dandri/proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2026-06-03 19:41:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7c34b0cf55d54bb904fbbdfef12b1eada6bd61bf
proxmark3/doc/fmcos_example.md
T
klks e1152fc98a Add native fmcos support to pm3
2026-05-24 19:12:12 +08:00

27 KiB
Raw Blame History

FMCOS Wallet Walkthrough

When commands are chained in a session the RF field must stay on between them. Add -k (keep field on) to every command in a chain except the last one.

Keys used throughout

Variable Hex
external_auth_key f49dc1ba1b4deb52647186bc59106c0d
internal_key 2b8a438742c851566f02d881b09d58c0
line_protection_key 8a021972bfec9d152ca9eb82d7d12c09
unlock_pin_key d8f60fa2d791f3a658d27c05458243ed
change_pin_key fb487a6d1b7cbf1bf84c666b8338376e
purchase_key eb18ce6986c820970e876219052ce0cf
credit_key a9e6e145f5df09500a58eef8575d49db
debit_key 97fb4eda4b5237035946ee62d325d909
overdraw_limit_key 94f63c4fae5e4977d749928ad12bc128
int_enc c4608b786af1992343e91a076670ae7c
int_dec b8d4190c76856901fc686f36ab9b1ce0
int_mac 46a3ea8b254ee2749cc681050fd0dbcc
PIN (\x12\x34\x56) 123456 (3 bytes, raw BCD)
New PIN (\x13\x37\x13\x37) 13371337 (4 bytes, raw BCD)
Terminal ID 666666666666 (6 bytes)

1. reset — select MF and erase DF

Select the Master File then erase the application directory from a previous run:

hf fmcos select --id 3f00 -k
hf fmcos erase

hf fmcos erase sends INS=0x0E to delete the currently-selected DF and all its children. Run it only when the card already has a DF selected (the MF itself cannot be erased this way).

2. setup — create directory, keyfile, keys, loop files, balance files

2a. Create the application directory (ADF)

Note

: --space and --size arguments are parsed as hexadecimal. --space 1500 = 0x1500 = 5376 bytes, --size 0208 = 0x0208 = 520 bytes.

77616C6C657454657374 is the hex encoding of ASCII walletTest.

hf fmcos select --id 3f00 -k
hf fmcos create dir --id 3F01 --space 1500 --cperm F0 --eperm F0 --appid 95 --name 77616C6C657454657374 -k

2b. Select the new ADF by name

hf fmcos select --name 77616C6C657454657374 -k

All subsequent setup commands assume this DF remains selected (field stays on).

2c. Create the keyfile

hf fmcos create keyfile --id 0000 --space 200 --dfsid 95 --perm F0 -k

2d. Write keys

  • --op 01 = P1, authorization operation code (0x01 = add/update)
  • --id 00 = P2, key slot to write (0x00 = auto-assign next slot)
  • --usage F0 = usage rights byte

All key writes continue in the same session so every command carries -k.

Key 0 — DES Encrypt (int_enc)

hf fmcos key --op 01 --id 00 --usage F0 --type desenc --change F4 --version 05 --algo 98 --key c4608b786af1992343e91a076670ae7c -k

Key 1 — DES Decrypt (int_dec)

hf fmcos key --op 01 --id 00 --usage F0 --type desdec --change F4 --version 05 --algo 98 --key b8d4190c76856901fc686f36ab9b1ce0 -k

Key 2 — DES MAC (int_mac)

hf fmcos key --op 01 --id 00 --usage F0 --type desmac --change F4 --version 05 --algo 98 --key 46a3ea8b254ee2749cc681050fd0dbcc -k

Key 3 — Internal Key (internal_key)

hf fmcos key --op 01 --id 00 --usage F0 --type internal --change 02 --version 00 --algo 01 --key 2b8a438742c851566f02d881b09d58c0 -k

Key 4 — File Line Protection Key (line_protection_key)

Group C type — uses --change and --errcount.

hf fmcos key --op 01 --id 00 --usage F0 --type lineprotect --change 02 --errcount 33 --key 8a021972bfec9d152ca9eb82d7d12c09 -k

