Bluetooth Hacking?
Mifare Classic

From OpenPCD

Jump to: navigation, search

The Mifare Classic type of RFID was originally developed by Micron, later licensed to Infineon. Micron was subsequently bought by Philips, and it became part of NXP once NXP was forked out of Philips.

It is claimed to be the first commercial RFID system with any kind of security/encryption.

However, due to the gate count, size and power restrictions of the early 1990's, the encryption is not based on any peer-reviewed and officially recognized algorithm, but on a self-developed, proprietary and secret CRYPTO1 algorithm.

Several weaknesses have been found in the algorithm over time, some of which have been announced at a presentation in December 2007. For details, see


Standards compliance

While promoters of Mifare Classic often point out that it is in line with ISO 14443, this is only half of the thruth: It is compliant to parts 1 through 3 of that standard, but fails to comply with part 4 (the T=CL protocol).

Memory capacity

Mifare Classic 1k

The 1k memory is organized in 16 sectors of each 4 blocks of each 16 bytes.

Thus, 16 * 4 * 16 = 1024 bytes.

Mifare Classic 4k

The 4k memory is organized in a somewhat strange way:

  • 32 sectors with each 4 blocks (of 16 bytes)
  • 8 sectors with each 16 blocks (of 16 bytes)

Mifare Classic mini

The 320 byte memory is organized in

  • 5 sectors with each 4 blocks (of 16 bytes)

Access Control

Each block has its own access control bits and two keys (called Key A and Key B).

There are the following permissions:

  • read
  • write
  • increment
  • decrement
  • transfer
  • restore

They can be organized in only a small subset of combinations.

FIXME: table with access conditions for the sector trailer.