NFC: Certain DESFire cards cannot be read #3168

Closed
gsurkov opened this issue Oct 27, 2023 · 16 comments
Labels
Bug NFC NFC-related

Comments

@gsurkov
Member

gsurkov commented Oct 27, 2023

Describe the bug.

According to @noproto's data, two MF DESFire EV2 cards cannot be read. Attempting to read them also leads to abnormal application behaviour.

Original posts:

More info is available in the discussion thread of #3050.

UPDATE: Most likely happening only with HID-branded cards due to additional protocol extensions.

Reproduction

The bug could not be reproduced by any of the devs.

UPDATE: Waiting for HID cards to become available for testing (ETA: 2w...1mo)

Target

No response

Logs

No response

Anything else?

No response

@gsurkov gsurkov added NFC NFC-related Bug labels Oct 27, 2023
@sodoku

sodoku commented Oct 30, 2023

Not sure if it's the same issue, but I can't read one of my DESFire cards with 0.94.1-rc; it hangs. It works fine with 0.93.

The log says:

311686 [D][ST25TBPoller] error during trx: 2
311719 [D][Nfc] FWT Timeout
311744 [D][Nfc] FWT Timeout
311769 [D][Nfc] FWT Timeout
311821 [D][Nfc] FWT Timeout
311849 [D][Nfc] FWT Timeout
311851 [D][ST25TBPoller] error during trx: 2
311920 [D][Nfc] FWT Timeout
311945 [D][Nfc] FWT Timeout
312008 [D][Nfc] FWT Timeout
312047 [D][Nfc] FWT Timeout
312049 [D][ST25TBPoller] error during trx: 2
312074 [D][NfcScanner] Found 4 children
312131 [D][Nfc] FWT Timeout
312133 [D][Nfc] FWT Timeout
312167 [D][Nfc] FWT Timeout
312200 [D][Iso14443_4aPoller] Read ATS success
312221 [I][NfcScanner] Detected 1 protocols
312353 [D][Iso14443_4aPoller] Read ATS success
312360 [D][MfDesfirePoller] Read version success
312365 [D][MfDesfirePoller] Read free memory success
312368 [D][MfDesfirePoller] Read master key settings success
312372 [D][MfDesfirePoller] Read master key version success
312376 [D][MfDesfirePoller] Read application ids success
312381 [E][MfDesfirePoller] Failed to read applications
312384 [D][Nfc] FWT Timeout
312386 [D][Nfc] FWT Timeout
312489 [D][Nfc] FWT Timeout

@skotopes
Member

Yep, we received those cards; they clearly differ from the standard ones. We'll include a fix in the next release.

@noproto
Contributor

noproto commented Oct 31, 2023

Good morning! Sorry, I've been under the weather and missed a few updates. I did want to drop in and confirm that my DESFire cards are HID-branded. I wasn't aware HID branded DESFire EV2 cards were different from "standard" DESFire EV2 cards, but that certainly sounds correct.

@Jupiops

Jupiops commented Nov 1, 2023

I have an NXP MIFARE DESFire EV2 that, in some rare cases, gets read successfully by the Flipper Zero as ISO 14443-4A (Unknown), but 90% of the time it just hangs in Reading card, Don't move.... The card is a Danish public transport card called Rejsekort.

Here is the proxmark read log of the card:

[usb] pm3 --> hf mfdes info

[=] ---------------------------------- Tag Information ----------------------------------
[+]               UID: 04 32 25 8A DE 0F 90 
[+]      Batch number: CF 5D 14 41 60 
[+]   Production date: week 44 / 2021
[+]      Product type: MIFARE DESFire native IC (physical card)

[=] --- Hardware Information
[=]    raw: 04010112001805
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x01
[=]        Subtype: 0x01
[=]        Version: 12.0 ( DESFire EV2 )
[=]   Storage size: 0x18 ( 4096 bytes )
[=]       Protocol: 0x05 ( ISO 14443-2, 14443-3 )

[=] --- Software Information
[=]    raw: 04010102011805
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x01
[=]        Subtype: 0x01
[=]        Version: 2.1
[=]   Storage size: 0x18 ( 4096 bytes )
[=]       Protocol: 0x05 ( ISO 14443-3, 14443-4 )

[=] --------------------------------- Card capabilities ---------------------------------

[=] --- Tag Signature
[=]  IC signature public key name: DESFire Ev2
[=] IC signature public key value: 04B304DC4C615F5326FE9383DDEC9AA8
[=]                              : 92DF3A57FA7FFB3276192BC0EAA252ED
[=]                              : 45A865E3B093A3D0DCE5BE29E92F1392
[=]                              : CE7DE321E3E5C52B3A
[=]     Elliptic curve parameters: NID_secp224r1
[=]              TAG IC Signature: 9BB3F701D053A9D5DCD871A0A0DD987C
[=]                              : F0F5C02AB5CA9012F858BC5F13B80FD3
[=]                              : 7EEC060589F9DBD725DB5F1CA6452CF5
[=]                              : 6CD05B42E5AF5F3D
[+]        Signature verification: successful

[+] --- AID list
[+] AIDs:  7d0005

[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 1 free memory 1024 bytes
[+] PICC level auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... YES
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] PICC level rights:
[+] [1...] CMK Configuration changeable   : YES
[+] [.0..] CMK required for create/delete : YES
[+] [..1.] Directory list access with CMK : NO
[+] [...1] CMK is changeable              : YES
[+] 
[+] Key: AES
[+] key count: 1
[+] PICC key 0 version: 1 (0x01)

[=] --- Free memory
[+]    Available free memory on card         : 1024 bytes

[=] Standalone DESFire

@bettse
Contributor

bettse commented Nov 11, 2023

I have a DESFire EV1 from KISI that also has the same infinite Reading card, Don't move.... Here are the logs:

6549766 [D][RpcGui] SendInputEvent
6549824 [D][RpcGui] SendInputEvent
6549833 [D][NfcScanner] Found 5 base protocols
6549841 [D][DolphinState] icounter 11, butthurt 0
6549884 [D][Nfc] FWT Timeout
6549905 [D][RpcGui] SendInputEvent
6549909 [D][ViewDispatcher] View changed while key press 2001CCC8 -> 2001CEB0. Sending key: OK, type: Release, sequence: 00000035 to previous view port
6549912 [D][Nfc] FWT Timeout
6549963 [D][Nfc] FWT Timeout
6549991 [D][Nfc] FWT Timeout
6549993 [D][ST25TBPoller] error during trx: 2
6550017 [D][NfcScanner] Found 4 children
6550074 [D][Nfc] FWT Timeout
6550077 [D][Nfc] FWT Timeout
6550110 [D][Nfc] FWT Timeout
6550144 [D][Iso14443_4aPoller] Read ATS success
6550176 [I][NfcScanner] Detected 1 protocols
6550303 [D][Iso14443_4aPoller] Read ATS success
6550311 [D][MfDesfirePoller] Read version success
6550314 [D][MfDesfirePoller] Read free memory success
6550318 [E][MfDesfirePoller] Failed to read master key settings
6550321 [D][Nfc] FWT Timeout
6550323 [D][Nfc] FWT Timeout
6550425 [D][Nfc] FWT Timeout
6550528 [D][Nfc] FWT Timeout
6550631 [D][Nfc] FWT Timeout
6550734 [D][Nfc] FWT Timeout
6550837 [D][Nfc] FWT Timeout
6550940 [D][Nfc] FWT Timeout
6551043 [D][Nfc] FWT Timeout
6551146 [D][Nfc] FWT Timeout

@LeeroysHub

Myki DESFire Mini 0.3K used to work before the refactor, but now the Myki public transport card won't read either. Stays on Reading card, Don't move. Don't have a proxmark to dump, unfortunately!

@skotopes
Member

skotopes commented Dec 7, 2023

@LeeroysHub fix is coming soon

@jkter

jkter commented Dec 18, 2023

With firmware 0.96.1 the problem with Reading card, Don't move... infinite loop still occurs.

According to my observations with several cards it seems that the infinite loop occurs when there is an application with unavailable key configuration present on the card.

I could read an empty card without any problems. After adding an application with a publicly unavailable key configuration (in my case 2N PICard), the Flipper gets stuck in an infinite loop while reading.

@skotopes
Member

@jkter probably the same issue, please wait until the fix is released

@gsp8181
Contributor

gsp8181 commented Dec 27, 2023

I've got a few other DESFire cards that don't work

Ola money (Mumbai Metro)
Rabbit (Bangkok Stored Value Card)
PTV Myki Card (Melbourne), this loops with or without the parser installed

@kautzz

kautzz commented Dec 29, 2023

Can confirm NXP DESFire EV3 stuck on „reading card don’t move…“ with fw version 0.97.1

Could check our BOM if knowing the exact part number of the NFC IC helps.

@skotopes
Member

@kautzz yep, we are working on it. Fix coming soon.

@gsp8181 do you have them? Can you check them with proxmark?

@gsp8181
Contributor

gsp8181 commented Dec 30, 2023

@skotopes sure thing, I've got 2 PTV cards and one of the others

@bobbylapointe-ops

Same problem here, with Xtreme or Momentum...

@gornekich
Member

The fix arrived in dev. Please, reopen the issue if the problem persists.

@pelrun

pelrun commented Sep 11, 2024

Just tried to read my PTV Myki card again after installing 1.0.1 and the behaviour is unchanged. Log shows reads constantly failing with the following error:

41589083 [E][MfDesfirePoller] Failed to read free memory

I've double-checked that the previous fix attempt made it into the release, and it appears it has, but mf_desfire_poller_read_free_memory() is returning with some other error code than MfDesfireErrorNotPresent so it still bombs out.
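
The logs posted in this thread stop at different MfDesfirePoller steps (applications, master key settings, free memory), each followed by a run of FWT timeouts. The script below is an added example, not part of the thread or of the firmware: it extracts the failing step and the timeouts that follow from a pasted log. The line pattern is inferred from the log lines quoted above, and the names `triage`, `Triage` and `SAMPLE_LOG` are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "<timestamp> [<level>][<tag>] <message>", inferred from the logs quoted in this thread
LINE_RE = re.compile(r"^(\d+) \[([A-Z])\]\[(\w+)\] (.*)$")

# Constructed sample: the tail of the first log posted in this thread
SAMPLE_LOG = """\
312353 [D][Iso14443_4aPoller] Read ATS success
312360 [D][MfDesfirePoller] Read version success
312365 [D][MfDesfirePoller] Read free memory success
312368 [D][MfDesfirePoller] Read master key settings success
312372 [D][MfDesfirePoller] Read master key version success
312376 [D][MfDesfirePoller] Read application ids success
312381 [E][MfDesfirePoller] Failed to read applications
312384 [D][Nfc] FWT Timeout
312386 [D][Nfc] FWT Timeout
312489 [D][Nfc] FWT Timeout
"""

@dataclass
class Triage:
    completed: List[str] = field(default_factory=list)  # steps that logged success
    failed_step: Optional[str] = None                   # first step that logged an error
    timeouts_after: int = 0                             # FWT timeouts logged after it
    stall_span: int = 0                                 # failure to last timeout, log units

def triage(log: str) -> Triage:
    """Find the first failing MfDesfirePoller step and the timeouts that follow it."""
    result, fail_stamp = Triage(), None
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or truncated lines
        stamp, level, tag, msg = int(m[1]), m[2], m[3], m[4]
        if fail_stamp is None and tag == "MfDesfirePoller":
            if msg.startswith("Read ") and msg.endswith(" success"):
                result.completed.append(msg[len("Read "):-len(" success")])
            elif level == "E" and msg.startswith("Failed to read "):
                result.failed_step = msg[len("Failed to read "):]
                fail_stamp = stamp
        elif fail_stamp is not None and tag == "Nfc" and msg == "FWT Timeout":
            result.timeouts_after += 1
            result.stall_span = stamp - fail_stamp
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Reporting the failing step together with the completed ones makes it easier to compare cards that stall at different points in the read sequence.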
