Mifare plus apdu wrapping?

Forum / MIFARE general topics and applications / Mifare plus apdu wrapping?

  • 29. July 2019 at 12:19
    How to use APDU wrapping for Mifare plus cards?
    e.g. for reading dual cards that have bank and Mifare applets.
    The idea to use APDU only mode for reading such cards. (Maybe I'm mistaking and I need to read some other documentation, direct me if you can)

    Preamble
    I'm using Vivopay reader to read Mifare card (e.g. Kiosk II, ViVopay 5000 and legacy compatible readers in Vx820/680 payment terminals). First, enable passthrough mode then use high-level Mifare commands of the reader.
    It works perfectly with Mifare classic 1k, but when I received the dual card (mifare plus 4k/emv bank) I got read error (authentification passed, but reader docs state that it make real authentification on read/write).
    Whats worse after using high-level Mifare commands reader report error on APDU request to that card (need to halt then poll again to work).
    I read description for ARC122 reader, read PCSC documentation, different ViVopay docs and look like Mifare plus work in some emulation mode that is not so 100% compatible with Mifare classic 1-4k. Most docs state that there need to be enabled T=CL protocol for that card. Using some docs examples I managed to make read using some native (i think its Mifare 14443) protocol, but for some kind of cause, it doesn't work for Vx820/680 terminals which I need to do in the first case.
    After reading docs on that card, I notice that they are supporting apdu wrapping mode and all I need to do ISOselect and ISOexternalauthentificate commands to work with them but there is no one example around.

    //MF1P(H)x1y1 MIFARE Plus EV1 Rev. 3.2 — 6 December 2018
    // VC commands available after ISO/IEC 14443-4 activation, using ISO/IEC 7816-4 protocol
    // ISOSelect Select virtual card
    // ISOExternalAuthenticate Authenticate PD

    logs using raw data
    // PT Enable
    >>>: ViVOtech2/0- 2C010001011D19
    <<>>: ViVOtech2/0- 2801000101941F
    <<>>: ViVOtech2/0-2C02000200140C9A
    <<>>: ViVOtech2/0-2C040013198629000003030F0F0F0F0F0F0F0F0F0F0F0F52DD
    <<>>: ViVOtech2/0-2C04000D0C8629000003076080E2745D8021F5
    <<>>: ViVOtech2/0-2C0400091E86290000030F3080E3A7
    <<<: ViVOtech2/0-2C00001500000000801BFC415E7881BC0000000000000000007002


    + 0  |  - 0

    Re: Mifare plus apdu wrapping?

    29. July 2019 at 12:30
    logs insertion failed. will try append again
    logs using raw data
    - PT Enable
    send: ViVOtech2/0- 2C010001011D19
    rcv: ViVOtech2/0- 2C0000001C9B
    - Antenna On
    send: ViVOtech2/0- 2801000101941F
    rcv: ViVOtech2/0- 28000000D66A
    - Poll for Token
    send: ViVOtech2/0-2C02000200140C9A
    rcv: ViVOtech2/0-2C00000807-04365DE2745D80C68B (found card type 07, uid=04365DE2745D80)
    - PCD Single Command Exchange Protocol2, Load Mifare Key (PCD loadkey, 2986, 03, 03, RAW = key)
    send: ViVOtech2/0-2C040013198629000003030F0F0F0F0F0F0F0F0F0F0F0F52DD
    rcv: ViVOtech2/0-2C000005000000000014F0
    - PCD Single Command Exchange Protocol2, Mifare Authentication Block 0 Field (PCD auth=0c, 2986, 03, 07, RAW = 60 00 UID(4byte))
    send: ViVOtech2/0-2C04000D0C8629000003076080E2745D8021F5
    rcv: ViVOtech2/0-2C000005000000000014F0
    - PCD Single Command Exchange Protocol2, Read Block 1 Data (PCD TRANCIEVE =1E, TIMEOUT = 2986, FLAGS=03, CRCM=0F, RAW = 30 01)
    send: ViVOtech2/0-2C0400091E86290000030F3080E3A7
    rcv: ViVOtech2/0-2C00001500000000801BFC415E7881BC0000000000000000007002 OK
    -----------
    logs using high-level coms
    - Poll for Token
    Send: "ViVOtech2/0-2C02000200140C9A
    Recieve: "ViVOtech2/0-2C0000080704365DE2745D80C68B
    card type: 7
    - highlevel mifare auth
    Send: "ViVOtech2/0-2C0600088001FFFFFFFFFFFFF19A
    Recieve: "ViVOtech2/0-2C0000001C9B
    - high-level mifare read
    Send: "ViVOtech2/0-2C0700027180D798
    Recieve: "ViVOtech2/0-2C0A0000DB5A
    Mifare READ-1 error: 4510 - failed

