Discussion:
SCR331-DI ccid escape commands
(too old to reply)
Pug
2005-03-08 20:04:30 UTC
Permalink
I've been trying to send the ccid escape command for the scr331-di reader
that gets the ATS from a contactless card using scardcontrol but each time I
get the 'invalid function' error, has anyone managed to this working. I also
get the same responsed when using the mcard 1.9 api for accessing memory
cards, but scm tech support don't seem able to help. This is in vb.net on a
winxp sp2 machine.

Steve
Sylvain
2005-03-08 22:45:47 UTC
Permalink
Post by Pug
I've been trying to send the ccid escape command for the scr331-di reader
that gets the ATS from a contactless card using scardcontrol but each time I
get the 'invalid function' error, has anyone managed to this working. I also
get the same responsed when using the mcard 1.9 api for accessing memory
cards, but scm tech support don't seem able to help. This is in vb.net on a
winxp sp2 machine.
Steve
Hi,

I'm not sure to understand what should mean "ccid" command, if you're
dealing with ISO 14443/3 commands, most of these are not available with
the PC/SC layer (for instance you can not send an ActivateA command but
just hope that SCardStatus works as expected).

regarding the ATS, SCM chooses to return in SCardGetAttrib(
SCARD_ATTR_ATR_STRING ) a very specific re-built string; that string was
changed with driver releases but still is not the card returned ATR
(looks like SCM try to rebuild an ISO 7816-3 compliant ATR (with valid
T0, TS).

Sylvain.
Pug
2005-03-09 21:35:41 UTC
Permalink
Post by Sylvain
Post by Pug
I've been trying to send the ccid escape command for the scr331-di reader
that gets the ATS from a contactless card using scardcontrol but each
time I get the 'invalid function' error, has anyone managed to this
working. I also get the same responsed when using the mcard 1.9 api for
accessing memory cards, but scm tech support don't seem able to help.
This is in vb.net on a winxp sp2 machine.
Steve
Hi,
I'm not sure to understand what should mean "ccid" command, if you're
dealing with ISO 14443/3 commands, most of these are not available with
the PC/SC layer (for instance you can not send an ActivateA command but
just hope that SCardStatus works as expected).
regarding the ATS, SCM chooses to return in SCardGetAttrib(
SCARD_ATTR_ATR_STRING ) a very specific re-built string; that string was
changed with driver releases but still is not the card returned ATR (looks
like SCM try to rebuild an ISO 7816-3 compliant ATR (with valid T0, TS).
Sylvain.
I need the ATS when using Mifare cards as they respond with their serial
number in the ATS, on some applications its used to calculate the secret
keys. In the technical manual of the scr331-di manual it states that sending
the picc escape command with a function called 'Reader_cntless_get_ats' it
should return the ATS of the contactless you just connected to,

i.e. ret = scardcontrol(cardhandle, IOCTL_CCID_ESCAPE,
Reader_Cntless_Get_Ats, 1, outbuf, outbuflength, reslen)

on returning ret = scard_s_success and outbuf contains the ATS which is
reslen bytes long. I've assumed that the ioctl_ccid_escape is 0x42000DAC or
SCARD_CTL_CODE(3500).

However, no matter what function I send to the reader, even the original
sample that is provided in the manual, I always get ret = 1 or 'invalid
function'. I've seen mentioned on a few sites that a registry entry called
'EscapeCommandEnable' as a non zero Dword needs to be added to
'HKLM\SYSTEM\CCS\Enum\USB\Vid*Pid*\*\Device Properties', but so far this
hasn't helped.

SCM technical don't know why it doesn't work, but the mcard 1.9 api also
fails because of the same problem as it relies on ioctl_ccid_escape to set
the card type. I tried the same code on a XP SP1 machine and also another XP
SP2 both have the same result.
Sylvain
2005-03-09 23:07:04 UTC
Permalink
Post by Pug
I need the ATS when using Mifare cards as they respond with their serial
number in the ATS, on some applications its used to calculate the secret
keys. In the technical manual of the scr331-di manual it states that sending
the picc escape command with a function called 'Reader_cntless_get_ats' it
should return the ATS of the contactless you just connected to,
i.e. ret = scardcontrol(cardhandle, IOCTL_CCID_ESCAPE,
Reader_Cntless_Get_Ats, 1, outbuf, outbuflength, reslen)
ok, I got your point.

there is not GET ATS escape message, OOH the PUID (or UID or PUPI) is
not returned into the ATS with default settings.

to obtain this information, you must first enable the Get PUPI feature,
then request the ATS and extract the UID from it, ie:

