I am trying to access my applet using the NFC interface of my mobile phone. I have two questions.
Consider I have a mobile phone with SWP connected to the SIM card. What are the necessary steps to do to enable applet selection and interaction through NFC port?
Is that enough just to set the system parameters to ISD while installing the applet? (install[for install and make selectable])
What is wrong with APDUs I send to the card while installing the applet? below are the steps I do to install the formerly loaded cap file:
INITIALIZE UPDATE
EXTERNAL AUTHENTICATION
Sending install[for install and make selectable] APDUs as scenarios below:
If I send install APDU without system parameters:
<< 80 E6 0C 00 25 07 E0 E1 E2 E3 E4 E5 01 08 E0 E1 E2 E3 E4 E5 01 02 08 E0 E1 E2 E3 E4 E5 01 02 01 00 07 C9 05 08 31 32 33 34 00 00
>> 00 90 00
applet is successfully installed with application parameters set in the APDU.
The problem is when I try to set system parameters for contactless communication. After INITIALIZE UPDATE and EXTERNAL AUTHENTICATION I send:
<< 80 E6 0C 00 2D 07 E0 E1 E2 E3 E4 E5 01 08 E0 E1 E2 E3 E4 E5 01 02 08 E0 E1 E2 E3 E4 E5 01 02 01 00 10 EF 07 A0 05 A5 03 82 01 FF C9 05 08 31 32 33 34 00 00
>> 6A 80
same result is obtained if I remove application parameters.
What's wrong with my system parameters? each time I try to set contactless parameters, I get 6A 80 (wrong data) status code.
Can anyone please help me to fix this?
Related
I'm currently working on old system that uses RDP. According to 4.1.4 Server MCS Connect Response PDU with GCC Conference Create Response described in [MS-RDPBCGR], packet is containing modulus, which should be part of RSA key. And I need to know where this came from because I need to decrypt some RDP packets stored as log.
First thing I've done is looking up certificates by using mmc. But there was no certificate matching with modulus. Even if I issued new self-signed certificate, there was no luck. Modulus is not changing by it.
More specifically, this is response packet from testing server(VM) containing modulus.
0000: 03 00 02 15 02 f0 80 7f 66 82 02 09 0a 01 00 02 | ......f......
0016: 01 00 30 1a 02 01 22 02 01 03 02 01 00 02 01 01 | ..0...".........
0032: 02 01 00 02 01 01 02 03 00 ff f8 02 01 02 04 82 | .............
0048: 01 e3 00 05 00 14 7c 00 01 2a 14 76 0a 01 01 00 | .....|..*.v....
0064: 01 c0 00 4d 63 44 6e 81 cc 01 0c 10 00 0c 00 08 | ..McDn.......
0080: 00 00 00 00 00 04 00 00 00 03 0c 10 00 eb 03 04 | ...............
0096: 00 ec 03 ed 03 ee 03 ef 03 02 0c ac 01 02 00 00 | ...........
0112: 00 02 00 00 00 20 00 00 00 78 01 00 00 bb e4 de | ..... ...x...
0128: 58 1a 05 8f 26 89 f8 94 0b 88 d4 79 d4 00 ac bf | X..&.y.
0144: e0 07 72 3a e5 9b 17 7f 17 d6 18 92 7f 01 00 00 | .r:........
0160: 00 01 00 00 00 01 00 00 00 06 00 1c 01 52 53 41 | .............RSA
0176: 31 08 01 00 00 00 08 00 00 ff 00 00 00 01 00 01 | 1..............
0192: 00 2d 13 bc 1d a9 5b c8 60 9b be 66 61 ab 09 13 | .-..[`fa..
0208: 4e 0a 1f 64 27 72 df 92 18 42 ea 2c 05 5d 0d a7 | N..d'r..B,.].
0224: f7 06 51 5d 22 2e 4a fa 03 c5 8d 52 47 7c fa 13 | .Q]".J..RG|.
0240: ec dd bb 81 15 50 4b b3 f0 7b e4 75 0e e6 0d b5 | ..PK{u..
0256: ab d2 4a 9c ab f6 8c 83 a3 53 0b 87 b1 07 fc 0f | JS...
0272: 29 12 f4 c8 18 fb 9f 6d 29 10 34 af 34 d0 ca 8d | )..m).44.
