DESFire GetCardUID random result

dakhnod
Contributor III

I am authenticating with the default key (0,0,0...) to a DESFire EV1 card.

Then, I am calling GetCardUID, and getting 16 bytes back.

These I then decrypt, and expect to get this result:

 

 

0 = 0x4
1 = 0x8A
2 = 0x71
3 = 0x72
4 = 0x66
5 = 0x61
6 = 0x80
7 = 0x98
8 = 0x67
9 = 0x46
10 = 0x1D

 

 

I can see my serial in the first 7 bytes.

 

Unfortunately, most of the time I get different results, like this one:

 

 

0 = 0x84
1 = 0x7F
2 = 0xEE
3 = 0xCF
4 = 0x4C
5 = 0x6
6 = 0x22
7 = 0xF9
8 = 0x67
9 = 0x46
10 = 0x1D

 

 

The padding remains 0 (cut out here), and the last three bytes are always the same, which indicates a successful decryption to me.

 

Now my question: Why do I get different, seemingly random results most of the time?

 

Thanks!

 

1 Solution
dakhnod
Contributor III

Goddammit, figured it out.

I already solved this once and completely wiped it off my mind, apparently.

 

I was right with the 25% chance. The decryption worked properly if the leftmost two bits for subkey calculation were 00, hence the 25% chance.

I was always using 0x87 as XOR when one of the bits was 1.

Turns out I have to use 0x1B for XOR with a block size of 8.

 

In any case, thanks for your help!
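
An added example (not code from this thread or from any DESFire library): the CMAC subkey doubling step the post above refers to, with the reduction constants from NIST SP 800-38B (0x1B for 8-byte blocks, 0x87 for 16-byte blocks). It takes the `subkeys:` values from the two logs posted in this thread, recovers L = E_K(0) by undoing the doubling, and rederives the subkeys with each constant; all function names are illustrative.

```python
RB = {8: 0x1B, 16: 0x87}   # R_64 (DES/3DES block), R_128 (AES block)

def dbl(block: bytes, rb: int) -> bytes:
    """One CMAC doubling: shift left one bit; XOR rb in if a 1 was shifted out."""
    n = len(block)
    v = int.from_bytes(block, "big")
    out = (v << 1) & ((1 << (8 * n)) - 1)
    if v >> (8 * n - 1):
        out ^= rb
    return out.to_bytes(n, "big")

def undo_dbl(sub: bytes, rb: int) -> bytes:
    """Invert dbl(). Both constants are odd, so the low bit of the output
    tells whether the XOR was applied (i.e. whether the input MSB was 1)."""
    n = len(sub)
    v = int.from_bytes(sub, "big")
    if v & 1:
        v = ((v ^ rb) >> 1) | (1 << (8 * n - 1))
    else:
        v >>= 1
    return v.to_bytes(n, "big")

def subkeys(l_block: bytes, rb=None):
    """K1, K2 from L = E_K(0^n); rb defaults to the constant for len(L)."""
    rb = RB[len(l_block)] if rb is None else rb
    k1 = dbl(l_block, rb)
    return k1, dbl(k1, rb)

def repair(logged_k1: bytes, wrong_rb: int = 0x87):
    """Recover L from a K1 derived with wrong_rb, then derive correct subkeys."""
    return subkeys(undo_dbl(logged_k1, wrong_rb))

# Values copied from the "subkeys:" lines of the two logs in this thread.
GOOD_K1 = bytes.fromhex("59EC477068E36F72")   # successful attempt
BAD_K1 = bytes.fromhex("786F682C2FCB340D")    # failed attempt, subkey 1
BAD_K2 = bytes.fromhex("F0DED0585F96681A")    # failed attempt, subkey 2

if __name__ == "__main__":
    for name, k1 in (("successful", GOOD_K1), ("failed", BAD_K1)):
        l_block = undo_dbl(k1, 0x87)
        print(name, "L =", l_block.hex(" ").upper())
        print("  with 0x87:", [k.hex().upper() for k in subkeys(l_block, 0x87)])
        print("  with 0x1B:", [k.hex().upper() for k in subkeys(l_block)])
```

In the successful log no bit is shifted out in either doubling, so both constants give the same subkeys; in the failed log L has its top bit set, and the two constants give different values for K1 and K2.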

vincentthivent
Contributor III

Hi,

I never called GetCardUID, because I have the UID number in the identification :). I'll do a test this weekend. I'll let you know.

 

Thanks,

 

Vincent

dakhnod
Contributor III

Heyo,

 

any success?

 

Regards,

Daniel

vincentthivent
Contributor III

Hi Daniel,

I just did a test like this
-Identification
-Authenticate EV2 with software SAM
-ReadFile
-GetCARDuid

the uid card number is correct.

I use ComMode:FULL


which reader and software do you use?

Thanks

Vincent

vincentthivent
Contributor III

It works with authenticate EV2 and SAM AV3

dakhnod
Contributor III

Thanks, it is weird that it also works for me, but only every seventh time or so.

 

Are you using some library to call GetCardUID?

vincentthivent
Contributor III

Hi Daniel,

I use the ODALID library and readers

which library and reader do you use?

Which DESFire card do you use? (EV1/EV2/EV3)

Is authentication EV2 or EV1?

Thanks,

Vincent

dakhnod
Contributor III

Hey, thanks for your time.

 

I am using a DESFire EV1, and writing my own library.

It is weird that the encryption works only some of the time...

 

Kind regards,

Daniel

vincentthivent
Contributor III

Hi Daniel,

you can send me the card's encrypted response to the GetCardUID command when you have the wrong UID number; when you authenticate with the default key.

vincentthivent
Contributor III
Hi Daniel,
happy for you

dakhnod
Contributor III

Again, thanks for taking a look at this.

 

Here is the log for a successful attempt:

request: 5A 00 00 00 , response: 00
request: 1A 00 , response: AF F3 73 EE A4 5C E6 DB AE
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
remote random encrypted: AF F3 73 EE A4 5C E6 DB AE , decrypted: AF 15 3B 83 ED DD 7D 33
own random encrypted: 3B 97 0F 73 8A 60 73 20
random numbers concatenated and shifted: 3B 97 0F 73 8A 60 73 20 15 3B 83 ED DD 7D 33 AF , encrypted: 9A 2A 57 89 66 A6 6A 02 B3 3B 24 2F 63 4C A7 A4
request: AF 9A 2A 57 89 66 A6 6A 02 B3 3B 24 2F 63 4C A7 A4 , response: 00 52 A7 34 BB B4 9B 8E 8C
random response: 00 52 A7 34 BB B4 9B 8E 8C , decrypted: 97 0F 73 8A 60 73 20 3B
session key: 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82
subkeys: 1: 59 EC 47 70 68 E3 6F 72 2: B3 D8 8E E0 D1 C6 DE E4
old CMAC: 00 00 00 00 00 00 00 00
new CMAC for data E2 58 8E E0 D1 C6 DE E4 : B6 AB AD F6 E2 16 14 52
request: 51 , response: 00 81 6A 2E C8 7F 8D AC 8E A6 32 2A 95 D9 53 CA 18
decrypting using key 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82 3A 96 0E 72 AE 14 3A 82 and IV B6 AB AD F6 E2 16 14 52 : 81 6A 2E C8 7F 8D AC 8E A6 32 2A 95 D9 53 CA 18 -> 04 8A 71 72 66 61 80 98 67 46 1D 00 00 00 00 00

 

And here for an unsuccessful one:


request: 5A 00 00 00 , response: 00
request: 1A 00 , response: AF 30 8C E3 EE 34 83 E3 0C
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
remote random encrypted: AF 30 8C E3 EE 34 83 E3 0C , decrypted: 44 C2 21 D1 0F F3 63 5B
own random encrypted: D6 30 6F 85 BC DC 2D BA
random numbers concatenated and shifted: D6 30 6F 85 BC DC 2D BA C2 21 D1 0F F3 63 5B 44 , encrypted: 53 BC 03 55 33 2E 4A 88 9D 86 70 30 4D B8 64 11
request: AF 53 BC 03 55 33 2E 4A 88 9D 86 70 30 4D B8 64 11 , response: 00 65 60 4E 12 05 BD 68 D7
random response: 00 65 60 4E 12 05 BD 68 D7 , decrypted: 30 6F 85 BC DC 2D BA D6
session key: D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0
subkeys: 1: 78 6F 68 2C 2F CB 34 0D 2: F0 DE D0 58 5F 96 68 1A
old CMAC: 00 00 00 00 00 00 00 00
new CMAC for data A1 5E D0 58 5F 96 68 1A : 20 11 91 00 F3 A0 5B 1B
request: 51 , response: 00 0D C7 E7 8B 2D C4 03 6F 0C D7 C9 70 56 10 DA 5F
decrypting using key D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0 D6 30 6E 84 44 C2 20 D0 and IV 20 11 91 00 F3 A0 5B 1B : 0D C7 E7 8B 2D C4 03 6F 0C D7 C9 70 56 10 DA 5F -> D9 EF 56 79 ED E4 71 03 67 46 1D 00 00 00 00 00

 

In fact, I am pretty sure that statistically, I get the right result in 25% of all attempts.

This seems like there are 2 bits from some random number that I am not processing properly...

vincentthivent
Contributor III

Hello,

 

why do you authenticate to the DESFire card?

the UID is given before authentication.

Vincent

dakhnod
Contributor III
Hi,

I want to make the GetCardUID call work.
GetCardUID returns an encrypted result, so it needs the authentication.

vincentthivent
Contributor III

Hi

ok I understand, if you want to use the GetCardUID command, you have to check that the authenticate command is valid.

What I mean is that before any authentication, the system must perform the identification phase as follows
1 Identification
2 Authenticate
3 GetCarduid

Identification gives the uid number

Vincent

dakhnod
Contributor III

Hi, thanks for the hint.

 

I did do all the steps. Obviously I did anticollision, getting the UID. Then I authenticated, and then attempted to read the real UID.

And reading the real UID sometimes works, but most of the time not, very weird.

 

Are you able to successfully call GetCardUID 100% of the time?
