Info on Authenticating with the Secure Element

[phoenix__]

After locking myself our of one 6131 phone, and coming very close to doing the same with a second I thought I'd post a bit about my experience.

It's mentioned in the SDK User Guide however **Do not try and authenticate more than 10 times incorrectly. This will lock the element and prevent adding/deleting permenantly. There is no way Nokia can unlock this. **

Once the unlock midlet has been obtained and run through the phone, the following information is known (from the SDK User Guide):
ENC, MAC and KEY keys are all "404142434445464748494A4B4C4D4E4F".
The Keyset is "42".
Authentication must be done with "ENC & MAC" , which is Secure Channel Protocol 02 (SCP02)
The card follows GlobalPlatform specificaion 2.1.1

In order to talk to the secure element, APDUs must be sent, however it is not practical to just send these straight to the phone - some deployment tool must be used. I was unable to get the Sun JCDK (Java Card Development Kit) to interact with my cardreader (Cardman 5321), a co-worker had JLoad by Giesecke & Devrient, however this was too old to support spec 2.1.1 and the Sm@rtCafe toolkit is very expensive.

The GlobalPlatform sourceforce project (http://sourceforge.net/projects/globalplatform/) isn't directly related to the GlobalPlatform specification although does try and implement it. The latest GPShell tool does support spec 2.1.1 however it seems to have issues with the SCP02 (Check the mailing list for some thoughts, however I didn't fully understand it all).

JCOP is the tool that most people seem to talk about, however is also the hardest to obtain. IBM were working on it, however it is now tranfered to NXP - all requests are to be sent to NXP and I haven't heard of anyone actually getting a response from them. I eventually came across the site http://www.cs.ru.nl/~erikpoll/ooti2007/env_setup.txt which includes a working link to a download site. The easiest way to activate the plugin is to purchase a JCOP Engineering Sample Card - I got one from www.motechno.com for 50Euro; based in Germany but they do ship internationally starting at 9Euro (next day via FedEx is 29Euro). They don't actually list the card as a product on the site but e-mail them and they will confirm cost and provide a paypal link to send payment.

Once JCOP is activated bring up the JCOP shell and connect to Terminal (left icon on the top right), put the phone on the reader (activate secure application) and type in "/card"
> /card
--Waiting for card...
ATR=3B 88 80 01 00 73 C8 40 13 00 90 00 71 ;....s.@....q
ATR: T=0, T=1, Hist=0073C84013009000
=> 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
(38813 usec)
<= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
01 FF 90 00 ....
Status: No Error

Then set the 3 different keys:
"set-key 42/1/DES-ECB/404142434445464748494A4B4C4D4E4F 42/2/DES-ECB/404142434445464748494A4B4C4D4E4F 42/3/DES-ECB/404142434445464748494A4B4C4D4E4F"

Start the authentication process with "init-update 42":
cm> init-update 42
=> 80 50 2A 00 08 C6 1E FE E6 7E 82 C8 5E 00 .P*......~..^.
(114726 usec)
<= 00 00 63 42 80 07 F6 A8 01 09 2A 02 00 0A FB 59 ..cB......*....Y
58 D6 62 71 DC 24 74 F9 04 54 15 F6 90 00 X.bq.$t..T....
Status: No Error

Finaly, perform external authentication "ext-auth enc":
cm> ext-auth enc
=> 84 82 03 00 10 98 2D 3D 7F F6 D8 78 F3 14 7C DD ......-=...x..|.
09 54 DF 6E BF .T.n.
(42657 usec)
<= 90 00 ..
Status: No Error

Confirm this is working by running "card-info":
cm> card-info
....
Card Manager AID : A000000003000000
Card Manager state : SECURED

Application: SELECTABLE (---L----) D276000005AB0503E0040101
Application: SELECTABLE (--------) D276000005AA0503E0050101
Application: SELECTABLE (--------) "HelloApplet.app"
Load File : LOADED (--------) A0000000035350 (Security Domain)
Load File : LOADED (--------) D276000005AA040360010410
Load File : LOADED (--------) D276000005AA0503E00401
Load File : LOADED (--------) D276000005AA0503E00501
Load File : LOADED (--------) "HelloApplet"

help <command> will bring up help for the different command and provide different options e.g. all the key types on set-key and authentication levels on ext-auth.

