Dumps of myki short term ticket cards
In light of a recent demonstration of a 'replay' attack on MiFare Ultralight Cards, here is some further analysis.
Some years back I had posted on the (now-defunct) myki.org forum that myki used DESFire and the STTs Ultralight C (with 3DES encryption). The STTs are actually the plain Ultralight variety. (In fact, Ultralight C was only launched shortly before myki went live.)
Also, at that time, libnfc did not contain the code to differentiate between a normal Ultralight card and the 'C' variant.
How to generate, using the libnfc and libfreefare programs:

Check card type: mifare-ultralight-info
Dump card: nfc-mfultralight r /tmp/card.dump

UID 04 E0 72 F1 63 27 80

    Tag with UID 04e072f1632780 is a Mifare UltraLight
    04E0721E | F1632780 | 3548F000 | 0B91DB03C9B40400110B6B241E94B79A99DDED1C0CB9730CE80304077E064C63F93EDAD64D468908130002063CE8A81732CF6823

In page 3 (35 48 F0 00), the bytes F0 00 are the lock bytes. F0 indicates the first four blocks are locked out from further writes.

Tried writing card contents back:

    nfc-mfultralight w /tmp/2780.tmp
    NFC device: Philips / USB TAMA opened
    Found MIFARE Ultralight card with UID: 04e072f1632780
    Write OTP bytes ? [yN] n
    Write Lock bytes ? [yN] n
    Writing 16 pages |ssssxxxx........|
    Done, 8 of 16 pages written (4 pages skipped).

As expected, the 'x' indicates failure to write the four locked pages.

UID 04 14 A3 FA 91 1F 80

    Tag with UID 0414a3fa911f80 is a Mifare UltraLight
    0414A33BFA911F80F448F0004FEDD103C9B404001117122EBE7F6BEB861928C12C4ECC0A130004036475FA14F2540943983DCC0A1300020271C9E0A3143F50ED

UID 04 87 C1 82 81 1D 80

    Tag with UID 0487c182811d80 is a Mifare UltraLight
    0487C1CA82811D809E48F0007FC4CA03C9B4040011F83A350CBAE7B2B50A165011D7790CEA030407040CD1887228E03F8CD6790CEA030206F07F97D5FB975F72
Bonus points if anyone can figure out the data format. Here is what the vending machine says about the last card:
Expires: August 19 2012 4:00pm
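An added example, not part of the original post: a Python sketch that parses the three 64-byte dumps above, checks the two UID check bytes (BCC0 and BCC1) and decodes the lock bytes into page numbers, following the MIFARE Ultralight memory layout (the lock bytes sit in what the datasheet calls page 2, counting from zero). The function names and the write-map model are assumptions made for illustration; the model only mirrors the nfc-mfultralight run shown above, where the OTP and lock writes were declined.

```python
CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, XORed into BCC0

# The three dumps as printed in the post, keyed by the UID the tool reported.
DUMPS = {
    "04e072f1632780": "04E0721E | F1632780 | 3548F000 | 0B91DB03C9B40400110B6B241E94B79A99DDED1C0CB9730CE80304077E064C63F93EDAD64D468908130002063CE8A81732CF6823",
    "0414a3fa911f80": "0414A33BFA911F80F448F0004FEDD103C9B404001117122EBE7F6BEB861928C12C4ECC0A130004036475FA14F2540943983DCC0A1300020271C9E0A3143F50ED",
    "0487c182811d80": "0487C1CA82811D809E48F0007FC4CA03C9B4040011F83A350CBAE7B2B50A165011D7790CEA030407040CD1887228E03F8CD6790CEA030206F07F97D5FB975F72",
}


def parse_dump(hex_dump):
    """Split a 64-byte Ultralight dump into pages, check BCCs, decode locks."""
    raw = bytes.fromhex(hex_dump.replace("|", "").replace(" ", ""))
    if len(raw) != 64:
        raise ValueError("expected 16 pages of 4 bytes, got %d bytes" % len(raw))
    pages = [raw[i:i + 4] for i in range(0, 64, 4)]
    uid = pages[0][:3] + pages[1]          # 7-byte UID; page 0 byte 3 is BCC0
    bcc0_ok = pages[0][3] == (CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2])
    bcc1_ok = pages[2][0] == (uid[3] ^ uid[4] ^ uid[5] ^ uid[6])
    lock0, lock1 = pages[2][2], pages[2][3]
    locked = [3] if lock0 & 0x08 else []   # lock byte 0, bit 3: OTP page
    locked += [p for p in range(4, 8) if (lock0 >> p) & 1]         # bits 4-7
    locked += [p for p in range(8, 16) if (lock1 >> (p - 8)) & 1]  # lock byte 1
    return {"uid": uid.hex(), "bcc_ok": bcc0_ok and bcc1_ok,
            "lock_bytes": bytes([lock0, lock1]).hex(), "otp": pages[3].hex(),
            "locked_pages": locked}


def predicted_write_map(locked_pages):
    """Model of the write map in the post when OTP and lock writes are declined:
    pages 0-3 skipped ('s'), locked pages fail ('x'), the rest succeed ('.')."""
    return "".join("s" if p < 4 else "x" if p in locked_pages else "."
                   for p in range(16))


if __name__ == "__main__":
    for reported_uid, dump in DUMPS.items():
        info = parse_dump(dump)
        print(reported_uid, info, predicted_write_map(info["locked_pages"]))
```

A dump whose BCC bytes do not match its UID was either mistyped or did not come from a genuine read, so `bcc_ok` is a quick sanity check before comparing the data pages of different tickets.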