These are my dumps:
2Pass ticket / 2x Used
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 05 71 5B A7 | | .q[.
1/0x01 | 4A FA 54 E9 | | J.T.
2/0x02 | 0D 15 00 C0 | | ....
3/0x03 | 03 00 00 00 | 0 | ....
4/0x04 | 02 00 00 05 | 0 | ....
5/0x05 | 02 12 06 16 | 0 | ....
6/0x06 | D3 91 E5 96 | 0 | ....
7/0x07 | 4E 4B 59 7A | 0 | NKYz
8/0x08 | 5F 5F 43 2D | 0 | __C-
9/0x09 | 31 38 36 39 | 0 | 1869
10/0x0A | 02 43 C7 23 | 0 | .C.#
11/0x0B | 00 00 E5 AC | 0 | ....
12/0x0C | 03 0F 29 00 | 0 | ..).
13/0x0D | B4 81 6C 64 | 0 | ..ld
14/0x0E | 11 56 00 01 | 1 | .V..
15/0x0F | 00 00 57 88 | 1 | ..W.
---------------------------------
1 Pass ticket / Not used
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 05 74 F3 0A | | .t..
1/0x01 | 3C 5B 54 E9 | | <[T.
2/0x02 | DA 15 00 C0 | | ....
3/0x03 | 00 00 00 00 | 0 | ....
4/0x04 | 02 00 00 03 | 0 | ....
5/0x05 | 01 12 06 14 | 0 | ....
6/0x06 | F0 D0 78 4D | 0 | ..xM
7/0x07 | C0 A0 29 B8 | 0 | ..).
8/0x08 | 00 00 00 00 | 0 | ....
9/0x09 | 00 00 00 00 | 0 | ....
10/0x0A | 00 00 00 00 | 0 | ....
11/0x0B | 00 00 00 00 | 0 | ....
12/0x0C | 03 10 29 00 | 0 | ..).
13/0x0D | 62 82 E2 FE | 0 | b...
14/0x0E | 10 95 00 01 | 1 | ....
15/0x0F | 00 00 88 24 | 1 | ...$
---------------------------------
Another 1 Pass ticket / 1 Used
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 05 72 A1 5E | | .r.^
1/0x01 | 2E FA 54 E9 | | ..T.
2/0x02 | 69 15 00 C0 | | i...
3/0x03 | 01 00 00 00 | 0 | ....
4/0x04 | 02 00 00 01 | 0 | ....
5/0x05 | 01 12 06 12 | 0 | ....
6/0x06 | E6 12 EE 1B | 0 | ....
7/0x07 | DA EB 72 3B | 0 | ..r;
8/0x08 | 55 5A 31 2D | 0 | UZ1-
9/0x09 | 55 5A 31 00 | 0 | UZ1.
10/0x0A | 01 97 CD 23 | 0 | ...#
11/0x0B | 00 00 14 26 | 0 | ...&
12/0x0C | 03 10 29 00 | 0 | ..).
13/0x0D | 8B EB C0 C3 | 0 | ....
14/0x0E | 10 98 00 01 | 1 | ....
15/0x0F | 00 00 99 57 | 1 | ...W
---------------------------------
- Comparing the 3Pass/2Pass/1Pass dumps, you can see Block 5's first byte changes according to how many times you can use it.
- Blocks 8 to B contain information about the station where you used the ticket. I saw those strings on the bus's information screen, and also inside a normal Istanbulkart (it can be read with the help of a proxy Android app; that is my research on the normal ticket).
- Other than Block 3 and Blocks 8-A, no block changes after a transaction.
- Block 5 contains date information, but I'm not sure. 0x12 = 20 (in 2020); 0x6, the 6th, is the month. They hold this because tickets can only be used within 60 days after you purchase them.
- Locking bytes are always set the same for blocks 14 and 15. These blocks cannot be changed.
- The OTP section is set after using the ticket. Since iceman's 2/3 pass ticket also has 03 set as OTP (same as my 2/2 ticket's OTP), I think 03 means used 2 times, and 01 means used 1 time.
I'm not done researching it, but one of my theories is that blocks 14 and 15 could be a MAC of the card's data. Since there are different types of pass tickets, the reader needs to know which type (1x/2x/3x) of card it's communicating with. If it takes the type from block 5, it could be changed and the machine fooled? If blocks 14 and 15 are some kind of MAC, they can block this behaviour.
Also, as far as I understand, there is no authentication in the my-d lean SLE 66R01L. Can't we just simulate the card?
Next day update:
- I incremented block5[0], but the machine gave an `invalid card` error, which means there is a check for it. Maybe section 6-7?
- In a second attempt I tried to lock the OTP section by writing to the lock section so the machine can't write to the OTP section (usage count). The machine gave a weird error, but the doors didn't open.
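To make the comparison above repeatable, here is an added example (not code from the thread or from the Proxmark project) that parses `hf mfu dump` tables, decodes the fields the posts attribute to blocks 3, 5 and 8-B, and lists which blocks differ between two dumps. The sample dumps are copied from the thread, abridged to the blocks the decoder reads; the "OTP bit count = uses" reading is the poster's hypothesis, not a documented format.

```python
import re

# Matches one data row of the Proxmark 'hf mfu dump' table: "N/0xNN | b0 b1 b2 b3 | lck | ascii"
ROW = re.compile(r"^\s*(\d+)/0x[0-9A-Fa-f]{2}\s*\|\s*((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})\s*\|")

# Sample input: rows taken from the thread's dumps, abridged to blocks 3, 5, 8-11.
TWO_PASS_USED_TWICE = """
3/0x03 | 03 00 00 00 | 0 | ....
5/0x05 | 02 12 06 16 | 0 | ....
8/0x08 | 5F 5F 43 2D | 0 | __C-
9/0x09 | 31 38 36 39 | 0 | 1869
10/0x0A | 02 43 C7 23 | 0 | .C.#
11/0x0B | 00 00 E5 AC | 0 | ....
"""
ONE_PASS_USED_ONCE = """
3/0x03 | 01 00 00 00 | 0 | ....
5/0x05 | 01 12 06 12 | 0 | ....
8/0x08 | 55 5A 31 2D | 0 | UZ1-
9/0x09 | 55 5A 31 00 | 0 | UZ1.
10/0x0A | 01 97 CD 23 | 0 | ...#
11/0x0B | 00 00 14 26 | 0 | ...&
"""

def parse_dump(text):
    """Return {block_number: 4 data bytes} for every table row found in text."""
    blocks = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            blocks[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return blocks

def decode_ticket(blocks):
    """Decode the fields the thread attributes to blocks 3 (OTP), 5 and 8-11."""
    # OTP bits are one-way (set bits never clear), so the popcount is a use counter
    # under the thread's hypothesis: 0x03 -> 2 uses, 0x01 -> 1 use.
    uses = sum(bin(b).count("1") for b in blocks[3])
    # Station string: printable ASCII prefix of blocks 8-11, stopping at the first other byte.
    raw = b"".join(blocks[n] for n in range(8, 12) if n in blocks)
    station = ""
    for c in raw:
        if not 32 <= c < 127:
            break
        station += chr(c)
    return {"uses": uses, "passes": blocks[5][0],
            "date_bytes": blocks[5][1:].hex(),  # thread's date guess, left undecoded
            "station": station}

def diff_blocks(a, b):
    """Block numbers present in both dumps whose data differs."""
    return sorted(n for n in a if n in b and a[n] != b[n])
```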
I think I have some Istanbul tickets as well lying around.
I have these cards, is there anything I can do for you?
This is a used 1-pass (Birgeç):
proxmark3> hf mfu dump
TYPE : INFINEON my-d move lean (SLE 66R01L)
Reading tag memory...
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 05 73 10 ee | |
1/0x01 | 82 fa 54 e9 | |
2/0x02 | c5 15 00 c0 | |
3/0x03 | 01 00 00 00 | 0 | ....
4/0x04 | 02 00 00 03 | 0 | ....
5/0x05 | 01 12 06 14 | 0 | ....
6/0x06 | f7 29 87 ee | 0 | .)..
7/0x07 | e3 ab 57 43 | 0 | ..WC
8/0x08 | 4b 44 45 2d | 0 | KDE-
9/0x09 | 59 4b 44 00 | 0 | YKD.
10/0x0A | 01 31 05 0c | 0 | .1..
11/0x0B | 3a 01 65 77 | 0 | :.ew
12/0x0C | 02 66 26 00 | 0 | .f&.
13/0x0D | 4b bf 5c 67 | 0 | K.\g
14/0x0E | 11 50 00 01 | 1 | .P..
15/0x0F | 31 08 29 34 | 1 | 1.)4
---------------------------------
This is another, but I don't know what kind or how much it's been used.
proxmark3> hf mfu dump
TYPE : INFINEON my-d move lean (SLE 66R01L)
Reading tag memory...
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 05 7f b1 43 | |
1/0x01 | 13 ca 54 e9 | |
2/0x02 | 64 15 00 c0 | |
3/0x03 | 01 00 00 00 | 0 | ....
4/0x04 | 02 00 00 03 | 0 | ....
5/0x05 | 01 12 06 14 | 0 | ....
6/0x06 | 52 ef a8 24 | 0 | R..$
7/0x07 | 12 28 4f 49 | 0 | .(OI
8/0x08 | 4b 44 45 2d | 0 | KDE-
9/0x09 | 59 4b 44 00 | 0 | YKD.
10/0x0A | 01 31 05 0c | 0 | .1..
11/0x0B | 3a 01 1e 62 | 0 | :..b
12/0x0C | 02 66 26 00 | 0 | .f&.
13/0x0D | fc 15 8b ab | 0 | ....
14/0x0E | 11 57 00 01 | 1 | .W..
15/0x0F | 31 08 29 33 | 1 | 1.)3
---------------------------------
Haven't found the actual command set yet for the auth though.
Now we only need to add the NFC part of it for that my_d tag...
Didn't seem like the my_d tags supported version|authentication