Hello NFC community,
MIFARE® Ultralight-based tickets offer an ideal solution for low-cost, high-volume applications such as public transport, loyalty cards and event ticketing. They serve as a perfect contactless replacement for magnetic stripe, barcode, or QR-code systems. The introduction of the contactless MIFARE Ultralight® ICs for limited-use applications can lead to reduced system installation and maintenance costs. As you may know, the MIFARE family includes the Ultralight C tag, a contactless IC supporting 3DES cryptography that is mostly used in limited-use applications such as smart ticketing. This tag complies with ISO 14443-3 Type A and is defined as a Type 2 tag. In this document I want to show you the procedure to change the default key to a custom key, and to protect certain areas of the tag so that authentication is needed to perform a read or write operation.
---------------------------------------------------------------------------------------------------
For this document I used :
---------------------------------------------------------------------------------------------------
Information
----------------------------------------------------------------------------------------------------
Command | Direction | Data message |
REQA = Request Command, Type A | > | 26 |
ATQA = Answer To Request, Type A | < | 4400 |
SEL + NVB = SEL (Select code for cascade level) 93, NVB (Number of Valid Bits) 20 | > | 9320 |
ANTICOLLISION START | < | 8804598356 |
| > | 93708804598356 |
SAK (Select Acknowledge) = indicates additional cascade level | < | x04 |
| > | 9520 |
| < | E1ED2580A9 |
| > | 9570E1ED2580A9 |
| < | x00 |
UID = 045983E1ED2580
**The following procedure is explained in section 7.5.5 of the datasheet**
Command | Direction | Data message |
Authenticate Part 1 (command 1A) | > | 1A00 |
| < | AFA1ED1D682E5101422CC7 |
Authenticate Part 2 (command AF) | > | AF2970D895F186D0302970D895F186D030188AAF4DAF68C5B9 |
| < | 006BD027CEC3E04EBC6919 |
[AUTHENTICATED]
Then, according to section 7.5.7 of the datasheet, the 3DES key is stored in pages 2C (page 44) to 2F (page 47).
We proceed to write our new key using the WRITE command (A2).
Command | Direction | Data message |
DATA = byte 07,06,05,04 | = | 11223344 |
WRITE to page 44 (2C) | > | A22C11223344 |
Positive acknowledge (ACK) | < | 0A |
DATA = byte 03,02,01,00 | = | 55667788 |
WRITE to page 45 (2D) | > | A22D55667788 |
Positive acknowledge (ACK) | < | 0A |
DATA = byte 0F,0E,0D,0C | = | 99112233 |
WRITE to page 46 (2E) | > | A22E99112233 |
Positive acknowledge (ACK) | < | 0A |
DATA = byte 0B,0A,09,08 | = | 44556677 |
WRITE to page 47 (2F) | > | A22F44556677 |
Positive acknowledge (ACK) | < | 0A |
[RESET FIELD]
[Authenticate with new key]
Command | Direction | Data message |
Authenticate Part 1 (command 1A) | > | 1A00 |
| < | AFFAE2EFF17FAAD69862E7 |
Authenticate Part 2 (command AF) | > | AFFD5794F2D4EA1B19FD5794F2D4EA1B196CF420CD4D9E8104 |
| < | 0030922228601939B8FA18 |
[AUTHENTICATED WITH NEW KEY]
We proceed to define from which page authentication is needed in order to read or write. To do this we use a WRITE command to AUTH0 (AUTH0 defines the page address from which the authentication is required. Valid address values for byte AUTH0 are from 03h to 30h).
AUTH0 is located at page 2A; please check table 5 of the datasheet.
**For this example we will define that from page 6 (06) onward authentication is needed to perform a read or write operation**
Command | Direction | Data message |
WRITE command (A2) to AUTH0 (2A) from page 6 (06) | > | A22A06000000 |
Positive acknowledge (ACK) | < | 0A |
Now the pages from page 06 onward require authentication in order to be read or written.
Hope you find this document useful to get a better understanding of the behavior of the Ultralight C and how its security features can help you in your applications.
Have a great day!
BR
Jonathan
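
The key-write and AUTH0 steps above, as an added example (not part of the original post and not NXP code): it maps a 16-byte 3DES key to the four WRITE frames using the byte order labelled in the post, and recovers the reader-side key from the page contents. It assumes byte 00h is the first byte of the key as the reader software uses it; the function names are hypothetical, and the Key1 = Key2 rejection is a safeguard added here.

```python
# Added example (not from the original post): Ultralight C key-page layout helper.
WRITE = 0xA2                          # WRITE command code used in the post
KEY_PAGES = (0x2C, 0x2D, 0x2E, 0x2F)  # pages 44..47 hold the 3DES key
AUTH0_PAGE = 0x2A                     # page holding the AUTH0 byte

def _strip_parity(half: bytes) -> bytes:
    # DES ignores the least significant bit of every key byte.
    return bytes(b & 0xFE for b in half)

def key_to_pages(key: bytes) -> dict:
    """Split a 16-byte key (bytes 00h..0Fh) into the four stored pages."""
    if len(key) != 16:
        raise ValueError("Ultralight C uses a 16-byte two-key 3DES key")
    k1, k2 = key[:8], key[8:]
    if _strip_parity(k1) == _strip_parity(k2):
        raise ValueError("Key1 == Key2 reduces two-key 3DES to single DES")
    stored = k1[::-1] + k2[::-1]      # 07..00 then 0F..08, as in the post
    return {p: stored[4 * i:4 * i + 4] for i, p in enumerate(KEY_PAGES)}

def pages_to_key(pages: dict) -> bytes:
    """Recover the key in byte order 00h..0Fh from the page contents."""
    stored = b"".join(pages[p] for p in KEY_PAGES)
    if len(stored) != 16:
        raise ValueError("each key page must hold exactly 4 bytes")
    return stored[:8][::-1] + stored[8:][::-1]

def write_cmd(page: int, data: bytes) -> str:
    """Hex string of a WRITE frame (without CRC), e.g. A22C11223344."""
    if len(data) != 4:
        raise ValueError("WRITE carries exactly one 4-byte page")
    return (bytes([WRITE, page]) + data).hex().upper()

def key_write_cmds(key: bytes) -> list:
    return [write_cmd(p, d) for p, d in key_to_pages(key).items()]

def auth0_cmd(first_protected_page: int) -> str:
    """WRITE to AUTH0; the post gives 03h..30h as the valid range."""
    if not 0x03 <= first_protected_page <= 0x30:
        raise ValueError("AUTH0 must be between 03h and 30h")
    return write_cmd(AUTH0_PAGE, bytes([first_protected_page, 0, 0, 0]))

if __name__ == "__main__":
    # Page contents written in the post, turned back into the reader-side key.
    post = {0x2C: bytes.fromhex("11223344"), 0x2D: bytes.fromhex("55667788"),
            0x2E: bytes.fromhex("99112233"), 0x2F: bytes.fromhex("44556677")}
    key = pages_to_key(post)
    print(key.hex().upper(), key_write_cmds(key), auth0_cmd(0x06))
```

Under the stated byte-order assumption, the pages written in the post correspond to the reader-side key 8877665544332211 7766554433221199, which is the value the reader software needs for the second authentication.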