
When sending the FormatPICC command to a MIFARE DESFire EV1 card, I observe the following behavior:

PCD  ---> PICC
--------------
0xFC --->
     <--- 0x00   or   0x00 + MAC   or   ERROR CODE

  1. If authenticated with the command 0x0A (legacy (3)DES authentication), the response to the FormatPICC command is only one byte (0x00).
  2. If authenticated with the command 0xAA (AES authentication), the response to the FormatPICC command is the status byte (0x00) plus the MAC.

When I send another command (e.g. GetVersion (0x60)), the response does not contain the MAC regardless of which authentication was used (0x0A or 0xAA).

Why is there this difference? Should I still calculate the MAC for such commands (to update the crypto state)? Is there some document that explains that?

Michael Roland
bin.chen
  • I'm sure this question makes sense to you. But I can't interpret it **at all**. I can't even understand the question title. Is this a programming language? What's the precise issue? – wally Aug 16 '17 at 16:07

1 Answer

Your observation seems to be wrong. Once authenticated using either AuthenticateISO (0x1A) with TDES or AuthenticateAES (0xAA), MIFARE DESFire EV1 will return a MAC in response to all commands (except, of course, the authentication commands and SelectApplication, which both reset authentication).

Consequently, a MAC should be returned in response to the GetVersion command. However, note that the GetVersion command is split across 3 frames. The MAC is only appended to the last frame (the one with the status code 0x00):

PCD  ---> PICC
--------------
0x60 --->
     <--- 0xAF + DATA
0xAF --->
     <--- 0xAF + DATA
0xAF --->
     <--- 0x00 + DATA + MAC

Michael Roland
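The frame chaining described in the answer, as an added example that is not part of the original post: it follows 0xAF frames until the final 0x00 frame and only then looks for a trailing MAC, which is why a reader that inspects the first GetVersion frame sees none. The `transceive` callback, the canned frames and the MAC bytes are constructed for illustration, and the 8-byte MAC length is an assumption about EV1's truncated CMAC.

```python
STATUS_OK, STATUS_MORE = 0x00, 0xAF   # 0xAF = "additional frame" follows
MAC_LEN = 8  # assumption: EV1 appends an 8-byte (truncated) CMAC

class DesfireError(Exception):
    """Raised on an error status or a response of unexpected length."""

def exchange(transceive, command, data_len):
    """Send `command`, follow 0xAF chaining, return (data, mac_or_None).

    `transceive` is a caller-supplied function (hypothetical here) that
    sends one native-framed command and returns the raw response bytes.
    """
    payload = bytearray()
    frame = transceive(bytes(command))
    while True:
        if not frame:
            raise DesfireError("empty response frame")
        status, body = frame[0], frame[1:]
        if status not in (STATUS_OK, STATUS_MORE):
            raise DesfireError(f"card returned status 0x{status:02X}")
        payload += body
        if status == STATUS_OK:
            break
        frame = transceive(bytes([STATUS_MORE]))  # request the next frame
    # The MAC, if any, sits only at the end of the final (0x00) frame.
    extra = len(payload) - data_len
    if extra == 0:
        return bytes(payload), None
    if extra == MAC_LEN:
        return bytes(payload[:data_len]), bytes(payload[data_len:])
    raise DesfireError(f"unexpected payload length {len(payload)}")

def scripted_card(frames):
    """Constructed stand-in for a reader: replays canned response frames."""
    it = iter(frames)
    return lambda _cmd: next(it)

# Constructed sample data: GetVersion returns 7 + 7 + 14 data bytes.
FAKE_MAC = bytes(range(0xA0, 0xA8))
GET_VERSION_FRAMES = [
    b"\xAF" + bytes(7),
    b"\xAF" + bytes(7),
    b"\x00" + bytes(14) + FAKE_MAC,
]
FORMAT_PICC_FRAMES = [b"\x00" + FAKE_MAC]

if __name__ == "__main__":
    for frames, cmd, n in ((GET_VERSION_FRAMES, 0x60, 28), (FORMAT_PICC_FRAMES, 0xFC, 0)):
        data, mac = exchange(scripted_card(frames), [cmd], n)
        print(f"cmd 0x{cmd:02X}: {len(data)} data bytes, MAC {mac.hex()}")
```

A returned MAC still has to be verified against the session's CMAC state before the data is trusted; this sketch only locates it.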