Research, development and trades concerning the powerful Proxmark3 device.
Hi Everyone,
I have been surfing through the net and also reading the proxmark forums but I was not able to find any clear information about my problem.
My question is very simple:
Can pm3 read & write MIFARE Desfire® EV1 4K cards?
I got a pm3 from my friend and I simply want to clone my building access card but so far I was not able to find anything on the internet.
Hope someone on the forums will be able to assist me with this.
Thanks pm3 community.
Your building access uses MIFARE Desfire® EV1 !!! Kudos for that.
To your question: it can read and write, but it would require the authentication key (I think it is unbreakable unless you can sniff the communication between your card and reader).
Hope someone will correct me on this in case.
How can I do what you have suggested?
Any clear instructions or how to guides anywhere that you might know of?
Thanks for the reply Danz, I hope the process is not that difficult but from what you have said it does not look like an easy process...
Hey, are you trying to achieve the same thing?
Do you know any good websites to read other than pm3 forums or any how to guides?
The crypto modes available for Desfire are DES/3DES/AES/PLAIN.
If your tag system doesn't use crypto (i.e. PLAIN mode) then you should be able to sniff the traffic.
Other modes don't send the key (3-way handshake) and there is no known attack for the newer Desfire products. Only a side-channel attack on an older tag model.
-- if someone takes the most common default passwords and tries them, you might get lucky. Nothing that is implemented.
Iceman, this boob PACMAN is also using the nickname Mr Nobot.
He is trying to duplicate the key to make profit, there is no point helping him since he cannot understand anything by himself.
Let him get lost.
I think too many intelligent guys here are giving away too much to the noobs, there is a big difference between someone trying to learn about RFID and someone just asking stupid questions to turn it into a business!
We saw not long ago this Chinese guy from xfpga asking lots of questions in this forum to finally create a cloner and sell it everywhere in the world; this idiot certainly didn't realise that they used his cloner on the TV show Mr Robot, ah ah ah.
Thanks to all the smart guys here giving him too much information, he is now rich, and instead of using the Proxmark they used his noob cloner, what a shame...
If you want to keep helping noobs this is going to turn into dodgy businesses in the end!
You are smart enough to make the difference!
I am not Mr Nobot or Robot or whatever so don't judge a book by the cover.
It is not up to you Cardix to decide if people can help others or not.
I want to duplicate my key, which you have no right to interfere or comment.
This is an open forum, so people like me who have little knowledge come here to learn/understand from more knowledgeable people. That is the whole idea of a forum and how forums work.
You just created your account yesterday to comment on these posts, so most probably you actually are one of those guys who are making money out of this as a business, and you are trying to protect your business by trying to prevent others from learning or having the same knowledge as you do.
But you forget one thing, it is those "smart" people who decide if they want to share their knowledge with the "noob" people, not you.
So talk nicely and learn to respect people!
If someone needs to get lost that is you not people like us...
Guys Chillax... no solution or whatever was exposed here,
That said, I may have something to create the cracking process on
I've made one DESFIRE with my own keys, "yes, everyone who use desfire use their own keys, not default, otherwise company would stick to classic if they don't want this security",
Now testing the cracking process: the card to tag reply is much shorter when the first digit/letter of the key is the same,
if someone can create brute force method that can put those measurement into action, it will be great.
Hello Iceman, it was for AES, haven't test on other crypto yet.
The deauth reply comes faster "talking about time" the closer to the right key.
Tic toc, I think it is a processing issue that can lead to something !?!
Hey Danz, I hope you can successfully figure things out and help me with my task as well.
If there is anything that I can assist you with please let me know.
@danz, so what you are saying is that the tag response "0b 00 ae c6 c0" (0xAE) comes faster if the first byte of the given key is correct? Or do you mean the "0b 00 af 0a ...." response comes faster?
If only I had a Desfire tag with a known key, this would be so much easier to verify...
--snippet log AUTH/AES for a Desfire 4k
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |44 03 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16516 | Tag |88 04 77 29 d2 | |
18688 | 29216 | Rdr |93 70 88 04 77 29 d2 6c 76 | ok | SELECT_UID
30404 | 33924 | Tag |24 d8 36 | |
35200 | 37664 | Rdr |95 20 | | ANTICOLL-2
38852 | 44740 | Tag |5a 86 34 80 68 | |
46848 | 57376 | Rdr |95 70 5a 86 34 80 68 22 58 | ok | ANTICOLL-2
58564 | 62148 | Tag |20 fc 70 | |
63488 | 68256 | Rdr |e0 80 31 73 | ok | RATS
69444 | 78724 | Tag |06 75 77 81 02 80 02 f0 | ok |
85504 | 92512 | Rdr |0a 00 aa 00 21 d8 | ok | ?
128452 | 152772 | Tag |0a 00 af f7 a2 cf 33 2e 68 e1 b7 d9 27 b6 13 ce | |
| | |8d b6 b4 ef 8c | ok |
162816 | 205600 | Rdr |0b 00 af 0a b2 ad 48 77 78 56 2f 39 52 66 2c ca | |
| | |14 63 13 b7 6d 54 ad b9 fc 28 a1 c5 f9 fc ee 83 | |
| | |1c 72 5f 27 ea | ok | ?
228676 | 234500 | Tag |0b 00 ae c6 c0 | |
563584 | 567136 | Rdr |c2 e0 b4 | ok | RESTORE(224)
Last edited by iceman (2015-10-28 19:56:25)
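As an added example (not code from the thread or from the Proxmark3 project), a small Python parser for the trace excerpt above: it joins the continuation rows, checks the ISO 14443-3 CRC_A on each frame, names the DESFire command/status byte that follows the ISO 14443-4 I-block header (PCB 0x0a/0x0b, CID 0x00), and computes how long the tag took to answer each reader frame, which is the quantity danz's timing observation is about. The command names are the DESFire EV1 values (0xAA AuthenticateAES, 0xAF additional frame, 0xAE authentication error); the trace lines are copied from the post.

```python
# Added example: annotate the DESFire AES authentication frames in a Proxmark3 trace.
# Timestamps are the trace's own clock ticks; the rows below are copied from the post.
TRACE = """\
85504 | 92512 | Rdr |0a 00 aa 00 21 d8 | ok | ?
128452 | 152772 | Tag |0a 00 af f7 a2 cf 33 2e 68 e1 b7 d9 27 b6 13 ce | |
| | |8d b6 b4 ef 8c | ok |
162816 | 205600 | Rdr |0b 00 af 0a b2 ad 48 77 78 56 2f 39 52 66 2c ca | |
| | |14 63 13 b7 6d 54 ad b9 fc 28 a1 c5 f9 fc ee 83 | |
| | |1c 72 5f 27 ea | ok | ?
228676 | 234500 | Tag |0b 00 ae c6 c0 | |
"""

# DESFire EV1 native command and status bytes seen in an authentication exchange.
NAMES = {0xAA: "AuthenticateAES", 0x0A: "Authenticate(DES/3DES)", 0x1A: "AuthenticateISO",
         0xAF: "ADDITIONAL_FRAME", 0xAE: "AUTHENTICATION_ERROR", 0x00: "OPERATION_OK"}

def crc_a(data):
    """ISO 14443-3 CRC_A (init 0x6363); returned as the two trailing bytes, low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text):
    """Join continuation rows (empty start column) and return (start, end, src, data)."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        data = bytes.fromhex(cols[3])
        if cols[0]:                     # a new frame
            frames.append([int(cols[0]), int(cols[1]), cols[2], data])
        else:                           # continuation of the previous frame
            frames[-1][3] += data
    return [tuple(f) for f in frames]

def annotate(frames):
    """Per frame: (src, DESFire byte name, payload length, CRC ok, tag latency in ticks)."""
    out, last_rdr_end = [], None
    for start, end, src, data in frames:
        body, crc = data[:-2], data[-2:]
        cmd = body[2]                   # byte after PCB and CID
        latency = start - last_rdr_end if src == "Tag" else None
        if src == "Rdr":
            last_rdr_end = end
        out.append((src, NAMES.get(cmd, hex(cmd)), len(body) - 3, crc_a(body) == crc, latency))
    return out

for row in annotate(parse_trace(TRACE)):
    print(row)
```

The 16-byte and 32-byte payloads are the encrypted RndB and RndA||RndB' of the 3-pass protocol, and the final 0xAE status shows the tag rejected the reader's second pass.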
If sniffing on the wires, can you get info about the crypto key used?
I was reading some "Knowledgeable Insider's" internal paper (which I strongly hope will get past the "internal" stage and become public).
Anyway, it seems that side-channel attacks have had a successful implementation as a now-"easy" way of getting more or less what you want from an accessible Desfire card, without invasive treatment such as MITM/sniffing etc.
Power consumption and similar side-channel attacks seem not very promising (as far as I am aware, maybe wrong but I doubt it?).
E.M. leakage side channels are, on their side, very, very, very much more interesting.
You can build what is necessary to start such an implementation within a very constrained budget.