Develop Reference

Java Card OwnerPin - APDU Command

I'm starting to learn java card and I'm reading a sample code of a wallet and there an OwnerPin in it.
Here's the part of the code, related to the pin and its verification:
OwnerPIN pin;
private myApplet(byte[] bArray, short bOffset, byte bLength) {
// It is good programming practice to allocate
// all the memory that an applet needs during
// its lifetime inside the constructor
pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
byte iLen = bArray[bOffset]; // aid length
bOffset = (short) (bOffset + iLen + 1);
byte cLen = bArray[bOffset]; // info length
bOffset = (short) (bOffset + cLen + 1);
byte aLen = bArray[bOffset]; // applet data length
// The installation parameters contain the PIN
// initialization value
pin.update(bArray, (short) (bOffset + 1), aLen);
register();
}
I'm having a little trouble understanding this code. I know that this is the part when the pin is set according to the installation script:
0x80 0xB8 0x00 0x00 0xd 0xb 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0x00 0x00 0x00 0x7F;
I can't understand what is the value of pin will be after installing the applet.

The shown code is not enough to actually say anything about the given APDU.
This code sample though:
byte iLen = bArray[bOffset]; // aid length
bOffset = (short) (bOffset + iLen + 1);
byte cLen = bArray[bOffset]; // info length
bOffset = (short) (bOffset + cLen + 1);
byte aLen = bArray[bOffset]; // applet data length
is the default code for the Applet's installation method, therefore could be triggered by a Global Platform INSTALL command. However, the given APDU is not a valid Global Platform at all.
From your code we cannot see the entrypoint of the APDU in the process method, but probably it works like this: the given data is a LV-encoded list (Length/Value), therefore you parse the length byte for aid first, save the length iLen and increment bOffset to the next LV-pair. in the end the value and length of the applet data is taken and feeded into the pin.update.
In the given APDU, the PIN is acutally missing, try to parse the contents and length for aid and info and you will see that the applet data bytes are missing.

Using sniffing in Scapy

I am using Scapy to monitor towards man in the middle I would like to know in Scapy what does mean the following terms???
%IP.src%
%TCP.sport%
%IP.dst%
%TCP.dport%
%TCP.flags%
%TCP.payload%

I'm not Scapy user but seems pretty straight forward:
Source IP Address
TCP Source Port
Destination IP Address
TCP Destination Port
TCP Flags
TCP Payload (message body)

These are the useable TCP-Flags.
# TCP-Flags
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20
ECE = 0x40
CWR = 0x80
You coul'd test for a flag with the & operator
e.g.:
if paket[TCP].flags & SYN:
do_anything()

nrf24l01+ between arduino and raspberry Pi in NodeJS

I'm trying to retrieve my sensor data from my Raspberry Pi using nrf24l01+ network receiver.
I'm sending it from an Arduino nano board. Here is the setting of my Arduino:
STATUS = 0x0e RX_DR=0 TX_DS=0 MAX_RT=0 RX_P_NO=7 TX_FULL=0
RX_ADDR_P0-1 = 0xcccccc3ccc 0xcccccc3c3c
RX_ADDR_P2-5 = 0x33 0xce 0x3e 0xe3
TX_ADDR = 0xcccccccc3c
RX_PW_P0-6 = 0x20 0x20 0x20 0x20 0x20 0x20
EN_AA = 0x3e
EN_RXADDR = 0x3f
RF_CH = 0x5a
RF_SETUP = 0x07
CONFIG = 0x0f
DYNPD/FEATURE = 0x3f 0x04
Data Rate = 1MBPS
Model = nRF24L01+
CRC Length = 16 bits
PA Power = PA_MAX
My Raspberry Pi is plugged with nrf24l01+ through GPIO. I made sure the connection is OK by using the C++ example given on https://github.com/TMRh20/RF24:
RF24 radio(RPI_BPLUS_GPIO_J8_15,RPI_BPLUS_GPIO_J8_24, BCM2835_SPI_SPEED_8MHZ);
The data is OK. Now i want to use a nodeJS program to get this data. I'm using this library: https://github.com/natevw/node-nrf
The code is very simple, but somehow is not working (console is silent):
var spiDev = "/dev/spidev0.0";
var cePin = 15; //RPI_BPLUS_GPIO_J8_15
var irqPin = null;
var channel = 0x5a; //90
var radio = require('nrf').connect(spiDev, cePin, irqPin);
radio
.channel(channel)
.dataRate('1Mbps')
.crcBytes(1)
// .autoRetransmit({count:15, delay:4000})
;
radio.begin(function () {
var rx = radio.openPipe('rx', 0xcccccccc3c);
rx.pipe(process.stdout);
});
I'm wondering what I'm doing wrong. Hardware is OK and the setting seems pretty good, what do you think?
Thanks