    + 0  |  - 0

    Re: Mifare plus apdu wrapping?

    30. July 2019 at 10:34
    Hi Yurij,

    First, you must distinguish between the MIFARE card commands and the reader interface layer which may also require an APDU wrapping layer. If and how card commands are wrapped is documented in the user manual of the reader manufacturer.

    You use the MIFARE Plus EV1. This product can operate in three security level (SL) and different card protocols. SL0 is the initial layer, SL1 is the compatibility layer to the MIFARE Classic and SL3 uses the AES encryption. Which level is used, is defined by the card issuer, in which level the card is prepared.

    The TapLinx team
    + 0  |  - 0

    Re: Mifare plus apdu wrapping?

    30. July 2019 at 12:29
    I'm absolutely sure that card is working in SL1 mode since it can be read using ordinary low-level CTLS commands for Mifare classic on ACR122.
    Ok, there are some commands for the reader itself, but there is no description of Mifare low-level commands.
    Reader docs describe its own commands format for sure, its serial package (Vivotech2/0-2byte_cmd-2byte_len-DATA-2byte_crc). where DATA:
    high-level Mifare auth DATA = (block, key)
    high-level Mifare read DATA = (start block|block quantity)
    high-level Mifare write DATA = (start block|block quantity, data_bytes)
    high-level Mifare epurse DATA = (debit/credit)
    low-level CTLS_card DATA = (cmd,timeout,flag,crc, RAW_data) no description on RAW data content, except example (even there RAW_data bytes not described).
    ISO_APDU_Exchange where DATA = (cla, ins, p1,p2)
    ----
    If "Poll for Token" command detects a card of type 07 (ISO 14443-4 Type-A and Mifare), the reader will process according to the first command which will be received. e.g. Mifare/ISO_APDU. So I can access that dual card (mentioned above) using low-level CTLS_card command only (high-level Mifare commands result failed) and on standalone readers only. EMV bank applet is required ISO_APDU_Exchange. There is no problem or resetting NFC field and polling again, the problem is that Mifare applet cannot be accessed in Mifare mode on Vx680/Vx820 no matter high or low-level commands used.

    So again, is there APDU mode described somewhere for such cards for reading Mifare applet or I'm just mistaking and must use only Mifare command to access it?
    + 0  |  - 0

    Re: Mifare plus apdu wrapping?

    30. July 2019 at 15:42
    Hi Iurii,

    It is not clear for me about what kind of product we are talking. Apparently, it is not a MIFARE Plus EV1, it is somehow mixed, a JCOP card with a MIFARE applet? Is it an NXP product or a third-party product?

    Sorry, but this must be cleared first,
    The TapLinx team

    + 0  |  - 0

    Re: Mifare plus apdu wrapping?

