Friday, October 26, 2012

cardpeek: A tool to read the contents of smartcards

A few days ago I discovered a nice tool: cardpeek.






Project

The project is hosted at http://code.google.com/p/cardpeek/.
It is Free Software and uses the GNU GPL v3 licence.

From the project web site:
Cardpeek is a Linux/Windows tool to read the contents of ISO7816 smartcards. It features a GTK GUI to represent card data in a tree view, and is extendable with a scripting language (LUA).

The goal of this project is to allow smartcard owners to be better informed about what type of personal information is stored in these devices.

The tool currently reads the contents of :
  • EMV cards, including NFC ones.
  • Navigo public transport cards (partially supports MOBIB as well)
  • The French health card "Vitale 2"
  • Electronic/Biometric passports in BAC security mode.

It can also read the following cards with limited interpretation of data:
  • Some Mifare cards (such as the Thalys card);
  • Moneo, the French electronic purse;
  • GSM SIM cards.

More info on the Wiki here: http://code.google.com/p/cardpeek/wiki/Main

Installation

It is easy to install under Debian GNU/Linux. You may need to install some dependencies related to the Lua language. The program is written in C and Lua. The parts sending smart card commands are Lua scripts. I do not yet have Lua in my list of languages for PC/SC.

You may be unable to run the ./configure script. I already reported this problem. Run autoreconf -vis to get correct symlinks.

Examples

EMV

I tried with an EMV card.

The application gives a lot of information. For example, you have access to the card transaction records.
In this example I paid 48.11€ on August 30th, 2012. This transaction was to fill the tank with gasoline, but the card does not store information about the merchant.

Navigo Pass

I do not have a Navigo Pass myself so I reused the screen copy from the cardpeek project navigo page.

From the project:
The "calypso" script included in cardpeek can read the content of Navigo cards used in Paris. It provides enhanced "event log" analysis notably with subway/train station names, as illustrated in the screenshot above. It has been successfully tested on Navigo Découverte, Navigo and Navigo Intégrale cards.

SIM

The support for SIM cards is indicated as beta but works quite well.

For example you can dump the phone book stored in your SIM card.

I guess it is in beta mode because not all the fields are parsed and displayed in a human readable format.

Conclusion

Cardpeek is a very nice tool to explore many common kinds of smart cards. It is oriented toward tech-savvy users.

Sunday, October 7, 2012

New version of libccid: 1.4.8

I just released version 1.4.8 of libccid, the free software CCID class smart card reader driver.

1.4.8 - 22 June 2012, Ludovic Rousseau
  • Add support of
    • SCR3310-NTTCom USB (was removed in version 1.4.6)
    • Inside Secure VaultIC 420 Smart Object
    • Inside Secure VaultIC 440 Smart Object
  • Wait up to 3 seconds for reader start up
  • Add support of new PC/SC V2 part 10 properties:
    • dwMaxAPDUDataSize
    • wIdVendor
    • wIdProduct
  • Use helper functions from libPCSCv2part10 to parse the PC/SC v2 part 10 features

Monday, October 1, 2012

Parsing an ATR: now in color

Since 2010 I have provided a way to parse an ATR online using a web page. I also provide a Python script to do the same using a command line tool.

I am not a user interface design expert. But I like to have important elements in color. Syntax colorization is a great invention. So I decided to add color to the ATR parsing results.

Web page

Available at http://smartcard-atr.appspot.com/

Before

Parsing ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1

TS = 0x3B         Direct Convention
T0 = 0xFA         Y(1): b1111, K: 10 (historical bytes)
TA(1) = 0x13      Fi=372, Di=4, 93 cycles/ETU (43010 bits/s at 4.00 MHz, 53763 bits/s for fMax=5 MHz)
TB(1) = 0x00      VPP is not electrically connected
TC(1) = 0xFF      Extra guard time: 255 (special value)
TD(1) = 0x81      Y(i+1) = b1000, Protocol T=1
----
TD(2) = 0x31      Y(i+1) = b0011, Protocol T=1
----
TA(3) = 0x80      IFSC: 128
TB(3) = 0x45      Block Waiting Integer: 4 - Character Waiting Integer: 5
----
Historical bytes  00 31 C1 73 C0 01 00 00 90 00
Category indicator byte: 0x00
(compact TLV data object)
    Tag: 3, Len: 1 (card service data byte)
      Card service data byte: 193
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card without MF
    Tag: 7, Len: 3 (card capabilities)
      Selection methods: 192
        - DF selection by partial DF name
        - DF selection by full DF name
      Data coding byte: 1
        - Behaviour of write functions: one-time write
        - Value 'FF' for the first byte of BER-TLV tag fields: valid
        - Data unit in quartets: 1
      Command chaining, length fields and logical channels: 0
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 0
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 0 (No information given)
      SW: 9000 ()
TCK = 0xB1 (correct checksum)

Possibly identified card: OpenPGP

After

Parsing ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1

TS = 0x3B         Direct Convention
T0 = 0xFA         Y(1): b1111, K: 10 (historical bytes)
TA(1) = 0x13      Fi=372, Di=4, 93 cycles/ETU (43010 bits/s at 4.00 MHz, 53763 bits/s for fMax=5 MHz)
TB(1) = 0x00      VPP is not electrically connected
TC(1) = 0xFF      Extra guard time: 255 (special value)
TD(1) = 0x81      Y(i+1) = b1000, Protocol T=1
----
TD(2) = 0x31      Y(i+1) = b0011, Protocol T=1
----
TA(3) = 0x80      IFSC: 128
TB(3) = 0x45      Block Waiting Integer: 4 - Character Waiting Integer: 5
----
Historical bytes  00 31 C1 73 C0 01 00 00 90 00
Category indicator byte: 0x00
(compact TLV data object)
    Tag: 3, Len: 1 (card service data byte)
      Card service data byte: 193
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card without MF
    Tag: 7, Len: 3 (card capabilities)
      Selection methods: 192
        - DF selection by partial DF name
        - DF selection by full DF name
      Data coding byte: 1
        - Behaviour of write functions: one-time write
        - Value 'FF' for the first byte of BER-TLV tag fields: valid
        - Data unit in quartets: 1
      Command chaining, length fields and logical channels: 0
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 0
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 0 (No information given)
      SW: 90 00 ()
TCK = 0xB1 correct checksum

Possibly identified card: OpenPGP

Command line

The same software is also available as a command line tool: parseATR.py

Before

ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
TS = 0x3B --> Direct Convention
T0 = 0xFA --> Y(1): b1111, K: 10 (historical bytes)
 TA(1) = 0x13 --> Fi=372, Di=4, 93 cycles/ETU (43010 bits/s at 4.00 MHz, 53763 bits/s for fMax=5 MHz)
 TB(1) = 0x00 --> VPP is not electrically connected
 TC(1) = 0xFF --> Extra guard time: 255 (special value)
 TD(1) = 0x81 --> Y(i+1) = b1000, Protocol T=1
----
 TD(2) = 0x31 --> Y(i+1) = b0011, Protocol T=1
----
 TA(3) = 0x80 --> IFSC: 128
 TB(3) = 0x45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
----
Historical bytes --> 00 31 C1 73 C0 01 00 00 90 00
  Category indicator byte: 0x00 -->  (compact TLV data object)
    Tag: 3, Len: 1 (card service data byte)
      Card service data byte: 193
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card without MF
    Tag: 7, Len: 3 (card capabilities)
      Selection methods: 192
        - DF selection by partial DF name
        - DF selection by full DF name
      Data coding byte: 1
        - Behaviour of write functions: one-time write
        - Value 'FF' for the first byte of BER-TLV tag fields: valid
        - Data unit in quartets: 1
      Command chaining, length fields and logical channels: 0
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 0
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 0 (No information given)
      SW: 9000 ()
TCK = 0xB1  --> (correct checksum)
Possibly identified card: OpenPGP

After

ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
TS = 0x3B --> Direct Convention
T0 = 0xFA --> Y(1): b1111, K: 10 (historical bytes)
 TA(1) = 0x13 --> Fi=372, Di=4, 93 cycles/ETU (43010 bits/s at 4.00 MHz, 53763 bits/s for fMax=5 MHz)
 TB(1) = 0x00 --> VPP is not electrically connected
 TC(1) = 0xFF --> Extra guard time: 255 (special value)
 TD(1) = 0x81 --> Y(i+1) = b1000, Protocol T=1
----
 TD(2) = 0x31 --> Y(i+1) = b0011, Protocol T=1
----
 TA(3) = 0x80 --> IFSC: 128
 TB(3) = 0x45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
----
Historical bytes --> 00 31 C1 73 C0 01 00 00 90 00
  Category indicator byte: 0x00 -->  (compact TLV data object)
    Tag: 3, Len: 1 (card service data byte)
      Card service data byte: 193
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card without MF
    Tag: 7, Len: 3 (card capabilities)
      Selection methods: 192
        - DF selection by partial DF name
        - DF selection by full DF name
      Data coding byte: 1
        - Behaviour of write functions: one-time write
        - Value 'FF' for the first byte of BER-TLV tag fields: valid
        - Data unit in quartets: 1
      Command chaining, length fields and logical channels: 0
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 0
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 0 (No information given)
      SW: 90 00 ()
TCK = 0xB1  --> correct checksum
Possibly identified card: OpenPGP
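
The output above follows the ISO 7816-3 layout of an ATR: each Y bitmap announces which of TA/TB/TC/TD follow, TD chains to the next group, and TCK makes the XOR of T0..TCK zero. The sketch below is an added example, not the parseATR.py source; the function names and the PAGE_ATR constant are assumptions made here. It walks that structure with bounds checks, so a truncated or corrupted ATR from an untrusted reader is rejected instead of mis-parsed.

```python
# Added example: a minimal ISO 7816-3 ATR walker (not the parseATR.py source).
from functools import reduce

def compact_tlv(hist):
    """Split category-0x00 historical bytes into (tag, value) pairs + status."""
    if len(hist) < 4 or hist[0] != 0x00:
        return [], b""
    body, status, items, p = hist[1:-3], hist[-3:], [], 0
    while p < len(body):
        tag, length = body[p] >> 4, body[p] & 0x0F
        if p + 1 + length > len(body):
            raise ValueError("compact-TLV object overruns historical bytes")
        items.append((tag, body[p + 1:p + 1 + length]))
        p += 1 + length
    return items, status

def parse_atr(text):
    atr = bytes.fromhex(text)              # spaces between bytes are accepted
    if not 2 <= len(atr) <= 33:
        raise ValueError("an ATR is 2 to 33 bytes long")
    pos = 2                                # TS and T0 are always present
    def take():
        nonlocal pos
        if pos >= len(atr):
            raise ValueError("ATR truncated at offset %d" % pos)
        pos += 1
        return atr[pos - 1]
    out = {"TS": atr[0], "interface": {}, "protocols": [], "tck_ok": None}
    y, k, i = atr[1] >> 4, atr[1] & 0x0F, 1
    while True:                            # Y(i) bitmap says which of TA..TD follow
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                out["interface"]["%s(%d)" % (name, i)] = take()
        td = out["interface"].get("TD(%d)" % i)
        if td is None:
            break
        out["protocols"].append(td & 0x0F)
        y, i = td >> 4, i + 1
    out["historical"] = bytes(take() for _ in range(k))
    if any(t != 0 for t in out["protocols"]):   # TCK only when T != 0 is announced
        take()                                  # XOR of T0..TCK must be zero
        out["tck_ok"] = reduce(lambda a, b: a ^ b, atr[1:pos]) == 0
    if pos != len(atr):
        raise ValueError("unexpected bytes after the end of the ATR")
    out["tlv"], out["status"] = compact_tlv(out["historical"])
    return out

# The ATR parsed on this page
PAGE_ATR = "3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1"
```
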

Conclusion

I like colorization.