4

I have a simple JavaCard applet installed on my SIM card. I try to communicate with my applet using Omnikey 5121 CL reader and NFC-enabled Sony Xperia L through NFC/SWP (single wire protocol).

The problem is I cannot select the applet - as a status word I get 6999. The LED light is turned on, so I suppose there is some communication between reader and the SIM card. Moreover, I cannot select my security domain either.

However, when I put the SIM card into a standard contact smartcard reader, everything works fine.

Is there any extra configuration of Android OS, SIM card, NFC modem etc. I have to setup before communicating with SIM card over NFC? Any ideas?

More information:

ATR of SIM accessed in the contact way:

3B9F96C00A3FC6A08031E073FE211F65D001900F3B810FE6

ATR (generated by PCSC from ATS) of SIM accessed over NFC in the contactless way:

3B8880010000000000817000F8

My INSTALL for INSTALL APDU: (worked, finally!)

80E6040C32 //CLA INS P1 P2 Lc
0CF0AAAAAAAAAAAAAAAABBBBBB // AIDs
09F0AAAAAAAAAAAAAAAA
09F0AAAAAAAAAAAAAAAA
01
 00 //privileges
0B //length of parameters
 EF07 //system parameters
  A005A5038201FF
 C900 //applet parameters
00
vojta
  • 5,591
  • 2
  • 24
  • 64
  • 1
    Isn't related with PIN verification? – Ebrahim Ghasemi May 26 '15 at 13:22
  • @Abraham I don't know much about that... Could you please be more specific? – vojta May 26 '15 at 13:24
  • Actually I'm not sure about that. But one of the situations that you receive 0x6999 instead of 0x9000 is when the card need a PIN verification and you ignore it. I just guessed that maybe this PIN verification is enabled on your SIM.when you insert the SIM in the mobile phone reader(for example) in the turning on step you enter the PIN and verify it, so you can select the CM and the applets. But when you use the above reader, you forget to do the verification and so you can't select them. btw its just an idea! ;) – Ebrahim Ghasemi May 26 '15 at 13:37
  • @Abraham thanks, interesting idea. However, it works in the smartcard reader (no phone involved, no PIN verified) and it does not work in the phone (PIN verified successfully at phone boot-time)... – vojta May 26 '15 at 13:40
  • 1
    Isn't it a dual chip dual interface smart card? (I think the name is Combo or Hybrid card) In this kind of cards when you install applet through the contact interface, the applet install on the chip1 and when you install it through the contact-less interface, the applet install on chip2. So if you install it through contact interface, you can't select it through contact-less interface. – Ebrahim Ghasemi May 26 '15 at 15:00
  • 3
    Did you make the applet selectable through the contactless (SWP) interface? (In the Contactless Protocol Parameters of the ISTALL FOR INSTALL MAKE SELECTABLE command) – Michael Roland May 26 '15 at 15:56
  • @MichaelRoland He can not select the Security Domain either. I think it means that origin of the problem is not that parameters, right? – Ebrahim Ghasemi May 26 '15 at 16:15
  • 2
    The security domain not being selectable over the contactless interface is not unusual for a SIM card. – Michael Roland May 26 '15 at 16:20
  • @MichaelRoland thanks, I did not actually! However, I cannot install the applet through SWP, because I cannot select the SD. Can I do it somehow through the contact interface? – vojta May 26 '15 at 16:41
  • 1
    As I wrote before, you have to set the proper Contactless Protocol Parameters in the INSTALL FOR INSTALL MAKE SELECTABLE command (or by doing a registry update). Sure you would do that over whatever interface you use for card/applet management (hence, the contact interface in your case). See Global Platform Card specification Amendment C for further details. – Michael Roland May 26 '15 at 18:12
  • @MichaelRoland Thanks! I try to provide the contactless protocol parameters, but I still get 6999 through contactless interface. Could you please have a look at my INSTALL for INSTALL APDU I added to my question? I am not really sure about values in B0 tag... Is there any "default" way to fill them? – vojta May 27 '15 at 08:49
  • Is there any APP or system service needed when using the SIM card? As far as i known, you need APP or system service to receive NFC apdu command and forward it to the SIM card, and send apdu response to NFC when received from SIM card. – JavaCardOS May 27 '15 at 09:09
  • @Ellisun Thanks to SWP no application is needed - SWP forwards the communication from NFC modem to SIM. – vojta May 27 '15 at 09:22
  • 1
    @MichaelRoland It works!!! I can select my applet!!! Thank you so much, you really saved my day! Please, post your comment as an answer, I would like to accept it. – vojta May 27 '15 at 10:12
  • @vojta I have 2 questions. Are these APDUs sent to ISD? when I do so it returns 6A 80 (wrong data!) meaning that I'm sending wrong TLV data field. Why your P1 is 04 I think it should be 40 and why privilege is 00, is it a security domain? – MJay Dec 15 '20 at 07:24
  • @vojta in your INSTALL for INSTALL APDU, How did you select P2 parameter? according to GP spec, INSTALL for INSTALL (80 E6 ...) P2 parameter can only have three values (00 or 01 or 03). – MJay Feb 14 '21 at 07:48
  • @vojta and another question, what is `A5` tag used in system parameters? can you help me find the reference? I searched in GP and GP amendment C – MJay Feb 16 '21 at 12:00

1 Answers1

4

Receiving status code 6999 in response to the SELECT (by AID) command is a clear indication that the applet was not found/not selectable. If the applet has been installed and is selectable (using the same AID) over the contact interface of the UICC/SIM card, then it is likely not made selectable over the SWP (contactless) interface. Typically secure elements allow to selectively enable/disable applets for specific interfaces (in addition to this, applets can detect over which interface they are selected and can react accordingly).

Applets typically need to be explicitly made selectable over the contactless interface by setting the Contactless Protocol Parameters in the INSTALL (for MAKE SELECTABLE) command (or later on by doing a registry update). See Amendment C to the Global Platform Card specification for further details.

Btw. the security domain not being selectable over the contactless interface is not unusual for a SIM card. Card management is typically restricted to the contact interface for security reasons. (Card management over the contactless interface is typically not used in production environments anyways.)

Michael Roland
  • 39,663
  • 10
  • 99
  • 206