Reply To: SL3 switch by command query

Forum MIFARE general topics and applications SL3 switch by command query Reply To: SL3 switch by command query

Re: SL3 switch by command query

1. February 2018 at 17:44
Hi Tithi,
I'd first like to understand the log you're pasting.
I understand that you're operating MIFARE SAM AV2 in non-X-mode. Is that correct?

Then, you authenticate to key 9003 with command 70039000.
If the card that you're addressing is a MIFARE Plus S, SE or X, the command is correct. If the card is a MIFARE Plus EV1, then is wrong.

MIFARE Plus EV1 needs to have at least 1 byte of PCDCap, that is used to select between the Secure Messaging EV0 and EV1. If you'd like to address MIFARE Plus EV1, my advice would be to use the following command: 7003900100

Then, you address SAM with the MFP authenticate command:
80 A3 0D 00 19 0100C77036E3F7B3D58ED80C2633AAF2BEAD047B41FA69578000
0D: Key derivation, SL3 derivation

01:Key number
00:Key version
C77036E3F7B3D58ED80C2633AAF2BEAD: E(RndB)
047B41FA695780: DivInput -> most likely the UID of the card

The next line displays the following:
MF Plus -> FFA00005270100F3000064 72A12B6C318FE202076A3056DC6F7CC9B951257E8103DCE1535A64F660B7BEF4E2

The part "72A12B6C318FE202076A3056DC6F7CC9B951257E8103DCE1535A64F660B7BEF4E2" is clearly the command of the Authenticate continue where the 32 byte challenge RndA|RndB' is sent to the card, but the first part, FFA00005270100F3000064 I do not understand. What is this?

Finally, what is the issue you're reporting? That the answer from the card to command AuthenticateContinue is just 9000h and does not include the extra bytes payload with TI, RndA', PDcap2 and PCDcap2 or that the execution of the second part of the SAM_AuthenticateMFP (80A30000...) answers with 9000?
+ 0  |  - 0