| Tag | Len | Value / Description | Typ | Req | Default |
|---|---|---|---|---|---|
| Beginning of any wrappers, at minimum including Request Message | |||||
| 1103 = Command 0x1103 – Pass Through Command for MIFARE Plus, Type 2 | |||||
| 81 | var | Command to Send. See Table 110 - MIFARE Plus EV1/EV2/SE/X SL0 (Security Level 0) Commands. See Table 111 – MIFARE Plus EV1/EV2/SE/X SL3 (Security Level 3) Commands | B | R | |
| 82 | 01 | 00 – No Encrypt 01 - Encrypt | |||
| 83 | 01 | 00 – Expect More Commands 01 – FF (Last Command) If this is the last command, the Device will provide a single beep after receiving a successful response from the tag, otherwise, the device will provide a double beep | B | R | |
| End of any wrappers, at minimum including Request Message |
| Command | Length | Field Value | EV1 | EV2 | SE | X |
|---|---|---|---|---|---|---|
| GET_VERSION | 1 | The GET_VERSION command is used to retrieve manufacturing related data of the MIFARE Plus EV1/EV2 cards Byte 0 = 0x60 | Y | Y | N | N |
| READ_SIG | 2 | The READ_SIG command returns an IC-specific, 48-byte ECC originality check signature of MIFARE Plus EV1/EV2 cards. Byte 0 = 0x3C Byte 1 = 0x00, RFU | Y | Y | N | N |
| WRITE_PERSO | 19 | The WRITE_PERSO command is used to pre-personalize AES keys and data from the initial delivery configuration to a customer specific value. Byte 0 = 0xA8 Byte 1-2 = Number of Block or Key to be written to (MSB first). See NXP doc ds206234, table 113. Byte 3 to 18 = 16 bytes value of the key or data which shall be written (in plain) | Y | Y | Y | Y |
| COMMIT_PERSO | 2 | The COMMIT_PERSO command is used to finalize the personalization and switch up to security level 1 or security level 3. For MIFARE Plus EV1/EV2, the following mandatory AES keys must be written using the WRITE_PERSO command before it can be switched to security level 1 or security level 3.
For MIFARE Plus SE, the following mandatory AES keys must be written using the WRITE_PERSO command before it can be switched to security level 1 (for L1 card) or security level 3 (for L3 card).
For MIFARE Plus X, the following mandatory AES keys must be written using the WRITE_PERSO command before it can be switched to security level 1 (for L1 card) or security level 3 (for L3 card).
Byte 0 = 0xAA Byte 1 = Security Level Option for EV1 and EV2 cards
Byte 1 = 0x00 for SE and X cards. The Device will return error for other values. It is also highly recommended to change all sector AES keys as well as the data within this security level in a secure environment. This command is behaved as the last command. The Device will provide a single beep after receiving a successful response from a card, otherwise, device will provide a double beep. | Y | Y | Y | Y |
| CANCEL | 1 | This command is used to terminate the pass-through command session. Byte 0 = 0xFF | Y | Y | Y | Y |
| Command | Length | Field Value | EV1 | EV2 | SE | X |
|---|---|---|---|---|---|---|
| MIFARE Plus Authenticate commands | ||||||
| First Authenticate (part1 and part2) | 3 | First Authenticate Byte 0 = 0x70 Byte 1-2 = Key Number of the key to be authenticated (MSB first). See NXP doc ds206234, table 113. Byte 3 = MIFARE Plus AES_Key#
| Y | Y | Y | Y |
| Following Authenticate (part 1 and part 2) | 3 | Following Authenticate Byte 0 = 0x76 Byte 1-2 = Key Number of the key to be authenticated (MSB first). See NXP doc ds206234, table 113. Byte 3 = MIFARE Plus AES_Key# (same AES_Key# options as First Authenticate) | Y | Y | Y | Y |
| ResetAuth | 1 | Reset the authentication Byte 0 = 0x78 | Y | Y | Y | Y |
| READ commands | ||||||
| Read | 4 | Reading encrypted, no MAC on response, MAC on command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. A MAC is only used on the command sent to the PICC, no MAC is attached to the response. Byte 0 = 0x30 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| Read MACed | 4 | Reading encrypted, MAC on response, MAC on Command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. A MAC is used on the command sent to the PICC and on the response received. Byte 0 = 0x31 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| Read Plain | 4 | Reading in plain, no MAC on response, MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is used on the command and not on the response. Byte 0 = 0x32 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| Read Plain MACed | 4 | Reading in plain, MAC on response, MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is used on the command sent to the PICC as well as on the response from the PICC Byte 0 = 0x33 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| Read UnMACed | 4 | Reading encrypted, no MAC on response, no MAC on command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x34 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| Read UnMACed, Response MACed | 4 | Reading encrypted, MAC on response, no MAC on command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. A MAC is used only on the response received. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x35 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| Read Plain UnMACed | 4 | Reading in plain, no MAC on response, no MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is not used on the response and not on the command. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x36 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| Read Plain UnMACed, Response MACed | 4 | Reading in plain, MAC on response, no MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is used on the response and not on the command. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x37 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer. | Y | Y | Y | Y |
| WRITE commands | Y | Y | Y | Y | ||
