Tcosconfig
A command line utility is available in the Helper Applications directory called tcosconfig.exe. This will allow you to scan TCOS smart cards via the PC/SC interface for the purpose of customizing the TCOS configuration in the PBA.
- Local Administrator privileges are required to start and use this utility.
- The following prerequisites must be met to successfully use tcosconfig:
  - The PBA must have undergone successful initialization.
  - Tcosconfig must be copied to the Windows\NAC\SBS directory.
Follow these steps to start tcosconfig:
- Copy the tcosconfig.exe application from the Matrix42 Full Disk Encryption delivery package to the Windows\NAC\SBS directory on a client that has undergone successful PBA initialization.
- If you start tcosconfig from another directory, then the following error will be displayed if you try to perform any of the administration tasks:
- Open a command prompt (with administrator privileges) and navigate to the Windows\NAC\SBS directory.
- Enter tcosconfig [Return] to start the utility and display the usage as follows:
The tcosconfig utility has the following usages:
Command line parameter | Details
---|---
export | Use this parameter to copy the existing tcos_p11.ini file from the PBA (Linux) to the Windows\NAC\SBS directory. Example: tcosconfig export
import | Use this parameter to copy a new custom tcos_p11.ini file from the Windows\NAC\SBS directory to the PBA (Linux). Example: tcosconfig import
scan | Generate a dump of a TCOS card inserted into the smart card reader. This is necessary if you want to check the smart card profile against what is already supported in the tcos_p11.ini file and edit the tcos_p11.ini file accordingly to support the smart card profile. Example: tcosconfig scan
Exporting the tcos_p11.ini file from the PBA
- Enter tcosconfig export [Return] to export the tcos_p11.ini file and tcos_p11_default.ini file to the Windows\NAC\SBS directory.
- Once completed the command prompt can be closed.
Importing the tcos_p11.ini file into the PBA
- Enter tcosconfig import [Return] to import the tcos_p11.ini file and tcos_p11_default.ini file from the Windows\NAC\SBS directory into the PBA.
- Once completed the command prompt can be closed.
Scanning a TCOS smart card
- Enter tcosconfig scan [Return] (without a smart card in the reader) to display the following sub-parameters:
The sub parameters have the following meaning:
Command line parameter | Details
---|---
d | Dump to screen
f | Dump information to the Windows\NAC\SBS directory as *.der files. This will also strip the TeleSec ASN.1 prefix.
r | Dump raw files; do not strip the TeleSec ASN.1 prefix
a | Dump all files (default: certificates only)
z | Dump empty files (default: check for starting zero byte)
The application named in the usage text, scantcos.exe, is the component built into tcosconfig that reads TCOS cards. It CANNOT be addressed directly from the command line; it is only invoked indirectly through tcosconfig.
Use one of the options detailed above to obtain the information you need from the smart card profile you want the PBA to support. If you enter tcosconfig scan [Return] with a TCOS smart card in the reader, then the smart card details will be automatically displayed on the screen. For example:
```text
C:\Windows\NAC\SBS>tcosconfig scan
Broadcom Corp Contacted SmartCard 0
ATR is 3bbf96008131fe5d00640411030131c073f701d00090007d
/
/DF01/ name=D27600006601 name=A000000167455349474E
/DF01/D000 s=0008 ft=Trans
/DF01/5049 s=00C0 ft=LinVar t=DATA
PIN 81 status: NULL-PIN
PIN 83 status: FBZ: 0
PIN 82 status: NULL-PIN
/DF01/5044 s=0042 ft=LinFix t=PIN
/DF01/5045 s=0016 ft=LinFix t=PIN
/DF01/5349 s=0069 ft=LinVar t=DATA
A0(76)=[FID=84 94(25)=[alg=RSA-CRT len=128 record=01 ... ] ]
B6(25)=[7A(12)=[SigCntStart=1] ]
/DF01/5344 s=0288 ft=LinVar t=Key
/DF01/4531 s=0278 ft=LinVar
/DF01/B000 s=0200 ft=Trans
/DF01/C000 s=1000 ft=Trans
/DF01/C008 s=0C00 ft=Trans
/DF01/C00E s=0C00 ft=Trans
/DF02/ name=D2760000030102
/DF02/5349 s=0250 ft=LinVar t=DATA
A0(81)=[FID=80 94(38)=[alg=RSA-CRT len=128 fid=5344 record=01 ... ] ]
B6(8)=[]
A0(89)=[FID=81 94(38)=[alg=RSA-CRT len=128 fid=5344 record=07 ... ] ]
A0(89)=[FID=82 94(38)=[alg=RSA-CRT len=128 fid=5344 record=0D ... ] ]
A0(83)=[FID=83 94(32)=[alg=RSA-CRT len=96 fid=5344 record=13 ... ] ]
A0(15)=[FID=84 94(7)=[alg=DES3 len=96 fid=4480 record=01 ... ] ]
A0(32)=[FID=85 94(4)=[alg=DES3 len=0 ... ] ]
A0(32)=[FID=86 94(4)=[alg=DES3 len=0 ... ] ]
/DF02/5344 s=0A20 ft=LinVar t=Key
/DF02/4480 s=0030 ft=LinVar t=Key
/DF02/5049 s=00F0 ft=LinVar t=DATA
PIN 81 status: FBZ: 3
PIN 83 status: FBZ: 3
PIN 82 status: NULL-PIN
/DF02/5044 s=0058 ft=LinFix t=PIN
/DF02/5453 s=0800 ft=Trans
/DF02/C000 s=0800 ft=Trans
/DF02/C200 s=0800 ft=Trans
/DF02/C500 s=0800 ft=Trans
/DF02/C201 s=0800 ft=Trans
/DF02/4531 s=0208 ft=LinVar
/DF02/45B1 s=0108 ft=LinVar
/DF02/4571 s=0108 ft=LinVar
/DF02/45B2 s=0088 ft=LinVar
/DF02/B000 s=0288 ft=Trans
/DF02/5345 s=0066 ft=LinVar t=DATA
/DF02/544F s=0048 ft=LinVar t=DATA
/DF02/43B1 s=06C5 ft=Trans
/DF02/4331 s=06A1 ft=Trans
/DF03/ name=D2760000030302
/DF03/5349 s=0100 ft=LinVar t=DATA
A0(15)=[FID=81 94(7)=[alg=DES len=96 fid=5344 record=01... ] ]
A0(15)=[FID=82 94(7)=[alg=DES3 len=96 fid=5344 record=02 ... ] ]
/DF03/5344 s=0020 ft=LinVar t=Key
/DF03/5049 s=00F0 ft=LinVar t=DATA
PIN 81 status: FBZ: 3
PIN 83 status: NULL-PIN
/DF03/5044 s=0042 ft=LinFix t=PIN
/DF03/474F s=0008 ft=Trans
/DF03/5345 s=004A ft=LinVar t=DATA
/DF04/ name=D2760000030202
/DF04/5349 s=0080 ft=LinVar t=DATA
A0(15)=[FID=81 94(7)=[alg=DES len=96 fid=5344 record=01 ... ] ]
/DF04/5344 s=0008 ft=LinVar t=Key
/DF04/5049 s=0070 ft=LinVar t=DATA
/DF04/5044 s=002C ft=LinFix t=PIN
/DF04/474C s=0010 ft=Trans
/DF04/5345 s=0020 ft=LinVar t=DATA
/DF05/ name=4F564944
/DF05/5349 s=0080 ft=LinVar t=DATA
A0(42)=[FID=80 94(7)=[alg=DES3 len=96 fid=5344 record=01 ... ] ]
/DF05/5344 s=0018 ft=LinVar t=Key
/DF05/5049 s=0070 ft=LinVar t=DATA
PIN 80 status: FBZ: 3
/DF05/5044 s=0016 ft=LinFix t=PIN
/DF05/6E64 s=001E ft=Trans
/DF05/6570 s=0008 ft=Trans
/DF05/5345 s=0020 ft=LinVar t=DATA
/4101/ name=D2760001050002
/4101/5345 s=00F0 ft=LinVar t=DATA
/4101/5183 s=0250 ft=LinVar t=DATA
/4101/5283 s=0610 ft=LinVar t=Key
/4101/4E03 s=0210 ft=LinVar
/4101/4352 s=06A0 ft=Trans
/DF06/ name=4D534350
/DF06/5345 s=0080 ft=LinVar t=DATA
/DF06/80FE s=0020 ft=Trans
/DF06/8003 s=0015 ft=Trans
/DF06/8001 s=002F ft=Trans
/DF06/8002 s=000D ft=Trans
/DF06/8080 s=0005 ft=Trans
/DF06/80FF s=01E2 ft=Trans
/DF06/0002 s=050F ft=Trans
/DF06/1100 s=000E ft=Trans
/DF06/1201 s=000E ft=Trans
/DF06/1202 s=000E ft=Trans
/DF06/1103 s=000E ft=Trans
/DF06/1104 s=000E ft=Trans
/DF06/1105 s=000E ft=Trans
/DF06/80FD s=0066 ft=Trans
/2F02 s=000C ft=Trans t=DATA
/2F00 s=0320 ft=LinVar-STLV
/5049 s=00CD ft=LinVar t=DATA
PIN 00 status: FBZ: 3
PIN 01 status: FBZ: 3
PIN 02 status: FBZ: 3
/5044 s=0058 ft=LinFix t=PIN
/5349 s=0255 ft=LinVar t=DATA
A0(30)=[FID=74 94(7)=[alg=DES3 len=96 fid=4400 record=01 ... ] 90(1)=05 ]
A0(28)=[FID=01 94(20)=[alg=RSA-CRT len=32 record=01 ... ] ]
A0(67)=[FID=73 name=3030 00 00 00 00 00 00 00 00 00 00 00 00 0000 00 94(13)=[alg=RSA-Pub len=128 fid=4500 record=03 ... ] ]
B6(7)=[]
A0(45)=[FID=77 94(13)=[alg=RSA-Pub len=128 fid=4500 record=05 ... ] ]
A0(41)=[FID=72 name= 94(4)=[alg=RSA-Pub len=0 ... ] ]
B6(11)=[]
A0(45)=[FID=71 name=4445545343110106 94(13)=[alg=RSA-Pub len=128 fid=4500 record=01 ... ] ]
B6(11)=[]
A0(25)=[FID=75 94(3)=[alg=DES3 len=138 fid=0105 ... ] ]
A0(25)=[FID=76 94(3)=[alg=DES3 len=138 fid=0105 ... ] ]
A0(27)=[FID=07 94(7)=[alg=DES3 len=96 fid=5007 record=01 ... ] ]
/5344 s=0144 ft=LinVar t=Key
/4400
/4500 s=018C ft=LinVar t=Key
/4349 s=009A ft=LinVar t=DATA
/2F03 s=00D1 ft=Trans
/4570 s=0088 ft=LinVar
/2F04 s=00D2 ft=Trans
/4401 s=0018 ft=LinVar
/2F01 s=0024 ft=LinVar t=DATA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scanner for TCOS Smartcards using PC/SC interface.
Version 06.04.2017.
Copyright (c) 2004-2017 by Matrix42.
Syntax: scantcos.exe [dfrt]
d: dump to screen
f: dump to files in current folder
r: raw, do not strip TeleSec ASN.1 prefix
a: dump all files (default: certificates only)
z: dump empty files (default: check for starting zero byte)
```
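The dump above is free text, so comparing a card profile against tcos_p11.ini by eye is error-prone. The following Python script is an added example, not part of Matrix42's tcosconfig or scantcos: it parses a saved dump into structured records (DF names, files with their key entries, PIN states), flags PIN states an administrator would want to review before trusting the card in the PBA, and decodes the ATR line, including a check of its TCK byte. The embedded sample is a constructed excerpt of the output shown above; the meanings assigned to s=, ft=, t=, FBZ and NULL-PIN are assumptions read off the dump, not vendor definitions.

```python
"""Parse the screen dump printed by `tcosconfig scan` and decode the card ATR.
Added example, not part of Matrix42's tcosconfig/scantcos. Field meanings are
assumptions read off the dump above: s= size (hex bytes), ft= file structure,
t= content type, FBZ = remaining PIN retry counter, NULL-PIN = PIN not yet set."""
import re

# Constructed excerpt modelled on the scan output shown above (not a full dump).
SAMPLE_DUMP = """\
Broadcom Corp Contacted SmartCard 0
ATR is 3bbf96008131fe5d00640411030131c073f701d00090007d
/DF01/ name=D27600006601
/DF01/5049 s=00C0 ft=LinVar t=DATA
PIN 81 status: NULL-PIN
PIN 83 status: FBZ: 0
/DF01/5349 s=0069 ft=LinVar t=DATA
A0(76)=[FID=84 94(25)=[alg=RSA-CRT len=128 record=01 ... ] ]
/DF02/ name=D2760000030102
/DF02/5049 s=00F0 ft=LinVar t=DATA
PIN 81 status: FBZ: 3
/DF02/5349 s=0250 ft=LinVar t=DATA
A0(15)=[FID=84 94(7)=[alg=DES3 len=96 fid=4480 record=01 ... ] ]
/2F02 s=000C ft=Trans t=DATA
"""

ATR_RE = re.compile(r"ATR is ([0-9a-fA-F]+)")
DF_RE = re.compile(r"^(/\w+/) name=(\w+)")
FILE_RE = re.compile(r"^(/\S+) s=([0-9A-Fa-f]{4}) ft=(\S+)(?: t=(\S+))?")
PIN_RE = re.compile(r"^PIN (\w+) status: (.+?)\s*$")
KEY_RE = re.compile(r"FID=(\w+) 94\(\d+\)=\[alg=([\w-]+) len=(\d+)")


def parse_dump(text):
    """Return reader, ATR, DF names, files ({path,size,ft,t,keys}) and PIN
    states as (df, pin_id, raw status, retries or None). Unknown lines are skipped."""
    out = {"reader": None, "atr": None, "dfs": {}, "files": [], "pins": []}
    current_df, current_file = "/", None   # "/" is the master file
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ATR_RE.search(line):
            out["atr"] = m.group(1).lower()
        elif m := DF_RE.match(line):
            current_df = m.group(1)
            out["dfs"][current_df] = m.group(2)
        elif m := FILE_RE.match(line):
            path = m.group(1)
            current_df = path.rsplit("/", 1)[0] + "/"   # "/DF01/5049" -> "/DF01/", "/2F02" -> "/"
            current_file = {"path": path, "size": int(m.group(2), 16),
                            "ft": m.group(3), "t": m.group(4), "keys": []}
            out["files"].append(current_file)
        elif m := PIN_RE.match(line):
            fbz = re.search(r"FBZ: (\d+)", m.group(2))
            out["pins"].append((current_df, m.group(1), m.group(2),
                                int(fbz.group(1)) if fbz else None))
        elif line.startswith("A0(") and current_file is not None:
            # key entries printed after a 5349 file: (FID, algorithm, key length)
            for fid, alg, length in KEY_RE.findall(line):
                current_file["keys"].append((fid, alg, int(length)))
        elif out["reader"] is None and not line.startswith("/"):
            out["reader"] = line                # first free-text line names the reader
    return out


def pin_findings(parsed):
    """PINs to review before the PBA relies on this card (assumed meanings):
    NULL-PIN = not yet personalised, retry counter 0 = PIN blocked."""
    findings = []
    for df, pin_id, status, retries in parsed["pins"]:
        if status == "NULL-PIN":
            findings.append((df, pin_id, "NULL-PIN"))
        elif retries == 0:
            findings.append((df, pin_id, "retry counter exhausted"))
    return findings


def decode_atr(atr_hex):
    """Split an ISO 7816-3 ATR into interface bytes, offered protocols and
    historical bytes, and verify the TCK check byte when the ATR must carry one."""
    b = bytes.fromhex(atr_hex)
    t0 = b[1]
    iface, protocols = {}, set()
    y, i, pos = t0 >> 4, 1, 2                  # Y1 bitmap, interface index, read offset
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                iface[f"{name}{i}"] = b[pos]
                pos += 1
        if not y & 8:                           # no TDi means no further interface bytes
            break
        td = iface[f"TD{i}"]
        protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1
    historical = b[pos:pos + (t0 & 0x0F)]
    pos += t0 & 0x0F
    tck_ok = None
    if protocols - {0}:   # TCK exists only when a protocol other than T=0 is offered
        xor = 0
        for x in b[1:pos + 1]:                  # XOR of T0 .. TCK must be zero
            xor ^= x
        tck_ok = xor == 0 and pos + 1 == len(b)
    return {"direct_convention": b[0] == 0x3B, "protocols": sorted(protocols),
            "interface": iface, "historical": historical.hex(), "tck_ok": tck_ok}
```

To use it on a real scan, redirect the console output to a file (for example tcosconfig scan > card.txt) and pass the file contents to parse_dump; the trailer (the ~~~ separator and the scantcos usage text) matches none of the patterns and is ignored. For the ATR printed above the decoder reports direct convention, protocol T=1 only, fifteen historical bytes and a valid TCK, which is a quick sanity check that the reader delivered the ATR intact before you start editing tcos_p11.ini.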
Once completed, the command prompt can be closed.