How to help my projects? Send me bitcoins!

After I explained why flattr was not a so good option in "My Flattr experience", I now try a new experiment with bitcoin.

It is now possible to send me bitcoins at 14iqwd2wEATig6JJD6zwkpvq7AYaECgtng or using the QR code:

Since my bitcoin address is public you can follow the money transfers at

I do not expect to get very rich in bitcoin. I offer you the possibility to support me and my activities without paying banks and intermediaries.

New version of pcsc-lite: 1.8.13

I just released a new version of pcsc-lite 1.8.13.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

pcsc-lite-1.8.13: Ludovic Rousseau
7 November 2014

  • fix a systemd + libudev hotplug bug introduced in version 1.8.12.
    The list of readers was not (yet) available just after the start of pcscd
  • Make the license more 3-clause BSD like
  • Fix a rare race condition in the (non default) libusb hotplug
  • Some other minor improvements and bug corrections

OS X Yosemite and smart cards status

Yosemite (OS X 10.10) is now out since October 16th, 2014.

This article is the continuation of "OS X Yosemite BETA and smart cards status".

CCID driver

The CCID driver is still in /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle.

The driver has been updated from version 1.3.11 (released 28 July 2009) in Mavericks to version 1.4.14 (released 25 November 2013).
$ grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist 

See the CCID driver README file for a list of the changes between 1.3.11 and 1.4.14. I will not list 4 years of changes here.

