I have mistakenly overwritten sector 1 block 7 of one of my Mifare classic 1k tags. It was meant for testing and the 16 byte data that I wrote on block 7 is shown below:
0xaa 0xaa 0xaa 0xaa 0xbb 0xbb 0xbb 0xbb 0xcc 0xcc 0xcc 0xcc 0xdd 0xdd 0xdd 0xdd
If not mistaken, by doing so, my access keys and permission bits have become as following:
- Key-A:
0xaa 0xaa 0xaa 0xaa 0xbb 0xbb - Key-B:
0xcc 0xcc 0xdd 0xdd 0xdd 0xdd - Permisssion Bits: -->
0xbb 0xbb 0xcc
I have tried to use Key-A and Key-B as shown above to read/write block 7 in sector 1. But I am no longer able to access (no read or write) any block in sector 1 anymore.
I know the keys to all other sectors (e.g. sector 0 and sectors 2-15) and able to access them.
Considering the situation, I would like to know if there is any way to reset sector 1 or block 7 to regain my access. Many thanks.
Update:
I have confirmed that both Key-A and Key-B as shown above are correct and I can authenticate to the card with both of them. Also, as per the Mifare Classic specification (screenshot), my access bits are as follows:
Byte 6 = 0xbb = 0b10111011 -------------------------- C2_3 C2_2 C2_1 C2_0 C1_3 C1_2 C1_1 C1_0 1 1 0 1 1 1 0 1 Byte 7 = 0xbb = 0b10111011 -------------------------- C1_3 C1_2 C1_1 C1_0 C3_3 C3_2 C3_1 C3_0 1 1 0 1 1 1 0 1
Now, considering the specification/screenshot, C1_3, C2_3 and C3_3 bits enable read/write access to sector-trailer. In my case, for block 7 (trailer for sector 7) they are all set to 1. Should I not have write access to this block then?
In the Mifare classic specification you linked says:
Remark: With each memory access the internal logic verifies the format of the access conditions. If it detects a format violation the whole sector is irreversibly blocked.
Your access bytes does not verify the format. In the folowing table ~ means inverted
Byte 6
--------------------------
~C2_3 ~C2_2 ~C2_1 ~C2_0 ~C1_3 ~C1_2 ~C1_1 ~C1_0
1 0 1 1 1 0 1 1
Byte 7
--------------------------
C1_3 C1_2 C1_1 C1_0 ~C3_3 ~C3_2 ~C3_1 ~C3_0
1 0 1 1 1 0 1 1
Byte 8
--------------------------
C3_3 C3_2 C3_1 C3_0 C2_3 C2_2 C2_1 C2_0
1 1 0 0 1 1 0 0
So, for instance, C2_3 = 1 and ~C2_3 = 1. They are not complementary. Format not verified, sector is irreversibily blocked.
In the same document there is a table (table 7) that shows that keyA can always be readed. Maybe this is the reason you can authenticate.
Once the Access Control bits are not configured correctly (for example, bits that are supposed to be each other's complement are not complementary, like in your case), the sector cannot be accessed anymore at all.
来源:https://stackoverflow.com/questions/14635394/recover-sector-in-mifare-classic-1k-with-overwritten-permission-bits