flexSecure Java Card basics / app install

Hello everyone.

I purchased a flexSecure Java Card and am starting to set it up before actually implanting it. I know it can be bricked so I am looking for advice and to make sure I am doing things correctly.

I am using a generic ACR122U USB device on Fedora 37.

I had issues with the ACR122U drivers and blacklisted the following kernel modules via an /etc/modprobe.d entry:

blacklist nfc
blacklist pn533
blacklist pn533_usb

install nfc /bin/false
install pn533 /bin/false
install pn533_usb /bin/false

I followed the instructions listed in DangerousThings/flexsecure-applets dev setup instructions

I installed the following Fedora equivalents based on these docs. I had to add pcsc-lite-devel and swig as prerequisites for pyscard. Else the pip command would fail.

sudo dnf install ant java-1.8.0-openjdk opensc pcsc-tools pcsc-lite-devel swig
pip3 install pyscard

I did not set up the virtual scard as per the above instructions.

Next I went and downloaded the latest GlobalPlatformPro release (v20.08.12) jar

I placed my flexSecure Java Card on the ACR122U.

I then navigated to my downloads folder and ran this command:

java -jar gp.jar -info

I sadly didn’t save the output but it said something like smartcard required but no smartcard found

I don’t want to brick my device and realized that I am not confident enough to proceed without advice. I never entered the default key for the flexSecure Java Card anywhere.

My questions are:

  1. How am I doing? (I assume I have not bricked my flexSecure Java Card)
  2. How do I proceed from here? I am aiming to install one or more applets.

I would be glad to write a Fedora guide but I want to have a working process first.

Thanks.

I am really excited about the user controlled version of this chip and am excited to get it set up.


@StarGate01 is probably your best source of help

GPP uses the factory (40…4F) key if you don’t specify one, so you’re safe on that front. Is the ACR122U registering a read (green led and beep) when you place the tag?

@scorpion No. It stays red.

@mholiv

(1) The document you linked (flexsecure-applets/3-dev-setup.md at master · DangerousThings/flexsecure-applets · GitHub) is only needed if you want to compile code into applets by yourself. To deploy prebuilt binaries (e.g. those from Releases · DangerousThings/flexsecure-applets · GitHub), you only need to install GlobalPlatformPro (GitHub - martinpaljak/GlobalPlatformPro: 🌐 🔐 Manage applets and keys on JavaCard-s like a pro (via command line or from your Java project))

(2) The GPP info command (java -jar gp.jar -info) does not perform any kind of authentication and can always be used, and won’t brick your chip. GPP will use the key preinstalled in the flexSecure by default for any commands which require authentication (e.g. applet install, see flexsecure-applets/docs/applets at master · DangerousThings/flexsecure-applets · GitHub for details).

(3) Achieving a good connection with a reader while the flexSecure or Apex is still in its sterile packaging is hard. You can use the command pcsc_scan in your terminal to get live feedback once the chip is properly coupled.


@StarGate01

Got it. Any advice on getting it to couple while in the sterile bag? I at least want to make sure it works before having it implanted

Testing while the chip is still in the bag is reasonable and I recommend doing that.

Make sure that the overlapping area between the coils of the chip antenna and the reader antenna is maximised - i.e. place the chip parallel to the edge of the reader on the perimeter. Think where the edge of a plastic card would be if you placed it on the reader. Try to move it around and monitor the output of pcsc_scan.

@StarGate01

So some progress may or may not have been made, but I am still running into issues.

Here is what I did.

  1. Downloaded v0.16.2 of the SmartPGPApplet-default.cap from Releases · DangerousThings/flexsecure-applets · GitHub
  2. Downloaded the GlobalPlatformPro v20.01.23-0-g5ad373b jar
  3. Ran this command java -jar gp.jar -install SmartPGPApplet-default.cap -create D276000124010304C0FE000000010000

Issue is that I get some sort of timeout error. It takes a few min to actually time out though.

java -jar gp.jar -install SmartPGPApplet-default.cap -create D276000124010304C0FE000000010000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
Failed to communicate with card in JnaCardTerminal{scardHandle=SCardContext{43b6190c}, name=ACS ACR122U PICC Interface 00 00}: SCARD_E_NOT_TRANSACTED

When I try to list the packages I get this:

java -jar gp.jar --list
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (OP_READY)
     Parent:  A000000151000000
     From:    A0000001515350
     Privs:   SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

PKG: A0000001515350 (LOADED)
     Parent:  A000000151000000
     Version: -1.-1
     Applet:  A000000151535041

The card does show up in pcsc_scan

Tue Jan 17 14:33:46 2023
 Reader 0: ACS ACR122U PICC Interface 00 00
  Event number: 13
  Card state: Card inserted, 
  ATR: 3B 8D 80 01 00 31 C1 73 C8 40 00 52 A5 10 00 90 00 70

ATR: 3B 8D 80 01 00 31 C1 73 C8 40 00 52 A5 10 00 90 00 70
+ TS = 3B --> Direct Convention
+ T0 = 8D, Y(1): 1000, K: 13 (historical bytes)
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 
-----
  TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1 
-----
+ Historical bytes: 00 31 C1 73 C8 40 00 52 A5 10 00 90 00
  Category indicator byte: 00 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: C1
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card without MF
    Tag: 7, len: 3 (card capabilities)
      Selection methods: C8
        - DF selection by full DF name
        - DF selection by partial DF name
        - Implicit DF selection
      Data coding byte: 40
        - Behaviour of write functions: write OR
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 1
      Command chaining, length fields and logical channels: 00
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 1
    Tag: 5, len: 2 (card issuer's data)
      Card issuer data: A5 10
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)
+ TCK = 70 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
        NONE

Updating /home/user/.cache/smartcard_list.txt using http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

Possibly identified card (using /home/user/.cache/smartcard_list.txt):
        NONE

Your card is not present in the database.
Please submit your unknown card at:
https://smartcard-atr.apdu.fr/parse?ATR=3B8D80010031C173C8400052A51000900070

Am I doing something wrong?

If the --list command works, you did everything properly.

Transacting large binaries takes a few seconds during which the connection must not be broken. I suspect the NFC connection is a bit flaky due to chip position / packaging.
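
An added example, not part of the original posts or of GlobalPlatformPro: because a large CAP transfer must not be interrupted, this shell sketch waits for several consecutive successful `gp.jar -info` probes before starting the install. The function names, the environment variables and the assumption that `-info` exits non-zero when the card is unreachable are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate a long applet install on a stable NFC coupling.

# wait_stable REQUIRED MAX_ATTEMPTS DELAY PROBE...
# Runs PROBE repeatedly. Returns 0 once it has succeeded REQUIRED times in a
# row, or 1 if MAX_ATTEMPTS probes were used up first.
wait_stable() {
    required=$1; max_attempts=$2; delay=$3; shift 3
    streak=0; attempt=0
    while [ "$attempt" -lt "$max_attempts" ]; do
        attempt=$((attempt + 1))
        if "$@" >/dev/null 2>&1; then
            streak=$((streak + 1))
        else
            streak=0    # any dropout resets the count
        fi
        printf 'probe %d/%d: streak %d/%d\n' \
            "$attempt" "$max_attempts" "$streak" "$required" >&2
        [ "$streak" -ge "$required" ] && return 0
        sleep "$delay"
    done
    return 1
}

# Probe with -info: per the thread it performs no authentication, so
# repeating it never presents a key to the card.
# Assumption: gp.jar exits non-zero when it cannot reach the card.
probe_card() {
    java -jar "${GP_JAR:-gp.jar}" -info
}

# install_when_stable CAP_FILE CREATE_AID
# Starts the install only after the coupling has held for several probes.
install_when_stable() {
    cap=$1; aid=$2
    if wait_stable "${STABLE_PROBES:-5}" "${MAX_PROBES:-120}" \
                   "${PROBE_DELAY:-1}" probe_card; then
        java -jar "${GP_JAR:-gp.jar}" -install "$cap" -create "$aid"
    else
        echo "coupling never stabilised; reposition the chip and retry" >&2
        return 1
    fi
}

# Usage, with the file and AID from the post above:
# install_when_stable SmartPGPApplet-default.cap D276000124010304C0FE000000010000
```

A passing probe streak only shows the position is good at that moment, so keep the chip and reader still until the install command returns.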

@StarGate01

Ok so far so good. I basically spammed trying to install openjavacard-ndef-tiny.cap until I found a spot where it spontaneously worked. Without moving anything I tried again to install SmartPGPApplet-default.cap this time it installed successfully. I just had to be persistent.

Once the flexSecure is out of the packaging and into me, it should be better/connect more reliably, right?

Depends on your install location, and on your reader. I have been using small readers with more success than large ones.

Example: Digital Logic Ltd. | DL533R USB Reader PC/SC Reader Writer

The smaller antenna couples well to the flex formfactor. On the credit-card sized ones, I use the bottom edge of the reader.

That makes sense. Do you have a recommended location?

Imagine placing your left arm on your desk with the thumb facing up and the pinky against the desk. My plan was to have the chip implanted in the part of the lower forearm touching the desk.

The idea was that I could just rest my arm on a reader.

Does this seem reasonable? Is there a better location you recommend?

Location really comes down to your preferences. I implanted mine on the top of the wrist due to medical concerns: Install Videos and Pictures 🩸 - #269 by StarGate01 .

I usually place the small reader on my hand or hold my wrist to my phone, but I plan to 3D-print a small fixture for the reader.

@StarGate01

Ok! Chip implanted and working great! Installed the SmartPGP applet, transferred some keys and things are going well.

I am now looking for a second reader and was considering the Digital Logic Ltd. | DL533R USB Reader PC/SC Reader Writer you recommended earlier.

Do you know if it supports Linux well?

Thanks for all of your help here. I am just excited about user controlled implants. :slight_smile:


Yes Linux support is great, I use it regularly.

The DL533R is literally “just” the reference design AN11064 by NXP for the NXP PR533 chip, which is supported by the pcsc-lite included CCID drivers - see the matrix and search for PR533 - it is listed as “should work”, which it does.

Be advised that Digital Logic ships from Serbia, so you might have to pay for taxes and shipping.


@StarGate01

Ahh cool. Thanks. Hopefully it won’t be too bad to Germany. I am considering just whipping up my own implementation / board layout. That reference design looks simple enough… Only issue is that it dabbles with the black art of wireless communications and I lack the education to know how any layout changes would possibly affect things.

That being said a flexible PCB would be PERFECT here. :thinking:

I am based in Germany as well - no problems with shipping.

The PR533 chip is very hard to buy nowadays. @Satur9 is working on a custom reader design, maybe you could team up.

I know the dark arts. If you’re willing to do the legwork on the design I can definitely advise. I have a lot of experience with flex PCBs and NFC/RFID

I’d even be willing to put in some money. You can expect 150-250USD per order on flex PCBs. Might be wise to do a couple revisions in rigid first.

Sorry to derail a bit, but @StarGate01, mind sending/sharing a video or two (either pm, or on another thread) on what you do with this? I have one, and I’m still clueless on what to use it for. So far I have only been able to scan my xM1 with it.

I originally bought it because I thought it would be like a kbr1, but doesn’t seem like it. :confused:

It’s a PCSC reader. It doesn’t spit out a UID like a keyboard wedge. You need to send commands with software.