Ctrlk

Command 0x1103 – Pass Through Command for MIFARE Plus, Type 2

After a MIFARE Plus EV1/EV2/SE/X Tag is activated, the Host uses this command to send commands and receive responses to and from a MIFARE Plus tag.

For MIFARE Plus SE/X, the Device will not auto detect an error from the MIFARE Tag that has been removed to end the pass-through session. To end the pass-through session, the Host application can send the last command, CANCEL command (0xFF), or receive error response from the MIFARE Tag.

For MIFARE Plus EV1/EV2 at Security Level 3, after the first Read/Write/Value operation, the Device will not auto detect an error from the MIFARE Tag that has been removed to end the pass-through session. To end the pass-through session, the Host application can send the last command, CANCEL command (0xFF), or receive error response from the MIFARE Tag.

After the card is configured to successfully switch to Security Level 1, the card will be discovered as MIFARE Classic 1K/4K and can use the same functionality as MIFARE Classic 1K/4K commands.

For more details, please refer to NXP NDA documentation ds206234-Product data sheet MIFARE Plus Functionality of implementations on smart card controllers (3.4)

Table - Command 0x1103 – Pass Through Command for MIFARE Plus, Type 2

Tag
Len
Value / Description
Typ
Req
Default

Beginning of any wrappers, at minimum including Request Message

1103 = Command 0x1103 – Pass Through Command for MIFARE Plus, Type 2

81

var

Command to Send. See Table 110 - MIFARE Plus EV1/EV2/SE/X SL0 (Security Level 0) Commands. See Table 111 – MIFARE Plus EV1/EV2/SE/X SL3 (Security Level 3) Commands

B

R

82

01

00 – No Encrypt 01 - Encrypt

83

01

00 – Expect More Commands 01 – FF (Last Command) If this is the last command, the Device will provide a single beep after receiving a successful response from the tag, otherwise, the device will provide a double beep

B

R

End of any wrappers, at minimum including Request Message

Table - MIFARE Plus EV1/EV2/SE/X SL0 (Security Level 0) Commands

Command
Length
Field Value
EV1
EV2
SE
X

GET_VERSION

1

The GET_VERSION command is used to retrieve manufacturing related data of the MIFARE Plus EV1/EV2 cards Byte 0 = 0x60

Y

Y

N

N

READ_SIG

2

The READ_SIG command returns an IC-specific, 48-byte ECC originality check signature of MIFARE Plus EV1/EV2 cards. Byte 0 = 0x3C Byte 1 = 0x00, RFU

Y

Y

N

N

WRITE_PERSO

19

The WRITE_PERSO command is used to pre-personalize AES keys and data from the initial delivery configuration to a customer specific value.

Byte 0 = 0xA8

Byte 1-2 = Number of Block or Key to be written to (MSB first). See NXP doc ds206234, table 113.

Byte 3 to 18 = 16 bytes value of the key or data which shall be written (in plain)

Y

Y

Y

Y

COMMIT_PERSO

2

The COMMIT_PERSO command is used to finalize the personalization and switch up to security level 1 or security level 3.

For MIFARE Plus EV1/EV2, the following mandatory AES keys must be written using the WRITE_PERSO command before it can be switched to security level 1 or security level 3.

  • Card Configuration Key

  • Card Master Key

  • Level 2 Switch Key

  • Level 3 Switch Key

For MIFARE Plus SE, the following mandatory AES keys must be written using the WRITE_PERSO command before it can be switched to security level 1 (for L1 card) or security level 3 (for L3 card).

  • Card Configuration Key

  • Card Master Key

  • Level 3 Switch Key

For MIFARE Plus X, the following mandatory AES keys must be written using the WRITE_PERSO command before it can be switched to security level 1 (for L1 card) or security level 3 (for L3 card).

  • Card Configuration Key

  • Card Master Key

  • Level 2 Switch Key (for L1 card)

  • Level 3 Switch Key (for L1 card)

Byte 0 = 0xAA

Byte 1 = Security Level Option for EV1 and EV2 cards

  • 0x01 = Security Level 1

  • 0x03 = Security Level 3

  • Other values = Invalid. Device will return error.

Byte 1 = 0x00 for SE and X cards. The Device will return error for other values.

It is also highly recommended to change all sector AES keys as well as the data within this security level in a secure environment.

This command is behaved as the last command. The Device will provide a single beep after receiving a successful response from a card, otherwise, device will provide a double beep.

Y

Y

Y

Y

CANCEL

1

This command is used to terminate the pass-through command session.

Byte 0 = 0xFF

Y

Y

Y

Y

Table – MIFARE Plus EV1/EV2/SE/X SL3 (Security Level 3) Commands

Command
Length
Field Value
EV1
EV2
SE
X

MIFARE Plus Authenticate commands

First Authenticate (part1 and part2)

3

First Authenticate Byte 0 = 0x70 Byte 1-2 = Key Number of the key to be authenticated (MSB first). See NXP doc ds206234, table 113. Byte 3 = MIFARE Plus AES_Key#

  • 0x01 = AES_Key1 = 16 bytes value stored in Property 1.2.1.1.4.5 MIFARE Plus AES_Key1.