New readers supported

121 readers have been added between 1.3.11 and 1.4.14. They are:
  • Access IS ePassport Reader
  • ACS ACR101 ICC Reader
  • ACS AET65
  • ACS APG8201 PINhandy 1
  • ACS APG8201 USB Reader with PID 0x8202
  • ACS CryptoMate64
  • Akasa AK-CR-03, BZH uKeyCI800-K18
  • Aktiv Rutoken lite readers
  • Aktiv Rutoken PINPad Ex
  • Aktiv Rutoken PINPad In
  • Alcor Micro AU9522
  • Alcor Micro AU9540
  • Ask CPL108
  • Atmel AT90SCR050
  • Atmel AT90SCR100
  • Atmel VaultIC420
  • Atmel VaultIC440
  • Atmel VaultIC460
  • Avtor SC Reader 371
  • Avtor SecureToken
  • BIFIT iBank2Key
  • BIFIT USB-Token iBank2key
  • Bit4id CKey4
  • Bit4id cryptokey
  • Bit4id iAM
  • Bit4id miniLector
  • Bit4id miniLector-s
  • Broadcom 5880
  • C3PO LTC36
  • CCB eSafeLD
  • Cherry SmartTerminal XX7X
  • Covadis Auriga
  • Dectel CI692
  • Feitian ePass2003 readers
  • Feitian SCR310 reader (also known as 301v2)
  • Free Software Initiative of Japan Gnuk token readers
  • Fujitsu SmartCase KB SCR eSIG
  • Gemalto Ezio CB+
  • Gemalto Ezio Shield
  • Gemalto Ezio Shield Branch
  • Gemalto Ezio Shield PinPad
  • Gemalto Ezio Shield PinPad reader
  • Gemalto GemCore SIM Pro firmware 2.0 (using USB)
  • Gemalto Hybrid Smartcard Reader
  • Gemalto IDBridge CT30
  • Gemalto IDBridge K30
  • Gemalto IDBridge K3000
  • Gemalto SA .NET Dual
  • Gemalto Smart Guardian (SG CCID)
  • German Privacy Foundation Crypto Stick v1.2
  • Giesecke & Devrient StarSign CUT
  • GIS Ltd SmartMouse USB
  • GoldKey PIV Token
  • id3 CL1356T5
  • Identive CLOUD 2700 F Smart Card Reader
  • Identive CLOUD 2700 R Smart Card Reader
  • Identive CLOUD 4500 F Dual Interface Reader
  • Identive CLOUD 4510 F Contactless + SAM Reader
  • Identive CLOUD 4700 F Dual Interface Reader
  • Identive CLOUD 4710 F Contactless + SAM Reader
  • Ingenico WITEO USB Smart Card Reader (Base and Badge)
  • Inside Secure AT90SCR050
  • Inside Secure AT90SCR100
  • Inside Secure AT90SCR200
  • Inside Secure VaultIC 420 Smart Object
  • Inside Secure VaultIC 440 Smart Object
  • Inside Secure VaultIC 460 Smart Object
  • Kingtrust Multi-Reader
  • KOBIL mIDentity 4smart
  • KOBIL mIDentity 4smart AES
  • KOBIL mIDentity 4smart fullsize AES
  • KOBIL mIDentity fullsize
  • KOBIL mIDentity visual
  • KOBIL Smart Token
  • KOBIL Systems IDToken
  • Macally NFC CCID eNetPad reader
  • Neowave Weneo
  • new Neowave Weneo token
  • NXP PR533
  • Oberthur ID-ONE TOKEN SLIM v2
  • OmniKey 6321 USB
  • Planeta RC700-NFC CCID
  • Precise Sense MC reader (with fingerprint)
  • REINER SCT cyberJack go
  • ReinerSCT cyberJack RFID basis
  • SafeTech SafeTouch
  • SCM Microsystems Inc. SCL010 Contactless Reader
  • SCM Microsystems Inc. SDI011 Contactless Reader
  • SCM SCL011
  • SCM SCR3500
  • SCM SDI 011
  • SCR3310-NTTCom USB SmartCard Reader
  • SCR3310-NTTCom USB (was removed in version 1.4.6)
  • SecuTech SecuTech Token
  • Smart SBV280
  • SpringCard H512 Series
  • SpringCard H663 Series
  • SpringCard NFC'Roll
  • Teridian TSC12xxF
  • THRC reader
  • Tianyu Smart Card Reader
  • Todos AGM2 CCID
  • Todos CX00
  • Ubisys 13.56MHz RFID (CCID)
  • Vasco DIGIPASS 920
  • Vasco DIGIPASS KEY 101
  • Vasco DIGIPASS KEY 200
  • Vasco DIGIPASS KEY 200
  • Vasco DIGIPASS KEY 860
  • Vasco DIGIPASS KEY 860
  • Vasco DP855
  • Vasco DP865
  • Xiring Leo v2
  • Xiring MyLeo
  • Yubico Yubikey NEO CCID
  • Yubico Yubikey NEO OTP+CCID

PC/SC known bugs fixed in Yosemite

This new version of PC/SC fixes some bugs present in the previous version of OS X (Mavericks and before).

This list is not exhaustive. I had a look at the bugs I reported at (also known as radar) and that were closed by Apple.
Maybe you reported to Apple some PC/SC problems I do not know and these problems are now fixed in Yosemite. Feel free to tell me about it.

Extended APDU case 2 no more limited to 1958 bytes

It is now possible to get up to 64k bytes from a card using an extended APDU.
(radar bug #9983001)

Possibility to use composite CCID devices

It is now possible to use a USB device with more than 1 CCID interface.

For example the Gemalto Prox Dual USB PC Link Reader provides 2 CCID interfaces (1 contact interface and 1 contactless interface). In previous Mac OS X versions only the first interface was usable (unless you use a specially compiled CCID driver).
(radar bugs #17841224, #10469006)

Suspend/resume with 2 readers connected

Suspend and resume now works when you have 2 readers connected.

With the previous OS X versions the pcscd daemon was sometimes locked in a bad state at resume. You had to do a card movement to "wake up" pcscd.
(radar bug #16711906)

No more limited to 16 PC/SC card contexts

It is now possible to call SCardConnect() more than 16 times consecutively.

My test program now blocks at around 750 simultaneous opened card contexts. The application should get a PC/SC error instead of blocking. Still a bug but this one should not happen often in the field.

