Is it possible to simulate a Topaz bin file dump with the Proxmark? Is it the same as for amiibo? Thank you in advance.

Best regards

hf felica reader
hf felica raw
hf list raw
pm3 --> hf felica reader
FeliCa Card found
IDm 01 2B 07 01 5C 16 AF 01
- CODE 01 2B
- NFCUID1 07 01 5C 16 AF 01
PMm 01 20 22 04 27 67 4E FF
- IC CODE 01 20
- MRT 22 04 27 67 4E FF
SERVICE CODE B8 A5
pm3 --> hf list raw
Recorded Activity (TraceLen = 313 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 6784 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
273792 | 292224 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
547584 | 577664 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
821376 | 863104 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
1095168 | 1148544 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
1368960 | 1433984 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
1642752 | 1653888 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
1916544 | 1939328 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
2190336 | 2224768 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
2464128 | 2510208 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
2737920 | 2795648 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
3011712 | 3015552 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
3285504 | 3300992 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
3559296 | 3586432 | Rdr |b2 4d 06 00 ff ff 00 00 09 21 | |
3570956 | 3573076 | Tag |b2! 4d! 12! 01 01 2b! 07 01 5c! 16 af! 01 01 20 22! 04 | |
| | |27! 67 4e! ff! b8! a5! | |
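Added example (not part of the original post or of the Proxmark client): a small Python parser for the two raw frames in the trace above. It assumes the usual FeliCa framing of sync code b2 4d, a length byte, the payload, and a CRC-16 (polynomial 0x1021, initial value 0) over length and payload; the function and field names are illustrative.

```python
SYNC = bytes.fromhex("b24d")

def crc16_felica(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, initial value 0, MSB first (no reflection)."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def parse_frame(hexdump: str) -> dict:
    """Split sync | LEN | payload | CRC and decode polling request/response."""
    # The trace marks parity errors with '!'; drop the markers before decoding.
    raw = bytes.fromhex(hexdump.replace("!", ""))
    if len(raw) < 5 or raw[:2] != SYNC:
        raise ValueError("missing b2 4d sync code")
    length = raw[2]                          # LEN counts itself plus the payload
    body = raw[2:2 + length]
    if len(body) != length or len(raw) < 2 + length + 2:
        raise ValueError("truncated frame")
    crc = int.from_bytes(raw[2 + length:4 + length], "big")
    out = {"cmd": body[1], "crc": crc, "crc_ok": crc == crc16_felica(body)}
    if body[1] == 0x00 and length == 6:      # Polling request
        out.update(system_code=body[2:4].hex(),
                   request_code=body[4], time_slot=body[5])
    elif body[1] == 0x01 and length >= 18:   # Polling response
        out.update(idm=body[2:10].hex(), pmm=body[10:18].hex(),
                   request_data=body[18:].hex())  # empty unless requested
    return out

# Frames copied from the trace on this page (reader poll, then tag answer).
READER = "b2 4d 06 00 ff ff 00 00 09 21"
TAG = ("b2! 4d! 12! 01 01 2b! 07 01 5c! 16 af! 01 01 20 22! 04 "
       "27! 67 4e! ff! b8! a5!")

if __name__ == "__main__":
    for frame in (READER, TAG):
        print(parse_frame(frame))
```

For the tag frame the length byte 0x12 covers the response code, IDm and PMm only, and the trailing b8 a5 matches the CRC computed over those 18 bytes.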
Oh yes,
there are different types of Octopus card,
and it seems that some of the Octopus cards are now being phased out (because of not supporting the NFC function? or due to the low security?). Sony has not disclosed the commands to operate FeliCa with keys; it seems that it is so difficult to know them...
However, the Octopus card company allows the user to plug in the ACR122U to check the card balance and records.
Could this be the chance to learn how to read FeliCa with keys? http://www.octopus.com.hk/customer-service/octopus-pc-reader-service/en/index.html
I have captured some APDU commands through the checking and I am still trying to understand them (but it is very confusing... :( )
Not sure if anyone is interested.
https://wfe.oos.octopus-cards.com/agenda/oors/ocapvm-0.0.1.jar
https://wfe.oos.octopus-cards.com/agenda/oors/ocapclient-dvf.jar
Probably the most relevant files are these
package com.octopuscards.oos.client.card;

import java.util.Arrays;

// Value object: a detected card is its type plus the 8-byte manufacturer ID (IDm).
public class Card
{
    protected CardType type;
    protected byte[] manufacturerID;

    public Card(CardType type, byte[] mId)
    {
        this.type = type;
        this.manufacturerID = mId;
    }

    public CardType getType()
    {
        return this.type;
    }

    public void setType(CardType type)
    {
        this.type = type;
    }

    public byte[] getManufacturerID()
    {
        return this.manufacturerID;
    }

    public void setManufacturerID(byte[] manufacturerID)
    {
        this.manufacturerID = manufacturerID;
    }

    // Two cards are equal when both the type and the IDm bytes match.
    public boolean equals(Object card)
    {
        if ((Card.class.isInstance(card)) &&
            (((Card)card).getType() == this.type) &&
            (Arrays.equals(((Card)card).getManufacturerID(), this.manufacturerID))) {
            return true;
        }
        return false;
    }
}

package com.octopuscards.oos.client.card;

public class CardCommand
{
    // FeliCa templates: first byte is the frame length (counting itself),
    // second byte is the command code (0 = Polling, 2 = Request Service,
    // 4 = Request Response).
    public static final byte[] FELICA_SEAC_POLL = { 6, 0, 1, 1, 1, 1 };
    // Byte.MIN_VALUE is 0x80, so the two bytes after the command code are 80 08.
    public static final byte[] FELICA_DES_POLL = { 6, 0, Byte.MIN_VALUE, 8, 0, 1 };
    public static final byte[] MOBILE_SIM_POLL = { 0, -1, -1, 0, 0 };
    // Bytes 2..9 are an all-zero placeholder that is overwritten with the IDm.
    public static final byte[] FELICA_DES_REQSRV = { 13, 2, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1, -1 };
    public static final byte[] FELICA_DES_REQRSP = { 10, 4, 0, 0, 0, 0, 0, 0, 0, 0 };
    public static final byte[] TYPEA_POLL = new byte[0];
    public static final byte[] TYPEB_POLL = new byte[0];

    // Copy the Request Service template and insert the card's IDm at offset 2.
    public static byte[] getDESReqSrvCmd(byte[] idm)
    {
        byte[] reqsrv = new byte[FELICA_DES_REQSRV.length];
        System.arraycopy(FELICA_DES_REQSRV, 0, reqsrv, 0, reqsrv.length);
        System.arraycopy(idm, 0, reqsrv, 2, idm.length);
        return reqsrv;
    }

    // Copy the Request Response template and insert the card's IDm at offset 2.
    public static byte[] getDESReqRspCmd(byte[] idm)
    {
        byte[] reqRsp = new byte[FELICA_DES_REQRSP.length];
        System.arraycopy(FELICA_DES_REQRSP, 0, reqRsp, 0, reqRsp.length);
        System.arraycopy(idm, 0, reqRsp, 2, idm.length);
        return reqRsp;
    }
}

package com.octopuscards.oos.client.card;

public enum CardType
{
    DES(CardCommand.FELICA_DES_POLL, CardCommand.FELICA_DES_REQRSP),
    SEAC(CardCommand.FELICA_SEAC_POLL, CardCommand.FELICA_SEAC_POLL),
    MOBILE_SIM(CardCommand.MOBILE_SIM_POLL, CardCommand.MOBILE_SIM_POLL);

    private byte[] pollcmd;
    private byte[] reqRspCmd;

    public byte[] getPollcmd()
    {
        return this.pollcmd;
    }

    public void setPollcmd(byte[] pollcmd)
    {
        this.pollcmd = pollcmd;
    }

    private CardType(byte[] pollcmd, byte[] reqRspCmd)
    {
        this.pollcmd = pollcmd;
        this.reqRspCmd = reqRspCmd;
    }

    // Extract the 8-byte IDm from a poll response; returns null if it is too short.
    public byte[] getManufacturorID(byte[] pollResp)
    {
        try
        {
            // SEAC and DES: the IDm follows the length and response-code bytes.
            if ((this == SEAC) && (pollResp.length >= 10))
            {
                byte[] idm = new byte[8];
                System.arraycopy(pollResp, 2, idm, 0, 8);
                return idm;
            }
            if ((this == DES) && (pollResp.length >= 10))
            {
                byte[] idm = new byte[8];
                System.arraycopy(pollResp, 2, idm, 0, 8);
                return idm;
            }
            // MOBILE_SIM: the IDm starts at offset 1. A response of exactly
            // 8 bytes makes arraycopy throw; the catch below turns that into null.
            if ((this == MOBILE_SIM) && (pollResp.length >= 8))
            {
                byte[] idm = new byte[8];
                System.arraycopy(pollResp, 1, idm, 0, 8);
                return idm;
            }
            return null;
        }
        catch (RuntimeException e)
        {
            e.printStackTrace();
        }
        return null;
    }

    public byte[] getReqRspCmd()
    {
        return this.reqRspCmd;
    }

    public void setReqRspCmd(byte[] reqRspCmd)
    {
        this.reqRspCmd = reqRspCmd;
    }
}
I just (sadly) discovered that there is no support for FeliCa tags in the Proxmark, but I was surprised to see that my phone (Google Nexus 5, with NFC support) is totally able to read and interpret the data from the Suica card (Tokyo transportation) I got my hands on.
I am using a FOSS Android app called FareBot and the (Java...) source files related to the FeliCa support are available here: https://github.com/codebutler/farebot/tree/master/src/main/java/com/codebutler/farebot/card/felica.
The app is able to display the money available on the card, along with the last events (debit at stations or credit at ticket machines).
I guess nobody is working on it right now, but maybe this information could be useful if someone wants to write the FeliCa module

"FeliCa Lite-S" - the next generation "FeliCa Lite" is a product which will expand contactless applications in various new markets. It is planned to be released to the market next spring.
"FeliCa Lite" is a low cost IC chip with simple security and an optimized file system. The power-saving customized chip can support small design antennas, ideal for tags and stickers as well as ID1-size card products. The "FeliCa Lite-S" is compatible with Sony's first generation "FeliCa Lite", and furthermore, has an improved security function as well as smaller chip size therefore achieving better cost performance. The "FeliCa Lite-S" can be used for applications such as single journey and event ticketing, as well as membership, loyalty, gift, game and ID cards. In addition, the "FeliCa Lite-S" can be used for NFC Forum Type 3 Tag solution such as smart poster and handover connection in combination with NFC device.
FEATURES:
1 - New security-function in addition to "FeliCa Lite":
In addition to the "Read access control" function of "FeliCa Lite", "FeliCa Lite-S" has a "Write access control" function by adding a MAC*1 code in order to prevent any unauthorized access. The combination of data read with MAC code and data write with MAC code makes it possible to carry out streamlined mutual authentication.
*1: MAC - Message Authentication Code
2 - Compatibility with NFC Forum Type 3 Tag:
The "FeliCa Lite-S" supports Type 3 Tag operation, as defined by the NFC Forum. The chip can communicate with NFC smart phones and readers.
3 - Anti-broken transaction function and data integrity-check function:
"FeliCa Lite-S" has anti-broken transaction functionality in order to prevent incomplete data update. Even if data error occurs in the chip, as there is CRC data check code for every data block (16 byte), data error can be detected.
4 - Reusable existing FeliCa compatible products:
By adopting the same RF format and backward compatible command set to the existing FeliCa card products, FeliCa Lite-S can be used with the same reader and development infrastructure, for example FeliCa Port, NFC reader and SDK for NFC/FeliCa.
Original Documentation:
http://www.sony.net/Products/felica/bus … index.html
AUTHENTICATION SYSTEM, ITS METHOD, AUTHENTICATION DEVICE AND ITS METHOD
http://v3.espacenet.com/origdoc?DB=EPODOC&IDX=JP10327142&F=0&QPN=JP10327142
Unfortunately it is all in Japanese... the patent should be over, so maybe it can contain useful information.
If someone can upload them somewhere, make a copy of those files.

Here is the libpasori source: http://sourceforge.jp/projects/libpasori/releases/

Unfortunately it is missing all the NDA specifications.

1. Read/Writer generates the access key for mutual authentication. The access key requires area key and service key info. But the ATQC command only provides the area key version and service key version instead of the actual keys, so how can the Read/Writer know them?
2. The mutual authentication is encrypted by 3DES; what keys does the 3DES use on both sides? Since access key, challenge data 1 & 2 are only created after the authentication.
3. After the mutual authentication, are transaction messages encrypted by DES or 3DES?
Many thanks!!!

Currently I have one Octopus card. Now I need to get hold of the initiator data which is supplied to wake up a (corresponding) FeliCa tag.
It seems there are other products available on the internet which already support this kind of modulation. It would be very useful if someone is willing to post a communication trace made by such a product so we can integrate support for this in the Proxmark.
Thanks in advance, cheers,
Roel