Monday, August 12, 2019

ISO 7816-4 spy using Wireshark

In a previous blog article "CCID USB spy using Wireshark" I documented how to use Wireshark to analyse USB CCID packets.

It is also possible to continue the packet decoding to show ISO 7816-4 format commands.

Raw USB packets

By default you will get USB packets.

CCID packets

Enable the USBCCID decoder in the Wireshark menu Analyze -> Decode as...
You will then see CCID packets.
But APDUs sent to the reader may be hard to read if you do not decode ISO 7816-4 directly in your head.
All we get here is: Data: 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00

ISO 7816 commands

Now enable the ISO 7816 decoder.
And you will see ISO 7816-4 command names.
Here you see that the APDU 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00 is a "Select file" command (the second byte, the INS byte, is 0xA4).
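
To show what the two Wireshark decoders are doing with these bytes, here is a small Python decoder added for this article (not code from the blog, libccid or Wireshark). It strips a constructed PC_to_RDR_XfrBlock CCID header (layout from the CCID specification; the slot and sequence values are made up) and then parses the page's APDU into CLA/INS/P1/P2/Lc/data, naming INS 0xA4 as "Select file"; it also handles the short-form Le cases the page does not show.

```python
import struct

# ISO 7816-4 INS names; only 0xA4 (Select file) appears on the page, the
# others are well-known standard values added for the example.
INS_NAMES = {0xA4: "Select file", 0xB0: "Read binary", 0xB2: "Read record",
             0x20: "Verify", 0x84: "Get challenge", 0xC0: "Get response"}
CCID_TYPES = {0x6F: "PC_to_RDR_XfrBlock", 0x69: "PC_to_RDR_Secure",
              0x80: "RDR_to_PC_DataBlock"}


def parse_ccid(frame: bytes) -> dict:
    """Split the 10-byte CCID header (bMessageType, dwLength little-endian,
    bSlot, bSeq, 3 message-specific bytes) from the abData payload."""
    if len(frame) < 10:
        raise ValueError("CCID frame shorter than its 10-byte header")
    msg_type, length, slot, seq = struct.unpack_from("<BIBB", frame, 0)
    payload = frame[10:]
    if len(payload) != length:
        raise ValueError(f"dwLength={length} but {len(payload)} payload bytes")
    return {"type": CCID_TYPES.get(msg_type, f"unknown (0x{msg_type:02X})"),
            "slot": slot, "seq": seq, "payload": payload}


def parse_apdu(apdu: bytes) -> dict:
    """Decode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(apdu) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                      # case 2: only Le
        le = body[0]
    elif len(body) > 1:                     # case 3/4: Lc, data, optional Le
        lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
        if len(data) != lc:
            raise ValueError(f"Lc={lc} but only {len(data)} data bytes")
        if len(rest) > 1:
            raise ValueError("unexpected bytes after Le")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "ins_name": INS_NAMES.get(ins, "unknown"),
            "p1": p1, "p2": p2, "data": data, "le": le}


# The APDU from the page, wrapped in a constructed PC_to_RDR_XfrBlock header
# (slot 0, sequence number 3, bBWI=0, wLevelParameter=0 chosen arbitrarily).
APDU = bytes.fromhex("00a404000ba0000003974349445f0100")
CCID_FRAME = bytes([0x6F]) + struct.pack("<I", len(APDU)) + bytes([0, 3, 0, 0, 0]) + APDU

if __name__ == "__main__":
    frame = parse_ccid(CCID_FRAME)
    cmd = parse_apdu(frame["payload"])
    print(frame["type"], cmd["ins_name"], "AID", cmd["data"].hex())
```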

Limitations

Not all the CCID packets are decoded.

For example the Secure command (0x69) is not (yet) decoded.
Only the first CCID byte is decoded as "Message Type: PC_to_RDR_Secure (0x69)". The rest of the CCID frame is not decoded. And this command is not easy to decode by hand without the CCID specification.

This CCID Secure command is used with a pinpad reader to make the user enter their PIN code on the pinpad and not on the computer keyboard. See here for a list of pinpad readers working with my CCID driver.
The Secure command uses parameters to set the PIN padding, the messages displayed to the user, the min and max PIN lengths, the validation conditions and some other parameters. Not all pinpad readers support the same set of parameters so the situation is complex.

Windows support

In my previous article "CCID USB spy using Wireshark" I made the USB trace acquisition on a GNU/Linux system.

This time I made the capture on Windows, saved the file on disk (.pcapng format) and used Wireshark on macOS to study the file. Yes, I prefer not to use Windows as much as possible.

So whatever the system you are using (GNU/Linux, macOS or Windows, and maybe others) Wireshark can help you.

Conclusion

Wireshark is a very nice tool. I should use it more often to debug issues and understand why a program is working on Windows and not on GNU/Linux. It can be used to do some reverse engineering, especially with complex CCID commands like the Secure command.

Saturday, August 10, 2019

New version of libccid: 1.4.31

I just released version 1.4.31 of libccid, the Free Software CCID class smart card reader driver.

Changes:

1.4.31 - 10 August 2019, Ludovic Rousseau
  • Add support of
    • ACS ACR1252 Reader
    • Aladdin R.D. JaCartaReader
    • Alcor Link AK9563
    • AvestUA AvestKey
    • Avtor SecureToken (idProduct: 0x0020)
    • Bit4id TokenME EVO v2
    • Bit4id miniLector AIR EVO
    • Bit4id miniLector Blue
    • Broadcom Corp 58200 (idProduct: 0x5843)
    • Broadcom Corp 58200 (idProduct: 0x5844)
    • Broadcom Corp 58200 (idProduct: 0x5845)
    • Certgate GmbH ONEKEY ID 2 USB
    • HID Global Crescendo Key 0x0028
    • HID Global Crescendo Key 0x0029
    • HID Global Crescendo Key 0x002B
    • HID Global Crescendo Key 0x002D
    • Identiv SCR3500 C Contact Reader
    • InfoCert WirelessKey
    • NXP PN7462AU CCID
    • Route1 MobiKEY Fusion3
    • SPECINFOSYSTEMS DIAMOND token
  • MacOSX/configure: fix checking error for dynamic library libusb
  • Some minor improvements for debug

Friday, August 9, 2019

PySCard 1.9.9 released

I just released a new version 1.9.9 of pyscard. PySCard is a Python module adding smart card support (PC/SC) to Python.

The PySCard project is available at:


Changes

1.9.9 (August 2019)
  • Makefile: use twine to upload to pypi.python.org
  • test: fix Exception test on 32-bits CPU
  • test: correctly handle macOS versions older than 10.10