Re: [android-montreal] Digest for android-montreal@googlegroups.com - 11 Messages in 3 Topics


François Proulx

Apr 24, 2012, 6:16:21 PM
to android-...@googlegroups.com
Stop dreaming right now about using the phone as a replacement for the card. The card is seeded at the factory with secret keys which are not accessible through any ISO 7816 command. That's the way smart cards work. It's a one-way thing; STM has those keys in their database to authenticate the records.

The only thing you might be looking to do is read the contents of the card (most of it should be plaintext, but signed). You could potentially read the list of the x last transactions. Also eventually STM might offer an app which would interact with the card to charge it; again, all of this would be mutually authenticated using pre-shared secret keys.

Sent from my iPhone 4

On 2012-04-24, at 17:59, android-...@googlegroups.com wrote:

Group: http://groups.google.com/group/android-montreal/topics

    John Brohan <jbr...@gmail.com> Apr 24 10:48AM -0400  

    I think it would be wise to conduct this hacking operation away from our
    Google Group. It will likely get us closed down. Can you provide a
    clear legal reason to hack this card? Personally I have had excellent
    service from the STM and I do not want to be associated with an operation
    to break it. Please do not involve the Android Montreal group in this
    venture.
    Yours Sincerely
    John
    --
    *We will not have it censored. We built the Internet as a tool to make
    every individual human being on the planet more empowered. What the users
    do with the Internet is up to them – not up to Hollywood, not up to
    politicians, and not even up to us who built it. Whatever else we Internet
    geeks may disagree on among ourselves, we will not allow our gift of fire
    to be snuffed out by jealous gods*. http://esr.ibiblio.org/?p=4155 Eric S.
    Raymond's Open Letter to Chris Dodd

     

    Tuan Bach Quoc <tuan...@gmail.com> Apr 24 11:13AM -0400  

    There is nothing wrong here... we just read the info in the NFC card...
     
    Nobody wants to break the card; we may have the chance to use the phone as
    the OPUS card, that's it.
     
    I don't know about you, but the OPUS card is not working through the wallet, and
    it's SOOO annoying to have to open the wallet every time...
     
     
     
    On Tue, Apr 24, 2012 at 11:08 AM, Pierre-Olivier Dybman <po.d...@gmail.com

     

    "Mathieu Méa" <mathi...@gmail.com> Apr 24 09:07AM -0700  

    One good reason to "hack" the OPUS card would be to be able to use your
    NFC-enabled phone instead of the OPUS card.
    I don't think anyone here wants to hack the OPUS card to stop paying for
    tickets.
     
    On Tuesday, April 24, 2012 10:48:29 AM UTC-4, jbrohan wrote:

     

    Michael El-Jiz <michae...@gmail.com> Apr 23 12:49PM -0700  

    Hello everyone!
     
    I can read the data on a disposable OPUS card, but not the real
    OPUS card. I'll post the information:
    // * and x mean the sector is locked or something, so unchangeable
     
    sector / info ASCII
    [00] * 04:80:00 0C (UID0-UID2, BCC0)
    [01] * AA:57:1F:84 (UID3-UID6)
    [02] x 66 48 E0:00 (BCC1, INT, LOCK0-LOCK1)
    [03] . 00:00:00:00 (OTP0-OTP3) // the data starts after this line, i.e. sector [04]
    [04] . 00 01 00 01 |....|
    [05] x 31 1D 02 20 |1.. |
    [06] x 57 51 84 00 |WQ..|
    [07] x D2 77 27 0F |.w'.|
    [08] . 01 5D 45 20 |.]E |
    [09] . 67 40 41 00 |g@A.|
    [0A] . 65 00 2B A8 |e.+.|
    [0B] . 00 10 41 73 |..As|
    [0C] . 01 5D 45 20 |.]E |
    [0D] . 76 40 11 00 |v@..|
    [0E] . 65 00 2B A8 |e.+.|
    [0F] . 00 10 E7 7E |...~|
     
     
    Purchase time: 20 April 2012, between 9 a.m. and noon.
    Duration: 24 hours
     
    I'll try to find the date format (hoping it's UTC in seconds) and the
    card's duration. I wonder how long that will take me.
     
    Now, to try to reproduce this card, I can't find software that lets me
    simulate or write the first few sectors to blank tags, but I don't think
    that's a problem. The tags I have AND the OPUS card are both NDEF. It seems
    to me the first sectors are the ID or something like that.
     
    Let's get to work!
     
     
    On Monday, June 27, 2011 12:14:28 PM UTC-4, Mathieu Méa wrote:

     

    "François Proulx" <francoi...@gmail.com> Apr 23 07:24PM -0700  

    You're wasting your time starting out like that. The Calypso spec is a
    packed binary format; we're far from ASCII. Besides, the date format is
    more of an epoch in seconds counted from some arbitrary date. If you have
    a lot of time to put in, the DF / ISO 7816 specs can be found on the
    net... There's even open source code floating around the net...
     
    But I'll tell you right away, it's quite painful; even for someone who
    knows ISO 7816 well, it's really not a pleasant format. Nothing like the
    EMV spec, for example.
     
    I know several people who have already worked a bit on Opus cards, but I
    don't know anyone who has taken the time to do the mapping of stations /
    station IDs...
     
    http://dtvax.net/sharedUnit/calypso/
    http://code.google.com/p/cardpeek/
     
     

     

    Tuan Bach Quoc <tuan...@gmail.com> Apr 24 10:20AM -0400  

    Hey,
     
    Very interesting and fun topic.
     
    Here is my quick and dirty analysis. What is the disposable Opus card?
    Why didn't it work with the normal Opus card?
     
    To do a proper analysis you'd need to give more info about the card. If
    there are any numbers lying around on the back, I'll take them; take a
    photo of the card too, I'm going to get one myself.
     
    Thanks, and nice initiative.
     
    [04] . 00 01 00 01 |....|
    [05] x 31 1D 02 20 |1.. |
    [06] x 57 51 84 00 |WQ..| >> 1464960000 >> UNIXTIME >> Friday 3 June 2016
    at 9.20am Montreal time (1.20pm GMT), so it seems good but exactly 4 years
    difference... (130 032 000)
    [07] x D2 77 27 0F |.w'.|
     
    [08] . 01 5D 45 20 |.]E | >> header // separator?
    [09] . 67 40 41 00 |g@A.|
    [0A] . 65 00 2B A8 |e.+.| >> header // separator?
    [0B] . 00 10 41 73 |..As|
     
    [0C] . 01 5D 45 20 |.]E | >> header // separator?
    [0D] . 76 40 11 00 |v@..|
    [0E] . 65 00 2B A8 |e.+.| >> header // separator?
    [0F] . 00 10 E7 7E |...~|
     

     

    "Etienne C." <etienn...@gmail.com> Apr 23 06:01PM -0700  

    Hello everyone!
     
    So, the May meetup is coming up, and I'd like to send out a call to
    speakers who might want to dazzle us with their Android knowledge :)
     
    Also, if anyone has a pet subject they'd like to see us tackle, please
    share with the group.

     

    Michael El-Jiz <mic...@eljiz.com> Apr 23 09:04PM -0400  

    Hey, I'm new here!
     
    When and where are the meetups held?
     
    Also maybe we could talk about NFC? I can do a little research maybe...
    Warning though, I'm kind of a n00b.
     
     
    --
    Michael El-Jiz
    www.eljiz.com

     

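The dump Michael posted and the timestamp reading Tuan made of it, both quoted in the digest above, can be checked mechanically rather than by eye. The following Python is an added example, not code from anyone in this thread. It parses the dump rows as posted, verifies the two check bytes of the MIFARE Ultralight page layout that the row labels indicate (BCC0 = 0x88 ^ UID0 ^ UID1 ^ UID2, where 0x88 is the ISO 14443-3 cascade tag, and BCC1 = UID3 ^ UID4 ^ UID5 ^ UID6), which is how you tell a clean read from a garbled or edited dump, decodes page [06] as a big-endian 32-bit value, and lists which pages repeat. Two things are assumptions carried over from the posts, not established facts: that page [06] is a seconds-since-epoch timestamp (Tuan's hypothesis), and that the 130 032 000 figure in his message is an offset in seconds; the Montreal offset of UTC-4 for April 2012 is also assumed here.

```python
"""Added example (not from the thread): consistency checks on the disposable
OPUS ticket dump posted above, which follows the MIFARE Ultralight page layout
its labels indicate (UID0-UID2/BCC0, UID3-UID6, BCC1/INT/LOCK0-LOCK1, OTP)."""
import re
from datetime import datetime, timedelta, timezone

# Sample input: the rows exactly as pasted in Michael's message, without his
# comments. Each row is "[page] marker b0 b1 b2 b3 ..." with ':' or ' ' between bytes.
SAMPLE_DUMP = """\
[00] * 04:80:00 0C (UID0-UID2, BCC0)
[01] * AA:57:1F:84 (UID3-UID6)
[02] x 66 48 E0:00 (BCC1, INT, LOCK0-LOCK1)
[03] . 00:00:00:00 (OTP0-OTP3)
[04] . 00 01 00 01 |....|
[05] x 31 1D 02 20 |1.. |
[06] x 57 51 84 00 |WQ..|
[07] x D2 77 27 0F |.w'.|
[08] . 01 5D 45 20 |.]E |
[09] . 67 40 41 00 |g@A.|
[0A] . 65 00 2B A8 |e.+.|
[0B] . 00 10 41 73 |..As|
[0C] . 01 5D 45 20 |.]E |
[0D] . 76 40 11 00 |v@..|
[0E] . 65 00 2B A8 |e.+.|
[0F] . 00 10 E7 7E |...~|
"""

# Figure quoted in Tuan's message (assumed to be seconds) and the time zone
# assumed for the purchase window Michael gave (Montreal, April 2012 = UTC-4).
POSTED_OFFSET_SECONDS = 130_032_000
MONTREAL_APRIL = timezone(timedelta(hours=-4))

PAGE_RE = re.compile(r"^\[([0-9A-Fa-f]{2})\]\s+[*x.]\s+((?:[0-9A-Fa-f]{2}[ :]?){4})")


def parse_dump(text):
    """Map page number -> 4 bytes, skipping lines that are not dump rows."""
    pages = {}
    for line in text.splitlines():
        m = PAGE_RE.match(line.strip())
        if m:
            pairs = re.findall(r"[0-9A-Fa-f]{2}", m.group(2))
            pages[int(m.group(1), 16)] = bytes(int(p, 16) for p in pairs)
    return pages


def uid(pages):
    """7-byte UID spread over page 0 (first three bytes) and page 1."""
    return pages[0][:3] + pages[1]


def check_bcc(pages):
    """MIFARE Ultralight check bytes from the ISO 14443-3 anticollision:
    BCC0 = 0x88 ^ UID0 ^ UID1 ^ UID2 (0x88 is the cascade tag),
    BCC1 = UID3 ^ UID4 ^ UID5 ^ UID6. A mismatch means a bad read or an edited dump."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    bcc0_ok = (0x88 ^ p0[0] ^ p0[1] ^ p0[2]) == p0[3]
    bcc1_ok = (p1[0] ^ p1[1] ^ p1[2] ^ p1[3]) == p2[0]
    return bcc0_ok, bcc1_ok


def page_as_be32(pages, n):
    """Read page n as a big-endian unsigned 32-bit integer."""
    return int.from_bytes(pages[n], "big")


def decode_as_unix_time(pages, n, offset_seconds=0):
    """Tuan's hypothesis: page n holds seconds since some epoch. Returns UTC."""
    return datetime.fromtimestamp(page_as_be32(pages, n) - offset_seconds, tz=timezone.utc)


def in_purchase_window(dt):
    """Michael stated the ticket was bought 20 April 2012 between 9 a.m. and noon (Montreal)."""
    start = datetime(2012, 4, 20, 9, 0, tzinfo=MONTREAL_APRIL)
    end = datetime(2012, 4, 20, 12, 0, tzinfo=MONTREAL_APRIL)
    return start <= dt <= end


def repeated_pages(pages):
    """Pages whose 4 bytes occur more than once (the 'header / separator' rows Tuan flagged)."""
    groups = {}
    for n, data in sorted(pages.items()):
        groups.setdefault(data, []).append(n)
    return {data: ns for data, ns in groups.items() if len(ns) > 1}


if __name__ == "__main__":
    pages = parse_dump(SAMPLE_DUMP)
    print("UID:", uid(pages).hex(), "BCC0/BCC1 ok:", check_bcc(pages))
    print("page 06 as uint32:", page_as_be32(pages, 6), "->",
          decode_as_unix_time(pages, 6).isoformat())
    shifted = decode_as_unix_time(pages, 6, POSTED_OFFSET_SECONDS)
    print("minus posted offset:", shifted.astimezone(MONTREAL_APRIL).isoformat(),
          "in stated purchase window:", in_purchase_window(shifted))
    for data, ns in repeated_pages(pages).items():
        print("repeated page content", data.hex(), "at pages", ns)
```

Both check bytes come out correct for the posted rows, so the dump is at least a clean read of a real tag. Page [06] decodes to 1464960000, which is 2016-06-03 13:20 UTC as Tuan says; subtracting his 130 032 000 figure gives 2012-04-20 13:20 UTC, 09:20 in Montreal, inside the purchase window Michael stated. That makes the seconds-since-some-date reading plausible, but it is still one hypothesis fitted to a single sample; François's remark that Calypso uses a packed binary format counting from an arbitrary date would explain the shift just as well, and only a second ticket with a known purchase time would separate the two.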

Tuan Bach Quoc

Apr 24, 2012, 6:33:13 PM
to francoi...@gmail.com, android-...@googlegroups.com
But could we clone the info?

Pierre-Olivier Dybman

Apr 24, 2012, 6:56:13 PM
to tuan...@gmail.com, android-montreal, francoi...@gmail.com

No

Sent from mobile

François Proulx

Apr 24, 2012, 6:57:31 PM
to Tuan Bach Quoc, android-...@googlegroups.com
What do you mean by cloning? You should have read-only access to some stuff such as recent usages, but not much more.

There would be no way of having the phone do a complete handshake with a metro turnstile reader unless you had the secret key. This is off limits for most of us. I mean, sure, it's possible, but you'd need to go destructively (skim the chip using baths of various acids), inspect it under an electron microprobe and inject various metals in small holes under the chip to sniff the traffic inside of it. I'm not even sure that even the best university electronic labs have the tools or skills to do this. This is pretty advanced stuff.

This stuff is made so that the effort / money required to do this for each card (remember each card is seeded with unique keys at the factory) would be greater than what you could defraud... Say you'd clone a bank card: the bank account behind it would have far less money than what is involved in cracking it.

Sent from my iPhone 4

Olivier Bilodeau

Apr 24, 2012, 7:48:40 PM
to francoi...@gmail.com, Tuan Bach Quoc, android-...@googlegroups.com
That said, it's still possible that there would be mistakes in the implementation in the smart card itself (i.e. buffer overruns) or bad interpretation of standards/protocols, but I would expect that it already has been audited thoroughly, so anything remaining will be hard to find.

2012/4/24 François Proulx <francoi...@gmail.com>



--
Olivier Bilodeau <oli...@bottomlesspit.org>

François Proulx

Apr 24, 2012, 8:02:02 PM
to Olivier Bilodeau, Tuan Bach Quoc, android-...@googlegroups.com
This is pretty low-level stuff. Even if there are mistakes in the "code", the key management is done by the card itself. It's an HSM, and Opus is the same system that Oberthur is selling to RATP. The system has been live since 2001 and has been audited multiple times by hacker groups in Europe. Nothing like the Oyster Card in London, which has multiple flaws.

I'm not saying it's unbreakable, but probably out of our league...

Sent from my iPad

Pierre-Olivier Dybman

Apr 24, 2012, 8:59:52 PM
to francoi...@gmail.com, android-montreal, tuan...@gmail.com, Olivier Bilodeau

Oberthur is only producing the chips. The Calypso system is provided by Innovatron. And yes, as said from the beginning, we won't do anything with that.

Sent from mobile
