How to protect data block in the MIFARE Classic 1K

How to protect data block in the MIFARE Classic 1K or 4K?

Introduction

In this tutorial we will show how to protect a data block in the MIFARE Classic 1K tag using the Pepper C1 RFID reader and the C1 Client.

The MIFARE Classic tags (MF1S50yyX/V1) have a mechanism for protecting data against read/write operations using Authentication Keys: A (mandatory) or B (optional).
The 1024 × 8 bit EEPROM memory is organized in 16 sectors of 4 blocks. One block contains 16 bytes.


Each sector has the sector trailer (block no 3) containing:

  • secret keys: A (mandatory) and B (optional), which return logical “0”s when read and
  • the access conditions for the blocks of that sector, which are stored in bytes 6…9. The access bits also specify the type (data or value) of the data blocks.

If key B is not needed, the last 6 bytes of the sector trailer can be used as data bytes.
The access bits for the sector trailer have to be configured accordingly.
Byte 9 of the sector trailer is available for user data. For this byte the same access rights as for bytes 6, 7 and 8 apply.
When the sector trailer is read, the key bytes are blanked out by returning logical zeros.
If key B is configured to be readable, the data stored in bytes 10 to 15 is returned.
All keys are set to FFFF FFFF FFFFh at chip delivery and the bytes 6, 7 and 8 are set to FF0780h.


In our example we will use Key A to protect Block 28 in Sector 7. Block 28 is the first block in Sector 7.

Step 1 – connect with the C1 reader and check the Key Storage

The Pepper C1 reader has an option to store several keys in non-volatile memory to make it easier to work with MIFARE tags. To check the keys stored in this memory, open the Web Interface or the RFID configuration window in the C1 Client.

By default, Key 0 equals 0x FF FF FF FF FF FF FF FF FF FF FF FF, which is the concatenation of the default values of Key A and Key B.

Step 2 – writing block with default key A

Let’s now take a random MIFARE Classic 1K tag and try to write some data to Block 28 using the default key value.
The first command to execute is “[02] Get tag count”.

This command searches for tags within the antenna range. Once one or more tags are detected, the first tag found is activated and the reader automatically performs the Get UID command.
In our example, there is only one tag on the antenna with UID = D440F72A.

The next command is “MF Classic – Write Block”. We will write 1 block starting from Block no. 28 (Sector 7). We will use Key A with a value stored in the Key Storage at position 0 (Key number 0). Data to be written: 0xAABBCCDDEEFF00112233445566778899 (16 bytes).


Now, let’s read this block:


A screenshot from the NFC TagInfo by NXP app showing the memory content of this tag:


Step 3 – change the default key A

In this step we will change the default key A in Sector Trailer 0. Let’s set this key to: 0xAAAAAABBBBBB. To do this, we need to write Block no. 31 (the Sector Trailer for sector no. 7), which contains Key A, Key B and the Access Bits. We don’t want to change the Access Bits or Key B, so we will write the following 16 bytes:

0xAAAAAABBBBBB FF078069 FFFFFFFFFFFF.

The first 6 bytes are the new key A, the next 4 bytes are the Access Bits, and the last 6 bytes are key B.
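Before sending a sector trailer to the tag, it is worth checking it offline. The following added example (not part of the original tutorial or the C1 Client) assembles the trailer from Step 3 and verifies that each access bit in bytes 6 to 8 matches its inverted copy. The bit layout is taken from the NXP MF1S50yyX/V1 datasheet and is not shown on this page; the function names are hypothetical.

```python
"""Added example: validate a MIFARE Classic sector trailer before writing it."""


def decode_access_bits(b6: int, b7: int, b8: int) -> dict:
    """Return {block index in sector: (C1, C2, C3)}; raise if the copies disagree."""
    # Datasheet layout: byte 7 high nibble = C1, byte 8 low = C2, byte 8 high = C3.
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each nibble is also stored inverted: byte 6 low = ~C1, byte 6 high = ~C2,
    # byte 7 low = ~C3.
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    for value, inverted in ((c1, n1), (c2, n2), (c3, n3)):
        if value ^ inverted != 0x0F:
            raise ValueError("access bits and their inverted copies disagree")
    # Bit i of each nibble belongs to block i of the sector (block 3 = trailer).
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}


def build_trailer(key_a: bytes, access: bytes, key_b: bytes) -> bytes:
    """Assemble the 16-byte trailer: Key A | bytes 6..9 | Key B."""
    if len(key_a) != 6 or len(key_b) != 6 or len(access) != 4:
        raise ValueError("expected 6-byte keys and 4 bytes for positions 6..9")
    decode_access_bits(*access[:3])  # refuse to build an inconsistent trailer
    return key_a + access + key_b


# Values taken from Step 3 of the tutorial.
TRAILER = build_trailer(bytes.fromhex("AAAAAABBBBBB"),
                        bytes.fromhex("FF078069"),
                        bytes.fromhex("FFFFFFFFFFFF"))
BITS = decode_access_bits(*TRAILER[6:9])

if __name__ == "__main__":
    print(TRAILER.hex().upper())
    for block, bits in BITS.items():
        label = "sector trailer" if block == 3 else f"data block {block}"
        print(f"{label}: C1 C2 C3 = {bits}")
```

This check matters because the tag verifies the same format on every memory access, and according to the NXP datasheet a sector whose access bits violate it is irreversibly blocked.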


Now, the whole sector 7 is protected with a new key A = 0xAAAABBBB.
Let’s check if we can still read sector 7 using the phone app and default key A value:


Sector 7 is protected now against reading.

To read it, you need to know the new value of Key A. Let’s now add this new key A to the reader configuration. It can be done in the RFID configuration tab either in the C1 Client or in the Web Interface:


Key 1 set to: 0xAAAAAABBBBBBFFFFFFFFFFFF.

Now, let’s read block 28 protected by the new key A. To do this, we have to execute the Get tag count command first and then the “MF Classic – Read Block” command with the proper parameters (Key number = 1).
