
Recover sector in Mifare Classic 1k with overwritten permission bits


I have mistakenly overwritten sector 1 block 7 of one of my Mifare classic 1k tags. It was meant for testing and the 16 byte data that I wrote on block 7 is shown below:

0xaa 0xaa 0xaa 0xaa 
0xbb 0xbb 0xbb 0xbb
0xcc 0xcc 0xcc 0xcc  
0xdd 0xdd 0xdd 0xdd

If I am not mistaken, by doing so, my access keys and permission bits have become the following:

  • Key-A: 0xaa 0xaa 0xaa 0xaa 0xbb 0xbb
  • Key-B: 0xcc 0xcc 0xdd 0xdd 0xdd 0xdd
  • Permission Bits: 0xbb 0xbb 0xcc

I have tried to use Key-A and Key-B as shown above to read/write block 7 in sector 1. But I am no longer able to access (no read or write) any block in sector 1 anymore.

I know the keys to all other sectors (e.g. sector 0 and sectors 2-15) and am able to access them.

Considering the situation, I would like to know if there is any way to reset sector 1 or block 7 to regain my access. Many thanks.

Update:

I have confirmed that both Key-A and Key-B as shown above are correct and I can authenticate to the card with both of them. Also, as per the Mifare Classic specification (screenshot), my access bits are as follows:

Byte 6 = 0xbb = 0b10111011
--------------------------
C2_3 C2_2 C2_1 C2_0 C1_3 C1_2 C1_1 C1_0
  1    1    0    1    1    1    0    1

Byte 7 = 0xbb = 0b10111011
--------------------------
C1_3 C1_2 C1_1 C1_0 C3_3 C3_2 C3_1 C3_0
  1    1    0    1    1    1    0    1

Now, considering the specification/screenshot, C1_3, C2_3 and C3_3 bits enable read/write access to sector-trailer. In my case, for block 7 (trailer for sector 7) they are all set to 1. Should I not have write access to this block then?


Solution

  • The Mifare Classic specification you linked says:

    Remark: With each memory access the internal logic verifies the format of the access conditions. If it detects a format violation the whole sector is irreversibly blocked.

    Your access bytes do not verify the format. In the following table, ~ means inverted:

    Byte 6 
    --------------------------
    ~C2_3 ~C2_2 ~C2_1 ~C2_0 ~C1_3 ~C1_2 ~C1_1 ~C1_0
      1     0     1     1     1     0     1     1
    
    Byte 7 
    --------------------------
     C1_3  C1_2  C1_1  C1_0 ~C3_3 ~C3_2 ~C3_1 ~C3_0
       1     0     1     1     1     0     1     1
    
    Byte 8 
    --------------------------
     C3_3  C3_2  C3_1  C3_0  C2_3  C2_2  C2_1  C2_0
       1     1     0     0     1     1     0     0
    

    So, for instance, C2_3 = 1 and ~C2_3 = 1. They are not complementary. Format not verified, sector is irreversibly blocked.

    In the same document there is a table (table 7) that shows that key A can always be read. Maybe this is the reason you can authenticate.
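The check the answer performs by hand (split trailer bytes 6..8 into the C1/C2/C3 nibbles and confirm each stored ~C nibble is the bitwise complement of its plain copy) is easy to automate on the host before a trailer is ever written, which is the only point at which a format violation can still be caught. The following is an added example, not code from the question or the answer; it applies the byte layout from the datasheet quoted above, the 16-byte block from the question and the factory-default transport access bytes `FF 07 80` as constructed inputs, and `parse_trailer`, `decode_access_bits`, `format_violations`, `block_conditions` and `encode_access_bits` are names chosen here.

```python
# Added example (not from the question or answer): decode, format-check and
# re-encode MIFARE Classic sector-trailer access bits on the host, so a
# malformed trailer is rejected before the card's internal logic locks the sector.

from typing import Dict, List, Tuple


def parse_trailer(block: bytes) -> Dict[str, bytes]:
    """Split a 16-byte sector trailer into key A, access bytes, user byte, key B.
    Byte layout: 0..5 key A, 6..8 access bits, 9 user/GPB byte, 10..15 key B."""
    if len(block) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    return {"key_a": block[0:6], "access": block[6:9],
            "user": block[9:10], "key_b": block[10:16]}


def _nibbles(b: int) -> Tuple[int, int]:
    """(high nibble, low nibble) of one byte, MSB-first as in the datasheet tables."""
    return (b >> 4) & 0xF, b & 0xF


def decode_access_bits(access: bytes) -> Dict[str, int]:
    """Split the 3 access bytes into the C1/C2/C3 nibbles and their stored inverses:
      byte 6 = ~C2_3..~C2_0 | ~C1_3..~C1_0
      byte 7 =  C1_3.. C1_0 | ~C3_3..~C3_0
      byte 8 =  C3_3.. C3_0 |  C2_3.. C2_0
    Bit i of each nibble belongs to block i of the sector (bit 3 = trailer)."""
    if len(access) != 3:
        raise ValueError("need exactly the 3 access bytes (trailer bytes 6, 7, 8)")
    inv_c2, inv_c1 = _nibbles(access[0])
    c1, inv_c3 = _nibbles(access[1])
    c3, c2 = _nibbles(access[2])
    return {"C1": c1, "C2": c2, "C3": c3, "~C1": inv_c1, "~C2": inv_c2, "~C3": inv_c3}


def format_violations(access: bytes) -> List[str]:
    """Nibbles whose stored inverse is not the complement of the plain copy.
    An empty list means the access bytes pass the card's format check."""
    f = decode_access_bits(access)
    bad = []
    for name in ("C1", "C2", "C3"):
        if (f[name] ^ f["~" + name]) != 0xF:
            bad.append(f"{name}={f[name]:04b} but ~{name}={f['~' + name]:04b}")
    return bad


def block_conditions(access: bytes) -> List[Tuple[int, int, int]]:
    """(C1, C2, C3) for blocks 0..3: the triple used to look up the datasheet's
    access-condition tables for data blocks and for the trailer."""
    f = decode_access_bits(access)
    return [((f["C1"] >> i) & 1, (f["C2"] >> i) & 1, (f["C3"] >> i) & 1)
            for i in range(4)]


def encode_access_bits(c1: int, c2: int, c3: int) -> bytes:
    """Build correctly formatted access bytes from the C1/C2/C3 nibbles
    (bit i = block i); the stored inverses are derived, never hand-typed."""
    for n in (c1, c2, c3):
        if not 0 <= n <= 0xF:
            raise ValueError("C1/C2/C3 must be 4-bit values")

    def inv(n: int) -> int:
        return (~n) & 0xF

    return bytes([(inv(c2) << 4) | inv(c1), (c1 << 4) | inv(c3), (c3 << 4) | c2])


if __name__ == "__main__":
    # Constructed inputs: the 16 bytes written to block 7 in the question, and
    # the factory-default transport access bytes FF 07 80.
    written = bytes.fromhex("aaaaaaaa" "bbbbbbbb" "cccccccc" "dddddddd")
    t = parse_trailer(written)
    print("key A:", t["key_a"].hex(), " key B:", t["key_b"].hex(),
          " access:", t["access"].hex())
    for label, acc in (("question", t["access"]), ("default", bytes([0xFF, 0x07, 0x80]))):
        v = format_violations(acc)
        print(label, acc.hex(), "VALID" if not v else "INVALID: " + "; ".join(v))
        print("  per-block (C1,C2,C3):", block_conditions(acc))
```

Run on the question's bytes, `format_violations` reports all three nibble pairs as non-complementary while `block_conditions` still shows C1_3 = C2_3 = C3_3 = 1 for the trailer, which is exactly why reading the trailer bits alone is misleading: the card checks the complements first and never consults the condition table. A write routine that refuses any trailer for which `format_violations` is non-empty, and that builds the access field only through `encode_access_bits`, cannot produce this failure.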