Issuing apdu commands

Similar Messages

• APDU commands for Globalplatform card

  Hi,
  I'm trying to develop embedded software that talks to a Oberthur Cosmo 64 card via low level APDU commands. I've looked at the Globalplatform 2.1.1 specs as well as the cosmo 64 technical brief, but it seems that there are only a few APDU commands. I've only worked with native cards before this, and native cards seem to have a lot more commands. For example, I can't even find a "Get Challenge" command nor any kind of authentication/key generation/pin verification commands.
  Would like to know how I can get started just sending simple APDU commands for key generation, challenge-response, authentication, etc?

  galapogos wrote:
  Well I only see 10 commands under Part IV(APDU Command Reference) of the GPP 2.1.1 specs.
  However when I see Appendix D I realize there's actually an initialize update and external authenticate APDU command, neither of which are found in Part IV.Yes, the commands for secure channel protocol are located in the Appendices. One can argue if this commands should be listed in APDU Command Reference, but GP Committee wanted to make is as flexible as possible in case another SCP is added, with different commands.
  From what I've read so far in Appendices D/E, it seems that the difference is that
  1) SCP01 supports mutual auth while for SCP02, only the card auths the host, with an option for the reverse.
  2) For SCP01, card ensures host is genuine, but no mention of the reverse to be true. For SCP02, both host and card must be ensured to be genuine.
  3) For SCP01, data from host to card is not susceptible to sniffing(encryption?), but no mention of the reverse to be true. For SCP02, both directions are not susceptible to sniffing.You are referencing the R-MAC option. It is only present in SCP02. There is no encryption from the card side (smthg like R-ENCRYPTION), you would need to handle this in your Applet. Be aware that R-MAC is optional, depending on the security policy of the issuer. For example in JCOP, only C-MAC and C-DECRYPTION is supported. Another differences between SCP01 and SCP02:
  - The DEK in SCP02 is a session key, and in SCP01 it is static
  - The INITIALIZE UPDATE command is different regarding the P2 parameter and the structure of the response
  In the latest version of GP 2.2 SCP01 is deprecated.
  Seems like other than the initial authentication, SCP02 is always more secure than SCP01?I would only conclude this if R-MAC is supported in SCP02.
  Also, where can I find Java Card 2.2.1/2.2.2 specs? I'm not interested in using the API since I'm developing embedded firmware, so I need to talk to the card directly via APDU commands.http://java.sun.com/products/javacard/specs.html

• Where should I issue this command

  Hi all,
  I'm configuring a logical standby database (Oracle 10g R2 on Linux 4.5). In the steps, I should convert to a Logical Standby Database and thus the following command should be issued:
  ALTER DATABASE RECOVER TO LOGICAL STANDBY db_name;My question is: if I have db1 as the primary database and db2 as the standby one, on which database should I issue the command? what would be the value of db_name?
  Thanks in advance.

  I can sort of see why this section of the manual (http://download.oracle.com/docs/cd/B19306_01/server.102/b14239/create_ls.htm#i92346) where it says:
  This section describes how to prepare the physical standby database to transition to a logical standby database. It contains the following topics:
  and
  The redo logs contain the information necessary to convert your physical standby database to a logical standby database. To continue applying redo data to the physical standby database until it is ready to convert to a logical standby database, issue the following SQL statement:
  was not clear enough to state definitely that you do the command on the Physical Standby.
  The preceding section header says: 4.2.3 Prepare the Primary Database to Support a Logical Standby Database
  And then it goes to: 4.2.4 Transition to a Logical Standby Database
  I can see where it might look like we're still on the Primary database. I checked the 11.2 manual and it is pretty much the same so I'll file a doc bug to try and clean this up.
  Thanks.
  Larry

• Error while transferring file :: Error while issuing ssh command.