I'm still working on being able to write applets that sit in the secure element and midlets that interact with them - the InternalSecureCardMIDlet provided with the SDK doesn't work for me. If anyone works this out, feel free to tell me how you did it.

Hope the above helps.

-Jeff

[tfroidcoeur]

this is documented in the SDK docs (nfc extensions, index page (file:///C:/Nokia/Devices/Nokia_6131_NFC_SDK_1_1/docs/nfc_ext/index.html)). Basically you have to

String uri = System.getProperty("internal.se.url");
ISO14443Connection iseConn = (ISO14443Connection) Connector.open(uri);

The connection opened in this way allows you to send APDU's to the secure element. You will need to select your java card applet and then you can happily send APDU's back and forth.

This will only work if your midlet is signed!!

[phoenix__]

After working work one of the developers from The GlobalPlatform sourceforce project, it is now possible to use GPShell (and anything else that uses the libs) with the 6131NFC. Currently this is only in the CVS, but will probably be included in the next realease.

After compiling the libs and GPShell itself, issue the following commands to authenticate:

mode_211
enable_trace
establish_context
card_connect -reader "<reader Name>"
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F

It should confirm with 90 00. Issue "get_status -element 20" to get a list of current applets on the card.

[dacre]

Is there any way to use a normal usb-phone - cable to access the phone (6131), and through the phone access the secure card?

Phoenix uses a GPShell-script that has the line:
card_connect -reader "<reader Name>"

Does this mean I have to have a specific card-reader?

After compiling the libs and GPShell itself, issue the following commands to authenticate:

mode_211
enable_trace
establish_context
card_connect -reader "<reader Name>"
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F

It should confirm with 90 00. Issue "get_status -element 20" to get a list of current applets on the card.

[phoenix__]

AFAIK you cannot use a regular USB cable. The only way to interact with the secure element is via an external card reader, or through a signed midlet.

<reader name> is simply how the card reader is identified within Windows and is the actual string name, mine is shows up as something like "cardman 5321 0-1CL" (I can't remember the exact name). I believe you can also use -readernumber instead of name.

[yakdogan]

Hi,
I used GPShell to load HelloWorld applet as appl.cap file in Secure Element in 6131 NFC Phone.
Maybe my phone is locked forever! Can anybody tell me what I am doing wrong hier?

My environment is: Java Card Dev Kit 2.2.1 / J2JDK 1.4.1
Command line:
> Gpshell hello6131.txt
The text file “hello6131.txt “ content was as followed:

mode_211
enable_trace
establish_context
card_connect -reader "OMNIKEY CardMan 5x21 0"
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
delete -AID a00000006203010c0101
delete -AID a00000006203010c01
delete -AID a00000006203010c0101
install -file appl.cap -priv 2
card_disconnect
release_context

Output of GPShell is:

mode_211
enable_trace
establish_context
card_connect -reader "OMNIKEY CardMan 5x21 0"
reader name OMNIKEY CardMan 5x21 0
card_connect() returns 0x80100069 (further communication is not possible, because smart card is removed)
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_ke
y 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
--> 00CA006600
GP211_get_secure_channel_protocol_details() returns 0x00000006 (The reference is unvalid)


how do you interpret the output of GPShell?
do i have a chance for one more try (but a right one)?

[yakdogan]

Hi,

The issue was the card reader name. My phone was not locked.

I found out that Omnikey CardMan 5321 registers two readers:
1) “OMNIKEY CardMan 5x21 0”
2) “OMNIKEY CardMan 5x21-CL 0”

Second one is the right one for contactless cards (Nokia 6131 NFC phone).

yakdogan

[berroto]

I'm using GPShell also, but I didn't understand why we need the following lines in the download script:

delete -AID a00000006203010c0101
delete -AID a00000006203010c01
delete -AID a00000006203010c0101

Why we need to delete 3 application

anyone has any idea?