| Write | 20/36/52 | Writing encrypted, no MAC on response, MAC on Command. This command offers the possibility to write the data to up to three blocks in an encrypted way. MAC is only used on the command sent to the PICC. Byte 0 = 0xA0 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16. | Y | Y | Y | Y |
| Write MACed | 20/36/52 | Writing encrypted, MAC on response, MAC on command. This command offers the possibility to write the data to up to three blocks in an encrypted way. A MAC is used on the command sent to the PICC and on the response received from the PICC. Byte 0 = 0xA1 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16. | Y | Y | Y | Y |
| Write Plain | 20/36/52 | Writing in plain, no MAC on response, MAC on command. This command offers the possibility to write the data to up to three blocks in plain. A MAC is only used on the command sent to the PICC. Byte 0 = 0xA2 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16. | Y | Y | Y | Y |
| Write Plain MACed | 20/36/52 | Writing in plain, MAC on response, MAC on command. This command offers the possibility to write the data to up to three blocks in plain. A MAC is used on the command sent to the PICC as well as on the response from the PICC Byte 0 = 0xA3 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16. | Y | Y | Y | Y |
| VALUE operations | ||||||
| Increment | 7 | Increment encrypted, no MAC on response, MAC on command. This command offers the possibility to increment a value block where the command is secured by a MAC calculated, but not on the response. Byte 0 = 0xB0 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be incremented in LSB order. Example for increment by 1: 0x01 00 00 00 | Y | Y | Y | Y |
| Increment MACed | 7 | Increment encrypted, MAC on response, MAC on command. Byte 0 = 0xB1 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be incremented in LSB order. Example for increment by 1: 0x01 00 00 00 | Y | Y | Y | Y |
| Decrement | 7 | Decrement encrypted, no MAC on response, MAC on command. Byte 0 = 0xB2 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00 | Y | Y | Y | Y |
| Decrement MACed | 7 | Decrement encrypted, MAC on response, MAC on command. Byte 0 = 0xB3 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00 | Y | Y | Y | Y |
| Transfer | 3 | Transfer, no MAC on response, MAC on command. The Transfer command stores the content of the Transfer Buffer to the specified address. The Transfer command can be applied to any block. The Transfer command can only be executed after an Increment, Decrement, IncrementTransfer, DecrementTransfer or Restore command has been successfully executed since the latest authentication. The command is secured by a MAC on a command. No MAC is calculated on the response. Byte 0 = 0xB4 Byte 1-2 = Destination Block number (MSB first). | Y | Y | Y | Y |
| Transfer MACed | 3 | Transfer, MAC on response, MAC on command. Byte 0 = 0xB5 Byte 1-2 = Destination Block number (MSB first). | Y | Y | Y | Y |
| Increment Transfer | 9 | Increment Transfer encrypted, no MAC on response, MAC on Command. Combined increment and transfer. Byte 0 = 0xB6 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be incremented in LSB order. Example for increment by 1: 0x01 00 00 00 | Y | Y | Y | Y |
| Increment Transfer MACed | 9 | Increment Transfer encrypted, MAC on response, MAC on command. Byte 0 = 0xB7 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be incremented in LSB order. | Y | Y | Y | Y |
| Decrement Transfer | 9 | Decrement Transfer encrypted, no MAC on response, MAC on command. Byte 0 = 0xB8 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00 | Y | Y | Y | Y |
| Decrement Transfer MACed | 9 | Decrement Transfer encrypted, MAC on response, MAC on command. Byte 0 = 0xB9 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00 | Y | Y | Y | Y |
| Restore | 3 | Restore encrypted, no MAC on response, MAC on command. The Restore command copies the Content found in the Value Block at the given address to the Transfer Buffer. The Restore command can only be applied to value blocks. Byte 0 = 0xC2 Byte 1-2 = Source Block number (MSB first). | Y | Y | Y | Y |
| Restore MACed | 3 | Restore encrypted, MAC on response, MAC on command. Byte 0 = 0xC3 Byte 1-2 = Source Block number (MSB first). | Y | Y | Y | Y |
| Others | ||||||
| GET_VERSION | 1 | The GET_VERSION command is used to retrieve manufacturing related data of the MIFARE Plus EV1/EV2 cards. This command can be sent before Read/Write/Value commands. Byte 0 = 0x60 | Y | Y | N | N |
| READ_SIG | 2 | The READ_SIG command returns an IC-specific, 48-byte ECC originality check signature of MIFARE Plus EV1/EV2 cards. This command can be sent before Read/Write/Value commands. Byte 0 = 0x3C Byte 1 = 0x00, RFU | Y | Y | N | N |
| CANCEL | 1 | This command is used to terminate the pass-through command session. Byte 0 = 0xFF | Y | Y | Y | Y |
| Tag | Len | Value / Description | Typ | Req | Default |
|---|---|---|---|---|---|
| Beginning of any wrappers, at minimum including Response Message | |||||
| 1103 = Command 0x1103 – Pass Through Command for MIFARE Plus, Type 2 | |||||
| 81 | 01 | Tag Response Code 0x00 = Success 0x01 = Failed | B | R | N/A |
| 82 | Var | Encryption Control If encrypted, see Table 93 - Payload for Encrypted NFC/MIFARE Data. If unencrypted see Table 94 – Unencrypted NFC/MIFARE Data. | B | O | N/A |
| End of any wrappers, at minimum including Response Message |
| Tag | Len | Value / Description | Typ | Req | Default |
|---|---|---|---|---|---|
| /DFDF59 | var | Encrypted Data Primitive. Decrypt the value of this TLV data object using the algorithm and variant specified in the Encrypted Data KSN parameter and the Encrypted Data Encryption Type parameter to read its contents. The format of the decrypted data is shown in Table 360. | B | R | |
| /DFDF50 | var | Encrypted Data KSN | B | R | |
| /DFDF51 | 01 | Encrypted Data Encryption Type. See section 4.4 Encryption Type for a list of valid values. | B | R | |
| End of Notification Message |