# Purpose: connect to a card, authenticate to its card manager with static keys,
# list the card contents, delete a previously loaded applet instance and its
# package, then load and install AlgTest.cap.
#
# Select the mode; it can be mode_201 or mode_211.
mode_211
# Some cards deviate from the protocol in a card-specific way; if authentication does not succeed, try uncommenting the next line.
# gemXpressoPro
enable_trace
establish_context
card_connect
# Select the card manager - the author expects this card to use A000000018434D00.
# Other common values are: A000000018434D a000000003000000
select -AID A000000018434D00
# Authenticate and derive the session keys - variant for static keys.
# The -security switch sets the channel level: 0 nothing, 1 integrity, 3 encryption and integrity.
# NOTE(review): 404142...4e4f is the widely published default test key and is stored here in clear text;
# it is only appropriate for development cards. With -security 1 the commands that follow (including the
# applet load) are integrity-protected but not encrypted.
# NOTE(review): many cards count failed authentications and can block the card manager after repeated
# failures - confirm the key values for this card before retrying open_sc.
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
# Authenticate and derive the session keys - variant for a single mother key.
#open_sc -security 1 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45
# The secure channel should now be open; for example, list the contents of the card.
get_status -element 40
# Or delete the previous applet and load a new one. The applet instance is deleted first, then the package
# the instance was created from (the reverse order does not work).
delete -AID 6D7970616330303031
delete -AID 6D797061636B616731
# Then install the new applet. Note: *.cap is the applet converted from the original *.jar. You may also
# come across the extensions jar (but converted), *.ijc (converted) or *.sap (for the Gemalto simulator,
# cannot be loaded onto a card).
# -AID is the AID of the applet, -pkgAID is the AID of the package of that applet.
# -nvDataLimit 8000 limits how much data storage in bytes the applet needs on the card. According to the
# original author, -priv passes data at applet installation (it goes to the constructor; what you put there
# is up to you, e.g. a serial number for the given card, or keys).
# NOTE(review): GPShell documents -priv as the applet privileges and -instParam as the installation
# parameters - confirm which of the two is intended here.
install -file AlgTest.cap -priv 00 -nvDataLimit 8000 -AID 6D7970616330303031 -pkgAID 6D797061636B616731
# Disconnect, end.
card_disconnect
release_context
# Purpose: key-management session for an Oberthur Cosmo v7 card. Opens a secure channel with the default
# keyset and runs get_status; the put_sc_key lines that create or replace keysets are left commented out
# and are enabled one at a time as needed.
mode_211 // NOTE: must be mode_211 mode, otherwise will fail with 0x6a88 during put_sc_key (although everything else will stay same)
enable_trace
establish_context
card_connect
# CM is already pre-selected on Oberthur Cosmo v7 card, so select is not necessary (it is issued here anyway)
select -AID A0000001510000
# Active variant: default keyset (-keyver 0) with -security 0, i.e. no integrity or encryption on the
# commands that follow. The two commented variants below use -security 3 with keyset version 3 and with
# the 5051...5e5f keys respectively.
# NOTE(review): when a put_sc_key line is enabled, prefer a -security 3 channel so the key update is
# integrity-protected and encrypted in transit.
# NOTE(review): many cards count failed authentications and can block after repeated failures - switch
# to the matching open_sc variant once the keyset has been changed.
open_sc -security 0 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
#open_sc -security 3 -keyind 0 -keyver 3 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
#open_sc -security 3 -keyind 0 -keyver 0 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f // Open secure channel
# Put new keyset version 2 (NOTE: if this is the first time a new keyset is created, the default keyset (-keyind 0 -keyver 0) will be replaced). The newly created keyset can be used for authentication both with (-keyind 0 -keyver 0) and (-keyind 0 -keyver 2)
# NOTE(review): 5051...5e5f is a sequential sample value, no stronger than the default 4041...4e4f key;
# a card used outside a test bench needs randomly generated keys that are not kept in the script.
#put_sc_key -keyver 0 -newkeyver 2 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
# Put another new keyset, version 3
#put_sc_key -keyver 0 -newkeyver 3 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
# Replace keys in keyset version 2 (NOTE: must use -keyver instead of -newkeyver)
# NOTE(review): -keyver appears twice on the next line (1 and 2); which value GPShell takes is not
# visible here - confirm before enabling it.
#put_sc_key -keyver 1 -keyver 2 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
# List card status for element 80 (the first script on this page uses element 40 to list card contents).
get_status -element 80
card_disconnect
release_context
# The problem: When trying to modify the default keyset on an Oberthur Cosmo v7 card, the PUT KEY command (put_sc_key in GPShell) fails with 0x6a88 (REFERENCE_DATA_NOT_FOUND)
# Solution:
# 1. The correct secure channel version must be used. Although Oberthur supports both SCP01 and SCP02, SCP02 must be used, otherwise the command will fail.
# mode_211
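# 2. The security level of the secure channel does not affect whether PUT KEY succeeds (it works with open_sc -security 0, 1 and 3); only level 3 both encrypts and integrity-protects the commands that carry the key update.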
# 3. Put new keys into a newly created keyset version 2. NOTE: if this is the first time a new keyset is created, the default keyset (-keyind 0 -keyver 0) will be replaced. The newly created keyset can be used for authentication both with (-keyind 0 -keyver 0) and (-keyind 0 -keyver 2)
# put_sc_key -keyver 0 -newkeyver 2 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
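# 4. The old default keys should no longer work (the next command will fail). NOTE: many cards count failed authentications and can block after repeated failures, so run this check once rather than repeatedly.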
# open_sc -security 0 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f
# 5. Authentication with the new keys should work. Both (open_sc -keyind 0 -keyver 0) and (open_sc -keyind 0 -keyver 2) should work at this point
# open_sc -security 3 -keyind 0 -keyver 0 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
# open_sc -security 3 -keyind 0 -keyver 2 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
# 6. You can replace the already inserted keys with
# put_sc_key -keyver 1 -keyver 2 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f