Error: External authenticate failed: 0x6982 (Security status not satisfied) #8
Can you provide me more details about the card you are using and the card reader as well? Can you also give it a try using the below method? Sadly, I haven't faced this issue before. I would suggest opening an issue here - https://github.com/martinpaljak/GlobalPlatformPro as I believe it has more to do with the GP tool.
I am suspecting the following:
Hi, thank you very much for your kind and prompt reply. Much appreciated. I am using sysmoISIM-SJA2 and using an Omnikey smartcard reader and a Gemalto USB token. The Omnikey says: [INFO] GPSession - Using card master keys with version 112 for setting up session [MAC] and fails immediately, and the Gemalto token method keeps returning the error above. The keys are correct: if I give it wrong keys, it says wrong keys and error may brick card etc. I tried on purpose to see if the keys are OK, and they are. I also double-checked that they are the same as the ones sysmocom sent me. P.S. I have also opened an issue at the GP tool repo.
Can you share here the output you get via this method?
root@DFK-EVA-FOP:/gitsne/sim-tools/bin# ./shadysim --pcsc -l applet.cap -i applet.cap --kic 8B51206FD44FFA22F78D5667EACA8F82 --kid F5773D2E3D95E2EA17066B2CAEA23BAB --module-aid A00000015141434C00 --instance-aid A00000015141434C00
Both methods should work for this card, but I see that both fail on all 10 new cards, with both Windows and Linux, 2 different PCs and 2 different readers. I don't get the problem.
I managed to fix the not transacted error. Now I get this:
gp --key-enc DFF145A895A08A9836FCBAEBB2BEF4F0 --key-mac 5C60A8BF7FEBEDCA2754526B87760A54 --key-dek 2A69D3EE732E6D252359D43F066B66B3 -lvi --debug --unlock
SCardConnect("OMNIKEY CardMan 1021 0", T=*) -> T=0, 3B9F96801F878031E073FE211B674A4C753034054BA9
GlobalPlatformPro 325fe84
Running on Windows 10 10.0 amd64, Java 1.8.0_241 by Oracle Corporation
A>> T=0 (4+0000) 00A40400 00
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
I have now updated the instructions for sysmoISIM-SJA2 in this section: https://github.com/herlesupreeth/CoIMS_Wiki#ota-ram-remote-applet-management--rfm-remote-file-management-of-installing-the-applet-and-installing-certificates Please try with shadysim_isim.py and not shadysim.py
Excellent, thank you. I honestly think this will solve the issue. Only one problem: I can't get ahold of shadysim_isim.py anywhere.
When you clone it, you will find it inside the shadysim folder.
Sorry, I already checked, it's not there. There is just shadysim and toorsimtool.
Master branch was updated 3 months ago.
It is also not present in the osmocom git repo.
Oops... sorry, I didn't notice. I am not allowed to share it in public (it's still under development). Please ignore the shadysim_isim.py method. @laf0rge: Can you please let me know whether there are any plans to add shadysim_isim for sysmoISIM-SJA2? Btw, did you use Kic1, Kid1 and Kik1 with the GP tool? If so, can you please try the same with Kic3, Kid3 and Kik3?
If you get approval you can send it to me so I can test it. I have access to large-scale commercial equipment, I can test it in large-scale networks, and I will not share it publicly. Also, I did not receive kic3, kid3 and kik3 from osmocom.
If there is any info or news about the tool, please let me know via email.
I have managed to use a 3rd party tool to push an aram-apdu directly to the SIM's built-in ARA-M applet and install the certificate that way. I later tested that just running shadysim aram-apdu works on this card as well. But I still cannot install other applets and change other stuff regarding javacard and globalplatform. At least I granted CarrierPrivs to COIMS.
Glad you were able to solve it. Unfortunately I hear back about sharing the shadysim_isim.py
Please do not worry, for now it is OK. I have however encountered a new problem: my PLMN is not in the carrier DB of Android and I get SIM carrier id -1 or not found, so I see there is a way to use ARA-M and a signed app to provide mcc mnc to the phone using carrier privileges, the same way IMS is configured. Do you know of such an app available, or should I give a shot at making one? I see a tutorial on android.com about it.
I don't think it's possible to add carrier id to mnc mcc mapping, as it's maintained by Google/AOSP project. Or, out of curiosity, can you please send me the link where it says it can be added via an app?
https://source.android.com/devices/tech/config/carrier getCarrierIdFromSimMccMnc public int getCarrierIdFromSimMccMnc ()
My apologies, I misunderstood what it was trying to say. If anyone is interested, here is the method I find easiest for rooted UEs
My sincere apologies for taking so much of your time, but I have an issue again. App has carrier privileges is true, APN is set up in o5gs, tun interface exists, FoHSS is set up correctly, impu impi all of it. SIM is also set up OK, I can see imsi imsu impi pcscf in isim info. But adding the IMS APN on the UE does nothing: the APN stays hidden, the VoLTE option does not appear in settings as it does when a carrier SIM is in, and I can't get it to try to connect a dedicated EPS bearer and request IMS. I don't know what to do now and how to approach the issue.
Can you tell me which UE you are using? Is it a Samsung phone?
Yes, it's a Samsung phone, A71.
If that's the case, I would go to Samsung IMS settings from my app (top right hand corner menu options), there activate the required IMS settings from IMS switch and see whether you see the VoLTE option in Settings->Mobile Networks
Yes, I have already done that. I even edited one of the Samsung built-in profiles with the IMS domain and pcscf address, but still no luck, and in dm settings I tried switching IMS test mode on and off. Nothing has worked so far. Wasn't there a place in a file where you have to enter if the carrier supports VoLTE or not? I think the used PLMN has to already support VoLTE.
Do you get the VoLTE switch in the phone's Settings --> Connections --> Mobile Networks? Can you send me a screenshot of your Samsung IMS settings and the above menu I mentioned?
I just made that part, but I got new issues now. I opened a new issue, please check it, and thank you for your eternal kindness.
Please note that there was some accidental swapping of keys vs. designation during the production of sysmoUSIM-SJA2, as explained in martinpaljak/GlobalPlatformPro#253 - please contact the sysmocom support for assistance with getting the correct keys for SCP02. The same accident also applies to 03.48 OTA keys, so no matter if you want to use 03.48 OTA or GP SCP02 - you will always have to reach out to @sysmocom support by e-mail to obtain the correct keys. My apologies, it was a mistake at the (third-party) factory that we didn't notice at sysmocom.
Sorry for revoking the closed issue. Could you please give a hint for it?
gp --key-enc A0948DF78069ECCF7EEB5F6BBD16AF28 --key-mac 4E7CC70904931158D8C409BAD4456096 --key-dek ECF2062F810611B6D750041726502EAA -lvi
@baesangwook89 I think this was fixed in ISIMs. Did you try with KIC1, KID1 and KIK1?
Hi @herlesupreeth, sorry for revoking the closed issue again. I encountered exactly the same issue as @baesangwook89. Could you please provide some hints here? Below is my terminal command and output: I have checked KIC1 KID1 and KIK1 value in the command, they are exactly matching the file I got from sysmocom. I have also tried "OTA RAM (Remote Applet Management) + RFM (Remote File Management) of installing the applet and installing certificates", but failed again. Below is the exact command and output:
$ python shadysim_isim.py --pcsc -l applet.cap -i applet.cap --kic F3B80FD41B4AD314183A0D41716A3F82 --kid 653AC73FF88730523A5D85ADC98B4787 --module-aid A00000015141434C00 --instance-aid A00000015141434C00
Hi, could you please share which 3rd party tool you used to solve this issue? Thanks!
@helloTkk as mentioned here #8 (comment), please reach out to sysmocom
Hi @herlesupreeth, thanks for your quick reply! I contacted Sysmocom support and got the correct keys, and the issue was resolved. Thanks for your tutorial and CoIMS!
When I try to enter the kic kid kik on the card I get the following error:
gp --key-enc DFF145A895A08A9836FCBAEBB2BEF4F0 --key-mac 5C60A8BF7FEBEDCA2754526B87760A54 --key-dek 2A69D3EE732E6D252359D43F066B66B3 -lvi --debug
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
SCardConnect("Gemalto USB Shell Token V2 00 00", T=*) -> T=0, 3B9F96801F878031E073FE211B674A4C753034054BA9
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Linux 5.7.0-kali1-amd64 amd64, Java 1.8.0_212 by Oracle Corporation
A>> T=0 (4+0000) 00A40400 00
A<< (0018+2) (14ms) 6F108408A000000003000000A5049F6501FF 9000
A>> T=0 (4+0000) 80CA9F7F 00
A<< (0000+2) (3ms) 6A88
A>> T=0 (4+0000) 00CA9F7F 00
A<< (0000+2) (2ms) 6E00
[main] WARN pro.javacard.gp.GPData - GET DATA(CPLC) not supported
A>> T=0 (4+0000) 80CA0042 00
A<< (0005+2) (8ms) 4203000000 9000
IIN: 4203000000
A>> T=0 (4+0000) 80CA0045 00
A<< (0004+2) (7ms) 45020000 9000
CIN: 45020000
Card Data:
A>> T=0 (4+0000) 80CA0066 00
A<< (0051+2) (10ms) 6631732F06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.2.21
-> GP SCP02 i=15
Card Capabilities:
A>> T=0 (4+0000) 80CA0067 00
A<< (0000+2) (3ms) 6A88
A>> T=0 (4+0000) 80CA00E0 00
A<< (0074+2) (12ms) E048C00401708010C00402708010C00403708010C00401018010C00402018010C00403018010C00401028010C00402028010C00403028010C00401038010C00402038010C00403038010 9000
Version: 112 (0x70) ID: 1 (0x01) type: DES3 length: 16
Version: 112 (0x70) ID: 2 (0x02) type: DES3 length: 16
Version: 112 (0x70) ID: 3 (0x03) type: DES3 length: 16
Version: 1 (0x01) ID: 1 (0x01) type: DES3 length: 16
Version: 1 (0x01) ID: 2 (0x02) type: DES3 length: 16
Version: 1 (0x01) ID: 3 (0x03) type: DES3 length: 16
Version: 2 (0x02) ID: 1 (0x01) type: DES3 length: 16
Version: 2 (0x02) ID: 2 (0x02) type: DES3 length: 16
Version: 2 (0x02) ID: 3 (0x03) type: DES3 length: 16
Version: 3 (0x03) ID: 1 (0x01) type: DES3 length: 16
Version: 3 (0x03) ID: 2 (0x02) type: DES3 length: 16
Version: 3 (0x03) ID: 3 (0x03) type: DES3 length: 16
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=DFF145A895A08A9836FCBAEBB2BEF4F0 (KCV: E0B747) MAC=5C60A8BF7FEBEDCA2754526B87760A54 (KCV: 5B97FA) DEK=2A69D3EE732E6D252359D43F066B66B3 (KCV: 9EFAE1) for null
A>> T=0 (4+0008) 80500000 08 D57C79D40C254684 00
A<< (0028+2) (40ms) 00000000000000000000700200008E43019EFACC0023E120C56AB68A 9000
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=DFF145A895A08A9836FCBAEBB2BEF4F0 (KCV: E0B747) MAC=5C60A8BF7FEBEDCA2754526B87760A54 (KCV: 5B97FA) DEK=2A69D3EE732E6D252359D43F066B66B3 (KCV: 9EFAE1) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=4023A18CE9021BAC3FC128570E6A2EC0 MAC=F365B15115B515FBB4A881FE0B2ED91B RMAC=DFE14B80057CA67D50AF539A1FCB9CE0, card keys=ENC=DFF145A895A08A9836FCBAEBB2BEF4F0 (KCV: E0B747) MAC=5C60A8BF7FEBEDCA2754526B87760A54 (KCV: 5B97FA) DEK=2A69D3EE732E6D252359D43F066B66B3 (KCV: 9EFAE1) for SCP02
A>> T=0 (4+0016) 84820100 10 05CC76E9699F0266085FB9CB613E3E52
A<< (0000+2) (16ms) 6982
Error: External authenticate failed: 0x6982 (Security status not satisfied)
Can you please help me with this situation?
Thank you kindly.
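Added example (not part of the original post or of GlobalPlatformPro): a Python decoder for two card responses in the debug log above, the GET DATA 00E0 key information template and the INITIALIZE UPDATE response, which together show the key version the card answered with and the key IDs it lists for that version. The function names are illustrative, the field layout assumed is the GlobalPlatform 2.1.1 SCP02 one, and both hex strings are copied from the log.

```python
# Added example; layouts assumed from GlobalPlatform 2.1.1 (SCP02), inputs from the log.

KEY_INFO = ("E048C00401708010C00402708010C00403708010C00401018010C00402018010"
            "C00403018010C00401028010C00402028010C00403028010C00401038010"
            "C00402038010C00403038010")          # response to 80CA00E0
INIT_UPDATE = "00000000000000000000700200008E43019EFACC0023E120C56AB68A"  # to 8050


def parse_key_info(resp_hex):
    """Return one dict per C0 entry of the E0 key information template."""
    data = bytes.fromhex(resp_hex)
    if len(data) < 2 or data[0] != 0xE0 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed E0 template")
    keys, i = [], 2
    while i < len(data):
        if i + 2 > len(data) or data[i] != 0xC0:
            raise ValueError("expected C0 entry at offset %d" % i)
        entry = data[i + 2:i + 2 + data[i + 1]]
        if len(entry) != data[i + 1] or len(entry) < 4:
            raise ValueError("truncated C0 entry at offset %d" % i)
        # Basic entry: key ID, key version, key type (0x80 = DES), key length
        keys.append({"id": entry[0], "version": entry[1],
                     "type": entry[2], "length": entry[3]})
        i += 2 + len(entry)
    return keys


def parse_init_update(resp_hex):
    """Split the 28-byte SCP02 INITIALIZE UPDATE response into its fields."""
    d = bytes.fromhex(resp_hex)
    if len(d) != 28:
        raise ValueError("expected 28 bytes, got %d" % len(d))
    return {"diversification": d[:10].hex(), "key_version": d[10], "scp": d[11],
            "sequence_counter": int.from_bytes(d[12:14], "big"),
            "card_challenge": d[14:20].hex(), "card_cryptogram": d[20:].hex()}


def session_key_set(init_hex, key_info_hex):
    """Key version the card answered with, and the key IDs it lists for it."""
    iu = parse_init_update(init_hex)
    ids = sorted(k["id"] for k in parse_key_info(key_info_hex)
                 if k["version"] == iu["key_version"])
    return iu["key_version"], iu["scp"], ids


if __name__ == "__main__":
    version, scp, ids = session_key_set(INIT_UPDATE, KEY_INFO)
    print(f"card used key version {version} (0x{version:02X}), SCP{scp:02d}, key IDs {ids}")
```

For the log above this reports key version 112 (0x70), SCP02 and key IDs 1 to 3, so the ENC, MAC and DEK values given to gp have to be the ones belonging to that key set.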