HF - Mifare DESFire
DESFire® Format
- Mifare DESFire MF3ICD40: uses 3DES encryption, product discontinued.
- Mifare DESFire EV1 : Secure channel that can work with all the keys: DES, two-key 3DES, three-key 3DES and AES. Limited to 28 applications containing a maximum of 32 files per application.
- Mifare DESFire EV2 : The newest channel that can work with aes key only
- Mifare DESFire EV3 : Enhanced transaction speed and even better multi-application support.
Each card has a master application with AID 0x000000 that saves the card's configuration.
The memory organization of DESFire supports up to 28 applications on the card and up to 32 files in each application.
- Master Application (0x000000)
- Applications
- Files
Applications
hf mfdes lsapp --no-auth # show applications list without authentication
hf mfdes lsapp # show applications list with authentication from default settings
hf mfdes lsapp --files # show applications list with their files
hf mfdes getaids --no-auth # this command can return a simple AID list if it is enabled in the card settings
Each application has an individual set of up to 14 application keys (can be AES-128 or DES keys)
Files
- Standard File: used for static data like a employee ID
- Backup File: like a Standard File but with a "Commit" feature that allows for secure storage of data, e.g. a changeable user password
- Value File: storing changeable value information, e.g. the amount on a canteen payment card
- Linear Record File: storing a defined number of records, e.g. collecting of goodies
- Cyclic Record File: like a Linear Record file but this file doesn't get "full" but the oldest entry gets overwritten by a new entry, e.g. for a log file
Each file has it’s own Communication Mode:
- Plain: all data transfer between the NFC tag and the NFC reader is done in plain
- MACed: like in Plain mode the communication is is readable but secured by an appended MAC
- Encrypted: the communication is not visible be anyone, but only who posses the used key is been able to read the data.
Dump files
hf mfdes lsfiles --aid 123456 -t aes # file list for application 123456 with aes key
hf mfdes dump --aid 123456 # shows files and their contents from application 123456
Read/Write files
Read
hf mfdes read --aid 123456 --fid 01 # autodetect file type (with hf mfdes getfilesettings) and read its contents
hf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001 # read one last record from a record file
Read via ISO command set
hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso # select application via native command and then read file via ISO
hf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso # select all via ISO commands and then read
hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001 # read one record (number 5) from file ID 1100 via ISO command set
hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000 # read all the records (from 5 to 1) from file ID 1100 via ISO command set
Write
hf mfdes write --aid 123456 --fid 01 -d 01020304 # autodetect file type (with hf mfdes getfilesettings) and write data with offset 0
hf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --commit # write backup data file and commit
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 # increment value file
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 --debit # decrement value file
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 # write data to a record file
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0 # update record 0 (latest) in the record file.
Write via iso command set
hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 # write data to std/backup file via ISO command set
hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 # send record to record file via ISO command set
Default Keys
Changing the default keys is a crucial step in the deployment of MIFARE DESFire cards to prevent unauthorized cloning and access.
- Default AES key
- Default DES key
Use a key to get UID
hf mfdes getuid # authenticate with default key
hf mfdes getuid -s d40 # via d40 secure channel
hf mfdes getuid -s ev2 -t aes -k 11223344556677889900112233445566 # via ev2 secure channel with specified aes key
hf mfdes detect # simply detect key for master application (PICC level)
hf mfdes detect --save # detect key and save to defaults. look after to output of hf mfdes default
hf mfdes detect -s d40 # detect via channel d40
hf mfdes detect --dict mfdes_default_keys # detect key with help of dictionary file
hf mfdes detect --aid 123456 -n 2 # detect key 2 from application with AID 123456
hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456 # try application 123456 master key
hf mfdes auth -n 0 -t aes --save # try PICC AES master key and save the configuration to defaults if authentication succeeds
UID check
The UID of the modifiable MIFARE DESFire® Compatible UID tags consists of two parts: the UID itself and the BCC. The BCC is a checksum value calculated from the UID. If the BCC is incorrect, the tag will be rejected by the reader.
For MIFARE DESFire cards, Flipper Zero is able to emulate only the UID.
UID rewritable cards: - LAB 401 - MODIFIABLE MIFARE DESFIRE® COMPATIBLE UID - LAB 401 - MIFARE DESFIRE® COMPATIBLE MODIFIABLE UID / ATQA / SAK / ATS / APDU
References
- Mifare DESFire EV3 — a beginner tutorial (Android Java) using the DESFire for Android tools - AndroidCrypto - Feb 18, 2024
- Mifare DESFire EVx NFC tag: Change the Master Application Key from DES to AES (Android/Java) - AndroidCrypto - Jun 19, 2024
- DESFireChangeMasterAppKey - AndroidCrypto - Jun 19, 2024
- Notes on MIFARE DESFire - iceman1001 - 2021
- Mifare DESFire - An Introduction - David Coelho - 19 mai 2019
- AN-315 - Understanding MIFARE DESFire Credentials - ICT | Protege - 11-May-22
- MIFARE DESFire gallagher-research - megabug