Forum Replies Created

  • Re: Reply To: SL3 switch by command query

    12. February 2018 at 12:20
    in reply to: SL3 switch by command query
    Hi Tithi,
    When sending an authentication command to key 9003 in SL1, to a MIFARE Plus X, I do get an answer with correct TI, RndA', PDcap2 and PCDcap2 from the card. If you don't see that in your log, I'd recommend that you take a look at your logging parser.
    Then, I guess that your real problem is that despite authenticating correctly with key 9003, your card is still in SL1. MIFARE Plus X enforces that changes of security level must be sequential, meaning SL0->SL1->SL2->SL3.
    You cannot authenticate to key 9003 in SL1 and expect to change to SL3. You need to authenticate first to 9002, switch to SL2 and then once you're already in SL2, authenticate with 9003 and switch to SL3.
    Hope this fixes your real issue.

    + 0  |  - 0

    Re: Reply To: SL3 switch by command query

    1. February 2018 at 17:44
    in reply to: SL3 switch by command query
    Hi Tithi,
    I'd first like to understand the log you're pasting.
    I understand that you're operating MIFARE SAM AV2 in non-X-mode. Is that correct?

    Then, you authenticate to key 9003 with command 70039000.
    If the card that you're addressing is a MIFARE Plus S, SE or X, the command is correct. If the card is a MIFARE Plus EV1, then it is wrong.

    MIFARE Plus EV1 needs to have at least 1 byte of PCDCap, which is used to select between the Secure Messaging EV0 and EV1. If you'd like to address MIFARE Plus EV1, my advice would be to use the following command: 7003900100

    Then, you address SAM with the MFP authenticate command:
    80 A3 0D 00 19 0100C77036E3F7B3D58ED80C2633AAF2BEAD047B41FA69578000
    0D: Key derivation, SL3 derivation
    01: Key number
    00: Key version
    C77036E3F7B3D58ED80C2633AAF2BEAD: E(RndB)
    047B41FA695780: DivInput -> most likely the UID of the card

    The next line displays the following:
    MF Plus -> FFA00005270100F3000064 72A12B6C318FE202076A3056DC6F7CC9B951257E8103DCE1535A64F660B7BEF4E2

    The part "72A12B6C318FE202076A3056DC6F7CC9B951257E8103DCE1535A64F660B7BEF4E2" is clearly the command of the Authenticate continue where the 32 byte challenge RndA|RndB' is sent to the card, but the first part, FFA00005270100F3000064 I do not understand. What is this?

    Finally, what is the issue you're reporting? That the answer from the card to command AuthenticateContinue is just 9000h and does not include the extra bytes payload with TI, RndA', PDcap2 and PCDcap2 or that the execution of the second part of the SAM_AuthenticateMFP (80A30000...) answers with 9000?
    + 0  |  - 0
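The field breakdown in the reply above can be checked mechanically. The following parser is an added example, not part of the original posts or of any NXP tooling; it splits the quoted SAM command and the two card-level authenticate commands into the fields the reply names. It assumes a short APDU layout (Lc, data, one trailing Le byte) and that the byte after the key number in the card command is the PCDcap length; the function and class names are hypothetical.

```python
from dataclasses import dataclass

# Hex strings copied from the post above.
SAM_APDU = "80 A3 0D 00 19 0100C77036E3F7B3D58ED80C2633AAF2BEAD047B41FA69578000"
CARD_CMD_S_X = "70039000"      # MIFARE Plus S, SE or X
CARD_CMD_EV1 = "7003900100"    # MIFARE Plus EV1, one PCDcap byte


@dataclass
class SamAuthMfp:
    p1: int            # 0D in the post: key derivation, SL3 derivation
    key_no: int
    key_ver: int
    enc_rnd_b: bytes   # E(RndB), 16 bytes
    div_input: bytes   # diversification input, most likely the card UID


def parse_sam_auth_mfp(hex_apdu: str) -> SamAuthMfp:
    raw = bytes.fromhex(hex_apdu.replace(" ", ""))
    if len(raw) < 5 or raw[:2] != b"\x80\xA3":
        raise ValueError("not an 80 A3 command APDU")
    lc, body = raw[4], raw[5:]
    # Assumption: short APDU with Lc data bytes followed by one Le byte.
    if len(body) != lc + 1:
        raise ValueError(f"Lc says {lc} data bytes, found {len(body) - 1}")
    data = body[:lc]
    if lc < 18:
        raise ValueError("data too short for key number, version and E(RndB)")
    return SamAuthMfp(raw[2], data[0], data[1], data[2:18], data[18:])


def parse_card_auth(hex_cmd: str) -> tuple[int, bytes]:
    raw = bytes.fromhex(hex_cmd)
    if len(raw) < 4 or raw[0] != 0x70:
        raise ValueError("not a 70 authenticate command")
    key_block = int.from_bytes(raw[1:3], "little")  # 03 90 -> 9003
    # Assumption: byte 3 is the PCDcap length, the rest is PCDcap itself.
    if len(raw[4:]) != raw[3]:
        raise ValueError("PCDcap length byte does not match payload")
    return key_block, raw[4:]


if __name__ == "__main__":
    print(parse_sam_auth_mfp(SAM_APDU))
    for cmd in (CARD_CMD_S_X, CARD_CMD_EV1):
        key, caps = parse_card_auth(cmd)
        print(f"{cmd}: key {key:04X}, PCDcap bytes: {len(caps)}")
```

A length mismatch raises `ValueError` instead of returning shifted fields, which is the kind of check a logging parser needs before its output is trusted.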