Search code examples
androidnfcglobalplatformsecure-element

When is the secure element initialized?


I am new to SE and Global Platform. As far as I know from the spec, when you want to manage applications on it, you need to authenticate first.

Since the authentication requires authentication keys, when do these keys get initialized? Are they initialized before the phone is on sale? Or is it during the firmware flashing?

I'm confused about this, because I upgraded the firmware of a Samsung Note 2 and I lost the applet in the SE, but it didn't happen when I upgraded a Meizu MX4 phone.


Solution

  • The keys for access to the issuer security domain (the main management instance on a secure element) are typically initialized before the secure element leaves the factory (secure facility) of the chip manufacturer.

    When the chip modules arrive at the handset manufacturer for later integration in a device they are already equipped with these initial keys. The key sets used for these chips are transmitted to the later secure element owner (e.g. handset manufacturer, device vendor, or separate SE management entity) through a separate channel independently of the chips.

    Why you lost access to existing SE applications on your device might have several reasons and without further information one could only guess what might have happened there. However, it's certainly not related to the keysets for GP card management. A few guesses:

    • If you did not use the OEM provided stock ROM upgrades (though the regular OTA update mechanism), you might have triggered some flags on the device (e.g. disabled Knox) that now prevent access to the SE.
    • You might have performed a factory reset wiping all data related to the wallet application that interacted with the SE.