Increment/decrement -- Mifare 1k

[=] # | sector 00 / 0x00 | ascii
[=] ----+------------------------------------------------+----------------
[=] 0 | A5 5B 27 9B 42 08 04 00 04 21 33 76 86 51 3A 90 | .['.B…!3v.Q:.
[=] 1 | F6 FF FF 7F 09 00 00 80 F6 FF FF 7F 00 FF 00 FF | … 2147483638
[=] 2 | F6 FF FF 7F 09 00 00 80 F6 FF FF 7F 00 FF 00 FF | … 2147483638
[=] 3 | FF FF FF FF FF FF E6 98 71 CB 00 00 00 00 00 00 | …q…

[=] ------------------------ Sector trailer decoder ------------------------
[=] Key A… FFFFFFFFFFFF
[=] ACR… E69871
[=] User / gpb… cb
[=] Key B… 000000000000


[=] # | access rights
[=] ----+------------------------------------------------------------------
[=] 0 | none
[=] 1 | read AB; decrement transfer restore AB
[=] 2 | read AB; decrement transfer restore AB
[=] 3 | write A by B; read ACCESS by AB; write B by B
[=] ------------------------------------------------------------------------

Good gentlemen, is there any command or way to decrease or increase blocks 1 and 2 of sector 0? The Access Bits (E6 98 71) are blocked and do not change.
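The decoded value and access rights in the dump above can be re-derived by hand from the MIFARE Classic value-block and access-bit layouts. This is an added example, not part of the original post: the function names are hypothetical, the bytes are copied from the sector 0 dump, and the condition table follows the MIFARE Classic datasheet.

```python
# Added example: decode a MIFARE Classic value block and the access bits.
# BLOCK1 and ACR are copied from the sector 0 dump on this page.
BLOCK1 = bytes.fromhex("F6FFFF7F09000080F6FFFF7F00FF00FF")
ACR = bytes.fromhex("E69871")

def parse_value_block(block: bytes):
    """Return (value, addr) if the 16 bytes are a well-formed value block, else None."""
    if len(block) != 16:
        return None
    v, v_inv, v2 = block[0:4], block[4:8], block[8:12]
    a, a_inv, a2, a2_inv = block[12:16]
    # Layout: value, ~value, value, addr, ~addr, addr, ~addr
    value_ok = v == v2 and bytes(b ^ 0xFF for b in v) == v_inv
    addr_ok = a == a2 and a_inv == a2_inv == (a ^ 0xFF)
    if not (value_ok and addr_ok):
        return None
    return int.from_bytes(v, "little", signed=True), a

def parse_access_bits(acr: bytes):
    """Return [(C1, C2, C3)] for blocks 0..3, or None if the inverted copies disagree."""
    b6, b7, b8 = acr
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inverted_ok = ((b6 & 0x0F) == (~c1 & 0x0F)
                   and (b6 >> 4) == (~c2 & 0x0F)
                   and (b7 & 0x0F) == (~c3 & 0x0F))
    if not inverted_ok:
        return None
    return [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]

# Data-block access conditions keyed by (C1, C2, C3).
DATA_CONDITIONS = {
    (0, 0, 0): "read AB; write AB; increment AB; decrement transfer restore AB",
    (0, 1, 0): "read AB",
    (1, 0, 0): "read AB; write B",
    (1, 1, 0): "read AB; write B; increment B; decrement transfer restore AB",
    (0, 0, 1): "read AB; decrement transfer restore AB",
    (0, 1, 1): "read B; write B",
    (1, 0, 1): "read B",
    (1, 1, 1): "none",
}

if __name__ == "__main__":
    print(parse_value_block(BLOCK1))
    for n, bits in enumerate(parse_access_bits(ACR)[:3]):
        print(n, bits, DATA_CONDITIONS[bits])
```

Blocks 1 and 2 decode to condition (0, 0, 1), which matches the "decrement transfer restore AB" rows in the access rights table above.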

Technically there should be a way if keys can be cracked (if the chip is vulnerable to it). Clearly this is an electronic purse application of some sort, so straight up asking if there is a way to add money to a stored value card is unlikely to get a clear step by step guide type response.. at least not publicly. Do more research on the proxmark3 and what it’s capable of.

What is this card? A laundry token card or something? Also be aware that card tampering is often checked periodically against a centralized database to ensure these kinds of shenanigans aren’t going on.

3 Likes

Completely offline system, I have keys B and Blackdoor.

You can do it “raw”.. I guess just top it up, get a scan, spend some money, get a scan, spend some more money, get a scan.. check for changes, see if you can correlate value to change. I’m not 100% versed in Mifare EP applications but my hunch is the value is “encrypted” (ugh) using one of the keys. Typically with purse applications there are actual “increment” and “decrement” commands that will do all that hard work for you and store the result.

I think the commands for Mifare (from my old ass notes) are;

  • 0xC0 decrement
  • 0xC1 increment
  • 0xC2 restore
  • 0xC3 transfer

So I believe you have to auth the sector first, then inc/dec, then transfer to “write” the changes to the block. What I don’t know is if the Proxmark3 mifare command set supports any of this.. you might have to start tossing raw commands at your chip instead.

2 Likes

good