Read DESFire cards or tags or Apple Access credentials
MIFARE DESFire cards may contain a number of applications, identified by an application ID. Each application may contain a number of data files and a number of cryptographic keys, for use with either the AES or 3DES ciphers. Each file is identified with a file ID and may be individually protected, requiring authentication with one of the application keys, for read or write access and for communications security.
Apple Access DESFire credentials behave in the same way as DESFire cards or tags. When the AccessTCI setting is used the VTAP reader will operate in ECP2 mode and enable DESFire credential reading. More about this
To read data from a DESFire card, the config.txt file for your VTAP reader must specify the application ID and file ID, where the required data is stored. The VTAP reader supports a number of formats and options to read, decode or output the secure data. To read any protected data you also need to load the appropriate key into one of the VTAP reader’s app key slots, and specify in the config.txt file the crypto algorithm, the key number (within the card’s application) and the corresponding VTAP app key slot, where that key has been loaded.
After looking at reading data from individually secured files on DESFire cards in this section,
VTAP reader configuration to read your secure DESFire cards
Step 1: Upload necessary DESFire application key(s) to your VTAP reader.
This follows the same approach as when you first uploaded mobile pass key files.
-
Save each of the DESFire application keys you need to use in a file, with the name appkey#.txt, where # is replaced with a number from 1 to 9. Each text file should just contain one DESFire application key with 32 hex digits, for example, key=bd6a15d1039e7527edfd01f37a220f3e
Note: A VTAP reader cannot use more than 9 application key files.
-
Load your keys by copying these files onto your VTAP reader. Just connect your VTAP reader to a PC via USB, so it appears as a mass storage device on the PC file system (unless disabled or locked), then you can drag and drop the files.
Alternatively, transfer the file to your VTAP reader using Zmodem to transfer over a serial interface.
-
Power cycle your VTAP reader. (Disconnect or safely remove the drive from the PC then reconnect it.) When you reboot the VTAP reader your key will have been stored in hardware, and will no longer be listed as a file on the device.
Alternatively, send a ?KEYLOAD command over a serial interface for the key to be loaded, to avoid the need to restart the VTAP reader.
Step 2: Add extra lines to the config.txt file to describe the Application ID, appkey and format to use
-
Open the file config.txt in a text editor (such as Windows Notepad).
-
Add lines to the file config.txt, using your own Application ID, File ID and Key Number. If there is already a line reading NFCType4=U, instructing the VTAP reader to read only the UID of DESFire cards, you will need to overwrite that line with the new content.
Note: The VTAP reader expects the DESFireAppID to be a 24 bit number formatted as 6 hex digits with the most significant byte first. However, some vendors and software treat the Application ID value as a byte sequence with the least significant byte first, which is the byte order used in communications with the card. If the VTAP reader fails to read your DESFire card application, try reversing the order of the DESFireAppID bytes. For example, if DESFireAppID=F56400 try DESFireAppID=0064F5.
Two examples follow, the first where the DESFire data is securely held and requires keys, and the second without cryptography or a DESFire format.
Example: Settings in config.txt to read secured data from DESFire cards or tags
Copy!VTAPconfig
NFCType4=D ; Read NFC Type4 cards as DESFire
DESFireAppID=F56400 ; 24 bit value (6 hex digits)
DESFireFileID=1 ; File ID within application (decimal 0 to 255)
DESFireCrypto=3 ; 0 = None; 1 = 3DES; 3 = AES (default)
DESFireKeyNum=1 ; Application key number used for authentication
DESFireKeySlot=1 ; Application key slot number on VTAP
; here use appkey 1
DESFireFormat=1 ; How to interpret the data
; =0 no format
; (set DESFireReadLength and TagReadFormat)
; =1 KEY-ID format (26 bit facility code
; and number, H10301 compatible)If DESFireCrypto=0 (no cryptography) or DESFireKeySlot=0 (no key), there will be no authentication or file communications encryption. This will allow unrestricted, plain text file access to some application data, only if this is permitted by the DESFire card configuration.
When DESFireFormat=0, you can further control the output by using the settings:
-
TagReadFormat - to output the payload in either hex (=h, default), ASCII (=a) or decimal (=d).
-
If ASCII is set, each byte is an ASCII character.
-
When decimal is set, the VTAP reader will interpret binary data as a 64 bit decimal value and output ASCII decimal digits. In this case TagReadLength should not exceed 4 bytes.
-
For hexadecimal, the VTAP reader will convert binary data to ASCII hex digits with 2 digits per byte.
-
TagWiegandBits - to set the number of bits output over the Wiegand interface (=1 to 255), where the default is 0, or for automatic detection of bits available use =0 value.
