Mifare Desfire EV1 ChangeKey returns Integrity Error (0x1E)

Forum / MIFARE and NFC Reader IC`s / Mifare Desfire EV1 ChangeKey returns Integrity Error (0x1E)

  • 8. February 2017 at 13:26

    I have been trying to get the ChangeKey command to work for my Desfire EV1/EV2 cards. I'm using the MFRC500 reader IC (same as my Pegoda 700 reader). I have followed the examples given in the AN094533 (DESFire EV1-Features and Hints p75) and other sources online (Ridrix blog). I tested my code on the data from these examples and I retrieve the same calculated CRC32, padding and encryption. The values given in NXP's RFIDDiscover log file also matches my own crc and encryption. Following steps are taken in my main code:

    Activate Card + Send RATS
    Select Application (AID 00 00 00)
    Authenticate AES

    Send: AA 00
    Answer: AF 0379CEA29D6ACFCD9EF3A673F7D12176

    RndA: E8A2B4332E899E58A07D8F643B04001D
    RndB: FC938C674669A65E6D437D8D2D58273F

    Send: AF 483EE515927EE8C97CD71711735CBD7EEE279BE2C59A8D85359A5231A19E0960
    Answer: 50DADDF04D37842AA908223DD9AFFD3F

    Sessionkey: E8A2B433FC938C673B04001D2D58273F

    => Authentication succes!


    Use case 2 for AES crypto mode, key to change is the same as the one used for authentication, keysettings1 = 0x0F (allow masterkey change).

    Key No: 00 (picc master key)
    Key version: 01

    Calculate CRC32 on cmd+keyno+newkey+keyversion: C4 00 B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF 01
    CRC32: B7EE5C9A

    Encrypt following data: B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF 01 B7EE5C9A 0000000000000000000000
    Encrypted: 968A4A8D9BCA0B0B50F9316AA8653EEE1C766828E2726B3667488BE4668D86CA

    Send: C400968A4A8D9BCA0B0B50F9316AA8653EEE1C766828E2726B3667488BE4668D86CA
    Answer: 1E

    => Integrity error: Wrong crc32/padding/cmac

    Using the RFIDDiscover tool, I am able to change the PICC master key. The values retrieved from the tool's log verify my own crc and ecryption calculations. Are there any other reasons that can cause an integrity error? Hardware related issues? Card related issues? Thanks for your help.

    + 0  |  - 0

    Re: Mifare Desfire EV1 ChangeKey returns Integrity Error (0x1E)

    9. February 2017 at 10:40

    KeyNo had to be set to 0x80. The 2 most-significant bits define the crypto mode of the new key, needed to be set to '10' for AES. The code example in the "EV1-Features and hints" and "EV2-Features and hints" define this parameter as 0x00.
    + 0  |  - 0

    Re: Mifare Desfire EV1 ChangeKey returns Integrity Error (0x1E)

    9. February 2017 at 15:13
    Hello Wouter,

    Integrity Error means that the CRC, MAC or the padding is wrong. If you use the RFIDdiscover tool you can check every step and re-calculate all intermediate values by hand. The complete log with these values can be found in the Log Window.

    The Taplinx team
    + 0  |  - 0
Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.