Proxmark3 community


#1 2020-06-08 10:12:03

MP66
Contributor
Registered: 2020-06-08
Posts: 2

EMV scan and GPO

Hi all,
It seems that during the scan, when sending the GPO, Le is missing, which results in 6700, wrong length.

I'm not a fine programmer, but looking at emvcore.c I see a need to fix EMVGPO: call EMVExchangeEx and use the IncludeLe param = true (or set (channel == ECC_CONTACTLESS) like in EMVSelect).

Am I wrong?

M


#2 2020-12-11 22:23:09

compr00t
Contributor
Registered: 2020-12-05
Posts: 3

Re: EMV scan and GPO

Hi MP66

I made the same observation about the missing LE. In standalone mode Salvador Mendoza's "HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443)" can successfully read a card and outputs the following for the GPO step:

#db# [Challenge generated ]
#db# 80 a8 00 00 23 83 21 f6
#db# 20 c0 00 00 00 00 00 00
#db# 00 00 00 00 00 00 00 9f
#db# 1a 95 95 95 95 95 5f 2a
#db# 9a 9a 9a 9c 9f 37 9f 37
#db# 00

If I re-send the same PDOL data with "emv gpo" (after selecting an applet, of course), I get the same command APDU except for the trailing LE of "00", and therefore the same error about the length as you observed with the scan command:

[usb] pm3 --> emv gpo -kat f620C0000000000000000000000000009f1a95959595955f2a9a9a9a9c9f379f37
[+] >>>> 80 A8 00 00 23 83 21 F6 20 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 9F 1A 95 95 95 95 95 5F 2A 9A 9A 9A 9C 9F 37 9F 37
[+] <<<< 67 00
[!!] ? APDU(80a8) ERROR: [6700] Wrong length

More interestingly, it seems I am not able to send this instruction as a command APDU either, regardless of whether I add a trailing LE or not:

[usb] pm3 --> hf 14a apdu -skt 80A80000238321F620C0000000000000000000000000009F1A95959595955F2A9A9A9A9C9F37 9F3700
>>>>[sel keep TLV] 80 A8 00 00 23 83 21 F6 20 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 9F 1A 95 95 95 95 95 5F 2A 9A 9A 9A 9C 9F 37 9F 37 00
<<<< 6D 00
[+] APDU response: 6d 00 - Instruction code not supported or invalid

Did you come up with a working solution or fix?

Cheers


#3 2020-12-13 00:28:52

compr00t
Contributor
Registered: 2020-12-05
Posts: 3

Re: EMV scan and GPO

Hi MP66

Thanks to your initial hint I was able to quickly rewrite the method in question in order to force add an LE and I can now use `emv gpo` properly as you can see in this issue.

Cheers
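The missing Le discussed in this thread, as an added example that is not part of the original posts or of the Proxmark3 code base: it builds the GPO command from the PDOL data quoted above, with and without the trailing Le, and classifies each result as ISO 7816-4 case 3 or case 4 (short form only). The names `build_gpo_apdu` and `apdu_case` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PDOL data from the `emv gpo -kat` command quoted in the thread (33 bytes). */
static const uint8_t PDOL_DATA[33] = {
    0xF6, 0x20, 0xC0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x9F, 0x1A, 0x95, 0x95, 0x95, 0x95, 0x95, 0x5F, 0x2A,
    0x9A, 0x9A, 0x9A, 0x9C, 0x9F, 0x37, 0x9F, 0x37
};

/* Build 80 A8 00 00 Lc 83 len <pdol> [Le]. Returns the APDU length, or 0 on error. */
size_t build_gpo_apdu(const uint8_t *pdol, size_t pdol_len, int include_le,
                      uint8_t *out, size_t out_cap) {
    size_t need = 5 + 2 + pdol_len + (include_le ? 1 : 0);
    if (pdol_len > 127 || need > out_cap) return 0; /* single-byte tag-83 length only */
    out[0] = 0x80; out[1] = 0xA8; out[2] = 0x00; out[3] = 0x00;
    out[4] = (uint8_t)(pdol_len + 2);               /* Lc covers tag 83 + length + data */
    out[5] = 0x83; out[6] = (uint8_t)pdol_len;
    memcpy(out + 7, pdol, pdol_len);
    if (include_le) out[7 + pdol_len] = 0x00;       /* Le = 00: up to 256 bytes expected */
    return need;
}

/* Classify a short-form command APDU: returns case 1..4, or -1 if malformed. */
int apdu_case(const uint8_t *apdu, size_t len) {
    if (len < 4) return -1;
    if (len == 4) return 1;                  /* header only */
    if (len == 5) return 2;                  /* header + Le */
    size_t lc = apdu[4];
    if (lc == 0) return -1;                  /* extended length is not handled here */
    if (len == 5 + lc) return 3;             /* header + Lc + data */
    if (len == 5 + lc + 1) return 4;         /* header + Lc + data + Le */
    return -1;
}

int main(void) {
    uint8_t buf[64];
    for (int le = 0; le <= 1; le++) {
        size_t n = build_gpo_apdu(PDOL_DATA, sizeof PDOL_DATA, le, buf, sizeof buf);
        printf("Le %s: %zu bytes, ISO 7816-4 case %d\n",
               le ? "included" : "omitted", n, apdu_case(buf, n));
    }
    return 0;
}
```

The case 3 output matches the 40-byte command that `emv gpo` sent in the trace above; the case 4 output is the same command with the extra `00` that the standalone mode included.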
