I have someone in my city making desfire, he not cloning he getting the data this my reasearch he wont share. so i hope someone smarter then me can figure it out for the coummity

Support
1

◢◤ DESFIRE CLONING MASTER GUIDE ◢◤

KOBE’S KEYS - RFID RESEARCH DOCUMENTATION

Salto | Kantech | RBH | ICT

Mamba Mentality for Your Security

1. SYSTEM IDENTIFICATION

When you get a DESFire card, identify the system first:

hf mfdes info # Get UID, chip type, manufacturerhf mfdes lsapp # List application IDs (AIDs)

Common AIDs by System

System

Common AIDs

Key Type

Salto

F4B1xx, F5xxxx

AES + KDF (AN10922)

Kantech ioSmart

Various

AES static

RBH

Various

AES static master key

ICT Protege

F4857x

AES

Gallagher

F48120-F4812B

AES + KDF variant

HID iCLASS SE

Various

AES

2. ATTACK WORKFLOW

Phase 1: Scan the Card

hf mfdes infohf mfdes lsapphf mfdes getaids --no-auth

Phase 2: Key Attack

Try dictionary attack WITHOUT diversification first:

hf mfdes chk -f mfdes_extended_keys_v2 --aid [AID]

If no keys found, try WITH AN10922 diversification (Salto):

hf mfdes chk -f mfdes_extended_keys_v2 --aid [AID] --kdf 1 -i [UID]

Try Gallagher diversification:

hf mfdes chk -f mfdes_extended_keys_v2 --aid [AID] --kdf 2 -i [UID]

Phase 3: Authenticate & Dump

Once you have a key:

# DES keyhf mfdes auth --aid [AID] -n 0 -t des -k [KEY]# AES keyhf mfdes auth --aid [AID] -n 0 -t aes -k [KEY]# With diversificationhf mfdes auth --aid [AID] -n 0 -t aes -k [MASTER] --kdf 1 -i [UID]# Dump datahf mfdes dump --aid [AID]

Phase 4: Clone to Blank

# Auth to blank DESFire cardhf mfdes auth -n 0 -t des -k 0000000000000000# Create applicationhf mfdes createapp --aid [AID] --numkeys 1 --ks1 0F# Create filehf mfdes createfile --aid [AID] --fid 01 --size 000020 --rawrights EEEE --amode plain# Write datahf mfdes write --aid [AID] --fid 01 --offset 000000 -d [DATA] --no-auth

3. SYSTEM-SPECIFIC DETAILS

SALTO

Property

Value

Encryption

AES-128

Key Diversification

AN10922 (KDF)

Formula

Master Key + UID + AN10922 = Card Key

Common AID

F4B1xx

Difficulty

HARD - need master key + KDF

PM3 Command

hf mfdes chk --aid F4B1xx --kdf 1 -i [UID]

Note: “Saltos issue is not key is DATA - have to calculate each block manually”

KANTECH ioSmart

Property

Value

Card Type

MIFARE Plus EV1 2K

Encryption

AES-128

Format

Site Code : Card Number

Example

8020:11485

Key Type

Static (not diversified from UID)

Difficulty

MEDIUM - formula from card number

Number on back: 8020:11485 = Site 8020, Card 11485

“UID has nothing to do with fob key” - calculated from number only

RBH ACCESS

Property

Value

Card Type

MIFARE DESFire EV1/EV2/EV3

Format

50-bit (16-bit site + 32-bit card)

Example

A4000 / 0004897846

Key Type

Static master key

Default Site

4000 (0x0FA0) - RBH ships this

Difficulty

MEDIUM - once you have master key, clone any card

Format on fob: A4000 = Site 4000, 0004897846 = Card Number

Kobe said: “Master key is for RBH DESFire” - static, not diversified

ICT PROTEGE

Property

Value

Card Type

MIFARE DESFire

Default Format

34-bit (16-bit site + 16-bit card)

Common AID

F4857x

PM3 Support

Built-in commands

Difficulty

EASIER - PM3 has commands

Commands:

hf ict helphf ict infohf ict credential

4. DEFAULT KEYS REFERENCE

NXP Factory Defaults

Key Type

Length

Default Value

DES

8 bytes

0000000000000000

2TDEA

16 bytes

00000000000000000000000000000000

3TDEA

24 bytes

000000000000000000000000000000000000000000000000

AES

16 bytes

00000000000000000000000000000000

KDF Options

–kdf Value

Algorithm

Used By

0

None (static key)

