Reputation: 6126
I have a Java Card that works fine:
GlobalPlatfomPro:: gp -list
AID: A000000003000000 (|........|)
ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected, CVM (PIN) management
I wrote a simple program to return the APDU buffer on reception of each command:
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISOException;
import javacard.framework.Util;

public class BArrayReturner extends Applet {
    // 64 bytes (0x40), pre-filled with 0xFF so unused slots stay visible in the response
    public static byte[] theArray = {
        (byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,
        (byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff
    };
    public static short arrayLength = 0;
    private BArrayReturner() {
    }
    public static void install(byte bArray[], short bOffset, byte bLength) throws ISOException {
        new BArrayReturner().register();
        // Keep a copy of the install parameter buffer; clamp the length so a long buffer cannot overrun theArray
        arrayLength = (short) bArray.length;
        if (arrayLength > (short) theArray.length) {
            arrayLength = (short) theArray.length;
        }
        Util.arrayCopyNonAtomic(bArray, (short) 0, theArray, (short) 0, arrayLength);
    }
    public void process(APDU apdu) throws ISOException {
        // Copy the saved bytes to the start of the APDU buffer and return 255 bytes of it (assumes a buffer of at least 255 bytes)
        byte[] buffer = apdu.getBuffer();
        Util.arrayCopyNonAtomic(theArray, (short) 0, buffer, (short) 0, (short) 0x40);
        apdu.setOutgoingAndSend((short) 0, (short) 255);
    }
}
After converting the above program to a .cap file, I opened the CAP file with WinRAR and changed one byte of the .CAP file as below (I put 0x78 in place of 0x07 in the ninth byte of class.cap).
Now I tried to install this new CAP file. Not only did the installation fail, but I also can't list the contents of my card anymore:
GlobalPlatfomPro:: gp -list -v -d
# Detected readers
[*] ACS CCID USB Reader 0
SCardConnect("ACS CCID USB Reader 0", T=*) -> T=0
SCardBeginTransaction("ACS CCID USB Reader 0")
Reader: ACS CCID USB Reader 0
ATR: 3B68XxXxXxXxXxXx009000
More information about your card:
http://smartcard-atr.appspot.com/parse?ATR=3B68XxXxXxXxXxXx009000
A>> T=0 (4+0000) 00A40400 00
A<< (0000+2) (20ms) 6F00
SCardEndTransaction()
SCardDisconnect("ACS CCID USB Reader 0", false)
Exception in thread "main" java.lang.IllegalStateException: No selected ISD!
at openkms.gp.GlobalPlatform.openSecureChannel(GlobalPlatform.java:327)
at openkms.gp.GPTool.main(GPTool.java:280)
My Question:
What happened on my smart card with this newly generated CAP file? Does anyone have any idea about the byte codes and the meaning of this byte in the original and the manipulated file? Is this a good, logical response to installing manipulated files?
Note1:
I tried to install this new CAP file on my JCOP card too. The installation failed again, but instead of the above error, the card was mute for about 15 minutes. (It must stay in the card reader for about 15 minutes to become active again!)
Note2:
I tried to change the 10th byte of this file instead of the 9th byte, so I replaced 0x01 with 0x45. After that, I installed the new CAP file successfully! Shouldn't the card also detect this manipulation during byte-code verification and prevent the installation?
Upvotes: 3
Views: 541
Reputation: 2647
You successfully triggered defense mechanisms on the card! Depending on what your changes are, the byte code verifier either fails and mutes the card or it will pass the test. The CAP file is just a container. If you want deeper analysis, you have to read more about the actual Java Card byte code.
Upvotes: 3
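To make the answer's point concrete (added example, not code from the question or the answer): a CAP file is a ZIP container whose components each begin with a one-byte tag and a two-byte size, and a check that only validates that container layer accepts the edited class component as readily as the original, which is why the byte flip described in the question is left for the on-card byte code verifier to catch. The package path and the component bytes below are constructed fixtures, not taken from the asker's CAP.

```python
import io
import zipfile
# Constructed fixture: a fake Class component (tag 6) with a 12-byte body. The 9th and 10th
# bytes (offsets 8 and 9) hold 0x07 and 0x01, mirroring the two bytes edited in the question.
PKG = "barray/javacard/Class.cap"  # constructed; real CAPs use <package>/javacard/<Component>.cap
ORIGINAL_CLASS = bytes([0x06, 0x00, 0x0C,
                        0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00])

def parse_component(data):
    """Read the 'u1 tag; u2 size' header every CAP component starts with and check the
    declared size against the body; ValueError means the container itself is inconsistent."""
    if len(data) < 3:
        raise ValueError("component shorter than its 3-byte header")
    tag, size = data[0], (data[1] << 8) | data[2]
    if size != len(data) - 3:
        raise ValueError("declared size %d, actual body %d" % (size, len(data) - 3))
    return tag, size

def container_ok(data):
    """True when the component header is consistent: all a ZIP-level check can see."""
    try:
        parse_component(data)
        return True
    except ValueError:
        return False

def build_cap(components):
    """Pack {path: bytes} into a ZIP; at the container level that is all a .cap file is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, body in components.items():
            z.writestr(path, body)
    return buf.getvalue()

def diff_cap(original, modified):
    """List (entry, offset, old, new) for every byte that differs between two CAP archives."""
    diffs = []
    with zipfile.ZipFile(io.BytesIO(original)) as zo, zipfile.ZipFile(io.BytesIO(modified)) as zm:
        for name in zo.namelist():
            for off, (x, y) in enumerate(zip(zo.read(name), zm.read(name))):
                if x != y:
                    diffs.append((name, off, x, y))
    return diffs

def tampered_class(offset, value):
    """Copy of the fixture with one byte changed, reproducing the edit made in the question."""
    body = bytearray(ORIGINAL_CLASS)
    body[offset] = value
    return bytes(body)
```

Both the 9th-byte (0x07 to 0x78) and 10th-byte (0x01 to 0x45) edits leave `container_ok` true, while `diff_cap` pinpoints the changed offset; whether the new value is legal byte code is a question only the verifier answers.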