0288: 48 a9 2e 9e 85 9a 39 d6 6c be cb f3 36 75 60 a5 | H.9l6u`
0304: 56 a5 a3 f5 b0 6f af c3 8e 5b 03 11 e4 27 27 bf | Vo.[..''
0320: a0 05 51 aa f1 8d 84 11 53 43 59 b8 83 4f f2 2d | .Q.SCYO-
0336: 40 44 b1 f9 5a 5b e6 2d 32 e4 d8 ef 2a 5a f8 01 | #DZ[-2*Z.
0352: 08 7a 68 a0 05 e2 5b fe 50 b5 38 cd a6 f0 ef e0 | .zh.[P8.
0368: c4 6f 4e f3 f1 9d 0a 89 ce 79 4e 3d 6f e3 a2 b3 | oN.yN=o.
0384: c7 fd dc b2 d8 c6 76 e8 79 67 ca fe 71 5d a5 3d | .vygq]=
0400: d3 40 c4 a4 28 5c 11 b7 2a 51 cd 65 e4 5f fc 2a | #.(\.*Qe_*
0416: bf 4c b1 e0 96 89 05 4b c6 72 1a 62 eb a2 51 0d | L.Kr.bQ.
0432: 45 2f 23 27 67 0e a8 c6 12 ed 81 ee 09 58 10 02 | E/#'g...X..
0448: b2 00 00 00 00 00 00 00 00 08 00 48 00 e9 95 02 | ..........H..
0464: 48 e7 84 d6 fc 60 cd 29 b2 91 7c f4 e8 b4 36 5d | H`)|6]
0480: e5 5e b4 90 d4 d4 5d 6a a1 42 69 c6 4e 5c 87 f2 | ^]jBiN\
0496: 0a cd 86 f5 64 e3 4d 61 60 0a 17 c2 f8 94 93 83 | ..dMa`..
0512: cf 23 7d c4 a3 07 ad f0 b6 bc 1a b1 00 00 00 00 | #}.......
0528: 00 00 00 00 00 | .....
Public exponent is 01 00 01 00, modulus is 2d 13 bc 1d ... 58 10 02 b2 with additional 8 bytes of zero-padding.
After that, if I know what private exponent is, then I can decrypt Client Random and generate session key.
But as I've mentioned, I can't find where modulus is coming from. How can I obtain RSA key(or certificate, so I can use Mimikatz) for it?
Edit
I found there is Proprietary Certificate. It seems this is what I need to find, but I still don't know where it is.
Edit: I came across the Proprietary Certificate, but where is private key?
It was located at registry HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM and is just public key BLOB. Still need to find private key...
Currently I'm looking into registry key Secrets under RCM, but I don't know what are these values right now.
I'm closing this because I found public key BLOB at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Certificate from registry though I don't know what private key is.
I want to build a BLE Beacon with Raspberry Pi Zero W and with an iOS and Android app (which I'll develop) I'll list the beacons and select one to send 4-6bytes of data to trigger some action on the Pi. Is that possible with Beacons or should I use something else. I am writing in Go and I don't want to pair the devices.
Yes, it is possible to make a Raspberry Pi Zero W scan for beacons and take action which identifier it saw. (Although please note that this must be a Zero W. The base Raspberry Pi Zero does not have wireless functionality.)
You won't find beacon detection code in Go on the Raspberry Pi, so your best bet is to use a native C program to do the beacon scanning part, and call it as a shell script from your Go program. The following C program is one I use on a Raspberry Pi to scan for beacons:
https://gist.github.com/davidgyoung/0a18028b4338ff6cb201fba274502662
That program must be compiled on the Raspberry Pi with cc scanner.c -lbluetooth -o scanner, after which you can start the scanner with just scanner. The output of the program will be something like this:
B8:27:EB:1F:93:4D -68 02 01 06 11 06 82 75 25 D9 37 9D D7 8F 5F 4A F4 20 00 00 75 30
71:5C:23:9D:BC:7F -68 02 01 1A 02 0A 0C 0B FF 4C 00 10 06 03 1A 3B D4 B2 EB
B8:27:EB:1F:93:4D -68 02 01 06 11 06 82 75 25 D9 37 9D D7 8F 5F 4A F4 20 00 00 75 30
4A:53:7F:64:71:EC -91 03 03 9F FE 17 16 9F FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
69:0D:FF:7B:75:65 -73 02 01 1A 02 0A 0C 0A FF 4C 00 10 05 03 1C 27 BB 63
61:39:71:E9:1D:C9 -93 02 01 1A 02 0A 18 0A FF 4C 00 10 05 01 18 3B 24 12
B8:27:EB:1F:93:4D -68 02 01 06 11 06 82 75 25 D9 37 9D D7 8F 5F 4A F4 20 00 00 75 30
Each line above shows the MAC address of the detected bluetooth device, followed by the signal strength RSSI, then the hex bytes of the advertisement.
