Research, development and trades concerning the powerful Proxmark3 device.
Hey all,
We are currently looking for any information available about Sony Felica.
Please post a link or send me an email, so we can integrate the Felica modulation into the Proxmark.
Cheers,
Roel
Offline
The modulation is Manchester coding based, from reader to card and card to reader.
The protocol is defined within Japanese Industrial Standard (JIS) X 6319-4, but you need to buy it.
However, you can find the same protocol definition in ECMA 340 here:
http://www.ecma-international.org/cgi-b … ma-340.pdf
:-)
The high speed protocol (212K and 424K) is exactly the same as the Sony Felica protocol, and the device detection allows at least recovering the serial number of the chip.
After selection, the Sony Felica performs authentication using 3-DES.
Offline
Thank you for the information!
This will cover the modulation, I think. Do all Felica tags use 3-DES? Or are the versions that have now been used in Singapore for more than 5 years maybe an older version of those? It would be nice to have a protocol description of these tags.
If anyone has an idea, please share.
Thanks in advance, cheers,
Roel
Offline
Sorry, in fact this is a single DES for Singapore, but using 2 keys to encrypt 2 different randoms and exchanging the results to verify mutual authentication. This is a 3-pass authentication. When needed I can add some more info here ...
Just for fun and to get some information about the security of this chip, here is a paper explaining the security target:
http://www.commoncriteriaportal.org/fil … liCaRC.pdf
The funny thing now: you will see a lot of REMOVED squares in it. It is probably to protect the information they didn't want to disclose ... However, the guy who did it was not very good, as the text is still behind the REMOVED squares. To see it, you just have to do CTRL-A and CTRL-V in a Word file or copy with drag and drop using the mouse ;-)
Offline
Hey rf_hack,
Thank you for this document, it is really nice to have more information about this card.
I have revised the PDF document and restored all the text that could be "revealed" from the REMOVED boxes.
Pretty stupid they actually left it in the document.
You can find the new version at:
http://www.proxmark.org/files/index.php … stored.pdf
Thanks again, cheers,
Roel
Offline
Let me know if you start to analyze the card, I will have some more info to share ...
And thanks for the restored file, it is easier to read like this.
Offline
Hi rf_hack, Roel,
I'm playing around with one of the NXP PN51x chips and I'm trying to read a Felica card. Unfortunately I don't have a protocol specification. Could you possibly help me? I'd like to read a Suica card, like with a Pasori reader, and check the amount of yen which is left on the card.
cheers, geri-m
Last edited by geri-m (2008-12-22 11:50:35)
Offline
Hey,
Great project. I'm still looking for some time to dive into the felica chips.
Did you ever look at the following websites:
http://felicalib.tmurakam.org/
http://libpasori.sourceforge.jp/
I know, mostly it is in Japanese, but the code will just compile in any environment.
The commands are probably available in the code.
Let us know if you found something / wrote a howto or so.
Offline
Hi roel,
Thanks for the links (looks like I do have to learn at least some Japanese ;-). The issue is, I'm not using a PaSoRi reader but a different one (an NFC reader that supports 13.56 MHz @ 212 kBits and allows sending _any_ command, and I can already detect the card in the field and get the UID). I actually do need the commands that go over the RF field for reading and writing, which are different from the ones the PaSoRi readers are using (it at least seems so).
I already have another plan: I'm planning to eavesdrop on the communication with a Felica card (mode-0, no encryption) using the Comprion CLT-Move hardware. But for that I do need a PaSoRi reader, and unfortunately I did not find an online shop that ships to Europe/Austria (not even on eBay). http://www.photoatm.com/ sells them, but there is no delivery option for Europe ;-(
Any hint is appreciated.
cheers, geri-m
Last edited by geri-m (2008-12-22 11:49:26)
Offline
I was just in Tokyo and got myself one of the new Pasori readers (S330), but I can't install it under my Windows XP SP3 (GER version). (I do get an exception in Japanese ... *grrr* ;-). Anyone out there doing a better job?
Cheers, geri-m
Offline
Thanks for the hint. Installing the language files didn't help - you need the JP Win32. I already got this information from Sony support. But the international driver is already under construction ;-)
Offline
I'm confused about the encryption method of Felica, could anyone help me?
I have read both the security target paper and the JIS X 6319-4 paper, here are my questions:
1. The Reader/Writer generates the access key for mutual authentication. The access key requires area key and service key info. But the ATQC command only provides the area key version and service key version instead of the actual keys, so how can the Reader/Writer know them?
2. The mutual authentication is encrypted by 3DES; what keys does the 3DES use on both sides? Since the access key and challenge data 1 & 2 are only created after the authentication.
3. After the mutual authentication, are transaction messages encrypted by DES or 3DES?
Many thanks!!!
Offline