Three billion devices run java. A statement causing fear in some and yearning in others. What if one could become one of those three billion devices. Running Java Bytecode as Sun must have intended. Taking write once, run anywhere to the max. This is the story about how this one got a JavaCard implant.

Where to get the JavaCard implant

DangerousThings, a company producing all sorts of implantable fun, also sells the flexSecure, an implantable JavaCard to which one can install custom applets. After thinking about that for what felt like an eternity (probably like half a year), it bought itself one (not at DangerousThings, but at a German importer called "Upgraded Humans" (good name) to not have to wait as long).

Getting java installed

Now it has this beauty; time to get it installed.

As installing that itself seemed a bit [risky, stupid], lucy went to one of the recommended piercers, "Lines & Dots" in Hamburg.

They poked a hole with the included needle (after coating it with some liquid to lessen pain), made enough space to put in the implant, shoved that in, and put a band-aid on there. It bled a bit, but not as badly as this one had thought. The whole process only hurt a little, took like 15 minutes, cost ~70€, and this one was out of there two minutes after its appointment was scheduled to start. Good experience.

They gave it a bunch of small band-aids and some antiseptic, of which it applied some daily for the first few days until the wound was closed.

Wound healing took a couple of weeks for it (as clumsily it repeatedly hit its hand on something, which reopened the wound), but now, two months later, only a small scar is visible.

What to do with the JavaCard

Now that it's one of the three billion devices, it shall be useful somehow.

The only way to interface with the JavaCard is NFC, so it needs to get an NFC reader.

NFC readers

The reader (or some driver for the reader) needs to be PC/SC compatible to just work(tm) with all the tools one wants to use with it. This should include all libccid compatible readers (watch out to get one with NFC) and some more.

This one tried a few readers:

SCM Microsystems SCL011

One of the (BSI Certified (tm)) readers sold in 2010 to use with the eID features of the (then) new German ID cards. It even came with a CD to install AusweisApp (1, not 2, not 3 which is also branded as AusweisApp) on Windows 2000 (no DOS support qwq) to 7, Mac OS 10.5 and 10.6, Ubuntu 9.04 and 10.04, Debian 5 and OpenSuse 11. A pinnacle of German engineering still mostly unused 15 years after its inception.

It got picked up by pcscd after a quick services.pcscd.plugins = [ pkgs.pcsc-scm-scl011 ];.

Works for this one (on NixOS), but has abysmal reception requiring it to position its hand in the perfect spot on the reader to detect anything (even after disassembling it and pressing its hand against the raw PCB (although this improved stuff slightly)).

Proxmark3 Easy

it got one of the cheap ali PM3 clones. Setting it up to use as a PCSC device is a bit weird, but then it also works.

One has to install a daemon called vsmartcard-vpcd (a simple services.vsmartcard-vpcd.enable = true; on NixOS (as always)), and run pm3 smart pcsc for the proxmark to connect to the daemon.

vpcd is a PCSC to TCP adapter (foreshadowing), and the proxmark3 host software connects to that daemon.

Android Phones

There's also an Android App that allows one to connect to vpcd with any nfc compatible android phone.

This is the main way this one uses the JavaCard, as its phone (a pixel 8) seemingly has a good NFC antenna. (vsmartcard-remote reader -> tailscale -> laptop)

Applets

the main reason to get the JavaCard implant is to install applets on it. DangerousThings has a list of applets and assorted documentation, which is what this one exclusively used.

The applets this one has installed and uses are:

PGP

having a pgp key in its hand is cool (write its hand messages and encrypt them to C456133700066642 :3).

As the flexSecure is a JavaCard of version 3.0.5, it doesn't natively support ed25519 crypto, so this one needed to settle to something else. It (based on nothing really (except that RSA Keys are giant and would've needed more storage)) chose to use brainpool p512r1 for its key (and even wrote a tool to generate vanity pgp keys as all the existing ones were made for basically every other curve). Should've prbly choosen to use one of the NIST curves so it can use the gpg key for SSH but welp, ssh also works with fido2.

Another fun thing is that one can freely set the card id openpgp reports, so this one's is C0FE 00066642.

YubiKey HMAC

yubico, in its pattern of adding proprietary features to their security keys, has a feature called "HMAC-SHA1 Challenge-Response mode", which KeePassXC can use as a second factor to decrypt one's password database.

KeePassDX (the android app) also flawlessly supports usage of this second factor.

This one would recommend to write the secret down somewhere to not loose access to ones passwords.

FIDO2

Kinda self explanatory.

Firefox on linux only supports USB FIDO2 Keys, but there are adapter softwares to make it work over NFC. this one uses fido2-hid-bridge.

NDEF

32 kilobytes to carry shitposts everywhere one goes.

this one just has a link to xyno.space in there like some boring being, although this ofc could be used for more fun stuff.

Things it would like to do in the future

Framework NFC Reader

it (regrettably) has a Framework 13, and started to design a NFC reader expansion slot thing for that. Hope it'll ever finish that project lmao.

Door Access

Door Access with something that doesn't have completely horrible (or no) crypto would be cool. its dream would probably be to just use fido2 single factor (also known as passkeys) for that, there aren't any commercially available readers for that though, so this could be a fun project.

Alternatives

There's also the VivoKey Apex Flex, which has some proprietary applets, a phone app to install them (instead of GlobalPlatformPro), but doesn't support installation of custom applets.

Probably the more sensible (they even have support) but less fun choice

Conclusion

getting chipped is very good for the bot, every time it uses this thing it smiles more than it reasonably should. 10/10 would get chipped again. (probably will get chipped again)