Cloned Boy
This in-depth guide covers the complete process of manually extracting EMV data and structuring it into an IST (Integrated Stack Table) file for educational research on EMV card security. We'll examine raw APDU communication, binary structures, and JCOP card programming.
Table of Contents
- EMV Card Anatomy & IST File Structure
- Required Hardware/Software Tools
- Step-by-Step Data Extraction
- IST Binary Structure Analysis
- Manual IST File Creation
- Writing to JCOP Cards
- Terminal Testing & Troubleshooting
- Security Considerations
1. EMV Card Anatomy & IST File Structure
What Makes an EMV Card Work?
EMV cards contain:
- ATR (Answer To Reset) - Initial handshake bytes on the contact interface (a contactless PC/SC reader returns a pseudo-ATR built from the ISO 14443 answer instead)
- AID (Application Identifier) - Visa/MC/Amex app IDs, 5-16 bytes, each beginning with the scheme's RID A0 00 00 00 xx
- Public key certificates - The issuer public key certificate (tag 90) and ICC public key certificate (tag 9F 46), plus the CA Public Key Index (tag 8F). The CA public keys (CAPKs) themselves live in the terminal, not on the card, and are used there to verify these certificates during offline data authentication
- AFL (Application File Locator) - Which SFIs and record ranges hold the card's data
- PDOL (Processing Options Data List) - The terminal data the card wants supplied in GET PROCESSING OPTIONS
- Cryptograms (ARQC/TC/AAC generated by the card, ARPC returned by the issuer) - Dynamic authentication codes computed under the card's secret key
IST File Binary Structure
An IST file is a proprietary binary format containing:
Code:
[Header][ATR][AID List][CAP Keys][PDOL][AFL][Custom Configs][Footer]
- Header (4 bytes): Magic number (e.g., IST1)
- ATR (Variable): Raw ATR bytes
- AID List: Array of 5-16 byte AIDs
- CAP Keys: Array of RSA public key entries. An EMV RSA modulus is 128-248 bytes, so a 24-48 byte entry cannot hold a complete key
- PDOL: Tag-length-value (TLV) encoded
- Footer (4 bytes): Checksum
2. Required Tools
Hardware
Tool | Purpose |
---|---|
ACR122U | Low-cost NFC reader for APDU communication |
Proxmark3 | Advanced RFID/EMV analysis |
JCOP v2.4.2 | Blank JavaCard for testing |
Software
Tool | Purpose |
---|---|
PyResMan | EMV APDU communication |
python-emv | Low-level EMV library |
010 Editor | Binary template analysis |
JCOP Tools | Card personalization |
3. Step-by-Step Data Extraction
A. Extracting ATR
Python:
from smartcard.System import readers
from smartcard.util import toHexString

r = readers()[0]                 # first PC/SC reader; select by name if several are attached
conn = r.createConnection()
conn.connect()                   # powers the card; the reset performed here yields the ATR
# A contact card returns its real ATR. A contactless reader such as the ACR122U synthesizes
# a pseudo-ATR from the ISO 14443 answer, so on its own it does not identify the chip.
print("ATR:", toHexString(conn.getATR()))  # e.g., 3B 6F 00 00 80 31 80 65 B0 83
B. Selecting Payment Application (AID)
Python:
from smartcard.util import toHexString
# SELECT by DF name (P1=04) of the contactless PPSE "2PAY.SYS.DDF01"; contact cards expose "1PAY.SYS.DDF01" (31 50 ...) instead.
SELECT_PPSE = [0x00, 0xA4, 0x04, 0x00, 0x0E, 0x32, 0x50, 0x41, 0x59, 0x2E, 0x53, 0x59, 0x53, 0x2E, 0x44, 0x44, 0x46, 0x30, 0x31, 0x00]  # trailing 0x00 is Le
response, sw1, sw2 = conn.transmit(SELECT_PPSE)
assert (sw1, sw2) == (0x90, 0x00), f"SELECT failed: {sw1:02X} {sw2:02X}"
# The response is the FCI, a BER-TLV tree 6F > A5 > BF 0C > 61 (one per application), each 61 holding 4F (AID) and 87 (priority)
print("FCI:", toHexString(response))
C. Reading Application Records via the AFL
The records hold the card's data objects: PAN (5A), expiry (5F 24), track-2 equivalent (57), the CA Public Key Index (8F) and the issuer and ICC public key certificates (90, 9F 46). CA public keys are never stored on the card; the terminal holds them.
- First, get the AIP and AFL from GET PROCESSING OPTIONS:
Python:
GPO = [0x80, 0xA8, 0x00, 0x00, 0x02, 0x83, 0x00, 0x00]  # empty PDOL (83 00); a card whose FCI lists a PDOL (9F 38) expects those values here, otherwise it answers 69 85 or 67 00
response, sw1, sw2 = conn.transmit(GPO)  # status words arrive separately; response is data only
# Format 1: 80 LL [AIP 2 bytes][AFL]. Format 2 is a 77 template holding 82 (AIP) and 94 (AFL) and needs a TLV parser.
assert response[0] == 0x80, "format 2 response: parse tag 77 for 82 and 94"
afl = response[4:]  # skip tag, length and the 2-byte AIP
- Parse the AFL. Each entry is 4 bytes:
Code:
[SFI << 3][first record][last record][number of records included in offline data authentication]
- Read each record (P1 is the record number; P2 = (SFI << 3) | 0x04 names the file):
Python:
for i in range(0, len(afl), 4):
    sfi, first, last = afl[i] >> 3, afl[i + 1], afl[i + 2]
    for rec in range(first, last + 1):
        record, sw1, sw2 = conn.transmit([0x00, 0xB2, rec, (sfi << 3) | 0x04, 0x00])
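The three commands above return BER-TLV data, and the page leaves its decoding to the reader. As an added example (not code from the original post or from any tool it names), the following pure-Python module pulls the AIDs out of a PPSE FCI, accepts both GET PROCESSING OPTIONS response formats, and expands the AFL into READ RECORD APDUs with P2 derived from the SFI rather than hard-coded to 0x0C. The sample responses at the bottom are constructed by hand to mirror the structure a real card returns; no reader or card is involved, and the AIDs used are the public Visa and Mastercard credit/debit AIDs from the text.

```python
"""BER-TLV helpers for EMV PPSE / GPO / AFL handling. Added example; sample
responses are constructed, not captured from a real card."""


def tlv_encode(tag: bytes, value: bytes) -> bytes:
    """Encode one TLV with a BER length: short form below 0x80, else 81 xx or 82 xx xx."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return tag + length + value


def tlv_parse(data: bytes) -> list[tuple[bytes, bytes]]:
    """Split a byte string into (tag, value) pairs at one nesting level.
    Handles multi-byte tags (first byte & 0x1F == 0x1F, then bytes with bit 8 set)
    and long-form lengths; 00/FF bytes between objects are padding and skipped."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):
            i += 1
            continue
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        out.append((tag, data[i:i + length]))
        i += length
    return out


def find_all(data: bytes, wanted: bytes) -> list[bytes]:
    """Depth-first search of nested TLV data; bit 6 (0x20) of the first tag byte marks a constructed tag."""
    found = []
    for tag, value in tlv_parse(data):
        if tag == wanted:
            found.append(value)
        if tag[0] & 0x20:
            found.extend(find_all(value, wanted))
    return found


def aids_from_ppse(fci: bytes) -> list[str]:
    """SELECT 2PAY.SYS.DDF01 returns 6F > A5 > BF0C > 61 > 4F (one 4F per application)."""
    return [aid.hex().upper() for aid in find_all(fci, b"\x4F")]


def aip_afl_from_gpo(resp: bytes) -> tuple[bytes, bytes]:
    """Format 1 is tag 80 with AIP (2 bytes) followed by the AFL; format 2 is tag 77 carrying 82 (AIP) and 94 (AFL)."""
    (tag, value), = tlv_parse(resp)
    if tag == b"\x80":
        return value[:2], value[2:]
    if tag == b"\x77":
        return find_all(value, b"\x82")[0], find_all(value, b"\x94")[0]
    raise ValueError(f"unexpected GPO response tag {tag.hex()}")


def read_record_apdus(afl: bytes) -> list[tuple[int, int, list[int]]]:
    """Expand 4-byte AFL entries [SFI<<3][first][last][ODA count] into (sfi, record, READ RECORD APDU).
    P2 = (SFI << 3) | 0x04 means 'P1 is a record number, SFI is in the top 5 bits of P2'."""
    if len(afl) % 4:
        raise ValueError("AFL length must be a multiple of 4")
    apdus = []
    for i in range(0, len(afl), 4):
        sfi, first, last = afl[i] >> 3, afl[i + 1], afl[i + 2]
        for rec in range(first, last + 1):
            apdus.append((sfi, rec, [0x00, 0xB2, rec, (sfi << 3) | 0x04, 0x00]))
    return apdus


# Constructed sample responses (not from a real card), built with the encoder above.
SAMPLE_PPSE_FCI = tlv_encode(b"\x6F",
    tlv_encode(b"\x84", b"2PAY.SYS.DDF01")
    + tlv_encode(b"\xA5", tlv_encode(b"\xBF\x0C",
        tlv_encode(b"\x61", tlv_encode(b"\x4F", bytes.fromhex("A0000000031010")) + tlv_encode(b"\x87", b"\x01"))
        + tlv_encode(b"\x61", tlv_encode(b"\x4F", bytes.fromhex("A0000000041010")) + tlv_encode(b"\x87", b"\x02")))))
SAMPLE_GPO_FORMAT1 = tlv_encode(b"\x80", bytes.fromhex("3800") + bytes.fromhex("08010100" "10010301" "18010200"))
SAMPLE_GPO_FORMAT2 = tlv_encode(b"\x77", tlv_encode(b"\x82", bytes.fromhex("3800")) + tlv_encode(b"\x94", bytes.fromhex("08010100" "10010301")))

if __name__ == "__main__":
    print("AIDs:", aids_from_ppse(SAMPLE_PPSE_FCI))
    aip, afl = aip_afl_from_gpo(SAMPLE_GPO_FORMAT1)
    print("AIP:", aip.hex().upper(), "AFL:", afl.hex().upper())
    for sfi, rec, apdu in read_record_apdus(afl):
        print(f"SFI {sfi} record {rec}: {' '.join(f'{b:02X}' for b in apdu)}")
```

The same `tlv_parse` can be run over each record returned by READ RECORD to locate 5A, 57, 8F, 90 and 9F 46; `tlv_encode` is what produces the 81 xx long-form length seen on certificate objects longer than 127 bytes.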
4. IST Binary Structure Analysis
Manual Reverse-Engineering
- Dump known IST files (from EMV Foundry) in a hex editor.
- Identify patterns:
- Header: 49 53 54 31 ("IST1")
- ATR Section: Direct copy from the card
- AID List: Every payment-scheme AID begins with the RID A0 00 00 00, followed by 03 (Visa), 04 (Mastercard) or 25 (Amex)
- Certificates: the ICC public key certificate carries tag 9F 46 and the issuer public key certificate tag 90; both are issuer/CA-signed certificates, not CA keys
010 Editor Template
C:
struct IST_File {
    char  header[4];          // "IST1"
    ubyte atr[20];            // fixed 20-byte slot; a real ATR is variable length (up to 33 bytes)
    struct AID {
        ubyte aid_len;        // 5..16 per ISO 7816-4
        ubyte aid_data[16];   // fixed slot; only the first aid_len bytes are meaningful
    } aids[10];
    struct CAPKey {
        ubyte modulus[48];    // too short for an EMV modulus (128-248 bytes); cannot be a complete key
        ubyte exponent[3];    // 03, or 01 00 01 for 65537
    } cap_keys[3];
    // ... PDOL, AFL, etc.
};
5. Manual IST File Creation
Step-by-Step Assembly
- Start with the header: 49 53 54 31 ("IST1")
- Append the ATR: 3B 6F 00 00 80 31 80 65 B0 83
- Add AIDs:
Code:
A0 00 00 00 03 10 10 // Visa
A0 00 00 00 04 10 10 // Mastercard
- Insert the certificate objects (BER-TLV, so every tag is followed by a length):
Code:
9F 46 81 90 [ICC public key certificate, 144 bytes, signed by the issuer key; not a raw modulus]
9F 47 01 03 // ICC public key exponent 3 (65537 would be 9F 47 03 01 00 01)
- Add PDOL/AFL: Use TLV encoding
- Calculate Checksum: XOR all bytes
6. Writing to JCOP Cards
Using GlobalPlatform Pro
GlobalPlatformPro loads JavaCard applets packaged as CAP files; it does not read IST files, which are consumed by the personalization tool that produced them.
Bash:
gp --install applet.cap   # load the applet CAP package (file name is a placeholder)
gp --list                 # verify the applet and its AID are installed
Testing in Terminal
- Insert the card into a POS
- Check whether an ARQC is generated (dynamic auth). The terminal only forwards it; the issuer host verifies it under the card's real key, so a cryptogram computed under any other key is declined online
- If declined, check:
- Certificate validity (offline data authentication)
- AID selection
- PDOL formatting
7. Troubleshooting
Error | Diagnosis | Fix |
---|---|---|
"Card blocked" | Issuer decline or block (cryptogram failed verification, PIN try limit exceeded) | Not fixable without the issuer's keys |
"Insert chip" | Chip reset or read failed (ATR/protocol mismatch) | Reproduce the original ATR and protocol parameters exactly |
"Not accepted" | Wrong AID | Use the correct payment app ID |
8. Security Considerations
- EMV cloning is detectable: Banks use:
- Velocity checking (unusual transactions)
- Dynamic cryptograms (ARQC changes per tx)
- DDA/CDA (Offline data authentication)
- Legal risks: Unauthorized cloning is illegal in most countries.
Final Notes
This guide demonstrates how IST files work at a binary level, but:
- EMV Foundry automates this process
- Full cloning requires issuer keys (not obtainable via skimming)
- Research only — real-world abuse has legal consequences
Would you like a sample IST file for analysis? Let me know!