Dumb DESFire EV2 / Linux questions

I know very little about DESFire chips. So forgive me if my questions are obvious or stupid.

My two questions are these:

  • Can you allocate space, then write an NDEF-formatted file on a DESFire EV2 so that a vanilla Android or iOS cellphone (i.e. without any additional NFC-related app) reads the NDEF content and does something with it unattended, such as opening a URL, the way it would with an NFC Forum type 2 tag? If so, what minimum versions of Android / iOS are needed to read type 4 tags and function that way?

  • Can you do that in Linux? I’m not interested in configuring NFC chips with mobile phones. I’m from a previous generation :slight_smile: libfreefare seems to support EV1 chips, but Wikipedia says EV2 chips are more or less backward-compatible. So maybe for a simple NDEF application it would work.


Hey Rosco,

I have a flexDF (EV1).

Yes, just use the “Erase & format as NDEF” option in TagWriter, then specify the NDEF record size.



That’s a loaded question because different device manufacturers leverage the NFC functionality of Android differently. I would imagine you won’t encounter many phones that can’t handle it nowadays, but I’m not sure.

Yeah, if you have a capable USB NFC reader like the ACR122U. There are plenty of other libraries too, if libfreenfc doesn’t have what you want. You could also try nfcpy. There’s another good one I’ve tried, but I can’t remember the name. I’ll get back to you with it later when I’m at a real computer.

EDIT: The other library was called pyscard

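To make concrete what "format as NDEF" has to leave on the chip for a phone to act on it unattended, here is an added example (not code from this thread, from TagWriter or from NXP): a toy tag that holds the two files the NDEF application carries on a DESFire, and a reader that performs the NFC Forum Type 4 Tag read procedure the way a phone does, returning the URI in the record. The layout assumed is the commonly used one: NDEF application selectable by the NFC Forum DF name D2760000850101, Capability Container at ISO file ID E103, NDEF file at E104. The MLe/MLc values, file sizes and URLs are constructed for the example; the status words and APDU shapes are the ISO 7816-4 ones the Type 4 Tag procedure uses.

```python
"""Type 4 Tag NDEF read, both sides, against a DESFire-style NDEF file layout (constructed example)."""
import struct

NDEF_APP_DFNAME = bytes.fromhex("D2760000850101")  # NFC Forum Type 4 Tag application, mapping v2
CC_FID, NDEF_FID = 0xE103, 0xE104                  # ISO file IDs of the usual DESFire NDEF layout (assumed)
SW_OK, SW_NOT_FOUND, SW_NO_EF, SW_BAD_INS = b"\x90\x00", b"\x6A\x82", b"\x69\x86", b"\x6D\x00"
URI_PREFIXES = {0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}


def build_uri_ndef(url: str) -> bytes:
    """One short NDEF record: MB=ME=SR=1, TNF=1 (well-known), type 'U', payload = prefix code + rest."""
    code, rest = 0x00, url
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if url.startswith(prefix):
            code, rest = c, url[len(prefix):]
            break
    payload = bytes([code]) + rest.encode()
    if len(payload) > 255:
        raise ValueError("short-record form only")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def build_cc(ndef_file_size: int, read_access: int = 0x00, write_access: int = 0x00) -> bytes:
    """Capability Container: CCLEN=15, mapping 2.0, MLe, MLc, then the NDEF File Control TLV (T=04, L=06)."""
    tlv = struct.pack(">BBHHBB", 0x04, 0x06, NDEF_FID, ndef_file_size, read_access, write_access)
    return struct.pack(">HBHH", 15, 0x20, 0x003B, 0x0034) + tlv  # MLe/MLc values are constructed


class NdefTag:
    """Toy tag answering the ISO 7816-4 subset a phone uses; files are keyed by ISO FID like a DESFire app."""

    def __init__(self, url: str, ndef_file_size: int = 128, read_access: int = 0x00):
        msg = build_uri_ndef(url)
        if len(msg) + 2 > ndef_file_size:
            raise ValueError("NDEF message does not fit the NDEF file")
        self.files = {CC_FID: build_cc(ndef_file_size, read_access),
                      NDEF_FID: (struct.pack(">H", len(msg)) + msg).ljust(ndef_file_size, b"\x00")}
        self.selected_fid = None

    def transceive(self, apdu: bytes) -> bytes:
        ins, p1, p2, lc = apdu[1], apdu[2], apdu[3], apdu[4]
        if ins == 0xA4 and p1 == 0x04:                           # SELECT by DF name
            return SW_OK if apdu[5:5 + lc] == NDEF_APP_DFNAME else SW_NOT_FOUND
        if ins == 0xA4 and p1 == 0x00:                           # SELECT EF by file identifier
            fid = struct.unpack(">H", apdu[5:7])[0]
            if fid not in self.files:
                return SW_NOT_FOUND
            self.selected_fid = fid
            return SW_OK
        if ins == 0xB0:                                          # READ BINARY: offset P1P2, length Le
            if self.selected_fid is None:
                return SW_NO_EF
            off, le = (p1 << 8) | p2, lc or 256
            return self.files[self.selected_fid][off:off + le] + SW_OK
        return SW_BAD_INS


def _apdu(tag, apdu: bytes) -> bytes:
    resp = tag.transceive(apdu)
    if resp[-2:] != SW_OK:
        raise IOError(f"APDU {apdu.hex()} failed with SW {resp[-2:].hex()}")
    return resp[:-2]


def parse_uri_record(msg: bytes) -> str:
    """Decode the first NDEF record; only a well-known 'U' record is accepted."""
    hdr, type_len = msg[0], msg[1]
    if hdr & 0x10:                                               # SR: one-byte payload length
        payload_len, pos = msg[2], 3
    else:
        payload_len, pos = struct.unpack(">I", msg[2:6])[0], 6
    id_len = 0
    if hdr & 0x08:                                               # IL: ID length byte present
        id_len, pos = msg[pos], pos + 1
    rtype = msg[pos:pos + type_len]
    pos += type_len + id_len
    payload = msg[pos:pos + payload_len]
    if (hdr & 0x07) != 0x01 or rtype != b"U":
        raise ValueError(f"first record is not a URI record (TNF={hdr & 7}, type={rtype!r})")
    return URI_PREFIXES.get(payload[0], "") + payload[1:].decode()


def read_type4_uri(tag) -> str:
    """The NFC Forum Type 4 Tag read procedure as a phone performs it, with the checks that make it bail out."""
    _apdu(tag, b"\x00\xA4\x04\x00\x07" + NDEF_APP_DFNAME + b"\x00")      # 1. NDEF application present?
    _apdu(tag, b"\x00\xA4\x00\x0C\x02" + struct.pack(">H", CC_FID))      # 2. select and read the CC
    cc = _apdu(tag, b"\x00\xB0\x00\x00\x0F")
    cclen, version, mle, mlc = struct.unpack(">HBHH", cc[:7])
    t, l, ndef_fid, max_size, r_acc, w_acc = struct.unpack(">BBHHBB", cc[7:15])
    if cclen != 15 or version >> 4 != 2 or t != 0x04 or l != 0x06:
        raise ValueError("not a valid Type 4 Tag v2 capability container")
    if r_acc != 0x00:                                                    # read access must be free
        raise PermissionError(f"NDEF file read access 0x{r_acc:02X} is not free; a phone will not read it")
    _apdu(tag, b"\x00\xA4\x00\x0C\x02" + struct.pack(">H", ndef_fid))    # 3. select NDEF file, read NLEN
    nlen = struct.unpack(">H", _apdu(tag, b"\x00\xB0\x00\x00\x02"))[0]
    if nlen == 0 or nlen > max_size - 2:
        raise ValueError(f"NLEN {nlen} invalid for an NDEF file of {max_size} bytes")
    msg, offset = b"", 2
    while len(msg) < nlen:                                               # 4. read message in MLe-sized chunks
        chunk = min(mle, nlen - len(msg), 255)
        msg += _apdu(tag, bytes([0x00, 0xB0, offset >> 8, offset & 0xFF, chunk]))
        offset += chunk
    return parse_uri_record(msg)
```

Two of the checks are the ones that bite in practice: the CC's read-access byte for the NDEF file must be 0x00, so an NDEF file whose read right is bound to an application key is invisible to a stock phone, and NLEN must be consistent with the file size declared in the CC, which is why "specify the NDEF record size" matters in the TagWriter step.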

Great, thanks for your detailed reply! At least I know the EV1 is well supported.

Another question: have you tried to use your FlexDF for any other applications? Or rather, along other applications? Specifically, I’m thinking of copying files from a DESFire EV1 card - like a bus or train card - “as is” onto the implant, and using them to board a bus or a train obviously.

I’m not talking about cracking the commercial application’s file(s)’ key(s) but rather hosting them on the implant. My understanding is that you can’t even read them without authenticating with the proper key on the original card - and even if you do have a key, it might not allow you to read it - so I’m 99% sure it’s impossible. But perhaps I didn’t do enough research.

For the record, I’m enquiring about the EV2 because I don’t really want to get a chip that’s not supported at least partially in Linux, and Digiwell doesn’t carry the FlexDF anymore. I could order directly from DT of course, but last time I did that, I was hit by the mother of all import duties from the lovely Finnish customs.

I only have experience with the DESFire EV1, but I’m under the impression the EV2 is fully backwards compatible.

I started to look into it, but I realized quickly how much of an undertaking it would be. My public transit authority uses EMV-based cards with a proximity payment system environment (PPSE). While I could probably spend a few hours sniffing communication between the card and a reader and then a few days brute forcing the keys, I really don’t care that much. Also, I think the keys for the payment communication are encrypted/decrypted with the results of a separate SELECT NFC command as part of the hash, so unless you could magic your DESFire’s UID or include a relay device like a proxmark in the communication stream, you still wouldn’t be able to authenticate with the system.

Better to just find a way to enroll your implant as a card and deal with the fact that you’ll only be able to use it for that. You’d need access to the contactless programming interface, which is usually inside a machine enclosure to ensure good coupling.

Yeah, kind of what I thought. Interoperability in the little world of NFC is purely theoretical: in reality, everybody does their own thing in their own corner, and assumes the cards they issue are unique and not meant to be shared - which is a reasonable assumption as long as you issue unique physical cards and you ignore the existence of implants, which is what everybody does I guess.

The only commercial software I know of that deals with sharing memory space on a card with another application, without overwriting the other application’s data, is Rohos Logon Key: it has provisions to write its own data in a free sector, and/or use a custom key-A to authenticate a particular sector on a Mifare Classic. Nice! But rather unique.

I shot an email to the company that manages the public transit card system in most Finnish cities. The Finns are usually pretty open-minded with technological things. It’ll be interesting to see what they answer.


If you’re looking for a flexDF chip in Europe, we’ve got them here!

https://cyborg.ksecsolutions.com/product-category/flex-implants/

Only a few units left

Thanks! I’m not particularly keen on implanting it at the moment though. That may change if the friggin’ transit authorities deign to answer me at some point, but right now I have no need.

Still maybe it’d be a good idea to get one “just in case”. Do those things have an expiry date?

If they do, point them at Fidesmo because it could be done as an applet deployed to the Apex :slight_smile:

Why not. If I get a reply from a very open-minded / enthusiastic techie, I’ll drop in the suggestion. However, right now it doesn’t look good: I get zero replies.

Well what do you know: when I thought all was lost, I finally did get a reply from a very open-minded / enthusiastic techie :slight_smile: I’ll say no more, but interesting things might be coming my way about this.

If I get a chance to sell them on the idea at some point, can you describe what would be needed for this to happen? I have a feeling that, enthusiastic though they may be, if they have to do any development, I might lose their interest in a hurry.

I will email you and Fidesmo rep about this directly :wink:

I think I already know the answer to that one (from this thread), but I’ll ask again to be extra-sure: if I get a third-party to program my DESFire EV implant (e.g. a transit authority), surely they’ll set their master key. Does this mean I’m SOL if I want to factory-reset the chip to use it for something else later without asking the guys who programmed it to reset the master key?

Correct… there is no “reset” option without the master key.