Trouble with GetCardUID


  • 2. May 2018 at 3:35
    Hello everyone. I am working with a DESFire EV1 card and have some trouble with the GetCardUID command. No matter what I have tried, I cannot correctly decrypt the response from the card.

    I am trying the following:


    -- Select App
    SEND : 5a 00 00 00
    GOT : 91 00

    -- Authenticate with the default 2K3DES key 0
    SEND : 1a 00
    GOT : db 33 0e 57 8c c8 c1 51 91 af
    RndB : 8b d1 d0 a3 30 5f bc 4c (decrypted)
    RndA : 43 db 12 62 de 8b bd 6e (generated)
    SEND : af 5c 71 49 21 d7 04 40 c2 3e 6a 8b 46 2e bd 62 6a
    GOT : f0 e8 33 22 5a cc 6f 55 91 00
    (Decrypted and matching RndA)

    Calculated:
    Session Key : 42 da 12 62 8a d0 d0 a2 de 8a bc 6e 30 5e bc 4c (Filled parity bits with 0)
    CMAC K1 : 37 74 f5 a3 08 b9 36 a5
    CMAC K2 : 6e e9 eb 46 11 72 6d 4a

    -- Get card UID
    SEND : 5x (GetCardUID)
    GOT : 46 99 76 f2 18 55 0d 46 fc 16 65 8f 23 fc 46 ae 91 00

    To decrypt this, I first calculate the CMAC over the data sent in order to update the session IV

    I pad the INS to block-size : 5x 80 00 00 00 00 00 00
    (Then I xor to K2, since it was padded, and encrypt using the session key, using a blank IV)
    I calculated CMAC (and set the new IV) : 80 00 0e cc 1c f4 1c ff

    Then I try to decrypt the response using the session key and the above IV:
    Input: 46 99 76 f2 18 55 0d 46 fc 16 65 8f 23 fc 46 ae
    Key: 42 da 12 62 8a d0 d0 a2 de 8a bc 6e 30 5e bc 4c
    IV: 80 00 0e cc 1c f4 1c ff
    Output: 02 31 9d ca 67 9b 17 75 cf a8 01 ec 14 67 fd 00


    But it does not match the ID and of course the CRC does not match. Any ideas what could be wrong?
    + 0  |  - 0

    Re: Trouble with GetCardUID

    2. May 2018 at 10:40
    Hi Ioannis,

    please keep in mind that the command GetCardUID is only available if your card is configured to use a random UID in the anti-collision procedure.

    The TapLinx team

    + 0  |  - 0

    Re: Trouble with GetCardUID

    2. May 2018 at 12:38
    Oh, good to know. Indeed I haven't enabled random UID. I was thinking of using this command to debug the implementation of my crypto algorithm, since I am also getting integrity errors with the ChangeKey instruction...

    Thank you for your feedback.
    + 0  |  - 0

    Re: Trouble with GetCardUID

    3. May 2018 at 8:44
    Hi Ioannis,

    as a recommendation: there is an application note with calculated examples for change key and encrypted communication. It is helpful to verify your implementation. You can obtain it via NXP DocStore:

    “AN 0945 – MIFARE DESFire EV1 – Features and Hints”.

    The TapLinx team
    + 0  |  - 0

    Re: Trouble with GetCardUID

    3. May 2018 at 21:35
    Thank you for your feedback!

    Apparently I was wrongly assuming that the default key on the blank card was a 2K3DES key, and this led me to compute the session key using the 2K3DES approach instead of the DES approach. Now I am back on track :)

    And, by the way, the GetCardUID now returns the correct card ID (that matches the ID that I received during a passive handshake) even though I haven't enabled random UID on the card.
    + 0  |  - 0
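
The DES versus 2K3DES session key layouts mentioned in the post above, as an added example that is not part of the original thread and is not NXP or TapLinx code. It uses the RndA and RndB values from the first post; the function names are hypothetical, and two things are assumptions: that the blank-card default key is 16 zero bytes, and that a 16-byte key whose halves are identical is handled as single DES.

```python
"""Legacy DESFire authentication: session key layout for DES vs 2K3DES."""


def clear_parity(key: bytes) -> bytes:
    # Zero the least significant bit of every byte, as the first post
    # does ("Filled parity bits with 0"). DES ignores these bits.
    return bytes(b & 0xFE for b in key)


def is_single_des(card_key: bytes) -> bool:
    # Assumption: a 16-byte key with identical halves is treated as DES.
    if len(card_key) != 16:
        raise ValueError("expected a 16-byte DES/2K3DES key")
    return card_key[:8] == card_key[8:]


def session_key(card_key: bytes, rnd_a: bytes, rnd_b: bytes) -> bytes:
    if len(rnd_a) != 8 or len(rnd_b) != 8:
        raise ValueError("RndA and RndB must be 8 bytes each")
    if is_single_des(card_key):
        # DES: only the first halves of RndA and RndB are used. The
        # 8-byte key is repeated so a 3DES routine (K1 == K2) can run it.
        half = rnd_a[:4] + rnd_b[:4]
        return clear_parity(half + half)
    # 2K3DES: the second halves of RndA and RndB form K2.
    return clear_parity(rnd_a[:4] + rnd_b[:4] + rnd_a[4:] + rnd_b[4:])


# Values taken from the first post of the thread.
RND_A = bytes.fromhex("43db1262de8bbd6e")
RND_B = bytes.fromhex("8bd1d0a3305fbc4c")

DEFAULT_KEY = bytes(16)             # assumption: blank-card default key
TWO_KEY_SAMPLE = bytes(range(16))   # constructed key with distinct halves

if __name__ == "__main__":
    for name, key in (("default", DEFAULT_KEY), ("2K3DES", TWO_KEY_SAMPLE)):
        mode = "DES" if is_single_des(key) else "2K3DES"
        print(f"{name:8} {mode:7} {session_key(key, RND_A, RND_B).hex(' ')}")
```

With the constructed two-key sample the output reproduces the session key listed in the first post; with the all-zero key the second half of the session key differs, so every CMAC and CBC step computed from it differs as well.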

    Re: Trouble with GetCardUID

    4. May 2018 at 15:39
    Hi Ioannis,

    You are right! This command works in both cases and the datasheet is wrong. It is fixed in the next release.

    Thank you,
    The TapLinx team

    + 0  |  - 0