  Hi All,
  I am having a JSP based website application.
  I am getting the following exception in my logs.
  [ERROR] 05/04/2007 03:43:44 - Error while transferring file :: Error while issuing ssh command.
  java.net.ConnectException: Connection timed out
              at java.net.PlainSocketImpl.socketConnect(Native Method)
              at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
              at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
              at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
              at java.net.Socket.connect(Socket.java:464)
              at java.net.Socket.connect(Socket.java:414)
              at java.net.Socket.<init>(Socket.java:310)
              at java.net.Socket.<init>(Socket.java:125)
              at com.sshtools.j2ssh.net.SocketTransportProvider.<init>(Unknown Source)
              at com.sshtools.j2ssh.net.TransportProviderFactory.connectTransportProvider(Unknown Source)
              at com.sshtools.j2ssh.SshClient.connect(Unknown Source)
              at com.sshtools.j2ssh.SshClient.connect(Unknown Source)
              at com.sshtools.j2ssh.SshClient.connect(Unknown Source)
              at com.novartis.util.DataExporter.transportFile(DataExporter.java:127)
              at com.novartis.util.DataExporter.export(DataExporter.java:101)
              at com.novartis.businessmanagers.SandosSignupManagerPojoImpl.export(SandosSignupManagerPojoImpl.java:103)
              at com.novartis.util.DataExportJob.process(DataExportJob.java:48)
              at com.novartis.util.ExclusiveJob.execute(ExclusiveJob.java:35)
              at org.quartz.core.JobRunShell.run(JobRunShell.java:191)
              at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:516)Any help would be appreciated.
  Thanks.

  This means that the SSH server you're trying to connect to isn't listening. Is the SSH server running? Are you trying to connect to the right machine?

• User-friendly way to issue chown commands on remote servers

  I'd like my technically unversed users to have, on demand, the benefit of chown commands giving them ownership of certain files being executed on remote servers. I'd like this to be doable without administrators' involvement and with no physical access to the servers by any of the users being entailed.
  By "benefit of chown commands" I mean the results a competent user would get entering the command if he or she were actually doing so. By "technically unversed" I mean specifically that said users aren't and won't ever be trained to ssh into subject servers and issue chown commands themselves directly.
  I should mention that the "Get Info" interface does not in this case avail users of a way to take ownership of particular files because ACEs apply to the files in question. That ACEs apply changes what is presented: instead of any editable fields under Ownership and Permissions, all users see in the "Get Info" interface is a list of whatever ACEs apply.
  Please note that users do, by virtue of ACEs, have "change ownership" permissions for the files in question. Also, authentication to the servers in question under subject users' own logins is possible as necessary.
  What I'd like to start with is getting some idea how complicated this could be for me to do myself as a beginning AppleScripter. I'll describe what I guess would be involved and hope for someone to shed light.
  I'm guessing that something the user at his or her own machine does involving a file he or she has selected would constitute an Apple Event which a process on the client would send to a process on the server. Then I expect the server process would issue the chown command locally respectively of
  1) which file was selected when the Apple Event took place, and
  2) subject user's identity.
  Finally, I expect some feedback might contingently be sent to client process incidentally to need to give user feedback.
  Is this a fair sketch of how this should work? What is a beginner with limited time likely to accomplish attempting this?
  (Find context for this posting here: http://discussions.apple.com/thread.jspa?threadID=831517&tstart=0)
  PowerMac   Mac OS X (10.4.8)  

