Use APDU commands to get some information for a card

3
votes

I have a terminal that has its own API to stablish and send commands between chip and terminal, there is a function that transmits the APDU command and returns the answer in a byte array.

For example, if a want to read the tag 5A (Application PAN), I send the following command:

byte[] byteArrayAPDU = new byte[]{(byte)0x00, (byte)0xCA, (byte)0x00, (byte)0x5A};
int nResult = SmartCardInterface.transmit(nCardHandle, byteArrayAPDU, byteArrayResponse);

The variable byteArrayResponse gets the response to the APDU command.

When I translate the value of byteArrayAPDU to a string of hexadecimal digits, this gives me: 00 CA 00 5A. And the response to that command is 6E 00 (class not supported).

My device works with ISO 7816 as technical specifications. Is the way in which I am sending APDU commands correct? I ask this because I have read that an APDU command must have 5 values at least, but I don't know what to send in the fifth parameter. I don't know what the lenght of the response is.

Can you give an example of how to get the tag 5A or something else in APDU commands?

If the command where correct, in place of where I see 6E 00 at the moment, would I see the information as plain text when cast to a string?

3
javasmartcardapdusmartcard-readeremv
Before going any further, can we assume (1) you are following the emv standards for APDU commands and (2)that you are using a popular card application like vsdc, m/chip, d-pas( visa, mastercard, discover respectively) and not a proprietary card ?Adarsh Nanu
Yes, I'm using the EMV specifications as the EMV specifications said (EMV_v4.3_Book_3_Application_Specification_20120607062110791) also I send the APDU commands that are in this example code.google.com/archive/p/javaemvreader/wikis/… the cards that I have to read are VISA and MasterCard Y del libro:angelreyes17

3 Answers

16
votes

The input and output values that you showed in your question suggest that your use of the method transceive() is correct, i.e. the second argument is a command APDU and the third argument is filled with the response APDU:

resultCode = SmartCardInterface.transmit(cardHandle, commandAPDU, ResponseAPDU);

Your question regarding the format and validity of APDU commands is rather broad. In general, the format of APDUs and a basic set of commands is defined in ISO/IEC 7816-4. Since you tagged the question with and mention the application primary account number, you are probably interacting with some form of EMV payment card (e.g. a credit or debit card from one of the major schemes). In that case, you would probably want to study the various specifications for EMV payment systems which define the data structures and application-specific commands for those cards.

Regarding your specific questions:

Do APDUs always consist of at least 5 bytes?

No, certainly not. Command APDUs consist of at least 4 bytes (the header bytes). These are

+-----+-----+-----+-----+
| CLA | INS | P1  | P2  |
+-----+-----+-----+-----+

Such a 4-byte APDU is called "case 1". This means that the command APDU does not contain a data field sent to the card and that the card is not expected to generate a response data field. So the response APDU is expected to only contain a response status word:

+-----+-----+
| SW1 | SW2 |
+-----+-----+

What is the 5th byte of a command APDU?

The 5th byte is a length field (or part of a length field in case of extended length APDUs, which I won't further explain in this post). Depending on the case, this length field may have two meanings:

  1. If the command APDU does not have a data field, that length field indicates the expected length (Ne) of the response data field:

    +-----+-----+-----+-----+-----+
| CLA | INS | P1  | P2  | Le  |
+-----+-----+-----+-----+-----+
    • Le = 0x01 .. 0xFF: This means that the expected response data length Ne is 1, 2, ... 255 bytes (i.e. exactly the value of Le).
    • Le = 0x00: This means that the expected response data length Ne is 256 bytes. This is typically used to instruct the card to give you as much bytes as it has available (up to 256 bytes). So even if Le is set to 0x00, you won't always get exactly 256 bytes from the card.

  2. If the command APDU itself has a data field, that length field indicates the length (Nc) of the command data field:

    +-----+-----+-----+-----+-----+-----------------+
| CLA | INS | P1  | P2  | Lc  | DATA (Nc bytes) |
+-----+-----+-----+-----+-----+-----------------+
    • Lc = 0x01 .. 0xFF: This means that the command data length Nc is 1, 2, ... 255 bytes (i.e. exactly the value of Lc).
    • Lc = 0x00: This is used to indicate an extended length APDU.

  3. If there is a command data field and the command is expected to generate response data, that command APDU may again be followed by an Le field:

    +-----+-----+-----+-----+-----+-----------------+-----+
| CLA | INS | P1  | P2  | Lc  | DATA (Nc bytes) | Le  |
+-----+-----+-----+-----+-----+-----------------+-----+

Is the command 00 CA 00 5A correct?

Probably not, for several reasons:

  1. Since you expect the card to deliver a response data field (i.e. the data object 0x5A), you need to specify an Le field. Hence, a valid format would be

    +------+------+------+------+------+
| CLA  | INS  | P1   | P2   | Le   |
+------+------+------+------+------+
| 0x00 | 0xCA | 0x00 | 0x5A | 0x00 |
+------+------+------+------+------+

  2. You receive the status word 6E 00 in response to the command. The meaning of this status word is "class not supported". This indicates that commands with the CLA byte set to 0x00 are not supported in the current state. With some cards this also simply means that this combination of CLA and INS (00 CA) is not supported, eventhough this contradicts the definition in ISO/IEC 7816-4.