(radar bug #10038432 and

PC/SC new internal Architecture

Maybe I am completely wrong about my interpretation. We will know for sure when/if the source code of PC/SC is published at

This is what I found for now.


The daemon /usr/sbin/pcscd is no more present and has been replaced by something more complex (and with new bugs).

PCSC framework

Binary is /System/Library/Frameworks/PCSC.framework/PCSC.

This file is still present and is used by a PC/SC application. It is the entry point for any PC/SC application on OS X.

Binary is /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/

The process is started (directly or indirectly) by the PC/SC framework linked to the application.

For example when the (still present) test program pcsctest.
$ ps -Aj | grep pcsc
root              110     1   110      0    0 Ss     ??    0:00.02 /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/
lroussea         2282     1  2282      0    0 Ss     ??    0:00.01 /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/
lroussea         2281  1410  2281      0    1 S+   s002    0:00.00 pcsctest

One is run by root (process id 110) and is started at boot.

One is run by lroussea (process id 2282). pcsctest (process id 2281) is also run by lroussea.

Using the strings(1) command line tool on the binary we note some results:
  • /SourceCache/SmartCardServices/CryptoTokenKit-22.1.3/PCSC/ctkpcscd/main.m
    I guess the source code of will be published (soon?) in the SmartCardServices project.
  • It looks like Apple completely rewrote pcsc-lite, and in Objective C this time (.m file extension).
  • "Refusing sandboxed PCSC.framework client without entitlement"
    A new entitlement is necessary to use the PC/SC API? Or just to use CryptoTokenKit?
  • TKPcscContext, TKPcscChangeItem, TKPcscStateChangeItem, TKPcscSlotArrivalItem, TKPcscChangeSet, TKPcscCard are new functions. See below.
The process uses the libray (binary /System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit).

Binary is /System/Library/CryptoTokenKit/

This process loads the smart card reader driver (for example ifd-ccid.bundle in /usr/libexec/SmartCardServices/drivers/) and is in relation with

This process also uses the library (binary /System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit).


How to get logs from a reader driver? It was easy to use /usr/sbin/pcscd --debug --forground to get the driver debug messages in the terminal. It is no more available :-(

PC/SC in JavaScriptAppleEvents?

I found the file /System/Library/PrivateFrameworks/JavaScriptAppleEvents.framework/Versions/A/Resources/BridgeSupportCache/PCSC.plist. This file contains a description of the PC/SC functions (like SCardTransmit) and also old libMuscleCard functions (like MSCWriteObject).

I don't know yet what can be done with this file. But since it is in PrivateFrameworks I do not expect to find much documentation.


As presented in the previous article  "OS X Yosemite BETA and smart cards status" a new framework is provided: CryptoTokenKit


The headers files are in /System/Library/Frameworks/CryptoTokenKit.framework/Headers. The API is in Objective C language. I would have preferred the new Apple programming language Swift (or just plain C).

Dirk-Willem van Gulik provides a sample application CryptoTokenKit-TrivialExample-OpenSC.

Relation with PC/SC

When running the sample application mentioned above I note that no is started. So the CryptoTokenKit library may talk directly to and not use PC/SC at all.
Apple wants to replace PC/SC by a new API?

The CryptoTokenKit API definesTKSmartCard* functions. But not TKPcsc* functions as found in What are these TKPcsc* functions?

It looks like CryptoTokenKit will replace PC/SC on OS X. I was hopping for a replacement of tokend and CDSA that are deprecated since Lion (3 OS X versions from now).

PC/SC evolutions

When I wrote "Evolution of Apple pcsc-lite (from Jaguar to Mavericks)" and "Differences between Apple pcsc-lite and the "official" pcsc-lite" I was still expecting a merge of Apple pcsc-lite and the offcial pcsc-lite. Now my hopes are over. A merge will be very hard since the two projects have diverge so much.

