@darconeous
Last active February 23, 2024 11:08
Death of an NFC Ring Omni

Everything looked good. I wanted to erase the card to make sure I had a blank slate:

rquattle-macpro:AlgTest_dist_1.6.1 (master?)$ gp --list
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (OP_READY)
     Privs:   SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

APP: 4A43416C675465737431 (SELECTABLE)
     Privs:   

PKG: 4A43416C6754657374 (LOADED)
     Applet:  4A43416C675465737431

I deleted the 4A43416C6754657374 package, and that went fine:

rquattle-macpro:AlgTest_dist_1.6.1 (master?)$ gp --delete 4A43416C6754657374
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F

But when I went to install the new cap, GP crashed... Which I have seen happen occasionally when PCSC indicates a zero-length response APDU:

rquattle-macpro:AlgTest_dist_1.6.1 (master?)$ gp --install AlgTest_v1.6_supportOnly_jc222.cap
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
Exception in thread "main" java.lang.IllegalArgumentException
	at java.nio.Buffer.position(Buffer.java:244)
	at jnasmartcardio.Smartcardio$JnaCardChannel.transmitImpl(Smartcardio.java:807)
	at jnasmartcardio.Smartcardio$JnaCardChannel.transmit(Smartcardio.java:688)
	at apdu4j.CardChannelBIBO.transceive(CardChannelBIBO.java:22)
	at apdu4j.APDUBIBO.transmit(APDUBIBO.java:36)
	at pro.javacard.gp.GPSession.transmit(GPSession.java:524)
	at pro.javacard.gp.GPSession.loadCapFile(GPSession.java:653)
	at pro.javacard.gp.GPSession.loadCapFile(GPSession.java:573)
	at pro.javacard.gp.GPTool.loadCapAccordingToDapRequirement(GPTool.java:854)
	at pro.javacard.gp.GPTool.calculateDapPropertiesAndLoadCap(GPTool.java:831)
	at pro.javacard.gp.GPTool.main(GPTool.java:457)

But this time I could no longer authenticate to the ISD:

rquattle-macpro:AlgTest_dist_1.6.1 (master?)$ gp --list
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
INITIALIZE UPDATE failed: 0x6A88 (Referenced data not found)
rquattle-macpro:AlgTest_dist_1.6.1 (master?)$ gp --info
GlobalPlatformPro 19.06.16-4-g1f6b677
Running on Mac OS X 10.15.2 x86_64, Java 1.8.0_221 by Oracle Corporation
Reader: ACS ACR122U
ATR: 3B8C8001506932C4AE0000001177818308
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3B8C8001506932C4AE0000001177818308

CPLC: ICFabricator=4090
      ICType=7805
      OperatingSystemID=4091
      OperatingSystemReleaseDate=2013 (2012-01-13)
      OperatingSystemReleaseLevel=0110
      ICFabricationDate=8329 (2018-11-25)
      ICSerialNumber=28010739
      ICBatchIdentifier=B973
      ICModuleFabricator=4092
      ICModulePackagingDate=8297 (2018-10-24)
      ICCManufacturer=4093
      ICEmbeddingDate=8297 (2018-10-24)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (2010-01-01)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2010-01-01)
      ICPersonalizationEquipmentID=00000000

IIN: 42074953445F49494E
CIN: 45074953445F43494E
Card Data: 
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.2
-> GP Version: 2.2
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.2.21
-> GP SCP02 i=15
Tag 65: 1.2.840.114283.2.1.1
-> GP Version: 1.1
Tag 66: 1.3.6.1.4.1.42.2.110.1.3
-> JavaCard v3
Card Capabilities: 
Supports: SCP03 i=10 i=20 i=60 with AES-128
Supports: SCP02 i=15 i=55 i=1A
Supported DOM privileges: SecurityDomain, DelegatedManagement, CardLock, CardTerminate, CardReset, CVMManagement, MandatedDAPVerification, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, GlobalService, ReceiptGeneration, CipheredLoadFileDataBlock
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, GlobalLock, GlobalRegistry, FinalApplication, GlobalService
Supported LFDB hash: 01
Supported Token Verification ciphers: 01
Supported Receipt Generation ciphers: 05
Supported DAP Verification ciphers: 01
Version:   1 (0x01) ID:   1 (0x01) type: DES3 length:  16 
Version:   1 (0x01) ID:   2 (0x02) type: DES3 length:  16 
Version:   1 (0x01) ID:   3 (0x03) type: DES3 length:  16 
rquattle-macpro:AlgTest_dist_1.6.1 (master?)$ gp --list
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
INITIALIZE UPDATE failed: 0x6A88 (Referenced data not found)

Turning on debugging:

rquattle-macpro:AlgTest_dist_1.7.9 (master?)$ gp --list -d -v 
GlobalPlatformPro 19.06.16-4-g1f6b677
Running on Mac OS X 10.15.2 x86_64, Java 1.8.0_221 by Oracle Corporation
# Detected readers from JNA2PCSC
[*] ACS ACR122U
SCardConnect("ACS ACR122U", T=*) -> T=1, 3B8C80015061D1A8E100000011778183C0
SCardBeginTransaction("ACS ACR122U")
Reader: ACS ACR122U
ATR: 3B8C80015061D1A8E100000011778183C0
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3B8C80015061D1A8E100000011778183C0

A>> T=1 (4+0000) 00A40400 00 
A<< (0097+2) (84ms) 6F5F8408A000000151000000A553734906072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040215650B06092A864886FC6B020101660C060A2B060104012A026E01039F6E01019F6501FE 9000
[TRACE] GPSession -  [6F]
[TRACE] GPSession -      [84] A000000151000000
[TRACE] GPSession -      [A5]
[TRACE] GPSession -          [73]
[TRACE] GPSession -              [06] 2A864886FC6B01
[TRACE] GPSession -              [60]
[TRACE] GPSession -                  [06] 2A864886FC6B020202
[TRACE] GPSession -              [63]
[TRACE] GPSession -                  [06] 2A864886FC6B03
[TRACE] GPSession -              [64]
[TRACE] GPSession -                  [06] 2A864886FC6B040215
[TRACE] GPSession -              [65]
[TRACE] GPSession -                  [06] 2A864886FC6B020101
[TRACE] GPSession -              [66]
[TRACE] GPSession -                  [06] 2B060104012A026E0103
[TRACE] GPSession -          [9F6E] 01
[TRACE] GPSession -          [9F65] FE
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[TRACE] GPSession - Generated host challenge: 7B46456B5083041E
A>> T=1 (4+0008) 80500000 08 7B46456B5083041E 00
A<< (0000+2) (23ms) 6A88
INITIALIZE UPDATE failed: 0x6A88 (Referenced data not found)

There is no obvious way to recover from this condition.
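Added example, not part of the original gist or of GlobalPlatformPro: a small Python check that reads the `A>>`/`A<<` lines of a `gp -d` trace like the one above and reports every exchange that should stop a scripted run before another card-management command is sent. Treating a command with no logged reply as a failure, reading the `(NNNN+2)` field as a decimal byte count, and the names `parse_trace` and `findings` are assumptions of this example.

```python
import re

# GlobalPlatform / ISO 7816-4 instruction bytes seen in card-management sessions.
INS_NAMES = {0xA4: "SELECT", 0x50: "INITIALIZE UPDATE", 0x82: "EXTERNAL AUTHENTICATE",
             0xE4: "DELETE", 0xE6: "INSTALL", 0xE8: "LOAD"}
CMD_RE = re.compile(r"^A>> T=\d \(4\+\d+\) ([0-9A-F]{8})\b")
RSP_RE = re.compile(r"^A<< \((\d+)\+2\) \(\d+ms\)(?: ([0-9A-F]+))? ([0-9A-F]{4})\s*$")

# INITIALIZE UPDATE exchange copied from the trace above; the SELECT response
# and the unanswered LOAD are constructed for this example.
SAMPLE = """\
A>> T=1 (4+0000) 00A40400 00
A<< (0004+2) (84ms) 6F028400 9000
A>> T=1 (4+0008) 80500000 08 7B46456B5083041E 00
A<< (0000+2) (23ms) 6A88
A>> T=1 (4+0010) 80E80000 0A 00112233445566778899
"""

def parse_trace(text):
    """Pair each A>> command with the A<< response that follows it."""
    exchanges, pending = [], None
    for line in map(str.strip, text.splitlines()):
        cmd, rsp = CMD_RE.match(line), RSP_RE.match(line)
        if cmd:
            if pending:  # previous command never got a logged reply
                exchanges.append(pending)
            _cla, ins, p1, _p2 = bytes.fromhex(cmd.group(1))
            pending = {"ins": INS_NAMES.get(ins, f"INS {ins:02X}"), "p1": p1,
                       "sw": None, "declared": None, "actual": None}
        elif rsp and pending:
            pending.update(sw=int(rsp.group(3), 16), declared=int(rsp.group(1)),
                           actual=len(rsp.group(2) or "") // 2)
            exchanges.append(pending)
            pending = None
    return exchanges + ([pending] if pending else [])

def findings(exchanges):
    """One line per exchange that should halt a scripted gp run."""
    out = []
    for n, ex in enumerate(exchanges, 1):
        if ex["sw"] is None:
            out.append(f"#{n} {ex['ins']}: no response logged")
        elif ex["declared"] != ex["actual"]:
            out.append(f"#{n} {ex['ins']}: {ex['actual']} data bytes, {ex['declared']} declared")
        elif ex["sw"] != 0x9000:
            kvn = f" (key version P1={ex['p1']:02X})" if ex["ins"] == "INITIALIZE UPDATE" else ""
            out.append(f"#{n} {ex['ins']}: SW={ex['sw']:04X}{kvn}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_trace(SAMPLE))))
```
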

@andrea6407

Hey @darconeous,
Was wondering if the ACR122U being used happened to have the ACS logo? (one on the bottom right, and another on the grey sticker on the back). If it doesn't, it is a counterfeit version. Would be interesting to do further testing to see if all ACR122Us cause this issue, or if it's only the counterfeit ones that do this.

@darconeous
Author

It was a real one as far as I know, with the ACS logo.

@darconeous
Author

I'll also add that Omni was able to reproduce this condition and destroyed several rings on their end.

@andrea6407

andrea6407 commented Feb 22, 2024

@darconeous Sorry for the late reply.

Interesting, could it be the ACR122U timing out? I saw a FIDO applet that ran a command first before any gp install operations that prevented the reader from timing out.

The command sent is:

# This is for the ACR122U to put it into
# a nice state where it won't time out on us.
$GP -d -v -a ff0041ff00 -a ff00520000 || true

Source: https://gist.github.com/darconeous/adb1b2c4b15d3d8fbc72a5097270cdaf

Would running this first before any gp install operations prevent the ring from being bricked?

Also does the ring brick on the first gp operation, or after multiple? If multiple it may be timing out, and would the issue be solved by removing the ring and putting it back on the reader after every gp command and every 1-2 minutes?

@darconeous
Author

I honestly can't remember, it was so long ago... But from my memory that seems plausible.

But be careful. These things are super easy to brick if anything goes wrong.

@darconeous
Author

See this issue for more info: mclear/OMNI-Ring#10 (comment)

@darconeous
Author

Sorry, I meant this issue: mclear/OMNI-Ring#5 (comment)

@andrea6407

andrea6407 commented Feb 23, 2024

Sorry, I meant this issue: mclear/OMNI-Ring#5 (comment)

Thanks for sharing, I had a good look.

For what it's worth, I've found that my ACR122U-A9 will end up failing (returning a zero-length APDU) after doing a bunch of GP operations with the OMNI unless I remove and replace the ring after each GP operation.

Something that popped in my head, maybe remembering to remove and replace the ring on the reader could be a workaround for this issue? I don't have any OMNI rings to test this theory though. (And also scared to, because if my theory proved false I'd be sending 100+ dollars down the drain.)

Also curious if this issue affects gp operations on NXP SmartMX cards, or only the OMNI, which uses SLE78.

One of the replies below also kind of caught my attention:

I vaguely remember having some issues with ACR122u in Linux where I had to remove the ring from the reader occasionally. Had no issues with ACR1252U and therefore thought it's the pcsc-lite compatibility issue with ACR122u.

Could this issue only happen on Unix systems (Linux and macOS) running GlobalPlatformPro?

I know my ACR122U behaves differently when using it with Kali (libnfc) and with Windows.

On Windows, when running mfoc, the ACR122U will disconnect and hang. The only way to return the reader to a usable state is to unplug and plug the reader back in. When running GP commands (only gp --info I have tried), there's no problems or disconnecting.

When using my ACR122U on Kali (and likely other Linux systems), it initially doesn't work and returns a libnfc issue. I have to run this command to get it to work first:

sudo modprobe -r pn533_usb

sudo modprobe -r pn533

Behavior is also slightly different, the reader not beeping when a card is put on (however the card is still detected), and the indicator light not turning on (or staying on whatever state it was in earlier).

When using mfoc on Kali, the ACR122U doesn't hang. I haven't tried GPP on Kali or other Linux distros before yet.
