Skip to content

FeliCa

Jump to bottom Edit New page
Michael Farrell edited this page Dec 16, 2019 · 6 revisions

Sony FeliCa (Felicity Card) is a contactless storage-type smartcard.

In Metrodroid, this is used by:

Wikipedia has more detail and a list of users.

Concepts

FeliCa cards are divided into systems (~applications), which contain a collection of services (~files).

In addition, there are areas (~partitions), which are used to manage storage allocation and act as another layer of key management. These aren't important for Metrodroid -- we only ever dump systems and services directly.

Manufacture ID (IDm) and Parameter (PMm)

Both the IDm and PMm are 8 bytes long.

IDm is similar to a UID on other cards:

First Last Length Description
0 1 2 Manufacturer code *️⃣
2 7 6 Card identification number
  • *️⃣ the upper 4 bits of the 0th byte of the IDm indicates the system code index

Systems

System codes are 2 bytes, and are centrally assigned by Sony. Systems have a physical index and a logical naming. A card may have more than one system code.

System codes on a card can be discovered by:

  • Polling using a wildcard (0xffff, 0x__ff or 0xff__) and then using Request System Code
  • Polling with an explicit, desired system code

List of known system codes:

System code Function
0x__ff 🈯️ *️⃣ reserved (used as a wildcard in Polling commands)
0x0003 IC (Japan) (all variants)
0x040f nicepass (Japan)
0x04c0 Edy (to be confirmed, contains no services)
0x12fc 🈯️ NDEF (NFC Data Exchange Format)
0x4___ 🈯️ HCE-F (Host Card Emulation)
0x8005 first-generation Shenzhen Tong
0x8008 Octopus
0x8074 Omi Railway and Bus Card (Japan)
0x80de IruCa (Japan)
0x80e0 IC e-card (Iyo Railway, Japan)
0x8157 CI-CA (Japan), Randen (?)
0x8194 Rapica (Japan)
0x8287 NicoPa (Japan)
0x832c ecomyca, passca (Japan)
0x852b Waon (Japan)
0x862c itappy (Japan)
0x865e SAPICA (Japan)
0x86a7 Suica (not present on other IC cards)
0x88b4 🈯️ FeliCa Lite
0x8b43 NORUCA (Japan)
0x8b98 Randen (Japan)
0x90b7 Kartu Multi-Trip
0x927a Hayakaken (not present on other IC cards)
0x9373 MRT Jakarta
0xaa__ 🈯️ JIS X 6319-4:2016
0xfe00 🈯️ FeliCa Networks Common Area, Edy, IC (Japan)
0xfee1 🈯️ FeliCa Plug
0xff__ *️⃣ reserved (used as a wildcard in Polling commands)

Services

Service codes are 2 bytes: the lower 6 bits are the service attribute, the upper 10 bits are the service number. Metrodroid handles the uses the entire service code as an ID.

Service attributes are as follows:

Value Service type Description
00100n Random service Read/write access
00101n Read only access
00110n Cyclic service Read/write access
00111n Read only access
01000n Purse service Direct access
01001n Cashback/decrement access
01010n Decrement access
01011n Read only access

The lowest bit (n) is set to 0 if authentication is required, or 1 if authentication is not required.

FeliCa features an overlap service -- this allows the same storage blocks to be mapped to services with different attributes. For example, one could map blocks used by a random service multiple times, with one permitting read-only access without authentication, and another with read/write access but requiring authentication.

Services have both a physical index and logical naming. The 0th physical service in a system contains area mapping data for the system. The search service code command works with physical service index, and can be used to discover all the logical service names on the card.

Requests and responses

  • ▶️ indicates a request (command) sent by the reader
  • ◀️ indicates a response sent by the card
  • D indicates a command supported by DES and AES/DES card
  • 🅰️ indicates a command supported by AES and AES/DES card
  • *️⃣ indicates a command supported by all cards
  • References are to FeliCa User's Manual, Excepted Edition where available
  • "redacted" indicates that the documentation is only in the full FeliCa User's manual, not the excerpted edition
Code Dir. Sup. Description Reference
0x00 ▶️ *️⃣ Polling 4.4.2
0x01 ◀️ *️⃣ Polling 4.4.2
0x02 ▶️ *️⃣ Request service 4.4.3
0x03 ◀️ *️⃣ Request service 4.4.3
0x04 ▶️ *️⃣ Request response 4.4.4
0x05 ◀️ *️⃣ Request response 4.4.4
0x06 ▶️ *️⃣ Read 4.4.5
0x07 ◀️ *️⃣ Read 4.4.5
0x08 ▶️ *️⃣ Write 4.4.6
0x09 ◀️ *️⃣ Write 4.4.6
0x0a ▶️ *️⃣ Search service code 4.4.7 (redacted)
0x0b ◀️ *️⃣ Search service code 4.4.7 (redacted)
0x0c ▶️ *️⃣ Request system code 4.4.8
0x0d ◀️ *️⃣ Request system code 4.4.8
0x10 ▶️ D Authentication 1 4.4.9 (redacted)
0x11 ◀️ D Authentication 1 4.4.9 (redacted)
0x12 ▶️ D Authentication 2 (DES) 4.4.10 (redacted)
0x13 ◀️ D Authentication 2 (DES) 4.4.10 (redacted)
0x14 ▶️ D Read (DES) 4.4.11 (redacted)
0x15 ◀️ D Read (DES) 4.4.11 (redacted)
0x16 ▶️ D Write (DES) 4.4.12 (redacted)
0x17 ◀️ D Write (DES) 4.4.12 (redacted)
0x32 ▶️ 🅰️ Request service v2 4.4.13
0x33 ◀️ 🅰️ Request service v2 4.4.13
0x38 ▶️ 🅰️ Get system status 4.4.14 (redacted)
0x39 ◀️ 🅰️ Get system status 4.4.14 (redacted)
0x3c ▶️ 🅰️ Get specification version 4.4.15
0x3d ◀️ 🅰️ Get specification version 4.4.15
0x3e ▶️ 🅰️ Reset mode 4.4.16
0x3f ◀️ 🅰️ Reset mode 4.4.16
0x40 ▶️ 🅰️ Authentication 1 v2 4.4.17 (redacted)
0x41 ◀️ 🅰️ Authentication 1 v2 4.4.17 (redacted)
0x42 ▶️ 🅰️ Authentication 2 v2 (AES) 4.4.18 (redacted)
0x43 ◀️ 🅰️ Authentication 2 v2 (AES) 4.4.18 (redacted)
0x44 ▶️ 🅰️ Read (AES) v2 4.4.19 (redacted)
0x45 ◀️ 🅰️ Read (AES) v2 4.4.19 (redacted)
0x46 ▶️ 🅰️ Write (AES) v2 4.4.20 (redacted)
0x47 ◀️ 🅰️ Write (AES) v2 4.4.20 (redacted)
0x4c ▶️ 🅰️ Set random ID (AES) 4.4.21 (redacted)
0x4d ◀️ 🅰️ Set random ID (AES) 4.4.21 (redacted)

0x0a: search service code

Request:

First Last Length Description
0 1 2 Service index (physical ordering). The 0th system code is area code 0.

Response (service code, 2 bytes):

First Last Length Description
0 1 2 Service code

Response (area code, 4 bytes):

First Last Length Description
0 1 2 Area code
2 3 2 Last service index for the area

References

Metrodroid and its authors are not affiliated with any public transit agency.

Clone this wiki locally