gp.exe, GPShell.exe J2A040 from Ali(e^x)press 0x80302000


Postby jcmagicpl » Thu Dec 22, 2016 3:32 pm

A few weeks ago I bought 5 J2A040 cards from Piswords Store.
All cards were unfused, so I fused (pre-personalized) them by sending this sequence of commands:
1. 00 A4 04 00 10 C2 38 E4 49 F7 25 B1 51 0E AA 69 95 50 CA BA 16
2. 00 F0 00 00
3. 00 10 00 00
4. 00 00 00 00

After that I checked that the card was personalized correctly. I used JCOP Manager and made a few screenshots with the card information.




At this stage all seemed to be OK. But when I tried to get the installed applet list (it should be an empty list) I got errors :o
I clicked on the Applet tab,

next went to the "Enter Keys" dialog and pasted the default keys 40..4F.

I suppose that the keys are OK, but the app showed me an annoying error:


Next I tried to get more info from GP.exe (version 0.3.9), so I ran:

GlobalPlatformPro-0.3.9\gp -d -v -i

And I got this result:

[DEBUG] PlaintextKeys - static keys:
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F KCV: 8BAF47
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F KCV: 8BAF47
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F KCV: 8BAF47
# Detected readers from JNA2PCSC
[*] SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart C 0
SCardConnect("SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart C 0", T=*) -> T=1, 3BF81300008131FE454A434F5076323431B7
SCardBeginTransaction("SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart C 0")
Reader: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart C 0
ATR: 3BF81300008131FE454A434F5076323431B7
More information about your card:

A>> T=1 (4+0000) 00A40400 00
A<< (0103+2) (47ms) 6F658408A000000003000000A5599F6501FF9F6E06479100783300734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E0102 9000
[DEBUG] GlobalPlatform - Auto-detected ISD AID: A000000003000000
[DEBUG] GlobalPlatform - Auto-detected block size: 255
[WARN] GlobalPlatform - Unknown/unhandled tag in FCI proprietary data: 9F6E06479100783300
[DEBUG] GlobalPlatform - Auto-detected GP version: GP211
***** Card info:
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0045+2) (31ms) 9F7F2A47905035479100783300504902710297774848125056000000000A254A32373130320000000000000000 9000
Card CPLC:
ICFabricator: 4790
ICType: 5035
OperatingSystemID: 4791
OperatingSystemReleaseDate: 0078
OperatingSystemReleaseLevel: 3300
ICFabricationDate: 5049
ICSerialNumber: 02710297
ICBatchIdentifier: 7748
ICModuleFabricator: 4812
ICModulePackagingDate: 5056
ICCManufacturer: 0000
ICEmbeddingDate: 0000
ICPrePersonalizer: 0A25
ICPrePersonalizationEquipmentDate: 4A32
ICPrePersonalizationEquipmentID: 37313032
ICPersonalizer: 0000
ICPersonalizationDate: 0000
ICPersonalizationEquipmentID: 00000000
A>> T=1 (4+0000) 80CA0066 00
A<< (0078+2) (31ms) 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E0102 9000
Unknown tag: 4c
***** KEY INFO
A>> T=1 (4+0000) 80CA00E0 00
A<< (0020+2) (16ms) E012C00401FF8010C00402FF8010C00403FF8010 9000
Key version suggests factory keys

Next I used GPShell (ver. 1.4.4) to get access to the card applet list with this script:

command time: 15 ms
card_connect -readerNumber 3
command time: 235 ms
select -AID A000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F658408A000000003000000A5599F6501FF9F6E06479100783300734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000
command time: 78 ms
open_sc -scp 2 -security 3 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000
Command --> 8050000008B371F1354FAEA11000
Wrapped command --> 8050000008B371F1354FAEA11000
Response <-- 00005049027102977748FF020000876E603B9A3F54372DC6ABBEB9BA9000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

But I always get the error response:
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

My question is: is something wrong with the card, or am I doing something wrong to get the applet list?

After several attempts one of the cards was blocked, and after that I always get this response:

mutual_authentication() returns 0x80206982 (6982: Command not allowed - Security status not satisfied.)

Re: gp.exe, GPShell.exe J2A040 from Ali(e^x)press 0x80302000

Postby mabel » Thu Dec 22, 2016 10:09 pm

The second command >> 00 F0 00 00 has set all the card configurations back to their default values, and the default setting of the card manager keys is random values.

The last command you sent >> 00 00 00 00 is the FUSE command. The FUSE command disables access to the Root Applet permanently. Consequently, no further Root Applet commands are available.

So this card cannot work any more.

Keep in mind that if you still want to modify the card parameters, DO NOT send the FUSE command.
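
The INITIALIZE UPDATE response and the key information template from the logs in the question can be decoded field by field, which shows the key version and SCP the card reports before any further authentication attempt is made. This is an added example, not part of either post or of GPShell/GlobalPlatformPro; the function names are illustrative, and the field layout assumed is the GlobalPlatform SCP01/SCP02 INITIALIZE UPDATE response format.

```python
# Added example: decode the INITIALIZE UPDATE and GET DATA (00E0) responses
# copied from the logs in the question (layout per GlobalPlatform SCP01/SCP02).
INIT_UPDATE_RESP = "00005049027102977748FF020000876E603B9A3F54372DC6ABBEB9BA9000"
KEY_INFO_RESP = "E012C00401FF8010C00402FF8010C00403FF80109000"
KEY_TYPES = {0x80: "DES"}  # only the key type that appears in this log


def response_data(hex_resp):
    """Return the data field of a response APDU; raise unless SW is 9000."""
    raw = bytes.fromhex(hex_resp)
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    if raw[-2:] != b"\x90\x00":
        raise ValueError("card returned SW " + raw[-2:].hex().upper())
    return raw[:-2]


def parse_initialize_update(hex_resp):
    """Split the 28-byte INITIALIZE UPDATE response into named fields."""
    data = response_data(hex_resp)
    if len(data) != 28:
        raise ValueError("expected 28 data bytes, got %d" % len(data))
    out = {"key_div_data": data[:10].hex().upper(),
           "key_version": data[10], "scp": data[11],
           "card_cryptogram": data[20:].hex().upper()}
    if out["scp"] == 2:    # SCP02: 2-byte sequence counter + 6-byte challenge
        out["sequence_counter"] = int.from_bytes(data[12:14], "big")
        out["card_challenge"] = data[14:20].hex().upper()
    elif out["scp"] == 1:  # SCP01: 8-byte card challenge, no counter
        out["card_challenge"] = data[12:20].hex().upper()
    else:
        raise ValueError("unexpected SCP identifier %02X" % out["scp"])
    return out


def parse_key_info(hex_resp):
    """Walk the E0 key information template and its C0 entries."""
    data = response_data(hex_resp)
    if len(data) < 2 or data[0] != 0xE0 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed E0 template")
    keys, i = [], 2
    while i < len(data):
        body = data[i + 2:i + 2 + data[i + 1]] if i + 1 < len(data) else b""
        if data[i] != 0xC0 or len(body) < 4 or len(body) != data[i + 1]:
            raise ValueError("malformed C0 entry at offset %d" % i)
        keys.append({"id": body[0], "version": body[1], "length": body[3],
                     "type": KEY_TYPES.get(body[2], "%02X" % body[2])})
        i += 2 + len(body)
    return keys
```

Decoded, the card reports key version FF, SCP 02 and a sequence counter of 0, and the last eight bytes of the key diversification data equal the ICFabricationDate, ICSerialNumber and ICBatchIdentifier shown in the CPLC dump.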
