NXP Mifare S50 Standard IC card-access bit (access bits) analysis

The Mifare S50 standard IC card has a 1 K-byte EEPROM, which is used primarily to store data and control information. The 1-byte EEPROM is divided into 16 zones, each divided into 4 segments, with 16 bytes in each of the 1 segments. The last segment of each zone is called "tail" (trailer), which includes two keys and the access conditions (programmable) for each segment in the zone.

Storage Organization (Memory Organization)

Storage access (Memory access)

Before any memory operation, the card needs to be selected and certified (Keya or keyb). Possible memory operations for addressable blocks of data depend on the key being used and the access conditions stored at the corresponding end of the zone.

Access bit (access bits) analysis

Assuming that the data for Block 3 of Sector 10 (Hex representation) is known, a total of 16 bytes, as follows:

xx/xx/xx FF 0B 0B 0B 0B 0B 0B

Based on the above access criteria (Access Conditions) chart, you know:

1) byte distribution

The first 6 bytes (byte 0-byte 5) are keys key A, which is 00 00 00 00 00 00

The middle 4 bytes (byte 6-byte 9) are access bits (access bits), which is FF 07 80 69

After 6 bytes (byte 10-byte 15) is key key B, i.e. 0B 0B 0B 0B 0B 0B

2) access control bit distribution

According to Byte 6 high 4 bits, C23 C22 C21 C20 0 0 0 0;

According to Byte 6 low 4 bits, C13 C12 C11 C10 0 0 0 0;

According to Byte 7 low 4 bits, the C33 C32 C31 C30 is 1 0 0 0.

The access bit means as follows:

The last digit of each access bit indicates the relevant block (Block 0-block 3), and the result is as follows:

C13 C23 C33 0 0 1,block 3,sector trailer

C12 C22 C32 0 0 0,block 2,data Block

C11 C21 C31 0 0 0,block 1,data Block

C10 C20 C30 0 0 0,block 0,data Block

Note: The byte ordinal starts from 0 in ascending order (from left to right), and the ordinal of the bit in the byte starts at 7 descending (from left to right).

Also, the access conditions (access conditions) of the end (sector trailer) and data block are inconsistent

1) zone end access conditions (access conditions for the sector trailer)

Note: The line marked in gray is the access condition where key B can be read, at which point the key B can hold the data.

For a given data, the access bit for the end of the zone is 0 0 1, and you can see that only key A can be used, the key Keya but not readable, the access control bits and keyb can be read and written.

2) Access conditions for data segments (access conditions for data blocks)

1 if key B can be read at the corresponding end of the zone, it cannot be used to confirm (all gray rows in the Access condition table in the end of the zone). Result: If RWD (read write device) is to confirm any segment with these (gray marked) access key B, the card rejects any memory access operations after confirmation .

The C1 C2 C3 for the data segment in the example is 0 0 0 for the transport configuration (transport configuration), at which point the key B cannot be used for authentication.

Resources:

1, MIFARE standard IC card MF1 IC S50 function manual

2, NXP MF1 IC S50 Function specification rev.5.2 January 2007

NXP Mifare S50 Standard IC card-access bit (access bits) analysis