Question

I'm using the SMARTCARD API from CardWerk.

How can I change the default key ((byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF) using an APDU?

The APDU consists of a CLASS, an INSTRUCTION, P1, P2. I have been reading documentation but I'm unable to find what parameters I need to change the actual key to a new one.

Solution

The process for changing the keys of a MIFARE Classic card is like this:

  1. Authenticate to the sector for which you want to change the key.
  2. Read the sector trailer using normal read operation (or generate a new sector trailer containing the access bytes you want). The sector trailer is the last block of the sector (i.e. for MF Classic 1K, block 3 of each sector).
  3. Fill the sector trailer with the new key(s). Note that you won't be able to read the current keys in step 2, so you have to fill in key A and key B (if it exists) even if you want them to stay the same as before!
  4. Write the sector trailer using normal write operation.
  5. Authenticate to another sector (if you want the change to take effect immediately).

The sector trailer is formatted like this:

xx xx xx xx xx xx zz zz zz gg yy yy yy yy yy yy

Where xx xx xx xx xx xx is key A, yy yy yy yy yy yy is key B and zz zz zz are the access bytes that enforce key-based access permissions. gg is a general-purpose byte with no specific meaning unless you use a MIFARE application directory or NXP's NDEF mapping for using MIFARE Classic as an NFC tag.

Be warned that setting the access bytes to an invalid value will render the card inaccessible!

An example sector trailer could look like this:

FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF

These access conditions mean that you can read with key A and read/write with key B.

As MIFARE Classic cards do not speak APDU, it's difficult to give you a ready-made APDU command for this. (MIFARE Classic cards are contactless memory cards and use their own proprietary contactless protocol and PC/SC-compliant smartcard readers usually only map these proprietary memory access commands to APDUs.)

However, if your reader supports PC/SC 2.01 commands for storage cards, commands could look like this:

  1. Load a key xxxxxxxxxxxx to key slot 0 (depending on your reader you might need to encode a different slot number in P2; remember to adapt the authenticate command in that case):

    FF 82 2000 06 xxxxxxxxxxxx
    
  2. Authenticate sector 0 using that key as key A:

    FF 86 0000 05 01 0000 60 00
    
  3. Or authenticate sector 0 using that key as key B:

    FF 86 0000 05 01 0000 61 00
    
  4. Write new sector trailer for sector 0 (in block 3):

    FF D6 0003 10 xxxxxxxxxxxx zzzzzz gg yyyyyyyyyyyy
    
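As an added example (not part of the original answer or of CardWerk's API), the following Python builds the sector trailer described above, checks the three access bytes for the internal consistency the card requires before anything is written, and assembles the PC/SC 2.01 APDUs from steps 1 to 4 for one sector. Assumed: a MIFARE Classic 1K layout (4 blocks per sector), key slot 0, and helper names of my own; the access-byte nibble layout (each condition nibble stored alongside its bitwise inverse) is the standard MIFARE Classic encoding, not something stated in the answer.

```python
# Added example: build/validate a MIFARE Classic sector trailer and the
# PC/SC 2.01 storage-card APDUs for changing its keys. Assumes a 1K card
# (4 blocks per sector) and key slot 0; helper names are my own.
from typing import List

KEY_LEN = 6

def access_bits_consistent(access: bytes) -> bool:
    """Access bytes carry C1..C3 (one nibble each) and their bitwise inverses:
    b6 = ~C2|~C1, b7 = C1|~C3, b8 = C3|C2 (high|low nibble). A trailer whose
    copies disagree locks the sector, so check it before writing."""
    if len(access) != 3:
        return False
    b6, b7, b8 = access
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return ((b6 >> 4) == (~c2 & 0x0F)
            and (b6 & 0x0F) == (~c1 & 0x0F)
            and (b7 & 0x0F) == (~c3 & 0x0F))

def build_sector_trailer(key_a: bytes, access: bytes, gpb: int, key_b: bytes) -> bytes:
    """Lay out xx*6 zz*3 gg yy*6; both keys must be given (they cannot be read back)."""
    if len(key_a) != KEY_LEN or len(key_b) != KEY_LEN:
        raise ValueError("keys must be 6 bytes")
    if not access_bits_consistent(access):
        raise ValueError("inconsistent access bytes would lock the sector")
    return key_a + access + bytes([gpb & 0xFF]) + key_b

def apdu_load_key(key: bytes, slot: int = 0) -> bytes:
    """FF 82 20 <slot> 06 <key>: load a key into the reader's volatile key slot."""
    return bytes([0xFF, 0x82, 0x20, slot, KEY_LEN]) + key

def apdu_authenticate(block: int, key_type: int, slot: int = 0) -> bytes:
    """FF 86 00 00 05 01 <block:2> <0x60 key A | 0x61 key B> <slot>."""
    return bytes([0xFF, 0x86, 0x00, 0x00, 0x05, 0x01,
                  block >> 8, block & 0xFF, key_type, slot])

def apdu_update_binary(block: int, data: bytes) -> bytes:
    """FF D6 <block:2> 10 <data>: write one 16-byte block."""
    if len(data) != 16:
        raise ValueError("a block is 16 bytes")
    return bytes([0xFF, 0xD6, block >> 8, block & 0xFF, len(data)]) + data

def change_key_apdus(sector: int, current_key: bytes, new_trailer: bytes,
                     use_key_b: bool = False, slot: int = 0) -> List[bytes]:
    """Steps 1-4 of the answer as the APDU sequence for one sector."""
    trailer_block = sector * 4 + 3           # 1K card: trailer is the 4th block
    return [apdu_load_key(current_key, slot),
            apdu_authenticate(trailer_block, 0x61 if use_key_b else 0x60, slot),
            apdu_update_binary(trailer_block, new_trailer)]

if __name__ == "__main__":
    default_key = bytes([0xFF] * 6)          # constructed: the factory default key
    trailer = build_sector_trailer(default_key, bytes.fromhex("787788"), 0x00, default_key)
    for apdu in change_key_apdus(0, default_key, trailer):
        print(apdu.hex(" ").upper())
```

Step 5 (authenticating to another sector so the change takes effect) is a further `apdu_authenticate` call with that sector's key and is left out here.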
Licensed under: CC-BY-SA with attribution