Dec 2 2011

Cracking “Rav-Kav” (Part I)

Yesterday at the university, I’ve got my brand new “Rav-Kav” (רב-קו) card. I was really happy when I discovered that mine was one of those “smart card with the golden chip on it”. Because I’ve got a software on my computer at home, that uses smart-card as a dongle, therefore, I’ve got a smart-card reader back at home.

Rav-Kav card

My first task, was to find out how to communicate with the smart-card. A quick google search and I’ve found the wonderful python module pyscard which allows me to send and receive APDU commands to/from the smart card. My second task was to read a bit about smart cards, and the commands they use. Again, google came up handy, and I’ve found the following site which describing more-or-less every command and response you are likely to get from the little shiny card.

The first thing you need to understand, A smart-card is not a flash drive! A smart-card is a microprocessor, It has it’s own operating system, and it communicates with the device using it (my computer for example) using the T=0 protocol. Meaning: You can’t read and write whatever you want into it.

For those of you who reads this article only to get “free rides”: No, I don’t believe I’ll be able to add “free rides” to my “Rav-Kav” card, because those things are usually very protected (and even if I could, it will be illegal to use it and sharing the information), but it’s quite interesting to check what kind of information is stored in this little piece.

When I plugged the card and connected to it, the ATR was: “3B 6F 00 00 80 5A 0A 07 06 20 04 2C 02 63 EE FF 82 90 00”. But I’m not sure if that means anything….

The first thing I tried was to map all the command classes available for this card.
I’ve scanned the classes simply by trying a random command in all the possible classes (256 possibilities), and ignored all the classes that returned “0x6e – Class not supported“. I’ve found out that the only available classes are 0x80, 0x94. And that all the interesting commands shown on chapter 6 can be found on the 0x94 class.

The next thing I did was to “brute force” the file-system under the master-file using the SELECT command. And I got the following list:

0x0002
0x0003
0x2000
0x2001
0x2004
0x2010
0x2020
0x202a
0x202b
0x202c
0x202d
0x2030
0x2040
0x2050
0x2069
0x206a
0x20f0
0x2100
0x2101
0x2104
0x2110
0x2120
0x2140
0x2150
0x2169
0x21f0
0x2f10
0x3f04
0xfeff

I’m not sure yet which one of those is an EF (normal file) and which one if a DF (a directory). But I’ll find those out next time. Stay tuned.


Nov 11 2011

Happy HDLC Day!

011.11.110

Today is the HDLC day!

For those of you who doesn’t know, the frame delimiter in HDLC is the bit sequence 01111110.

(Thanks to Yoni Ho)


Oct 3 2011

Hello world!

/* HelloWorld.c */
#include <stdio.h>

int main(int argc, char** argv)
{
 printf("Hello World!");
 return 0;
}
; HelloWorld.asm
section .text
 push dword len
 push dword msg
 push dword 1
 mov eax,0x4
 int 0x80

section .data

msg db "Hello World!",0xa
len equ $ - msg