Question

I'm trying to authenticate with a DESFire EV1 card, but the card doesn't reply. Before trying to authenticate, I've just formatted the card and created a new application, selected the new application and need to authenticate before creating a file.

Here's the communication from format to fail:

Format card to start over
bsp_mifare --> 0b 01 90 fc 00 00 00 (tranceive, 56 bits)
bsp_mifare <-- fa 01 01 (24 bits)
bsp_mifare --> fa 01 01 (tranceive, 24 bits)
bsp_mifare <-- fa 01 01 (24 bits)
bsp_mifare --> fa 01 01 (tranceive, 24 bits)
bsp_mifare <-- fa 01 01 (24 bits)
bsp_mifare --> fa 01 01 (tranceive, 24 bits)
bsp_mifare <-- fa 01 01 (24 bits)
bsp_mifare --> fa 01 01 (tranceive, 24 bits)
bsp_mifare <-- fa 01 01 (24 bits)
bsp_mifare --> fa 01 01 (tranceive, 24 bits)
bsp_mifare <-- 0b 01 91 00 (32 bits)
bsp_mifare --> 0a 01 90 0a 00 00 01 00 00 (tranceive, 72 bits)
bsp_mifare <-- 0a 01 ad 51 73 29 dc 6e 33 cf 91 af (96 bits)
bsp_mifare --> 0b 01 90 af 00 00 10 2e 4a 13 9c a9 d4 23 61 25 28 48 ce 2c 73 2c 70 00 (tranceive, 192 bits)
bsp_mifare <-- 0b 01 fc 25 2e 4f 00 c3 86 e8 91 00 (96 bits)
Create application with default AES key
bsp_mifare --> 0a 01 90 ca 00 00 05 33 22 11 0b 84 00 (tranceive, 104 bits)
bsp_mifare <-- 0a 01 91 00 (32 bits)
Select application...
bsp_mifare --> 0b 01 90 5a 00 00 03 33 22 11 00 (tranceive, 88 bits)
bsp_mifare <-- 0b 01 91 00 (32 bits)
Authenticate...
bsp_mifare --> 0a 01 90 aa 00 00 01 00 00 (tranceive, 72 bits)
bsp_mifare <-- (0 bits)
bsp_mifare --> 0a 01 90 aa 00 00 01 00 00 (tranceive, 72 bits)
bsp_mifare <-- (0 bits)
Failed to authenticate with null AES key: 0x00

If I try to authenticate with an invalid key number (e.g. 6 when num_keys is 4), I do get a "no such key" reply, so the card is at least partly understanding my request.

So my question is, what's wrong with this "start of authentication" command:

bsp_mifare --> 0a 01 90 aa 00 00 01 00 00 (tranceive, 72 bits)

(The data shown is the raw data, including wrapping. The actual native command is "aa 00").


Solution

Turns out this was a hardware failure: the AES commands need more power than the DES/Crypto1 ones (50% more), which the antenna failed to deliver at the reading range I was testing with. Moving the card closer fixed the problem.
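
For reading a trace like the one in the question, the following decoder is an added example, not part of the original post. It assumes the frames are ISO 14443-4 blocks (PCB, optional CID/NAD) carrying DESFire commands in ISO 7816-4 wrapping (CLA 0x90, status bytes 0x91 xx); the function names are hypothetical.

```python
# Added example: unwrap raw frames from the trace into native DESFire form.
# Assumption: ISO 14443-4 block prologue + DESFire ISO 7816-4 wrapping.
NATIVE_CMDS = {  # native command codes that appear in the trace
    0xFC: "FormatPICC", 0x0A: "Authenticate", 0xAA: "AuthenticateAES",
    0xAF: "AdditionalFrame", 0xCA: "CreateApplication",
    0x5A: "SelectApplication",
}

def split_block(raw):
    """Strip the ISO 14443-4 prologue and return (block kind, payload)."""
    pcb = raw[0]
    top = pcb & 0xC0
    offset = 1 + (1 if pcb & 0x08 else 0)        # CID byte follows the PCB
    if top == 0x00:
        kind = "I"
        offset += 1 if pcb & 0x04 else 0         # NAD byte (I-blocks only)
    elif top == 0x80:
        kind = "R"
    elif top == 0xC0:
        # S-block: bits 0x30 set means waiting time extension (WTX)
        kind = "S(WTX)" if pcb & 0x30 == 0x30 else "S"
    else:
        kind = "reserved"
    return kind, raw[offset:]

def decode(hex_frame, to_card):
    """Decode one frame; to_card=True for '-->' lines, False for '<--'."""
    raw = bytes.fromhex(hex_frame)
    if not raw:
        return ("no reply",)                     # the "(0 bits)" case
    kind, body = split_block(raw)
    if kind != "I":
        return (kind, body.hex(" "))             # e.g. WTX multiplier
    if to_card:
        if body[0] != 0x90:
            raise ValueError("not a wrapped DESFire APDU")
        ins = body[1]
        # CLA INS P1 P2 [Lc data] Le: five bytes means no data field
        data = body[5:5 + body[4]] if len(body) > 5 else b""
        native = (bytes([ins]) + data).hex(" ")
        return (NATIVE_CMDS.get(ins, "unknown"), native)
    if len(body) < 2 or body[-2] != 0x91:
        raise ValueError("missing 0x91 status prefix")
    return ("status", body[-1], body[:-2].hex(" "))

if __name__ == "__main__":
    print(decode("0a 01 90 aa 00 00 01 00 00", True))
    print(decode("fa 01 01", False))
```

Decoded this way, the repeated `fa 01 01` exchanges during the format are waiting time extension requests and acknowledgements, and the failing authenticate frame unwraps to the native `aa 00` stated in the question.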

Licensed under: CC-BY-SA with attribution