Pin verify command returns 90 00

Question

I want to verify PIN1 on smart card and read retry counter. According to ISO 7816-4 page 54 (1), retry counter is stored in 2 LSB of SW2(SW1 should be 63) after verify command, but I have SW1 SW2 = 90 00 in case of correct password:

>> Reset
<<  3b 19 94 80 67 94 08 01 03 02 01 03
>>  ff 00 ff
<<  ff 00 ff
>>  a0 a4 00 00 02
<<  a4
>>  3f 00
<<  9f 16
>>  a0 f2 00 00 16
<<  f2 00 00 63 f4 3f 00 01 00 00 00 00 00 09 33 03 0a 08 00 83 8a 83 8a 90 00
0: pin enabled...
>>  a0 20 00 01 08
<<  20
>>  31 31 31 31 ff ff ff ff
<<  90 00

And 98 04 in case of incorrect PIN1:

>>  a0 20 00 01 08
<<  20
>>  31 31 31 32 ff ff ff ff
<<  98 04

What I missed?

(1) http://www.embedx.com/pdfs/ISO_STD_7816/info_isoiec7816-4%7Bed2.0%7Den.pdf

Answer 1

Your smart card seems to be a GSM SIM Card. The class byte clearly has the MSB set, so it does not follow the ISO 7816. In this case, you should refer to 3GPP TS 11.11 (can be downloaded from this link).

The Verify CHV command is described in section 9.2.9, section 8.9, and section 11.3.1.

Some of the possible returned status words for this command are:

1. '9000': successful CHV verification
2. '9804': unsuccessful CHV verification, at least one attempt left.
3. '9840': CHV blocked
4. '9808': in contradiction with CHV status (i.e. verifying PIN which is currently disabled)
5. '91XX' : also successful CHV verification, but there is proactive command pending.

The number of remaining tries can be found in response of successful SELECT of directory (MF or DF), or by sending STATUS command (INS 'F2'). Low nibble of byte 19 contains remaining tries for CHV1/PIN1, byte 20 for PUK1, byte 21 for PIN2, and byte 22 for PUK2. For more details, refer to section 9.2.1.

---

Additional notes:

1. If the card is a USIM, the VERIFY command follows the ISO 7816. You can use CLA '00' and find 63CX status word in this card.
2. PIN1 enabled or disabled can be checked from SELECT directory byte 14. b8=0: CHV1 enabled; b8=1: CHV1 disabled.

Answer 2

While I don't understand your dump format completely, note the following:

• The 63 Cx is returned only, if VERIFY is sent without data and the access right is not already granted.

• Each card operating system is free to implement this retry counter response.

A correct verification (i. e. VERIFY with verification data) obviously must return 90 00 to indicate, that the verification was successful. 98 04 is a GSM-specific ("proprietary") return code, you will not find explained in ISO 7816.