  First, if I understand you correctly, I'd be using
  Curl and, say, Perl rather than Applescript to get
  this done. In other words, what you wrote in
  Applescript is about all I'd need in that
  language--yes?
  That's correct, give or take any errors in the script. (For obvious reasons I didn't test it.)
  Then, please note that I want to chown, not chmod. Is
  this an issue?
  Nope. (Beyond what you pointed out below.)
  I am looking at Perl documentation and read that "on
  most systems, you are not allowed to change the
  ownership of the file unless you're the superuser..."
  (http://perldoc.perl.org/functions/chown.html).
  However, isn't apache running as root?
  I never thought about that. Wow, this is complicated! Are you really sure you can't make do with chmod instead?
  Anyway, the answer is yes and no. The main Apache process usually runs as root, but executes CGI scripts (and other requests) as another user to avoid inherent insecurity. So unless you do something terribly, terribly insecure, you will not be able to chown from Perl. (And, although I am often lax about security, enabling root access for CGIs strikes even me as dangerous, which means it's a very bad idea.)
  Really what you want is for the CGI, which does not run as root, to hand off to another process which does. I'm not a Unix guru, and would never claim to be, but I think the two following methods might work:
  1. Set up a cron job running as root which looks in a directory once every minute/hour/whatever. The file name should be the user to change the owner to, and it should contain a delimited (in some form; return is possibly safe) list of files. Have the cron job walk through the list of files and use chown, then clobber the contents of the file. (Note that a CGI can use "chmod", which can make sure that the files it creates in the directory are readable by the cron job.) (Also note that you'll want to use flock to avoid race conditions between the cron job and the CGI!) This method would not be instantaneous, since the cron job only runs periodically.
  2. Set up a script which runs as root which takes a line of text in the format:
  user:path/to/file
  and executes chown using that information. Make this process run at startup as root. Have it open a named pipe, with permissions such that CGI script can write to it, and watch for input from that pipe.
  Some general notes:
  A. Whatever you do, make sure that the binary/script/whatever running as root can't be written to by anyone who doesn't have root permissions.
  B. Make sure to check that the user and file actually exist before doing anything with them. (And make sure to do it in the root process, since you have no guarantee that someone won't figure out what's going on and come up with some clever injection scheme to make your root process break security.) (And don't do it by passing a command to the shell; use Perl's chown or some equivalent, so that you'll be somewhat less vulnerable.)
  C. For that matter, don't forget to check and make sure that the path you're about to chown is within the share point, and that the user you're going to chown to makes sense in context, so that nobody can (for example) take over someone else's user directory, or get write permission to /sbin, or something evil like that. (In fact, it might be for the best if you limited the chown operations to files only, just to be sure.)
  Also, I get the part about how a constraint involving
  "do shell script" method argues against using pure
  Applescript in this case. But just for my information
  is Applescript otherwise sufficiently capable?
  If it weren't such matter of getting everything on
  one line, could Applescript send commands between
  hosts, convert local paths to paths on servers, issue
  change ownership commands, and handle authentication?
  Do methods adequate to those purposes exist in
  Applescript?
  Or would using multiple scripting languages be
  entailed anyway? I'm guessing the latter.
  Yes and no. Helpful answer, right?
  First and foremost: AppleScript was originally created as a language to control programs, which would have an extensible grammar through the installation of files called "Scripting Additions". It has since been puffed up via AppleScript Studio to an application-building language in its own right, but the language itself does not have support for a lot of things which, nevertheless, the language can do by controlling another program or by extension.
  AppleScript can send messages between hosts. If the remote host is a Mac, and has "Remote Apple Events" turned on in the "Sharing" control panel, then you can send commands to programs on the remote machine almost exactly as though they were local. (The only differences are in how you specify the application and how you let AppleScript know what the remote application "understands".) This support is built into the language.
  If the remote host is not a Mac, you must control a program which can "translate". When it comes to terminal programs, for security reasons Apple did not include any interactive systems which could be controlled. (Although they did include "expect", I see, which would theoretically allow you to work around this...)
  Since converting a path is really just text processing, yes, AppleScript can do that. I didn't try to build that in because I am under the impression that you know some other language/shell scripting tool better than AppleScript, so it makes better sense for you to put as much of the work into the parts you know, in order to make debugging easier. One method of doing it in AppleScript:
  set x to [a POSIX path found somehow for a file on a connected server]
  if (the offset of "/Volumes/" in x) is 1 then
  -- "the offset of" uses 1-based offsets, not 0 as in most languages
  set x to text 10 through -1 of x
  -- This removes "/Volumes/" from the beginning of x
  set x to text ((the offset of "/" in x) + 1) through -1 of x
  -- That removes up through the next slash, which is the volume name
  set x to "/Path/To/The/Share/Point/On/The/Server/" & x
  else
  error "The path isn't in /Volumes/, so either the server is mounted in a nonstandard way or the path isn't on a remote host at all." number 9000
  end if
  (The other method of which I am aware is to change AppleScript's text item delimiter to "/", convert the path to a list, test whether the first item is "Volumes", then put together items 3 and up into a string again. I have always had a semi-irrational prejudice against using this method because Apple's documentation circa about 1996, from which I learned AppleScript, made it sound like this might be dangerous, but it works.)
  The Finder (which can be scripted) can apparently change ownership and permissions -- a fact which I did not know until just now; I must have missed it last time I looked for it -- and of course "do shell script" can be used to call "chmod" and "chown". The problem with both of these methods, vis-a-vis your particular difficulty, is that your files are not local. You could turn on Remote Apple Events and have the Finder do it, but that's really a security hole. And a potentially maddening one to figure out if anyone starts exploiting it.
  I'd stick with a CGI and the cron/named pipe scheme. No matter what you do you're going to have a little extra security risk, just because chown requires root permissions, but minimizing that risk is probably a good thing.

