2 votes

I have a smart card that is not fused (I mean it is not pre-personalized). Its ATR is 3B F9 13 00 00 81 31 FE 45 4A 43 4F 50 32 34 32 52 33 A2.

Q1: What/where are the historical bytes of my card? How can I analyse them?

Q2: Where can I find the model of my card? I searched for its ATR on the Internet, but I found nothing!

When you try to list the applets of a really blank card (I mean a card that is not fused) with a tool such as GPJ, you receive this output:

>> gpj -list

>> java -jar gpj.jar -list
Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B F9 13 00 00 81 31 FE 45 4A 43 4F 50 32 34 32 52 33 A2

DEBUG: Command  APDU: 00 A4 04 00 07 A0 00 00 01 51 00 00
DEBUG: Response APDU: 6A 82
Failed to select Security Domain GP211 A0 00 00 01 51 00 00 , SW: 6A 82

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 18 43 4D 00
DEBUG: Response APDU: 6A 82
Failed to select Security Domain GemaltoXpressPro A0 00 00 00 18 43 4D 00 , SW:6A 82

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6A 82
Failed to select Security Domain OP201a A0 00 00 00 03 00 00 00 , SW: 6A 82

DEBUG: Command  APDU: 00 A4 04 00 07 A0 00 00 00 03 00 00
DEBUG: Response APDU: 6A 82
Failed to select Security Domain OP201b A0 00 00 00 03 00 00 , SW: 6A 82

net.sourceforge.gpj.cardservices.exceptions.GPSecurityDomainSelectionException: Could not select any of the known Security Domains!
at net.sourceforge.gpj.cardservices.GlobalPlatformService.open(Unknown Source)
at net.sourceforge.gpj.cardservices.GlobalPlatformService.main(Unknown Source)

The above output means that the tool couldn't find any Security Domain to select.

I searched a lot on the Internet and finally found out that I need a key (Transport Key) for the pre-personalization procedure.

Let me share some knowledge!

The pre-personalization procedure is as below (for JCOP):

  1. Request of ATR
  2. SELECT command to select the Root Applet (the Transport Key is the AID of this applet)
  3. Boot Command
  4. As many Read, WRITE, ADMINEXEC, SB_NAT_APPLET_INSTRUCTION, and AUTH commands as needed are possible
  5. PROTECT command
  6. FUSE command
  7. Reset the card.

In step 4, we initialize the IC with default settings (configuring the desired IC life cycle, defining communication behaviour, ATR and/or ATS parameters, or preloading applets).

BTW, I did the first two steps (1 & 2), then I reset the card and tried to list the applets again:

>> gpj -list

>> java -jar gpj.jar -list
Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B F9 13 00 00 81 31 FE 45 4A 43 4F 50 32 34 32 52 33 A2

DEBUG: Command  APDU: 00 A4 04 00 07 A0 00 00 01 51 00 00
DEBUG: Response APDU: 6F 64 84 08 A0 00 00 01 51 00 00 00 A5 58 9F 65 01 FF 9F 6E 06 47 91 23 47 41 00 73 49 06 07 2A 86 48 86 FC 6B 01 60 0B 06 09 2A 86 48 86 FC 6B 02 02 02 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B 04 02 55 65 0B 06 09 2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 02 90 00
Successfully selected Security Domain GP211 A0 00 00 01 51 00 00

DEBUG: Command  APDU: 80 50 00 00 08 E7 41 23 4E F5 3B EB E3
DEBUG: Response APDU: 00 00 41 98 00 17 14 97 42 48 FF 02 00 00 BA FF B1 51 C8 BD F1 69 59 8D 80 D6 72 66 90 00

javax.smartcardio.CardException: Card cryptogram invalid.
at net.sourceforge.gpj.cardservices.GlobalPlatformService.openSecureChannel(Unknown Source)
at net.sourceforge.gpj.cardservices.GlobalPlatformService.main(Unknown Source)

As you see, an applet appears with AID A0 00 00 01 51 00 00. But I couldn't do the EXTERNAL AUTHENTICATE command successfully!

Q3: Why did External Authentication fail? Because I didn't set the SD keys?

I tried to select this applet using opensc-tool:

>> opensc-tool -s 00A4040007A0000001510000

Using reader with a card: ACS CCID USB Reader 0
Sending: 00 A4 04 00 07 A0 00 00 01 51 00 00
Received (SW1=0x90, SW2=0x00):
6F 64 84 08 A0 00 00 01 51 00 00 00 A5 58 9F 65 od......Q....X.e
01 FF 9F 6E 06 47 91 23 47 41 00 73 49 06 07 2A ...n.G.#GA.sI..*
86 48 86 FC 6B 01 60 0B 06 09 2A 86 48 86 FC 6B .H..k.`...*.H..k
02 02 02 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B ...c...*.H..k.d.
06 09 2A 86 48 86 FC 6B 04 02 55 65 0B 06 09 2B ..*.H..k..Ue...+
85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 ...Hd...f...+...
01 2A 02 6E 01 02                               .*.n..

Q4: What is the meaning of this output?

Below you can also see the output of GPShell running a get_data script:

.:: gpshell get_data.txt

establish_context
enable_trace
enable_timer
card_connect
command time: 281 ms
get_data -identifier 9F7F
Command --> 80CA9F7F00
Wrapped command --> 80CA9F7F00
Response <-- 9F7F2A4790507547912347410041980017149742484812420500000000143E24303137313400000000000000009000
9F7F2A4790507547912347410041980017149742484812420500000000143E243031373134000000000000000000
command time: 62 ms
get_data -identifier 66
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664B734906072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
664B734906072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E0102
command time: 47 ms
card_disconnect
command time: 141 ms
release_context
command time: 0 ms


Q5: What is the meaning of this output? How can I analyse it?

Comments:
You should ask one question per - eh - question. These are rather distinct. (Maarten Bodewes, 3 votes)
OK Mr. Owlstead :) I'll ask distinct questions in separate posts from now on. (Ebrahim Ghasemi)
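The two GPShell/gpj responses that Q5 and Q3 ask about, decoded in Python as an added example (this is not part of the post and not code from gpj or GPShell). Tag 9F7F is GlobalPlatform CPLC (Card Production Life Cycle) data, and the 28 data bytes that INITIALIZE UPDATE returns under SCP02 have a fixed layout; the field names used here and the "all-zero means that stage has not happened" heuristic are this example's own assumptions, not something the GP specification states.

```python
"""Decode two GlobalPlatform responses captured in the question: the CPLC
data (tag 9F7F) returned by GET DATA, and the INITIALIZE UPDATE response
that preceded gpj's "Card cryptogram invalid" error."""

# Constructed from the GPShell trace: response to 80 CA 9F 7F 00, SW included
CPLC_RESPONSE = bytes.fromhex(
    "9F7F2A"
    "4790507547912347410041980017149742484812420500000000143E2430"
    "313731340000000000000000"
    "9000"
)
# Constructed from the gpj trace: response to 80 50 00 00 08 <host challenge>
INIT_UPDATE_RESPONSE = bytes.fromhex(
    "00004198001714974248" "FF02" "0000" "BAFFB151C8BD" "F169598D80D67266" "9000"
)

# CPLC layout from the GlobalPlatform Card Specification: (field, length in bytes)
CPLC_FIELDS = [
    ("ic_fabricator", 2), ("ic_type", 2),
    ("os_id", 2), ("os_release_date", 2), ("os_release_level", 2),
    ("ic_fabrication_date", 2), ("ic_serial_number", 4), ("ic_batch_identifier", 2),
    ("ic_module_fabricator", 2), ("ic_module_packaging_date", 2),
    ("icc_manufacturer", 2), ("ic_embedding_date", 2),
    ("ic_pre_personalizer", 2), ("ic_pre_personalization_date", 2),
    ("ic_pre_personalization_equipment_id", 4),
    ("ic_personalizer", 2), ("ic_personalization_date", 2),
    ("ic_personalization_equipment_id", 4),
]


def split_sw(resp):
    """Strip SW1 SW2 from an APDU response and insist on 90 00."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    data, sw = resp[:-2], resp[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned SW {sw.hex().upper()}")
    return data


def parse_cplc(resp):
    """Return the 18 CPLC fields as upper-case hex strings."""
    data = split_sw(resp)
    if data[:2] != b"\x9f\x7f":
        raise ValueError("expected tag 9F7F")
    length, body = data[2], data[3:3 + data[2]]
    if length != 42 or len(body) != 42:
        raise ValueError(f"CPLC must be 42 bytes, got {len(body)}")
    fields, off = {}, 0
    for name, size in CPLC_FIELDS:
        fields[name] = body[off:off + size].hex().upper()
        off += size
    return fields


def stage_flags(cplc):
    """Heuristic (an assumption of this example, not GP spec text): a stage whose
    CPLC fields are still all zero has not been carried out on this chip."""
    pre = ("ic_pre_personalizer", "ic_pre_personalization_date",
           "ic_pre_personalization_equipment_id")
    pers = ("ic_personalizer", "ic_personalization_date",
            "ic_personalization_equipment_id")
    return {"pre_personalized": any(int(cplc[k], 16) for k in pre),
            "personalized": any(int(cplc[k], 16) for k in pers)}


def parse_initialize_update(resp):
    """SCP02 INITIALIZE UPDATE response: key diversification data (10), key
    version + SCP id (2), sequence counter (2), card challenge (6), cryptogram (8)."""
    data = split_sw(resp)
    if len(data) != 28:
        raise ValueError(f"expected 28 data bytes, got {len(data)}")
    if data[11] != 0x02:
        raise ValueError(f"not SCP02: key information says SCP{data[11]:02X}")
    return {
        "key_diversification_data": data[0:10].hex().upper(),
        "key_version": data[10],
        "scp": data[11],
        "sequence_counter": int.from_bytes(data[12:14], "big"),
        "card_challenge": data[14:20].hex().upper(),
        "card_cryptogram": data[20:28].hex().upper(),
    }


def diversification_matches_cplc(iu, cplc):
    """On this card the 10-byte key diversification data echoes CPLC fields:
    two zero bytes, IC fabrication date, IC serial number, IC batch id."""
    expected = ("0000" + cplc["ic_fabrication_date"]
                + cplc["ic_serial_number"] + cplc["ic_batch_identifier"])
    return iu["key_diversification_data"] == expected


CPLC = parse_cplc(CPLC_RESPONSE)
IU = parse_initialize_update(INIT_UPDATE_RESPONSE)

if __name__ == "__main__":
    for name, value in CPLC.items():
        print(f"{name:38s} {value}")
    print(stage_flags(CPLC), IU, diversification_matches_cplc(IU, CPLC))
```

The pre-personalization equipment ID 31 37 31 34 is ASCII "1714"; the personalization fields are still zero. The key diversification data is what a host needs to derive this card's keys from a master key, so when the cryptogram check fails as in Q3 the first things to verify are the master key, the derivation scheme and the key version (here 0xFF) the card reports.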

3 Answers

10 votes

Q1: What/where are the historical bytes of my card? How can I analyse them?

A1: You can enter an ATR on this site and it will parse it for you. Based on that, the historical bytes of your card are 4A 43 4F 50 32 34 32 52 33.

Q2: Where can I find the model of my card? I searched for its ATR on the Internet, but I found nothing!

A2: You don't need to do anything because this site makes everything easy for you :) Congrats, it recognized your card! It's an NXP JCOP v2.4.x.

Q3: Why did External Authentication fail? Because I didn't set the SD keys?

A3: The error is "Card cryptogram invalid". It seems the keys used on the card side and on the gpj side are different. You need to know what keys are set in the card and set the same ones for gpj.

Q4: What is the meaning of this output?

A4: If you want to continue working on Java Cards, it's important to read the GlobalPlatform document. The data field returned in the response message of the SELECT command is explained in section 9.9.3.1 of the GP document.

Based on your result I separated each part and list each tag below. Note that the leading hex bytes (before each arrow) are the tags; after the arrow come the length and the value.

6F 64 84 08 A0 00 00 01 51 00 00 00 A5 58 9F 65 od......Q....X.e
01 FF 9F 6E 06 47 91 23 47 41 00 73 49 06 07 2A ...n.G.#GA.sI..*
86 48 86 FC 6B 01 60 0B 06 09 2A 86 48 86 FC 6B .H..k.`...*.H..k
02 02 02 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B ...c...*.H..k.d.
06 09 2A 86 48 86 FC 6B 04 02 55 65 0B 06 09 2B ..*.H..k..Ue...+
85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 ...Hd...f...+...
01 2A 02 6E 01 02                               .*.n..

Tag 6F: File Control Information (FCI template) [Mandatory] --> 64

Tag 84: Application/File AID [Mandatory] --> 08 A0 00 00 01 51 00 00 00

Tag A5: Proprietary data [Mandatory] --> 58

Tag 9F65: Maximum Length of data field in command message [Mandatory] --> 01 FF

Tag 9F6E: Application production life cycle data [Optional] --> 06 47 91 23 47 41 00

Tag 73: Security Domain Management Data [Optional] --> 49 06 07 2A 86 48 86 FC 6B 01 60 0B 06 09 2A 86 48 86 FC 6B 02 02 02 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B 04 02 55 65 0B 06 09 2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 02

Q5: What is the meaning of this output? How I can Analyse it?

A5: Check this wiki for GlobalPlatform in order to learn all GP commands, and then analyse the output by yourself.

And finally, please never ever ask such a long question again :( Please break it into parts and ask each part as a separate question, thanks :)

2 votes

The ATR is mostly intended for establishing communication with the reader. While some mapping can be done of this information via experience and lots of comparison data, this is not guaranteed. ISO 7816-3 describes the coding of the ATR, which may also contain some historical bytes (not evaluated by the reader and therefore often used for simply retrievable identification).

In your case the 9 historical bytes contain the simple ASCII text 'JCOP242R3', which might help to get you started.

1 vote

Answer 1: According to your card ATR (3B F9 13 00 00 81 31 FE 45 4A 43 4F 50 32 34 32 52 33 A2) your historical bytes are 4A 43 4F 50 32 34 32 52 33. Historical bytes analysis: according to ISO/IEC 7816-3, bits 4 to 1 of the format byte T0 (F9 in your ATR) give the number of historical bytes, i.e. 9 historical bytes in total.

Your ATR description is given below:

TS = 0x3B   Direct Convention
T0 = 0xF9   Y(1): b1111, K: 9 (historical bytes)
TA(1) = 0x13    Fi=372, Di=4, 93 cycles/ETU (43010 bits/s at 4.00 MHz, 53763 bits/s for fMax=5 MHz)
TB(1) = 0x00    VPP is not electrically connected
TC(1) = 0x00    Extra guard time: 0
TD(1) = 0x81    Y(i+1) = b1000, Protocol T=1
----
TD(2) = 0x31    Y(i+1) = b0011, Protocol T=1
----
TA(3) = 0xFE    IFSC: 254
TB(3) = 0x45    Block Waiting Integer: 4 - Character Waiting Integer: 5
----
Historical bytes    4A 43 4F 50 32 34 32 52 33
Category indicator byte: 0x4A   (proprietary format) "JCOP242R3"
TCK = 0xA2  correct checksum

Answer 2: What do you mean by card model?
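The ATR breakdown above, redone as an added example (not part of this answer or of any tool): a parser that walks the ISO/IEC 7816-3 interface bytes, extracts the historical bytes and verifies TCK. The input is the ATR from the question; the Fi/Di tables are the ones ISO/IEC 7816-3 defines for TA1, and the rule that TCK is present unless T=0 is the only protocol offered is also from that standard. Nothing else is assumed.

```python
"""Decode an ISO/IEC 7816-3 ATR: interface bytes, historical bytes and TCK."""

# ATR from the question (constructed input for this example)
ATR = bytes.fromhex("3BF91300008131FE454A434F503234325233A2")

# ISO/IEC 7816-3 tables for TA1: clock rate conversion Fi and baud rate adjustment Di
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


def parse_atr(atr):
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    info = {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface": {}, "t1": {}}
    y, k = atr[1] >> 4, atr[1] & 0x0F       # T0: Y1 says which of TA1..TD1 follow, K = historical count
    i, n, protocols, proto = 2, 1, [], None
    while y:
        group = {}
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError(f"ATR truncated in {name}{n}")
                group[name] = atr[i]
                i += 1
        for name, v in group.items():
            info["interface"][f"{name}{n}"] = v
        if n == 1 and "TA" in group:        # TA1: Fi in the high nibble, Di in the low nibble
            fi, di = FI_TABLE.get(group["TA"] >> 4), DI_TABLE.get(group["TA"] & 0x0F)
            info["Fi"], info["Di"] = fi, di
            if fi and di:
                info["cycles_per_etu"] = fi // di
        if proto == 1 and n >= 3:           # first TA/TB after a TD announcing T=1
            if "TA" in group:
                info["t1"].setdefault("IFSC", group["TA"])
            if "TB" in group:
                info["t1"].setdefault("BWI", group["TB"] >> 4)
                info["t1"].setdefault("CWI", group["TB"] & 0x0F)
        td = group.get("TD")
        if td is None:
            break
        proto = td & 0x0F
        if proto not in protocols:
            protocols.append(proto)
        y, n = td >> 4, n + 1
    info["protocols"] = protocols or [0]    # no TD1 at all means T=0 by default
    hist = atr[i:i + k]
    if len(hist) != k:
        raise ValueError("ATR truncated in historical bytes")
    i += k
    info["historical"] = hist
    info["historical_ascii"] = hist.decode("ascii", errors="replace")
    if info["protocols"] != [0]:            # TCK is present unless only T=0 is offered
        if i >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:i + 1]:              # XOR of T0 .. TCK must be zero
            xor ^= b
        info["tck"], info["tck_ok"] = atr[i], xor == 0
        i += 1
    info["trailing"] = atr[i:]              # anything left over is not part of the ATR
    return info


if __name__ == "__main__":
    for key, value in parse_atr(ATR).items():
        print(f"{key:18s} {value}")
```

A reader that accepts an ATR with a bad TCK, or one with bytes left over after TCK, is talking to something that did not produce a well-formed answer-to-reset; the parser reports both conditions instead of silently trusting the historical bytes.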