Chicago Ventra cards

Projects
1

Does anyone know what chip type Ventra cards use? If so, is it possible to clone it to an implant? I thought it would probably be more convenient than having to take out the card from my wallet or using Apple Pay to pay for bus or train fare.

All I know is that the readers also accept normal contactless credit/debit cards, Apple Pay, Google Wallet, etc., so I would take a guess that they also have encrypted chips like EMV cards.

1 Like
2

Can you scan it with your phone? Maybe with TagInfo and post the data here?

1 Like
3

** TagInfo scan (version 4.24.5) 2019-09-29 14:07:32 **
Report Type: External

– IC INFO ------------------------------

IC manufacturer:

NXP Semiconductors

IC type:

MIFARE DESFire EV1

DESFire Applications:

Multi-modal transit #1

  • null

– NDEF ------------------------------

No NDEF data storage populated:

– EXTRA ------------------------------

Memory information:

Size: 256 bytes
Available: 96 bytes

IC detailed information:

Capacitance: 17 pF

DESFire App. ID : ISO-FID : ISO DF-Name:

F21381 : 0100 : 4F74744170706C69636174696F6E

  • Contains ISO FID: 0001

Version information:

Vendor ID: NXP
Hardware info:

  • Type/subtype: 0x01/0x01
  • Version: 1.0
  • Storage size: 256 bytes
  • Protocol: ISO/IEC 14443-2 and -3
    Software info:
  • Type/subtype: 0x01/0x01
  • Version: 1.5
  • Storage size: 256 bytes
  • Protocol: ISO/IEC 14443-3 and -4
    Batch no: 0xB90C174D50
    Production date: week 35, 2017

– FULL SCAN ------------------------------

Technologies supported:

ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

Android technology information:

Tag description:

  • TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA]
  • Maximum transceive length: 261 bytes
  • Default maximum transceive time-out: 309 ms
  • Extended length APDUs not supported
  • Maximum transceive length: 253 bytes
  • Default maximum transceive time-out: 618 ms

Detailed protocol information:

ID: 04:4C:5A:6A:0F:48:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x06757781028000

  • Max. accepted frame size: 64 bytes (FSCI: 5)
  • Supported receive rates:
    • 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
  • Supported send rates:
    • 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
  • Different send and receive rates supported
  • SFGT: 604.1 us (SFGI: 1)
  • FWT: 77.33 ms (FWI: 8)
  • NAD not supported
  • CID supported
  • Historical bytes: 0x80 |.|

Memory content:

Application ID 0x000000 (PICC)

  • Key configuration:
    • 1 (3)DES key
    • Master key changeable
    • Master key required for:
      ~ directory list access: no
      ~ create/delete files: no
    • Configuration changeable

Application ID 0x8113F2

  • Key configuration:

    • 3 (3)DES keys

    • Master key changeable

    • Master key required for:
      ~ directory list access: no
      ~ create/delete files: yes

    • Configuration changeable

    • Master key required for changing a key

    • File ID 0x00: Standard data, 64 bytes
      ~ Communication: encrypted
      ~ Read key: key #1
      ~ Write key: key #2
      ~ Read/Write key: key #2
      ~ Change key: master key
      ~ (No access)

    • File ID 0x01: Standard data, 160 bytes
      ~ Communication: encrypted
      ~ Read key: key #1
      ~ Write key: key #2
      ~ Read/Write key: key #2
      ~ Change key: master key
      ~ (No access)

4

IIRC, not cloneable. DESFire isn’t susceptible like Mifare is.

5

I had a transit card that read like this (DESFire with ISO 7816-4) and it was labeled MasterCard on the front. It looks like the old Ventra cards were prepaid MasterCards.

Ventra-transit-card-used-in-Chicago
Ventra-transit-card-used-in-Chicago.jpg1280×763 44.8 KB

Even if there was a DESFire workaround, I don’t know if you would be able to emulate whatever security provisioning MasterCard does to their chips. They have licensed facilities for that.

2 Likes
6

The Mastercard version is a bit misleading.
The NFC chip inside had nothing to do with the MasterCard usage, you had the option to enable MasterCard payments on the Orginal Ventra Card (grey one) which allowed you to use your loaded transit balance as a prepaid Mastercard too, however it only used a Magstrip on the back of the card for credit card purchases. The new Ventra card has no option for use as a Credit Card and has no Magstrip on the back.
I have had both of the Ventra cards pictured above.

From what I can tell, they both use HF RFID (13.56 MHz) but not sure about any of the other details.

2 Likes
7

Ata Distance (a blog primarily about contactless transit cards and mobile NFC payments) used a screenshot of this thread https://atadistance.net/2020/10/28/apple-pay-ventra-the-closed-open-loop-card/