CoreNFC ISO7816 card manager select not allowed

Hello,


I have a fully working application with CoreNFC, communicating over ISO7816 with my JavaCard applet, and everything works fine here. I select the AID of the applet, send APDUs, receive responses.


The problem is I want to be able to update my applet later in time via the iPhone itself. For this I need to select the special pre-installed CardManager applet with AID "a000000003000000" (hex-coded). If I add this AID to the com.apple.developer.nfc.readersession.iso7816.select-identifiers array it does not work - the empty card is not picked up by the NFC session even though the CardManager applet is present (GlobalPlatformPro shows the applet with this AID as installed on the card).


So I go another way - I preinstall a small placeholder applet on the card and put its AID in the Info.plist. This works, the card is picked up by the NFC session and I can start sending custom APDUs.


If I send a SELECT APDU with the card manager AID, "00a4040008a000000003000000", the system returns the error "Error: Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement}".


Other SELECTs work, but CardManager seems to be somehow protected.


The question is, can I somehow get access to the CardManager applet to install a new applet version? Or can I somehow add this entitlement to the app?


Thanks a lot!

Accepted Reply

Have you tried listing both AIDs?


It has been stated that certain AIDs are protected / blocked (essentially the ones you'd need to speak with broadly deployed payment cards' EMV payment applets).


In case they have for some reason protected the AID of the card manager, you might try changing the card manager instance AID. That's often a proprietary card-type specific function, and in some cases can only be done during prepersonalization, but you may have luck that way.

Replies

Hi! Thanks for the response!

I've tried to list all AIDs, but without success.


But thanks for the advice on changing the applet manager AID, I will give it a try!

Hi!


The solution you suggested works well!


We changed the Card Manager AID with GPPro:

gp2 -rename-isd 112233445566


Then after adding "112233445566" to the Info.plist the app was able to do the select, i.e., "00a4040006112233445566" and the card responded with 0x9000 and the select data! So we were able to initiate the secure channel with the card manager.


We still haven't tested the whole applet upload procedure, as we haven't implemented it yet, but it seems this will work!


Thanks again!


Regards,


Dusan
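
The SELECT commands quoted in this thread, taken apart byte by byte, as an added example that is not part of any post here. The function names and the sample response are constructed for illustration; only the two AIDs and the 0x9000 status word come from the thread.

```python
# Added example: the SELECT-by-AID APDUs quoted in the thread, encoded and decoded.
# Function names and SAMPLE_RESPONSE are constructed for illustration.

SW_SUCCESS = 0x9000  # status word the card returned in the thread


def build_select(aid_hex: str) -> str:
    """Return the short-form SELECT (by DF name) command APDU for an AID."""
    aid = bytes.fromhex(aid_hex)
    if not 5 <= len(aid) <= 16:  # AID length limits from ISO/IEC 7816-4
        raise ValueError(f"AID must be 5..16 bytes, got {len(aid)}")
    # CLA=00, INS=A4 (SELECT), P1=04 (select by DF name), P2=00, Lc=len(AID)
    return (bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid).hex()


def parse_select(apdu_hex: str) -> dict:
    """Decode a short-form SELECT-by-AID APDU, rejecting inconsistent lengths."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5:
        raise ValueError("APDU shorter than header + Lc")
    cla, ins, p1, p2, lc = apdu[:5]
    if (ins, p1) != (0xA4, 0x04):
        raise ValueError("not a SELECT by DF name")
    body = apdu[5:]
    if len(body) not in (lc, lc + 1):  # an optional Le byte may follow the AID
        raise ValueError("Lc does not match the data field length")
    le = body[lc] if len(body) == lc + 1 else None
    return {"cla": cla, "p2": p2, "aid": body[:lc].hex(), "le": le}


def split_response(resp_hex: str) -> tuple:
    """Split a response APDU into (data hex, status word)."""
    resp = bytes.fromhex(resp_hex)
    if len(resp) < 2:
        raise ValueError("response must end with SW1 SW2")
    return resp[:-2].hex(), int.from_bytes(resp[-2:], "big")


# Constructed response: FCI template (6F) holding only the DF name (84), then SW 9000.
SAMPLE_RESPONSE = "6f088406112233445566" + "9000"

if __name__ == "__main__":
    for aid in ("a000000003000000", "112233445566"):  # both AIDs from the thread
        print(aid, "->", build_select(aid))
    data, sw = split_response(SAMPLE_RESPONSE)
    print("data:", data, "ok:", sw == SW_SUCCESS)
```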

Hi Dusan,


Good to know that you managed to make it work with an ISO7816 tag.


I am also exploring how to handle a Java-based applet.


Do you mind sharing more details about what kind of application that is and which APDUs you managed to execute?


It would be great if you could share the code snippets or the application itself.


Cheers 🙂

For those looking for examples of communicating with complex applets on a card, no different from javacard applet flows, look at:


https://github.com/AndyQ/NFCPassportReader