Sunday, April 12, 2015

pcsc-lite and CCID driver source code moved from SVN to GIT

The major projects hosted at https://alioth.debian.org/projects/pcsclite/ have moved from SVN (subversion) to GIT as the Version Control System (VCS).

Alioth.debian.org

The new URLs for the source code are:

The source code at the SVN server is still available at https://anonscm.debian.org/viewvc/pcsclite/trunk/ but will not be updated any more.

Github

I also provide a github version of the source code at:

You can use either the alioth or the github server to clone the repositories.

Master repository is alioth

But be careful that they are different repositories. One repo is NOT the mirror of the other repo. They are both handled by hand.

The "official" repository should be the one at alioth.debian.org.

Conclusion

Maybe this change will bring new blood to the development :-)

The real reason for the move is that alioth only provides an ssh access to push code. So it is not possible to work from places where connecting to an Internet server using ssh is not allowed. I should be able to push code to github from anywhere (since github can use https) and then merge it and push it to alioth from more net-friendly places.

Thursday, April 9, 2015

Some PC/SC bugs of Yosemite 10.10 fixed in 10.10.3

The 10.10.3 release of Yosemite solves some (1 - one) of the PC/SC bugs introduced in 10.10 that I reported in "OS X Yosemite and smart cards: known bugs".

I updated the main article with the list and also each individual bug documentation.

Some PC/SC bugs are still present in 10.10.3 but they are "minor".

Wednesday, April 1, 2015

Smart card reader p0rn pictures

Federal Communications Commission

Devices emitting radio frequency signals must be declared to the FCC to be sold in the USA (or something like that). Smart card readers are such devices since they use electricity.

I will let you read the Wikipedia page to learn more about the FCC.

Search engine

The Office of Engineering and Technology (part of the FCC) provides a search engine at Equipment Authorization Search.

Example: Gemalto MESPROXDUB

I searched for all the Gemalto devices. The list contains 381 results.

I found the MESPROXDUB also known as IDBridge CL300 (previously known as Prox-DU) smart card reader. I have it in my own list at Gemalto Prox Dual USB PC Link Reader.

The result of the search is a list:

9 Matches found for FCC ID MESPROXDUB

View Attachment            Exhibit Type              Date Submitted to FCC   Display Type   Date Available
Confidentiality Request    Cover Letter(s)           01/17/2011              pdf            01/17/2011
External Photos            External Photos           01/17/2011              pdf            01/17/2011
Label                      ID Label/Location Info    01/17/2011              pdf            01/17/2011
Internal Photos            Internal Photos           01/17/2011              pdf            01/17/2011
Operational Description    Operational Description   01/17/2011              pdf            01/17/2011
Test Report                Test Report               01/17/2011              pdf            01/17/2011
Test Setup Photos          Test Setup Photos         01/17/2011              pdf            01/17/2011
User Manual - Prox-DU      Users Manual              01/17/2011              pdf            01/17/2011
User Manual - Prox-SU      Users Manual              01/17/2011              pdf            01/17/2011

For a strange reason it is not possible to directly access the referenced PDF documents. If you click on the links in the table above you will get a "You are not authorized to access this page." message. You need to get the documents from the real result page itself.

Pictures

What is interesting for a hardware hacker are the "Internal Photos". This is called "hardware p0rn".

You can search "hardware p0rn" in Google. Maybe some pictures from Google are NSFW. There is also a tumblr dedicated to hardware porn with nice (and safe) pictures.

Pictures of the Gemalto MESPROXDUB

I will not include all the pictures here, just a "best of" selection.


Conclusion

You can also search for "Apple" in the search engine. You will find photos of the inside of the iPhone. But the pictures from iFixit are of a much better quality. I do not know of an equivalent of iFixit for smart card readers.

Friday, March 27, 2015

Gemalto smart card readers

Now that Gemalto bought SafeNet it has become a big company with a lot of different brands.

Some of the brands in the Gemalto group are used by CCID readers listed in the big matrix. I will only talk about CCID compliant readers. So readers produced before the CCID specification was available (around 2001) are not listed here.

Short history of Gemalto mergers and acquisitions

  • 1926: creation of Schlumberger
  • 1988: creation of Gemplus
  • 2001: Schlumberger buys Sema Group plc and becomes SchlumbergerSema
  • 2004: Axalto is a spin-off of SchlumbergerSema
  • 2006: Axalto and Gemalto merge to become Gemalto
  • 2009: Gemalto buys XIRING’s banking activity
  • 2010: SafeNet buys Aladdin
  • 2010: Gemalto buys Todos AB in Sweden
  • 2015: Gemalto buys SafeNet

I only list the mergers and acquisitions related to smart card reader manufacturers.

VendorID

Vendor             VendorID   # of readers
Total                         31
Aladdin            0x0529     1
Axalto             ?          1
Gemalto            0x08E6     17
Gemplus            0x08E6     8
SafeNet            ?          1
SchlumbergerSema   0x0973     1
Todos              0x0B0C     2
Xiring             0x0F14     0

Each USB device is identified by a VendorID.
It looks like Axalto and SafeNet do not have their own VendorID.

Xiring

All the Xiring readers I have in my list are now sold by ingenico Healthcare e-ID (ex Xiring healthcare).
They are available on the ingenico technical support page.

So Gemalto bought XIRING’s banking activity but it looks like this division of Xiring had no CCID reader.

Reader list


Aladdin

  1. eToken PRO USB 72K Java (Aladdin_eToken_PRO_USB_72K_Java.txt)

Axalto

  1. Reflex USB v3 (AxaltoV3.txt)

Note that the VendorID used by this reader is 0x04E6, the VendorID used by SCM (now Identive) for its readers. I guess the reader is an SCM one rebranded as Axalto.

Gemalto

  1. SA .NET Dual (Gemalto_SA_dotNet_Dual.txt)
  2. Ezio Shield Branch Reader (Gemalto_Ezio_Branch.txt)
  3. Ezio Shield (Gemalto_Ezio_Shield_PinPad.txt)
  4. Ezio Shield (Gemalto_Ezio_Shield.txt)
  5. EZIO CB+ (Gemalto_Ezio_CB+.txt)
  6. ING Shield Pro SC (Gemalto_Ezio_Shield_Secure_Channel.txt)
  7. Ezio Shield Pro SC (Gemalto_Ezio_Shield_Pro_SC.txt)
  8. IDBridge CT30 (Gemalto_IDBridge_CT30.txt)
  9. PDT (Gemalto_PDT.txt)
  10. Hybrid Smartcard Reader (Gemalto_HybridSmartcardReader.txt)
  11. IDBridge K30 (Gemalto_IDBridge_K30.txt)
  12. Smart Enterprise Guardian Secure USB Device (GemaltoSmartEnterpriseGuardian.txt)
  13. USB GemPCPinpad SmartCard Reader (GemPCPinpadv2.txt)
  14. IDBridge K3000 (Gemalto_IDBridge_K3000.txt)
  15. Smart Enterprise Guardian Secure USB Device (Gemalto_SG.txt)
  16. Prox Dual USB PC Link Reader (GemProxDU.txt)
  17. Prox SU USB PC LinkReader (GemProxSU.txt)

Gemplus

  1. Gemplus USB SmartCard Reader 433-Swap (GemPC433_SL.txt)
  2. USB GemPCPinpad SmartCard Reader (GemPCPinpad.txt)
  3. GemCore SIM Pro Smart Card Reader (GemCoreSIMPro.txt)
  4. GemCore POS Pro Smart Card Reader (GemCorePOSPro.txt)
  5. USB Shell Token V2 (GemPCKey.txt)
  6. PC Twin Reader (GemPCTwin.txt)
  7. GemPC Express (GemPC_Express.txt)
  8. Gem e-Seal Pro USB Token (Gem_e-SealPro.txt)

SafeNet

  1. SmartMX Sample (Philips_SmartMX.txt)

Similar remark as for Axalto: here the iManufacturer is "Philips Semiconductors" and the VendorID is 0x04B9, which should be Rainbow Technologies.

SchlumbergerSema

  1. SchlumbergerSema Cyberflex Access (e-gate.txt)

Todos

  1. CX00 (Todos_Cx00.txt)
  2. Argos Mini II (Todos_AGM2_CCID.txt)


Conclusion

After so many mergers and acquisitions in the smart card industry it may be difficult to know where to get manufacturer support for a given reader.

Gemalto provides a drivers support page where you can find most of the "Gemalto" readers.

Tuesday, March 24, 2015

Change syslog logging level on Yosemite

In "Debug a smart card application on Yosemite" we have seen how Apple provides a way to get the ATR and exchanged APDU from the com.apple.ifdreader process (new on Yosemite).

syslog(3)

In some cases you need more than just ATR and APDU. That is why my CCID driver also uses syslog() to log debug messages.

According to the syslog(3) manual page, the syslog() prototype is: void syslog(int priority, const char *message, ...);

The priority parameter is used to tell if the syslog message is important or not. For example messages of level LOG_EMERG are "A panic condition. This is normally broadcast to all users."

You can use the syslog(1) command line tool to log a message. To log an emergency message just do:
$ syslog -s -l 0 Read http://ludovicrousseau.blogspot.fr/
  • -s to send a message
  • -l 0 to use level 0 i.e. Emergency

You should see a message broadcast to every Terminal console and a message in /var/log/system.log. You can use the Console application to read the /var/log/system.log file.

By default messages with level Info (6) or Debug (7) are just ignored.

Logging low level messages

To log messages of level Info and Debug from the CCID driver you need to tell syslog to accept them. We could change the global configuration to accept debug messages from every running process but that may generate a lot of noise. Each process has its own syslog filter. We will use that feature instead.

The first step is to get the process identifier (PID) of the com.apple.ifdreader process. I use something like:
$ ps -Aww | grep com.apple.ifdreader
28775 ??         0:00.74 /System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader
28803 ttys000    0:00.00 grep com.apple.ifdreader

In my case the PID is 28775.

You can see the syslog filter for the process using:
$ syslog -c 28775
Process 28775 syslog filter mask: Off

Change the filter using:
$ sudo syslog -c 28775 -d
-d sets the filter level so that messages from Emergency up to Debug are logged.

And verify the filter has changed:
$ syslog -c 28775 
Process 28775 syslog filter mask: Emergency - Debug

Displaying logs

You can use the Console application to display the logs.

You can also use a command line program with:
$ syslog -w -k Sender com.apple.ifdreader
This will continuously display the log messages from com.apple.ifdreader as they are generated by the driver.
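The whole procedure above (find the PID, read the current filter mask, raise it to Debug, verify, then follow the driver's messages) can be scripted. The following is an added example and not code from the original post or from the CCID driver; it assumes OS X Yosemite with the ps(1) and syslog(1) tools, and on any other system only the parsing helpers are exercised. The helper names (find_pid, parse_filter_mask, syslog_commands) are my own, and SAMPLE_PS is constructed from the ps output shown in the post.

```python
"""Drive the per-process syslog filter of com.apple.ifdreader (added example)."""
import re
import subprocess
import sys

PROCESS = "com.apple.ifdreader"

# Constructed sample, copied from the `ps -Aww | grep` output in the post.
# Note the second line: the grep itself matches and must be skipped.
SAMPLE_PS = (
    "28775 ??         0:00.74 /System/Library/CryptoTokenKit/"
    "com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader\n"
    "28803 ttys000    0:00.00 grep com.apple.ifdreader\n"
)


def find_pid(ps_output, name):
    """Return the PID of the first `ps -Aww` line whose command contains
    `name`, ignoring the ps header and any grep line matching itself."""
    for line in ps_output.splitlines():
        fields = line.split(None, 3)          # PID TTY TIME CMD
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        cmd = fields[3]
        if cmd.split()[0] == "grep":
            continue
        if name in cmd:
            return int(fields[0])
    return None


def parse_filter_mask(text):
    """Extract the mask from `syslog -c PID` output such as
    'Process 28775 syslog filter mask: Emergency - Debug'.
    'Off' means the process falls back to the global filter."""
    m = re.search(r"syslog filter mask:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def syslog_commands(pid):
    """The three syslog(1) invocations of the post, as argument vectors:
    show the mask, raise it to Debug (root needed, hence sudo), show it again."""
    return [
        ["syslog", "-c", str(pid)],
        ["sudo", "syslog", "-c", str(pid), "-d"],
        ["syslog", "-c", str(pid)],
    ]


def main():
    if sys.platform != "darwin":
        print("this script drives syslog(1) on OS X; parsing helpers only here")
        print("sample PID:", find_pid(SAMPLE_PS, PROCESS))
        return 0
    ps = subprocess.run(["ps", "-Aww"], capture_output=True, text=True).stdout
    pid = find_pid(ps, PROCESS)
    if pid is None:
        print(PROCESS, "is not running; plug in a reader or start a PC/SC client")
        return 1
    for argv in syslog_commands(pid):
        out = subprocess.run(argv, capture_output=True, text=True).stdout
        print(" ".join(argv), "->", parse_filter_mask(out))
    # Same as `syslog -w -k Sender com.apple.ifdreader` in the post: follow
    # the driver's messages until interrupted with Ctrl-C.
    subprocess.call(["syslog", "-w", "-k", "Sender", PROCESS])
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The PID lookup is the fragile part: the filter is attached to a PID, so if com.apple.ifdreader is restarted (for example after a reader is unplugged for a while) the mask has to be set again for the new PID, which is why the script resolves it every time rather than taking it as an argument.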

Conclusion

Apple removed the ability to run pcscd in foreground mode from the console on Yosemite because pcscd has been replaced by something different (See "OS X Yosemite and smart cards status").

As we have seen in this article it is still possible to log messages from a smart card reader driver. Using syslog may even be easier than restarting the pcscd process.

Thursday, February 26, 2015

Some PC/SC bugs of Yosemite 10.10 fixed in 10.10.2

The 10.10.2 release of Yosemite solves some of the PC/SC bugs introduced in 10.10 that I reported in "OS X Yosemite and smart cards: known bugs".

I updated the main article with the list and also each individual bug documentation.

Maybe the 10.10.3 release will solve the other PC/SC bugs.

Monday, February 23, 2015

Debug a smart card application on Yosemite

In the previous article "Debug a smart card reader driver on Yosemite" I wrote about how to get some log from a new version of my CCID driver.

APDU logging from Apple

After I wrote the previous article Dustin N. told me that Apple now provides a logging facility for APDUs.

SmartCardServices.7

The SmartCardServices manpage says (online HTML version at SmartCardServices):

SMARTCARDSERVICES(7) BSD Miscellaneous Information Manual SMARTCARDSERVICES(7)

NAME

SmartCardServices — overview of smart card support

DESCRIPTION

The SmartCardServices is a set of components which add native support for smart cards
to operating system. Supported smart cards appear as separate keychains.

USB SMART CARD READER DRIVERS

OS X has built-in support for USB CCID class-compliant smart card readers. For other
readers, install the reader driver in /usr/libexec/SmartCardServices/drivers. Each driver
is a bundle. The bundle contains an XML file Info.plist which contains the device’s USB vendor ID and product ID. For detailed description of plist format and how to write driver, see <http://pcsclite.alioth.debian.org/api/group__IFDHandler.html>

SMART CARD APDU LOGGING

It is possible to turn on logging for smart cards. Logging is turned on by setting global preference:
sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes
After a smart card reader is connected (or after reboot) all operations including contents of sent and received APDU messages are then logged into system log. Logging uses facility com.apple.security.smartcard.log so it is possible to set up filtering of these logs into custom targets (see asl.conf(5)) Note that logging setting is one-shot; it must be turned on by the command above to start logging again with a new reader. This is to avoid security risk that logging is turned on indefinitely.

SEE ALSO

sc_auth(8), defaults(1), asl.conf(5)

Mac OS X August 5, 2014 Mac OS X

Configuration


As documented the activation of APDU logging is easy. Just do (on 1 line):
$ sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes

A new file /Library/Preferences/com.apple.security.smartcard.plist will be created.

You can display the .plist file using Xcode for example. But you can't edit it directly with Xcode since the file can only be updated by root.
$ ls -l /Library/Preferences/com.apple.security.smartcard.plist
-rw-r--r--  1 root  wheel  55 23 fév 10:09 /Library/Preferences/com.apple.security.smartcard.plist

You can get the logging status using:
$ defaults read /Library/Preferences/com.apple.security.smartcard Logging
1
You do not need to be root to read the logging status.

First time only

As indicated in the manpage documentation, you can note that the logging activation is one-shot only. Once the logging state has been read and activated by com.apple.ifdreader the value is reset to no logging.

To see that just do:
  1. Activate logging
    $ sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes
  2. Read logging state
    $ defaults read /Library/Preferences/com.apple.security.smartcard Logging
    1
  3. Plug in a USB reader
  4. Read logging state again
    $ defaults read /Library/Preferences/com.apple.security.smartcard Logging
    0

This is a very smart idea. It will prevent you from forgetting to disable logging after use. You can be sure that the logging will be disabled after a reboot or at the next USB reader connection and no secret PIN code will be stored in your log file without you explicitly requesting it.

Sample output

As in "Debug a smart card reader driver on Yosemite" I used a combination of lwatch and ansi2html. If the file foo contains the log lines I use the combination:
$ lwatch -i - < foo | ansi2html -i

$ syslog -w -k Sender com.apple.ifdreader
Feb 23 19:54:49 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: logging slot 'Gemalto PC Twin Reader'
Feb 23 19:54:53 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: card in
Feb 23 19:54:53 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: ATR:3b fa 94 00 00 81 31 20 43 80 65 a2 01 01 01 3d 72 d6 43 21
Feb 23 19:54:58 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: unpower
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: ATR:3b fa 94 00 00 81 31 20 43 80 65 a2 01 01 01 3d 72 d6 43 21
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: T=1
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU ->:00 a4 04 00 0a a0 00 00 00 62 03 01 0c 06 01
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU <-:90 00
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU ->:00 00 00 00
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU <-:48 65 6c 6c 6f 20 77 6f 72 6c 64 21 90 00
Feb 23 19:55:04 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: unpower
Feb 23 19:55:07 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: card out

You can see that the card is inserted at 19:54:53 (the log line is "card in") and 5 seconds later the card is powered off (the log line is "unpower"). This is what I already explained in "OS X Yosemite bug: SCardTransmit returns SCARD_W_UNPOWERED_CARD".
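Reading these lines by eye works for a dozen of them, but for a longer session it helps to turn the log into structured records: ATRs, command APDUs split into their ISO 7816-4 header and data field, responses split from their status word, and the delay between "card in" and "unpower" that the paragraph above points out. The parser below is an added example, not code from the post or from Apple; SAMPLE_LOG is the post's own output copied verbatim, and the function names (parse_log, describe_command, split_response, card_in_to_unpower, summarize) are my own.

```python
"""Parse com.apple.ifdreader APDU log lines into structured records (added example)."""
import re
from datetime import datetime

# The log lines shown in the post, used as the sample input.
SAMPLE_LOG = """\
Feb 23 19:54:49 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: logging slot 'Gemalto PC Twin Reader'
Feb 23 19:54:53 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: card in
Feb 23 19:54:53 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: ATR:3b fa 94 00 00 81 31 20 43 80 65 a2 01 01 01 3d 72 d6 43 21
Feb 23 19:54:58 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: unpower
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: ATR:3b fa 94 00 00 81 31 20 43 80 65 a2 01 01 01 3d 72 d6 43 21
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: T=1
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU ->:00 a4 04 00 0a a0 00 00 00 62 03 01 0c 06 01
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU <-:90 00
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU ->:00 00 00 00
Feb 23 19:54:59 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: APDU <-:48 65 6c 6c 6f 20 77 6f 72 6c 64 21 90 00
Feb 23 19:55:04 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: unpower
Feb 23 19:55:07 iMac-de-Ludovic.local com.apple.ifdreader[586] <Notice>: card out
"""

# syslog line: "<Mon> <day> <hh:mm:ss> <host> com.apple.ifdreader[<pid>] <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ com\.apple\.ifdreader\[\d+\] <\w+>: (?P<msg>.*)$"
)


def parse_log(text):
    """Return a list of (timestamp, kind, payload) with kind in
    'atr', 'cmd', 'rsp' (payload is bytes) or 'event' (payload is the text)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an ifdreader line
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        if msg.startswith("ATR:"):
            records.append((ts, "atr", bytes.fromhex(msg[4:])))
        elif msg.startswith("APDU ->:"):
            records.append((ts, "cmd", bytes.fromhex(msg[8:])))
        elif msg.startswith("APDU <-:"):
            records.append((ts, "rsp", bytes.fromhex(msg[8:])))
        else:
            records.append((ts, "event", msg))
    return records


def describe_command(apdu):
    """Split a command APDU into CLA INS P1 P2 and, for case 3/4, Lc and data."""
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if len(body) > 1:                     # Lc followed by the data field
        lc, data = body[0], bytes(body[1:1 + body[0]])
    else:                                 # case 1 (no body) or case 2 (Le only)
        lc, data = 0, b""
    return {"CLA": cla, "INS": ins, "P1": p1, "P2": p2, "Lc": lc, "data": data}


def split_response(rsp):
    """Separate the response data from the trailing status word SW1 SW2."""
    return bytes(rsp[:-2]), (rsp[-2] << 8) | rsp[-1]


def card_in_to_unpower(records):
    """Seconds between the first 'card in' event and the next 'unpower'."""
    card_in = None
    for ts, kind, payload in records:
        if kind == "event" and payload == "card in":
            card_in = ts
        elif kind == "event" and payload == "unpower" and card_in is not None:
            return (ts - card_in).total_seconds()
    return None


def summarize(text):
    records = parse_log(text)
    return {
        "atrs": {p.hex() for _, k, p in records if k == "atr"},
        "commands": [describe_command(p) for _, k, p in records if k == "cmd"],
        "responses": [split_response(p) for _, k, p in records if k == "rsp"],
        "unpower_delay": card_in_to_unpower(records),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for c in s["commands"]:
        print("CLA=%02x INS=%02x P1=%02x P2=%02x Lc=%d data=%s"
              % (c["CLA"], c["INS"], c["P1"], c["P2"], c["Lc"], c["data"].hex()))
    for data, sw in s["responses"]:
        print("SW=%04x data=%r" % (sw, data))
    print("card in -> unpower after %s s" % s["unpower_delay"])
```

On the sample the first command decodes as a SELECT (INS a4, P1 04) with a 10-byte AID, and the second response carries the text "Hello world!" before the 90 00 status word, which is the kind of detail this log makes visible and which is also why the logging switch is one-shot: any PIN verification sent to the card would appear in clear the same way.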

Security

Since you need administration privileges (to be root) to edit the file /Library/Preferences/com.apple.security.smartcard.plist, the situation is no less secure than what I presented in "Debug a smart card reader driver on Yosemite": there you also needed the same administration privileges (to be root) to edit the driver configuration file /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist.

Conclusion

Apple provides a nice way to get the card ATR, the APDUs sent to the card and the responses coming back from the smart card reader.

Maybe I should add a similar feature in pcsc-lite for GNU/Linux. What do you think?