GPShell

# vyber modu, muzes mit mode_201 nebo mode_211
mode_211
# nektere karty specifickym zpusobem krypli protokol, pokud autentizace neprobehne, zkus odkomentovat dalsi radek
# gemXpressoPro
enable_trace
establish_context
card_connect
# vyber card manageru - myslim ze tvoje karta bude mit A000000018434D00
# dalsi bezne moznosti jsou: A000000018434D a000000003000000
select -AID A000000018434D00
 
# autentizace a derivovani klicu sezeni - verze pro staticke klice
# prepinac security urcuje uroven kanalu: 0 nic, 1 integrita, 3 sifrovani i integrita
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
 
# autentizace a derivovani klicu sezeni - verze pro jeden mother key
#open_sc -security 1 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45
 
# ted bys mel mit kanal, muzes si treba vypsat obsah karty
get_status -element 40
 
# enbo smazat predchozi applet a nahrat novy. Nejdriv se maze instance appletu, pak package, ze keterho se instance dela (opacne nefunguje)
delete -AID 6D7970616330303031
delete -AID 6D797061636B616731
 
# a nainstalujes novy. Pozor. *.cap je konvertovany applet z puvodniho *.jar. Muzes se jeste setkat s koncovkou jar (ale konvertovanym), *.ijc
# (konvertovany) nebo *.sap (pro Gemalto simultor, nelze nakartu)
# -AID je aid apletu, -pkgAID je aid pro package daneho appletu
#  -nvDataLimit 8000 je omezeni, kolik applet potrebuje datoveho uloziste v bajtech na karte, -priv dava data pri instalci appletu (jde
# do konstruktoru, je to tvoje vec, muzes si tam treba svoje davat seriove cislo pro danou kartu nebo klice)
install -file AlgTest.cap -priv 00 -nvDataLimit 8000 -AID 6D7970616330303031 -pkgAID 6D797061636B616731
 
#odpojeni, konec
card_disconnect
release_context

Oberthur CosmoV7

mode_211 // NOTE: must be mode_211 mode, otherwise will fail with 0x6a88 during put_sc_key (although everything else will stay same)
enable_trace
establish_context
card_connect
 
# CM is already pre-selected on Oberthur Cosmo v7 card, so select is not necessary
select -AID A0000001510000
 
open_sc -security 0 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel 
#open_sc -security 3 -keyind 0 -keyver 3 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel 
#open_sc -security 3 -keyind 0 -keyver 0 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f // Open secure channel 
 
# put new keyset version 2 (NOTE: if this is first time a new keyset is created, then default keyset (-keyind 0 -keyver 0) will be replaced). Newly created keyset can be used for authentication both with (-keyind 0 -keyver 0) and (-keyind 0 -keyver 2)
#put_sc_key -keyver 0 -newkeyver 2 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
 
# put another new keyset version 3 
#put_sc_key -keyver 0 -newkeyver 3 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
 
# replace keys in keyset version 2 (NOTE: must use -keyver instead of -newkeyver)
#put_sc_key -keyver 1 -keyver 2 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
 
get_status -element 80
 
card_disconnect
release_context
 
 
# The problem: When trying to modify default keyset on Oberthur Cosmo v7 card, PUT KEY (put_sc_key in GPShell) command fail with 0x6a88 (REFFERENCE_DATA_NOT_FOUND)
# Solution: 
# 1. Correct secure channel version must be used. Although Oberthur supports both SCP01 and SCP02, SCP02 must be used, otherwise command will fail.
#      mode_211
# 2. Mode of secure channel is not important (will work with open_sc -security = 0, 1 and 3)
# 3. Put new keys into newly created keyset version 2. NOTE: if this is first time a new keyset is created, then default keyset (-keyind 0 -keyver 0) will be replaced). Newly created keyset can be used for authentication both with (-keyind 0 -keyver 0) and (-keyind 0 -keyver 2)
#      put_sc_key -keyver 0 -newkeyver 2 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
# 4. Old default keys should not work (next command will fail)
#     open_sc -security 0 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
# 5. Authentication with new keys should work.  Both (open_sc -keyind 0 -keyver 0) and (open_sc open_sc -keyind 0 -keyver 2) should work at this moment
#     open_sc -security 3 -keyind 0 -keyver 0 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
#     open_sc -security 3 -keyind 0 -keyver 2 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
# 6. You can change replace already inserted keys by 
#     put_sc_key -keyver 1 -keyver 2 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f