RBH, Kantech, ICT

1

AN10922

Salto, many others

2

Gallagher variant

Gallagher/Cardax

5. CREDENTIAL CALCULATIONS

Kantech Example: 8020:11485

Field

Decimal

Hex

Bytes (BE)

Bytes (LE)

Site Code

8020

1F54

1F 54

54 1F

Card Number

11485

2CDD

2C DD

DD 2C

Combined

-

1F542CDD

1F 54 2C DD

DD 2C 54 1F

RBH Example: A4000 / 4897846

Field

Decimal

Hex

Bytes (BE)

Bytes (LE)

Site Code

4000

0FA0

0F A0

A0 0F

Card Number

4897846

004ABC36

00 4A BC 36

36 BC 4A 00

Full 50-bit

-

See calc

0F A0 00 4A BC 36

-

Use Python calculators to generate patterns for any card number

6. YOUR TOOLS

Tool

Purpose

Usage

kantech_decoder_gui.py

Kantech number to hex/bytes

python kantech_decoder_gui.py

rbh_decoder_gui.py

RBH 50-bit calculator

python rbh_decoder_gui.py

mfdes_extended_keys_v2.dic

4,589 key dictionary

Copy to PM3 dictionaries folder

Dictionary Location

C:\ProxSpace\pm3\proxmark3\client\dictionaries\mfdes_extended_keys_v2.dic

Install GUI Dependencies

pip install customtkinter pyperclip

7. FIELD WORKFLOW CHECKLIST

  • ☐ 1. Get card from client

  • ☐ 2. Note any numbers on card (Site:Card format)

  • ☐ 3. Run: hf mfdes info

  • ☐ 4. Run: hf mfdes lsapp

  • ☐ 5. Identify system (Salto/Kantech/RBH/ICT)

  • ☐ 6. Run dictionary attack:

  • hf mfdes chk -f mfdes_extended_keys_v2 --aid [AID]

  • ☐ 7. If no key, try with KDF:

  • hf mfdes chk -f mfdes_extended_keys_v2 --aid [AID] --kdf 1 -i [UID]

  • ☐ 8. If key found: SAVE IT with building address

  • ☐ 9. Dump card data

  • ☐ 10. Clone to blank DESFire

8. KEY DATABASE

Every key you find, log it here:

Building Address

System

AID

Key Type

Key Value
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----
undefined ---- ---- ---- ----

9. WHAT Kobe REVEALED

His Setup

  • Proxmark3 RDV4 (blue case, hidden branding)

  • Custom “sparefob” command alias

  • Calculator/software for key derivation

  • Blank DESFire EV3 fobs

His Process (30 seconds with fob)

  1. Scans fob: hf mfdes info → gets UID

  2. Lists apps: hf mfdes lsapp → gets AID

  3. Manual calculation: Uses paper/pen/calculator to derive key

  4. Writes to blank: hf mfdes write

Key Intel from Kobe

  • RBH: “Master key is for RBH DESFire” - static master key

  • Kantech: “Kantech i can copy just by number on fob” - no UID needed

  • Salto: “Saltos issue is not key is DATA” - has keys, stuck on format

  • KDF: Confirmed Salto uses “KDF” (Key Derivation Function)

  • Timeline: 1.5 years for Salto keys, 2 years for Kantech

What This Means

  • RBH/Kantech use static keys - easier to crack

  • Salto uses AN10922 diversification - need master key

  • He has collected master keys over 1.5-2 years

  • You can catch up by running dictionary attacks on every job

10. COMPETITIVE ADVANTAGE

Your Current Position

  • :white_check_mark: Proxmark3 RDV4 ready

  • :white_check_mark: Custom dictionary (4,589 keys)

  • :white_check_mark: Kantech calculator

  • :white_check_mark: RBH calculator

  • :white_check_mark: ICT commands built into PM3

  • :hourglass_not_done: Need to collect master keys

Strategy

  1. Run hf mfdes chk on EVERY job - catch weak/default setups

  2. Save every found key with building address

  3. Focus on older buildings - more likely to have default keys

  4. Build key database over time

  5. Network with other locksmiths - share keys

Realistic Timeline

  • You’re NOT 1.5 years behind in skill

  • You’re 1.5 years behind in key collection

  • Start with buildings using default keys

  • Expand as database grows

◢ KOBE’S KEYS © 2025 | MAMBA MENTALITY ◤

2

here some more info, im stuck here. at this point someone how has the skill can take over. and figure it out:

Proxmark3 DESFire EV3 Tutorial: Step-by-Step Guide

This document summarizes our entire session with the Proxmark3 (Iceman firmware) and a blank MIFARE DESFire EV3 card. It’s designed for study: Each step includes the command, what it does, why we use it, expected output, and troubleshooting. The goal was to configure a blank card, add data, and prepare for cloning (e.g., field cards like transit badges).

