https://osmocom.org/
2022-07-04T07:55:35Z
Open Source Mobile Communications
SIMtrace 2 - Feature #5600: SIMtrace2 fails to emulate EMV cards
https://osmocom.org/issues/5600?journal_id=24320
2022-07-04T07:55:35Z
fixeria
<p>Hello,</p>
<p>as far as I can see from your pastebin, simtrace2-cardem-pcsc basically crashes due to an integer overflow.</p>
<p><a class="external" href="https://gerrit.osmocom.org/c/simtrace2/+/28513">https://gerrit.osmocom.org/c/simtrace2/+/28513</a> host/cardem: fix integer overflow in process_do_rx_da()</p>
<p>This patch is not going to solve your problem, but should fix the segfault.</p>
https://osmocom.org/issues/5600?journal_id=24321
2022-07-04T09:50:56Z
laforge
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Assignee</strong> set to <i>boggy123</i></li></ul><p>re-classifying this as a "feature" as it is not something we claim to support. The only bug is that it segfaults right now.</p>
<p>First of all, I would assume that <strong>normally</strong> EMV cards use T=1, while SIMtrace (both for tracing and for cardem) only supports T=0.</p>
<p>In your case, surprisingly, they seem to use T=0 (maybe it's a fall-back?)</p>
<p>adding the paste here in-line:<br /><pre>
boggy@boggy-HP-Laptop-14-dk0xxx:~/Work/simtrace2/host/src$ sudo ./simtrace2-cardem-pcsc --usb-vendor 1d50 --usb-product 60e3 --usb-path 1-1.1 --usb-config 1 --pcsc-reader-num 1 --skip-atr
simtrace2-cardem-pcsc - Using PC/SC reader as SIM
(C) 2010-2022, Harald Welte <laforge@gnumonks.org>
(C) 2018, sysmocom -s.f.m.c. GmbH, Author: Kevin Redon <kredon@sysmocom.de>
DLINP NOTICE [0] <= osmo_st2_cardem_request_config(features=00000001)
DLINP NOTICE [0] <= osmo_st2_cardem_request_card_insert(inserted=1)
DLINP NOTICE [0] <= _modem_sim_select(remote_sim=1)
DLINP NOTICE [0] <= _modem_reset(asserted=2, pulse_ms=300)
Entering main loop
DLGLOBAL NOTICE => IRQ STATUS: flags=0x0, fi=1, di=1, wi=10 wtime=9600 ()
DLGLOBAL NOTICE => IRQ STATUS: flags=0x10, fi=1, di=1, wi=10 wtime=9600 (RESET )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x11, fi=1, di=1, wi=10 wtime=9600 (RESET VCC )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x13, fi=1, di=1, wi=10 wtime=9600 (RESET VCC CLK )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x12, fi=1, di=1, wi=10 wtime=9600 (RESET CLK )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x10, fi=1, di=1, wi=10 wtime=9600 (RESET )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x11, fi=1, di=1, wi=10 wtime=9600 (RESET VCC )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x13, fi=1, di=1, wi=10 wtime=9600 (RESET VCC CLK )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x3, fi=1, di=1, wi=10 wtime=9600 (VCC CLK )
DLGLOBAL NOTICE Warm Resetting card in reader...
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 00 a4 04 00 0e
DLINP DEBUG [0] <= osmo_st2_cardem_request_pb_and_rx(pb=a4, le=14)
DLGLOBAL NOTICE => IRQ STATUS: flags=0x13, fi=1, di=1, wi=10 wtime=9600 (RESET VCC CLK )
DLGLOBAL NOTICE => IRQ STATUS: flags=0x3, fi=1, di=1, wi=10 wtime=9600 (VCC CLK )
DLGLOBAL NOTICE Warm Resetting card in reader...
DLGLOBAL INFO => DATA: flags=0x02 (FINAL ), 31 50 41 59 2e 53 59 53 2e 44 44 46 30 31
DLINP DEBUG [0] <= osmo_st2_cardem_request_sw_tx(sw=611c)
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 00 c0 00 00 1c
DLINP DEBUG [0] <= osmo_st2_cardem_request_pb_and_tx(pb=c0, tx=6f 1a 84 0e 31 50 41 59 2e 53 59 53 2e 44 44 46 30 31 a5 08 88 01 01 5f 2d 02 65 6e , len=28)
DLINP DEBUG [0] <= osmo_st2_cardem_request_sw_tx(sw=9000)
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 00 b2 01 0c 00
DLINP DEBUG [0] <= osmo_st2_cardem_request_sw_tx(sw=6c59)
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 00 b2 01 0c 59
DLINP DEBUG [0] <= osmo_st2_cardem_request_pb_and_tx(pb=b2, tx=70 57 61 25 4f 07 a0 00 00 00 03 10 10 50 0a 56 69 73 61 20 44 65 62 69 74 87 01 02 73 0b 9f 0a 08 00 01 05 01 00 00 00 00 61 16 4f 07 a0 00 00 00 29 10 10 50 08 4c 49 4e 4b 20 41 54 4d 87 01 01 61 16 4f 07 a0 00 00 00 03 80 02 50 08 42 41 52 43 4c 41 59 53 87 01 00 , len=89)
DLINP DEBUG [0] <= osmo_st2_cardem_request_sw_tx(sw=9000)
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 00 b2 02 0c 00
DLINP DEBUG [0] <= osmo_st2_cardem_request_sw_tx(sw=6a83)
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 00 a4 04 00 07
DLINP DEBUG [0] <= osmo_st2_cardem_request_pb_and_rx(pb=a4, le=7)
DLGLOBAL INFO => DATA: flags=0x02 (FINAL ), a0 00 00 00 03 10 10
DLINP DEBUG [0] <= osmo_st2_cardem_request_sw_tx(sw=612f)
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 00 c0 00 00 2f
DLINP DEBUG [0] <= osmo_st2_cardem_request_pb_and_tx(pb=c0, tx=6f 2d 84 07 a0 00 00 00 03 10 10 a5 22 50 0a 56 69 73 61 20 44 65 62 69 74 87 01 02 5f 2d 02 65 6e bf 0c 0b 9f 0a 08 00 01 05 01 00 00 00 00 , len=47)
DLINP DEBUG [0] <= osmo_st2_cardem_request_sw_tx(sw=9000)
DLGLOBAL INFO => DATA: flags=0x01 (HDR ), 80 a8 00 00 02
DLGLOBAL ERROR Unknown APDU case 0
DLINP DEBUG [0] <= osmo_st2_cardem_request_pb_and_tx(pb=a8, tx=00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 05 00 00 00 00 00 00 e0 c7 88 7a ef 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 a0 76 30 ef 7f 00 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 d2 72 30 ef 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 04 06 00 00 00 00 00 28 a9 7a cf d2 55 00 00 4e a9 7a cf d2 55 00 00 48 a9 7a cf d2 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 msgb(0x55d2cf7aa8a0): Not enough tailroom msgb_put (allocated 920, head at 0, len 7, tailroom 1017 < want tailroom 65534)
backtrace() returned 19 addresses
/usr/local/lib/libosmocore.so.19(osmo_generate_backtrace+0x1c) [0x7fef3070c238]
/usr/local/lib/libosmocore.so.19(+0x2ce8c) [0x7fef3070be8c]
/usr/local/lib/libosmocore.so.19(osmo_panic+0xe0) [0x7fef3070bf71]
/home/boggy/Work/simtrace2/host/lib/.libs/libosmo-simtrace2.so.1(+0x35cc) [0x7fef307695cc]
/home/boggy/Work/simtrace2/host/src/.libs/simtrace2-cardem-pcsc(+0x3c6e) [0x55d2cea98c6e]
/lib/x86_64-linux-gnu/libusb-1.0.so.0(+0xe5f5) [0x7fef306be5f5]
/lib/x86_64-linux-gnu/libusb-1.0.so.0(+0xf104) [0x7fef306bf104]
/lib/x86_64-linux-gnu/libusb-1.0.so.0(+0xf661) [0x7fef306bf661]
/lib/x86_64-linux-gnu/libusb-1.0.so.0(+0x104ec) [0x7fef306c04ec]
/lib/x86_64-linux-gnu/libusb-1.0.so.0(libusb_handle_events_timeout_completed+0x208) [0x7fef306c1cd8]
/usr/local/lib/libosmousb.so.0(+0x274a) [0x7fef3073f74a]
/usr/local/lib/libosmocore.so.19(+0x12a5c) [0x7fef306f1a5c]
/usr/local/lib/libosmocore.so.19(+0x12b76) [0x7fef306f1b76]
/usr/local/lib/libosmocore.so.19(osmo_select_main+0x19) [0x7fef306f1b95]
/home/boggy/Work/simtrace2/host/src/.libs/simtrace2-cardem-pcsc(+0x2efd) [0x55d2cea97efd]
/lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7fef304afd90]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7fef304afe40]
/home/boggy/Work/simtrace2/host/src/.libs/simtrace2-cardem-pcsc(+0x2fc5) [0x55d2cea97fc5]
Aborted
// I would ignore trail of 0's. It's being displayed when the reader and card fail to transmit the GPO and is just a side effect not the main cause in my estimation
</pre></p>
<p>The general problem is that the simtrace software doesn't know about instruction 'a8', as this is one that's not used in SIM card communication. You will have to teach <a href="https://gitea.osmocom.org/sim-card/simtrace2/src/commit/e4503232eb49397894a93e11d6c3e37d5e9fc43b/host/lib/apdu_dispatch.c#L78" class="external">osmo_apdu_segment_in</a> about the specific instructions of your application (EMV). This is probably best done by creating an alternative card profile, similar to the <code>osim_uicc_sim_cic_profile</code> we currently use for SIM/UICC cards. You can find the source at <a class="external" href="https://gitea.osmocom.org/osmocom/libosmocore/src/branch/master/src/sim/class_tables.c">https://gitea.osmocom.org/osmocom/libosmocore/src/branch/master/src/sim/class_tables.c</a></p>
<p>What those tables do is tell the code which <em>APDU case</em> (see ISO 7816-4) is present for each combination of CLA+INS bytes. We need this to know the direction of transmission after the TPDU header.</p>
<p>Once you have created (and start using) a table for EMV, I would assume it should work just fine, judging from how far you get in your paste.</p>
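<p>To make the APDU-case lookup concrete, here is an added stand-alone C sketch (not simtrace2 or libosmocore code; the real <code>osim_cla_ins_card_profile</code> layout is not reproduced, and the table format, names and the choice of EMV rows are my own): it classifies the CLA/INS pairs from the paste above and derives from the case what a T=0 emulator must do after the 5-byte header.</p>

```c
#include <stddef.h>
#include <stdint.h>

/* ISO 7816-4 APDU cases; 0 is the "Unknown APDU case 0" cardem logged. */
enum apdu_case { CASE_UNKNOWN = 0, CASE_1, CASE_2, CASE_3, CASE_4 };

/* Hypothetical EMV profile row (own format, not libosmocore's). */
struct emv_cic { uint8_t cla; uint8_t ins; enum apdu_case acase; };

static const struct emv_cic emv_profile[] = {
	{ 0x00, 0xA4, CASE_4 }, /* SELECT: AID goes in, FCI comes back          */
	{ 0x00, 0xB2, CASE_2 }, /* READ RECORD                                  */
	{ 0x00, 0xC0, CASE_2 }, /* GET RESPONSE                                 */
	{ 0x00, 0x20, CASE_3 }, /* VERIFY                                       */
	{ 0x80, 0xA8, CASE_4 }, /* GET PROCESSING OPTIONS: PDOL data in, AIP/AFL out */
	{ 0x80, 0xAE, CASE_4 }, /* GENERATE AC                                  */
	{ 0x80, 0xCA, CASE_2 }, /* GET DATA                                     */
};

/* Exact CLA match for brevity; a real profile would apply a CLA mask. */
enum apdu_case emv_apdu_case(uint8_t cla, uint8_t ins)
{
	for (size_t i = 0; i < sizeof(emv_profile) / sizeof(emv_profile[0]); i++)
		if (emv_profile[i].cla == cla && emv_profile[i].ins == ins)
			return emv_profile[i].acase;
	return CASE_UNKNOWN;
}

/* What the emulator must do once the 5-byte T=0 header has arrived. */
enum t0_dir { T0_UNKNOWN = 0, T0_NO_DATA, T0_CARD_SENDS, T0_TERMINAL_SENDS };

/* P3 is Le (case 2, 0 meaning 256) or Lc (case 3/4); *len gets the byte count. */
enum t0_dir t0_after_header(const uint8_t hdr[5], unsigned *len)
{
	*len = 0;
	switch (emv_apdu_case(hdr[0], hdr[1])) {
	case CASE_1: return T0_NO_DATA;
	case CASE_2: *len = hdr[4] ? hdr[4] : 256; return T0_CARD_SENDS;
	case CASE_3:
	case CASE_4: *len = hdr[4]; return T0_TERMINAL_SENDS;
	default:     return T0_UNKNOWN; /* no table row: no direction can be chosen */
	}
}

/* Convenience wrapper: only the body length implied by the header. */
unsigned t0_body_len(const uint8_t hdr[5])
{
	unsigned n;
	t0_after_header(hdr, &n);
	return n;
}
```

<p>Fed the four headers from the paste (<code>00 a4 04 00 0e</code>, <code>00 c0 00 00 1c</code>, <code>00 b2 01 0c 00</code>, <code>80 a8 00 00 02</code>) this yields terminal-sends/14, card-sends/28, card-sends/256 and terminal-sends/2, matching the <code>pb_and_rx</code>/<code>pb_and_tx</code> calls in the log; a profile without the <code>80 a8</code> row lands in the <code>T0_UNKNOWN</code> branch, which is the situation the error line reports.</p>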
https://osmocom.org/issues/5600?journal_id=24322
2022-07-04T09:52:38Z
laforge
<p>additional note: You can just define your own <code>const struct osim_cla_ins_card_profile</code> in your application (the simtrace2 code right now?). This will avoid having to rebuild patch + libosmocore all the time during R&D.</p>
https://osmocom.org/issues/5600?journal_id=24422
2022-07-22T06:25:58Z
laforge
<p>I'm curious if you implemented that <em>card profile</em> telling the code how to handle the EMV APDU cases?</p>
https://osmocom.org/issues/5600?journal_id=25802
2022-12-14T12:26:33Z
anton123
<ul><li><strong>File</strong> <a href="/attachments/5779">funny.jpg</a> added</li></ul><p>laforge wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote>
<p>additional note: You can just define your own <code>const struct osim_cla_ins_card_profile</code> in your application (the simtrace2 code right now?). This will avoid having to rebuild patch + libosmocore all the time during R&D.</p>
</blockquote>
<p>laforge wrote in <a href="#note-4">#note-4</a>:</p>
<blockquote>
<p>I'm curious if you implemented that <em>card profile</em> telling the code how to handle the EMV APDU cases?</p>
</blockquote>
<p>Happy Holidays!</p>
<p>Seems I got stuck on the same problem as boggy123. Can you explain a bit more where and in which file I should add the EMV support? I will share any updates, please help. :-)</p>
<p>PS: any other pointers or advice is very welcome</p>
<p>thank you</p>
https://osmocom.org/issues/5600?journal_id=25803
2022-12-14T13:07:20Z
laforge
<p>anton123 wrote in <a href="#note-5">#note-5</a>:</p>
<blockquote>
<p>Seems I got stuck on the same problem as boggy123. Can you explain a bit more where and in which file I should add the EMV support? I will share any updates, please help. :-)</p>
</blockquote>
<p>I don't think I can be any more specific than the previous notes you commented on, sorry.</p>
<ol>
<li>in general, I would be surprised if EMV does T=0 (what simtrace implements) as normally it's all T=1. That's a completely different protocol requiring completely different state machines etc. in the firmware. Even for somebody knowing exactly what they do I'd say it's a couple of person-days of focused full-time work.</li>
<li><strong>only</strong> if you have evidence that your particular card is actually using T=0, you would have to define your own <code>const struct osim_cla_ins_card_profile</code> for the CMD/INS used in the EMV protocol.</li>
</ol>