I want to verify PIN1 on smart card and read retry counter. According to ISO 7816-4 page 54 (1), retry counter is stored in 2 LSB of SW2(SW1 should be 63) after verify command, but I have SW1 SW2 = 90 00 in case of correct password:
>> Reset
<< 3b 19 94 80 67 94 08 01 03 02 01 03
>> ff 00 ff
<< ff 00 ff
>> a0 a4 00 00 02
<< a4
>> 3f 00
<< 9f 16
>> a0 f2 00 00 16
<< f2 00 00 63 f4 3f 00 01 00 00 00 00 00 09 33 03 0a 08 00 83 8a 83 8a 90 00
0: pin enabled...
>> a0 20 00 01 08
<< 20
>> 31 31 31 31 ff ff ff ff
<< 90 00
And 98 04 in case of incorrect PIN1:
>> a0 20 00 01 08
<< 20
>> 31 31 31 32 ff ff ff ff
<< 98 04
What I missed?
(1) http://www.embedx.com/pdfs/ISO_STD_7816/info_isoiec7816-4%7Bed2.0%7Den.pdf
Your smart card seems to be a GSM SIM Card. The class byte clearly has the MSB set, so it does not follow the ISO 7816. In this case, you should refer to 3GPP TS 11.11 (can be downloaded from this link).
The Verify CHV command is described in section 9.2.9, section 8.9, and section 11.3.1.
Some of the possible returned status words for this command are:
'9000': successful CHV verification'9804': unsuccessful CHV verification, at least one attempt left.'9840': CHV blocked'9808': in contradiction with CHV status (i.e. verifying PIN which is currently disabled)'91XX' : also successful CHV verification, but there is proactive command pending.The number of remaining tries can be found in response of successful SELECT of directory (MF or DF), or by sending STATUS command (INS 'F2'). Low nibble of byte 19 contains remaining tries for CHV1/PIN1, byte 20 for PUK1, byte 21 for PIN2, and byte 22 for PUK2. For more details, refer to section 9.2.1.
Additional notes:
'00' and find 63CX status word in this card.