    Overall, you can assume that your card does not support this command in its current execution state.

  3. Assuming you are interacting with an EMV payment card, you typically need to select an application first. Your question does not indicate if you do this already, so I assume, you don't do this right now. Selecting an application is done by sending a SELECT (by AID) command:

    +------+------+------+------+------+-----------------+------+
| CLA  | INS  | P1   | P2   | Le   | DATA            | Le   |
+------+------+------+------+------+-----------------+------+
| 0x00 | 0xA4 | 0x04 | 0x00 | 0xXX | Application AID | 0x00 |
+------+------+------+------+------+-----------------+------+

    The value of the application AID, of course, depends on the card application and may be obtained by following the discovery procedures defined in the EMV specifications.

  4. Even after application selection, the GET DATA APDU command for EMV applications is defined in the proprietary class. Consequently, the CLA byte must be set to 0x80:

    +------+------+------+------+------+
| CLA  | INS  | P1   | P2   | Le   |
+------+------+------+------+------+
| 0x80 | 0xCA | 0x00 | 0x5A | 0x00 |
+------+------+------+------+------+

  5. Finally, even then, I'm not aware of any schemes where cards would allow you to retrieve the PAN through a GET DATA command. Usually, the PAN is only accessible through file/record based access. Since you did not reveal the specific type/brand of your card, it's impossible to tell what your card may or may not actually support.

3
votes

At Start

Standard ISO 7816 includes several parts. When terminal device vendors noticed about ISO 7816 they just confirm that the common Physical characteristics (Part 1), Dimension and Contacts (Part 2) and Transmission protocol (Part 3) were applied to the device reader.

APDU commands and responses defined in ISO 7816 Part 4 (and few other parts also) are generic definition and might not fully supported by your smartcard.

You need to learn about the card-terminal interaction layers related to your card type:

  • EMV is the customized version of ISO 7816 for Payment cards.
  • Global Card Brands used own customized specifications based on EMV and ISO 7816. For sample Amex "AEIPS", Diners "D-PAS", MasterCard "M/Chip", Visa "VIS", etc. They are almost the same with small differences related to the supported Commands, flows and list of Tags.

Unfortunately most of payment cards are not supposed to return Tag 0x5A value with GET DATA APDU command. Usually you need to follow payment procedure. At least SELECT card application and READ Tag Values from SFI card records.

According to EMV GET DATA P1 P2 values should be used for Tags 0x9F36, 0x9F13, 0x9F17, or 0x9F4F.

Answering your questions:

What to send in the fifth parameter? What is the length of the response?

Fifth byte known as "Le" - Length of Expected Data. You can try to use Le = "00". If APDU command supported by card you may get SW1SW2 as 0x"6Cxx" where xx is the hexadecimal length of the requested data. When you can repeat same command with correct Le value.

For sample, to read PIN Counter 

Get Data (Tag = '9F 17')
Request : 80 CA 9F 17 00
Response: 6C 04
    SW1 SW2: 6C 04 (SW_Warning Wrong length(Le))

Get Data (Tag = '9F 17')
Request : 80 CA 9F 17 04
Response: 9F 17 01 00 90 00
    Data     : 9F 17 01 03 // Tag + Length + Value
        Tag 9F 17: Personal Identification Number (PIN) Try Counter : 03
    SW1 SW2  : 90 00 (SW_OK)

If the command where satisfactory in place of see 6E 00 at the moment of cast the answer to string I would see the information as plain text?

APDU commands and responses used BYTE encoding. According to provided terminal API example you will get Array of Bytes.

As developer you can transform bytes into desired format or use it as-is. Please keep in mind that according to EMV specifications the formats of Tags data can be variable:

  • HEX (or binary) for sample for numeric Tags like amounts;
  • BCD for sample for date/time or some numbers like currency. PAN also BCD encoder;
  • Strings in different charsets (ASCII, Unicode, ...) for sample for Cardholder Name, Application Name.
  • etc.

Tag 0x5A - Application Primary Account Number (PAN) encoded as BCD and can be padded with 0xF in case odd PAN length.

1
votes

Just answering to how READ your specific tag data since APDU and application State behavior is already answered. After you SELECT application, you can initiate a GET PROCESSING OPTIONS. This is the actual start of the transaction. Here you will be returned a tag named AFL (application file locator). You need to parse this element and do multiple READ RECORDS till you find the data. AFL is a set of four byte data( If you have two sets of SFI, there will be eight byte data).

  • First byte denote the SFI(5 most significant bytes is the input to P2 of READ RECORD). Second byte denotes the first record to read( input to P1 of READ RECORD). Third byte denotes the last record to read.( you need to loop READ RECORD this many times) The fourth byte donotes the number of records involved in offline data authentication.

As you parse through, you will find the your required data. In case you are not sure how to parse, copy the hex data an try it here