• Can I issue this command in PL/SQL: EXECUTE IMMEDIATE '@filename.sql';

  can I issue this command in PL/SQL: EXECUTE IMMEDIATE '@filename.sql';

  Hi,
  Rather the opening a new process (sqlplus), a new connection (need password) etc... I would rather read and execute the file in pl/sql.
  I do not know if someone wrote it already, but here is a quick and dirty code for doing that with UTL_FILE.GET_LINE
  Here, I am only processing some DML statements and no SELECT statements. Correct it as you like !
  CREATE OR REPLACE PROCEDURE run_script ( dir_name IN VARCHAR2,file_name IN VARCHAR2)
  IS
  vSFile UTL_FILE.FILE_TYPE;
  vCmd VARCHAR2(200);
  vNewLine VARCHAR2(200);
  BEGIN
      vSFile := UTL_FILE.FOPEN(dir_name, file_name,'r');
      vCmd := NULL;
      IF UTL_FILE.IS_OPEN(vSFile) THEN
      LOOP
          BEGIN
              UTL_FILE.GET_LINE(vSFile, vNewLine);
              if (vCmd is null) THEN
                  if (upper(vNewLine) like 'INSERT%' or upper(vNewLine) like 'UPDATE%' or upper(vNewLine) like 'DELETE%') THEN
                      if (vNewLine like '%;') THEN
                          /* we have a single line command, execute it now */
                          dbms_output.put_line(substr(vNewLine,1, length(vNewLine)-1));
                          execute immediate substr(vNewLine,1, length(vNewLine)-1);
                      else
                          /* we have a command over multiple line, set vCmd */
                          vCmd := vNewLine;
                      end if;
                  else
                      /* ignore the rest like spool, prompt, accept, errors, host, @, ... */
                      null;
                  end if;
              else
                  if (vNewLine like '%;') THEN
                      /* we have a the last line of the command, execute it now */
                      vCmd := vCmd || ' ' || substr(vNewLine,1, length(vNewLine)-1);
                      dbms_output.put_line(vCmd);
                      execute immediate vCmd;
                      vCmd := null;
                  else
                      /* keep concatenating to vCmd */
                      vCmd := vCmd ||' '|| vNewLine;
                  end if;
              end if;
          EXCEPTION
              WHEN NO_DATA_FOUND THEN
                  EXIT;
              END;
      END LOOP;
      COMMIT;
      END IF;
      UTL_FILE.FCLOSE(vSFile);
  EXCEPTION
      WHEN utl_file.invalid_path THEN
          RAISE_APPLICATION_ERROR (-20052, 'Invalid File Location');
      WHEN utl_file.read_error THEN
          RAISE_APPLICATION_ERROR (-20055, 'Read Error');
      WHEN others THEN
          RAISE_APPLICATION_ERROR (-20099, 'Unknown Error');
  END run_script;
  set serverout on
  create directory scriptdir as '/home/oracle';
  grant read,write on directory to scott;
  exec run_script('SCRIPTDIR', 'test.sql')

• [SOLVED] Long prompt delay after issuing a command

  I use VirtualBox to run archlinux.
  When I issue a command, like ls in a directory with many files, the long outcome on the screen ends relatively fast (2-5 sec) but the command prompt is only available after 20-30 sec. In the meantime, processor is still in heavily use (95-100%). As soon as the prompt becomes again available the processor use drops to normal level.
  Does it have to do with virtualbox or ...?
  Thanks
  Last edited by barcher (2010-12-16 20:33:49)

