Bruteforcing command codes #1

nullableVoidPtr · 2024-07-27T07:56:55Z

nullableVoidPtr
Jul 27, 2024
Maintainer

I wrote the following script to use Proxmark3's SWIG library to interface with my ICOCA card and bruteforce command codes, with the format of the node code list found within a Request Service command:

#!/usr/bin/env python3

import pm3
from output_grabber import OutputGrabber
p=pm3.pm3("/dev/ttyACM0")

def crc16_xmodem(data):
    crc = 0x0000

    for c in data:
        crc = crc ^ (c << 8)
        for _ in range(8):
            xor = crc & 0x8000
            crc = crc << 1

            if xor:
                crc ^= 0x1021

    crc = crc & 0xFFFF
    return crc.to_bytes(2, 'big')


def transceive(data: bytes) -> bytes:
    with OutputGrabber() as out:
        p.console(f"hf felica raw {bytes([len(data) + 1, *data]).hex()} -c")

    for i, line in enumerate(out.capturedtext.split("\n")):
        if not line.startswith("[+] "):
            raise ValueError("Unexpected error from pm3")

        line = line[4:]

        if i == 0:
            if line.startswith("Data: "):
                continue

            raise ValueError("Unexpected line")

        if not line.startswith("("):
            raise ValueError("Cannot parse from pm3")

        length, response_hex = line[1:].split(")", 1)
        if not length.isnumeric():
            raise ValueError("Invalid length from pm3")

        length = int(length, 10)
        raw_response = bytes.fromhex(response_hex)
        if len(raw_response) != length:
            raise ValueError("Incorrect length from pm3")

        if not raw_response.startswith(b"\xB2\x4D"):
            raise ValueError("Incorrect sync code")

        expected_crc = crc16_xmodem(raw_response[2:-2])
        response_crc = raw_response[-2:]
        if response_crc != expected_crc:
            print(response_crc, expected_crc)
            raise ValueError("Incorrect checksum")

        length = raw_response[2] - 1
        response_data = raw_response[3:-2]
        if len(response_data) != length:
            raise ValueError("Incorrect length")

        return response_data

    raise ValueError()

def make_node_code_list(node_codes: list[int]) -> bytes:
    return len(node_codes).to_bytes() + b"".join(c.to_bytes(2, "little") for c in node_codes)

# Found using Search Service Code
AREAS = [
    0x0000, # - FFFE
    0x0040, # - 07FF
]

SERVICES = [
    0x0048,
    0x004A,
]

ENCODED_LISTS = [
    make_node_code_list([AREAS[0]]),
    make_node_code_list([SERVICES[0]]),
    make_node_code_list(AREAS),
    make_node_code_list(SERVICES),
    make_node_code_list(AREAS + SERVICES),
]

EXCLUDED_COMMAND_CODES = {
    *range(0x00, 0x0E, 0x02),
    *range(0x10, 0x18, 0x02),
    0x22,
    0x28,
    *range(0x32, 0x3A, 0x02),
    *range(0x3C, 0x48, 0x02),
    0x4C,
    0x78,
    0xA4,
    0xB0,
    *range(0xF0, 0x100, 0x02),
}

print(list(map(hex, EXCLUDED_COMMAND_CODES)))

idm = transceive(bytes.fromhex("00ffff0000"))[1:9]
print("IDm", idm.hex())

with open("output_ncl.lst", "w") as f:
    for command_code in range(0x00, 0x100, 0x02):
        if command_code in EXCLUDED_COMMAND_CODES:
            continue

        print(f"Command code: {command_code:02x}")

        for l in ENCODED_LISTS:
            command = command_code.to_bytes() + idm + l
            try:
                response = transceive(command)
                result = response.hex()
            except:
                continue

            output = f"\t{command.hex()} -> {result}"
            print(output)
            f.write(output + "\n")

The only command this script found was 0x3a, which can just be called using an IDm:

[usb] pm3 --> hf felica raw -c 0a3a<IDM>
[+] Data: 0A 3A 01 01 XX XX XX XX XX XX EE 3A 
[+] (25) B2 4D 15 3B 01 01 XX XX XX XX XX XX 00 00 08 36 01 51 06 A1 07 54 00 04 BC

It is still unknown what this output data is:

