APDU Command Reference
APDU (Application Protocol Data Unit) is the message format for all communication between a smart card and its host. Defined in ISO 7816-4, APDUs are the lingua franca of smart card programming: whether you are talking to a banking chip, an identity card, or a JavaCard applet, all commands and responses follow the same structure.
Use the APDU Builder to construct, encode, and send APDUs interactively — including extended-length APDUs and chained sequences.
Command and Response Structure
A command APDU has a mandatory 4-byte header and an optional body:
┌──────┬─────┬────┬────┬────────────────────────┬────────────────┐
│ CLA │ INS │ P1 │ P2 │ Lc + Data (optional) │ Le (optional) │
│ 1 B │ 1 B │ 1B │ 1B │ 1–3 B + 0–65535 B │ 1–3 B │
└──────┴─────┴────┴────┴────────────────────────┴────────────────┘
| Field | Meaning |
|---|---|
| CLA | Class byte: industry (0x00), proprietary (0x80), chaining (bit 4) |
| INS | Instruction: identifies the command |
| P1, P2 | Parameters: command-specific |
| Lc | Length of command data; absent if no data sent to card |
| Data | Command data field, Lc bytes long |
| Le | Expected response length; 0x00 = up to 256 bytes; absent if no response expected |
A response APDU contains an optional data field followed by a mandatory 2-byte status word:
┌─────────────────────────────┬──────┬──────┐
│ Response data (0–65535 B) │ SW1 │ SW2 │
└─────────────────────────────┴──────┴──────┘
T=0 and T=1 differ in how they transport APDUs: T=0 is byte-oriented and requires GET RESPONSE to fetch deferred response data; T=1 is block-oriented and can carry the full response in a single exchange.
Common ISO 7816-4 Commands
| INS (hex) | Command | P1 | P2 | Data | Response |
|---|---|---|---|---|---|
| A4 | SELECT | 00/04 | 00/0C | AID or File ID | FCI / none |
| B0 | READ BINARY | P1 high offset | P2 low offset | — | Binary data |
| D6 | UPDATE BINARY | P1 high offset | P2 low offset | Data to write | — |
| B2 | READ RECORD | Record number | SFI<<3 + 04 | — | Record data |
| DC | UPDATE RECORD | Record number | SFI<<3 + 04 | Record data | — |
| 20 | VERIFY | 00 | PIN ref | PIN data | — |
| 24 | CHANGE REFERENCE DATA | 00 | PIN ref | Old + new PIN | — |
| 2C | RESET RETRY COUNTER | 03 | PIN ref | PUK + new PIN | — |
| 82 | EXTERNAL AUTHENTICATE | Security level | Key ref | Cryptogram | — |
| 84 | GET CHALLENGE | 00 | 00 | — | Random challenge |
| 88 | INTERNAL AUTHENTICATE | Algorithm ref | Key ref | Challenge | Cryptogram |
| C0 | GET RESPONSE | 00 | 00 | — | Deferred response |
| CA | GET DATA | Tag high | Tag low | — | Data object |
| DA | PUT DATA | Tag high | Tag low | Data object | — |
Status Words
Status words (SW1 SW2) encode the outcome of every command. A complete handling layer must distinguish success, conditional success, warning, and error classes.
| SW1 SW2 | Meaning |
|---|---|
| 90 00 | Normal completion |
| 61 xx | Normal completion; xx more bytes available via GET RESPONSE |
| 62 00 | No information given (NV memory unchanged) |
| 62 82 | End of file or record reached before Le |
| 63 Cx | Warning: PIN retry count = x (x = 0 → PIN blocked) |
| 64 00 | Execution error: NV memory state unchanged |
| 65 81 | Execution error: memory failure |
| 67 00 | Wrong length: Lc or Le incorrect |
| 68 81 | Function not supported in current logical channel |
| 69 82 | Security conditions not satisfied |
| 69 83 | Authentication method blocked |
| 69 85 | Conditions of use not satisfied |
| 69 86 | Command not allowed: no current EF |
| 6A 80 | Incorrect parameters in the command data field |
| 6A 81 | Function not supported |
| 6A 82 | File or application not found |
| 6A 86 | Incorrect parameters P1-P2 |
| 6A 88 | Referenced data not found |
| 6B 00 | Wrong parameters P1-P2 |
| 6C xx | Wrong Le; xx = correct value |
| 6D 00 | Instruction code not supported or invalid |
| 6E 00 | Class not supported |
| 6F 00 | No precise diagnosis |
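One way to structure such a handling layer for short APDUs, as an added example (not code from this page or from any card SDK). The names `classify`, `pin_retries_left`, `transmit` and `make_fake_card` are chosen here, `send` stands for whatever reader call returns the raw response bytes, and the fake card and its replies are constructed.

```python
def classify(sw1: int, sw2: int) -> str:
    """Map a status word onto the classes a handling layer must separate."""
    if (sw1, sw2) == (0x90, 0x00):
        return "success"
    if sw1 == 0x61:
        return "conditional"             # sw2 more bytes wait for GET RESPONSE
    return "warning" if sw1 in (0x62, 0x63) else "error"

def pin_retries_left(sw1: int, sw2: int):
    """63 Cx carries the remaining PIN attempts; None for any other word."""
    return sw2 & 0x0F if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0 else None

def transmit(send, apdu: bytes, max_rounds: int = 16):
    """Send a short APDU, following 61 xx and 6C xx; return (data, sw1, sw2)."""
    data = b""
    for _ in range(max_rounds):          # bound the loop against a looping card
        resp = send(apdu)
        if len(resp) < 2:
            raise ValueError("response lacks SW1 SW2")
        data, sw1, sw2 = data + resp[:-2], resp[-2], resp[-1]
        if sw1 == 0x61:                  # fetch the deferred bytes, Le = xx
            apdu = bytes([apdu[0], 0xC0, 0x00, 0x00, sw2])
        elif sw1 == 0x6C:                # resend with Le corrected to xx
            apdu = apdu[:-1] + bytes([sw2])
        else:
            return data, sw1, sw2
    raise RuntimeError("too many follow-up rounds")

def make_fake_card(record: bytes):
    """Constructed stand-in for a reader/card pair; not a real card profile."""
    pending = []
    def send(apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == 0xB0:                  # READ BINARY insists on the exact Le
            if apdu[4] != len(record):
                return bytes([0x6C, len(record)])
            return record + b"\x90\x00"
        if ins == 0x88:                  # INTERNAL AUTHENTICATE, reply deferred
            pending.append(b"\xAA" * 8)  # constructed cryptogram bytes
            return b"\x61\x08"
        if ins == 0xC0 and pending:      # GET RESPONSE
            return pending.pop() + b"\x90\x00"
        if ins == 0x20:                  # VERIFY with a wrong PIN
            return b"\x63\xC2"
        return b"\x6D\x00"               # instruction not supported
    return send
```

A caller that sees a value from `pin_retries_left` should stop automated VERIFY retries, since the counter reaching 0 blocks the PIN.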
Extended-Length APDUs
Standard APDUs carry at most 255 bytes of command data and 256 bytes of response. Extended-length APDUs (ISO 7816 part 4, edition 3+) extend these limits to 65,535 bytes using 3-byte Lc and Le fields. Extended length is mandatory for ePassport biometric data transfer and large certificate chains.
Extended command: CLA INS P1 P2 00 LcH LcL Data... 00 LeH LeL
Extended response: Data... SW1 SW2
Support is signalled in the card's ATR historical bytes or by the response to SELECT MF. Not all readers support extended length; verify via GetCapabilities before sending.
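A decoder for the command layouts described in this section and under Command and Response Structure, as an added example (not code from this page). `CommandAPDU` and `parse_command_apdu` are names chosen here, and the sample APDUs, including the AID, are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None   # None: Le absent, no response data expected
    extended: bool = False

def parse_command_apdu(raw: bytes) -> CommandAPDU:
    """Decode one command APDU; raise ValueError when lengths disagree."""
    if len(raw) < 4:
        raise ValueError("header needs CLA INS P1 P2")
    cmd, body = CommandAPDU(*raw[:4]), raw[4:]
    if not body:                                  # header only
        return cmd
    if len(body) == 1:                            # short Le; 0x00 = 256
        cmd.le = body[0] or 256
        return cmd
    if body[0] != 0:                              # short Lc, data, optional Le
        lc, rest, le_size = body[0], body[1:], 1
    else:                                         # 0x00 marks extended length
        cmd.extended = True
        if len(body) == 3:                        # extended Le only
            cmd.le = int.from_bytes(body[1:], "big") or 65536
            return cmd
        lc, rest, le_size = int.from_bytes(body[1:3], "big"), body[3:], 2
    cmd.data, tail = rest[:lc], rest[lc:]
    # ISO 7816-4 sends Le as two bytes after extended data; the three-byte
    # form 00 LeH LeL is tolerated here so that traces using it still decode.
    if cmd.extended and len(tail) == 3 and tail[0] == 0:
        tail = tail[1:]
    if lc == 0 or len(cmd.data) != lc or len(tail) not in (0, le_size):
        raise ValueError("Lc/Le do not match the body length")
    if tail:                                      # all-zero Le means the maximum
        cmd.le = int.from_bytes(tail, "big") or (256 if le_size == 1 else 65536)
    return cmd

# Constructed samples: SELECT by AID (placeholder AID) and an extended write.
SELECT = bytes.fromhex("00 A4 04 00 07 A0 00 00 00 00 00 01 00")
EXT_WRITE = bytes.fromhex("00 D6 00 00 00 01 2C") + bytes(300)
```

Rejecting an APDU whose Lc disagrees with its body length at the host mirrors the card's own `67 00` check and keeps malformed traces out of later analysis.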
Logical Channels
ISO 7816-4 supports up to 20 simultaneous logical channels (basic channel 0 plus channels 1–19). The channel number occupies the two low-order bits of CLA: CLA = 0x01 targets channel 1, CLA = 0x00 targets the basic channel. Each channel maintains its own currently-selected application, allowing two applets to be simultaneously open without interfering with each other.
Channel management commands: MANAGE CHANNEL (INS = 70), with P1 = 00 to open, P1 = 80 to close.
See JavaCard Applet Development for how these commands are handled on the card side, or Understanding ISO 7816 for the full standard context.
Frequently Asked Questions
APDU stands for Application Protocol Data Unit — the communication unit exchanged between a smart card and a reader (ISO 7816-4). There are two types: Command APDUs sent from reader to card (CLA, INS, P1, P2, Lc, data, Le) and Response APDUs returned by the card (response data + SW1-SW2 status word). The status word 0x9000 indicates successful execution; other values signal warnings or errors.
CLA (Class byte) indicates the command class and secure messaging level — 0x00 is standard ISO 7816-4, 0x80 is proprietary/interindustry. INS (Instruction byte) identifies the specific command (e.g., 0xA4 = SELECT, 0xB0 = READ BINARY, 0x20 = VERIFY). P1 and P2 are parameter bytes that qualify the instruction — for SELECT, P1=0x04 means select by AID, P1=0x00 means select by file ID.
Short APDUs use a one-byte Lc (data length, 1–255 bytes) and one-byte Le (expected response length, 1–256 bytes). Extended APDUs, defined in ISO 7816-4 since the 2005 revision, use three-byte Lc and Le fields, allowing up to 65535 bytes of command data or response. Extended length is required for operations involving large objects such as RSA-4096 key material or biometric data in ePassport chips.
Secure messaging (SM) wraps standard APDUs with cryptographic protection defined in ISO 7816-4. The command data is encrypted (typically AES-CBC or 3DES-CBC) and a Message Authentication Code (MAC) is appended to ensure integrity. The CLA byte's bit 2 (0x0C) signals that SM is active. SM is used by ePassports (PACE/BAC), GlobalPlatform secure channels (SCP02/SCP03), and any scenario requiring confidentiality of APDU exchanges.
Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.