Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2014-05-12 12:30:33

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

London Oystercard

After a trip to London, I finally got hold of an Oystercard. Turns out they are some kind of Mifare Desfire, which would explain why people are looking for a Desfire impl for the PM3. Anyhow, it will be fun looking into it.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#2 2014-05-12 17:29:01

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: London Oystercard

Yes, after they noticed Mifare was actively being exploited, they chose to move to Desfire for newer cards, to cut down on card fraud. Legacy Mifare cards appear to still work if you have one.

Side note: UK Bus passes (for the older ladies, gents and even students) and some library cards also use Desfire.

Last edited by midnitesnake (2014-05-12 17:33:10)


#3 2014-05-12 22:12:36

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

Well, London has a lot of commuters, and even with blacklisting a "clone" it is still hard to narrow down a person. Desfire seems a lot better crypto-wise, though.




#4 2014-05-15 14:52:03

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

I wonder why my response from the Desfire card is "95xxxxxxxx"; it should be "AFxxxxxxxx".
And can someone explain why the response is not in the "hf 14a list" output?


pm3 --> hf 14a reader
ATQA : 44 03
 UID : 04 77 29 5a 86 34 80
 SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
 ATS : 06 75 77 81 02 80 02 f0
       -  TL : length is 6 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 0, FWI = 8
       - TC1 : NAD is NOT supported, CID is supported
       -  HB : 80
pm3 --> hf mfdes auth k 0
#db# UID :0477295a863480
#db# Auth1 Resp: 9e872b8045a1bf7fa8e571
#db# AUTH 1 FINISHED
pm3 --> hf 14a list
Recorded Activity

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)

     Start |       End | Src | Data
-----------|-----------|-----|--------
         0 |       992 | Rdr | 52    -
      2228 |      4596 | Tag | 44  03    -
      7040 |      9504 | Rdr | 93  20    -
     10676 |     16500 | Tag | 88  04  77  29  d2    -
     18688 |     29216 | Rdr | 93  70  88  04  77  29  d2  6c  76    -
     30388 |     33908 | Tag | 24  d8  36    -
     35200 |     37664 | Rdr | 95  20    -
     38836 |     44724 | Tag | 5a  86  34  80  68    -
     46848 |     57376 | Rdr | 95  70  5a  86  34  80  68  22  58    -
     58548 |     62132 | Tag | 20  fc  70    -
     63616 |     68384 | Rdr | e0  80  31  73    -
     69556 |     78836 | Tag | 06  75  77  81  02  80  02  f0    -
     81024 |     83424 | Rdr | 0a  00    -
pm3 -->



#5 2014-05-15 16:12:15

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: London Oystercard

@iceman:

Looks like your reader is not sending the proper auth request: 02 0a 00 dc ed ('dc ed' is the CRC).

You appear to be sending just 0a 00.

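The frames midnitesnake and iceman are discussing, decoded in Python as an added example (not code from the thread or from the Proxmark3 project): it reassembles the 7-byte UID from the two cascade-level replies in the trace, checks CRC_A on the reader frames, and shows why a bare "0a 00" fails the check while the I-block "02 0a 00 dc ed" passes. Frame bytes are copied from the trace above; the CRC_A routine follows ISO 14443-3 Annex B.

```python
"""Decode ISO 14443-A frames from the 'hf 14a list' trace in this thread."""


def crc_a(data: bytes) -> bytes:
    """ISO 14443-A CRC_A: init 0x6363, poly 0x8408, sent LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def check_crc(frame: bytes) -> bool:
    """True when the last two bytes are a valid CRC_A over the rest."""
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]


def uid_from_cascade(cl1: bytes, cl2: bytes) -> bytes:
    """Reassemble a 7-byte UID from two cascade-level anticollision
    replies (4 UID bytes + BCC each). CL1 starts with cascade tag 0x88."""
    for part in (cl1, cl2):
        bcc = 0
        for b in part[:4]:
            bcc ^= b
        if bcc != part[4]:
            raise ValueError(f"BCC mismatch in {part.hex()}")
    if cl1[0] != 0x88:
        raise ValueError("CL1 lacks cascade tag 0x88")
    return cl1[1:4] + cl2[:4]


def iblock(inf: bytes, pcb: int = 0x02) -> bytes:
    """Wrap a payload in an ISO 14443-4 I-block: PCB + INF + CRC_A."""
    body = bytes([pcb]) + inf
    return body + crc_a(body)


# Constructed sample: frames copied from the trace in post #4.
CL1_TAG = bytes.fromhex("88047729d2")
CL2_TAG = bytes.fromhex("5a86348068")
RATS = bytes.fromhex("e0803173")
BAD_AUTH = bytes.fromhex("0a00")  # what the reader actually sent

if __name__ == "__main__":
    print("UID:", uid_from_cascade(CL1_TAG, CL2_TAG).hex())  # 0477295a863480
    print("RATS CRC ok:", check_crc(RATS))  # True
    print("bare auth CRC ok:", check_crc(BAD_AUTH))  # False
    print("expected auth frame:", iblock(BAD_AUTH).hex())  # 020a00dced
```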

#6 2014-05-15 17:22:43

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: London Oystercard

Wrong crypto.

Oyster is AES and you are using 3DES.


#7 2014-05-15 19:02:55

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

Hm, Oyster is AES... check. Good to know.
I so need a blank Desfire card to play with.




#8 2014-05-31 14:08:33

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: London Oystercard

Hi iceman

Looking around the forum for my needs, I found that the Oystercard is the same card that I want to work with.
I could see you did a reading, and to my surprise it is the same reading I did
on mine.
Let me know how it goes on that topic, and if you can help with your more advanced knowledge than mine.
Here is a proxmark3 reading of .... ( http://prntscr.com/3ob7mm )

Best regards


#9 2014-05-31 14:50:17

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

Well, there's not much you can do without the correct AES key for the Oystercard. There was some old card from 2006 which uses old Mifare Classic, which you can experiment with.
If you can sniff the traffic between an underground gate reader and a card with the PM3, then I would like to have a copy of that tracedump ;-)




#10 2014-05-31 16:06:41

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: London Oystercard

Yes, I can sniff the traffic...

Last edited by LaserByte (2014-07-31 15:43:05)


#11 2014-05-31 16:17:11

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

Well, if you can run your PM3 and antenna between reader and card, then

1. run "hf 14a snoop"
2. present your card to the reader
3. then "hf 14a list" will give you the trace from the transaction.


Google the snoop command or read http://www.cs.bham.ac.uk/~garciaf/publi … DSec12.pdf
to get an idea of what you need to do.




#12 2014-05-31 16:29:14

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: London Oystercard

OK, thanks.
I can read the card when paying for the ticket or
when charging money to the card...
I copy 2 dumps and send them to you...
What do you think?

again thank you very much


#13 2014-05-31 16:30:55

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

Well, try different things,
like checking the amount on the card,
like paying for a ticket,
like recharging the card. <-- this one is extra interesting if you can get a tracedump from the shop ;-)




#14 2014-05-31 17:31:03

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: London Oystercard

OK.


Give me two days.


#15 2014-06-01 21:32:38

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: London Oystercard

Hi Iceman

Cordial greetings.

By testing and reading, I found this card ( http://prntscr.com/3or3zj )
is a Mifare 1k.
It is part of the same transport system; for some reason this card has the same functions and serves the same purpose as the Mifare 4k Desfire
( http://prntscr.com/3ob7mm ) card.
The only difference is that it is recharged elsewhere and I have no access to sniff..
But I think, as it is a Mifare 1k, it is easier to clone.
I ask you to please help me with this work.
This is what I have.. ( http://prntscr.com/3orbb8 )

1 proxmark3
1 Hf antenna
1 Chinese magic card (http://prntscr.com/3or8ho)
1 mifare 1k  card ticket with balance.

thank you..


#16 2014-06-02 09:38:20

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

Well, read the documentation here..
The Mifare Classic road is straightforward.
You need to get the crypto keys for the card you want to dump the contents of.
Just look into "hf mf mifare" and the commands under "hf mf".
Then you want to write the dump onto a magic card (which you already have)...




#17 2015-06-25 03:04:34

NICK94102
Member
Registered: 2015-06-25
Posts: 1

Re: London Oystercard

I'm new to this forum;
it has some pretty interesting posts.
I too was using an Oyster card last time I was in London.
Now I'm reading here that there is a possibility to clone it?
Is somebody doing it?
And also, what does the ''end result'' look like? Is every card usable? For example, if you clone one card with a balance of, say, 5 pounds and then spend 1 pound for a ride, will all cloned cards have the same -1 pound balance afterwards? Or will each card behave separately until the system finds out that there are cloned cards and cancels all of them regardless of which one could be the ''real one''? I hope someone can help me and answer those questions. I'm very curious about how that system works. Thank you.


#18 2015-06-25 20:51:39

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: London Oystercard

It smells like fraud...


#19 2015-06-25 22:23:06

iceman
Administrator
Registered: 2013-04-25
Posts: 6,697
Website

Re: London Oystercard

Don't worry Asper, the Oyster keys are not known to be broken, so even if s/he wants to commit fraud it is impossible to date.

But s/he can start to learn the PM3 and some different, easier protocols, and maybe find something new.