Example: Settings in config.txt to read data from DESFire cards or tags without cryptography or DESFire format
Copy!VTAPconfig
NFCType4=D
DESFireAppID=2308A1
DESFireFileID=48
DESFireCrypto=0 ; No cryptography
DESFireFormat=0 ; No format, so must set DESFireReadLength and
; TagReadFormat
DESFireReadLength=8 ; Number of bytes to read if DESFireFormat=0
TagReadFormat=a ; Output payload in ASCII format, with each byte
; interpreted as an ASCII character
TagWiegandBits=64 ; Set the Wiegand output bit length to 64 -
-
Save the amended config.txt file and these changes will take effect immediately.
Read multiple applications or files in the same DESFire card
You may need to read and output values from multiple applications or files within the same DESFire card, where all the applications may have different security requirements.
The VTAP readers can read up to 6 applications within the same DESFire card, access them separately (according to their corresponding security requirements), and output the values, concatenated with a defined separator.
To use this feature, DESFire... settings become DESFire#... settings, where # is a number from 1 to 6. The number shows which settings form a group for reading each of 1 to 6 values from separate files and or applications on a DESFire card or tag. If you use multiple DESFire#... settings the values read will be output together, spaced by the DESFireSeparator string. The lowest numbered DESFire read will be first in the output string, then continuing in ascending numeric order.
Note: If a number is not used in DESFire... settings, then the VTAP reader would treat those settings as DESFire1... For example DESFireCrypto or DESFireFileID would be considered as DESFire1Crypto and DESFire1FileID.
Example: Settings in config.txt to read multiple applications or files from DESFire cards or tags
!VTAPconfig
NFCType4=D
DESFire1AppID=A253C6
DESFire1FileID=0
DESFire1Crypto=3 ; AES (default)
DESFire1KeyNum=1
DESFire1KeySlot=2 ; use appkey 2
DESFire1Format=0
DESFire1ReadLength=12
DESFire2AppID=D90200
DESFire2FileID=1
DESFire2Crypto=0 ; no authentication required
DESFire2Format=0
DESFire2ReadLength=13The output from this DESFire card read will be the two defined application reads, concatenated and with a default comma separator between them: 303038393939353739343937,4D4F4C30303531353930323137
Use DESFireSeparator (defaults to ",") to set a separator character(s) between the outputs of all the DESFire applications. Up to 16 characters can be used and URL encoding is also supported.
Example: Settings in config.txt to set a custom separator between outputs from multiple DESFire applications, output as ASCII format data
!VTAPconfig
NFCType4=D
DESFire3AppID=83A205
DESFire3FileID=1
DESFire3Crypto=0 ; no authentication required
DESFire3Format=0
DESFire3ReadLength=13
DESFire5AppID=C200A1
DESFire5FileID=1
DESFire5Crypto=3 ; AES (default)
DESFire1KeyNum=1
DESFire1KeySlot=1 ; use appkey 1
DESFire5Format=0
DESFire5ReadLength=12
DESFireSeparator=|
TagReadFormat=aThe output from this DESFire card read will then be the two defined application reads, concatenated and with a custom | separator between them, presented as ASCII: 086280451106|AOM0844175535
Without the TagReadFormat setting the output would be: 414F4D30383434313735353335|303836323830343531313036
When using the Wiegand interface, multiple reads are not supported. In this case, only the lowest numbered DESFire#... settings will be used, which might not be DESFire1.... If only DESFire3... and DESFire4... settings are defined in config.txt, the DESFire3... settings would then be used for output over Wiegand.
Read Apple Access credentials
In order to read Apple Access DESFire credentials you need to set an AccessTCI value. The TCI is an ID assigned by Apple Access credential issuer. When this setting is used, the VTAP reader will operate in ECP2 mode and enable DESFire credential reading.
Example: Settings in config.txt to read secured data from Apple Access DESFire credentials
!VTAPconfig
AccessTCI=203C20 ; ID assigned by Apple Access credential issuer
DESFireAppID=F56400 ; 24 bit value (6 hex digits)
DESFireFileID=1 ; File ID within application (decimal 0 to 255)
DESFireCrypto=3 ; 0 = None; 1 = 3DES; 3 = AES (default)
DESFireKeyNum=1 ; Application key number used for authentication
DESFireKeySlot=1 ; Application key slot number on VTAP
; here use appkey 1
DESFireFormat=1 ; How to interpret the data
; =0 no format
; (set DESFireReadLength and TagReadFormat)
; =1 KEY-ID format (26 bit facility code
; and number, H10301 compatible)