Usually to find out what is wrong with NRF you should start from basics:
Try simpler NRF configs to test if its working, especially with no CRC bytes etc.
Try it w/o dynamic payload and try fixed payload size on both ends.
Auto-acknowledge also can be an issue (note that when auto-ack is enabled, CRC can't be disabled as it is used to ensure transmission acknowledgement in this mode).
Ensure that CRC lengths match on both ends. In your example on Arduino you have CRC Length = 16 bits whether Raspberry configured with radio.crcBytes(1).
Don't rely on default values, always provide same full configuration on both ends.
These steps can considerably reduce time to locate the problem especially when using different libraries and platforms.

USB Audio Descriptor

I'm trying to implement a PIC32 MCU as a Audio device, using USB audio class 1.
I have implementet this project: PIC32 USB Digital Audio Accesory Board Demos.zip
and it works fine, but now i want to cut away some of the Audio Control Interface, so i'm having a more simple Audio function:
The device seems to get enumerated properly acording to the status LED's on the board, and it appears in Device Manager's list of audio devices, but it has a small yellow exclamation mark.. And when i plug in the device, windows tells me: "Device driver software was not succesfully installed"
Anybody has a clue?
USB descriptors, block of code:
ROM BYTE configDescriptor1[] ={
//CD
0x09, // Size : 9 Bytes
0x02, // Configuration Descriptor (0x02)
//0xE4, // Total length in bytes of data returned Includes the combined length of all descriptors (configuration, interface, endpoint, and class- or vendor-specific) returned for this configuration.
0xB4, // Ved simpel Audio Function
0x00, // 2. Byte af Total Length // 228
0x03, // Number of Interfaces: 3
0x01, // bConfigurationValue, Value to use as an argument to select this configuration
0x00, // iConfiguration, Index of String Descriptor describing this configuration
_DEFAULT | _SELF, // bmAttributes, 0b01100000 -> D6: Self-powered, D7: Reserved (set to one)
0xFA, // Maximum Power : 250 * 2mA = 0,5A
//ID - INTERFACE 0 Control
0x09, // Size : 9 Bytes
0x04, // Interface Descriptor (0x04)
0x00, // Number of Interface: Interface nr 0
0x00, // Value used to select alternative setting
0x00, // Number of Endpoints used for this interface, 0
0x01, // Class Code (Assigned by USB Org), AUDIO
0x01, // Subclass Code (Assigned by USB Org), AUDIOCONTROL
0x00, // Protocol Code (Assigned by USB Org)
0x00, // Index of String Descriptor Describing this interface
//ACID - HEADER
0x0A, // Size : 10 Bytes
0x24, // CS_INTERFACE Descriptor Type
0x01, // HEADER descriptor subtype
0x00,0x01, // Audio Device compliant to the USB Audio specification version 1.00
//0x64,0x00, // 100 bytes - Total number of bytes returned for the class-specific AudioControl interface descriptor. // Includes the combined length of this descriptor header and all Unit and Terminal descriptors.
0x00,0x34, // wTotalLength
