Sector 09 - FOUND_KEY Sector 09 - FOUND_KEY Sector 08 - FOUND_KEY Sector 08 - FOUND_KEY Sector 07 - FOUND_KEY Sector 07 - FOUND_KEY Sector 06 - FOUND_KEY Sector 06 - FOUND_KEY Sector 05 - FOUND_KEY Sector 05 - FOUND_KEY Sector 04 - FOUND_KEY Sector 04 - FOUND_KEY Sector 03 - FOUND_KEY Sector 03 - FOUND_KEY Sector 02 - FOUND_KEY Sector 02 - FOUND_KEY Sector 01 - FOUND_KEY Sector 01 - FOUND_KEY Sector 00 - FOUND_KEY Sector 00 - FOUND_KEY ' no key found, '/ ' A key found, '\ ' B key found, 'x ' both keys found Try to authenticate to all sectors with default keys. Other possible matches based on ATQA & SAK values: * MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1 TODOįingerprinting based on MIFARE type Identification Procedure: I spent a lot of time finding this out, so please boot into a linux live cd for the following example or use a Raspberry Pi. Connecting a NFC device to a VM running linux will not work reliable because the drivers mess with this timing. Important notice: NFC and the used attack depend a lot on timing. Here is a basically memory layout of a Mifare Classic tag:
This section is only writeable on some special chinese tags. Sector 0 Block 0 also contains a non changeable UID (the tags unique ID) and some manufacturer data.
As an example you can define to use Key A for reading the block and Key B for writing to it. Each sector has two keys: Key A and Key B Each of the 16 sectors can define it’s own access right and wich key is needed for a particular action. Before reading a sector, the reader must authenticate to the tag with a secret access key. Each of these sectors has 3 blocks of data storage and 1 block for storing the secret access keys and access controls. There are also other types like the “Mifare Classic 4k” and the “Mifare Mini” each having a different memory size.Ī Mifare Classic 1k tag contains 16 sectors. 1k stands for the size of data the tag can store. The NFC tag I analyzed is a so called “Mifare Classic 1k” tag.
0 kommentar(er)
