Mifare desfire EV1 Copy method

Hello. I have a student ID with a mag strip on the back. I can already easily copy that onto other cards and it allows for meal swipes, laundry money, print money, and room access to be copied from card to card. This is cool and all, but some places only accept tap(not swipe) and so i was wondering how to copy the NFC functionality, as i havent figured that out. I am willing to spend some money on tools, but looking into some of the popular tools such as the iCopy-X which cost like 400 euros, it seems that even that tool cannot copy it automatically. I cant imagine that the NFC would be on such lockdown when the magnetic strip is completely stored in just plaintext to be read/write at will. Am i missing something? Here is the data from the card. Knowing this, is there any way to copy the card? I am not looking to illegally add money to the card or anything outside of being able to transfer the data from one card to another. Thank you.

i dont know how to read this data, but it mentions both AES and raw/ASCII, so is the data encrypted or is it stored in plain text? If possible please let me know what tools i need to read/write. I have a KSEC 4K magic 4 Byte UID changeable card, but no tool to write to it as i was unaware that it functioned differently. I am very new to NFC, so feel free to educate me on it lol

DESFire cards are impossible to decrypt and copy unfortunately. Your best bet would be to approach the person(s) at your university in charge or enrolling the cards and ask them nicely if you could enroll your card/chip.

It’s probably unlikely that they’ll allow you to make a 1:1 copy to a card, but they might be willing to make a copy for something more interesting like an implant. I’ve heard some people have success.

Really, it’s all about how you approach them and ask. Take your time and think about how you’ll ask them before you do it. Maybe some others with experience asking will chime in.

so even a tool like this wouldnt be able to solve my problem? Proxgrind ChameleonMini RevG - Access Control, Chameleon, Gadgets & Tools, ProxGrind, Red Team Tools, RFID Cloners & Emulators, RFID NFC Tools - KSEC Solutions
i assumed with access to the readers that scan the card it could use the keys to decrypt it and thus allow allow me to read/copy its data. This tool itself isnt avaliable for like another 260 days at least which is too late for my application, but it seems like it could be possible unless im misunderstanding something?

No, as of now, a properly implemented Desfire card system can’t be cloned.
The communication between reader and card is encrypted as well, so sniffing it with a Proxmark or others is not possible.
The only way to use it is to get it enrolled as a new card.

DESFire chips use strong AES encryption that, as far as I’m aware, has yet to be broken. So unless you have a supercomputer to crack the encryption keys on your card, it’s unlikely that you’ll be able to clone it yourself.

1 Like

alright so lets go with the assumption that the desfire card system ISNT properly implemented, since my school doesn’t exactly have best safety practices. How would i be able to tell if they messed up somewhere?

Its very unlikely that they screwed up the implementation that horribly. I think the most likely scenario for a messed up implementation is allowing legacy Prox cards, Mifare Ultralight, Mifare Classic, and Mifare plus cards to do access control, it sounds like to me that your school also has a wallet application running on the card so it is highly unlikely that your school still has legacy credentials walking around. All of this is saying you can’t break their system, as much as it hurts me to say it, you can’t clone the card yourself. If you do however get a friend in university security or IT you might be able to convince them to let you enroll your implant into the system if it beeps they screwed up if it doesn’t they didnt screw up.

If you wanted to see if they messed up the implementation you could take a low frequency card and present it to a access control reader.

so even though they have communication set to plain instead of encrypted there’s no way to see the data? it doesnt make sense that they put so much effort into securing the payment via NFC but i can just use magnetic strip to copy and use anyones account balance O.o

They are unlikely to be using their own solution to provision and manage the ID cards for payment and authentication and are using software/hardware that is purchased. Whoever designed this hardware/software put in the effort to implement proper security. Mifare Classics have been broken for so long that i cant see why any decent product designer would implement them in a new design except where there are no security implications at all. Convenient for people here to copy onto implants? yes Good for real secuirity? No.

Pretty much all of the proper DESFire datasheets are under NDA but from the limited documents that are available the communication can be either Plain, Plain+MAC, or encrypted. But this is the communication of the data - you still need to correctly authenticate with the card to read/write the data and as of now there are no known exploits for these cards and you are not going to be brute forcing them.

DESFire has several different file types that supports for its application AIDs. It’s likely they are using a purse style application file, which allows them to complete authentication through the Diffie-Hellman style system it uses and then issue an increment or decrement command. Because these commands are not sensitive, there’s no reason to encapsulate that command communication inside of a secure tunnel with the chip. It’s a bit overkill.

1 Like