13 Replies. Latest reply: Mar 15, 2012 10:20 AM by 801926

    write new card manager AID  for JCOP 4 1 v.2.3.1 problem .

    923075
      Hello mate, can you help us solve our problem?
      My team has a smartcard security project now; we bought blank smart cards from a friend in China.
      The supplier already gave us the steps for pre-personalization, and we have followed those steps one by one:
      1. Select root using the transport key >>> OK
      00 a4 04 00 10 (transport key)
      2. Boot to the JCOP card >>> OK
      00 f0 00 00
      3. Write the new card manager AID >>> here we have a problem ...

      We followed the supplier's instruction for the write command, which is: (a2) B0 (a1) (a0) <DATA>
      Can somebody help us understand this step and how to fill in the a2, a1, a0 variables of that command?

      regards

      fixdigital.
        • 1. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
          Umer
          (a2) B0 (a1) (a0) <DATA>
          It seems like a proprietary command, which can be explained better by the vendor. Moreover, the command should map onto the standard APDU template, i.e.,

          CLA INS P1 P2 LC +<Data>+ Le

          By using the above structure you can map your fields.
          • 2. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
            923075
            Here I post the log from when I skip step number 3:



            ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56    ;.....1.EJCOP41V
            32 33 31 97 231.
            ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"
            => 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
            (14674 usec)
            <= 6A 82 j.
            Status: File not found
            jcshell: Unable to select Card Manager or invalid FCI: Unknown Global Platform Java Card.
            Subsequent commands might fail! Inspection might not be possible!
            ??> /send 00a4040010 (transport key)
            => 00 A4 04 00 10 ________________ .........C...v:.
            __________________

            (23367 usec)
            <= 90 00 ..
            Status: No Error
            ??> /send 00f00000
            => 00 F0 00 00 ....
            (83525 usec)
            <= 90 00 ..
            Status: No Error
            ??> /card
            --Waiting for card...
            ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56    ;.....1.EJCOP41V
            32 33 31 97 231.
            ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"
            => 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
            (150720 usec)
            <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 oe...........Y.e
            01 FF 9F 6E 06 40 51 63 45 29 00 73 4A 06 07 2A ...n.@QcE).sJ..*
            86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B .H..k.`...*.H..k
            02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 ....c...*.H..k.d
            0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 ...*.H..k...e...
            2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 +...Hd...f...+..
            04 01 2A 02 6E 01 02 90 00 ..*.n....
            Status: No Error
            cm>  set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
            cm>  init-update 255
            => 80 50 00 00 08 D4 B8 B8 64 F8 80 7D 22 00 .P......d..}".
            (94420 usec)
            <= 00 00 93 23 00 23 87 91 54 88 FF 02 00 00 46 0C ...#.#..T.....F.
            71 E4 C4 67 5B 71 CA 9D 7B 39 4C CD 90 00 q..g[q..{9L...
            Status: No Error
            jcshell: Error code: -5 (Authentication failed)


            Can somebody guide me step by step to solve my problem?

            Many Thanks

            Edited by: 920072 on Mar 12, 2012 12:45 AM
            • 3. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
              Umer
              To my understanding, you have selected your card manager successfully but you are unable to authenticate to your card. There can be two possibilities: one is that your card keys are not the "default" keys and have been changed by someone, most probably your vendor, and the other can be that your card is locked.
              • 4. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                923075
                Thanks for your reply, bro ... I have another 2 questions here:

                # If we want to do pre-personalization, should we input a key or not?
                # Does the smart card already have that key, or must we set it first?

                thanks
                • 5. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                  Umer
                  # If we want to do pre-personalization, should we input a key or not?
                  You must change your default keys.
                  # Does the smart card already have that key, or must we set it first?
                  It depends. Most cards have default keys set, and you can also put your own keys at any time you want.
                  • 6. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                    923075
                    Can you describe how to change this key? We used JC shell.
                    I mean a command to put the key, maybe, or do you have an example ...

                    We already tried to change the key but did not succeed, like the log we posted before ...
                    We are still confused about which step we did wrong ...

                    The procedure we have already done:

                    *(1) Pre-Personalization*

                    /atr
                    /send 00a4040010<TransportKey>
                    /send 00f00000 <== boot
                    /send 00100000 <== protect
                    /send 00000000 <== Fuse



                    *(2) Then we tried to authenticate with the default key; the auth still failed*

                    *## try using JCShell (Eclipse)*
                    ??> /card
                    --Waiting for card...
                    ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56 ;.....1.EJCOP41V
                    32 33 31 97 231.
                    ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"
                    => 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
                    (150720 usec)
                    <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 oe...........Y.e
                    01 FF 9F 6E 06 40 51 63 45 29 00 73 4A 06 07 2A ...n.@QcE).sJ..*
                    86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B .H..k.`...*.H..k
                    02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 ....c...*.H..k.d
                    0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 ...*.H..k...e...
                    2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 +...Hd...f...+..
                    04 01 2A 02 6E 01 02 90 00 ..*.n....
                    Status: No Error
                    cm> set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
                    cm> init-update 255
                    => 80 50 00 00 08 D4 B8 B8 64 F8 80 7D 22 00 .P......d..}".
                    (94420 usec)
                    <= 00 00 93 23 00 23 87 91 54 88 FF 02 00 00 46 0C ...#.#..T.....F.
                    71 E4 C4 67 5B 71 CA 9D 7B 39 4C CD 90 00 q..g[q..{9L...
                    Status: No Error
                    jcshell: Error code: -5 (Authentication failed)

                    _## try using GPShell_
                    D:\Programming\Dongle_SCard\GlobalPlatform\GPShell-1.4.4>GPShell.exe helloInstallGP211.txt
                    mode_211
                    enable_trace
                    enable_timer
                    establish_context
                    command time: 15 ms
                    card_connect
                    command time: 219 ms
                    select -AID a000000003000000
                    Command --> 00A4040008A000000003000000
                    Wrapped command --> 00A4040008A000000003000000
                    Response <-- 6F658408A000000003000000A5599F6501FF9F6E06405163452900734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000
                    command time: 202 ms
                    open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
                    Command --> 80CA006600
                    Wrapped command --> 80CA006600
                    Response <-- 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000
                    Command --> 8050000008CDA19913D438CC9300
                    Wrapped command --> 8050000008CDA19913D438CC9300
                    Response <-- 00009323002330915488FF020000460C71E4C46792ACEBB71CE0D0739000
                    mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)





                    thanks
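
The two INITIALIZE UPDATE responses in the logs above can be read field by field. The Python below is an added example, not part of any post in this thread; it assumes the SCP02 response layout from the GlobalPlatform Card Specification 2.1.1, and the names `parse_init_update` and `summarize` are illustrative.

```python
# Added example (not from the thread): decode the SCP02 INITIALIZE UPDATE
# responses posted above. Field layout assumed from GlobalPlatform 2.1.1.
from dataclasses import dataclass

# Response bytes copied from the jcshell and GPShell logs in the thread.
JCSHELL_RESP = ("00 00 93 23 00 23 87 91 54 88 FF 02 00 00 46 0C "
                "71 E4 C4 67 5B 71 CA 9D 7B 39 4C CD 90 00")
GPSHELL_RESP = "00009323002330915488FF020000460C71E4C46792ACEBB71CE0D0739000"

@dataclass(frozen=True)
class InitUpdate:
    key_div_data: bytes     # 10 bytes of key diversification data
    key_version: int        # key set version the card answered with
    scp_id: int             # 0x02 for SCP02
    seq_counter: int        # SCP02 sequence counter
    card_challenge: bytes   # 6 bytes
    card_cryptogram: bytes  # 8 bytes the host must be able to reproduce

def parse_init_update(hex_text: str) -> InitUpdate:
    raw = bytes.fromhex(hex_text)  # whitespace between bytes is ignored
    if len(raw) != 30:
        raise ValueError(f"expected 28 data bytes + SW, got {len(raw)} bytes")
    body, sw = raw[:28], raw[28:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned SW={sw.hex().upper()}")
    if body[11] != 0x02:
        raise ValueError(f"SCP id {body[11]:#04x}: this layout is SCP02 only")
    return InitUpdate(body[:10], body[10], body[11],
                      int.from_bytes(body[12:14], "big"),
                      body[14:20], body[20:28])

def summarize(r: InitUpdate) -> str:
    # The counter only advances after a successful authentication.
    state = ("no successful authentication yet under this key set"
             if r.seq_counter == 0 else "key set has been used successfully")
    return (f"key version 0x{r.key_version:02X}, SCP{r.scp_id:02d}, "
            f"counter {r.seq_counter:04X} ({state}), "
            f"challenge {r.card_challenge.hex().upper()}, "
            f"cryptogram {r.card_cryptogram.hex().upper()}")

if __name__ == "__main__":
    for name, resp in (("jcshell", JCSHELL_RESP), ("GPShell", GPSHELL_RESP)):
        print(name, "->", summarize(parse_init_update(resp)))
```

Both logs decode to key version 0xFF, SCP02 and sequence counter 0000 with the same card challenge; only the cryptogram, which depends on the host challenge and the card's actual keys, differs.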
                    • 7. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                      816119
                      We followed the supplier's instruction for the write command, which is: (a2) B0 (a1) (a0) <DATA>
                      Can somebody help us understand this step and how to fill in the a2, a1, a0 variables of that command?
                      It is not a write command, it is a read command;
                      a2, a1, a0 - EEPROM address;
                      Actually, you need the documentation for the card to know the pre-personalisation steps, command coding and EEPROM addresses. For JCOP this documentation is provided by NXP under NDA.
                      ??> /send 00f00000
                      At least you need to send the protect command after this command,
                      and do not send the fuse command until you check that the card works.
                      • 8. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                        816119
                        Then we tried to authenticate with the default key; the auth still failed
                        So, it can mean that the keys are not default after the boot command and you need to write keys.
                        • 9. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                          923075
                          Can you help us by giving an example write command for this case?
                          Like writing keys after boot ...

                          We only have limited documentation from our supplier, which I write below:

                          Procedure for activating a JCOP card (pre-personalisation)
                          1. Select Root using the transport key
                          2. Boot to the JCOP card
                          3. Write the new card manager AID
                          4. Protect the card
                          5. Fuse the card

                          Explanation:

                          To select ROOT use 00 A4 04 00 10 <TRANSPORT KEY>
                          To BOOT to the card use 00 F0 00 00
                          WRITE command is (a2) B0 (a1) (a0) <DATA>
                          where a2 a1 a0 is the address *>>> where can we get the address?*

                          Protect command is 00 10 00 00
                          Fuse command is 00 00 00 00
                          After fusing the card, it can be accessed using the new AID written
                          • 10. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                            816119
                            3. Write the new card manager AID
                            Instead, try to write the card manager keys. You can find the coding for the write command and the EEPROM addresses in this thread: Re: Pre-personalization step on JCOP cards

                            DES_K1_address C003D9
                            DES_K2_address C003F5
                            DES_K3_address C00411

                            /send "C0D603D9 10 404142434445464748494a4b4c4d4e4f"
                            /send "C0D603F5 10 404142434445464748494a4b4c4d4e4f"
                            /send "C0D60411 10 404142434445464748494a4b4c4d4e4f"
                            5. Fuse the card
                            Fuse is optional; do not use it until you check the keys.
                            • 11. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                              923075
                              Thanks for your quick reply, will post the result soon.
                              • 12. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                                923075
                                OK, we have already solved our problem. The key does not match the default.

                                Thanks, everyone. :)





                                #thx maz bro... !! :)
                                • 13. Re: write new card manager AID  for JCOP 4 1 v.2.3.1 problem .
                                  801926
                                  Be aware that every JCOP version and revision has different EE addresses for pre-personalization. Writing to incorrect EE addresses may corrupt the card irreversibly. The pre-perso addresses are documented in the JCOP datasheet or admin manual.
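
Given the warning above, it is worth checking each `/send` line against the documented address before it goes to the card. The Python below is an added example, not part of any post in this thread; it maps the commands from reply 10 onto CLA INS P1 P2 Lc Data, assuming the thread's vendor convention that CLA/P1/P2 carry the a2/a1/a0 address bytes, and `decode` and `preflight` are illustrative names.

```python
# Added example (not from the thread): pre-flight check of the /send lines in
# reply 10 against the addresses listed there. The addresses are the thread's;
# substitute the ones documented for your own card version and revision.
INS_NAMES = {0xB0: "READ BINARY", 0xD6: "UPDATE BINARY"}  # ISO/IEC 7816-4

THREAD_COMMANDS = {  # copied from reply 10
    "DES_K1": "C0D603D9 10 404142434445464748494a4b4c4d4e4f",
    "DES_K2": "C0D603F5 10 404142434445464748494a4b4c4d4e4f",
    "DES_K3": "C0D60411 10 404142434445464748494a4b4c4d4e4f",
}
THREAD_ADDRESSES = {"DES_K1": "C003D9", "DES_K2": "C003F5", "DES_K3": "C00411"}

def decode(apdu_hex: str) -> dict:
    """Split a command-data APDU (CLA INS P1 P2 Lc Data, no Le) into fields."""
    raw = bytes.fromhex(apdu_hex)  # whitespace between bytes is ignored
    if len(raw) < 5:
        raise ValueError("need at least CLA INS P1 P2 Lc")
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:]
    if len(data) != lc:
        raise ValueError(f"Lc={lc} but {len(data)} data bytes follow")
    return {"ins": ins, "name": INS_NAMES.get(ins, "unknown"),
            "address": f"{cla:02X}{p1:02X}{p2:02X}",  # a2 a1 a0 (assumed)
            "data": data}

def preflight(commands: dict, addresses: dict, key_len: int = 16) -> list:
    """Return a list of problems; an empty list means every line checks out."""
    problems = []
    for label, line in commands.items():
        try:
            apdu = decode(line)
        except ValueError as exc:
            problems.append(f"{label}: malformed APDU ({exc})")
            continue
        if apdu["ins"] != 0xD6:
            problems.append(f"{label}: INS is {apdu['name']}, not UPDATE BINARY")
        if apdu["address"] != addresses[label]:
            problems.append(f"{label}: targets {apdu['address']}, "
                            f"documented address is {addresses[label]}")
        if len(apdu["data"]) != key_len:
            problems.append(f"{label}: {len(apdu['data'])} key bytes, "
                            f"expected {key_len}")
    return problems

if __name__ == "__main__":
    print(preflight(THREAD_COMMANDS, THREAD_ADDRESSES) or "all commands match")
```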