3

I want to verify PIN1 on a smart card and read the retry counter. According to ISO 7816-4 page 54 (1), the retry counter is stored in the 2 LSB of SW2 (SW1 should be 63) after the verify command, but I get SW1 SW2 = 90 00 in case of a correct password:

```
>> Reset
<<  3b 19 94 80 67 94 08 01 03 02 01 03
>>  ff 00 ff
<<  ff 00 ff
>>  a0 a4 00 00 02
<<  a4
>>  3f 00
<<  9f 16
>>  a0 f2 00 00 16
<<  f2 00 00 63 f4 3f 00 01 00 00 00 00 00 09 33 03 0a 08 00 83 8a 83 8a 90 00
0: pin enabled...
>>  a0 20 00 01 08
<<  20
>>  31 31 31 31 ff ff ff ff
<<  90 00
```

And 98 04 in case of incorrect PIN1:

```
>>  a0 20 00 01 08
<<  20
>>  31 31 31 32 ff ff ff ff
<<  98 04
```

What did I miss?

(1) http://www.embedx.com/pdfs/ISO_STD_7816/info_isoiec7816-4%7Bed2.0%7Den.pdf

Ivan Borshchov
  • 2
    Note that there is often a `GET DATA` command specified to get the retry counter in advance. If there is such a command, the form of the command may well differ per implementation, though. – Maarten Bodewes Jun 30 '15 at 15:07
  • Thx, it is interesting. Yes, 7816-4 has this command. But as I understand it, it only works on some selected EF, and it is not clear what EF it should be. Also, some example would be very helpful. – Ivan Borshchov Jul 01 '15 at 09:00
  • 1
    The dump suggests all proprietary commands, meaning that all of ISO 7816-4 is not applicable except the structure of the command / response APDU. What kind of card is this exactly? – Maarten Bodewes Jul 01 '15 at 09:19
  • GSM SimCard, I thought it should be compatible to this ISO. – Ivan Borshchov Jul 01 '15 at 09:32
  • 1
    7816-4 is only a base standard for a file system OS. Nobody will support all possible features. You need a specification that builds on 7816-4 to create actual applications. – Maarten Bodewes Jul 01 '15 at 09:43
  • Really important info, I didn't find it anywhere – Ivan Borshchov Jul 01 '15 at 09:49

2 Answers

7

Your smart card seems to be a GSM SIM Card. The class byte clearly has the MSB set, so it does not follow the ISO 7816. In this case, you should refer to 3GPP TS 11.11 (can be downloaded from this link).

The Verify CHV command is described in section 9.2.9, section 8.9, and section 11.3.1.

Some of the possible returned status words for this command are:

  1. '9000': successful CHV verification
  2. '9804': unsuccessful CHV verification, at least one attempt left.
  3. '9840': CHV blocked
  4. '9808': in contradiction with CHV status (i.e. verifying PIN which is currently disabled)
  5. '91XX' : also successful CHV verification, but there is proactive command pending.

The number of remaining tries can be found in response of successful SELECT of directory (MF or DF), or by sending STATUS command (INS 'F2'). Low nibble of byte 19 contains remaining tries for CHV1/PIN1, byte 20 for PUK1, byte 21 for PIN2, and byte 22 for PUK2. For more details, refer to section 9.2.1.


Additional notes:

  1. If the card is a USIM, the VERIFY command follows the ISO 7816. You can use CLA '00' and find 63CX status word in this card.
  2. PIN1 enabled or disabled can be checked from SELECT directory byte 14. b8=0: CHV1 enabled; b8=1: CHV1 disabled.
David
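
The decoding described in this answer, as an added example that is not part of the original post: it parses the STATUS response from the question's dump with the 1-based byte positions given above and maps VERIFY status words to the listed meanings. The function names, and treating the leading `f2` in the trace as the T=0 INS echo rather than data, are assumptions.

```python
# Added example; byte numbers are 1-based, as in the answer above.
VERIFY_SW = {
    0x9000: "CHV verified",
    0x9804: "CHV verification failed, at least one attempt left",
    0x9840: "CHV blocked",
    0x9808: "in contradiction with CHV status",
}

def explain_verify_sw(sw1: int, sw2: int) -> str:
    """Map a VERIFY status word to the meanings listed in the answer."""
    if sw1 == 0x91:
        return "CHV verified, proactive command pending"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:  # 63CX form (CLA '00', e.g. USIM)
        return f"verification failed, {sw2 & 0x0F} tries left"
    return VERIFY_SW.get((sw1 << 8) | sw2, "not covered by this table")

def parse_status(trace_hex: str, ins: int = 0xF2, le: int = 0x16) -> dict:
    """Decode a STATUS response logged as: [INS echo] data SW1 SW2."""
    raw = bytes.fromhex(trace_hex)
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    data, sw1, sw2 = raw[:-2], raw[-2], raw[-1]
    if len(data) == le + 1 and data[0] == ins:  # assumed T=0 procedure byte
        data = data[1:]
    if (sw1, sw2) != (0x90, 0x00) and sw1 != 0x91:
        raise ValueError(f"STATUS failed with SW {sw1:02X}{sw2:02X}")
    if len(data) < 22:
        raise ValueError("too short for an MF/DF response (need 22 bytes)")
    fields = (("PIN1", 19), ("PUK1", 20), ("PIN2", 21), ("PUK2", 22))
    return {
        "chv1_enabled": (data[14 - 1] & 0x80) == 0,  # byte 14, b8=0: enabled
        "tries_left": {name: data[n - 1] & 0x0F for name, n in fields},
    }

# The STATUS response from the question's dump.
SAMPLE = "f2 00 00 63 f4 3f 00 01 00 00 00 00 00 09 33 03 0a 08 00 83 8a 83 8a 90 00"

if __name__ == "__main__":
    print(parse_status(SAMPLE))
    print(explain_verify_sw(0x98, 0x04))
```

Reading the counters this way before sending VERIFY lets a tool refuse to try a PIN when only one attempt remains.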
2

While I don't understand your dump format completely, note the following:

  • The 63 Cx is returned only if VERIFY is sent without data and the access right is not already granted.

  • Each card operating system is free to implement this retry counter response.

A correct verification (i.e. VERIFY with verification data) obviously must return 90 00 to indicate that the verification was successful. 98 04 is a GSM-specific ("proprietary") return code that you will not find explained in ISO 7816.

guidot
  • Thanks, now it is clear. Can you please give me advice on how to run VERIFY without data? I tried a0 20 00 01 on a SIM card with a PIN code, but the card didn't respond to me at all. P.S. my dump was selecting the MF and reading the status to know if a PIN is present by checking the MSB in the 14th byte of the status. – Ivan Borshchov Jul 01 '15 at 07:34
  • 1
    @user3479125: The card did not even provide a status code upon your Verify without data? I would expect at least 67 00, if the card does not support the empty verify. As Maarten pointed out, there may exist a different command for retrieving the counter, but I'm not sufficiently familiar with GSM to suggest one. Your APDU looks correct to me (LC **has** to be omitted, if no data follow), however. – guidot Jul 01 '15 at 08:37