Thomas Sutter

Two commands are reading for testing: 1. `hf felica reader`: This should read now a felica light and standard cards and print the id's. ``` [usb] pm3 --> hf felica...

> Testing `hf felica raw` > I guess there are errors in your testing instructions, `hf felica raw 06 00 ff ff 00 00` needs `-c` and IDm is bytes...

> FeliCa Lite-S RC-S966 => hf felica raw 06 00 ff ff 00 00 -c works but hf felica raw 0D 02 01 FF FF -c fails, I get zeroes...

> maybe add an option to `felica raw` to automatically add the first length byte ? > `hf felica raw 06 00 ff ff 00 00 -c` => `hf felica...

> Re: "Search Service Code", the command is not publicly undocumented, but there are details in [nfcpy's implementation](https://github.com/nfcpy/nfcpy/blob/af5b13392f74a754fe4fa60f12463b7c392ffe8e/src/nfc/tag/tt3_sony.py#L283-L314) which I've [summarised here](https://github.com/metrodroid/metrodroid/wiki/FeliCa#0x0a-search-service-code). That's actually really cool to know. That will...

Hi everyone, I just uploaded an attempt to reverse engineer the Auth1 command. My Hypothesis: From looking into the FeliCa documents it's possible that they just use standard 3DES encryption...

> RC-S966 Lite : > any combination gives the same answer, no matter what's the provided key: > > ``` > [=] Used last known IDm. > [=] 3DES Master...

hahah oh lol yes of course! My bad...I'm stupid :D

Thanks for testing! I have no idea why that works with the FFFF wild card for service code. That's some really strange behavior for that authentication command. First example RC-S833:...

Ok I see there's a bug with the output of the buffer my response actually contains as well a correct frame: ``` B2 4D 1A 11 01 10 09 10...