
NDEF Detection and Access – MIFARE Classic & MIFARE Plus tags

NDEF Detection and Access #

This chapter describes how NDEF data (e.g. NDEF Message) will be stored and accessed in the MIFARE Classic and MIFARE Plus tags.

The NDEF message that this application note manages inside a MIFARE Classic or MIFARE Plus tag is stored inside an NDEF Message TLV called the mandatory NDEF Message TLV or first NDEF Message TLV. The mandatory NDEF Message TLV is also the NDEF Message TLV found by the NDEF Detection Procedure (see section 1.4.1).

NDEF Management #

To detect and access NDEF data (e.g. NDEF Message) inside the MIFARE Classic and MIFARE Plus tag the MAD will be used together with the GPB of the NFC Sectors.

An application identifier (AID) of the MAD, called NFC AID, has been reserved to identify sectors with NDEF data. A sector with NDEF data is called NFC Sector. The two fields of the NFC AID are set as follows:

  • the function cluster code is equal to E1h to identify the cluster of sectors with NDEF data, and
  • the application code is equal to 03h to identify the NFC Sector that this application note is related to.

One or more NFC Sectors MAY be present inside a MIFARE Classic 1k/4k tag.

If more than one NFC Sector is present, the NFC Sectors will be contiguous. In the case of MIFARE Classic 4k or MIFARE Plus with 4 Kbytes, a sequence of NFC Sectors that includes the MAD sector 16 is still considered contiguous.

Examples of contiguous NFC Sectors are:

  • NFC Sectors from sector 2 to sector 3, and
  • NFC Sectors from sector 1 to sector 39. In this case the MAD sector 16 is contained but, as defined above, the NFC Sectors are still considered contiguous.

An example of non-contiguous NFC Sectors is:

  • sector 3 and sector 5 without sector 4 are NFC Sectors. In this case, sector 4 is not an NFC Sector, so the two remaining NFC Sectors are not contiguous.

The NDEF data will be written starting from the NFC Sector with the smallest sector number to the biggest one.

The General Purpose Byte (GPB, see section 2.1 and section 2.3) of each NFC Sector provides information about the version number of the mapping model used to store the NDEF data into the MIFARE Classic and MIFARE Plus (see section 1.1.1) and the write access of the NFC Sectors. GPB will be coded as described in Table 1.

Table 1. General Purpose Byte structure

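| Bits | Field group | Field |
|---|---|---|
| Bit 7-6 (msb) | Mapping version number | Major version number |
| Bit 5-4 | Mapping version number | Minor version number |
| Bit 3-2 | Access conditions | Read access condition |
| Bit 1-0 (lsb) | Access conditions | Write access condition |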

The 4 least significant bits (lsb) of the GPB indicate the access conditions of the NFC Sector:

  • Bit 2-3 indicates the read access condition:
    • The value 00b indicates read access granted without any security.
    • The value 11b indicates no read access granted at all.
    • Any other value indicates that vendor security operations are required to grant read access i.e. proprietary.
  • Bit 0-1 indicates the write access condition:
    • The value 00b indicates write access granted without any security.
    • The value 11b indicates no write access granted at all.
    • Any other value indicates that vendor security operations are required to grant write access i.e. proprietary.

The 4 most significant bits (msb) indicate the mapping version number (see section 1.1.1):

  • Bit 7-6 (the 2 msb of the mapping version number field) indicates the major version number.
  • Bit 5-4 (the 2 lsb of mapping version number field) indicates the minor version number.

Inside a MIFARE Classic or MIFARE Plus tag, the NFC Sector(s) containing the mandatory NDEF Message TLV will be set with the read access condition equal to 00h and the write access condition equal to either 00b or 11b (see section 1.3).

The Reader device implementing this application note will manage MIFARE Classic and MIFARE Plus tags with the major version number equal to 01b and the minor version number equal to 00b i.e. mapping version 1.0.

Version Treating #

The GPB of the NFC Sectors contains the mapping version number of the applied mapping model of the MIFARE Classic 1k/4k or MIFARE Plus tag. The mapping version number is indicated with two numbers: major version number and minor version number.

The handling of the different major and minor version numbers of the MIFARE Classic or MIFARE Plus tag (called MSVNo) and the one implemented in the Reader device (called NFCDevVNo) is explained in the 4 cases of Table 12.

Table 12. Handling of the mapping document version numbers

| No | Version Number Case | Handling |
|---|---|---|
| 1 | Major NFCDevVNo is equal to major MSVNo, and minor NFCDevVNo is bigger than or equal to minor MSVNo | The Reader device will access the MIFARE Classic or MIFARE Plus tag and will use all features of the applied mapping document to this MIFARE Classic or MIFARE Plus tag. |
| 2 | If major NFCDevVNo is equal to major MSVNo, and minor NFCDevVNo is lower than minor MSVNo | Possibly not all features of the MIFARE Classic or MIFARE Plus tag can be accessed. The Reader device will use all its features and will access this MIFARE Classic or MIFARE Plus tag. |
| 3 | If major NFCDevVNo is smaller than major MSVNo | Incompatible data format. The Reader device cannot understand the MIFARE Classic or MIFARE Plus tag data. The Reader device will reject this MIFARE Classic or MIFARE Plus tag. |
| 4 | If major NFCDevVNo is bigger than major MSVNo | The Reader device might implement the support for previous versions of this specification in addition to its main version. In case the Reader device has the support from the previous version, it will access the MIFARE Classic or MIFARE Plus tag. On the contrary, in case the Reader device has no support from the previous version, it will reject the MIFARE Classic or MIFARE Plus tag. |

NDEF Storage #

The data format of the NDEF Message is defined in [NDEF]. The NDEF Message will be stored inside the value field of the NDEF Message TLV (see section 2.6.1) using one or more NFC Sectors. NFC Sectors are identified by the NFC AID in the MAD sector(s).

Life Cycle #

The NFC Sectors of a MIFARE Classic or MIFARE Plus tag MAY be in one of the following states: INITIALISED, READ/WRITE, or READ-ONLY. The NFC Sectors will be in only one state at a specific moment in time. The state will be reflected by the content of the NFC Sectors. The state is not related to a single NFC Sector but to all NFC Sectors together. The states are described in the following sections.

If the MIFARE Classic or MIFARE Plus tag contains only NFC Sectors, the state of the NFC Sectors is called the state of the MIFARE Classic or MIFARE Plus tag. In the description below, the state of the MIFARE Classic or MIFARE Plus tag is treated as equal to the state of the NFC Sectors.

Every state has its valid operations called transitions or state changes. The state transitions are only relevant for reader devices, which are capable of writing MIFARE Classic or MIFARE Plus tags.

The different states are identified by comparing the GPB of the NFC Sector where the mandatory NDEF Message TLV starts, and the fields of the mandatory NDEF Message TLV. Note that the access bits of the sector trailer described in section 2.5 are not used in this application note to identify the specific state.

If the MIFARE Classic or MIFARE Plus tag is not in a valid state according to this application note, the NDEF data of the MIFARE Classic or MIFARE Plus tag in all NFC Sectors will be ignored. The reasons MAY be:

  • Non-contiguous NFC Sectors.
  • No NFC Sectors are present inside the tag i.e. no sectors are indicated by the MAD using the NFC AID.
  • A mismatch between the overall TLV block length and the actual length of the data area.
  • Invalid TLV block.

INITIALISED State #

A MIFARE Classic or MIFARE Plus tag will be detected in the INITIALISED state when:

  • the GPB is set as described in section 1.1, in particular with bit 0-1 equal to 00b and bit 2-3 equal to 00b (read and write access granted),
  • the NFC Sector(s) contains one NDEF Message TLV (the mandatory one), and
  • the length field of the mandatory NDEF Message TLV is equal to 00h.

In the INITIALISED state the NFC device MAY modify the content of the mandatory NDEF Message TLV writing an NDEF Message in it. Annex D in chapter 10, Annex E in chapter 0, and Annex F in chapter 12 show two examples of respectively MIFARE Classic 1k, MIFARE Plus with 2 Kbytes, and MIFARE Classic 4k or MIFARE Plus with 4 Kbytes all in the INITIALISED state.

READ/WRITE State #

A MIFARE Classic or MIFARE Plus tag will be detected in the READ/WRITE state when:

  • the GPB is set as described in section 1.1, in particular with bit 0-1 equal to 00b and bit 2-3 equal to 00b (read and write access granted),
  • the mandatory NDEF Message TLV is present in the NFC Sector(s), and
  • the length field of the mandatory NDEF Message TLV is different from zero.

The READ/WRITE state will be reached via the INITIALISED state. In this state, the NFC device MAY modify the content of the mandatory NDEF Message TLV writing an NDEF Message in it.

READ-ONLY State #

A MIFARE Classic or MIFARE Plus tag will be detected in the READ-ONLY state when:

  • the GPB is set as described in section 1.1, in particular with bit 0-1 equal to 11b and bit 2-3 equal to 00b (no write access is granted, only read access is granted),
  • the mandatory NDEF Message TLV is present in the NFC Sector(s), and
  • the length field of the mandatory NDEF Message TLV will be different from zero.

In the READ-ONLY state, all NFC Sectors have read-only access granted. The MIFARE Classic or MIFARE Plus tag remains in a READ-ONLY state for the remaining life cycle.
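The GPB layout of Table 1, the version rules of Table 12 and the three state definitions above can be combined into one decision function. The following Python code is an added example, not code from the application note; all function names are hypothetical, and reporting a write-protected GPB with an empty TLV as invalid is an assumption drawn from the fact that none of the three states matches it.

```python
from typing import NamedTuple, Optional, Tuple

READER_MAJOR, READER_MINOR = 0b01, 0b00   # NFCDevVNo: mapping version 1.0

class GPB(NamedTuple):
    major: int   # bit 7-6
    minor: int   # bit 5-4
    read: int    # bit 3-2
    write: int   # bit 1-0

def decode_gpb(gpb: int) -> GPB:
    if not 0 <= gpb <= 0xFF:
        raise ValueError("the GPB is a single byte")
    return GPB(gpb >> 6, (gpb >> 4) & 0b11, (gpb >> 2) & 0b11, gpb & 0b11)

def version_case(g: GPB, supports_older_major: bool = False) -> Tuple[int, bool]:
    """Return (case number of Table 12, whether the reader accesses the tag)."""
    if READER_MAJOR == g.major:
        return (1, True) if READER_MINOR >= g.minor else (2, True)
    if READER_MAJOR < g.major:
        return (3, False)                  # incompatible data format
    return (4, supports_older_major)       # depends on legacy support

def is_proprietary(g: GPB) -> bool:
    """Read access other than 00b, or write access other than 00b/11b."""
    return g.read != 0b00 or g.write not in (0b00, 0b11)

def lifecycle_state(gpb: int, ndef_tlv_length: Optional[int]) -> str:
    """ndef_tlv_length is None when no mandatory NDEF Message TLV was found."""
    g = decode_gpb(gpb)
    _, accepted = version_case(g)
    if not accepted or is_proprietary(g) or ndef_tlv_length is None:
        return "INVALID"
    if g.write == 0b00:
        return "INITIALISED" if ndef_tlv_length == 0 else "READ/WRITE"
    # write == 11b: READ-ONLY requires a non-empty TLV (assumption: else invalid)
    return "READ-ONLY" if ndef_tlv_length != 0 else "INVALID"
```

The state comes only from the GPB and the TLV length field, as the text specifies, so a reader that relies on this value for a write decision is trusting data stored on the tag rather than the sector trailer access bits.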

Command Sequence Description #

In this section, several procedures are described to manage NDEF data e.g. the mandatory NDEF Message TLV inside the NFC Sector(s). The different state changes or transitions between the states of the MIFARE Classic or MIFARE Plus tag are shown in detail as well.

Each involved sector in the procedures will be authenticated using the Authentication operation before reading or writing it. The public key A will be selected based on the sector type i.e. MAD sector or NFC Sector.

NDEF Detection Procedure #

The NDEF Detection Procedure will be used to detect the mandatory NDEF Message (see [NDEF]) inside a MIFARE Classic or MIFARE Plus tag.

The NDEF Detection Procedure is based on the check of:

  • the MAD sector(s),
  • the NFC Sector(s), and
  • the mandatory NDEF Message TLV that contains the NDEF Message.

As already mentioned the NDEF Message TLV found by the NDEF Detection Procedure is called mandatory NDEF Message TLV or first NDEF Message TLV. When the MIFARE Classic or MIFARE Plus is in the READ/WRITE or READ-ONLY state, this NDEF Message TLV contains an NDEF Message. In the INITIALISED state the NDEF Message TLV is empty.

[Figure: NDEF graph]

(1) After an Authentication or a Read operation fails, the MIFARE Classic or MIFARE Plus does not respond anymore to any commands and it needs to be re-activated and selected to continue the NDEF Detection Procedure.

To execute the NDEF Detection Procedure the Reader device (or NFC device) will perform the following operations (see also Fig 6) on the MIFARE Classic or MIFARE Plus:

  1. Check the existence of the MAD sector(s).
  2. Authenticate and Read the MAD sector(s): sector 0 for MAD1, or sector 0 and 16 for MAD2 using the Read operation.
  3. If inside the MAD one or more AID(s) equal to the NFC AID related to one or more contiguous sector(s) are found, then go to item 4. Otherwise, no NFC AID has been detected in the MIFARE Classic or MIFARE Plus tag, and the MIFARE Classic or MIFARE Plus tag is not in a valid state.
  4. For each NFC Sector, perform the following operations starting from the smallest sector number to the highest one:
    a. Authenticate and read the sector trailer of the NFC Sector using the public key A for NFC Sectors (see Table 6).
    b. If the authentication and the read operations are successful, check the sector trailer of the NFC Sector. Otherwise, if the authentication or the read operation fails, a proprietary NFC Sector (see description of the NFC Sector below) is found; go to item f.
    c. If bits 4-7 of the GPB describe the right version number according to the rules defined above, then go to item d. Otherwise, stop the procedure because the MIFARE Classic or MIFARE Plus tag is not in a valid state.
    d. If the read access condition field (bit 2-3) value of the GPB is equal to 00b and the write access condition field (bit 0-1) value of the GPB is equal to either 00b or 11b, read the data blocks of the relative NFC Sector using the Read operation specified in section 5.1.3, look for NDEF Message TLVs, and go to item e. Otherwise, if the read access field value of the GPB is different from 00h or the write access condition field (bit 0-1) value of the GPB is different from 00b and 11b, a proprietary NFC Sector (see description of the NFC Sector below) is found; go to item f.
    e. If an NDEF Message TLV is found, this is the mandatory NDEF Message TLV (i.e. the first one); go to item 5. Otherwise, if no NDEF Message TLV is found, go to item f.
    f. If available, check the next NFC Sector and go to item a. Otherwise, if no more NFC Sectors are available, stop the procedure because no NDEF Message TLV is found. The MIFARE Classic or MIFARE Plus tag is not in a valid state.
  5. If the length field of the mandatory NDEF Message TLV is different from zero, the NDEF Message (see [NDEF]) is detected in the MIFARE Classic or MIFARE Plus tag and the Reader device MAY use the NDEF Read Procedure or the NDEF Write Procedure. If the length field is equal to zero, no NDEF Message is detected in the MIFARE Classic or MIFARE Plus tag and the Reader device MAY use the NDEF Write Procedure (the tag might be in INITIALISED state).

The NDEF Detection Procedure does not check that the NDEF Message is valid. It reads the NDEF Message length from the length field of the NDEF Message TLV but does not parse the NDEF Message.

The Reader device will ignore and jump over the proprietary NFC Sectors. The proprietary NFC Sector is defined as an NFC Sector for which any of the following holds: it is non-authenticable with the public key A for NFC Sectors, the read access field value of the GPB is different from 00b, or the write access condition field (bit 0-1) value of the GPB is different from 00b and 11b.

Each time an Authentication operation, a Read operation, or a Write operation fails, the MIFARE Classic or MIFARE Plus remains silent and does not respond anymore to any commands. In this situation to continue the NDEF Detection Procedure, the MIFARE Classic or MIFARE Plus needs to be re-activated and selected.
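The detection steps above, run against an in-memory model of a tag, show where each "not in a valid state" outcome arises. This Python code is an added example, not code from the application note. It assumes the TLV tag values 00h (NULL), 03h (NDEF Message) and FEh (Terminator) and the FFh-prefixed three-byte length format, which are not listed on this page, and it concatenates the data of the non-proprietary NFC Sectors into one area so that the returned offset is relative to that area; all names are hypothetical.

```python
NFC_AID = (0xE1, 0x03)   # (function cluster code, application code)
T_NULL, T_NDEF, T_TERMINATOR = 0x00, 0x03, 0xFE   # assumed TLV tag values

class InvalidTag(Exception):
    """Tag is not in a valid state: NDEF data in all NFC Sectors is ignored."""

def nfc_sectors(mad):
    """Sorted sectors that the MAD marks with the NFC AID, checked for contiguity."""
    found = sorted(s for s, aid in mad.items() if aid == NFC_AID)
    if not found:
        raise InvalidTag("no NFC AID in the MAD")
    for prev, cur in zip(found, found[1:]):
        # The only gap allowed is MAD sector 16 on 4 Kbyte tags.
        if cur - prev != 1 and (prev, cur) != (15, 17):
            raise InvalidTag(f"non-contiguous NFC Sectors {prev} and {cur}")
    return found

def find_ndef_tlv(area):
    """Return (offset, length) of the first NDEF Message TLV, or None."""
    i = 0
    while i < len(area):
        tag = area[i]
        if tag == T_NULL:                  # one-byte filler, no length field
            i += 1
            continue
        if tag == T_TERMINATOR:
            return None
        if i + 1 >= len(area):
            raise InvalidTag("TLV truncated before its length field")
        length, header = area[i + 1], 2
        if length == 0xFF:                 # three-byte length: FFh + 2 bytes
            if i + 3 >= len(area):
                raise InvalidTag("truncated three-byte length field")
            length, header = int.from_bytes(area[i + 2:i + 4], "big"), 4
        if i + header + length > len(area):
            raise InvalidTag("TLV length exceeds the data area")
        if tag == T_NDEF:
            return i, length
        i += header + length
    return None

def detect(mad, sectors):
    """sectors: sector number -> (GPB, data bytes), or None when authentication
    or reading with the public key A failed. Returns (offset, length)."""
    area = b""
    for s in nfc_sectors(mad):
        entry = sectors.get(s)
        if entry is None:
            continue                       # item b: proprietary, skip
        gpb, data = entry
        if gpb >> 6 != 0b01:               # item c: reader without legacy support
            raise InvalidTag(f"sector {s}: unsupported mapping version")
        if (gpb >> 2) & 3 != 0 or (gpb & 3) not in (0, 3):
            continue                       # item d: proprietary, skip
        area += data
    hit = find_ndef_tlv(area)
    if hit is None:
        raise InvalidTag("no NDEF Message TLV found")
    return hit
```

The bounds check on the length field is the part a reader implementation most needs: the length comes from the tag, so it must be compared with the real data area before any read is sized from it.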

NDEF Read Procedure #

The NDEF Read Procedure is used by the Reader device to read the NDEF Message from the mandatory NDEF Message TLV. Before reading the NDEF Message the NDEF Detection Procedure will be executed, and the MIFARE Classic or MIFARE Plus tag will be in a valid state.

Using the NDEF Read Procedure the Reader device will read the whole NDEF Message from the mandatory NDEF Message TLV using one or more read operations. The length of the NDEF message to be read is provided from the length field of the mandatory NDEF Message TLV.

If the mandatory NDEF Message TLV is stored in one or more NFC Sectors, the Reader device will be able to authenticate all these sectors with the Public Key A for NFC Sectors (see Table 6). In case the authentication procedure fails the MIFARE Classic or MIFARE Plus tag is not in a valid state.

NDEF Write Procedure #

The NDEF Write Procedure will be used by the Reader device to write the mandatory NDEF Message TLV containing an NDEF Message inside a MIFARE Classic or MIFARE Plus tag.

The NDEF Write Procedure uses the Read and Write operations (see section 5.1.3 and section 5.1.4).

To write the NDEF Message the MIFARE Classic or MIFARE Plus tag will be in INITIALISED or READ/WRITE state i.e. the mandatory NDEF Message TLV will be already present inside the MIFARE Classic or MIFARE Plus tag.

[Figure: NDEF write procedure]

To execute the NDEF Write Procedure, the Reader device will do the following operations on the MIFARE Classic or MIFARE Plus tag:

  1. Use the NDEF Detection Procedure (see section 1.4.1) to find the mandatory NDEF Message TLV. If the mandatory NDEF Message TLV is found go to item 2. Otherwise, if no NDEF Message TLV is found, end the procedure.
  2. If the available memory size for the NDEF Message TLV is equal to or bigger than the NDEF Message size, the operations below will be done in the following order using one or more Write operations:
    a. the length field of the mandatory NDEF Message TLV will be one byte long and its value will be set to 00h,
    b. the new NDEF Message will be written in the value field of the mandatory NDEF Message TLV, and
    c. the length field of the mandatory NDEF Message TLV will be updated with the length of the NDEF Message.

     Otherwise if not enough memory space is available in the MIFARE Classic or MIFARE Plus tag, the NDEF Message will NOT be written in the MIFARE Classic or MIFARE Plus tag.

  3. If item 2 is done successfully, the Reader device will write the Terminator TLV in the next byte after the NDEF Message TLV using the Write operation. The Terminator TLV will NOT be written when the mandatory NDEF Message TLV ends at the last byte of the last available NFC Sector i.e. the NFC Sector with the biggest sector number.

Concerning operation item 2.b, the writing of the value field of the found NDEF Message TLV will leave 1 or 3 bytes for the length field that is needed by the next operation item 2.c to store the length of the NDEF Message.

The NDEF Write Procedure does not change the starting position of the mandatory NDEF Message TLV.

The NDEF Write Procedure MAY write the NDEF Message TLV across contiguous NFC Sectors except MAD sector 16 in case MIFARE Classic 4k and MIFARE Plus with 4 Kbytes are used.

The available memory size for the mandatory NDEF Message TLV is calculated from the position of the mandatory NDEF Message TLV as the sum of:

  • the free memory space of the NFC Sector containing the mandatory NDEF Message TLV. The free memory space starts from the beginning of the mandatory NDEF Message TLV and finishes at the end of the NFC Sector, and
  • the whole memory space of the NFC Sectors following the sector containing the mandatory NDEF Message TLV. The following NFC Sectors MAY have a size of 48 bytes (3 blocks) or 240 bytes (15 blocks). The information about the following available NFC Sectors will be retrieved from the MAD sectors.

Before a Write operation, a block that will be only partially updated needs to be read first, e.g. when the NDEF Message TLV starts in the middle of a block.
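The write order of items 2.a to 2.c and the Terminator TLV rule of item 3 are shown below on a byte array that stands for the data area of the NFC Sectors. This Python code is an added example, not code from the application note; it assumes the TLV tag values 03h and FEh and the three-byte length format FFh plus two bytes, which this page does not list, and the function name is hypothetical.

```python
T_NDEF, T_TERMINATOR = 0x03, 0xFE    # assumed TLV tag values

def write_ndef(area: bytearray, tlv_offset: int, message: bytes):
    """Rewrite the mandatory NDEF Message TLV in place.

    area is the data area of all NFC Sectors; tlv_offset is the position
    found by the NDEF Detection Procedure. Returns the ordered list of
    (offset, bytes) writes that were applied."""
    if area[tlv_offset] != T_NDEF:
        raise ValueError("no NDEF Message TLV at this offset")
    # One-byte length for 00h..FEh, otherwise FFh followed by two bytes.
    len_size = 1 if len(message) < 0xFF else 3
    end = tlv_offset + 1 + len_size + len(message)
    # Available memory runs from the TLV start to the end of the last sector.
    if len(message) > 0xFFFE or end > len(area):
        raise ValueError("not enough memory: NDEF Message NOT written")
    if len_size == 1:
        length_field = bytes([len(message)])
    else:
        length_field = b"\xFF" + len(message).to_bytes(2, "big")
    steps = [
        (tlv_offset + 1, b"\x00"),                  # 2.a: length = 00h
        (tlv_offset + 1 + len_size, message),       # 2.b: value, room left for length
        (tlv_offset + 1, length_field),             # 2.c: final length
    ]
    if end < len(area):                             # 3: skip at the very last byte
        steps.append((end, bytes([T_TERMINATOR])))
    for offset, chunk in steps:
        area[offset:offset + len(chunk)] = chunk
    return steps
```

Because the length field is zeroed first, a write interrupted during item 2.b leaves an empty TLV rather than an old length that points into partly overwritten data.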

State Changes #

This section describes the possible state changes of the MIFARE Classic or MIFARE Plus tag. Fig 8 shows the states and the state change (also called transition) between them. In this application note, the only specified transition is from INITIALISED to READ/WRITE.

The Reader device MAY issue a MIFARE Classic or MIFARE Plus tag in the INITIALISED state, READ/WRITE state, or even in a READ-ONLY state.

[Figure: life cycle transaction]

The transition from INITIALISED to READ/WRITE #

To perform the transition from INITIALISED to READ/WRITE the Reader device will do the following operation: a non-empty NDEF Message TLV (length field different from zero) will replace the previous empty NDEF Message TLV using the NDEF Write Procedure. The NDEF Message TLV is the mandatory one detected utilizing the NDEF Detection Procedure.

The empty NDEF Message MAY be used to replace a non-empty NDEF Message.