Octopus Security Analysis (system based on FeliCa cards)

asper · 2012-11-12 16:00:41

Felica seems to be a real secure system.

http://courses.ece.ubc.ca/412/previous_years/2007_1_spring/modules/term_project/reports/2007/security_analysis_of_octopus_smart_card_system.pdf

RadioWar · 2012-11-14 13:23:48

i have something for Octopus~maybe can do something~~~

asper · 2012-11-14 17:06:22

Post or PM, thanks

RadioWar · 2012-11-16 18:30:23

asper wrote:

Post or PM, thanks

I cant PM you man~~give me your email~

asper · 2012-11-17 18:56:04

You are right, no PM here, sorry; can you provide a public mail ? I will contact you there, thanks !

RadioWar · 2012-11-18 16:04:37

asper wrote:

You are right, no PM here, sorry; can you provide a public mail ? I will contact you there, thanks !

radiowar<At>QQ.com

asper · 2012-11-18 19:41:51

QQ server seems not toaccept my mail... another one ?

RadioWar · 2012-11-19 11:22:06

asper wrote:

QQ server seems not toaccept my mail... another one ?

Fuxking QQ~~~admin<At>radiowar.org

happyboyxxx · 2015-10-07 11:04:38

Sounds interesting,
and now some Metro tickets were adopted into the Felica Lite-S tags,
is it secure?

iceman · 2016-03-06 15:17:23

@Asper Seems to be something they have in Hongkong. What info do you have? I'll get my hands on one tag soon.

happyboyxxx · 2016-03-14 06:32:04

Hi
It seems that the metro ticket uses 2 different types of tags : Ultralight C and FeliCa Lite-S
I used my NFC phone to read the FeliCa one but seems it needs the key for authentication...
Only known the system code 0x8008 is sames as the octopus card code.

Hope this information could help...:P

Here is the ticket pictures and some screenshot:
http://postimg.org/image/bnc66qtej/
http://postimg.org/image/5julmu34r/
http://postimg.org/image/qi0rkx2zf/

happyboyxxx · 2016-03-14 06:52:12

Oh yes,

there are different type of octopus card,
and seems that some of the octopus card are now phase out.( because of not supporting NFC function? or due to the low security?)

Sony has not disclose the commands to operate FeliCa with keys, seems that it is so difficult to know it...
However, the octopus card company allow the user to plug the ACR122U to check the card balance and records.
Could it be the chance to know how to read the FeliCa with keys?

http://www.octopus.com.hk/customer-service/octopus-pc-reader-service/en/index.html

I have capture some APDU command through the checking and I am still understanding these (but very confusing...:( )

iceman · 2016-03-14 10:20:23

Someone told me you can download the .jar file and decompile it. Inside you'll find some APDU's used.

But if the PM3 can understand Felicia is different matter.

iceman · 2016-03-16 15:15:04

I got my hands on three octopus tags now.
Have someone ever read a Felica based tag with the PM3

If so, please contact me. even if I don't see the private messages anymore, you still can email me.

frank · 2017-12-11 01:58:26

happyboyxxx wrote:

Oh yes,
there are different type of octopus card,
and seems that some of the octopus card are now phase out.( because of not supporting NFC function? or due to the low security?)
Sony has not disclose the commands to operate FeliCa with keys, seems that it is so difficult to know it...
However, the octopus card company allow the user to plug the ACR122U to check the card balance and records.
Could it be the chance to know how to read the FeliCa with keys?
http://www.octopus.com.hk/customer-service/octopus-pc-reader-service/en/index.html
I have capture some APDU command through the checking and I am still understanding these (but very confusing...:( )

Not sure if anyone is interested.
https://wfe.oos.octopus-cards.com/agenda/oors/ocapvm-0.0.1.jar
https://wfe.oos.octopus-cards.com/agenda/oors/ocapclient-dvf.jar

Probably the most relevant files are these

Card.class wrote:

package com.octopuscards.oos.client.card;
import java.util.Arrays;
public class Card
{
protected CardType type;
protected byte[] manufacturerID;

public Card(CardType type, byte[] mId)
{
this.type = type;
this.manufacturerID = mId;
}

public CardType getType()
{
return this.type;
}

public void setType(CardType type)
{
this.type = type;
}

public byte[] getManufacturerID()
{
return this.manufacturerID;
}

public void setManufacturerID(byte[] manufacturerID)
{
this.manufacturerID = manufacturerID;
}

public boolean equals(Object card)
{
if ((Card.class.isInstance(card)) &&
(((Card)card).getType() == this.type) &&
(Arrays.equals(((Card)card).getManufacturerID(), this.manufacturerID))) {
return true;
}
return false;
}
}