Key 5 — Unlock PIN Key (unlock_pin_key)

hf fmcos key --op 01 --id 00 --usage F0 --type unlockpin --change 02 --errcount 33 --key d8f60fa2d791f3a658d27c05458243ed -k

Key 6 — Change PIN Key (change_pin_key)

hf fmcos key --op 01 --id 00 --usage F0 --type changepin --change 02 --errcount 33 --key fb487a6d1b7cbf1bf84c666b8338376e -k

Key 7 — External Authentication Key (external_auth_key)

Group B type with --change — uses --change, --followup, and --errcount.

hf fmcos key --op 01 --id 00 --usage F0 --type extauth --change 02 --followup 44 --errcount 33 --key f49dc1ba1b4deb52647186bc59106c0d -k

Key 8 — Purchase Key (purchase_key)

hf fmcos key --op 01 --id 00 --usage F0 --type purchase --change 02 --version 00 --algo 01 --key eb18ce6986c820970e876219052ce0cf -k

Key 9 — Credit Key (credit_key)

hf fmcos key --op 01 --id 00 --usage F0 --type credit --change 02 --version 00 --algo 01 --key a9e6e145f5df09500a58eef8575d49db -k

Key 10 — Debit Key (debit_key)

hf fmcos key --op 01 --id 00 --usage F0 --type debit --change 02 --version 00 --algo 01 --key 97fb4eda4b5237035946ee62d325d909 -k

Key 11 — Overdraw Limit Key (overdraw_limit_key)

hf fmcos key --op 01 --id 00 --usage F0 --type overdraft --change 02 --version 00 --algo 01 --key 94f63c4fae5e4977d749928ad12bc128 -k

Key 12 — PIN Key (pin_code)

The PIN \x12\x34\x56 is 3 raw BCD bytes. Group B type — uses --followup and --errcount.

hf fmcos key --op 01 --id 00 --usage F0 --type pin --followup 01 --errcount 33 --key 123456 -k

2e. Create loop files for transaction logging

Loop file 0x0018 (to be linked to the wallet balance file):

hf fmcos create file --id 0018 --type loop --size 0517 --rperm F0 --wperm EF --access FF -k

Loop file 0x0019 (to be linked to the passbook balance file):

hf fmcos create file --id 0019 --type loop --size 0517 --rperm F0 --wperm EF --access FF -k

2f. Create wallet and passbook balance files

Wallet balance file (EF 0x0002, linked to loop file 0x0018):

hf fmcos create file --id 0002 --type wallet --size 0208 --rperm F0 --wperm 00 --access 18 -k

Passbook balance file (EF 0x0001, linked to loop file 0x0019):

hf fmcos create file --id 0001 --type wallet --size 0208 --rperm F0 --wperm 00 --access 19

The last command drops the field to end the setup session.

3. verify_pin — verify the PIN

The PIN \x12\x34\x56 is 3 raw BCD bytes.

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456

4. get_balance — read wallet and passbook balances

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos balance --type wallet -k
hf fmcos balance --type passbook

The command prints the 4-byte big-endian balance in decimal and hex.

5. add_money — credit (load funds)

Credit key index is 9 (written ninth in step 2d, 0-based index = 9 = 0x09).

Credit 1000 units to the wallet, then 2000 to the passbook in one session:

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos credit --type wallet   --id 09 --amount 1000 --terminal 666666666666 --key a9e6e145f5df09500a58eef8575d49db --ikey 2b8a438742c851566f02d881b09d58c0 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos credit --type passbook --id 09 --amount 2000 --terminal 666666666666 --key a9e6e145f5df09500a58eef8575d49db --ikey 2b8a438742c851566f02d881b09d58c0

Note

: FMCOS resets the card's internal security status after each completed financial transaction (Phase 1 + Phase 2). PIN verification must be repeated before each credit or purchase operation, even within the same RF session.

--key is the credit_key (16-byte 3DES key used to derive the process key). --ikey is the internal_key used for TAC verification.