  • 0x02 = AES_Key2 = 16 bytes value stored in Property 1.2.1.1.4.6 MIFARE Plus AES_Key2.

  • 0x03 = AES_Key3 = 16 bytes value stored in Property 1.2.1.1.4.7 MIFARE Plus AES_Key3.

  • 0x04 = AES_Key4 = 16 bytes values stored in Property 1.2.1.1.4.8 MIFARE Plus AES_Key4.

  • 0x05 = AES_Key5 = 16 bytes values stored in Property 1.2.1.1.4.9 MIFARE Plus AES_Key5.

  • 0x06 = AES_Key6 = 16 bytes values stored in Property 1.2.1.1.4.A MIFARE Plus AES_Key6.

Y

Y

Y

Y

Following Authenticate (part 1 and part 2)

3

Following Authenticate Byte 0 = 0x76 Byte 1-2 = Key Number of the key to be authenticated (MSB first). See NXP doc ds206234, table 113. Byte 3 = MIFARE Plus AES_Key# (same AES_Key# options as First Authenticate)

Y

Y

Y

Y

ResetAuth

1

Reset the authentication Byte 0 = 0x78

Y

Y

Y

Y

READ commands

Read

4

Reading encrypted, no MAC on response, MAC on command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. A MAC is only used on the command sent to the PICC, no MAC is attached to the response. Byte 0 = 0x30 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

Read MACed

4

Reading encrypted, MAC on response, MAC on Command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. A MAC is used on the command sent to the PICC and on the response received. Byte 0 = 0x31 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

Read Plain

4

Reading in plain, no MAC on response, MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is used on the command and not on the response. Byte 0 = 0x32 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

Read Plain MACed

4

Reading in plain, MAC on response, MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is used on the command sent to the PICC as well as on the response from the PICC Byte 0 = 0x33 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

Read UnMACed

4

Reading encrypted, no MAC on response, no MAC on command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x34 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

Read UnMACed, Response MACed

4

Reading encrypted, MAC on response, no MAC on command. This command offers the possibility to read the data from one or multiple blocks in an encrypted way. A MAC is used only on the response received. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x35 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

Read Plain UnMACed

4

Reading in plain, no MAC on response, no MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is not used on the response and not on the command. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x36 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

Read Plain UnMACed, Response MACed

4

Reading in plain, MAC on response, no MAC on command. This command offers the possibility to read the data in plain from one or multiple blocks. A MAC is used on the response and not on the command. By default, Read with MAC on command is required. To Read with no MAC on command, needs to modify the card MFP Configuration Block. Byte 0 = 0x37 Byte 1-2 = Block number of the 1st block to be read (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01 – 0x0F = Number of blocks to be read. Sector Trailers do not count if Byte 3 > 1. Use Byte 3 = 1 for reading Sector Trailer.

Y

Y

Y

Y

WRITE commands

Y

Y

Y

Y

Write

20/36/52

Writing encrypted, no MAC on response, MAC on Command. This command offers the possibility to write the data to up to three blocks in an encrypted way. MAC is only used on the command sent to the PICC. Byte 0 = 0xA0 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16.

Y

Y

Y

Y

Write MACed

20/36/52

Writing encrypted, MAC on response, MAC on command. This command offers the possibility to write the data to up to three blocks in an encrypted way. A MAC is used on the command sent to the PICC and on the response received from the PICC. Byte 0 = 0xA1 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16.

Y

Y

Y

Y

Write Plain

20/36/52

Writing in plain, no MAC on response, MAC on command. This command offers the possibility to write the data to up to three blocks in plain. A MAC is only used on the command sent to the PICC. Byte 0 = 0xA2 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16.

Y

Y

Y

Y

Write Plain MACed

20/36/52

Writing in plain, MAC on response, MAC on command. This command offers the possibility to write the data to up to three blocks in plain. A MAC is used on the command sent to the PICC as well as on the response from the PICC Byte 0 = 0xA3 Byte 1-2 = Block number of the 1st to be written block (MSB first). See NXP doc ds206234, table 113. Byte 3 = 0x01/0x02/0x03 = number of blocks (16 byte) of the data to be written Byte 4 – n = Data to be written, equal to number of blocks * 16.

