NDEF on Desfire Ev1 can't be read by NFC Tools

I’m having trouble writing an NDEF record that can be read via NFC Tools or Taginfo. I can read the record on the Proxmark 3 RDV4 via the “nfc type4a read” command. I’ve been changing settings and digging at this for hours. I don’t know what I’m missing. Any suggestions?

Here are the following commands I’m using:

hf mfdes formatpicc

hf mfdes createapp --aid 000001 --fid E110 --dfhex D2760000850101 --numkeys 01

hf mfdes createfile --aid 000001 --fid 01 --isofid E103 --amode plain --size 00000F --rrights free --wrights free --rwrights free --chrights free -m plain --no-auth

hf mfdes createfile --aid 000001 --fid 02 --isofid E104 --amode plain --size 0007D0 --rrights free --wrights free --rwrights free --chrights free -m plain --no-auth

hf mfdes write --aid 000001 --fid 01 -d 000F20003B00340406E10400FF00FF -m plain

hf mfdes write --aid 000001 --fid 02 -d 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 -m plain

Verify the file and NDEF record:

hf mfdes read --no-auth --aid 000001 --fid 02
nfc type4a read

Here are the current app settings:

[usb] pm3 → hf mfdes lsapp

[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 1 free memory 5728 bytes
[+] PICC level auth commands:
[+] Auth… YES
[+] Auth ISO… YES
[+] Auth AES… NO
[+] Auth Ev2… NO
[+] Auth ISO Native… YES
[+] Auth LRP… NO
[+] PICC level rights:
[+] [1…] CMK Configuration changeable : YES
[+] [.1…] CMK required for create/delete : NO
[+] […1.] Directory list access with CMK : NO
[+] […1] CMK is changeable : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 0 (0x00)

[+] --------------------------------- Applications list ---------------------------------
[+] Application number: 0x01
[+] ISO id… 0xE110
[+] DF name… v ( XX XX XX XX XX 01 01 00 00 00 00 00 00 00 00 00 )
[=] DF AID Function… 000001 : (unknown)
[+] Auth commands:
[+] Auth… YES
[+] Auth ISO… YES
[+] Auth AES… NO
[+] Auth Ev2… NO
[+] Auth ISO Native… YES
[+] Auth LRP… NO
[+]
[+] Application level rights:
[+] – AMK authentication is necessary to change any key (default)
[+] [1…] AMK Configuration changeable : YES
[+] [.1…] AMK required for create/delete : NO
[+] […1.] Directory list access with AMK : NO
[+] […1] AMK is changeable : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+]
[+] Key versions [0…0]: 00

Current file settings:

[usb] pm3 → hf mfdes lsfiles --aid 000001
[=] ------------------------------------------ File list -----------------------------------------------------
[+] ID |ISO ID| File type | Mode | Rights: raw, r w rw ch | File settings
[+] ----------------------------------------------------------------------------------------------------------
[+] 01 | e103 | 0x00 Standard data | Plain | eeee, free free free free | Size 15 / 0xF
[+] 02 | e104 | 0x00 Standard data | Plain | eeee, free free free free | Size 2000 / 0x7D0

I’m way too lazy to decode your NDEF data but my hunch is there’s a problem with how the data was constructed. Either the record or the message envelope are probably malformed.

I shouldn’t have used that large amount of data as an example. It does it with any data I use.

I can format the Desfire and write the same data to the Desfire using only NFC Tools. Then overwrite the data using the Proxmark.

Example:

hf mfdes write --aid 000001 --fid 02 -d 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 -m plain

Once overwritten with the Proxmark, the NDEF data can still be read with NFC Tools or TagInfo.
This makes me think NFC Tools is setting an option that I’m missing.

Okay, maybe it is a data issue. I’m wondering if it’s a size limit. I used all of the above commands to write the word “hi” and NFC Tools can read it no problem.

hf mfdes write --aid 000001 --fid 02 -d 0009D101055402656E6869 -m plain

I’ll keep playing with it.

I think it’s still something to do with settings.

I can read the data written by NFC Tools and use the sed command to parse it into the exact hex string. After writing that string with the Proxmark commands above, NFC Tools still can’t read the NDEF data.

NFC Tools written data dump:

ndef_dump.txt

[=] 0/0x00 | 03 13 C1 01 00 00 03 0C 54 02 65 6E 54 68 65 20 | …T.enThe
[=] 16/0x10 | 66 6F 6C 6C 6F 77 20 69 73 20 61 20 67 75 69 64 | follow is a guid
[=] 32/0x20 | 65 20 74 6F 20 61 73 73 69 73 74 20 69 6E 20 73 | e to assist in s
[=] 48/0x30 | 65 74 74 69 6E 67 20 75 70 20 61 20 73 69 6E 67 | etting up a sing
[=] 64/0x40 | 6C 65 20 4E 44 45 46 20 72 65 63 6F 72 64 20 6F | le NDEF record o
[=] 80/0x50 | 6E 20 61 6E 20 44 65 73 66 69 72 65 20 45 56 31 | n an Desfire EV1
[=] 96/0x60 | 20 28 6F 72 20 6C 61 74 65 72 29 2E 20 50 6C 65 | (or later). Ple
[=] 112/0x70 | 61 73 65 20 72 65 66 65 72 65 20 74 6F 20 74 68 | ase refere to th
[=] 128/0x80 | 65 20 4E 44 45 46 20 64 6F 63 75 6D 65 6E 74 69 | e NDEF documenti
[=] 144/0x90 | 6F 6E 20 61 6E 64 20 73 74 61 6E 64 61 72 64 73 | on and standards
[=] 160/0xA0 | 20 66 6F 72 20 61 73 73 69 73 74 61 6E 63 65 20 | for assistance
[=] 176/0xB0 | 6F 6E 20 74 68 65 20 61 63 74 75 61 6C 20 4E 44 | on the actual ND
[=] 192/0xC0 | 45 46 20 72 65 63 6F 72 64 20 73 65 74 75 70 20 | EF record setup
[=] 208/0xD0 | 61 6E 64 20 73 74 72 75 63 74 75 72 65 2E 20 49 | and structure. I
[=] 224/0xE0 | 74 20 69 73 20 61 73 73 75 6D 65 64 20 79 6F 75 | t is assumed you
[=] 240/0xF0 | 20 61 72 65 20 66 69 6D 75 6C 61 72 20 77 69 74 | are fimular wit
[=] 256/0x100 | 68 20 75 73 69 6E 67 20 61 20 64 65 73 66 69 72 | h using a desfir
[=] 272/0x110 | 65 20 63 61 72 64 73 20 61 6E 64 20 63 6F 6D 6D | e cards and comm
[=] 288/0x120 | 61 6E 64 73 2E 20 54 68 65 20 66 6F 6C 6C 6F 77 | ands. The follow
[=] 304/0x130 | 20 6E 6F 74 65 73 20 61 72 65 20 62 61 73 65 64 | notes are based
[=] 320/0x140 | 20 6F 6E 3A 20 4E 58 50 20 2D 20 41 4E 31 31 30 | on: NXP - AN110
[=] 336/0x150 | 30 34 20 2D 20 4D 49 46 41 52 45 20 44 45 53 46 | 04 - MIFARE DESF
[=] 352/0x160 | 69 72 65 20 61 73 20 54 79 70 65 20 34 20 54 61 | ire as Type 4 Ta
[=] 368/0x170 | 67 20 52 65 76 2E 20 32 2E 34 20 2D 20 32 32 20 | g Rev. 2.4 - 22
[=] 384/0x180 | 4D 61 79 20 32 30 31 33 20 49 6E 20 6F 72 64 65 | May 2013 In orde
[=] 400/0x190 | 72 20 74 6F 20 73 65 74 75 70 20 4E 44 45 46 20 | r to setup NDEF
[=] 416/0x1A0 | 6F 6E 20 61 20 4D 69 66 61 72 65 20 44 65 73 66 | on a Mifare Desf
[=] 432/0x1B0 | 69 72 65 20 63 61 72 64 20 79 6F 75 20 6E 65 65 | ire card you nee
[=] 448/0x1C0 | 64 20 74 6F 20 63 72 65 61 74 65 20 61 6E 20 41 | d to create an A
[=] 464/0x1D0 | 70 70 6C 69 63 61 74 69 6F 6E 20 61 6E 64 20 74 | pplication and t
[=] 480/0x1E0 | 77 6F 20 66 69 6C 65 73 20 69 6E 73 69 64 65 20 | wo files inside
[=] 496/0x1F0 | 74 68 61 74 20 61 70 70 6C 69 63 61 74 69 6F 6E | that application
[=] 512/0x200 | 2E 20 54 68 65 20 61 70 70 6C 69 63 61 74 69 6F | . The applicatio
[=] 528/0x210 | 6E 20 61 6E 64 20 66 69 6C 65 73 20 68 61 76 65 | n and files have
[=] 544/0x220 | 20 73 6F 6D 65 20 73 70 65 63 69 61 6C 20 6E 65 | some special ne
[=] 560/0x230 | 65 64 73 20 69 6E 20 6F 72 64 65 72 20 66 6F 72 | eds in order for
[=] 576/0x240 | 20 74 68 65 20 73 74 61 6E 64 61 6E 64 73 20 74 | the standands t
[=] 592/0x250 | 6F 20 77 6F 72 6B 20 61 6E 64 20 74 68 65 20 4E | o work and the N
[=] 608/0x260 | 44 45 46 20 72 65 63 72 6F 64 20 74 6F 20 62 65 | DEF recrod to be
[=] 624/0x270 | 20 66 6F 75 6E 64 2E 20 53 74 65 70 20 31 20 43 | found. Step 1 C
[=] 640/0x280 | 72 65 61 74 65 20 41 70 70 6C 69 63 61 74 69 6F | reate Applicatio
[=] 656/0x290 | 6E 20 57 68 69 6C 65 20 49 20 62 65 6C 65 69 76 | n While I beleiv
[=] 672/0x2A0 | 65 20 74 68 65 20 41 70 70 20 49 44 20 61 6E 64 | e the App ID and
[=] 688/0x2B0 | 20 46 69 6C 65 20 49 44 73 20 64 6F 6E 74 20 6D | File IDs dont m
[=] 704/0x2C0 | 61 74 74 65 72 20 28 66 6F 72 20 45 56 31 20 61 | atter (for EV1 a
[=] 720/0x2D0 | 6E 64 20 6C 61 74 65 72 29 20 49 20 64 69 64 20 | nd later) I did
[=] 736/0x2E0 | 66 69 6E 64 20 61 20 72 65 66 65 72 65 6E 63 65 | find a reference
[=] 752/0x2F0 | 20 74 6F 20 75 73 69 6E 67 20 74 68 65 20 76 61 | to using the va
[=] 768/0x300 | 6C 75 65 73 20 69 6E 20 74 68 69 73 20 65 78 61 | lues in this exa
[=] 784/0x310 | 6D 70 6C 65 2E 00 00 00 00 00 00 00 00 00 00 00 | mple…

sed 's/^[^|]*|//' ndef_dump.txt > format.txt && \
sed -i.bak 's/|.*$//' format.txt && \
sed -i 's/\s\+//g' format.txt && \
sed -i ':a; N; s/\n/ /; ta' format.txt && \
sed -i 's/[\t ]//g;/^$/d' format.txt

format.txt gives me:

0313C1010000030C5402656E54686520666F6C6C6F77206973206120677569646520746F2061737369737420696E2073657474696E6720757020612073696E676C65204E444546207265636F7264206F6E20616E20446573666972652045563120286F72206C61746572292E20506C656173652072656665726520746F20746865204E44454620646F63756D656E74696F6E20616E64207374616E646172647320666F7220617373697374616E6365206F6E207468652061637475616C204E444546207265636F726420736574757020616E64207374727563747572652E20497420697320617373756D656420796F75206172652066696D756C61722077697468207573696E672061206465736669726520636172647320616E6420636F6D6D616E64732E2054686520666F6C6C6F77206E6F74657320617265206261736564206F6E3A204E5850202D20414E3131303034202D204D494641524520444553466972652061732054797065203420546167205265762E20322E34202D203232204D6179203230313320496E206F7264657220746F207365747570204E444546206F6E2061204D69666172652044657366697265206361726420796F75206E65656420746F2063726561746520616E204170706C69636174696F6E20616E642074776F2066696C657320696E736964652074686174206170706C69636174696F6E2E20546865206170706C69636174696F6E20616E642066696C6573206861766520736F6D65207370656369616C206E6565647320696E206F7264657220666F7220746865207374616E64616E647320746F20776F726B20616E6420746865204E44454620726563726F6420746F20626520666F756E642E2053746570203120437265617465204170706C69636174696F6E205768696C6520492062656C65697665207468652041707020494420616E642046696C652049447320646F6E74206D61747465722028666F722045563120616E64206C61746572292049206469642066696E642061207265666572656E636520746F207573696E67207468652076616C75657320696E2074686973206578616D706C652E

Which NFC Tools can’t read.

Try breaking the data down into NDEF message and NDEF record inside the message, and check lengths…

Also… in the dump I don’t see the termination character FE … all ndef messages should end with FE.

I need to read up more on NDEF and Desfire. Would that be the same as writing 2 or more records using NFC tools?

I tested NFC Tools on both my phones and it adds FE to the end of my non-Desfire NFC tags. NFC Tools doesn’t add FE to my Desfire tags.

With Desfire, I noticed I first have to add File 01 (Edit Compatibility Container File) with the following in order to make an NDEF record.

[=] 0/0x00 | 00 0F 20 00 3B 00 34 04 06 E1 04 1E 00 00 00 | .. .;.4........

I’m not even sure why that is. I just saw it in the Proxmark example and also noticed it on my NFC Tools written tags. (Edit I found step 2 @ proxmark3/ndef_type4a.md at master · RfidResearchGroup/proxmark3 · GitHub)
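An added example, not part of any post in this thread and not Proxmark project code: a length check across the two files discussed above, the Capability Container (file 01) and the NDEF file (file 02). It assumes the NFC Forum Type 4 layout (a 15-byte CC holding one NDEF File Control TLV, and an NDEF file that starts with a 2-byte NLEN); the function and constant names are hypothetical.

```python
import struct

def parse_cc(cc: bytes) -> dict:
    """Type 4 Tag Capability Container holding one NDEF File Control TLV."""
    cclen, version, mle, mlc = struct.unpack_from(">HBHH", cc, 0)
    tag, length = cc[7], cc[8]
    if cclen != len(cc) or (tag, length) != (0x04, 0x06):
        raise ValueError("unexpected CC layout")
    file_id, max_size, read_acc, write_acc = struct.unpack_from(">HHBB", cc, 9)
    return {"file_id": file_id, "max_size": max_size,
            "read": read_acc, "write": write_acc}

def record_lengths(msg: bytes) -> list:
    """Walk the NDEF records in msg and return each record's total length."""
    lengths, pos = [], 0
    while pos < len(msg):
        flags, type_len = msg[pos], msg[pos + 1]
        if flags & 0x10:                      # SR: 1-byte payload length
            payload_len, off = msg[pos + 2], 3
        else:                                 # otherwise 4-byte payload length
            payload_len, off = int.from_bytes(msg[pos + 2:pos + 6], "big"), 6
        id_len = msg[pos + off] if flags & 0x08 else 0   # IL: ID length byte
        off += 1 if flags & 0x08 else 0
        lengths.append(off + type_len + id_len + payload_len)
        pos += lengths[-1]
        if flags & 0x40:                      # ME: last record of the message
            break
    return lengths

def check(cc: bytes, ndef_file: bytes) -> list:
    """Return the length inconsistencies between the CC and the NDEF file."""
    info, problems = parse_cc(cc), []
    nlen = int.from_bytes(ndef_file[:2], "big")   # NLEN prefix of the file
    if nlen + 2 > info["max_size"]:
        problems.append(f"NLEN+2={nlen + 2} > CC max NDEF file size {info['max_size']}")
    if nlen + 2 > len(ndef_file):
        problems.append("NLEN runs past the data written")
    elif sum(record_lengths(ndef_file[2:2 + nlen])) != nlen:
        problems.append("record lengths do not add up to NLEN")
    return problems

# Bytes taken from this page
CC_WRITTEN = bytes.fromhex("000F20003B00340406E10400FF00FF")   # first post
CC_NFCTOOLS = bytes.fromhex("000F20003B00340406E1041E000000")  # NFC Tools tag
HI = bytes.fromhex("0009D101055402656E6869")                   # the "hi" write
# Header from the NFC Tools dump; the 777 text bytes are constructed filler
LONG = bytes.fromhex("0313C1010000030C54") + b"\x02en" + b"x" * 777
```

With the bytes on this page, `check(CC_WRITTEN, LONG)` reports that the 789-byte file exceeds the maximum NDEF file size of 0x00FF declared in the first post's CC, while `HI` fits and `check(CC_NFCTOOLS, LONG)` returns no problems.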

Hmm well NDEF is a data format… it’s identical no matter what the tag types are… even active active connections between two phones use the same format. Not sure what’s going on here :confused:

When it comes to files on desfire, there are such things, but there is only one file used for NDEF and it uses a well known AID. Inside that file is where all NDEF data lives, and it’s formatted as one or more “messages”, each with one or more “records” inside, with each record containing a single “payload”.

Typically only one message exists within an NDEF container, though messages will have one or more records.

The end of the message is always FE