Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2012-11-12 16:00:41

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Octopus Security Analysis (system based on FeliCa cards)

Felica seems to be a real secure system.

http://courses.ece.ubc.ca/412/previous_years/2007_1_spring/modules/term_project/reports/2007/security_analysis_of_octopus_smart_card_system.pdf

Offline

#2 2012-11-14 13:23:48

RadioWar
Contributor
From: China
Registered: 2012-09-15
Posts: 96

Re: Octopus Security Analysis (system based on FeliCa cards)

i have something for Octopus~maybe can do something~~~


[b]Team Website[/b]: [url]http://radiowar.org[/url]
[b]Chinese Proxmark3 Dev WIKI:[/b][url]http://wiki.radiowar.org[/url]

Offline

#3 2012-11-14 17:06:22

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Octopus Security Analysis (system based on FeliCa cards)

Post or PM, thanks wink

Offline

#4 2012-11-16 18:30:23

RadioWar
Contributor
From: China
Registered: 2012-09-15
Posts: 96

Re: Octopus Security Analysis (system based on FeliCa cards)

asper wrote:

Post or PM, thanks wink

I cant PM you man~~give me your email~


[b]Team Website[/b]: [url]http://radiowar.org[/url]
[b]Chinese Proxmark3 Dev WIKI:[/b][url]http://wiki.radiowar.org[/url]

Offline

#5 2012-11-17 18:56:04

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Octopus Security Analysis (system based on FeliCa cards)

You are right, no PM here, sorry; can you provide a public mail ? I will contact you there, thanks !

Offline

#6 2012-11-18 16:04:37

RadioWar
Contributor
From: China
Registered: 2012-09-15
Posts: 96

Re: Octopus Security Analysis (system based on FeliCa cards)

asper wrote:

You are right, no PM here, sorry; can you provide a public mail ? I will contact you there, thanks !

radiowar<At>QQ.com


[b]Team Website[/b]: [url]http://radiowar.org[/url]
[b]Chinese Proxmark3 Dev WIKI:[/b][url]http://wiki.radiowar.org[/url]

Offline

#7 2012-11-18 19:41:51

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Octopus Security Analysis (system based on FeliCa cards)

QQ server seems not toaccept my mail... another one ?

Offline

#8 2012-11-19 11:22:06

RadioWar
Contributor
From: China
Registered: 2012-09-15
Posts: 96

Re: Octopus Security Analysis (system based on FeliCa cards)

asper wrote:

QQ server seems not toaccept my mail... another one ?

Fuxking QQ~~~admin<At>radiowar.org


[b]Team Website[/b]: [url]http://radiowar.org[/url]
[b]Chinese Proxmark3 Dev WIKI:[/b][url]http://wiki.radiowar.org[/url]

Offline

#9 2015-10-07 11:04:38

happyboyxxx
Contributor
From: Hong Kong
Registered: 2015-10-07
Posts: 4

Re: Octopus Security Analysis (system based on FeliCa cards)

Sounds interesting,
and now some Metro tickets were adopted into the Felica Lite-S tags,
is it secure?

Offline

#10 2016-03-06 15:17:23

iceman
Administrator
Registered: 2013-04-25
Posts: 6,703
Website

Re: Octopus Security Analysis (system based on FeliCa cards)

@Asper  Seems to be something they have in Hongkong.  What info do you have? I'll get my hands on one tag soon.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#11 2016-03-14 06:32:04

happyboyxxx
Contributor
From: Hong Kong
Registered: 2015-10-07
Posts: 4

Re: Octopus Security Analysis (system based on FeliCa cards)

Hi
It seems that the metro ticket uses 2 different types of tags : Ultralight C and FeliCa Lite-S
I used my NFC phone to read the FeliCa one but seems it needs the key for authentication...
Only known the system code 0x8008 is sames as the octopus card code.

Hope this information could help...:P

Here is the ticket pictures and some screenshot:
http://postimg.org/image/bnc66qtej/
http://postimg.org/image/5julmu34r/
http://postimg.org/image/qi0rkx2zf/

Offline

#12 2016-03-14 06:52:12

happyboyxxx
Contributor
From: Hong Kong
Registered: 2015-10-07
Posts: 4

Re: Octopus Security Analysis (system based on FeliCa cards)

Oh yes,

there are different type of octopus card,
and seems that some of the octopus card are now phase out.( because of not supporting NFC function? or due to the low security?)

Sony has not disclose the commands to operate FeliCa with keys, seems that it is so difficult to know it...
However, the octopus card company allow the user to plug the ACR122U to check the card balance and records.
Could it be the chance to know how to read the FeliCa with keys?

http://www.octopus.com.hk/customer-service/octopus-pc-reader-service/en/index.html

I have capture some APDU command through the checking and I am still understanding these (but very confusing...:(  )

Offline

#13 2016-03-14 10:20:23

iceman
Administrator
Registered: 2013-04-25
Posts: 6,703
Website

Re: Octopus Security Analysis (system based on FeliCa cards)

Someone told me you can download the .jar file and decompile it.  Inside you'll find some APDU's used.

But if the PM3 can understand Felicia is different matter.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#14 2016-03-16 15:15:04

iceman
Administrator
Registered: 2013-04-25
Posts: 6,703
Website

Re: Octopus Security Analysis (system based on FeliCa cards)

I got my hands on three octopus tags now.
Have someone ever read a Felica based tag with the PM3

If so, please contact me.   even if I don't see the private messages anymore, you still can email me.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#15 2017-12-11 01:58:26

frank
Contributor
Registered: 2017-12-10
Posts: 15

Re: Octopus Security Analysis (system based on FeliCa cards)

happyboyxxx wrote:

Oh yes,

there are different type of octopus card,
and seems that some of the octopus card are now phase out.( because of not supporting NFC function? or due to the low security?)

