Search code examples
javanfcrfidmifarecontactless-smartcard

Locking mechanism of Mifare Classic 1K

The procedure of Mifare Classic 1K is

  1. Polling for tags
  2. Authenticate those tags
  3. If authentication succeded then read/write.

I already completed those procedures and also read and write data from specific sectors.

Command for Polling for tags is

new byte[] { (byte) 0xFF, (byte) 0x00, (byte) 0x00,
                (byte) 0x00, (byte) 0x04, (byte) 0xD4, (byte) 0x4A,
                (byte) 0x01, (byte) 0x00 }

Authentication command is 

new byte[] { (byte) 0xFF, (byte) 0x86, (byte) 0x00,
                (byte) 0x00, (byte) 0x05, (byte) 0x01,(byte) 0x00, (byte) 0x04, 
                                    (byte) 0x60,(byte) 0x00 };

Here "(byte) 0x01" is the Sector 1

And Write on Sector 1, block 5 is 

new byte[] { (byte) 0xFF, (byte) 0x00, (byte) 0x00,(byte) 0x00, (byte) 0x15, (byte) 0xD4,
             (byte)    0x40,(byte) 0x01, (byte) 0xA0, (byte) 0x05,(byte) 0x01, (byte) 0x02, 
             (byte) 0x03,(byte) 0x04, (byte) 0x05, (byte) 0x06, (byte) 0x07,(byte) 0x08, 
             (byte) 0x09,(byte) 0x0A,(byte) 0x0B, (byte) 0x0C, (byte) 0x0D,(byte) 0x0E, 
             (byte) 0x0F, (byte) 0x10};

Here

(byte) 0x01, (byte) 0x02, (byte) 0x03,(byte) 0x04, (byte) 0x05, (byte) 0x06, (byte) 0x07,(byte) 0x08,(byte) 0x09,(byte) 0x0A,(byte) 0x0B, (byte) 0x0C, (byte) 0x0D,(byte) 0x0E,(byte) 0x0F,(byte) 0x10

is data those are writing on block 5 on Sector 1.

Read From Sector 1 and Block 5 Command is

new byte[] { (byte) 0xFF, (byte) 0x00, (byte) 0x00,
                (byte) 0x00, (byte) 0x05, (byte) 0xD4, (byte) 0x40,
                (byte) 0x01, (byte) 0x30, (byte) 0x05 };

My Related Complete Code is here...

My Problem is how can I "Lock/make read only" a block from a specific sector?

Solution

  • The authentication keys and the access conditions for each sector of a MIFARE card are located in the last block of that sector (the sector trailer). You can update this block with new access conditions and authentication keys using a regular write command.

    The sector trailer looks like this:

    +-----------------------------+--------------+----+-----------------------------+
|  0 |  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8 |  9 | 10 | 11 | 12 | 13 | 14 | 15 |
+-----------------------------+--------------+----+-----------------------------+
|            Key A            | Access Bits  | GP |            Key B            |
|          (6 bytes)          |  (3 bytes)   | B  |          (6 bytes)          |
+-----------------------------+--------------+----+-----------------------------+

    So the access bits are located in byte 6-8 and look like this:

            +-------+-------+-------+-------+-------+-------+-------+-------+
        | Bit 0 | Bit 1 | Bit 2 | Bit 3 | Bit 4 | Bit 5 | Bit 6 | Bit 7 |
        +-------+-------+-------+-------+-------+-------+-------+-------+
Byte 6: | nC2_3 | nC2_2 | nC2_1 | nC2_0 | nC1_3 | nC1_2 | nC1_1 | nC1_0 |
        +-------+-------+-------+-------+-------+-------+-------+-------+
Byte 7: |  C1_3 |  C1_2 |  C1_1 |  C1_0 | nC3_3 | nC3_2 | nC3_1 | nC3_0 |
        +-------+-------+-------+-------+-------+-------+-------+-------+
Byte 8: |  C3_3 |  C3_2 |  C3_1 |  C3_0 |  C2_3 |  C2_2 |  C2_1 |  C2_0 |
        +-------+-------+-------+-------+-------+-------+-------+-------+

    Where nCx_y = not Cx_y and "C1_x, C2_x, C3_x" is the access condition for block x:

    • C1_3, C2_3, C3_3: sector trailer (block 3 in this sector)
    • C1_2, C2_2, C3_2: block 2 in this sector
    • C1_1, C2_1, C3_1: block 1 in this sector
    • C1_0, C2_0, C3_0: block 0 in this sector

    You can find a detailed list of possible access conditions in the MIFARE 1K datasheet: https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf