
How to access a MIFARE Classic card that uses the MIFARE Application Directory structure?


How can I authenticate to and read data from a MIFARE Classic card that is formatted with the MIFARE Application Directory structure? I'm using Android.


Solution

  • See NXP's application note on the MIFARE Application Directory. Typically, in order to read data from a MIFARE Classic card that makes use of the MAD, you would do something like the following:

    1. Authenticate to sector 0 (MAD sector) using key A A0 A1 A2 A3 A4 A5 (the public MAD read key).
    2. Read block 3.
    3. Based on the general purpose byte (byte 9 read from block 3), you can determine
      • if the card uses the MAD (bit 7 = 1),
      • if the card supports multiple applications (bit 6 = 1), and
      • the MAD version (bits 1-0).
    4. Read blocks 1 and 2. These blocks have the following format (where AIDx is the application ID assigned to sector number x):

              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
         Byte |  0 |  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8 |  9 | 10 | 11 | 12 | 13 | 14 | 15 |
              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
      Block 1 |CRC |INFO|  AID01  |  AID02  |  AID03  |  AID04  |  AID05  |  AID06  |  AID07  |
              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
      Block 2 |  AID08  |  AID09  |  AID10  |  AID11  |  AID12  |  AID13  |  AID14  |  AID15  |
              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
      
    5. Verify the CRC (block 1, byte 0).

    6. Browse through the AID list (as generated from the data of blocks 1 and 2) to find your application AIDs (and consequently to find the sectors that contain your application data).
    7. If MAD version 2 is used, authenticate to sector 16 and read blocks 0 (64), 1 (65), and 2 (66) in order to get the extended AID list. The format of these blocks is:

              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
         Byte |  0 |  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8 |  9 | 10 | 11 | 12 | 13 | 14 | 15 |
              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
      Block 0 |CRC |INFO|  AID17  |  AID18  |  AID19  |  AID20  |  AID21  |  AID22  |  AID23  |
              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
      Block 1 |  AID24  |  AID25  |  AID26  |  AID27  |  AID28  |  AID29  |  AID30  |  AID31  |
              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
      Block 2 |  AID32  |  AID33  |  AID34  |  AID35  |  AID36  |  AID37  |  AID38  |  AID39  |
              +----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
      
    8. Authenticate to the sectors of your application (as discovered through the AID list) and read/write the data of your application.
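
Steps 1 to 6 for a MAD version 1 card on Android, as an added example that is not part of the original answer. The class and method names are hypothetical, and the CRC-8 parameters (polynomial 0x1D, preset 0xC7, computed over bytes 1-15 of block 1 followed by all of block 2) are assumed from NXP's application note since the answer does not state them.

```java
import android.nfc.Tag;
import android.nfc.tech.MifareClassic;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class): MAD version 1 lookup, sector 0 only. */
public final class MadReader {

    /** CRC-8 over block 1 bytes 1..15 then block 2 (assumed: poly 0x1D, preset 0xC7). */
    static int madCrc(byte[] block1, byte[] block2) {
        int crc = 0xC7;
        for (int i = 1; i < 32; i++) {
            crc ^= (i < 16 ? block1[i] : block2[i - 16]) & 0xFF;
            for (int bit = 0; bit < 8; bit++) {
                boolean msb = (crc & 0x80) != 0;
                crc = (crc << 1) & 0xFF;
                if (msb) crc ^= 0x1D;
            }
        }
        return crc;
    }

    /** Sectors 1..15 whose AID entry equals the two given bytes, in on-card byte order. */
    static List<Integer> sectorsForAid(byte[] block1, byte[] block2, byte aid0, byte aid1) {
        List<Integer> sectors = new ArrayList<>();
        for (int sector = 1; sector <= 15; sector++) {
            byte[] block = sector < 8 ? block1 : block2;
            int off = (sector % 8) * 2; // AID01 at block 1 offset 2, AID08 at block 2 offset 0
            if (block[off] == aid0 && block[off + 1] == aid1) sectors.add(sector);
        }
        return sectors;
    }

    /** Steps 1-6: authenticate, check the GPB, verify the CRC, then search the AID list. */
    public static List<Integer> findSectors(Tag tag, byte aid0, byte aid1) throws IOException {
        MifareClassic mfc = MifareClassic.get(tag);
        if (mfc == null) throw new IOException("not a MIFARE Classic tag");
        try {
            mfc.connect();
            if (!mfc.authenticateSectorWithKeyA(0, MifareClassic.KEY_MIFARE_APPLICATION_DIRECTORY))
                throw new IOException("MAD key A rejected for sector 0");
            int gpb = mfc.readBlock(3)[9] & 0xFF;          // general purpose byte
            if ((gpb & 0x80) == 0) throw new IOException("GPB bit 7 clear: no MAD");
            byte[] b1 = mfc.readBlock(1), b2 = mfc.readBlock(2);
            if (madCrc(b1, b2) != (b1[0] & 0xFF)) throw new IOException("MAD CRC mismatch");
            return sectorsForAid(b1, b2, aid0, aid1);
        } finally {
            mfc.close();
        }
    }
}
```

The returned sector numbers are only a directory lookup: reading or writing application data (step 8) still needs that application's own sector keys, and a CRC mismatch means the AID list should not be trusted.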