Post #6 by ding70, 03-15-2003
Part 6:
------------------------------------------------------------------------------------
--------------------------------------------------------------------
INS 6 Commands
01 06 xx xx xx xx
These only seem to work on corrupted cards.
--------------------------------------------------------------------

NANO CODES

These are two byte commands embedded in the EMMs. The first byte is the instruction. The second is the length of the following string. It would seem that there are compatible nanos.
It is known that 11 (06), 51 (06) and 91 (06) all have the same function. Also there are other pairs, e.g. for date 00 (02) or 40 (02), and for new provider ID 28 (0d) and 68 (0d).
It would seem that most (all?) nanos have compatible counterparts that are 40h apart. Possibly four different versions.
For example I have found
1B, 5B, (9B not tested) and the known CB (20)
also
29, 69 and the known A9 (02/0A) (E9 not tested) and others.

10 (09) Set Key [1st byte is the key number followed by eight bytes of the actual key].
10 (52) Set Multikey - TWO keys in the same command
10 (E4) Set Multikey - FOUR keys in the same command

Compatible nanos are the known 50 (xx) and 90 (xx) but also D0 (xx) seems to work too.

You may wonder why the Multikey length bytes 52h and E4h do not correspond to the actual length of the strings sent. The reason for this is that only the lower six bits are used. So the length byte must be "AND with 3Fh".
So
09h AND 3Fh = 09h or 9 decimal (1 key identifier byte plus 1x eight key bytes)
and
52h AND 3Fh = 12h or 18 decimal (2 key identifier bytes plus 2x eight key bytes)
and
E4h AND 3Fh = 24h or 36 decimal (4 key identifier bytes plus 4x eight key bytes).

Also the high two bits can indicate the number of keys.
09h = 00001001 high bits 00 = 1 key
52h = 01010010 high bits 01 = 2 keys
E4h = 11100100 high bits 11 = 4 keys

------------------------------------
Example of MultiKey Update
01 01 00 00 00 3D 02 pg pg 00 00 37 40 02
dd dd 11 06 Ch ID dd dd
0A 00 10 E4 02 k2 k2 k2
k2 k2 k2 k2 k2 04 k4 k4
k4 k4 k4 k4 k4 k4 06 k6
k6 k6 k6 k6 k6 k6 k6 08
k8 k8 k8 k8 k8 k8 k8 k8
xx xx xx xx xx cs

01 01 00 00 00 3D EMM, length 3D
02 pg pg Address provider group pg pg
00 00 Filler
37 Length
40 02 Set date dd dd
11 06 Ch ID 0A 00 Address this channel ID, timer
10 E4 Multikey update NANO (sometimes 50 E4) and length
02 Key number
k2 k2 ........ Key 2
04 Key number
k4 k4........ Key 4
06 Key number
k6 k6....... Key 6
08 Key number
k8 k8....... Key 8
xx xx xx xx xx Digital signature
cs Checksum

Sometimes the keys are 0A, 0C, 0E and 10.
------------------------------------

11 (06) Activate Channel ID (2 bytes chanID, 2 bytes datestamp + 2 bytes timer)
Compatible nanos 51 (06), 91 (06) and D1 (06). If the two bytes for the date and for the timer are set to 00 00 00 00 this acts as a "kill" or switch off command. On some cards a date stamp of 00 00 is accepted.
--------------------------

28 (0D) Change ProvID (00/11 provider, 00 + eight bytes masterkey, 3 bytes new ProvID.) Used by German system.
This is followed by a 5 byte signature.
Compatible nano 68 (0D)

Example of New Provider ID
01 01 00 00 00 1A C3 hx hx hx 00 14 28 0D 11 00 mk mk mk mk mk mk mk mk pp pp pp xx xx xx xx xx

1A EMM, Length 1A
C3 Get Hex Serial number
hx Hex Serial number
00 Filler
14 Length
28 0D Change provider ID and length
11 Provider identifier (for provider 10)
00 Key number. 00 indicates it is the Masterkey
mk Masterkey
pp New Provider ID
xx Digital Signature

The decrypted masterkey can be read out using dumpbuff0708.crd. The decrypted masterkeys of all cards in the same provider group are the same.


--------------------------
40 (02) Set date (2 Bytes). Also compatible nano 00 (02).
48 (01) Purpose not known
52 (06) Write 6 unknown Bytes (normally 00 00 00 00 00 00) between ProvID and date
54 (00) Erase all ChanID entries of addressed provider (sets all ChanIds, dates and timers to FFFFFF...)
Compatible nano 94 (00)

56 (02) Put two bytes after the date, often (31 00 - German) or (0A 01 - Italian). May be used as a Time Zone / blocker.
56 (10) Writes sixteen bytes of 00. Used in the resetcard.crd. However, it would seem that this only acts like 56 (02).
58 (01) xx : Writes the last byte in the message to xx
59 (08) Writes an eight byte text message (decimal characters) to 01 02 0c string. Used for IPPV?
5a (0a) Writes a ten byte message. First two bytes to 01 02 0f (last eight bytes encrypted)? Used for IPPV?
5b (03) Writes three bytes? As a check to 59 (08)? Used for IPPV?
5f (xx) Can be used for writing new PINs
62 (03) Set the country code. Three ascii bytes. eg 47 45 52 is GER
78 (12) Key number + 12/13 + 16 Bytes (2 x 8 byte Keys to be decrypted) + signature. Used in 01 05 00 command.

95 (02) Used after the set date nano (40 02). Usually 01 E2. Purpose unknown.
98 (01) Write one byte. The penultimate byte in the answer string to "getProvID"
CB (20) Selects the card from the users in that provider group (32 dec Bytes or 256 users)
A9 (0a) Normally 00 00 00 00 00 00 00 00 00 10. Deletes the masterkey?
A9 (02) Normally 00 00. Switch off masterkey command.

When a virgin trial 300/400 or 700/800 card is put in the dbox and is activated, the initial string contains (after the keyon / IDon instructions) the A9 nano. Thus the masterkey on the card is disabled. This means that any new keys cannot be written to the card. The new key has to be decrypted by the masterkey. I suspect something similar occurs with the Italian cards. The return code to new key strings, after the initial activation string has been accepted, is always 7C (wrong signature).
The only way to activate these cards is to write the masterkey again.

It has been attempted to write two keys (with different dates) in one string to a virgin card.
e.g.
01 01 00 00 00 29 0A pg pg 00 00 23 40 02 d1 d1 10 09 04 k4 k4 k4 k4 k4 k4 k4 k4 40 02 d2 d2 10 09 06 k6 k6 k6 k6 k6 k6 k6 k6 s1
It does not work. Only the key with the date previously set is written. If a date is not set, that is, it is left at FF FF, then neither key is written. The MK is disabled and the card becomes useless.



CRD Macros
In *.crd files you will see some macros. This is what they do:-

R0 - Initiate card reset. If the card is OK it replies with the ATR (Answer to Reset).
// - Ignore the rest of this line. Used for remarks.
P0 - Get Card's set Provider Group 00 and put it here in the crd (2 Bytes)
P1 - Get Card's set Provider Group 10 and put it here (2 Bytes)
P2 - Get Card's set Provider ID 00 and put it here (3 Bytes)
P3 - Get Card's set Provider ID 10 and put it here (3 Bytes)
S0 - Put the HEX serial number here (3 Bytes)
S1 - Put the 5 byte digital signature here and check the value of the final byte.
T0 - Put the date stamp of Provider 00 here (2 Bytes)
T1 - Put the date stamp of Provider 10 here (2 Bytes)
I0 - Opens an input window so that you can enter HEX data. The length of the data string must be correct.
Parameter Format: I0Text_can_be_written_here_without_spaces,_always_end_with_;

Writing your own CRD

To write your own CRD you have to emulate the EMM commands sent from the provider to YOUR card. You may need only one CRD for one instruction, such as activating one ChanID. Or you may need to write a new key as well. This could be in a second CRD or combined altogether with the first. All CRDs must have the following information:-
1. 01 01 00 00 00 xx (6 bytes) The EMM command initiation where xx is the total length of the following string.
2. Identification bytes of your card's Provider ID/Group/Hex SN - either written long hand or using one of the macros (see above) plus padding 00 (five bytes + 2nd length byte (to end of string)).
3. 40 20 dd dd (date NANO and date, you could use macro T0 or T1)
4. NANO command and data. eg for Chan ID activation :- 11 06 ch id 00 00 FF 00
or for new key 10 09 KN kx kx kx kx kx kx kx kx Where KN is the key number and kx is the eight bytes of the key.
5. The digital signature of 5 bytes or more easily the S1 macro to determine this.

The most difficult part is getting the two length bytes correct. Remember to use HEX and to count all the bytes of a macro.
e.g. S1 = 5 bytes and T0 = 2 bytes. The second length byte is always six less than the first.
Study some already written CRDs and you will see that it is not as difficult as it may first seem. It is probably easier to edit an existing CRD with a simple text editor and insert/replace your own data as required.

There are also utilities available which, if you input the correct information, will write the appropriate crd for you. See for example CRD Construction Kit v0.4, CRD-Maker V1.2, CardStudioV08 and MasterLog v2.5 (stuff). A utility called cRDcHANGER will convert a Cardmaster type crd to a form that is suitable for SignHunter.
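As an added example (not from ding70's post), here is a Python decoder for the nano stream described in the length-byte explanation and the MultiKey Update breakdown above: it applies the "AND with 3Fh" rule and the key-count high bits, and follows the post's observation that nano codes 40h apart share a function. The nano codes come from the post; the date, ChanID and key bytes in the sample are constructed placeholders.

```python
# Added example, not from the post: decodes a nano stream (instruction byte, length
# byte, payload) using the length-byte rules described above. Sample bytes are constructed.

def nano_length(length_byte: int) -> tuple[int, int]:
    """Split a nano length byte into (payload length = low six bits, high two bits)."""
    return length_byte & 0x3F, length_byte >> 6

def nano_family(opcode: int) -> int:
    """Low six bits: 11/51/91/D1, 10/50/90/D0, 00/40, 28/68 collapse to one value."""
    return opcode & 0x3F

def parse_nanos(stream: bytes) -> list[tuple[int, int, int, bytes]]:
    """Walk instruction byte, length byte, payload; refuse truncated input."""
    nanos, i = [], 0
    while i < len(stream):
        if i + 2 > len(stream):
            raise ValueError(f"dangling instruction byte at offset {i}")
        op, (length, hi) = stream[i], nano_length(stream[i + 1])
        payload = stream[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"nano {op:02X}: length byte says {length}, {len(payload)} left")
        nanos.append((op, length, hi, payload))
        i += 2 + length
    return nanos

KEY_COUNT_BY_HIGH_BITS = {0b00: 1, 0b01: 2, 0b11: 4}  # 09h, 52h, E4h in the post

def split_multikey(payload: bytes, hi: int) -> dict[int, bytes]:
    """Multikey payload is n x (key number + 8 key bytes); cross-check n with the high bits."""
    if len(payload) % 9:
        raise ValueError("multikey payload is not a multiple of 9 bytes")
    n = len(payload) // 9
    if KEY_COUNT_BY_HIGH_BITS.get(hi, n) != n:
        raise ValueError(f"high bits imply {KEY_COUNT_BY_HIGH_BITS[hi]} keys, payload holds {n}")
    return {payload[k * 9]: payload[k * 9 + 1 : k * 9 + 9] for k in range(n)}

# Constructed stream following the MultiKey Update layout above, without the inner
# length byte, signature and checksum: set date, activate ChanID, 10 E4 with keys 02/04/06/08.
SAMPLE_NANOS = bytes.fromhex(
    "4002" "0B2E"                 # 40 (02) set date, placeholder dd dd
    "1106" "012C" "0B2E" "0A00"   # 11 (06) ChanID 01 2C, date stamp, timer 0A 00
    "10E4"                        # 10 (E4) multikey nano, four keys
    + "02" + "22" * 8 + "04" + "44" * 8 + "06" + "66" * 8 + "08" + "88" * 8
)

def decode_sample() -> dict[int, bytes]:
    for op, _length, hi, payload in parse_nanos(SAMPLE_NANOS):
        if nano_family(op) == 0x10:  # 10, 50, 90 or D0 multikey nano
            return split_multikey(payload, hi)
    raise ValueError("no multikey nano present")
```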