Re-writing UID and block 0 on Chinese (supposed to be writable) MIFARE 1K card in Python


Here is my issue: my RC522 module is connected to my Pi2 via SPI and I'm able to read all [64 blocks / 16 sectors] using both the MFRC522-python and pi-rc522 libraries. I'm also able to write and change all the blocks (63 blocks) except for Block 0 (including the UID) of a Chinese Mifare 1K card that I bought from eBay, which is supposed to be Block 0 / UID writable.

Question is: using the available Python libraries (mentioned above), is it possible to write Block 0 on a Chinese writable Mifare 1K card at all or not?

Note: when I received the card, the sector trailer access bits were in the transport configuration (FF 07 80 -> 001 for sector trailer and 000 for data blocks), which means that normally I would be able to change the data blocks (including Block 0) using KeyA or KeyB, but I couldn't. I changed the access bits to (7F 0F 88 -> 000 for data blocks) and used KeyA/KeyB; it didn't work, and block 0 remained unchanged. I also tried (78 77 88 -> 000 for data blocks) with KeyA or KeyB, with the same result.

Again, setting proper access bits, I'm able to read/write all the other blocks except for block 0.

Thanks, A.


There are 2 answers

0
Madrenes Here On

I was trying the same, but in my case I'm using an Arduino with an RFID-RC522 writer/reader and this library. I solved it by modifying the UnbrickUid example. I opened the library folder, in my case "\Documents\Arduino\libraries\rfid-master\src\MFRC522Hack.cpp", and changed the buffer (line 190).

The default code is:

```cpp
byte block0_buffer[] = {0x01, 0x02, 0x03, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
```

Here you can change these hex numbers to the ones you need. Keep in mind that the first 4 bytes are the UID (01, 02, 03, 04) and the following one is the BCC (04). So if you change block 0, be careful to change the BCC accordingly.

After having modified this, run the "FixBrickedUID" example and it will change the entire block 0.
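The BCC rule in this answer and the access-bit triples quoted in the question can both be checked offline before anything is written to a card. The following is an added example, not code from either library or from the posters; it assumes a 4-byte-UID card, and the function names `bcc`, `check_block0` and `decode_access_bits` are hypothetical.

```python
# Added example: pre-write sanity checks for a MIFARE Classic 1K (4-byte UID).
from functools import reduce

def bcc(uid):
    """Block Check Character: XOR of the four UID bytes (ISO/IEC 14443-3)."""
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID")
    return reduce(lambda a, b: a ^ b, uid)

def check_block0(block):
    """Return a list of problems in a candidate block 0 (empty list = OK)."""
    if len(block) != 16:
        return ["block 0 must be exactly 16 bytes"]
    problems = []
    if block[4] != bcc(block[:4]):
        problems.append(f"BCC is {block[4]:02X}, expected {bcc(block[:4]):02X}")
    if block[0] == 0x88:
        problems.append("UID byte 0 is 0x88 (cascade tag), invalid for a 4-byte UID")
    return problems

def decode_access_bits(b6, b7, b8):
    """Decode sector-trailer bytes 6..8 into 'C1C2C3' strings for blocks 0..3.

    Each C nibble is stored twice, once inverted. A mismatch is a format
    violation, and a trailer written that way locks the sector.
    """
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inverted = (b6 & 0x0F, b6 >> 4, b7 & 0x0F)  # ~C1, ~C2, ~C3
    for plain, inv in zip((c1, c2, c3), inverted):
        if plain ^ inv != 0x0F:
            raise ValueError("access bits fail the inverted-copy check")
    # Bit n of each nibble belongs to block n of the sector (block 3 = trailer).
    return {blk: "".join(str((c >> blk) & 1) for c in (c1, c2, c3))
            for blk in range(4)}

if __name__ == "__main__":
    # Default buffer from the answer above: UID 01 02 03 04, BCC 04.
    default = bytes([0x01, 0x02, 0x03, 0x04, 0x04] + [0x00] * 11)
    print(check_block0(default))
    # Transport configuration quoted in the question.
    print(decode_access_bits(0xFF, 0x07, 0x80))
```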

0
Integrated Electronics On

There are 2 types of UID writable cards:

  1. Block 0 writable cards: you can write block 0 at any moment
  2. Backdoored cards

If writing block 0 does not work, you probably have a backdoored card. To enable the backdoor, you need to send the following sequence to the card (everything in hexadecimal):

  1. RC522 > Card: 50 00 57 cd (HLTA + CRC)
  2. RC522 > Card: 40 (7 bits only)
  3. Card > RC522: A (4 bits only)
  4. RC522 > Card: 43
  5. Card > RC522: A (4 bits only)

Then you can write to block 0 without authentication. If it still does not work, your card is probably not UID changeable.

To answer your question: There is no reason for Python libraries to refuse writing block 0. If your library can write any block except block 0, it's that your card refuses to write the block.

Does your card send back a NACK or nothing when trying to write block 0?