ATQA byte descriptions for various contactless cards

 


13.56 MHz RFID

Software

  • An open-source implementation of an NFC stack, along with various related utilities, is available from the LibNFC project.
  • The author of this page has released a number of small utilities, and enhancements to third-party ones, in a repository on BitBucket.
  • A link to a tool for examining data stored on Atmel CryptoRF tokens, along with errata, is available in this forum post.
  • The RFIDIOT project supply a package of tools for manipulating the contents of various types of RFID tokens, and examining Machine-Readable Travel Documents and EMV cards.
  • A driver that supposedly allows for use of LibNFC with generic PCSC-enabled applications is available from the ifdnfc project on SourceForge. 

    This doesn't seem to build against the latest version of LibNFC:
ifd-nfc.c: In function ‘IFDHTransmitToICC’:
ifd-nfc.c:355:17: error: too few arguments to function ‘nfc_initiator_transceive_bytes’
/usr/local/include/nfc/nfc.h:80:19: note: declared here

Datasheets

  • A datasheet is available for the STMicroElectronics SRI512 ISO/IEC 14443-B chipset.
  • A datasheet is available from ACS for the InnoVision/Broadcom Topaz family of ISO/IEC 14443-A chipsets.
  • A datasheet is available for FuDan's FM11RF08 chipset (which is supposedly compatible with existing MiFare Classic implementations).
  • The Users Manual for the NXP PN532 chipset is available.
  • A manual for a variant of the ACS ACR122U card reader is available.

Hardware

FeliCa tokens

Sony FeliCa Lite RC-S701

  • LibNFC's nfc-list -v command reports:
1 Felica (212 kbps) passive target(s) found:
        ID (NFCID2): 01  27  00  5d  1a  05  88  cd
    Parameter (PAD): 00  f0  00  00  02  06  03  00
   System Code (SC): 88  b4

1 Felica (424 kbps) passive target(s) found:
        ID (NFCID2): 01  27  00  5d  1a  05  88  cd
    Parameter (PAD): 00  f0  00  00  02  06  03  00
   System Code (SC): 88  b4
  • LibNFC's nfc-read-forum-tag3 command reports:
Place your NFC Forum Tag Type 3 in the field...
NDEF Mapping version: 1.0
NFC Forum Tag Type 3 capacity: 208 bytes
NDEF data lenght: 60 bytes

libnfc.chip.pn53x - InListPassiveTarget
libnfc.driver.acr122 - TX: ff 00 00 00 09 d4 4a 01 01 00 ff ff 01 00
libnfc.driver.acr122 - RX: d5 4b 01 01 14 01 01 27 00 5d 1a 05 88 cd 00 f0 00 00 02 06 03 00 88 b4 90 00

libnfc.chip.pn53x - InListPassiveTarget
libnfc.driver.acr122 - TX: ff 00 00 00 09 d4 4a 01 02 00 ff ff 01 00
libnfc.driver.acr122 - RX: d5 4b 01 01 14 01 | 01 27 00 5d 1a 05 88 cd 00 f0 00 00 02 06 03 00 88 b4 | 90 00

ISO/IEC 14443-A tokens

NXP MiFare Classic 4KB

  • LibNFC's nfc-list -v command reports:
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  02
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 7c  52  49  e4
      SAK (SEL_RES): 18
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on ATQA & SAK values:
* Mifare Classic 4K
* SmartMX with Mifare 4K emulation
  • Using the MFOC utility under Linux, it is possible to derive the sector keys for a genuine MiFare Classic card, whilst dumping and decrypting its entire contents in a reasonable timeframe (several minutes) on a moderately powerful PC. 

    It appears that this tool does not work properly under VirtualBox, due to latency induced by its USB passthrough implementation.

NXP MiFare DESFire EV1

  • LibNFC's nfc-list -v command reports:
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 03  44
* UID size: double
* bit frame anticollision supported
       UID (NFCID1): 04  8b  1f  f1  ad  26  80
      SAK (SEL_RES): 20
* Compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
                ATS: 75  77  81  02  80
* Max Frame Size accepted by PICC: 64 bytes
* Bit Rate Capability:
  * PICC to PCD, DS=2, bitrate 212 kbits/s supported
  * PICC to PCD, DS=4, bitrate 424 kbits/s supported
  * PICC to PCD, DS=8, bitrate 847 kbits/s supported
  * PCD to PICC, DR=2, bitrate 212 kbits/s supported
  * PCD to PICC, DR=4, bitrate 424 kbits/s supported
  * PCD to PICC, DR=8, bitrate 847 kbits/s supported
* Frame Waiting Time: 77.33 ms
* Start-up Frame Guard Time: 0.6041 ms
* Node ADdress not supported
* Card IDentifier supported
* Historical bytes Tk: 80
  * No COMPACT-TLV objects found, no status found
Fingerprinting based on ATQA & SAK values:
* Mifare DESFire / Desfire EV1

DESFire EV1 Oyster

  • The mifare-desfire-info utility reports:
===> 0000   90 60 00 00 00                                   |.`...           |
<=== 0000   04 01 01 01 00 16 05 91 af                       |.........       |
===> 0000   90 af 00 00 00                                   |.....           |
<=== 0000   04 01 01 01 03 16 05 91 af                       |.........       |
===> 0000   90 af 00 00 00                                   |.....           |
<=== 0000   04 8b 1f f1 ad 26 80 00 00 00 00 00 42 08 91 00  |.....&......B...|
===> Version information for tag 048b1ff1ad2680:
UID:                      0x048b1ff1ad2680
Batch number:             0x0000000000
Production date:          week 42, 2008
Hardware Information:
    Vendor ID:            0x04
    Type:                 0x01
    Subtype:              0x01
    Version:              1.0
    Storage size:         0x16 (=2048 bytes)
    Protocol:             0x05
Software Information:
    Vendor ID:            0x04
    Type:                 0x01
    Subtype:              0x01
    Version:              1.3
    Storage size:         0x16 (=2048 bytes)
    Protocol:             0x05
===> 0000   90 45 00 00 00                                   |.E...           |
<=== 0000   0b 01 91 00                                      |....            |
Master Key settings (0x0b):
    0x08 configuration changeable;
    0x00 PICC Master Key not required for create / delete;
    0x02 Free directory list access without PICC Master Key;
    0x01 Allow changing the Master Key;
===> 0000   90 64 00 00 01 00 00                             |.d.....         |
<=== 0000   31 91 00                                         |1..             |
Master Key version: 49 (0x31)
===> 0000   90 6e 00 00 00                                   |.n...           |
<=== 0000   e0 04 00 91 00                                   |.....           |
Free memory: 1248 bytes
Use random UID: no

NXP MiFare UltraLight

  • LibNFC's nfc-list -v command reports:
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  44
* UID size: double
* bit frame anticollision supported
       UID (NFCID1): 04  45  57  ba  34  23  80
      SAK (SEL_RES): 00
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on ATQA & SAK values:
* Mifare Ultralight
* Mifare UltralightC

Orange Cash PayPass Card

  • LibNFC's nfc-list -v command reports:
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 29  8b  cf  51
      SAK (SEL_RES): 28
* Compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
                ATS: 78  80  82  02  80  31  80  66  b0  84  12  01  6e  01  83  00  90  00
* Max Frame Size accepted by PICC: 256 bytes
* Bit Rate Capability:
  * Same bitrate in both directions mandatory
* Frame Waiting Time: 77.33 ms
* Start-up Frame Guard Time: 1.208 ms
* Node ADdress not supported
* Card IDentifier supported
* Historical bytes Tk: 80  31  80  66  b0  84  12  01  6e  01  83  00  90  00
  * Tk after 0x80 consist of optional consecutive COMPACT-TLV data objects;
    the last data object may carry a status indicator of one, two or three bytes.
    See ISO/IEC 7816-4 8.1.1.3 for more info
Fingerprinting based on ATQA & SAK values:
* JCOP31 v2.3.1
* SmartMX with Mifare 1K emulation
  • Using the following TAMA script, it is possible to access the EMV Payment System Environment, and obtain the name of the first application:
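02; // Get firmware version
4A  01  00; // 1 target requested

// Select the payment system environment (SELECT by DF name "1PAY.SYS.DDF01")
40 01 00 A4 04 00 0E 31 50 41 59 2E 53 59 53 2E 44 44 46 30 31;

// GET PROCESSING OPTIONS with an empty PDOL data object (83 00)
40 01 80 A8 00 00 02 83 00;

// GET RESPONSE, Le = 0x26
40 01 00 c0 00 00 26;

// READ RECORD: P1 is the record number, P2 = 0x0c addresses SFI 1
40 01 00 b2 00 0c 00;

40 01 00 b2 01 0c 00;

40 01 00 b2 01 0c 21;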

ISO/IEC 14443-B tokens

  • Issue #168 on the LibNFC project's issues list contains some details pertinent to the proprietary "14443-B'" technology used by some Calypso transport cards.

Maxim MAX66040E-000AA+

  • LibNFC's nfc-list -v command reports:
1 ISO14443B passive target(s) found:
               PUPI: a2  a6  02  00
   Application Data: 30  00  2b  e0
      Protocol Info: 77  21  71
* Bit Rate Capability:
 * PICC to PCD, 1etu=64/fc, bitrate 212 kbits/s supported
 * PICC to PCD, 1etu=32/fc, bitrate 424 kbits/s supported
 * PICC to PCD, 1etu=16/fc, bitrate 847 kbits/s supported
 * PCD to PICC, 1etu=64/fc, bitrate 212 kbits/s supported
 * PCD to PICC, 1etu=32/fc, bitrate 424 kbits/s supported
 * PCD to PICC, 1etu=16/fc, bitrate 847 kbits/s supported
* Maximum frame sizes: 32 bytes
* Protocol types supported: ISO/IEC 14443-4
* Frame Waiting Time: 38.66 ms
* Frame options supported: NAD
  • These cards are advertised as having a 64-bit UID, consisting of data in the PUPI field (e.g. a2 a6 02 00 or 34 ab 02 00), and data in the Application Data field (e.g. 77 21 71).
  • The Application Data field supposedly contains the "upper 32 bits of the UID" (which appears to be consistent between new cards); and the (variable) PUPI corresponds to the "lower 32 bits of the UID".
  • It is possible to run the Get System Information (0x2B) command using this PN532 TAMA shell script on a TouchATag reader:
02; // Get firmware version
//4A  01  00; // 1 target requested
4a 01 03 00;
40 01 2B;
  • The TAMA commands are wrapped in an InDataExchange (0x40) packet that looks like d4 40 01 2b
  • The Get System Information command returns a result similar to 00 00 0f a2 a6 02 00 30 00 2b e0 00 00 13 07 b2

PN532 Pseudo-APDUs

  • ISO/IEC 14443-B
0000   d5 4b 01 01 50 34 ab 02 00 30 00 2b e0 77 21 71
0010   01 01 90 00
0000   d5 4b 01 01 50 a2 a6 02 00 30 00 2b e0 77 21 71
0010   01 01 90 00
  • DESFire EV1
0000   d5 4b 01 01 03 44 20 07 04 8b 1f f1 ad 26 80 06
0010   75 77 81 02 80 90 00
  • MiFare UltraLight
0000   d5 4b 01 01 00 44 00 07 04 2b 6e ba 34 23 80 90
0010   00
  • Sony FeliCa Lite RC-S701
0000   d5 4b 01 01 14 01 01 27 00 5d 1a 05 8a cd 00 f0
0010   00 00 02 06 03 00 88 b4 90 00
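
The ISO/IEC 14443-A dumps above can be decoded field by field. The following is an added example, not code from the original page or from LibNFC; the function name parse_14443a is hypothetical, and it assumes the reader appends the status word 90 00 and that an ATS is present only when SAK bit 0x20 is set.

```python
# Added example (not from the original page): decode the ISO/IEC 14443-A
# fields of a PN532 InListPassiveTarget response (d5 4b ...).

def parse_14443a(dump: str) -> dict:
    """Parse the first type-A target from a hex string of the response."""
    data = bytes.fromhex(dump)
    if data[:2] != b"\xd5\x4b":
        raise ValueError("not an InListPassiveTarget response")
    # Assumption: the reader appends status word 90 00, as in the page's dumps.
    if data[-2:] == b"\x90\x00":
        data = data[:-2]
    if len(data) < 8 or data[2] < 1:
        raise ValueError("no target in response")
    atqa, sak, uid_len = data[4:6], data[6], data[7]
    uid = data[8:8 + uid_len]
    if len(uid) != uid_len:
        raise ValueError("truncated UID")
    rest = data[8 + uid_len:]
    ats = None
    # Assumption: an ATS follows only when SAK bit 0x20 (ISO/IEC 14443-4) is
    # set; its first byte is a length that counts itself.
    if sak & 0x20 and rest:
        if not 1 <= rest[0] <= len(rest):
            raise ValueError("bad ATS length")
        ats = rest[1:rest[0]]
    sizes = {0x00: "single", 0x40: "double", 0x80: "triple"}
    return {
        "atqa": atqa.hex(),
        "sak": sak,
        "uid": uid.hex(),
        "ats": ats.hex() if ats is not None else None,
        # Second ATQA byte as printed: bits 7-6 give the UID size, and
        # exactly one of bits 4-0 set means bit frame anticollision.
        "uid_size": sizes.get(atqa[1] & 0xC0, "reserved"),
        "bit_frame_anticollision": (atqa[1] & 0x1F) in (1, 2, 4, 8, 16),
        "iso14443_4": bool(sak & 0x20),
        "iso18092": bool(sak & 0x40),
    }

# Dumps copied from the page (hexdump offsets removed).
DESFIRE_EV1 = "d5 4b 01 01 03 44 20 07 04 8b 1f f1 ad 26 80 06 75 77 81 02 80 90 00"
ULTRALIGHT = "d5 4b 01 01 00 44 00 07 04 2b 6e ba 34 23 80 90 00"

if __name__ == "__main__":
    for name, dump in (("DESFire EV1", DESFIRE_EV1), ("UltraLight", ULTRALIGHT)):
        print(name, parse_14443a(dump))
```

The decoded values match what nfc-list -v prints for the same cards: double-size UID and ISO/IEC 14443-4 compliance for the DESFire EV1, and no ATS for the UltraLight.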

Hardware Suppliers

  • Atmel of the USA have a product sampling programme. 

    Although the order process appears to be successful (since I receive an e-mail in my university account), I have had limited success with using the confirmation URL provided in said e-mail, and have not seen any evidence of a product delivery, or further confirmation to date.
  • Switch Science of Japan supply Sony FeliCa (RC-S701) tags on an international basis, and fulfil orders promptly. They are also quick to provide refunds, should buyers accidentally make multiple payments for an order. As of writing, the grand total cost of shipping 2 tags to the UK was JPY2,168 (£19.19 according to PayPal).
  • The Identive Group of the USA appear to be supplying Topaz 512-byte tags on an international basis - although the author cannot vouch for the company's service, due to having never utilised it.
  • Maxim supply a number of RFID-related products through a free sampling programme - although shipments are slightly delayed due to requiring internal Business Manager authorisation; and a commercial or academic e-mail address is required for successful order approval. 

    Samples ordered within the UK are usually despatched from a UK-based warehouse, if memory serves correctly.

Other Information

  • The YobiWiki has a fairly exhaustive page on Radio Frequency Identification-related content.
Original article: https://www.cnblogs.com/h2zZhou/p/5239869.html