-1

I need your help in order to verify the PIN of a smart card. I am using Python and pyscard. I understood that I have to use an APDU command and that I have to send it using ScardTransmit() but I cannot find which APDU to use. For Example:

SCardTransmit(hcard,dwActiveProtocol, 
              [0x00, 0x20, 0x00, 0x01, 0x06, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x00])

(so with PIN=123456) will return a mere 6A 88 - Referenced data not found

I was wondering: is there a way to get some hints about the commands to use with a particular smart card looking at its ATR? i.e.: the command "20" in INS field (APDU is composed by CLA, INS P1, P2, DATA) is what ISO define to verify the PIN, but how to understand if I'm doing something wrong?

Thanks.

P.S.: by the way, with P2="00" I get 6A 83, record not found.

Bya
  • 55
  • 1
  • 12

3 Answers3

1

This may assist... when it comes to GSM cards we always use a data length of 8 bytes i.e. VERIFY_CHV = [0xA0, 0x20, 0x00, 0x01, 0x08]

The PIN data that follows is padded with 0xFF depending on the actual pin length. i.e. if pin = 123456 then LJUST_PIN_HEX = [0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0xFF, 0xFF ]

The APDU would then be VERIFY_CHV + LJUST_PIN_HEX

QuickPrototype
  • 833
  • 7
  • 18
0

Your APDU would be correct IFF your smart card application (the DF you selected beforehand) had a PIN with ID 1 (which you gave in P2). You can set the most significant bit to tell the command to search PIN 1 in the MF.

ALe
  • 156
  • 1
  • 4
  • Wait: is there a way to understand which command to send to the smart card? maybe reading the ATR? I will have to deal with many different types of smart card and I would like to develop a "general" tool able to do two "simple" things: read the PAN (serial number of the card) and verify the pin. – Bya Mar 27 '17 at 11:59
  • Please #ALe, is there a doc where I could find some info about what is a DF, how to select it and what is a MF? I'm really a newbie about smart cards... I tried to guess the right codes with a for loop, but it didn't work. All I need is to build something like a general application in python in order to verify the pin and get the PAN, if you would kindly tell me where and what to study I'd really appreciate it... – Bya Mar 28 '17 at 13:23
  • @Bya: No the ATR is by no means sufficient (but may give a weak hint); a starting point is ISO 7816, part 4 as well as most of the beginners question here in [smartcard]. – guidot Mar 28 '17 at 15:15
  • thanks @guidot, I had a look at the [ISO7816-4](http://techmeonline.com/most-used-smart-card-commands-apdu/) but really none of the commands work except for the CLA 84 -> get a random number... quite unuseful in my case. – Bya Mar 29 '17 at 08:50
0

Which PINs exist (may also be none at all), and in case of a card having a file system, in which DFs they live, is defined by personalization of the card. Without further details answers must be very general, e.g. try different P2 values (upto 0x1F).

On the other hand, as soon as the PIN has been verified, you are unlikely to make further progress without detailed information concerning the card personalization, so may start to get that right now.

guidot
  • 5,095
  • 2
  • 25
  • 37
  • Thank you. I tried every possible P2 value using `for l in range(255): hresult, response = SCardTransmit(hcard, dwActiveProtocol, [0x00, 0x20, 0x00, int(hex(l), 16), 0x06, 0x31, 0x37, 0x30, 0x32, 0x37, 0x35, 0x02])` but none worked. I know that the card has a PIN because I can access it through my java applet. – Bya Mar 28 '17 at 13:26
  • You convert l to hex and then back to an integer? Your card may use a CLA byte different from zero. – guidot Mar 28 '17 at 15:17
  • `int(hex(l), 16)` will convert to an object of int class, but in base 16. Thank you @guidot, thanks to what you are telling me I can now understand that there is no mean (except the user manual, which is specific for each card...) to understand how to communicate with a smart card... – Bya Mar 29 '17 at 08:47