-
Notifications
You must be signed in to change notification settings - Fork 72
FeliCa
Sony FeliCa (Felicity Card) is a contactless storage-type smartcard.
In Metrodroid, this is used by:
- Edy (Japan)
- IC (Japan)
- Kartu Multi-Trip (Indonesia)
- MRT Jakarta
- Octopus (Hong Kong), first-generation Shenzhen Tong
Wikipedia has more detail and a list of users.
FeliCa cards are divided into systems (~applications), which contain a collection of services (~files).
In addition, there are areas (~partitions), which are used to manage storage allocation and act as another layer of key management. These aren't important for Metrodroid -- we only ever dump systems and services directly.
Both the IDm and PMm are 8 bytes long.
IDm is similar to a UID on other cards:
First | Last | Length | Description |
---|---|---|---|
0 | 1 | 2 | Manufacturer code *️⃣ |
2 | 7 | 6 | Card identification number |
- *️⃣ the upper 4 bits of the 0th byte of the IDm indicates the system code index
System codes are 2 bytes, and are centrally assigned by Sony. Systems have a physical index and a logical naming. A card may have more than one system code.
System codes on a card can be discovered by:
-
Polling using a wildcard (
0xffff
,0x__ff
or0xff__
) and then using Request System Code - Polling with an explicit, desired system code
List of known system codes:
System code | Function |
---|---|
0x__ff |
🈯️ *️⃣ reserved (used as a wildcard in Polling commands) |
0x0003 |
IC (Japan) (all variants) |
0x040f |
nicepass (Japan) |
0x04c0 |
Edy (to be confirmed, contains no services) |
0x12fc |
🈯️ NDEF (NFC Data Exchange Format) |
0x4___ |
🈯️ HCE-F (Host Card Emulation) |
0x8005 |
first-generation Shenzhen Tong |
0x8008 |
Octopus |
0x8074 |
Omi Railway and Bus Card (Japan) |
0x80de |
IruCa (Japan) |
0x80e0 |
IC e-card (Iyo Railway, Japan) |
0x8157 |
CI-CA (Japan), Randen (?) |
0x8194 |
Rapica (Japan) |
0x8287 |
NicoPa (Japan) |
0x832c |
ecomyca, passca (Japan) |
0x852b |
Waon (Japan) |
0x862c |
itappy (Japan) |
0x865e |
SAPICA (Japan) |
0x86a7 |
Suica (not present on other IC cards) |
0x88b4 |
🈯️ FeliCa Lite |
0x8b43 |
NORUCA (Japan) |
0x8b98 |
Randen (Japan) |
0x90b7 |
Kartu Multi-Trip |
0x927a |
Hayakaken (not present on other IC cards) |
0x9373 |
MRT Jakarta |
0xaa__ |
🈯️ JIS X 6319-4:2016 |
0xfe00 |
🈯️ FeliCa Networks Common Area, Edy, IC (Japan) |
0xfee1 |
🈯️ FeliCa Plug |
0xff__ |
*️⃣ reserved (used as a wildcard in Polling commands) |
- 🈯️ reserved in FeliCa Technology Code Descriptions
- *️⃣ wildcard in Polling command per FeliCa User's Manual, Excerpted Edition, Section 4.4.2, Special Instructions
- all other codes are observed in the wild
Service codes are 2 bytes: the lower 6 bits are the service attribute, the upper 10 bits are the service number. Metrodroid handles the uses the entire service code as an ID.
Service attributes are as follows:
Value | Service type | Description |
---|---|---|
00100n |
Random service | Read/write access |
00101n |
Read only access | |
00110n |
Cyclic service | Read/write access |
00111n |
Read only access | |
01000n |
Purse service | Direct access |
01001n |
Cashback/decrement access | |
01010n |
Decrement access | |
01011n |
Read only access |
The lowest bit (n
) is set to 0
if authentication is required, or 1
if authentication is not required.
FeliCa features an overlap service -- this allows the same storage blocks to be mapped to services with different attributes. For example, one could map blocks used by a random service multiple times, with one permitting read-only access without authentication, and another with read/write access but requiring authentication.
Services have both a physical index and logical naming. The 0th physical service in a system contains area mapping data for the system. The search service code
command works with physical service index, and can be used to discover all the logical service names on the card.