  I run Arch Linux in Virtualbox and yes its does take up quite a bit of system resouces
  Depends on your system specs, amount of ram given over to VM etc...
  But to answer your question yes it does have a lot to do with Virtualbox.
  Arch would of course run very very fast in a real sytem enviroment
  Welcome to Arch :-)

• 'Get Response' APDU command in a script for apdutool

  Dear all,
  I'm facing some problems with apdutool (javacard 2.2.2 distribution) in executing the 'Get Response' command.
  In fact its syntax differs from the one specified for other APDU commands accepted by apdutool, as Lc is replaced by the expected response lenght, i.e. by Le.
  I tried inserting a fake P3 (Lc), but I always get ParseException errors.
  All previous commands in the script are properly executed, including the one for which the subsequent 'Get Response' is tried. In particular, the SW2 byte returned by the latter command contains the right expected length.
  I'm working with T0 algorithm and non-extended mode is specified in the APDU script.
  Thank you very much to anyone who could help.
  Best regards
  Marco

  Hi,
  You could ensure that both of the text fields are not empty on your 'dashboard' before executing the FS00 tcode. This would negate the popup from ever appearing.
  To do this you can use the "IF <text field control ID> Is Empty" statement in your script and then output a custom error message to another text box if the condition is true. then use an "IF <text field control ID> Is NOT Empty" statement to copy the value/s execute the FS00 tcode if the condition is true.
  Now if you're going to check multiple fields for entries before executing the FS00 you'll have to get a little more creative and do something like I did in one my scripts (thanks again to Steve Rumsby for the tips) and create a 'check field' where you can enter values for items checked successfully and then use a little bit of javascript to count up the checks and check the result before executing the next part of the script.
  Another idea is to check for the existence of the popup and navigate past it in your script, to do this you can use the "IF <control ID> control exists" statement.
  Either one should work.

• What is the data associated with the APDU commands

  hi,
  Please guide me on what data should be associated with the command APDU.
  for eg. we send 00 a4 04 00 for the select command followed by the AID.
  Similarly what should be sent as a data (eg. AID in case of SELECT) with following APDU commands::::
  LOAD,, InItUPDATE,, External Authentication,, Install
  regards,,
  PhadkeA

  I have the book Javacard technology for smartcards by Zhiqun Chen so
  I" ll try to help you. About the install command it's syntax is:
  install(byte[] bArray,short bOffset,byte bLength)
  The bArray contains the installation parameters, but from what I read in
  the book they are optional. From the example of the book it seems
  that generally they are some initialization values for the variables of
  the applet.
  I didn't find any info about the other commands that you mention.Sorry!

• Issuing SQL command through  Forms

  Hi
  How we can issue SQL command e.g. CREATE USER, through Forms.
  Regards!

  Issues dynamic SQL statements at runtime, including server-side PL/SQL and DDL.
  Note All DDL operations issues an implicit Commit
  Syntax
  Function FORMS_DDL(statement VARCHAR2);
  If you use FORMS_DDL to executed a valid PL/SQL Block:
  If you user FORM_DDL to executed a single DML or DDL stmt :
  Omit the trailing semicolon to avoid an invalid character error
  Thanks

• Status 69c2 on Verify APDU command

  Hi,
  I have successfully complete the APDU command new CommandAPDU(0x00, 0x20, 0x00, 0x01, new byte[]{ 0x31, 0x32, 0x33, 0x34, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF } ) for verify with the correct pin code (1234). I get status 0x9000.
  But when i try with wrong pin code i get status response 0x69C2. Why I get this status instead of 0x63Cx, as ISO7816-4 states? If i get 0x63Cx i can use the last value to calculate how many tries remaining!
  Beside this, not so much information exist for status response 0x69C2. It means "swAccessDenied 69C2 -The required access conditions were not satisfied".
  What an i doing wrong? What to do to get status 0x63Cx if the pin is wrong?
  Thank you
  Edited by: Valentino on Aug 22, 2012 5:02 AM

