GPSHELL(1) GPShell Documentation GPSHELL(1)

gpshell - command line tool for the management of GlobalPlatform compliant smart cards

gpshell scriptfile

gpshell can manage applications on smart cards supporting the GlobalPlatform. This comprises the installation and deletion of applications, getting the applications status and card data. These applications are practical always Java Card applets. Additional key management commands are provided.

The most common way to use gpshell is a script file. But it is also possible to read the commands from stdin if no script file is provided.

Within a script environment variables can be accessed with the syntax ${ENV_VAR_NAME}.

Reading the commands from stdin allows one to feed in the commands dynamically and use conditionals when using the Expect (https://en.wikipedia.org/wiki/Expect) pattern. Tools are available for a variety of script languages, shells and programming languages. Example are to support environment variables and handle results and output conditionally.

There are several txt example scripts provided which gets installed into usr/local/share/docs or /home/linuxbrew/.linuxbrew/opt/globalplatform/share/doc/gpshell1/ or can be found online (https://github.com/kaoh/globalplatform/tree/master/gpshell).

Set protocol mode to OpenPlatform 2.0.1. This is the default.
Set protocol mode to GlobalPlatform 2.1.1 and later
For cards which use the VISA key derivation scheme for the key calculation, like GemXpresso Pro, Palmera Protect or some JCOP cards this must be set.
For cards which uses the EMV CPS 1.1 key derivation scheme for the key calculation, like a Sm@rtCafe Expert 3.0 this must be set.
Enable APDU trace

You will see the sent APDUs in clear text. The last two bytes of the response are the response code. A response code of 9000 means success, otherwise the response code indicates an error. This may be OK when deleting a non existing applet or package.

Enable the logging of the execution times of commands.
Establish context. This must always be executed before connecting to a card.
Connect to card in the reader with readerName. By default protocol is 0 = T0.
Connect to card in the x th reader in the system. By default protocol is 0 = T0.
Open a secure channel

For OpenPlatform 2.0.1’ cards only -keyind -keyver -mac_key and -enc_key are necessary.

For GlobalPlatform 2.1.1 and later cards -scp and -scpimpl should not be necessary to supply. You must also specify -kek_key.

If the card supports a Secure Channel Protocol Implementation with only one base key, specify this key with -key and omit the others.

If the card uses a key derivation mechanism you must enable the derivation mode with the -keyDerivation option and you must specify with -key the master (mother) key. -kek_key, -mac_key and -enc_key are not relevant is this case. See the section Options and Key Derivation. NOTE: If the secure channel is going to be opened when no security domain is selected then the command get_secure_channel_protocol_details must be executed before to be able to get the Secure Channel Protocol Implementation.

Select AID instance
Load and installs an applet in one step

The parameters -AID -instAID -pkgAID -nvCodeLimit can be detected automatically and the -AID and -instAID is set to the first applet in appletfile.

For the sdAID the AID selected with the select command is chosen if not given. Otherwise the default Card Manager / Security Issuer Domain AID is chosen. Usually you do not have to pass it.

-instParam specifies applet installation parameters for the install() method -uiccSystemSpecParam specifies parameters according to ETSI TS 102 226, sect. 8.2.1.3.2.2 to use the Card Application Toolkit (CAT) functionality or to access the UICC file system. The parameters have to be already encoded without the outer tag `EA'. -simSpecParam specifies parameters according to ETSI TS 102 226, sect. 8.2.1.3.2.1 to use the SIM Application Toolkit (STK) functionality or to access the SIM file system. The parameters have to be already encoded without the outer tag `CA'.

Applet load preparation

For the sdAID the AID selected with the select command is chosen if not given. Otherwise the default Card Manager / Security Issuer Domain AID is chosen. Usually you do not have to pass it.

This command may be needed if the combined install command does not work.

Load applet

This command may be needed if the combined install command does not work.

Instantiate applet

This command may be needed if the combined install command does not work. Or you want to install a pre-installed Security Domain.

Makes an installed applet instance selectable

This command may be needed if the combined install command does not work. Typically this is used after an install_for_install followed by personalization.

Disconnect card
List applets and packages and security domains
List packages
List applets or security domains
List Card Manager / Security Issuer Domain
Release context
Add or replace a key set version

If a new key set version is to be added keyver must be set to 0. If keyver equals newkeyver an existing key version is replaced. An existing key set version cannot be replaced with a key set version using a different key size.

