8 Replies. Latest reply: May 23, 2012 1:20 AM by safarmer

    Problem in pre-personalisation of jcop10

    938137
      Please, I need help with protecting a JCOP card. I wrote my applet and tested it, and all is OK. I want to protect the card from having other applets installed, as I read there is some exploit to read the card memory if the card is not locked. I read the documentation from my supplier and the whole forum that talks about pre-personalisation, but I can't get it to work on my card:
      I use Eclipse with the JCOP plugin. I send the ATR, then the boot command + Atk, then the protect command. This is what I get:
      cm> /atr
      resetCard with timeout: 0 (ms)
      --Waiting for card...
      ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 32 31 56 ;.....1.EJCOP21V
      32 33 32 92 232.
      ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP21V232"
      /send 00A4040010404142434445464748494a4b4c4d4e4f
      => 00 A4 04 00 10 40 41 42 43 44 45 46 47 48 49 4A .....@ABCDEFGHIJ
      4B 4C 4D 4E 4F KLMNO
      (18217 usec)
      <= 6A 82 j.
      Status: File not found
      /send 00F00000
      => 00 F0 00 00 ....
      (12348 usec)
      <= 6E 00 n.
      Status: CLA value not supported

      Also, I want to understand: if I succeed in protecting the card and fusing it with the default DES key, is this dangerous? I mean from the hacking side? Or do I also need to change the default DES key? Where can I find the EEPROM address of the key? I asked my dealer; he doesn't know what I am talking about.

      Thanks a lot. Please, can someone help?
        • 1. Re: Problem in pre-personalisation of jcop10
          Umer
          935134 wrote:
          /send 00A4040010404142434445464748494a4b4c4d4e4f
          This APDU means you are trying to select an installed applet with AID: 404142434445464748494a4b4c4d4e4f. That's why it fails, as it could not find any applet with AID: 404142434445464748494a4b4c4d4e4f.
          I think that you are trying to select your keys, aren't you? But you can't select your keys in that way. You must know the key version and key index for this.
          => 00 F0 00 00 ....
          (12348 usec)
          <= 6E 00 n.
          Status: CLA value not supported
          Why are you sending this APDU?

          To get key information, send a Get Data command APDU.

          Can you tell what happened when you clicked on the authenticate button in the JCOP Shell?
          • 2. Re: Problem in pre-personalisation of jcop10
            938137
            Hi,
            Thank you for your reply. This is the log status:
            /card -a a000000003000000 -c com.ibm.jc.CardManager
            resetCard with timeout: 0 (ms)
            --Waiting for card...
            ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 32 31 56 ;.....1.EJCOP21V
            32 33 32 92 232.
            ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP21V232"
            => 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00 ..............
            (48284 usec)
            <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 oe...........Y.e
            01 FF 9F 6E 06 47 91 73 51 2E 00 73 4A 06 07 2A ...n.G.sQ..sJ..*
            86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B .H..k.`...*.H..k
            02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 ....c...*.H..k.d
            0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 ...*.H..k...e...
            2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 +...Hd...f...+..
            04 01 2A 02 6E 01 02 90 00 ..*.n....
            Status: No Error
            cm> set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
            cm> init-update 255
            => 80 50 00 00 08 1D 57 06 98 25 A9 38 98 00 .P....W..%.8..
            (58055 usec)
            <= 00 00 11 92 00 21 16 95 65 52 FF 02 00 04 B1 B7 .....!..eR......
            96 02 B1 CB 6F E3 2F EF B1 88 6C 95 90 00 ....o./...l...
            Status: No Error
            cm> ext-auth plain
            => 84 82 00 00 10 89 3E F1 2E CD A7 D1 06 DE 2B 95 ......>.......+.
            99 C9 AA 3A 5A ...:Z
            (72615 usec)
            <= 90 00 ..
            Status: No Error

            As you see, my DES key is the default one. I want to change it to a new one, then protect and fuse. As I understand it, I must select root first with /select <KT>. I did that, but I get this:
            cm> /select CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
            => 00 A4 04 00 10 CC CC CC CC CC CC CC CC CC CC CC ................
            CC CC CC CC CC 00 ......
            (18898 usec)
            <= 6A 82 j.
            Status: File not found
            jcshell: Error code: 6a82 (File not found)
            jcshell: Wrong response APDU: 6A82

            What am I doing wrong? Please help.
            • 3. Re: Problem in pre-personalisation of jcop10
              Umer
              OK, it means you want to use the put-key command. The GP specs describe how to use the put-key command.
              Also, you can look at this thread to find out what it is: JCOP put-key encryption key
              • 4. Re: Problem in pre-personalisation of jcop10
                safarmer
                A little more information for you:

                As indicated by your logs, your card has already been pre-personalised. If it had not been you would not be able to select the card manager and authenticate to it.

                It may not have been fused but if this is the case the card is still protected by the transport key. The select you mentioned failed as the value you had for the transport key was 404142...4d4e4f. Either this is the wrong transport key or the card has been fused already.

                As mentioned, once you have installed your applet, you can change the card manager key set. This is a general practice that ensures that only the card issuer knows the keys on the card. Normally, you would receive cards that have a master key created by the manufacturer that was used to create unique keys for each card. The manufacturer and card issuer would exchange this key and the issuer would use this key to add their own key. Then the issuer would load the card and possibly place another key set on the card before shipping the card to the card holder.

                If you want to swap the keys, you can use the JCOP shell command put-keyset. You can check the help for details on this command.

                Shane
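
Added example (not part of any reply in this thread): a Python decoder for the INITIALIZE UPDATE response shown in the log of reply 2, reporting the key set version and secure channel protocol the card manager answered with. The field layout follows the GlobalPlatform SCP01/SCP02 response format; the function names and the `audit_findings` check are assumptions made for this illustration.

```python
"""Decode a GlobalPlatform INITIALIZE UPDATE response (SCP01/SCP02 layouts)."""

# Response copied from the init-update exchange in the log above (data + SW).
LOG_RESPONSE = (
    "00 00 11 92 00 21 16 95 65 52 FF 02 00 04 B1 B7"
    " 96 02 B1 CB 6F E3 2F EF B1 88 6C 95 90 00"
)
# Key value passed to set-key in the log (40 41 ... 4F).
DEFAULT_TEST_KEY = bytes(range(0x40, 0x50))


def parse_init_update(hex_dump):
    """Split the response into its fields; raise ValueError on any error SW."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    data, sw = raw[:-2], raw[-2:]
    if sw != b"\x90\x00":
        raise ValueError("card returned SW=%s" % sw.hex().upper())
    if len(data) != 28:
        raise ValueError("expected 28 data bytes, got %d" % len(data))
    info = {
        "key_diversification_data": data[0:10].hex().upper(),
        "key_version": data[10],
        "scp": data[11],
        "card_cryptogram": data[20:28].hex().upper(),
    }
    if info["scp"] == 0x02:    # SCP02: 2-byte counter + 6-byte challenge
        info["sequence_counter"] = int.from_bytes(data[12:14], "big")
        info["card_challenge"] = data[14:20].hex().upper()
    elif info["scp"] == 0x01:  # SCP01: 8-byte challenge, no counter
        info["card_challenge"] = data[12:20].hex().upper()
    else:
        raise ValueError("unsupported SCP identifier %#04x" % info["scp"])
    return info


def audit_findings(info, key_used):
    """Hypothetical issuer check: flag a card still on the key set in the log."""
    findings = []
    if key_used == DEFAULT_TEST_KEY:
        findings.append("card manager authenticates with the default key")
    if info["key_version"] == 0xFF:
        findings.append("key set version 255 is still in place")
    return findings
```

Run against the logged response, both findings are raised, which is the state the put-keyset step described above is meant to change.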
                • 5. Re: Problem in pre-personalisation of jcop10
                  Umer
                  Dear Shane, can you explain what is meant by "fusing" a card, and by protecting a card with a transport key?
                  I have not seen them in the docs.
                  • 6. Re: Problem in pre-personalisation of jcop10
                    safarmer
                    As far as I am aware, these pre-personalisation steps are proprietary to NXP. Selecting the root file is the first step of the process. Since it is a 16 byte random AID it is considered a key. It is hard to guess what the AID would be, so unless you are told you won't be able to configure the card. Fusing is the process of locking the card configuration so the system is considered secure. Once fused the card cannot be pre-personalised any more.

                    I have also seen similar processes from other vendors. This process is generally done in a secure environment before the cards leave the manufacturer, as before the fusing takes place the card OS may be reconfigurable, which may make it possible to disable certain security features or add keys to the card manager.

                    Shane
                    • 7. Re: Problem in pre-personalisation of jcop10
                      Umer
                      Thanks for the explanation.
                      I am also aware of that kind of technique, that is, after loading the OS they destroy the mother key of the card, but this is the case with native cards. Is NXP doing this with Java Cards too?
                      • 8. Re: Problem in pre-personalisation of jcop10
                        safarmer
                        I would assume so with this thread being started about a JCOP java card sample :)

                        Shane