Background:

  • DESFire EV3: A secure NFC/RFID card (8KB storage) for access/payment. Organized as PICC (global “cabinet”) > Apps (“drawers” with AIDs) > Files (data blobs).

  • Proxmark3: Hardware tool for reading/writing NFC. Use Iceman fork for best DESFire support.

  • Your Card: Blank 8KB EV3 (UID: 04 6F B5 2A 77 18 90), factory defaults (zero keys, open rights).

  • Assumptions: Quiet area (no other tags), card 1-2cm from antenna. Run cmds in Proxmark client (pm3 -->).

Copy this guide to Google Docs/Word and export as PDF for printing/studying. Total steps: ~15 cmds, 30-60 min.

Key Concepts Before Starting

  • Auth: Unlocks sessions (PICC or app level). Defaults: All-zero keys (0000000000000000 for DES/2TDEA).

  • AID: 3-byte app ID (e.g., 010203 = test folder).

  • FID: 1-byte file ID (e.g., 01 = note).

  • Rights/Settings: 0F/EEEE = “free/open” (no keys needed for read/write).

  • Troubleshooting Common Errors:

    • [7] Sending auth failed / BCC incorrect: Signal glitch—run hf tune, reposition card, power cycle Proxmark.

    • [202] Can’t select AID: Collision (multiple tags)—remove nearby NFC (phone/wallet), retry.

    • Even digits error: Hex string odd-length—type manual, no spaces.

    • Card level error: Context lost—re-select app (hf mfdes selectapp --aid 010203).

Step-by-Step Commands & Explanations

Use tables for clarity: Command | Purpose | What It Does | Expected Output | Notes/Troubleshoot.

Phase 1: Card Detection & Basics (Verify Blank State)

Step

CMD

USE

What It Does

Expected Output

Notes/Troubleshoot

1

hf mfdes info

Dump card metadata

Scans UID, version, apps, memory, security. Confirms EV3 blank (0 apps, 8192 free bytes).

UID, EV3 version, 0 apps, 8192 bytes free, sig verified. Possible BCC/collision warnings.

Run first always. If “no tag”: Reposition. Collisions: Clear area.

2

hf tune

Calibrate antenna

Tunes HF signal (13.56MHz) for stable comms. Fixes [7]/BCC errors.

HF bars (green = good). ~30s scan.

Run if errors. Hold card steady.

Phase 2: PICC-Level Auth & Verification (Unlock Global)

Step

CMD

USE

What It Does

Expected Output

Notes

3

hf mfdes auth -n 0 -t des -k 0000000000000000 --kdf none

Authenticate PICC (whole card)

Establishes session with master key #0 (zeros, factory default). Unlocks creates. Session ~10-30s.

[+] PICC selected and authenticated. Context: Key 0, session key/IV.

If fail: Try 2TDEA (-t 2TDEA -k 00000000000000000000000000000000). Add -v for APDUs. Re-run if timeout.

4

hf mfdes getkeysettings

Verify PICC rights

Peeks CMK settings (changeable? reqs?). Confirms open state.

Key Settings Byte: 0F. YES changeable, NO reqs for create/list, 1 key (2TDEA).

Run post-auth. Error? Re-auth.

Phase 3: Create & Manage App (Add “Folder”)

Step

Cmd

USE

What It Does

Expected Output

Notes/Troubleshoot

5

hf mfdes createapp --aid 010203 --numkeys 1 --ks1 0F

Create test app

Makes app with AID 010203, 1 key slot, 0F settings (free access). Uses PICC session.

[+] Desfire application 010203 successfully created.

AID arbitrary (non-zero). If exists: Change to 010204. Post-auth.

6

hf mfdes lsapp

List apps

Scans PICC for apps (confirms creation).

