RFID Authentication key

Hello everyone,

For some weeks I have been playing around with an RFID shield (RFID-RC522), like the one used in most cases.
Everything is working well, but now I am on my next key step (literally) and that is where I need your help.

My plan is to read out the card's ID and then one or two sectors which contain some random data.
I used one of the writing sketches but now I can’t reauthenticate because the authentication key was changed.
My problem is that I don’t know where I can find it. I tried some different keys but had no success.

I will post my whole sketch so that you can see what was going on.

Thank you for your help!!

Best

sketch_may05c.ino (11.2 KB)

curtp: My problem is that I don't know where I can find it.

Find what exactly ? The authentication key ? The part of your sketch where you changed this key ?

Hi Casou,

thank you for your reply. I know where the key is declared in the code, the default key is FF, but I don't know the key which was used to write the new sectors so I can't change or read them anymore. For my understanding, the key has to be somewhere in the code. But where?

Thank you very much for your help,

curt

Hi Curt,

I had a lot of fun with RFID keys not a while ago... :grin: If I were you, I'd explore two options :

1) I use some "known" keys such as: A0A1A2A3A4A5 or 0000000000.
2) I try to read my tag using an Android app, since there are some well-made ones. This option would be faster than the first one, since they usually have some well-known keys they can use to dump your RFID card/tag.
3) Last but not least, did you check the ACs (Access Conditions) of the 15 sectors of your card? If you messed up those ACs, you can't authenticate even if you use the right key. Unless you use the key B...

Hi Casou,

this is what is coming out of my serial printing:

    59 ms!Card UID: 01 1B 32 34
    PICC type: MIFARE 1KB

    Read trailerBlock before writing : sector ONE
    Settore : 0 Value :4
    Sector : 1 Value :3
    Sector : 2 Value :153
    Sector : 3 Value :154
    Sector : 4 Value :0
    Sector : 5 Value :0
    Sector : 6 Value :0
    Sector : 7 Value :0
    Sector : 8 Value :0
    Sector : 9 Value :0
    Sector :10 Value :0
    Sector :11 Value :0
    Sector :12 Value :0
    Sector :13 Value :0
    Sector :14 Value :0
    Sector :15 Value :0

    Authenticating using key A...
    PCD_Authenticate() failed: Timeout in communication.

It seems that the Trailers for Sector 0 to 3 are "affected" or encrypted.

As far as I can see the access conditions are newly set in the following lines:

    byte value1Block[] = { 1,2,3,4,5,6,  0xff,0x07,0x80,0x69  ,6,5,4,3,2,1};
    status = mfrc522.MIFARE_Write(trailerBlock, value1Block, 16);

But how can I access them again? Thank you very much, I really appreciate your help.

curt

PS: The keys are both used, key A and key B.

curtp: As far as I can see the access conditions are newly set in the following lines:

    byte value1Block[] = { 1,2,3,4,5,6,  0xff,0x07,0x80,0x69  ,6,5,4,3,2,1};
    status = mfrc522.MIFARE_Write(trailerBlock, value1Block, 16);

Well then, it is all crystal clear to me : your new keys are :
Key A : 010203040506
Key B : 060504030201

Your AC is the factory format one so it's perfect. The keys however are quite strange since the factory format should leave them as FFFFFFFFFF but you might have changed them.
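The trailer layout behind the reply above, as an added example that is not part of the original thread or of the MFRC522 library: it splits the 16 bytes the sketch wrote into key A, access bits and key B, and checks the access bits against their stored inverted copies. The bit layout follows the NXP MIFARE Classic datasheet; `Trailer`, `decodeTrailer` and `keyBUsableForAuth` are hypothetical names, and the code is portable C++ with no Arduino dependencies.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Decoded view of a 16-byte MIFARE Classic sector trailer (names are illustrative).
struct Trailer {
    uint8_t keyA[6];   // bytes 0..5
    uint8_t keyB[6];   // bytes 10..15
    uint8_t userByte;  // byte 9, free for application use
    uint8_t cond[4];   // C1C2C3 as a 3-bit value for blocks 0, 1, 2 and the trailer
    bool valid;        // false when the stored inverted copies do not match
};

Trailer decodeTrailer(const uint8_t t[16]) {
    Trailer out;
    memcpy(out.keyA, t, 6);
    memcpy(out.keyB, t + 10, 6);
    out.userByte = t[9];
    // Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high nibble | low nibble).
    uint8_t c1 = t[7] >> 4, c2 = t[8] & 0x0F, c3 = t[8] >> 4;
    uint8_t n1 = t[6] & 0x0F, n2 = t[6] >> 4, n3 = t[7] & 0x0F;
    out.valid = ((c1 ^ n1) == 0x0F) && ((c2 ^ n2) == 0x0F) && ((c3 ^ n3) == 0x0F);
    for (int b = 0; b < 4; b++)
        out.cond[b] = (((c1 >> b) & 1) << 2) | (((c2 >> b) & 1) << 1) | ((c3 >> b) & 1);
    return out;
}

// Under trailer conditions 000, 010 and 001 key B can be read back with key A;
// the datasheet treats it as data there, and it cannot serve for authentication.
bool keyBUsableForAuth(const Trailer &tr) {
    return tr.valid && tr.cond[3] != 0 && tr.cond[3] != 2 && tr.cond[3] != 1;
}

// The 16 bytes the thread's sketch wrote to the trailer block.
const uint8_t kThreadTrailer[16] = {1,2,3,4,5,6, 0xFF,0x07,0x80,0x69, 6,5,4,3,2,1};
// Constructed sample: byte 8 changed so C3 no longer matches its inverted copy.
const uint8_t kCorruptTrailer[16] = {1,2,3,4,5,6, 0xFF,0x07,0x00,0x69, 6,5,4,3,2,1};

int main() {
    Trailer t = decodeTrailer(kThreadTrailer);
    printf("valid=%d trailer C1C2C3=%d%d%d keyB usable for auth=%d\n", t.valid,
           (t.cond[3] >> 2) & 1, (t.cond[3] >> 1) & 1, t.cond[3] & 1, keyBUsableForAuth(t));
    printf("corrupt trailer valid=%d\n", decodeTrailer(kCorruptTrailer).valid);
    return 0;
}
```

Running the same check on a trailer buffer before calling `MIFARE_Write` catches a format violation early; the datasheet states that a sector whose access bits fail this consistency check is irreversibly blocked.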

Oh thank you so much, I will try this tomorrow!
Best, curt

Let me know if this works then !

Hi, I tried, but it was not successful. This is what was coming out of the Serial:

    Scan a MIFARE Classic PICC to demonstrate read and write.
    Using key (for A and B): 01 02 03 04 05 06
    BEWARE: Data will be written to the PICC, in sector #1
    Card UID: 01 1B 32 34
    PICC type: MIFARE 1KB
    Authenticating using key A...
    PCD_Authenticate() failed: Error in communication.

What can I do?

Thanks and bye curt

I am sorry. I can’t know why it is not working.
I’ll try your sketch on my MFRC 522 and see what happens then.

Hi,
it would be very nice of you to try the code.
Meanwhile I tried to use the read-write sketch with the following code from https://github.com/miguelbalboa/rfid:

    // Prepare the key (used both as key A and as key B).
    // The commented-out loop below sets FFFFFFFFFFFFh, the default at chip delivery
    // from the factory; here the key is set to 01 02 03 04 05 06 instead.
    key.keyByte[0] = 0x01;
    key.keyByte[1] = 0x02;
    key.keyByte[2] = 0x03;
    key.keyByte[3] = 0x04;
    key.keyByte[4] = 0x05;
    key.keyByte[5] = 0x06;
        
    /*for (byte i = 0; i < 6; i++) {
        key.keyByte[i] = 0xFF;
    }*/

I tried also the hex values of the numbers like 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, but wasn’t successful.

Then I tried the original code again, but nothing happens at all. In some way I have messed things up a little.
This is the place the original code comes from:
http://www.plcgoods.net/media/editor_uploads/Online-Tutorial/Arduino/Mifare%20change%20Key/Mifare_change_key.ino

Thanks for your help. curt.

A day late and a dollar short on this.

I know this is close to 2 years old, but I came across it while working on my first Arduino project. I was trying to do exactly what this code was doing.

First of all thank you to everyone else who posted as it really clarified how this stuff is working. As well as a few friendly posts on Stack Exchange.

The problem with the linked code is that it authenticated with KeyB and then tried to read / write the ‘authenticated’ blocks. I don’t know how it messed up the key specifically, but when I commented out that block of code it would successfully read the 4 blocks (4,5,6,7) in sector 1.

I took some extra precautions while investigating: I commented out all the write blocks, and just printed everything out to the console. Since everything is a byte array, and since this is done everywhere in various files around this RFID module, I wrote a little helper function.

    // Print a byte array as two-digit hex values, followed by a newline.
    void printByteArray(byte *toPrint, int sizeOfToPrint)
    {
        for (int i = 0; i < sizeOfToPrint; i++)
        {
            // Pad single-digit values with a leading zero.
            Serial.print(toPrint[i] < 0x10 ? "0" : "");
            Serial.print(toPrint[i], HEX);
        }
        Serial.println("");
    }

Also the code in another tutorial helped me better understand why different blocks were ‘special’, and when I made it affect similar blocks as this code it was able to successfully read them.
http://makecourse.weebly.com/week10segment1.html
Lastly I also made a ‘dump’ of all the contents of each card I was playing with so I could reference if everything was looking good. That was one of the first things I did and it came from the examples folder for the library I was using to interface with my module.
GitHub - miguelbalboa/rfid: Arduino RFID Library for MFRC522
In the end I should have just played with all the examples and links from the initial page I found on this site:
http://playground.arduino.cc/Learning/MFRC522

Hi everyone. I'm new to this forum and I would like you to help me with this problem. I use an MFRC522 and I have a lot of MIFARE Classic 1k cards. I see the UID but I don't have access to write data into the card memory; the message is this: "PCD_Authenticate() failed: Error in communication." I tried with the default keys but nothing. I want to restore the default key on these cards. How do I do this? Or how do I find the pass key A and B?

I have more than 1000 cards....

Hello,

four years later from the original post.

I'm trying to find the authorisation key in order to read sectors 4 to 14 of my 13.56 MHz RFID card.

Error: "PCD_Authenticate() failed: Timeout in communication."

Sectors 16 and 15 can still be read if accessed the other way around, from 16 to 1.

My cards are pre-programmed to work with lockers and access control made by Gantner, so a specific key is installed in specific sectors of the tag in order to work with the devices.

In the program folder of the software "GAT programmer" I found the following .INI file:

    VERSION=1.0
    Convert_UID7_to_UID4=0
    [SECTOR_4]
    Segment=LOCKER, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_5]
    Segment=LOCKER, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_6]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_7]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_8]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_9]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_10]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_11]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_12]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_13]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF
    [SECTOR_14]
    Segment=KEYCHANGE, SiteKey=61DADE770DD48D9123834C95A3F491F12984, KeyA=FFFFFFFFFFFF, KeyB=FFFFFFFFFFFF

I tried to set Key A in the Arduino sketch as provided in this topic:

(0xFF,0xFF,0xFF,0xFF,0xFF,0xFF), (0x61,0xDA,0xDE,0x77,0x0D,0xD4), (0x8D,0x91,0x23,0x83,0x4C,0x95), (0xA3,0xF4,0x91,0xF1,0x29,0x84)

failing to read the sectors as mentioned, reporting the timeout.

With FFFFFFFFFFFF I can access sectors 1 to 3, 15 and 16 only. I run DumpInfo MFRC522 to verify.

  • Is there a way to find out what key is used in order to decrypt the sector blocks in the remaining sectors?

  • How exactly does Key B work with Key A to decrypt the MIFARE 1k data?