Dealing With Unfused JCOP Java Cards Sold from AliExpress or eBay

Recently I acquired a set of 5 JCOP J2A040 Java Cards with the intention of loading the GidsApplet on them for Windows Smart Card Logon with an Active Directory Domain Controller.

Upon receipt of the smart cards in the mail, I’ve ran into this error with GlobalPlatformPro: STRICT WARNING: Unfused JCOP detected

After a few hours spent with Google and various search engines and some trial and error, I’ve put together an explanation on what an unfused JCOP card really is and how to perform the pre-personalization steps that a card manufacturer would have taken to enable the GlobalPlatform Card Manager so a developer can load a .CAP file on to the card for the end user to use.

A big disclaimer here before I continue on: I am not a smart card or Java Card expert, so please do not leave comments or e-mail me about developing Java Card Applets for your organization. Also, hello legal, the following information I’m posting here is compiled from searching on Google and no, I have not signed an NDA with NXP or other entities. The APDU’s I’m posting here is also found on Google.

I am simply a systems administrator that’s using low cost Java Cards to experiment with Smart Card logon in an Active Directory Envrionment. Any findings I post here may be incorrect, or worse can cause irreversible damage to your Java Card(s).

With the disclaimer aside, an unfused JCOP card basically means the card has not been “pre-personalized”. In this context, what “pre-personalization” means is setting up the JCOP card’s operating parameters, such as the card’s ATR historical bytes, what transmission mode to use and etc. Initially, getting your hands on a unfused JCOP card may sound like a good idea, but in practice this can frustrate Java Card developers as the GlobalPlatform Card Manager is not accessible to the developer, until at least it has gone through the pre-personalization phase. Also, the actual pre-personalization APDU’s aren’t that easy to find as they are usually kept under an NDA(?) from NXP.

When you are shopping for Java Cards on eBay or similar sites, you’ll probably see some listings stating something similar along the lines of:

We can only provide the TK default value (Transport key) ,like: .
Before you use JCOP Card,you need 2 commands for opening the JCOP21-40K card.
here is :
APDU:00A4040010( TK - KEY )
APDU:00F00000 ( open for Initialize )
If you don’t know how to use it ,please don’t order it! Otherwise, we will not be responsible for the return.

What they really mean is “We’re selling you unfused JCOP cards, if you can’t figure out how to pre-personalize them, good luck!”. Not off to a really good start, but I’ve come up with an sequence of APDU’s that you issue to your JCOP card for enabling the Card Manager so you can load a Java Card applet on it:

# GPShell style APDU commands, but you should be able to adapt it to anything that can send raw APDU's to the card
# Our TK Key
send_apdu -sc 0 -APDU 00A4040010
# Reset card to factory defaults - THIS WILL WIPE OUT ALL APPLETS INSTALLED
send_apdu -sc 0 -APDU 00F00000
# Set the Card to use T=1 transmission mode
send_apdu -sc 0 -APDU C0D6012301DA
send_apdu -sc 0 -APDU C0D6014601DA
# Not sure what this does...
send_apdu -sc 0 -APDU C0D6012201FE

# Make the Card identify as SLEEPMODE/NEGOTIABLE/T=1 on both cold and warm states
send_apdu -sc 0 -APDU C0D60124010F
send_apdu -sc 0 -APDU C0D60147010F
# The following sequence of APDU's is to be used if you are using T=0 transmission mode, comment out the APDU's above,
# starting with the reset to factory defaults and uncomment the lines below to use T=0 transmission
# Set the Card to use T0
#send_apdu -sc 0 -APDU c0d601240108
#send_apdu -sc 0 -APDU c0d601470108

# Set the Card to identify as T0
#send_apdu -sc 0 -APDU c0d6012604036000ff
#send_apdu -sc 0 -APDU c0d6014904036000ff

# Set the card's historical ATR bytes to display as J 2 A 0 8 1 , T = 1
# Cold
send_apdu -sc 0 -APDU c0d601370b0a4a32413038312C543D31
# Warm
send_apdu -sc 0 -APDU c0d6015A0b0a4a32413038312C543D31

# Set the auth key to a the default value 404142434445464748494a4b4c4d4e4f
send_apdu -sc 0 -APDU c0d6030510404142434445464748494a4b4c4d4e4f
send_apdu -sc 0 -APDU c0d6032110404142434445464748494a4b4c4d4e4f
send_apdu -sc 0 -APDU c0d6033D10404142434445464748494a4b4c4d4e4f
# Protect the Card
# send_apdu -sc 0 -APDU 00100000
# Fuse it
# send_apdu -sc 0 -APDU 00000000

Starting with the first APDU they provide you, 00 A4 04 00 10 along with the Transport Key selects the pre-personalization application. At this stage, make sure you are getting a status code of 90 00, indicating success. If you see anything else, contact the seller to provide you with the Transport Key. Without that Transport Key, your JCOP card will be unusable until you get your hands on it.

Once the card receives the APDU of 00 F0 00 00, it starts the Java Card’s OS up and resets everything back to the factory state. This also means the key required to load applets on it will be randomized.

Moving along the sequence of APDU’s, they set up the card’s transmission protocols, the card’s historical ATR and finally the Card Manager keys which will be needed later if you want to install applets on to your JCOP card.

When you get to the bottom of the sequence of APDU’s, you will notice 00 10 00 00 and 00 00 00 00. The APDU 00 10 00 00 protects the configuration from being changed until the next factory reset(?) and the second 00 00 00 00 APDU fuses the card and prevents any further configuration of the card. For development purposes, fusing the card is optional as the APDU’s prior to the PROTECT and FUSE commands would have already enabled the Card Manager. However, in production runs, it is recommended that you fuse the card to prevent further changes to the card’s operating parameters.

After issuing the APDU’s, your JCOP card should be ready for use with GPShell or GlobalPlatformPro to install Java Card applets on them.

Leave a Reply

Your email address will not be published. Required fields are marked *