DESFire GetCardUID random result

dakhnod
Contributor III

I am authenticating with the default key (0,0,0...) to a DESFire EV1 card.

Then, I am calling GetCardUID, and getting 16 bytes back.

These I then decrypt, and expect to get this result:

 

 

0 = 0x4
1 = 0x8A
2 = 0x71
3 = 0x72
4 = 0x66
5 = 0x61
6 = 0x80
7 = 0x98
8 = 0x67
9 = 0x46
10 = 0x1D

 

 

I can see my serial in the first 7 bytes.

 

Unfortunately, most of the time I get different results, like this one:

 

 

0 = 0x84
1 = 0x7F
2 = 0xEE
3 = 0xCF
4 = 0x4C
5 = 0x6
6 = 0x22
7 = 0xF9
8 = 0x67
9 = 0x46
10 = 0x1D

 

 

The padding remains 0 (cut out here), and the last three bytes are always the same, which indicates a successful decryption to me.

 

Now my question: Why do I get different, seemingly random results most of the time?

 

Thanks!

 

1 Solution
dakhnod
Contributor III

Goddammit, figured it out.

I already solved this once and completely wiped it off my mind, apparently.

 

I was right with the 25% chance. The decryption worked properly if the leftmost two bits for subkey calculation were 00, hence the 25% chance.

I was always using 0x87 as XOR when one of the bits was 1.

Turns out I have to use 0x1B for XOR with a blocksize of 8.

 

In any case, thanks for your help!

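The fix described in the solution above, as an added example that is not part of the original post or the poster's library: CMAC subkey derivation (NIST SP 800-38B) with the XOR constant chosen by block size, checked against the subkeys printed in the two logs further down the thread. The `L` inputs are constructed by undoing the shift on the logged subkey 1, and all function names are assumptions.

```python
# Added example (not from the thread): CMAC subkey derivation per NIST SP 800-38B.
RB = {8: 0x1B, 16: 0x87}  # reduction constant depends on the cipher block size

# Constructed inputs: L = E_K(0^8) is not printed in the logs; these values were
# recovered by undoing the left shift on the logged "subkeys: 1:" values.
L_GOOD_RUN = bytes.fromhex("2CF623B83471B7B9")  # top bits 00 -> no carry at all
L_BAD_RUN = bytes.fromhex("BC37B41617E59A45")   # top bit 1 -> carry on first doubling


def double(block, rb):
    """Multiply by x in GF(2^n): shift left one bit, XOR rb into the last byte on carry."""
    n = len(block)
    shifted = (int.from_bytes(block, "big") << 1) & ((1 << (8 * n)) - 1)
    out = bytearray(shifted.to_bytes(n, "big"))
    if block[0] & 0x80:  # the bit shifted out was 1
        out[-1] ^= rb
    return bytes(out)


def cmac_subkeys(l_block, rb=None):
    """Return (K1, K2) for L; rb defaults to the constant matching len(L)."""
    if len(l_block) not in RB:
        raise ValueError("block size must be 8 or 16 bytes")
    rb = RB[len(l_block)] if rb is None else rb
    k1 = double(l_block, rb)
    return k1, double(k1, rb)


def padded_last_block(msg, k2):
    """Pad a short final block with 0x80 00.. and mask it with K2 (incomplete-block case)."""
    if len(msg) >= len(k2):
        raise ValueError("this helper covers only a single incomplete block")
    padded = msg + b"\x80" + bytes(len(k2) - len(msg) - 1)
    return bytes(a ^ b for a, b in zip(padded, k2))


def wrong_rb_matters(l_block):
    """True when using 0x87 instead of 0x1B changes the 8-byte subkeys."""
    return cmac_subkeys(l_block, 0x87) != cmac_subkeys(l_block, 0x1B)


if __name__ == "__main__":
    for name, l_block in (("good", L_GOOD_RUN), ("bad", L_BAD_RUN)):
        k1, k2 = cmac_subkeys(l_block)
        print(name, k1.hex(" "), k2.hex(" "), padded_last_block(b"\x51", k2).hex(" "))
```

Passing `rb=0x87` for `L_BAD_RUN` reproduces the subkeys in the failing log, while the default constant changes the last byte of K1 and the last two bytes of K2, which is why the IV for the GetCardUID decryption differed.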
15 Replies
vincentthivent
Contributor III

Hi,

I never called GetCardUID, because I have the UID number in the identification :). I'll do a test this weekend. I'll let you know.

 

Thanks,

 

Vincent

dakhnod
Contributor III

Heyo,

 

any success?

 

Regards,

Daniel

vincentthivent
Contributor III

Hi Daniel,

I just did a test like this:
- Identification
- Authenticate EV2 with software SAM
- ReadFile
- GetCardUID

The UID card number is correct.

I use ComMode:FULL

[Attached image: GatCardUID.png]

Which reader and software do you use?

Thanks

Vincent

vincentthivent
Contributor III

It works with Authenticate EV2 and SAM AV3.

[Attached image: GatCardUID_SAM.png]

dakhnod
Contributor III

Thanks, it is weird that it also works for me, but only every seventh time or so.

 

Are you using some library to call GetCardUID?

vincentthivent
Contributor III

Hi Daniel,

I use the ODALID library and readers.

Which library and reader do you use?

Which DESFire card do you use? (EV1/EV2/EV3)

Is the authentication EV2 or EV1?

Thanks,

Vincent

dakhnod
Contributor III

Hey, thanks for your time.

 

I am using a DESFire EV1, and writing my own library.

It is weird that the encryption works only some of the time...

 

Kind regards,

Daniel

vincentthivent
Contributor III

Hi Daniel,

You can send me the card's encrypted response to the GetCardUID command when you have the wrong UID number; when you authenticate with the default key.

vincentthivent
Contributor III

Hi Daniel,

Happy for you.

dakhnod
Contributor III

Again, thanks for taking a look at this.

 

Here is the log for a successful attempt:

request: 5A 00 00 00 , response: 00
request: 1A 00 , response: AF F3 73 EE A4 5C E6 DB AE
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
remote random encrypted: AF F3 73 EE A4 5C E6 DB AE , decrypted: AF 15 3B 83 ED DD 7D 33
own random encrypted: 3B 97 0F 73 8A 60 73 20
random numbers concatenated and shifted: 3B 97 0F 73 8A 60 73 20 15 3B 83 ED DD 7D 33 AF , encrypted: 9A 2A 57 89 66 A6 6A 02 B3 3B 24 2F 63 4C A7 A4
request: AF 9A 2A 57 89 66 A6 6A 02 B3 3B 24 2F 63 4C A7 A4 , response: 00 52 A7 34 BB B4 9B 8E 8C
random response: 00 52 A7 34 BB B4 9B 8E 8C , decrypted: 97 0F 73 8A 60 73 20 3B
session key: 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82
subkeys: 1: 59 EC 47 70 68 E3 6F 72 2: B3 D8 8E E0 D1 C6 DE E4
old CMAC: 00 00 00 00 00 00 00 00
new CMAC for data E2 58 8E E0 D1 C6 DE E4 : B6 AB AD F6 E2 16 14 52
request: 51 , response: 00 81 6A 2E C8 7F 8D AC 8E A6 32 2A 95 D9 53 CA 18
decrypting using key 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82 and IV B6 AB AD F6 E2 16 14 52 : 81 6A 2E C8 7F 8D AC 8E A6 32 2A 95 D9 53 CA 18 -> 04 8A 71 72 66 61 80 98 67 46 1D 00 00 00 00 00

 

And here for an unsuccessful one:


request: 5A 00 00 00 , response: 00
request: 1A 00 , response: AF 30 8C E3 EE 34 83 E3 0C
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
remote random encrypted: AF 30 8C E3 EE 34 83 E3 0C , decrypted: 44 C2 21 D1 0F F3 63 5B
own random encrypted: D6 30 6F 85 BC DC 2D BA
random numbers concatenated and shifted: D6 30 6F 85 BC DC 2D BA C2 21 D1 0F F3 63 5B 44 , encrypted: 53 BC 03 55 33 2E 4A 88 9D 86 70 30 4D B8 64 11
request: AF 53 BC 03 55 33 2E 4A 88 9D 86 70 30 4D B8 64 11 , response: 00 65 60 4E 12 05 BD 68 D7
random response: 00 65 60 4E 12 05 BD 68 D7 , decrypted: 30 6F 85 BC DC 2D BA D6
session key: D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0
subkeys: 1: 78 6F 68 2C 2F CB 34 0D 2: F0 DE D0 58 5F 96 68 1A
old CMAC: 00 00 00 00 00 00 00 00
new CMAC for data A1 5E D0 58 5F 96 68 1A : 20 11 91 00 F3 A0 5B 1B
request: 51 , response: 00 0D C7 E7 8B 2D C4 03 6F 0C D7 C9 70 56 10 DA 5F
decrypting using key D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0 and IV 20 11 91 00 F3 A0 5B 1B : 0D C7 E7 8B 2D C4 03 6F 0C D7 C9 70 56 10 DA 5F -> D9 EF 56 79 ED E4 71 03 67 46 1D 00 00 00 00 00

 

In fact, I am pretty sure that statistically, I get the right result in 25% of all attempts.

This seems like there are 2 bits from some random number that I am not processing properly...

vincentthivent
Contributor III

Hello,

 

Why do you authenticate to the DESFire card?

The UID is given before authentication.

Vincent

dakhnod
Contributor III
Hi,

I want to make the GetCardUID call work.
GetCardUID returns an encrypted result, so it needs the authentication.
vincentthivent
Contributor III

Hi

OK, I understand. If you want to use the GetCardUID command, you have to check that the authenticate command is valid.

What I mean is that before any authentication, the system must perform the identification phase as follows:
1 Identification
2 Authenticate
3 GetCardUID

Identification gives the UID number.

Vincent

dakhnod
Contributor III

Hi, thanks for the hint.

 

I did do all the steps. Obviously I did anticollision, getting the UID. Then I authenticated, and then attempted to read the real UID.

And reading the real UID sometimes works, but most of the time not, very weird.

 

Are you able to successfully call GetCardUID 100% of the time?
