This is the fifth part of the story of the smart card track at NSEC 2013. You can see the first four parts: part 1, part 2, part 3 and part 4.
I had made good progress and I only needed one more information to build the keys required to change the PIN on the card. It was the Xored app log data.
At that point I decided to look at the only application I hadn’t looked at yet, the new access application. There were more commands for this application: GetChallenge, verify, read record, write secured and write unsecured. I was pretty sure that write secured would be used to write the new pin following the complex procedure, so at first I issued a GetChallenge. This returned a Hex string of the right length. I tried submitting that just in case the XOR part was misleading…
Of course, it was wrong, and since GetChallenge didn’t take any parameters, I had to try another command. I turned to read record as it looked liked the right thing to get data from the card. After looking up the correct bits to send, I issued a read for the first record and it returned another HEX string of the right length. I tried xoring the challenge and this string and… it failed. So I tried reading the second record and received another HEX string of the right length. At that point I wrote a java program to read all records from 1 to 255. Here is the output:
00B200067F response: 6A83 00B201067F response: D9D12BF27418984A9000 00B202067F response: 30E4F1EE16B6A5999000 00B203067F response: 5D16DA4DF926A0D89000 00B204067F response: 6A83 00B205067F response: 6985 00B206067F response: 6A83 00B207067F response: 6A83 00B208067F response: 6985 00B209067F response: 6A83 00B20A067F response: 6A83 00B20B067F response: 6A83 00B20C067F response: 6A83 00B20D067F response: 6985 00B20E067F response: 6A83 00B20F067F response: 6A83 00B210067F response: 6A83 00B211067F response: 6A83 ...
I got 3 hex strings and then all records are invalid. I xored those 3 and submitted, it was wrong. I tried every permutation of those 3 strings and it was wrong, i xored those 3 with the challenge and it was wrong. Everytime, I would reget the whole output from the card, just in case, there was something related to the number of reads or trying to VERIFY pins to see if it added records. At some point, the card started behaving weirdly and started returning error 6985 for all records, at which point I had to get it physically out and back in. So I had some flaky behavior. This may seem silly, but I spent well over an hour trying things to get the Xored app logs. I even went and told the organizers that their flag was wrong in the database because I was sure I xored everything correctly. They came over looked at what I was doing and said, no everything is there…
00B200067F response: 6A83 00B201067F response: D9D12BF27418984A9000 00B202067F response: 30E4F1EE16B6A5999000 00B203067F response: 5D16DA4DF926A0D89000 00B204067F response: 6A83 00B205067F response: 6985 00B206067F response: 6A83 00B207067F response: 6A83 00B208067F response: 6985 00B209067F response: 6A83 00B20A067F response: 6A83 00B20B067F response: 6A83 00B20C067F response: 6A83 00B20D067F response: 6985 00B20E067F response: 6A83 00B20F067F response: 6A83 00B210067F response: 6A83 00B211067F response: 6A83 ...
I was tired of trying permutations, so I went and tried to help Daniel on some other track. After a while, I came back to this, reran the read loop and saw that I had some 6985 errors in there. But I thought, this is once again the card being corrupted and returning wrong values again. I took the card out and put it back in, still had the same errors. I looked up error 6985, it meant: “conditions of use not satisfied”. Also, by that point I noticed that it was always records 5, 8 and 13 that returned these errors, the others always returned invalid record (unless the card was in corrupted mode where every record would return 6985).
Just for the hell of it, I tried reading records 5,8 and 13 before 1,2 and 3. This time it worked, I got all 6 values and noticed that the challenge I was receiving was equal to the value in record 13. I xored all these together and got the flag.
I was really happy because this flag meant that I had everything I needed to follow the change pin procedure. I’ll tell that story in the next part.