However I haven't found any docs on byte6 in Block0 yet

However I never found any documents, files from these Danish hackers.
Which information are you looking for specifically? :-)
Specific block information such as TCEL, TCAS or the "v4" of the RKF specification

18 is the correct SAK and 98 is part of the manufacturer data. Whether the latter is "correct" cannot be determined by us.

And ha, I was right! SAK and byte 6 of block 0 need not be the same.
I think I remember that the Danish travel cards had been upgraded from Mifare Classic to Mifare Plus a few years ago...

So,
18 is the SAK response from the tag.
98 is the databyte in Block 0
SAK : 18 [2]
the [2] means :
if( (sak & 0x20) == 0) {
return 2; // non iso14443a compliant tag
}
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 992 | Rdr | 52
2228 | 4596 | Tag | 02 00
7040 | 9504 | Rdr | 93 20
10676 | 16500 | Tag | c3 8c be 79 88
18688 | 29216 | Rdr | 93 70 c3 8c be 79 88 b8 80
30388 | 33972 | Tag | 18 37 cd <---SAK response
Thanks; that makes sense. I'll try and figure out how Android has implemented it :-)

Same card - TWO sak. The difference is between raw and emul2html.
output from "hf mf dump"
S0 - B0: aabbccdd88 98 0200 64b995114d204209
The mystique SAK value can be explained when looking at it from different outputs, see snippet below. I think it is a mixture of how to see the bit pattern mask from different source code. Some show raw data, some have added a bitmask and then shown the data.
Same card and the sak is 18 - 88 - 98
pm3 --> hf 14a re
ATQA : 02 00
UID : aa bb cc dd
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
output from "hf mf dump"
S0 - B0: aabbccdd 88 98020064b995114d204209
output from "script run dumptoemul" -> "script run emul2html"
Type Mifare
Size 4096 Bytes
UID aabbccdd
SAK 98
ATQA 0200
Name MPCOS
I believe it to be, or be based on, MF1 IC S70 (http://www.nxp.com/documents/errata_sheet/m057731.pdf), as I found an old specification for travel cards in Scandinavia (Swedish), this deals with MF1 IC S50 (1024B). I know that the data on my card is following this specification to most of its extent, but seeing as my card is 4096B, I'm likely to assume that it must be MF1 IC S70.
All this about SAK might be nothing, and I might not be fully understanding how it works - but in my optic, if the raw dump reads 98h for SAK, it should of course be 98h and not 18h.
We'll see what happens when my Proxmark arrives :-)
Again, thank you for your expertise
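
The values discussed in this thread (18 on the wire, 88 and 98 in block 0) can be told apart by parsing both sources. The following is an added example, not code from any poster or from the Proxmark project: it checks BCC and CRC_A on the quoted trace and compares the SAK sent by the tag with byte 6 of block 0. It assumes the 4-byte-UID block 0 layout UID, BCC, SAK, ATQA, and the block 0 value is constructed by putting the trace UID in place of the masked aabbccdd from the dump.

```python
def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes."""
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]

# Frames copied from the trace quoted in the thread.
TRACE = [("Rdr", "52"), ("Tag", "02 00"), ("Rdr", "93 20"),
         ("Tag", "c3 8c be 79 88"),
         ("Rdr", "93 70 c3 8c be 79 88 b8 80"), ("Tag", "18 37 cd")]
# Constructed: block 0 from the dump, masked UID aabbccdd swapped for the trace UID.
BLOCK0 = bytes.fromhex("c38cbe79" "88" "98" "0200" "64b995114d204209")

def wire_identity(trace):
    """ATQA, UID and SAK as sent during a single-cascade anticollision."""
    out, prev = {}, b""
    for src, hexdata in trace:
        frame = bytes.fromhex(hexdata)
        if src == "Rdr":
            prev = frame
        elif prev in (b"\x52", b"\x26"):      # reply to WUPA / REQA
            out["atqa"] = frame
        elif prev == b"\x93\x20":             # reply to ANTICOLLISION
            if bcc(frame[:4]) != frame[4]:
                raise ValueError("BCC mismatch in anticollision reply")
            out["uid"] = frame[:4]
        elif prev[:2] == b"\x93\x70":         # reply to SELECT
            if crc_a(frame[:1]) != frame[1:]:
                raise ValueError("CRC_A mismatch in SAK frame")
            out["sak"] = frame[0]
    return out

def parse_block0(block: bytes):
    """Assumed 4-byte-UID layout: UID(4) BCC(1) SAK(1) ATQA(2) other data(8)."""
    if len(block) != 16:
        raise ValueError("block 0 must be 16 bytes")
    return {"uid": block[:4], "bcc_ok": bcc(block[:4]) == block[4],
            "stored_sak": block[5], "atqa": block[6:8]}

def compare(trace, block0):
    """Put the SAK from the SELECT reply next to the byte stored in block 0."""
    wire, stored = wire_identity(trace), parse_block0(block0)
    return {"wire_sak": wire["sak"], "stored_sak": stored["stored_sak"],
            "differing_bits": wire["sak"] ^ stored["stored_sak"],
            "uid_match": wire["uid"] == stored["uid"],
            "atqa_match": wire["atqa"] == stored["atqa"],
            "bcc_ok": stored["bcc_ok"]}
```

With the thread's values, the two SAK bytes differ only in bit 0x80, and the 88 in the dump is the BCC of the trace UID.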