Aim: Dump contents of school Opal card, transfer to school ID card and use school ID card to tap on at stations.
- https://www.nxp.com/docs/en/application-note/AN10833.pdf
- https://hackmethod.com/hacking-mifare-rfid-2/?v=6cc98ba2045f
- https://hackmethod.com/hacking-mifare-rfid/?v=6cc98ba2045f
NXP MIFARE Ultralight C (MF0ICU2) SAK: 0x00
NOTE: The whole MIFARE Ultralight family uses the same ATQA and SAK.
+------------------------------------------------------------------------------------+
| +--------------------------------------------------------------------------+ |
| | +----------------++---------------------------------------+ +----------+ | |
| | | || DIGITAL CONTROL UNIT | | | | |
| | | || +---------------------+ +-----------+ | | | | |
| | | || | CRYPTO CO PROCESSOR | | | | | | | |
| | | || | | | | | | | | |
| | | || +---------------------+ | | | | | | |
| #-----+ | || | | | | | | |
| # | | || +---------------------+ | | | | | | |
| # ANT.| | RF-INTERFACE || | CRYPTO CONTROL UNIT | | EEPROM | | | EEPROM | | |
| # | | || | | | INTERFACE | | | | | |
| #-----+ | || +---------------------+ | | | | | | |
| | | || | | | | | | |
| | | || +---------------------+ | | | | | | |
| | | || | COMMAND INTERPRETER | | | | | | | |
| | | || | | | | | | | | |
| | | || +---------------------+ +-----------+ | | | | |
| | +----------------++---------------------------------------+ +----------+ | |
| +--------------------------------------------------------------------------+ |
+------------------------------------------------------------------------------------+
- Data-sheet: https://www.nxp.com/docs/en/data-sheet/MF0ICU2.pdf
- ATQA = 0x4400
- zero-indexing
- 1024 B, 15 sectors (16B/row, with 3 data blocks and 1 access control block per row)
[00] * 04:94:15 0D (UIDO-UID2, BCCO)
[01] * 2A:6E:65:80 (UID3-UID6)
[02] + A1 48 39 00 (BCC1, INT, LOCKO-LOCK1)
[03] * 8A:A8:16:06 (0TPO-0TP3)
+---------------------------+
04:05 | Unknown (8 B) [xp] |
+---------------------------+
+---------------------------+
06:0F | Unknown (36 B) [.p] |
+---------------------------+
+---------------------------+
10:27 | Data (92 B) [?p] |
+---------------------------+
[28] ?p XX XX -- -- (LOCK2-LOCK3)
[29] ?p XX XX -- -- (CNT0-CNT1)
[2A] ?p 04 -- -- -- (AUTH0)
[2B] ?p XX -- -- -- (AUTH1)
+---------------------------+
2C:2F | Unknown (16 B) [?P] |
+---------------------------+
[x] = locked and blocked
[xp] = blocked and pwd-protected
[.p] = un(b)locked and pwd-protected
[?p] unknown and pwd-protected
[?P] unknown and pwd-protected write-only