Recover sector in Mifare Classic 1k with overwritten permission bits
I have mistakenly overwritten sector 1 block 7 of one of my Mifare classic 1k tags. It was meant for testing and the 16 byte data that I wrote on block 7 is shown below:

0xaa 0xaa 0xaa 0xaa 
0xbb 0xbb 0xbb 0xbb
0xcc 0xcc 0xcc 0xcc  
0xdd 0xdd 0xdd 0xdd

If I am not mistaken, by doing so, my access keys and permission bits have become the following:

  • Key-A: 0xaa 0xaa 0xaa 0xaa 0xbb 0xbb
  • Key-B: 0xcc 0xcc 0xdd 0xdd 0xdd 0xdd
  • Permission Bits: 0xbb 0xbb 0xcc

I have tried to use Key-A and Key-B as shown above to read/write block 7 in sector 1. But I am no longer able to access (neither read nor write) any block in sector 1.

I know the keys to all other sectors (e.g. sector 0 and sectors 2-15) and am able to access them.

Considering the situation, I would like to know if there is any way to reset sector 1 or block 7 to regain my access. Many thanks.

Update:

I have confirmed that both Key-A and Key-B as shown above are correct and I can authenticate to the card with both of them. Also, as per the Mifare Classic specification (screenshot), my access bits are as follows:

Byte 6 = 0xbb = 0b10111011
--------------------------
C2_3 C2_2 C2_1 C2_0 C1_3 C1_2 C1_1 C1_0
  1    1    0    1    1    1    0    1

Byte 7 = 0xbb = 0b10111011
--------------------------
C1_3 C1_2 C1_1 C1_0 C3_3 C3_2 C3_1 C3_0
  1    1    0    1    1    1    0    1

Now, considering the specification/screenshot, C1_3, C2_3 and C3_3 bits enable read/write access to sector-trailer. In my case, for block 7 (trailer for sector 7) they are all set to 1. Should I not have write access to this block then?

Hereafter answered 31/1, 2013 at 21:23 Comment(0)
The Mifare Classic specification you linked says:

Remark: With each memory access the internal logic verifies the format of the access conditions. If it detects a format violation the whole sector is irreversibly blocked.

Your access bytes do not verify the format. In the following table, ~ means inverted:

Byte 6 
--------------------------
~C2_3 ~C2_2 ~C2_1 ~C2_0 ~C1_3 ~C1_2 ~C1_1 ~C1_0
  1     0     1     1     1     0     1     1

Byte 7 
--------------------------
 C1_3  C1_2  C1_1  C1_0 ~C3_3 ~C3_2 ~C3_1 ~C3_0
   1     0     1     1     1     0     1     1

Byte 8 
--------------------------
 C3_3  C3_2  C3_1  C3_0  C2_3  C2_2  C2_1  C2_0
   1     1     0     0     1     1     0     0

So, for instance, C2_3 = 1 and ~C2_3 = 1. They are not complementary. Format not verified, sector is irreversibly blocked.

In the same document there is a table (table 7) that shows that keyA can always be read. Maybe this is the reason you can authenticate.

Orangewood answered 29/8, 2013 at 20:46 Comment(1)
Thanks. I already concluded so. Your answer makes it clearer. - Hereafter
Once the Access Control bits are not configured correctly (for example, bits that are supposed to be each other's complement are not complementary, like in your case), the sector cannot be accessed anymore at all.

Charmine answered 2/2, 2013 at 19:34 Comment(0)
Given your access bits equate to [ 1 1 1 ], this means you have set the sector to never allow keyA to be rewritten, never allow keyB to be rewritten, and never allow the access bits to be rewritten. The only operation allowed is that the access bits can be read using keyA to authenticate (which in this case you know). Blocks 6, 5, 4 are set to [011], [100], [100] respectively. This combination theoretically allows you to write to blocks 6, 5, and 4 using keyB. However BB BB CC is an invalid ACB format, and for the ACBs given you should have written 34 B3 CC. Nevertheless, setting the trailer block to 111 disables writing to that sector forever, and is not something you would typically ever want to do with a re-writable card.

Casseycassi answered 24/11, 2023 at 7:2 Comment(1)
Thanks @Chillywinter. This was something I worked on about 10 years ago :-), and I always had a similar hunch, but your answer clarifies a lot of things. I appreciate it. Thank you! - Hereafter
