Fixing a bricked Mifare Classic 1K RFID card

One of the most frustrating things that can happen when you write an RFID card is to brick it, e.g. by overwriting the trailer block with inconsistent values.

A 1KB Mifare Classic card has 16 sectors of 4 blocks with 16 bytes per block (64 blocks at 16 bytes).

The trailer block is the last block of each sector, so from the 1KB of capacity we must subtract 16 bytes for the first block (where the identifier is) and the 16 trailer blocks (blocks 3, 7, 11, 15, ..., 59 and 63).

The trailer block is where keys A and B, which control access to the remaining blocks of the sector, are stored, as well as the access bits.

It essentially indicates what is readable and writable and which password is needed to do so.

So the effective capacity is: (64 blocks - 16 trailer - 1 header) * 16 bytes = 752 usable bytes.

0 E9D517B49F0804006263646566676869
1 00000000000000000000000000000000
2 00000000000000000000000000000000
3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF ← trailer block
4 00000000000000000000000000000000
5 00000000000000000000000000000000
6 00000000000000000000000000000000
7 FFFFFFFFFFFFFF078069FFFFFFFFFFFF ← trailer block
...
60 00000000000000000000000000000000
61 00000000000000000000000000000000
62 00000000000000000000000000000000
63 FFFFFFFFFFFFFF078069FFFFFFFFFFFF ← trailer block

Therefore, when we write the trailer block with an invalid value (especially the access bits), we can consider the whole sector lost, and we have just turned our magnificent RFID card into a useless piece of plastic.
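
Why an inconsistent trailer is fatal, as an added example (not part of the original post or of mfrc522cli): on the Mifare Classic, trailer bytes 6 to 8 store each access bit together with an inverted copy, and a sector whose copies disagree is blocked. The helper names below are hypothetical, and the two rejected samples are constructed; the check is meant to run on a trailer value before it is ever written.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

static int nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

// Decode 32 hex characters into a 16-byte block; false on bad length or digit.
bool parse_block(const char *hex, uint8_t out[16]) {
    if (std::strlen(hex) != 32) return false;
    for (int i = 0; i < 16; i++) {
        int hi = nibble(hex[2 * i]), lo = nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return false;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}

// Trailer bytes 6..8 carry C1, C2, C3 (one bit per block) and inverted copies.
// Returns C1 | C2<<4 | C3<<8, or -1 when a copy disagrees with its inverse.
int access_bits(const uint8_t t[16]) {
    int c1 = t[7] >> 4, c2 = t[8] & 0x0F, c3 = t[8] >> 4;
    int n1 = t[6] & 0x0F, n2 = t[6] >> 4, n3 = t[7] & 0x0F;
    if ((c1 ^ n1) != 0x0F || (c2 ^ n2) != 0x0F || (c3 ^ n3) != 0x0F) return -1;
    return c1 | (c2 << 4) | (c3 << 8);
}

// Gate to call before any trailer write: well-formed hex and consistent bits.
bool trailer_is_safe(const char *hex) {
    uint8_t t[16];
    return parse_block(hex, t) && access_bits(t) >= 0;
}

int main() {
    const char *samples[] = {
        "FFFFFFFFFFFFFF078069FFFFFFFFFFFF", // trailer value shown on this page
        "FFFFFFFFFFFFFF070069FFFFFFFFFFFF", // constructed: C3 no longer matches its inverse
        "00000000000000000000000000000000", // constructed: all-zero block
    };
    for (const char *s : samples)
        std::printf("%s -> %s\n", s, trailer_is_safe(s) ? "consistent" : "REJECT");
    return 0;
}
```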

There is no human way to recover it... or is there?

There is a type of RFID card with a changeable UID, also known as "magic cards" or "Chinese RFID cards", that is often used to make an exact duplicate of another card, including the identifier (block 0).

They are identical on the outside, but have the peculiarity that a set of commands from the reader/writer enables a privileged mode with full access.

This means that we have access to ALL the blocks regardless of whether or not we have the access keys to the sector in question. In this mode we can therefore write any block, including block zero, where the UID card identifier is located.


So if we have such a card, all is not lost: we can write block zero or the trailer blocks with the appropriate values to recover it.

This is what we need:

  • The card to recover (at the moment only the 1k Mifare Classic is supported). If your card is not "magic" this procedure will not work.
  • A Wemos D1 mini (ESP8266 based), Arduino or equivalent.
  • An MFRC522 reader/writer and connecting cables.
  • The mfrc522cli software.


This program can repair block zero and can also restore the trailer blocks of the 16 sectors of a Mifare Classic 1k card to a value suitable for reuse:

«FFFFFFFFFFFFFF078069FFFFFFFFFFFF»

With this value, the access keys A and B for all blocks will remain «FFFFFFFFFFFF».

The procedure is very simple.

Once we have loaded the sketch onto our Arduino variant and connected the MFRC522 correctly as shown in the following image:

We have to run these commands through the serial port of the Arduino editor:

fix start
fix trailer

Bring the card close and in 1 or 2 seconds the "OK" message will appear.
Now we can stop the repair process with:

fix stop

Otherwise it will repeat the same process every time a card is brought close to the reader/writer.

With all this, the card will be repaired.