Javacard J2A040 changing default key with GPShell script not work

Question

I want to change default key but script below on GPShell return 6A80.

mode_211 
enable_trace 
establish_context 
card_connect 
select -AID A000000003000000 
open_sc -scp 2 -scpimpl 0x15 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F // Open secure channel
put_sc_key  -keyver 0 -newkeyver 1 -mac_key 404142434445464748494A4B4C4D4E4E -enc_key 404142434445464748494A4B4C4D4E4E -kek_key 404142434445464748494A4B4C4D4E4E  -current_kek 404142434445464748494A4B4C4D4E4F 
card_disconnect 
release_context

pyResMan

What is wrong ?

my J2A040 is pre-personalised but not fused and not protect.

Thanks for your help

score 0 · Answer 1 · answered Sep 02 '20 at 23:13

put_sc_key  -keyver 0 -newkeyver 1 -mac_key 404142434445464748494A4B4C4D4E4E -enc_key 404142434445464748494A4B4C4D4E4E -kek_key 404142434445464748494A4B4C4D4E4E  -current_kek 404142434445464748494A4B4C4D4E4F

is creating a new key. Because the key in key set version 1 already exists, the command fails. To replace a key a key use this syntax:

put_sc_key  -keyver 1 -newkeyver 1 -mac_key 404142434445464748494A4B4C4D4E4E -enc_key 404142434445464748494A4B4C4D4E4E -kek_key 404142434445464748494A4B4C4D4E4E  -current_kek 404142434445464748494A4B4C4D4E4F

If this fails it would be interesting for me to know if addign a new key set version works. Please try (adding key set version 2):

put_sc_key  -keyver 0 -newkeyver 2 -mac_key 404142434445464748494A4B4C4D4E4E -enc_key 404142434445464748494A4B4C4D4E4E -kek_key 404142434445464748494A4B4C4D4E4E  -current_kek 404142434445464748494A4B4C4D4E4F

I think I have some issues left in the code, currently I'm investigating this, your support could be helpful here. Are you using the latest binaries release for Windows / Homebrew?

score 0 · Answer 2 · answered Sep 03 '20 at 15:42

This script work for me now

mode_211 
enable_trace 
establish_context 
card_connect 
select -AID A000000003000000 
open_sc -scp 2 -scpimpl 0x15 -security 1 -keyind 0 -keyver 0 -key 404142434445464748494A4B4C4D4E4F -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F // Open secure channel
put_sc_key  -keyver 1 -newkeyver 0 -mac_key 404142434445464748494A4B4C4D4E4E -enc_key 404142434445464748494A4B4C4D4E4E -kek_key 404142434445464748494A4B4C4D4E4E  -current_kek 404142434445464748494A4B4C4D4E4F 
card_disconnect 
release_context

With this :

put_sc_key  -keyver 0 -newkeyver 2 -mac_key 404142434445464748494A4B4C4D4E4E -enc_key 404142434445464748494A4B4C4D4E4E -kek_key 404142434445464748494A4B4C4D4E4E  -current_kek 404142434445464748494A4B4C4D4E4F

It work too. But what i actually want is to replace the 3 default keys (S-ENC, S-MAC, DEK) and not add new keys, now I have 3 new keys with version 2, look on l 'picture.

Picture from new version 2 key pyResMan

Now how to delete keys for version 2

I did not find how to erase the version keys, I reset the card by pre-personalizing it again, because it is not fused and protected, now everything is back to normal, I have them 3 default keys in version 1, but my problem is not solved, how to erase the 3 default keys, and how to replace the 3 existing default keys with new key values. — andromeda92, Sep 03 '20 at 16:20

Javacard J2A040 changing default key with GPShell script not work

2 Answers2