0x02, // bInCollection -> Number of streaming interfaces = 2
0x01, // baInterfaceNr(1) -> 0x01 = 1 -> Interface number of the first AudioStreaming interface in the Collection
0x02, // baInterfaceNr(2) -> 0x02 = 2 -> Interface number of the second AudioStreaming interface in the Collection
//ACID - INPUT_TERMINAL ID = 1
0x0C, // size : 12 bytes
0x24, // CS_INTERFACE Descriptor Type
0x02, // INPUT_TERMINAL - Descriptor subtype = 2
0x01, // ID of this Input Terminal. // Constant uniquely identifying the Terminal within the audio function.
0x01,0x01, // wTerminalType -> 0x0101 = USB streamming
0x00, // bAssocTerminal -> 0x00 = No association.
//0x03, // bAssocTerminal -> 0x03 = Associated with OUTPUT TERMINAL 3
0x02, // bNrChannels -> 0x02 two channel.
0x03,0x00, // wChannelConfig -> 0x0003 = stereo, Right / Left // se Audio Devices Dok side 34
//0x00,0x00, // wChannelConfig -> 0x0000 = mono ?
0x00, // iChannelNames -> 0x00 = Unused.
0x00, // iTerminal -> 0x00 = Unused.
//ACID - INPUT_TERMINAL ID = 4
0x0C, // size : 12 bytes
0x24, // CS_INTERFACE Descriptor Type
0x02, // INPUT_TERMINAL - Descriptor subtype
0x04, // bTerminalID -> ID of this Input Terminal = 4
0x01,0x02, // wTerminalType -> 0x0201 = Microphone
0x00, // bAssocTerminal -> 0x00 = No association.
//0x06, // bAssocTerminal -> 0x06 = Associated with OUTPUT TERMINAL 6
0x01, // bNrChannels -> 0x01 one channel.
0x01,0x00, // wChannelConfig -> Left Front <- original fra ex.
//0x00,0x00, // wChannelConfig -> 0x0000 = mono
0x00, // iChannelNames -> 0x00 = Unused.
0x00, // iTerminal -> 0x00 = Unused.
//ACID - OUTPUT_TERMINAL ID = 3
0x09, // size : 9 Bytes
0x24, // CS_INTERFACE Descriptor Type
0x03, // OUTPUT_TERMINAL - Descriptor subtype
0x03, // bTerminalID -> ID of this Output Terminal = 3
0x01,0x03, // wTerminalType -> 0x0301 = Speaker
0x00, // bAssocTerminal -> 0x00 = Unused
//0x01, // bAssocTerminal -> 0x01 = Associated with INPUT TERMINAL 1
//0x02, // bSourceID -> 0x02 = From FEATURE_UNIT ID 2 = USB stream
0x01, // bSourceID -> 0x01 = From Input Terminal ID 1
0x00, // iTerminal -> 0x00 = Unused.
//ACID - OUTPUT_TERMINAL ID = 6
0x09, // Size : 9 Bytes
0x24, // CS_INTERFACE Descriptor Type
0x03, // OUTPUT_TERMINAL - Descriptor subtype
0x06, // bTerminalID -> ID of this Output Terminal = 6
0x01,0x01, // wTerminalType -> 0x0101 = USB streaming
0x00, // bAssocTerminal -> 0x00 = Unused
//0x04, // bAssocTerminal -> 0x04 = Associated with INPUT TERMINAL 4
//0x09, // bSourceID -> 0x09 = From Selector Unit ID 9
0x04, // bSourceID -> 0x04 = From INPUT_TERMINAL ID 4
0x00, // iTerminal -> 0x00 = Unused.
/* ##### INTERFACE 1 - OUT ##### */
//ID - INTERFACE 1/0 Stream
0x09, // Size : 9 Bytes
0x04, // Interface Descriptor (0x04)
0x01, // bInterfaceNumber -> 0x01 Interface ID = 1 Number of this interface. Zero-based value identifying the index in the array of concurrent interfaces supported by this configuration.
0x00, // bAlternateSetting -> 0x00 = index of this interface's alternate setting
0x00, // bNumEndpoints -> 0x00 = 0 Endpoints to this interface
