
Pass Through for MIFARE Classic/MINI/Plus SL1

Command 0x1101 – Pass Through Command for MIFARE Classic/MINI®/Plus SL1 (Security Level 1), Type 2

After a MIFARE Tag is activated, the host uses this command to send commands to the MIFARE tag and receive its responses.

For MIFARE Plus EV1/EV2/SE/X at SL1 (Security Level 1), the tag is discovered as MIFARE Classic and can use the same functionality as the MIFARE Classic 1K/4K commands in Table 96 – MIFARE Classic/MINI® Commands. An additional, optional AES authentication is available at this level without affecting the MIFARE Classic 1K/4K functionality. With this additional functionality, the authenticity of the card can be proven using strong cryptographic means. In addition to the backwards compatibility mode, a MIFARE Plus card can be switched to higher security levels.

After MIFARE Plus is authenticated with the AES Security Level 1 Key, the Device does not automatically detect an error when the MIFARE Tag has been removed, so tag removal does not end the pass-through session. To end the pass-through session, the Host application can send the last command or the CANCEL command (0xFF), or receive an error response from the MIFARE Tag.

Table - Request Data for Command 0x1101 - Pass Through Command for MIFARE Classic/MINI®/Plus SL1 (Security Level 1)

| Tag | Len | Value / Description | Typ | Req | Default |
| --- | --- | --- | --- | --- | --- |
| | | Beginning of any wrappers, at minimum including Request Message | | | |
| | | 1101 = Command 0x1101 – Pass Through Command for MIFARE Classic/MINI®/Plus SL1 (Security Level 1), Type 2 | | | |
| 81 | var | Command to Send. See Table 96 – MIFARE Classic/MINI® Commands. See Table 97 – MIFARE Plus EV1/EV2/SE/X SL1 (Security Level 1) Commands. | B | R | |
| 82 | 01 | 00 – No Encrypt<br>01 – Encrypt | | | |
| 83 | 01 | 00 – Expect More Commands<br>01 – FF (Last Command). If last command, Device will provide a single beep after receiving a successful response from tag, otherwise, device will provide a double beep. | B | R | |
| | | End of any wrappers, at minimum including Request Message | | | |

Table 96 – MIFARE Classic/MINI® Commands

| Command | Length | Field Value |
| --- | --- | --- |
| MIFARE Read | | Byte 0 – 0x30 – Read Command<br>Byte 1 – Sector Number to Read<br>Byte 2 – Start Block Number<br>Byte 3 – End Block Number<br>Byte 4 – Key Type, 0 = A, 1 = B<br>Byte 5 to 10 = 6 Byte Key |
| MIFARE Write | | Byte 0 – 0xA0 – Write Command<br>Byte 1 – Sector Number to Write<br>Byte 2 – Start Block Number<br>Byte 3 – End Block Number<br>Byte 4 – Key Type 0 = A, 1 = B<br>Byte 5 to 10 = 6 Byte Key<br>Byte 11 to x = Variable length Byte Data (16 bytes per block) |
| MIFARE Increment | | Byte 0 – 0xC1 – Increment Command<br>Byte 1 – Source Sector Number<br>Byte 2 – Source Block Number<br>Byte 3 – Key Type 0 = A, 1 = B<br>Byte 4 to 9 = 6 Byte Key<br>Byte 10 to 13 = 4 Byte Operand |
| MIFARE Decrement | | Byte 0 – 0xC0 – Decrement Command<br>Byte 1 – Source Sector Number<br>Byte 2 – Source Block Number<br>Byte 3 – Key Type 0 = A, 1 = B<br>Byte 4 to 9 = 6 Byte Key<br>Byte 10 to 13 = 4 Byte Operand |
| MIFARE Restore | | Byte 0 – 0xC2 – Restore Command<br>Byte 1 – Source Sector Number<br>Byte 2 – Source Block Number<br>Byte 3 – Key Type 0 = A, 1 = B<br>Byte 4 to 9 = 6 Byte Key |
| MIFARE Transfer | | Byte 0 – 0xB0 – Write the value from the Transfer Buffer into destination block number<br>Byte 1 – Destination Sector Number<br>Byte 2 – Destination Block Number<br>Byte 3 – Key Type 0 = A, 1 = B<br>Byte 4 to 9 = 6 Byte Key |
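The request data objects (81, 82, 83) and the MIFARE Classic/MINI® byte layouts above, combined in one host-side builder that rejects malformed commands before they reach the device. This is an added example, not code from the original page or the device vendor; the function names are hypothetical, and it assumes each data object is encoded as tag byte, one length byte, value, with the message wrappers left out.

```python
# Added example, not vendor code. Assumptions: each data object is encoded as
# tag byte + one length byte + value; message wrappers are not built here.
KEY_A, KEY_B = 0, 1
VALUE_OPS = {0xC1: True, 0xC0: True, 0xC2: False, 0xB0: False}  # opcode -> has operand

def _key(key_type: int, key: bytes) -> bytes:
    if key_type not in (KEY_A, KEY_B):
        raise ValueError("key type must be 0 (A) or 1 (B)")
    if len(key) != 6:
        raise ValueError("sector key must be 6 bytes")
    return bytes([key_type]) + key

def mifare_read(sector, start, end, key_type, key) -> bytes:
    if start > end:
        raise ValueError("start block is after end block")
    return bytes([0x30, sector, start, end]) + _key(key_type, key)

def mifare_write(sector, start, end, key_type, key, data) -> bytes:
    if start > end or len(data) != 16 * (end - start + 1):
        raise ValueError("data must be exactly 16 bytes per block written")
    return bytes([0xA0, sector, start, end]) + _key(key_type, key) + data

def mifare_value_op(opcode, sector, block, key_type, key, operand=b"") -> bytes:
    if opcode not in VALUE_OPS:
        raise ValueError("not an increment/decrement/restore/transfer opcode")
    if len(operand) != (4 if VALUE_OPS[opcode] else 0):
        raise ValueError("operand must be 4 bytes for 0xC1/0xC0, absent otherwise")
    return bytes([opcode, sector, block]) + _key(key_type, key) + operand

def tlv(tag: int, value: bytes) -> bytes:
    if len(value) > 0x7F:
        raise ValueError("value too long for a one-byte length")
    return bytes([tag, len(value)]) + value

def request_data(command: bytes, encrypt: bool, last: bool) -> bytes:
    """Tags 81 (command), 82 (00/01 encrypt), 83 (00 more / 01 last)."""
    return (tlv(0x81, command) + tlv(0x82, bytes([int(encrypt)]))
            + tlv(0x83, bytes([int(last)])))

# The read named in the page's request example: sector 0, block 0 to 0, key
# type A, key FFFFFFFFFFFF. The encrypt and last-command flags are chosen here.
EXAMPLE = request_data(
    mifare_read(0, 0, 0, KEY_A, bytes.fromhex("FFFFFFFFFFFF")), True, True)
```

The operand is passed as four raw bytes because the page does not state its byte order.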

Table 97 – MIFARE Plus EV1/EV2/SE/X SL1 (Security Level 1) Commands

| Command | Length | Field Value | EV1 | EV2 | SE | X |
| --- | --- | --- | --- | --- | --- | --- |
| First Authenticate (part 1 and part 2) | 3 | First Authenticate. Use this command to switch to higher security levels. This command behaves as the last command. Device will provide a single beep after receiving a successful response from a card, otherwise, device will provide a double beep.<br>Byte 0 = 0x70<br>Byte 1-2 = Level 2 Switch Key (MIFARE Plus X only), or Level 3 Switch Key. See NXP doc ds206234, table 113.<br>Byte 3 = MIFARE Plus AES_Key#<br>- 0x01 = AES_Key1 = 16-byte value stored in Property 1.2.1.1.4.5 MIFARE Plus AES_Key1.<br>- 0x02 = AES_Key2 = 16-byte value stored in Property 1.2.1.1.4.6 MIFARE Plus AES_Key2.<br>- 0x03 = AES_Key3 = 16-byte value stored in Property 1.2.1.1.4.7 MIFARE Plus AES_Key3.<br>- 0x04 = AES_Key4 = 16-byte value stored in Property 1.2.1.1.4.8 MIFARE Plus AES_Key4.<br>- 0x05 = AES_Key5 = 16-byte value stored in Property 1.2.1.1.4.9 MIFARE Plus AES_Key5.<br>- 0x06 = AES_Key6 = 16-byte value stored in Property 1.2.1.1.4.A MIFARE Plus AES_Key6. | Y | Y | Y | Y |
| Following Authenticate (part 1 and part 2) | 3 | Following Authenticate. Use this command as an option to put the NFC tag in the Security Level 1 AES Authenticated state before sending MIFARE Classic commands.<br>Byte 0 = 0x76<br>Byte 1-2 = Security Level 1 Card Authentication Key. See NXP doc ds206234, table 113.<br>Byte 3 = MIFARE Plus AES_Key# (same key numbering as First Authenticate) | Y | Y | Y | Y |
| READ_SIG | 2 | The READ_SIG command returns an IC-specific, 48-byte ECC originality check signature.<br>Byte 0 = 0x3C<br>Byte 1 = 0x00, RF | Y | Y | N | N |
| Personalize UID | 2 | Set anti-collision, selection and authentication behavior. The execution of this command requires an authentication to MF Classic sector 0 (use MIFARE Read command sector 0 from Table 96 – MIFARE Classic/MINI® Commands).<br>Once this command has been issued and accepted by the PICC, the configuration is automatically locked. A subsequently issued ‘Personalize UID Usage’ command is not executed and fails.<br>Byte 0 = 0x40<br>Byte 1 = Encoded type of UID usage:<br>- 0x00 = UIDF0 = anti-collision and selection with the double size UID (7-byte) according to ISO/IEC14443-3<br>- 0x40 = UIDF1 = anti-collision and selection with the double size UID (7-byte) according to ISO/IEC14443-3 and optional usage of a selection process shortcut<br>- 0x20 = UIDF2 = anti-collision and selection with a single size random ID (4-byte) according to ISO/IEC14443-3. After the card is configured with random ID, it won’t be able to perform any MF Classic authentication since MF Classic authentication requires UID.<br>- 0x60 = UIDF3 = anti-collision and selection with a single size NUID (4-byte) according to ISO/IEC14443-3 where the NUID is calculated out of the 7-byte UID | Y | Y | N | N |
| CANCEL | 1 | This command is used to terminate the pass-through command session.<br>Byte 0 = 0xFF | Y | Y | Y | Y |

Table - Response Data for Command 0x1101 – Pass Through Command for MIFARE Classic/MINI®/Plus SL1 (Security Level 1), Type 2

| Tag | Len | Value / Description | Typ | Req | Default |
| --- | --- | --- | --- | --- | --- |
| | | Beginning of any wrappers, at minimum including Response Message | | | |
| | | 1101 = Command 0x1101 – Pass Through Command for MIFARE Classic/MINI®/Plus SL1 (Security Level 1), Type 2 | | | |
| 81 | var | Tag Response Code<br>Byte 0 = 0x00 = Success<br>Byte 0 = 0x01 = I/O Failed<br>Byte 0 = 0x02 = Authentication Failed<br>Byte 1 = 0x01 = Block that Failed (optional) | B | R | N/A |
| 82 | var | Encryption Control. If encrypted, see Table 93 - Payload for Encrypted NFC/MIFARE Data. If unencrypted, see Table 94 – Unencrypted NFC/MIFARE Data. | B | O | N/A |
| | | End of any wrappers, at minimum including Response Message | | | |

If the request started successfully, the Request Status in the message wrapper is: OK, Started / Running, All good / requested operation was successful.

Table - Request Example (Read Sector 0, Block Number Start 0 - End 0, KeyType A, Key = FFFFFFFFFFFF)

Table - Response Example (Read Sector 0, Block Number Start 0 - End 0, KeyType A, Key = FFFFFFFFFFFF)

Table 93 - Payload for Encrypted NFC/MIFARE Data

| Tag | Len | Value / Description | Typ | Req | Default |
| --- | --- | --- | --- | --- | --- |
| /DFDF59 | var | Encrypted Data Primitive. Decrypt the value of this TLV data object using the algorithm and variant specified in the Encrypted Data KSN parameter and the Encrypted Data Encryption Type parameter to read its contents. The format of the decrypted data is shown in Table 360. | B | R | |
| /DFDF50 | var | Encrypted Data KSN | B | R | |
| /DFDF51 | 01 | Encrypted Data Encryption Type. See section 4.4 Encryption Type for a list of valid values. | B | R | |
| | | End of any wrappers, at minimum including Response Message | | | |

Table 94 – Unencrypted NFC/MIFARE Data

| Tag | Len | Value / Description | Typ | Req | Default |
| --- | --- | --- | --- | --- | --- |
| FC | var | NFC/MIFARE Data Container | T | R | |
| /DF7A | var | NFC/MIFARE Data | B | O | |
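A decoder for the response data described above: the Tag Response Code in tag 81, then either the encrypted payload objects (DFDF59, DFDF50, DFDF51) or the unencrypted container (FC with DF7A). It refuses a clear-text payload when the request asked for encryption. This is an added example, not code from the original page or the device vendor; it assumes BER-TLV tag and length encoding and that tag 82 wraps the objects from the two payload tables, and the sample bytes are constructed.

```python
# Added example, not vendor code. Assumptions: BER-TLV tags and lengths, and
# tag 82 wrapping the Table 93 / Table 94 objects. Message wrappers omitted.
STATUS = {0x00: "Success", 0x01: "I/O Failed", 0x02: "Authentication Failed"}

def parse_tlvs(buf: bytes) -> dict:   # one nesting level -> {tag_hex: value}
    out, i = {}, 0
    try:
        while i < len(buf):
            start = i
            if buf[i] & 0x1F == 0x1F:        # multi-byte tag such as DF7A, DFDF59
                i += 1
                while buf[i] & 0x80:
                    i += 1
            i += 1
            tag = buf[start:i].hex().upper()
            n = buf[i]
            i += 1
            if n & 0x80:                     # long-form length
                k = n & 0x7F
                n, i = int.from_bytes(buf[i:i + k], "big"), i + k
            if i + n > len(buf):
                raise IndexError
            out[tag] = buf[i:i + n]
            i += n
    except IndexError:
        raise ValueError("truncated or malformed TLV data") from None
    return out

def decode_response(data: bytes, encryption_requested: bool) -> dict:
    top = parse_tlvs(data)
    code = top.get("81", b"")
    if not code:
        raise ValueError("missing Tag Response Code (81)")
    res = {"status": STATUS.get(code[0], f"Unknown 0x{code[0]:02X}"),
           "failed_block": code[1] if len(code) > 1 else None,  # optional byte 1
           "encrypted": None, "payload": None}
    body = parse_tlvs(top.get("82", b""))
    if "DFDF59" in body:                     # encrypted: ciphertext + KSN + type
        if not {"DFDF50", "DFDF51"}.issubset(body):
            raise ValueError("encrypted payload without KSN or encryption type")
        res.update(encrypted=True, payload=body["DFDF59"])
    elif "FC" in body:                       # unencrypted container
        res.update(encrypted=False, payload=parse_tlvs(body["FC"]).get("DF7A"))
    if encryption_requested and res["encrypted"] is False:
        raise ValueError("encryption requested but card data returned in clear")
    return res

# Constructed sample: success, unencrypted, one 16-byte block (00..0F).
SAMPLE_CLEAR = bytes.fromhex("810100" "8215" "FC13" "DF7A10") + bytes(range(16))
```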
