Tech Flashback: Tcard

Since I was cleaning up the house because there’s a council clean-up on the way, and things had been flooded with sewage – I managed to unearth many old items I had kept and almost completely forgotten about.

This is a Tcard, issued in the beginning of 2005 for the bus part of the student transport scheme. As I had a bus pass at the time, I was eligible and indeed received a Tcard.

tcard-front

The image above is altered to remove my details and card number, which was printed in all capital black text in the lower left corner. I’m sure there’s still quite a few of these cards out there.

tcard-rear

The rear of the Tcard is unaltered. One thing to note is that the website www.tcard.com.au is now occupied by a domain squatter that has no relation to the Tcard project whatsoever.

The Tcard was our first glimpse at the possibility of integrated contactless ticketing. Intended to be in place by the 2000 Sydney Olympic Games, it never made it – instead, it was only rolled out to the extent of school bus trials (which is how I got my card) and a brief bus trial with Punchbowl Bus Company. The project itself was in a lot of strife from the beginning, the award of the tender to ERG being contested by Cubic Systems (the manufacturer of the current magnetic stripe system). When ERG, who successfully introduced many contactless systems including the highly successful Octopus Card, failed to turn up milestones on time and had software bugs, the project was scrapped. A new project was undertaken to salvage the remains – ironically, that lead to the Opal card, the Opal consortium has Cubic Systems in it!

What is the Technology?

Back when I was in high school, using one of these cards, I had no access to contactless reader/writer equipment. Now, many people carry one around in their pockets – an NFC enabled phone or tablet device.

Lets find out what the card is made of – first, using NXP TagInfo:

NXPTaginfo-Unknown NXPTaginfo-TechnologiesSupp

Looking at this, it appears that the tag has been very cleverly secured. From the ATQA of 0x4403, it is almost certain that it is an NXP Mifare DESFire (original version) but with the byes in the wrong order. These cards are truly smart, and run an operating system on top of the embedded 8051 processor which can make them behave like any card (or unlike any other card) as they wish. As a result, it appears that NXP TagInfo gets somewhat confused when trying to identify the IC involved. This is also a fairly modern card, having a 7-byte UID – yes that’s my unique ID there. No 4-byte UIDs and MiFare Classics here folks!

Lets try the other NFC TagInfo:

NFC Taginfo-UnexpectedRemove

The first thing to notice is that this program always complains of the tag being removed, even when it hasn’t – suggesting the Tcard is “shutting down” due to security schemes being invoked – probably a lack of authentication.

NFC Taginfo-Tag Information NFC Taginfo-Applications

Again, we see the 7-byte UID, and ATQA is 0x0344 which matches the Mifare DESFire signature in the NXP Mifare Type Identification Procedure.

The interesting thing is that at the lowest emulation level, we cannot authenticate with the default keys and access the application directory. This implies that the guys behind the card have gone to the lengths of diversifying the keys to ensure all access to the card is barred without a key – and may have even customized the operating system on the DESFire card to ensure further security.

The Mifare DESFire cards have been discontinued and the DESFire EV1’s have now taken over in their place – a sophisticated side-channel attack against the original DESFire cards could have led to information disclosure.

Conclusion

Well, it’s nice to know that even at the Tcard stage, the system designers were diligent to choose a more-secure platform and secure it with diversified keys. The whole Tcard situation was unfortunate, with a large amount of money being thrown at it – and excuses including the complicated fare structure being put forward as reasons for delays.

It is a big irony that, after the whole thing was shuttered, the revival of the system leading to the Opal card involves Cubic Systems – the company that caused the initial delay by taking ERG and the state government to court in a rather contemptuous way.

Bonus Material

This isn’t really worth a post on its own, but I picked up another status report printed by a Datafare 2000 machine operated by Sydney Buses.

recent-statusreport

This one looks like it may have been printed on a fresh start and complains of both ticket readers not being able to establish communications with the driver’s console. Comparing the output from the previous one that I had picked up tells us that the ROLFF version number has gone up, but the console and ticket reader versions have stayed the same. I wonder if the upgrade to ROLFF (whatever that is!) may have something to do with becoming more Opal-ready?

recent-statusreport-rear

And as usual, Sydney Buses takes pride in its ticket stock, printing hints, notices and other things on the back, shop-a-docket style.

About lui_gough

I'm a bit of a nut for electronics, computing, photography, radio, satellite and other technical hobbies. Click for more about me!
This entry was posted in Tech Flashback, Travel and tagged . Bookmark the permalink.

Error: Comment is Missing!