<infobot_>
Since Thu Feb 5 05:11:27 2015, there have been 0 modifications, 12 questions, 0 dunnos, 0 morons and 7 commands. I have been awake for 19h 5m 5s this session, and currently reference 119378 factoids. I'm using about 83076 kB of memory. With 0 active forks. Process time user/system 111.24/1.88 child 0/0
<freemangordon>
it could be either plaintex or encrypted PIN
<freemangordon>
*plaintext
<DocScrutinizer05>
like wpwrak suspected: fallback to a simpler / less secure method
<freemangordon>
offline PIN is not a fallback
<freemangordon>
neither it is less secure, it is verified by the card itself
<DocScrutinizer05>
well, here in Germany it is, sort of. since usually every POS transaction checks if your account has sufficient credit for that transaction
<freemangordon>
depends on the so-called "offline limits" and other stuff
<DocScrutinizer05>
yep, which seem to be zero for me at least
<freemangordon>
both terminal and the card itself have offline limits, so if the transaction is below the threshold, it is offline approved
<DocScrutinizer05>
would make sense since I don't want debit account
<freemangordon>
the limits are about the transaction amount, not about your account balance :)
<DocScrutinizer05>
yes, but when an account is configured as "no debit" then I guess the offline limits will be zero accordingly
<DocScrutinizer05>
which is exactly the purpose
<freemangordon>
hmm, no, it will be something like 50 EUR
<freemangordon>
so avary transaction for less than 50 will be offline approved.
<freemangordon>
*every
<freemangordon>
well, there are other variables, such as "on every N offline transactions go online"
<freemangordon>
etc.
<DocScrutinizer05>
hmm, possible. I know I had that 50EUR "credit" when I used the card on POS which did signature auth instead of PIN auth
<freemangordon>
signature means you most probably went online
<DocScrutinizer05>
huh? no
<freemangordon>
but anyway, there is so called "CVM list" coded in the card which is matched agains what the POS supports, the transaction type, etc
<freemangordon>
*against
<freemangordon>
this processing is explained in the EMV book 3 :)
<DocScrutinizer05>
the POS simply got a signed paper which they withdrew from account some 6 days later
<freemangordon>
what transaction was that? purchase?
<DocScrutinizer05>
or didn't withdraw when the account had no sufficient credit
<DocScrutinizer05>
of course ourchase
<DocScrutinizer05>
purchase*
<DocScrutinizer05>
and maestro, NOT credit card
<freemangordon>
oh, maestro
<freemangordon>
weird, usually this should go online
<freemangordon>
anyway, this all depends on what your bank had coded in the card
<DocScrutinizer05>
no, since the banks charged the merchants with some 40ct per online transaction, while simple withdrawal is free of charge
<DocScrutinizer05>
so many merchants used offline POS
<freemangordon>
was that chip transaction?
<DocScrutinizer05>
which simply reads the account data from card and prints them on a receipt. And later on they withdraw on batch
<DocScrutinizer05>
I think back when cards had no chip
<freemangordon>
oh, magstripe cards are different beast
<freemangordon>
no chip that is
<freemangordon>
do such cards still exist in Europe?
<DocScrutinizer05>
in supermarket behind next, they use 90% offline (signature) and 10% online, based on a local database of "criminals" and a random generator
<DocScrutinizer05>
no, not anymore
<freemangordon>
that was my impression too :)
<DocScrutinizer05>
but most POS still don't use chip
<DocScrutinizer05>
maybe that one we talk about here already dos
<DocScrutinizer05>
does
<freemangordon>
the point is - if you have a chip card and the merchant did a magstripe transaction instead of using the chip, then you could dispute the transaction and you'll have your money back - the so called liability shift
<DocScrutinizer05>
that's why all transactions are online, or signature
<DocScrutinizer05>
no dispute in either case
<freemangordon>
no matter if the transaction is online or signature or whatever - if it was not chip based, the liability shift kicks in
<DocScrutinizer05>
you could dispute authenticity of your signature
<freemangordon>
"After the liability shift, if a merchant is still using the “swipe and signature” methodology and the customer has a smartcard, the merchant is liable."
vakkov has joined #neo900
<DocScrutinizer05>
huh? what does *that* mean?
