Emily Trau edited this page Jan 20, 2023 · 14 revisions

Myki card image

Myki is the smart-card ticketing system in use in the state of Victoria, Australia. It is operated by PTV.

Myki cards are MIFARE DESFire cards carrying two applications, 0x11f2 and 0xf010f2.

All multi-byte values are stored in little-endian on the card, unless specified otherwise.

For convenience, it is recommended to reverse the bytes of each file before parsing it, because Farebot's bit-reading code is all big-endian.

Offsets and lengths listed are measured in bits, and assume you have reversed the data. Ranges listed do not include the end bit.

Metrodroid added support for this card in v2.9.27. Only reading the card number is supported.

About this card

Further work on this is pretty much a dead end. While it is trivial to identify the cards, the key configuration on the cards gives no sign that useful data (such as trips or balances) is readable without the keys.

Other applications which "read" Myki cards on Android, like Myki Plus, actually just read the card number from the card, and then use screen-scraping to get the trips from Myki's website. While this could be a viable strategy for Metrodroid, all the other card readers only read data from the card itself. I consider poking a third-party web service to be ultimately a failure to read the data on the card, so I won't implement a patch to do this for Myki.

Further reading about the format of the cards can be found at: https://web.archive.org/web/20160403002633/https://matt.bionicmessage.net/blog/2013/02/17/frequently%20asked%20questions%20about%20nfc%20and%20myki%20cards

Efforts to reverse engineer PTV services

While the card number is currently the only information available from the card, an effort to reverse engineer the PTV app and web services has yielded a little more insight into the system.

It appears that the keys for the card are securely delivered via the PTV API (based on research into the PTV Android app).

Account information is delivered via the PTV API (the endpoint appears to be /ticketing).

Additional research is currently stalled because certificate pinning stops Charles Proxy from intercepting the decryption key requests.

However, since the app's 'instant top up' is known to write to the card, there is a strong possibility that write key(s) are being transmitted to the PTV app (similar to the vending machines at stations).

Google Pay virtual cards

This uses MIFARE2GO to emulate a DESFire card, triggered by a custom AID.

This has the same level of data access as a physical card would (i.e. limited). There's not much point in implementing this.

Application 0x11f2 file 0xf

The file is 16 bytes long, and is the "metadata" file.

Start  End  Length  Field description
64     96   32      Card number (digits 7 - 14 inclusive)
96     128  32      Card number (digits 1 - 6 inclusive)

The final (15th) digit is a Luhn check digit.
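As an added worked example (this is not Metrodroid or Farebot code), the following Python reads the two fields in the table above out of a 16-byte metadata file, taking care of the byte reversal described earlier, and appends and validates the Luhn check digit. The 16-byte sample file is constructed for the example, not a dump of a real card; its last 8 bytes are left as zero because the page does not document them.

```python
"""Parse the Myki metadata file (application 0x11f2, file 0xf) into a card number.

Added example, not Metrodroid or Farebot code. SAMPLE_FILE below is constructed:
the digits in it are arbitrary and it is not a dump of a real card.
"""


def read_bits(data: bytes, start: int, end: int) -> int:
    """Return bits [start, end) of `data` as an unsigned integer.

    Bit 0 is the most significant bit of data[0], matching Farebot's big-endian
    bit-reading convention, so `data` must already be byte-reversed.
    """
    total_bits = len(data) * 8
    if not 0 <= start < end <= total_bits:
        raise ValueError(f"bit range [{start}, {end}) outside {total_bits}-bit buffer")
    value = int.from_bytes(data, "big")
    return (value >> (total_bits - end)) & ((1 << (end - start)) - 1)


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of decimal digits (the digit appended on the right)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct Luhn digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


def parse_metadata_file(raw: bytes) -> str:
    """Card number (15 digits, Luhn digit included) from the file as read off the card.

    The file is little-endian on the card; reversing it lets the bit offsets from the
    table (64-96 and 96-128) be used directly as big-endian offsets.
    """
    if len(raw) != 16:
        raise ValueError("metadata file must be 16 bytes")
    data = raw[::-1]
    digits_7_14 = read_bits(data, 64, 96)   # 8 decimal digits
    digits_1_6 = read_bits(data, 96, 128)   # 6 decimal digits
    if digits_1_6 >= 10**6 or digits_7_14 >= 10**8:
        raise ValueError("field does not fit its digit count: wrong file, or not reversed?")
    payload = f"{digits_1_6:06d}{digits_7_14:08d}"
    return payload + str(luhn_check_digit(payload))


# Constructed sample (not a real card): digits 1-6 = 123456 and digits 7-14 = 78901234,
# stored little-endian in the first 8 bytes as they would be on the card; the remaining
# 8 bytes are zero here because the page does not document them.
SAMPLE_FILE = (123456).to_bytes(4, "little") + (78901234).to_bytes(4, "little") + bytes(8)

if __name__ == "__main__":
    number = parse_metadata_file(SAMPLE_FILE)
    print(number, "luhn ok" if luhn_valid(number) else "luhn FAIL")
```

The range check in parse_metadata_file is the practical sanity test: a 32-bit field that does not fit in 6 or 8 decimal digits almost always means the bytes were not reversed or the wrong file was selected.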

Application 0xf010f2 file 0x2

Transaction journal. It appears to grow whenever the card is topped up or used.

Application 0xf010f2 file 0xf

This file is 16 bytes long.

Start End Length Field description