Mathew McBride's website

Dumps of myki short term ticket cards

technology, nfc, myki | Tue 25 Sep 2012 11:22:39

In light of a recent demonstration of a 'replay' attack on MIFARE Ultralight cards, here is some further analysis.

Some years back I posted on the (now-defunct) forum that myki used DESFire and that the STTs (short term tickets) used Ultralight C (with 3DES encryption). The STTs are actually the plain Ultralight variety. (In fact, Ultralight C was only launched shortly before myki went live.)

Also, at that time, libnfc did not contain the code to differentiate between a normal Ultralight card and the 'C' variant.

The following data was generated using the libnfc and associated libfreefare toolkits.

How to generate using libnfc and libfreefare programs:
Check card type: mifare-ultralight-info
Dump card: nfc-mfultralight r /tmp/card.dump

UID 04 E0 72 F1 63 27 80
Tag with UID 04e072f1632780 is a Mifare UltraLight
04E0721E | F1632780 | 3548F000 | 0B91DB03C9B40400110B6B241E94B79A99DDED1C0CB9730CE80304077E064C63F93EDAD64D468908130002063CE8A81732CF6823

In page 3 (35 48 F0 00), the last two bytes, F0 and 00, are the lock bytes.
F0 indicates that the first four blocks are locked against further writes.

Tried writing card contents back:
nfc-mfultralight w /tmp/2780.tmp 
NFC device: Philips / USB TAMA opened
Found MIFARE Ultralight card with UID: 04e072f1632780
Write OTP bytes ? [yN] n
Write Lock bytes ? [yN] n
Writing 16 pages |ssssxxxx........|
Done, 8 of 16 pages written (4 pages skipped).

As expected, the 'x' indicates failure to write the four locked pages.
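
The lock-byte reading can be checked against the dump itself. The following is an added example, not part of the original post: it splits the first dump into 4-byte pages, verifies the UID check bytes, decodes the lock bits, and reproduces the status line from the write attempt. It numbers pages from 0 as the MIFARE Ultralight datasheet does (so the post's "Page 3" is page 2 here), and the function names are made up for this example.

```python
# Added example: decode the header pages of the first dump in the post.
# Pages are numbered from 0 here (datasheet convention).
DUMP_HEX = (  # card with UID 04e072f1632780, bytes copied from the post
    "04E0721E" "F1632780" "3548F000"
    "0B91DB03C9B40400110B6B241E94B79A99DDED1C0CB9730CE80304077E064C63"
    "F93EDAD64D468908130002063CE8A81732CF6823"
)

def parse_dump(hex_str):
    """Split a 64-byte Ultralight dump into 16 pages of 4 bytes."""
    raw = bytes.fromhex(hex_str)
    if len(raw) != 64:
        raise ValueError("expected 64 bytes, got %d" % len(raw))
    return [raw[i:i + 4] for i in range(0, 64, 4)]

def check_uid(pages):
    """Return (uid_hex, bcc_ok). 0x88 is the ISO 14443-3 cascade tag."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    bcc0 = 0x88 ^ p0[0] ^ p0[1] ^ p0[2]
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]
    return (p0[:3] + p1).hex(), (bcc0 == p0[3] and bcc1 == p2[0])

def locked_pages(pages):
    """Pages made read-only by the lock bytes (page 2, bytes 2 and 3)."""
    bits = pages[2][2] | (pages[2][3] << 8)
    # Bit n locks page n for n = 3..15; bits 0..2 freeze the lock bits themselves.
    return [n for n in range(3, 16) if bits & (1 << n)]

def expected_write_map(pages):
    """Model of the per-page status line printed by the write attempt in the
    post: 's' skipped (pages 0-3, OTP and lock writes declined), 'x' write
    refused because the page is locked, '.' written."""
    locked = set(locked_pages(pages))
    return "ssss" + "".join("x" if n in locked else "." for n in range(4, 16))

PAGES = parse_dump(DUMP_HEX)

if __name__ == "__main__":
    uid, ok = check_uid(PAGES)
    print("UID", uid, "check bytes", "OK" if ok else "BAD")
    print("locked pages:", locked_pages(PAGES))
    print("write map:  |%s|" % expected_write_map(PAGES))
```

The lock bits are one-way on this card type: once set they cannot be cleared, which is why the locked pages reject the write-back.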

UID 04 14 A3 FA 91 1F 80
Tag with UID 0414a3fa911f80 is a Mifare UltraLight

UID 04 86 C1 82 81 1D 80
Tag with UID 0487c182811d80 is a Mifare UltraLight

Bonus points if anyone can figure out the data format. Here is what the vending machine says about the last card:
Expires: August 19 2012 4:00pm
2 Hour
Full fare
Zone 4


(C) Mathew McBride, 2006-2017
Creative Commons License
Unless specified, the content on this website is licensed under a Creative Commons Attribution-ShareAlike 3.0 Australia License.