I have a smart card (the Carte Vitale that is used in France), and I need to know where the date of birth is stored. But I don't seem to find any information about the file structure.
For the Belgian eID card I did the same, and I can easily read the date of birth with APDU commands. But the Belgian government provided decent info about the file structure on the card.
Is there a way to 'browse' through the file structure of a smart card with APDU to see what's on it at what address, without knowing anything about it?
EDIT:
I found some more information about reading information from the Carte Vitale: here and here.
A piece from the first link, section "API or not API? That is the question...". Translated by Google...not perfect but you get the idea:
*It is well known that BC C0 00 00 08 to determine the last address of the memory card, the first being invariably 0200h command. Typically (ADMAX = 2188h), and we find, from 2128h to 2180h, a "production area" containing pointers to all areas of interest (in our case, the space free reading would extend from 0288h to 2180h). That being said, a BC 02 88 04 B0 command will return the contents of the first 32-bit word, and BC B0 21 80 04 than the last. Between the two, so many things to discover! Just before the manufacturing area, a few words are reminiscent of the "component mapping" mentioned on page 20 of the specification V1.40 loads. Imagine and a BC B0 20 18 F8 command returns the following data:
3F FF 88 C3
3F 20 C3 50
20 80 02 F0
00 3F C2 B8
2D 3F C2 A0
2C FF 98 C2
Among the "pointers" (?) At C388h C298h, 02F0h attracts attention. So let's BC B0 02 14 F0, and deliver us to the simple decoding of the first two words read:
3F FF F5 40 0011 1111 1111 1111 1111 0101 0100 0000
24 08 43 FF 0010 0100 0000 1000 0100 0011 1111 1111
3F FF FF FF
3F FF FF FF
3F FF FF F8
Ignoring the first two bits of each word, and then forming groups of four bits, one can easily extract the BCD numbers 54 09 02 and specifically, the date of birth of the sole beneficiary is 09.02.1954!*
My ADMAX is different: it's 21 20.
Would that mean that I could write a program that executes a BC B0 02 00 08 to read the first 8 bytes, then add 8 bytes to address 02 00 and then read that again, and so on, all the way up to ADMAX 21 20? Would I then have read all readable data on the card? Or am I seeing things too simply?
Thanks again!