Mifare Application Directory - what is stored on RFID card in your wallet?

I have been playing with RFID cards for a while, but recently I borrowed a touchatag reader which supports Mifare cards to take a look at what is stored on the public transit card which I carry in my wallet.

Mifare Classic's weak crypto was reverse-engineered, and recently Harald Welte took a look at one such payment system and had interesting observations about its security.

So, reading your Mifare card isn't hard. If you have a libnfc-supported reader you can run Mifare Classic Offline Cracker to dump the data. But then you are presented with dumps which you don't understand.

Mifare Application Directory (MAD) documents a directory-like structure that describes how the sectors on a card are used. It took me a while to figure out that the pdf file called Mifare address book is the authoritative source of data about card issuers.

But browsing a pdf and watching hex numbers is not fun, so I wrote perl-Mifare-MAD, a simple script which decodes card data in a format similar to the following:

manufacturer block
Serial number: 7ef11d7f
CB: ed
manufacturer data: 880400465976525d103308
ADV (MAD version code): 1
MA (multiapplication): yes
DA (MAD available): yes
Info byte (publisher sector): 0
0000 7ef11d7fed880400465976525d103308 010 R:AB W:-- I:-- DTR:--
0010 b100040015007b887b887b887b886220 100 R:AB W:-B I:-- DTR:--
0020 62200000000000000000000000000000 100 R:AB W:-B I:-- DTR:--
0030 a0a1a2a3a4a5696789c1a7a2676192a6 011 R/W: KEYSECXA:-/B ACCESS COND:AB/B KEYSECXB:-/B
KEY A:a0a1a2a3a4a5 | 696789 GDP: c1 | B:a7a2676192a6

MAD sector 1 @12 0004 [miscellaneous applications]
sector contains card holder information in ASCII format.
surname     1 
given name 18 Vrijednosna karta
any         5 0x09200901
0040 0100525672696a65646e6f736e61206b 110 R:AB W:-B I:-B DTR:AB
0050 6172746100c509200901000000000000 110 R:AB W:-B I:-B DTR:AB
0060 00000000000000000000000000000000 110 R:AB W:-B I:-B DTR:AB
0070 269d97f5a18508778f000f0dabf8179a 011 R/W: KEYSECXA:-/B ACCESS COND:AB/B KEYSECXB:-/B
KEY A:269d97f5a185 | 08778f GDP: 00 | B:0f0dabf8179a

MAD sector 2 @14 0015 [miscellaneous applications]
- card administration MIKROELEKTRONIKA spol.s.v.MIKROELEKTRONIKA spol.s.v.o. worldwide 1 01.02.2007 Card publisher info
Card number: 000040067318
0080 0326898400000460378177277382e134 110 R:AB W:-B I:-B DTR:AB
0090 13ee921ab8f5f6120000000000000036 110 R:AB W:-B I:-B DTR:AB
00a0 0000000000000000000000000000000b 110 R:AB W:-B I:-B DTR:AB
00b0 a0a1a2a3a4a508778f00969185651f84 011 R/W: KEYSECXA:-/B ACCESS COND:AB/B KEYSECXB:-/B
KEY A:a0a1a2a3a4a5 | 08778f GDP: 00 | B:969185651f84
...and so on, for all 16 sectors of a Mifare Classic card. It uses data from publicly available sources (created using copy/paste from the pdf files to the end of the script) and decodes all the bits from the documentation that I understand so far.
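As an added example (not code from the original post or from perl-Mifare-MAD), here is a Python decoder for the sector 0 dump shown above: it recovers the MAD flags from the general purpose byte, the per-sector AIDs, and the C1/C2/C3 access bits with their permission table, checking the inverted copies of the access bits before trusting them. The sector data is the listing above re-typed as a constant; the access-condition table is the one from the Mifare Classic datasheet.

```python
# Constructed sample: the sector 0 dump from the listing above, re-typed as hex.
SECTOR0_HEX = (
    "7ef11d7fed880400465976525d103308"  # block 0: manufacturer block
    "b100040015007b887b887b887b886220"  # block 1: MAD CRC, info byte, AIDs 1-7
    "62200000000000000000000000000000"  # block 2: AIDs of sectors 8-15
    "a0a1a2a3a4a5696789c1a7a2676192a6"  # block 3: key A, access bits, GPB, key B
)

# Data-block permissions per (C1, C2, C3) from the Mifare Classic datasheet:
# read / write / increment / decrement-transfer-restore; "AB" = key A or B,
# "-B" = key B only, "--" = never (the notation the dump above uses).
DATA_ACCESS = {
    (0, 0, 0): ("AB", "AB", "AB", "AB"), (0, 1, 0): ("AB", "--", "--", "--"),
    (1, 0, 0): ("AB", "-B", "--", "--"), (1, 1, 0): ("AB", "-B", "-B", "AB"),
    (0, 0, 1): ("AB", "--", "--", "AB"), (0, 1, 1): ("-B", "-B", "--", "--"),
    (1, 0, 1): ("-B", "--", "--", "--"), (1, 1, 1): ("--", "--", "--", "--"),
}

def access_bits(trailer):
    """(C1, C2, C3) for blocks 0..3 from trailer bytes 6..8, whose nibbles are
    byte 6 = ~C2|~C1, byte 7 = C1|~C3, byte 8 = C3|C2.  The inverted copies
    are checked so a corrupted trailer is rejected, not mis-decoded."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    if (b6 ^ 0xFF) != (((b8 & 0x0F) << 4) | (b7 >> 4)) or ((b7 & 0x0F) ^ 0x0F) != (b8 >> 4):
        raise ValueError("access bits fail their inverted-copy check")
    return [((b7 >> (4 + i)) & 1, (b8 >> i) & 1, (b8 >> (4 + i)) & 1) for i in range(4)]

def mad_aids(block1, block2):
    """sector -> 16-bit AID.  Block 1 starts with the MAD CRC and the info byte;
    AIDs are little-endian ("04 00" at offset 0x12 is AID 0x0004 for sector 1)."""
    raw = block1[2:] + block2
    return {s + 1: raw[2 * s] | (raw[2 * s + 1] << 8) for s in range(15)}

def gpb_flags(gpb):
    """Sector 0 general purpose byte: bit 7 = DA, bit 6 = MA, bits 0-1 = ADV."""
    return {"DA": bool(gpb & 0x80), "MA": bool(gpb & 0x40), "ADV": gpb & 0x03}

def decode_sector0(hexdump):
    """Decode a 64-byte sector 0 dump into the fields the listing prints."""
    blocks = [bytes.fromhex(hexdump)[i:i + 16] for i in range(0, 64, 16)]
    bits = access_bits(blocks[3])
    return {
        "serial": blocks[0][:4].hex(),
        "gpb": gpb_flags(blocks[3][9]),
        "aids": mad_aids(blocks[1], blocks[2]),
        "data_access": [(c, DATA_ACCESS[c]) for c in bits[:3]],
        "trailer_bits": bits[3],
    }
```

Running `decode_sector0(SECTOR0_HEX)` reproduces the values in the listing: serial 7ef11d7f, DA/MA set with ADV 1, AIDs 0x0004 and 0x0015 for sectors 1 and 2, and access bits 010/100/100/011 for the four blocks.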

The only other information about the Mifare Classic format is on the mfcuk wiki, but it doesn't really explain MAD.

Last year we had a podcast about RFID in Croatian, so if you want to learn more take a look!