WIP: Adds support for KS X 6924 (T-Money / Snapper+)

[micolous]

Adds support for KS X 6924 application, used by T-Money (South Korea) and Snapper+ (Wellington, New Zealand).

This card builds on ISO7816-4 application primitives, and "emv" commands can be used for some of the card functionality.

However, there is a proprietary "get record" command (in addition to regular "get record"), and a "get balance" command.

This only implements support for basic parsing the information in the FCI, and the result of the "get balance" command.

It currently presumes the constants associated with T-Money, and no attempt has been made in this code to tell between T-Money and Snapper cards -- though I've tested with both.

Commands added:

• hf ksx6924 info: Get info about a KS X 6924 (T-Money, Snapper+) transit card
• hf ksx6924 select: Select application, and leave field up
• hf ksx6924 balance: Get current purse balance
• hf ksx6924 prec: Send proprietary get record command (CLA=90, INS=4C)

Reading a T-Money card:

proxmark3> hf ksx6924 info
## KS X 6924 Purse Info:          
          
cardType .............................. 00 (Pre-paid)          
alg (encryption algorithm) ............ 10 (3DES)          
vk (keyset version) ................... 01          
idCenter (issuer ID) .................. 08 (Korea Smart Card Corporation)          
csn (card number) ..................... 101003XXXXXXXXXX
idtr (card usage authentication ID) ... XXXXXXXXX
issueDate ............................. 201X-XX-XX          
expiryDate ............................ 202X-XX-XX          
userCode (ticket type) ................ 01 (Regular/normal)          
disRate (discount type) ............... 00 (No discount)          
balMax (in won/cents) ................. 500000          
bra (branch code) ..................... 0000          
mmax (one-time transaction limit) ..... 0          
tcode (telecom carrier ID) ............ 00 (None)          
ccode (credit card company ID) ........ 00 (None)          
rfu (reserved) ........................ 00 00 00 00 00 00 00 00           
          
Current balance: XXXXX won/cents  

Reading a Snapper+ card:

proxmark3> hf ksx6924 info
## KS X 6924 Purse Info:          
          
cardType .............................. 00 (Pre-paid)          
alg (encryption algorithm) ............ 10 (3DES)          
vk (keyset version) ................... 01          
idCenter (issuer ID) .................. 02 (A-Cash ?? 에이캐시)          
csn (card number) ..................... 101000XXXXXXXXXX
idtr (card usage authentication ID) ... XXXXXXXXX
issueDate ............................. 201X-XX-XX          
expiryDate ............................ 202X-XX-XX          
userCode (ticket type) ................ 01 (Regular/normal)          
disRate (discount type) ............... 00 (No discount)          
balMax (in won/cents) ................. 100000          
bra (branch code) ..................... 0003          
mmax (one-time transaction limit) ..... 0          
tcode (telecom carrier ID) ............ 00 (None)          
ccode (credit card company ID) ........ 00 (None)          
rfu (reserved) ........................ 00 00 00 00 00 00 00 00           
          
Current balance: XXXXX won/cents      

Thanks to @phcoder for writing an implementation of T-Money and starting some English-language documentation and reverse engineering of this protocol. :)

[pwpiwi]

Compiling on Windows fails with

ksx6923/ksx6923core.c:24:23: fatal error: arpa/inet.h: No such file or directory
 #include <arpa/inet.h>
                       ^
compilation terminated.

[micolous]

I'll fix that up Windows problem. What happened with the CI for Windows?

I've amended this significantly as it's actually KS X 6924, not KS X 6923. KS X 6923 is for the Purchase SAM (Secure Access Module), not the actual cards issued to end-users:

(Note: the picture above comes from one of the docs I've found on this -- it's not mine, and I don't have access to any of these SAMs.)

PS: The implementation has been challenging, as I've been unable to get a copy of the standards (the credit card payment gateway used by the Korean Standards Agency is broken), and all of the information is in Korean (which I can't read).

So far, this has been the single best public documentation I've found on it: Mobile Deferred Payment Traffic Card - KS X 6924 for SIM card (TTAK.KO-12.0240, Korean, partial English).pdf

[pwpiwi]

The Windows CI config file is still there in CI/appveyor.yml. I am developing under Windows and therefore use the travis CI tests for Linux and MacOS only. What exactly is the issue with Windows CI?

Great work given the sparse information. Google translator does quite a good job even for Korean but the document leaves lot of room for interpretations.

Anyone else out there with one of these cards who can test?

[micolous]

The Windows CI config file is still there in CI/appveyor.yml. I am developing under Windows and therefore use the travis CI tests for Linux and MacOS only. What exactly is the issue with Windows CI?

Ah, I was just expecting it to trigger when submitting a PR.

Also -- Windows now fixed. I've rebased and squashed the changes, but I had to add an #include <winsock2.h> and link against ws2_32.dll.

The only problem I see is that the UTF-8 descriptions that are still in Korean (that I have been unable to get a good machine translation of) don't come through properly in the console on Windows 7 -- I think that's a limitation of cmd. It should be fine with a proper Unicode-supporting console.

Great work given the sparse information. Google translator does quite a good job even for Korean but the document leaves lot of room for interpretations.

Thanks! I forgot to mention -- @phcoder has helped a lot with this, and came up with an implementation for Metrodroid (my transit card reader project). :)

Anyone else out there with one of these cards who can test?

Either T-Money or Snapper+ card work for me (and hopefully, for others). I suspect that there are some other Korean smartcards that would also work with this (eg: Korea Tour Card).

For Snapper (Wellington, New Zealand), only cards with a "+" in the top right corner will work with this. As far as I can tell, Korea Smart Card Corporation built much of the infrastructure that supports it, and the on-card data format is very similar.

I think there might be a transit card in Peru that uses this as well, but I have no idea which city exactly.

[pwpiwi]

but I had to add an #include <winsock2.h> and link against ws2_32.dll

Didn't have a closer look at the code yet. Why do you need arpa/inet.h or winsock2.h at all? Any networking functions?

Ah, I was just expecting it to trigger when submitting a PR.

Afaik only the owner of a github project can arrange that. Not me.

[pwpiwi]

It is only ntohl() which you are using from arpa/inet.h or winsock2.h. You should be able to go without both includes and the additional library if you use num_to_bytes() from util.h.

[micolous]

You should be able to go without both includes and the additional library if you use num_to_bytes() from util.h.

Ah, good to know. On non-Windows platforms, these are pre-processor macros.

Over the last few weeks, I've managed to get purchase copies of the standards, and done a bunch of other research. This has more layers of complexity than I first thought, so there is more work needed to support the other Korean cards. However, this doesn't apply to Snapper+... so I still need some of this there.

I'm going to get some other code done first before I come back to this.