Access Control
The tag includes access bits that enable access control for the data stored in the tag. This chapter will explore how these access bits function. This section might feel a bit overwhelming, so I'll try to make it as simple and easy to understand as possible.
Be careful when writing the access bits, as incorrect values can make the sector unusable.
Permissions
These are the fundamental permissions that will be used to define access conditions. The table explains each permission operation and specifies the blocks to which it is applicable: normal data blocks (read/write), value blocks, or sector trailers.
Operation | Description | Applicable for Block Type |
---|---|---|
Read | Reads one memory block | Read/Write, Value, Sector Trailer |
Write | Writes one memory block | Read/Write, Value, Sector Trailer |
Increment | Increments the contents of a block and stores the result in the internal Transfer Buffer | Value |
Decrement | Decrements the contents of a block and stores the result in the internal Transfer Buffer | Value |
Restore | Reads the contents of a block into the internal Transfer Buffer | Value |
Transfer | Writes the contents of the internal Transfer Buffer to a block | Value, Read/Write |
Access conditions
Let's address the elephant in the room: the access conditions. During my research, I found that many people struggled to make sense of the access condition section in the datasheet. Here is my attempt to explain it in an easy-to-understand way 🤞.
You can use just 3 bit-combinations per block to control its permissions. In the official datasheet, this is represented using a notation like CXY (C1₀, C1₂... C3₃) for the access bits. The first number (X) in this notation refers to the access bit number, which ranges from 1 to 3, each corresponding to a specific permission type. However, the meaning of these permissions varies depending on whether the block is a data block or a trailer block. The second number (Y) in the subscript denotes the relative block number, which ranges from 0 to 3.
Table 1: Access conditions for the sector trailer
In the original datasheet, the subscript number is not specified in the table. I have added the subscript "3", as the sector trailer is located at Block 3.
If you can read the key, it cannot be used as an authentication key. Therefore, in this table, whenever Key B is readable, it cannot serve as the authentication key. As you may have noticed, Key A can never be read.
C1₃ | C2₃ | C3₃ | Key A: Read | Key A: Write | Access Bits: Read | Access Bits: Write | Key B: Read | Key B: Write | Remark |
---|---|---|---|---|---|---|---|---|---|
0 | 0 | 0 | never | key A | key A | never | key A | key A | Key B may be read |
0 | 1 | 0 | never | never | key A | never | key A | never | Key B may be read |
1 | 0 | 0 | never | key B | key A\|B | never | never | key B | |
1 | 1 | 0 | never | never | key A\|B | never | never | never | |
0 | 0 | 1 | never | key A | key A | key A | key A | key A | Key B may be read; Default configuration |
0 | 1 | 1 | never | key B | key A\|B | key B | never | key B | |
1 | 0 | 1 | never | never | key A\|B | key B | never | never | |
1 | 1 | 1 | never | never | key A\|B | never | never | never | |
How to make sense out of this table?
It is a simple table showing the correlation between bit combinations and permissions.
For example: let's say you select "1 0 0" (3rd row in the table). Then you can't read Key A or Key B. However, you can modify both Key A and Key B using Key B. You can read the Access Bits with either Key A or Key B, but you can never modify the Access Bits.
Now, where should these bits be stored? We will place them in the 6th, 7th, and 8th bytes at a specific location, which will be explained shortly.
Table 2: Access conditions for data blocks
This applies to all data blocks. The original datasheet does not include the subscript "Y"; I have added it for context. Here, "Y" represents the block number (ranging from 0 to 2).
The default config here indicates that both Key A and Key B can perform all operations. However, as seen in the previous table, Key B is readable (in default config), making it unusable for authentication. Therefore, only Key A can be used.
C1Y | C2Y | C3Y | Read | Write | Increment | Decrement, Transfer, Restore | Application |
---|---|---|---|---|---|---|---|
0 | 0 | 0 | key A\|B | key A\|B | key A\|B | key A\|B | Default configuration |
0 | 1 | 0 | key A\|B | never | never | never | read/write block |
1 | 0 | 0 | key A\|B | key B | never | never | read/write block |
1 | 1 | 0 | key A\|B | key B | key B | key A\|B | value block |
0 | 0 | 1 | key A\|B | never | never | key A\|B | value block |
0 | 1 | 1 | key B | key B | never | never | read/write block |
1 | 0 | 1 | key B | never | never | never | read/write block |
1 | 1 | 1 | never | never | never | never | read/write block |
How to make sense out of this table?
It's similar to the previous one; it shows the relationship between bit combinations and permissions.
For example: If you select "0 1 0" (2nd row in the table) and use this permission for block 1, you can use either KeyA or KeyB to read block 1. However, no other operations can be performed on block 1.
The notation for this is as follows: the block number is written as a subscript to the bit labels (e.g., C1₁, C2₁, C3₁). Here, the subscript "1" represents block 1. For the selected combination "0 1 0", this means:
- C1₁ = 0
- C2₁ = 1
- C3₁ = 0
These bits will also be placed in the 6th, 7th, and 8th bytes at a specific location, which will be explained shortly.
Table 3: Access conditions table
Let's colorize the original table to better visualize what each bit represents. The 7th and 3rd bits in each byte are related to the sector trailer. The 6th and 2nd bits correspond to Block 2. The 5th and 1st bits are associated with Block 1. The 4th and 0th bits are related to Block 0.
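The overline on the notation indicates inverted values. This means that if the $CX_Y$ value is 0, then $\overline{CX_Y}$ becomes 1.
Byte | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
---|---|---|---|---|---|---|---|---|
Byte 6 | $\overline{C2_3}$ | $\overline{C2_2}$ | $\overline{C2_1}$ | $\overline{C2_0}$ | $\overline{C1_3}$ | $\overline{C1_2}$ | $\overline{C1_1}$ | $\overline{C1_0}$ |
Byte 7 | $C1_3$ | $C1_2$ | $C1_1$ | $C1_0$ | $\overline{C3_3}$ | $\overline{C3_2}$ | $\overline{C3_1}$ | $\overline{C3_0}$ |
Byte 8 | $C3_3$ | $C3_2$ | $C3_1$ | $C3_0$ | $C2_3$ | $C2_2$ | $C2_1$ | $C2_0$ |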
The default access bits are "FF 07 80". Let's try to understand what that means.
Byte | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
---|---|---|---|---|---|---|---|---|
Byte 6 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
Byte 7 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 |
Byte 8 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
We can derive the CXY values from the table above. Notice that only C3₃ is set to 1, while all other values are 0. Now, refer to Table 1 and Table 2 to understand which permission this corresponds to.
Block | C1Y | C2Y | C3Y | Access |
---|---|---|---|---|
Block 0 | 0 | 0 | 0 | All permissions with Key A |
Block 1 | 0 | 0 | 0 | All permissions with Key A |
Block 2 | 0 | 0 | 0 | All permissions with Key A |
Block 3 (Trailer) | 0 | 0 | 1 | You can write Key A using Key A. Access Bits and Key B can only be read and written using Key A. |
Since Key B is readable, you cannot use it for authentication.
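The byte layout from Table 3 can be checked in code. The following is an added example, not code from the original page: it packs four (C1, C2, C3) triples into bytes 6 to 8, and unpacks them again while rejecting values whose inverted copies do not match, which is the kind of mistake the warning at the top of this chapter is about. The function names `encode_access_bits` and `decode_access_bits` are hypothetical.

```python
# Added example: pack/unpack MIFARE Classic access bits (trailer bytes 6-8).
# Function names are illustrative and do not come from any library.

def encode_access_bits(conds):
    """conds: four (C1, C2, C3) tuples for blocks 0, 1, 2 and the trailer (block 3)."""
    if len(conds) != 4 or any(
        len(c) != 3 or any(b not in (0, 1) for b in c) for c in conds
    ):
        raise ValueError("need four (C1, C2, C3) tuples of 0/1")
    # One nibble per access bit: bit Y of nibble X holds CX_Y.
    c1, c2, c3 = (sum(conds[y][x] << y for y in range(4)) for x in range(3))
    flip = lambda n: ~n & 0x0F
    byte6 = (flip(c2) << 4) | flip(c1)  # inverted C2 | inverted C1
    byte7 = (c1 << 4) | flip(c3)        # C1          | inverted C3
    byte8 = (c3 << 4) | c2              # C3          | C2
    return bytes([byte6, byte7, byte8])


def decode_access_bits(raw):
    """Return four (C1, C2, C3) tuples; raise if the inverted copies disagree."""
    if len(raw) != 3:
        raise ValueError("expected bytes 6, 7 and 8 of the sector trailer")
    b6, b7, b8 = raw
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    n_c1, n_c2, n_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    # Every nibble must be the exact complement of its inverted copy.
    for name, plain, inverted in (("C1", c1, n_c1), ("C2", c2, n_c2), ("C3", c3, n_c3)):
        if plain ^ inverted != 0x0F:
            raise ValueError(
                f"{name} bits {plain:04b} do not match inverted copy {inverted:04b}"
            )
    return [((c1 >> y) & 1, (c2 >> y) & 1, (c3 >> y) & 1) for y in range(4)]


if __name__ == "__main__":
    # Default configuration from this chapter: blocks 0-2 = 0 0 0, trailer = 0 0 1.
    default = [(0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 1)]
    print(encode_access_bits(default).hex(" "))
    print(decode_access_bits(bytes.fromhex("ff0780")))
```

Decoding the bytes you are about to write and comparing the result with the intended table rows is a cheap check before sending a trailer write to the tag.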
Calculator on next page
Still confused? Use the calculator on the next page to experiment with different combinations. Adjust the permissions for each block and observe how the Access Bits values change accordingly.