Interfacing with a PayPass card under Linux using LibNFC

This morning, I received an Orange Cash prepaid debit MasterCard, and proceeded to see if I could use its ISO/IEC 14443-A interface to access its EMV application directory.

After spending some time searching the Web, I realised that not many people have successfully attempted to do so using LibNFC (or if they have, they’ve decided to remain quiet about it, for reasons unknown); and resorted to trying to use CardPeek’s EMV script – which worked successfully with the ISO/IEC 7816 contact interfaces of all of the cards that I’ve tried (until I accidentally broke one of the contact interface pins), but doesn’t work with my reader’s RFID transceiver…

Using LibNFC’s nfc-list -v command, I was able to obtain the following information regarding the contactless interface:

1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 29  8b  cf  51
      SAK (SEL_RES): 28
* Compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
   ATS: 78 80 82 02 80 31 80 66 b0 84
 12 01 6e 01 83 00 90 00
* Max Frame Size accepted by PICC: 256 bytes
* Bit Rate Capability:
  * Same bitrate in both directions mandatory
* Frame Waiting Time: 77.33 ms
* Start-up Frame Guard Time: 1.208 ms
* Node ADdress not supported
* Card IDentifier supported
* Historical bytes Tk: 80 31 80 66 b0 84 12 01 6e 01 83 00 90 00
  * Tk after 0x80 consist of optional consecutive
      COMPACT-TLV data objects;
    the last data object may carry a status indicator of one,
      two or three bytes.
    See ISO/IEC 7816-4 for more info
Fingerprinting based on ATQA & SAK values:
* JCOP31 v2.3.1
* SmartMX with Mifare 1K emulation

I’ve modified the formatting of that command’s output slightly, so that it fits within this blog’s template boundaries –  but the data is identical to what I see when running it.

Since I couldn’t find any useful example code in C or C++ for exchanging ISO/IEC 7816 APDUs with contactless cards, I decided to investigate the possibility of modifying one of the TAMA scripts (UltraLightRead.cmd) in the LibNFC repository, and discovered that by prefixing the EMV commands mentioned in Saush’s blog post with 40 01, I was able to make the card respond to a request for the Payment System Environment.

The resulting script looks like this:

02; // Get firmware version
4A 01 00; // 1 target requested
// Select the payment system environment
40 01 00 A4 04 00 0E 31 50 41 59 2E 53 59 53 2E 44 44 46 30 31;

And the resulting packet received from the card reader’s PN532 chipset looks like:

If I get chance, I’ll probably see if I can modify CardPeek’s EMV script somehow to generate APDUs with InDataExchange (0x40) framing, and hopefully get contactless mode working with my reader (so that I don’t have to implement EMV by myself, in order to test other commands) – but I have my doubts, somehow.

In the meantime, I hope that this discovery is vaguely helpful for others…
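The `40 01` prefix used in the script above, worked through in C as an added example (not code from the original post or from LibNFC). It builds the same SELECT command byte for byte and splits a reply, assuming the PN532 reply layout of response code `41`, a status byte whose low six bits are the error code, then the card's data and SW1 SW2; the function names are hypothetical and the reply bytes are constructed, not captured from a card.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PN532_INDATAEXCHANGE 0x40  /* command code; the reply code is 0x41 */

/* Build "40 Tg | 00 A4 04 00 Lc <name>": an ISO/IEC 7816-4 SELECT-by-name
 * APDU wrapped for the PN532. No Le byte, matching the script above.
 * Returns the number of bytes written, or 0 if the name does not fit. */
size_t wrap_select(uint8_t tg, const char *name, uint8_t *out, size_t cap)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255 || cap < 7 + n) return 0;
    const uint8_t hdr[] = { PN532_INDATAEXCHANGE, tg, 0x00, 0xA4, 0x04, 0x00, (uint8_t)n };
    memcpy(out, hdr, sizeof hdr);
    memcpy(out + sizeof hdr, name, n);
    return sizeof hdr + n;
}

/* Split a reply "41 Status <data> SW1 SW2" (assumed layout). On success
 * returns 0, points *data at the card's response body and stores SW1SW2
 * in *sw. Returns -1 for a malformed reply, or the PN532 error code
 * (low 6 bits of Status) when the chip itself reports a failure. */
int unwrap_reply(const uint8_t *rx, size_t len,
                 const uint8_t **data, size_t *dlen, uint16_t *sw)
{
    if (len < 2 || rx[0] != PN532_INDATAEXCHANGE + 1) return -1;
    if (rx[1] & 0x3F) return rx[1] & 0x3F;
    if (len < 4) return -1;             /* no room for SW1 SW2 */
    *data = rx + 2;
    *dlen = len - 4;
    *sw = (uint16_t)(rx[len - 2] << 8 | rx[len - 1]);
    return 0;
}

int main(void)
{
    uint8_t tx[64];
    size_t n = wrap_select(0x01, "1PAY.SYS.DDF01", tx, sizeof tx);
    for (size_t i = 0; i < n; i++) printf("%02X ", tx[i]);
    printf("\n");
    /* Constructed reply, not captured from a card: status OK, SW = 6A82 */
    const uint8_t rx[] = { 0x41, 0x00, 0x6A, 0x82 };
    const uint8_t *d; size_t dl; uint16_t sw;
    if (unwrap_reply(rx, sizeof rx, &d, &dl, &sw) == 0)
        printf("SW=%04X, %zu data bytes\n", sw, dl);
    return 0;
}
```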


7 Comments on “Interfacing with a PayPass card under Linux using LibNFC”

  1. nvondad Says:

    I’ve done the same using a modified version of RFIDIOt’s script. This successfully talks to EMV apps.

    • Tyson Key Says:

      Heh, I tried to modify, and failed miserably in my initial attempt. If I remember correctly, I managed to generate EMV packets with the appropriate pseudo-APDU wrappers – but it seems that I couldn’t initialise the reader properly, so it kept refusing said EMV packets with a malformed error code that I couldn’t locate in my reader’s command set documentation…

    • Tyson Key Says:

      I neglected to mention that I also tried the latest version of the RFIDIOT scripts – which supposedly work with LibNFC, although it seems that they fail when initialising devices, since the authors of LibNFC keep changing their APIs, and RFIDIOT’s author hasn’t caught up with those changes. (And it seems that he hasn’t worked on that project for a long time, given the drought of updates on its Website).

      • nvondad Says:

        I was the one that wrote the initial pynfc code for the RFIDIOt scripts in 2009, and no I haven’t kept them updated, but there is now a new pynfc wrapper script which I should integrate into RFIDIOt. RFIDIOt is still maintained, and Adam (the author) is also active in LibNFC I believe.

    • Tyson Key Says:

      I’ve since had another play with the very latest SCM revisions of LibNFC, PyNFC, and your version of RFIDIOT (as of writing), and it seems that I can never get any further than this:

      tyson@UmBongo:~/RFIDIOt$ ./ -f 0
      Failed to load symbol for: SCardCancelTransaction, /lib/ undefined symbol: SCardCancelTransaction!
      Traceback (most recent call last):
      File "./", line 28, in
      import RFIDIOtconfig
      File "/home/tyson/RFIDIOt/", line 181, in
      card= RFIDIOt.rfidiot(readernum,readertype,line,speed,timeout,debug,noinit,nfcreader)
      File "/home/tyson/RFIDIOt/", line 155, in __init__
      self.nfc = pynfc.NFC()
      File "/home/tyson/RFIDIOt/", line 97, in __init__
      File "/home/tyson/RFIDIOt/", line 157, in configure
      self.device = self.libnfc.nfc_connect(target)
      File "/usr/lib/python2.7/ctypes/", line 366, in __getattr__
      func = self.__getitem__(name)
      File "/usr/lib/python2.7/ctypes/", line 371, in __getitem__
      func = self._FuncPtr((name_or_ordinal, self))
      AttributeError: /usr/local/lib/ undefined symbol: nfc_connect

      I’m tempted to write PyNFC off as abandonware, at this stage.

      • Hi there,
        thanks for everything Tyson… You helped me a lot. I bought a touchatag reader almost 2 years ago and I couldn’t manage to crack any mifare classic even with mfoc and the other stuff. After a longer break and a lot of struggling, finally I was able to do that and more. Now I’m trying to modify the cardpeek emv script to work with a paypass card, but nothing yet 🙂
        I had a lot (I mean a lot!) of trouble with this reader, driver, libs, and tools. The final version of mine is a freebsd with 1.7.2 pcscd, and python 2.7. If you want to use the mfoc you have to use the libnfc 1.4.2, if not then you can use the newer 1.6.0-rc1 too. I think the rfidiot works with both. If you have touchatag reader too, then you have to modify the protocol (T0 to T1 and backwards I think in the
        So your little blogpost helped me a lot with my paypass card, thanks again.

      • Tyson Key Says:

        No worries, Balázs.

        I am indeed using a TouchATag-branded ACS ACR122U reader, if you’re curious. That said, I intended to publish my “works-first-time” (at least under *buntu and Mac OS X) set-up instructions, a while ago – although I’ve been busy with other things recently, so it’s taken a back-seat (unfortunately).

        I can paraphrase them here for future reference, though:

        * Download the drivers from the ACS Website – and use those instead of the ones supplied by your platform distributor, if the distributor’s don’t work initially
        * Use the /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist file from, if your device isn’t recognised after installing the aforementioned drivers
        * If you’re going to use MFOC, don’t run it under a virtual machine (especially a VirtualBox one) – since the emulated USB controller adds too much latency, and it becomes very difficult to recover A keys along with B keys

        I don’t know much about PCSC under FreeBSD – although it’s probably possible to recompile ACS’s drivers from the source archive; and I’d expect that that Info.plist file is easy to find. As for Mac OS X, you can find it at /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist

        I hope that helps.