CryptoTokenKit is a new API. Maybe it will be available on other systems than OS X (like GNU/Linux). But since the API is in Objective C I don't think it will interest much people to work on such an API.

It will be more difficult to write a project that would build and run on Windows, GNU/Linux and OS X if the smart card API is not the same on the 3 systems. The PC/SC API has not yet been deprecated. So it is still possible to use this API for now.

PC/SC new bugs

Apple made big changes in the smart card layer. With big changes comes bugs and regression.

I plan to list the known bugs and regressions in another article (this one is already too long). If you know a regression in Yosemite regarding the smart card layer, please tell me so I can add it to the list.


Still a lot of unanswered questions. Some new bugs in the new PC/SC layer. And no news about the tokend replacement.

The main question is: why has Apple replaced PC/SC by a new API? What is the plan? Will CryptoTokenKit be available also on iOS to talk to a secure element?

My Flattr experience

I am a flattr member since August 2010, just 4 years ago.

See my previous blog post about flattr "How to help my projects?".

I added 20€ on my flattr account when I registered in 2010. At that time it was mandatory to add money on its flattr account.

Since that time I allocated a budget of 2€ per month, and I "reinvested" any received fund from flattr users in my flattr account. For the first time I do not have 2€ left on my account for the next month. I only have 0.87€.


In 4 years of using flattr I invested 2€ each month.
That is 4 years x 2€ per month = 4 x 12 x 2€ = 96€ in total invested in flattr projects I support.

Results as of today (October 2014)

According to flattr:
  • You have done 406 flattrs in total
  • You have given €98.79 in total to 45 creators
  • You have received 195 flattrs in total
  • Other users have 4 subscriptions active for your things
  • You have received €80.36 in total from 53 supporters

The problem

According to flattr: "Creators receive 90% of the money you give."

So 10% of the money you give do NOT got to creators and goes to flattr itself.

It could be fine but the system is closed and unless you are a very famous (and rich) creator you do not withdraw the money from flattr. So the money you receive is used to be given to other creators.

flattr gets 10% of the money you receive. And also 10% on the money you distribute, etc. After a few cycles in the system the money has all "evaporated" into the flattr account.

After 10 cycles, 61% of the money has "evaporated" as flattr taxes and only 39% is still available for creators.

After 24 cycles (2 years) only 9% of the initial money is still distributed to creators.

In that case only flattr is the winner in the story.

These numbers are only for the money your redistribute. If you have 10€ and only distribute 2€ each month then flattr will tax you 10% on the 2€, not on the 10€. But after 5 months at 2€ per month all your 10€ will be redistributed and then taxed.


flattr is not the good tool, for me, to get rich. So I decided to not inject more real money I think flattr will slowly die.

Getting rich

If you really want to help me get rich, just contact me. I think we can do something more efficient than flattr.

CCID USB spy using Wireshark

Sometimes you need to know exactly what is happening at the USB level. You have two options:

  • use a hardware USB analyzer
  • use a software USB analyzer
Since I do not have the budget to buy a hardware USB monitor I will use the software solution.


Since some time, it is possible to use the wonderful Wireshark program to display and analyze USB frames. Wireshark is mainly used for analyzing network packets but it is also possible to display USB packets. Wireshark is even able to display the CCID commands inside the USB packets.


A documentation is available at USB capture setup and also at Capturing USB data through Wireshark.
This article describes what I did.

Setup the kernel

You first need to load the usbmon kernel module.

$ sudo modprobe usbmon

tshark (a command line tool) should now be able to capture on usbmon interfaces. Check it using:
$ tshark -D
1. eth0
2. any
3. lo (Loopback)
4. nflog
5. nfqueue
6. usbmon1
7. usbmon2

In my case I have 2 USB buses labeled usbmon1 and usbmon2.

Capture the USB frames

Before capturing the USB frames you need to know on which USB bus is connected your device.