▶️ indicates a request (command) sent by the reader◀️ indicates a response sent by the card-
D
indicates a command supported byDES
andAES/DES
card 🅰️ indicates a command supported byAES
andAES/DES
card- *️⃣ indicates a command supported by all cards
- References are to FeliCa User's Manual, Excepted Edition where available
- "redacted" indicates that the documentation is only in the full FeliCa User's manual, not the excerpted edition
Code | Dir. | Sup. | Description | Reference |
---|---|---|---|---|
0x00 |
*️⃣ | Polling | 4.4.2 | |
0x01 |
*️⃣ | Polling | 4.4.2 | |
0x02 |
*️⃣ | Request service | 4.4.3 | |
0x03 |
*️⃣ | Request service | 4.4.3 | |
0x04 |
*️⃣ | Request response | 4.4.4 | |
0x05 |
*️⃣ | Request response | 4.4.4 | |
0x06 |
*️⃣ | Read | 4.4.5 | |
0x07 |
*️⃣ | Read | 4.4.5 | |
0x08 |
*️⃣ | Write | 4.4.6 | |
0x09 |
*️⃣ | Write | 4.4.6 | |
0x0a |
*️⃣ | Search service code | 4.4.7 (redacted) | |
0x0b |
*️⃣ | Search service code | 4.4.7 (redacted) | |
0x0c |
*️⃣ | Request system code | 4.4.8 | |
0x0d |
*️⃣ | Request system code | 4.4.8 | |
0x10 |
D |
Authentication 1 | 4.4.9 (redacted) | |
0x11 |
D |
Authentication 1 | 4.4.9 (redacted) | |
0x12 |
D |
Authentication 2 (DES) | 4.4.10 (redacted) | |
0x13 |
D |
Authentication 2 (DES) | 4.4.10 (redacted) | |
0x14 |
D |
Read (DES) | 4.4.11 (redacted) | |
0x15 |
D |
Read (DES) | 4.4.11 (redacted) | |
0x16 |
D |
Write (DES) | 4.4.12 (redacted) | |
0x17 |
D |
Write (DES) | 4.4.12 (redacted) | |
0x32 |
Request service v2 | 4.4.13 | ||
0x33 |
Request service v2 | 4.4.13 | ||
0x38 |
Get system status | 4.4.14 (redacted) | ||
0x39 |
Get system status | 4.4.14 (redacted) | ||
0x3c |
Get specification version | 4.4.15 | ||
0x3d |
Get specification version | 4.4.15 | ||
0x3e |
Reset mode | 4.4.16 | ||
0x3f |
Reset mode | 4.4.16 | ||
0x40 |
Authentication 1 v2 | 4.4.17 (redacted) | ||
0x41 |
Authentication 1 v2 | 4.4.17 (redacted) | ||
0x42 |
Authentication 2 v2 (AES) | 4.4.18 (redacted) | ||
0x43 |
Authentication 2 v2 (AES) | 4.4.18 (redacted) | ||
0x44 |
Read (AES) v2 | 4.4.19 (redacted) | ||
0x45 |
Read (AES) v2 | 4.4.19 (redacted) | ||
0x46 |
Write (AES) v2 | 4.4.20 (redacted) | ||
0x47 |
Write (AES) v2 | 4.4.20 (redacted) | ||
0x4c |
Set random ID (AES) | 4.4.21 (redacted) | ||
0x4d |
Set random ID (AES) | 4.4.21 (redacted) |
Request:
First | Last | Length | Description |
---|---|---|---|
0 | 1 | 2 | Service index (physical ordering). The 0th system code is area code 0. |
Response (service code, 2 bytes):
First | Last | Length | Description |
---|---|---|---|
0 | 1 | 2 | Service code |
Response (area code, 4 bytes):
First | Last | Length | Description |
---|---|---|---|
0 | 1 | 2 | Area code |
2 | 3 | 2 | Last service index for the area |
- FeliCa User's Manual, Excerpted Edition (does not document authentication or some commands)
- nfcpy, both tt3.py and tt3_sony.py, covers many details that are only in the full user's manual
- JIS X 6319-4 (Japanese, but English translations also available)