2022-01-21
Looking at RFID cards and NFC again
I haven't done anything with NFC in ages. Almost three years ago I dug up my knowledge again and learned about UID changeable cards, and before that the last real digging into RFID was 11 years ago: Interesting development with the magna carta rfid card.

Anyway, my interest is renewed due to several factors, with "just looking for something to learn about and enjoy the process" as the main one. As a first step I dug up my trusty touchatag reader and the collection of RFID tokens/cards. The touchatag reader still doesn't see any of the collected ski passes, so I guess those use other frequencies.

The collection of RFID tokens includes a number of one-use public transport tickets. Those are based on Mifare Ultralight "MF0ICU1" according to NXP TagInfo. The little bit that annoys me is that NXP TagInfo manages to list the transport company and the transaction date/time, while on a first search I can't find any online listing of the fields in a Mifare Ultralight for transport use. Later searches (see below) give a lot more! So I have to do some digging myself. And maybe get a few more recent one-time-use public transport tickets to get an idea.

Anyway, first light on this subject:

    $ nfc-list
    nfc-list uses libnfc 1.7.1
    NFC device: / CCID USB Reader opened
    1 ISO14443A passive target(s) found:
    ISO/IEC 14443A (106 kbps) target:
        ATQA (SENS_RES): 00 44
           UID (NFCID1): 04 89 92 fa 3b 3c 80
          SAK (SEL_RES): 00

    $ nfc-mfultralight r kaartje.mfd
    NFC device: / CCID USB Reader opened
    Found MIFARE Ultralight card with UID: 048992fa3b3c80
    Reading 16 pages |................|
    Done, 16 of 16 pages readed.
    Writing data to file: kaartje.mfd ... Done.

    $ xxd kaartje.mfd
    00000000: 0489 9297 fa3b 3c80 7d48 00f0 ccab ffff  .....;<.}H......
    00000010: c000 3004 4cd5 3c40 ceb5 6f0b 24d6 efd3  ..0.L.<@..o.$...
    00000020: c800 2004 2cd5 3b60 4c54 d001 b6eb 07e7  .. .,.;`LT......
    00000030: d5ab 9a08 5989 8dbf e960 8af4 ffbe 45fa  ....Y....`....E.

This is 64 bytes to look at, which is not a lot.
The first things I found in the memory map, with the help of the online documentation in the MIFARE ULTRALIGHT User Manual:

    Page     Byte within page
             0     1     2     3
    00       UID0  UID1  UID2  CB0    UID bytes, CB0 = checkbyte 0
    01       UID3  UID4  UID5  UID6
    02       CB1   Int.  LCK0  LCK1   CB1 = checkbyte 1, LCK is locking bitmap
    03       one time programmable area
    04..15   user data

    $ xxd -c 4 -g 1 kaartje.mfd
    00000000: 04 89 92 97  ....
    00000004: fa 3b 3c 80  .;<.
    00000008: 7d 48 00 f0  }H..
    0000000c: cc ab ff ff  ....
    00000010: c0 00 30 04  ..0.
    00000014: 4c d5 3c 40  L.<@
    00000018: ce b5 6f 0b  ..o.
    0000001c: 24 d6 ef d3  $...
    00000020: c8 00 20 04  .. .
    00000024: 2c d5 3b 60  ,.;`
    00000028: 4c 54 d0 01  LT..
    0000002c: b6 eb 07 e7  ....
    00000030: d5 ab 9a 08  ....
    00000034: 59 89 8d bf  Y...
    00000038: e9 60 8a f4  .`..
    0000003c: ff be 45 fa  ..E.

The UID 048992fa3b3c80 can clearly be found in the first 8 bytes; the bytes at offset 0x03 and 0x08 are the checkbytes. The rest is more interesting: transactions are to be expected at byte 0x0c .. 0x2f. The last 16 bytes are locked according to the locking bitmap, which would make them not usable for transactions.

The NXP TagInfo app tells me the transactions are numbered 3 and 2. Transaction 3 is a checkout at 28 dec 2014 16:04 with Nederlandse Spoorwegen and transaction 2 is a checkin at 28 dec 2014 15:50 with Nederlandse Spoorwegen.

Someone has done this work before: wvengen/ovc-tools: Tools for reading the OV-chipkaart - GitHub, which I even mentioned before: In between other stuff I also found time to play with the touchatag rfid reader I ordered. And that makes things simple:

    $ ./ovc-decode.py kaartje.mfd
    #003 2014-12-28 16:04:00 NS check-out 0x0ceb56f0b24d6efd3 0x18 0x00
    #002 2014-12-28 15:50:00 NS check-in 0x04c54d001b6eb07e7 0x19 0x00
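The memory map above can be checked mechanically against the dump. The following is an added example, not code from the original post or from ovc-tools: it verifies both checkbytes, lists the pages locked by LCK0/LCK1, and recovers the two transaction times. Assumptions: the checkbyte formula (including the 0x88 cascade tag) and the lock bit layout follow the NXP MF0ICU1 data sheet; the bit offsets 35 and 49 and the 1997-01-01 epoch are inferred from this single dump because they reproduce the TagInfo times quoted above, and are not taken from a published field specification.

```python
from datetime import datetime, timedelta

# Dump from the post (kaartje.mfd): 16 pages of 4 bytes each.
DUMP = bytes.fromhex(
    "04899297fa3b3c80" "7d4800f0ccabffff"
    "c00030044cd53c40" "ceb56f0b24d6efd3"
    "c80020042cd53b60" "4c54d001b6eb07e7"
    "d5ab9a0859898dbf" "e9608af4ffbe45fa"
)
CASCADE_TAG = 0x88            # ISO/IEC 14443-3 cascade tag, XORed into CB0
EPOCH = datetime(1997, 1, 1)  # assumption, see the lead-in


def parse_header(dump):
    """Return (UID hex, checkbytes valid?, locked pages) from pages 0..2."""
    if len(dump) != 64:
        raise ValueError("expected a 64-byte MIFARE Ultralight dump")
    uid = dump[0:3] + dump[4:8]        # CB0 at offset 3 splits the UID
    cb0 = CASCADE_TAG ^ dump[0] ^ dump[1] ^ dump[2]
    cb1 = dump[4] ^ dump[5] ^ dump[6] ^ dump[7]
    bcc_ok = (cb0 == dump[3]) and (cb1 == dump[8])
    lock = dump[10] | (dump[11] << 8)  # LCK0 is the low byte, LCK1 the high
    # Bits 0..2 are block-locking bits; bit n (3..15) locks page n.
    locked = [p for p in range(3, 16) if lock >> p & 1]
    return uid.hex(), bcc_ok, locked


def bits(record, start, length):
    """Extract a big-endian bit field from a record."""
    value = int.from_bytes(record, "big")
    return (value >> (len(record) * 8 - start - length)) & ((1 << length) - 1)


def transaction_time(record):
    """Date/time of one 16-byte record (inferred offsets, see the lead-in)."""
    days = bits(record, 35, 14)      # days since EPOCH
    minutes = bits(record, 49, 11)   # minutes since midnight
    return EPOCH + timedelta(days=days, minutes=minutes)


if __name__ == "__main__":
    print(parse_header(DUMP))
    for offset in (0x10, 0x20):      # the two records seen in the dump
        print(hex(offset), transaction_time(DUMP[offset:offset + 16]))
```

A checkbyte mismatch usually means a damaged or hand-edited dump, so it is worth testing before trusting anything decoded from the later pages.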