  Hi,
  Valentino wrote:
  Is this behavior normal?The status word bytes SW1-SW2 are defined by specification for your card application. What application are you using?
  May be a developer of your card application mistook with the status word SW1 0x69 instead of 0x63 for VERIFY command as a status for wrong PIN-code? ;)
  The value x in the status word SW2 0xCx defines the amount of the attempts remained.
  So it would be normal for each next wrong PIN-code entered to get the status words: 69C2 -> 69C1 -> 69C0 -> 6983

• Apdu command length

  Hi
  I want to get the length of the entire command in my applet.
  I want to know "5" for the following example.
  /send 8084000000
  Is there such API?

  a command parser in process method can be something like that:
  byte MY_CLA = (byte)0x80;
  byte MY_INS = (byte)0x84;
  // get the APDU buffer bytes (get header first)
  byte[] apduBuffer = apdu.getBuffer();
  // Checking CLA values
  switch(apduBuffer[ISO7816.OFFSET_CLA]){
    case MY_CLA:
      // For a given CLA value, checking INS values
      switch(apduBuffer[ISO7816.OFFSET_INS]){
        case MY_INS:
          // For a given INS value, checking P1, P2, P3 for example:
          if((apduBuffer[ISO7816.OFFSET_P1] != (byte)0x00) || (apduBuffer[ISO7816.OFFSET_P2] != (byte)0x00))
             ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);
          if(apduBuffer[ISO7816.OFFSET_LC] != (byte)0x08)
             ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
          // After the command format checking, i can continue the processing that my command is supposed to do
        break;
        default:
          // Throw iso exception: bad instruction byte value
          ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        break;
    break;
    default:
      // Throw iso exception: bad class byte value
      ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
    break;
  }This example is for a case 3 apdu command.
  If your command is a case 2, you will need to get Le by invoking setOutgoing() method and checking the expected value of Le.
  Thomas
  http://jaccal.sourceforge.net/

• APDU command chaining

  Hello, I am sending some byte array by portions of 255 bytes to my on-card Applet using a sequence of APDU command-response operations. I just wanted to know, in case there is any possibility to make on-side chaining: send some sequence of APDU commands and receive only one response from the applet after the last portion of data received.
  Best regards,
  Eve

  According to ISO 7816-4 the chaining possibilities are
  - Extended APDU --> up to 65k data field
  - Command chaining --> ICCD responds after each APDU
  Your requirement would fit only to extended APDU. Java Card adopts only a certain class of the APDU structure from ISO 7816-4, which does not allow extended APDU: JC 2.2.1 API, javacard.framework.APDU (p. 44) ..
  This class does not support extended length fields.
  ..This is one of the reasons it won't work with a card compliant to Java Card. The other reason are the fixed constants for the ISO7816 interface (e.g. javacard.framework.ISO7816.OFFSET_CDATA, which is 5 --> extended length field not possible).

• When I issue the 'Force group Settings' command what effect will this have on existing flows? Do I need to disable WCCP prior to issuing this command on the affected WAE's?

  Hi WAAS Experts,
  I have a query, when I issue the 'Force group Settings' command what effect will this have on existing flows? Do I need to disable WCCP prior to issuing this command on the affected WAE's?
  Thanks,
  Shankar K

  Hi Shankar,
  A change of classifier/policy on the WAE is not affecting the existing flows so you shouldn't need to disable WCCP if you want to force group settings there.
  Regards,
  Nicolas

• "GemSafeXpresso Card returns "6D 00" for most of APDU commands"

  Hi everyone,
  I am confused with GemSafeXpresso smart card, GemSafeXpresso card can be authenticate with CardManager but I can not delete the instance of applet with GlobalPlatform Delete APDU command,it returns "6D 00"
  In following you can find what was happend on my card:
  At first,I installed GemSafe V2.04 applet that is placed on Rom of the card,I mean I created an instance of GemSafe applet with "A0 00 00 00 18 0A 00 00 01 63 42 00" ID successfully, after that I selectd GemSafe applet and Root and then I created some EFs under root ,but now I can not delete the instance of applet that I have created,The card returns "6D 00" ,I can authenticate with CardManager but I can not delete , create or install ,...
  I should say ,at first I installed and deleted the instance some times but I can not do now ,I would like to know what is the reason of this problem.
  I appreciate for any help,
  Yours sincerely,
  Orchid

