SL3 switch by command query

Forum / MIFARE general topics and applications / SL3 switch by command query

  • 31. January 2018 at 7:00
    We are following the process below to switch the card from SL1 to SL3, but we are getting 9000 in response rather than “90XX”.

    • FFA0000703010001 //Open Generic Session
    • FFA00005080100F3000064E08100 //Switching to ISO14443 part 4 (RATS)
    • MF Plus -> 70039000 //first authentication with block 0x9003
    • SAM -> 80A30D00190100C77036E3F7B3D58ED80C2633AAF2BEAD047B41FA69578000 //SAM_AuthenticateMFP Part-1
    • MF Plus -> FFA00005270100F3000064 72A12B6C318FE202076A3056DC6F7CC9B951257E8103DCE1535A64F660B7BEF4E2 //SAM_AuthenticateMFP Part-2
    • The above returns 9000 instead of 90xx...xx, where xx...xx = Ek(RndA').

    Could you please help us?



    Re: SL3 switch by command query

    1. February 2018 at 17:44
    Hi Tithi,
    I'd first like to understand the log you're pasting.
    I understand that you're operating MIFARE SAM AV2 in non-X-mode. Is that correct?

    Then, you authenticate to key 9003 with command 70039000.
    If the card that you're addressing is a MIFARE Plus S, SE or X, the command is correct. If the card is a MIFARE Plus EV1, then it is wrong.

    MIFARE Plus EV1 needs to have at least 1 byte of PCDCap, that is used to select between the Secure Messaging EV0 and EV1. If you'd like to address MIFARE Plus EV1, my advice would be to use the following command: 7003900100

    Then, you address SAM with the MFP authenticate command:
    80 A3 0D 00 19 0100C77036E3F7B3D58ED80C2633AAF2BEAD047B41FA69578000
    0D: Key derivation, SL3 derivation
    01: Key number
    00: Key version
    C77036E3F7B3D58ED80C2633AAF2BEAD: E(RndB)
    047B41FA695780: DivInput -> most likely the UID of the card
    00

    The next line displays the following:
    MF Plus -> FFA00005270100F3000064 72A12B6C318FE202076A3056DC6F7CC9B951257E8103DCE1535A64F660B7BEF4E2

    The part "72A12B6C318FE202076A3056DC6F7CC9B951257E8103DCE1535A64F660B7BEF4E2" is clearly the command of the Authenticate continue, where the 32 byte challenge RndA|RndB' is sent to the card, but the first part, FFA00005270100F3000064, I do not understand. What is this?

    Finally, what is the issue you're reporting? That the answer from the card to command AuthenticateContinue is just 9000h and does not include the extra bytes payload with TI, RndA', PDcap2 and PCDcap2 or that the execution of the second part of the SAM_AuthenticateMFP (80A30000...) answers with 9000?

    Re: SL3 switch by command query

    6. February 2018 at 8:49
    I understand that you're operating MIFARE SAM AV2 in non-X-mode. Is that correct?

    [Tithi] Yes

    Then, you authenticate to key 9003 with command 70039000.

    [Tithi] Yes

    If the card that you're addressing is a MIFARE Plus S, SE or X, the command is correct. If the card is a MIFARE Plus EV1, then it is wrong.

    [Tithi] It is MIFARE Plus X

    FFA00005270100F3000064 I do not understand. What is this?

    [Tithi] We are using an HID Omnikey 6321, which requires the Generic APDU wrapper to be used for non-ISO APDUs.

    Finally, what is the issue you're reporting? That the answer from the card to command AuthenticateContinue is just 9000h and does not include the extra bytes payload with TI, RndA', PDcap2 and PCDcap2 or that the execution of the second part of the SAM_AuthenticateMFP (80A30000...) answers with 9000?

    [Tithi] The issue is that the answer from the card to the command AuthenticateContinue is just 9000h and does not include the extra bytes payload with TI, RndA', PDcap2 and PCDcap2.

    Hope the above helps!


    Re: SL3 switch by command query

    12. February 2018 at 12:20
    Hi Tithi,
    When sending an authentication command to key 9003 in SL1 to a MIFARE Plus X, I do get an answer with correct TI, RndA', PDcap2 and PCDcap2 from the card. If you don't see that in your log, I'd recommend you take a look at your logging parser.
    Then, I guess that your real problem is that despite authenticating correctly with key 9003, your card is still in SL1. MIFARE Plus X enforces that changes of security level must be sequential, meaning SL0->SL1->SL2->SL3.
    You cannot authenticate to key 9003 in SL1 and expect to change to SL3. You need to authenticate first to 9002, switch to SL2 and then once you're already in SL2, authenticate with 9003 and switch to SL3.
    Hope this fixes your real issue.

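As an added example (not code from the thread or from NXP), the following Python decodes the APDUs quoted in the thread the way the second reply does by hand, checks whether an AuthenticateContinue response actually carries its encrypted payload, and encodes the sequential level-switch rule from the last reply. It assumes the HID Omnikey generic wrapper has the fixed shape seen in the log (FF A0 00 05 Lc 01 00 F3 00 00 64 <native command> [Le]) and that the response payload is E(TI|RndA'|PDcap2|PCDcap2) = 4+16+6+6 = 32 bytes.

```python
# Added example: decode the APDUs from the thread and check the AuthenticateContinue
# response. The Omnikey wrapper layout below is an assumption taken from the log.
OMNIKEY_CLA_INS = bytes.fromhex("FFA00005")
WRAPPER_HEADER = bytes.fromhex("0100F3000064")  # fixed prefix seen in the log (assumption)

def unwrap_omnikey(apdu: bytes) -> bytes:
    """Return the native command carried inside the Omnikey generic APDU wrapper."""
    if not apdu.startswith(OMNIKEY_CLA_INS):
        return apdu  # not wrapped: already a native MIFARE Plus command
    lc = apdu[4]
    body = apdu[5:5 + lc]
    if not body.startswith(WRAPPER_HEADER):
        raise ValueError("unexpected generic-wrapper header")
    return body[len(WRAPPER_HEADER):]

def decode_mfp_command(cmd: bytes) -> dict:
    """Decode the MIFARE Plus commands that appear in the log."""
    if cmd[0] == 0xE0:  # RATS: switch to ISO 14443-4
        return {"cmd": "RATS"}
    if cmd[0] == 0x70:  # First Authentication: key number (LSB first), PCDcap length, PCDcap
        pcdcap_len = cmd[3]
        return {"cmd": "FirstAuth", "key": int.from_bytes(cmd[1:3], "little"),
                "pcdcap": cmd[4:4 + pcdcap_len].hex()}
    if cmd[0] == 0x72:  # Authenticate Continue: E(RndA | RndB') is 32 bytes
        return {"cmd": "AuthContinue", "challenge": cmd[1:].hex(), "ok": len(cmd) == 33}
    return {"cmd": f"0x{cmd[0]:02X}"}

def decode_sam_auth_mfp(apdu: bytes) -> dict:
    """Split SAM_AuthenticateMFP part 1 (80 A3 P1 P2 Lc data Le) into its fields."""
    if apdu[:2] != bytes.fromhex("80A3"):
        raise ValueError("not a SAM_AuthenticateMFP APDU")
    data = apdu[5:5 + apdu[4]]  # key no, key version, E(RndB) 16 bytes, DivInput (UID)
    return {"p1": apdu[2], "key_no": data[0], "key_ver": data[1],
            "e_rndb": data[2:18].hex(), "div_input": data[18:].hex()}

def check_auth_continue_response(resp: bytes) -> str:
    """A successful 0x90 must carry E(TI|RndA'|PDcap2|PCDcap2): 4+16+6+6 = 32 bytes."""
    if resp[0] != 0x90:
        return f"card reported error 0x{resp[0]:02X}"
    n = len(resp) - 1
    if n == 32:
        return "ok: encrypted TI|RndA'|PDcap2|PCDcap2 present"
    return f"payload missing or truncated ({n} bytes, expected 32): check the log parser"

def switch_key_for(current_sl: int) -> int:
    """Level switches are sequential: key 0x9002 takes SL1 to SL2, 0x9003 takes SL2 to SL3."""
    return {1: 0x9002, 2: 0x9003}[current_sl]
```

Feeding the log's "9000" to check_auth_continue_response reports a missing payload, which is the symptom the last reply attributes to the logging parser rather than to the card.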