
I'm using the SMARTCARD API from CardWerk.

How can I change the default key ((byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF) using an APDU?

The APDU consists of a CLASS, an INSTRUCTION, P1 and P2. I have been reading documentation but I'm unable to find which parameters I need to change the actual key to a new one.


1 Answer

The process for changing the keys of a MIFARE Classic card is like this:

  1. Authenticate to the sector for which you want to change the key.
  2. Read the sector trailer using a normal read operation (or generate a new sector trailer containing the access bytes you want). The sector trailer is the last block of the sector (i.e. for MF Classic 1K, block 3 of each sector).
  3. Fill the sector trailer with the new key(s). Note that you won't be able to read the current keys in step 2, so you have to fill in key A and key B (if it exists) even if you want them to stay the same as before!
  4. Write the sector trailer using normal write operation.
  5. Authenticate to another sector (if you want the change to take effect immediately).

The sector trailer is formatted like this:

xx xx xx xx xx xx zz zz zz gg yy yy yy yy yy yy

Where xx xx xx xx xx xx is key A, yy yy yy yy yy yy is key B and zz zz zz are the access bytes that enforce key-based access permissions. gg is a general-purpose byte with no specific meaning unless you use a MIFARE application directory or NXP's NDEF mapping for using MIFARE Classic as an NFC tag.

Be warned that setting the access bytes to an invalid value will render the card inaccessible!

An example sector trailer could look like this:

FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF

These access conditions mean that you can read with key A and read/write with key B.

As MIFARE Classic cards do not speak APDU, it's difficult to give you a ready-made APDU command for this. (MIFARE Classic cards are contactless memory cards and use their own proprietary contactless protocol and PC/SC-compliant smartcard readers usually only map these proprietary memory access commands to APDUs.)

However, if your reader supports PC/SC 2.01 commands for storage cards, commands could look like this:

  1. Load a key xxxxxxxxxxxx to key slot 0 (depending on your reader you might need to encode a different slot number in P2; remember to adapt the authenticate command in that case):

    FF 82 2000 06 xxxxxxxxxxxx
    
  2. Authenticate sector 0 using that key as key A:

    FF 86 0000 05 01 0000 60 00
    
  3. Or authenticate sector 0 using that key as key B:

    FF 86 0000 05 01 0000 61 00
    
  4. Write new sector trailer for sector 0 (in block 3):

    FF D6 0003 10 xxxxxxxxxxxx zzzzzz gg yyyyyyyyyyyy
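
As an added example (not code from the original answer), the following Python builds a sector trailer from per-block access conditions, checks that the access bytes are self-consistent before anything is written (an inconsistent trailer is what locks a sector for good), and assembles the PC/SC 2.01 storage-card APDUs listed above. The C1/C2/C3 bit layout is the one from the public MIFARE Classic datasheet; the function names and the key slot default are my own choices.

```python
# Added example, not part of the original post.
# Access bytes (bytes 6..8 of the trailer) hold C1/C2/C3 for blocks 0..3,
# each nibble stored once plain and once inverted so the card can detect damage.

def pack_access_bits(conds):
    """conds: four (c1, c2, c3) tuples, one per block 0..3 -> 3 access bytes."""
    c1 = sum(c[0] << i for i, c in enumerate(conds))
    c2 = sum(c[1] << i for i, c in enumerate(conds))
    c3 = sum(c[2] << i for i, c in enumerate(conds))
    inv = lambda n: (~n) & 0xF
    return bytes([(inv(c2) << 4) | inv(c1), (c1 << 4) | inv(c3), (c3 << 4) | c2])

def unpack_access_bits(acc):
    """Decode 3 access bytes into per-block (c1, c2, c3) tuples.
    Raises ValueError when the inverted nibbles disagree with the plain ones,
    i.e. when writing this trailer would make the sector inaccessible."""
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 >> 4) != (~c2 & 0xF) or (b6 & 0xF) != (~c1 & 0xF) or (b7 & 0xF) != (~c3 & 0xF):
        raise ValueError("inconsistent access bytes %s" % acc.hex())
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def build_sector_trailer(key_a, key_b, conds, gp_byte=0x00):
    """Assemble: key A (6) | access bytes (3) | general-purpose byte | key B (6)."""
    if len(key_a) != 6 or len(key_b) != 6:
        raise ValueError("MIFARE Classic keys are 6 bytes")
    unpack_access_bits(pack_access_bits(conds))  # self-check before use
    return bytes(key_a) + pack_access_bits(conds) + bytes([gp_byte]) + bytes(key_b)

# PC/SC 2.01 storage-card commands as shown in the answer (slot 0 assumed).
def apdu_load_key(key, slot=0):
    return bytes([0xFF, 0x82, 0x20, slot, 0x06]) + bytes(key)

def apdu_authenticate(block, key_type, slot=0):
    """key_type 0x60 = key A, 0x61 = key B; block is the absolute block number."""
    return bytes([0xFF, 0x86, 0x00, 0x00, 0x05, 0x01, 0x00, block, key_type, slot])

def apdu_update_binary(block, data):
    return bytes([0xFF, 0xD6, 0x00, block, len(data)]) + bytes(data)

# Constructed sample: the answer's trailer "read with A, read/write with B".
SAMPLE_CONDS = [(1, 0, 0)] * 3 + [(0, 1, 1)]
SAMPLE_TRAILER = build_sector_trailer(b"\xff" * 6, b"\xff" * 6, SAMPLE_CONDS)
```

Running `unpack_access_bits` on the bytes read back from a card (e.g. the `FF 07 80` transport configuration mentioned in the comments) decodes them the same way.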
    
Michael Roland
    Thanks a lot, this helped me to understand. I'm getting 'SW1='65' with SW2= '81': Memory failure (unsuccessful writing).' when I try to write the new keys. Is that a problem with my current authentication? I'm using default keys and they return me that it is successful. – GeorgeMR May 16 '14 at 20:17
  • @GeorgeMR What key do you use to authenticate and what sector trailer do you read? Or do you get the error already during authentication or reading? – Michael Roland May 16 '14 at 20:51
  • I'm using the default key 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF that comes in the new MIFARE cards. My authentication is successful but when I send the new key with the write command: {new Key A} { sector } 0x00 {new key B} I get the error. – GeorgeMR May 19 '14 at 17:48
  • I honestly don't know about the sector trailer commands. Maybe that's my problem? – GeorgeMR May 19 '14 at 17:49
  • I'm sending 78 77 88 00 – GeorgeMR May 19 '14 at 17:54
  • It seems that I was able to change the keys using the block 3 sector trailer of sector 0. The authentication passes with the new key but when I read I receive the code: 6400 '64XX' State of non-volatile memory unchanged (SW2='00', other values are RFU) – GeorgeMR May 19 '14 at 18:24
  • Am I missing something? – GeorgeMR May 19 '14 at 19:23
  • @GeorgeMR Difficult to say without knowing what you actually did (exact commands you sent to the reader, exact data you read/wrote, etc.). – Michael Roland May 19 '14 at 20:29
  • Thanks a lot. I checked an old card that already has the authentication key, and the access bits were these: FF 07 80 69. Can you tell me what that means, please? – GeorgeMR May 23 '14 at 19:01
  • That means read and write access is possible with key A only, key B is not used as access key. – Michael Roland May 23 '14 at 20:43
  • Now I understand. Your help was very important. Thanks a lot. – GeorgeMR May 26 '14 at 17:54
  • @GeorgeMR I hope you are going to accept the answer then. – Michael Roland May 26 '14 at 18:48