Your Go program will need to read each line of the output of scanner then parse the bytes of the advertisement to look for beacon patterns to perform various functions when it sees a packet with a certain byte pattern (indicating that a mobile phone sent out that packet.)
I can't finish the authentication phase.
What I am using:
SAM module by NXP
Mifare Desfire PICC
I am following the next steps:
Get PICC SerialNumber (or UID) with GetVersion.
GET VERSION:
Tx: 90 60 00 00 00
Rx: 04 01 01 00 02 18 05 91 AF
GET VERSION 2:
Tx: 90 AF 00 00 00 00
Rx: 04 01 01 00 06 18 05 91 AF
GET VERSION 3:
Tx: 90 AF 00 00 00 00
Rx: 04 65 41 49 65 1B 80 8E 65 58 51 30 46 07 91 00
Get encrypted(RndB) from PICC.
Tx: 90 0A 00 00 01 00 00
Rx: 31 15 1A 19 DB ED CD 5A 91 AF
Send to SAM PICC_SN + ek(RndB).
Tx: 80 41 01 03 0F 80 1B 65 49 41 65 04 31 15 1A 19 DB ED CD 5A
Rx: 61 20
Get from SAM encrypted(RndA + RndB_rotated) + 1st half Session Key
Tx: 00 C0 00 00 20
Rx: F3 10 55 B1 D3 18 91 5B 92 48 16 1F E1 58 D5 CB E9 F3 51 04 41 8A 4E A5 A2 B5 67 CA FF D8 D2 35 90 00
Send PICC encrypted(RndA + RndB_rotated).
Tx: 90 AF 00 00 10 F3 10 55 B1 D3 18 91 5B 92 48 16 1F E1 58 D5 CB 00
Rx: 91 AE
So, this is a guide I have received from my suplier, and i don't have explanations about the apdus used; some i have found them on the internet, some others i guessed.
What I need to know is what does the next command i use:
to SAM module: 80 41 01 03 Lc Data
I need to know what encryption it deploys, why it needs PICC's UID (is this the IV), how can i know RndB, and what is expecting the PICC to end the authentication.
Thanks
Pd: Sorry for the text's format, it seems I'm unable to use correctly the tools for posting, everything gets in the same line it's disgusting...
I solved the problem and finished authentication.
The error was that i was requesting RndB encrypted with keyNo = 0, while corresponding key from SAM's key encryption should be keyNo = 2.
So:
--> 90 0A 00 00 01 02 00
<-- 91 B6 08 CE 9F B5 34 3B 91 AF
Carrying on, i finnish authentication:
--> 90 AF 00 00 10 0F DC FA B6 37 5F 30 34 D7 93 2D A1 3D D6 11 10 00
<-- E9 C2 F2 69 FE 38 78 28 91 00
But now I have the next problem. I've authenticated and I can read PICC's data but i'm afraid it's encrypted. I suppose it is encrypted with session key, so I need some apdu command to be sent to SAM, with data and session key, in order to decrypt data retrieved from PICC.
Am I right? if that is... which would be that SAM APDU?
I am getting started with a PN532 NFC module recently. I can successfully read/write M1 and S50 cards.
Now I am trying to learn how to use P2P communication. However,
when I send a TgInitAsTarget command to the PN532 (ELEHOUSE module), I receive an ACK frame, but I never receive the normal information frame that should follow afterwards.
Here are my steps:
Get PN532 into target mode by sending TgInitAsTarget command:
TgInitAsTarget:
{ 00 00 ff 0x27 0xd9
d4 8c 04
08 00 12 34 56 40
01 fe a2 a3 a4 a5 a6 a7 c0 c1 c2 c3 c4 c5 c6 c7 ff ff
aa 99 88 77 66 55 44 33 22 11
00
00
fd 00 }
Get a second PN532 into initiator mode by sending InJumpForDEP command:
InJumpForDEP:
{ 00 00 ff 0a f6
d4 56 01 02
01 00 ff ff 00 00
d4 00 }
Put the initiator above the target.
