INIT Command

The INIT command is a one-time setup command that is crucial for provisioning the card and activating its secure features. It’s the first secure write to the card and must be used only once, during initial setup of the secure applet.



  def init(
      name: str,
      email: str,
      pin: str,
      puk: str,
      pairing_secret: bytes,
      nfc_sign: bool
  ):
      card.init(
          name,
          email,
          pin,
          puk,
          pairing_secret,
          nfc_sign
      )

  # For example:
  init(
      "name",
      "email",
      "pin_code",
      "puk_code",
      b"Cryptnox_Basic_PairingKey_String",
      False
  )

📘
Note

This command is only available when the applet is in the pre-activate state.

Upon successful execution, the applet transitions to the activate state and securely stores:

PIN (9 digits/bytes)

PUK (12 digits/bytes)

Secure Channel pairing secret (32 bytes)

User personal information (e.g., name and email)

The payload is AES-CBC encrypted using:

A random IV

A key derived via EC-DH between the card's public key (GET CARD CERTIFICATE) and a client-generated ephemeral keypair

ISO/IEC 9797-1 Method 2 padding

Payload format:

[LEN | Name] + [LEN | Email] + PIN + PUK + PairingSecret

The command provides protection against passive MITM attacks but not active MITM, which is considered unrealistic due to the local nature of the communication (NFC or contact interface).

After successful execution:

The command becomes permanently disabled (unless reset)

The Secure Channel is enabled and PIN/PUK become active and required

Application Protocol Data Unit (APDU) Components for INIT

The following table outlines the components of the Application Protocol Data Unit (APDU).

Field	Description	Value
CLA	This field specifies the class of the instruction.	0x80
INS	This field specifies the particular command or operation that the smart card or secure element should execute.	0xFE
P1	First parameter of the instruction that specifies the details about the operation being requested.	0x00
P2	First parameter of the instruction that specifies additional details about the operation being requested.	0x00
Data	Key data	EC public key (LV encoded) \| IV \| encrypted payload

Response

The following table outlines the possible responses that you will receive:

Response Code	Description
0x9000	Success
0x6D00	The applet is already activated
0x6A80	The data is invalid (pubkey, non-digits in PIN, decrypted data length)
0x6984	the decryption is invalid (wrong encryption key or bad padding)