3

After succeeding with Java Card development on emulators, I'm now dealing with a real Java Card (Gemalto IDCore 3010). I have been experimenting with the Global Platform, but I have problems even with the most basic sample code that would list the applets on the card.

This is the original code:

mode_201
enable_trace
establish_context
card_connect
select -AID a0000000030000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
get_status -element e0
card_disconnect
release_context

Which I have modified and it is like this now:

//I changed this, because the Card Management & API is compliant with GP2.1.1. 
mode_211
enable_trace
establish_context
//Switches are not necessary as I am using only one single-slot card reader
card_connect
//The auto-detected ISD AID of the card is: A000000018434D00
select -AID A000000018434D00
//This is the line where the command fails
open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key 47454d5850524553534f53414d504c45   // Open secure channel
//This would list applets and packages and security domains
get_status -element e0
card_disconnect
release_context

On the Global Platform page one can find that these are the switches for an open_sc command:

open_sc -keyind x -keyver x -key xyz -mac_key xyz -enc_key xyz -kek_key xyz -security x -scp x -scpimpl x -keyDerivation x
Open secure channel

But sadly I couldn't find enough information on these switches.

  • keyind: The only information I found is that it is a key index, which I would have guessed also all by myself.
  • keyver: Key set version. Same as above.
  • key: I read that if I have a card which uses key derivation I must enable the derivation mode with the -keyDerivation option and I must specify with -key the master (mother) key. So here I provided my mother key (4F454D5850524553534F53414D504C45).
  • mac_key: It should not be relevant, because it is calculated from the master key.
  • enc_key: It should not be relevant, because it is calculated from the master key.
  • kek_key: It should not be relevant, because it is calculated from the master key.
  • security: The information I found is this: 0: clear, 1: MAC, 3: MAC+ENC. Since in the datasheet of my card I couldn't find something like this I chose "0".
  • scp: Secure Channel Protocol (1 SCP01, 2 SCP02, default not set). Should not be necessary to be stated explicitly. My card supports both SCP01 and SCP02.
  • scpimpl: Secure Channel Implementation (default not set). Should not be necessary to be stated explicitly.
  • keyDerivation: Possible values are "none", "visa2" or "emvcps11". Also, since I couldn't find information on this in the datasheet, I stuck to "none".

This is the error message that I get with the modified code:

C:\JavaCard\GPShell-1.4.4>GPShell.exe list.txt
mode_211
enable_trace
establish_context
card_connect
select -AID A000000018434D00
Command --> 00A4040008A000000018434D00
Wrapped command --> 00A4040008A000000018434D00
Response <-- 6F198408A000000018434D00A50D9F6E061291518101009F6501FF9000
open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key 47454d585052455
3534f53414d504c45   // Open secure channel
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 6A88
GP211_get_secure_channel_protocol_details() returns 0x80206A88 (6A88: Referenced
 data not found.)

Could somebody tell me what is wrong and how I should parameterize and execute the open_sc command? Thank you very much!

Solution: This was the working version:

mode_201
enable_trace
establish_context
card_connect
select -AID A000000018434D00
open_sc -scp 1 -scpimpl 0x15 -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2
get_status -element e0
card_disconnect
release_context
bp14

2 Answers

1

Unfortunately, in contrast to other devices of daily life, complete manuals or instructions are often not provided with smart cards. If you do not have some of the necessary parameters, you are lost. Try to use the switch mode_201:

mode_201
enable_trace
enable_timer
establish_context
card_connect
select -AID A000000018434D00
open_sc -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2 // Open secure channel
get_status -element e0
card_disconnect
release_context

There is an example file called listgemXpressoProR3_2E64.txt: https://sourceforge.net/p/globalplatform/code/HEAD/tree/trunk/gpshell/helloInstallgemXpressoProR3_2E64.txt

Maybe your card is compatible with this Gemalto card.

k_o_
  • Thanks, though sadly it didn't work. Same error message: referenced data not found. I think I will try to contact Gemalto once again and see if they can help. – bp14 Mar 22 '15 at 22:27
  • Can you try `-keyind 0 -keyver 32`? This was the key version of a different Gemalto card. If you have a solution please share it. – k_o_ Mar 23 '15 at 00:26
  • Sadly I got the _referenced data not found_ output again. – bp14 Mar 23 '15 at 21:58
  • I just see that the Gemalto is not supporting the GET DATA command for tag 0x66. This is the actual reason for the error "referenced data not found". In this case you have to specify the secure channel protocol and implementation manually, because the card is not providing this data in advance. – k_o_ Mar 23 '15 at 23:43
  • So the command will be: `-scp 2 -scpImpl 0xyy -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2` In your case possible values for `-scpImpl` are 0x45, 0x55, 0x15, 0x05. – k_o_ Mar 24 '15 at 00:01
  • It says that _unknown option -scpImpl_. How should I put the values (0x45, 0x55, 0x15, 0x05) after the switch scpImpl? – bp14 Mar 24 '15 at 23:02
  • Oh, this must be a lower case letter, so `-scpimpl` instead of `-scpImpl`. You have to try out all 4 values, so `-scpimpl 0x45` ... etc until one is hopefully working. E.g. `-scp 2 -scpimpl 0x45 -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2` – k_o_ Mar 25 '15 at 15:13
  • Yes, it was the lower case issue, though I get the same output for the four values: _mutual_authentication() returns 0x8030F00A (The Secure Channel Protocol passed and reported do not match.)_. – bp14 Mar 25 '15 at 22:27
  • I guess we are close. This error means that the card is not using SCP02, but SCP01. So the next try: `-scp 1 -scpImpl 0x15 -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2` – k_o_ Mar 26 '15 at 00:06
  • Wicked! The secure connection is established, but now there's an issue with the get_status command. Here's the output: `get_status -element e0 Command --> 80F2E000024F0000 Wrapped command --> 84F2E0001014330AB9568070ED3AC0914714F45AE700 Response <-- 6982 get_status() returns 0x80206982 (6982: Command not allowed - Security status not satisfied.)` – bp14 Mar 26 '15 at 22:00
  • Well, maybe my assumed modifier of 0x15 is not correct. So, if the card is only supporting SCP01, let's try the updated answer above. We are trying `mode_201` directly. – k_o_ Mar 26 '15 at 23:54
  • I added the card as a supported card in the GPShell Wiki. I also added an example script https://sourceforge.net/p/globalplatform/code/461/tree/trunk/gpshell/listGemaltoIDCore3010.txt Can you test if it works? – k_o_ Mar 27 '15 at 16:21
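
The responses in the question's trace can be decoded offline to see what the card did and did not report. This Python sketch is an added example, not part of the original thread or of GPShell: it parses the SELECT response (tag 84 carries the selected AID) and checks the GET DATA status word that the comments above identify as the reason the secure channel protocol has to be given manually; the function names are hypothetical and both responses are copied from the trace.

```python
# Added example, not from the thread; both responses are copied from the trace.
SW_MEANING = {0x9000: "success", 0x6A88: "referenced data not found",
              0x6982: "security status not satisfied"}
SELECT_RESP = "6F198408A000000018434D00A50D9F6E061291518101009F6501FF9000"
GET_DATA_66_RESP = "6A88"

def split_response(hex_str):
    """Split a response APDU into (data bytes, 16-bit status word)."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    return raw[:-2], int.from_bytes(raw[-2:], "big")

def parse_tlv(data):
    """Parse BER-TLV (1- or 2-byte tags, short lengths) into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        first = tag = data[i]
        i += 1
        if first & 0x1F == 0x1F:               # two-byte tag, e.g. 9F6E
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length > 0x7F:
            raise ValueError("long-form length not handled here")
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        i += length
        # Bit 0x20 of the first tag byte marks a constructed (nested) object.
        out.append((tag, parse_tlv(value) if first & 0x20 else value))
    return out

def find_tag(nodes, wanted):
    for tag, value in nodes:
        if tag == wanted:
            return value
        if isinstance(value, list) and (hit := find_tag(value, wanted)) is not None:
            return hit
    return None

def needs_manual_scp(get_data_66_hex):
    """True when GET DATA for tag 66 gave 6A88, so -scp/-scpimpl must be set."""
    return split_response(get_data_66_hex)[1] == 0x6A88

if __name__ == "__main__":
    data, sw = split_response(SELECT_RESP)
    print(SW_MEANING.get(sw), find_tag(parse_tlv(data), 0x84).hex().upper())
    print("manual SCP needed:", needs_manual_scp(GET_DATA_66_RESP))
```
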
-1

Please try the below script:

mode_211
gemXpressoPro
enable_trace
establish_context
card_connect -readerNumber 1
select -AID A000000018434D00
open_sc -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -mac_key 47454d5850524553534f53414d504c45 -enc_key 47454d5850524553534f53414d504c45 // Open secure channel
delete -AID A000000482
card_disconnect
release_context
Rugmangathan