  Dear lexdabear,
  Thanks a lot for your reply,
  Gemalto has written GemSafe applet and has loaded on Rom of GemSafeXpresso card but I can just install it and make an instance of it on the card ,So I don not have source of applet.
  In following you can find the APDU command for install ,delete ,...
  Authenticate
  key file: C:\GemXpressoJCardManager\keyfiles\jc2.2.1 - gp2.1.1\default.keys
  key set 0 (Card Defined)
  Select the CardManager
  -> 00 A4 04 00 08 A0 00 00 00 18 43 4D 00
  <- 61 1B [Normal ending of the command with <27> bytes of extra information.]
  Initialize Update
  80 50 00 01 08 00 01 02 03 04 05 06 07 (00)
  4D 00 72 38 02 04 7D 89 0C 77 FF 01 D2 89 12 21 AA 07 FE 36 07 F0 51 9F 2D D1 88 10, 90 00 [Normal ending of the command.]
  Card info KeySet=-1
  (SCP 01,implementation i05)
  External Authenticate
  84 82 00 00 10 01 93 6B 90 77 1F 72 F7 A4 6F 6D 63 B5 D3 0D AF
  90 00 [Normal ending of the command.]
  *1)Install for Install*
  80 E6 04 00 44 10 A0 00 00 00 18 30 08 01 00 00 00 00 00 00 00 FF 10 A0 00 00 00 18 30 08 01 00 00 00 00 00 00 00 00 0C A0 00 00 00 18 0A 00 00 01 63 42 00 01 00 11 C9 0F DF 0A 06 02 0F 00 01 0C 01 DF 0B 03 06 E1 E1 00 (00)
  00, 90 00 [Normal ending of the command.]
  2) Install for Make Selectable
  80 E6 08 00 13 00 00 0C A0 00 00 00 18 0A 00 00 01 63 42 00 01 00 00 00 (00)
  00, 90 00 [Normal ending of the command.]
  3)*Select Applet*
  00 A4 04 00 0C A0 00 00 00 18 0A 00 00 01 63 42 00 (10)
  90 00 [Normal ending of the command.]
  4) Select Root
  00 A4 00 00 02 3F 00 (30)
  6F 17 83 02 3F 00 8C 03 06 E1 E1 84 0C A0 00 00 00 18 0C 00 00 01 63 42 00, 90 00 [Normal ending of the command.]
  5)*Create EF SN-0001*
  00 E0 00 00 15 62 13 81 02 00 08 82 01 01 83 02 00 01 8A 01 01 8C 03 03 FF 00
  90 00 [Normal ending of the command.]
  6) Authenticate
  key file: C:\GemXpressoJCardManager\keyfiles\jc2.2.1 - gp2.1.1\default.keys
  Select the CardManager
  -> 00 A4 04 00 08 A0 00 00 00 18 43 4D 00
  <- 61 1B [Normal ending of the command with <27> bytes of extra information.]
  key set 0 (Card Defined)
  Initialize Update
  -> 80 50 00 01 08 00 01 02 03 04 05 06 07 (00)
  <- 4D 00 72 38 02 04 7C 89 0C 77 FF 01 6A E1 C6 FD AB 43 12 E1 18 CC 97 8C 3A B2 25 29, 90 00 [Normal ending of the command.]
  Card info KeySet=-1
  (SCP 01,implementation i05)
  External Authenticate
  -> 84 82 00 00 10 6B AD 05 2C 70 42 67 01 C5 53 31 90 1B 50 15 10
  <- 90 00 [Normal ending of the command.]
  7)*Delete instance of applet*
  -> 80 E4 00 00 0E 4F 0C A0 00 00 00 18 0A 00 00 01 63 42 00 (00)
  [ERROR  ] <- 6D 00
  [ERROR  ] <- Invalid instruction.
  Thanks in advance for your help.
  yours sincerely,
  Orchid
  Edited by: NewOrchid on May 8, 2008 7:40 AM