SCARDHANDLE scard; // is assumed to contain a valid handle

#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(0xDAC)
// the 3 escape commands are
#define CCID_GET_PUPI_STATUS 0xFF9B
#define CCID_SET_PUPI_ON 0x019B
#define CCID_SET_PUPI_OFF 0x009B

// enable the "get UID" feature

WORD command = CCID_SET_PUPI_ON;
byte outByte;
ULONG length = 1;
long err = ::SCardControl(scard, IOCTL_CCID_ESCAPE,
&command, 2, &outByte, 1, &length);

// now request the ATS

byte ats[32];
length = 32;
err = ::SCardGetAttrib(scard, SCARD_ATTR_ATR_STRING, ats, &length);

// the ATS shall read:
// ats[ 0] = 0x3B Proprietary
// ats[ 1] = 0xFn n indicates the number of bytes following
// atr[ 2] = 0x91 Proprietary
// atr[ 3] = 0x00 Proprietary
// atr[ 4] = 0xFF Proprietary
// atr[ 5] = 0x91 Proprietary
// atr[ 6] = 0x81 Proprietary
// atr[ 7] = 0x71 Proprietary
// atr[ 8] = 0xFE Proprietary
// atr[ 9] = 0x40 Proprietary
// atr[10] = 0x00 Proprietary
// atr[11] = 'A' or 'B'
// atr[12] = SAK Selective Acknowledgement for Type A ONLY
// atr[13] = UID length (shall be 4, 7 or 10)
// atr[14] = first (MSB) byte of UID
// atr[15] = second byte of UID
// atr[..] = first (MSB) byte of UID
// atr[nn] = last (LSB) byte of UID
// atr[+1] = 0xY1 (Y = SFGI value)
// atr[+2] = baud rate
// atr[+3] = wait time integer
// atr[+4] = first historical byte for type A only
// atr[+5] = next historical byte
// atr[++] = next historical byte, and so on
// atr[+n] = TCK

so using a type A card, your data start at (ats + 14) and are ats[13]
bytes long.

Sylvain.
Pug
2005-03-10 00:09:27 UTC
Permalink
Post by Sylvain
Post by Pug
I need the ATS when using Mifare cards as they respond with their serial
number in the ATS, on some applications its used to calculate the secret
keys. In the technical manual of the scr331-di manual it states that
sending the picc escape command with a function called
'Reader_cntless_get_ats' it should return the ATS of the contactless you
just connected to,
i.e. ret = scardcontrol(cardhandle, IOCTL_CCID_ESCAPE,
Reader_Cntless_Get_Ats, 1, outbuf, outbuflength, reslen)
ok, I got your point.
there is not GET ATS escape message, OOH the PUID (or UID or PUPI) is not
returned into the ATS with default settings.
to obtain this information, you must first enable the Get PUPI feature,
SCARDHANDLE scard; // is assumed to contain a valid handle
#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(0xDAC)
// the 3 escape commands are
#define CCID_GET_PUPI_STATUS 0xFF9B
#define CCID_SET_PUPI_ON 0x019B
#define CCID_SET_PUPI_OFF 0x009B
// enable the "get UID" feature
WORD command = CCID_SET_PUPI_ON;
byte outByte;
ULONG length = 1;
long err = ::SCardControl(scard, IOCTL_CCID_ESCAPE,
&command, 2, &outByte, 1, &length);
// now request the ATS
byte ats[32];
length = 32;
err = ::SCardGetAttrib(scard, SCARD_ATTR_ATR_STRING, ats, &length);
// ats[ 0] = 0x3B Proprietary
// ats[ 1] = 0xFn n indicates the number of bytes following
// atr[ 2] = 0x91 Proprietary
// atr[ 3] = 0x00 Proprietary
// atr[ 4] = 0xFF Proprietary
// atr[ 5] = 0x91 Proprietary
// atr[ 6] = 0x81 Proprietary
// atr[ 7] = 0x71 Proprietary
// atr[ 8] = 0xFE Proprietary
// atr[ 9] = 0x40 Proprietary
// atr[10] = 0x00 Proprietary
// atr[11] = 'A' or 'B'
// atr[12] = SAK Selective Acknowledgement for Type A ONLY
// atr[13] = UID length (shall be 4, 7 or 10)
// atr[14] = first (MSB) byte of UID
// atr[15] = second byte of UID
// atr[..] = first (MSB) byte of UID
// atr[nn] = last (LSB) byte of UID
// atr[+1] = 0xY1 (Y = SFGI value)
// atr[+2] = baud rate
// atr[+3] = wait time integer
// atr[+4] = first historical byte for type A only
// atr[+5] = next historical byte
// atr[++] = next historical byte, and so on
// atr[+n] = TCK
so using a type A card, your data start at (ats + 14) and are ats[13]
bytes long.
Sylvain.
I tried the CCID_GET_PUPI_STATUS as well but it had the same result
'Invalid function'.
Sylvain
2005-03-10 02:54:10 UTC
Permalink
Post by Pug
I tried the CCID_GET_PUPI_STATUS as well but it had the same result
'Invalid function'.
Are you sure UR using a "normal" SCR331 ??

open it to check the hardware version, also check you driver release,
and be sure to select the "contactless" interface (old/most of PC/SC
drivers show 2 logical readers (contact & contactless) for 1 physical
reader.

