Reversing into the depths of Turkish ID Cards
tl;dr Unobfuscated Compiled Java APIs = Jackpot
Now that Ave wrote about TCKK, it's time to talk about my side of things.
I was able to sniff out my TCKK certificate back in 2017 but hadn't gotten much deeper since.
...until the 18th of December, 2020. Within 12 hours, I was able to supersede all my previous work with extremely deep work.
(what's not shown: Card Verifiable Certificates and Identity Hashes)
So, how did that happen? Cue e-Government portal logins.
The e-Government portal, e-Devlet, has a login method with TCKK; which I actually use.
The login method is basically a Java Web applet (a fancy way of saying a jar that is downloaded and executed on demand) that sits between e-Devlet and the TCKK: it has the card sign a challenge nonce and lets e-Devlet cross-check the resulting signature.
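To make the challenge-nonce flow concrete, here is a self-contained sketch of both sides of such a smart-card login. This is an added example, not code from the e-Devlet applet or from the TCKK API, and everything specific in it is an assumption: the card is stood in for by a freshly generated ECDSA P-256 key (in the real flow the public key would come from the card's ID Verification Certificate, validated against the Sub-Root), the domain-separation prefix is my own choice, and the nonce store is in memory. What it demonstrates is what the relying party must check beyond the bare signature: that the nonce was actually issued by it, that it has not expired, and that it is consumed on first use so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Domain-separation prefix: an assumption of this example, not something taken
// from the e-Devlet applet. It keeps a login-challenge signature from being
// reusable as a signature over some other message the same key might sign.
const challengePrefix = "example-login-challenge-v1:"

// challengeDigest is what the card signs: SHA-256 over prefix || nonce.
func challengeDigest(nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(challengePrefix))
	h.Write(nonce)
	return h.Sum(nil)
}

// Card stands in for the ID card: it holds a private key and signs whatever
// challenge the applet hands it. A real card never exports this key; the
// server learns the matching public key from the card's certificate.
type Card struct {
	priv *ecdsa.PrivateKey
}

func NewCard() (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: P-256
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv}, nil
}

func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, challengeDigest(nonce))
}

var (
	ErrUnknownNonce = errors.New("nonce unknown or already consumed")
	ErrExpired      = errors.New("challenge expired")
	ErrBadSignature = errors.New("signature does not verify under the presented key")
)

// Server is the relying party: it issues single-use, time-limited nonces and
// checks that the signature it gets back was made over exactly one of them.
type Server struct {
	mu      sync.Mutex
	pending map[string]time.Time // hex(nonce) -> time issued
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewServer(ttl time.Duration) *Server {
	return &Server{pending: make(map[string]time.Time), ttl: ttl, now: time.Now}
}

// IssueChallenge returns 32 fresh random bytes and remembers when they were issued.
func (s *Server) IssueChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.pending[hex.EncodeToString(nonce)] = s.now()
	s.mu.Unlock()
	return nonce, nil
}

// VerifyResponse consumes the nonce first (single use, whether or not the
// signature turns out to be good), rejects stale challenges, and only then
// checks the signature under the public key taken from the card's certificate.
func (s *Server) VerifyResponse(nonce, sig []byte, pub *ecdsa.PublicKey) error {
	key := hex.EncodeToString(nonce)
	s.mu.Lock()
	issued, ok := s.pending[key]
	delete(s.pending, key)
	s.mu.Unlock()
	if !ok {
		return ErrUnknownNonce
	}
	if s.now().Sub(issued) > s.ttl {
		return ErrExpired
	}
	if !ecdsa.VerifyASN1(pub, challengeDigest(nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	srv := NewServer(2 * time.Minute)
	nonce, _ := srv.IssueChallenge()
	sig, _ := card.SignChallenge(nonce)
	fmt.Println("first response:   ", srv.VerifyResponse(nonce, sig, card.PublicKey()))
	fmt.Println("replayed response:", srv.VerifyResponse(nonce, sig, card.PublicKey()))
}
```

The order inside VerifyResponse matters: the nonce is deleted before any other check, so a second submission of the same signed challenge fails even if the first one was rejected for another reason, and an attacker who records the applet's traffic has nothing reusable.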
However, this app is not obfuscated.
And there's a tar-like jar packager called
Remove the GUI applet, repackage the rest, and there you have it: the basic (and, technically, the enterprise) API is now accessible to you. Use the TS 13679 standard or decompile the API with FernFlower (bundled with IntelliJ IDEA) to understand it.
Reading the standard and looking up the API functions, it looks like the following are accessible without any authentication:
- ID Number
- ID Serial
- Name and Surname
- ID ((Verification)) Certificate
- ID ((Verification)) Sub-Root Certificate
- Chip Serial
- Chip Version Info
- Hashes of the Identity Security Objects (and salts of the first 3 items of this list)
- TCKK Version
- TCKK Template Version
The rest requires either PIN1 (which you know) combined with Role Authentication (which the reading party has to have), or PIN2 (which you don't know and which is only used by the separate Electronic Signature applet).
This is all I dug up within 2 days! I hope to find more.
If you're from TUBİTAK and somehow ended up here, feel free to contact me at tckk <at> linuxgemini <dot> space!