
Opening a secure connection with Java Card and Global Platform


After succeeding with Java Card development on emulators, I'm now dealing with a real Java Card (Gemalto IDCore 3010). I have been experimenting with the Global Platform, but I have problems even with the most basic sample code, which would list the applets on the card.

This is the original code:

    mode_201
    enable_trace
    establish_context
    card_connect
    select -AID a0000000030000
    open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
    get_status -element e0
    card_disconnect
    release_context

I have modified it, and it now looks like this:

    //I changed this, because the Card Management & API is compliant with GP2.1.1.
    mode_211
    enable_trace
    establish_context
    //Switches are not necessary as I am using only one single-slot card reader
    card_connect
    //The auto-detected ISD AID of the card is: A000000018434D00
    select -AID A000000018434D00
    //This is the line where the command fails
    open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key 47454d5850524553534f53414d504c45   // Open secure channel
    //This would list applets and packages and security domains
    get_status -element e0
    card_disconnect
    release_context

On the Global Platform page one can find that these are the switches for an open_sc command:

    open_sc -keyind x -keyver x -key xyz -mac_key xyz -enc_key xyz -kek_key xyz -security x -scp x -scpimpl x -keyDerivation x
    Open secure channel

But sadly I couldn't find enough information on these switches.

This is the error message that I get with the modified code:

    C:\JavaCard\GPShell-1.4.4>GPShell.exe list.txt
    mode_211
    enable_trace
    establish_context
    card_connect
    select -AID A000000018434D00
    Command --> 00A4040008A000000018434D00
    Wrapped command --> 00A4040008A000000018434D00
    Response <-- 6F198408A000000018434D00A50D9F6E061291518101009F6501FF9000
    open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key 47454d585052455
    3534f53414d504c45   // Open secure channel
    Command --> 80CA006600
    Wrapped command --> 80CA006600
    Response <-- 6A88
    GP211_get_secure_channel_protocol_details() returns 0x80206A88 (6A88: Referenced
     data not found.)

Could somebody tell me what is wrong and how I should parameterize and execute the open_sc command? Thank you very much!

Solution: This was the working version:

    mode_201
    enable_trace
    establish_context
    card_connect
    select -AID A000000018434D00
    open_sc -scp 1 -scpimpl 0x15 -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2
    get_status -element e0
    card_disconnect
    release_context

Solution

  • Unfortunately, in contrast to other devices of daily life, complete manuals or instructions are often not provided with smart cards. If you do not have some of the necessary parameters, you are lost. Try to use the switch mode_201:

    mode_201
    enable_trace
    enable_timer
    establish_context
    card_connect
    select -AID A000000018434D00
    open_sc -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2 // Open secure channel
    get_status -element e0
    card_disconnect
    release_context
    

    There is an example file called listgemXpressoProR3_2E64.txt: https://sourceforge.net/p/globalplatform/code/HEAD/tree/trunk/gpshell/helloInstallgemXpressoProR3_2E64.txt

    Maybe your card is compatible with this Gemalto card.
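
Decoding the trace from the question, as an added example in Python (not part of the original posts and not GPShell code; the function names are made up for illustration, the tag names are those of the GlobalPlatform Card Specification). It parses the BER-TLV in the SELECT response and the status words. `80CA006600` is GET DATA for tag 0066, the card data object that carries the card recognition data, so `6A88` means this card does not expose it and the secure channel protocol has to be given explicitly, as the working script does with `-scp` and `-scpimpl`.

```python
# Added example (not GPShell code); the trace bytes are copied from the question.
SW_TEXT = {0x9000: "success", 0x6A88: "referenced data not found"}
TAG_NAMES = {
    0x84: "AID of selected application",
    0x9F6E: "application production life cycle data",
    0x9F65: "maximum length of command data field",
}
SELECT_RESPONSE = "6F198408A000000018434D00A50D9F6E061291518101009F6501FF9000"
GET_DATA_RESPONSE = "6A88"  # answer to 80CA006600 (GET DATA, P1P2 = 0066)

def split_sw(response_hex):
    """Split a response APDU into (data bytes, status word)."""
    raw = bytes.fromhex(response_hex)
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    return raw[:-2], int.from_bytes(raw[-2:], "big")

def parse_tlv(data, path=()):
    """Flatten BER-TLV (one- or two-byte tags) into {tag path: value hex}."""
    out, i = {}, 0
    while i < len(data):
        first = tag = data[i]
        i += 1
        if first & 0x1F == 0x1F:      # two-byte tag such as 9F6E
            tag, i = (first << 8) | data[i], i + 1
        length, i = data[i], i + 1
        if length & 0x80:             # long-form length: 81 xx or 82 xx xx
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated value for tag %X" % tag)
        i += length
        if first & 0x20:              # constructed: recurse into the template
            out.update(parse_tlv(value, path + (tag,)))
        else:
            out[path + (tag,)] = value.hex().upper()
    return out

def describe(response_hex):
    """Return readable lines for one response APDU from the trace."""
    body, sw = split_sw(response_hex)
    lines = ["SW %04X: %s" % (sw, SW_TEXT.get(sw, "unknown"))]
    for path, value in parse_tlv(body).items():
        lines.append("%s = %s" % (TAG_NAMES.get(path[-1], "%X" % path[-1]), value))
    return lines

if __name__ == "__main__":
    print("\n".join(describe(SELECT_RESPONSE) + describe(GET_DATA_RESPONSE)))
```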