Hello everybody,
recently I ordered a batch of JCOP4 J3R180 samples from a Chinese NXP distributor claiming SCP03 as being the default setting in their product listing.
However, on arrival those cards had their factory default keys (key version 255) still active and the cards are in SCP02 mode. After a bit of back and forth and the distributor claiming I would not pay, I finally got the corresponding keys from them and could access the cards.
But: it is impossible to create a supplemental security domain with SCP03 enabled. I followed GlobalPlatform Confidential Card Content Management, etc. and tried parameter 81020370 (SCP03 i70) during initialization of the SSD. But those cards deny that parameter setting. Other J3R200/J3R180 happily accept exactly the very same command.
So, the distributor told me I have to "do initialization" - without any details. They're now trying to sell me additional services after delivering misconfigured cards.
I tried STORE-DATA to the ISD with DGI 0070 and 810402550370 to migrate from SCP02 to an SCP03 key-set as this worked out on other secure elements. The cards accept the STORE-DATA command, and a key-set pushed via STORE-DATA with key version 0x31 and AES-128 gets created as well - but it cannot be used during init-update. So this tells me SCP03 is not enabled on those cards. I already have one card locked up with an SCP03 key-set and version 0x31 - not being able to complete init update.
They stick to their explanation that some initialization has to be done.
I have docstore access and know the JCOP Tools for JCOP3, JCOP4 and JCOP5. But obviously I have missed something until now. Where do I have to look?
This can't be more than a single APDU if they are correct. Or do they try to scam us?
Thanks & best regards,
Christian
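
For readers following the two parameter values quoted in the post above, here is an added example (not part of the original post, and not NXP or GlobalPlatform code) that decodes them into protocol and option bits. It assumes the value of tag 81 is a list of (SCP identifier, "i" option) byte pairs, which is how the post glosses 81020370; the function name `decode_scp_param` and the bit tables, written from the GlobalPlatform SCP02 and SCP03 option definitions, are this example's own.

```python
# Added example: decode the tag '81' secure-channel parameter quoted in the post.
# Assumption: the tag's value is a sequence of (SCP identifier, "i" option) byte pairs.

SCP02_I_BITS = {  # SCP02 "i" option bits: mask -> (meaning if set, meaning if clear)
    0x01: ("3 secure channel keys", "1 base key"),
    0x02: ("C-MAC on unmodified APDU", "C-MAC on modified APDU"),
    0x04: ("explicit initiation", "implicit initiation"),
    0x08: ("ICV = MAC over AID", "ICV = zero"),
    0x10: ("ICV encryption for C-MAC", "no ICV encryption"),
    0x20: ("R-MAC support", "no R-MAC"),
    0x40: ("well-known pseudo-random card challenge", "unspecified card challenge"),
}
SCP03_I_BITS = {  # SCP03 "i" option bits (GlobalPlatform Amendment D)
    0x10: ("pseudo-random card challenge", "random card challenge"),
    0x20: ("R-MAC support", "no R-MAC"),
    0x40: ("R-ENC support", "no R-ENC"),
}
TABLES = {0x02: SCP02_I_BITS, 0x03: SCP03_I_BITS}


def decode_scp_param(hex_tlv):
    """Return [(protocol, i value, [option descriptions])] for a tag-81 TLV."""
    data = bytes.fromhex(hex_tlv)
    if len(data) < 2 or data[0] != 0x81:
        raise ValueError("expected tag 81")
    length, value = data[1], data[2:]
    if length != len(value) or length % 2:
        raise ValueError("length byte does not match an even-sized value")
    result = []
    for scp, i in zip(value[0::2], value[1::2]):
        table = TABLES.get(scp)
        if table is None:
            raise ValueError(f"unknown SCP identifier {scp:02X}")
        options = [on if i & bit else off for bit, (on, off) in table.items()]
        result.append((f"SCP{scp:02X}", f"i={i:02X}", options))
    return result


if __name__ == "__main__":
    for param in ("81020370", "810402550370"):  # both values are from the post
        for scp, i, options in decode_scp_param(param):
            print(param, scp, i, "; ".join(options))
```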