<freemangordon>
that you can get your money back :)
<DocScrutinizer05>
no
<freemangordon>
yes
<Pali>
freemangordon: any idea when V-Pay visa cards (which do not support insecure magnetic strip) will be used widely in EU?
<freemangordon>
Pali: I have one :)
<freemangordon>
dunno about the rest of the EU, but those are widespread here
<DocScrutinizer05>
it means that a merchant has to guess if the true card has a chip, when some rogue person comes and pays with a card that only has mag stripe
<Pali>
bah... In SK and CZ there is no bank which can give it to customers...
<Pali>
but shops already accept it
<freemangordon>
DocScrutinizer05: in the magstripe, in the 3rd byte of the service code it is written whether the card is chip or not
<DocScrutinizer05>
also I doubt english text regulations apply to local german market
<DocScrutinizer05>
so what?
<freemangordon>
"Maestro" means "Mastercard"
<freemangordon>
nothing related to the local regulations
<DocScrutinizer05>
when I already fake the complete card minus chip, I can fake that bit too, no?
<freemangordon>
or rather Banknet (which is EU Mastercard)
<freemangordon>
no, you can't
<freemangordon>
well, you can, but the magstripe becomes invalid
<DocScrutinizer05>
aha
<DocScrutinizer05>
the magstripe is *fake*
<freemangordon>
as there are 3 other digits, the so-called CVV
<DocScrutinizer05>
how could it become more invalid than that?
<Pali>
magstripe is easy to fake... but smart chip not
<freemangordon>
as long as the track data is valid, no one cares if it is fake or not
<Pali>
reason why I want smart chip only card
<freemangordon>
and this is the point - the merchant is *liable* for accepting such a card
<freemangordon>
DocScrutinizer05: google a bit for "emv liability shift" and you'll get it
<DocScrutinizer05>
that's why they either do online or signature, bith being a verification beyond silly "what's the magstripe"
<DocScrutinizer05>
both*
<freemangordon>
DocScrutinizer05: again, no matter even if they took a photo of you, if the chip on a chip card was not used, then you can dispute the transaction and you will win
<DocScrutinizer05>
I will not, here in Germany
<freemangordon>
and your bank will be ok with you, as it is the acquiring bank who will return the money to you, not the issuing bank
<Pali>
freemangordon, when I looked at my more visa cards all had also option no verification in CVM list of options
<Pali>
it is possible disable "no verification" in bank?
<freemangordon>
Pali: yes, but this is on the chip
<DocScrutinizer05>
since here you don't dispute because of some regulation, you dispute because somebody did wrong to you. You can't prove that since the merchant has all proof on his side
<Pali>
I know it is on chip
<freemangordon>
and no matter the CVM list, you'll get ARPC
<freemangordon>
with AAC/TC
<freemangordon>
DocScrutinizer05: the marchant *can't* prove the chip was used
<freemangordon>
*merchant
<Pali>
only for online transactions?
<DocScrutinizer05>
proof == either valid PIN+online, or signature
<freemangordon>
no matter
<freemangordon>
Pali: ^^^
<DocScrutinizer05>
nobody gives a shit about "chip used" at court
<Pali>
but this does not prevent to use stolen card
<freemangordon>
DocScrutinizer05: no court here, you just complain to your bank
<freemangordon>
Pali: sure
<DocScrutinizer05>
the bank gives you the finger
<freemangordon>
but protects against skimmed cards
<Pali>
so if on CVM list on chip is disabled "no verification" then it should be more secure against stolen cards, right?
