I have got two type of Mifare Classic tags. One have UID of 4 byte and other one have 7 byte.
I am trying to read the block of both. I am successful in reading the block of the tag having 4 byte UID but failed to authenticate in case of 7 byte UID. The reader I am using is a ACR122U and reading using ACR122U Tool.
Assuming you are using an older version of the ACR122U, you would use the PN532 data exchange command to send an authentication command:
FF 00 0000 0F D440 <TAG_ID> <AUTH_TYPE> <BLOCK> <KEY> <UID>
<TAG_ID> is the index of the tag on the reader (typically 0x01). <AUTH_TYPE> is 0x60 if you want to authenticate with key A and 0x61 if you want to authenticate with key B. <BLOCK> is the block to authenticate for. <KEY> is the 6-byte key (e.g. FF FF FF FF FF FF for the default key). <UID> is the 4-byte UID (or the last 4 bytes of a 7-byte UID).
So if you want to authenticate using key A A0 A1 A2 A3 A4 A5 for block 0 on a tag with the UID 04 AA BB CC DD EE FF, you would use the following command:
FF 00 0000 0F D440 01 60 00 A0A1A2A3A4A5 CCDDEEFF
On newer versions of the reader, you would instead use the standardized mechanism for contactless memory cards defined by PC/SC:
Load authentication keys:
FF 82 0000 06 <KEY>
Authenticate:
FF 86 0000 05 0100 <BLOCK> <AUTH_TYPE> 00
Related
i've an big trouble with my NTAG215 tags.
I use this PDF below for reffer:
https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf
COMMANDS
I send these raw commands:
AUTH TAG ( with default password )
nfc.transceive('1B FF FF FF FF')
CHANGE DEFAULT PASSWORD
nfc.transceive('A2 85 AA BB CC DD')
SET PACK
nfc.transceive('A2 86 EE FF 00 00')
PROTECT ADDRESS 04 TO 81
nfc.transceive('A2 83 04 00 00 04')
ENABLE READ/WRITE PROTECTION
nfc.transceive('A2 84 10 00 00 00')
After send these commands, i read my NTAG215, and confirm results, but...i can read all memory blocks without PWD ( 1B command ).
I need protect these memory blocks from read without correct password.
Thanks for all help guys.
Everything looks fine except for the last command.
ENABLE READ/WRITE PROTECTION
nfc.transceive('A2 84 10 00 00 00')
In order to enable the protection the command must be as follows:
nfc.transceive('A2 84 80 00 00 00')
So once a "session" is authenticated it stays authenticated until the session ends.
So if you connect with no/default/existing password, you then have to remove the Tag from the RF field so that the session ends.
The next time the Tag enters RF fields it will need authenticating again with the new password.
I am using javax.smartcardio library to access my Felica card. I am able to get the ID of the felica card without any error. When I try to write a block to Felica card, I am getting the following status flag.
0xA5: Area or Service specified by the command cannot be accessed.
Here is the format of the command apdu I am using,
FF 00 00 00 D4 40 01 08 <8 bytes of ID> 01 < number of blocks 01> <16 bytes sof data>
The response I am getting is:
D5 41 00 <8 bytes of ID> 01 A5
The status flag2-A5 is the error specifying 'Area or Service specified by the command cannot be accessed.'
After discussing with the Felica manufacturing team, I found that the card was empty and that's the reason I can't write/read the block.
I am working on NFC enabled SIM, using ISO-7816-4. While I try to SELECT MF, DF or EF, response is always 6A 82( File not found). Following are the APDUs
00 A4 00 00 02 3F 00 -> To SELECT MF
00 A4 00 00 02 2F E2 -> To SELECT EF
00 A4 00 00 02 7F 20 -> To SELECT DF
Response is always the same, i.e., 6A 82. Am I missing something here? Kindly help.
Your P2 is incorrect. However, I'm not sure why the card is returning status 6A 82 (File not found) instead of 6A 86 (Incorrect parameters to P1 to P2).
To select by FID (File Identifier), you need to set the P2 as follow:
P2=04. In case of successful SELECT, you will get status 61XX. Send GET RESPONSE and you will have the FCP Template in the response data.
P2=0C. In case of successful SELECT, no data returned. Only status 9000.
