M1flex installation with Apex needle

Projects
172

Hi,
per our private discussion I did some research on this with my Gen1 and Gen2 cards and here are the findings.

So the idea is to write incorrect access bits to sector trailer and see what happens. I used Amal’s document as a starting point for good access bit values: http://amal.net/wp-content/uploads/2012/11/NFC-Access-Control-for-Mifare-S50.pdf
These are good, valid access bits: 787788. I then modified a single bit to get invalid values:

  • 797788 - invalid inverted bit for block 0
  • 7A7788 - invalid inverted bit for block 1
  • 7C7788 - invalid inverted bit for block 2
  • 707788 - invalid inverted bit for block 3
  • 786788 - invalid “regular” bit for block 0
  • 785788 - invalid “regular” bit for block 1
  • 783788 - invalid “regular” bit for block 2
  • 78F788 - invalid “regular” bit for block 3

More invalid combinations can be generated. I tested with the above to “cover” scenarios when “regular” and inverted bits are invalid.

Gen1 findings

  • Messing up access bits does indeed lock the whole sector for reads and writes (with either key A or key B).
  • Other sectors on the card are NOT affected by the messed up sector. Reading other sectors on a card works fine with regular Mifare commands.
  • Chinese “magic” commands can still read everything normally - even when access bits are invalid!
  • Chinese “magic” commands CAN easily fix invalid access bits. Just write valid access bits to sector trailer and done. Previously written values in data blocks are preserved.
  • After fixing the sector with the chinese “magic” command, data blocks in the sector can normally be read and written.

Gen2 findings

  • Writing invalid access bits locks the whole sector. Can’t read with either key A or key B. Proxmark returns an error:

    #db# Auth error
    failed reading block

  • Reading from and writing to other sectors on the card still works fine. Messed up sector does NOT affect the whole card.

  • If sector access bits are messed up, it’s game over for that sector. It’s locked forever. I was unable to find a way to fix access bits with neither key A or key B.

6 Likes