[+] App #0: 01 02 03 | Settings: 0F | Keys: 1. Total: 1 app.

Post-create. BCC? Ignore if app shows.

Phase 4: App-Level Setup (Focus & Unlock Drawer)

Step

CMD

USE

What It Does

Expected Output

Notes/Troubleshoot

7

hf mfdes selectapp --aid 010203

Select app

Switches context to app (like cd). No auth needed.

[+] Application 0x010203 selected successfully.

Run before app cmds. Error? Re-run info.

8

hf mfdes auth --aid 010203 -n 0 -t des -k 0000000000000000 --kdf none

Auth app

Unlocks app session (AMK #0 zeros). For writes if locked.

[+] Application AID 010203 selected and authenticated. Context: Session key/IV.

Optional for free settings. Add -v if fail.

Phase 5: Create & Manage File (Add “Note”)

Step

CMD

USE

What It Does

Expected Output

Notes/Troubleshoot

9

hf mfdes createfile --aid 010203 --fid 01 --size 000020 --rawrights EEEE --amode plain

Create data file

Makes standard file (FID 01, 32 bytes, free rights, plain mode).

[+] Standard data file 01 in the app 010203 created successfully. Rights: free all.

--aid forces target. Size: 000020 = 32 bytes. Post-select/auth.

10

hf mfdes lsfiles --aid 010203 --no-auth

List app files

Scans app for files (confirms creation).

[+] 01 | Standard data | Plain | eeee rights | Size 32.

--no-auth for free. -20 ISO error? Ignore.

Phase 6: Read/Write Data (Test Storage)

Step

CMD

USE

What It Does

Expected Output

Notes/Troubleshoot

11a

hf mfdes write --aid 010203 --fid 01 --offset 000000 -d 48 --no-auth

Minimal write test

Writes 1 byte (“H” hex 48) at offset 0. Verifies basic I/O.

[=] Write data file 01 success.

Short -d flag. Even digits error? Manual type.

11b

hf mfdes read --aid 010203 --fid 01 -l 000001 --no-auth

Read test

Pulls 1 byte from offset 0 (verifies write).

[=] 0/0x00 | 48 | H. Read 1 byte.

-l for length (not --size). [202]? Retry.

12a

hf mfdes write --aid 010203 --fid 01 --offset 000000 -d 48656C6C6F20576F726C64 --no-auth

Full write

Writes “Hello World” (11 bytes hex). Overwrites test data.

[=] Write data file 01 success.

22 even digits. Manual type if parser gripes.

12b

hf mfdes read --aid 010203 --fid 01 -l 00000B --no-auth

Full read

Pulls 11 bytes (verifies string).

[=] 0/0x00 | 48 65 6C… | Hello World. Read 11 bytes.

Confirms end-to-end. Padding zeros after.

Phase 7: Export for Cloning (Dump & Restore)

Step

CMD

USE

What It Does

Expected Output

Notes

13

hf mfdes dump --aid 010203 --no-auth

Dump app

Exports app structure + data (JSON-like for clone).

App details, file 01 with 32-byte data (“Hello World” + zeros).

Save: --file dump.json. For field card: Dump first, restore to blank.

14 (on second blank)

hf mfdes restore --file test_app_dump.json

Clone to new card

Imports dump to blank (copies apps/files/data). Needs PICC auth first.

[+] Restored successfully.

Match card size/version. UID mismatch? Emulate (hf 14a sim).

15 (optional)

hf mfdes formatpicc --key 0000000000000000

Factory reset

Wipes all (if mess-up).

[+] PICC formatted. Back to 0 apps, 8192 free.

Use sparingly—loses data!

Cloning Field Cards: Quick Field Guide

  1. Detect: hf mfdes info on target (UID, apps, version).

  2. Auth/Dump: hf mfdes auth (guess keys), hf mfdes dump --picc (full export).

  3. Attack if Locked: hf mfdes nested (key recovery) or brute (hf mfdes chk).

  4. Restore: On blank, hf mfdes restore --file field_dump.json.

  5. Test: hf mfdes read data/functions. Emulate if UID sig fails: hf 14a sim -t desfire.

Success Tips: Weak field cards (defaults) clone in mins. Secure (AES/custom)? Hours + advanced tools. Legal: Own/pentest only.

