@Yepoleb
Last active September 15, 2019 00:55

OTP Transaction Log

  • Card: Raiffeisen Debit Card from 2017
  • TAN generator: Gemalto CardTan
  • PIN: 00000
  • Generated TAN: 2879410
  • Standard: CAP-HHD

Unknown

?->? 80

Unknown meaning, seemingly random.

ATR (Answer to reset)

C->T 3bbf11008131fe45455041000000008381231900000000c9

ATR: 3B BF 11 00 81 31 FE 45 45 50 41 00 00 00 00 83 81 23 19 00 00 00 00 C9
+ TS = 3B --> Direct Convention
+ T0 = BF, Y(1): 1011, K: 15 (historical bytes)
  TA(1) = 11 --> Fi=372, Di=1, 372 cycles/ETU
    10752 bits/s at 4 MHz, fMax for Fi = 5 MHz => 13440 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
  TA(3) = FE --> IFSC: 254
  TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
+ Historical bytes: 45 50 41 00 00 00 00 83 81 23 19 00 00 00 00
  Category indicator byte: 45 (proprietary format)
+ TCK = C9 (correct checksum)

Change IFSD buffer

Change IFSD buffer size to 0xFE.

T->C 00c101 fe 3e

Acknowledged by the card.

C->T 00e101 fe 1e
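
The spaced groups in each log line match the ISO/IEC 7816-3 T=1 block layout: NAD, PCB and LEN, then the INF field, then a one-byte LRC. The following added example (not part of the original gist) parses such a block, verifies the LRC and classifies the PCB; the name `parse_t1_block` is made up for illustration, and the sample frames are copied from this log.

```python
# Added example, not the gist author's code. Field layout and PCB bit meanings
# follow ISO/IEC 7816-3 T=1; the LRC is used because the ATR selects no CRC.
S_TYPES = {0: "RESYNCH", 1: "IFS", 2: "ABORT", 3: "WTX"}

def parse_t1_block(frame_hex: str) -> dict:
    """Split one T=1 block into NAD/PCB/LEN/INF/EDC and verify the LRC."""
    raw = bytes.fromhex(frame_hex.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("a T=1 block is at least NAD, PCB, LEN, EDC")
    nad, pcb, length, inf, edc = raw[0], raw[1], raw[2], raw[3:-1], raw[-1]
    if len(inf) != length:
        raise ValueError(f"LEN says {length} bytes, INF has {len(inf)}")
    lrc = 0
    for byte in raw[:-1]:            # LRC = XOR of every byte before the EDC
        lrc ^= byte
    if lrc != edc:
        raise ValueError(f"LRC mismatch: computed {lrc:02x}, got {edc:02x}")
    block = {"nad": nad, "inf": inf.hex()}
    if (pcb & 0x80) == 0:            # I-block: carries APDU data
        block.update(kind="I", seq=(pcb >> 6) & 1, more=bool(pcb & 0x20))
    elif (pcb & 0xC0) == 0x80:       # R-block: acknowledgement / error report
        block.update(kind="R", seq=(pcb >> 4) & 1, error=pcb & 0x0F)
    else:                            # S-block: protocol control (IFS, WTX, ...)
        block.update(kind="S", response=bool(pcb & 0x20),
                     type=S_TYPES.get(pcb & 0x1F, "RFU"))
    return block

if __name__ == "__main__":
    for line in ("00c101 fe 3e", "00e101 fe 1e", "004008 80a8000002830000 e1"):
        print(line, "->", parse_t1_block(line))
```
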

Select Application

SELECT FILE by AID a0000000048002.

T->C 00000d 00a4040007a000000004800200 8c

SELECT FILE Response

C->T 000017 6f138407a0000000048002a50850064d43204341509000 d9

6f 13 File Control Information (FCI) Template
  84 07  Dedicated File (DF) Name
    a0000000048002
  a5 08 File Control Information (FCI) Proprietary Template
    50 06 Application Label
      4d4320434150 "MC CAP"
90 00 Status word SW1 SW2: command completed successfully

EB-Pin Entry and replay of everything above

After the EB-Pin is entered, the card is reset and everything is done again.

?->? 00
C->T 3bbf11008131fe45455041000000008381231900000000c9
T->C 00c101 fe 3e
C->T 00e101 fe 1e
T->C 00000d 00a4040007a000000004800200 8c
C->T 000017 6f138407a0000000048002a50850064d43204341509000 d9

Start new transaction

GET PROCESSING OPTIONS

T->C 004008 80a8000002830000 e1

80a8 GET PROCESSING OPTIONS
00 P1
00 P2
02 Lc (length of data)
8300 Data
00 Le

GET PROCESSING OPTIONS Response

C->T 00400e 770a820200009404180101009000 ab

77 0a Response Message Template Format 2
  82 02 Application Interchange Profile
    0000
  94 04 Application File Locator (AFL)
    18010100
90 00 Status word SW1 SW2: command completed successfully

Read Transaction Information

READ RECORD

T->C 000005 00b2011c00 aa

READ RECORD Response

C->T 00005a 70565a0a4682144119109281446f5f3401018e0a000000000000000000008c1b9f02069f03069f1a0295055f2a029a039c019f37049f35019f34038d0991088a0295059f37049f5501009f560b00007fffff0000000000009000 29

70 56 EMV Proprietary Template
  5a 0a Application Primary Account Number (PAN)
    4682144119109281446f (Card number in BCD, replaced by an example)
  5f34 01 Application Primary Account Number (PAN) Sequence Number
    01
  8e 0a Cardholder Verification Method (CVM) List
    00000000000000000000
  8c 1b Card Risk Management Data Object List 1 (CDOL1)
    9f02069f03069f1a0295055f2a029a039c019f37049f35019f3403
  8d 09 Card Risk Management Data Object List 2 (CDOL2)
    91088a0295059f3704
  9f55 01 Unknown Tag
    00
  9f56 0b TAN Bitmask
    00007fffff000000000000
90 00 Status word SW1 SW2: command completed successfully

CDOL1 Contents

9f02 06 Amount, Authorised (Numeric)
9f03 06 Amount, Other (Numeric)
9f1a 02 Terminal Country Code
95 05 Terminal Verification Results
5f2a 02 Transaction Currency Code
9a 03 Transaction Date
9c 01 Transaction Type
9f37 04 Unpredictable Number
9f35 01 Terminal Type
9f34 03 Cardholder Verification Method (CVM) Results

CDOL2 Contents

91 08 Issuer Authentication Data
8a 02 Authorisation Response Code
95 05 Terminal Verification Results
9f37 04 Unpredictable Number

Generate Signature

GENERATE AC for 99a4c7ec41e7235549133d6f5cf868676348f27eae4e022a645f8e5b263e8bda00

How this hash is computed is still unknown.

T->C 004027 80ae00002199a4c7ec41e7235549133d6f5cf868676348f27eae4e022a645f8e5b263e8bda0000 c5

AC Response

C->T 00403b 77379f2701009f3602002b9f2608efb20b35cad3c9649f10200fa502000000000000000000000000000f7e00000000000000000000000000009000 82

77 37 Response Message Template Format 2
  9f27 01 Cryptogram Information Data
    00
  9f36 02 Application Transaction Counter (ATC)
    002b
  9f26 08 Application Cryptogram
    efb20b35cad3c964
  9f10 20 Issuer Application Data
    0fa502000000000000000000000000000f7e0000000000000000000000000000
90 00 Status word SW1 SW2: command completed successfully

TAN Display

Pick the bits of the cryptogram data that are set in the TAN bitmask (tag 9f56) and convert the result to decimal.

00002befb20b35cad3c964
00007fffff000000000000

TAN: 2befb2 -> 2879410
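
The TAN derivation above, carried through in code as an added example (not part of the original gist): it decodes the READ RECORD and GENERATE AC responses from this log, takes the bitmask from tag 9f56 and applies it to 9f27 || 9f36 || 9f26. The function names are made up for illustration, and concatenating the selected bits MSB-first is an assumption that matches the TAN shown on the page.

```python
# Added example, not the gist author's code. TLV values are copied from the decode
# on this page; the masked input is 9f27 || 9f36 || 9f26 (the page's 00002bef... string).
READ_RECORD_RSP = bytes.fromhex(
    "7056" "5a0a4682144119109281446f" "5f340101" "8e0a" + "00" * 10
    + "8c1b9f02069f03069f1a0295055f2a029a039c019f37049f35019f3403"
    "8d0991088a0295059f3704" "9f550100" "9f560b00007fffff" + "00" * 6 + "9000")
GENERATE_AC_RSP = bytes.fromhex(
    "7737" "9f270100" "9f3602002b" "9f2608efb20b35cad3c964"
    "9f1020" "0fa502" + "00" * 13 + "0f7e" + "00" * 14 + "9000")

def parse_tlv(data: bytes) -> dict:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed tags."""
    fields, i = {}, 0
    while i < len(data):
        start, i = i, i + 1
        if data[start] & 0x1F == 0x1F:       # tag continues in following bytes
            while data[i] & 0x80:
                i += 1
            i += 1
        tag, length, i = data[start:i], data[i], i + 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        if len(value) != length:
            raise ValueError(f"tag {tag.hex()} is truncated")
        fields.update(parse_tlv(value) if tag[0] & 0x20 else {tag.hex(): value})
    return fields

def response_fields(rsp: bytes) -> dict:
    if rsp[-2:] != b"\x90\x00":              # trailing SW1 SW2 must be 9000
        raise ValueError(f"card returned status {rsp[-2:].hex()}")
    return parse_tlv(rsp[:-2])

def select_bits(data: bytes, mask: bytes) -> int:
    if len(data) != len(mask):
        raise ValueError("data and bitmask must have the same length")
    picked = 0                               # selected bits, concatenated MSB first
    for d, m in zip(data, mask):
        for bit in range(7, -1, -1):
            if (m >> bit) & 1:
                picked = (picked << 1) | ((d >> bit) & 1)
    return picked

def derive_tan(read_record_rsp: bytes, generate_ac_rsp: bytes) -> int:
    ac = response_fields(generate_ac_rsp)
    mask = response_fields(read_record_rsp)["9f56"]
    return select_bits(ac["9f27"] + ac["9f36"] + ac["9f26"], mask)
print(derive_tan(READ_RECORD_RSP, GENERATE_AC_RSP))  # 2879410
```

With this mask only the low 7 bits of the ATC and the first two bytes of the Application Cryptogram reach the display.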

What I know so far about the hash value

  • It's 256bit + 00, I could not confirm my guess of SHA256
  • The value is always the same for the same input, no counter or random value gets introduced, only constants.
  • The value does not even change between different cards.

Documentation for similar Standards
