External Authentication:
FF 82 20 00 06 FF FF FF FF FF FF
What is the correct procedure to run External Authentication? Do we need to run Get Challenge before External Authentication?
If I send the apdu of external authentication to OMNIKEY smart card reader, it will return me 9000 which mean success.
But If I do the same step with Workabout Pro4 and it return 6D00?
6D00 is instruction code is not supported or invalid, but it was working with Omnikey smart card reader. How to solve this problem?
FYI: Read UID APDU Command is working on both devices: FF CA 00 00 00
I have tried many different ways but none is working.
Changing the shared_mode while connect card[Exclusive, Shared]
Lock the thread for specific process
Put the thread to wait for few seconds before sending APDU
Send Get Challenge apdu before external authentication but failed
I found the answer myself.
There are two Load Authentication Keys APDU commands:
FF 82 20 00 06 FF FF FF FF FF FF (Obsolete)
FF 86 00 00 05 01 00 [Block Number] [Key Type] [Key Number]
Use the second APDU command to do Load Authentication Keys then read/write the Mifare card content.
Related
http://ludovic.rousseau.free.fr/softwares/pcsc-tools/
What apdu command of "80 84 00 00 20" means?
I have tried the question to CHATGPT.
ME>> what apdu command of "80 84 00 00 20" means
CHATGPT>> The APDU (Application Protocol Data Unit) response "80 84 00 00 20" is a message sent from a smart card to a smart card reader in response to a previous request.
The response consists of two status words: "80 84". The status words indicate the result of the previous command.
According to the ISO/IEC 7816 standard, the status word "80 84" indicates a "File not found" error. This error usually occurs when the smart card reader sends a request to select a file that doesn't exist in the smart card.
In other words, the APDU response "80 84 00 00 20" means that the smart card was unable to locate the requested file, and it is indicating this error to the smart card reader.
I think the answer is not correct.
"80 84 .." is command, not answer.
I have a USIM card and the Card Life Cycle is OP_READY:
Connected to the Card...
<--> [Mutual Auth]
---> 80 F2 80 00 02 4F 00
<--- 08 A0 00 00 00 03 00 00 00
01 <== LifeCycle = OP_READY
98
90 00
I want to change the card Life Cycle to SECURED. Based on the GlobalPlatform Card Specification I have to first change the card life cycle to INITIALIZED and then to SECURED state:
And this is the coding of differnet Life Cycles in SET STATUS APDU command:
So I tried to change the life cycle as below:
Connected to Card.
<--> [Mutual Auth with SecLevel = 0x00]
---> 80 F0 80 07 00
<--- **Fail** 6A 86
---> 80 F0 80 0F 00
<--- **Fail** 69 85
As you see above, I received 6A86 (INCORRECT P1-P2 Parameters) for INITIALIZED and 6985 (CONDITIONS OF USE NOT SATISFIED) for SECURED life cycle.
I also tried the same process with SecLevel=0x03, but nothing changes:
Connected to Card.
<--> [Mutual Auth with SecLevel = 0x03]
---> 84 F0 80 07 08 <MAC>
<--- **Fail** 6A 86
---> 84 F0 80 0F 08 <MAC>
<--- **Fail** 69 85
What is wrong?
It might be that your card is imposing additional requirements for the state change. If you have a manual consult it if some special behavior is described.
If this is not available my strongest guess would be that the card would like to see some keys to be personalized on the card before the state change is allowed. Use a PUT KEY command to update the keys. If updating the key using the same key version and index does not work try to create an additional key version.
Although unlikely to succeed, you can also try a STORE DATA command to set the life cycle status. The mapping guidelines, 6.13 allows to set the tag 9F70.
So I've been working on a Nodejs tag writer for the NTAG424 DNA and I am still getting the hang of APDU commands. I am tracing the steps of the example from https://www.nxp.com/docs/en/application-note/AN12196.pdf but the documentation is confusing at times. I am attempting to write to file02 to take advantage of the SUN/CMAC mirroring of the tag by using Cmd.WriteData in CommMode.Full. When I write the data I get an <9100> OK response code but in CommMode.Full I believe I should be receiving an encrypted response with more data. Then when I attempt to do Cmd.ChangeFileSetting after WriteData in CommMode.Full, I receive a <911e> error. I have looked up and down for 2 days at my code to see if maybe I fumbled the Initialization Vector or encrypted data step, but I think those parts are all good. I am truly lost as to why this is happening. I am using the example provided on the documentation mentioned above, except I modified the header for CMD.write data to make the command length valid (I was getting <917e> before I changed it from <80> to <98>) since I believe the documentation has a typo for this step.