0x01, // bInterfaceClass -> 0x01 = Audio Interface
0x02, // bInterfaceSubclass -> 0x02 = AUDIO_STREAMING
0x00, // bInterfaceProtocol -> 0x00 = Unused
0x00, // iInterface -> 0x00 = Unused
//ID - INTERFACE 1/1 Stream
0x09, // Size : 9 Bytes
0x04, // Interface Descriptor (0x04)
0x01, // bInterfaceNumber -> 0x01 Interface ID = 1
0x01, // bAlternateSetting -> 0x01 = index of this interface's alternate setting
0x01, // bNumEndpoints -> 0x01 = 1 Endpoints to this interface
0x01, // bInterfaceClass -> 0x01 = Audio Interface
0x02, // bInterfaceSubclass -> 0x02 = AUDIO_STREAMING
0x00, // bInterfaceProtocol -> 0x00 = Unused
0x00, // iInterface -> 0x00 = Unused
//ASID - GENERAL
0x07, // Size : 7 Bytes
0x24, // CS_INTERFACE Descriptor Type
0x01, // bDescriptorSubtype -> 0x01 = GENERAL subtype
0x01, // bTerminalLink -> 0x01 = The Terminal ID of the Terminal to which the endpoint of this interface is connected.
0x01, // bDelay -> 0x01 = Delay (delta) introduced by the data path (see Section 3.4, ?Inter Channel Synchronization? - in Audio Devices). Expressed in number of frames.
0x01,0x00, // wFormatTag -> 0x0001 = PCM
//ASID - FORMAT_TYPE
0x0E, // Size : 14 Bytes
0x24, // CS_INTERFACE Descriptor Type
0x02, // bDescriptorSubtype -> 0x02 = FORMAT_TYPE
0x01, // bFormatType -> 0x01 = FORMAT_TYPE_I -> ref: A.1.1 Audio Data Format Type I Codes -> Audio Data Format Dok
0x02, // bNrChannels -> 0x02 = Two channels
0x02, // bSubFrameSize -> 0x02 = 2 bytes pr audio subframe
0x10, // bBitResolution -> 0x10 = 16 bit pr sample
0x02, // bSamFreqType -> 0x02 = 2 sample frequencies supported
0x80,0xBB,0x00, // tSamFreq -> 0xBB80 = 48000 Hz
0x00,0x7D,0x00, // tSamFreq -> 0x7D00 = 32000 Hz
//0x44,0xAC,0x00,
//ED - ENDPOINT OUT
0x09, // Size : 9 Bytes
0x05, // 0x05 -> ENDPOINT Descriptor Type
0x01, // bEndpointAddress -> 0x01 = adress 1, OUT, -> ref 9.6.6 Endpoint -> usb_20 Dok
0x09, // bmAttributes -> 0b00001001 -> Bits 0-1 = 01 = Isochronous , Bits 2-3 = 10 = Adaptive
AUDIO_MAX_SAMPLES * sizeof ( AUDIO_PLAY_SAMPLE ), 0x00, // wMaxPacketSize -> 48 * 4 = 0x0030 :Maximum packet size this endpoint is capable of sending or receiving when this configuration is selected.
0x01, // bInterval -> 0x01 = 1 millisecond
0x00, // ?? not described -> 0x00 = Unused
0x00, // ?? not described -> 0x00 = Unused
//CSED - CS ENDPOINT
0x07, // Size : 7 Bytes
0x25, // CS_ENDPOINT
0x01, // bDescriptorSubtype -> 0x01 = GENERAL
0x01, // bmAttributes -> 0b00000001 = Bit 1 = 1 => Sample Freq Control is supported by this endpoint
0x00, // bLockDelayUnits -> 0x00 = Indicates the units used for the wLockDelay field: 0 = Undefined
0x00,0x00, // the time it takes this endpoint to reliably lock its internal clock recovery circuitry.
/* ##### INTERFACE 2 - IN ##### */
//ID - INTERFACE 2/0 Stream
0x09, // Size : 9 Bytes
0x04, // Interface Descriptor (0x04)
0x02, // bInterfaceNumber -> 0x02 Interface ID = 2
0x00, // bAlternateSetting -> 0x00 = Value used to select this alternate setting for the interface identified in the prior field