For more details of P1 and P2, refer to ETSI 102.221 section 11.1.1. You can download the file from this ETSI link.
The problem was not with APDUs, but with the value of SAK. SAK value was set to 0x28.
Which means NFC enabled SIM supports both;
CPU level APDUs (the one I was trying to communicate to) and
Mifare 1k sector (the one I should have tried to communicate to in the first place).
However CPU level APDUs had more priority than Mifare sector because of which my NFC reader/writer was unable to communicate to Mifare 1k sector. Once the value of SAK was changed to 0x08, it disabled CPU level APDUs and my NFC reader/writer was able to communicate with the Mifare 1k sector. Hope this helps.
i have mifare classic 4k and ACR1281U reader. I can authenticate/read/load succesfully.I have search the sites how to read the NFC tags but I am missing some; here are my questions
how to read and convert the data from MIfare blocks to human readable form
how to change the default auth key.
EDIT
Ok I just found out something strange. I tried to authenticate the random sector trailor block with the
key A
FF FF FF FF FF FF
then i tried to read that trailor block i found this
00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF 90 00
what i am confused is acccording to documentation, in the sector trailer
the key A comes first then access bits and then key b then response status
now what i get is
keyb? | access bits | key A | response status
Note : i tried to authenticated with Key A which is FFFFFFFFFFFF and successfully authenticated.
could anyone explain this to me?
Thanks a lot.
To write a sector you need to authenticate on that sector with keyB. Then you can overwrite the key block as:
new Key A | access bits | Key B
I always get the failure result when using ACR122U tool to authenticate Mifare 1K NFC tag, but I can use Android phone to read/write this tag.
ACR122U Load Authentication Keys
< FF 82 00 00 06 FF FF FF FF FF FF
> 90 00
< Key Structure: 00 < Key Number: 00
< Key: FF FF FF FF FF FF
Load Authentication Keys Success
ACR122U Authentication
< FF 86 00 00 05 01 00 00 60 00
> 63 00
Operation failed
Your remark about an Android phone being able to read and write this tag suggests it is formatted to contain NDEF data. Instead of the factory default key 0xFFFFFFFFFFFF, you could try to use the MIFARE Application Directory key 0xA0A1A2A3A4A5 for the first sector (blocks 0-3) and the NFC Forum key 0xD3F7D3F7D3F7 for the following sectors. See NFC Type MIFARE Classic Tag Operation for more details.
Use "NFC TagInfo" application for android. You can read hex data with that app and find out your correct keys. In the end of every sectors there will be "keya, access, keyb" data. First 6 byte (12 hex character) is key a and last 6 byte (12 hex character again) is key b. Use new keys for reading and writing to card.
The authentication of a MF Classic 1k card can be failed with different reasons.
Wrong Key
a. Length : It should be 6 bytes (12 Hex chars).
b. Key Matching : The key will be the hex FFFFFFFFFFFF in transport mode (by default) and it can be changed by a card providing vendor. You have to get the exact key from the vendor.
Key Category : The access condition (6-9 bytes of Block 3 of all sectors) will explain which key you have to use to authenticate a corresponding sector for a particular memory operation .To know more details please refer
http://www.nxp.com/documents/data_sheet/MF1S50YYX.pdf
In Mifare Classic 1K tags There are 16 Sectors and each Sectors contains 4 Blocks and each block contains 16 bytes. Before Reading or writing from a page You must have to Authenticate The Sector using Key A or Key B. When Authentication is complete then you can read or write. Here is the Authentication Command Authenticate sector 0 using that key as key A (60):
FF 86 0000 05 01 0000 60 00
Or authenticate sector 0 using that key as key B(61):
FF 86 0000 05 01 0000 61 00
or using this command you can also authenticate sector 0
byte[] authenticationByte = new byte[10];
authenticationByte = new byte[] { (byte) 0xFF, (byte) 0x86, (byte) 0x00,
(byte) 0x00, (byte) 0x05, (byte) 0x00,(byte) 0x00, (byte) 0x04,
(byte) 0x60,(byte) 0x00 };
for more details you can follow this answer
I have written an utility for some ACR readers and the ACR 122U with Mifare classic cards is hitting some kind of bug. The identical code works for ACR 1222L.
However Mifare Classic cards are crap, so I suggest switching cards to work around the problem.