<freemangordon>
yep
<freemangordon>
but slows down the transactions
<DocScrutinizer05>
no, I won't since nobody ever did that or I would prolly have heard about before, and even if somebody succeeded, that's no guaranty a judge will decide the same for my case
<freemangordon>
so it is up to the bank to decice
<freemangordon>
*decide
<Pali>
and who is responsible for setting those "config" options on card? bank? visa? or some 3rd company which create and program card?
<freemangordon>
the bank
<freemangordon>
it fills the so-called "card profile" and sends it to Visa/Banknet for approval and a follow-up certification
<freemangordon>
that happens when a bank registers a new BIN
<freemangordon>
well, wants to register
<Pali>
so can I ask my bank if I want something like that for new visa card?
<Pali>
or just every bank reject all those requests? :D
<freemangordon>
you can ask, but your bank should already have such a card
<freemangordon>
they can't change the profile once certified
<Pali>
new profile is created after card expires (when I get new card from bank)?
<Pali>
or same profile for new card is used?
<freemangordon>
no, new profile is created when the bank wants to have a new "product"
<freemangordon>
your card expired != the BIN is no longer valid
ashneo76 has joined #neo900
<Pali>
because I saw that new card had same number and CVV as old expired one
<freemangordon>
DocScrutinizer05: there is no judge involved, there exist automated procedures for the so-called "chargeback"
<Pali>
how it is possible?
<DocScrutinizer05>
anyway my card is configured to not allow account debit, and thus *every* transaction I do with the card is online (unless signature method is used)
<freemangordon>
Pali: that is fine, the card was simply reissued
<DocScrutinizer05>
freemangordon: not here in germany
<DocScrutinizer05>
not for maestro which is NOT mastercard
<DocScrutinizer05>
and NOT a normal credit card either
<freemangordon>
yes, maestro *IS* Mastercard, where Mastercard == International Card Network, not a card type
<DocScrutinizer05>
maestro is the electronic successor of eurocheque
che1 has joined #neo900
<Pali>
freemangordon: it is possible to disable classic internet "card holder not present" transactions (with or without CVV) without enabled 3 domain secure auth?
<freemangordon>
unless you have some local cards branded as Maestro, without being such
<DocScrutinizer05>
you can pay at credit card POS with mastercards but _not_ with maestro
<freemangordon>
Pali: usually you have to enroll before using 3D secure
<Pali>
because everybody who have (somehow) CVV and card number can use my bank account
<freemangordon>
so it should be disabled by default
<Pali>
I mean internet transactions which do not use 3D secure
<freemangordon>
oh, misread your question
<Pali>
can I disable them?
<freemangordon>
Pali: it is not CVV, but CVV2. you should ask your bank, but usually it should be able to be disabled
mvaenskae has joined #neo900
<DocScrutinizer05>
mastercard is a credit card. maestro is not
<freemangordon>
it depends on the bank's authorization system
<Pali>
and how amazon can charge money from visa cards only with information of card number (without CVV2 code)?
<freemangordon>
DocScrutinizer05: trust me I know what Maestro is, the point is that you (the bank) certify with Mastercard the Maestro BINs
<freemangordon>
Pali: maybe those are registered, no idea
<DocScrutinizer05>
I don't care
<Pali>
will look at google...
<DocScrutinizer05>
>>The payment is authorized by the card issuer to ensure that the cardholder has sufficient funds in their account to make the purchase and the cardholder confirms the payment by either signing the sales receipt or entering their 4 to 6-digit PIN.<<
<Pali>
>> The only thing necessary to make a purchase is the card number, whether in number form or magnetic. You don't even need the expiration date. <<
<DocScrutinizer05>
and that's *not* how usual credit cards work
<Pali>
I thought those transactions are more secure....
<DocScrutinizer05>
maestro != mastercard
<freemangordon>
Pali: it depends on your bank whether cvv2 is required to approve the transaction
<freemangordon>
DocScrutinizer05: please, don't mix the terms
<freemangordon>
Maestro card != Mastercard card
<DocScrutinizer05>
hahahahaha
<freemangordon>
*but* Maestro if a brand of Mastercard international card organization. period.
