Access Control

The tag includes access bits that enable access control for the data stored in the tag. This chapter explores how these access bits work. The section can feel a bit overwhelming, so I'll try to keep it as simple and easy to understand as possible.

Modifying Access Bits

Be careful when writing the access bits, as incorrect values can make the sector unusable.

Permissions

These are the fundamental permissions that will be used to define access conditions. The table explains each permission operation and specifies the blocks to which it is applicable: normal data blocks (read/write), value blocks, or sector trailers.

| Operation | Description | Applicable for Block Type |
|---|---|---|
| Read | Reads one memory block | Read/Write, Value, Sector Trailer |
| Write | Writes one memory block | Read/Write, Value, Sector Trailer |
| Increment | Increments the contents of a block and stores the result in the internal Transfer Buffer | Value |
| Decrement | Decrements the contents of a block and stores the result in the internal Transfer Buffer | Value |
| Restore | Reads the contents of a block into the internal Transfer Buffer | Value |
| Transfer | Writes the contents of the internal Transfer Buffer to a block | Value, Read/Write |

Access conditions

Let's address the elephant in the room: the access conditions. During my research, I found that many people struggled to make sense of the access condition section in the datasheet. Here is my attempt to explain it in an easy-to-understand way 🤞.

Only three bits per block are needed to control its permissions. In the official datasheet these are written as CX with a subscript Y (C1₀, C1₂, ... C3₃). The first number (X) is the access bit number, which ranges from 1 to 3; each corresponds to a specific permission type, but the meaning of that permission differs depending on whether the block is a data block or the sector trailer. The subscript (Y) is the relative block number within the sector, which ranges from 0 to 3.

Table 1: Access conditions for the sector trailer

In the original datasheet, the subscript number is not specified in the table. I have added the subscript "3", as the sector trailer is located at Block 3.

Readable Key

If a key can be read, it cannot be used as an authentication key. Therefore, in this table, whenever Key B is readable, it cannot serve as the authentication key. As you may have noticed, Key A can never be read.

| Access Bits (C1₃ C2₃ C3₃) | Key A: Read | Key A: Write | Access Bits: Read | Access Bits: Write | Key B: Read | Key B: Write | Remark |
|---|---|---|---|---|---|---|---|
| 0 0 0 | never | key A | key A | never | key A | key A | Key B may be read |
| 0 1 0 | never | never | key A | never | key A | never | Key B may be read |
| 1 0 0 | never | key B | key A\|B | never | never | key B | |
| 1 1 0 | never | never | key A\|B | never | never | never | |
| 0 0 1 | never | key A | key A | key A | key A | key A | Key B may be read; Default configuration |
| 0 1 1 | never | key B | key A\|B | key B | never | key B | |
| 1 0 1 | never | never | key A\|B | key B | never | never | |
| 1 1 1 | never | never | key A\|B | never | never | never | |

How to make sense out of this table?

It is a simple table showing the correlation between bit combinations and permissions.

For example, if you select "1 0 0" (3rd row in the table), you cannot read Key A or Key B. However, you can modify both the Key A and the Key B value using Key B. You can read the Access Bits with either Key A or Key B, but you can never modify the Access Bits.

Now, where are these bits stored? They go into bytes 6, 7 and 8 of the sector trailer, at specific bit positions that will be explained shortly.

Table 2: Access conditions for data blocks

This applies to all data blocks. The original datasheet does not include the subscript "Y"; I have added it for context. Here, "Y" represents the block number (ranging from 0 to 2).

The default config here indicates that both Key A and Key B can perform all operations. However, as seen in the previous table, Key B is readable (in default config), making it unusable for authentication. Therefore, only Key A can be used.

| Access Bits (C1Y C2Y C3Y) | Read | Write | Increment | Decrement, Transfer, Restore | Application |
|---|---|---|---|---|---|
| 0 0 0 | key A\|B | key A\|B | key A\|B | key A\|B | Default configuration |
| 0 1 0 | key A\|B | never | never | never | read/write block |
| 1 0 0 | key A\|B | key B | never | never | read/write block |
| 1 1 0 | key A\|B | key B | key B | key A\|B | value block |
| 0 0 1 | key A\|B | never | never | key A\|B | value block |
| 0 1 1 | key B | key B | never | never | read/write block |
| 1 0 1 | key B | never | never | never | read/write block |
| 1 1 1 | never | never | never | never | read/write block |

Note: "If Key B can be read in the Sector Trailer, it can't be used for authentication. As a result, if the reader uses Key B to authenticate a block with access conditions that use Key B, the card will refuse any further memory access after authentication."

How to make sense out of this table?

It's similar to the previous one; it shows the relationship between bit combinations and permissions.

For example, if you select "0 1 0" (2nd row in the table) and apply this permission to block 1, you can use either Key A or Key B to read block 1, but no other operation can be performed on block 1.

The notation for this is as follows: the block number is written as a subscript to the bit labels (e.g., C1₁, C2₁, C3₁), where the subscript "1" represents block 1. For the selected combination "0 1 0", this means:

  • C1₁ = 0
  • C2₁ = 1
  • C3₁ = 0

These bits are likewise stored in bytes 6, 7 and 8 of the sector trailer, at specific bit positions that will be explained shortly.

Table 3: Access conditions table

Let's break the original table down to see what each bit represents. Bits 7 and 3 of each byte relate to the sector trailer (block 3). Bits 6 and 2 correspond to block 2. Bits 5 and 1 belong to block 1. Bits 4 and 0 relate to block 0.

An overline on a label (written here as a leading ~) denotes the inverted value: if CXY is 0, then ~CXY is 1, and vice versa. Each C value is therefore stored twice, once plain and once inverted, which is why the three bytes are redundant.

| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|
| Byte 6 | ~C2₃ | ~C2₂ | ~C2₁ | ~C2₀ | ~C1₃ | ~C1₂ | ~C1₁ | ~C1₀ |
| Byte 7 | C1₃ | C1₂ | C1₁ | C1₀ | ~C3₃ | ~C3₂ | ~C3₁ | ~C3₀ |
| Byte 8 | C3₃ | C3₂ | C3₁ | C3₀ | C2₃ | C2₂ | C2₁ | C2₀ |

The default access bits are "FF 07 80" (bytes 6, 7 and 8). Let's try to understand what they mean.

| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|
| Byte 6 (FF) | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Byte 7 (07) | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 |
| Byte 8 (80) | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

We can derive the CXY values from the table above. Byte 6 is all ones, so every inverted C1 and C2 bit is 1, which means C1 and C2 are 0 for all four blocks. The high nibble of byte 7 confirms C1 = 0, and its low nibble (0 1 1 1) holds the inverted C3 bits, so C3₃ = 1 and C3₂ = C3₁ = C3₀ = 0. Byte 8 repeats this in plain form: only bit 7 (C3₃) is set. So only C3₃ is 1, while all other values are 0. Now refer to Table 1 and Table 2 to see which permissions this corresponds to.

| Block | C1Y | C2Y | C3Y | Access |
|---|---|---|---|---|
| Block 0 | 0 | 0 | 0 | All permissions with Key A |
| Block 1 | 0 | 0 | 0 | All permissions with Key A |
| Block 2 | 0 | 0 | 0 | All permissions with Key A |
| Block 3 (Trailer) | 0 | 0 | 1 | You can write Key A using Key A. Access Bits and Key B can only be read and written using Key A. |

Since Key B is readable, you cannot use it for authentication.
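As an added example (my own code, not from the original page or the datasheet), here is a small Python encoder/decoder for the three access-bit bytes described above. It packs the C1/C2/C3 bits of all four blocks into bytes 6..8 with the inverted nibbles, refuses to decode bytes whose plain and inverted copies disagree (the "unusable sector" case mentioned at the top of the page), and maps each block to its row in Table 1 and Table 2. The DATA_BLOCK strings and the KEY_B_READABLE set are my condensation of those tables.

```python
# Added example: pack/unpack MIFARE Classic access bits (trailer bytes 6..8)
# and validate the redundant inverted nibbles. Not code from the page.
from typing import List, Tuple

Bits = Tuple[int, int, int]  # (C1_y, C2_y, C3_y) for one block y

# Table 2 of the page, keyed by (C1, C2, C3), condensed to one string per row.
DATA_BLOCK = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec/transfer/restore A|B",
    (0, 1, 0): "read A|B, write never, inc never, dec never",
    (1, 0, 0): "read A|B, write B, inc never, dec never",
    (1, 1, 0): "read A|B, write B, inc B, dec/transfer/restore A|B",
    (0, 0, 1): "read A|B, write never, inc never, dec/transfer/restore A|B",
    (0, 1, 1): "read B, write B, inc never, dec never",
    (1, 0, 1): "read B, write never, inc never, dec never",
    (1, 1, 1): "read never, write never, inc never, dec never",
}
# Rows of Table 1 in which Key B is readable and so cannot authenticate.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}

def pack(blocks: List[Bits]) -> bytes:
    """blocks[y] = (C1_y, C2_y, C3_y) for y = 0..3; block 3 is the trailer."""
    c1 = sum(b[0] << y for y, b in enumerate(blocks))  # nibble: bit y = C1_y
    c2 = sum(b[1] << y for y, b in enumerate(blocks))
    c3 = sum(b[2] << y for y, b in enumerate(blocks))
    inv = lambda n: (~n) & 0xF                          # the overlined nibble
    byte6 = (inv(c2) << 4) | inv(c1)                    # ~C2 | ~C1
    byte7 = (c1 << 4) | inv(c3)                         #  C1 | ~C3
    byte8 = (c3 << 4) | c2                              #  C3 |  C2
    return bytes([byte6, byte7, byte8])

def unpack(acc: bytes) -> List[Bits]:
    """Inverse of pack(). Raises ValueError when the inverted copies disagree,
    which is the state that renders a sector unusable on the card."""
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    mirrored = (~(b6 & 0xF) & 0xF, ~(b6 >> 4) & 0xF, ~(b7 & 0xF) & 0xF)
    if mirrored != (c1, c2, c3):
        raise ValueError("inverted access-bit nibbles do not match")
    return [((c1 >> y) & 1, (c2 >> y) & 1, (c3 >> y) & 1) for y in range(4)]

def describe(acc: bytes) -> List[str]:
    """One human-readable line per block, using the page's tables."""
    blocks = unpack(acc)
    out = [f"block {y}: {DATA_BLOCK[b]}" for y, b in enumerate(blocks[:3])]
    t = blocks[3]
    note = ("Key B readable, so only Key A authenticates" if t in KEY_B_READABLE
            else "Key B usable for authentication")
    out.append(f"trailer: C1={t[0]} C2={t[1]} C3={t[2]}; {note}")
    return out
```

Running describe(bytes.fromhex("ff0780")) reproduces the default-configuration breakdown above: all three data blocks in the 0 0 0 row and a trailer whose Key B is readable.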

Calculator on next page

Still confused? Use the calculator on the next page to experiment with different combinations. Adjust the permissions for each block and observe how the Access Bits values change accordingly.
