Is possible to add money in a Mifare DESFire EV1 4K?

Hi fam, I am completely new to this kind of forums, but recently I heard that some people could edit the balance of the bus card. The bus card here works with NFC so this could mean that using some device you can edit the information inside, for example change 5$ of balance to 50$. I don´t know if all the NFC cards allow this so I am here to ask if is possible and if I am allowed to do this.
I do not want to get profit or even exploit this, I just want to learn how this works for fun.

Info of my card:
Type of label: ISO 144443-4
NXP - Mifare DESFire EV1 4K

IsoDep, NfcA, NdeFormatable

1 Like

Ethical arguments aside, DESFire cards have strong encryption that makes them impossible to decrypt and edit unless you have the proper keys.

Not to mention, lots of modern network-connected systems only really use the card as a unique identifier (UID). The data for balance information is likely stored in a database elsewhere and looked up by the UID on the card.

1 Like

About this I am talking about a wallet-card, there is no connection or identification with a database 100%, this is why I asked about this topic, if the card acts only like an information key will be impossible to edit anything.

Thanks mate, I assume that is pretty hard and a noob like me cannot do anything, thanks!!

You’re talking about a stored value card or purse applications. The DESFire supports a specific file type for this kind of application, and you will need the proper cryptographic key in order to increment or decrement the value of the purse.

and how can i get the key?

Short answer you probably can’t

1 Like

Is possible to decrypt the wallet-card with a tool or with any stuff? for example a proxmark tool?

As of now, if implemented correctly, there is no practicable way to crack DesFire cards.
Unless they made mistakes on implementing the interaction with the card, you are out of luck.
In addition, adding money to a card without paying for it is illegal in most parts of the world

1 Like

Honestly no. Purse applications don’t work like that even if you have the proper key. It only accepts specific commands for incrementing.and decrementing the balance, and getting a current balance. You never get the actual raw data.

At this point I think we’re done dealing with this because clearly what you’re wanting to do is illegal. The short answer is, whatever vendor you’re trying to swindle has been smart enough to use a secure card. There is no hack for AES encryption at this time, which is what modern desfire cards use. They have properly secured their application and you’re not going to be able to steal from them.


As I said in the initial message I am not trying to break anything and I don´t want to get profit or had a bad behaviour, I am very interested in this kind of things and I don´t want to steal. This is for fun, not for revenue!!

Anyway if you think that this is done you can close the thread but I still interested in if is possible to change the data, nice day!

Then I suggest you buy your own desfire card from someone like KSEC

You don’t lockpick locks you don’t own for “fun”
You get your own lock to play with, because you shouldn’t mess with other peoples stuff

Same thing here


Understood, thanks for the idea @Eriequiet !!

1 Like

If you get your hands on a Javacard you could experiment with some of the wallet applets here,

1 Like


I missed a glorious opening for a meme


This is not entirely true. It’s always context dependant. There are certain modes of AES which do not protect against specific attacks. Here’s an example:

But yes, AES is not really broken but e.g. malleability can be a comcern, in some cases, probably not applicable here…

Very dumbed down idea how this could work here:

Let’s say you get a message like “pay $1”, encrypted it will look like gibberish, e.g. “foobar”.
But you know the last character is what makes the price. Just have a card with 0 on it, try to pay but intercept the communication and randomly change the last byte. Most of the times it will be some random nr, but maybe with luck the random byte decrypts to 0 one time → free coffee.

Ofc in reality it will be much more complex, but just having “AES” doesn’t protect against every possible attack. Again, the makers of DF2 chips probably know that. Someone who knows more should review the docs to see if there is a way to configure it in a way that could be broken. Then, with luck, the applet you wanna hack is configured in that way. Don’t get me started on implementation issues in the software reading the card…

1 Like