6. spend_wallet / spend_passbook — purchase (deduct funds)

Purchase key index is 8 (0-based index = 8 = 0x08).

Purchase (deduct) 50 units from the wallet:

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos purchase --type wallet --id 08 --amount 50 --terminal 666666666666 --key eb18ce6986c820970e876219052ce0cf --ikey 2b8a438742c851566f02d881b09d58c0

Purchase 50 units from the passbook:

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos purchase --type passbook --id 08 --amount 50 --terminal 666666666666 --key eb18ce6986c820970e876219052ce0cf --ikey 2b8a438742c851566f02d881b09d58c0

--serial (optional) sets the 4-byte transaction serial number; defaults to 00000001 when omitted.

7. withdraw_money — cash withdrawal (NOT SUPPORTED)

Cash withdrawal uses INS=0x50 P1=0x02. There is currently no hf fmcos command for this operation.

8. pin_block — deliberately block the PIN

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 11223344 -k
hf fmcos pin verify --id 00 --pin 11223344 -k
hf fmcos pin verify --id 00 --pin 11223344 -k
hf fmcos pin verify --id 00 --pin 11223344

After the error counter reaches zero the card blocks the PIN and returns SW=6983.

9. pin_unblock — restore a blocked PIN

Unlock PIN key index is 5 (0-based index = 5 = 0x05).

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin unblock --id 00 --pin 123456 --key d8f60fa2d791f3a658d27c05458243ed

10. online_debit — online transfer (NOT SUPPORTED)

Online debit uses INS=0x50 P1=0x05 (initialize) and INS=0x54 P1=0x03 (commit). There is currently no hf fmcos command for this operation.

11. update_overdraft — set the overdraft limit

Overdraft key index is 11 (0-based index = 11 = 0x0B).

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos overdraft --id 0B --limit 1000 --terminal 666666666666 --key 94f63c4fae5e4977d749928ad12bc128 --ikey 2b8a438742c851566f02d881b09d58c0

--limit is a 24-bit unsigned integer (maximum 16777215).

--ikey is the internal key (DTK, 16 bytes). When provided the card's 4-byte TAC response is verified using DES-CBC-MAC with tac_key = XOR(ikey[0:8], ikey[8:16]) over: balance[4] | online_serial[2] | new_limit[3] | 0x07[1] | terminal[6] | date[4] | time[3]

12. get_history — read transaction history

Read the most recent 10 records from the wallet loop file (SFI 0x18):

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos history --fid 18

Read up to 20 records from the passbook loop file (SFI 0x19):

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos history --fid 19 --count 20

Example output (after a credit of 1000 and a purchase of 50):

 # | Date       | Time     | Type         | Amount     | OD Limit | Serial | Terminal
---+------------+----------+--------------+------------+----------+--------+-------------------
 1 | 2026-05-24 | 14:30:22 | WL purchase  |         50 |        0 | 000002 | 66 66 66 66 66 66
 2 | 2026-05-24 | 14:28:05 | WL purchase  |       1000 |        0 | 000001 | 66 66 66 66 66 66
[+] 2 records

The SFI bytes (18, 19) match the loop file IDs created in step 2e. Loop file record 1 is always the most recently written entry.

13. pin_change — change PIN using old PIN authorization

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos pin change --id 00 --old 123456 --new 13371337 -k
hf fmcos pin verify --id 00 --pin 13371337 -k
hf fmcos pin change --id 00 --old 13371337 --new 123456 -k
hf fmcos pin verify --id 00 --pin 123456

14. pin_reset — set new PIN using change-PIN key (no old PIN needed)

Change PIN key index is 6 (0-based index = 6 = 0x06).

hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos pin reset --id 00 --pin 13371337 --key fb487a6d1b7cbf1bf84c666b8338376e -k
hf fmcos pin verify --id 00 --pin 13371337 -k
hf fmcos pin change --id 00 --old 13371337 --new 123456 -k
hf fmcos pin verify --id 00 --pin 123456

Complete session (sequential)

The following block shows a full session in order: reset, setup, load money, spend, and check balance. Each sub-section starts a new session (field activates) and ends when the last command drops the field.

