t:kort public transportation card explorations

In a follow up to my DESFire communication example post, here is a brief explanation of what you can find on the “t:kort“.

The “t:kort” is a public transportation card used in the county of “Sør-Trøndelag” in Norway. The card is a Mifare DESFire contactless smartcard, and the data stored on the card follows the NORTIC Specification for Mifare DESFire (NSD) (Statens Vegvesen – Håndbok 206 Elektronisk billettering (2004/05) page 218 )

Some commands do not require authentication, but read/write access to the files in the Transport directory requires the use of key #7, which is not public.

Note: DESFire uses LSBF (Least Significant Byte First).

Here I’ll show the data that is public (does not require auth), and briefly explain what they mean.

General DESFire stuff:

File types:
0x00 = Standard Data Files
0x01 = Backup Data Files
0x02 = Value Files with Backup
0x03 = Linear Record Files with Backup
0x04 = Cyclic Record Files with Backup
Communication mode:
0x00 = Plain communication
0x01 = Plain communication secured by DES/3DES MACing
0x03 = Fully DES/3DES enciphered communication
Communication flow:
--> To card
<-- From card

Communication with a virgin t:kort:

Get Version:
--> 60
<-- af 04 01 01 00 02 18 05
--> af
<-- af 04 01 01 00 06 18 05
--> af
<-- 00 XX XX XX XX XX XX XX ZZ ZZ ZZ ZZ ZZ 29 08

The GetVersion command returns manufacturing data about the PICC (chip).
04 = Vendor id (Philips)
Hardware version is 0.2 (00 02), and storage size is 18 (4096 bytes).
Software version is 0.6 (00 06), and storage size is 18 (4096 bytes)
The X’s are the 7-byte UID
The Z’s are the 5-byte batch number
29 = Calendar week of production
08 = Production year

Get Application IDs:
--> 6a
<-- 00 00 80 57 01 80 57

2 Applications available: 00 80 57 and 01 80 57
57 80 00 is the NORTIC Card Issuer DF (Directory File)
57 80 01 is the NORTIC Transport DF

Select Application 00 80 57:
--> 5a 00 80 57
<-- 00

OK

Get Key Settings for application master key (AID 00 80 57):
--> 45
<-- 00 12 04

12 = configuration not changeable, no free create/delete file, free directory list, master key not changeable, other key changeable using key # 1
04 = number of 3DES keys : 4 (Master key (M, #0), card Issuer key (I, #1), Card retailer key (C,#2), and Read key (R, #3).

Iterating the Get Key Version command shows that keys 00-03 are available.
All other key IDs return 0x40 (No Such Key)

Get Key Version key 00 (AID 00 80 57):
--> 64 00
<-- 00 1d
Get Key Version key 01 (AID 00 80 57):
--> 64 01
<-- 00 1d
Get Key Version key 02 (AID 00 80 57):
--> 64 02
<-- 00 1d
Get Key Version key 03 (AID 00 80 57):
--> 64 03
<-- 00 fb
Get File IDs (AID 00 80 57):
--> 6f
<-- 00 0c

File ID 0c = CI_Header (Card Issuer Header)
This file is created during the personalization process and is never written to during normal process.

Get File Settings for file 0c (AID 00 80 57):
--> f5 0c
<-- 00 00 00 f1 ef 10 00 00

00 = Standard Data file
00 = Plain Communication
f1 ef = read is free, write disabled, r/w disabled, Change Config with key #1
10 00 00 = length 0x10 (16 bytes)

Read Data in file 0c (AID 00 80 57):
--> bd 0c 00 00 00 10 00 00
<-- 00 90 80 00 02 XX XX XX XX 6c 68 00 28 00 02 80 40

First 10 bits = 578 (ISO country code Norway)
Next 20 bits = Format (0)
Next 2 bits = 2 (choice bitmap = cardIDNumber32bits)
Next 32 bits = Application wide unique serial number, set up at prepersonalization (denoted as ‘X’ here). This number can be found on the surface of the card printed in decimal form.
Next 14 bits = cardValidityEndDate. Card is valid until Dec 31st 2015 (Number of days since 1997-01-01 = 6938)
Next 20 bits = 160 (Application Owner Company ID)
Next 20 bits = 160 (Retailer Organisation ID)
Next 4 bits = cardKeyVersion = 1 (Used to identify which keys are in use. Initial = 1)
Last 6 bits = Not used

Select Application 01 80 57:
--> 5a 01 80 57
<-- 00

OK

Get Key Settings application master key (AID 01 80 57):
--> 45
<-- 00 12 08

12 = configuration not changeable, no free create/delete file, free directory list, master key not changeable, other key changeable using key # 1
08 = number of 3DES keys : 8 (Master key (M, #0), application Owner/issuer key (O, #1), Application retailer key (A, #2), Card retailer key (C, #3), Product retailers key (P, #4), add-Value key (V,#5), Service providers key (S, #6) and Read key (R, #7)).

