Mifare Desfire EV1 ChangeKey returns Integrity Error (0x1E)
Tagged: 1E, desfire, integrity error, mifare
Hi,
I have been trying to get the ChangeKey command to work for my Desfire EV1/EV2 cards. I'm using the MFRC500 reader IC (same as my Pegoda 700 reader). I have followed the examples given in the AN094533 (DESFire EV1-Features and Hints p75) and other sources online (Ridrix blog). I tested my code on the data from these examples and I retrieve the same calculated CRC32, padding and encryption. The values given in NXP's RFIDDiscover log file also match my own CRC and encryption. The following steps are taken in my main code:
Activate Card + Send RATS
Select Application (AID 00 00 00)
Authenticate AES
Send: AA 00
Answer: AF 0379CEA29D6ACFCD9EF3A673F7D12176
RndA: E8A2B4332E899E58A07D8F643B04001D
RndB: FC938C674669A65E6D437D8D2D58273F
Send: AF 483EE515927EE8C97CD71711735CBD7EEE279BE2C59A8D85359A5231A19E0960
Answer: 50DADDF04D37842AA908223DD9AFFD3F
Sessionkey: E8A2B433FC938C673B04001D2D58273F
=> Authentication success!
ChangeKey
Use case 2 for AES crypto mode, key to change is the same as the one used for authentication, keysettings1 = 0x0F (allow masterkey change).
Key No: 00 (picc master key)
New key: B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF
Key version: 01
Calculate CRC32 on cmd+keyno+newkey+keyversion: C4 00 B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF 01
CRC32: B7EE5C9A
Encrypt following data: B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF 01 B7EE5C9A 0000000000000000000000
Encrypted: 968A4A8D9BCA0B0B50F9316AA8653EEE1C766828E2726B3667488BE4668D86CA
Send: C400968A4A8D9BCA0B0B50F9316AA8653EEE1C766828E2726B3667488BE4668D86CA
Answer: 1E
=> Integrity error: Wrong crc32/padding/cmac
Using the RFIDDiscover tool, I am able to change the PICC master key. The values retrieved from the tool's log verify my own CRC and encryption calculations. Are there any other reasons that can cause an integrity error? Hardware related issues? Card related issues? Thanks for your help.
+ 0 | - 0
Hi,
KeyNo had to be set to 0x80. The 2 most-significant bits define the crypto mode of the new key and needed to be set to '10' for AES. The code examples in the "EV1-Features and hints" and "EV2-Features and hints" define this parameter as 0x00.
+ 0 | - 0
Hello Wouter,
Integrity Error means that the CRC, MAC or the padding is wrong. If you use the RFIDdiscover tool you can check every step and re-calculate all intermediate values by hand. The complete log with these values can be found in the Log Window.
The Taplinx team
+ 0 | - 0
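The following is an added example, not code from any poster or from NXP: it rebuilds the unencrypted ChangeKey cryptogram from the first post and shows what changes when KeyNo goes from 0x00 to 0x80, as described in the second post. The names `KEYTYPE_AES`, `desfire_crc32`, `change_key_plaintext` and `changed_offsets` are assumptions made for this sketch, and the AES encryption with the session key is left out so that it runs with the standard library only.

```python
import zlib

CMD_CHANGE_KEY = 0xC4
KEYTYPE_AES = 0x80  # assumed name; bits 7..6 = '10' selects AES, per the reply above

def desfire_crc32(data: bytes) -> bytes:
    """CRC32 as DESFire EV1 uses it: IEEE polynomial, no final inversion,
    least-significant byte first."""
    return (zlib.crc32(data) ^ 0xFFFFFFFF).to_bytes(4, "little")

def change_key_plaintext(key_no: int, new_key: bytes, key_version: int):
    """Header and unencrypted cryptogram for the case in the thread, where the
    key being changed is the key used for authentication:
    NewKey | KeyVersion | CRC32(Cmd | KeyNo | NewKey | KeyVersion) | 00.."""
    if len(new_key) != 16:
        raise ValueError("AES key must be 16 bytes")
    if not (0 <= key_no <= 0xFF and 0 <= key_version <= 0xFF):
        raise ValueError("key_no and key_version are single bytes")
    header = bytes([CMD_CHANGE_KEY, key_no])
    body = new_key + bytes([key_version])
    plain = body + desfire_crc32(header + body)  # the CRC covers the KeyNo byte
    plain += bytes(-len(plain) % 16)             # zero-pad to the AES block size
    return header, plain

def changed_offsets(key_no_a: int, key_no_b: int, new_key: bytes, key_version: int):
    """Plaintext offsets that differ between two KeyNo values."""
    _, pa = change_key_plaintext(key_no_a, new_key, key_version)
    _, pb = change_key_plaintext(key_no_b, new_key, key_version)
    return [i for i, (x, y) in enumerate(zip(pa, pb)) if x != y]

if __name__ == "__main__":
    new_key = bytes.fromhex("B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF")  # from the first post
    for key_no in (0x00, 0x00 | KEYTYPE_AES):
        header, plain = change_key_plaintext(key_no, new_key, 0x01)
        print(f"KeyNo {key_no:02X}: header {header.hex().upper()} "
              f"plaintext {plain.hex().upper()}")
    print("differing plaintext offsets:",
          changed_offsets(0x00, 0x80, new_key, 0x01))
```

Because the CRC is computed over the command header, changing KeyNo alters both the byte sent in the clear and the CRC inside the cryptogram, so the encrypted block has to be recomputed as well.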