Note

: --space and --size are hex — --space 1500 = 5376 bytes, --space 400 = 1024 bytes, --size 0517 = 1303 bytes, --size 0208 = 520 bytes.

# ── 1. Reset ────────────────────────────────────────────────────────────────
hf fmcos select --id 3f00 -k
hf fmcos erase

# ── 2. Create ADF ────────────────────────────────────────────────────────────
hf fmcos select --id 3f00 -k
hf fmcos create dir --id 3F01 --space 1500 --cperm F0 --eperm F0 --appid 95 --name 77616C6C657454657374 -k

# ── 3. Select ADF ────────────────────────────────────────────────────────────
hf fmcos select --name 77616C6C657454657374 -k

# ── 4. Create keyfile ────────────────────────────────────────────────────────
hf fmcos create keyfile --id 0000 --space 400 --dfsid 95 --perm F0 -k

# ── 5. Write 13 keys (indexes 0-12) ─────────────────────────────────────────
hf fmcos key --op 01 --id 00 --usage F0 --type desenc    --change F4 --version 05 --algo 98 --key c4608b786af1992343e91a076670ae7c -k
hf fmcos key --op 01 --id 00 --usage F0 --type desdec    --change F4 --version 05 --algo 98 --key b8d4190c76856901fc686f36ab9b1ce0 -k
hf fmcos key --op 01 --id 00 --usage F0 --type desmac    --change F4 --version 05 --algo 98 --key 46a3ea8b254ee2749cc681050fd0dbcc -k
hf fmcos key --op 01 --id 00 --usage F0 --type internal  --change 02 --version 00 --algo 01 --key 2b8a438742c851566f02d881b09d58c0 -k
hf fmcos key --op 01 --id 00 --usage F0 --type lineprotect --change 02 --errcount 33 --key 8a021972bfec9d152ca9eb82d7d12c09 -k
hf fmcos key --op 01 --id 00 --usage F0 --type unlockpin   --change 02 --errcount 33 --key d8f60fa2d791f3a658d27c05458243ed -k
hf fmcos key --op 01 --id 00 --usage F0 --type changepin   --change 02 --errcount 33 --key fb487a6d1b7cbf1bf84c666b8338376e -k
hf fmcos key --op 01 --id 00 --usage F0 --type extauth  --change 02 --followup 44 --errcount 33 --key f49dc1ba1b4deb52647186bc59106c0d -k
hf fmcos key --op 01 --id 00 --usage F0 --type purchase --change 02 --version 00 --algo 01 --key eb18ce6986c820970e876219052ce0cf -k
hf fmcos key --op 01 --id 00 --usage F0 --type credit   --change 02 --version 00 --algo 01 --key a9e6e145f5df09500a58eef8575d49db -k
hf fmcos key --op 01 --id 00 --usage F0 --type debit    --change 02 --version 00 --algo 01 --key 97fb4eda4b5237035946ee62d325d909 -k
hf fmcos key --op 01 --id 00 --usage F0 --type overdraft --change 02 --version 00 --algo 01 --key 94f63c4fae5e4977d749928ad12bc128 -k
hf fmcos key --op 01 --id 00 --usage F0 --type pin --followup 01 --errcount 33 --key 123456 -k

# ── 6. Create loop files ─────────────────────────────────────────────────────
hf fmcos create file --id 0018 --type loop --size 0517 --rperm F0 --wperm EF --access FF -k
hf fmcos create file --id 0019 --type loop --size 0517 --rperm F0 --wperm EF --access FF -k

# ── 7. Create balance files ──────────────────────────────────────────────────
hf fmcos create file --id 0002 --type wallet --size 0208 --rperm F0 --wperm 00 --access 18 -k
hf fmcos create file --id 0001 --type wallet --size 0208 --rperm F0 --wperm 00 --access 19

# ── 8. Verify PIN ────────────────────────────────────────────────────────────
hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456