Sylvain.
Pug
2005-03-10 19:21:46 UTC
Permalink
Post by Sylvain
Post by Pug
I tried the CCID_GET_PUPI_STATUS as well but it had the same result
'Invalid function'.
Are you sure UR using a "normal" SCR331 ??
open it to check the hardware version, also check you driver release, and
be sure to select the "contactless" interface (old/most of PC/SC drivers
show 2 logical readers (contact & contactless) for 1 physical reader.
Sylvain.
The p/n on the board says v1.2, which is what I was expecting. The firmware
is the latest from SCM v6.22 and the driver is the newest version
v4.3.0.0.1. I'm selecting the contactless interface as it is passing the
stage where I connect to the contactless card. Its a very strange problem.
Sylvain
2005-03-11 00:03:51 UTC
Permalink
Post by Pug
The p/n on the board says v1.2, which is what I was expecting. The firmware
is the latest from SCM v6.22 and the driver is the newest version
v4.3.0.0.1. I'm selecting the contactless interface as it is passing the
stage where I connect to the contactless card. Its a very strange problem.
the hw is a little bit old - the last one I received is "rev 1.4" / "17
MAY 2004".

I'm using PC/SC driver 4.30.0.1 (I think it's what you called
"4.3.0.0.1") and also fw 6.22

I so neither understand why it doesn't work from your side.

you can double-check the FW to be sure to load the version 6.22 *for HW
1.2* ("SCR331-DI DualSlot Firmware_HW Rev 1.2 Ver 6.22.bin"), the same
fw release (6.22) exists for HW 1.4 (even there is only one byte
different in these files)

you should also try something more reliable than "vb.net", I guess it is
supposed to (also) remap the SCardControl but if "invalid function",
only means invalid for the (dirty, useless, ...) .NET/VB to C/etc layer,
we are just losing our time.

cheers,
Sylvain.
Pug
2005-03-11 01:24:12 UTC
Permalink
Post by Sylvain
Post by Pug
The p/n on the board says v1.2, which is what I was expecting. The
firmware is the latest from SCM v6.22 and the driver is the newest
version v4.3.0.0.1. I'm selecting the contactless interface as it is
passing the stage where I connect to the contactless card. Its a very
strange problem.
the hw is a little bit old - the last one I received is "rev 1.4" / "17
MAY 2004".
I'm using PC/SC driver 4.30.0.1 (I think it's what you called "4.3.0.0.1")
and also fw 6.22
I so neither understand why it doesn't work from your side.
you can double-check the FW to be sure to load the version 6.22 *for HW
1.2* ("SCR331-DI DualSlot Firmware_HW Rev 1.2 Ver 6.22.bin"), the same fw
release (6.22) exists for HW 1.4 (even there is only one byte different
in these files)
you should also try something more reliable than "vb.net", I guess it is
supposed to (also) remap the SCardControl but if "invalid function", only
means invalid for the (dirty, useless, ...) .NET/VB to C/etc layer, we are
just losing our time.
cheers,
Sylvain.
I've tried with other commands such as the basic 0x42000000 which does get a
different response i.e. 'incorrect parameters', I've also tried the PC/SC
VB6 example on the SCM ftp site but that failed as well. I'll try it on a
Win98 machine tomorrow it may just be something with the versions of XP I'm
using. I've got 10 readers being shipped from the US which should be v1.4's,
the official UK distributor only has the v1.2's and it took three days for
them work out which version they had after I told tell them the part
numbers.

