Recover sector in Mifare Classic 1k with overwritten permission bits

Problem description

I have mistakenly overwritten sector 1 block 7 of one of my Mifare classic 1k tags. It was meant for testing and the 16 byte data that I wrote on block 7 is shown below:


0xaa 0xaa 0xaa 0xaa 
0xbb 0xbb 0xbb 0xbb
0xcc 0xcc 0xcc 0xcc  
0xdd 0xdd 0xdd 0xdd

If I am not mistaken, by doing so, my access keys and permission bits have become as follows:

  • Key-A: 0xaa 0xaa 0xaa 0xaa 0xbb 0xbb
  • Key-B: 0xcc 0xcc 0xdd 0xdd 0xdd 0xdd
  • Permission Bits: --> 0xbb 0xbb 0xcc

I have tried to use Key-A and Key-B as shown above to read/write block 7 in sector 1. But I am no longer able to access (no read or write) any block in sector 1 anymore.

I know the keys to all other sectors (e.g. sector 0 and sectors 2-15) and am able to access them.

Considering the situation, I would like to know if there is any way to reset sector 1 or block 7 to regain my access. Many thanks.

Update:

I have confirmed that both Key-A and Key-B as shown above are correct and I can authenticate to the card with both of them. Also, as per the Mifare Classic specification (screenshot), my access bits are as follows:


Byte 6 = 0xbb = 0b10111011
--------------------------
C2_3 C2_2 C2_1 C2_0 C1_3 C1_2 C1_1 C1_0
  1    1    0    1    1    1    0    1

Byte 7 = 0xbb = 0b10111011
--------------------------
C1_3 C1_2 C1_1 C1_0 C3_3 C3_2 C3_1 C3_0
  1    1    0    1    1    1    0    1

Now, considering the specification/screenshot, C1_3, C2_3 and C3_3 bits enable read/write access to sector-trailer. In my case, for block 7 (trailer for sector 7) they are all set to 1. Should I not have write access to this block then?

Recommended answer

The Mifare Classic specification you linked says:

Remark: With each memory access the internal logic verifies the format of the access conditions. If it detects a format violation the whole sector is irreversibly blocked.

Your access bytes do not verify the format. In the following table ~ means inverted:

Byte 6 
--------------------------
~C2_3 ~C2_2 ~C2_1 ~C2_0 ~C1_3 ~C1_2 ~C1_1 ~C1_0
  1     0     1     1     1     0     1     1

Byte 7 
--------------------------
 C1_3  C1_2  C1_1  C1_0 ~C3_3 ~C3_2 ~C3_1 ~C3_0
   1     0     1     1     1     0     1     1

Byte 8 
--------------------------
 C3_3  C3_2  C3_1  C3_0  C2_3  C2_2  C2_1  C2_0
   1     1     0     0     1     1     0     0

So, for instance, C2_3 = 1 and ~C2_3 = 1. They are not complementary. Format not verified, sector is irreversibly blocked.

In the same document there is a table (table 7) that shows that keyA can always be read. Maybe this is the reason you can authenticate.
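
A pre-write check for the format rule quoted in the answer, as an added example that is not part of the original question or answer. The function names are hypothetical, and the `FF 07 80 69` bytes in the second sample are the factory-default access bytes, not a value from this page.

```python
# Added example: validate MIFARE Classic access bytes before writing a trailer.
# Nibble layout (high | low), as in the answer's table:
#   byte 6 = ~C2 | ~C1    byte 7 = C1 | ~C3    byte 8 = C3 | C2

def decode_access_bytes(b6, b7, b8):
    """Return (bad, bits): bad lists the groups whose inverted copy does not
    match; bits[n] = (C1_n, C2_n, C3_n) for block n (n = 3 is the trailer)."""
    plain = {"C1": b7 >> 4, "C2": b8 & 0x0F, "C3": b8 >> 4}
    inverted = {"C1": b6 & 0x0F, "C2": b6 >> 4, "C3": b7 & 0x0F}
    # A group is well formed only if plain XOR inverted has all four bits set.
    bad = [g for g in plain if plain[g] ^ inverted[g] != 0x0F]
    bits = [tuple((plain[g] >> n) & 1 for g in ("C1", "C2", "C3"))
            for n in range(4)]
    return bad, bits

def encode_access_bytes(bits):
    """Build bytes 6-8 from bits[n] = (C1_n, C2_n, C3_n), n = 0..3."""
    c1, c2, c3 = (sum(b[i] << n for n, b in enumerate(bits)) for i in range(3))
    return bytes([((c2 ^ 0x0F) << 4) | (c1 ^ 0x0F),
                  (c1 << 4) | (c3 ^ 0x0F),
                  (c3 << 4) | c2])

def check_trailer(trailer):
    """Raise ValueError instead of letting a malformed trailer reach the card."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be exactly 16 bytes")
    bad, bits = decode_access_bytes(trailer[6], trailer[7], trailer[8])
    if bad:
        raise ValueError("format violation in " + ", ".join(bad))
    return bits

# The 16 bytes the question wrote to block 7.
PAGE_TRAILER = bytes.fromhex("aaaaaaaa bbbbbbbb cccccccc dddddddd")
# Constructed sample: all-FF keys around the factory-default access bytes.
DEFAULT_TRAILER = bytes.fromhex("ffffffffffff ff078069 ffffffffffff")

if __name__ == "__main__":
    for name, t in (("page", PAGE_TRAILER), ("default", DEFAULT_TRAILER)):
        try:
            print(name, "ok", check_trailer(t))
        except ValueError as e:
            print(name, "rejected:", e)
```

Calling `check_trailer` on every trailer block before the write command is issued rejects the question's 16 bytes on the host, before they can reach the tag.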
