# 13.10.2020 // DESFire Protocol

**[LibLogicalAccess](https://github.com/islog/liblogicalaccess)**
> We need to take a look at this, since it can do what we want


## Links
- [KeySettings](https://developer.fidesmo.com/documentation/desfire-implementation)
- [MIFARE DESFire EV2 Datasheet](https://www.nxp.com/docs/en/data-sheet/MF3DX2_MF3DHX2_SDS.pdf)
- [MIFARE DESFire EV1 Datasheet](https://www.nxp.com/docs/en/data-sheet/MF3ICDX21_41_81_SDS.pdf)
- [Philips DesFire Tool Manual](http://13.209.45.252/pdf/download.php?id=5dccfb20a6e931d4e5f6d4f397b7cba9e73567&type=P&term=DESFire)
- [DesFire for Python Docs](https://desfire.readthedocs.io/en/stable/readme.html)
- [DesFire for Python Code](https://github.com/miohtama/desfire)
- [MIFARE ISO/IEC 14443 Spec](https://www.nxp.com/docs/en/application-note/AN10834.pdf)
- [Ridrix DesFire Commands](https://ridrix.wordpress.com/tag/desfire-commands/)
- [DesFire Missing Native Commands Forum](https://www.mifare.net/support/forum/topic/native-commands-sending-to-mifare-desfire-ev1/)
- [ISO 7816-4](https://cardwerk.com/smart-card-standard-iso7816-4-section-9-application-independent-card-services/)
- [MIFARE DESFire as Type 4 Tag](https://www.nxp.com/docs/en/application-note/AN11004.pdf)
- [ISO/IEC7816-4](http://www.unsads.com/specs/ISO/7816/ISO7816-4.pdf)
- [MIFARE DESFire Short Spec](https://www.plastikkartenmonster.de/images/datenblaetter/datenblatt-nxp-mifare-desfire-d40.pdf)
- [libfreefare](https://github.com/nfc-tools/libfreefare)
- [DESFire Proof-of-Concept](https://icedev.pl/blog/over-the-air-nfc-services-mifare/)
- [DESFire Client](https://github.com/icedevml/ota-nfc-client)
- [DESFire Server](https://github.com/icedevml/ota-nfc-server)
- [DESFire Application Bytes](http://read.pudn.com/downloads134/ebook/572228/M306_Mifare_DESFire_Func_V1.pdf)
- [DESFire Java App](https://github.com/jekkos/android-hce-desfire/blob/master/hceappletdesfire/src/main/java/net/jpeelaer/hce/desfire/ValueRecord.java)
- [DESFire Arduino Project](https://www.codeproject.com/Articles/1096861/DIY-electronic-RFID-Door-Lock-with-Battery-Backup)
- [Communication examples](https://stackoverflow.com/questions/38283998/desfire-ev1-communication-examples)
<br><br>
- **[DESFire Lib from JavaCardOS](https://github.com/JavaCardOS/pyResMan/blob/master/pyResMan/DESFireEx.py)**
- DESFire commands are only available under NDA.
<br><br>
- [DESFire EV2 Error Code Forum](https://www.mifare.net/support/forum/topic/mifare-desfire-ev2-authenticate-with-6a81-response/)
- [Response Codes](https://www.eftlab.com/knowledge-base/complete-list-of-apdu-responses/)
- [MIFARE DESFire Application](https://scancode.ru/upload/iblock/de4/mifare_application_programming_guide_for_desfire_rev.e.pdf)
- [DESFire Authentication](https://www.linkedin.com/pulse/mifare-desfire-introduction-david-coelho)
- [DESFire Light Authentication MIFARE Spec](https://www.nxp.com/docs/en/data-sheet/MF2DLHX0.pdf)
- [Philips DESFire Training](http://read.pudn.com/downloads134/ebook/572228/M306_Mifare_DESFire_Func_V1.pdf)
- [Mifare Application Dir](https://www.nxp.com/docs/en/application-note/AN10787.pdf)

- [DESFire Door Lock](https://www.codeproject.com/Articles/1096861/DIY-electronic-RFID-Door-Lock-with-Battery-Backup)
- [DESFire Auth 2K3DES](https://stackoverflow.com/questions/14117025/des-send-and-receive-modes-for-desfire-authentication)
- [Easypay DESFire Lib](https://github.com/nceruchalu/easypay/blob/master/mifare/mifare.c) - very useful

## Bytes

### APDU Commands

- SELECT = 00 a4 04 00 07 d2 76 00 00 85 01 00 00
- VERSION = 90 60 00 00 00
- CONTINUE = 90 AF 00 00 00

### APDU Responses
APDU responses will first contain the data followed by two status bytes.

- FRAME_CONTINUE = 91 AF
- OPERATION_OK = 91 00
- OK = 90 00
- INIT = ??
- VERSION 1 = 04 01 01 01 00 1a 05
- VERSION 2 = 04 01 01 01 03 1a 05
- VERSION 3 = 04 91 3a 29 93 26 80 00 00 00 00 00 39 08

### Instructions DESFire (used inside APDU)
CLA = 0x90
APDU structure -> ISO/IEC 7816-4
Commands       -> DESFire

- 0x0A = AUTHENTICATE
- 0x1A = AUTHENTICATE_ISO
- 0xAA = AUTHENTICATE_AES
- 0x71 = AUTHENTICATE_EV2_FIRST (EV2 only)
- 0x77 = AUTHENTICATE_EV2_NONFIRST (EV2 only)
- 0x54 = CHANGE_KEY_SETTINGS
- 0x5C = SET_CONFIGURATION
- 0xC4 = CHANGE_KEY
- 0x?? = CHANGE_KEY_EV2 (EV2 only)
- 0x?? = INITIALIZE_KEY_SET (EV2 only)
- 0x?? = FINALIZE_KEY_SET (EV2 only)
- 0x?? = ROLL_KEY_SET (EV2 only)
- 0x64 = GET_KEY_VERSION
- 0xCA = CREATE_APPLICATION
- 0x?? = CREATE_DELEGATED_APPLICATION (EV2 only)
- 0xDA = DELETE_APPLICATION
- 0x6A = GET_APPLICATION_IDS
- 0x6E = FREE_MEMORY
- 0x6D = GET_DF_NAMES
- 0x?? = GET_DELEGATED_INFO (EV2 only)
- 0x45 = GET_KEY_SETTINGS
- 0x5A = SELECT_APPLICATION
- 0xFC = FORMAT_PICC
- 0x60 = GET_VERSION
- 0x51 = GET_CARD_UID
- 0x6F = GET_FILE_IDS
- 0xF5 = GET_FILE_SETTINGS
- 0x5F = CHANGE_FILE_SETTINGS
- 0xCD = CREATE_STDDATAFILE
- 0xCB = CREATE_BACKUPDATAFILE
- 0xCC = CREATE_VALUE_FILE
- 0xC1 = CREATE_LINEAR_RECORD_FILE
- 0xC0 = CREATE_CYCLIC_RECORD_FILE
- 0x?? = CREATE_TRANSACTION_MAC_FILE (EV2 only)
- 0xDF = DELETE_FILE
- 0x61 = GET_ISO_FILE_IDS
- 0xBD = READ_DATA (sometimes also described as 0x8D)
- 0x3D = WRITE_DATA
- 0x6C = GET_VALUE
- 0x0C = CREDIT
- 0xDC = DEBIT
- 0x1C = LIMITED_CREDIT
- 0x3B = WRITE_RECORD
- 0xBB = READ_RECORDS
- 0xEB = CLEAR_RECORD_FILE
- 0x?? = UPDATE_RECORD_FILE
- 0xC7 = COMMIT_TRANSACTION
- 0xA7 = ABORT_TRANSACTION
- 0xAF = CONTINUE
- 0x?? = COMMIT_READER_ID (EV2 only)

### Instructions ISO/IEC 7816-4 (native, but supported by DESFire)
CLA = 0x00
APDU structure -> ISO/IEC 7816-4
Commands       -> ISO/IEC 7816-4

- 0xA4 = SELECT FILE
- 0xB0 = READ BINARY
- 0xD6 = UPDATE BINARY
- 0xB2 = READ RECORDS
- 0xE2 = APPEND RECORD
- 0x84 = GET CHALLENGE
- 0x88 = INTERNAL AUTHENTICATE
- 0x82 = EXTERNAL AUTHENTICATE

### Instruction ISO 14443-3

### Status Codes

From https://github.com/JavaCardOS/pyResMan/blob/master/pyResMan/DESFireEx.py#L54,
which has it from https://github.com/jekkos/android-hce-desfire/blob/master/hceappletdesfire/src/main/java/net/jpeelaer/hce/desfire/DesfireStatusWord.java

- 0x00 = OPERATION_OK Successful operation
- 0x0C = NO_CHANGES No changes done to backup files, CommitTransaction / AbortTransaction not necessary
- 0x0E = OUT_OF_EEPROM_ERROR Insufficient NV-Memory to complete command
- 0x1C = ILLEGAL_COMMAND_CODE Command code not supported
- 0x1E = INTEGRITY_ERROR CRC or MAC does not match data. Padding bytes not valid
- 0x40 = NO_SUCH_KEY Invalid key number specified
- 0x7E = LENGTH_ERROR Length of command string invalid
- 0x9D = PERMISSION_DENIED Current configuration / status does not allow the requested command
- 0x9E = PARAMETER_ERROR Value of the parameter(s) invalid
- 0xA0 = APPLICATION_NOT_FOUND Requested AID not present on PICC
- 0xA1 = APPL_INTEGRITY_ERROR Unrecoverable error within application, application will be disabled
- 0xAE = AUTHENTICATION_ERROR Current authentication status does not allow the requested command
- 0xAF = ADDITIONAL_FRAME Additional data frame is expected to be sent
- 0xBE = BOUNDARY_ERROR Attempt to read/write data from/to beyond the file's/record's limits. Attempt to exceed the limits of a value file.
- 0xC1 = PICC_INTEGRITY_ERROR Unrecoverable error within PICC, PICC will be disabled
- 0xCA = COMMAND_ABORTED Previous command was not fully completed. Not all frames were requested or provided by the PCD
- 0xCD = PICC_DISABLED_ERROR PICC was disabled by an unrecoverable error
- 0xCE = COUNT_ERROR Number of Applications limited to 28, no additional CreateApplication possible
- 0xDE = DUPLICATE_ERROR Creation of file/application failed because file/application with same number already exists
- 0xEE = EEPROM_ERROR Could not complete NV-write operation due to loss of power, internal backup/rollback mechanism activated
- 0xF0 = FILE_NOT_FOUND Specified file number does not exist
- 0xF1 = FILE_INTEGRITY_ERROR Unrecoverable error within file, file will be disabled
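
An added example (not code from the linked libraries or from the author of these notes) showing how the wrapped commands and status bytes above fit together: it builds CLA 0x90 APDUs, splits a response into data and status, and follows 91 AF with CONTINUE until 91 00. The names `wrap`, `split_response`, `transceive_all` and `FakeCard` are hypothetical; the card is a constructed stand-in that replays the three VERSION frames listed earlier.

```python
# Added example; byte values come from these notes, FakeCard is constructed.
STATUS = {0x00: "OPERATION_OK", 0x1C: "ILLEGAL_COMMAND_CODE", 0x7E: "LENGTH_ERROR",
          0x9D: "PERMISSION_DENIED", 0xAE: "AUTHENTICATION_ERROR", 0xAF: "ADDITIONAL_FRAME"}
GET_VERSION, CONTINUE = 0x60, 0xAF

class DesfireError(Exception):
    """Raised for malformed responses and non-OK status bytes."""

def wrap(ins, data=b""):
    """ISO 7816-4 wrapped native command: CLA=0x90, INS, P1=P2=0, [Lc data], Le=0."""
    if len(data) > 255:
        raise ValueError("a short APDU carries at most 255 data bytes")
    body = bytes([len(data)]) + data if data else b""
    return bytes([0x90, ins, 0x00, 0x00]) + body + b"\x00"

def split_response(resp):
    """Data comes first, then SW1 SW2; a wrapped DESFire status has SW1 = 0x91."""
    if len(resp) < 2:
        raise DesfireError("response shorter than the two status bytes")
    if resp[-2] != 0x91:
        raise DesfireError(f"status {resp[-2]:02X} {resp[-1]:02X} is not a 91xx status")
    return resp[:-2], resp[-1]

def transceive_all(send, ins, data=b"", max_frames=16):
    """Send one command, answer 91 AF with CONTINUE, stop at 91 00 (bounded loop)."""
    frames, apdu = [], wrap(ins, data)
    for _ in range(max_frames):
        payload, status = split_response(send(apdu))
        frames.append(payload)
        if status == 0x00:
            return frames
        if status != 0xAF:
            raise DesfireError(STATUS.get(status, f"UNKNOWN_{status:02X}"))
        apdu = wrap(CONTINUE)
    raise DesfireError("card kept requesting frames; giving up")

class FakeCard:
    """Constructed card model: replays the VERSION 1..3 frames from the notes."""
    FRAMES = [bytes.fromhex("04 01 01 01 00 1a 05"), bytes.fromhex("04 01 01 01 03 1a 05"),
              bytes.fromhex("04 91 3a 29 93 26 80 00 00 00 00 00 39 08")]
    def __init__(self):
        self.queue = []
    def send(self, apdu):
        if apdu == wrap(GET_VERSION):
            self.queue = list(self.FRAMES)
        elif apdu != wrap(CONTINUE) or not self.queue:
            return bytes([0x91, 0x1C])  # anything else: ILLEGAL_COMMAND_CODE
        frame = self.queue.pop(0)
        return frame + bytes([0x91, 0xAF if self.queue else 0x00])
```

With a real reader, `send` would be the transmit call of the PC/SC binding in use; checking SW1 and capping the number of frames keeps a misbehaving card or reader from being read as success or looping forever.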

### Files
Not sure yet what these constants do.

crypto operations
- TDES =  00
- TKTDES = 40
- AES = 80

File types
- STANDARD_DATA_FILE = 00
- BACKUP_DATA_FILE = 01
- VALUE_FILE = 02
- LINEAR_RECORD_FILE = 03
- CYCLIC_RECORD_FILE = 04

Transmission modes
- PLAIN_COMMUNICATION = 00
- PLAIN_COMMUNICATION_MAC = 01
- FULLY_ENCRYPTED = 02

# Tested Readers and Drivers
ACS ACR122U-A9 | Microsoft Usbccid-Smartcard-Leser (WUDF) | Windows 10