Sony has not disclose the commands to operate FeliCa with keys, seems that it is so difficult to know it...
However, the octopus card company allow the user to plug the ACR122U to check the card balance and records.
Could it be the chance to know how to read the FeliCa with keys?

http://www.octopus.com.hk/customer-service/octopus-pc-reader-service/en/index.html

I have capture some APDU command through the checking and I am still understanding these (but very confusing...:(  )

Not sure if anyone is interested.
https://wfe.oos.octopus-cards.com/agenda/oors/ocapvm-0.0.1.jar
https://wfe.oos.octopus-cards.com/agenda/oors/ocapclient-dvf.jar

Probably the most relevant files are these

Card.class wrote:

package com.octopuscards.oos.client.card;

import java.util.Arrays;

public class Card
{
  protected CardType type;
  protected byte[] manufacturerID;
 
  public Card(CardType type, byte[] mId)
  {
    this.type = type;
    this.manufacturerID = mId;
  }
 
  public CardType getType()
  {
    return this.type;
  }
 
  public void setType(CardType type)
  {
    this.type = type;
  }
 
  public byte[] getManufacturerID()
  {
    return this.manufacturerID;
  }
 
  public void setManufacturerID(byte[] manufacturerID)
  {
    this.manufacturerID = manufacturerID;
  }
 
  public boolean equals(Object card)
  {
    if ((Card.class.isInstance(card)) &&
      (((Card)card).getType() == this.type) &&
      (Arrays.equals(((Card)card).getManufacturerID(), this.manufacturerID))) {
      return true;
    }
    return false;
  }
}

CardCommand.class wrote:

package com.octopuscards.oos.client.card;

public class CardCommand
{
  public static final byte[] FELICA_SEAC_POLL = { 6, 0, 1, 1, 1, 1 };
  public static final byte[] FELICA_DES_POLL = { 6, 0, Byte.MIN_VALUE, 8, 0, 1 };
  public static final byte[] MOBILE_SIM_POLL = { 0, -1, -1, 0, 0 };
  public static final byte[] FELICA_DES_REQSRV = { 13, 2, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1, -1 };
  public static final byte[] FELICA_DES_REQRSP = { 10, 4, 0, 0, 0, 0, 0, 0, 0, 0 };
  public static final byte[] TYPEA_POLL = new byte[0];
  public static final byte[] TYPEB_POLL = new byte[0];
 
  public static byte[] getDESReqSrvCmd(byte[] idm)
  {
    byte[] reqsrv = new byte[FELICA_DES_REQSRV.length];
    System.arraycopy(FELICA_DES_REQSRV, 0, reqsrv, 0, reqsrv.length);
    System.arraycopy(idm, 0, reqsrv, 2, idm.length);
    return reqsrv;
  }
 
  public static byte[] getDESReqRspCmd(byte[] idm)
  {
    byte[] reqRsp = new byte[FELICA_DES_REQRSP.length];
    System.arraycopy(FELICA_DES_REQRSP, 0, reqRsp, 0, reqRsp.length);
    System.arraycopy(idm, 0, reqRsp, 2, idm.length);
    return reqRsp;
  }
}

CardCommand.class wrote:

package com.octopuscards.oos.client.card;

public enum CardType
{
  DES(CardCommand.FELICA_DES_POLL, CardCommand.FELICA_DES_REQRSP),  SEAC(CardCommand.FELICA_SEAC_POLL, CardCommand.FELICA_SEAC_POLL),  MOBILE_SIM(CardCommand.MOBILE_SIM_POLL, CardCommand.MOBILE_SIM_POLL);
 
  private byte[] pollcmd;
  private byte[] reqRspCmd;
 
  public byte[] getPollcmd()
  {
    return this.pollcmd;
  }
 
  public void setPollcmd(byte[] pollcmd)
  {
    this.pollcmd = pollcmd;
  }
 
  private CardType(byte[] pollcmd, byte[] reqRspCmd)
  {
    this.pollcmd = pollcmd;
    this.reqRspCmd = reqRspCmd;
  }
 
  public byte[] getManufacturorID(byte[] pollResp)
  {
    try
    {
      if ((this == SEAC) && (pollResp.length >= 10))
      {
        byte[] idm = new byte[8];
        System.arraycopy(pollResp, 2, idm, 0, 8);
        return idm;
      }
      if ((this == DES) && (pollResp.length >= 10))
      {
        byte[] idm = new byte[8];
        System.arraycopy(pollResp, 2, idm, 0, 8);
        return idm;
      }
      if ((this == MOBILE_SIM) && (pollResp.length >= 8))
      {
        byte[] idm = new byte[8];
        System.arraycopy(pollResp, 1, idm, 0, 8);
        return idm;
      }
      return null;
    }
    catch (RuntimeException e)
    {
      e.printStackTrace();
    }
    return null;
  }
 
  public byte[] getReqRspCmd()
  {
    return this.reqRspCmd;
  }
 
  public void setReqRspCmd(byte[] reqRspCmd)
  {
    this.reqRspCmd = reqRspCmd;
  }
}

Offline

Board footer

Powered by FluxBB