1, take a random number
00 84 00 00 04
2, External certification
00 82 00 00 08 plus 8 bytes of encrypted random number
3, delete all files in the MF directory
80 0E 00 00 00
4, Select MF directory
00 A4 00 00 00
5. Create a key file:
80 E0 00 00 07 3F 00 50 01 F0 FF FF
File ID: 00 00
File Space: 00 50
File Short ID: 01
Increase Permission: F0
6, Add line protection key
80 D4 01 00 0D 36 F0 F0 FF 33 FF FF FF FF FF FF FF FF
36: File Line Protection Key
7, Add external authentication key
80 D4 01 00 15 39 F0 F0 AA 33 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
80 D4 01 00 0D 39 F0 F0 AA 55 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 8 bytes
(There is a problem with this command, still use a 4-byte key)
80 D4 01 00 0D 39 F0 F0 AA 55 FF FF FF FF FF FF FF FF
8. Create a fixed-length record file
80 E0 00 01 07 2A 02 13 F0 00 FF FF
File ID: 00 01
File Space: 02 13
9, Create the 05 file in the MF directory
80 E0 00 05 07 A8 00 30 F0 F0 FF FF
Send command: 80E0000507A80030F0F0FFFF
Command reply: 9000 (success)
Command description: 80 (CLA) E0 (INS) 0005 (P1P2 file ID) 07 (Lc) A8 (binary file 28–>A8) 0030 (file space) F0 (read permission) ) F0 (write permission) FF (default) FF (default)
Note: 28–>A8 28=00101000 The high bit changes to 1, namely: 10101000=A8 (plaintext + MAC check)
Note: This step can be omitted.
10, add file record
00 E2 00 08 13 61 11 4F 09 A0 00 00 00 03 86 98 07 01 50 04 50 42 4F 43
08 means: current file
13: hexadecimal, indicating the length of the following data, the latter data is the content of the added record
61114F09A00000000386980701500450424F43 The
recorded information content is the directory name and the ASC code of PBOC
Note : This is a record in TLV format , 61-11:(4F-09:A00000000386980701);50-04:(50424F43)
A00000000386980701 is the directory name
50424F43 is the ASC code of PBOC
11, Create 3F01 file
80 E0 3F 01 11 38 03 6F F0 F0 95 FF FF A0 00 00 00 03 86 98 07 01
Instruction description: 80 (CLA) E0 (INS) 3F01 (P1 P2 file identification) 11 (Lc) 38 (file type (directory file)) 036F (file space) F0 (establish authority) F0 (erase authority) 95 (application File ID) FFFF (Reserved Field) A00000000386980701 (DF Name AID)
12, select 3F01 file
00 A4 04 00 09 A0 00 00 00 03 86 98 07 01
00 A4 00 00 02 3F 01
The DF file has just been created above, and this command must be executed to open it
13, create a key file
80 E0 00 00 07 3F 01 8F 95 F0 FF FF
3F key file
018F file space (byte)
95 short identifier
F0 increase permission
14, Internal key load TAC key:
80 D4 01 00 15 34 F0 02 00 01 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34
15, Line protection key
80 D4 01 00 15 36 F0 02 FF 33 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36
36: File Line Protection Key
16, password unlock key
80 D4 01 00 15 37 F0 02 FF 33 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37
17, password reinstall key
80 D4 01 00 15 38 F0 02 FF 33 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38
18, external authentication key
80 D4 01 00 15 39 F0 02 44 33 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39
19, consumption key
80 D4 01 01 15 3E F0 02 00 01 3E 01 3E 01 3E 01 3E 01 3E 01 3E 01 3E 01 3E 01
20, consumption key consumption key 02
80 D4 01 02 15 3E F0 02 00 01 3E 02 3E 02 3E 02 3E 02 3E 02 3E 02 3E 02 3E 02
21, Load key Load key 01
80 D4 01 01 15 3F F0 02 00 01 3F 01 3F 01 3F 01 3F 01 3F 01 3F 01 3F 01 3F 01
22, transfer key transfer key 02
80 D4 01 02 15 3F F0 02 00 01 3F 02 3F 02 3F 02 3F 02 3F 02 3F 02 3F 02 3F 02
23, Circle the key ring to extract the key 01
80 D4 01 01 15 3D F0 02 01 00 3D 01 3D 01 3D 01 3D 01 3D 01 3D 01 3D 01 3D 01
24, Circle the key ring to extract the key 02
80 D4 01 02 15 3D F0 02 01 00 3D 02 3D 02 3D 02 3D 02 3D 02 3D 02 3D 02 3D 02
25, Modify the overdraft limit key to add and modify the overdraft limit key 01
80 D4 01 01 15 3C F0 02 01 00 3C 01 3C 01 3C 01 3C 01 3C 01 3C 01 3C 01 3C 01
26, Modify the overdraft limit key to add and modify the overdraft limit key 02
80 D4 01 02 15 3C F0 02 01 00 3C 02 3C 02 3C 02 3C 02 3C 02 3C 02 3C 02 3C 02
27, Password (PIN)
80 D4 01 00 0D 3A F0 EF 01 33 12 34 5F FF FF FF FF FF FF
28, Create file No. 15 (binary file) to create a binary file (circuit protection read and write)