Identify the device USB bus

$ lsusb 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 004: ID 08e6:3437 Gemplus GemPC Twin SmartCard Reader
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

In my case the device I want to study is on the bus 002 so I will use usbmon2.

Start the capture

$ tshark -i usbmon2 -w trace1.pcap
Capturing on 'usbmon2'
tshark: The capture session could not be initiated on interface 'usbmon2' (Can't open USB bus file /sys/kernel/debug/usb/usbmon/2t: Permission denied).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

For security reasons tshark refuses to be run as root. So I needed to change some file access rights.

$ sudo chmod +rx /sys/kernel/debug/
$ sudo chmod a+rw /sys/kernel/debug/usb/usbmon/2t

Then (re)start tshark and use Ctrl-C to stop after some traffic has been captured.
$ tshark -i usbmon2 -w trace1.pcap
Capturing on 'usbmon2'
1270 tshark: Can't get packet-drop statistics: Can't open USB stats file /sys/kernel/debug/usb/usbmon/2s: Permission denied
Please report this to the Wireshark developers.
(This is not a crash; please do not report it as such.)

Capture analysis

The file trace1.pcap contains the USB frames and can be displayed using the graphical interface of Wireshark.

Enable the CCID decoder

Unless you can read the CCID protocol from hexadecimal, it is a good idea to tell Wireshark to decode the USB frames as USBCCID.
Go in the menu "Analyze" -> "Decode as..." and select USBCCID in the dialog.

Wireshark will then display the USB frames with nice CCID names:

Here you can see a CCID Power On command.
  • The command name is displayed in the top window: "Packet - PC to Reader: ICC Power On"
  • And the content of the command (the 10 last bytes specific to CCID) are documented in the lower window: "Message Type: PC_to_RDR_IccPowerOn (0x62)", etc.

I do not expect every one to use Wireshark to look at CCID frames. But if you have a problem with a CCID reader and wants to know exactly what is happening Wireshark can help you for a very very limited budget (Wireshark is a free software under GNU GPL v2 license).

This blog article is also a way for me to document how to do it for the next time :-)


Wireshark is a great tool.
Linux is a great kernel.
Debian GNU/Linux is a great operating system.

PCSC sample in JavaScript (Node.js)

To continue the list of PC/SC wrappers initiated more than four years ago with "PC/SC sample in different languages" I now present a PC/SC sample written in JavaScript using Node.js.

node-pcsclite project

The node-pcsclite project is hosted at github and is quiet active. Support of Windows is not yet available. Support of Mac OS X is now correct after I proposed some patches.

The installation on a Debian unstable or testing (Jessie) system is easy. Just follow the project documentation. Debian stable (Whezzy) do not have the nodejs packages but these packages are available in wheezy-backports.

One potential problem is that the Node.js binary is called nodejs on Debian to avoid a conflict with another node binary. To have a node binary corresponding to Node.js you need to install the Debian package nodejs-legacy. It is not difficult but may be the source of some difficulties at the beginning.

PC/SC accesses from node-pcsclite

The wrapper provides access the following PC/SC functions:
  • connect
  • disconnect
  • transmit
  • control

A reader event (reader removed) is reported as an event.

The card status change is reported as an event.

The reconnect function is missing. A bug #10 is open requesting its addition.

Sample source code

#!/usr/bin/env node

var pcsc = require('./lib/pcsclite');

var pcsc = pcsc();

pcsc.on('reader', function(reader) {

    function exit() {

    cmd_select = new Buffer([0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01]);
    cmd_command = new Buffer([0x00, 0x00, 0x00, 0x00]);


    reader.connect(function(err, protocol) {
        if (err) {
            return exit();
        reader.transmit(cmd_select, 255, protocol, function(err, data) {
            if (err) {
                return exit();
            console.log('Data received', data);
            reader.transmit(cmd_command, 255, protocol, function(err, data) {
                if (err) {
                } else {
                    console.log('Data received', data);
                    console.log('Data received', data.toString());
                return exit();

pcsc.on('error', function(err) {
    console.log('PCSC error', err.message);


Node.js is an asynchronous framework. So a typical Node.js design pattern is to use a call-back instead of blocking the execution of a function.