0x00, // bNumEndpoints -> 0x00 = 0 -> Number of endpoints used by this interface
0x01, // bInterfaceClass -> 0x01 = 1 = AUDIO
0x02, // bInterfaceSubClass -> 0x02 = AUDIO_STREAMING
0x00, // bInterfaceProtocol -> 0x00 = Unused
0x00, // iInterface -> 0x00 = Unused -> Index of string descriptor.
//ID - INTERFACE 2/1 Stream
0x09, // Size : 9 Bytes
0x04, // Interface Descriptor (0x04)
0x02, // bInterfaceNumber -> 0x02 Interface ID = 2
0x01, // bAlternateSetting -> 0x01 = Value used to select this alternate setting for the interface identified in the prior field
0x01, // bNumEndpoints -> 0x01 = 1 -> Number of endpoints used by this interface
0x01, // bInterfaceClass -> 0x01 = 1 = AUDIO
0x02, // bInterfaceSubClass -> 0x02 = AUDIO_STREAMING
0x00, // bInterfaceProtocol -> 0x00 = Unused
0x00, // iInterface -> 0x00 = Unused -> Index of string descriptor.
//ASID - GENERAL
0x07, // Size : 7 Bytes
0x24, // CS_INTERFACE Descriptor Type
0x01, // GENERAL Descriptor
0x06, // bTerminalLink -> 0x06 = The Terminal ID of the Terminal to which the endpoint of this interface is connected = 6
0x01, // bDelay -> 0x01 = Delay (delta) introduced by the data path (see Section 3.4, ?Inter Channel Synchronization? - in Audio Devices). Expressed in number of frames.
0x01,0x00, // wFormatTag -> 0x0001 = PCM
//ASID - FORMAT_TYPE
0x0E, // Size : 14 Bytes
0x24, // CS_INTERFACE Descriptor Type
0x02, // bDescriptorSubtype -> 0x02 = FORMAT_TYPE
0x01, // bFormatType -> 0x01 = FORMAT_TYPE_I -> ref: A.1.1 Audio Data Format Type I Codes -> Audio Data Format Dok
0x02, // bNrChannels -> 0x02 = Two channels
0x02, // bSubFrameSize -> 0x02 = 2 bytes pr audio subframe
//0x03, // bSubFrameSize -> 0x03 = 3 bytes pr audio subframe
0x10, // bBitResolution -> 0x10 = 16 bit pr sample
//0x18, // bBitResolution -> 0x18 = 24 bit pr sample
0x02, // bSamFreqType -> 0x02 = 2 sample frequencies supported
0x80,0xBB,0x00, // tSamFreq -> 0xBB80 = 48000 Hz
0x00,0x7D,0x00, // tSamFreq -> 0x7D00 = 32000 Hz
//0x44,0xAC,0x00, // 44100 Hz
//ED - ENDPOINT IN
0x09, // Size : 9 Bytes
0x05, // 0x05 -> ENDPOINT Descriptor Type
0x82, // bEndpointAddress -> 0x82 = adress 2, IN, -> ref 9.6.6 Endpoint -> usb_20 Dok
0x05, // bmAttributes -> 0b00000101 -> Bits 0-1 = 01 = Isochronous , Bits 2-3 = 01 = Asynchronous
AUDIO_MAX_SAMPLES * (sizeof ( AUDIO_PLAY_SAMPLE )), 0x00, // wMaxPacketSize -> 48 * 4 = 0x0030 :Maximum packet size this endpoint is capable of sending or receiving when this configuration is selected.
//0x20,0x01,
0x01, // bInterval -> 0x01 = 1 millisecond
0x00, // bRefresh -> ??
0x00, // bSynchAddress -> ??
//CSED - CS ENDPOINT
0x07, // Size : 7 Bytes
0x25, // bDescriptorType -> 0x25 = CS_ENDPOINT
0x01, // bDescriptorSubtype -> 0x01 = GENERAL
0x01, // bmAttributes -> 0b00000001 = Bit 1 = 1 => Sample Freq Control is supported by this endpoint
0x00, // bLockDelayUnits -> 0x00 = Indicates the units used for the wLockDelay field: 0 = Undefined
0x00,0x00, // the time it takes this endpoint to reliably lock its internal clock recovery circuitry
};