Thanks for helping.
Pug
2005-03-30 17:03:59 UTC
Permalink
Post by Pug
Post by Sylvain
Post by Pug
The p/n on the board says v1.2, which is what I was expecting. The
firmware is the latest from SCM v6.22 and the driver is the newest
version v4.3.0.0.1. I'm selecting the contactless interface as it is
passing the stage where I connect to the contactless card. Its a very
strange problem.
the hw is a little bit old - the last one I received is "rev 1.4" / "17
MAY 2004".
I'm using PC/SC driver 4.30.0.1 (I think it's what you called
"4.3.0.0.1") and also fw 6.22
I so neither understand why it doesn't work from your side.
you can double-check the FW to be sure to load the version 6.22 *for HW
1.2* ("SCR331-DI DualSlot Firmware_HW Rev 1.2 Ver 6.22.bin"), the same fw
release (6.22) exists for HW 1.4 (even there is only one byte different
in these files)
you should also try something more reliable than "vb.net", I guess it is
supposed to (also) remap the SCardControl but if "invalid function", only
means invalid for the (dirty, useless, ...) .NET/VB to C/etc layer, we
are just losing our time.
cheers,
Sylvain.
I've tried with other commands such as the basic 0x42000000 which does get
a different response i.e. 'incorrect parameters', I've also tried the
PC/SC VB6 example on the SCM ftp site but that failed as well. I'll try it
on a Win98 machine tomorrow it may just be something with the versions of
XP I'm using. I've got 10 readers being shipped from the US which should
be v1.4's, the official UK distributor only has the v1.2's and it took
three days for them work out which version they had after I told tell them
the part numbers.
Thanks for helping.
Well I finally got hold of my 10 new v1.4 readers, and not a single one
works well enough on T=CL to use beyond get the ATR.

I've tried Jcop30's, Philips SmartMX 72kb, IBM Jcop engineering sample
cards and the new Siemens SLE66 series chip with a Java OS and none of them
work. Neither of the Java cards will work with the ibm jcop tools cardman
program getting comms errors continuously and the jcop / smartmx mifare
emulation works about 90% of the time but the worst is the siemens sle66
chip, it connects then dies - reconnects - dies and so on. I guess I'm not
having much luck with SCM readers. Annoyingly all the chips work perfectly
with the old v1.2 reader which I rejected as the US SCM techsupport said
that they recommended the v1.4 for working on jcop's. Someday I'll get a
pc/sc contactless read that actually does what it's supposed to do.

Pug
Sylvain
2005-03-30 23:03:10 UTC
Permalink
Post by Pug
Well I finally got hold of my 10 new v1.4 readers, and not a single one
works well enough on T=CL to use beyond get the ATR.
I've tried Jcop30's, Philips SmartMX 72kb, IBM Jcop engineering sample
cards and the new Siemens SLE66 series chip with a Java OS and none of them
work. Neither of the Java cards will work with the ibm jcop tools cardman
program getting comms errors continuously and the jcop / smartmx mifare
emulation works about 90% of the time but the worst is the siemens sle66
chip, it connects then dies - reconnects - dies and so on. I guess I'm not
having much luck with SCM readers. Annoyingly all the chips work perfectly
with the old v1.2 reader which I rejected as the US SCM techsupport said
that they recommended the v1.4 for working on jcop's. Someday I'll get a
pc/sc contactless read that actually does what it's supposed to do.
Hi Pug,

looks like a very unlucky story...

the tests I made was also on a Philips SmartMX with a different OS, I
don't remember the step design used for the JCop 30 and will check this
point. meantime, I didn't observe big differences between the firmware
1.2 & 1.4, the one I currently use in 1.4.

may be you should try "to change your environment", meaning turning off
all radio sources near of the reader (including "dirty" power unit,
phone, ...) these may explain a poor communication.

Sylvain.
Sylvain
2005-03-31 23:21:57 UTC
Permalink
Post by Pug
I've tried Jcop30's, Philips SmartMX 72kb, IBM Jcop engineering sample
cards and the new Siemens SLE66 series chip with a Java OS and none of them
work.
I'm sure it isn't the reason of your problems but ...

the JCop3X is a P8RF5016 component (the "30" is dedicated to bank
markets, since it is EMV certified and the "31" is for not-banking market).

only the JCop41 is on SmartMX.

Sylvain.
Pug
2005-04-01 01:46:26 UTC
Permalink
Post by Sylvain
Post by Pug
I've tried Jcop30's, Philips SmartMX 72kb, IBM Jcop engineering sample
cards and the new Siemens SLE66 series chip with a Java OS and none of
them work.
I'm sure it isn't the reason of your problems but ...
the JCop3X is a P8RF5016 component (the "30" is dedicated to bank markets,
since it is EMV certified and the "31" is for not-banking market).
only the JCop41 is on SmartMX.
Sylvain.
I think it may be a problem with stray RF signals where I work. If I press
the card and reader against the metal support on my desk it begins to work,
I haven't done extensive tests I'm only getting the cardman.exe to list
applets loaded on the card but when I take the reader and card away from the
support it dies again, but standard mifares work perfectly where ever the
reader is. I have a feeling that it's the uplighters used all over my office
causing the problem plus the metal covered floor panels (I had a problem
with a cheap wireless keyboard that was connecting to another wireless
keyboard over 60feet away because of the floor), so I'll take them home and
try them there.


Steve.

Loading...