<DocScrutinizer05>
you go grammar nazi now?
<freemangordon>
*is
<freemangordon>
DocScrutinizer05: red the backscroll about my point - if you issue Maestro cards, then you are Mastercard member bank, and must follow the regulations. One of them being the liability shift
<freemangordon>
*read
<freemangordon>
the same for visa
<DocScrutinizer05>
I'm talking since 30 minutes about maestro not working like mastercard, and you insist that I add a " card" disambiguation, to make sure I'm not talking about the company not working like a known not existing other company?
<DocScrutinizer05>
and I'm telling you that your regulations don't apply for maestro cards
<freemangordon>
regarding the chip there is no difference in the rules regarding magstripe/chip processing
<freemangordon>
yes, they apply
<DocScrutinizer05>
no, they don't
<DocScrutinizer05>
since >>The payment is authorized by the card issuer to ensure that the cardholder has sufficient funds in their account to make the purchase and the cardholder confirms the payment by either signing the sales receipt or entering their 4 to 6-digit PIN.<<
<DocScrutinizer05>
there's no such thing like POS-local PIN verification for maestro cards
<DocScrutinizer05>
at least there wasn't a two years ago
<Pali>
DocScrutinizer05: what is stored in CVM list on your card?
<freemangordon>
yep, there is, if the chip is used, I have such a card
<freemangordon>
Pali: that's irrelevant if the chip is not used
<Pali>
right, for non chip transaction CVM list in chip is not used
<DocScrutinizer05>
a two years ago the banks messed up the chip firmware, and you could use the card on POS only when you placed a patch of scotch film over the chip. Then it worked just fine
<DocScrutinizer05>
maybe 3 years ago
<freemangordon>
omg
che11 has joined #neo900
<DocScrutinizer05>
I brt wpwrak still has a bookmark to the c't article about that incident
<DocScrutinizer05>
bet*
<DocScrutinizer05>
iirc it was around new year
<DocScrutinizer05>
related to change in YYYY
<freemangordon>
BTW this is the so-called "fallback" and is disabled in Europe. i.e. you fail the terminal EMV certification if you do a fallback.
<freemangordon>
but it seems your banks/merchants do whatever they want :)
<DocScrutinizer05>
yes, they do
<DocScrutinizer05>
not many credit cards are used here in Germany at all. everybody has a debit card called maestro
<freemangordon>
still, out of curiosity, ask your bank about the case someone skims your card and does a purchase with it ;)
<Pali>
freemangordon: it is truth, that bank can upgrade firmware on visa card when I insert card into ATM terminal?
<wpwrak>
hmm no, no link farm here
<DocScrutinizer05>
yes
<DocScrutinizer05>
they did on some dozen millions of maestro cards, on that incident I referred to above, iirc
<DocScrutinizer05>
Pali: ^^^
<freemangordon>
the whole firmware? well, you can always load a new applet in GP card, but usually what is "upgraded" is some tags
<DocScrutinizer05>
I can't recall details
<DocScrutinizer05>
they fixed the cards while in ATM
<freemangordon>
EMV cards have a limit on the length of the issuer scripts, iirc it is 256 bytes
<Pali>
script which rewrite that limit? :D
<DocScrutinizer05>
...on 2nd or 3rd of January
<freemangordon>
exactly, it is PUT DATA APDU
<DocScrutinizer05>
all 'IIRC'
<freemangordon>
DocScrutinizer05: most probably they just updated the tag 5F24
<DocScrutinizer05>
dunno what they did. But I know the hotfix was a patch of scotchtape
<Pali>
freemangordon: how secure are contactless chip visa cards?
