kormax / apple-enhanced-contactless-polling

Reverse-engineering Apple Enhanced Contactless Polling

Interesting behaviour of Singapore Transit Readers #6

Closed hanpuliu-charles closed 1 month ago

hanpuliu-charles commented 1 month ago

Hi, I would like to share an interesting behaviour and see if you experienced something similar. My phone is set up for CATHAY express transit. However, I noticed that when placing my phone up against the transit reader, instead of using the CATHAY express transit card, it prompted for authentication instead, as though express transit isn't enabled. The readers are not broadcasting ECP frames, only REQA and REQB. Is this a behaviour that is known? Thanks!

kormax commented 1 month ago

Perhaps the REQB suppresses CATHAY?

Frankly, I don't remember if it did or not when I was testing. It surely activated express for WUPA.

kormax commented 1 month ago

I've had my Android phone on hand, which does WUPA WUPB WILDCARD INVENTORY loop, and it triggered CATHAY on my iPhone.

I think you should play around a little more with your combo to analyze what's happening.

hanpuliu-charles commented 1 month ago

Is it possible to send custom polling sequences using pn532 board or pm3?

kormax commented 1 month ago

Yeah, with PM3 via 14a/b raw command.

kormax commented 1 month ago

Two more guesses from my side.

CATHAY could be suppressed:

kormax commented 1 month ago

You know what, I think that the REQB using a different, non-default AFI could also be the reason for CATHAY being suppressed.

If you look closely, it's alternating between 05 00 and 05 10.

kormax commented 1 month ago

I've tried reproducing that polling loop, but it didn't suppress CATHAY, to no avail.

What do you think about a rogue "6a" in your nfc-b trace? Could it perhaps be an ECP fake-out frame that breaks this behavior?

I've tested - sending 6a without any payload also suppresses CATHAY.

hanpuliu-charles commented 1 month ago

Thanks for the insights! I have double-checked and the 6a seems to be a one-time occurrence, perhaps due to an incomplete frame read. I would like to check if there is any way (using PN532 or PM3) to send alternating Type A and B polling frames? Thanks!

Now that I think about it, it could be that the reader is actually polling for FeliCa, but I think the Proxmark3 doesn't work well with it. It has a lot of trouble reading the FeliCa cards that I have (could be just my unit's problem).

kormax commented 1 month ago

For Proxmark3:

hf 14a raw

hf 14b raw

For pn532:

Can be done, but no public code that does.
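As an added example (not code from this repository, nor from anyone in the thread): a small Python decoder that classifies the frames of a captured polling loop so you can see at a glance what a reader is actually sending, i.e. whether it uses REQ or WUP variants, which AFI values its Type B polls carry (the 05 00 / 05 10 alternation discussed above), whether FeliCa wildcard polling is present, and whether a stray 0x6A shows up. Frame layouts follow ISO/IEC 14443-3 (REQA 0x26, WUPA 0x52, REQB/WUPB as 0x05 + AFI + PARAM) and the FeliCa Polling command (LEN 0x06, CMD 0x00, system code, RC, TSN). The two sample loops are constructed to mirror the descriptions in this issue and are not real captures; treating the byte after 0x6A as the ECP version is an assumption, and ISO 15693 inventory frames are not handled.

```python
# Added example: decode reader-side polling frames (payload bytes, CRC already
# stripped) and summarize a polling loop. Sample loops below are constructed.
from dataclasses import dataclass

# AFI family is the upper nibble (ISO/IEC 14443-3); AFI 0x00 addresses all applications.
AFI_FAMILIES = {
    0x0: "all families", 0x1: "transport", 0x2: "financial", 0x3: "identification",
    0x4: "telecommunication", 0x5: "medical", 0x6: "multimedia", 0x7: "gaming",
    0x8: "data storage",
}


@dataclass(frozen=True)
class Frame:
    kind: str    # REQA, WUPA, REQB, WUPB, FELICA_POLL, ECP, ECP_TRUNCATED, UNKNOWN
    detail: str
    raw: bytes


def decode_frame(raw: bytes) -> Frame:
    """Classify one reader-to-card polling frame."""
    if raw == b"\x26":
        return Frame("REQA", "Type A short frame", raw)
    if raw == b"\x52":
        return Frame("WUPA", "Type A short frame (also wakes HALTed cards)", raw)
    if len(raw) == 3 and raw[0] == 0x05:
        afi, param = raw[1], raw[2]
        kind = "WUPB" if param & 0x08 else "REQB"   # PARAM b4 selects WUPB over REQB
        slots = 1 << (param & 0x03)                  # PARAM b2..b1 encode the slot count
        family = AFI_FAMILIES.get(afi >> 4, "unknown")
        sub = "all sub-families" if afi & 0x0F == 0 else f"sub-family {afi & 0x0F}"
        return Frame(kind, f"AFI=0x{afi:02X} ({family}, {sub}), {slots} slot(s)", raw)
    if raw[:1] == b"\x6a":
        if len(raw) == 1:
            # A lone 0x6A carries no version or payload: most likely an incomplete read.
            return Frame("ECP_TRUNCATED", "bare 0x6A, no version or payload", raw)
        # Assumption: the byte following 0x6A is the ECP version number.
        return Frame("ECP", f"version {raw[1]}, {len(raw) - 2} payload byte(s)", raw)
    if len(raw) == 6 and raw[0] == 0x06 and raw[1] == 0x00:
        sc = raw[2:4].hex().upper()
        wild = " (wildcard)" if sc == "FFFF" else ""
        return Frame("FELICA_POLL", f"system code {sc}{wild}, RC={raw[4]}, TSN={raw[5]}", raw)
    return Frame("UNKNOWN", raw.hex(" "), raw)


def summarize(loop):
    """Which poll types a loop contains and which AFIs its Type B polls use."""
    frames = [decode_frame(f) for f in loop]
    afis = sorted({f.raw[1] for f in frames if f.kind in ("REQB", "WUPB")})
    return {
        "kinds": sorted({f.kind for f in frames}),
        "type_b_afis": [f"0x{a:02X}" for a in afis],
        "has_ecp": any(f.kind == "ECP" for f in frames),
        "has_truncated_ecp": any(f.kind == "ECP_TRUNCATED" for f in frames),
        "uses_wakeup": any(f.kind in ("WUPA", "WUPB") for f in frames),
    }


# Constructed sample 1: REQA interleaved with REQB whose AFI alternates 0x00 / 0x10,
# plus one stray 0x6A, modelled on the transit reader trace described in the issue.
TRANSIT_READER_LOOP = [
    b"\x26", b"\x05\x00\x00", b"\x26", b"\x05\x10\x00", b"\x6a", b"\x26", b"\x05\x00\x00",
]

# Constructed sample 2: WUPA / WUPB / FeliCa wildcard polling, a phone-style loop.
PHONE_STYLE_LOOP = [b"\x52", b"\x05\x00\x08", b"\x06\x00\xff\xff\x00\x00"]

if __name__ == "__main__":
    for name, loop in (("transit reader", TRANSIT_READER_LOOP), ("phone style", PHONE_STYLE_LOOP)):
        print(f"== {name} ==")
        for f in map(decode_frame, loop):
            print(f"  {f.raw.hex(' '):<20} {f.kind:<14} {f.detail}")
        print("  summary:", summarize(loop))
```

Feed it the frames from a `hf 14a raw` / `hf 14b raw` session or any other capture as byte strings; the summary makes it obvious when a loop polls only with REQA/REQB and never wakes HALTed cards, or when the AFI moves away from 0x00, which are the two differences from a phone-style loop that the thread is circling around.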

adipierro commented 1 month ago

I have implemented PN532 ECP for ESP32, used in access control reader for our hackspace in Yerevan, Hacker Embassy.

It's not great (💩), but it works 👀

kormax commented 1 month ago

Thanks for chiming in!

Yeah, I think that code can also be used for similar testing purposes.

hanpuliu-charles commented 1 month ago

Also, I see that some of my cards have an automatic selection option in Wallet. I am guessing that is based on ECP/VAS?

kormax commented 1 month ago

If you're talking about regular payment cards that have "Automatic Selection" toggle - that behavior is not fully researched.

As far as I know, this toggle is present on cards that are marked as "cobranded" in pkpass file.

The only card of mine that has this property on my device has "relatedAppIds" property, and if I activate apple pay button while in any of those apps, the cobranded card is selected by default.

According to Passkit, if my memory serves well, there are two similar properties to the first one, which I assume can also play a role:

As for the first one, I assume the behavior is similar to apps - it presents that card as the default one when payment sheet appears when browsing on a particular domain.

As for the most interesting one - honestly no idea as I have no cards with this property, so I have no way to test it or to verify that it even works at all. Taking a broad guess, I think it would indeed work either through VAS or ECP. Although I'm leaning towards VAS, as at the moment this feature was introduced, ECP1 could only hold 3 bytes of data, and even then there were strict limitations upon format. With VAS, I assume there could be an additional TLV tag or command that could indicate a readerId or a preference for a particular cobranded card.

kormax commented 1 month ago

@hanpuliu-charles by the way, if any of your Android devices happen to support the Android 15 beta, it could be worth checking out the demo app I've made, which allows you to collect info about the polling loop of a particular reader. It should fare better than a cheap PM3 and would be less awkward to use due to the lack of any wires. I've added a link to it in the references section.