Y

Y

Y

Y

VALUE operations

Increment

7

Increment encrypted, no MAC on response, MAC on command. This command offers the possibility to increment a value block where the command is secured by a MAC calculated, but not on the response. Byte 0 = 0xB0 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be incremented in LSB order. Example for increment by 1: 0x01 00 00 00

Y

Y

Y

Y

Increment MACed

7

Increment encrypted, MAC on response, MAC on command. Byte 0 = 0xB1 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be incremented in LSB order. Example for increment by 1: 0x01 00 00 00

Y

Y

Y

Y

Decrement

7

Decrement encrypted, no MAC on response, MAC on command. Byte 0 = 0xB2 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00

Y

Y

Y

Y

Decrement MACed

7

Decrement encrypted, MAC on response, MAC on command. Byte 0 = 0xB3 Byte 1-2 = Source Block number (MSB first). Byte 3-6 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00

Y

Y

Y

Y

Transfer

3

Transfer, no MAC on response, MAC on command. The Transfer command stores the content of the Transfer Buffer to the specified address. The Transfer command can be applied to any block. The Transfer command can only be executed after an Increment, Decrement, IncrementTransfer, DecrementTransfer or Restore command has been successfully executed since the latest authentication. The command is secured by a MAC on a command. No MAC is calculated on the response. Byte 0 = 0xB4 Byte 1-2 = Destination Block number (MSB first).

Y

Y

Y

Y

Transfer MACed

3

Transfer, MAC on response, MAC on command. Byte 0 = 0xB5 Byte 1-2 = Destination Block number (MSB first).

Y

Y

Y

Y

Increment Transfer

9

Increment Transfer encrypted, no MAC on response, MAC on Command. Combined increment and transfer. Byte 0 = 0xB6 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be incremented in LSB order. Example for increment by 1: 0x01 00 00 00

Y

Y

Y

Y

Increment Transfer MACed

9

Increment Transfer encrypted, MAC on response, MAC on command. Byte 0 = 0xB7 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be incremented in LSB order.

Y

Y

Y

Y

Decrement Transfer

9

Decrement Transfer encrypted, no MAC on response, MAC on command. Byte 0 = 0xB8 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00

Y

Y

Y

Y

Decrement Transfer MACed

9

Decrement Transfer encrypted, MAC on response, MAC on command. Byte 0 = 0xB9 Byte 1-2 = Source Block number (MSB first). Byte 3-4 = Destination Block number (MSB first). Byte 5-8 = The 4 bytes value to be decremented in LSB order. Example for decrement by 1: 0x01 00 00 00

Y

Y

Y

Y

Restore

3

Restore encrypted, no MAC on response, MAC on command. The Restore command copies the Content found in the Value Block at the given address to the Transfer Buffer. The Restore command can only be applied to value blocks. Byte 0 = 0xC2 Byte 1-2 = Source Block number (MSB first).

Y

Y

Y

Y

Restore MACed

3

Restore encrypted, MAC on response, MAC on command. Byte 0 = 0xC3 Byte 1-2 = Source Block number (MSB first).

Y

Y

Y

Y

Others

GET_VERSION

1

The GET_VERSION command is used to retrieve manufacturing related data of the MIFARE Plus EV1/EV2 cards. This command can be sent before Read/Write/Value commands. Byte 0 = 0x60

Y

Y

N

N

READ_SIG

2

The READ_SIG command returns an IC-specific, 48-byte ECC originality check signature of MIFARE Plus EV1/EV2 cards. This command can be sent before Read/Write/Value commands. Byte 0 = 0x3C Byte 1 = 0x00, RFU

Y

Y

N

N

CANCEL

1

This command is used to terminate the pass-through command session. Byte 0 = 0xFF

Y

Y

Y

Y

Table - Response Data for Command 0x1103 – Pass Through Command for MIFARE Plus, Type 2

Tag
Len
Value / Description
Typ
Req
Default

Beginning of any wrappers, at minimum including Response Message

1103 = Command 0x1103 – Pass Through Command for MIFARE Plus, Type 2

81

01

Tag Response Code 0x00 = Success 0x01 = Failed

B

R

N/A

82

Var

Encryption Control If encrypted, see Table 93 - Payload for Encrypted NFC/MIFARE Data. If unencrypted see Table 94 – Unencrypted NFC/MIFARE Data.

B

O

N/A

End of any wrappers, at minimum including Response Message

If the request started successfully, the Request Status in the message wrapper is OK, Started / Running, All good / requested operation was successful.

Table - Request Example (Get Version)

Table - Response Example (Get Version)

Encrypted Data Format

Table - Payload for Encrypted NFC/MIFARE Data

Tag
Len
Value / Description
Typ
Req
Default

/DFDF59

var

Encrypted Data Primitive. Decrypt the value of this TLV data object using the algorithm and variant specified in the Encrypted Data KSN parameter and the Encrypted Data Encryption Type parameter to read its contents. The format of the decrypted data is shown in Table 360.

B

R

/DFDF50

var

Encrypted Data KSN

B

R

/DFDF51

01

Encrypted Data Encryption Type. See section 4.4 Encryption Type for a list of valid values.

B

R

End of Notification Message

Table – Unencrypted NFC/MIFARE Data

Tag
Len
Value / Description
Typ
Req
Default

FC

var

NFC/MIFARE Data Container

T

R

/DF7A

var

NFC/MIFARE Data

B

O

Last updated