gm3197

Reverse Engineered VAS Protocol Specification

Research by Grayson Martin
Last Updated 7/8/23

Introduction

Value Added Services (VAS) is the protocol used by NFC capable passes in Apple Wallet. Access to this protocol is heavily restricted on both the device end (a special certificate issued by Apple is required to create these passes) and the reader end (NDA enforced confidentiality). As such, a desire arose to better understand the protocol in order to explore additional use cases and examine its cryptographic integrity. There are gaps in understanding in certain parts of this protocol, however this document contains the minimum necessary understanding to automatically select, read data from, and decrypt a pass.

Importantly, this specification does not enable a malicious actor to read the data from a pass for which they do not have both the reader's private key, and the pass type identifier. Imp

smidgedy

#!/usr/env python3
########################################################################
#
#  Simple HTTP server that  supports file upload  for moving data around
#  between boxen on HTB. Based on a gist by bones7456, but mangled by me 
#  as I've tried  (badly) to port it to Python 3, code golf it, and make
#  It a  little more  robust. I was also able to  strip out a lot of the 
#  code trivially  because Python3 SimpleHTTPServer is  a thing, and the
#  cgi module handles multipart data nicely.
#

jetheis

/**
 * onetoughpuzzle.js
 *
 * The model and puzzle solving functionality for finding solutions to
 * the One Tough Puzzle toys distributed by Great American Puzzle Factory
 *
 * Copyright (C) 2011 Jimmy Theis
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy of
 * this software and associated documentation files (the "Software"), to deal in