I used a Tesco Clubcard QR code I found on the net as source, and an online code reader produced the result: "123123123123123:AKnp5O6eS3NeQAOh2lYmZSKSMSjJ+fCe1cG5FSQFU7vmkff2X8n+//T4dw==" with 123123123123123 being the supposed card number, and the rest being Base64 encoded binary. While the card number and the colon are obvious, I am stuck decoding the resulting binary.
00000000 00 a9 e9 e4 ee 9e 4b 73 5e 40 03 a1 da 56 26 65 |.©éäî.Ks^@.¡ÚV&e|
00000010 22 92 31 28 c9 f9 f0 9e d5 c1 b9 15 24 05 53 bb |".1(Éùð.ÕÁ¹.$.S»|
00000020 e6 91 f7 f6 5f c9 fe ff f4 f8 77 |æ.÷ö_Éþÿôøw|
No typical compression seems to match, nor do XORs. What else could I try?
Best Answer
I was searching information about the barcode myself and have not found much. I will include the most interesting data I've found so far.
I've only observed two (2) Aztec barcode formats so far.
The smaller Aztec barcode format encodes only 16 digits. The printed 18 digit number below the barcode will usually start with something like 634004 ... but this gets replaced by something like 9794 ... in the barcode itself. The rest of the clubcard number is unchanged. Those example digits change depending on the type of card it is (Tesco Personal Finance, Clubcard, Fuelcard, etc.).
Note: The printed clubcard number is what passes the Luhn algorithm (something that all major credit/debit cards usually have to pass to validate the number). The encoded number does not pass the Luhn algorithm.
The larger Aztec barcode format encodes the same as above, but also appears to include a colon (":") and Base64 encoded binary data, as you asked about.
A very small sample collection I can find online (almost all of them altered for publication purposes) appears to be completely randomised data. Some decoded to 86 bytes of data, some decoded to 90 bytes. I can't see any pattern. Not with any degree of certainty, but I'd probably guess that what we're dealing with is a self-signed barcode to prevent people trying to generate their own. Self-signed barcodes were also seen with NHS COVID QR barcodes for the same reason.
If it is definitely self-signed barcodes, then it seems strange that Tesco would bother, considering the only reason anyone would want to generate their own would be to get slightly cheaper shopping and God forbid anyone gets an underwhelming deal without handing over their personal information first.
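The checks discussed in the question and the answer can be run together over the quoted payload. The following Python is an added example, not code from the question or the answer: it splits the string at the colon, decodes the Base64 part, applies the Luhn check to the number, tries common decompressors, and measures byte entropy. The function names are illustrative, and the only input is the sample string already quoted in the question.

```python
import base64, bz2, gzip, math, zlib
from collections import Counter

# Payload exactly as quoted in the question (a published sample).
PAYLOAD = "123123123123123:AKnp5O6eS3NeQAOh2lYmZSKSMSjJ+fCe1cG5FSQFU7vmkff2X8n+//T4dw=="

def parse_payload(text):
    """Split 'digits:base64' into the number string and the decoded bytes."""
    number, _, b64 = text.partition(":")
    if not number.isdigit():
        raise ValueError("expected decimal digits before the colon")
    return number, base64.b64decode(b64, validate=True)

def luhn_ok(number):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decompresses_as(blob):
    """Names of common codecs that accept the blob (empty list if none do)."""
    codecs = {
        "zlib": zlib.decompress,
        "raw-deflate": lambda b: zlib.decompress(b, -15),
        "gzip": gzip.decompress,
        "bz2": bz2.decompress,
    }
    hits = []
    for name, fn in codecs.items():
        try:
            fn(blob)
            hits.append(name)
        except (zlib.error, OSError, EOFError, ValueError):
            pass
    return hits

def entropy_bits(blob):
    """Shannon entropy per byte; an n-byte sample cannot exceed log2(n)."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

if __name__ == "__main__":
    number, blob = parse_payload(PAYLOAD)
    print(len(blob), "bytes, Luhn ok:", luhn_ok(number))
    print("codecs:", decompresses_as(blob), "entropy:", round(entropy_bits(blob), 3),
          "of max", round(math.log2(len(blob)), 3))
```

Entropy close to the maximum with no codec accepting the data is what signature or ciphertext bytes look like, but the measurement alone cannot tell the two apart.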