ISO14443A Commands

Sentinel · 2015-03-06 12:20:15

Using a chip card reader mfrс522 for VISA paywave. where to find documentation on work with records?

->26 (REQA)
<-0400

->9320
<-B81900AA0B

->9370B81900AA0B (SELECT CARD)
<-28

<-E050 (RATS)
->137880820280318066B0840C016E0183009000

<-0200A4040007A0000000031010 (SELECT VISA)
->026F318407A0000000031010A526.....900000 (55 byte)

<-0300B2010C (read record 1)
->13704D57134402......43000 (63 bytes)

<-A2 (continue read???)
->0230303030.........900000 (22 byte)

If the command 0хA2 - continue reading to learn how to give it or not?

in another device I use chip pn531. 0xA2 command was intercepted when pn531 read record 1
pn531 chip joined 2 pieces (63byte and 22 byte) and gave them one piece.
RATS comand I do not ask to send pn531. he decided to send this command

thefkboss · 2015-03-06 12:27:29

Visa books..... 4 books.....you can find the books in pirateba......

asper · 2015-03-06 13:36:41

Any hint about books name ?

thefkboss · 2015-03-06 13:46:42

I don't know if is legal??
I could upload....but
I don't know if that could have legal problems to the forum.
Some moderator......

thefkboss · 2015-03-06 13:47:48

EMV visa books

asper · 2015-03-06 14:55:30

They seems to be freely available on the net.

Last edited by asper (2015-03-06 14:57:07)

Sentinel · 2015-03-06 16:28:24

Red line - APDU comand
Blue line - responce, decoding by www. emvlab. org/tlvutils/
Green line - ???

iceman · 2015-03-06 17:45:23

apdu command/status byte, if I remember it correct.

asper · 2015-03-06 18:00:23

Can I ask you what is the way you logged data ? Snoop with pm3 ? Those "green" bytes seems the header of the incapsulated apdus (CLA INS P1 P2 P3)...

I think there is a problem in the arrows you used:

-> sent to the card
<- received from the card

like:

->26 (REQA)
<-0400

What we have next:

<-E050  (RATS)
->137880820280318066B0840C016E0183009000

E050 is sent by the card to the reader ?

EDIT: no Iceman, the status byte are 2 bytes at the end of the string (ex. 90 00) called also SW1 and SW2.

Ex: ->137880820280318066B0840C016E0183009000

Last edited by asper (2015-03-06 18:09:24)

Sentinel · 2015-03-06 18:16:30

" 0x02, 0x03, 0x0A, 0x0B...this is the Protocol Control Byte (called PCB), comes from ISO14443-4, in the Prologue field, indicates if the block is I, R or S, and if chaining is being used" from forum http://e2e.ti.com/

The next question is where to get the Standard ISO14443-4 )))

asper · 2015-03-06 18:23:40

Yes, I did not remember "protocol control byte" but this is what I meant.

Last edited by asper (2015-03-06 18:52:57)

Sentinel · 2015-03-06 18:31:00

to Asper: Can I ask you what is the way you logged data ? Snoop with pm3 ? Those "green" bytes seems the header of the incapsulated apdus (CLA INS P1 P2 P3)...

I use "Saleae Logic - 8-Channel USB Logic Analyzer"

with the direction of the arrow I really made a mistake...

answers from cards get from the buffer circuit MFRC522

asper · 2015-03-06 18:34:27

So you sniffed a contact, not a contactless communication ? Am I wrong ?

Sentinel · 2015-03-06 18:37:48

pn531 chip adds PCB(0x02 or 0x03) and glues packages (use A2 comand?).
I need to use MFRC522, but it is not so clever %)

Sentinel · 2015-03-06 18:39:41

I wrapped the antenna, and it is perfectly catches the signal)))

asper · 2015-03-06 21:13:26

Can you make a picture of the wrapped antenna ? (I contacted you to the other ICQ account)

holiman · 2015-03-06 22:40:31

I've been curious to play with paywave, but haven't seen any such cards here in sweden yet...
... and it's not like someone else will send me their credit card for experimentation either..

holiman · 2015-03-06 22:41:39

@Sentinel - you don't use a proxmark for this ? How come?

iceman · 2015-03-07 09:39:40

Hasn't Peter Fillmore a branch filled with all EMV functions for Visa and Mastercard? https://github.com/peterfillmore/proxmark3

Sentinel · 2015-03-09 10:57:38

Sentinel · 2015-03-09 11:05:49

@ holiman - In the near future plan to buy proxmark .. because I'm tired of painting bits and bytes)))

Sentinel · 2015-03-09 11:52:02

parse command RATS according to standard 14443-4
-> E050 (RATS)

Chip buffer is limited(64byte), and it is, continue to see that the length of the record cut

Sentinel · 2015-03-09 12:14:33

The figure illustrates how the string "0123456789ABCDEF" transferred from the card to the reader, if the reader is limited budffer 7 bytes. In fact, the first constraint = 16 bytes (See previous picture)

Sentinel · 2015-03-09 12:21:06

@ iceman - in the source code to which you sent the link, as described command PCB and ACK )))

Proxmark3 community

Announcement

#1 2015-03-06 12:20:15

ISO14443A Commands

#2 2015-03-06 12:27:29

Re: ISO14443A Commands

#3 2015-03-06 13:36:41

Re: ISO14443A Commands

#4 2015-03-06 13:46:42

Re: ISO14443A Commands

#5 2015-03-06 13:47:48

Re: ISO14443A Commands

#6 2015-03-06 14:55:30

Re: ISO14443A Commands

#7 2015-03-06 16:28:24

Re: ISO14443A Commands

#8 2015-03-06 17:45:23

Re: ISO14443A Commands

#9 2015-03-06 18:00:23

Re: ISO14443A Commands

#10 2015-03-06 18:16:30

Re: ISO14443A Commands

#11 2015-03-06 18:23:40

Re: ISO14443A Commands

#12 2015-03-06 18:31:00

Re: ISO14443A Commands

#13 2015-03-06 18:34:27

Re: ISO14443A Commands

#14 2015-03-06 18:37:48

Re: ISO14443A Commands

#15 2015-03-06 18:39:41

Re: ISO14443A Commands

#16 2015-03-06 21:13:26

Re: ISO14443A Commands

#17 2015-03-06 22:40:31

Re: ISO14443A Commands

#18 2015-03-06 22:41:39

Re: ISO14443A Commands

#19 2015-03-07 09:39:40

Re: ISO14443A Commands

#20 2015-03-09 10:57:38

Re: ISO14443A Commands

#21 2015-03-09 11:05:49

Re: ISO14443A Commands

#22 2015-03-09 11:52:02

Re: ISO14443A Commands

#23 2015-03-09 12:14:33

Re: ISO14443A Commands

#24 2015-03-09 12:21:06

Re: ISO14443A Commands

Board footer