Specifications
Smart Cards Lab COMPGA12 University College London
Assuming that we know the key for a given Oyster card, how can we
know how much money is currently on the card? First of all, the
exact amount cannot always be determined with certainty. This is not so much
because of the complex pricing system used by Transport for London, with
price capping and penalties for not touching out, but rather because in
real life transactions are not always guaranteed to be billed properly. People
are frequently charged more than they should be, and if they complain
they get some of their money refunded, so the current balance
written in the card may be altered. However, we are able to get the figure
which, in a typical case where the card has indeed been used correctly and
after touching out, will be exactly the balance of the card.
For this we need to read block 5 and block 6 of the Oyster card. We
repeat the sequence LOAD KEY IN RAM REGISTERS, MIFARE CLASSIC
AUTHENTICATE described above (unless the key AND the block number
requested are the same as before).
Then we need to issue MIFARE CLASSIC READ twice, for blocks 5 and
6, which according to the MIFARE Classic specification always use the same key.

2 x MIFARE CLASSIC READ for blocks 5 and 6
CLA INS P1 P2 Le
FF B0 00 05 10
CLA INS P1 P2 Le
FF B0 00 06 10
We get:
05.
06.
Now we need to look at the second byte (not the third, as it may seem),
numbering the bytes 1, 2, 3, 4, 5, ... starting from the left, in each of these
blocks. It is a counter, and one of these two counters will be higher; for
example, the first will be 0x41 and the other will be 0x40. This means that we
need to use block 5 and discard block 6. Now we look at the two following
bytes, the 4th and 5th, in the same block. The formula to compute the credit of
our card is as follows:
$$\text{credit} = \frac{b_5 \cdot 256 + b_4}{200.0}$$
in British pounds [£]
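The selection and formula above can be checked offline with the following added example, which is not part of the original handout. The two sample blocks are constructed for illustration, the function names are hypothetical, and the byte positions follow the handout's 1-based numbering from the left (counter in byte 2, value in bytes 4 and 5).

```python
# Added example: decode the credit figure from the contents of blocks 5 and 6.
BLOCK_LEN = 16  # Le = 0x10 in the READ command, i.e. one 16-byte block


def read_apdu(block: int) -> bytes:
    """MIFARE CLASSIC READ as listed in the handout: FF B0 00 <block> 10."""
    return bytes([0xFF, 0xB0, 0x00, block, BLOCK_LEN])


def parse_block(hex_text: str) -> bytes:
    """Turn a hex dump of one block into bytes and check its length."""
    data = bytes.fromhex(hex_text)
    if len(data) != BLOCK_LEN:
        raise ValueError(f"expected {BLOCK_LEN} bytes, got {len(data)}")
    return data


def current_block(block5: bytes, block6: bytes) -> tuple[int, bytes]:
    """Keep the block whose counter (2nd byte, 1-based) is higher."""
    c5, c6 = block5[1], block6[1]
    if c5 == c6:
        # The handout expects one counter to be higher; equal values are
        # treated as an error here (an assumption of this example).
        raise ValueError("counters are equal, cannot pick the current block")
    # Plain comparison as in the handout; counter wrap-around is not covered.
    return (5, block5) if c5 > c6 else (6, block6)


def credit_pounds(block5: bytes, block6: bytes) -> float:
    """credit = (b5 * 256 + b4) / 200.0, with b4 and b5 the 4th and 5th bytes."""
    _, blk = current_block(block5, block6)
    b4, b5 = blk[3], blk[4]  # 0-based indices 3 and 4
    return (b5 * 256 + b4) / 200.0


# Constructed sample data (not read from a real card).
SAMPLE_BLOCK_5 = parse_block("00 41 00 D0 07 00 00 00 00 00 00 00 00 00 00 00")
SAMPLE_BLOCK_6 = parse_block("00 40 00 98 08 00 00 00 00 00 00 00 00 00 00 00")

if __name__ == "__main__":
    for n in (5, 6):
        print(f"READ block {n}:", read_apdu(n).hex(" ").upper())
    number, _ = current_block(SAMPLE_BLOCK_5, SAMPLE_BLOCK_6)
    print(f"current block: {number}")
    print(f"credit: £{credit_pounds(SAMPLE_BLOCK_5, SAMPLE_BLOCK_6):.2f}")
```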
© Nicolas T. Courtois 2009-10










