Using Mifare Classic EV1 with SpringCard PC/SC readers

NXP has recently started shipping a new generation of Mifare Classic chips, called Mifare Classic EV1 (part numbers MF1S50yyX/V1 for Mifare Classic EV1 1K and MF1S70yyX/V1 for Mifare Classic EV1 4K).

The chips are 100% compliant with earlier Mifare Classic 1K and 4K, with 2 subtle differences:

  • the kind of protocol-level ID to be used must be configured once and for all during the pre-personalisation step. Possible choices are 7-byte UID, 4-byte fixed but non-unique ID, and 4-byte random ID,
  • the load modulation level can be set to ‘high’ or ‘low’.

In this short article we’ll show how to configure both the kind of ID and the load modulation.

Personalize UID usage

This command can only be issued once. The chosen configuration is then locked forever. If you have ordered Mifare Classic EV1 with a specific configuration, the command has already been issued at the factory and will always fail afterwards.

The Mifare Classic EV1’s “personalize UID usage” command selects one of four different modes:

  1. UIDF0 (value 0x00): anti-collision and selection with the 7-B UID
  2. UIDF1 (value 0x40): anti-collision and selection with the 7-B UID plus a possible shortcut (select only the first 4 bytes and read block 0, bypassing the second step of the selection)
  3. UIDF2 (value 0x20): anti-collision and selection with a 4-B random ID
  4. UIDF3 (value 0x60): anti-collision and selection with a 4-B non-unique ID (calculated out of the 7-B UID)

The command code is 0x40 and must be sent in a CRYPTO1-ciphered stream, after a successful authentication on sector 0.

To do so, here’s the sequence of commands that must be sent to the reader in a SCardTransmit stream (you may for instance write a script for csScriptor). We assume that the card is in transport condition, i.e. that the key A of sector 0 (as well as all other sectors) is the transport key FF FF FF FF FF FF and gives full access to the sector.

# Load the transport key in the reader's volatile memory
FF 82 00 00 06 FF FF FF FF FF FF

# Get authenticated over sector 0 using the transport key as key A
FF 86 00 00 05 01 00 03 60 00

# Check that the authentication is OK by reading block 0
FF B0 00 00 10

# Send the 'personalize UID' command within an ENCAPSULATE APDU
# P1 = 0x01 -> ISO 14443-3
# P2 = 0x08 -> timeout = 125ms
# The last byte is the value to be set, here we choose 0x60 for UIDF3
FF FE 01 08 02 40 60

The reader returns 90 00 if the card acknowledges the command.

If you receive 6F 02 instead (CRC error), it is likely that the card has sent a NACK, meaning that the configuration has already been set and is therefore locked.

Set modulation strength

The Mifare Classic EV1’s “set modulation strength” command allows configuring the chip for either the strong modulation strength (default, value 0x01), or the weak modulation strength (value 0x00).

The command code is 0x43 and must be sent in a CRYPTO1-ciphered stream, after a successful authentication on sector 0.

To do so, here’s the sequence of commands that must be sent to the reader in a SCardTransmit stream (you may for instance write a script for csScriptor). We assume that the card is in transport condition, i.e. that the key A of sector 0 (as well as all other sectors) is the transport key FF FF FF FF FF FF and gives full access to the sector.

# Load the transport key in the reader's volatile memory
FF 82 00 00 06 FF FF FF FF FF FF

# Get authenticated over sector 0 using the transport key as key A
FF 86 00 00 05 01 00 03 60 00

# Check that the authentication is OK by reading block 0
FF B0 00 00 10

# Send the 'set modulation strength' command within an ENCAPSULATE APDU
# P1 = 0x01 -> ISO 14443-3
# P2 = 0x08 -> timeout = 125ms
# The last byte is the value to be set, here we choose 0x00 for weak strength
FF FE 01 08 02 43 00
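
The two sequences above ("personalize UID usage" and "set modulation strength") can be generated and checked from one helper. The following Python sketch is an added example, not SpringCard code: it refuses any command/value pair not listed in this article before the one-shot command is sent, and maps the reader's 6F 02 answer to a NACK. The names `build_script`, `run` and `FakeCard` are hypothetical, and `FakeCard` is a constructed stand-in for a reader and card so the code runs offline.

```python
# Added example, not SpringCard code; function and class names are hypothetical.
UID_MODES = {"UIDF0": 0x00, "UIDF1": 0x40, "UIDF2": 0x20, "UIDF3": 0x60}
MODULATION = {"weak": 0x00, "strong": 0x01}
CMD_PERSONALIZE_UID, CMD_SET_MODULATION = 0x40, 0x43
TRANSPORT_KEY = bytes([0xFF] * 6)
OK, CRC_ERROR = b"\x90\x00", b"\x6F\x02"

def build_script(command, value, key_a=TRANSPORT_KEY):
    """Return the four APDUs of the article's sequence, in order."""
    allowed = {CMD_PERSONALIZE_UID: UID_MODES, CMD_SET_MODULATION: MODULATION}
    if command not in allowed or value not in allowed[command].values():
        raise ValueError("command/value pair not listed in the article")
    if len(key_a) != 6:
        raise ValueError("a Mifare Classic key is 6 bytes")
    return [
        bytes([0xFF, 0x82, 0x00, 0x00, 0x06]) + key_a,         # load key
        bytes.fromhex("FF 86 00 00 05 01 00 03 60 00"),         # authenticate, key A
        bytes.fromhex("FF B0 00 00 10"),                        # read block 0
        bytes([0xFF, 0xFE, 0x01, 0x08, 0x02, command, value]),  # ENCAPSULATE
    ]

def run(script, transmit):
    """Send each APDU via transmit(bytes) -> bytes; stop at the first failure."""
    for step, apdu in enumerate(script):
        sw = transmit(apdu)[-2:]          # status word = last two bytes
        if sw == OK:
            continue
        if step == 3 and sw == CRC_ERROR:
            # For 'personalize UID' the article reads this as: already locked.
            return "nack"
        return "failed at step %d (SW %s)" % (step, sw.hex().upper())
    return "ok"

class FakeCard:
    """Constructed stand-in: accepts command 0x40 once, then answers 6F 02."""
    def __init__(self):
        self.locked = False

    def transmit(self, apdu):
        if apdu[1] == 0xB0:               # read block 0: 16 dummy bytes
            return bytes(16) + OK
        if apdu[1] == 0xFE and apdu[5] == CMD_PERSONALIZE_UID:
            if self.locked:
                return CRC_ERROR
            self.locked = True
        return OK
```

With a real reader, `transmit` would wrap the SCardTransmit call and return the response bytes followed by the status word.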