Topic: Oysters

Hi everyone,

first of all, thank you for providing such an amount of knowledge and also for sharing it!
Thanks to zveriu's tool I have been able to get the A and B keys of my Oyster cards.
Thanks to roel's and rconty's examples I've made a GUI of everything, making it easier to use and maybe quicker.

My question might sound stupid but still here it is:
Why are the keys not the same from one card to another for every single sector? (or at least one...)

Let me explain my logic:
As each Oyster card has to be validated, I thought "Great, there might exist a master key to read a specific sector and write to it". Like that all the readers will be able to read the wanted data and write to it... so I recovered the (0xf+1)*2 keys to read all the data from my first Oyster card. Once done I just put my second Oyster card and tried to read it with the keys of the first one... but no data came out...

My question is so, do they have different keys for each card and do they store them in kind of a database ?
If so I would imagine this will be so stupid because it'll go faster to have the same key for all the cards and to ask the database how much money is left on the card (by UID as it's unique) rather than asking a database for the keys corresponding to this UID and so on... and it won't be possible to add/remove money just by having the card :)

I hope you've understood. If not, just wave I'll be sniffing around...

(or maybe there is a master key but we have to emulate a card to see the reader's answer??)

Re: Oysters

Hello !

nodh wrote:

first of all, thank you for providing such an amount of knowledge and also for sharing it!

Our pleasure :)

nodh wrote:

Thanks to roel's and rconty's examples I've made a GUI of everything, making it easier to use and maybe quicker.

Thank you :-)
Will you share your GUI?

nodh wrote:

My question might sound stupid but still here it is:
Why are the keys not the same from one card to another for every single sector? (or at least one...)

I don't really know about this card, but I suppose it is to prevent all cards' keys from being broken when one key is revealed... But it's just a supposition.

nodh wrote:

My question is so, do they have different keys for each card and do they store them in kind of a database ?

No idea.

nodh wrote:

If so I would imagine this will be so stupid because it'll go faster to have the same key for all the cards and to ask the database how much money is left on the card (by UID as it's unique) rather than asking a database for the keys corresponding to this UID and so on... and it won't be possible to add/remove money just by having the card :)

UID-based systems are not secure enough to be used in a money system: a UID can be emulated using NFC, so with your scheme you would only need to know the UID of somebody's card to gain access to his account... Too easy to break.
BTW, if a system relies on a central database, there is no way to have a disconnected (standalone) access controller or so. That cannot be applied to a system that can't be continuously connected to a central server, like bus transport.

Romuald Conty

Re: Oysters

I'll obviously be very keen to share my GUI, however I'm not a pro coder and my "mother" language is more Pascal, so for the moment it's a bit of a mess in the file (...yes, you read it right... everything is in one file for the moment :) )
I just have one worry about sharing it: script kiddies. It's only a point-and-click application now and will give *a lot* of people access to this knowledge without them having even looked a bit at what it is... or how to use it (and so a lot of information). I am not against sharing (not at all, otherwise how could I have done it without YOUR sources), I'm just afraid of script kiddies.
I'll send you a copy of it (sources+exe) when it looks cleaner and a bit more professional.

Thanks for lighting my way on the UID-based systems, I was thinking more about combining it with specific information held on the cards. But whatever... I'm going to push a bit on decoding the information of the Oysters.

Kind regards.

Re: Oysters

This forum is excellent for learning. I have found that every card has its own keys also. It would be good if you would be willing to share the GUI! I have got the keys using MFCUK and then read the card using mf_tool. However when I try to write to the same card I get an error:-

    C:\MFCUK_darkside_0.3 (1)\0.3\src\bin\card22-40>nfc-mftool r a keys22.mfd dump.mfd

    Checking arguments and settings
    Succesful opened MIFARE the required files
    Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)
    Found MIFARE Classic 1K card with uid: 3b1f8867
    Reading out 64 blocks |................|
    Writing data to file: dump.mfd
    Done, all bytes dumped to file!


    C:\MFCUK_darkside_0.3 (1)\0.3\src\bin\card22-40>nfc-mftool w a keys22.mfd dump.mfd

    Checking arguments and settings
    Succesful opened MIFARE the required files
    Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)
    Found MIFARE Classic 1K card with uid: 3b1f8867
    Writing 64 blocks |.!
    Error: authentication failed for block 04

Does anyone know what I might be doing wrong?

Re: Oysters

Well, I did the same thing (dumping the data and writing the dump back with key A) and there were just a few writing mistakes that I have to investigate, but otherwise everything went OK.

    Writing 64 blocks
    Writing: xxxxx in block 1
    Successful
    Writing: xxxxx in block 2
    Successful
    Failed to write trailer block 3
    ...
    Successful
    Writing: xxxx in block 62
    Successful
    Failed to write trailer block 63
    Done, 60 of 64 blocks written. (need to be fixed!!)

I was not able to write to block 4, nor to any of the trailer blocks.

BTW I have a question about that: do we need to authenticate to the trailer first to write or read the data of the sector?
Because:
1- in your loops you're beginning at the end of the blocks (so each trailer is authenticated first)
2- I did the loops the opposite way (by adding another authentication step before reading/writing) for the output to be more user friendly and it seems to work too... but it is maybe not very elegant, is it?

I might begin to rebuild the GUI in several files for it to be more "understandable" tomorrow... but no rush, I've still got some work to do :)

Re: Oysters

Did you use mftool to write the data? It looks like you had more success than me.

Re: Oysters

Nope, modified version of nfc-mfclassic

Re: Oysters

Can you please post or email me your version of nfc-mfclassic. Thx.

Re: Oysters

It seems it could be interesting for both of you to use libfreefare to read / write to MIFARE Classic tag.

http://code.google.com/p/nfc-tools/sour … ibfreefare

There is no documentation at the moment but unit tests and examples should be self-explanatory:
- formatting a MIFARE Classic tag: http://code.google.com/p/nfc-tools/sour … c-format.c
- unit test for MIFARE Classic tag: http://code.google.com/p/nfc-tools/sour … _classic.c

Hope, it helps.

Romuald Conty

Re: Oysters

Does libfreefare run under Windows? I am not familiar with Linux, would not really know where to start unless there is a simple guide somewhere. Are there binaries available for these? It would certainly save me having to get into Linux and the compiler.

Re: Oysters

Hello,

skanker wrote:

Does libfreefare run under Windows?

Windows is not tested and not supported (and probably will never be).

skanker wrote:

I am not familiar with Linux, would not really know where to start unless there is a simple guide somewhere. Are there binaries available for these? It would certainly save me having to get into Linux and the compiler.

Sorry, I don't have any quick guide for learning to use a GNU/Linux system, but the Internet should have plenty of them. And there are many distributions that are really easy to learn.

Romuald Conty

Re: Oysters

@nodh

I think your error is related to this:
http://www.libnfc.org/community/topic/9 … fclassicc/

Re: Oysters

OK. So I have now installed Debian and after several hours I managed to figure out how to compile in Linux with all the packages etc... I feel I am nearly there. However I am now getting the error:-

    debian:/home/test/libnfc-1.3.3/src/examples# nfc-mfclassic r a dump.mfd keys22.mfd
    INFO: Sorry, serial auto-probing have been disabled at compile time.
    Error connecting NFC reader

The reader is correctly connected to the USB; if I do an lsusb, I get:-

    Bus 003 Device 002: ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader

What am I missing, do I need a driver for the touchatag in Linux?

Re: Oysters

Hello,

skanker wrote:

OK. So I have now installed Debian and after several hours I managed to figure out how to compile in Linux with all the packages etc...

There are now some instructions for installing libnfc on Debian in a clean way.
http://www.libnfc.org/documentation/ins … ian_ubuntu

skanker wrote:

I feel I am nearly there. However I am now getting the error:-

    debian:/home/test/libnfc-1.3.3/src/examples# nfc-mfclassic r a dump.mfd keys22.mfd
    INFO: Sorry, serial auto-probing have been disabled at compile time.
    Error connecting NFC reader

The reader is correctly connected to the USB; if I do an lsusb, I get:-

    Bus 003 Device 002: ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader

What am I missing, do I need a driver for the touchatag in Linux?

Are you sure that the libusb-0.1-4, libpcsclite1, libccid and pcscd packages are installed?

Romuald Conty

Re: Oysters

nodh wrote:

Hi everyone,

My question is so, do they have different keys for each card and do they store them in kind of a database ?
If so I would imagine this will be so stupid because it'll go faster to have the same key for all the cards and to ask the database how much money is left on the card (by UID as it's unique) rather than asking a database for the keys corresponding to this UID and so on... and it won't be possible to add/remove money just by having the card :)

I hope you've understood. If not, just wave I'll be sniffing around...

(or maybe there is a master key but we have to emulate a card to see the reader's answer??)

Hi Nodh,

Smartcard systems usually use a technique called "derived keys" to assign a different key to each card based on a single master key: derived key = ENCRYPT(master key, card id)

That way the card validator only needs to hold the master key (in a Security Authentication Module) and be able to generate the derived key when needed. At the same time, the attacker needs to perform the same attack on every card in order to retrieve the derived keys. Performing the attack on every card may not be economically beneficial for the attacker, because he only has a window of time to use the card before it is blacklisted by the operator, assuming the attack is hard enough and the operator can spot a compromised card quickly. You can read more about the technique in books about smartcard systems, Smart Card Handbook by Wolfgang Rankl and Wolfgang Effing for example.

So to answer your question: yes, the keys are different for each card, and no, they do not need any database.
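
The derived-key idea from the post above, as an added sketch that is not part of the original thread and is not the Oyster system's actual algorithm. HMAC-SHA256 truncated to 48 bits stands in for ENCRYPT(), the per-sector and per-key-type inputs are an extension of the post's formula, and the master key, the second UID and all function names are constructed for illustration.

```python
import hashlib
import hmac

KEY_LEN = 6    # a MIFARE Classic sector key is 48 bits
SECTORS = 16   # MIFARE Classic 1K: 16 sectors, one A and one B key each


def derive_key(master_key: bytes, uid: bytes, sector: int, key_type: str) -> bytes:
    """derived key = F(master key, card id), extended per sector and key type.

    Assumption: HMAC-SHA256 truncated to 48 bits stands in for ENCRYPT().
    """
    if key_type not in ("A", "B"):
        raise ValueError("key_type must be 'A' or 'B'")
    if not 0 <= sector < SECTORS:
        raise ValueError("sector out of range")
    context = uid + bytes([sector]) + key_type.encode("ascii")
    return hmac.new(master_key, context, hashlib.sha256).digest()[:KEY_LEN]


def card_keys(master_key: bytes, uid: bytes) -> dict:
    """Every key of one card, recomputed by a validator with no database lookup."""
    return {(s, t): derive_key(master_key, uid, s, t)
            for s in range(SECTORS) for t in ("A", "B")}


def reusable_keys(keys_from_one_card: dict, keys_of_other_card: dict) -> int:
    """Count key slots where one card's keys would also fit another card."""
    return sum(1 for slot, key in keys_from_one_card.items()
               if hmac.compare_digest(key, keys_of_other_card[slot]))


# Constructed sample values (hypothetical master key and second UID).
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
UID_FIRST = bytes.fromhex("3b1f8867")   # 4-byte UID as printed in the thread's tool output
UID_SECOND = bytes.fromhex("a4c2e901")  # constructed

if __name__ == "__main__":
    first = card_keys(MASTER_KEY, UID_FIRST)
    second = card_keys(MASTER_KEY, UID_SECOND)
    print("keys per card:", len(first))
    print("first card's keys that fit the second card:", reusable_keys(first, second))
    print("validator recomputes the same keys:", first == card_keys(MASTER_KEY, UID_FIRST))
```

Each card ends up with its own (0xf+1)*2 keys, none of which fit a second card, while a validator holding only the master key can rebuild them from the UID while offline.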

Re: Oysters

rconty wrote:

Hello,

skanker wrote:

OK. So I have now installed Debian and after several hours I managed to figure out how to compile in Linux with all the packages etc...

There are now some instructions for installing libnfc on Debian in a clean way.
http://www.libnfc.org/documentation/ins … ian_ubuntu

skanker wrote:

I feel I am nearly there. However I am now getting the error:-

    debian:/home/test/libnfc-1.3.3/src/examples# nfc-mfclassic r a dump.mfd keys22.mfd
    INFO: Sorry, serial auto-probing have been disabled at compile time.
    Error connecting NFC reader

The reader is correctly connected to the USB; if I do an lsusb, I get:-

    Bus 003 Device 002: ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader

What am I missing, do I need a driver for the touchatag in Linux?

Are you sure that the libusb-0.1-4, libpcsclite1, libccid and pcscd packages are installed?

Thank you very very much... with the help of this forum I have now been able to get this working. I was missing the libccid package. This is a great place for learning. I am now going to have a play with libfreefare.

Re: Oysters

rconty wrote:

It seems it could be interesting for both of you to use libfreefare to read / write to MIFARE Classic tag.

http://code.google.com/p/nfc-tools/sour … ibfreefare

There is no documentation at the moment but unit tests and examples should be self-explanatory:
- formatting a MIFARE Classic tag: http://code.google.com/p/nfc-tools/sour … c-format.c
- unit test for MIFARE Classic tag: http://code.google.com/p/nfc-tools/sour … _classic.c

Hope, it helps.

I have tried to build this, but am getting the following error:-

    debian:/home/test/libfreefare# make
    make  all-recursive
    make[1]: Entering directory `/home/test/libfreefare'
    Making all in libfreefare
    make[2]: Entering directory `/home/test/libfreefare/libfreefare'
    make[2]: Nothing to be done for `all'.
    make[2]: Leaving directory `/home/test/libfreefare/libfreefare'
    Making all in test
    make[2]: Entering directory `/home/test/libfreefare/test'
    make[2]: Nothing to be done for `all'.
    make[2]: Leaving directory `/home/test/libfreefare/test'
    Making all in examples
    make[2]: Entering directory `/home/test/libfreefare/examples'
    /bin/sh ../libtool --tag=CC   --mode=link gcc -I. -I../libfreefare -I/usr/local/include -I/usr/include/PCSC   -g -O2 -std=c99 -L/usr/local/lib -lnfc -lusb -lpcsclite    -o mifare-classic-format mifare-classic-format.o -lnfc ../libfreefare/libfreefare.la
    gcc -I. -I../libfreefare -I/usr/local/include -I/usr/include/PCSC -g -O2 -std=c99 -o .libs/mifare-classic-format mifare-classic-format.o  -L/usr/local/lib /usr/lib/libusb.so /usr/lib/libpcsclite.so /usr/local/lib/libnfc.so ../libfreefare/.libs/libfreefare.so
    ../libfreefare/.libs/libfreefare.so: undefined reference to `le32toh'
    ../libfreefare/.libs/libfreefare.so: undefined reference to `htole32'
    collect2: ld returned 1 exit status
    make[2]: *** [mifare-classic-format] Error 1
    make[2]: Leaving directory `/home/test/libfreefare/examples'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/home/test/libfreefare'
    make: *** [all] Error 2
    debian:/home/test/libfreefare#

Re: Oysters

Hello,

skanker wrote:

    debian:/home/test/libfreefare# make
    [...]
    make: *** [all] Error 2
    debian:/home/test/libfreefare#

I am installing a Debian Lenny to reproduce your bug, since on squeeze I don't have this problem.

BTW, for efficiency, nfc-tools related bugs should be reported at http://code.google.com/p/nfc-tools/issues/list

Thanks for your interest, hope it could be solved soon.

Romuald Conty

Re: Oysters

This is now fixed in r185: it compiles fine on Debian Lenny.

Thanks for the report.

Romuald Conty

Re: Oysters

I am sorry I posted my bug in the wrong place. I have only been using Linux for 4 days so was not sure if it was a bug or my lack of knowledge.

I have just tried the updated files and they MAKE fine. Unfortunately when I try to run mifare-classic-format, I get the following error:-

    mifare-classic-format: error while loading shared libraries: libfreefare.so.0: cannot open shared object file: No such file or directory

I have installed Ubuntu as well and recompiled in there, but still get the same problem.

Just checking that I am doing it right, I did the following steps

1. Downloaded the code
2. autoreconf -vis
3. make
4. sudo make install

Is that correct? Many thanks again for your help and support.

Re: Oysters

Following the instruction on the libfreefare website (thanks again)

1. Downloaded the code
2. autoreconf -vis
3. ./configure
4. make
5. sudo make install

Re: Oysters

Sorry I did include ./configure. I still got the same error.

Re: Oysters

skanker wrote:

Sorry I did include ./configure. I still got the same error.

Sorry but I have to close this topic, libfreefare's bug reports must go in http://code.google.com/p/nfc-tools/issues/list

Thanks for understanding.

Romuald Conty