When I read the information received from the target through UART, I get the following:
target->pc:
{ 01
00 00 ff 00 ff 00 }
This seems to be an ACK frame indicating that the TgInitAsTarget command was processed correctly. But afterwards the PN532 does not send the normal information frame containing the result of the TgInitAsTarget command and the target is always in busy state.
What is going wrong here?
Several things seem to be wrong with your commands.
First of all, the InJumpForDEP command seems to be malformed. That command decodes to the following:
d4 56 InJumpForDEP
01 ActPass = Active Mode
02 Baud Rate = 424 kbps
01 Next = NFCID3i
00 ff ff 00 00 NFCID3i ? (HERE is the problem)
The NFCID3i field of that command is not valid. An NFCID3i must consist of 10 bytes (e.g. 11 22 33 44 55 66 77 88 99 AA). The easiest way would be to let the PN532 automatically generate a random NFCID3i by not specifying an NFCID3i field at all:
d4 56 InJumpForDEP
01 ActPass = Active Mode
02 Baud Rate = 424 kbps
00 Next = none
Note that length field and checksum of the command frame need to be adapted accordingly.
The initiator is polling in active mode at baud rate 424 kbps. However, with your TgInitAsTarget command, you instruct the target to listen in PICC mode only:
d4 8c TgInitAsTarget
04 Mode = PICC only ! (HERE is the problem)
08 00 12 34 56 40 MifareParams
01 fe a2 a3 a4 a5 a6 a7 c0 c1 c2 c3 c4 c5 c6 c7 ff ff FelicaParams
aa 99 88 77 66 55 44 33 22 11 NFCID3t
00 no Gt
00 no Tk
Consequently, the target will only operate as ISO/IEC 14443-4 PICC (which is similar to passive mode at 106 kbps). Therefore, the initiator and the target are configured to speak two completely different protocols and, hence, do not understand each other. As a result, the PN532 in target mode will never be invoked by the PN532 in initiator mode and will, consequently, never return from the TgInitAsTarget command.
In order to configure the target in a way that is compatible to your initiator configuration, you could use this:
d4 8c TgInitAsTarget
02 Mode = DEP only
08 00 12 34 56 40 MifareParams (not used in active mode)
01 fe a2 a3 a4 a5 a6 a7 c0 c1 c2 c3 c4 c5 c6 c7 ff ff FelicaParams (not used in active mode)
aa 99 88 77 66 55 44 33 22 11 NFCID3t
00 no Gt
00 no Tk (not used in active mode)
Finally,I solved the problem, it is a hardware problem ,and i buy new PN532 module. The normal information frame return successfully。 Thanks anyway #Michael Roland .
I have problem with use direct command for mifare 1k via ACR122U. I use original SDK for Windows (including for delphi), and I sent these commands in one session:
FF 00 00 00 means pseudo-apdu. It is used to send direct commands to tag or to device (ACR).
<< FF 00 00 00 02 D4 02 // GET FIRMWARE
>> D5 03 32 01 06 07 90 00
<< FF 00 00 00 03 D4 12 24 // SET PARAMETERS (I want to disable not suported ISO 14443-4)
// (I also tried D2 12 14 without success)
>> D5 13 90 00
<< FF 00 00 00 0F D4 40 01 60 00 FF FF FF FF FF FF xx xx xx xx // auth with key A (tag UID hidden)
>> D5 41 00 90 00 // OK
<< FF 00 00 00 05 D4 40 01 30 00 // direct mifare read (30) block 00
>> D5 41 13 90 00 // ERROR 13 (incorrect value of PCB or PFB, invalid or unexpected received frame, NAD or DID incoherence, bad length of received RF frame).
I cannot read any card (i have three). All cards can be read with command FF B0 00 00 10...
Can you please tell me, what command(s) shall be sent before and after authentification to correctly communicate with the card? Please also send links to specification of commands Read register (D4 06) and write register (D4 08). I don't know what means register "63 05" (D4 06 63 05) for example.
BTW. What mean abbreviations (in context): NAD, DID, PFB, PCB?