1

I have a problem with a Mifare Standard 1k card. I made a value block (00000001FFFFFFFE0000000100FF00FF - valid?) on the data block with address 62. The value of the value block is supposed to be 1, and the address of the value block is 0.

I've changed the access bits for the data block 2 to be:

  • C1=1
  • C2=1
  • C3=0

The other 2 data blocks have factory access bits. Access bits for the sector trailer are also changed and are:

  • C1=0
  • C2=1
  • C3=1

So, access bits for the corresponding sector (16th sector) are 3B478C69 (valid?).

The problem is that I can't do any of the value block specific functions on that block (increment, decrement, etc), I always get 6A81 as response -> "Card is blocked or command not supported". The APDU I'm using is FFF5C13E0400000001.

  • Your access bits and your block data look okay. What reader are you using to access the card? Are you sure about the command you are sending to the MIFARE reader? – Michael Roland Oct 16 '13 at 15:25
  • I'm using an Omnikey 5021 CL reader. The command I'm sending is as follows (format: CLA INS P1 P2 Lc Data In): FF F5 Opcode(C0-decrement, C1-increment, C2-restore) SourceBlock 04 Operand. – Vanja Keglevic Oct 17 '13 at 06:53
  • An example of the command: FF F5 C1 56 04 00 00 00 01 – Vanja Keglevic Oct 17 '13 at 07:04
  • 1
    I'm not sure where you got that command from, but the OMNIKEY extensions to PC/SC for MIFARE cards (according to the OMNIKEY Contactless Smart Card Readers Developer Guide) use FF D4 P1 P2 04 XX XX XX XX for increment and FF D8 P1 P2 04 XX XX XX XX for decrement, where P1 is the MSB of the block address, P2 is the LSB of the block address and XX XX XX XX is the increment/decrement value (LSB first). – Michael Roland Oct 17 '13 at 09:48
  • Btw. browsing through my code samples revealed that an older version of that user manual uses a slightly different format for those commands: FF D4 P1 P2 01 XX for increment and FF D8 P1 P2 01 XX for decrement. – Michael Roland Oct 17 '13 at 09:59
  • Thanks! I have that document (OMNIKEY Contactless Smart Card Readers Developer Guide) and I don't know how I didn't see the chapters for increment and decrement. But now, I don't know where to find the APDU definition of the other two functions, transfer and restore? – Vanja Keglevic Oct 17 '13 at 10:23
  • As far as I know the restore command is not supported using the PC/SC interface. However, if you need access to the restore command you can use the Omnikey synchronous API. The transfer command seems to be implicitly included in the increment/decrement commands. – Michael Roland Oct 17 '13 at 11:16
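
The access bytes quoted in the question can be checked mechanically. This is an added example, not code from the question or from the OMNIKEY guide: it decodes trailer bytes 6 to 8, verifies each nibble against its inverted copy, and looks up which key may run the value operations. The permission table is taken from the NXP MF1S50 datasheet, and the function names are hypothetical.

```python
# Added example: decode and verify MIFARE Classic access bytes (trailer bytes 6..8).

# (C1, C2, C3) -> key needed for (read, write, increment, decrement/transfer/restore)
DATA_BLOCK_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),            # value block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),    # value block, decrement only
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

def decode_access_bytes(ac: bytes):
    """Return [(C1, C2, C3)] for blocks 0..3 of a sector, or raise ValueError."""
    if len(ac) < 3:
        raise ValueError("need trailer bytes 6, 7 and 8")
    b6, b7, b8 = ac[0], ac[1], ac[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4                 # plain nibbles
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F   # stored inverted
    for name, plain, inv in (("C1", c1, inv_c1), ("C2", c2, inv_c2), ("C3", c3, inv_c3)):
        if plain ^ inv != 0x0F:
            raise ValueError(f"{name} nibble does not match its inverted copy")
    # Bit n of each nibble belongs to block n of the sector (block 3 is the trailer).
    return [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]

def value_op_keys(ac: bytes, block_in_sector: int):
    """Keys that may increment / decrement the given data block (0..2)."""
    rights = DATA_BLOCK_RIGHTS[decode_access_bytes(ac)[block_in_sector]]
    return {"increment": rights[2], "decrement": rights[3]}

if __name__ == "__main__":
    ac = bytes.fromhex("3B478C69")            # access bytes quoted in the question
    for n, bits in enumerate(decode_access_bytes(ac)):
        print(f"block {n}: C1 C2 C3 = {bits}")
    print(value_op_keys(ac, 2))               # block 62 is block 2 of sector 15
```
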

1 Answer

5

OMNIKEY readers have extensions to the PC/SC API for contactless memory cards. The commands defined by these extensions for increment and decrement of MIFARE Classic value blocks are:

Increment:

+------+------+------+------+------+-------------+
| CLA  | INS  | P1   | P2   | Lc   | DATA        |
+------+------+------+------+------+-------------+
| 0xFF | 0xD4 | BLOCK#      | 0x04 | XX 00 00 00 |
+------+------+------+------+------+-------------+

or (depending on the firmware version???) the same command with a 1-byte data field:

+------+------+------+------+------+----+
| 0xFF | 0xD4 | BLOCK#      | 0x01 | XX |
+------+------+------+------+------+----+

Decrement:

+------+------+------+------+------+-------------+
| CLA  | INS  | P1   | P2   | Lc   | DATA        |
+------+------+------+------+------+-------------+
| 0xFF | 0xD8 | BLOCK#      | 0x04 | XX 00 00 00 |
+------+------+------+------+------+-------------+

or (depending on the firmware version???) the same command with a 1-byte data field:

+------+------+------+------+------+----+
| 0xFF | 0xD8 | BLOCK#      | 0x01 | XX |
+------+------+------+------+------+----+

BLOCK#: P1 is the MSB of the block number (always zero) and P2 is the LSB of the block number.

XX: The increment/decrement value.

The commands are documented in OMNIKEY Contactless Smart Card Readers Developer Guide.

It seems as if both commands implicitly issue a transfer command to commit the operation. A restore command is not documented for the PC/SC extensions, however, the restore command is available through the OMNIKEY synchronous API.

Michael Roland
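
The two command layouts in the tables above, as an added example (not code from the answer or from the OMNIKEY guide). It builds both the 4-byte and the 1-byte form and parses a command back into its fields, rejecting any INS that is not in the tables. The function names are hypothetical, and the operand is encoded least significant byte first as the tables show.

```python
INS = {"increment": 0xD4, "decrement": 0xD8}     # INS values from the tables above

def build_value_apdu(op: str, block: int, amount: int, one_byte_form: bool = False) -> bytes:
    """CLA=FF, INS, P1/P2=block number, Lc, operand (least significant byte first)."""
    if op not in INS:
        raise ValueError("only increment and decrement are documented")
    if not 0 <= block <= 0xFF:
        raise ValueError("block number must fit in P2 (P1 stays zero)")
    width = 1 if one_byte_form else 4
    if not 0 <= amount < 1 << (8 * width):
        raise ValueError(f"operand does not fit in {width} byte(s)")
    data = amount.to_bytes(width, "little")
    return bytes([0xFF, INS[op], block >> 8, block & 0xFF, len(data)]) + data

def parse_value_apdu(apdu: bytes):
    """Return (op, block, amount) or raise ValueError for anything else."""
    if len(apdu) < 6 or apdu[0] != 0xFF:
        raise ValueError("not a reader pseudo-APDU with a data field")
    ops = {ins: name for name, ins in INS.items()}
    if apdu[1] not in ops:
        raise ValueError(f"INS {apdu[1]:02X} is not in the increment/decrement tables")
    lc, data = apdu[4], apdu[5:]
    if lc not in (1, 4) or len(data) != lc:
        raise ValueError("Lc must be 01 or 04 and match the data length")
    return ops[apdu[1]], (apdu[2] << 8) | apdu[3], int.from_bytes(data, "little")

if __name__ == "__main__":
    # Block 62 and operand 1 are the values used in the question.
    print(build_value_apdu("increment", 62, 1).hex(" ").upper())
    print(build_value_apdu("decrement", 62, 1, one_byte_form=True).hex(" ").upper())
```
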
  • So, when using the increment and decrement functions on a value block, is there some danger of corruption of the value block? Can it occur? For example, I remove the card during the transaction and I break the transaction. If so, and the value block is corrupted, how can I get my data back from the value block? Also, what is the use of the address in the value block? – Vanja Keglevic Oct 30 '13 at 12:21
  • 1
    Our experience, so far, is that (at least using an OMNIKEY reader, but I assume with other readers too) tearing transactions **can** lead to corrupted data even when using the increment/decrement commands. – Michael Roland Oct 30 '13 at 15:12
  • And what can you do when you have corrupted data on your card? Is there a smarter way to securely write on the card? – Vanja Keglevic Oct 31 '13 at 07:41
  • 1
    Well, not much. One scheme we tried (and that worked quite okay) was to use two value blocks to store the same data and an additional block to store block status flags. Then, write those flags before and after every update of the value blocks. If tearing occurred, you can determine which value block is still valid based on the formatting/contents of the value blocks and the flags block. – Michael Roland Oct 31 '13 at 08:44
  • Because this discussion is out of scope from the question I asked at the beginning, I started a new question: http://stackoverflow.com/questions/19709289/mifare-classic-1k-smart-way-of-a-backup – Vanja Keglevic Oct 31 '13 at 17:58
  • Can anybody explain to me why the value block is formatted in such a way? Why do we have 2 times the 4-byte value, one time inverted 4-byte value, and 2 1-byte addresses and 2 inverted 1-byte addresses? Is the value block formatted in that way so that the card can restore corrupted data? Or, if a corruption occurs, can I somehow restore the value from the value block knowing what the format of value block is, and applying some mathematical operations on the corrupted data? – Vanja Keglevic Nov 06 '13 at 09:40
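
The value-block layout discussed in the comments above (value, inverted value, value, then address and inverted address twice) gives a format check that detects a damaged block, which is what the two-copy scheme relies on. The following is an added example, not code from any of the commenters: it encodes and validates the layout and reports which of several copies still pass. It assumes the value is a signed 32-bit integer stored least significant byte first, as in the NXP MF1S50 datasheet; the flags block is not modelled because the page does not give its layout, and the function names are hypothetical.

```python
import struct

def encode_value_block(value: int, addr: int) -> bytes:
    """Build the 16-byte layout: value, ~value, value, addr, ~addr, addr, ~addr."""
    v = struct.pack("<i", value)                 # signed, least significant byte first
    a = addr & 0xFF
    return v + bytes(b ^ 0xFF for b in v) + v + bytes([a, a ^ 0xFF, a, a ^ 0xFF])

def parse_value_block(block: bytes):
    """Return (value, addr) or raise ValueError if any redundant copy disagrees."""
    if len(block) != 16:
        raise ValueError("a block is 16 bytes")
    v1, inv, v2 = block[0:4], block[4:8], block[8:12]
    a1, na1, a2, na2 = block[12:16]
    if v1 != v2 or inv != bytes(b ^ 0xFF for b in v1):
        raise ValueError("value copies disagree")
    if a1 != a2 or na1 != na2 or a1 ^ na1 != 0xFF:
        raise ValueError("address copies disagree")
    return struct.unpack("<i", v1)[0], a1

def surviving_values(*copies: bytes):
    """Values of the copies that still pass the format check, in input order."""
    good = []
    for raw in copies:
        try:
            good.append(parse_value_block(raw)[0])
        except ValueError:
            pass                                 # torn or otherwise malformed copy
    return good

if __name__ == "__main__":
    old = encode_value_block(41, 0)
    # Constructed sample: a copy whose update was cut off after 6 bytes.
    torn = encode_value_block(42, 0)[:6] + old[6:]
    print(surviving_values(old, torn))           # only the intact copy is reported
    quoted = bytes.fromhex("00000001FFFFFFFE0000000100FF00FF")  # block from the question
    print(parse_value_block(quoted))             # passes the check; value read LSB first
```

The check only detects damage; the redundant fields carry no extra information from which a damaged value could be recomputed, so recovery depends on a second intact copy.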