@aidswidjaja
Last active July 1, 2022 05:57
Opal card hacking

Aim: Dump contents of school Opal card, transfer to school ID card and use school ID card to tap on at stations.

Resources

Background

School opal card

NXP MIFARE Ultralight C (MF0ICU2) SAK: 0x00

NOTE: The whole MIFARE Ultralight family uses the same ATQA and SAK.

Block diagram

+------------------------------------------------------------------------------------+
|       +--------------------------------------------------------------------------+ |
|       | +----------------++---------------------------------------+ +----------+ | |
|       | |                ||         DIGITAL CONTROL UNIT          | |          | | |
|       | |                || +---------------------+ +-----------+ | |          | | |
|       | |                || | CRYPTO CO PROCESSOR | |           | | |          | | |
|       | |                || |                     | |           | | |          | | |
|       | |                || +---------------------+ |           | | |          | | |
| #-----+ |                ||                         |           | | |          | | |
| #     | |                || +---------------------+ |           | | |          | | |
| # ANT.| |  RF-INTERFACE  || | CRYPTO CONTROL UNIT | | EEPROM    | | |  EEPROM  | | |
| #     | |                || |                     | | INTERFACE | | |          | | |
| #-----+ |                || +---------------------+ |           | | |          | | |
|       | |                ||                         |           | | |          | | |
|       | |                || +---------------------+ |           | | |          | | |
|       | |                || | COMMAND INTERPRETER | |           | | |          | | |
|       | |                || |                     | |           | | |          | | |
|       | |                || +---------------------+ +-----------+ | |          | | |
|       | +----------------++---------------------------------------+ +----------+ | |
|       +--------------------------------------------------------------------------+ |
+------------------------------------------------------------------------------------+

Memory structure

[00]  *  04:94:15:0D (UID0-UID2, BCC0)
[01]  *  2A:6E:65:80 (UID3-UID6)
[02]  +  A1:48:39:00 (BCC1, INT, LOCK0-LOCK1)
[03]  *  8A:A8:16:06 (OTP0-OTP3)

      +---------------------------+
04:05 |     Unknown (8 B) [xp]    |
      +---------------------------+
      +---------------------------+
06:0F |     Unknown (36 B) [.p]   |
      +---------------------------+
      +---------------------------+
10:27 |      Data (92 B) [?p]     |
      +---------------------------+
      
[28]  ?p  XX XX -- -- (LOCK2-LOCK3)
[29]  ?p  XX XX -- -- (CNT0-CNT1)
[2A]  ?p  04 -- -- -- (AUTH0)
[2B]  ?p  XX -- -- -- (AUTH1)

      +---------------------------+
2C:2F |     Unknown (16 B) [?P]   |
      +---------------------------+

Key

[x] = locked and blocked
[xp] = blocked and pwd-protected
[.p] = un(b)locked and pwd-protected
[?p] = unknown and pwd-protected
[?P] = unknown and pwd-protected write-only
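Added example (not part of the gist): a small decoder for the manufacturer, lock and AUTH0 pages of a MIFARE Ultralight C dump, using the MF0ICU2 datasheet layout. It recomputes BCC0 and BCC1 from the UID so a dump can be sanity-checked, expands the static lock bits in page 02, and reads AUTH0 to report from which page onward the card demands 3DES authentication. The sample input is constructed from the pages listed above (the unknown bytes of page 2A are filled with 00); the function names are my own. Run against this dump it shows why the layout is marked the way it is: with AUTH0 = 04, only pages 00 to 03 are readable without the key, and page 2A itself sits inside the protected region.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed input: pages 00-03 and 2A copied from the dump above.
# Page 2A holds AUTH0 in byte 0; its remaining bytes are unknown and set to 00 here.
SAMPLE_DUMP = """
[00] 04:94:15:0D
[01] 2A:6E:65:80
[02] A1:48:39:00
[03] 8A:A8:16:06
[2A] 04:00:00:00
"""

CASCADE_TAG = 0x88   # ISO/IEC 14443-3 cascade tag, folded into BCC0
AUTH0_DISABLED = 0x30  # datasheet: AUTH0 = 0x30 means no page is protected


def parse_dump(text: str) -> Dict[int, bytes]:
    """Parse '[NN] aa:bb:cc:dd' lines into {page_number: 4 raw bytes}."""
    pages: Dict[int, bytes] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue
        page_str, hex_str = line[1:].split("]", 1)
        raw = bytes.fromhex(hex_str.strip().replace(":", ""))
        if len(raw) != 4:
            raise ValueError(f"page {page_str}: expected 4 bytes, got {len(raw)}")
        pages[int(page_str, 16)] = raw
    return pages


def uid_from_pages(pages: Dict[int, bytes]) -> bytes:
    """7-byte UID = UID0-UID2 from page 00 plus UID3-UID6 from page 01."""
    return pages[0][:3] + pages[1]


def check_bcc(pages: Dict[int, bytes]) -> Tuple[bool, bool]:
    """Verify the two check bytes: BCC0 = CT ^ UID0 ^ UID1 ^ UID2, BCC1 = UID3 ^ UID4 ^ UID5 ^ UID6."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    bcc0 = CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]
    return bcc0 == p0[3], bcc1 == p2[0]


def locked_pages(pages: Dict[int, bytes]) -> Set[int]:
    """Expand the static lock bits in page 02.

    LOCK0: bit 3 locks the OTP page (03), bits 4-7 lock pages 04-07.
    LOCK1: bits 0-7 lock pages 08-0F.  Bits 0-2 of LOCK0 are block-locking
    bits (they freeze the lock bits themselves) and are not page locks.
    """
    lock0, lock1 = pages[2][2], pages[2][3]
    locked: Set[int] = set()
    if lock0 & 0x08:
        locked.add(3)
    for bit in range(4, 8):          # bit 4 -> page 4 ... bit 7 -> page 7
        if lock0 & (1 << bit):
            locked.add(bit)
    for bit in range(8):             # bit 0 -> page 8 ... bit 7 -> page 15
        if lock1 & (1 << bit):
            locked.add(8 + bit)
    return locked


def first_protected_page(pages: Dict[int, bytes]) -> Optional[int]:
    """AUTH0 (page 2A, byte 0): first page from which authentication is required, or None if disabled."""
    auth0 = pages[0x2A][0]
    return None if auth0 >= AUTH0_DISABLED else auth0


def summarize(text: str) -> Dict[str, object]:
    """Decode a dump into a compact report; unreadable pages are simply absent from the input."""
    pages = parse_dump(text)
    bcc0_ok, bcc1_ok = check_bcc(pages)
    return {
        "uid": uid_from_pages(pages).hex(),
        "bcc0_ok": bcc0_ok,
        "bcc1_ok": bcc1_ok,
        "locked_pages": sorted(locked_pages(pages)),
        "first_protected_page": first_protected_page(pages),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_DUMP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A dump whose BCC bytes do not match its UID was either read badly or edited by hand, so the check is worth running before trusting anything else in it. The lock and AUTH0 decoding only covers the bytes the gist actually shows; the dynamic lock bytes in page 28 and AUTH1 in page 2B are left alone because their values are unknown here.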