Search code examples
androidauthenticationnfcrfidmifare

Reading when write is restricted on Mifare Ultralight C

I have just received Mifare Ultralight C. I can easily read values from it using android phone(Galaxy Ace 3).

0 hex: 04 9a 6f 79
1 hex: 52 02 3a 80
2 hex: ea 48 00 00
3 hex: 00 00 00 00
4 hex: 02 00 00 10
5 hex: 00 06 01 10
6 hex: 11 ff 00 00
7 hex: 00 00 00 00
8 hex: 00 00 00 00
9 hex: 00 00 00 00
10 hex: 00 00 00 00
11 hex: 00 00 00 00
12 hex: 00 00 00 00
13 hex: 00 00 00 00
14 hex: 00 00 00 00
15 hex: 00 00 00 00
16 hex: 00 00 00 00
17 hex: 00 00 00 00
18 hex: 00 00 00 00
19 hex: 00 00 00 00
20 hex: 00 00 00 00
21 hex: 00 00 00 00
22 hex: 00 00 00 00
23 hex: 00 00 00 00
24 hex: 00 00 00 00
25 hex: 00 00 00 00
26 hex: 00 00 00 00
27 hex: 00 00 00 00
28 hex: 00 00 00 00
29 hex: 00 00 00 00
30 hex: 00 00 00 00
31 hex: 00 00 00 00
32 hex: 00 00 00 00
33 hex: 00 00 00 00
34 hex: 00 00 00 00
35 hex: 00 00 00 00
36 hex: 00 00 00 00
37 hex: 00 00 00 00
38 hex: 00 00 00 00
39 hex: 00 00 00 00
40 hex: 00 00 00 00
41 hex: 00 00 00 00
42 hex: 30 00 00 00
43 hex: 00 00 00 00

Then I'm changing values in page 43 to 0x80 and page 42 to 0x2A. Now when I'm reading values this way:

Log.e(LOG, "read");
for(int j = 0; j <= 40; j += 4){
byte[] resp = mifare.readPages(j);
logResponse(j, resp);


private void logResponse(int j, byte[] resp){
     for(int i = 0; i < resp.length; i += 4){
            Log.e(LOG, String.valueOf(j + i / 4) + " hex: " 
                    + String.format("%02x ", resp[i])
                    + String.format("%02x ", resp[i + 1]) 
                    + String.format("%02x ", resp[i + 2]) 
                    + String.format("%02x", resp[i + 3]));
      }
}

I'm getting values from page 0 and 1 instead of 42 and 43.
Next thing is that when I send message 0x1A00 in order to authenticate, I'm getting transceive failed.
Is there a way to check if it actually is Mifare Ultralight C or some other tag? Or am I wrong that value 0x80 in page 43 only restricts write access?

Solution

  • The content that you read from the tag does look as if it could be a MIFARE Ultralight C tag (particularly that you were able to read pages 42 and 43).

    • The roll-over that you see after setting AUTH0 to 42 (0x2A) is expected behavior. I.e. when you protect the tag memory starting at page X, the READ command will roll-over after page X - 1.

    • Setting AUTH1 to 0x80 will not do what you expected. Only the lowest bit in AUTH1 is relevant, so you would typically set AUTH1 to either 0x00 (restrict read and write) or 0x01 (restrict only write).

    • I'm not quite sure why the authentication command fails though.

      byte[] cmd = { (byte)0x1A, (byte)0x00 };
byte[] result = mifare.transceive(cmd);

      Typically, if this command returns anything other that 0xAF (or throws an exception), that is a clear indication that a tag is not MIFARE Ultralight C.