    31. July 2019 at 7:48
    using NXP taginfo with NOKIA 8 android phone i got card data:
    =============== IC INFO ================
    IC manufacturer
    NXP Semiconductors
    IC type
    ISO/IEC 14443 - probably personalized card
    MIFARE application
    No known MIFARE application found
    =============== EXTRA ================
    MIFARE memory size
    4kb
    -32 sectors of 4block and 8 sectors of 16 blocks
    -256 blocks? with 16 bytes per blocks
    ATS historical bytes detail
    NXP IC information coding
    =============== FULL SCAN ================
    Technologies supported
    MIFARE Classic compartible
    ISO/IEC 7816-4 compartible
    ISO/IEC 14443-4 (Type A) compartible
    ISO/IEC 14443-3 (Type A) compartible
    ISO/IEC 14443-2 (Type A) compartible
    Detailed protocol information
    ID 04:36:5D:E2:74:5D:80
    ATQA 0x4400
    SAK 0x38
    ATS 0x0B78807102C1052F2F01BC00009F6501
    ...
    Sector 32 (which I need to read from terminal)
    [80] 1B FC 41 5E 78 81 BC 00
    rW- 00 00 00 00 00 00 00 00
    [81] 00 00 00 00 00 00 00 00
    rWi 00 00 00 00 00 00 00 00
    [82] 00 00 00 00 00 00 00 00
    rW- 00 00 00 00 00 00 00 00
    [83] 00 00 00 00 00 00 00 00
    rW- 00 00 00 00 00 00 00 00
    [84] 00 00 00 00 00 00 00 00
    rW- 00 00 00 00 00 00 00 00
    [85] 00 00 00 00 00 00 00 00
    rWI 00 00 00 00 00 00 00 00
    [86] 00 00 00 00 00 00 00 00
    rWI 00 00 00 00 00 00 00 00
    [87] 00 00 00 00 00 00 00 00
    rWI 00 00 00 00 00 00 00 00
    [88] 00 00 00 00 00 00 00 00
    rWI 00 00 00 00 00 00 00 00
    [89] 00 00 00 00 00 00 00 00
    rWI 00 00 00 00 00 00 00 00
    [8A] 00 00 00 00 00 00 00 00
    rwi 00 00 00 00 00 00 00 00
    [8B] 00 00 00 00 00 00 00 00
    rwi 00 00 00 00 00 00 00 00
    [8C] 00 00 00 00 00 00 00 00
    rwi 00 00 00 00 00 00 00 00
    [8D] 00 00 00 00 00 00 00 00
    rwi 00 00 00 00 00 00 00 00
    [8E] 00 00 00 00 00 00 00 00
    rwi 00 00 00 00 00 00 00 00
    [8F] FF:FF:FF:FF:FF:FF factory default key
    WXW 5C:37:8A 00
    XX:XX:XX:XX:XX:XX key unavailible

    + 0  |  - 0

    Re: Mifare plus apdu wrapping?

    31. July 2019 at 15:16
    I found some info regarding direct APDU exchange. Trying to find correct CLA for SL1 now.
    Apdu command:
    Code Value Meaning
    CLA ’00’ ISO CLA according to Secure Messaging Level (sl0-3)
    INS ’A8’ Data Exchange
    P1 ’00’ (Mandatory)
    P2 ’00’ (Mandatory)
    Lc Var Mifare Plus Native Command Length
    Data Data Mifare Plus Native Command
    Apdu Responce:
    SW Meaning
    9000 + Data Access permitted + Mifare Plus Card native answer
    6982 Error in secure messaging (no session key established or Mifare key or PW not encrypted)

    + 0  |  - 0

    Re: Mifare plus apdu wrapping?

    1. August 2019 at 16:57
    Hi Iurii,

    I evaluated which product you use. It is SmartMX3 card and for this card are datasheets available. You use the card with a MIFARE Plus EV1. I recommend reading the datasheet:
    MIFARE Plus EV1 - Functionality of implementation on N7121 VA
    This document is available via our DocStore service. The datasheet explains the APDU wrapping in detail.

    You need a valid NDA with us to download the datasheet. If you need to sign an NDA, you can write to me your legal company business address. I will hand it over to one of my colleagues.

    My email address: taplinx@nxp.com

    I hope, this helps,
    The TapLinx team
    + 0  |  - 0
Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.