and anyone did a successful listing of the application ID in the SE? I tried to use the script with GPShell:

mode_211
enable_trace
establish_context
card_connect -reader "OMNIKEY CardMan 5x21-CL 0"
select -AID a0000000030000
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
get_status -element e0
card_disconnect
release_context

the message returned is:

mode_211
enable_trace
establish_context
card_connect -reader "OMNIKEY CardMan 5x21-CL 0"
reader name OMNIKEY CardMan 5x21-CL 0
select -AID a0000000030000
--> 00A4040007A0000000030000
<-- 6F108408A000000003000000A5049F6501FF9000
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
--> 00CA006600
<-- 734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
--> 80502A00086A9839F64830D26500
<-- 0000634230C1F5A801092A020002598DD3961BFDFA4642927532123C9000
--> 8482030010784BC9AF31FF93C36CAB0308B7F6A46F
<-- 9000
get_status -element e0
--> 80F2E000024F0000
<-- 6A86
GP211_get_status() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)

Why it returns "6A86: Incorrect parameters (P1, P2)" without listing the AID?

thanks
Roberto

[lovercjs]

ya, so u need this line instead:
card_connect -readerNumber 2

roberto,
use this:

mode_211
enable_trace
establish_context
card_connect -readerNumber 2
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
get_status -element 20
card_disconnect
release_context

[lovercjs]

delete -AID a00000006203010c0101
delete -AID a00000006203010c01
delete -AID a00000006203010c0101

roberto,

this is the aid of Hello.cap, the sample cap file inside the GPShell folder.
00000006203010c01 is the package contain a class of aid 00000006203010c0101.

the aid for a cap is specific when you are converting the java class file to .cap using java card development kit. (java card development kit 2.2.1 is used with Nokia 6131 NFC or Global Platform 2.1.1)

[berroto]

roberto,

this is the aid of Hello.cap, the sample cap file inside the GPShell folder.
00000006203010c01 is the package contain a class of aid 00000006203010c0101.

the aid for a cap is specific when you are converting the java class file to .cap using java card development kit. (java card development kit 2.2.1 is used with Nokia 6131 NFC or Global Platform 2.1.1)

OK,
thanks, now it's clear.

bye
Roberto

[xjachim]

Hello,

I have new Nokia 6131 NFC phone and I try to comunicate with NFC chip, but the phone returns 6A88 during init-update.

- /terminal "winscard:4|OMNIKEY CardMan 5x21-CL 0"
--Opening terminal
> /card
--Waiting for card...
ATR=3B 88 80 01 00 73 C8 40 13 00 90 00 71 ;....s.@....q
ATR: T=0, T=1, Hist=0073C84013009000
=> 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
(68468 usec)
<= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 o..............e
01 FF 90 00 ....
Status: No Error
cm> set-key 42/1/DES-ECB/404142434445464748494A4B4C4D4E4F 42/2/DES-ECB/404142434445464748494A4B4C4D4E4F 42/3/DES-ECB/404142434445464748494A4B4C4D4E4F
cm> init-update 42
=> 80 50 2A 00 08 EE 68 11 00 10 70 57 7F 00 .P*...h...pW..
(34991 usec)
<= 6A 88 j.
Status: Reference data not found
jcshell: Error code: 6a88 (Reference data not found)
jcshell: Wrong response APDU: 6A88

Can anybody give me any hint, please?

Mike

[berroto]

wich tool are you using to download the applet?

check the JCsheel 1.4.1 and try the script that I wrote before in the previous posts.

bye,
Roberto

[enyab]

Hi,
I use GPShell and I have unlocked the 6131 and I want to install an hello world applet. Before this, I wanted to try if I can communicate with the SE. I tried the following commands using GPShell and I do get an error that raises concern..

mode_211
enable_trace
establish_context
card_connect -reader "OMNIKEY Cardman 5x21-CL 0"
reader name OMNIKEY Cardman 5x21-CL 0
open_sc -security 3 -keyver 42 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
Command --> 80CA006600
Wrapped command --> 80CA006600
GP211_get_secure_channel_protocol_details() returns 0x0000001F (A device attached to the system is not functioning.
)

Could someone give me a hint please ?:
How do I check if my secure element is permanently locked..?

thanks
Enya

[geri-m]

I'm not a 100 % sure, as I'm not using GPShell, but the Security Level of the SE In the 6131 is configured fot C-MAC only (without encryptin). So propably this is an issue ... just an idea.

cheers, geri-m