# ── 9. Credit wallet +1000, passbook +2000 ───────────────────────────────────
hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos credit --type wallet   --id 09 --amount 1000 --terminal 666666666666 --key a9e6e145f5df09500a58eef8575d49db --ikey 2b8a438742c851566f02d881b09d58c0 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos credit --type passbook --id 09 --amount 2000 --terminal 666666666666 --key a9e6e145f5df09500a58eef8575d49db --ikey 2b8a438742c851566f02d881b09d58c0

# ── 10. Check balances ───────────────────────────────────────────────────────
hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos balance --type wallet -k
hf fmcos balance --type passbook

# ── 11. Purchase (spend) from wallet then passbook ───────────────────────────
hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos purchase --type wallet   --id 08 --amount 50 --terminal 666666666666 --key eb18ce6986c820970e876219052ce0cf --ikey 2b8a438742c851566f02d881b09d58c0 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos purchase --type passbook --id 08 --amount 50 --terminal 666666666666 --key eb18ce6986c820970e876219052ce0cf --ikey 2b8a438742c851566f02d881b09d58c0

# ── 12. Check balances again ─────────────────────────────────────────────────
hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos balance --type wallet -k
hf fmcos balance --type passbook

# ── 13. Update overdraft limit to 1000 ──────────────────────────────────────
hf fmcos select --name 77616C6C657454657374 -k
hf fmcos pin verify --id 00 --pin 123456 -k
hf fmcos overdraft --id 0B --limit 1000 --terminal 666666666666 --key 94f63c4fae5e4977d749928ad12bc128 --ikey 2b8a438742c851566f02d881b09d58c0

# ── 14. Read transaction history ─────────────────────────────────────────────
hf fmcos select --name 77616C6C657454657374 -k
hf fmcos history --fid 18 -k
hf fmcos history --fid 19

File operations walkthrough

That script demos binary/variable/loop file creation with line protection (none, MAC, MAC+enc), plus application block/unblock. Two DFs are created on the same card:

  • blockTest (DF 3FFF, appid 0x94) — block/unblock target
  • fileTest (DF 3F01, appid 0x95) — file read/write target

Keys used

Variable Hex
internal_key 659a500f0f1fce35b6884bdff966576a
line_protection_key 980093b4d77ff65f7476bf9019a80892
external_auth_key 7c3f149ed331b11211d2fb62e2df9637
line_protection_key_1 49439874a1f623fc5e14818365d34699
external_auth_key_1 da152a9a56def40a1386ca258788fea6
internal_key_1 bb4a314981b20ce696d6c1e1cda5820c
enc_external_auth_key 44ea0184094995a845b612522a8ab463

DF names as hex: 626c6f636b54657374 = blockTest, 66696c6554657374 = fileTest

reset

hf fmcos select --id 3f00 -k
hf fmcos erase

setup — create both DFs

blockTest DF (3FFF)

hf fmcos select --id 3f00 -k
hf fmcos create dir --id 3FFF --space 500 --cperm F0 --eperm F0 --appid 94 --name 626c6f636b54657374 -k
hf fmcos select --name 626c6f636b54657374 -k
hf fmcos create keyfile --id 0001 --space 200 --dfsid 94 --perm F0 -k

Keys written into blockTest (keyfile 0001):

# Key 0 — lineprotect (line_protection_key_1)
hf fmcos key --op 01 --id 00 --usage F0 --type lineprotect --change 02 --errcount 33 --key 49439874a1f623fc5e14818365d34699 -k

# Key 1 — extauth (external_auth_key_1)
hf fmcos key --op 01 --id 00 --usage F0 --type extauth --change F0 --followup AA --errcount FF --key da152a9a56def40a1386ca258788fea6 -k

# Key 2 — internal (internal_key_1)
hf fmcos key --op 01 --id 00 --usage F0 --type internal --change F0 --version 00 --algo 01 --key bb4a314981b20ce696d6c1e1cda5820c -k

Seed binary file 0x0002 in blockTest:

hf fmcos create file --id 0002 --type bin --size 50 --rperm F0 --wperm F0 --access FF -k
hf fmcos select --id 0002 -k
hf fmcos write binary --p1 00 --p2 00 --data 62696e66696c655f626c6f636b5f74657374