Replace key set version keyver using key derivation derivation using the master (mother) key y
Add a RSA delegated management key in version newkeyver
Send APDU apdu without secure channel

The APDU is given as hex without spaces and without leading 0x.

A GET DATA command returning the data for the given identifier. See the identifier options for details.
A GET DATA command returning the key information templates in the selected security domain. NOTE: The security domain must be selected and this only works outside of a secure channel.
A GET DATA command returning the extended card resources information in the issuer security domain. NOTE: The security domain must be selected and this only works outside of a secure channel.
A GET DATA command returning the secure channel protocol details and remembering them for a later open_sc. NOTE: The security domain must be selected and this only works outside of a secure channel.
Prints a line of text. Prints an empty line if no text is given.
Prepare a security domain for the personalization of an applet with following store_data commands. NOTE: The security domain must be selected and this only works outside of a secure channel.
Executes a STORE DATA command passing the data to the selected applet.
A GET DATA command returning the card recognition data. NOTE: The security domain must be selected.
Deletes a key set version with a DELETE command. If only the keyver is passed the complete key set version is deleted. By default keyind is 0xFF to delete the complete key set version. If keyver is 0 all key set with the passed keyind are deleted.

Key index x

-keyver x Key set version x

New key set version x
Key value in hex
MAC key value in hex
ENC key value in hex
KEK key value in hex
0: clear, 1: MAC, 3: MAC+ENC, 51: MAC+ENC+R-MAC+E-ENC (SCP03 only), 19: MAC+ENC-R-MAC (SCP02+SCP03 only), 17: MAC+R-MAC (SCP02+SCP03 only)
Smart card reader name
Number of the reader in the system to connect to. If -reader is given this is ignored.
Protocol, 0:T=0, 1:T=1 Should not be necessary to be stated explicitly.
Applet ID
Security Domain AID
Package AID
Instance AID
Non-volatile code size limit
Non-volatile data size limit
Volatile data size limit
File name
Installation parameter
UICC System Specific Parameters according to ETSI TS 102 226, sect. 8.2.1.3.2.2.
SIM File Access and Toolkit Application Specific Parameters according to ETSI TS 102 226, sect. 8.2.1.3.2.1.
Element type to be listed in hex
80 - Card Manager / Card Issuer Security Domain only.
40 - Applications (and Security Domains only in GP211 and later).
20 - Executable Load Files only.
10 - Executable Load Files and their Executable Modules only (Only GP211 and later)
Sets the format of the response of the get_status command. This is only used for GlobalPlatform cards and required and only needed if the default is not supported by the smart card.
Sets the data format flag for store_data command. Default 0.
0 - No general encryption information or non - encrypted data
0x20 - Application dependent encryption of the data
0x40 - RFU(encryption indicator)
0x60 - Encrypted data. Must be encrypted with data encryption key.
Sets the encryption format flag for store_data command. Note that this is just a flag and the data must be passed already in the correct encryption. Default 0.
0 - No general data structure information
0x08 - DGI format of the command data field
0x10 - BER-TLV format of the command data field
0x18 - RFU (data structure information)
Sets if response data is expected for store_data command. 1 for expecting response data. Default 0.
Sets the key template index to return for the get_key_templates command. Default 0.
0 - Deprecated format
2 - New format (default)
Secure Channel mode (0 off, 1 on)
APDU to be sent. Must be in hex format, e.g. 80CA00CF00.
Privilege. E.g. 0x04 Default Selected
Secure Channel Protocol (1 SCP01, 2 SCP02, 3 SCP03, default no set). Should not be necessary to be stated explicitly.
Secure Channel Implementation (default not set) Should not be necessary to be stated explicitly. See the get_secure_channel_protocol_details command to detect the Secure Channel Protocol Implementation. NOTE: The value can be passed as decimal value or hexadecimal prefixed by “0x”. The hexadecimal version is the common one.
Password for key decryption
Identifier for the tag for the get_data command. Must be in hex format, e.g. 9F7F.

There are several identifiers available but in general not all cards are supporting them. The GlobalPlatform specification v2.3.1 lists a few in section 11.3.3.1. It is useful to use some ASN.1 parser to interpret these data, like asn1js (https://lapo.it/asn1js)

Some useful identifier are:

9F7F - CPLC (Card Production Life Cycle) Data
00E0 - Key Information Templates. Instead of the first byte 00 also 01, ... can be used to get more key information templates if available. There is a dedicated command for getting this: get_key_information_templates
2F00 - List of applications
FF21 - Extended card resources. There is a dedicated command for getting this: get_extended_card_resources_information
0066 - Card Recogniti0on Data. There is a dedicated command for getting this: get_card_recognition_data
Data in hex format for the store_data command.
Does not stop in case of an error
Type of the key for the put_sc_key command. Must be in hex format, e.g. 88.

