
DECIPHERING THE GEMCLUB MEMO SMART CARD

Debian, Red Hat, CentOS and Fedora were used as the test systems.

The card used was still in issue mode. The GemClub memo smart card documentation can be downloaded from the following link: https://jwamicha.wordpress.com/?attachment_id=37

1.) Download JSmartCardExplorer from the following URL: http://sourceforge.net/projec/showfiles.php?group_id=233662

2.) Install pcsc-lite, pcsc-lite-libs and pcsc-lite-tools on your system. The PCSC-Lite homepage can be found on the following link: http://pcsclite.alioth.debian.org/

A list of all smart card ATR (Answer To Reset) responses that can be detected by the drivers can be found inside the smartcard_list.txt file: http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

A list of all USB CCID (Chip/Smart Card Interface Devices) and ICCD (Integrated Circuit(s) Card Devices) smart card readers supported by the pcsc-lite drivers can be found on the following link: http://pcsclite.alioth.debian.org/ccid.html

The Gemalto PC Twin Reader was used for my tests.

The logs below show the Gemalto PC Twin Reader being detected after installation of the pcsc-lite drivers:


Nov 21 14:37:00 localhost pcscd: pcscdaemon.c:464:main() pcsc-lite 1.2.9-beta10 daemon ready.
Nov 21 14:37:01 localhost pcscd: hotplug_libusb.c:406:HPAddHotPluggable() Adding USB device: 002:003
Nov 21 14:37:01 localhost pcscd: readerfactory.c:1098:RFInitializeReader() Attempting startup of Gemplus GemPC Twin 00 00.
Nov 21 14:37:01 localhost pcscd: readerfactory.c:972:RFBindFunctions() Loading IFD Handler 3.0
Nov 21 14:37:01 localhost pcscd: ifdhandler.c:1152:init_driver() LogLevel: 0x0003
Nov 21 14:37:01 localhost pcscd: ifdhandler.c:1162:init_driver() DriverOptions: 0x0000
Nov 21 14:37:01 localhost pcscd: ifdhandler.c:75:IFDHCreateChannelByName() lun: 0, device: usb:08e6/3437:libusb:002:003
Nov 21 14:37:01 localhost pcscd: ccid_usb.c:227:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rousseau@free.fr)
Nov 21 14:37:01 localhost pcscd: ccid_usb.c:237:OpenUSBByName() ProductString: Generic CCID driver v1.2.4
Nov 21 14:37:01 localhost pcscd: ccid_usb.c:243:OpenUSBByName() Copyright: This driver is protected by terms of the GNU General Public License version 2, or (at your option) any later version.
Nov 21 14:37:01 localhost pcscd: ccid_usb.c:391:OpenUSBByName() Found Vendor/Product: 08E6/3437 (Gemplus GemPC Twin)
Nov 21 14:37:01 localhost pcscd: ccid_usb.c:393:OpenUSBByName() Using USB bus/device: 002/003

Ensure the pcscd daemon is running on your system. Additional serial readers can be configured inside /etc/reader.conf.d.

3.) After installation of the pcsc drivers, we shall now use JSmartCardExplorer to examine the Gemplus smart card.

Start up JSmartCardExplorer:

$ java -jar JSmartCardExplorer.jar

4.) Select the protocol type name T0 and connect to the GemClub Memo smart card. The Card ATR field should show 0x3B 0x02 0x53 0x01, which is the ATR of the GemClub Memo smart card.

Our tests may now begin. Page 5 of the manual was used as the reference for the GemClub Memo Card Memory Map Structure, and page 11 as the reference for the Area Access Conditions.

Each memory address on the GemClub Memo smart card stores one WORD. Each word is 4 bytes or 32 bits. When issuing commands to the GemClub Memo smart card, the length byte is the hexadecimal byte count (not the bit or word count), as we shall see below:

6.) Read Manufacturer area: 0x80 0xBE 0x00 0x00 0x04
0xBE is the read instruction, P2 (0x00) is the word address to read from, and 0x04 is the length: one word (4 bytes or 32 bits) starting at word address 0x00. The class byte (0x80) and P1 byte (0x00) could be anything, since the card does not check them. See page 17 of the GemClub Memo Card manual for more details.

We will now continue to read consecutive memory locations from the GemClub Memo card so that a pattern emerges.

7.) Read Issuer area: 0x80 0xBE 0x00 0x01 0x10
Response: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x40

Find out whether the card is in issuer or user mode by reading memory location 0x04: 0x80 0xBE 0x00 0x04 0x04
Response: 0x00 0x00 0x00 0x40

0x40 in binary is 0100 0000. The two leading bits give the card state: 01 means the card is in issuer mode, 10 would mean user mode, and 00 or 11 would mean the card is blocked (see page 7 of the manual).

8.) Read Protected Area: 0x80 0xBE 0x00 0x05 0x04
(Memory address = 0x05)

9.) Read CSC0 Key: 0X80 0XBE 0X00 0X06 0X04
(Memory address = 0x06)

10.) Read CS0 Ratification Counter: 0X80 0XBE 0X00 0X07 0X04

11.) Read CTC1 + CTC1 Backup: 0x80 0xBE 0x00 0x08 0x0C
(0x0C = 12 bytes, i.e. 3 four-byte words/memory locations)

12.) Read Balance1 + Balance1 Backup: 0x80 0xBE 0x00 0x0B 0x14
(0x14 = 20 bytes, i.e. 5 four-byte words/memory locations)

13.) Read User Area 1: 0x80 0xBE 0x00 0x10 0x40
(0x40 = 64 bytes, i.e. 16 four-byte words/memory locations)

14.) Read CTC2 + CTC2 Backup: 0x80 0xBE 0x00 0x20 0x0C

15.) Read Balance2 + Balance2 Backup: 0X80 0XBE 0X00 0X23 0X14

16.) Read User Area 2: 0X80 0XBE 0X00 0X28 0X40

17.) Read CSC1 Key: 0X80 0XBE 0X00 0X38 0X04

18.) Read CS1 Ratification Counter: 0X80 0XBE 0X00 0X39 0X04

19.) Read CSC2 Key: 0x80 0xBE 0x00 0x3B 0x04

20.) Read CS2 Ratification Counter: 0x80 0xBE 0x00 0x3C 0x04

21.) Make the issuer card emulate user mode.

Verify CSC0 Key: 0x00 0x20 0x00 0x07 0x04 0xAA 0xAA 0xAA 0xAA
(0x20 = the verify instruction; P2 = 0x07, the address of the CSC0 Ratification Counter)
(0x04 = length of the data the card should expect, in this case our 4-byte CSC0 key)

Send the card into emulated user mode: 0x00 0x20 0x00 0x3A 0x04 0xAA 0xAA 0xAA 0xAA

Now we will continue to use the card as though we were in user mode.

22.) Read User Area 1: 0X80 0XBE 0X00 0X10 0X40

23.) Write to User Area 1:

Verify CSC1 Key: 0x00 0x20 0x00 0x39 0x04 0x11 0x11 0x11 0x11
(0x39 is the address of the CSC1 Ratification Counter)
(0x04 = length of the data the card should expect, in this case our 4-byte CSC1 key)

Write 4 bytes to User Area 1: 0x80 0xDE 0x00 0x10 0x04 0x22 0x22 0x22 0x22
0xDE = the write instruction
0x10 = first word address of User Area 1
0x04 = length of the data we want to write to the smart card (4 bytes, one word, in this case)
0x22 0x22 0x22 0x22 = the 4 bytes we write to the GemClub smart card

Read User Area 1 to verify our data has been correctly written to the smart card.

24.) Read User Area 2: 0X80 0XBE 0X00 0X28 0X40

25.) Write to User Area 2:

Verify CSC2 Key: 0x00 0x20 0x00 0x3B 0x04 0x22 0x22 0x22 0x22
(0x3B is the address used for CSC2 verification)

Write 4 bytes to User Area 2: 0x80 0xDE 0x00 0x28 0x04 0x33 0x33 0x33 0x33
0x28 = first word address of User Area 2
0x04 = length of the data we want to write to the smart card (4 bytes, one word, in this case)
0x33 0x33 0x33 0x33 = the 4 bytes we write to the GemClub smart card

Read User Area 2 to verify our data has been correctly written to the smart card.
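The read, verify and write commands from steps 6 to 25, and the mode decoding from step 7, collected into one script. This is an added example, not code from the original post or from Gemalto: the word addresses, lengths and key values are the ones used above, while FakeCard is a constructed stand-in so the file runs without a reader (it does not model the real chip's access conditions, ratification counters or the 0x3A mode switch; its status words for a bad key and an unauthorised write are assumptions). Any callable with pyscard's transmit signature, `transmit(apdu) -> (data, sw1, sw2)`, can replace it.

```python
"""GemClub Memo APDU helpers (added example; addresses and keys from the post).

FakeCard is a constructed 64-word stand-in for offline runs. It is not a model
of the real chip: it ignores the 0x3A mode switch and ratification counters.
"""
from typing import Callable, Dict, List, Tuple

WORD = 4           # every GemClub Memo address holds one 32-bit word
OK = (0x90, 0x00)  # ISO 7816 "success" status word

# name -> (first word address, word count), in the order the post reads them
MEMORY_MAP: Dict[str, Tuple[int, int]] = {
    "manufacturer": (0x00, 1), "issuer": (0x01, 4), "protected": (0x05, 1),
    "csc0": (0x06, 1), "csc0_counter": (0x07, 1), "ctc1": (0x08, 3),
    "balance1": (0x0B, 5), "user1": (0x10, 16), "ctc2": (0x20, 3),
    "balance2": (0x23, 5), "user2": (0x28, 16), "csc1": (0x38, 1),
    "csc1_counter": (0x39, 1), "csc2": (0x3B, 1), "csc2_counter": (0x3C, 1),
}

# transmit(apdu) -> (data, sw1, sw2); pyscard's CardConnection.transmit fits
Transmit = Callable[[List[int]], Tuple[List[int], int, int]]


def read_apdu(word_addr: int, words: int) -> List[int]:
    """Read: CLA 80, INS BE, P1 00, P2 = word address, Le = byte count."""
    nbytes = words * WORD
    if not (0 <= word_addr <= 0xFF and 1 <= nbytes <= 0xFF):
        raise ValueError("address or length does not fit a one-byte P2/Le")
    return [0x80, 0xBE, 0x00, word_addr, nbytes]


def write_apdu(word_addr: int, data: bytes) -> List[int]:
    """Write whole words: CLA 80, INS DE, P2 = first word address, Lc = bytes."""
    if not data or len(data) % WORD or len(data) > 0xFF:
        raise ValueError("write a non-empty multiple of 4 bytes")
    return [0x80, 0xDE, 0x00, word_addr, len(data), *data]


def verify_apdu(counter_addr: int, key: bytes) -> List[int]:
    """Verify: INS 20 with P2 = address of the key's ratification counter."""
    if len(key) != WORD:
        raise ValueError("CSC keys are one word (4 bytes)")
    return [0x00, 0x20, 0x00, counter_addr, WORD, *key]


def card_mode(mode_word: bytes) -> str:
    """Decode the two leading bits of word 0x04's last byte (step 7)."""
    bits = (mode_word[-1] >> 6) & 0b11
    return {0b01: "issuer", 0b10: "user"}.get(bits, "blocked")


def dump_map(transmit: Transmit) -> Dict[str, bytes]:
    """Steps 6-20: read every area of the memory map in one pass."""
    out: Dict[str, bytes] = {}
    for name, (addr, words) in MEMORY_MAP.items():
        data, sw1, sw2 = transmit(read_apdu(addr, words))
        if (sw1, sw2) != OK:
            raise RuntimeError(f"{name}: SW {sw1:02X}{sw2:02X}")
        out[name] = bytes(data)
    return out


def write_user_area(transmit: Transmit, area: int, key: bytes, data: bytes) -> bool:
    """Steps 23/25: present CSCn, write at the area's first word, read back."""
    counter = MEMORY_MAP[f"csc{area}_counter"][0]
    addr = MEMORY_MAP[f"user{area}"][0]
    for apdu in (verify_apdu(counter, key), write_apdu(addr, data)):
        _, sw1, sw2 = transmit(apdu)
        if (sw1, sw2) != OK:
            raise RuntimeError(f"INS {apdu[1]:02X} at {apdu[3]:02X}: SW {sw1:02X}{sw2:02X}")
    readback, _, _ = transmit(read_apdu(addr, len(data) // WORD))
    return bytes(readback) == data


class FakeCard:
    """Constructed stand-in: issuer-mode byte and CSC keys as in the post."""

    def __init__(self) -> None:
        self.mem = bytearray(0x40 * WORD)
        self.mem[0x04 * WORD + 3] = 0x40                  # word 0x04: issuer mode
        self.mem[0x06 * WORD:0x07 * WORD] = b"\xaa" * 4   # CSC0
        self.mem[0x38 * WORD:0x39 * WORD] = b"\x11" * 4   # CSC1
        self.mem[0x3B * WORD:0x3C * WORD] = b"\x22" * 4   # CSC2
        self.verified: set = set()

    def transmit(self, apdu: List[int]) -> Tuple[List[int], int, int]:
        ins, p2, lc = apdu[1], apdu[3], apdu[4]
        if ins == 0xBE:
            return list(self.mem[p2 * WORD:p2 * WORD + lc]), 0x90, 0x00
        if ins == 0x20:  # the key word sits just before its counter (06/07, 38/39, 3B/3C)
            if bytes(apdu[5:5 + lc]) != bytes(self.mem[(p2 - 1) * WORD:p2 * WORD]):
                return [], 0x63, 0x00     # assumed "verification failed" status
            self.verified.add(p2)
            return [], 0x90, 0x00
        if ins == 0xDE:  # simplified rule: user1 needs CSC1, user2 needs CSC2
            need = 0x39 if 0x10 <= p2 < 0x20 else 0x3C if 0x28 <= p2 < 0x38 else None
            if need not in self.verified:
                return [], 0x69, 0x82     # assumed "security status not satisfied"
            self.mem[p2 * WORD:p2 * WORD + lc] = bytes(apdu[5:5 + lc])
            return [], 0x90, 0x00
        return [], 0x6D, 0x00             # instruction not supported


if __name__ == "__main__":
    card = FakeCard()
    areas = dump_map(card.transmit)
    print("mode:", card_mode(areas["issuer"][-WORD:]))
    print("user1 write ok:", write_user_area(card.transmit, 1, b"\x11" * 4, b"\x22" * 4))
```

Against a real reader, replace the fake with pyscard: `from smartcard.System import readers`, then `conn = readers()[0].createConnection(); conn.connect()` and pass `conn.transmit` to `dump_map` and `write_user_area`. Note that `write_user_area` raises on a wrong key rather than retrying: on a real card each failed verification moves the ratification counter, so a script should never loop on guesses.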

GemClub Smart Card successfully deciphered.

REFERENCES:

1.) http://www.gemalto.com
2.) http://pcsclite.alioth.debian.org/
3.) http://jveliot.free.fr/blog/wp-content/smartcardpgonlinuxfornewbies.txt
4.) http://cheef.ru/docs/HowTo/APDU.info
5.) http://cheef.ru/docs/HowTo/SW1SW2.info