(62696e66696c655f626c6f636b5f74657374 = ASCII binfile_block_test)

fileTest DF (3F01)

hf fmcos select --id 3f00 -k
hf fmcos create dir --id 3F01 --space 1500 --cperm F0 --eperm F0 --appid 95 --name 66696c6554657374 -k
hf fmcos select --name 66696c6554657374 -k
hf fmcos create keyfile --id 0001 --space 200 --dfsid 95 --perm F0 -k

Keys written into fileTest (keyfile 0001). Keys 2 and 3 are written with MAC+enc line protection (--prot enc --authkey <external_auth_key>):

# Key 0 — extauth (external_auth_key), unprotected write
hf fmcos key --op 01 --id 00 --usage F0 --type extauth --change F0 --followup AA --errcount FF --key 7c3f149ed331b11211d2fb62e2df9637 -k

# Key 1 — internal (internal_key), unprotected write
hf fmcos key --op 01 --id 00 --usage F0 --type internal --change F0 --version 00 --algo 01 --key 659a500f0f1fce35b6884bdff966576a -k

# Key 2 — lineprotect (line_protection_key), written with enc protection
hf fmcos key --op 01 --id 00 --usage F0 --type lineprotect --change F0 --errcount FF --key 980093b4d77ff65f7476bf9019a80892 --authkey 7c3f149ed331b11211d2fb62e2df9637 --prot enc -k

# Key 3 (slot 02) — extauth (enc_external_auth_key), written with enc protection
hf fmcos key --op 01 --id 02 --usage F0 --type extauth --change F0 --followup AA --errcount FF --key 44ea0184094995a845b612522a8ab463 --authkey 7c3f149ed331b11211d2fb62e2df9637 --prot enc -k

Files created in fileTest. Three trios: unprotected (--access FF), MAC (--access 7F --prot mac), MAC+enc (--access 7F --prot enc). --access 7F = protection required, use key 0.

# Binary files
hf fmcos create file --id 0002 --type bin --size 50 --rperm F0 --wperm F0 --access FF -k
hf fmcos create file --id 0003 --type bin --size 50 --rperm F0 --wperm F0 --access 7F --prot mac -k
hf fmcos create file --id 0004 --type bin --size 50 --rperm F0 --wperm F0 --access 7F --prot enc -k

# Variable-length record files
hf fmcos create file --id 0006 --type var --size 50 --rperm F0 --wperm F0 --access FF -k
hf fmcos create file --id 0007 --type var --size 50 --rperm F0 --wperm F0 --access 7F --prot mac -k
hf fmcos create file --id 0008 --type var --size 50 --rperm F0 --wperm F0 --access 7F --prot enc -k

# Loop (cyclic) files  --size 210 = 0x210 = 528 bytes
# space = record_count*(record_len+1)+8; e.g. 5 records × (0x50+1) + 8 = 0x19D
hf fmcos create file --id 000A --type loop --size 210 --rperm F0 --wperm F0 --access FF -k
hf fmcos create file --id 000B --type loop --size 210 --rperm F0 --wperm F0 --access 7F --prot mac -k
hf fmcos create file --id 000C --type loop --size 210 --rperm F0 --wperm F0 --access 7F --prot enc

write_binary

hf fmcos select --id 3f01 -k
hf fmcos select --id 0002 -k
hf fmcos write binary --p1 00 --p2 00 --data 111213141516171819101a1b1c1d1e1f -k

hf fmcos select --id 0003 -k
hf fmcos write binary --p1 00 --p2 00 --data 212223242526272829202a2b2c2d2e2f --prot mac --key 980093b4d77ff65f7476bf9019a80892 -k

hf fmcos select --id 0004 -k
hf fmcos write binary --p1 00 --p2 00 --data 313233343536373839303a3b3c3d3e3f --prot enc --key 980093b4d77ff65f7476bf9019a80892

write_loop (APPEND RECORD)