80 E0 00 15 07 A8 00 1E F0 F0 FF FF
Instruction description: 80 (CLA) E0 (INS) 0015 (P1 P2 file identification) 07 (Lc) A8 (plaintext MAC 28 (binary file high bit changes to 1) –> A8) 001E (file space) F0 (read permission) F0 ( Increase permission) FF (default FF) FF (default FF)
Note: 28–>A8 28=00101000 The high bit changes to 1, namely: 10101000=A8 (plaintext + MAC check)
29, create file 16 (binary file)
80 E0 00 16 07 A8 00 27 F0 F0 FF FF
30, Create file 17 (binary file)
80 E0 00 17 07 28 05 DC F0 F0 FF FF
31, Create file No. 18 (cycle file)
80 E0 00 18 07 2E 0A 17 F0 EF FF FF
0A 17 is the file space
F0 is the read permission
EF is the write permission
32. Create wallet file (electronic passbook)
80 E0 00 01 07 2F 02 08 F1 00 FF 18
Instruction description: 80 (CLA) E0 (INS) 0001 (P1 P2 file identification) 07 (Lc) 2F (PBOC ED/EP) 0208 (default 0208) F1 (use right) 00 (reserved 00) FF (default FF) 18 (Short ID of transaction details file)
33. Create wallet file (electronic wallet)
80 E0 00 02 07 2F 02 08 F0 00 FF 18
Command reply: 9000 (successfully created)
Command description: 80 (CLA) E0 (INS) 0002 (P1 P2 file identification) 07 (Lc) 2F (PBOC ED/EP) 0208 (default 0208) F0 (use right) 00 (reserved) 00) FF (default FF) 18 (short identification of transaction details file)
Reference:
"cpu card psam card"
"PBOC CPU card FM1208 card issuing instruction explanation.pdf"
MAC calculation:
15 EF file writing
select MF
send instructions: 00A40000023F00
instruction responding: 6f15840e315041592e5359532e4444463031a5038801019000
Select EF
send instructions: 00A4040009A00000000386980701
instruction responding: 6f328409a00000000386980701a5259f0801029f0c1e0000000000000000000000000000000000000000000000000000000000009000
take random
send instructions: 0084000004
instruction responding: a3bbcfc89000
MAC calculation by writing
to compute a MAC search mode by Baidu PBOC MAC calculation tool
data source: 04D6950022000122000001FFFF01010000220000000000000620160101205012310000
initial vector: a3bbcfc800000000 (random number +00000000)
key: 36363636363636363636363636363636 (each line in the file protection key)
results: 96E32EF1
transmission instruction: 04D6950022000122000001FFFF0101000022000000000000062016010120501231000096E32EF1 (instruction + MAC)
instruction reply: 9000 ( Added successfully)
Instruction description: 04 (CLA) D6 (INS) 95 (file identification) 00 (write data offset) 22 (Lc Date+Mac) 000122000001FFFF01010000220000000000000620160101205012310000 (Data is written according to the situation, can be freely defined) 96E32EF1 (MAC)
MAC calculation As shown below:
The MAC calculation is as follows:
密钥:36363636363636363636363636363636
初始向量:A3BBCFC800000000
数据:04D6950022000122000001FFFF01010000220000000000000620160101205012310000
MAC计算结果:96E32EF1F26E6428
Writing of data (binary data, record data)
05 file write under MF
Select MF
send instructions: 00A40000023F00
instruction responding: 6f15840e315041592e5359532e4444463031a5038801019000
take random
send instructions: 0084000004
instruction responding: 88bbe4e39000
by writing data to compute a MAC
calculated MAC Tools may be calculated by searching Baidu PBOC MAC
Data Source: 04D6850034000122000001FFFF22000000000000060001201610280000000000010001000000000000000000000000000020501231
initial vector: 88bbe4e300000000 (random number + 00000000)
key: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (each line in the file protection key)
results: AE8D8774
transmission instruction: 04D6850034000122000001FFFF22000000000000060001201610280000000000010001000000000000000000000000000020501231AE8D8774 (instruction + MAC)
instruction reply: 9000 (added successfully)
Instruction Description: 04 (CLA) D6 (INS ) 85 ( File ID) 00 (write data offset) 34 (Lc Data + MAC) 000122000001FFFF22000000000000060001201610280000000000010001000000000000000000000000000020501231 (Data written according to circumstances, can define) AE8D8774 (the MAC)
the MAC calculation As shown below:
密钥:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
初始向量:88BBE4E300000000
处理数据:04D6850034000122000001FFFF22000000000000060001201610280000000000010001000000000000000000000000000020501231
计算MAC:AE8D87749035B013