MIFARE DESFire card or tag settings

A list of all valid config.txt settings that relate to extracting secure data from DESFire cards or tags. You may also need to use some of the general Card or tag settings alongside these.

DESFire cards may contain a number of applications, identified by an application ID. Each application may contain a number of data files, each identified by a file number, which may be individually protected. The VTAP reader supports a number of formats to read, decode or output the secure data. The format might be HID 10301 26‑bit or HID 10301 37‑bit. Reading secured data from a DESFire card therefore involves uploading the app key file and providing the application ID and the key number to be used for authentication, along with the file number, the crypto algorithm for decoding each file, and the bit format.

Reading DESFire cards requires setting NFCType4=D, uploading suitable appkey#.txt files with the relevant application keys, and using these settings prefixed DESFire.... Only DESFire cards which hold unformatted data or Key-ID 26-bit HID 10301 data are currently supported.

Note: In these settings # is a number from 1 to 6, showing which settings form a group for reading each of 1 to 6 values from separate files and/or applications on a DESFire card or tag. If you use multiple DESFire#... settings, the values read will be output together, separated by the DESFireSeparator string. The lowest numbered DESFire read will be first in the output string, with the rest following in ascending numeric order. (For Wiegand data multiple reads are not supported, so only the lowest numbered DESFire#... settings will be used.) If no number is used, the setting will be treated as set 1.

Some cards or passes can be set up so that each one carries a different key, although all are derived from the same master key. This is a feature of DESFire EV1 and EV2 cards, MIFARE2Go passes, Apple Wallet Access passes and others. One form of 'key diversification' scheme to support this is NXP AN10922. If your DESFire cards are using NXP AN10922 key diversification, you will need settings that are enabled by DESFire#Diversification=1. You will need to upload a Privacy key identified in DESFire#PrivacyKeySlot, and set a Privacy key number DESFire#PrivacyKeyNum, together with uploading System Identifier information (up to 16 bytes of data, saved as if it was another key) identified by DESFire#SysIDKeySlot. This is in addition to the usual settings needed to decode secured data in an encrypted application.

For examples refer to the section Read secured data from DESFire cards or tags.

DESFire#AppID
Definition:

Hex number identifying your DESFire application

Options:

24 bit number formatted as 6 hex digits with the most significant byte first

Note: The VTAP reader expects the DESFireAppID to be a 24 bit number formatted as 6 hex digits with the most significant byte first. However, some vendors and software treat the Application ID value as a byte sequence with the least significant byte first, which is the byte order used in communications with the card. If the VTAP reader fails to read your DESFire card application, try reversing the order of the DESFireAppID bytes. For example, if DESFireAppID=F56400 try DESFireAppID=0064F5.

Default value: N/A
Example value: =F56400
DESFire#Crypto
Definition:

Identifies the cryptographic method used for DESFire cards or tags

Options:

=3 identifies AES (default),
=1 identifies 3DES cryptography,
=0 for no cryptography

Default value: =3
Example value: =1
DESFire#Diversification
Definition:

Enables/disables DESFire key diversification settings.

Options:

=1 enables key diversification in accordance with NXP AN10922 Symmetric key diversifications Application Note rev 2.2. (You will then also need to set DESFire#PrivacyKeySlot, DESFire#PrivacyKeyNum and DESFire#SysIDKeySlot).

=0 disables the feature

Default value: =0
Example value: =1
DESFire#FileID
Definition:

Number identifying the file within your DESFire application to read

Options:

Use a value from 1 to 255

Default value: N/A
Example value: =1
DESFire#KeyNum
Definition:

Number identifying the application key needed to read your DESFire file

Options:  
Default value: N/A
Example value: =1
DESFire#KeySlot
Definition:

Identifies which uploaded appkey#.txt file contains the key for accessing the DESFire file

Options:

=1 to =9, to refer to the application key files uploaded as appkey1.txt through appkey9.txt

Default value: N/A
Example value: =1
DESFire#PrivacyKeyNum
Definition:

Number identifying the Privacy key within the DESFire application that is used to restrict access to the real UID, when a random UID is used to protect the card identity. Needed when key diversification is in use.

Options:

Valid numbers will depend on your cards/passes.

Default value: N/A
Example value: =1
DESFire#PrivacyKeySlot
Definition:

Identifies which key slot, filled by an uploaded appkey#.txt file, contains the Privacy key for accessing the UID. Needed when key diversification is in use.

Options:

=1 to =9, to refer to the application key files uploaded as appkey1.txt through appkey9.txt

Default value: N/A
Example value: =1
DESFire#Format
Definition:

Identifies which bit format is used to store the data.

Options:

=0 means no format (specify DESFire#ReadLength and TagReadFormat to determine how the data is output),
=1 means KEY-ID format (26 bit facility code and number format, H10301 compatible)

Default value: =0
Example value: =1
DESFire#ReadLength
Definition:

The number of bytes of data to read from DESFire cards, distinct from TagReadLength which applies to other cards and tags.

Options:

=1 byte to =255 bytes. In practice limited by the data that a DESFire card can return in a single message, typically 240 bytes maximum.

(Default =3 suits Key‑ID encoded cards, however the setting is not required if DESFire#Format has selected a Key-ID format, as the length is then automatic.)

Default value: =3
Example value: =4
DESFire#SysIDKeySlot
Definition:

Identifies which key slot, filled by an uploaded appkey#.txt file, contains the System Identifier information. Needed when key diversification is in use.

Options:

=1 to =9, to refer to the application key files uploaded as appkey1.txt through appkey9.txt

Default value: N/A
Example value: =1
DESFire#SysIDLength
Definition:

Defines the length of the System Identifier key (number of bytes), when key diversification is in use. Optional when key diversification is in use.

Options:

=0, or omitting this setting, will automatically use the length of the stored System Identifier app key

=1 to =16 will fix the length of the app key in bytes

Default value: =0
Example value: =1
DESFireSeparator
Definition:

Defines a string to include in between the data obtained from separate DESFire card reads, when there is more than one.

Options:

Choose any separator that suits your application, up to 16 characters. (Note: Pre/postfix strings can still also be applied to the combined DESFire read output over a given interface.)

Default value: =,
Example value: =|
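
A pre-deployment check of a config.txt against the value ranges and dependencies listed in this reference, given here as an added example and not as vendor code. The function name lint_desfire, the sample configuration and the 0 to 255 range accepted for key numbers are assumptions; lines are assumed to be plain Name=Value.

```python
import re

def rng(lo, hi):  # check for a decimal integer within lo..hi inclusive
    return lambda v: re.fullmatch(r"[0-9]+", v) is not None and lo <= int(v) <= hi

# Value rules copied from the option lists in this reference.
RULES = {
    "AppID": lambda v: re.fullmatch(r"[0-9A-Fa-f]{6}", v) is not None,
    "Crypto": lambda v: v in ("0", "1", "3"),
    **{k: (lambda v: v in ("0", "1")) for k in ("Diversification", "Format")},
    "FileID": rng(1, 255), "ReadLength": rng(1, 255), "SysIDLength": rng(0, 16),
    **{k: rng(1, 9) for k in ("KeySlot", "PrivacyKeySlot", "SysIDKeySlot")},
    # Assumption: the page gives no range for key numbers, so accept 0..255.
    **{k: rng(0, 255) for k in ("KeyNum", "PrivacyKeyNum")},
}
DIVERSIFICATION_NEEDS = ("PrivacyKeySlot", "PrivacyKeyNum", "SysIDKeySlot")

# Constructed sample: group 2 has a 4-digit AppID and no SysIDKeySlot.
SAMPLE = "\n".join([
    "NFCType4=D", "DESFire1AppID=F56400", "DESFire1FileID=1", "DESFire1KeySlot=1",
    "DESFire2AppID=64F5", "DESFire2Diversification=1", "DESFire2PrivacyKeySlot=2",
    "DESFire2PrivacyKeyNum=1", "DESFireSeparator=|",
])

def lint_desfire(config_text):
    """Return a list of problems found in the DESFire settings of a config.txt."""
    problems, groups, nfc_type4 = [], {}, None
    for line in config_text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "NFCType4":
            nfc_type4 = value
        elif key == "DESFireSeparator":
            if len(value) > 16:
                problems.append("DESFireSeparator: longer than 16 characters")
        elif key.startswith("DESFire"):
            m = re.fullmatch(r"DESFire([1-6]?)([A-Za-z]+)", key)
            if not m or m.group(2) not in RULES:
                problems.append(f"{key}: unknown setting or group number not 1 to 6")
                continue
            # A setting with no number belongs to set 1.
            groups.setdefault(m.group(1) or "1", {})[m.group(2)] = value
            if not RULES[m.group(2)](value):
                problems.append(f"{key}: value {value!r} is not valid")
    if groups and nfc_type4 != "D":
        problems.append("NFCType4: must be D to read DESFire cards")
    for num, group in sorted(groups.items()):
        if group.get("Diversification") == "1":
            problems += [f"DESFire{num}{name}: required when Diversification=1"
                         for name in DIVERSIFICATION_NEEDS if name not in group]
    return problems
```

Running lint_desfire(SAMPLE) reports the malformed DESFire2AppID and the missing DESFire2SysIDKeySlot; an empty list means no rule from this page was broken.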