3B : Response code
01 01 XX XX XX XX XX XX : IDM
00 00 08 36 01 51 06 A1 07 54 00 : Unknown

The last field does not match the PMm of the ICOCA: 0136428247459AFF

nullableVoidPtr · 2024-07-27T08:32:57Z

nullableVoidPtr
Jul 27, 2024
Maintainer Author

RC-S100

Output from uninitialized RC-S100 (SD1):

[usb] pm3 --> hf felica raw -c 0a3a<IDm>
[+] Data: 0A 3A XX XX XX XX XX XX XX XX YY YY
[+] (25) B2 4D 15 3B XX XX XX XX XX XX XX XX 00 00 08 32 03 51 06 A1 07 54 00 ZZ ZZ

Extracted payload is 00 00 08 32 03 51 06 A1 07 54 00, same across all RC-S100 cards tested (x3)

RC-S120

Extracted payloads from uninitialized RC-S120 (SD2):

IDm: 01010701B11E4102
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 5F 99 06 01 01 00 01 01 01 CF 7D F2 EC 08 A6 3A 27 4F FA 59 BF 57 BD EE 81 25 B6 A5 D7
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 5F 99 06 01 01 00 01 01 01 89 3D 55 D7 9A F1 0C 14 33 83 9D 55 58 11 E5 5E DD 40 1F 19
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 5F 99 06 01 01 00 01 01 01 B8 87 8D 44 D9 FE 61 FE 3E 53 C1 00 3F B3 4C FC AE BC FA B1
IDm: 01010801B11E4202
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 6B 90 06 01 01 00 01 01 01 F7 02 FA 74 48 54 FC 33 A1 98 5A 84 E0 97 4C 6B DB A6 3C 44
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 6B 90 06 01 01 00 01 01 01 99 C9 41 EC CC 5F FC CA 26 AA AE 45 B8 EA 28 F2 A6 13 D6 3E
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 6B 90 06 01 01 00 01 01 01 3F 0D 31 FB F7 F3 59 65 02 42 F7 CB 5B E3 53 ED 70 BB AC 7C
IDm: 01010801B11E4302
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 59 90 06 01 01 00 01 01 01 A7 3B AD 27 AE 22 2D 53 4F 3E 2D 0D 43 B7 2E CC CD 10 CA 60
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 59 90 06 01 01 00 01 01 01 B5 CC 9B 23 83 AC 8F 28 9E 53 B7 97 24 C9 52 8E 50 25 75 EC
- 00 00 2D 44 01 01 01 00 01 20 00 0B 00 DF 0D 94 BC EB 49 59 90 06 01 01 00 01 01 01 43 6B 5A 9B F2 FF C7 D5 BC 66 2F 95 01 2A 30 93 9D 54 E3 DF

Bytes 0 through 10 appear to be the same format as RC-S100 and the ICOCA card.

Last 20 bytes appear seemingly random each invocation.

0 replies

nullableVoidPtr · 2024-07-27T09:10:49Z

nullableVoidPtr
Jul 27, 2024
Maintainer Author

RC-S100 payload dissected

32 03 51 06 A1 07 54 00
^  ^  ^     ^     ^
|  |  |     |     +- IC software version
|  |  |     +- FeliCa OS version
|  |  +- IC hardware version
|  +- FeliCa ROM type
+- FeliCa IC type

5106 and 5400 is correlated by Security Target documentation for the JREM 6K card which shares the same Smartcard IC as RC-SA00. RC-SA00 was evaluated earlier than the JREM 6K card, which has a later IC software version 5401.

0 replies

This comment has been hidden.

Sign in to view

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bruteforcing command codes #1

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

This comment has been hidden.

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Bruteforcing command codes #1

Uh oh!

Uh oh!

nullableVoidPtr Jul 27, 2024 Maintainer

Replies: 3 comments

Uh oh!

nullableVoidPtr Jul 27, 2024 Maintainer Author

RC-S100

RC-S120

This comment has been hidden.

Uh oh!

Uh oh!

nullableVoidPtr Jul 27, 2024 Maintainer Author

RC-S100 payload dissected

nullableVoidPtr
Jul 27, 2024
Maintainer

nullableVoidPtr
Jul 27, 2024
Maintainer Author

nullableVoidPtr
Jul 27, 2024
Maintainer Author