Proxmark3 RDV4: SmartCard
Summary
The Proxmark3 RDV4 comes with a built-in smartcard chip reader that allows reading data from and sending data to a smartcard. A smartcard chip is a small, passively powered microprocessor that can be used in many ways. Most commonly it provides some type of identification and can store a small amount of data. These chips are usually built with security in mind and only allow communication over the contact plates.
Requirements
- Proxmark3 RDV4
- Some Smartcards
Setup
Hidden under the lid of the Proxmark3 RDV4 you can find a smartcard reader. You can insert a smartcard directly into the slot, or insert it into the optional smartcard extender that accepts full-size card formats.
SC-Command
SC stands for smartcard and allows communication over the metal chip contact plates. The protocol used for communication is defined by the ISO/IEC 7816 standard.
A very informative and high-level introduction can be found here: data-extraction from chip
At the moment the following commands are present on the Proxmark3 RDV4:
[usb] pm3 --> sc help
help      This help
list      List ISO 7816 history
info      Tag information
reader    Act like an IS07816 reader
raw       Send raw hex data to tag
upgrade   Upgrade sim module firmware
setclock  Set clock speed
brute     Bruteforce SFI
At the moment there are not many specific commands available, as this feature is rather new. The two main commands are sc info, which reads the ATR (answer to reset) of the smartcard, and sc raw, which sends commands and data to the chip so you can interact with it.
I tested the sc info command on an Austrian e-card:
[usb] pm3 --> sc info
[=] --- Smartcard Information ---------
[=] -------------------------------------------------------------
[=] ISO7618-3 ATR : 3B DD 96 FF 81 B1 FE 45 1F 03 80 xx xx xx xx xx xx xx xx xx xx xx 05 18
[=] http://smartcard-atr.appspot.com/parse?ATR=3BDD96FF81B1FE451F0380xxxxxxxxxxxxxxxxxxxxxx0518
[=] ATR
    - TA1 (Maximum clock frequency, proposed bit duration) [ 0x96 ]
    - TC1 (Extra delay between bytes required by card) [ 0xff ]
    - TD1 (First offered transmission protocol, presence of TA2..TD2) [ 0x81 ] Protocol T1
    - TD2 (A supported protocol or more global parameters, presence of TA3..TD3) [ 0xb1 ] Protocol T1
    - TA3: 0xfe
    - TB3: 0x45
    - TD3 [ 0x1f ] Protocol T15
    - TA4: 0x03
[=] Checksum OK.
[=] Historical bytes | len 0x13 | format 80
[=] Historical bytes 00: 80 xx xx xx xx xx xx xx xx xx xx xx 05
[=] D/F (TA1)
    - Di 32
    - Fi 512
    - F 5,0 MHz
    - Cycles/ETU 16
    - 250000,0 bits/sec at 4 MHz
    - 312500,0 bits/sec at Fmax (5,0MHz)
Following the web link we get the additional information that the smartcard is probably running the operating system StarCOS 3.4.
On the website https://smartcard-atr.apdu.fr/ this ATR is listed as: Austrian "e-card" G3 (State Health Insurance Card) (running StarCOS 3.4 by Giesecke & Devrient)
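The sc info output above is the Proxmark3 client walking the ATR structure defined in ISO/IEC 7816-3. As an added example (not Proxmark3 client code), the following Python parser does the same walk: it reads TS and T0, follows the TA/TB/TC/TD interface-byte groups as long as a TD byte announces another group, collects the historical bytes, verifies TCK where the standard requires it, and decodes Fi/Di from TA1 into the cycles/ETU and bit rates that the client printed. The two inputs are constructed from this page: the SIM ATR exactly as the sc list trace below recorded it, and the e-card ATR with its masked xx bytes replaced by 0x00 placeholders, which is why its checksum cannot verify here.

```python
from __future__ import annotations

# Added example, not Proxmark3 client code: a minimal ISO/IEC 7816-3 ATR
# parser that walks TS, T0, the TA/TB/TC/TD interface-byte groups and the
# historical bytes, verifies TCK when it must be present, and decodes Fi/Di
# from TA1 the way the 'sc info' output does.

# ISO 7816-3 tables indexed by the TA1 nibbles: clock rate conversion integer
# Fi with its maximum frequency f(max) in MHz, and baud rate adjustment
# integer Di. None marks values reserved for future use.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
FMAX_TABLE = [4.0, 5.0, 6.0, 8.0, 12.0, 16.0, 20.0, None, None,
              5.0, 7.5, 10.0, 15.0, 20.0, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]

# Constructed inputs: the SIM ATR exactly as the 'sc list' trace recorded it,
# and the e-card ATR from 'sc info' with its masked "xx" bytes replaced by
# 0x00 placeholders (so its TCK cannot verify here).
SIM_ATR = bytes.fromhex("3b3f96008069af033d00c60000000e831e9f16")
ECARD_ATR_MASKED = bytes.fromhex("3BDD96FF81B1FE451F0380" + "00" * 11 + "0518")


def parse_atr(atr: bytes) -> dict:
    """Split an ATR into interface bytes, offered protocols, historical bytes and TCK."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse convention)")
    res = {"TS": atr[0], "interface": {}, "protocols": [],
           "historical": b"", "TCK": None, "tck_ok": None}
    t0 = atr[1]
    hist_len = t0 & 0x0F          # K: number of historical bytes
    y = t0 >> 4                   # Y1: presence bits for TA1, TB1, TC1, TD1
    pos, group = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                res["interface"][f"{name}{group}"] = atr[pos]
                pos += 1
        td = res["interface"].get(f"TD{group}")
        if td is None:
            break                 # no TD(i): no further interface group
        res["protocols"].append(td & 0x0F)   # T indicator (T=15 = global bytes)
        y, group = td >> 4, group + 1
    if pos + hist_len > len(atr):
        raise ValueError("ATR truncated inside historical bytes")
    res["historical"] = atr[pos:pos + hist_len]
    pos += hist_len
    # TCK is present unless T=0 is the only protocol indicated (ISO 7816-3).
    if any(t != 0 for t in res["protocols"]):
        if pos >= len(atr):
            raise ValueError("ATR truncated: TCK expected")
        res["TCK"] = atr[pos]
        xor = 0
        for b in atr[1:pos + 1]:  # T0 through TCK inclusive must XOR to zero
            xor ^= b
        res["tck_ok"] = xor == 0
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes after ATR")
    return res


def decode_ta1(ta1: int) -> dict:
    """Fi, Di, f(max), cycles per ETU and the resulting bit rates for a TA1 byte."""
    fi, fmax, di = FI_TABLE[ta1 >> 4], FMAX_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    if fi is None or di is None:
        raise ValueError("TA1 uses a reserved Fi or Di code")
    cycles_per_etu = fi // di
    return {"Fi": fi, "Di": di, "fmax_mhz": fmax, "cycles_per_etu": cycles_per_etu,
            "bps_at_4mhz": 4_000_000 / cycles_per_etu,
            "bps_at_fmax": fmax * 1_000_000 / cycles_per_etu}


if __name__ == "__main__":
    for label, atr in (("A1 SIM", SIM_ATR), ("e-card (masked)", ECARD_ATR_MASKED)):
        info = parse_atr(atr)
        print(label, {k: (v.hex() if isinstance(v, bytes) else v) for k, v in info.items()})
        if "TA1" in info["interface"]:
            print("  TA1 ->", decode_ta1(info["interface"]["TA1"]))
```

Running it reproduces the client's figures for TA1 = 0x96 (Fi 512, Di 32, 16 cycles/ETU, 250000 bit/s at 4 MHz and 312500 bit/s at 5 MHz) and shows why the SIM ATR carries no TCK: with no TD1 byte only T=0 is offered, so the checksum is not transmitted. The e-card ATR chains three TD bytes (T=1, T=1, then T=15 for the global interface bytes), which is exactly the TD1/TD2/TD3 sequence in the sc info listing.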
I had an old SIM card (GSM SIM card of the Austrian provider A1) lying around and tested the sc raw command.
For a high-level overview of SIM card commands and responses I recommend:
- http://rebelsimcard.com/sim-commands.html
- http://rebelsimcard.com/what-is-an-apdu.html
- http://rebelsimcard.com/sim-file-system.html
[usb] pm3 --> sc raw s t d A0 A4 00 00 02 3F 00
[+] 9F16 | Command successfully executed; 'xx' bytes of data are available and can be requested using GET RESPONSE.
[=] Requesting 0x16 bytes response
[+] 9000 | Command successfully executed (OK).
[!] TLV ERROR: Can't parse response as TLV tree.
[usb] pm3 --> sc list
[+] Recorded activity (trace len = 109 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO7816-4 / Smartcard - Timings N/A yet
Start | End | Src | Data (! denotes parity error)                         | CRC | Annotation
------+-----+-----+-------------------------------------------------------+-----+--------------------
    0 |   0 | Tag | 3b 3f 96 00 80 69 af 03 3d 00 c6 00 00 00 0e 83 1e 9f |     |
      |     |     | 16                                                    |     |
    0 |   0 | Rdr | a0 a4 00 00 02 3f 00                                  |     | R-block ACK
    0 |   0 | Tag | a4 9f 16                                              |     |
    0 |   0 | Rdr | 00 c0 00 00 16                                        |     | GET RESPONSE
    0 |   0 | Tag | c0 00 00 59 09 3f 00 01 00 00 00 00 00 09 13 02 0f 08 |     |
      |     |     | 00 83 8a 83 8a 90 00                                  |     |
I sent the Request-Block command A0 A4 00 00 02 and appended 3F 00, which tells the chip that I want to read out the file at the destination 0x3F00.
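The exchange in the trace above is a classic T=0 two-step: the SELECT returns status 9F 16 (22 bytes waiting), the reader fetches them with GET RESPONSE, and the card answers with the fixed-format record that GSM 11.11 defines for a selected MF/DF, which is why the client could not read it as a TLV tree. The following Python is an added example, not Proxmark3 client code: it builds the same APDUs, acts on the 9Fxx status word, and decodes the 22 data bytes (free memory, file id and type, number of child DFs/EFs, and the CHV/PIN retry counters). The ScriptedSim class is a constructed stand-in that replies with the bytes from the trace; a real client would hand each APDU to sc raw instead.

```python
from __future__ import annotations

# Added example, not Proxmark3 client code: build the T=0 SELECT APDU that
# 'sc raw' sent, act on the 9Fxx status word with GET RESPONSE, and decode
# the GSM 11.11 answer to SELECT of the MF exactly as the 'sc list' trace
# recorded it. Byte positions follow GSM 11.11 section 9.2.1.

# Constructed from the trace: the 0x16 data bytes the card returned to
# GET RESPONSE, without the procedure byte and the 90 00 status.
MF_RESPONSE = bytes.fromhex("000059093f000100000000000913020f0800838a838a")

FILE_TYPES = {0x01: "MF", 0x02: "DF", 0x04: "EF"}


def build_select(file_id: int, cla: int = 0xA0) -> bytes:
    """Case-3 APDU CLA INS P1 P2 Lc DATA; GSM SIMs use CLA A0 and INS A4."""
    return bytes([cla, 0xA4, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")


def build_get_response(length: int, cla: int = 0x00) -> bytes:
    """Case-2 APDU GET RESPONSE (INS C0); Le is the count the card announced."""
    return bytes([cla, 0xC0, 0x00, 0x00, length & 0xFF])


def interpret_sw(sw1: int, sw2: int) -> str:
    """Map the status words seen in this kind of exchange to a short verdict."""
    if (sw1, sw2) == (0x90, 0x00):
        return "ok"
    if sw1 in (0x9F, 0x61):       # 9Fxx on GSM SIMs, 61xx in ISO 7816-4
        return f"{sw2} response bytes available, send GET RESPONSE"
    if (sw1, sw2) == (0x6A, 0x82):
        return "file not found"
    return f"unhandled status {sw1:02X}{sw2:02X}"


def decode_chv_status(b: int) -> dict:
    """GSM 11.11: b8 = secret code initialised, b1..b4 = false presentations left."""
    return {"initialised": bool(b & 0x80), "attempts_left": b & 0x0F}


def decode_select_df_response(data: bytes) -> dict:
    """Decode the 22-byte answer to SELECT of an MF or DF (GSM 11.11 9.2.1)."""
    if len(data) < 22:
        raise ValueError("too short for an MF/DF SELECT response")
    return {
        "free_memory": int.from_bytes(data[2:4], "big"),   # bytes 3-4
        "file_id": int.from_bytes(data[4:6], "big"),       # bytes 5-6
        "file_type": FILE_TYPES.get(data[6], f"unknown {data[6]:#04x}"),
        "gsm_specific_len": data[12],                      # byte 13
        "file_characteristics": data[13],                  # byte 14
        "child_dfs": data[14],                             # byte 15
        "child_efs": data[15],                             # byte 16
        "num_codes": data[16],                             # byte 17
        "CHV1": decode_chv_status(data[18]),               # byte 19
        "UNBLOCK_CHV1": decode_chv_status(data[19]),       # byte 20
        "CHV2": decode_chv_status(data[20]),               # byte 21
        "UNBLOCK_CHV2": decode_chv_status(data[21]),       # byte 22
    }


class ScriptedSim:
    """Constructed stand-in for the card: answers as the A1 SIM did in the trace.
    A real client would hand each APDU to 'sc raw' instead."""

    def __init__(self) -> None:
        self.pending = b""

    def transmit(self, apdu: bytes) -> tuple[bytes, int, int]:
        ins = apdu[1]
        if ins == 0xA4 and apdu[5:7] == b"\x3f\x00":
            self.pending = MF_RESPONSE
            return b"", 0x9F, len(self.pending)           # 9F 16
        if ins == 0xC0 and self.pending:
            data, self.pending = self.pending[:apdu[4]], b""
            return data, 0x90, 0x00
        return b"", 0x6A, 0x82                             # anything else: not found


def select_file(card, file_id: int) -> tuple[bytes, str]:
    """SELECT, then fetch the deferred response if the card announced one."""
    data, sw1, sw2 = card.transmit(build_select(file_id))
    if sw1 in (0x9F, 0x61):
        data, sw1, sw2 = card.transmit(build_get_response(sw2))
    return data, interpret_sw(sw1, sw2)


if __name__ == "__main__":
    sim = ScriptedSim()
    data, status = select_file(sim, 0x3F00)
    print(status, data.hex())
    for key, val in decode_select_df_response(data).items():
        print(f"  {key}: {val}")
```

Decoded, the trace says the MF has two child DFs and fifteen child EFs, and the bytes 83 8A 83 8A at the end are the CHV status fields: CHV1 is initialised with 3 attempts left and its unblock code has 10, the usual state of a SIM that has never had a wrong PIN entered. Those counters are the part of the response worth watching when auditing a card, since they drop after each failed PIN presentation.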
EMV-Command
EMV originally stood for "Europay, Mastercard, Visa", the three companies that defined the standard for contact and contactless payments.
[usb] pm3 --> emv help
help       This help
exec       Executes EMV contactless transaction.
pse        Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory.
search     Try to select all applets from applets list and print installed applets.
select     Select applet.
gpo        Execute GetProcessingOptions.
readrec    Read files from card.
genac      Generate ApplicationCryptogram.
challenge  Generate challenge.
intauth    Internal authentication.
scan       Scan EMV card and save it contents to json file for emulator.
test       Crypto logic test.
list       List ISO7816 history
roca       Extract public keys and run ROCA test
With the addition of the smartcard chip reader, it is now possible to run these commands not only wirelessly but also over the wired contact interface. All the commands can be invoked with the parameter -w:
[usb] pm3 --> emv exec --help
Usage: emv exec [-h|-H|--help] [-s|-S|--select] [-a|-A|--apdu] [-t|-T|--tlv] [-j|-J|--jload] [-f|-F|--forceaid] By default: [-v|-V|--qvsdc] [-c|-C|--qvsdccda] [-x|-X|--vsdc] [-g|-G|--acgpo] [-w|-W|--wired]
Executes EMV contactless transaction
    -h, -H, --help       This help
    -s, -S, --select     activate field and select card.
    -a, -A, --apdu       show APDU reqests and responses.
    -t, -T, --tlv        TLV decode results.
    -j, -J, --jload      Load transaction parameters from `emv_defparams.json` file.
    -f, -F, --forceaid   Force search AID. Search AID instead of execute PPSE.
By default: Transaction type - MSD
    -v, -V, --qvsdc      Transaction type - qVSDC or M/Chip.
    -c, -C, --qvsdccda   Transaction type - qVSDC or M/Chip plus CDA (SDAD generation).
    -x, -X, --vsdc       Transaction type - VSDC. For test only. Not a standard behavior.
    -g, -G, --acgpo      VISA. generate AC from GPO.
    -w, -W, --wired      Send data via contact (iso7816) interface. Contactless interface set by default.
Usage:
    emv exec -sat  -> select card, execute MSD transaction, show APDU and TLV
    emv exec -satc -> select card, execute CDA transaction, show APDU and TLV
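The -t/--tlv option, and the "TLV ERROR" that the SIM experiment above produced, both come down to BER-TLV parsing: EMV responses (PPSE and application FCIs, GPO and READ RECORD data) are TLV trees, while the GSM 11.11 SELECT answer is a fixed-format record and is not. As an added example (not Proxmark3 client code), here is a strict BER-TLV parser in Python that handles multi-byte tags such as BF0C and 5F2D, long-form lengths, and nested constructed tags. The sample inputs are constructed: a PPSE FCI for 2PAY.SYS.DDF01 listing a single application entry (the AID in it is the well-known Visa AID, used only as sample data), and the data bytes of the SIM's SELECT MF answer taken from the sc list trace, which the parser must reject.

```python
from __future__ import annotations

# Added example, not Proxmark3 client code: a strict BER-TLV parser of the
# kind behind 'emv exec -t' and behind the "TLV ERROR" message in the SIM
# experiment. It handles multi-byte tags (9F38, BF0C, ...), multi-byte
# lengths (81 xx, 82 xx xx) and recurses into constructed tags.

class TlvError(ValueError):
    pass


# Constructed PPSE select response:
# 6F { 84 "2PAY.SYS.DDF01", A5 { BF0C { 61 { 4F <AID>, 87 01 } } } }
PPSE_FCI = bytes.fromhex(
    "6F23840E325041592E5359532E4444463031A511BF0C0E610C4F07A0000000031010870101")
# Constructed from the 'sc list' trace: data bytes of the SIM's SELECT MF answer.
SIM_MF_RESPONSE = bytes.fromhex("000059093f000100000000000913020f0800838a838a")


def _read_tag(data: bytes, pos: int) -> tuple[int, bool, int]:
    """Return (tag number, is_constructed, next position)."""
    start = pos
    first = data[pos]
    if first in (0x00, 0xFF):
        raise TlvError(f"byte {first:02X} at offset {pos} is not a valid tag")
    pos += 1
    if first & 0x1F == 0x1F:                 # subsequent tag bytes follow
        while True:
            if pos >= len(data):
                raise TlvError("truncated multi-byte tag")
            pos += 1
            if not data[pos - 1] & 0x80:     # last subsequent byte has b8 clear
                break
    return int.from_bytes(data[start:pos], "big"), bool(first & 0x20), pos


def _read_length(data: bytes, pos: int) -> tuple[int, int]:
    """Return (length, next position); short form or definite long form only."""
    if pos >= len(data):
        raise TlvError("missing length")
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos                    # short form
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(data):
        raise TlvError("indefinite, oversized or truncated length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_tlv(data: bytes, pos: int = 0, end: int | None = None) -> list:
    """Parse data[pos:end] into a list of {"tag", "value"} nodes; constructed
    tags carry a nested list as value, primitive tags carry bytes."""
    end = len(data) if end is None else end
    nodes = []
    while pos < end:
        tag, constructed, pos = _read_tag(data, pos)
        length, pos = _read_length(data, pos)
        if pos + length > end:
            raise TlvError(f"tag {tag:X} claims {length} bytes past the end of its parent")
        value = parse_tlv(data, pos, pos + length) if constructed else data[pos:pos + length]
        nodes.append({"tag": tag, "value": value})
        pos += length
    return nodes


def find_tag(nodes: list, tag: int):
    """Depth-first search for the first occurrence of a tag; None if absent."""
    for node in nodes:
        if node["tag"] == tag:
            return node["value"]
        if isinstance(node["value"], list):
            hit = find_tag(node["value"], tag)
            if hit is not None:
                return hit
    return None


def is_tlv(data: bytes) -> bool:
    """True when the whole buffer parses as a well-formed BER-TLV sequence."""
    try:
        parse_tlv(data)
        return True
    except TlvError:
        return False


def dump(nodes: list, depth: int = 0) -> None:
    for node in nodes:
        if isinstance(node["value"], list):
            print("  " * depth + f"{node['tag']:X}")
            dump(node["value"], depth + 1)
        else:
            print("  " * depth + f"{node['tag']:X}: {node['value'].hex()}")


if __name__ == "__main__":
    dump(parse_tlv(PPSE_FCI))
    print("SIM MF response is TLV:", is_tlv(SIM_MF_RESPONSE))
```

Rejecting a leading 00 or FF byte is deliberate: EMV allows those values only as padding between records, never as a tag, so treating them as tags would let a malformed or truncated response parse as something it is not. The SIM response fails on its very first byte, which is the compact explanation of the client's "Can't parse response as TLV tree" line.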