<DocScrutinizer05>
and that you were supposed to remove that patch again before inserting card into a real ATM
<freemangordon>
about the same as contact
<freemangordon>
though you lack things like DDA/CDA (iirc)
<Pali>
I read somewhere that there was bug in contactless FW which caused that limit for no PIN transactions was infinity for foreign currency
<freemangordon>
well, a faulty/buggy firmware does not compromise the technology as such
<DocScrutinizer05>
I also know that since 20 years or so, paying on POS took like 4..20s until PIN got verified. *always*. except that payment in lil shoppe yesterday
<Pali>
yes, but bug in contactless are more dangerous as in contact chip
<freemangordon>
hmm, what is the difference?
<Pali>
for contact chip I need to insert card into reader
<Pali>
for contactless somebody in bus can do something with card
<Pali>
(when bus is full of people...)
<freemangordon>
ah, I see
<Pali>
anybody can read my card without my approval
<freemangordon>
well, that is why contactless is usually used for low amounts
<DocScrutinizer05>
unless you use tinfoil hat err purse ;-)
<DocScrutinizer05>
which actually is a sane idea
<freemangordon>
Pali: that is why it is better to have NFC phone with capability to turn off the NFC radios :D
<Pali>
yes :D
<freemangordon>
Pali: BTW someone reading your contactless card means nothing ;)
<freemangordon>
the account is not on the card itself
<freemangordon>
but I guess you know that
<Pali>
somebody told me that on card are stored last transactions
<freemangordon>
bullshit
<DocScrutinizer05>
yeah, it needs a second person at the far end of that communication line who uses the data to feed it to a card proxy
<Pali>
but at least card holder name is there stored
<Pali>
also country
<freemangordon>
so?
<Pali>
so anybody in bus can identify me :D
<freemangordon>
yeah, you're the only Pali in your country :P
<mvaenskae>
Pali: your neo900 will be quite unique i figure
<mvaenskae>
that's the easiest method to ID one of you guys ;)
<Pali>
but if I have it hidden in pocket while in bus nobody know it
<freemangordon>
I guess there are faster and easier ways to understand your name and country, by just politely asking you :)
<mvaenskae>
Pali: it's a brick, we can tell :D
<mvaenskae>
freemangordon: nonsense, that's too easy, it'll never work on me!
<mvaenskae>
and neither does it on girls :(
<freemangordon>
mvaenskae: and what about a pretty girls asking you?
<freemangordon>
*girl
<mvaenskae>
freemangordon: are you a pretty girl? ;)
<freemangordon>
Am I asking you? And no, I am not :)
<Pali>
DocScrutinizer05: if one boot was successful and others not (without changing SW and HW), it looks like HW problems
<Pali>
it is possible that there are problems with RAM modules?
<DocScrutinizer05>
err, maybe not. If stuff like register inits and timing etc are not done correctly, the whole thing might be over the edge
<Pali>
because I cannot believe that one time it was (somehow) initialized correctly and others not (which caused no output)
<DocScrutinizer05>
in such cases any random statistic noise comes in to success vs failure. Maybe American Forces Network radio just played a song that made the RAM behave during that one boot
drathir has quit [Client Quit]
drathir has joined #neo900
<DocScrutinizer05>
or some star in andromeda sent a friendly gamma quantum at the right time
<Pali>
can you ask on u-boot mailinglist about this problem?
