Open 5aji opened 1 month ago
@5aji any details on the card itself? Vendor? Type? If you have a Proxmark, can you also post scan details from it?
The key is a Walt Disney World keycard. I believe the vendor is NXP, DESFire EV1.
There are no markings on the front. ![image](https://github.com/user-attachments/assets/45486bb6-6544-47c4-b967-ab53f2a958e3)
```
[usb] pm3 --> hf 14a info
[+] UID: 04 3A 34 4A 52 67 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE DESFire CL2
[+]    MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+]    MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+]    MIFARE DESFire EV3 2K/4K/8K
[+]    MIFARE DESFire Light 640B
[+]    NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 77 81 02 80 [ F0 00 ]
[=]      06...............  TL    length is 6 bytes
[=]         75............  T0    TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=]            77.........  TA1   different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=]               81......  TB1   SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=]                  02...  TC1   NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[+]    80 (compact TLV data object)
[usb] pm3 --> hf mfdes info
[=] ---------------------------------- Tag Information ----------------------------------
[+] UID: 04 3A 34 4A 52 67 80
[+] Batch number: B9 0C 10 45 60
[+] Production date: week 16 / 2020
[=] --- Hardware Information
[=]    raw: 04010201001205
[=]    Vendor Id: NXP Semiconductors Germany
[=]    Type: 0x01 ( DESFire )
[=]    Subtype: 0x02
[=]    Version: 1.0 ( DESFire EV1 )
[=]    Storage size: 0x12 ( 512 bytes )
[=]    Protocol: 0x05 ( ISO 14443-2, 14443-3 )
[=] --- Software Information
[=]    raw: 04010101051205
[=]    Vendor Id: NXP Semiconductors Germany
[=]    Type: 0x01 ( DESFire )
[=]    Subtype: 0x01
[=]    Version: 1.5
[=]    Storage size: 0x12 ( 512 bytes )
[=]    Protocol: 0x05 ( ISO 14443-3, 14443-4 )
[=] --------------------------------- Card capabilities ---------------------------------
[+] --- AID list
[+] AIDs: f70090, 78e127, 4c4344
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 3 free memory 128 bytes
[+] PICC level auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] PICC level rights:
[+]    [1...] CMK Configuration changeable   : YES
[+]    [.1..] CMK required for create/delete : NO
[+]    [..1.] Directory list access with CMK : NO
[+]    [...1] CMK is changeable              : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 254 (0xfe)
[=] --- Free memory
[+] Available free memory on card : 128 bytes
[=] Standalone DESFire
```
If necessary I can pull out my debugger and try and find exactly what check fails.
If you can get backtrace from debugger that will simplify everything
got the backtrace:
```
(gdb) bt
#0  0x080121f4 in __furi_crash_implementation () at furi/core/check.c:170
#1  0x08038a88 in mf_desfire_poller_read_key_versions (instance=0x20025078, data=0x20024260
```
Haven't dug into it much, but it seems to be getting further than it should without the keys. The actual failure is `max_keys` being zero for some reason.
EDIT: Dug into it some more, found something interesting about the third app on this card:
```
[+] Application number: 0x4C4344
[+] ISO id.... 0x0000
[+] DF name... ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=] DF AID Function... 4C4344 : (unknown)
[+] Auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... NO
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+]
```

```
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 3 free memory 128 bytes
[+] PICC level auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] PICC level rights:
[+]    [1...] CMK Configuration changeable   : YES
[+]    [.1..] CMK required for create/delete : NO
[+]    [..1.] Directory list access with CMK : NO
[+]    [...1] CMK is changeable              : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 254 (0xfe)
[+] --------------------------------- Applications list ---------------------------------
[+] Application number: 0xF70090
[+] ISO id.... 0x0000
[+] DF name... ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[+] AID mapped to MIFARE Classic AID (MAD): 7009
[+] MAD AID Cluster 0x70 : hotel
[=] MAD AID Function 0x7009 : Access control data for electronic locks [Timelox AB]
[+] Auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+]
[+] Application level rights:
[+]    -- AMK authentication is necessary to change any key (default)
[+]    [1...] AMK Configuration changeable   : YES
[+]    [.0..] AMK required for create/delete : YES
[+]    [..1.] Directory list access with AMK : NO
[+]    [...1] AMK is changeable              : YES
[+]
[+] Key: AES
[+] key count: 3
[+]
[+] Key versions [0..2]: 00, 00, 00
[+] Application number: 0x78E127
[+] ISO id.... 0x0000
[+] DF name... ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=] DF AID Function... 78E127 : Disney MagicBand [Disney]
[+] Auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+]
[+] Application level rights:
[+]    -- AMK authentication is necessary to change any key (default)
[+]    [1...] AMK Configuration changeable   : YES
[+]    [.0..] AMK required for create/delete : YES
[+]    [..1.] Directory list access with AMK : NO
[+]    [...1] AMK is changeable              : YES
[+]
[+] Key: AES
[+] key count: 2
[+]
[+] Key versions [0..1]: 01, 01
[+] Application number: 0x4C4344
[+] ISO id.... 0x0000
[+] DF name... ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=] DF AID Function... 4C4344 : (unknown)
[+] Auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... NO
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+]
```
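In the Proxmark output above the third application lists no key settings and no key count, which fits the zero `max_keys` the backtrace points at. As an added example (not Flipper firmware code; the type and function names are hypothetical), this parser for a DESFire GetKeySettings reply separates a refused command from a successful one and rejects a zero key count, so a poller can skip the key-version loop instead of tripping an assertion; the sample replies are constructed to match the values reported for application 0xF70090.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* DESFire native status codes from the EV1 command set. */
#define DESFIRE_STATUS_OK         0x00
#define DESFIRE_STATUS_PERMISSION 0x9D
#define DESFIRE_STATUS_AUTH_ERROR 0xAE

/* Hypothetical result type; not the firmware's own API. */
typedef enum {
    KeySettingsOk,
    KeySettingsDenied,    /* card refused: authentication required first */
    KeySettingsMalformed, /* reply too short, bad status, or zero key count */
} KeySettingsResult;

typedef struct {
    uint8_t settings;  /* access-rights bits, e.g. "AMK is changeable" */
    uint8_t key_count; /* valid range on a card is 1..14 */
    uint8_t key_type;  /* 0 = DES/2K3DES, 1 = 3K3DES, 2 = AES */
} KeySettings;

/* Parse a GetKeySettings (0x45) reply: status byte, settings byte, then a
 * byte whose low nibble is the key count and bits 6-7 the key type. */
KeySettingsResult parse_key_settings(const uint8_t* resp, size_t len, KeySettings* out) {
    if(len < 1) return KeySettingsMalformed;
    if(resp[0] == DESFIRE_STATUS_PERMISSION || resp[0] == DESFIRE_STATUS_AUTH_ERROR) {
        return KeySettingsDenied;
    }
    if(resp[0] != DESFIRE_STATUS_OK || len < 3) return KeySettingsMalformed;
    out->settings = resp[1];
    out->key_count = resp[2] & 0x0F;
    out->key_type = (resp[2] >> 6) & 0x03;
    /* A zero key count is never valid; reject it here so no caller ever
     * iterates over max_keys == 0 (the furi_check in the report). */
    if(out->key_count == 0) return KeySettingsMalformed;
    return KeySettingsOk;
}

/* Gate for the poller: only enumerate key versions after a good parse. */
bool should_read_key_versions(const uint8_t* resp, size_t len, KeySettings* ks) {
    return parse_key_settings(resp, len, ks) == KeySettingsOk;
}

/* Constructed replies (not captured from the reporter's card). */
static const uint8_t sample_aes_app[] = {0x00, 0x0B, 0x83}; /* AES, 3 keys, rights as 0xF70090 */
static const uint8_t sample_denied[] = {0xAE};             /* refused without authentication */
```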
Describe the bug.
Reading a DESFire card crashes the Flipper with a `furi_check()` error. It seems to crash after trying to read the second block. This is a card I had lying around, and I do not possess the keys (nor am I trying to get them). This happens on both 0.104.0 and 0.105.0-RC.
Reproduction
Target
Mifare DESFire Card
Logs
Anything else?
I have a Proxmark3 if that would help provide more information.