Iterating the Get Key Version command shows that keys 00-07 are available.
All other key IDs return 0x40 (No Such Key)

Get Key Version key 00 (AID 01 80 57):
--> 64 00
<-- 00 1d
Get Key Version key 01 (AID 01 80 57):
--> 64 01
<-- 00 1d
Get Key Version key 02 (AID 01 80 57):
--> 64 02
<-- 00 1d
Get Key Version key 03 (AID 01 80 57):
--> 64 03
<-- 00 1d
Get Key Version key 04 (AID 01 80 57):
--> 64 04
<-- 00 76
Get Key Version key 05 (AID 01 80 57):
--> 64 05
<-- 00 94
Get Key Version key 06 (AID 01 80 57):
--> 64 06
<-- 00 25
Get Key Version key 07 (AID 01 80 57):
--> 64 07
<-- 00 fb
Get File IDs (AID 01 80 57):
--> 6f
<-- 00 01 02 03 04 05 06 0a 0c

8 files available
01 = T_ProductRetailer file
02 = T_ServiceProvider file
03 = T_SpecialEvent File
04 = T_StoredValue file
05 = T_GeneralEventLog file
06 = T_SVReloadLog file
0a = T_Environment file
0c = T_cardHolder file

Get File Settings for file 01 (AID 01 80 57):
--> f5 01
<-- 00 01 01 41 7f 80 01 00

01 = Backup data file
01 = Plain communication with MAC
41 7f = Access bits (Read with key #7, Write disabled, R/W with key#4, Change settings with Key #1)
80 01 00 = File size (0x180 = 384 bytes)

Get File Settings for file 02 (AID 01 80 57):
--> f5 02
<-- 00 01 01 41 76 80 00 00

01 = Backup data file
01 = Plain communication with MAC
41 76 = Access bits (Read with key #7, Write with key #6, R/W with key#4, Change settings with Key #1)
80 00 00 = File size (0x80 = 128 bytes)

Get File Settings for file 03 (AID 01 80 57):
--> f5 03
<-- 00 01 01 41 76 20 01 00

01 = Backup data file
01 = Plain communication with MAC
41 76 = Access bits (Read with key #7, Write with key #6, R/W with key#4, Change settings with Key #1)
20 01 00 = File size (0x120 = 288 bytes)

Get File Settings for file 04 (AID 01 80 57):
--> f5 04
<-- 00 02 01 51 7f 00 00 00 00 ff ff ff 7f 00 00 00 00 00

02 = Value File with Backup
01 = Plain communication with MAC
51 7f = Access bits (Read with key #7, Write disabled, R/W with key #5, Change settings with key #1)
00 00 00 00 = Lower limit
ff ff ff 7f = Upper limit (7fffffff)
00 00 00 00 = Limited credit value
00 = limited credit disabled

Get File Settings for file 05 (AID 01 80 57):
--> f5 05
<-- 00 04 00 f1 76 24 00 00 09 00 00 08 00 00

04 = Cyclic Record File with Backup
00 = Plain communication
f1 76 = Access bits (Read with key #7, Write with key #6, R/W disabled, Change settings with key #1)
24 00 00 = Record size (0x24 = 36 bytes)
09 00 00 = Max number of record (9)
08 00 00 = Current number of records (8)

Get File Settings for file 06 (AID 01 80 57):
--> f5 06
<-- 00 04 00 f1 75 20 00 00 03 00 00 02 00 00

04 = Cyclic Record File with Backup
00 = Plain communication
f1 75 = Access bits (Read with key #7, Write with key #5, R/W disabled, Change settings with key #1)
20 00 00 = Record size (0x20 = 32 bytes)
03 00 00 = Max number of record (3)
02 00 00 = Current number of records (2)

Get File Settings for file 0a (AID 01 80 57):
--> f5 0a
<-- 00 00 00 21 7f 20 00 00

00 = Standard Data File
00 = Plain communication
21 7f = Access bits (Read with key #7, Write disabled, R/W with key#2, Change settings with Key #1)
20 00 00 = File size (0x20 = 32 bytes)

Get File Settings for file 0c (AID 01 80 57):
--> f5 0c
<-- 00 00 00 31 7f 20 00 00

00 = Standard Data File
00 = Plain communication
31 7f = Access bits (Read with key #7, Write disabled, R/W with key#3, Change settings with Key #1)
20 00 00 = File size (0x20 = 32 bytes)

Select PICC Application:
--> 5a 00 00 00
<-- 00

OK

Get Key Settings (for PICC Application):
--> 45
<-- 00 0b 01

0b = configuration changeable, no free create/delete file, free directory list, master key changeable
01 = Only 1 key can exist for this application (the PICC application)

Get Key Version for key 00 (for PICC Application):
--> 64 00
<-- 00 1d

The PICC master key version is 0x1d

That’s all we can read from the card without knowing the read key for the Transport DF (Key #7).


2 responses to “t:kort public transportation card explorations

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: