My Custom Public Transport Conversion Experience (Almost)

Public Transport Conversion by image
Feasibility

Throughout the world :earth_asia: there are many and varied Public Transport Infrastructures utilising a wide range of RFID technology. Fortunately for some, there are some older / less secure systems such as Mifare Classic (there are a few examples here on the Forum), and fortunately for people with access to those systems, Dangerous Things have some “off the shelf options”.
But the odds are, most Public Transport Companies will be using more secure protocols such as DESFire®.

The likelihood of a compatible implant is still possible, but it probably won’t be as simple as grabbing an “off the shelf option”.

My First thought

Dangerous Things "Off the shelf DESFire" ( Failed attempt )

As the Dangerous Things DESFire® Range do not have modifiable UIDs, ( It will require more than a simple UID anyway, see below) Therefore, it would likely require some significant social engineering to get your implant enrolled and applet installed through the Transport Agency’s system ( I have not yet tried approaching anybody for mine yet )

It is protected to transport use only, I have attempted a few things to try and work out how to free up memory to make it multifunctional all unsuccessfully.

WHAT I COULD STILL TRY
Approach Auckland transport about enrolling a DT Flex Implant, and convince them to allow me to “Bring my own”
My options are
xDF2 But I don’t think an xSeries would be optimal for this purpose
FlexDF The DESFire is closest to a one for one swap
FlexDF2 The DESFire2 is backward compatible, and the Newer more capable chip, so ideally this is my first choice

My Second thought

DESFire(r) Modifiable cards (failed attempt)

MIFARE DESFIRE® COMPATIBLE UID MODIFIABLE EMULATOR CARD I got mine from KSEC

There are two variations of card, 7-byte UID and 4-byte UID .

Please note, this card does not emulate any other MIFARE DESFire® features.

Modification of the UID is incredibly simple, thanks to a raw 14443 command.
Using your Proxmark 3, you can issue the following command:

hf 14a raw -s -c 02 00 ab 00 00 07 xx xx xx xx xx xx xx

Where xx xx xx xx xx xx xx is your target UID. ( In my case 04 7F 3B 72 47 50 80 )
For 4-byte cards, your UID will be 4-bytes, for 7-byte cards, the UID will be 7-bytes

IMPORTANT:

The UID of MIFARE DESFire® Compatible UID Modifiable tags is comprised of two parts: the UID itself, and the BCC. The BCC is a checksum value calculated from the UID. If the BCC is incorrect, tag will be rejected by the reader.

Most RFID tools, such as the Proxmark, LibNFC, MCT etc automatically calculate the BCC when the UID is modified. If you are modifying the UID by hand, it is vital that the BCC is correctly calculated.

There is NO support or refunds under any circumstances for cards that were ‘bricked’ due to incorrect UID/BCC configuration.

WHAT ARE THE ATS VALUES?

The card responds with 06 75 77 81 02 80 02 F0

CAN I MODIFY THE ATS / ATQA / SAK VALUES ?

No, the ATS / ATQA values are fixed.

SAK values can be modified upon request at the factory.

I wrote my UID to the card and tested it on a reader, and not surprisingly, it did not work.

My third thought, and valid attempt :+1:

Which brings us to the reason for this thread:

I have done some work around the feasibility of POTENTIALLY getting my official Public Transport card converted to an implant.

Below are the steps I followed: (your experience may differ, but the process may be similar)

In Auckland, New Zealand, we have one transport agency
That covers Bus, Train and Ferry
Form Factors

  • Cards
    These “cards” come in 2 types ( Gold for those over 65 who get free public transport )
  • Fob / Keyring

    Approx 60mm x 30mm x 5mm
  • 3rd Unofficial Potential option from DT Conversion

DO NOT DO WHAT I DID; SEND YOURS TO AMAL IN ITS ORIGINAL STATE

Acetone vs. Tag
I know, I know, I really should have taken better photos

This is from another thread, But it is worth putting this here :arrow_heading_down:

DO NOT DO WHAT I DID; SEND YOURS TO AMAL IN ITS ORIGINAL STATE

MY analysis

  • To me, the chip looks viable for conversion
  • The card is a DESFire® EV1 4kB
  • 17pF version of the chip
  • Surprisingly ( To me any at least ) the remaining space is only 928 bytes
  • However that remainder of the memory is protected

THE CARD DETAILS

CARD NUMBER ( 19 Digits ) Printed on the card / fob and used to register the card

CARD UID ( 7 BYTE )

ID: 04:7F:3B:72:47:50:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x1C


BALANCE TOP-UP
There are 4 ways to check and top up balance:

    • AT Customer Service Centres
    • Retail Agents (Requires Human interaction, Can be problematic with not a consistent nor predictable reaction)
    • Top up Machines
      Unfortunately due to the design of the Top Up machines, they require the card or Fob to be dropped into the receptacle, which would be difficult to do whilst the implant remains inside you :raised_hand:
    • Online, With an implant, the “best” / “easiest” way is Online

EXPIRY
I believe the card / fob does not expire UNLESS no value is loaded onto it for a continuous period of six years. With the minimum topup being $1 (in person, or at machine ) or $5 online



LEGAL STUFF, Boring but important

Legal

( I have highlighted to save you the pain of reading )
5.5. take proper care of the AT HOP card to avoid damage including keeping the AT HOP card flat and not bending it (as that may damage the AT HOP card);
5.6. not misuse, deface, modify, or destroy, the AT HOP card;
5.7. not tamper, or allow anyone else to tamper, with the AT HOP card;

5.9. not alter, remove, or replace any notices, trade marks, or artwork on the AT HOP card; and

  6. Right to Retain: We, the Retail Agents and Public Transport Operators will be entitled to confiscate or retain any AT HOP card which:

6.1. we (or a Retail Agent or Public Transport Operator) suspect or have reason to believe has been fraudulently issued, stolen, tampered with, or used in breach of the Terms;

8.3. we retain the right to manage and change the software and data on the AT HOP cards at any time; and
8.4. On-demand by any employee or representative of us or of any Retail Agent or Public Transport Operator at any time, you must produce for inspection all AT HOP cards in your possession or control.

  1. Suspension: We may suspend any AT HOP card or AT HOP online account (Online Account) if you breach any of these Terms and such breach amounts to what AT determines to be fraud or fare evasion. In the event that we suspend any AT HOP card or Online Account:

tamper

verb

  1. interfere with (something) in order to cause damage or make unauthorized alterations.

confiscate or retain any AT HOP card which:
[…] believe has been […] tampered with, or used in breach of the Terms;
you must produce for inspection all AT HOP cards in your possession or control.

:rofl: :rofl: :rofl: Good luck with that

TESTING TIME

PERFORMANCE / FUNCTION / RANGE
Amal’s AMAL-YSIS

:man_shrugging:

:man_shrugging:
Therefore, if I choose to get this converted, with one of DT’s tuned 13.56MHz antennas, this should improve the range and performance over the official fob antenna.
:+1:

Feasibility

The conversion is :100:% feasible, even though factory performance is poor due to being off frequency, but with the “correct” DT antenna from the conversion service it SHOULD be a great little performer.

My Decision

If I could have also utilised the remaining 928 bytes of memory then it would be much more worthwhile, So at this stage I am leaning toward a NO… but I may change my mind

RECOMMENDED?

As with my payment conversion, Absolutely, I highly recommend considering any conversion service from Dangerous Things, including a Transport conversion like this one.

If you are interested in this service, FIRST Contact Dangerous Things for their opinion of the feasibility


Dangerous Things Micro Bank Card Payment Conversion Service

5 Likes
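
The BCC rule quoted in the first post, worked through for its 7-byte UID, as an added example that is not part of the thread or of the vendor's text. It assumes the standard ISO/IEC 14443-3 Type A scheme (one XOR checksum per 4-byte cascade level, with cascade tag 0x88 for 7-byte UIDs); the function names and the 4-byte UID are constructed for illustration.

```python
# Added example: ISO/IEC 14443-3 Type A anticollision frames and their BCC bytes.
from functools import reduce

CASCADE_TAG = 0x88  # signals that more UID bytes follow in the next cascade level


def bcc(block: bytes) -> int:
    """BCC is the XOR of the four bytes sent in one cascade level."""
    if len(block) != 4:
        raise ValueError("a cascade level always carries exactly 4 bytes")
    return reduce(lambda a, b: a ^ b, block)


def cascade_frames(uid: bytes) -> list[bytes]:
    """Split a 4- or 7-byte UID into cascade-level frames, each ending in its BCC."""
    if len(uid) == 4:
        if uid[0] == CASCADE_TAG:
            raise ValueError("a 4-byte UID must not start with the cascade tag 0x88")
        levels = [uid]
    elif len(uid) == 7:
        # Level 1 carries the cascade tag plus the first three UID bytes.
        levels = [bytes([CASCADE_TAG]) + uid[:3], uid[3:]]
    else:
        raise ValueError("only 4-byte and 7-byte UIDs are handled here")
    return [lvl + bytes([bcc(lvl)]) for lvl in levels]


def frame_is_valid(frame: bytes) -> bool:
    """Reader-side check: a 5-byte frame is consistent if all bytes XOR to zero."""
    return len(frame) == 5 and reduce(lambda a, b: a ^ b, frame) == 0


def parse_uid(text: str) -> bytes:
    """Accept '04:7F:3B', '04 7F 3B' or '047F3B' style input."""
    return bytes.fromhex(text.replace(":", " "))


if __name__ == "__main__":
    samples = [("7-byte UID quoted in the post", "04:7F:3B:72:47:50:80"),
               ("constructed 4-byte UID", "DE AD BE EF")]
    for label, text in samples:
        frames = cascade_frames(parse_uid(text))
        print(label, [f.hex(" ").upper() for f in frames],
              all(frame_is_valid(f) for f in frames))
```

A correct BCC only gets a tag through anticollision; as the post found, a DESFire reader that authenticates the card's applications still rejects a tag that carries nothing but the right UID.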

be warned someone did this in Australia and got it deactivated and a big ol’ fine due to it not being an official card/fob that the inspector can look at.

2 Likes

Yeah, I am aware thanks; As far as they would know, I have just implanted the fob under my skin.
I would still be able to present it for them to scan.
I would still be able to scan on and off
I would still be able to top it up.

There is very little recourse, and HIGHLY unlikely anyway.
The closest and ONLY fine is

Transport Officers can issue a $150 infringement notice for travelling without a valid ticket or not being tagged-on with your AT HOP card, with the appropriate concession.

Although it goes against some of their Terms of Issue and Use of AT HOP cards
NZD$150 = ~USD$100 , Although “travelling without a valid ticket” doesn’t really fit.

Worst case scenario would be a deactivated “card”

Here’s the link to the story @vampire_blue mentioned:

1 Like

@Pilgrimsmaster the case I linked had to pay $220 plus court fees :frowning:

1 Like

Rule 1: don’t get caught

2 Likes

Yeah, Thanks for the concern; I did see that story a while ago, I’m not worried one iota.
Also
That would be HIGHLY unlikely in NZ.

Like I said

I don’t think that we should be afraid to do what we do because of incidents like Ludo’s, HOWEVER we should be cautious and conscientious to not damage the perception and reputation of “Bio-Hacking” community by irresponsible actions.

It could definitely be a double-edged sword, it brings implants to the public eye, but a poorly thought-out reaction by taking to social media and news interviews can be damaging but if handled correctly can be beneficial.

In saying that:-
HIGHLY unlikely anything would happen

  • Fourth option (the one I’m currently pursuing): work with the transport authority to get an officially-sanctioned implant. Currently on hold indefinitely because of the damn virus, but it should happen when the situation is sorted out because they’re actually interested in the experiment.

That would be Mr. Meow-Meow (yes, that’s his real name :slight_smile:) and it turned out well for him:

Kinda hard to do when scanning your hand instead of a travel card upon boarding a bus.

It’s a bit like that recent poster here - whose name escapes me - who has to scan his hand through a pretend ID card at work so it doesn’t look suspicious. That defeats the purpose of an implant really. That’s why I want my transit card implant to be authorized by my PTA.

Touché, but I only really did that in the beginning, to draw less attention while massaging the reader with my hand

Turns out, having the chip properly programmed, and a good read range help

I just make sure nobody’s really behind me when I buzz in, and if there’s going to be, I just tail gate
(Yea it’s bad)

But yea, sleight of hand is a fun tool to have in the toolbox to prevent getting caught

Oh, it was you actually :slight_smile: Yes you would know a thing or two about not getting caught :slight_smile:

I haven’t ruled it out, In fact if I decide to get the conversion, that will be my first step, It is just a matter of tracking down the correct person and the correct approach.
Finding the correct person, will probably be the hardest part of the whole process!
The fact that I can show them my payment one I think will really help.
If I am denied, I can still do it anyway. That is why I haven’t registered that one yet

My experience with my PTA is, it’s a matter of your email landing in the inbox of an open-minded person in charge (or at least able to convince someone in charge) before it gets rerouted to the trash folder.

I got lucky: my request was forwarded 3 times by people who didn’t know how to respond (but didn’t junk it outright) and it finally arrived at the guy in charge of NFC development, who was really excited by the idea.

And then his own boss - noticeably less excited - got involved and told me to hold off until the coronavirus thing is over, and until they’re done rolling out their new in-vehicle readers.

That’s where I’m at with them now. Waiting for the virus to make itself scarce so I can get that particular ball rolling again. I’m sure everybody will be so happy to be free of it when it does that I’ll have no problem convincing those people who are already at least mildly sympathetic to my request to go ahead and program a DT flexDF in their secure facilities.

Yeah, I remember your update and was glad for you, it sounds really promising and you were fortunate to find the correct person by email.

I haven’t decided whether I am going to try in person, by phone, or email yet.
I’ll make that decision once I decide if I am going to get the conversion finished or not.

I think a conversion will be easier for them to swallow, over a “bring my own” enrolment.

I’m super pessimistic and cynical of organizations especially ones dealing with government or the public

Way too much burn out on the employees, and too little open mindedness

Way too easy for “not my job” when everything is so compartmentalized

I wish you luck on getting permission

I would highly recommend in person, since that would make it harder to dismiss you and you can make follow up arguments

Lol I just assumed you were being sarcastic

1 Like

Yeah,
I’m normally in the better to ask for forgiveness than permission camp, but this one could work in my favour, and if I don’t get permission, I can still do it anyway

Out of the box thought,

Find someone they answer to, and talk to them
Especially someone they answer to, that might like a “look how cool and competent we are” article

Maybe a bit of a derail already but…

I’ve tried contacting a lot of people for a lot of weird biohacking-related things. I’ve always had the best luck sending a short, to the point email with an attached PDF explaining my project comprehensively, complete with facts, documentation, references to research papers if needed, risk assessment, and a proposed timeline.

The short email hooks whoever might have 10 seconds of focused attention to devote to your request, and the comprehensive PDF rationalizes the request and proves you’re serious and you’ve done your research - and also prevents your email from going to the trash folder too quickly.

No, I genuinely forgot. I have the memory span of a goldfish. No offense.

Hmmm, Great idea, but that is not this guy, I would rather stay out of the lime light, but would happily provide them all the info.
This guy

Not at all, this is my plan, but all the info is for everybody / anybody looking to do the same, so any input is welcome.

Your email idea is valid and a good strategy, I have also found in life it is harder for people to deny you in person than from behind a keyboard.

Accompanying documents are great, and in person I would take them with me.
The beauty of email is, they are not “put on the spot”, the beauty of in-person is you get a feel of the person :wink: and can follow it up with supporting documents for them to digest in their own time.

I guess it is a matter of “Horses- for -courses”

I am yet to decide anyway…

Alternative approach: send them an email saying “Either you help me get a bona fide transport card implant, or I’ll get your regular AT card and I’ll implant it UNSANITIZED, AS-IS, with a KITCHEN KNIFE. And then you’ll be responsible for my DEATH! - Which one will it be?”

:slight_smile:

1 Like