<Pali>
u-boot now has u-boot spl subproject which is replacement for x-loader
<DocScrutinizer05>
we expect a second board any time soonish, but for now we dunno if that's a "reproducible" error or a hw statistical bug caused by chip deterioration during rework
<DocScrutinizer05>
it seems usually not even uBoot gets started, xloader is what already barfs up chunks
<Pali>
if xloader does not init something correctly it can fail
<DocScrutinizer05>
so I guess we need to check RAM init in xLoader/MLO
<Pali>
but u-boot has replacement also for x-loader directly in u-boot mainline tree
<DocScrutinizer05>
ooooh
<Pali>
so they could know something what is needed
<DocScrutinizer05>
anyway, I'm a complete noob regarding all that stuff. Could you...? Pretty please, with sugar on top :-)
<Pali>
if there is missing init, some TI u-boot people could know more info
<Pali>
maybe somebody with board in hands should do that
<DocScrutinizer05>
it seems ROMBL runs just fine, but xLoader usually says BYEBYE...ughhhh
<Pali>
as people on ML will ask more details
<Pali>
log with working boot is not enough
<DocScrutinizer05>
(somebody with board in hands) that's Nikolaus then
<freemangordon>
DocScrutinizer05: seems harm kernel does not init DRAM chips :(
<freemangordon>
and there is nothing in xloader, so we need N9 BootRom
<DocScrutinizer05>
freemangordon: no surprise, since xLoader loads kernel into that very DRAM
<freemangordon>
yep, but xloader could be prepended with DRAM timings
<freemangordon>
so BR sets the RAM before loading xloader in it
<Pali>
I think that onenand does not support execute in place, so n900/n9 bootrom first copy xloader into RAM and then it execute it?
modem has quit [Ping timeout: 244 seconds]
<DocScrutinizer05>
now that's pretty bad. Maybe ROMBL is responsible for initializing RAM? Meh, hardly
<freemangordon>
Pali: correct
<freemangordon>
at least in n900 CHxxxx is in BootROM
<DocScrutinizer05>
Pali: the supposed sequence is: ROMBL loads xLoader into 64k(?) of SRAM, then executes it, then xLoader initializes SDRAM and loads kernel to there
<freemangordon>
I guess it is the same for N9
<freemangordon>
hmm, wait
<DocScrutinizer05>
the whole reason for xLoader
<freemangordon>
DocScrutinizer05: yep, maybe you're correct, xloader is loaded in SRAM not in DRAM
<Pali>
I will check at which address is loaded xloader and which nolo
<DocScrutinizer05>
I also know that the KCE00E00CA consists of two banks (actually probably even "chips" aka dies) a 512MB, controlled by CS1 and CS2 (ChipSelect signal pins)
<DocScrutinizer05>
note that KCE00E00CA is a MCP, a MultiChip Package
<DocScrutinizer05>
it prolly consists of 3 "chips": 2 x RAM, plus NAND
<freemangordon>
ok, what is DRAM hip then?
<DocScrutinizer05>
hip?
<freemangordon>
*chip
<DocScrutinizer05>
DRAM = SDRAM
<Pali>
if SRAM where is x-loader loaded working fine, I would suggest to compile u-boot spl with some small debug console
<freemangordon>
hmm, for cortex a8: "MPU DPLL, set to provide 96 MHz for the Cortex-A8 MPU"
<freemangordon>
DocScrutinizer05: see 26.4.8.2.2 in 3430 TRM
<DocScrutinizer05>
wait wait. shouldn't xLoader also do at least *some* output to UART, whatever? And xloader runs in SRAM, not DRAM, and SRAM gets initialized by ROMBL. So when even xLoader usually fails (in 99 of 100 cases), it *must* be a hw defect, right?
<freemangordon>
seems like
<DocScrutinizer05>
:-S, or \o/. Dunno
<DocScrutinizer05>
\o/ since that means we might just see borkage/deterioration of SoC/PoP caused by rework
<DocScrutinizer05>
which we might get handled even for rework, and for sure shouldn't be an issue for proper prototypes done in usual reflow from fresh components
* DocScrutinizer05
goes back to reading what Nik reported, once again
* freemangordon
is afk
<DocScrutinizer05>
>> But: I do not get to an U-Boot or Linux prompt. Well, not even a message from X-Loader. But: not always nothing. I was able to see something reasonable in est. 1% of the reset attempts.<< [quote Nikolaus] So *if* xloader is supposed to output some bytes, we clearly see a hw issue here
<DocScrutinizer05>
right?
<DocScrutinizer05>
since it's highly unlikely that Nokia made that chip work on N9 and we can't on beagleboard, it's either the chips are crap from factory, or they got damaged by rework
<DocScrutinizer05>
ok, afk too. sorry. But bbl