Read & Fuzz contactless smart cards with HydraNFC v2 (Part 1)

In short, this post explains how to exchange APDU commands straightforwardly with contactless smart cards thanks to the HydraNFC v2, either from a serial console or from a Python driver. As you control every byte sent to the card, you can send ill-formed commands to fuzz a card at the APDU level. In a later post, we will see how to send commands at a lower level: TPDU frames or ISO 14443 initialization commands. Fuzzing at that level would be far more efficient.


APDU: the basic communication structure

How does a communication between a reader and a smartcard work?

  • The reader initializes the communication: the RF field is activated, and several low-level commands are exchanged to detect a compatible card.
  • Then the reader exchanges information with the card using APDUs (Application Protocol Data Units). It sends a command to the card, which answers with a response.

What is the structure of an APDU? Below is the generic format of a command (an ISO 7816-4 short APDU):

Field   Meaning
CLA     Class byte
INS     Instruction byte. It characterizes the type of command.
P1      Parameter byte 1, an option related to the INS field.
P2      Parameter byte 2, an option related to the INS field.
Lc      Length of the Data field (absent when no data is sent)
Data    Data bytes (Lc of them)
Le      Maximum number of bytes expected in the card response; 00 means up to 256 (absent when no response data is expected)

And below, the generic format of a response:

Field         Meaning
Data          Card response data (optional)
Status Word   2 bytes named SW1 and SW2; 90 00 means success

We know the format of the APDUs. But what information is exchanged?

  • A card can embed several applications, so the reader must select the one to use.
  • Then, there are commands to read information about the card.
  • Finally, some commands perform the payment itself:
    • The terminal wants to make a payment. It sends a command indicating, among other things, the amount, the date and the currency.
    • The card checks whether the information is acceptable, for instance that the amount is not too high. If it accepts, its response contains a cryptogram proving that the card authorized the transaction.
    • The terminal extracts this cryptogram and uses it to validate the transaction (for an online transaction it is forwarded to the issuer, which holds the key needed to verify it).

Sending APDU with the Hydra NFC v2

The goal of this post is not to explain all the commands of a transaction, but just to show that you can send APDUs straightforwardly with the HydraNFC.

We saw that the reader needs to select the card's payment application:

  • But it does not know which applications are embedded: Mastercard, Visa …
  • So it first selects a special application available on all contactless payment cards, the PPSE (Proximity Payment System Environment), whose name is 2PAY.SYS.DDF01. Its response lists the installed payment applications.
  • The APDU command to send is described below:

CLA    00
INS    A4 (SELECT command)
P1     04 (select by name: the application name is given in the Data field)
P2     00 (first or only occurrence)
Lc     0E (14 data bytes)
Data   32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 (the application name 2PAY.SYS.DDF01 as hexadecimal ASCII)
Le     00 (accept up to 256 response bytes)

Let's use the HydraNFC v2!

We connect with picocom (but you could use putty as well).

$ picocom -b 115200 /dev/ttyACM0
Type [C-a] [C-h] to see available commands
Terminal ready
> 

We type “help” to list the available commands.

> help
Available commands
   help           Available commands
   history        Command history
   clear          Clear screen
   show           Show information
   logging        Turn logging on or off
   sd             SD card management
   nfc            NFCv2 mode
   dnfc           Debug/Developer NFCv2 mode
   debug          Debug mode
> 

We select the nfc menu, and type help again to get information.

> nfc 
NFCv2> help
NFCv2 mode
   sd             SD card management
   show           Show NFC parameters
   nfc-all        Select technology NFC-A/B/V/F
   nfc-a          Select technology NFC-A (ISO14443A includes MIFARE...)
   nfc-b          Select technology NFC-B (ISO14443B)
   nfc-st25tb     Select technology NFC-B (ISO14443B ST25TB)
   nfc-v          Select technology NFC-V Vicinity (ISO/IEC 15693)
   nfc-f          Select technology NFC-F Felica
   scan           Scan selected technology (NFC-A/B/V/F...)
   emul-3a        Emul Tag ISO14443A
   ce             Set Tag properties for Card Emulation (UID, SAK, T4T params...)
   emul-t4t       Emulate Type 4 Tag with preset Tag properties
   connect        Connect to a smartcard (ISO 14443 A & B)
   connect-opt    Set options for connect & send commands
   send           Send APDU data to a card initialized with the connect command (only ISO 14443 A & B tags)
   exit           Exit NFC mode

We use the connect command to detect and initialize the smart card.

NFCv2> connect
> 26
< 04 00 
> 93 20 
< B9 CC 13 71 17 
> 93 70 B9 CC 13 71 17 
< 20 
> E0 00 
< 0A 78 80 82 02 20 63 CB A3 A0 
> D0 01 
< D0 
ISO 14443-A card detected.

An ISO 14443-A card was detected, and several low-level frames were exchanged to initialize it. We will come back to them later.

Now, we can send the APDU command with “send”.

NFCv2> send 00A404000E325041592E5359532E444446303100                     
> 1A 00 00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44 
< AA 00 
> 0B 00 46 30 31 00 
< 1B 00 6F 57 84 0E 32 50 41 59 2E 53 59 53 
> BA 00 
< 1A 00 2E 44 44 46 30 31 A5 45 BF 0C 42 61 
> BB 00 
< 1B 00 1B 4F 07 A0 00 00 00 42 10 10 50 02 
> BA 00 
< 1A 00 43 42 87 01 01 9F 28 08 40 02 00 00 
> BB 00 
< 1B 00 00 00 00 00 61 23 4F 07 A0 00 00 00 
> BA 00 
< 1A 00 04 10 10 50 0A 4D 41 53 54 45 52 43 
> BB 00 
< 1B 00 41 52 44 87 01 02 9F 28 08 40 00 20 
> BA 00 
< 0A 00 00 00 00 00 00 90 00 
6F 57 84 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 A5 45 
BF 0C 42 61 1B 4F 07 A0 00 00 00 42 10 10 50 02 43 42 87 01
01 9F 28 08 40 02 00 00 00 00 00 00 61 23 4F 07 A0 00 00 00
04 10 10 50 0A 4D 41 53 54 45 52 43 41 52 44 87 01 02 9F 28 
08 40 00 20 00 00 00 00 00 90 00 

The APDU response is: 6F 57 84 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 A5 45 BF 0C 42 61 1B 4F 07 A0 00 00 00 42 10 10 50 02 43 42 87 01 01 9F 28 08 40 02 00 00 00 00 00 00 61 23 4F 07 A0 00 00 00 04 10 10 50 0A 4D 41 53 54 45 52 43 41 52 44 87 01 02 9F 28 08 40 00 20 00 00 00 00 00 90 00.

The last two bytes, 90 00, are the status word and mean the command succeeded. The rest is BER-TLV encoded data, which we can decode with emvlab.org/tlvutils. Two applications are listed, each inside a tag 61 Application Template: the first with AID A0 00 00 00 42 10 10 and label “CB” (43 42), the second with AID A0 00 00 00 04 10 10 and label “MASTERCARD” (4D 41 53 54 45 52 43 41 52 44). We will see later the meaning of the lines starting with “>” or “<”.
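The SELECT command above and the decoding of its response can be scripted directly. The following Python is an added example, not code from the original post or from pynfcreader: it builds the SELECT PPSE APDU from the application name and parses the BER-TLV response captured above (embedded as a constant) to extract each listed application's AID, label and priority. The function and constant names are the example's own, and only the standard library is used.

```python
# Added example (not code from the original post or from pynfcreader): build the
# SELECT PPSE command and decode the BER-TLV File Control Information (FCI)
# that the card returns.

PPSE_NAME = b"2PAY.SYS.DDF01"  # 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31

# Response captured in the post above, status word 90 00 included.
FCI_RESPONSE = bytes.fromhex(
    "6F 57 84 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 A5 45 BF 0C 42 61 1B "
    "4F 07 A0 00 00 00 42 10 10 50 02 43 42 87 01 01 9F 28 08 40 02 00 00 00 00 "
    "00 00 61 23 4F 07 A0 00 00 00 04 10 10 50 0A 4D 41 53 54 45 52 43 41 52 44 "
    "87 01 02 9F 28 08 40 00 20 00 00 00 00 00 90 00"
)


def build_select_apdu(name: bytes) -> bytes:
    """SELECT by DF name: CLA 00, INS A4, P1 04, P2 00, Lc, Data, Le 00."""
    if not 1 <= len(name) <= 255:
        raise ValueError("name must be 1..255 bytes for a short APDU")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00"


def _read_tag(buf: bytes, i: int):
    """Read a BER tag; returns (tag as int, constructed?, next index)."""
    start = i
    first = buf[i]
    i += 1
    if (first & 0x1F) == 0x1F:        # multi-byte tag: bytes continue while bit 8 is set
        while buf[i] & 0x80:
            i += 1
        i += 1
    return int.from_bytes(buf[start:i], "big"), bool(first & 0x20), i


def _read_length(buf: bytes, i: int):
    """Read a BER length (definite form only)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4 or i + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[i:i + n], "big"), i + n


def parse_tlv(buf: bytes) -> list:
    """Parse BER-TLV data into a list of (tag, value, children); children is
    None for primitive tags and a nested list for constructed ones."""
    nodes, i = [], 0
    while i < len(buf):
        if buf[i] in (0x00, 0xFF):    # EMV allows padding bytes between objects
            i += 1
            continue
        try:
            tag, constructed, i = _read_tag(buf, i)
            length, i = _read_length(buf, i)
        except IndexError:
            raise ValueError("truncated TLV header") from None
        value = buf[i:i + length]
        if len(value) != length:       # announced length vs bytes actually present
            raise ValueError(f"tag {tag:X} announces {length} bytes, {len(value)} present")
        i += length
        nodes.append((tag, value, parse_tlv(value) if constructed else None))
    return nodes


def find_all(nodes: list, wanted: int):
    """Depth-first generator of every node whose tag equals `wanted`."""
    for node in nodes:
        tag, _, children = node
        if tag == wanted:
            yield node
        if children:
            yield from find_all(children, wanted)


def split_response(resp: bytes):
    """Separate response data from the status word (SW1, SW2)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], resp[-2], resp[-1]


def list_applications(resp: bytes) -> list:
    """Return (AID hex, label, priority) for each Application Template (61)
    found in a SELECT PPSE response."""
    data, sw1, sw2 = split_response(resp)
    if (sw1, sw2) != (0x90, 0x00):
        raise ValueError(f"card refused the SELECT: SW={sw1:02X}{sw2:02X}")
    apps = []
    for _, _, fields in find_all(parse_tlv(data), 0x61):
        by_tag = {tag: value for tag, value, _ in fields}
        apps.append((
            by_tag[0x4F].hex().upper(),                        # AID, mandatory
            by_tag.get(0x50, b"").decode("ascii", "replace"),  # Application Label
            by_tag[0x87][0] if 0x87 in by_tag else None,       # Application Priority Indicator
        ))
    return apps


if __name__ == "__main__":
    print(build_select_apdu(PPSE_NAME).hex().upper())
    for aid, label, prio in list_applications(FCI_RESPONSE):
        print(f"{aid}  {label!r}  priority={prio}")
```

Running it prints the same 00A404000E… command that was typed into the console, then the two applications (CB and MASTERCARD). The parser checks every announced length against the bytes actually present, which is exactly the kind of inconsistency a fuzzed card may answer with, so truncated or over-long data raises instead of being silently accepted.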

OK, but what if you want to send a lot of commands, and parse each response to build the next command? Forging and analyzing them one by one would be very tedious…

No problem, there is a Python driver for that!

Hydra NFC v2 python driver

There is another way to communicate: the pynfcreader Python driver (https://github.com/gvinet/pynfcreader):

  • It does not simply open a serial connection and send the text commands we saw above.
  • Instead, it uses a dedicated mode of the HydraNFC v2 named BBIO. In short, the host sends short binary commands instead of long ASCII text.

Let's see a script to communicate with our card:

import time
from pynfcreader.devices.hydra_nfc_v2 import HydraNFCv2
from pynfcreader.sessions.iso14443.iso14443a import Iso14443ASession

# Serial port of the HydraNFC v2 (it may differ from the /dev/ttyACM0 used with picocom; check dmesg)
hydra_nfc = HydraNFCv2(port="/dev/ttyACM1", debug=False)
# ISO 14443-A session on top of the driver
hn = Iso14443ASession(drv=hydra_nfc, block_size=250)

hn.connect()
# Reset the RF field so the card starts from a clean state
hn.field_off()
time.sleep(0.1)
hn.field_on()
# Detect and initialize the card (the sequence the console "connect" command performed)
hn.polling()

With this driver:

  • you can script your commands,
  • and you can easily combine it with the many Python libraries that talk to contactless smart cards.
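Scripting also means the ill-formed commands mentioned in the introduction can be generated systematically. The block below is an added example, not code from the original post or from pynfcreader: a small APDU-level mutation fuzzer that derives Lc mismatches, truncations, header bit flips and an oversized body from the SELECT PPSE command, classifies the status words it gets back, and lists the mutants worth a closer look. The `transmit` argument is a placeholder for whatever routine sends raw bytes to the card and returns the raw response (with the driver above, its send function); `fake_card` is a constructed stand-in that answers with textbook ISO 7816-4 status words so the harness runs without hardware. All names are the example's own.

```python
# Added example (not code from the original post or from pynfcreader):
# APDU-level mutation fuzzing with a pluggable transport.
import random

PPSE_NAME = b"2PAY.SYS.DDF01"

# ISO 7816-4 status words a practitioner expects in answer to malformed commands.
SW_MEANING = {
    0x9000: "OK",
    0x6700: "wrong length",
    0x6A82: "file or application not found",
    0x6A86: "incorrect P1-P2",
    0x6D00: "INS not supported",
    0x6E00: "CLA not supported",
    0x6F00: "no precise diagnosis",
}


def build_select_apdu(name: bytes) -> bytes:
    """SELECT by DF name (CLA 00, INS A4, P1 04, P2 00, Lc, Data, Le 00)."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00"


def mutate_apdu(apdu: bytes, seed: int = 0):
    """Yield (label, mutant) pairs derived from a well-formed case-4 APDU:
    inconsistent Lc, every truncation, header bit flips and an oversized body."""
    rng = random.Random(seed)             # deterministic, so a finding is reproducible
    cla, ins, p1, p2, lc = apdu[:5]
    data, le = apdu[5:5 + lc], apdu[5 + lc:]
    for bad_lc in (0x00, lc - 1, lc + 1, 0xFF):   # Lc disagrees with the real data length
        bad_lc &= 0xFF
        yield f"lc={bad_lc:02X}", bytes([cla, ins, p1, p2, bad_lc]) + data + le
    for n in range(1, len(apdu)):                 # every possible truncation
        yield f"truncated@{n}", apdu[:n]
    for idx in (0, 2, 3):                         # flip each bit of CLA, P1 and P2
        for bit in range(8):
            flipped = bytearray(apdu)
            flipped[idx] ^= 1 << bit
            yield f"flip[{idx}].{bit}", bytes(flipped)
    junk = bytes(rng.randrange(256) for _ in range(255))   # maximal short-APDU body
    yield "data=255", bytes([cla, ins, p1, p2, 0xFF]) + junk + le


def classify_sw(resp: bytes) -> str:
    """Turn the trailing status word of a response into a readable class."""
    if len(resp) < 2:
        return "short response"
    sw = (resp[-2] << 8) | resp[-1]
    if sw >> 8 == 0x61:
        return "more data available"
    if sw >> 8 == 0x6C:
        return f"wrong Le, card expects {sw & 0xFF:02X}"
    return SW_MEANING.get(sw, f"unknown SW {sw:04X}")


def fuzz(transmit, base_apdu: bytes, seed: int = 0) -> dict:
    """Send every mutant through `transmit` and record {label: (mutant hex, class)}."""
    results = {}
    for label, mutant in mutate_apdu(base_apdu, seed):
        try:
            cls = classify_sw(transmit(mutant))
        except Exception as exc:                  # a hung or dropped card is a finding too
            cls = f"transport error: {exc}"
        results[label] = (mutant.hex().upper(), cls)
    return results


def anomalies(results: dict) -> list:
    """Mutants worth a closer look: accepted although malformed, or answered
    with something other than a documented error."""
    return sorted(label for label, (_, cls) in results.items()
                  if cls == "OK" or cls.startswith(("unknown", "short", "transport")))


def fake_card(apdu: bytes) -> bytes:
    """Constructed stand-in for a real card (not any real card's behaviour):
    it knows only SELECT by name and answers with ISO 7816-4 status words."""
    if len(apdu) < 4:
        return b"\x6F\x00"
    cla, ins, p1, p2 = apdu[:4]
    if cla != 0x00:
        return b"\x6E\x00"
    if ins != 0xA4:
        return b"\x6D\x00"
    if (p1, p2) != (0x04, 0x00):
        return b"\x6A\x86"
    if len(apdu) < 5:
        return b"\x67\x00"
    lc, body = apdu[4], apdu[5:]
    if len(body) not in (lc, lc + 1):         # case 3 (no Le) or case 4 (Le present)
        return b"\x67\x00"
    if body[:lc] != PPSE_NAME:
        return b"\x6A\x82"
    return b"\x90\x00"


if __name__ == "__main__":
    res = fuzz(fake_card, build_select_apdu(PPSE_NAME))
    for label in anomalies(res):
        print(label, *res[label])
```

Run against the fake card, the only anomaly reported is truncated@19: the command with its Le byte removed, which is a legitimate case 3 APDU and is rightly accepted. That is the expected workflow: the harness narrows the list down, the analyst decides. Against a real card, also log the raw response bytes and watch for timeouts and for the card dropping out of the field, which the transport-error branch records.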

What next?

So with the Hydra NFC v2:

  • You have a contactless smart card reader, usable either from a serial console or from a Python library.
  • You can send malformed APDU commands to fuzz smart cards.

But there are still other fun things to do:

  • The APDUs are not exchanged directly between the reader and the card. They are encapsulated in Transport Protocol Data Unit (TPDU) frames, and it would be fun to be able to send those directly.
  • In the same way, specific commands are sent to detect and initialize the card.

In the outputs above, these frames correspond to the lines starting with “>” (sent by the reader) or “<” (sent by the card), for instance:

  • a REQA: “> 26”
  • a TPDU: “> 1A 00 00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44”

The TPDUs and the initialization sequence are described by the ISO 14443 standard. In a later post, we will explain this protocol, and see how easy it is to play with it thanks to the HydraNFC v2!
