Touch on to reverse engineering!

Type: Talk (60 mins)
Location: Main Theatre (GHD Auditorium)
Time: 14:30
Abstract: 

I'm the author of Metrodroid, an Android application for reading various public transport smartcards, forked from the Farebot project.

I implemented varying levels of support for different Australian public transport smartcards, including Brisbane's Go card and Sydney’s Opal card. The goal of the project is to be able to read supported cards entirely offline -- no web service, no registration, with the card alone.

Reverse engineering smartcard data formats is a good introduction to black-box reverse engineering techniques.

I will talk about the different approaches to reverse engineering that I used, issues in the underlying card technology being used, and some helpful tips to use when understanding unknown binary data files.

The first card I looked at was Sydney’s Opal card, which was rolled out from December 2012 to December 2014. I implemented support for this card in July 2015. It uses the MIFARE DESFire EV1 card format. This card has an application processor, and high-quality cryptography and security mechanisms. It has one open "sector" on the card consisting of 16 bytes, which is enough to see when the card was last used, its balance, and its trip status. Transport for NSW released the first version of their Opal Travel app for Android, including support for reading cards over NFC. I reverse engineered the application to discover the card format, and build a compatible implementation in Metrodroid. I will go through some basics of reverse engineering Android applications, and different things you can do.

I will compare this to the process I used to reverse engineer the Brisbane Go card and Manly Fast Ferry card, and a couple of the tools which I wrote to help with the process.

I'll also touch on some of the exploits present in commonly used NFC cards.

Presenters: Michael Farrell (Google)
Biography: 

By day, I work in Google’s Cloud Customer Operations team, ensuring that our customers thrive inside the Google Cloud. It involves a lot of patience, and reverse engineering both Google production services and our customers’ production services to understand the root cause of problems.

By night, I reverse engineer even more things. In the past, I’ve written code to work with Clipsal’s C-Bus and LIFX lighting control systems, Fitbit WiFi bathroom scales, modifying advertising in videogames, LED sign boards, mangling public transit data feeds, no small amount of GIS hackery, and run LAN party networks.