Detailed explanation of M1 card block control bits

Mifare 1S50/Mifare 1S70
Each sector has its own independent password and access control, which can be set according to actual needs. The access control is 4 bytes, 32 bits in total. The access conditions of each block in the sector (the data blocks and the control block) are determined by the password and the access control. In the access control, each block has three corresponding control bits, defined as follows:
Block 0: C10 C20 C30
Block 1: C11 C21 C31
Block 2: C12 C22 C32
Block 3: C13 C23 C33
The three control bits are stored in the access control bytes in both true and inverted form, and they determine the access authority of the block (for example, KEY A must be verified for a decrement operation, KEY B must be verified for an increment operation, etc.). The position of the three control bits in the access control bytes, taking block 0 as an example:
Note that the high and low byte order is different.
 
 
(1), take the common setting "08 77 8F 69" control condition as an example, first find out the access authority it has.
 
1. Take the value "08 77 8F 69". It is stored in bytes 6, 7, 8 and 9 of block 3 of each sector: byte 6 = 08, byte 7 = 77, byte 8 = 8F, byte 9 = 69 (default value, not counted).
 
2. Convert each byte to binary. For example, byte 6 = 08 corresponds to binary 00001000. The binary values of bytes 6, 7 and 8 are shown below:
Byte 6 = 0 0 0 0 1 0 0 0
Byte 7 = 0 1 1 1 0 1 1 1
Byte 8 = 1 0 0 0 1 1 1 1
3. Referring to the algorithm in Table 2 and Table 4, all bits of byte 6 are inverted, the lower four bits of byte 7 are inverted, and byte 8 is unchanged.
 
This gives:

| Byte number | Corresponding binary value | Location | High 4 bits | Location | Low 4 bits |
|---|---|---|---|---|---|
| Byte 6 | 0 0 0 0 1 0 0 0 | C2Y | 1 1 1 1 | C1Y | 0 1 1 1 |
| Byte 7 | 0 1 1 1 0 1 1 1 | C1Y | 0 1 1 1 | C3Y | 1 0 0 0 |
| Byte 8 | 1 0 0 0 1 1 1 1 | C3Y | 1 0 0 0 | C2Y | 1 1 1 1 |
| Owning block | | | block 3, block 2, block 1, block 0 | | block 3, block 2, block 1, block 0 |
4. The access/control binary values of the above 6, 7, and 8 bytes have been inverted. According to Table 2, the block bits of Table 4 are converted into control values of each block, as shown below:
Block 3 bits: Byte 7, Byte 6, Byte 8 = C13, C23, C33 = C1Y, C2Y, C3Y = 0 1 1
Block 2 bits: Byte 7, Byte 6, Byte 8 = C12, C22, C32 = C1Y, C2Y, C3Y = 1 1 0
Block 1 bits: Byte 7, Byte 6, Byte 8 = C11, C21, C31 = C1Y, C2Y, C3Y = 1 1 0
Block 0 bits: Byte 7, Byte 6, Byte 8 = C10, C20, C30 = C1Y, C2Y, C3Y = 1 1 0
Notice:
1. For each block, a control value is valid only when the value from the high 4 bits equals the value from the low 4 bits. When the high 4-bit value ≠ the low 4-bit value, the value is not valid!
2. The order of the high and low bits is different. The high bits are C2, C1, C3 from top to bottom. The low bits are C1, C3, C2.
 
 
 
 
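| Byte | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0 |
|---|---|---|---|---|---|---|---|---|
| 6 | c23_b | c22_b | c21_b | c20_b | c13_b | c12_b | c11_b | c10_b |
| 7 | c13 | c12 | c11 | c10 | c33_b | c32_b | c31_b | c30_b |
| 8 | c33 | c32 | c31 | c30 | c23 | c22 | c21 | c20 |
| 9 | | | | | | | | |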
 
 
 
5. Check the access authority (data block access control according to Table 3, block 3 access control according to Table 5). The access authority of this example, "08 77 8F 69", is:
 
◆ Block 3 = 011: KeyA and KeyB are not readable. After KeyB is verified, KeyA and KeyB can be rewritten; after KeyA or KeyB is verified, the "control bits" can be read. The importance of KeyB can be seen here: if KeyB is incorrect, the control value of block 3 cannot be seen, and the keys cannot be modified.
 
◆ Block 2 = Block 1 = Block 0 = 110: after KeyA or KeyB is verified, the block data can be read, reduced and initialized; the block data can only be rewritten after KeyB is verified. Here too, KeyB plays a key role in rewriting the data blocks.
 
(2), "08 77 8F 69" control condition setting steps:
 
It can be seen from (1) that KeyB is unreadable once it is set, and that it must be verified correctly when rewriting data and rewriting the control bits. After KeyB is set, the program operator must therefore keep the KeyB value safe; otherwise, when the data and control bits are rewritten later, an incorrect KeyB value will make every operation on the card impossible!!!
 
1. Modify the control bits of block 3: the initial KeyA and KeyB in block 3 of each sector are the manufacturer's default value of twelve "F"s (KeyA is unreadable under any conditions, and most reader programs display the unknown KeyA as twelve "0"s). When modifying the control value, do not change the default passwords KeyA and KeyB first; change the passwords only after the control bits have been modified successfully. That is, first modify the control bits of block 3 (the default value FF 07 80 69 is changed to the new value 08 77 8F 69) and execute the write operation. After the control bits are written successfully, KeyB is also unreadable and shown as twelve "0"s, but it is still the hidden default value of twelve "F"s.
 
2. Modify the KeyA and KeyB values of block 3: after the control bits 08 77 8F 69 have been written successfully, KeyB must be verified before the new KeyA and KeyB passwords can be written. In the password operation mode, enter the previous password B of the block to be rewritten (if the previous password is the default value, it does not need to be changed and loaded). After loading, return to the data operation mode, then read the value and rewrite the KeyA and KeyB values.
 
3. Modify the data in blocks 0 to 2: under the new control condition 08 77 8F 69, KeyB must be verified before data can be modified. So first set the password operation to KeyB authentication mode, load the key, and then return to the data operation mode, where the data block can be overwritten with the new value.
 
4. The example above analyzes the access conditions of "08 77 8F 69" and the rewriting steps; other control conditions can be worked out in the same way.
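
The decoding steps in (1) and a pre-write check for the procedure in (2), as an added example that is not part of the original article or of any reader SDK. The function names are illustrative, and the set of trailer codes that stay rewritable is an assumption taken from the standard MIFARE Classic block 3 access table, which this page does not reproduce.

```python
# Added example (not from the original page): decode, validate and rebuild
# MIFARE Classic access bytes 6-8. All function names are illustrative.

# Block 3 codes whose access bits can still be rewritten later. Assumption:
# taken from the standard MIFARE Classic trailer table, not from this page.
REWRITABLE_TRAILER = {"001", "011", "101"}

def _inv(nibble):
    """Invert a 4-bit value."""
    return ~nibble & 0x0F

def decode_access(raw):
    """Return {block: 'C1C2C3'} from bytes 6, 7, 8; ValueError if copies disagree."""
    b6, b7, b8 = raw[0], raw[1], raw[2]
    c2_inv, c1_inv = b6 >> 4, b6 & 0x0F   # byte 6: inverted C2 | inverted C1
    c1, c3_inv = b7 >> 4, b7 & 0x0F       # byte 7: C1 | inverted C3
    c3, c2 = b8 >> 4, b8 & 0x0F           # byte 8: C3 | C2
    for name, true, inv in (("C1", c1, c1_inv), ("C2", c2, c2_inv), ("C3", c3, c3_inv)):
        if true != _inv(inv):
            raise ValueError(f"{name} mismatch: {true:04b} vs inverted copy {inv:04b}")
    # Bit n of every nibble belongs to block n.
    return {n: f"{(c1 >> n) & 1}{(c2 >> n) & 1}{(c3 >> n) & 1}" for n in range(4)}

def encode_access(bits):
    """Build bytes 6, 7, 8 from {block: 'C1C2C3'}."""
    c1 = sum(int(bits[n][0]) << n for n in range(4))
    c2 = sum(int(bits[n][1]) << n for n in range(4))
    c3 = sum(int(bits[n][2]) << n for n in range(4))
    return bytes([_inv(c2) << 4 | _inv(c1), c1 << 4 | _inv(c3), c3 << 4 | c2])

def check_before_write(hex_string):
    """Validate an 'XX XX XX XX' value before it is written to block 3."""
    raw = bytes.fromhex(hex_string)
    if len(raw) != 4:
        raise ValueError("expected 4 bytes (bytes 6-9 of block 3)")
    bits = decode_access(raw)
    if encode_access(bits) != raw[:3]:
        raise ValueError("round trip failed")
    return {"blocks": bits, "reversible": bits[3] in REWRITABLE_TRAILER}

if __name__ == "__main__":
    # The four values quoted on this page, plus one constructed corrupt value.
    for value in ("FF 07 80 69", "08 77 8F 69", "07 8F 0F 69", "00 F0 FF 69", "08 77 8E 69"):
        try:
            print(value, check_before_write(value))
        except ValueError as err:
            print(value, "REJECTED:", err)
```

A value that is rejected, or that reports `reversible` as false, should not be written to a card that still needs its control bits changed later.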
 
Block 012 permission description:
 
 
Block 3 permission description:
Fudan Microelectronics document states as follows:
 
The more common control bits
FF 07 80 69
Defaults
Byte 6 FF= 1 1 1 1 1 1 1 1
Byte 7 07= 0 0 0 0 0 1 1 1
Byte 8 80= 1 0 0 0 0 0 0 0
 
| Byte number | Corresponding binary value | Location | High 4 bits | Location | Low 4 bits |
|---|---|---|---|---|---|
| Byte 6 | 1 1 1 1 1 1 1 1 | C2Y | 0 0 0 0 | C1Y | 0 0 0 0 |
| Byte 7 | 0 0 0 0 0 1 1 1 | C1Y | 0 0 0 0 | C3Y | 1 0 0 0 |
| Byte 8 | 1 0 0 0 0 0 0 0 | C3Y | 1 0 0 0 | C2Y | 0 0 0 0 |
| Owning block | | | block 3, block 2, block 1, block 0 | | block 3, block 2, block 1, block 0 |

Block 3 bits: Byte 7, Byte 6, Byte 8 = C13, C23, C33 = C1Y, C2Y, C3Y = 0 0 1
Block 2 bits: Byte 7, Byte 6, Byte 8 = C12, C22, C32 = C1Y, C2Y, C3Y = 0 0 0
Block 1 bits: Byte 7, Byte 6, Byte 8 = C11, C21, C31 = C1Y, C2Y, C3Y = 0 0 0
Block 0 bits: Byte 7, Byte 6, Byte 8 = C10, C20, C30 = C1Y, C2Y, C3Y = 0 0 0
Permission explanation: The permission of data blocks 0, 1 and 2 is 000, which means they can be read and written with either KeyA or KeyB. This is the highest authority.
 
Block 3 is 001, password A is not readable at any time, and can be written by AB.
Password B can be read and written through AB.
Control bytes can be read and written via AB.
 
-------------------------------------------------------------------------------------------------------------
08 77 8F 69 [suitable for practical use, relatively good authority control]
Byte 6 = 0 0 0 0 1 0 0 0
Byte 7 = 0 1 1 1 0 1 1 1
Byte 8 = 1 0 0 0 1 1 1 1
 
| Byte number | Corresponding binary value | Location | High 4 bits | Location | Low 4 bits |
|---|---|---|---|---|---|
| Byte 6 | 0 0 0 0 1 0 0 0 | C2Y | 1 1 1 1 | C1Y | 0 1 1 1 |
| Byte 7 | 0 1 1 1 0 1 1 1 | C1Y | 0 1 1 1 | C3Y | 1 0 0 0 |
| Byte 8 | 1 0 0 0 1 1 1 1 | C3Y | 1 0 0 0 | C2Y | 1 1 1 1 |
| Owning block | | | block 3, block 2, block 1, block 0 | | block 3, block 2, block 1, block 0 |

Block 3 bits: Byte 7, Byte 6, Byte 8 = C13, C23, C33 = C1Y, C2Y, C3Y = 0 1 1
Block 2 bits: Byte 7, Byte 6, Byte 8 = C12, C22, C32 = C1Y, C2Y, C3Y = 1 1 0
Block 1 bits: Byte 7, Byte 6, Byte 8 = C11, C21, C31 = C1Y, C2Y, C3Y = 1 1 0
Block 0 bits: Byte 7, Byte 6, Byte 8 = C10, C20, C30 = C1Y, C2Y, C3Y = 1 1 0
Permission explanation: The permission of data blocks 0, 1 and 2 is 110: the data can be read with password A or B, and only password B can write. Password B can be used to increase or decrease. For example, in actual business password A can be used for consumption and password B for recharging.
Block 3 is 011: password A and password B cannot be read at any time, and only password B can be used to write them. The control bytes are readable with A or B, and writable only with B.
 
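07 8F 0F 69 [frozen: permanently readable, never writable]

00 F0 FF 69 [suicide: permanently unreadable and unwritable] There are many other suicide modes; writing a control word that is not recognized also makes the card unusable. Beginners often do this in practice, so the control word must be handled carefully.

Operations on data blocks
Read: read one block;
Write: write one block;
Increment: add to the value in a value block;
Decrement: subtract from the value in a value block;
Restore: load the contents of a block into the data register;
Transfer: write the contents of the data register into a block;
Halt: put the card into the halted state;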