Resources: Iceman GitHub (proxmark3), NXP DESFire datasheet, r/RFID Discord.

3

Sorry, but this is AI slop. It’s basically saying “brute force the keys” which is not practical .. it’s exactly what the encryption in these chips is meant to protect against. The entropy is too high to just guess in a practical timeframe.

The person doing cloning has somehow gained access to the key derivation code for different systems that use DESFire chips. They will never share this because 1) they could only have obtained this information illegally, and 2) it’s the only way you can actually clone these types of keys. Giving up this illegally obtained information would put themselves out of business.

2 Likes
4

no it not ai , i told ai to write i ran all those cmd on proxmark3 the work fine, he has encoder, and he can make RBH and kantech tag without having them. he told me himself. and my client went there he charged him 100 to make salto fobs, he used proxmark to write the data and the fob open all doors in the condo. so how is he doing it. , how can he make kantech just with number on card.

7

"After talking directly with a veteran Canadian cloner (5+ years full-time, works with licensed Salto encoders), the real bottleneck for Salto DESFire cloning isn’t the key — it’s the data. He says the keys are relatively straightforward (he can derive them in under 2 minutes, no complex KDF needed in many installs), but Salto personalizes roughly 170 blocks of data in a proprietary way that the reader validates. You can’t just raw-dump and restore — the reader rejects it because the data pattern is card-specific. Even with the correct key, you have to manually recalculate/regenerate each block to match what the official Salto encoder would produce. That’s why he’s still doing it semi-manually and needs ~50 samples to fully reverse the format before automating. He has the licensed encoder/software (bought as a dealer) and reversed parts of it, but says no one else in Ontario has a finished Salto solution yet.

8

"For Kantech and RBH DESFire systems, the cloning process is completely different from Salto — and much easier. The cloner I spoke to can duplicate Kantech fobs just from a clear photo of the printed number on the back (e.g., “8020:11485”). The key is derived purely from that site code and card number using a fixed algorithm — the UID on the chip has nothing to do with it. Same for RBH: once you have the static master key (often defaults or leaked), you calculate the credential from the printed format (e.g., A4000 / 0004897846). No Proxmark needed for the math — he does it with a calculator or small script, then programs a blank. That’s why he says “Kantech I can copy just by number on fob” and customers send him pics. These systems use static or predictable keys, not per-card diversification like Salto. Community already has working calculators for both (Kantech byte patterns, RBH 50-bit), so most jobs are fast and don’t even require touching the original tag and this how he does those. he wont tell me how he doing cause ur right he get sued. but that what he doing.

9

Then why not share your sequence of commands directly rather than giving it to an LLM to make a mess of first? It’s frustrating when an attempt at communicating with man via machine ends up diverted to a communication with machine instead of man.

3 Likes
10

i have on my github u can find it ya my bad it didnt paste it how it taught it would GitHub - kobepower/Desfire_calculator: this a calculator for Kantech and RBH

11

i have on my github u can find it ya my bad it didnt paste it how it taught it would GitHub - kobepower/Desfire_calculator: this a calculator for Kantech and RBH

13

Hi, my last message wasn’t very clear because of how the commands pasted.

I pulled all the commands from GitHub and have used all of them so far. On DESFire, I’ve been able to create applications, set my own keys, and write to blank DESFire cards. For actually cracking keys, I haven’t tested anything on a live customer card yet.

If anyone has a customer card they can legally test with, here is my GitHub link. Try it and see if you can recover the keys. I also added a DESFire key dictionary with over 4,000 keys. They’re randomly generated, so they may or may not work.

Right now, this is where I’m at: I made a Kantech calculator and an RBH calculator, and I’ve heard you can sometimes build DESFire tags just from the number printed on the tag.

Good luck everyone, let’s see if this goes anywhere.

….github.com/kobepower/Desfire_calculator

14

Screenshot_20260117_083411_Chrome
Screenshot_20260117_083411_Chrome1080×935 103 KB

Screenshot_20260117_083735_Chrome
Screenshot_20260117_083735_Chrome736×1221 121 KB

2 Likes
16

Eventually I’ll get some DESFire test cards and then I’ll look through resources like these to start learning how it works. I’ll save this for later when I can take a look at it more closely, thank you.

Personally my interest isn’t in cracking keys from the wild, just in utilising my own chips within my own system, so I won’t be much help here, but good luck.

1 Like