So i solved my question!
As chris commented, i had to implement some sort of control, into the control interface. First i added two Feature units, as seen on the picture. I implemented made then support no controls, by setting:
bmaControls(1) = 0x00 // No control support
This cause windows to install the device driver properly, but i still couldn't see the microphone in "Recording Devices" in the sound settings.
The i implemented Mute control, by changing the control parameter to:
bmaControls(1) = 0x01 // Mute support
Now i could see the microphone in the settings, but the gain was different from what i expected. Then i changed the controls to Volume control, by changing the control parameter to:
bmaControls(1) = 0x02 // Volume support
This made the microphone work as i expected...
Thanks Chris!

Why a ACR38U-CCID always return 0x6e 0x00?

Am working on a project to read from and write data to smart cards. The Card Reader am using is ACR38U-H1 from ACS. Following their APDU commands, I have being able to get access to the card and read some data. But am suspecting that I still have not being able to read the exact data inside, because always I get a response to the command APDU 0x6e 0x00, 0x00 instead of0x90 0x00.
What am I doing wrong?
Maybe the problem is in the smart card?
Python code:
#! /usr/bin/env python
from smartcard.scard import *
import smartcard.util
SELECT = [
#0xA0, 0xA4, 0x00, 0x00, 0x02, 0x3F, 0x00
0XFF, 0xA4, 0x00, 0x00, 0x01, 0x05
]
COMMAND = [
0x00, 0xC0, 0x00, 0x00, 0x00, 0x0B
]
try:
hresult, hcontext = SCardEstablishContext(SCARD_SCOPE_USER)
if hresult != SCARD_S_SUCCESS:
raise Exception('Failed to establish context : ' +
SCardGetErrorMessage(hresult))
print 'Context established!'
try:
hresult, readers = SCardListReaders(hcontext, [])
if hresult != SCARD_S_SUCCESS:
raise Exception('Failed to list readers: ' +
SCardGetErrorMessage(hresult))
print 'PCSC Readers:', readers
if len(readers) < 1:
raise Exception('No smart card readers')
reader = readers[0]
print "Using reader:", reader
try:
hresult, hcard, dwActiveProtocol = SCardConnect(hcontext, reader,
SCARD_SHARE_SHARED, SCARD_PROTOCOL_T1 | SCARD_PROTOCOL_T1)
if hresult != SCARD_S_SUCCESS:
raise Exception('Unable to connect: ' +
SCardGetErrorMessage(hresult))
print 'Connected with active protocol', dwActiveProtocol
try:
hresult, response = SCardTransmit(hcard, dwActiveProtocol,
SELECT)
if hresult != SCARD_S_SUCCESS:
raise Exception('Failed to transmit: ' +
SCardGetErrorMessage(hresult))
print 'Select: ' + smartcard.util.toHexString(response,
smartcard.util.HEX)
#==========================================================================
hresult, response = SCardTransmit(hcard, dwActiveProtocol,
COMMAND)
if hresult != SCARD_S_SUCCESS:
raise Exception('Failed to transmit: ' +
SCardGetErrorMessage(hresult))
print 'Command: ' + smartcard.util.toHexString(response,
smartcard.util.HEX)
# =========================================================================
finally:
hresult = SCardDisconnect(hcard, SCARD_UNPOWER_CARD)
if hresult != SCARD_S_SUCCESS:
raise Exception('Failed to disconnect: ' +
SCardGetErrorMessage(hresult))
print 'Disconnected'
except Exception, message:
print "Exception:", message
finally:
hresult = SCardReleaseContext(hcontext)
if hresult != SCARD_S_SUCCESS:
raise Exception('Failed to release context: ' +
SCardGetErrorMessage(hresult))
print 'Released context.'
except Exception, message:
print "Exception:", message
Result of this code:
Context established!
PCSC Readers: ['ACS ACR38U-CCID 00 00']
Using reader: ACS ACR38U-CCID 00 00
Connected with active protocol 2
Select: 0x6E 0x00
Command: 0x67 0x00
Disconnected
Released context.
Result of open-tool:
[17:06:00]:~$ opensc-tool -s ff:a4:00:00:01:05
Using reader with a card: ACS ACR38U-CCID 00 00
Sending: FF A4 00 00 01 05
Received (SW1=0x6E, SW2=0x00)

You are using SELECT_CARD_TYPE APDU command (0xFF00000101) which is meant to be used with I2C memory cards (up to 16 kilobits specifically) -- see section 9.3.1.1 in the reader reference manual.
This SELECT_CARD_TYPE command (having CLA set to 0xFF) is not addressed to the card but to the reader (which refuses it as the card does not use I2C).
Your card is a microprocessor card speaking T=1 protocol so you need to use "normal" ISO 7816 APDUs -- which ones should be specified in your card documentation.
Nevertheless there is a script for Smart Card Shell 3 tool which seems to read (and in a limited way emulate) FOMS card (I have not tried).
Given the script source it seems that card supports standard ISO 7816-4 SELECT and READ_BINARY APDU commands which are used behind new CardFile() and CardFile.readBinary().
Good luck!
Disclaimer: I have worked neither with any FOMS card nor with the scsh3 tool.

SELECT = [
#0xA0, 0xA4, 0x00, 0x00, 0x02, 0x3F, 0x00
0XFF, 0xA4, 0x00, 0x00, 0x01, 0x05
]
Here it seems you are trying to select MF ( AID = 3F00 on commented # command) OR Command seems wrong because no AID is of 1 byte length , Please check your command
0XFF, 0xA4, 0x00, 0x00, 0x01, 0x05 // check it.
and getting 6E 00 Class not supported
Your other command is C0 - GET RESPONSE,
COMMAND = [
0x00, 0xC0, 0x00, 0x00, 0x00, 0x0B
]
This command is used to get the response from the card of length specified by previous command having return code like - 61 XX and APDU sequence should like
CLASS, INS, P1, P2, Le //please check your Get Response command
Here Get Response giving 6700 , it seems correct because previous command is failed already and card does not have nothing to return to it so unable to return Le data ( 0x0B - Suppose it is your Le)
I suggest , understand your card well before firing any command, seems it is a proprietary card so you should know the file structure/CLASS byte USED before sending command, when you shoot with correct CLA value, hope you will not get - CLA not supported error.
Hope this information helps to identify the problem.