为什么 SET STATUS APDU 命令返回 6985？

Question

I have a USIM card and the Card Life Cycle is OP_READY :

Connected to the Card...

<--> [Mutual Auth]

---> 80 F2 80 00 02 4F 00       
<--- 08 A0 00 00 00 03 00 00 00
     01 <== LifeCycle = OP_READY
     98
     90 00

I want to change the card Life Cycle to SECURED . Based on the GlobalPlatform Card Specification I have to first change the card life cycle to INITIALIZED and then to SECURED state:

And this is the coding of diffe.net Life Cycles in SET STATUS APDU command:

So I tried to change the life cycle as below:

Connected to Card.

<--> [Mutual Auth with SecLevel = 0x00]

---> 80 F0 80 07 00
<--- **Fail** 6A 86

---> 80 F0 80 0F 00
<--- **Fail** 69 85

As you see above, I received 6A86 (INCORRECT P1-P2 Parameters) for INITIALIZED and 6985 (CONDITIONS OF USE NOT SATISFIED) for SECURED life cycle.

I also tried the same process with SecLevel=0x03, but nothing changes:

Connected to Card.

<--> [Mutual Auth with SecLevel = 0x03]

---> 84 F0 80 07 08 <MAC>
<--- **Fail** 6A 86

---> 84 F0 80 0F 08 <MAC>
<--- **Fail** 69 85

What is wrong?

Answer 1

It might be that your card is imposing additional requirements for the state change. If you have a manual consult it if some special behavior is described.

If this is not available my strongest guess would be that the card would like to see some keys to be personalized on the card before the state change is allowed. Use a PUT KEY command to update the keys. If updating the key using the same key version and index does not work try to create an additional key version.

Although unlikely to succeed, you can also try a STORE DATA command to set the life cycle status. The mapping guidelines, 6.13 allows to set the tag 9F70 .