Proxmark3 RDV4: SmartCard

From Embedded Lab Vienna for IoT & Security
Smartcard Chip


The Proxmark3 RDV4 comes with a built-in smartcard chip reader that can read data from and send commands to a contact smartcard. A smartcard chip is a small microprocessor with no power source of its own; the reader supplies power and clock through the contact plates. Most commonly it provides some form of identification and stores a small amount of data. These chips are built with security in mind: there is no direct access to their memory, only the command interface exposed over the contact plates, so the card's operating system decides what is returned and which operations require authentication.


  • Proxmark3 RDV4
  • Some Smartcards


Hidden under the lid of the Proxmark3 RDV4 you can find a smartcard reader. You can insert a smartcard directly into the slot, or insert it into the optional smartcard extender, which accepts full-size card formats.

Proxmark with the smartcard extender


SC stands for smartcard; the sc commands communicate with the chip over the metal contact plates. The protocol is defined by the ISO/IEC 7816 standard (7816-3 for the electrical interface, the ATR and the T=0/T=1 transmission protocols, 7816-4 for the APDU command set).

A very informative and high-level introduction can be found here: data-extraction from chip

At the moment following commands are present on the Proxmark3 RDV4:

[usb] pm3 --> sc
help              This help          
list              List ISO 7816 history          
info              Tag information          
reader            Act like an IS07816 reader          
raw               Send raw hex data to tag          
upgrade           Upgrade sim module firmware          
setclock          Set clock speed          
brute             Bruteforce SFI   

At the moment there are not many specific commands available, as this feature is rather new. The two main commands are sc info, which resets the card and decodes its ATR (Answer To Reset) response, and sc raw, which sends arbitrary command APDUs to the chip and lets you interact with it directly.

I tested the sc info command on an Austrian e-card:

[usb] pm3 --> sc info
[=] --- Smartcard Information ---------
[=] -------------------------------------------------------------
[=] ISO7618-3 ATR : 3B DD 96 FF 81 B1 FE 45 1F 03 80 xx xx xx xx xx xx xx xx xx xx xx 05 18
[=] http:/ / parse?ATR=3BDD96FF81B1FE451F0380xxxxxxxxxxxxxxxxxxxxxx0518
[=] ATR
	- TA1  (Maximum clock frequency, proposed bit duration) [ 0x96 ]
	- TC1  (Extra delay between bytes required by card) [ 0xff ]
	- TD1  (First offered transmission protocol, presence of TA2..TD2) [ 0x81 ] Protocol T1
	- TD2  (A supported protocol or more global parameters, presence of TA3..TD3) [ 0xb1 ] Protocol T1
	- TA3:  0xfe
	- TB3:  0x45
	- TD3  [ 0x1f ] Protocol T15
	- TA4:  0x03
[=] Checksum OK.
[=] Historical bytes | len 0x13 | format 80
[=] 	Historical bytes
   	00: 80 xx xx xx xx xx xx xx xx xx xx xx 05
[=] D/F (TA1)
	- Di 32
	- Fi 512
	- F  5,0 MHz
	- Cycles/ETU 16
	- 250000,0 bits/sec at 4 MHz
	- 312500,0 bits/sec at Fmax (5,0MHz)

Following the web link, we get the additional information that the smartcard is probably running the operating system StarCOS 3.4:

On website:
Austrian "e-card" G3 (State Health Insurance Card)
(running StarCOS 3.4 by Giesecke & Devrient) 
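To see what sc info is doing with those bytes, here is an ATR decoder as an added example (it is not Proxmark3 code). It walks TS and T0, the TA/TB/TC/TD interface-byte chain, the historical bytes and the TCK checksum, and derives the same Fi/Di/ETU figures printed above. SIM_ATR is the ATR the A1 SIM sent in the sc list trace further down this page; T1_ATR is a constructed ATR that reuses the e-card's interface bytes with the (redacted) historical bytes dropped and a recomputed TCK, so it exercises the T=1/T=15 chain and the checksum path.

```python
"""ISO/IEC 7816-3 ATR (Answer To Reset) decoder.

Added example, not Proxmark3 code. SIM_ATR is taken from the sc list trace
on this page; T1_ATR is constructed (e-card interface bytes, no historical
bytes, TCK recomputed).
"""

# ISO 7816-3 tables for TA1: clock-rate conversion integer Fi (with f(max) in
# MHz) and baud-rate adjustment integer Di, indexed by the high/low nibble.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
FMAX_MHZ = [4, 5, 6, 8, 12, 16, 20, None, None, 5, 7.5, 10, 15, 20, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

SIM_ATR = bytes.fromhex("3b 3f 96 00 80 69 af 03 3d 00 c6 00 00 00 0e 83 1e 9f 16")
T1_ATR = bytes.fromhex("3B D0 96 FF 81 B1 FE 45 1F 03 2E")   # constructed


def parse_atr(atr: bytes) -> dict:
    """Decode an ATR; raises ValueError on a malformed or truncated one."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("ATR must start with TS = 3B (direct) or 3F (inverse)")
    convention = "direct" if atr[0] == 0x3B else "inverse"
    t0 = atr[1]
    k = t0 & 0x0F            # number of historical bytes
    y = t0 >> 4              # presence bits for TA1..TD1
    interface, protocols, i, n = {}, [], 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError(f"ATR truncated inside {name}{n}")
                interface[f"{name}{n}"] = atr[i]
                i += 1
        td = interface.get(f"TD{n}")
        if td is None:
            break            # no TDi: the interface-byte chain ends here
        protocols.append(td & 0x0F)   # low nibble: protocol T=x offered
        y, n = td >> 4, n + 1         # high nibble: presence of TA/TB/TC/TD(n+1)
    historical = atr[i:i + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    i += k
    # TCK is present unless T=0 is the only protocol offered (possibly by default).
    tck_ok = None
    if any(p != 0 for p in protocols):
        if i >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:i + 1]:        # T0 .. TCK inclusive must XOR to zero
            xor ^= b
        tck_ok = xor == 0
        i += 1
    if i != len(atr):
        raise ValueError(f"{len(atr) - i} trailing byte(s) after ATR")
    ta1 = interface.get("TA1", 0x11)  # default Fi=372, Di=1 when TA1 is absent
    fi, fmax, di = FI_TABLE[ta1 >> 4], FMAX_MHZ[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    if fi is None or di is None:
        raise ValueError(f"TA1={ta1:02X} uses an RFU Fi/Di value")
    offered = sorted(set(p for p in protocols if p != 15)) or [0]
    return {
        "convention": convention,
        "interface": interface,
        "protocols": offered,
        "global_interface_bytes": 15 in protocols,   # a T=15 TDi carries global params
        "historical": historical,
        "tck_ok": tck_ok,
        "fi": fi, "di": di, "fmax_mhz": fmax,
        "etu_cycles": fi // di,                       # clock cycles per bit (ETU)
        "bps_at_4mhz": 4_000_000 * di // fi,
        "bps_at_fmax": int(fmax * 1_000_000 * di // fi),
    }


if __name__ == "__main__":
    for label, atr in (("A1 SIM", SIM_ATR), ("constructed T=1", T1_ATR)):
        info = parse_atr(atr)
        print(label, {k: (v.hex() if isinstance(v, bytes) else v) for k, v in info.items()})
```

For the SIM ATR this yields TA1 = 0x96, so Fi = 512, Di = 32 and 16 cycles per ETU, i.e. 250000 bit/s at 4 MHz, exactly the D/F block pm3 printed for the e-card (which has the same TA1). The SIM offers only T=0 and therefore carries no TCK, while the constructed T=1 ATR is rejected if its TCK is removed or corrupted.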

I had an old SIM card (GSM SIM card of the Austrian provider A1) lying around and tested the sc raw command.

For a high-level overview of SIM card commands and responses I recommend:

[usb] pm3 --> sc raw s t d A0 A4 00 00 02 3F 00
[+] 9F16 | Command successfully executed; 'xx' bytes of data are available and can be requested using GET RESPONSE.          
[=] Requesting 0x16 bytes response          
[+] 9000 | Command successfully executed (OK).          
[!] TLV ERROR: Can't parse response as TLV tree.          
[usb] pm3 --> sc list
[+] Recorded activity (trace len = 109 bytes)          
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
[=] ISO7816-4 / Smartcard - Timings N/A yet          
      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation          
          0 |          0 | Tag |3b  3f  96  00  80  69  af  03  3d  00  c6  00  00  00  0e  83  1e  9f   |     |           
            |            |     |16                                                                       |     |           
          0 |          0 | Rdr |a0  a4  00  00  02  3f  00                                               |     | R-block ACK          
          0 |          0 | Tag |a4  9f  16                                                               |     |           
          0 |          0 | Rdr |00  c0  00  00  16                                                       |     | GET RESPONSE          
          0 |          0 | Tag |c0  00  00  59  09  3f  00  01  00  00  00  00  00  09  13  02  0f  08   |     |           
            |            |     |00  83  8a  83  8a  90  00                                               |     |           

Despite the "R-block ACK" annotation in the trace, A0 A4 00 00 02 3F 00 is not an R-block: it is a GSM 11.11 SELECT APDU. CLA A0 is the GSM class byte, INS A4 is SELECT, P1 P2 are 00 00, Lc 02 announces two data bytes, and the data 3F 00 is the file ID of the master file (MF), the root of the card's file system. The trace also shows the T=0 transport at work: the card first echoes the INS byte (a4) as the procedure byte and then returns the status 9F 16, meaning 0x16 = 22 bytes are waiting to be fetched. pm3 automatically sends GET RESPONSE (00 c0 00 00 16), and the card answers with the procedure byte c0, the 22-byte SELECT response (00 00 59 09 3f 00 01 ... 83 8a 83 8a) and 90 00. The TLV error is expected: the GSM 11.11 SELECT response for an MF or DF is a fixed-layout record, not BER-TLV, so the TLV decoder cannot parse it.
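The same exchange, replayed and decoded, as an added example that is not Proxmark3 code. The stub card below answers with the exact bytes the A1 SIM returned in the trace above, so it runs offline; a real transport (any callable that takes a T=0 TPDU and returns the card's bytes) can be swapped in for a live card. It implements the two mechanics the trace shows, the T=0 procedure byte and the 9F xx / GET RESPONSE sequence, and then decodes the fixed-layout MF/DF SELECT response according to GSM 11.11 §9.2.1, which is what pm3's TLV decoder could not do.

```python
"""Replay and decode of the SELECT MF / GET RESPONSE exchange from the trace.

Added example, not Proxmark3 code. TRACE_REPLIES holds the card's bytes as
recorded in the sc list output on this page.
"""

SELECT_MF = bytes.fromhex("A0 A4 00 00 02 3F 00")  # CLA A0 (GSM), INS A4 SELECT, data = file ID 3F00
GET_RESPONSE = bytes.fromhex("00 C0 00 00 16")     # as pm3 sent it in the trace, Le = 0x16

# Card answers from the trace: procedure byte, data, SW1 SW2.
TRACE_REPLIES = {
    SELECT_MF: bytes.fromhex("a4 9f 16"),
    GET_RESPONSE: bytes.fromhex(
        "c0 00 00 59 09 3f 00 01 00 00 00 00 00 09 13 02 0f 08 00 83 8a 83 8a 90 00"),
}


def replay_card(tpdu: bytes) -> bytes:
    """Stub card: replays the trace; anything else gets SW 6D00 (INS not supported)."""
    return TRACE_REPLIES.get(tpdu, b"\x6d\x00")


def strip_procedure_byte(tpdu: bytes, raw: bytes) -> tuple[bytes, int, int]:
    """Split a T=0 reply into (data, SW1, SW2).

    Under T=0 the card may prefix its data with a procedure byte equal to INS
    ("transfer all remaining bytes"); a bare SW1 SW2 is also legal. The other
    procedure-byte forms (INS^FF, 0x60 NULL) do not occur in this trace.
    """
    if len(raw) < 2:
        raise ValueError("reply shorter than SW1 SW2")
    if len(raw) > 2 and raw[0] == tpdu[1]:
        raw = raw[1:]
    return raw[:-2], raw[-2], raw[-1]


def transmit(card, apdu: bytes, get_response_cla: int = 0x00) -> tuple[bytes, int, int]:
    """Send an APDU and fetch deferred data when the card answers 9F xx (GSM) or 61 xx (ISO)."""
    data, sw1, sw2 = strip_procedure_byte(apdu, card(apdu))
    if sw1 in (0x9F, 0x61):
        get_resp = bytes([get_response_cla, 0xC0, 0x00, 0x00, sw2])
        more, sw1, sw2 = strip_procedure_byte(get_resp, card(get_resp))
        data += more
    return data, sw1, sw2


FILE_TYPES = {0x01: "MF", 0x02: "DF"}


def chv_status(b: int) -> dict:
    """GSM 11.11 CHV status byte: b8 = secret code initialised, b1..b4 = attempts left."""
    return {"initialised": bool(b & 0x80), "attempts_left": b & 0x0F}


def parse_select_mf_df(resp: bytes) -> dict:
    """Decode the SELECT response for an MF/DF (GSM 11.11 §9.2.1, 1-based byte numbers in comments)."""
    if len(resp) < 22 or resp[6] not in FILE_TYPES:
        raise ValueError("not a GSM 11.11 MF/DF SELECT response")
    return {
        "free_memory": int.from_bytes(resp[2:4], "big"),  # bytes 3-4: unallocated memory
        "file_id": resp[4:6].hex().upper(),               # bytes 5-6
        "file_type": FILE_TYPES[resp[6]],                 # byte 7
        "clock_stop_allowed": bool(resp[13] & 0x01),      # byte 14, b1
        "chv1_enabled": not (resp[13] & 0x80),            # byte 14, b8 set = CHV1 disabled
        "child_dfs": resp[14],                            # byte 15
        "child_efs": resp[15],                            # byte 16
        "num_chvs": resp[16],                             # byte 17
        "chv1": chv_status(resp[18]),                     # byte 19
        "unblock_chv1": chv_status(resp[19]),             # byte 20
        "chv2": chv_status(resp[20]),                     # byte 21
        "unblock_chv2": chv_status(resp[21]),             # byte 22
    }


def select_mf(card=replay_card) -> dict:
    """SELECT the master file and return its decoded status record."""
    data, sw1, sw2 = transmit(card, SELECT_MF)
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError(f"SELECT MF failed, SW={sw1:02X}{sw2:02X}")
    return parse_select_mf_df(data)


if __name__ == "__main__":
    print(select_mf())
```

Decoded, the 22 bytes say: MF 3F00, 2 child DFs, 15 child EFs, CHV1 enabled and initialised with 3 attempts remaining, 10 remaining for UNBLOCK CHV1. The practical point is that all of this is readable before any PIN is presented: check attempts_left here before issuing a single VERIFY CHV, because three consecutive wrong CHV1 presentations block the card and ten wrong unblock attempts leave it permanently blocked.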


EMV originally stood for "Europay, Mastercard, Visa", the three companies that defined the standard for chip-based contact and contactless payment; it is maintained today by EMVCo.

[usb] pm3 --> emv
help              This help          
exec              Executes EMV contactless transaction.          
pse               Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.          
search            Try to select all applets from applets list and print installed applets.          
select            Select applet.          
gpo               Execute GetProcessingOptions.          
readrec           Read files from card.          
genac             Generate ApplicationCryptogram.          
challenge         Generate challenge.          
intauth           Internal authentication.          
scan              Scan EMV card and save it contents to json file for emulator.          
test              Crypto logic test.          
list              List ISO7816 history          
roca              Extract public keys and run ROCA test       

With the built-in smartcard chip reader, the EMV commands can now be run not only contactless but also over the contact interface. All the commands accept the parameter -w (--wired), which sends the APDUs via the ISO 7816 contact interface instead of the default contactless one:

[usb] pm3 --> emv exec --help
Usage: emv exec [-h|-H|--help] [-s|-S|--select] [-a|-A|--apdu] [-t|-T|--tlv] [-j|-J|--jload] [-f|-F|--forceaid] By default: [-v|-V|--qvsdc] [-c|-C|--qvsdccda] [-x|-X|--vsdc] [-g|-G|--acgpo] [-w|-W|--wired] 
Executes EMV contactless transaction 

    -h, -H, --help       This help
    -s, -S, --select     activate field and select card.
    -a, -A, --apdu       show APDU reqests and responses.
    -t, -T, --tlv        TLV decode results.
    -j, -J, --jload      Load transaction parameters from `emv_defparams.json` file.
    -f, -F, --forceaid   Force search AID. Search AID instead of execute PPSE.
    By default:          Transaction type - MSD
    -v, -V, --qvsdc      Transaction type - qVSDC or M/Chip.
    -c, -C, --qvsdccda   Transaction type - qVSDC or M/Chip plus CDA (SDAD generation).
    -x, -X, --vsdc       Transaction type - VSDC. For test only. Not a standard behavior.
    -g, -G, --acgpo      VISA. generate AC from GPO.
    -w, -W, --wired      Send data via contact (iso7816) interface. Contactless interface set by default.

	emv exec -sat -> select card, execute MSD transaction, show APDU and TLV
	emv exec -satc -> select card, execute CDA transaction, show APDU and TLV

Used Hardware

Proxmark3 RDV4 Kit