CardCommand.class wrote:

package com.octopuscards.oos.client.card;
public class CardCommand
{
public static final byte[] FELICA_SEAC_POLL = { 6, 0, 1, 1, 1, 1 };
public static final byte[] FELICA_DES_POLL = { 6, 0, Byte.MIN_VALUE, 8, 0, 1 };
public static final byte[] MOBILE_SIM_POLL = { 0, -1, -1, 0, 0 };
public static final byte[] FELICA_DES_REQSRV = { 13, 2, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1, -1 };
public static final byte[] FELICA_DES_REQRSP = { 10, 4, 0, 0, 0, 0, 0, 0, 0, 0 };
public static final byte[] TYPEA_POLL = new byte[0];
public static final byte[] TYPEB_POLL = new byte[0];

public static byte[] getDESReqSrvCmd(byte[] idm)
{
byte[] reqsrv = new byte[FELICA_DES_REQSRV.length];
System.arraycopy(FELICA_DES_REQSRV, 0, reqsrv, 0, reqsrv.length);
System.arraycopy(idm, 0, reqsrv, 2, idm.length);
return reqsrv;
}

public static byte[] getDESReqRspCmd(byte[] idm)
{
byte[] reqRsp = new byte[FELICA_DES_REQRSP.length];
System.arraycopy(FELICA_DES_REQRSP, 0, reqRsp, 0, reqRsp.length);
System.arraycopy(idm, 0, reqRsp, 2, idm.length);
return reqRsp;
}
}

CardCommand.class wrote:

package com.octopuscards.oos.client.card;
public enum CardType
{
DES(CardCommand.FELICA_DES_POLL, CardCommand.FELICA_DES_REQRSP), SEAC(CardCommand.FELICA_SEAC_POLL, CardCommand.FELICA_SEAC_POLL), MOBILE_SIM(CardCommand.MOBILE_SIM_POLL, CardCommand.MOBILE_SIM_POLL);

private byte[] pollcmd;
private byte[] reqRspCmd;

public byte[] getPollcmd()
{
return this.pollcmd;
}

public void setPollcmd(byte[] pollcmd)
{
this.pollcmd = pollcmd;
}

private CardType(byte[] pollcmd, byte[] reqRspCmd)
{
this.pollcmd = pollcmd;
this.reqRspCmd = reqRspCmd;
}

public byte[] getManufacturorID(byte[] pollResp)
{
try
{
if ((this == SEAC) && (pollResp.length >= 10))
{
byte[] idm = new byte[8];
System.arraycopy(pollResp, 2, idm, 0, 8);
return idm;
}
if ((this == DES) && (pollResp.length >= 10))
{
byte[] idm = new byte[8];
System.arraycopy(pollResp, 2, idm, 0, 8);
return idm;
}
if ((this == MOBILE_SIM) && (pollResp.length >= 8))
{
byte[] idm = new byte[8];
System.arraycopy(pollResp, 1, idm, 0, 8);
return idm;
}
return null;
}
catch (RuntimeException e)
{
e.printStackTrace();
}
return null;
}

public byte[] getReqRspCmd()
{
return this.reqRspCmd;
}

public void setReqRspCmd(byte[] reqRspCmd)
{
this.reqRspCmd = reqRspCmd;
}
}

Proxmark3 community

Announcement

#1 2012-11-12 16:00:41

Octopus Security Analysis (system based on FeliCa cards)

#2 2012-11-14 13:23:48

Re: Octopus Security Analysis (system based on FeliCa cards)

#3 2012-11-14 17:06:22

Re: Octopus Security Analysis (system based on FeliCa cards)

#4 2012-11-16 18:30:23

Re: Octopus Security Analysis (system based on FeliCa cards)

#5 2012-11-17 18:56:04

Re: Octopus Security Analysis (system based on FeliCa cards)

#6 2012-11-18 16:04:37

Re: Octopus Security Analysis (system based on FeliCa cards)

#7 2012-11-18 19:41:51

Re: Octopus Security Analysis (system based on FeliCa cards)

#8 2012-11-19 11:22:06

Re: Octopus Security Analysis (system based on FeliCa cards)

#9 2015-10-07 11:04:38

Re: Octopus Security Analysis (system based on FeliCa cards)

#10 2016-03-06 15:17:23

Re: Octopus Security Analysis (system based on FeliCa cards)

#11 2016-03-14 06:32:04

Re: Octopus Security Analysis (system based on FeliCa cards)

#12 2016-03-14 06:52:12

Re: Octopus Security Analysis (system based on FeliCa cards)

#13 2016-03-14 10:20:23

Re: Octopus Security Analysis (system based on FeliCa cards)

#14 2016-03-16 15:15:04

Re: Octopus Security Analysis (system based on FeliCa cards)

#15 2017-12-11 01:58:26

Re: Octopus Security Analysis (system based on FeliCa cards)

Board footer