1
votes

I have a problem with a Mifare Standard 1k card. I made a value block (00000001FFFFFFFE0000000100FF00FF - valid?) on the data block with address 62. The value of the value block is supposed to be 1, and the address of the value block is 0.

I've changed the access bits for the data block 2 to be:

  • C1=1
  • C2=1
  • C3=0

The other 2 data blocks have factory access bits. Access bits for the sector trailer are also changed and are:

  • C1=0
  • C2=1
  • C3=1

So, access bits for the corresponding sector (16th sector) are 3B478C69 (valid?).

The problem is that I can't do any of the value-block-specific functions on that block (increment, decrement, etc.). I always get 6A81 as the response -> "Card is blocked or command not supported". The APDU I'm using is FFF5C13E0400000001.

1
Your access bits and your block data look okay. What reader are you using to access the card? Are you sure about the command you are sending to the MIFARE reader? – Michael Roland
I'm using an Omnikey 5021 CL reader. The command I'm sending is as follows (format: CLA INS P1 P2 Lc Data In): FF F5 Opcode(C0-decrement, C1-increment, C2-restore) SourceBlock 04 Operand. – Vanja Keglevic
An example of the command: FF F5 C1 56 04 00 00 00 01 – Vanja Keglevic
I'm not sure where you got that command from, but the OMNIKEY extensions to PC/SC for MIFARE cards (according to the OMNIKEY Contactless Smart Card Readers Developer Guide) use FF D4 P1 P2 04 XX XX XX XX for increment and FF D8 P1 P2 04 XX XX XX XX for decrement, where P1 is the MSB of the block address, P2 is the LSB of the block address and XX XX XX XX is the increment/decrement value (LSB first). – Michael Roland
Btw. browsing through my code samples revealed that an older version of that user manual uses a slightly different format for those commands: FF D4 P1 P2 01 XX for increment and FF D8 P1 P2 01 XX for decrement. – Michael Roland

1 Answer

5
votes

OMNIKEY readers have extensions to the PC/SC API for contactless memory cards. The commands defined by these extensions for increment and decrement of MIFARE Classic value blocks are:

Increment:

+------+------+------+------+------+-------------+
| CLA  | INS  | P1   | P2   | Lc   | DATA        |
+------+------+------+------+------+-------------+
| 0xFF | 0xD4 | BLOCK#      | 0x04 | XX 00 00 00 |
+------+------+------+------+------+-------------+

or (depending on the firmware version???) the same command with a 1-byte data field:

+------+------+------+------+------+----+
| 0xFF | 0xD4 | BLOCK#      | 0x01 | XX |
+------+------+------+------+------+----+

Decrement:

+------+------+------+------+------+-------------+
| CLA  | INS  | P1   | P2   | Lc   | DATA        |
+------+------+------+------+------+-------------+
| 0xFF | 0xD8 | BLOCK#      | 0x04 | XX 00 00 00 |
+------+------+------+------+------+-------------+

or (depending on the firmware version???) the same command with a 1-byte data field:

+------+------+------+------+------+----+
| 0xFF | 0xD8 | BLOCK#      | 0x01 | XX |
+------+------+------+------+------+----+

BLOCK#: P1 is the MSB of the block number (always zero) and P2 is the LSB of the block number.

XX: The increment/decrement value.

The commands are documented in the OMNIKEY Contactless Smart Card Readers Developer Guide.

It seems as if both commands implicitly issue a transfer command to commit the operation. A restore command is not documented for the PC/SC extensions; however, the restore command is available through the OMNIKEY synchronous API.
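Added example, not part of the original question or answer: a Python check for the two "valid?" items in the question, the sector-trailer access bytes and the 16-byte value block. The function names are hypothetical, and the layout assumed is the MIFARE Classic format: access bits stored with inverted copies in trailer bytes 6 to 8, and the value stored LSB first as a signed 32-bit integer with an inverted copy and a repeated address byte.

```python
import struct

def decode_access_bits(access: bytes) -> dict:
    """Return {block_index: (C1, C2, C3)} for blocks 0-3 of one sector.

    `access` is trailer bytes 6..9; byte 9 is a free user byte and is ignored.
    Raises ValueError when a nibble and its inverted copy disagree.
    """
    b6, b7, b8 = access[:3]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4            # plain nibbles
    n_c1, n_c2, n_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F    # inverted copies
    for plain, inverted in ((c1, n_c1), (c2, n_c2), (c3, n_c3)):
        if plain ^ inverted != 0x0F:
            raise ValueError("access bits fail the complement check")
    # Bit n of each nibble belongs to block n (block 3 is the trailer).
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1)
            for blk in range(4)}

def decode_value_block(block: bytes) -> tuple:
    """Return (value, addr), or raise ValueError if the redundancy is broken."""
    if len(block) != 16:
        raise ValueError("a block is 16 bytes")
    value, inverted, copy = struct.unpack("<iii", block[:12])  # LSB first
    addr, n_addr, addr2, n_addr2 = block[12:]
    if copy != value or inverted != ~value:
        raise ValueError("value, inverted value and copy disagree")
    if addr != addr2 or n_addr != n_addr2 or addr ^ n_addr != 0xFF:
        raise ValueError("address bytes disagree")
    return value, addr

if __name__ == "__main__":
    # Inputs copied from the question.
    for blk, bits in decode_access_bits(bytes.fromhex("3B478C69")).items():
        print("block", blk, "C1 C2 C3 =", bits)
    print(decode_value_block(
        bytes.fromhex("00000001FFFFFFFE0000000100FF00FF")))
```

Under this layout the question's access bytes decode to the access conditions the asker lists, and the block passes the redundancy checks but decodes to 16777216; a stored value of 1 would begin 01 00 00 00.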