Share My Creation MiFare Classic Buspass

There was a time when NXP's Mifare Classic NFC tags were the go-to card for, among others, bus, metro and train passes, hotel keys, club memberships, etc.
They offered security of a sort which required keys to access the tag's memory. Due to discovered security flaws, however, its day has mostly passed.
Nevertheless, reading from and writing to Mifare Classic is an interesting exercise, and we still see some interest here on the forum from time to time.

The most interesting aspect of the tag is its ability to perform simple arithmetic. In other words, the tag contains a program.

Gbuspass is a proof of concept since I don't actually run a bus company, nor should you try to use any tag initialized by the app to ride a bus. You need a Mifare Classic tag (1K or 4K will do). The project consists of a primitive driver app and a small library to execute the various functions offered by the card. While I make no claims about the purity of my code, the library tells you what you need to know about reading from and writing to Mifare Classic tags. It might be possible to run some functions in B4A using javaobject, but there is a lot of interstitial fiddling required before actually running a given method. I found it simpler to use inline java and, from there, to package things into a library.

When used to store "credits" (NXP's choice of words), the tag only stores values as integers. In other words, if a given currency has fractional parts (eg, 100 cents = 1 euro), the balance kept on the card must be in that fractional value. A value of, eg, 1,50 euro is not possible; the balance would have to be 150 cents. As far as the app is concerned, its imaginary currency (the Slurn) has no fractional part. The app sets the cost of a ticket to ride the bus at 3 Slurns.

The app provides 5 functions: initializing the tag, a general scan of the tag, topping off the tag, paying for a bus ride and checking the pass's current balance. All of the functions involve a (simple) process: select the appropriate function and acknowledge a message giving you time to place your card against the back of your device. Whatever happens next, happens automatically. I chose to handle things this way as opposed to how some other NFC tag-reading apps handle tag discovery. I found that with some other apps, it's difficult to keep the tag in position while tapping buttons at the same time. With my app, you tap the buttons first and then let the tag be discovered. Topping off the tag and using it to ride the bus are activated on screen. Initializing the tag, scanning it and checking its balance are selected from the drop-down menu. In general, things happen pretty fast. However, scanning a tag does take some time (a couple seconds), so you do have to hold the tag steady until the results of the scan are displayed. If you are accoustomed to NFC scans, the results will make some sense to you.

The only interesting part of a scan is that, before initializing the tag, you should be able to read the tag's memory (on a virgin card). Once you have initialized the tag, a scan will show everything except where the buspass's balance has been stored. That's because the initialization process changes the access keys to that location. If you look through the (lengthy) results report, you will see that authentication fails at a certain point in the scan. If the tag is not new, initializing it in the app may or may not have any effect. I have no way of knowing what's on your tag, and it is possible to lock oneself out of areas of memory. I could have made initializing automatic, but you may want to scan a tag without using it as a buspass. The app does function as a simple Mifare Classic scanner.

Technically, there are 3 ways to communicate with a Mifare Classic tag: Mifare tools, NFC-A APDU commands and NDEF commands. The first 2 are essentially the same thing (NXP wraps the NFC-A commands to create its own toolset, which is much easier to use). as to NDEF, there are no access keys involved. Furthermore, NDEF is pretty much limited to reading and writing a single message, whereas the other methods allow you to use memory as you wish. When I say NDEF allows you to write a "message", what we're talking about is bytes. So, a "message" could be text, an image, an audio snippet, or a number of other things. And when I say that there are no access keys with NDEF, this does not stop you from encrypting your message. Whatever you store on the tag using NDEF can be seen using Mifare tools. NDEF is simply in a better position to handle what it stored. A text message would be plainly visible either way. But NDEF knows where the message begins and ends and what kind of message it is. Mifare tools just sees the bytes.

Unarchive the attached .zip file and copy the library .jar and .xml to your additional libraries folder. Build and run the app. Don't forget the Mifare Classic tag; they're cheap. I hope the gui displays OK on your device.


  • 1.png
    171.1 KB · Views: 760
  • 2.png
    138.8 KB · Views: 377
  • 3.png
    147.7 KB · Views: 103
  • 4.png
    65.7 KB · Views: 109
    192 KB · Views: 68
Last edited:

Situ LLC

Active Member
Licensed User
Very Nice Thanks