Authentication MIFARE Plus EV1 2K (SL3) - Session Key Generation & Read/Write Command Structure


Hello NXP Community,

I am currently working on MIFARE Plus EV1 2K in Security Level 3 (SL3) mode, and I need support regarding session key generation and Read/Write command structure.

I am performing tests on Sector 3 of the card.
So far, I have successfully completed AES authentication, meaning:

- I sent the First Authentication Command (0x70)
- Then followed up with the Second Authentication Command (0x72)
- I received valid 0x90 + data responses in both steps

After that, I understand that I need to:

- Generate the session key
- Generate MAC (MAC8)
- Build and send command 0x31 (Read), for example

However, I could not find any official NXP documentation that explains:

- How to derive the session key from the authentication responses
- The exact structure of Read (0x31) / Write (0xA1) commands for MIFARE Plus EV1 in SL3
- How to correctly generate the MAC for these commands

I have tried generating the MAC8 and sending command 0x31, but I received the response:

08 90 00

I understand this might indicate failure, possibly due to an incorrect MAC or key/session derivation.

Could anyone from the community or NXP team guide me on:

- The correct method for session key derivation
- The format of Read/Write commands for MIFARE Plus EV1 2K (SL3 only)
- And if there is an official document or application note specific to MIFARE Plus EV1 2K, please share it.

I'm aware that documents for other card types (like DESFire or Plus S) may not apply correctly to Plus EV1.

Thank you in advance!

Best regards,
Nguyen Thanh Tung

-----
Log
-----

[CircleDebug] Transparent Start

[CircleDebug] O: FF C2 00 00 02 81 00

[CircleDebug] I: C0 03 00 90 00 90 00

[CircleDebug] Antenna On

[CircleDebug] O: FF C2 00 00 02 84 00

[CircleDebug] I: C0 03 00 90 00 90 00

[CircleDebug] ISO Switch (Type A Layer 4)

[CircleDebug] O: FF C2 00 02 04 8F 02 00 04

[CircleDebug] I: C0 03 00 90 00 5F 51 0C 3B 87 80 01 C1 05 2F 2F 01 BC D6 A9 90 00

[CircleDebug] =================================================================

[CircleDebug] Authenticate, Sector 1 Block 00 with AES Key

[CircleDebug] =================================================================

[CircleDebug] AuthenticateFirst

[CircleDebug] O: 70 07 40 00

[CircleDebug] I: 90 C4 D4 7E B5 E2 88 60 16 51 9C E0 62 89 20 99 11

[CircleDebug] - E(Kx,RndB)  : C4 D4 7E B5 E2 88 60 16 51 9C E0 62 89 20 99 11

[CircleDebug] - RndB        : 19 98 B5 0A C0 21 3F DA 92 5E 98 48 46 76 65 D0

[CircleDebug] - rndBShifted        : 98 B5 0A C0 21 3F DA 92 5E 98 48 46 76 65 D0 19

[CircleDebug] - RndA        : E4 A4 71 4E C8 AF 62 59 0B 3E 04 54 C7 EC 70 C3

[CircleDebug] - RndA||RndB' : E4 A4 71 4E C8 AF 62 59 0B 3E 04 54 C7 EC 70 C3 98 B5 0A C0 21 3F DA 92 5E 98 48 46 76 65 D0 19

[CircleDebug] - E(RndA||RndB') : D6 86 24 89 0B 95 24 AF EF EC F0 4A 6B 92 59 BD 52 49 CF D1 22 B0 99 70 39 14 AC 4D 04 D1 AA 1B

[CircleDebug] - Authen cmd  : 72 D6 86 24 89 0B 95 24 AF EF EC F0 4A 6B 92 59 BD 52 49 CF D1 22 B0 99 70 39 14 AC 4D 04 D1 AA 1B

[CircleDebug] I: 90 30 9B 9F 69 56 F0 2C 74 9A 11 70 0D 78 AF E4 77 BB D2 2A 3E 2B B6 80 DE 2F 76 9F 8F 2A 47 7A 31

[CircleDebug] - E(PDResp)   : 30 9B 9F 69 56 F0 2C 74 9A 11 70 0D 78 AF E4 77 BB D2 2A 3E 2B B6 80 DE 2F 76 9F 8F 2A 47 7A 31

[CircleDebug] - PDResp   : E0 56 8E 2C A4 71 4E C8 AF 62 59 0B 3E 04 54 C7 EC 70 C3 E4 00 00 00 00 00 00 00 00 00 00 00 00

[CircleDebug] - TI          : E0 56 8E 2C

[CircleDebug] - RndA        : A4 71 4E C8 AF 62 59 0B 3E 04 54 C7 EC 70 C3 E4

[CircleDebug] - Capabilities: 00 00 00 00 00 00 00 00 00 00 00 00

[CircleDebug] Session Key generation for EV1

[CircleDebug]  - A           : E4 A4 71 4E C8

[CircleDebug]  - B           : 48 46 76 65 D0

[CircleDebug]  - C           : AF 62 59 0B 3E

[CircleDebug]  - D           : C0 21 3F DA 92

[CircleDebug]  - E           : C0 21 3F DA 92

[CircleDebug]  - F           : 04 54 C7 EC 70

[CircleDebug]  - G           : DA 92 5E 98 48

[CircleDebug]  - H           : E4 A4 71 4E C8

[CircleDebug]  - I           : 19 98 B5 0A C0

[CircleDebug]  - J           : 19 98 B5 0A C0

[CircleDebug]  - Base of KEnc: E4 A4 71 4E C8 48 46 76 65 D0 C0 21 3F DA 92 11

[CircleDebug]  - KEnc        : DE 76 BD C2 FD 67 C4 2F 85 ED BE 62 03 20 87 4A

[CircleDebug]  - Base of KMac: 04 54 C7 EC 70 DA 92 5E 98 48 19 98 B5 0A C0 22

[CircleDebug]  - KMac        : 70 5E BC 1C C5 12 51 FA C5 4A 15 25 DD 40 65 06

[CircleDebug] =================================================================

[CircleDebug] ReadEncryptedMAC_MACed, Sector 1 Block 0

[CircleDebug] =================================================================

[CircleDebug] - m1          : 31 0C 00 E0 56 8E 2C 00 00 01

[CircleDebug] - mac       : ED 93 39 69 18 08 CA 93 17 5F A1 9D BD 27 9E 27

[CircleDebug] - mac8        : 93 69 08 93 5F 9D 27 27

[CircleDebug] - cmd         : 31 0C 00 01 93 69 08 93 5F 9D 27 27

[CircleDebug] I: 08 90 00
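
The byte-level steps visible in the trace above can be re-checked offline. This is an added example, not part of the original post and not NXP code: it verifies the RndB rotation, splits the decrypted second-step response the way the log labels it, confirms the card returned RndA rotated by one byte, and reproduces the MAC8 truncation. Function names are illustrative, and the AES and CMAC steps are not recomputed because the card key is not in the post.

```python
import hmac

# Values copied from the trace in the post above.
RND_A = bytes.fromhex("E4A4714EC8AF62590B3E0454C7EC70C3")
RND_B = bytes.fromhex("1998B50AC0213FDA925E9848467665D0")
RND_B_SHIFTED = bytes.fromhex("98B50AC0213FDA925E9848467665D019")
PD_RESP = bytes.fromhex("E0568E2CA4714EC8AF62590B3E0454C7EC70C3E4" + "00" * 12)
FULL_MAC = bytes.fromhex("ED9339691808CA93175FA19DBD279E27")
MAC8 = bytes.fromhex("936908935F9D2727")


def rotl1(block: bytes) -> bytes:
    """Rotate left by one byte, as in RndB -> rndBShifted."""
    return block[1:] + block[:1]


def parse_pd_resp(pd_resp: bytes) -> dict:
    """Split the decrypted second-step response the way the trace labels it."""
    if len(pd_resp) != 32:
        raise ValueError("decrypted response must be 32 bytes")
    return {"ti": pd_resp[:4], "rnd_a_rot": pd_resp[4:20], "caps": pd_resp[20:]}


def card_proved_key(rnd_a: bytes, pd_resp: bytes) -> bool:
    """Reader-side check: the card must echo our RndA rotated by one byte."""
    echoed = parse_pd_resp(pd_resp)["rnd_a_rot"]
    return hmac.compare_digest(rotl1(rnd_a), echoed)  # constant-time compare


def truncate_mac(full_mac: bytes) -> bytes:
    """Keep the bytes at odd zero-based offsets of the 16-byte MAC."""
    if len(full_mac) != 16:
        raise ValueError("full MAC must be 16 bytes")
    return full_mac[1::2]


def check_trace() -> dict:
    """Run every check against the values logged in the post."""
    return {
        "rndb_rotation": rotl1(RND_B) == RND_B_SHIFTED,
        "card_echoed_rnda": card_proved_key(RND_A, PD_RESP),
        "ti": parse_pd_resp(PD_RESP)["ti"].hex().upper(),
        "mac8_truncation": truncate_mac(FULL_MAC) == MAC8,
    }


if __name__ == "__main__":
    for name, result in check_trace().items():
        print(f"{name}: {result}")
```

If `card_proved_key` returns False, the reader should abort the session before deriving any session keys.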

jimmychan
NXP TechSupport

The details are in the full datasheet. You can download it in the "Secure" file.
