DESFire Light to LRP mode
|
||||
|
||||
Remove failed authentication counters (if needs, but strongly recommended)
|
||||
|
||||
|
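Review bot: the unchanged line directly below the renamed heading, "Remove failed authentication counters (if needs, but strongly recommended)", still has the "if needs" typo and the parenthetical reads as self-contradictory (optional yet strongly recommended); suggest "Remove the failed authentication counters (optional, but strongly recommended)". The heading rename to "DESFire Light" matches the earlier section heading, which is good.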