hf fmcos select --id 3f01 -k
hf fmcos select --id 000a -k
hf fmcos append --fid 0a --data 919293949596979899909a9b9c9d9e9f -k

hf fmcos select --id 000b -k
hf fmcos append --fid 0b --data a1a2a3a4a5a6a7a8a9a0aaabacadaeaf --prot mac --key 980093b4d77ff65f7476bf9019a80892 -k

hf fmcos select --id 000c -k
hf fmcos append --fid 0c --data b1b2b3b4b5b6b7b8b9b0babbbcbdbebf --prot enc --key 980093b4d77ff65f7476bf9019a80892

write_record (UPDATE RECORD)

P2 encodes the SFI: (file_id & 0x1F) << 3 | 4. The CLI --fid takes the raw file ID byte (130) and encodes P2 automatically.

Variable-length files require --tlv so the data is wrapped as 00[len][data].

hf fmcos select --id 3f01 -k
hf fmcos select --id 0006 -k
hf fmcos write record --rec 1 --fid 06 --data 515253545556575859505a5b5c5d5e5f --tlv -k

hf fmcos select --id 0007 -k
hf fmcos write record --rec 1 --fid 07 --data 616263646566676869606a6b6c6d6e6f --tlv --prot mac --key 980093b4d77ff65f7476bf9019a80892 -k

hf fmcos select --id 0008 -k
hf fmcos write record --rec 1 --fid 08 --data 717273747576777879707a7b7c7d7e7f --tlv --prot enc --key 980093b4d77ff65f7476bf9019a80892

read_binary

For MAC-protected reads the card appends a 4-byte MAC before the SW; the CLI strips it automatically.

hf fmcos select --id 3f01 -k
hf fmcos select --id 0002 -k
hf fmcos read binary --p1 00 --p2 00 --len 16 -k

hf fmcos select --id 0003 -k
hf fmcos read binary --p1 00 --p2 00 --len 16 --prot mac --key 980093b4d77ff65f7476bf9019a80892 -k

hf fmcos select --id 0004 -k
hf fmcos read binary --p1 00 --p2 00 --len 16 --prot enc --key 980093b4d77ff65f7476bf9019a80892

read_record

Variable-length files need --tlv; the CLI requests 2 extra bytes and strips the 00[len] prefix before printing.

hf fmcos select --id 3f01 -k
hf fmcos read record --rec 01 --fid 06 --len 16 --tlv -k
hf fmcos read record --rec 01 --fid 07 --len 16 --tlv --prot mac --key 980093b4d77ff65f7476bf9019a80892 -k
hf fmcos read record --rec 01 --fid 08 --len 16 --tlv --prot enc --key 980093b4d77ff65f7476bf9019a80892

read_loop

Loop files use the same READ RECORD command; --rec 01 reads the most recently appended record.

hf fmcos select --id 3f01 -k
hf fmcos read record --rec 01 --fid 0a --len 16 -k
hf fmcos read record --rec 01 --fid 0b --len 16 --prot mac --key 980093b4d77ff65f7476bf9019a80892 -k
hf fmcos read record --rec 01 --fid 0c --len 16 --prot enc --key 980093b4d77ff65f7476bf9019a80892

card_block / app_block

Permanent application block

hf fmcos select --name 626c6f636b54657374 -k
hf fmcos block --app --perm --key 49439874a1f623fc5e14818365d34699

Temporary application block:

hf fmcos select --name 626c6f636b54657374 -k
hf fmcos block --app --key 49439874a1f623fc5e14818365d34699

app_unblock

After a block the app cannot be selected normally (SELECT returns an error SW), but the DF is still addressed. Send unblock while the field is still on from the failed select, then re-select:

hf fmcos select --name 626c6f636b54657374 -k
hf fmcos unblock --key 49439874a1f623fc5e14818365d34699 -k
hf fmcos select --name 626c6f636b54657374 -k
hf fmcos select --id 0002 -k
hf fmcos read binary --p1 00 --p2 00 --len 16
Reference in New Issue View Git Blame Copy Permalink