The code can be complex to follow since you have a cascade of call-backs if you need to send a sequence of APDU. In the sample we only need to send 2 consecutive APDU.

The program is not sequential but event based. So without the explicit exit after 1 second the program never terminates and you need to stop it using Control-C. It is strange for me.


Using: Gemalto PC Twin Reader 00 00
Data received <SlowBuffer 90 00>
Data received <SlowBuffer 48 65 6c 6c 6f 20 77 6f 72 6c 64 21 90 00>
Data received Hello world!�

Similar projects

Two other similar projects are also found at github. They have both the same name node-pcsc but are not the same project:

coolbong node-pcsc

The node-pcsc interface from coolbong uses a synchronous API so no call-back are involved for PC/SC calls. You can send a sequence of APDU as you would do in C.

This wrapper is for Windows only and need some work to port it to Unix. I opened a bug #1 requesting Unix support.

jokesterfr node-pcsc

This wrapper is not yet able to send arbitrary APDU to a card. It looks like a work in progress that stopped in November 2013.


If you want to use a smart card from a JavaScript program using Node.js the best choice may be the node-pcsclite project. The project maintainer is nice and reactive.

If you know a PC/SC wrapper that is not yet in my list then please contact me.

Edit, October 3rd 2014

After discussing with Santiago Gimeno (node-pcsclite author) and fixing Mac OS X bugs in node-pcsclite I modified the sample source code to add the clean up exit() function and exit properly from the program when no more callbacks are waiting.

New version of pcsc-lite: 1.8.12

I just released a new version of pcsc-lite 1.8.12.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

pcsc-lite-1.8.12: Ludovic Rousseau
24 September 2014

  • make hotplug using libudev (default) more robust
  • add ReiserFS file system support (for configuration files)
  • add musl libC support (increase the thread stack)
  • Some other minor improvements and bug corrections

Open Silicium n°12 en kiosque !

The french magazine Open Silicium latest number Sept., Oct., Nov. 2014 has NFC as its main topic.

If you can read French and you are interested in NFC it is a good reading.

Table of content

Sorry, it is in French.

Au sommaire du magazine :


4 La plateforme de développement mbed

En couverture

9 Un système RFID/NFC pour notre GNU/Linux
14 Utilisation et manipulation des tags Mifare Classic
24 Pour explorer, utilisons Python !
26 Mifare DESFire : un niveau de sécurité adapté
34 RFID : Quelques applications intéressantes pour Android


39 Visualisation temps réel de trafic avec Python et l'API Google Analytics

Mobilité & téléphonie

46 Applications connectées en 3G : pourquoi la ressource radio impacte tant votre batterie
52 Google Projet Ara : Votre smartphone (Android) sur mesure !


59 Reconstruction de structures tridimensionnelles par photographies : le logiciel MicMac

Code & développement

80 Le bootloader DFU des STM32

New version of libccid: 1.4.18

I just released a version 1.4.18 of libccid the free software CCID class smart card reader driver.

1.4.18 - 13 September 2014, Ludovic Rousseau

  • Add support of
    • Cherry Cherry TC 1100
    • Cherry Smart Card Reader USB
    • Cherry Smartcard Keyboard G87-1xx44
    • FujitsuTechnologySolutions GmbH Keyboard KB SCR2
    • Lenovo Lenovo USB Smartcard Keyboard
    • Yubico Yubikey NEO OTP+U2F+CCID
    • Yubico Yubikey NEO U2F+CCID
    • eID_R6 001 X8
  • fix support of Omnikey CardMan 3121
  • reduce memory consumed when configured with --enable-embedded
  • prepare the port to UEFI