Wednesday, October 8, 2014

CCID USB spy using Wireshark

Sometimes you need to know exactly what is happening at the USB level. You have two options:
  • use a hardware USB analyzer
  • use a software USB analyzer
Since I do not have the budget to buy a hardware USB monitor I will use the software solution.


For some time now, it has been possible to use the wonderful Wireshark program to display and analyze USB frames. Wireshark is mainly used for analyzing network packets, but it can also display USB packets. Wireshark is even able to display the CCID commands inside the USB packets.


Documentation is available at USB capture setup and also at Capturing USB data through Wireshark.
This article describes what I did.

Set up the kernel

You first need to load the usbmon kernel module.

$ sudo modprobe usbmon

tshark (a command line tool) should now be able to capture on usbmon interfaces. Check it using:
$ tshark -D
1. eth0
2. any
3. lo (Loopback)
4. nflog
5. nfqueue
6. usbmon1
7. usbmon2

In my case I have 2 USB buses labeled usbmon1 and usbmon2.

Capture the USB frames

Before capturing the USB frames you need to know which USB bus your device is connected to.

Identify the device USB bus

$ lsusb 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 004: ID 08e6:3437 Gemplus GemPC Twin SmartCard Reader
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

In my case the device I want to study is on bus 002 so I will use usbmon2.

Start the capture

$ tshark -i usbmon2 -w trace1.pcap
Capturing on 'usbmon2'
tshark: The capture session could not be initiated on interface 'usbmon2' (Can't open USB bus file /sys/kernel/debug/usb/usbmon/2t: Permission denied).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

For security reasons tshark refuses to be run as root. So I needed to change some file access rights.

$ sudo chmod +rx /sys/kernel/debug/
$ sudo chmod a+rw /sys/kernel/debug/usb/usbmon/2t

Then (re)start tshark and use Ctrl-C to stop after some traffic has been captured.
$ tshark -i usbmon2 -w trace1.pcap
Capturing on 'usbmon2'
1270 tshark: Can't get packet-drop statistics: Can't open USB stats file /sys/kernel/debug/usb/usbmon/2s: Permission denied
Please report this to the Wireshark developers.
(This is not a crash; please do not report it as such.)

Capture analysis

The file trace1.pcap contains the USB frames and can be displayed using the graphical interface of Wireshark.

Enable the CCID decoder

Unless you can read the CCID protocol from hexadecimal, it is a good idea to tell Wireshark to decode the USB frames as USBCCID.
Go to the menu "Analyze" -> "Decode as..." and select USBCCID in the dialog.

Wireshark will then display the USB frames with nice CCID names:

Here you can see a CCID Power On command.
  • The command name is displayed in the top window: "Packet - PC to Reader: ICC Power On"
  • And the content of the command (the last 10 bytes, specific to CCID) is documented in the lower window: "Message Type: PC_to_RDR_IccPowerOn (0x62)", etc.
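The 10 CCID bytes mentioned above follow a fixed layout that can also be decoded by hand. This is an added example, not code from Wireshark or from this article; it assumes one complete CCID bulk message per input string, and the sample bytes are constructed.

```javascript
// Added example: decode the 10-byte header of a CCID bulk message.
// Message type values come from the USB CCID specification.
const CCID_TYPES = {
    0x61: 'PC_to_RDR_SetParameters', 0x62: 'PC_to_RDR_IccPowerOn',
    0x63: 'PC_to_RDR_IccPowerOff',   0x65: 'PC_to_RDR_GetSlotStatus',
    0x6B: 'PC_to_RDR_Escape',        0x6C: 'PC_to_RDR_GetParameters',
    0x6F: 'PC_to_RDR_XfrBlock',      0x80: 'RDR_to_PC_DataBlock',
    0x81: 'RDR_to_PC_SlotStatus',    0x82: 'RDR_to_PC_Parameters',
    0x83: 'RDR_to_PC_Escape'
};

// hex: one complete CCID message, bytes separated by spaces, colons or nothing
function parseCcid(hex) {
    const buf = Buffer.from(hex.replace(/[\s:]/g, ''), 'hex');
    if (buf.length < 10) {
        throw new Error('CCID header is 10 bytes, got ' + buf.length);
    }
    const type = buf[0];
    const length = buf.readUInt32LE(1);           // dwLength, little-endian
    if (buf.length !== 10 + length) {
        throw new Error('dwLength is ' + length + ', payload is ' +
                        (buf.length - 10) + ' bytes');
    }
    const msg = {
        type: CCID_TYPES[type] || 'unknown (0x' + type.toString(16) + ')',
        direction: type >= 0x80 ? 'Reader to PC' : 'PC to Reader',
        length: length,
        slot: buf[5],                             // bSlot
        seq: buf[6],                              // bSeq
        data: buf.slice(10)                       // abData, e.g. ATR or APDU
    };
    if (type >= 0x80) {
        // Responses carry bStatus and bError after bSeq
        msg.iccStatus = buf[7] & 0x03;            // 0 = card present and active
        msg.commandFailed = (buf[7] & 0xC0) === 0x40;
        msg.error = buf[8];
    } else {
        msg.specific = buf.slice(7, 10);          // IccPowerOn: bPowerSelect + RFU
    }
    return msg;
}

// Constructed sample bytes (not copied from the capture in this article)
const powerOn = parseCcid('62 00 00 00 00 00 01 00 00 00');
const answer = parseCcid('80 02 00 00 00 00 01 00 00 00 3b 00');
console.log(powerOn.direction + ':', powerOn.type, 'seq', powerOn.seq);
console.log(answer.direction + ':', answer.type, 'data', answer.data.toString('hex'));
```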

I do not expect everyone to use Wireshark to look at CCID frames. But if you have a problem with a CCID reader and want to know exactly what is happening, Wireshark can help you for a very, very limited budget (Wireshark is free software under the GNU GPL v2 license).

This blog article is also a way for me to document how to do it for the next time :-)


Wireshark is a great tool.
Linux is a great kernel.
Debian GNU/Linux is a great operating system.

Wednesday, September 24, 2014

PCSC sample in JavaScript (Node.js)

To continue the list of PC/SC wrappers initiated more than four years ago with "PC/SC sample in different languages" I now present a PC/SC sample written in JavaScript using Node.js.

node-pcsclite project

The node-pcsclite project is hosted at GitHub and is quite active. Support of Windows is not yet available. Support of Mac OS X is now correct after I proposed some patches.

The installation on a Debian unstable or testing (Jessie) system is easy. Just follow the project documentation. Debian stable (Wheezy) does not have the nodejs packages but these packages are available in wheezy-backports.

One potential problem is that the Node.js binary is called nodejs on Debian to avoid a conflict with another node binary. To have a node binary corresponding to Node.js you need to install the Debian package nodejs-legacy. It is not difficult but may be the source of some difficulties at the beginning.

PC/SC accesses from node-pcsclite

The wrapper provides access to the following PC/SC functions:
  • connect
  • disconnect
  • transmit
  • control

A reader event (reader removed) is reported as an event.

The card status change is reported as an event.

The reconnect function is missing. Bug #10 is open requesting its addition.

Sample source code

#!/usr/bin/env node

var pcsc = require('./lib/pcsclite');

var pcsc = pcsc();

pcsc.on('reader', function(reader) {

    // Clean up so that no callback is left waiting and the program can end
    function exit() {
        reader.close();
        pcsc.close();
    }

    // SELECT by AID, then the applet command
    // (on current Node.js versions use Buffer.from() instead of new Buffer())
    var cmd_select = new Buffer([0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01]);
    var cmd_command = new Buffer([0x00, 0x00, 0x00, 0x00]);

    console.log('Using:', reader.name);

    reader.connect(function(err, protocol) {
        if (err) {
            console.log(err);
            return exit();
        }
        reader.transmit(cmd_select, 255, protocol, function(err, data) {
            if (err) {
                console.log(err);
                return exit();
            }
            console.log('Data received', data);
            reader.transmit(cmd_command, 255, protocol, function(err, data) {
                if (err) {
                    console.log(err);
                } else {
                    console.log('Data received', data);
                    console.log('Data received', data.toString());
                }
                return exit();
            });
        });
    });
});

pcsc.on('error', function(err) {
    console.log('PCSC error', err.message);
});


Node.js is an asynchronous framework. So a typical Node.js design pattern is to use a call-back instead of blocking the execution of a function.

The code can be complex to follow since you have a cascade of call-backs if you need to send a sequence of APDUs. In the sample we only need to send 2 consecutive APDUs.

The program is not sequential but event based. So without the explicit exit after 1 second the program never terminates and you need to stop it using Control-C. It is strange for me.


Using: Gemalto PC Twin Reader 00 00
Data received <SlowBuffer 90 00>
Data received <SlowBuffer 48 65 6c 6c 6f 20 77 6f 72 6c 64 21 90 00>
Data received Hello world!�
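One way to keep a longer APDU sequence readable is to drive it from a list and to separate the status word (the trailing 90 00 visible in the output above) from the data. This is an added example, not code from node-pcsclite or from the original sample; transmitAll, splitResponse and makeFakeReader are hypothetical names, and the fake reader is a constructed stand-in that only mimics the transmit(data, resLen, protocol, callback) call used in the sample.

```javascript
// Added example: send APDUs in order without nesting one callback per APDU.
// transmitAll, splitResponse, makeFakeReader: illustrative names, not library API.

// Split a response APDU into its data and its status word (SW1 SW2).
function splitResponse(resp) {
    return {
        data: resp.slice(0, resp.length - 2),
        sw: resp.readUInt16BE(resp.length - 2)
    };
}

// Send each APDU; stop at the first error or status word other than 0x9000.
function transmitAll(reader, protocol, apdus, done) {
    const results = [];
    (function next(i) {
        if (i === apdus.length) {
            return done(null, results);
        }
        reader.transmit(apdus[i], 255, protocol, function (err, resp) {
            if (err || resp.length < 2) {
                return done(err || new Error('response too short'), results);
            }
            const r = splitResponse(resp);
            results.push(r);
            if (r.sw !== 0x9000) {
                return done(new Error('APDU ' + i + ': SW=' + r.sw.toString(16)), results);
            }
            next(i + 1);
        });
    })(0);
}

// Constructed stand-in for a reader: replays canned responses (hex strings)
function makeFakeReader(replies) {
    const queue = replies.slice();
    return {
        transmit: function (apdu, resLen, protocol, cb) {
            setImmediate(cb, null, Buffer.from(queue.shift(), 'hex'));
        }
    };
}

// The two APDUs of the sample and the responses shown in its output
const cmds = ['00a404000aa00000006203010c0601', '00000000']
    .map(function (h) { return Buffer.from(h, 'hex'); });
const reader = makeFakeReader(['9000', '48656c6c6f20776f726c64219000']);
transmitAll(reader, 1, cmds, function (err, results) {  // protocol ignored by the fake
    console.log(err ? err.message : results[1].data.toString());
});
```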

Similar projects

Two other similar projects can also be found at GitHub. They both have the same name, node-pcsc, but are not the same project:

coolbong node-pcsc

The node-pcsc interface from coolbong uses a synchronous API so no call-backs are involved for PC/SC calls. You can send a sequence of APDUs as you would do in C.

This wrapper is for Windows only and needs some work to port it to Unix. I opened a bug #1 requesting Unix support.

jokesterfr node-pcsc

This wrapper is not yet able to send arbitrary APDU to a card. It looks like a work in progress that stopped in November 2013.


If you want to use a smart card from a JavaScript program using Node.js the best choice may be the node-pcsclite project. The project maintainer is nice and responsive.

If you know a PC/SC wrapper that is not yet in my list then please contact me.

Edit, October 3rd 2014

After discussing with Santiago Gimeno (node-pcsclite author) and fixing Mac OS X bugs in node-pcsclite I modified the sample source code to add the clean up exit() function and exit properly from the program when no more callbacks are waiting.

New version of pcsc-lite: 1.8.12

I just released a new version of pcsc-lite 1.8.12.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

pcsc-lite-1.8.12: Ludovic Rousseau
24 September 2014
  • make hotplug using libudev (default) more robust
  • add ReiserFS file system support (for configuration files)
  • add musl libC support (increase the thread stack)
  • Some other minor improvements and bug corrections

Saturday, September 20, 2014

Open Silicium No. 12 on newsstands!

The latest issue (Sept., Oct., Nov. 2014) of the French magazine Open Silicium has NFC as its main topic.

If you can read French and you are interested in NFC it is a good read.

Table of contents

Sorry, it is in French.

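Au sommaire du magazine (in this issue of the magazine):


4 La plateforme de développement mbed (The mbed development platform)

En couverture (Cover story)

9 Un système RFID/NFC pour notre GNU/Linux (An RFID/NFC system for our GNU/Linux)
14 Utilisation et manipulation des tags Mifare Classic (Using and manipulating Mifare Classic tags)
24 Pour explorer, utilisons Python ! (To explore, let's use Python!)
26 Mifare DESFire : un niveau de sécurité adapté (Mifare DESFire: an appropriate level of security)
34 RFID : Quelques applications intéressantes pour Android (RFID: some interesting applications for Android)


39 Visualisation temps réel de trafic avec Python et l'API Google Analytics (Real-time traffic visualization with Python and the Google Analytics API)

Mobilité & téléphonie (Mobility & telephony)

46 Applications connectées en 3G : pourquoi la ressource radio impacte tant votre batterie (3G connected applications: why the radio resource has such an impact on your battery)
52 Google Projet Ara : Votre smartphone (Android) sur mesure ! (Google Project Ara: your custom-made (Android) smartphone!)


59 Reconstruction de structures tridimensionnelles par photographies : le logiciel MicMac (Reconstructing three-dimensional structures from photographs: the MicMac software)

Code & développement (Code & development)

80 Le bootloader DFU des STM32 (The STM32 DFU bootloader)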

Saturday, September 13, 2014

New version of libccid: 1.4.18

I just released version 1.4.18 of libccid, the free software CCID class smart card reader driver.

1.4.18 - 13 September 2014, Ludovic Rousseau
  • Add support of
    • Cherry Cherry TC 1100
    • Cherry Smart Card Reader USB
    • Cherry Smartcard Keyboard G87-1xx44
    • FujitsuTechnologySolutions GmbH Keyboard KB SCR2
    • Lenovo Lenovo USB Smartcard Keyboard
    • Yubico Yubikey NEO OTP+U2F+CCID
    • Yubico Yubikey NEO U2F+CCID
    • eID_R6 001 X8
  • fix support of Omnikey CardMan 3121
  • reduce memory consumed when configured with --enable-embedded
  • prepare the port to UEFI

New version of pcsc-tools: 1.4.23

I just released a new version of pcsc-tools, a suite of tools for PC/SC.
The only change is the update of the ATR list.

1.4.23 - 13 September 2014, Ludovic ROUSSEAU
  • 137 new ATRs

Wednesday, July 30, 2014

PySCard: unofficial version 1.6.16 available

I already presented PySCard in "PCSC sample in Python" (April 2010). PySCard is a Python wrapper for PC/SC.


Unfortunately since that time the PySCard software has never seen a new official release, even after I committed many changes upstream.
  • The latest official version is 1.6.12 from August 2010.
  • The version 1.6.14 was planned but not released.
  • The 1.6.16 version is planned but not yet released.

New version

To be able to build PySCard on Mac OS X 10.9 you need to use a version more recent than 1.6.12. That is why I now provide a snapshot of version 1.6.16 at "Beta versions".

I provide 2 files:

Mac OS X installation

The binary "installer" is provided so that you do not have to rebuild the source code yourself. To install it just do:
$ cd /
$ sudo tar xzvf [...]/pyscard-1.6.16.macosx-10.9-intel.tar.gz


I hope Jean-Daniel Aussel (upstream maintainer of PySCard) will have some time and motivation to publish an official new version of PySCard.