You see the command trace of a GET DATA command and the interpreted result.

=> 80 CA 9F 7F 00 .....
(12102 usec)
<= 9F 7F 2A 47 90 50 40 47 91 81 02 31 00 83 58 00 ..*G.P@G...1..X.
11 68 91 45 81 48 12 83 65 00 00 00 00 01 2F 31 .h.E.H..e...../1
30 31 31 36 38 00 00 00 00 00 00 00 00 90 00 01168..........
Status: No Error
IC Fabricator : 4790
IC Type : 5040
Operating System ID : 4791
Operating System release date : 8102 (11.4.2008)
Operating System release level : 3100
IC Fabrication Date : 8358 (23.12.2008)
IC Serial Number : 00116891
IC Batch Identifier : 4581
IC Module Fabricator : 4812
IC Module Packaging Date : 8365 (30.12.2008)
ICC Manufacturer : 0000
IC Embedding Date : 0000
IC Pre-Personalizer : 012F
IC Pre-Perso. Equipment Date : 3130 (10.5.2003)
IC Pre-Perso. Equipment ID : 31313638
IC Personalizer : 0000
IC Personalization Date : 0000
IC Perso. Equipment ID : 00000000

Dates are stored as 2 bytes, the first specifying the year in the decade and the last 3 bytes the day within the year.

Possible values are none, visa2 or emvcps11

Choose visa2 if you have a card which uses the VISA key derivation scheme for the key calculation, like GemXpresso Pro or some JCOP cards you must set this.

Choose emvcps11 If you have a card which uses the EMV CPS 1.1 key derivation scheme for the key calculation, like a Sm@rtCafe Expert 3.0 and later you must set this. Also for put_sc_key this is necessary for Sm@rtcafe 5.0 (and earlier(?)) cards

Enables debugging output from the underlying GlobalPlatform library.
Sets the log file name for the debugging output.

For the VISA2 key derivation scheme, like used in a GemXpresso Pro or some JCOP cards.
For the key derivation according to EMV CPS 1.1 (CDK (CPG 2.04)), like Sm@rtCafe Expert 3.0 and later.

Known unsupported key derivation schemes are:

CDK (CPG 2.02)
ISK(D)

Gemalto IDCore 3010
Oberthur CosmopoliC 32K (OP201)
CosmopoliC 64K V5.2 (GP211, SCP01, Impl05)
Axalto Cyberflex e-gate 32k (OP201)
GemXpresso R3.2 E64
IBM JCOP v2.2 41 (GP211)
IBM JCOP 31 (36k)
Palmera Protect V5
JTopV15
Nokia 6131 NFC Phone (GP211)
Axalto Cyberflex Access 64k
Gemalto Generations Flexible
Sm@rtCafe Expert 3.0
Tongfang420
Infineon SECORA™ ID S
JCOP4 P71
JCPO3 P60 EMV
JCOP3 P60 SecID CS
JCOP3 P40 EMV
JCOP3 P40 SecID
JCOP2.4.x

For CosmopoliC 64K (tested on V5.2), you need to specify the Security Domain AID. For example,

install -file helloworld.cap -sdAID A000000003000000 -nvCodeLimit 4000

For GemXpresso R3.2 E64, you need to specify the Security Domain AID (Card Manager AID). For example,

install -file helloworld.cap -sdAID A000000018434D00 -nvCodeLimit 4000

If you cannot authenticate to your card it might be not fused. In this case you need the transport key from the vendor. Execute the JCOP IDENTIFY command.

select -aid A000000167413000FF Offset 14 (decimal) of the response has the pre-personalized state. 00h means not fused (not personalized), 01h means fused.

For the Cyberflex you also need the CAP transformer (I believe this is a kind of obfuscator) which you must apply to the CAP file. Download it from http://www.trusted-logic.fr/down.php and use it.

install_for_load fails for unknown reason, so nothing can be installed.

Some cards are not supporting the GET DATA command. This command is used by GPShell for retrieving the secure channel parameters. So you have to pass -scp 2 -scpimpl 0x15 to open_sc command.

Karsten Ohme k_o_@users.sourceforge.net Snit Mo snitmo@gmail.com

See the file AUTHORS for a complete list.

2.2.0