PCSC Operation APDU Interpreter Vendor instructions MIFARE CLASSIC VALUE
April 13, 2023 at 2:39 AMMIFARE CLASSIC VALUE instruction
The MIFARE CLASSIC VALUE instruction makes it possible to invoke the DECREMENT, INCREMENT,and RESTORE functions of a Mifare Classic PICC (e.g. Mifare 1K or Mifare 4K, or Mifare Plus in level1), followed by a TRANSFER function.
The DECREMENT, INCREMENT, RESTORE (and TRANSFER) functions can be performed only on the blocks that have been formatted as VALUE block in the sector trailer (access condition bits). Do not invoke this function on DATA blocks, and do not invoke this function if the currently activated PICCis not a Mifare Classic!
MIFARE CLASSIC VALUE opcode, operand, and transfer address. The P1 parameter in the MIFARE CLASSIC VALUE command APDU in the PICCs’ operation code (opcode), as defined in Mifare Classic specification.
Allowed values are:
-
C1for INCREMENT -
C0for DECREMENT -
C2for RESTORE
All three operations requires an operand. The operand is a 4-byte signed integer.
- INCREMENT operation: the operand must be > 0 (between
00000001and7FFFFFFF). Theoperand is added to the current value of the source block, and the result is kept by thePICC in a register - DECREMENT operation: the operand must be > 0 (between
00000001and7FFFFFFF). Theoperand is subtracted from the current value of the source block, and the result is kept bythe PICC in a register - RESTORE operation: the operand must be 0 (
00000000). The PICC copies the current valueof the source block into a register
After the INCREMENT, DECREMENT or RESTORE operation has been performed by the PICC, the firmware invokes the TRANSFER operation: the value of the register is written into a target block.
- If the destination block number is not the same as the source block number, the original value remains unchanged in the source block (this is a sort of “backup” feature)
- If the destination block number is the same as the source block number, or not destinationblock number is defined, then the source block is overwritten with the new value.
MIFARE CLASSIC VALUE using coupler’s keys
In this mode, the application doesn’t specify anything. The firmware tries every keys he knows (both permanent keys in E2PROM and temporary keys previously loaded in volatile memory) until one succeeds.
Because the coupler must try all the keys, this method can take up to 1000ms. The ordering of the keys in coupler’s memory is very important to speed-up the process: the upper the right key is inthe coupler’s memory, the sooner the authentication will succeed.For DECREMENT and RESTORE operations, the coupler tries all “type A” keys first, and onlyafterwards all the “type B” keys.For INCREMENT operation, the coupler tries all “type B” keys first, and only afterwards all the“type A“ keys
The destination block can optionally be specified at the end of the command APDU. If not, thesource block is overwritten by the TRANSFER operation.
Command format, using coupler’s key, without backup
| Field | Value | Remark |
|---|---|---|
| CLA | FF |
|
| INS | F5 |
|
| P1 | Opcode | |
| P2 | Source block | |
| Lc | 04 |
|
| DataIn | Operand | 4 Bytes – MSB first |
| Le | absent |
Command format, using coupler’s key, with backup
| Field | Value | Remark |
|---|---|---|
| CLA | FF |
|
| INS | F5 |
|
| P1 | Opcode | |
| P2 | Source block | |
| Lc | 05 |
|
| DataIn | Operand | 4 Bytes – MSB first |
| Dest. block | 1 Byte | |
| Le | absent |
Refer to the UPDATE BINARY instruction for response and status wor
MIFARE CLASSIC VALUE selecting a key in the coupler
In this mode, the application chooses one the key previously loaded in the firmware through the LOADKEY instruction. The destination block can optionally be specified at the end of the command APDU. If not, thesource block is overwritten by the TRANSFER operation.
Command format, selecting a key, without backup
| Field | Value | Remark |
|---|---|---|
| CLA | FF |
|
| INS | F5 |
|
| P1 | Opcode | |
| P2 | Source block | |
| Lc | 06 |
|
| DataIn | Operand | 4 Bytes – MSB first |
| Key location or Type | 1 Byte | |
| Key index | 1 Byte | |
| Le | absent |
Command format, selecting a key, with backup
| Field | Value | Remark |
|---|---|---|
| CLA | FF |
|
| INS | F5 |
|
| P1 | Opcode | |
| P2 | Source block | |
| Lc | 06 |
|
| DataIn | Operand | 4 Bytes – MSB first |
| Key location or Type | 1 Byte | |
| Key index | 1 Byte | |
| Dest. block | 1 Byte | |
| Le | absent | |
The understanding and values for bytes Key location or Key type and Key index are documented in GENERAL AUTHENTICATE instruction’ page. Refer to the UPDATE BINARY instruction for response and status words.
MIFARE CLASSIC VALUE with specified key
In this mode, the application provides the key to the firmware.
For DECREMENT and RESTORE operations, the coupler tries the key as a “type A” first, and onlyafterwards as a “type B”.For INCREMENT operation, the coupler tries the key as a “type B” first, and only afterwards as a“type A“.
The destination block can optionally be specified at the end of the command APDU. If not, the source block is overwritten by the TRANSFER operation.
Command format, key specified, without backup
| Field | Value | Remark |
|---|---|---|
| CLA | FF |
|
| INS | F5 |
|
| P1 | Opcode | |
| P2 | Source block | |
| Lc | 0A |
|
| DataIn | Operand | 4 Bytes – MSB first |
| Key Value | 6 Bytes | |
| Le | absent |
Command format, key specified, with backup
| Field | Value | Remark |
|---|---|---|
| CLA | FF |
|
| INS | F5 |
|
| P1 | Opcode | |
| P2 | Source block | |
| Lc | 0B |
|
| DataIn | Operand | 4 Bytes – MSB first |
| Key Value | 6 Bytes | |
| Dest. block | 1 Byte | |
| Le | absent |
Refer to the UPDATE BINARY instruction for response and status words.