CMD for WriteData to NDEF: 90 8d 00 00 9f 02 00 00 00 98 00 00 {encData} + {macT} + {LE}
CMD for ChangeFileSettings: 90 5f 00 00 19 02 {encData} + {macT} + {LE}
This is all in reference to 6.8.2 and 6.9 of the personalization example in the https://www.nxp.com/docs/en/application-note/AN12196.pdf document.
I'm working on a C platform and I want to read the AFL of a card.
If the previous command, select of the AID, don't give me a PDOL tag, it's ok: I can read the AFL without issues.
But I need to write a method that can generate a GET PROCESSING OPTION regardless the PDOL.
So the questions are:
How can I write an universal method that work despite the PDOL?
Have I to map every single possible TAG?
How can I format the GPO
command with the correct data? Look the following example:
SELECT AID Response
PDOL: 9F 1A 02
So I have to put the Terminal Country Code, in my case Italy: 380
So the GPO call is:
80 A0 00 00 04 83 02 03 80 00
But the response that I have is 6D 00: Instruction code not supported or invalid
Where am I wrong?
I'm programming on Ingenico Pos (Point of sale).
Good to know that you are aware with the concept of PDOL very well. As far I can understand with your question, you are comfortable to construct GPO command if PDOL is not present. I think You are in doubt to write a generic function to construct GPO APDU command.
First of all I want to tell you that if PDOL information is present in SELECT response then you should send PDOL data in GPO command APDU, otherwise card application may throw some error.
So you can set an indicator when you receive PDOL in SELECT command. If PDOL is not there you can simply send 80 A8 00 00 02 83 00 00 and if your indicator stated that PDOL is required then simply parse the PDOL and from SELECT response and prepare a value for PDOL data if you know (as you described in your question) to be send in GPO command APDU.
If you don't know what value then you can simply fill hexadecimal zeros in value field.
Taking your example : 80 A8 00 00 04 83 02 03 80 00. This is the correct command (I have corrected INS byte). Or you can also send 80 A8 00 00 04 83 02 00 00 00 (PDOL value is replace by zeros)
I think this explanation can help you to get the answers of both the questions. Try it and let us know if there is any further clarification needed.
You have two options:
Issue a command with data field of "8300" - 80 A8 00 00 02 83 00 00
Issue a command with data field of all hexadecimal zeroes - 80 A8 00 00 04 83 02 00 00 00
You receive the error, because in option 1 you omit the Le byte of the C-APDU - this byte is mandatory for all CASE 4 commands and in option 2 you give wrong INS byte, A0 instead of A8.
Card Issuers don't put just any tag and expect the terminal to provide the data. You can get the best practices(recommended tags) from each payment scheme you are certifying with. Besides, if it is some tag which you don't support, you can always zero fill and proceed.
After selection of the card and RATS, i want to start the authentication.
In the mifare documentation is described that an 0A 00 should be sent. This data is supposed to be ISO14443-4. I have to frame it to fit ISO14443-3.
The Block format goes like that
PCB|CID|INF|EDC
In the PCB I am supposed to say if it is an I-block, R-block or S-block.
I saw an example in this thread where he sent something like that:
90 0A 00 00 01 00 00
Where is it documented this frame, it looks like none of the blocks described in ISO14443-4
The Block format PCB|CID|INF|EDC with I-block, R-block or S-block you described is actually ISO 7816-3 T=1 frame (not ISO 14443 frame, not ISO 7816-4 APDU). This is low-level ISO 7816 that implemented in driver level.
The thread you mentioned uses 7816 APDU.
1st "to card" is actually 7816 APDU: CLA=90 INS=0A P1=00 P2=00 LC=01 Data=00 Le=00
2nd "to card" is another APDU: CLA=90 INS=AF P1=00 P2=00 Lc=10 Data=43 9D 17 8E 9A 5F BA 70 8D 23 57 10 C9 32 D5 17 Le=00.
Depending on the version of Mifare DESFire, you can use native, native-wrapped or ISO 7816-4 command set styles.
7816 wraps Mifare native command as follow:
90 [mifare native ins] 00 00 Lc [data] 00
From the 2 commands above, native commands are 0x0A (Authenticate) & 0xAF (More data).
You can't get the mifare native command set documentation freely. You need to sign an NDA. However, take a look at this doc to see learn more: http://www.nxp.com/documents/application_note/AN11004.pdf
Another resource: http://ridrix.wordpress.com/2009/09/19/mifare-desfire-communication-example/
This is not a ISO 14443 frame; it is an ISO 7816-4 APDU.