  1. #1
    Regular Contributor
    Join Date
    Dec 2004
    Posts
    53

    Info on Authenticating with the Secure Element

    After locking myself out of one 6131 phone, and coming very close to doing the same with a second, I thought I'd post a bit about my experience.

    It's mentioned in the SDK User Guide however **Do not try and authenticate more than 10 times incorrectly. This will lock the element and prevent adding/deleting permanently. There is no way Nokia can unlock this.**

    Once the unlock midlet has been obtained and run through the phone, the following information is known (from the SDK User Guide):
    ENC, MAC and KEY keys are all "404142434445464748494A4B4C4D4E4F".
    The Keyset is "42".
    Authentication must be done with "ENC & MAC" , which is Secure Channel Protocol 02 (SCP02)
    The card follows GlobalPlatform specification 2.1.1

    In order to talk to the secure element, APDUs must be sent, however it is not practical to just send these straight to the phone - some deployment tool must be used. I was unable to get the Sun JCDK (Java Card Development Kit) to interact with my cardreader (Cardman 5321), a co-worker had JLoad by Giesecke & Devrient, however this was too old to support spec 2.1.1 and the Sm@rtCafe toolkit is very expensive.

    The GlobalPlatform SourceForge project (http://sourceforge.net/projects/globalplatform/) isn't directly related to the GlobalPlatform specification although does try and implement it. The latest GPShell tool does support spec 2.1.1 however it seems to have issues with the SCP02 (Check the mailing list for some thoughts, however I didn't fully understand it all).

    JCOP is the tool that most people seem to talk about, however is also the hardest to obtain. IBM were working on it, however it is now transferred to NXP - all requests are to be sent to NXP and I haven't heard of anyone actually getting a response from them. I eventually came across the site http://www.cs.ru.nl/~erikpoll/ooti2007/env_setup.txt which includes a working link to a download site. The easiest way to activate the plugin is to purchase a JCOP Engineering Sample Card - I got one from www.motechno.com for 50Euro; based in Germany but they do ship internationally starting at 9Euro (next day via FedEx is 29Euro). They don't actually list the card as a product on the site but e-mail them and they will confirm cost and provide a paypal link to send payment.

    Once JCOP is activated bring up the JCOP shell and connect to Terminal (left icon on the top right), put the phone on the reader (activate secure application) and type in "/card"
    > /card
    --Waiting for card...
    ATR=3B 88 80 01 00 73 C8 40 13 00 90 00 71 ;....s.@....q
    ATR: T=0, T=1, Hist=0073C84013009000
    => 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
    (38813 usec)
    <= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
    01 FF 90 00 ....
    Status: No Error

    Then set the 3 different keys:
    "set-key 42/1/DES-ECB/404142434445464748494A4B4C4D4E4F 42/2/DES-ECB/404142434445464748494A4B4C4D4E4F 42/3/DES-ECB/404142434445464748494A4B4C4D4E4F"

    Start the authentication process with "init-update 42":
    cm> init-update 42
    => 80 50 2A 00 08 C6 1E FE E6 7E 82 C8 5E 00 .P*......~..^.
    (114726 usec)
    <= 00 00 63 42 80 07 F6 A8 01 09 2A 02 00 0A FB 59 ..cB......*....Y
    58 D6 62 71 DC 24 74 F9 04 54 15 F6 90 00 X.bq.$t..T....
    Status: No Error

    Finally, perform external authentication "ext-auth enc":
    cm> ext-auth enc
    => 84 82 03 00 10 98 2D 3D 7F F6 D8 78 F3 14 7C DD ......-=...x..|.
    09 54 DF 6E BF .T.n.
    (42657 usec)
    <= 90 00 ..
    Status: No Error

    Confirm this is working by running "card-info":
    cm> card-info
    ....
    Card Manager AID : A000000003000000
    Card Manager state : SECURED

    Application: SELECTABLE (---L----) D276000005AB0503E0040101
    Application: SELECTABLE (--------) D276000005AA0503E0050101
    Application: SELECTABLE (--------) "HelloApplet.app"
    Load File : LOADED (--------) A0000000035350 (Security Domain)
    Load File : LOADED (--------) D276000005AA040360010410
    Load File : LOADED (--------) D276000005AA0503E00401
    Load File : LOADED (--------) D276000005AA0503E00501
    Load File : LOADED (--------) "HelloApplet"

    help <command> will bring up help for the different command and provide different options e.g. all the key types on set-key and authentication levels on ext-auth.

    I'm still working on being able to write applets that sit in the secure element and midlets that interact with them - the InternalSecureCardMIDlet provided with the SDK doesn't work for me. If anyone works this out, feel free to tell me how you did it.

    Hope the above helps.

    -Jeff
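
Added example, not part of the original posts: a small Python parser for the INITIALIZE UPDATE exchange shown in post #1, used as a check before sending EXTERNAL AUTHENTICATE so that a wrong key set or protocol is caught without spending one of the 10 attempts. The function names are hypothetical, and the code only parses the trace; it does not compute the card or host cryptogram, which would need 3DES.

```python
from dataclasses import dataclass

STATUS_WORDS = {0x9000: "No Error", 0x6A88: "Reference data not found"}  # from the traces
# EXTERNAL AUTHENTICATE P1 values for SCP02 (GlobalPlatform 2.1.1).
SECURITY_LEVELS = {0x00: "no secure messaging", 0x01: "C-MAC",
                   0x03: "C-DECRYPTION and C-MAC"}
# Trace of "init-update 42" copied from post #1 on this page.
POST1_COMMAND = "80 50 2A 00 08 C6 1E FE E6 7E 82 C8 5E 00"
POST1_RESPONSE = ("00 00 63 42 80 07 F6 A8 01 09 2A 02 00 0A FB 59 "
                  "58 D6 62 71 DC 24 74 F9 04 54 15 F6 90 00")

@dataclass
class InitUpdateResponse:
    key_diversification: bytes   # 10 bytes
    key_version: int             # keyset "42" is decimal, so 0x2A on the wire
    scp_id: int                  # 0x02 for SCP02
    sequence_counter: int        # 2 bytes, big-endian
    card_challenge: bytes        # 6 bytes
    card_cryptogram: bytes       # 8 bytes

def parse_init_update(response_hex):
    """Split an INITIALIZE UPDATE response into its SCP02 fields."""
    raw = bytes.fromhex(response_hex)
    data, sw = raw[:-2], int.from_bytes(raw[-2:], "big")
    if sw != 0x9000:
        raise ValueError(f"card answered {sw:04X} ({STATUS_WORDS.get(sw, 'unknown')})")
    if len(data) != 28:
        raise ValueError(f"expected 28 data bytes, got {len(data)}")
    return InitUpdateResponse(data[:10], data[10], data[11],
        int.from_bytes(data[12:14], "big"), data[14:20], data[20:28])

def preflight(command_hex, response_hex):
    """Return reasons not to send EXTERNAL AUTHENTICATE (empty list = go on)."""
    cmd = bytes.fromhex(command_hex)
    if len(cmd) < 5 or cmd[:2] != b"\x80\x50":
        return ["command is not INITIALIZE UPDATE (80 50)"]
    try:
        resp = parse_init_update(response_hex)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # P1 = 00 lets the card pick the key set, so only compare explicit requests.
    if cmd[2] != 0 and resp.key_version != cmd[2]:
        problems.append(f"asked for key version {cmd[2]}, card used {resp.key_version}")
    if resp.scp_id != 0x02:
        problems.append(f"card reports SCP{resp.scp_id:02X}, not SCP02")
    return problems

def ext_auth_level(command_hex):
    """Name the security level (P1) of an EXTERNAL AUTHENTICATE command."""
    cmd = bytes.fromhex(command_hex)
    if len(cmd) < 3 or cmd[:2] != b"\x84\x82":
        raise ValueError("command is not EXTERNAL AUTHENTICATE (84 82)")
    return SECURITY_LEVELS.get(cmd[2], f"unknown level {cmd[2]:02X}")
```
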

  2. #2
    Registered User
    Join Date
    Jul 2007
    Posts
    20

    Re: Info on Authenticating with the Secure Element

    this is documented in the SDK docs (nfc extensions, index page (file:///C:/Nokia/Devices/Nokia_6131_NFC_SDK_1_1/docs/nfc_ext/index.html)). Basically you have to
    String uri = System.getProperty("internal.se.url");
    ISO14443Connection iseConn = (ISO14443Connection) Connector.open(uri);
    The connection opened in this way allows you to send APDU's to the secure element. You will need to select your java card applet and then you can happily send APDU's back and forth.

    This will only work if your midlet is signed!!

  3. #3
    Regular Contributor
    Join Date
    Dec 2004
    Posts
    53

    Re: Info on Authenticating with the Secure Element

    After working with one of the developers from the GlobalPlatform SourceForge project, it is now possible to use GPShell (and anything else that uses the libs) with the 6131NFC. Currently this is only in the CVS, but will probably be included in the next release.

    After compiling the libs and GPShell itself, issue the following commands to authenticate:

    mode_211
    enable_trace
    establish_context
    card_connect -reader "<reader Name>"
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F

    It should confirm with 90 00. Issue "get_status -element 20" to get a list of current applets on the card.

  4. #4
    Registered User
    Join Date
    Oct 2007
    Posts
    2

    Re: Info on Authenticating with the Secure Element

    Is there any way to use a normal usb-phone - cable to access the phone (6131), and through the phone access the secure card?

    Phoenix uses a GPShell-script that has the line:
    card_connect -reader "<reader Name>"

    Does this mean I have to have a specific card-reader?

    Originally posted by phoenix__:
    After compiling the libs and GPShell itself, issue the following commands to authenticate:

    mode_211
    enable_trace
    establish_context
    card_connect -reader "<reader Name>"
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F

    It should confirm with 90 00. Issue "get_status -element 20" to get a list of current applets on the card.

  5. #5
    Regular Contributor
    Join Date
    Dec 2004
    Posts
    53

    Re: Info on Authenticating with the Secure Element

    AFAIK you cannot use a regular USB cable. The only way to interact with the secure element is via an external card reader, or through a signed midlet.

    <reader name> is simply how the card reader is identified within Windows and is the actual string name, mine shows up as something like "cardman 5321 0-1CL" (I can't remember the exact name). I believe you can also use -readernumber instead of name.

  6. #6
    Regular Contributor
    Join Date
    Mar 2003
    Posts
    53

    Re: Info on Authenticating with the Secure Element

    Hi,
    I used GPShell to load the HelloWorld applet as an appl.cap file into the Secure Element in the 6131 NFC phone.
    Maybe my phone is locked forever! Can anybody tell me what I am doing wrong here?

    My environment is: Java Card Dev Kit 2.2.1 / J2JDK 1.4.1
    Command line:
    > Gpshell hello6131.txt
    The content of the text file "hello6131.txt" was as follows:

    mode_211
    enable_trace
    establish_context
    card_connect -reader "OMNIKEY CardMan 5x21 0"
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
    delete -AID a00000006203010c0101
    delete -AID a00000006203010c01
    delete -AID a00000006203010c0101
    install -file appl.cap -priv 2
    card_disconnect
    release_context

    Output of GPShell is:

    mode_211
    enable_trace
    establish_context
    card_connect -reader "OMNIKEY CardMan 5x21 0"
    reader name OMNIKEY CardMan 5x21 0
    card_connect() returns 0x80100069 (further communication is not possible, because smart card is removed)
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_ke
    y 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
    --> 00CA006600
    GP211_get_secure_channel_protocol_details() returns 0x00000006 (The reference is unvalid)


    How do you interpret the output of GPShell?
    Do I have a chance for one more try (but a right one)?

  7. #7
    Regular Contributor
    Join Date
    Mar 2003
    Posts
    53

    Re: Info on Authenticating with the Secure Element

    Hi,

    The issue was the card reader name. My phone was not locked.

    I found out that Omnikey CardMan 5321 registers two readers:
    1) “OMNIKEY CardMan 5x21 0”
    2) “OMNIKEY CardMan 5x21-CL 0”

    Second one is the right one for contactless cards (Nokia 6131 NFC phone).

    yakdogan

  8. #8
    Regular Contributor
    Join Date
    Apr 2006
    Posts
    58

    Re: Info on Authenticating with the Secure Element

    I'm using GPShell also, but I didn't understand why we need the following lines in the download script:

    delete -AID a00000006203010c0101
    delete -AID a00000006203010c01
    delete -AID a00000006203010c0101
    Why do we need to delete 3 applications?

    Does anyone have any idea?

    And has anyone done a successful listing of the application IDs in the SE? I tried to use this script with GPShell:
    mode_211
    enable_trace
    establish_context
    card_connect -reader "OMNIKEY CardMan 5x21-CL 0"
    select -AID a0000000030000
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
    get_status -element e0
    card_disconnect
    release_context
    the message returned is:

    mode_211
    enable_trace
    establish_context
    card_connect -reader "OMNIKEY CardMan 5x21-CL 0"
    reader name OMNIKEY CardMan 5x21-CL 0
    select -AID a0000000030000
    --> 00A4040007A0000000030000
    <-- 6F108408A000000003000000A5049F6501FF9000
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
    --> 00CA006600
    <-- 734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
    --> 80502A00086A9839F64830D26500
    <-- 0000634230C1F5A801092A020002598DD3961BFDFA4642927532123C9000
    --> 8482030010784BC9AF31FF93C36CAB0308B7F6A46F
    <-- 9000
    get_status -element e0
    --> 80F2E000024F0000
    <-- 6A86
    GP211_get_status() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)
    Why does it return "6A86: Incorrect parameters (P1, P2)" without listing the AID?

    thanks
    Roberto

  9. #9
    Regular Contributor
    Join Date
    May 2007
    Posts
    63

    Re: Info on Authenticating with the Secure Element

    ya, so u need this line instead:
    card_connect -readerNumber 2

    roberto,
    use this:
    mode_211
    enable_trace
    establish_context
    card_connect -readerNumber 2
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
    get_status -element 20
    card_disconnect
    release_context
    Last edited by lovercjs; 2008-01-09 at 07:16.

  10. #10
    Regular Contributor
    Join Date
    May 2007
    Posts
    63

    Re: Info on Authenticating with the Secure Element

    delete -AID a00000006203010c0101
    delete -AID a00000006203010c01
    delete -AID a00000006203010c0101
    roberto,

    this is the AID of Hello.cap, the sample cap file inside the GPShell folder.
    00000006203010c01 is the package containing a class with AID 00000006203010c0101.

    the AID for a cap is specific when you are converting the Java class file to .cap using the Java Card Development Kit. (Java Card Development Kit 2.2.1 is used with Nokia 6131 NFC or Global Platform 2.1.1)

  11. #11
    Regular Contributor
    Join Date
    Apr 2006
    Posts
    58

    Re: Info on Authenticating with the Secure Element

    Originally posted by lovercjs:
    roberto,

    this is the AID of Hello.cap, the sample cap file inside the GPShell folder.
    00000006203010c01 is the package containing a class with AID 00000006203010c0101.

    the AID for a cap is specific when you are converting the Java class file to .cap using the Java Card Development Kit. (Java Card Development Kit 2.2.1 is used with Nokia 6131 NFC or Global Platform 2.1.1)
    OK,
    thanks, now it's clear.

    bye
    Roberto

  12. #12
    Registered User
    Join Date
    Feb 2008
    Posts
    1

    Re: Info on Authenticating with the Secure Element

    Hello,

    I have a new Nokia 6131 NFC phone and I am trying to communicate with the NFC chip, but the phone returns 6A88 during init-update.

    - /terminal "winscard:4|OMNIKEY CardMan 5x21-CL 0"
    --Opening terminal
    > /card
    --Waiting for card...
    ATR=3B 88 80 01 00 73 C8 40 13 00 90 00 71 ;....s.@....q
    ATR: T=0, T=1, Hist=0073C84013009000
    => 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
    (68468 usec)
    <= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
    01 FF 90 00 ....
    Status: No Error
    cm> set-key 42/1/DES-ECB/404142434445464748494A4B4C4D4E4F 42/2/DES-ECB/404142434445464748494A4B4C4D4E4F 42/3/DES-ECB/404142434445464748494A4B4C4D4E4F
    cm> init-update 42
    => 80 50 2A 00 08 EE 68 11 00 10 70 57 7F 00 .P*...h...pW..
    (34991 usec)
    <= 6A 88 j.
    Status: Reference data not found
    jcshell: Error code: 6a88 (Reference data not found)
    jcshell: Wrong response APDU: 6A88

    Can anybody give me any hint, please?

    Mike

  13. #13
    Regular Contributor
    Join Date
    Apr 2006
    Posts
    58

    Re: Info on Authenticating with the Secure Element

    Which tool are you using to download the applet?

    Check the JCShell 1.4.1 and try the script that I wrote before in the previous posts.

    bye,
    Roberto

  14. #14
    Registered User
    Join Date
    Sep 2008
    Posts
    34

    Re: Info on Authenticating with the Secure Element

    Hi,
    I use GPShell and I have unlocked the 6131 and I want to install a hello world applet. Before this, I wanted to check whether I can communicate with the SE. I tried the following commands using GPShell and I get an error that raises concern.

    mode_211
    enable_trace
    establish_context
    card_connect -reader "OMNIKEY Cardman 5x21-CL 0"
    reader name OMNIKEY Cardman 5x21-CL 0
    open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
    Command --> 80CA006600
    Wrapped command --> 80CA006600
    GP211_get_secure_channel_protocol_details() returns 0x0000001F (A device attached to the system is not functioning.
    )
    Could someone give me a hint please?
    How do I check if my secure element is permanently locked?

    thanks
    Enya

  15. #15
    Registered User
    Join Date
    Apr 2004
    Location
    Vienna
    Posts
    321

    Re: Info on Authenticating with the Secure Element

    I'm not 100% sure, as I'm not using GPShell, but the Security Level of the SE in the 6131 is configured for C-MAC only (without encryption). So probably this is an issue ... just an idea.

    cheers, geri-m
